Intimately tied to botnets, Fast-Flux domains are increasingly being used in online phishing schemes and spammed sites. No longer a spammer/phisher's test concept, more and more spammers are taking advantage of this technique, which makes identifying phishing schemes more difficult and leaves the users/victims unaware that they were on an illegitimate site. When used for spammed sites, a hijacked set of botnet machines are harder to suspend based on the IP address, since they are constantly moving over thousands of addresses.
Fast-flux can be applied to domains, or to domain name servers. It can even be applied to both, so that both the domain name servers and the spammed domains can be spread over a rotation of illegally hijacked machines. This implementation has been called "double flux". Alex Polyakov and Leo Kuvayev operations have been seen to use mixes of fast-flux implementations.
What malware is used for fast-flux botnets?
There are two major competing contenders for this title.
- Warezov/Stration (distributed from infected hosts)
- Storm/Nuwar/Zhelatin/Peacomm/Peed (distributed by social engineering spam with links to infected hosts)
What phishing schemes are using this?
This is being increasingly used for MySpace phishing schemes.
What spam families are using this?
- Your Online Pharmacy, Pharmacy Express, Warezov distribution
- Harvey Investments Money Mule and many phish sites
- Pharma Shop, SwissWatchesDirect, Reliable Pharmacy, Herbal King
- Anatrim family, Canadian Pharmacy, Pharmsite, Soft Eden
- Royal Casino
- Prestige Replicas, Diamond Swiss, US Healthcare
- Storm / Nuwar / Zhelatin botnet "worm" distribution (eg ArcadeWorldGame on a 0 minute refresh)
Who is using this technique?
Spammers that are believed to have started using this technique at present are:
- Robert Soloway (arrested and awaiting trial, October 2007)
- Leo Kuvayev (3-5 minute cycle, Windows platform)
- Alex Polyakov (8-hour cycle, Linux platform)
How to identify fast-flux domains
Fast-flux domains use nameservers whose DNS IP address resolutions change rapidly using a round robin. This means that the domain's resolution to the spammed or phishing hosts change frequently. At the basic level, a simple name server lookup for an address will respond with multiple hits. Three examples using Unix or Windows functions ported from Unix -
nslookup -type=a puface.com dig puface.com a host -t a puface.com
How to shut-down a fast-flux domain
To shut down a fast-flux domain effectively, its name servers need to be identified and reported. It is imperative to request that the registrar erase the glue records of the nameservers, and place the domain (if an EPP domain) on at least "Client Hold" and "Client Update Prohibited" status (or equivalent). The Complainterator program makes this request automatically, and so using that software to report the domain will ensure the registrar receives the correct instructions.
Unless the domain's status is changed to "Client Update Prohibited" (or an equivalent, either in registry protocol or registrar backoffice rights) after erasing the nameservers' glue records, they will be automatically changed to a different address without any intervention of the registrar and the removal will fail.
See the round robin article.
http://www.icann.org/en/announcements/announcement-26jan09-en.htm ICANN requests user responses to fast-flux proposals (Jan 2009)