Last Friday, I started some analysis on fast-flux techniques. I stopped my discussion at single-flux, so today I will improve on the camouflage! In double-flux, not only do the fake site's IP addresses vary, but so do the IP addresses of the name servers that resolve it in the DNS architecture.

Here, the criminal has a genuine control and monitoring workstation. The bots are no longer used just to relay HTTP traffic; they also act as the domain's name servers and hand out the various IP addresses for the connection, which, as before, are valid only for a short moment.

When the victim tries to reach the site he wants to visit, a query is sent to the name server with authority over the zone. Just as with single-flux, the short lifespan of the address leads the name-server query into the criminal network. Applied first at this level, the fast-flux technique redirects the query to a first zombie machine inside the botnet (fast-flux on name servers: IP_A to IP_E). This machine fetches the answer from the C&C workstation and forwards it to the requester, applying the same method a second time (fast-flux on the web site: IP_1 to IP_9).

In return, the IP address of yet another zombie machine is sent to the victim. This second bot relays the traffic to the real server, preserving the criminal's anonymity.

As the blurred image below suggests, this third example deals with an adult site that tries to remain discreet about its origins. Two dig commands launched a few minutes apart show us the result.

On the web site side, the TTLs are reduced to 10 minutes (600 seconds), and the site's IP addresses vary widely (fast-flux on the web site). The same goes for the domain name servers, which changed within that short period (fast-flux on name servers).
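The check behind those two dig commands can be automated: parse the A and NS records (plus the glue A records of the NS hosts) from each run, then flag a layer as fluxing when its record set changed between runs and its TTL is short. The script below is an added example, not code from the original post; since the post's own dig output is blurred, the snapshots are constructed, and the domain `example-flux.test`, the `ns*.example-flux.test` names, the TEST-NET addresses and the 600-second threshold are assumptions for illustration.

```python
"""Classify single- vs double-flux from two dig snapshots (added example)."""
import re
from dataclasses import dataclass, field

# One dig-style resource record: owner, TTL, class IN, type A or NS, rdata.
# Comment lines (";; ANSWER SECTION:"), SOA and AAAA records do not match.
_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS)\s+(\S+)$")


@dataclass
class Snapshot:
    site_ips: set = field(default_factory=set)   # A records of the queried host
    ns_names: set = field(default_factory=set)   # NS records of the zone
    ns_ips: set = field(default_factory=set)     # glue A records of those NS hosts
    min_ttl: dict = field(default_factory=dict)  # "site" / "ns" -> lowest TTL seen


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def parse_dig(text: str, domain: str) -> Snapshot:
    """Extract the site's A records, the zone's NS records and NS glue from dig output."""
    domain, snap, records = _norm(domain), Snapshot(), []
    for line in text.splitlines():
        m = _RR.match(line.strip())
        if m:
            owner, ttl, rrtype, rdata = m.groups()
            records.append((_norm(owner), int(ttl), rrtype, _norm(rdata)))
    # NS names first, so that glue A records can be attributed to the NS layer.
    for owner, ttl, rrtype, rdata in records:
        if rrtype == "NS" and owner == domain:
            snap.ns_names.add(rdata)
            snap.min_ttl["ns"] = min(ttl, snap.min_ttl.get("ns", ttl))
    for owner, ttl, rrtype, rdata in records:
        if rrtype == "A" and owner == domain:
            snap.site_ips.add(rdata)
            snap.min_ttl["site"] = min(ttl, snap.min_ttl.get("site", ttl))
        elif rrtype == "A" and owner in snap.ns_names:
            snap.ns_ips.add(rdata)
            snap.min_ttl["ns"] = min(ttl, snap.min_ttl.get("ns", ttl))
    return snap


def classify(first: Snapshot, second: Snapshot, max_ttl: int = 600) -> str:
    """Return "none", "single-flux" or "double-flux" for two snapshots a few minutes apart.
    A layer fluxes when its record set changed AND its TTL is <= max_ttl (600 s, the value
    observed in the post). The churn-plus-TTL rule is an illustrative heuristic."""
    def layer_flux(before, after, key):
        ttl = min(first.min_ttl.get(key, max_ttl + 1), second.min_ttl.get(key, max_ttl + 1))
        return before != after and ttl <= max_ttl

    site_flux = layer_flux(first.site_ips, second.site_ips, "site")
    ns_flux = layer_flux((first.ns_names, first.ns_ips), (second.ns_names, second.ns_ips), "ns")
    if site_flux and ns_flux:
        return "double-flux"
    return "single-flux" if site_flux else "none"


DOMAIN = "example-flux.test"  # placeholder, not the site from the post

# Constructed dig snapshots: T0, then T1 a few minutes later. Between them both the
# site's A records and the NS hosts (with their glue) have rotated: double-flux.
FLUX_T0 = """
;; ANSWER SECTION:
example-flux.test.      600  IN  A   192.0.2.11
example-flux.test.      600  IN  A   198.51.100.23
example-flux.test.      600  IN  A   203.0.113.7
example-flux.test.      600  IN  NS  ns1.example-flux.test.
example-flux.test.      600  IN  NS  ns2.example-flux.test.
;; ADDITIONAL SECTION:
ns1.example-flux.test.  600  IN  A   192.0.2.200
ns2.example-flux.test.  600  IN  A   198.51.100.200
"""
FLUX_T1 = """
;; ANSWER SECTION:
example-flux.test.      600  IN  A   192.0.2.45
example-flux.test.      600  IN  A   203.0.113.7
example-flux.test.      600  IN  A   203.0.113.88
example-flux.test.      600  IN  NS  ns2.example-flux.test.
example-flux.test.      600  IN  NS  ns3.example-flux.test.
;; ADDITIONAL SECTION:
ns2.example-flux.test.  600  IN  A   198.51.100.200
ns3.example-flux.test.  600  IN  A   203.0.113.201
"""
# Same name servers as T0, only the site's addresses rotated: single-flux.
SINGLE_T1 = FLUX_T1.replace("ns3.example-flux.test.", "ns1.example-flux.test.") \
                   .replace("203.0.113.201", "192.0.2.200")
# Ordinary site: long TTL, same answer on both runs.
STABLE = """
example.test.           86400  IN  A   192.0.2.80
example.test.           86400  IN  NS  ns.example.test.
ns.example.test.        86400  IN  A   192.0.2.53
"""

if __name__ == "__main__":
    t0, t1 = parse_dig(FLUX_T0, DOMAIN), parse_dig(FLUX_T1, DOMAIN)
    print(sorted(t0.site_ips), "->", sorted(t1.site_ips), classify(t0, t1))
    print(classify(t0, parse_dig(SINGLE_T1, DOMAIN)))
    stable = parse_dig(STABLE, "example.test")
    print(classify(stable, stable))
```

Churn plus a short TTL is the signal the post relies on, but on its own it also fires on legitimate round-robin or CDN hosts with low TTLs; in practice the verdict is strengthened by counting how many distinct networks (ASNs) the addresses fall into, since a botnet's addresses are scattered across consumer ISPs while a CDN's sit in a few operator ranges.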

Combining the three previous methods gives a major headache :-). But as a result, we obtain the scheme used in the mysterious RockPhish structures. The ingredients are:

  • lots of domain names,
  • a fast-flux botnet network in double-flux mode,
  • specialized software responsible for sending out the phishing e-mails, where each recipient is assigned an index. This index is passed as a parameter in the URL and used again within the mirror site once the victim connects.

I won't bore you with the final synoptic of the network traffic. Simply looking at the URLs below, collected from the phishing e-mails, gives you an idea of the complexity of the attack.

The host domain name varies, as do the domain name servers. The control and monitoring workstation manages the structure of the network in real time. Let's not forget that this is primarily a network of compromised machines (a botnet). The index ensures proper redirection according to the victim, the targeted bank, the machines to be activated, and the group of fraudsters profiting from the attack.

I hope this dissection interested you. It shows that attacks are becoming more and more sophisticated. To be sure, groups like the ones behind RockPhish put so much energy into improving their network's resilience and stealth because it is very profitable for them.