Hydraflux Service Networks

Sunday, 20 July 2008

Fast-flux service networks are commonly built from compromised hosts that form part of a botnet. They provide a layer of protection around a central "Mothership" by acting as blind proxies: clients connect to a flux node, which forwards the request to the Mothership and relays the response back. The DNS records for the domain used to reach the Mothership are a rapidly changing, short-lived (low-TTL) subset of the compromised hosts, the flux nodes, which makes it much harder to block client access to the Mothership by IP address, whether it is serving malicious content or spamvertised services. The weakest link is the Mothership itself, the single central server actually providing the content: take it down and the content goes with it, however many flux nodes remain.
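The defender's side of the paragraph above, as an added example that is not code from the original post: given a series of DNS lookups for a domain, compute the usual fast-flux indicators (number of distinct addresses, address diversity, minimum TTL, how often the answer set changes between lookups) and measure how badly an IP blocklist built from earlier answers lags behind the next answer. The observations are constructed, the thresholds in `is_flux` are illustrative assumptions rather than values from any published study, and the /16 prefix count is a stand-in for the ASN diversity one would use with real routing data.

```python
"""Fast-flux indicators over a constructed set of DNS observations.

Added example, not part of the original post. Sample data and thresholds are
assumptions chosen to illustrate the technique.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: (domain, TTL in seconds, A records) from successive
# lookups. The flux domain answers with a different low-TTL subset of nodes
# each time; the benign domain answers with a stable set and a long TTL.
OBSERVATIONS = [
    ("flux.example", 300, ["203.0.113.10", "198.51.100.7", "192.0.2.44"]),
    ("flux.example", 300, ["198.51.100.22", "203.0.113.91", "192.0.2.9"]),
    ("flux.example", 300, ["192.0.2.130", "203.0.113.5", "198.51.100.200"]),
    ("flux.example", 300, ["203.0.113.77", "192.0.2.201", "198.51.100.55"]),
    ("static.example", 86400, ["192.0.2.1", "192.0.2.2"]),
    ("static.example", 86400, ["192.0.2.1", "192.0.2.2"]),
    ("static.example", 86400, ["192.0.2.1", "192.0.2.2"]),
    ("static.example", 86400, ["192.0.2.1", "192.0.2.2"]),
]

# Assumed thresholds (illustrative only): a domain is flagged when it has
# shown many distinct addresses spread over several networks, with short
# TTLs, and its answer set changes between most consecutive lookups.
MIN_ADDRESSES = 5
MIN_PREFIXES = 2
MAX_TTL = 600
MIN_CHURN = 0.5


def prefix16(ip):
    """Return the /16 prefix of an IPv4 address as an integer (ASN stand-in)."""
    return int(ip_address(ip)) >> 16


def is_flux(n_addrs, n_prefixes, min_ttl, churn):
    """Apply the assumed thresholds; returns True when all indicators fire."""
    return (n_addrs >= MIN_ADDRESSES and n_prefixes >= MIN_PREFIXES
            and min_ttl <= MAX_TTL and churn >= MIN_CHURN)


def summarize(observations):
    """Compute per-domain flux indicators from a list of DNS observations."""
    per_domain = defaultdict(list)
    for domain, ttl, addrs in observations:
        per_domain[domain].append((ttl, frozenset(addrs)))
    result = {}
    for domain, lookups in per_domain.items():
        all_addrs = set().union(*(a for _, a in lookups))
        prefixes = {prefix16(ip) for ip in all_addrs}
        min_ttl = min(ttl for ttl, _ in lookups)
        # Churn: fraction of consecutive lookups whose answer set differs.
        changes = sum(1 for prev, cur in zip(lookups, lookups[1:])
                      if prev[1] != cur[1])
        churn = changes / (len(lookups) - 1) if len(lookups) > 1 else 0.0
        result[domain] = {
            "distinct_addresses": len(all_addrs),
            "distinct_prefixes": len(prefixes),
            "min_ttl": min_ttl,
            "churn": churn,
            "flux": is_flux(len(all_addrs), len(prefixes), min_ttl, churn),
        }
    return result


def blocklist_lag(observations, domain):
    """For each lookup of `domain`, the fraction of the answered addresses that
    were already on a blocklist built from all earlier answers. Values near 0
    mean blocking by address never catches up with the flux rotation."""
    seen = set()
    coverage = []
    for d, _, addrs in observations:
        if d != domain:
            continue
        addrs = set(addrs)
        coverage.append(len(addrs & seen) / len(addrs))
        seen |= addrs
    return coverage


if __name__ == "__main__":
    for domain, stats in summarize(OBSERVATIONS).items():
        print(domain, stats)
        print("  blocklist coverage per lookup:",
              blocklist_lag(OBSERVATIONS, domain))
```

On the constructed data the flux domain shows twelve distinct addresses over three /16 prefixes with an answer set that changes on every lookup, and a blocklist built from earlier answers covers none of the next answer; the static domain is fully covered from the second lookup on. With real resolver logs the same functions apply unchanged; only the ASN mapping and the thresholds would need tuning.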

[Figure: hydra.png]

During April and May 2008, William Salusky, a security analyst and handler at the Internet Storm Center, observed an interesting new behaviour in the way the flux nodes of one particular botnet communicated with their Mothership. Rather than a single upstream, they were talking to several machines, which may all have been Motherships or may have been a mix of Motherships and other flux nodes. In response to an HTTP POST request, the flux nodes received a file named COMMON.BIN containing a list of all the upstream machines to which client requests could be forwarded. This development, dubbed "Hydraflux" in a post to the ISC Handlers Diary, means the malicious content can no longer be removed by simply taking out the Mothership, because there is more than one. It seems reasonable to suppose that if one Mothership went offline another would take its place (like the heads of the Hydra), and that this could make a takedown of such an operation impossible for as long as new machines serving the malicious content keep being added to the pool that constitutes the "Hydraship".

An interesting development indeed, but I think that in the long run this may work against those operating this type of network for criminal purposes. If it becomes harder to combat these networks by informing Internet Service Providers and other network administrative bodies about the Hydraships, the focus will switch to the new weakest link in the operation. I believe that focus will turn to the domain registration process, in order to find ways of reducing the number of domain names available to these operations, which would make it easier to keep track of and block access to those domains. We'll see. In the meantime, I'm looking forward to reading William's research on Hydraflux when it becomes available.

UPDATE: 2008-07-24 14:53 (UTC+01:00)

There is some more content on these observations available at: http://handlers.dshield.org/wsalusky/ws/index.php/HydraFlux