For several years, we have been talking about the growing sophistication of attacks. The main goals are discretion, camouflage and profitability. Some of the common techniques and tools go by names such as Fast-Flux, RockPhish and MPack. Having recently worked on some spam campaigns and dubious websites, I will use them as examples and explain some of these new cybercriminal methods in a set of two blog contributions.
Before complicating the scheme, let me start with a very simple example:

Here, a spammer owns a lot of domain names. He constantly buys new ones using stolen credit card numbers and rotates through them as they get taken down, which can happen quickly or slowly depending on the vigilance and honesty of the access providers.
A single machine hosts his site. It may be dedicated to selling medicine or counterfeit luxury products. In order to trick anti-spam software, e-mails are personalized with background noise and random text. To diversify further, and because he has so many domain names, his software varies the URL of the site from one message to the next.
When a victim tries to follow the link provided to them, their resolver sends a request to the local name server for the IP address of the machine behind the URL they were sent:

If the answer is already cached at this level, it is returned directly to the requester. Otherwise, and provided the domain is still valid, the desired IP address is returned only after querying the root and/or authoritative (primary) servers. Dozens of different domain names can point to a single machine.
Here is an example of a result that could be obtained using this method:

With phishing, the methods are becoming more complex. This curve, taken from APWG statistics, does not show the number of victims, which has risen a great deal this year.

It shows that, since mid-2006, the total number of incidents (with and without a victim) has remained stable. What’s interesting are the peaks in November 2006 and particularly in April 2007. The question is: how can we have three times more phishing sites than identified attacks? The answer is called RockPhish.
To understand it better, we will expand upon the previous example and look at the intermediate single-flux and double-flux methods.

In single-flux, the criminal has just one domain. Thanks to an unscrupulous access provider, he runs his own domain name server for it. The criminal also has a network of compromised machines available to him, which he uses as a relay platform between the victims and his site. Very short DNS time-to-live values, combined with round-robin rotation through the IP addresses of many zombie machines, let him continually change the apparent address used to reach the mirror site. The mirror site is therefore even better protected.
When the victim tries to reach the mirror site, a request is sent to the name server with authority over the zone.

Because the address lives no more than a few minutes, there is generally no cached answer, so the criminal's name server is queried. The IP address of one of the bots is sent back to the victim. For the several minutes of the transaction that bot relays the traffic, and then it disappears from the answers, making it more difficult to locate and therefore neutralize the key sites.
Here is an example of an online casino site using the single-flux technique:

My Windows build of dig (Domain Information Groper) shows some distinctive network features: the time-to-live values here are very short, and the IP addresses returned are very varied. This is the mark of camouflage using the single-flux technique.
The next post will show how a double-flux network works and, after that, a RockPhish network.
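As an added example (not code from the original post), the following Python script applies the two signs discussed above to dig-style A records: the "many throwaway domains, one server" pattern of the simple scheme, and the short TTL plus widely spread IP addresses of single-flux. The hostnames, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of dig's ANSWER SECTION (name, TTL, class, type, rdata).
# Hostnames and addresses are made up for this example and are not from the post.
SAMPLE_ANSWERS = """\
pharma-spam-a.example.   86400  IN  A  203.0.113.10
pharma-spam-b.example.   86400  IN  A  203.0.113.10
pharma-spam-c.example.   86400  IN  A  203.0.113.10
casino-flux.example.     180    IN  A  198.51.100.23
casino-flux.example.     180    IN  A  192.0.2.77
casino-flux.example.     180    IN  A  203.0.113.140
casino-flux.example.     180    IN  A  198.51.100.201
"""

A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")

def parse_answers(text):
    """Group A records by owner name: {name: (ttl, {ip, ...})}; other lines are skipped."""
    records = {}
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if not m:
            continue
        name, ttl, ip = m.group(1), int(m.group(2)), m.group(3)
        records.setdefault(name, (ttl, set()))[1].add(ip)
    return records

def prefixes(ips):
    """Distinct /16 blocks: bots are spread over many networks, a hosted site usually is not."""
    return {".".join(ip.split(".")[:2]) for ip in ips}

def classify(records, max_ttl=300, min_ips=3, min_prefixes=2):
    """Label a name 'single-flux' when the TTL is short AND the answers spread over several
    IPs in several networks. CDNs and load balancers also use short TTLs with several IPs,
    so treat the label as a triage signal to confirm against reputation data, not as proof."""
    labels = {}
    for name, (ttl, ips) in records.items():
        fluxy = ttl <= max_ttl and len(ips) >= min_ips and len(prefixes(ips)) >= min_prefixes
        labels[name] = "single-flux" if fluxy else "static"
    return labels

def shared_hosts(records):
    """Invert the map to {ip: [names]} for addresses that several domains point at, which
    is the simple 'many domains, one machine' scheme from the start of the post."""
    by_ip = defaultdict(list)
    for name, (_ttl, ips) in records.items():
        for ip in ips:
            by_ip[ip].append(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}
```

Running `classify` over the output of a real `dig +noall +answer <name> A`, repeated every few minutes, also shows whether the returned addresses keep changing between queries, which a single snapshot cannot.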
Francois,
Excellent article. I loved your technical descriptions and graphics. You did a very good job on describing the usage of botnets and fastfluxing in a criminal enterprise. I have recently written a similar article discussing the usage of fast fluxing and botnets in criminal enterprises (see below). I am looking forward to part 2.
Again, very well done.
http://community.ca.com/blogs/securityadvisor/archive/2007/11/07/web-of-deception.aspx