New Trends in FastFlux Networks

Presented at Black Hat USA 2013, July 31, 2013, 10:15 a.m. (60 minutes)

Fast-flux networks have been used by attackers for many years. Existing work focuses on characteristics such as the rapid change rate of the IP addresses (A records) and of the name server addresses (NS records), and on the single-flux/double-flux structure. In this work, we tracked and analyzed over 200 fast-flux domains and found that the features of fast-flux networks have shifted. Specifically, the change rate of the IP addresses and name server addresses is slower than before, in some cases even slower than that of some benign applications that use fast-flux-like techniques. We also found that IP addresses and name servers are shared among different families of fast-flux domains, which indicates a well-established underground economic model for the use of fast-flux networks. Moreover, instead of single or double flux, current fast-flux domains exhibit "n-level" flux behavior, i.e., there appear to be "n" levels of name servers in the DNS hierarchy for fast-flux domains. Finally, we also studied benign applications that look like fast-flux domains but are not. In light of these new characteristics, we propose several new detection approaches that capture these new features of fast-flux domains.
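The features the abstract names can be measured directly from a passive-DNS style resolution log: how fast A and NS answers rotate, whether the rotating addresses are scattered across many prefixes (bot-hosted nodes) or confined to a few (a CDN that rotates just as fast), which addresses and name servers are reused across different domains, and how many layers of fluxing name servers sit above a domain. The script below is an added example, not the presenters' code or Palo Alto Networks code: the resolution log, the delegation map, the /16 prefix granularity and the decision thresholds are all constructed assumptions for illustration.

```python
"""Fast-flux feature extraction over a constructed DNS resolution log.

Added example, not code from the talk or from Palo Alto Networks. The
features (A/NS change rate, prefix diversity, infrastructure shared across
domains, depth of the NS delegation chain) are generic fast-flux indicators;
the log, the delegation map and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from ipaddress import ip_network


def _entries(domain, rtype, per_hour):
    """Expand [[values seen in hour 0], [hour 1], ...] into log tuples."""
    return [(hour, domain, rtype, v) for hour, vals in enumerate(per_hour) for v in vals]


# Constructed log: (hour_index, domain, record_type, value). The two "flux"
# domains rotate through scattered /16s and share addresses and an NS host;
# the CDN rotates just as fast but stays inside one prefix.
SAMPLE_LOG = (
    _entries("flux-a.example", "A", [
        ["10.1.2.3", "10.55.7.8"], ["10.1.2.3", "172.16.9.1"],
        ["192.168.44.5", "10.55.7.8"], ["172.16.9.1", "10.200.3.3"]])
    + _entries("flux-b.example", "A", [
        ["10.55.7.8", "10.77.1.1"], ["172.16.9.1", "10.77.1.1"],
        ["10.1.2.3", "10.90.9.9"]])
    + _entries("cdn.example", "A", [
        ["203.0.113.10", "203.0.113.11"], ["203.0.113.12", "203.0.113.13"],
        ["203.0.113.14", "203.0.113.15"], ["203.0.113.16", "203.0.113.17"]])
    + _entries("static.example", "A", [["198.51.100.5"]] * 4)
    + _entries("flux-a.example", "NS", [["ns1.layer1.example", "ns2.layer1.example"]])
    + _entries("flux-b.example", "NS", [["ns1.layer1.example"]])
)

# Constructed delegation map: zone -> NS host names, listed only for zones
# whose own NS records flux. A chain ends at a zone absent from the map.
SAMPLE_DELEGATIONS = {
    "flux-a.example": ["ns1.layer1.example", "ns2.layer1.example"],
    "flux-b.example": ["ns1.layer1.example"],
    "layer1.example": ["ns1.layer2.example"],
    "layer2.example": ["ns1.static-dns.example"],
}


def resolutions(log, domain, rtype):
    """{hour: set(values)} for one domain and record type."""
    by_hour = defaultdict(set)
    for hour, d, rt, value in log:
        if d == domain and rt == rtype:
            by_hour[hour].add(value)
    return by_hour


def change_rate(log, domain, rtype):
    """Distinct values per observed hour (a raw 'flux rate')."""
    by_hour = resolutions(log, domain, rtype)
    if not by_hour:
        return 0.0
    return len(set().union(*by_hour.values())) / len(by_hour)


def prefix_diversity(log, domain, bits=16):
    """Distinct /bits prefixes among A answers: a CDN stays within a few
    operator prefixes, bot-hosted flux nodes are scattered across many."""
    by_hour = resolutions(log, domain, "A")
    prefixes = {ip_network(f"{ip}/{bits}", strict=False)
                for values in by_hour.values() for ip in values}
    return len(prefixes)


def shared_values(log, rtype):
    """value -> sorted domains, for values answered for more than one domain."""
    owners = defaultdict(set)
    for _, domain, rt, value in log:
        if rt == rtype:
            owners[value].add(domain)
    return {v: sorted(ds) for v, ds in owners.items() if len(ds) > 1}


def delegation_depth(delegations, domain, limit=16):
    """Number of fluxing NS layers above a domain: 0 = single flux (only A
    records rotate), 1 = classic double flux, n = n-level flux. Follows
    zone -> its first NS host -> that host's parent zone -> ... with a
    cycle guard and a hop limit."""
    depth, zone, seen = 0, domain, set()
    while zone in delegations and zone not in seen and depth < limit:
        seen.add(zone)
        depth += 1
        parts = delegations[zone][0].split(".", 1)
        if len(parts) < 2:  # bare host name, no parent zone to follow
            break
        zone = parts[1]  # parent zone of the NS host name
    return depth


def classify(log, domain, rate_threshold=1.0, prefix_threshold=3):
    """Toy decision combining rate and prefix diversity; thresholds assumed."""
    rate = change_rate(log, domain, "A")
    if rate <= rate_threshold:
        return "stable"
    return "fast-flux" if prefix_diversity(log, domain) >= prefix_threshold else "cdn-like"


if __name__ == "__main__":
    for name in ("flux-a.example", "flux-b.example", "cdn.example", "static.example"):
        print(name, round(change_rate(SAMPLE_LOG, name, "A"), 2),
              prefix_diversity(SAMPLE_LOG, name),
              delegation_depth(SAMPLE_DELEGATIONS, name), classify(SAMPLE_LOG, name))
    print("shared A:", shared_values(SAMPLE_LOG, "A"))
    print("shared NS:", shared_values(SAMPLE_LOG, "NS"))
```

On the constructed data the CDN has a higher raw A-record change rate (2.0 per hour) than either flux domain, which is the abstract's point that rate alone no longer separates the two; prefix diversity, the addresses and NS host shared by flux-a and flux-b, and the three-layer NS chain are what distinguish them. In practice the /16 cut would be replaced by ASN or BGP-prefix lookups and the thresholds tuned against labeled traffic.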

Presenters:

  • Xinran Wang - Palo Alto Networks
    Xinran is the team lead of the malware research team at Palo Alto Networks. He has extensive experience in the security industry. He has published many papers and has spoken at top security conferences including USENIX Security, the ACM Conference on Computer and Communications Security (CCS), the Annual Computer Security Applications Conference (ACSAC), and Virus Bulletin. His papers have been cited over 400 times. He earned his PhD degree in Computer Science from Penn State University.
  • Wei Xu - Palo Alto Networks
    Wei Xu is a malware research engineer at Palo Alto Networks. He received his B.S. degree and M.S. degree in Electrical Engineering from Tsinghua University, Beijing, China, in 2005 and 2007 respectively. His research interests include Web security, online privacy protection and smartphone security. Currently, he is working on the detection of malicious documents and the analysis of permission usage in Android apps. His past research projects include the early detection of worm propagation in online social networks and the detection of obfuscated malicious JavaScript code in Web pages.
