RSA sees increase in fast-flux botnets

RSA sees increase in fast-flux botnets

Summary: The security vendor claims more gangs are using fast-flux techniques to hide networks of compromised computers, but University of Cambridge researchers disagree

TOPICS: Security

Security vendor RSA has reported that it has seen an increase in the use of sophisticated techniques that hide command-and-control servers in networks of compromised computers. However, University of Cambridge researchers have disputed the claim, saying fast-flux use has remained constant over the past year.

Fast-flux is a DNS technique that distributes command-and-control by constantly reallocating the servers controlling peer-to-peer botnets. It makes those servers difficult to identify and shut down, as they "move" around the network. Fast-flux can also be associated with the allocation of proxy servers to hide static command-and-control servers in botnets.

RSA said on Monday that the technique, widely reported as being used by the controllers of the Storm botnet, is now being used by at least three other compromised networks.

"We've definitely seen an increase in the trend of using fast-flux as an attack vector," RSA director of financial services Andrew Moloney said on Monday.

RSA refused to name the botnets or the gangs involved, and said naming them would compromise its surveillance. Senior RSA researcher Uriel Maimon told that RSA had recently seen a gang using a combination of fast-flux DNS distributed command-and-control and routing all botnet traffic through proxy servers to further obfuscate the compromised networks.

However, researchers from the University of Cambridge have challenged RSA's claims, saying instead that the number of botnets using fast-flux has not increased in the past year but has remained constant.

"It has been fairly consistent for the past 12 months," said Tyler Moore, a researcher at the University of Cambridge Computer Laboratory. "We've mainly been tracking fast-flux websites used for phishing attacks but fast-flux networks are a for-hire service — people pay to host whatever they want."

The researchers had not named the botnets, instead calling them "Fast-flux 1" and so on, and had detected three "pools" using fast-flux techniques.

Read this


Special report: The top five internal security threats

What should an employer watch out for?

Read more

Moore said that he had focused his research on group phishing sites, which attempt to dupe users into divulging sensitive information, and fast-flux sites claiming to sell pharmaceutical products.

Fast-flux sites are also used to recruit and interact with "money mules", who launder the proceeds of phishing crime for phishers.

The University of Cambridge researchers track which domains links in spam emails try to resolve to. Links to fast-flux networks automatically resolve to many different IP addresses.

Moore said that use of proxies to hide command-and-control servers, a technique most widely used by the Rock Phish gang, had also remained consistent for the past year.

"We don't track them beyond the proxies," said Moore. "We leave it to SOCA and the FBI to go after Rock Phish."

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


1 comment
Log in or register to join the discussion
  • Botnets

    Are we not wasting our time by trying to fight software with software? Hackers are using our very own computers against us in much the same manor as the 9/11 terrorists. We can not eliminate the botnet epidemic we can only contain it. The only way to fight botnets is to encourage individuals to TURN THEIR COMPUTER OFF when they are not using it. If 5K members of a 10K botnet turn their computers off when they are not using them or when they are not actively searching the internet, the bot herder will only have half his usual power at a given period of time. The best way to solve a complex problem is with a simple solution...