MySpace incident illustrates dangers of ever-changing fast flux malware delivery networks.
In June, ScanSafe reported a high-profile malware outbreak that used “fast flux” (aka flux bot) networks to seed a Web-based attack. Fast flux is used to hide malware delivery sites behind complex, ever-changing networks of proxy servers. A system infected with a flux bot will be used as one of these proxies.
On June 28, ScanSafe identified fast flux being used to spread malware on MySpace. A Flash movie installed on several compromised MySpace pages led users to a spoofed MySpace login page. The login page hosts a number of exploits that download malware, and it attempts to make the user log in to MySpace so that their credentials can be stolen and their MySpace page can then be updated to host malware. ScanSafe estimates that nearly 100,000 MySpace accounts may have been affected.
Fast flux networks represent a disturbing advance in the development and use of bot networks—networks of compromised “zombie” PCs used to spread malware. Unlike traditional bots, which use IRC servers, PCs compromised by fast flux networks serve as temporary hosts for malicious Websites. These hosting bots are constantly rotated, changing their DNS records to avoid detection. ScanSafe anticipates that fast flux networks will increasingly be used to seed malware.
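
A defender-side view of how that rotation shows up in DNS data, as an added example that is not from ScanSafe or the original article: it scans passive-DNS observations for a hostname whose A records cycle through many addresses on unrelated networks with short TTLs. The sample records, the `.example` hostnames and every threshold are constructed assumptions, and a match is a lead for review rather than a verdict, since load-balanced sites also rotate addresses.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed passive-DNS sample: (seconds, hostname, A record, TTL).
# Reserved .example names and documentation/shared address space only.
OBSERVATIONS = [
    (0,    "login-portal.example", "198.51.100.7",   120),
    (180,  "login-portal.example", "203.0.113.44",   120),
    (360,  "login-portal.example", "192.0.2.19",     120),
    (540,  "login-portal.example", "100.64.12.9",    120),
    (720,  "login-portal.example", "198.51.100.201", 120),
    (900,  "login-portal.example", "203.0.113.5",    120),
    (0,    "static-site.example",  "192.0.2.80",     86400),
    (1800, "static-site.example",  "192.0.2.80",     86400),
    (0,    "balanced.example",     "198.51.100.10",  60),
    (300,  "balanced.example",     "198.51.100.11",  60),
    (600,  "balanced.example",     "198.51.100.12",  60),
    (900,  "balanced.example",     "198.51.100.13",  60),
    (1200, "balanced.example",     "198.51.100.14",  60),
]

def flux_candidates(observations, window=3600, min_ips=5, min_nets=3, max_ttl=300):
    """Return hostnames whose A records rotate like a fast flux proxy pool.

    All thresholds are illustrative assumptions, not published values.
    """
    per_host = defaultdict(list)
    for ts, host, ip, ttl in observations:
        per_host[host.lower().rstrip(".")].append((ts, ip_address(ip), ttl))

    flagged = {}
    for host, rows in per_host.items():
        rows.sort(key=lambda r: r[0])
        best = None
        # Slide a window over the observations and keep the busiest match.
        for i, (t0, _, _) in enumerate(rows):
            win = [r for r in rows[i:] if r[0] - t0 <= window]
            ips = {r[1] for r in win}
            # Distinct /16 prefixes: rough proxy for "unrelated networks" (IPv4).
            nets = {int(ip) >> 16 for ip in ips}
            ttl = max(r[2] for r in win)
            if len(ips) >= min_ips and len(nets) >= min_nets and ttl <= max_ttl:
                if best is None or len(ips) > best["ips"]:
                    best = {"ips": len(ips), "nets": len(nets), "max_ttl": ttl}
        if best:
            flagged[host] = best
    return flagged

if __name__ == "__main__":
    for host, stats in flux_candidates(OBSERVATIONS).items():
        print(host, stats)
```

The network-diversity check is what separates the rotating pool of scattered compromised PCs from `balanced.example`, which rotates just as often but stays inside one address block.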