Dell SecureWorks Counter Threat Unit security researcher Joe Stewart uncovered a burgeoning botnet that uses the rare fast-flux method to stay operational and escape detection. Stewart recently demonstrated a sample of the botnet's malware that he reverse-engineered, with evidence that the botnet uses fast-flux. Fast-flux is a round-robin tactic in which compromised bot machines serve as proxies or hosts for malicious sites and are constantly rotated: the DNS records that point to those sites are changed rapidly, so researchers cannot pin down and take down the hosting infrastructure.
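The rotation described above leaves a visible trace in DNS: one name resolves to many unrelated addresses with short TTLs. The following heuristic detector over constructed resolver log lines is an added example, not code from the article or from SecureWorks; the log format, the thresholds and the sample records are assumptions, and the rule of thumb (many distinct A records spread across many networks, all with low TTLs) is a common, simplified fast-flux indicator.

```python
"""Heuristic fast-flux detector over constructed DNS resolution logs.
Added example, not from the article; log format, thresholds and sample
records are assumptions, the heuristic is a common rule of thumb."""
from collections import defaultdict

# Constructed sample log lines: "<epoch> <qname> <ttl> <a_record>"
SAMPLE_LOG = """\
1000 cdn.example.net 3600 203.0.113.10
1300 cdn.example.net 3600 203.0.113.11
1600 cdn.example.net 3600 203.0.113.10
1000 flux.example.org 120 198.51.100.7
1120 flux.example.org 120 192.0.2.45
1240 flux.example.org 120 203.0.113.200
1360 flux.example.org 120 100.64.5.9
1480 flux.example.org 120 172.16.9.1
"""

def parse_log(text):
    """Group (ttl, ip) observations by queried name."""
    obs = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            _ts, qname, ttl, ip = line.split()
            obs[qname].append((int(ttl), ip))
    return obs

def slash16(ip):
    """Coarse network key: first two octets of a dotted-quad IPv4."""
    return ".".join(ip.split(".")[:2])

def flux_metrics(records):
    """Per-name counters: lookups, distinct IPs, distinct /16s, highest TTL."""
    ips = {ip for _, ip in records}
    return {"lookups": len(records), "unique_ips": len(ips),
            "unique_nets": len({slash16(ip) for ip in ips}),
            "max_ttl": max(ttl for ttl, _ in records)}

def is_fast_flux(m, min_ips=5, min_nets=3, max_ttl=300):
    """Assumed thresholds: low TTL and many IPs spread over many networks."""
    return (m["unique_ips"] >= min_ips and m["unique_nets"] >= min_nets
            and m["max_ttl"] <= max_ttl)

def find_fast_flux(text):
    """Names in the log whose resolution pattern looks fast-flux, sorted."""
    return sorted(name for name, recs in parse_log(text).items()
                  if is_fast_flux(flux_metrics(recs)))
```

Legitimate CDNs and round-robin load balancers also use low TTLs and many addresses, so in practice a hit like this is corroborated with ASN diversity and ownership of the address space before it is treated as a botnet indicator.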
The now-extinct Storm and Warezov/Stration botnets were the first major ones to incorporate fast-flux, but the technique has remained rare despite researchers' concerns that this evasion method would become a trend. That is because an additional level of expertise and effort is needed to design a botnet this way, Stewart says. He uncovered the first signs of the fast-flux botnet, nicknamed Wibimo, while working on a study of spamming botnets. "I don't think it's [a] huge [botnet]," he says. "But it feels like a new botnet: It doesn't mesh with what we've seen" with existing botnets.