APPENDIX A

Fast-Flux Proxy Samples

The flux agent presented in this document has advanced noticeably over the past year: it migrated away from arbitrary TCP connections used to obtain clear-text instructions, then adopted an HTTP library to download instructions, settings and binary updates, and the most recent variants receive their control settings via encoded update files. The following examples give a short historical timeline of just one fast-flux service network malware variant, the one responsible for all double-flux service networks referenced in this research. It is worth noting that we have observed evidence supporting five distinct fast-flux service networks in operation on the Internet but have not acquired malware samples for all variants to support in-depth study.


Sample: 5cbef2780c8b59977ae598775bad8ecb-weby.exe
File type(s): MS-DOS executable (EXE), OS/2 or MS Windows
Size: 51200 Bytes
Access: 2007-04-02 22:34:03.000000000 -0400
Modify: 2007-04-02 22:30:36.000000000 -0400
Change: 2007-04-02 22:34:03.000000000 -0400

MD5:  5cbef2780c8b59977ae598775bad8ecb
SHA1: 0925a54ba0366a6406d3222e65b03df0ea8cbc11

Source(s) of sample:  (Timestamps are YYYY-MM-DD hh:mm:ss EDT -0400)
[2007-04-02 22:32:27] 5cbef2780c8b59977ae598775bad8ecb - http://xxx.myexes.hk/exes/weby.exe 


Sample: 70978572bc5c4fecb9d759611b27a762-weby.exe
File type(s): MS-DOS executable (EXE), OS/2 or MS Windows
Size: 50176 Bytes
Access: 2007-03-15 02:09:03.000000000 -0400
Modify: 2007-03-09 10:51:26.000000000 -0500
Change: 2007-03-15 02:09:03.000000000 -0400

MD5:  70978572bc5c4fecb9d759611b27a762
SHA1: f8a4d881257dc2f2b2c17ee43f60144e6615994d

Source(s) of sample:  (Timestamps are YYYY-MM-DD hh:mm:ss EDT -0400)
[2007-03-15 02:06:43] 70978572bc5c4fecb9d759611b27a762 - http://xxx.myexes.hk/exes/webdlx/weby.exe


Sample: 5870fd7119a91323dbdf04ebd07d0ac7-plugin_ddos.dll
File type(s): MS-DOS executable (EXE), OS/2 or MS Windows
Size: 9728 Bytes
Access: 2007-04-02 15:39:05.000000000 -0400
Modify: 2007-03-09 23:48:17.000000000 -0500
Change: 2007-04-02 15:39:06.000000000 -0400

MD5:  5870fd7119a91323dbdf04ebd07d0ac7
SHA1: 4c4d1b3e2030e9a8f3b5c8f152ef9ac7590a96ca

Source(s) of sample:  (Timestamps are YYYY-MM-DD hh:mm:ss EDT -0400)
[2007-04-02 15:36:55] 5870fd7119a91323dbdf04ebd07d0ac7 - http://65.111.176.xxx/weby/plugin_ddos.dll


Previous incarnation:

Sample: e903534fab14ee7e00c279d64f578cbb-webyx.exe
File type(s): MS-DOS executable (EXE)
Size: 29557 Bytes
Access: 2007-02-06 15:26:03.000000000 -0500
Modify: 2007-02-02 08:47:24.000000000 -0500
Change: 2007-02-06 15:26:03.000000000 -0500

MD5:  e903534fab14ee7e00c279d64f578cbb
SHA1: cf8279c35ec7d8914f3a4ccaaa71e14e7a925b93

Source(s) of sample:  (Timestamps are YYYY-MM-DD hh:mm:ss EST -0500)
[2007-02-06 15:20:55] e903534fab14ee7e00c279d64f578cbb - http://xxx.myfiles.hk/exes/webyx.exe


Even older sample:

Sample: 88b58b62ae43f0fa42e852874aefbd01-weby.exe
File type(s): MS-DOS executable (EXE)
Size: 29425 Bytes
Access: 2007-01-20 16:29:06.000000000 -0500
Modify: 2007-01-20 05:39:22.000000000 -0500
Change: 2007-01-20 16:29:06.000000000 -0500

MD5:  88b58b62ae43f0fa42e852874aefbd01
SHA1: 6a22e1a06ced848da220301ab85be7a33867bfb5

Source(s) of sample:  (Timestamps are YYYY-MM-DD hh:mm:ss EST -0500)
[2007-01-20 16:26:12] 88b58b62ae43f0fa42e852874aefbd01 - http://xxx.myexes.hk/exes/weby.exe


A prehistoric sample of flux-agent code (according to Internet time). We first observed nodes infected with this malware in the middle of 2006, but only acquired a malware sample for analysis in November 2006:

Sample: d134894005c299c1c01e63d9012a12c6-CD373B130D74F24CA5F8F1ADECA0F6856BC6072A-dnssvc.exe
File type(s): MS-DOS executable (EXE), OS/2 or MS Windows
Size: 11264 Bytes
Access: 2006-11-14 06:39:03.000000000 -0500
Modify: 2006-11-14 06:29:14.000000000 -0500
Change: 2006-11-14 06:39:03.000000000 -0500

MD5:  d134894005c299c1c01e63d9012a12c6
SHA1: cd373b130d74f24ca5f8f1adeca0f6856bc6072a

Source(s) of sample:  (Timestamps are YYYY-MM-DD hh:mm:ss EST -0500)
[2006-11-14 06:29:44] d134894005c299c1c01e63d9012a12c6 - CD373B130D74F24CA5F8F1ADE
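As an added example (not code from this research or from the malware it describes), the following Python parses sample records written in the "Key: value" layout used above, validates each digest and the appendix's convention that a sample name starts with its own MD5, and then checks an arbitrary byte string against the index by MD5, SHA1 and size together so that a match on the collision-prone MD5 alone is reported as a conflict rather than a hit. The record text embedded in the block is copied from this appendix (three of the records); the function names and the probe bytes are assumptions of the example.

```python
"""Parse the hash records from this appendix and check a file against them.

Added example, not code from the original research. APPENDIX_RECORDS is
copied from the appendix; parse_records, build_index, match_bytes and the
probe bytes are assumptions of this example.
"""
import hashlib
import re
from dataclasses import dataclass

# Copied from the appendix, in the "Key: value" layout its records use.
APPENDIX_RECORDS = """\
Sample: 5cbef2780c8b59977ae598775bad8ecb-weby.exe
File type(s): MS-DOS executable (EXE), OS/2 or MS Windows
Size: 51200 Bytes
Access: 2007-04-02 22:34:03.000000000 -0400
Modify: 2007-04-02 22:30:36.000000000 -0400
Change: 2007-04-02 22:34:03.000000000 -0400

MD5:  5cbef2780c8b59977ae598775bad8ecb
SHA1: 0925a54ba0366a6406d3222e65b03df0ea8cbc11

Source(s) of sample:  (Timestamps are YYYY-MM-DD hh:mm:ss EDT -0400)
[2007-04-02 22:32:27] 5cbef2780c8b59977ae598775bad8ecb - http://xxx.myexes.hk/exes/weby.exe

Sample: 70978572bc5c4fecb9d759611b27a762-weby.exe
File type(s): MS-DOS executable (EXE), OS/2 or MS Windows
Size: 50176 Bytes
MD5: 70978572bc5c4fecb9d759611b27a762
SHA1: f8a4d881257dc2f2b2c17ee43f60144e6615994d

Sample: 5870fd7119a91323dbdf04ebd07d0ac7-plugin_ddos.dll
File type(s): MS-DOS executable (EXE), OS/2 or MS Windows
Size: 9728 Bytes
MD5: 5870fd7119a91323dbdf04ebd07d0ac7
SHA1: 4c4d1b3e2030e9a8f3b5c8f152ef9ac7590a96ca
"""


@dataclass(frozen=True)
class SampleRecord:
    name: str
    size: int
    md5: str
    sha1: str


# Only the fields needed for matching; "Source(s) of sample:" does not match.
_FIELD = re.compile(r"^(Sample|Size|MD5|SHA1):[ \t]*(.+?)[ \t]*$", re.M)


def parse_records(text):
    """Split the text at each 'Sample:' line and validate every record.

    Raises ValueError when a field is missing, a digest has the wrong length
    or non-hex characters, or the sample name lacks the MD5 prefix that the
    appendix's naming convention promises.
    """
    records = []
    for chunk in re.split(r"(?m)^(?=Sample:)", text):
        if not chunk.strip():
            continue
        fields = dict(_FIELD.findall(chunk))
        missing = {"Sample", "Size", "MD5", "SHA1"} - fields.keys()
        if missing:
            raise ValueError(f"record {fields.get('Sample', '?')}: missing {sorted(missing)}")
        md5, sha1 = fields["MD5"].lower(), fields["SHA1"].lower()
        if not re.fullmatch(r"[0-9a-f]{32}", md5):
            raise ValueError(f"{fields['Sample']}: bad MD5 {fields['MD5']!r}")
        if not re.fullmatch(r"[0-9a-f]{40}", sha1):
            raise ValueError(f"{fields['Sample']}: bad SHA1 {fields['SHA1']!r}")
        if not fields["Sample"].startswith(md5 + "-"):
            raise ValueError(f"{fields['Sample']}: name does not start with its MD5")
        size = int(fields["Size"].split()[0])  # "51200 Bytes" -> 51200
        records.append(SampleRecord(fields["Sample"], size, md5, sha1))
    return records


def build_index(records):
    """Key every record by both digests so that either hash alone finds it."""
    index = {}
    for rec in records:
        index[("md5", rec.md5)] = rec
        index[("sha1", rec.sha1)] = rec
    return index


def match_bytes(data, index):
    """Return the record whose MD5, SHA1 and size all agree with data, else None.

    If only one digest matches, or the size differs, that is a conflict
    (collision, truncated download, or corrupt record), not a hit.
    """
    by_md5 = index.get(("md5", hashlib.md5(data).hexdigest()))
    by_sha1 = index.get(("sha1", hashlib.sha1(data).hexdigest()))
    if by_md5 is None and by_sha1 is None:
        return None
    if by_md5 is not by_sha1:
        raise ValueError("MD5 and SHA1 point at different records: collision or corrupt record")
    if by_md5.size != len(data):
        raise ValueError(f"{by_md5.name}: size {len(data)} does not match recorded {by_md5.size}")
    return by_md5


def is_mz_executable(data):
    """True if data carries the 'MZ' header behind the 'MS-DOS executable' file type."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    index = build_index(parse_records(APPENDIX_RECORDS))
    probe = b"MZ" + bytes(62)  # constructed stand-in, not a real sample
    print(is_mz_executable(probe), match_bytes(probe, index))
```

To check a captured binary, read it with `open(path, "rb").read()` and pass the bytes to `match_bytes`; a return of `None` means no documented sample shares its digests, while a `ValueError` flags a record or file that deserves a closer look before it is treated as a known variant.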