转自:http://ytuwlg.iteye.com/blog/355718
通过病毒邮件和欺诈网站学到的对付网络封锁的好东西:Fast Flux技术
收到一封邮件,引起我的好奇了:
邮件标题是:Has it really happened?
邮件正文很短": Damned terrorists!!! http://iopbg.goodnewsdigital.com/contact.php
点开一看:内容是:
Powerful explosion burst in Changsha this morning.
At least 12 people have been killed and more than 40 wounded in a bomb blast near market in Changsha. Authorities suggested that explosion was caused by "dirty" bomb. Police said the bomb was detonated from close by using electric cables. "It was awful" said the eyewitness about blast that he heard from his shop. "It made the floor shake. So many people were running"
Until now there has been no claim of responsibility.
You need the latest Flash player to view video content. Click here to download.
Related Links:
http://en.wikipedia.org/wiki/Dirty_bomb
http://www.google.com/search?q=Changsha+terror+attack
大意就是说长沙受到恐怖袭击了,还晒煞有介事的提供一个“脏弹”的维基百科链接,但问题是,中间那个图片和“Click here”是指向的一个EXE文件的链接,有高手能够反编译一下那个EXE文件么?我想知道这个有组织有预谋的陷阱是谁设置的,想知道是哪个有钱人搞的。
刚才把这个病毒上传到virustotal了,结果是 https://www.virustotal.com/analisis/986833dbe078295b04885e9eb5cd5a88
我为什么说这个欺诈邮件是“有组织有预谋的陷阱”呢?让我们来调查一下:
C:\>nslookup iopbg.goodnewsdigital.com
服务器: registerlafonera.fon.com
Address: 192.168.10.1:53
非权威应答:
名称: iopbg.goodnewsdigital.com
Address: 96.32.70.105
C:\>nslookup iopbg.goodnewsdigital.com
服务器: registerlafonera.fon.com
Address: 192.168.10.1:53
非权威应答:
名称: iopbg.goodnewsdigital.com
Address: 76.100.243.204
C:\>nslookup iopbg.goodnewsdigital.com
服务器: registerlafonera.fon.com
Address: 192.168.10.1:53
非权威应答:
名称: iopbg.goodnewsdigital.com
Address: 67.183.201.90
C:\>nslookup iopbg.goodnewsdigital.com
服务器: registerlafonera.fon.com
Address: 192.168.10.1:53
非权威应答:
名称: iopbg.goodnewsdigital.com
Address: 89.215.17.167
C:\>nslookup iopbg.goodnewsdigital.com
服务器: registerlafonera.fon.com
Address: 192.168.10.1:53
非权威应答:
名称: iopbg.goodnewsdigital.com
Address: 68.51.31.108
C:\>
这段DNS查询显示iopbg.goodnewsdigital.com有无数的IP,每个独立的IP都是可以直接访问的IP,IP地址果然是不断变化的,能识我的IP
所在的城市显示不同的内容,已经查到有9个IP了,每个IP都能直接访问,显示同样的内容。
http://89.215.17.167/main.php
http://68.51.31.108/main.php
http://67.183.201.90/main.php
http://76.100.243.204/main.php
http://96.32.70.105/main.php
http://67.163.159.63/main.php
http://69.247.85.44/main.php
http://72.241.82.41/main.php
http://71.57.67.175/main.php
http://24.14.118.126/main.php
我用Nslookup查,发现iopbg.goodnewsdigital.com的A记录的time to live(TTL)是0秒,也就是说,
这个域名的A记录是不缓存的,
然后查询了很多次,去掉重复的,这个iopbg.goodnewsdigital.com至少有25个IP,我还不知道这这些IP是肉鸡还
是某幕后组织亲自花钱买的IP:
208.120.85.40
24.4.148.160
64.194.71.148
66.168.217.225
67.163.213.245
68.36.175.10
68.46.249.189
68.57.189.195
69.146.242.207
69.242.22.235
69.247.85.44
69.248.156.235
71.226.237.56
72.138.2.127
72.24.114.230
72.241.82.41
76.100.243.204
76.92.65.155
85.28.124.2
89.139.202.194
89.29.140.76
89.78.198.19
96.10.57.207
98.195.51.11
99.140.165.64
网上查询了一下,原来这就是 Fast Flux技术,这里有更详细的介绍,http://www.honeynet.org/papers/ff/
可惜全是英文,我看这这里的介绍就明白是怎么回事了:
Fast flux hosting 是指网络罪犯用于逃避侦测的技术, 网络罪犯可借此迅速修改 IP 地址和/或域名服务器。
来源:http://www.icann.org/zh/topics/policy/update-dec08-zh.htm#10
图片来自:http://www.honeynet.org/node/134
原来只要把域名的A记录的 TTL 改短一点甚至改为0秒,然后用上无数肉机作为反向代理,这就是Fast flux了啊。
网上还有文章说:
Fast-flux 基本上是 load-balancing 的新花樣。它是一種依序循環式(round-robin)的方法,在此受到感染的 bot 機器(通常是家庭電腦)成了proxies 或惡意網站的主機。這些電腦會不斷地輪流改變它們的 DNS 紀錄以避免被研究者、ISPs 或執法單位查獲。
此技術的目的是讓基於 IP 封鎖清單的方法在預防攻擊上變得英雄無用武之地,
from: http://www.wretch.cc/blog/fsj/8106356