Akamai Diversity

The Akamai Blog

Digging Deeper - An In-Depth Analysis of a Fast Flux Network (Part Four)

We suggest reading Parts One, Two, and Three before continuing with this blog post.

Fast Flux Network Malicious Activity 

Fast Flux Network as a Platform for Malware Activity 

In order to make sure, beyond any reasonable doubt, that the Fast Flux network is being used for malicious activities, we collected evidence from a variety of public sources that shows a clear relationship between the analyzed malware samples and domains being hosted on the Fast Flux network. 

 

Hosting Malware - Dropper 

We were able to track down and analyze a sample of unnamed malware that is being distributed as a Word document that includes a malicious macro. Once the macro is enabled, it executes JavaScript code that accesses a domain (on the Fast Flux network) and downloads a file that contains a binary. This binary is known malware classified as a Trojan by many antivirus vendors. 

We were able to see that the downloaded file (same file path) exists on several IP addresses, representing different compromised machines, also associated with the Fast Flux network. 

For further reading, see Appendix - Malware analysis. 

C&C  

We were also able to find evidence for other malware variants that use domains associated to the Fast Flux network. Evidence from sandboxing analysis of malware samples showed us that domains that are associated to the Fast Flux network are being used as C&C servers. 

 diggingfourteen.png

Figure 16: An example for C&C communication over HTTP (going through the C&C network)

The HTTP request (see Figure 16) shows an HTTP POST request that contains exfiltrated data (encrypted) being sent from the infected sandbox machine to a domain that is being used as the C&C server. 

Fast Flux Network as Illegal-Market Websites Hosting Provider 

We were also able to find evidence of websites whose primary purpose is to function as an illegal market being hosted on the Fast Flux network, offering merchandise such as: 

  • Stolen credentials for popular online retail websites 

  • Hacked credit card numbers with CVV 

  • Professionals hackers carders forum 

diggingfifteen.png

We can see (Figure 17) that when searching Google for one of the illegal-market domains, we were able to find the offering of that website, including stolen credentials, stolen credit cards, and spamming services. 

In order to evaluate the similarity between hosting illegal-market domains and hosting malware domains, we used a similarity matrix as described in Fluxing - Deep Dive. We measured the similarity between the domain that was used for selling credit cards and a domain that was being used to deliver malware binaries. The results revealed a 50% similarity rate between the domains. This is more evidence that strengthens the relationship between the different domains being used for different services, and shows that the Fast Flux network is being used as a collection of malicious services. 

Fast Flux Network as Phishing Hosting Provider 

We were also able to see some domains being hosted on the Fast Flux network that look like a part of a phishing campaign. One was a domain starting with a prefix of a well-known e-commerce traveling service that is most commonly used as a social engineering technique. Such techniques are being used to give spammed victims the feeling of confidence when seeing a known e-commerce company as part of the domain name, while in practice the primary domain is not related to the e-commerce company

Fast Flux Network - Web Attacks 

Akamai's position as a Content Delivery Network (CDN) gave us the visibility to web attacks traffic going out of the Fast Flux network, targeting Akamai's customers. 

We assume that several infected machines in the Fast Flux network serve a double purpose. Not only do they act as servers, they are also involved in web attacks against Akamai's customers executing a variety of web attacks such as SQL injection, web scraping, credential abuse, and more. 

diggingsixteen.pngFigure 18: Web attacks by IP addresses per day over time

According to what we can see over time, the web attacks tend to occur on a daily basis. This can be explained by the attackers' objective to be seen as legitimate users that are active during daytime hours.

diggingseventeen.png

Figure 19: Total number of IP addresses per attack type

According to what we can see in the aggregation based on the attack type (see Figure 19), the majority of attacks are scraping and credential abuse. This data represents a known trend in the web application attack landscape, showing an increased volume in the attacks that abuse application functionality.

Note that at the time of writing, we couldn't find direct evidence that indicates that the owners of the Fast Flux network also offer infrastructure or proxying capabilities for executing web attacks.

Summary

Fast Flux networks can be compared to a living organism; an organism that evolves and changes over time as part of its self-preservation mechanism. Tracking such evolving networks is nearly impossible by only looking for incriminating malicious evidence. By the time the evidence is collected, the network will already be changed.

In order to track such networks, a different approach is required. They need to be tracked based on network attributes, derived from their malicious fluctuation phenomena.

As the largest Content Delivery Network (CDN) in the world, Akamai can only appreciate and regret at the same time the amount of technological effort being invested in building such malicious networks that are resilient and evasive to detection.

We believe that the right approach for detecting such networks is to focus on the ever-changing behavior of the network and, as a result, use algorithms that will enable detection of such behaviors. Having visibility to a wide range of data sources such as enterprise traffic, as well as web traffic, can result in better insights on the threat landscape and can lead to improvement in detection capabilities.

Those techniques need to be able to look at attributes and features of such networks, understand which ones are the most relevant, and build algorithms that differentiate legitimate networks from Fast Flux networks.

During our research, Akamai was also able to spot and mitigate malicious activity originating from one of its enterprise customers, where a compromised machine was trying to download malware from one of the domains being hosted on the Fast Flux network.

Monitoring and blocking any access to such Fast Flux networks is mission critical for security teams around the world. In order to prevent infection, businesses must add another layer of protection that will eliminate the communication channel to malware or phishing websites. Doing that will help with keeping up with the next emerging threat outside your door.

To learn more about how Akamai research can help you identify emerging, advanced threats, visit akamai.com/etp

Appendix - Malware Analysis

As part of the research, we were able to track down and analyze a sample of unnamed malware being distributed as a Word document that includes a malicious macro. Once the macro is enabled, it executes JavaScript code that accesses a domain (on the Fast Flux network) and downloads a file that contains a malicious binary.

JavaScript Analysis

After deobfuscating the JavaScript file, we can see an HTTP request to a domain known to be a member of the Fast Flux network, trying to download a file named "fz13.bin."

diggingeighteen.png

Figure 20: Un-obfuscated JavaScript code that downloads malware from Fast Flux network

Once the remote binary is downloaded, it is being extracted from the file and executed as an ".exe" file using WshShell object in order to run the executable.

 diggingnineteen.png

Figure 21: JavaScript code - execution of the downloaded file on local machine

VirusTotal Detection

This binary is known malware classified as Trojan by many antivirus vendors (see Figure 21); we can see that 42 out of 60 antivirus vendors indicate it is malicious.

diggingtwenty.png

Figure 22: Antivirus vendors detection on VirusTotal

We were able to see that the downloaded file (same file path) exists on at least several IP addresses associated with the Fast Flux network.

To learn more about how Akamai research can help you identify emerging, advanced threats, visit akamai.com/etp.