Authors: Or Katz, Principal Lead Security Researcher, Akamai; Raviv Perets, Senior Security Researcher, Akamai; Guy Matzliach, Security Researcher, Akamai
Recently, we have seen large-scale botnets used to execute attacks rarely seen in the past. These botnets incorporate new features and have greater capabilities. How do these botnets remain resilient to detection?
Fast Flux is a DNS technique used by botnets to hide various types of malicious activity, such as phishing, web proxying, malware delivery, and malware communication, behind an ever-changing network of compromised hosts acting as proxies. The Fast Flux network concept was first introduced in 2006, with the emergence of Storm Worm malware variants. A Fast Flux network is typically used to make the communication between malware and its command and control (C&C) server more resistant to discovery. Akamai's Enterprise Threat Protector (ETP) Research Team has analyzed sophisticated botnet infrastructure that leverages Fast Flux techniques, including domain, nameserver, and IP address changes. Figure 1 shows an overview of such a network, which can also be regarded as a form of bulletproof hosting, that hosts various malicious services. These networks empower bad actors to execute attack campaigns by using the network to host malware binaries and phishing websites, proxy communication to C&C servers, or proxy attacks on websites across the Internet.
Akamai's high visibility into both web and enterprise traffic gave us the ability to gain new and unique insights into the behavior of such Fast Flux networks.
Our research tracked a botnet using Fast Flux techniques with more than 14,000 IP addresses associated with it, most of them originating from Eastern Europe. Some of the associated IP addresses are in address space assigned to Fortune 100 companies. These addresses are most likely used by the Fast Flux network owner as spoofed entities and are not genuine members of the Fast Flux network; this allows the botnet to inherit the reputation of those Fortune 100 companies.
This research includes an in-depth analysis of the discovered Fast Flux network, and presents:
How network fluxing uses domains, IP addresses, and even nameservers to become resistant to discovery
How a Fast Flux network is segregated into different sub-networks based on the malicious service offered
How the analyzed Fast Flux network offers services such as malware communication (proxying), hosting of malware binaries, websites that sell various stolen credentials, and phishing websites
How web attacks such as web scraping and credential abuse go through the Fast Flux network
How to detect and defend against such networks
Figure 1: High-level architecture overview of the Fast Flux network and associated threat landscape
Fast Flux Network - Overview
While analyzing DNS communication to suspicious domains, Akamai's Cloud Security Intelligence (CSI) platform collected data that allowed our team to identify a large-scale Fast Flux network with more than 14,000 associated IP addresses.
To better detect and track such networks, we performed an in-depth analysis:
Across various data sources, including web and DNS traffic, passive DNS, WHOIS history, Shodan.io, and malware analysis
Using data science tools and techniques such as network graphs, similarity learning, and heatmaps
To understand the boundaries of and relations between the network entities, we created an undirected network graph (see Figure 2). The graph represents the following entities and the relations between them: domains (shown in red), IP addresses (purple), and nameservers (green). The inspected network is composed of two sub-networks that share a strong relation: they are connected through shared IP addresses that are associated with different nameservers.
Figure 2: Graph network of Fast Flux domains, associated IP addresses, and associated nameservers
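The graph analysis described above, as an added example that is not code from the Akamai post: constructed passive-DNS rows (hypothetical domains, nameservers, and documentation-range IPs) are turned into the undirected domain/IP/nameserver graph, split into sub-networks, and scanned for the shared IPs that sit under different nameservers and so link two sub-networks.

```python
"""Added example (not code from the Akamai post): build the undirected
domain/IP/nameserver graph described above from constructed passive-DNS rows."""
from collections import defaultdict

# Constructed sample passive-DNS rows: (domain, type, value). Names are
# hypothetical; addresses come from the RFC 5737 documentation ranges.
PDNS_RECORDS = [
    ("shop-login.example", "A", "203.0.113.77"),
    ("shop-login.example", "A", "198.51.100.5"),
    ("shop-login.example", "NS", "ns1.flux-ns.example"),
    ("bank-verify.example", "A", "203.0.113.77"),
    ("bank-verify.example", "A", "198.51.100.9"),
    ("bank-verify.example", "NS", "ns1.flux-ns.example"),
    ("proxy-node.example", "A", "198.51.100.5"),
    ("proxy-node.example", "NS", "ns2.flux-ns.example"),
    ("static-site.example", "A", "192.0.2.8"),
    ("static-site.example", "NS", "ns.legit-dns.example"),
]

def build_graph(records):
    """Join each domain to every IP (A) and nameserver (NS) seen with it."""
    adj = defaultdict(set)
    for domain, _rtype, value in records:
        adj[domain].add(value)
        adj[value].add(domain)
    return adj

def connected_components(adj):
    """The graph's sub-networks, as sorted lists of node names."""
    unvisited, comps = set(adj), []
    while unvisited:
        comp, stack = set(), [unvisited.pop()]
        while stack:
            node = stack.pop()
            comp.add(node)
            stack.extend(adj[node] - comp)
        unvisited -= comp
        comps.append(sorted(comp))
    return sorted(comps)

def bridging_ips(records):
    """IPs seen under domains served by different nameservers (the post's link between sub-networks)."""
    ns_of, ips_of = defaultdict(set), defaultdict(set)  # both keyed by domain
    for domain, rtype, value in records:
        (ns_of if rtype == "NS" else ips_of)[domain].add(value)
    ns_by_ip = defaultdict(set)
    for domain, ips in ips_of.items():
        for ip in ips:
            ns_by_ip[ip] |= ns_of[domain]
    return sorted(ip for ip, ns in ns_by_ip.items() if len(ns) > 1)
```

On the sample rows the three flux domains and both flux nameservers fall into one component, the static site into another, and 198.51.100.5 is the only IP reachable from domains under two different nameservers.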
Continue reading about the primary characteristics of Fast Flux networks in Part Two.