
The Akamai Blog

Digging Deeper - An In-Depth Analysis of a Fast Flux Network (Part Three)

We suggest reading Parts One and Two before continuing with this blog post.

Fast Flux Network - C&C Network vs. Hosting Network 

To further investigate the initial assumption of two different sub-networks, as observed in Fast Flux Network - Overview, we created a network graph, this time without showing the relation to the nameserver. The graph shows two distinct sub-networks, segregated in terms of associated IP addresses.

 


Figure 9: Graph network of Fast Flux domains and associated IP addresses

Further analysis (described in Fast Flux Network Malicious Activity) of the domains clustered into the two sub-networks revealed that each sub-network offers a different type of service. On the top right side (see Figure 9), we identified domains (shown in red) that are being used by malware as the communication channel to C&C servers. On the bottom left (see Figure 9), we identified domains being used for hosting malware, phishing websites, and illegal-market websites.

Network Sources Behavior

Figure 10: Associated IP addresses C&C network



Figure 11: Associated IP addresses hosting network

When looking at the C&C network (see Figure 13), we can see the United States ranked first. The "reserved" value represents private IP addresses (i.e., addresses that are used only with internal websites or intranets). Analysis of the U.S. IP addresses shows that many of them belong to Fortune 100 companies, as well as military organizations, and are probably being used as fake entries on the nameserver associated with the given domains.

The Enterprise Threat Protector security research team suspects that these IP addresses are not compromised machines and that the presence of these IP addresses on the nameserver can be explained as a technique being used by C&C network owners designed to inherit the reputation of the associated organizations. Inspection of such domains by law enforcement or security vendors can result in misleading conclusions on the nature of the domains and the associated IP addresses. 

Network Sources Geographical Information 

When analyzing the geographical information of each network, we can see in the hosting network (see Figure 12) that the top countries include Ukraine, Romania, and Russia. 

Further, most of the IP addresses belong to local Internet Service Providers (ISPs) that are typically used by household consumers and are addresses you would not expect to see hosting web services. 


Network Sources Open Ports 

By looking at Shodan.io, a search engine that shares information on computers that are connected to the Internet, we were able to find limited evidence of open ports on both sub-networks. In the case of the hosting network, we had information on 24% of the network IP addresses, and in the case of the C&C network, on 5% of the network IP addresses. We believe that the difference in the percentage of collected port information is related to the usage of "fake" and "reserved" IP addresses in the C&C network, as seen in Network Sources Geographical Information.

When looking at the IP addresses associated with each sub-network over the time frame of one week, we can see that the C&C sub-network is unstable (see Figure 10). Both the total number of IP addresses and the number of new IP addresses associated with the C&C sub-network change constantly throughout the week. Looking at the hosting sub-network (see Figure 11), we can see stability in both the total number of IP addresses and the number of new IP addresses associated per day.
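The sub-network split and the per-day IP comparison described above, as an added example (not Akamai's code): it groups domains into sub-networks by shared IP addresses, then counts total and new IP addresses per day for each group. The observation tuples, domain names and addresses are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed passive-DNS sample: (day, domain, A record). Names use the
# reserved .example TLD; addresses come from documentation ranges.
OBSERVATIONS = [
    (1, "shop-a.example", "198.51.100.1"), (1, "shop-b.example", "198.51.100.1"),
    (1, "shop-b.example", "198.51.100.2"), (2, "shop-a.example", "198.51.100.2"),
    (2, "shop-b.example", "198.51.100.1"), (3, "shop-a.example", "198.51.100.1"),
    (3, "shop-b.example", "198.51.100.2"),
    (1, "cc-a.example", "203.0.113.1"), (1, "cc-b.example", "203.0.113.1"),
    (2, "cc-a.example", "203.0.113.2"), (2, "cc-b.example", "203.0.113.2"),
    (2, "cc-b.example", "203.0.113.3"), (3, "cc-a.example", "203.0.113.3"),
    (3, "cc-a.example", "203.0.113.4"), (3, "cc-b.example", "203.0.113.5"),
]

def split_subnetworks(observations):
    """Group domains into sub-networks: domains sharing any IP land together."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x
    for _day, domain, ip in observations:
        parent[find(("d", domain))] = find(("ip", ip))  # union domain with its IP
    groups = defaultdict(set)
    for node in list(parent):
        if node[0] == "d":
            groups[find(node)].add(node[1])
    return sorted(sorted(g) for g in groups.values())

def daily_churn(observations, domains):
    """Return {day: (total_ips, new_ips)} for the given set of domains."""
    by_day = defaultdict(set)
    for day, domain, ip in observations:
        if domain in domains:
            by_day[day].add(ip)
    seen, stats = set(), {}
    for day in sorted(by_day):
        stats[day] = (len(by_day[day]), len(by_day[day] - seen))  # new = never seen before
        seen |= by_day[day]
    return stats

if __name__ == "__main__":
    for domains in split_subnetworks(OBSERVATIONS):
        print(domains, daily_churn(OBSERVATIONS, set(domains)))
```

In the constructed sample, the `shop-*` group keeps reusing the same two addresses after day one, while the `cc-*` group keeps adding addresses every day, which is the stable versus unstable pattern the text describes.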

While information on all botnet members' open ports was limited, we see evidence that supports the difference between the two networks. The hosting network's most common open ports are ports 80 and 443, representing the service being delivered by the network: hosting of websites and malware binaries.


When analyzing the C&C sub-network (see Figure 14), we see that port 7547 is the most used port. This port is used mostly by routers that have a TR-069 management tool, and the usage shows how the same type of vulnerable devices are being used for the same goal. Such routers are known to be highly exploited and are probably used as infrastructure that acts as a proxy layer for the communication of the malware with its C&C server. 

Continue reading more about types of Fast Flux network malicious activity in Part Four.