Experts at Akamai have identified a running botnet of over 14,000 compromised systems used to spread malware. The botmasters implemented a technique dubbed Fast Flux to make the infrastructure hard to take down.
Threat actors using the Fast Flux technique host a domain on many IP addresses at once, switching the domain from one IP to another by changing its DNS records. The addresses are swapped in and out with very high frequency, and the records carry short TTLs so that resolvers do not keep serving a stale answer.
The Fast Flux technique was first observed in 2006 and is widely associated with the Storm Worm malware variants.
“Fast Flux, a DNS technique first introduced in 2006 and widely associated with the Storm Worm malware variants, can be used by botnets to hide various types of malicious activities – including phishing, web proxying, malware delivery, and malware communication.” reported Akamai. “The technique allows the botnet to “hide” behind an ever-changing network of compromised hosts, ultimately acting as proxies and making detection incredibly difficult.”
Experts were able to track a botnet composed of more than 14,000 IP addresses, most of them originating from eastern Europe.
The Fast Flux network works as a hosting provider for illegal websites offering merchandise such as:
The botnet was used both to host phishing websites and malware C&C servers and to carry out automated attacks such as web scraping, SQL injection, and credential abuse.
“The primary characteristic of the Fast Flux network is that the network constantly changes its domains, IP addresses, and nameservers. These changes obfuscate the true nature of the network and make it more difficult for researchers to understand and defend against.” continues the analysis.
Researchers observed that the Fast Flux network is segmented into different sub-networks according to the malicious service each one offers.
Researchers believe the devices were infected with malware that installs a proxy component on the infected hosts. Every time someone connects to a malicious site exposed by the botnet, the DNS servers return the IP of an infected host that is “hosting” the domain at that moment. The proxy component on that host then relays the incoming traffic to the real malicious site, which is hosted elsewhere, so the backend is never exposed directly.
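The rotation described above leaves a recognizable signature in DNS data: a domain that keeps returning new addresses, spread across unrelated networks, with short TTLs. The following is an added example, not code from the Akamai report or from Security Affairs, that runs a simple fast-flux heuristic over constructed passive-DNS observations. The record format, the sample data, the thresholds, and the use of the /16 prefix as a stand-in for ASN diversity are all assumptions made for the example; a real pipeline would map each address to its ASN.

```python
"""Fast-flux heuristic over passive-DNS observations (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
from statistics import mean


@dataclass(frozen=True)
class DnsObservation:
    """One A-record answer seen by a passive-DNS sensor (assumed format)."""
    ts: int       # epoch seconds the answer was observed
    qname: str    # queried domain
    rdata: str    # IPv4 address returned
    ttl: int      # TTL on the answer

# Assumed thresholds; tune against your own baseline of legitimate domains.
MIN_UNIQUE_IPS = 5        # a flux domain cycles through many hosts
MIN_UNIQUE_NETBLOCKS = 3  # spread over unrelated networks, unlike a CDN pool
MAX_MEAN_TTL = 300        # short TTLs keep resolvers from caching a stale host

# Constructed sample, not data from the report.
# flux-shop.example: new addresses in unrelated /16s every round, TTL 60,
#                    including one RFC 1918 address that cannot serve traffic.
# cdn.example: short TTL but a small, stable pool in a single netblock.
# static.example: one address, long TTL.
SAMPLE = [
    DnsObservation(1000, "flux-shop.example", "91.200.12.7", 60),
    DnsObservation(1000, "flux-shop.example", "31.41.17.200", 60),
    DnsObservation(1060, "flux-shop.example", "188.120.45.9", 60),
    DnsObservation(1060, "flux-shop.example", "10.3.4.5", 60),
    DnsObservation(1120, "flux-shop.example", "5.58.101.77", 60),
    DnsObservation(1120, "flux-shop.example", "46.118.9.3", 60),
    DnsObservation(1180, "flux-shop.example", "178.151.22.140", 60),
    DnsObservation(1180, "flux-shop.example", "193.19.33.8", 60),
    DnsObservation(1000, "cdn.example", "203.0.113.10", 30),
    DnsObservation(1000, "cdn.example", "203.0.113.11", 30),
    DnsObservation(1030, "cdn.example", "203.0.113.12", 30),
    DnsObservation(1060, "cdn.example", "203.0.113.10", 30),
    DnsObservation(1090, "cdn.example", "203.0.113.11", 30),
    DnsObservation(1000, "static.example", "198.51.100.5", 86400),
    DnsObservation(4600, "static.example", "198.51.100.5", 86400),
]


def summarize(observations):
    """Per-domain flux indicators and a verdict based on the thresholds above."""
    by_domain = defaultdict(list)
    for o in observations:
        by_domain[o.qname].append(o)

    result = {}
    for qname, obs in by_domain.items():
        ips = {o.rdata for o in obs}
        # /16 prefix as a coarse proxy for network diversity (assumption).
        netblocks = {".".join(ip.split(".")[:2]) for ip in ips}
        # Private-range answers are unreachable from the internet; they are
        # an anomaly worth reporting on their own.
        private = sorted(ip for ip in ips if ip_address(ip).is_private)

        # Churn: how many never-before-seen addresses each lookup round adds.
        rounds = defaultdict(set)
        for o in obs:
            rounds[o.ts].add(o.rdata)
        seen, fresh_counts = set(), []
        for i, ts in enumerate(sorted(rounds)):
            if i > 0:
                fresh_counts.append(len(rounds[ts] - seen))
            seen |= rounds[ts]
        churn = mean(fresh_counts) if fresh_counts else 0.0

        mean_ttl = mean(o.ttl for o in obs)
        result[qname] = {
            "unique_ips": len(ips),
            "unique_netblocks": len(netblocks),
            "mean_ttl": mean_ttl,
            "churn": churn,
            "private_ips": private,
            "fast_flux": (len(ips) >= MIN_UNIQUE_IPS
                          and len(netblocks) >= MIN_UNIQUE_NETBLOCKS
                          and mean_ttl <= MAX_MEAN_TTL),
        }
    return result


def flagged_domains(observations):
    """Sorted list of domains the heuristic marks as fast-flux."""
    return sorted(q for q, s in summarize(observations).items() if s["fast_flux"])


if __name__ == "__main__":
    for qname, s in summarize(SAMPLE).items():
        print(qname, s)
```

The netblock check is what separates a flux domain from a CDN: both rotate addresses under short TTLs, but a CDN's pool stays inside a few provider ranges, while a fast-flux network hands out compromised hosts scattered across residential and hosting networks. Feed the function real passive-DNS records and replace the /16 stand-in with an ASN lookup before relying on the verdict.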
The analysis of the botnet revealed that it was organized in two separate sub-networks, a hosting sub-network and a C&C sub-network.
Experts noticed that most hosts in the hosting sub-network were located in Ukraine, Romania, and Russia. The composition of the C&C sub-network was very different.
The C&C sub-network included addresses from private ranges, such as 10.x.x.x and 192.168.x.x, as well as addresses belonging to Fortune 100 companies and military organizations. Private-range addresses are not routable on the internet, so DNS answers pointing to them cannot serve outside traffic; their presence in the data is itself a useful indicator when hunting for this kind of network.
The analysis of the exposed ports for all IPs shows that most of the hosting network had ports 80 and 443 exposed, while most of the C&C sub-network had port 7547 exposed.
Port 7547 is used by the TR-069 (CWMP) remote-management protocol of consumer routers and modems, and such devices are suspected to make up a good portion of the botnet.
According to Akamai, Fast Flux botnets can be compared to a living organism that evolves over time to preserve itself; the experts will continue to monitor its evolution.
(Security Affairs – Fast Flux botnet, malware)