Recently, we have seen large-scale botnets used to execute attacks rarely seen in the past. These botnets incorporate new features and have bigger capabilities. How do these botnets remain resilient to detection?

Fast Flux is a DNS technique used by botnets to hide various types of malicious activity, such as phishing, web proxying, malware delivery, and malware communication, behind an ever-changing network of compromised hosts acting as proxies. The Fast Flux network concept was first introduced in 2006, with the emergence of Storm Worm malware variants. A Fast Flux network is typically used to make the communication between malware and its command and control (C2) server more resistant to discovery.

Akamai’s research team has analyzed sophisticated botnet infrastructure that leverages Fast Flux techniques including domain, nameserver, and IP address changes. Figure 1 shows an overview of such a network, which can also be referred to as a form of bulletproof hosting, that hosts various malicious services. These networks empower threat actors to execute attack campaigns by utilizing network capabilities to host malware binaries, proxy communication to C2 servers, host phishing websites, or proxy attacks on websites across the internet.

Akamai’s high visibility into both web and enterprise traffic gives us the ability to get new and unique insights into the behavior of such Fast Flux networks.

According to our research, we were able to track a botnet that is using Fast Flux techniques with more than 14,000 IP addresses associated with it, with most of the IP addresses originating from eastern Europe. Some of the associated IP addresses are in address space that is assigned to Fortune 100 companies. These addresses are most likely used by the Fast Flux network owner as spoofed entities and are not genuine members of the Fast Flux network. This allows the botnet to inherit the reputation of the Fortune 100 companies.

This research includes an in-depth analysis of the discovered Fast Flux network, and presents:

- How network fluxing uses domains, IP addresses, and even nameservers to become resistant to discovery
- How a Fast Flux network is segregated into different subnetworks based on the malicious service offered
- How the analyzed Fast Flux network offers services such as malware communication (proxying) and hosting of malware binaries, websites that sell various stolen credentials, and phishing websites
- How web attacks such as web scraping and credential abuse go through the Fast Flux network
- How to detect and defend against such networks

While analyzing DNS communication to suspicious domains, Akamai’s Cloud Security Intelligence (CSI) platform collected data that allowed our team to identify a large-scale Fast Flux network with more than 14,000 associated IP addresses. To better detect and track such networks, we performed an in-depth analysis:

- Across various data sources, including web and DNS traffic, passive DNS, WHOIS history, Shodan.io, and malware analysis
- Using data science tools and techniques such as network graphs, similarity learning, and heatmaps

To understand the boundaries of and relations between the network entities, an undirected network graph was created (Figure 2). The graph represents the following entities and the relations between them: domains (shown in red), IP addresses (purple), and nameservers (green). The inspected network is composed of two subnetworks sharing a strong relation. These subnetworks are connected based on the similarity between the IP addresses they share, which are associated with different nameservers.

The analysis of the Fast Flux network begins with the assumption that the botnet is malicious. The nameservers’ registrant personal information (Figure 6) shows what are most likely fake identities for the alleged owners of the nameservers.

Figure 6: Example of the two Fast Flux network nameservers’ registrant personal information
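The two analysis steps described above, fast-flux indicators per domain and an undirected domain/IP/nameserver graph split into subnetworks with a nameserver similarity measure, can be reproduced on passive-DNS-style records. The following is an added example and not Akamai CSI code; the records, domain names, addresses, the /24-prefix grouping used as a stand-in for ASN lookup, and the flagging thresholds are all constructed assumptions for illustration.

```python
"""Fast-flux indicators and entity-graph analysis over constructed passive-DNS records.
Added example; not Akamai's tooling. All names, addresses and thresholds are assumptions."""
from collections import defaultdict
from itertools import combinations
from typing import Dict, List, Set, Tuple

# (domain, record type, value, TTL seconds). Constructed sample data using
# documentation address ranges and .test names; these are not real indicators.
Record = Tuple[str, str, str, int]
RECORDS: List[Record] = [
    ("flux-example.test", "A", "198.51.100.10", 60),
    ("flux-example.test", "A", "198.51.100.77", 60),
    ("flux-example.test", "A", "203.0.113.5", 60),
    ("flux-example.test", "A", "203.0.113.9", 60),
    ("flux-example.test", "A", "192.0.2.44", 60),
    ("flux-example.test", "NS", "ns1.flux-example.test", 60),
    ("flux-example.test", "NS", "ns2.flux-example.test", 60),
    ("phish-example.test", "A", "198.51.100.10", 120),
    ("phish-example.test", "A", "203.0.113.9", 120),
    ("phish-example.test", "NS", "ns1.flux-example.test", 120),
    ("proxy-example.test", "A", "192.0.2.44", 60),
    ("proxy-example.test", "A", "192.0.2.45", 60),
    ("proxy-example.test", "NS", "ns2.flux-example.test", 60),
    ("benign-example.test", "A", "192.0.2.200", 3600),
    ("benign-example.test", "NS", "ns.benign-example.test", 3600),
]


def _slash24(ip: str) -> str:
    """Crude network grouping by /24 prefix; a real pipeline would use ASN data."""
    return ".".join(ip.split(".")[:3])


def fast_flux_score(records: List[Record], domain: str, min_ips: int = 5,
                    min_prefixes: int = 3, max_ttl: int = 300) -> Dict[str, object]:
    """Flag a domain that spreads over many addresses in several networks with short TTLs.
    Thresholds are assumed values for this example, not published detection rules."""
    a_records = [(v, ttl) for d, t, v, ttl in records if d == domain and t == "A"]
    ips = {v for v, _ in a_records}
    prefixes = {_slash24(ip) for ip in ips}
    min_ttl = min((ttl for _, ttl in a_records), default=None)
    flagged = (len(ips) >= min_ips and len(prefixes) >= min_prefixes
               and min_ttl is not None and min_ttl <= max_ttl)
    return {"distinct_ips": len(ips), "distinct_prefixes": len(prefixes),
            "min_ttl": min_ttl, "flagged": flagged}


Node = Tuple[str, str]  # ("domain" | "ip" | "ns", value)


def build_graph(records: List[Record]) -> Dict[Node, Set[Node]]:
    """Undirected graph: each domain links to the IPs it resolves to and its nameservers."""
    graph: Dict[Node, Set[Node]] = defaultdict(set)
    for domain, rtype, value, _ in records:
        src = ("domain", domain)
        dst = ("ip", value) if rtype == "A" else ("ns", value)
        graph[src].add(dst)
        graph[dst].add(src)
    return graph


def subnetworks(graph: Dict[Node, Set[Node]]) -> List[Set[Node]]:
    """Connected components, largest first; each is one candidate subnetwork."""
    seen: Set[Node] = set()
    components: List[Set[Node]] = []
    for start in graph:
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:  # iterative DFS
            node = stack.pop()
            if node in component:
                continue
            component.add(node)
            stack.extend(graph[node] - component)
        seen |= component
        components.append(component)
    return sorted(components, key=len, reverse=True)


def nameserver_similarity(records: List[Record]) -> Dict[Tuple[str, str], float]:
    """Jaccard similarity of the IP sets served under each pair of nameservers."""
    domains_by_ns: Dict[str, Set[str]] = defaultdict(set)
    ips_by_domain: Dict[str, Set[str]] = defaultdict(set)
    for d, t, v, _ in records:
        if t == "NS":
            domains_by_ns[v].add(d)
        elif t == "A":
            ips_by_domain[d].add(v)
    ips_by_ns = {ns: set().union(*(ips_by_domain[d] for d in ds))
                 for ns, ds in domains_by_ns.items()}
    result: Dict[Tuple[str, str], float] = {}
    for a, b in combinations(sorted(ips_by_ns), 2):
        union = ips_by_ns[a] | ips_by_ns[b]
        result[(a, b)] = len(ips_by_ns[a] & ips_by_ns[b]) / len(union) if union else 0.0
    return result


if __name__ == "__main__":
    for dom in sorted({d for d, *_ in RECORDS}):
        print(dom, fast_flux_score(RECORDS, dom))
    comps = subnetworks(build_graph(RECORDS))
    print("subnetworks:", [len(c) for c in comps])
    for pair, score in nameserver_similarity(RECORDS).items():
        print(pair, round(score, 3))
```

Only `flux-example.test` trips the per-domain heuristic, yet the graph links `phish-example.test` and `proxy-example.test` to it through shared addresses and nameservers, which is why the graph and similarity views catch members that a per-domain check alone would miss.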