AKAMAI WHITE PAPER

Digging Deeper – An In-Depth Analysis of a Fast Flux Network

Research Credits:

Or Katz, Principal Lead Security Researcher, Akamai

Raviv Perets, Senior Security Researcher, Akamai

Guy Matzliach, Security Researcher, Akamai



Table of Contents

Introduction

Fast Flux Network – Overview

Fluxing – Deep Dive

IP Addresses

Domains

Nameservers

Fast Flux Domains and Nameserver Correlation

Fast Flux Network – C&C Network vs. Hosting Network

Network Sources Behavior

Network Sources Geographical Information

Network Sources Open Ports

Fast Flux Network Malicious Activity

Fast Flux Network as a Platform for Malware Activity

Fast Flux Network as Illegal-market Websites Hosting Provider

Fast Flux Network as Phishing Hosting Provider

Fast Flux Network – Web Attacks

Summary

Appendix – Malware Analysis


Introduction

Recently, we have seen large-scale botnets used to execute attacks rarely seen in the past. These botnets incorporate new features and have bigger capabilities. How do these botnets remain resilient to detection?

Fast Flux is a DNS technique used by botnets to hide various types of malicious activities, such as phishing, web proxying, malware delivery, and malware communication, behind an ever-changing network of compromised hosts acting as proxies. The Fast Flux network concept was first introduced in 2006, with the emergence of Storm Worm malware variants. The Fast Flux network is typically used to make the communication between malware and its command and control server (C&C) more resistant to discovery. Akamai’s Enterprise Threat Protector (ETP) Research Team has analyzed sophisticated botnet infrastructure that leverages Fast Flux techniques including domains, nameservers, and IP address changes. Figure 1 shows an overview of such a network, which can also be referred to as a form of bulletproof hosting, that hosts various malicious services. These networks empower bad actors to execute attack campaigns by utilizing network capabilities to host malware binaries, proxy communication to C&C servers, phishing websites, or proxy attacks on websites across the Internet.

Akamai’s broad visibility into both web and enterprise traffic gave us new and unique insights into the behavior of such Fast Flux networks.

According to our research, we were able to track a botnet that is using Fast Flux techniques with more than 14,000 IP addresses associated with it, with most of the IP addresses originating from eastern Europe. Some of the associated IP addresses are in address space that is assigned to Fortune 100 companies. These addresses are most likely used by the Fast Flux network owner as spoofed entities and are not genuine members of the Fast Flux network. This allows the botnet to inherit the reputation of the Fortune 100 companies.

This research includes an in-depth analysis of the discovered Fast Flux network, and presents:

• How network fluxing uses domains, IP addresses, and even nameservers to resist discovery

• How a Fast Flux network is segregated into different sub-networks based on the malicious service offered

• How the analyzed Fast Flux network offers services such as malware communication (proxying), hosting of malware binaries, websites that sell various stolen credentials, and phishing websites

• How web attacks such as web scraping and credential abuse go through the Fast Flux network

• How to detect and defend against such networks

Figure 1: High-level architecture overview of the Fast Flux network and associated threat landscape


Fast Flux Network – Overview

While analyzing DNS communication to suspicious domains, Akamai’s Cloud Security Intelligence (CSI) platform collected data that allowed our team to identify a large-scale Fast Flux network with more than 14,000 associated IP addresses.

In order to better detect and track such networks, we performed an in-depth analysis:

• Across various data sources, including web and DNS traffic, passive DNS, WHOIS history, Shodan.io, and malware analysis

• Using data science tools and techniques such as network graphs, similarity learning, and heatmaps

In order to understand the boundaries and relations between the network entities, an undirected network graph was created (see Figure 2). The graph represents the following entities and relations between them: domains (shown in red), IP addresses (purple), and nameservers (green). The inspected network is composed of two sub-networks sharing a strong relation. These sub-networks are connected based on the similarity between their shared IP addresses associated with different nameservers.

Figure 2: Graph network of Fast Flux domains, associated IP addresses, and associated nameservers


Fluxing – Deep Dive

The primary characteristic of the Fast Flux network is that it constantly changes its domains, IP addresses, and nameservers. These changes obfuscate the true nature of the network and make it more difficult for researchers to understand and defend against.

IP Addresses

Looking at the number of IP addresses associated with the Fast Flux network over time, we observed a rapid change in the involved IP addresses. This behavior is also known as “single-flux,” where multiple individual nodes within the network register and de-register their addresses for a single DNS name. Figure 3 shows the number of IP addresses involved with the observed network daily from May 24, 2017 until June 17, 2017.

Figure 3: Number of associated IP addresses to Fast Flux network per day over time

Monitoring the Fast Flux network IP addresses rotation (by analyzing a collection of four snapshots that each represent a week of the network and the associated IP addresses) shows that an average of 75% of network IP addresses changed between snapshots. When comparing the first snapshot and the fourth snapshot, we can see that only 19% of the associated IP addresses remained the same.

Figure 4: IP addresses rotation over time


Domains

Examining IP fluxing over time, we observed that some domains alternated between active and inactive mode (a domain was considered inactive if its DNS queries received an NXDOMAIN response, indicating “non-existent domain”). The Fast Flux network activated a domain for a limited time frame, making sure that by the time the malicious activity related to that domain was spotted, a new domain could take its place and, as a result, network services remained intact.

This behavior is also known as “double-flux,” where multiple nodes within the network register and de-register their addresses as part of the DNS nameserver and the related domain name. This provides an additional layer of redundancy and survivability within the network. Following the DNS “trail” and shutting down servers used by the botnet doesn’t put an end to the larger botnet.
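As an added example (not code from the paper), the following Python computes the single-flux and double-flux indicators described above from constructed DNS snapshots: per-snapshot IP churn and first-to-last retention for the network pool, and the active/NXDOMAIN transitions of one domain. The churn and retention formulas and all sample data are this example's assumptions; the paper reports its percentages without stating how they were computed.

```python
"""Single-flux and double-flux indicators from DNS snapshots.

Added example, not code from the Akamai paper. The snapshots below are
constructed from documentation address ranges, not real observations.
"""
from statistics import mean

# Constructed weekly snapshots of the whole network's IP pool (one set
# per week), mirroring the paper's four-snapshot comparison.
WEEKLY_SNAPSHOTS = [
    {"192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"},
    {"192.0.2.4", "198.51.100.1", "198.51.100.2", "198.51.100.3"},
    {"198.51.100.3", "203.0.113.1", "203.0.113.2", "192.0.2.1"},
    {"192.0.2.1", "203.0.113.2", "203.0.113.5", "203.0.113.6"},
]

# Constructed per-day resolution log for one domain: the set of answers,
# or None when the resolver returned NXDOMAIN (domain inactive).
DOMAIN_LOG = [
    ("2017-05-24", {"192.0.2.1", "192.0.2.2"}),
    ("2017-05-25", {"192.0.2.2", "192.0.2.3"}),
    ("2017-05-26", None),
    ("2017-05-27", None),
    ("2017-05-28", {"203.0.113.9", "203.0.113.10"}),
]


def churn(prev: set, cur: set) -> float:
    """Fraction of the previous snapshot's addresses that disappeared (assumed formula)."""
    if not prev:
        return 0.0
    return len(prev - cur) / len(prev)


def average_churn(snapshots: list) -> float:
    """Mean churn across consecutive snapshot pairs (the paper's '75% changed')."""
    return mean(churn(a, b) for a, b in zip(snapshots, snapshots[1:]))


def retention(first: set, last: set) -> float:
    """Share of the first snapshot still present in the last (the paper's '19% remained')."""
    return len(first & last) / len(first) if first else 0.0


def activity_transitions(log: list) -> list:
    """Days on which a domain flipped between active and NXDOMAIN.

    Repeated flips are the 'activated for a limited time frame' pattern
    the paper describes for double-flux domains.
    """
    transitions = []
    previous = None
    for day, answers in log:
        state = "inactive" if answers is None else "active"
        if previous is not None and state != previous:
            transitions.append((day, state))
        previous = state
    return transitions


def daily_ip_counts(log: list) -> list:
    """(day, distinct answers) series, the data behind Figures 3 and 5."""
    return [(day, 0 if answers is None else len(answers)) for day, answers in log]


if __name__ == "__main__":
    print(f"average churn between snapshots: {average_churn(WEEKLY_SNAPSHOTS):.2f}")
    print(f"retention first -> last: {retention(WEEKLY_SNAPSHOTS[0], WEEKLY_SNAPSHOTS[-1]):.2f}")
    print("activity transitions:", activity_transitions(DOMAIN_LOG))
    print("daily IP counts:", daily_ip_counts(DOMAIN_LOG))
```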

Figure 5: Number of associated IP addresses per domain (Fast Flux network domains) per day over time

Figure 6: Example for the two Fast Flux network nameservers’ registrant personal information

Nameservers

We were able to see more than 15 nameservers, most registered by different entities, associated with the Fast Flux network. Over time, we observed changes in the nameservers in use, as new servers were rotated into usage. We attribute this behavior to the Fast Flux network’s need to be resilient to detection, making the nameserver an entity that is constantly changing and therefore hard to track.

The analysis of the Fast Flux network begins with the assumption that the botnet is malicious. The nameservers’ registrant personal information (see Figure 6) shows what are most likely fake identities for the alleged owners of the nameservers. When we look at the similarity between those nameservers in terms of associated IP addresses later in this paper, we can see evidence that those nameservers are strongly related. Looking at the registrant personal information, we can see that someone took the time to register those nameservers with different fake names that were associated with different countries to make them look unrelated; however, as our research above shows, these domains are strongly related.


Another indication regarding the nameservers’ authenticity can be found in their registration history: most were recently registered, indicating an emerging activity. The use of fake identities is another technique used by Fast Flux network owners to make nameservers look legitimate.

Fast Flux Domains and Nameserver Correlation

In order to visualize the strength of relationships between different domains hosted on the Fast Flux network, we created a heat map to highlight the correlations between different domains. Similarity is being represented as a factor of similar associated IP addresses of each pair of domains.

Each pair of domains has a similarity value, ranging from 0 to 1. The value of 1 represents a perfect match (i.e., the set of associated IP addresses of the first domain contains the set of IP addresses of the second domain). The heat map below is assigned with a darker blue color as the similarity value gets closer to 1.

Figure 7: Similarity heat map between different domains


Figure 8: Similarity heat map between different nameservers

Looking at the heat maps, we can see that many paired domains and nameservers have a strong relation between them. This strengthens our suspicion of fluxing behavior, where a network of compromised machines is activated by rapidly reallocating resources (represented as IP addresses) to new domains and nameservers.

A similar heat map was also created for the nameservers hosting the domains in the Fast Flux network (see Figure 8). For example, the nameserver “klyatiemoskali{.}at” shows a strong correlation with “cobby{.}at”, with a similarity rate of 0.75.
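An added example (not the paper's code) that builds the domain and nameserver similarity matrices described above from constructed passive-DNS style records. The containment ratio below is this example's reading of the paper's 0-to-1 definition (1 when the first entity's IP set contains the second's), so it is asymmetric; the domain names, nameservers and addresses are placeholders.

```python
"""Domain and nameserver similarity from shared IP addresses (Figures 7 and 8).

Added example, not the paper's code. Records are constructed.
"""
from typing import Dict, List, Set, Tuple

# Constructed passive-DNS style records: (domain, nameserver, ip).
RECORDS = [
    ("shop-a.example", "ns1.example", "203.0.113.1"),
    ("shop-a.example", "ns1.example", "203.0.113.2"),
    ("shop-a.example", "ns1.example", "203.0.113.3"),
    ("shop-a.example", "ns1.example", "203.0.113.4"),
    ("drop-b.example", "ns2.example", "203.0.113.1"),
    ("drop-b.example", "ns2.example", "203.0.113.2"),
    ("drop-b.example", "ns2.example", "198.51.100.7"),
    ("drop-b.example", "ns2.example", "198.51.100.8"),
    ("cnc-c.example", "ns3.example", "192.0.2.50"),
    ("cnc-c.example", "ns3.example", "192.0.2.51"),
    ("cnc-c.example", "ns3.example", "203.0.113.4"),
]


def group_ips(records: List[Tuple[str, str, str]], key_index: int) -> Dict[str, Set[str]]:
    """Build entity -> set of IPs, keyed by domain (index 0) or nameserver (index 1)."""
    groups: Dict[str, Set[str]] = {}
    for rec in records:
        groups.setdefault(rec[key_index], set()).add(rec[2])
    return groups


def containment(first: Set[str], second: Set[str]) -> float:
    """Share of `second`'s IPs that also appear in `first`; 1.0 means `first` contains `second`.

    This is the assumed reading of the paper's similarity definition.
    """
    if not second:
        return 0.0
    return len(first & second) / len(second)


def similarity_matrix(groups: Dict[str, Set[str]]) -> Dict[Tuple[str, str], float]:
    """Containment for every ordered pair of distinct entities; the heat-map cells."""
    names = sorted(groups)
    return {(a, b): containment(groups[a], groups[b]) for a in names for b in names if a != b}


def strongly_related(matrix: Dict[Tuple[str, str], float], threshold: float = 0.5) -> List[Tuple[str, str, float]]:
    """Pairs at or above the threshold, strongest first (the darkest cells)."""
    hits = [(a, b, s) for (a, b), s in matrix.items() if s >= threshold]
    return sorted(hits, key=lambda t: -t[2])


if __name__ == "__main__":
    domains = group_ips(RECORDS, 0)
    nameservers = group_ips(RECORDS, 1)
    for a, b, score in strongly_related(similarity_matrix(domains)):
        print(f"domain {a} ~ {b}: {score:.2f}")
    for a, b, score in strongly_related(similarity_matrix(nameservers)):
        print(f"nameserver {a} ~ {b}: {score:.2f}")
```

The constructed shop/drop pair reproduces the paper's observation of a 50% similarity between an illegal-market domain and a malware-delivery domain.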


Figure 9: Graph network of Fast Flux domains and associated IP addresses

Figure 10: Associated IP addresses C&C network

Figure 11: Associated IP addresses hosting network

Fast Flux Network – C&C Network vs. Hosting Network

In order to further investigate the initial assumption of two different sub-networks, as observed in Fast Flux Network – Overview, we created a network graph, but this time without showing the relation to the nameservers. Doing so revealed two distinct sub-networks, segregated in terms of their associated IP addresses.

Further analysis (described in Fast Flux Network Malicious Activity) of the domains that are being clustered into two different sub-networks revealed that each sub-network offers a different type of service. On the top right side (see Figure 9), we identified domains (shown in red) that are being used by malware as the communication channel to C&C servers. On the bottom left (see Figure 9), we identified domains being used for hosting malware, phishing websites, and illegal-market websites.

Network Sources Behavior


When looking at the IP addresses associated with each sub-network over a time frame of one week, we can see that the C&C sub-network is unstable (see Figure 10): both the total and the new IP addresses associated with the C&C sub-network change constantly throughout the week. Looking at the hosting sub-network (see Figure 11), we can see stability in both the total number of IP addresses and the number of new IP addresses associated per day.

Network Sources Geographical Information

When analyzing the geographical information of each network, we can see in the hosting network (see Figure 12) that the top countries include Ukraine, Romania, and Russia.

Further, most of the IP addresses belong to local Internet Service Providers (ISPs) that are typically used by household consumers and are addresses you would not expect to see hosting web services.

Figure 12: Top 10 countries hosting network

Figure 13: Top 10 countries C&C network

When looking at the C&C network (see Figure 13), we can see the United States ranked first. The “reserved” value represents private IP addresses (i.e., addresses that are used only with internal websites or intranets). Analysis of the U.S. IP addresses shows that many of them belong to Fortune 100 companies, as well as military organizations, and are probably being used as fake entries on the nameserver associated with the given domains.

The Enterprise Threat Protector security research team suspects that these IP addresses are not compromised machines and that the presence of these IP addresses on the nameserver can be explained as a technique being used by C&C network owners designed to inherit the reputation of the associated organizations. Inspection of such domains by law enforcement or security vendors can result in misleading conclusions on the nature of the domains and the associated IP addresses.
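An added example, not from the paper, of screening a domain's A-record answers for the reserved and reputation-decoy addresses described above before they are fed into a network graph, so that padded records do not distort the analysis. The reserved table, the "reputable" prefix table and the answer list are constructed placeholders; real work would derive the reputable prefixes from WHOIS/ASN data.

```python
"""Screen A-record answers for entries unlikely to be genuine Fast Flux
members: reserved/private space and address space of reputable
organisations used as decoys. Added example, not the paper's code."""
import ipaddress
from typing import Dict, List

# Special-purpose IPv4 ranges kept as an explicit table so the result does
# not depend on the Python version's is_private rules.
RESERVED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4",
)]

# Constructed placeholder: prefixes an analyst has tagged as belonging to
# organisations that would not host a proxy node (the paper's Fortune 100
# and military examples). Derive this from WHOIS/ASN data in practice.
REPUTABLE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed answer set for one domain. The 198.51.100.0/24 documentation
# range stands in for ordinary routable space in this sample.
ANSWERS = [
    "10.1.2.3", "192.168.0.9", "127.0.0.1", "0.0.0.0", "100.64.1.1",
    "203.0.113.44", "203.0.113.45", "198.51.100.17", "198.51.100.18",
]


def classify(ip_text: str) -> str:
    """Return 'reserved', 'reputation_decoy' or 'candidate' for one answer."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in RESERVED_NETWORKS):
        return "reserved"
    if any(ip in net for net in REPUTABLE_NETWORKS):
        return "reputation_decoy"
    return "candidate"


def partition(answers: List[str]) -> Dict[str, List[str]]:
    """Split answers into buckets; only 'candidate' entries belong in the graph."""
    buckets: Dict[str, List[str]] = {"reserved": [], "reputation_decoy": [], "candidate": []}
    for answer in answers:
        buckets[classify(answer)].append(answer)
    return buckets


def decoy_ratio(answers: List[str]) -> float:
    """Share of answers that are decoys. A high value is itself a signal that
    the nameserver is padding its records, as the paper suspects."""
    if not answers:
        return 0.0
    buckets = partition(answers)
    decoys = len(buckets["reserved"]) + len(buckets["reputation_decoy"])
    return decoys / len(answers)


if __name__ == "__main__":
    for bucket, members in partition(ANSWERS).items():
        print(f"{bucket}: {members}")
    print(f"decoy ratio: {decoy_ratio(ANSWERS):.2f}")
```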

Network Sources Open Ports

By looking at Shodan.io, a search engine that shares information on computers connected to the Internet, we were able to find limited evidence of open ports on both sub-networks. In the case of the hosting network, we had information on 24% of the network IP addresses, and in the case of the C&C network, on 5%. We believe that the difference in the percentage of collected port information is related to the usage of “fake” and “reserved” IP addresses in the C&C network, as seen in Network Sources Geographical Information.


Figure 14: Top 10 most used ports C&C network

Figure 15: Top 10 most used ports hosting network

While information on all botnet members’ open ports was limited, we see evidence that supports the difference between the two networks. The hosting network’s most common open ports are 80 and 443, representing the service delivered by the network: hosting of websites and malware binaries.

When analyzing the C&C sub-network (see Figure 14), we see that port 7547 is the most used port. This port is used mostly by routers that have a TR-069 management tool, and the usage shows how the same type of vulnerable devices are being used for the same goal. Such routers are known to be highly exploited and are probably used as infrastructure that acts as a proxy layer for the communication of the malware with its C&C server.

Fast Flux Network Malicious Activity

Fast Flux Network as a Platform for Malware Activity

In order to make sure, beyond any reasonable doubt, that the Fast Flux network is being used for malicious activities, we collected evidence from a variety of public sources that shows a clear relationship between the analyzed malware samples and domains hosted on the Fast Flux network.

Hosting Malware – Dropper

We were able to track down and analyze a sample of unnamed malware that is being distributed as a Word document that includes a malicious macro. Once the macro is enabled, it executes JavaScript code that accesses a domain (on the Fast Flux network) and downloads a file that contains a binary. This binary is known malware classified as a Trojan by many antivirus vendors.

We were able to see that the downloaded file (same file path) exists on several IP addresses, representing different compromised machines, also associated with the Fast Flux network.

For further reading, see Appendix – Malware analysis.


C&C

We were also able to find evidence of other malware variants that use domains associated with the Fast Flux network. Evidence from sandbox analysis of malware samples showed us that domains associated with the Fast Flux network are being used as C&C servers.

The HTTP request (see Figure 16) shows an HTTP POST request that contains exfiltrated data (encrypted) being sent from the infected sandbox machine to a domain that is being used as the C&C server.

Fast Flux Network as Illegal-market Websites Hosting Provider

We were also able to find evidence of websites whose primary purpose is to function as an illegal market being hosted on the Fast Flux network, offering merchandise such as:

• Stolen credentials for popular online retail websites

• Hacked credit card numbers with CVV

• Forums for professional hackers and carders

Figure 16: An example for C&C communication over HTTP (going through the C&C network)

Figure 17: Example of illegal-market website catalog, hosted on the hosting network


Figure 18: Web attacks by IP addresses per day over time

We can see (Figure 17) that when searching Google for one of the illegal-market domains, we were able to find the offering of that website, including stolen credentials, stolen credit cards, and spamming services.

In order to evaluate the similarity between hosting illegal-market domains and hosting malware domains, we used a similarity matrix as described in Fluxing – Deep Dive. We measured the similarity between the domain that was used for selling credit cards and a domain that was being used to deliver malware binaries. The results revealed a 50% similarity rate between the domains. This is more evidence that strengthens the relationship between the different domains being used for different services, and shows that the Fast Flux network is being used as a collection of malicious services.

Fast Flux Network as Phishing Hosting Provider

We were also able to see some domains hosted on the Fast Flux network that look like part of a phishing campaign. One was a domain starting with the name of a well-known e-commerce travel service, a common social engineering technique. Such techniques give spammed victims a feeling of confidence when they see a known e-commerce company as part of the domain name, while in practice the primary domain is not related to the e-commerce company.

Fast Flux Network – Web Attacks

Akamai’s position as a Content Delivery Network (CDN) gave us visibility into web attack traffic originating from the Fast Flux network and targeting Akamai’s customers.

We assume that several infected machines in the Fast Flux network serve a double purpose. Not only do they act as servers, they are also involved in web attacks against Akamai’s customers executing a variety of web attacks such as SQL injection, web scraping, credential abuse, and more.

According to what we can see over time, the web attacks tend to occur on a daily basis. This can be explained by the attackers’ objective to be seen as legitimate users that are active during daytime hours.


According to what we can see in the aggregation based on the attack type (see Figure 19), the majority of attacks are scraping and credential abuse. This data represents a known trend in the web application attack landscape, showing an increased volume in the attacks that abuse application functionality.

Note that at the time of writing, we couldn’t find direct evidence that indicates that the owners of the Fast Flux network also offer infrastructure or proxying capabilities for executing web attacks.

Summary

Fast Flux networks can be compared to a living organism: an organism that evolves and changes over time as part of its self-preservation mechanism. Tracking such evolving networks is nearly impossible by only looking for incriminating malicious evidence. By the time the evidence is collected, the network will already have changed.

In order to track such networks, a different approach is required. They need to be tracked based on network attributes, derived from their malicious fluctuation phenomena.

As the largest Content Delivery Network (CDN) in the world, Akamai can only appreciate, and at the same time regret, the amount of technological effort being invested in building malicious networks that are this resilient and evasive to detection.

We believe that the right approach for detecting such networks is to focus on the ever-changing behavior of the network and, as a result, use algorithms that will enable detection of such behaviors. Having visibility to a wide range of data sources such as enterprise traffic, as well as web traffic, can result in better insights on the threat landscape and can lead to improvement in detection capabilities.

Figure 19: Total number of IP addresses per attack type


Figure 20: Un-obfuscated JavaScript code that downloads malware from Fast Flux network

Figure 21: JavaScript code – execution of the downloaded file on local machine

Those techniques need to be able to look at attributes and features of such networks, understand which ones are the most relevant, and build algorithms that differentiate legitimate networks from Fast Flux networks.

During our research, Akamai was also able to spot and mitigate malicious activity originating from one of its enterprise customers, where a compromised machine was trying to download malware from one of the domains being hosted on the Fast Flux network.

Monitoring and blocking any access to such Fast Flux networks is mission critical for security teams around the world. In order to prevent infection, businesses must add another layer of protection that will eliminate the communication channel to malware or phishing websites. Doing that will help with keeping up with the next emerging threat outside your door.

Appendix – Malware Analysis

As part of the research, we were able to track down and analyze a sample of unnamed malware being distributed as a Word document that includes a malicious macro. Once the macro is enabled, it executes JavaScript code that accesses a domain (on the Fast Flux network) and downloads a file that contains a malicious binary.

JavaScript Analysis

After deobfuscating the JavaScript file, we can see an HTTP request to a domain known to be a member of the Fast Flux network, trying to download a file named “fz13.bin.”

Once the remote binary is downloaded, it is extracted from the file and executed as an “.exe” file using the WshShell object.


We were able to see that the downloaded file (same file path) exists on at least several IP addresses associated with the Fast Flux network.

VirusTotal Detection

This binary is known malware classified as a Trojan by many antivirus vendors (see Figure 21); 42 out of 60 antivirus vendors indicate it is malicious.

Figure 22: Antivirus vendors detection on VirusTotal


As the world’s largest and most trusted cloud delivery platform, Akamai makes it easier for its customers to provide the best and most secure digital experiences on any device, anytime, anywhere. Akamai’s massively distributed platform is unparalleled in scale with over 200,000 servers across 130 countries, giving customers superior performance and threat protection. Akamai’s portfolio of web and mobile performance, cloud security, enterprise access, and video delivery solutions are supported by exceptional customer service and 24/7 monitoring. To learn why the top financial institutions, e-commerce leaders, media & entertainment providers, and government organizations trust Akamai please visit www.akamai.com, blogs.akamai.com, or @Akamai on Twitter. You can find our global contact information at www.akamai.com/locations. Published 11/06.