Staying ahead of Fast Flux Networks — Research Saturday
Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:23] I'd like to tell you a little bit about our sponsor, Cybrary, the people who know how to empower your security team. Cybrary is the learning and assessment tool of choice for IT and security teams at today's top companies. They deliver the kind of hands-on training fifty-five percent of enterprises say is the most important qualification when they're hiring. And once you hire, you want to retain. And Cybrary helps there too, because seventy percent of employees say professional development is a big reason for staying on board. Visit www.cybrary.it/teams, and see what they can do for your organization. Not only is it effective, it's affordable too, costing just about a twelfth of what legacy approaches to training would set you back. So contact Cybrary for a demo. That's www.cybrary.it/teams, and tell them the CyberWire sent you.
Or Katz: [00:01:20] So basically, a Fast Flux network is a network that is compiled out of many different infected machines being controlled by the same owner, the same botnet owner.
Dave Bittner: [00:01:30] That's Or Katz. He's a Principal Lead Security Researcher at Akamai. Their recently published white paper is called "Digging Deeper – An In-depth Analysis of a Fast Flux Network."
Or Katz: [00:01:41] The magic thing that happened in that given botnet is that there is constant change in the domains being associated to that botnet, and there is constant change with the IPs that are associated to those domains, part of the botnet. So in a way, when someone tries to look at the network from the outside of that given botnet, he will see a lot of changes, and actually will see some sort of polymorphism of that given network.
Dave Bittner: [00:02:11] So before we dig into some of the technical details here in your white paper, can you give us a sense for some of the history of this sort of thing?
Or Katz: [00:02:18] So basically, this kind of behavior of Fast Flux was first introduced in 2006, and ever since there are a lot of indications and a lot of research that was published on that technique. It is actually a technique being used by malicious parties in order to get botnets that are constantly changing. So there is mention of that since 2006 in a well-known malware called Storm Worm. And over the years we have seen a lot of involvement in that given technique and in the way it's being abused.
Dave Bittner: [00:02:54] Take us through your research here, what led you to explore these Fast Flux networks?
Or Katz: [00:03:00] Well, I started, and my position is to start with the data. We have a lot of data in Akamai, we can see a lot of web kind of data going through Akamai's network to many of Akamai's customers on the Web. And we can actually also see a lot of traffic going out of many enterprises, also Akamai customers, that are being protected by Akamai's Enterprise Security Threats product. These are two different points of view on, like on the landscape, on the data that goes through the Internet. And once I combined those two together, I was able to find a lot of activities that led me, at the end of the day, to finding that given Fast Flux botnet.
Dave Bittner: [00:03:42] Take us through, what were some of the activities that caught your eye?
Or Katz: [00:03:45] So when I looked into a lot of the IPs that participate with a lot of web attacks that we can see, I actually was able to see that those IP addresses are associated with many different domains, and when looking into those given domains and exploring those domains, I actually started doing a lot of pivoting and started to enlarge the amount of data that I can see, and the relation between different parts of the data.
Or Katz: [00:04:11] And in a way, I was able to reconstruct the botnet, that given Fast Flux botnet that I researched, and I was able to have a lot of evidence saying, well, I can see many of those IPs associated with web attacks, but at the same time I can also see many of the domains that are associated with those IPs that are actually part of many malware activities. So in a way, that was the beginning of the research.
Dave Bittner: [00:04:35] And so, what did you find in terms of what was going on with the IP addresses and the domains?
Or Katz: [00:04:40] So, in many cases, Fast Flux networks are being used as some sort of a hosting capability for many different malicious activities. And I was able to see a lot of activities, such as downloading of malware binaries. I was able to see all kinds of command-and-control activities, like proxying data through that Fast Flux network. I was able to see a lot of web attacks targeting many of Akamai Web Security's customers, with attacks such as SQL injection, credential abuse attacks, and scraping.
Or Katz: [00:05:12] And I was also able to see a lot of websites being hosted on that given network that, well, those websites are definitely malicious, since we were able to see those websites sell a lot of merchandise that is not supposed to be sold, such as stolen credit card numbers, stolen credentials. So in a way, looking at all those things, we were able to see that that given network is actually providing a service to a lot of bad guys doing a lot of malicious activities.
Dave Bittner: [00:05:41] And there was also a component with Domain Name Servers as well.
Or Katz: [00:05:45] So, yeah, obviously when you build such a botnet, you need to control the domain names of that botnet, and what you will have is also a nameserver. A nameserver is the component in the DNS chain that gives you the ability, by using that utility in your network, to actually manage the domains and the IPs associated to those domains. Now, if you have control of that, you can do a lot of changes, and in a way, change the domains that are being active, and replace them once they are being detected, or just replace them once a campaign becomes irrelevant. So in a way, you have IP addresses, nameservers, and domains, and the combination of those three is what's creating that Fast Flux network.
Dave Bittner: [00:06:31] Let's just talk about some of the basics here, of how this is working. So basically, the network, the fluxing part is that IP addresses and domains are being shuffled around and changed quickly to sort of stay ahead of detection. Is that a good way to describe it?
Or Katz: [00:06:48] That's a good way to describe it. Well, when we talk about malware, we need to understand that malware communicates with domain names. When you write a malware, in most cases, you will use a domain name. You don't want to use an IP address, because once you, once someone will detect that IP address, game is over.
Or Katz: [00:07:04] So the bad guys are doing the same thing that we're doing, they are giving domain names to their services. Now domain names can also be detected. Well, if you do reverse engineering on a given malware, you will have the domain name. Now, if you have some sort of an infrastructure of domain names that is constantly changing, and also the IPs that are associated to those domains are constantly changing, that creates a lot of noise and a lot of ability for the bad guy to keep being undetected, and have a very strong and stealthy infrastructure. And this is what the bad guys are trying to do with their Fast Flux networks.
Dave Bittner: [00:07:39] Can you give us an idea of the scale of this? How many IP addresses and domains are we talking about?
Or Katz: [00:07:44] So in the time frame of eight weeks observing that given network, we were able to see over 14,000 IP addresses that are associated with the network, over 100 domains, and over 20 different nameservers being associated with the network. And this was in the time frame of eight weeks. What we know today is that, when we look today at some of the data from the time that we actually conducted that research, most of the IP addresses that we saw at the time of the research are not relevant any longer. They already changed. Meaning the infected machines that, when you combine them together, are part of that network, are already not relevant. They changed those infrastructures, so they constantly change.
Dave Bittner: [00:08:30] One of the things you discovered in your research was that there was a separation between the command-and-control network and the hosting network. Can you describe that for us?
Or Katz: [00:08:39] Yes, when we started the research, when we looked at all the networks, we didn't have the knowledge to do segregation, and have the ability to differentiate what really happened on the network. And while we conducted the research, and while we progressed with the research, what we were trying to see is if there are different services being hosted, and what are the different properties, and what are the different attributes that have been associated to those different networks.
Or Katz: [00:09:06] And once we did some sort of a relation graph between different entities in the network, we suddenly were able to see that the network is actually being divided into two separate parts. One part is a part of the network that we had evidence showing that that part of the network is being used for command-and-control activities, C&C. And on the second part of the network, we were able to see a lot of other activities, such as hosting activity. As I mentioned before, hosting of web services that are illegal, hosting of malware binaries, all sort of malicious activity that are being hosted on that segment of the network.
Dave Bittner: [00:09:45] So, in terms of where these infected machines were being hosted, what was the geographical spread?
Or Katz: [00:09:52] So, what we were able to see is that the majority of the infected machines that belong to that network, or are associated with that network, are being hosted in Ukraine, Russia, and Romania. This is what we were able to see. There are other countries and other resources from different geographical locations, but the majority, the vast majority of their resources are from those countries.
Dave Bittner: [00:10:17] Now, there was a bit of misdirection here, I mean, some of the, am I correct some of the IP addresses or domains were legitimate domains from Fortune 100 companies? Is that accurate?
Or Katz: [00:10:30] Yeah. We were able to see that, for some reason we were able to see that there are, some of the IP addresses that are associated with the network are actually the IP addresses that belong to Fortune 100 companies. Now that surprised us, and we looked into those IPs and we checked it out, and we were able to see that those IPs are actually not part of the network. They are associated with the network, but they are not truly infected machines that are part of the network.
Or Katz: [00:10:56] And what we believe is the reason for seeing those IPs, is that the bad guys are trying to get the reputation of those IP addresses belonging to Fortune 100 companies. And by using those IPs as part of the network they get that reputation, that good reputation.
Or Katz: [00:11:14] Now, in terms of communication, it doesn't affect the communication of malware with the network, because once you get a DNS response from the nameserver, the botnet nameserver, you will get a list of IPs. Some of those IPs will be the IPs of the infected machines, and other IPs will be those legit IPs for those Fortune 100 companies. Now, once they fail communication with the Fortune 100 company, they will try to do communication with an infected machine. And in a way, that preserves the communication level of the network, while still having those IP addresses that are legit IPs.
Dave Bittner: [00:11:52] So what kind of malicious activity were you seeing running on this particular Fast Flux network?
Or Katz: [00:11:58] We were able to see communication to command-and-control servers. We were able to see all kinds of services being hosted on the malware. We were able to see binary files, and we verified that, obviously, that belong to well-known malware, being hosted on that network. We were able to see all kinds of websites, illegal websites being hosted on the network, websites that sell stolen credentials, or stolen credit card numbers, or offer all kinds of spying activities. And we were also able to see phishing websites. Well, we suspected those phishing websites since their names look like websites that are part of a phishing campaign, that used to be related to the network but are not currently active.
Dave Bittner: [00:12:40] Yeah, I was interested too that part of your research showed that when it came to scraping, that there was a timing factor, that they did their activities during the day.
Or Katz: [00:12:50] Yeah. We saw that, going through the data that we were able to see, that the activity of the scraping is some sort of behavior, of normal kind of behavior of users against networks. And the reason for that is that we suspect that the bad guys know that when you have web scraping activity that looks linear, or it looks like it's not changing over the hours of the day, then you will be, well, it will be easy to detect such activities. But when you behave like humans in their activities against websites, you have much more or better capabilities to remain undetected and under the radar.
Dave Bittner: [00:13:31] So what are your recommendations for people to protect themselves against these sorts of networks?
Or Katz: [00:13:36] I think that trying to look for those networks on your own is very challenging. It was very challenging for me. So I think that, in a way, you have to have a layered security in your organization. You need to have good endpoint security, you need to have great Next-Generation Firewall in your environment.
Or Katz: [00:13:54] But you should also look at all the traffic that goes out of your organization into the Internet. Try to identify malicious activity from your organization, or your home, to the Internet, that was classified as malicious, and stop that activity while it starts. And when you stop DNS traffic when you know you are going to a highly malicious website, through DNS traffic, when you stop that you stop the chain and the traffic will not go through.
Dave Bittner: [00:14:20] Do you have any sense for how many other Fast Flux networks are out there? Is this a common thing?
Or Katz: [00:14:26] It is a common thing, but I'm not sure there are a lot of such networks. Again, the level of sophistication needs to be on some sort of technical capabilities that need to be provided. But more than that, you need to have infected resources in places in the world where you will have a hard time mitigating those infected machines and solving the problems related to those infected machines.
Dave Bittner: [00:14:53] And in terms of attribution, you mentioned that the network seemed to be coming out of Russia and Ukraine. Is your sense that these are primarily being run as criminal enterprises? Is there a nation-state component? Do you have any opinions on that?
Or Katz: [00:15:08] We don't have any indication on attribution at that point for the network, so we really don't know if it's nation-state or just criminal organizations.
Dave Bittner: [00:15:17] What is your sense for the general sophistication of a network like this? Is this something that's difficult to set up, or would it be fairly routine for someone?
Or Katz: [00:15:26] I believe it's not that simple. To build such a network creates a lot of challenges. Building such networks requires a lot of skill sets, which is not trivial. You have to manage that network over time, you need to make sure that it can be sustained. So in a way, yeah, the level of sophistication is getting much higher.
Or Katz: [00:15:46] And obviously, we need to keep up the pace and make sure that we have the best solution that we can to stop those bad guys from doing those things. So obviously, we are in the cat-and-mouse kind of activity here, or kind of game, and we need to win that game.
Dave Bittner: [00:16:05] Our thanks to Or Katz from Akamai for joining us. You can check out the research paper, "Digging Deeper – An In-depth Analysis of a Fast Flux Network," on Akamai's website.
Dave Bittner: [00:16:16] And thanks again to our sponsor, Cybrary, for making this edition of Research Saturday possible. Visit www.cybrary.it/teams, and see what they can do for your organization.
Dave Bittner: [00:16:28] Don't forget to check out our CyberWire Daily News Brief and podcast, along with interviews, our glossary, and more on our website, thecyberwire.com.
Dave Bittner: [00:16:36] The CyberWire Research Saturday is proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. It's produced by Pratt Street Media. The coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.