CyberWire Daily - Staying ahead of Fast Flux Networks. [Research Saturday]
Episode Date: December 2, 2017
Bad actors are using fast flux networks with quickly-changing IP addresses and domain names to help hide their activities. Or Katz, Principal Lead Security Researcher at Akamai, takes us through their recently-published white paper, "Digging Deeper — An In-Depth Analysis of a Fast Flux Network."
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs,
yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs
that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your
security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making
apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps,
not the entire network, continuously verifying every request based on identity and context.
Simplifying security management with AI-powered automation.
And detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
So basically, a fast flux network is a network that is compounded out of many different infected machines being controlled by the same owner, the same botnet owner.
That's Or Katz. He's a principal lead security researcher at Akamai. Their recently published white paper is called "Digging Deeper: An In-Depth Analysis of a Fast Flux Network."
The magic thing that happens in that given botnet is that there is constant change in the domains being associated with that botnet, and there is a constant change in the IPs that are associated with those domains, part of the botnet. So in a way, when someone tries to look at the network from the outside, at that given botnet, you will see a lot of changes and actually will see some sort of polymorphism of that given network.
So before we dig into some of the technical details here in your white paper, can you give us a sense of some of the history of this sort of thing?
So basically, this kind of behavior of fast flux was first introduced in 2006. And ever since, there's a lot of indication and a lot of research that was published on that technique. It is actually a technique being used by malicious parties in order to get botnets that are constantly changing. So there's mention of that since 2006 in a well-known malware called Storm Worm. And over the years, we have seen a lot of involvement in that given technique and in the way it's being abused.
Take us through your research here. What led you to explore these fast flux networks?
Well, I started, and my position is to start with the data. We have a lot of data in Akamai. We can see a lot of web kind of data going through the Akamai network to many of Akamai's customers on the web. And we can actually also see a lot of traffic going out of many enterprises, also Akamai customers, that are being protected by Akamai's enterprise security threat product. These are two different points of view on the landscape, on the data that goes through the internet. And once I combined those two together, I was able to find a lot of activities that led me, at the end of the day, to finding that given fast flux botnet.
Take us through what were some of the activities that caught your eye.
So when I looked into a lot of the IPs that participate in a lot of the web attacks that we can see, I actually was able to see that those IP addresses are associated with many different domains. And when looking into those given domains and exploring those domains, I actually started doing a lot of pivoting and started to enlarge the amount of data that I can see and the relations between different parts of the data. And in a way, I was able to reconstruct the botnet, that given fast flux botnet that I researched, and I was able to have a lot of evidence saying, well, I can see many of those IPs associated with web attacks, but at the same time, I can also see many of the domains that are associated with those IPs that are actually part of many malware activities. So in a way, that was the beginning of the research.
And so what did you find in terms of what was going on with the IP addresses and the domains?
So in many cases, fast flux networks have been used as some sort of hosting capability for many different malicious activities. And I was able to see a lot of activities such as downloading of malware binaries. I was able to see all kinds of command and control activities, like proxying data through that fast flux network. I was able to see a lot of web attacks targeting many of Akamai's web security customers with attacks such as SQL injection, credential abuse attacks, and scraping. And I was also able to see a lot of websites being hosted on that given network that, well, those websites are definitely malicious, since we were able to see those websites sell a lot of merchandise that is not supposed to be sold, such as stolen credit card numbers, stolen credentials. So in a way, looking at all those things, we were able to see that that given network is actually providing a service to a lot of bad guys doing a lot of malicious activities.
And there was also a component with domain name servers as well.
So yeah, obviously, when you build such a botnet, you need to control the domain names of that botnet. And what you will have is also a name server. A name server is the component in the DNS chain that gives you the ability, by using that utility in your network, to actually manage the domains and the IPs associated with those domains. Now, if you have control of that, you can do a lot of changes and, in a way, change the domains that are active, replacing them once they are detected or just replacing them once a campaign becomes irrelevant. So in a way, you have IP addresses, name servers, and domains. And the combination of those three is what creates that fast flux network.
Let's just talk about some of the basics here of how this is working. So basically, the network, the fluxing part, is that IP addresses and domains are being shuffled around and changed quickly to sort of stay ahead of detection. Is that a good way to describe it?
That's a good way to describe it. Well, when we talk about malware, we need to understand that malware communicates with domain names. When you write malware, in most cases, you will use a domain name. You don't want to use an IP address, because once someone detects that IP address, game is over. So the bad guys are doing the same thing that we are doing. They are giving domain names to their services. Now, domain names can also be detected. Well, if you do reverse engineering on a given malware, you will have the domain name. Now, if you have some sort of infrastructure of domain names that is constantly changing, and also the IPs that are associated with those domains are constantly changing, that creates a lot of noise and a lot of ability for the bad guy to keep being undetected and have a very strong and stealthy infrastructure. And this is what the bad guys are trying to do with the fast flux networks.
Can you give us an idea of the scale of this? How many IP addresses and domains are we talking about?
So in the time frame of eight weeks observing that given network, we were able to see over 14,000 IP addresses that are associated with the network, over 100 domains, and over 20 name servers, different name servers, being associated with the network. And when we look today at some of the data from the time that we actually conducted that research, most of the IP addresses that we saw at the time of the research are not relevant any longer. They already changed. Meaning the infected machines that, when you combine them together, are part of that network are already not relevant. They changed those infrastructures. So they constantly change.
One of the things you discovered in your research was that there was a separation between the command and control network and the hosting network. Can you describe that for us?
Yes, when we started the research, when we looked at the whole network, we didn't have the knowledge to do segregation and have the ability to differentiate what really happened on the network. And while we conducted the research and while we progressed with the research, what we were trying to see is if there are different services being hosted and what are the different properties and what are the different attributes that are associated with those different networks. And once we did some sort of relation graph between different entities in the network, we suddenly were able to see that the network is actually divided into two separate parts. One part is a part of the network that we had evidence showing is being used for command and control activities, C&C. And on the second part of the network, we were able to see a lot of other activities, such as hosting activity, as I mentioned before: hosting of web services that are illegal, hosting of malware binaries, all sorts of malicious activity that are being hosted on that segment of the network.
So in terms of where these infected machines were being hosted, what was the geographical spread?
So what we were able to see is that the majority of the infected machines that belong to that network, or are associated with that network, are being hosted in Ukraine, Russia, and Romania. This is what we were able to see. There are other countries and other resources from different geographical locations, but the majority, the vast majority, of the resources are from those countries.
Now, there was a bit of misdirection here. I mean, am I correct, some of the IP addresses or domains were legitimate domains from Fortune 100 companies? Is that accurate?
Yeah, for some reason, we were able to see that some of the IP addresses that are associated with the network are actually IP addresses that belong to Fortune 100 companies. Now, that surprised us, and we looked into those IPs and we checked it out, and we were able to see those IPs are actually not part of the network. They are associated with the network, but they are not truly infected machines that are part of the network. And what we believe is the reason for seeing those IPs is that the bad guys are trying to get the reputation of those IP addresses belonging to Fortune 100 companies, and by using those IPs as part of the network, they get that reputation, that good reputation. Now, in terms of communication, it doesn't affect the communication of malware with the network, because once you get a DNS response from the name server, the botnet name server, you will get a list of IPs. Some of those IPs will be the IPs of the infected machines and other IPs will be those legit IPs of those Fortune 100 companies. Now, once they fail communication with the Fortune 100 company, they will try to communicate with the infected machine. And in a way, that preserves the communication level of the network while still having those IP addresses that are legit IPs.
So what kind of malicious activity were you seeing running on this particular fast flux network?
We were able to see communication to command and control servers. We were able to see all kinds of services being hosted on the malware. We were able to see binary files, and we verified that, obviously, that belonged to well-known malware being hosted on that network. We were able to see all kinds of websites, illegal websites, being hosted on the network: websites that sell stolen credentials or stolen credit card numbers or offer all kinds of spamming activities. And we were also able to see phishing websites. Well, we suspect that those phishing websites, since their names look like websites that are part of phishing campaigns, used to be related to the network but are not currently active.
Yeah, I was interested, too, that a part of your research showed that when it came to scraping, there was a timing factor, that they did their activities during the day.
Yeah, we saw that, according to the data that we were able to see, the activity of the scraping is some sort of a normal kind of behavior of users against networks. And the reason for that is that we suspect that the bad guys know that when you have web scraping activity that looks linear, or looks like it's not changing over the hours of the day, then it will be easy to detect such activities. But when you behave like humans in their activities against websites, you have much more, or better, capabilities to remain undetected and under the radar.
So what are your recommendations for people to protect themselves against these sorts of networks?
I think that trying to look for those networks on your own is very challenging. It was very challenging for me. So I think that, in a way, you have to have layered security in your organization. You need to have good endpoint security. You need to have a great next generation firewall in your environment. But you should also look at all the traffic that goes out of your organization into the internet. Try to identify malicious activity from your organization or your home to the internet that was classified as malicious and stop that activity while it starts. And when you stop DNS traffic, when you know you're going to a highly malicious website through DNS traffic, when you stop that, you stop the chain and the traffic will not go through.
Do you have any sense for how many other fast flux networks are out there? Is this a common thing?
It is a common thing, but I'm not sure there are a lot of such networks. Again, the level of sophistication needs to be on some sort of technical capabilities that need to be provided. But more than that, you need to have infected resources in places in the world where you will have some hard time mitigating those infected machines and solving the problems that are related to those infected machines.
And in terms of attribution, you mentioned that the networks seem to be coming out of Russia and Ukraine. Is your sense that these are primarily being run as criminal enterprises? Is there a nation-state component? Do you have any opinions on that?
We don't have any indication on attribution at that point for the network, so we really don't know if it's nation state or just criminal organizations.
What is your sense for the general sophistication of a network like this? Is this something that's difficult to set up, or would it be fairly routine for someone?
I believe it's not that simple to build such a network. It creates a lot of challenges. Building such networks requires a lot of skill sets; it's not trivial. You have to manage that network over time. You need to make sure that it's being sustained. So in a way, yeah, the level of sophistication is getting much higher, and obviously we need to keep up the pace and make sure that we have the best solutions that we can to stop those bad guys from doing those things. So obviously, we are in a cat and mouse kind of activity here, or kind of game, and we need to win that game.
Our thanks to Or Katz from Akamai for joining us. You can check out the research paper, "Digging Deeper: An In-Depth Analysis of a Fast Flux Network," on Akamai's website.
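The DNS-side behavior described in the interview (answers that rotate through many IPs, low TTLs, several name servers, and reputable IPs mixed into the answer set) can be turned into a triage check over passive-DNS style records. The following Python is an added example written for this page; it is not code from Akamai, from the white paper, or from the CyberWire. The observations, domain names, name servers, IP addresses and the "known good" set are all constructed for the example, and the thresholds (TTL at most 300 seconds, at least 10 distinct IPs, mean answer churn at least 0.5) are assumptions to tune against your own data.

```python
"""Fast flux triage over passive-DNS style records.

Added example, not code from the Akamai paper. Flags domains whose A-record
answers rotate quickly, spread across many IPs, carry low TTLs and are served
by several name servers, and counts how often a reputable IP is mixed into the
answers so a reputation allow-list does not wave the domain through.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Constructed sample observations: (epoch seconds, queried name, authoritative
# name server, TTL, A records returned). Names, servers and IPs are made up.
OBSERVATIONS = [
    (1000, "cdn-upd.example", "ns1.flux.example", 60,
     ["203.0.113.5", "203.0.113.9", "198.51.100.7", "192.0.2.10"]),
    (1060, "cdn-upd.example", "ns1.flux.example", 60,
     ["203.0.113.5", "198.51.100.22", "198.51.100.31", "192.0.2.10"]),
    (1120, "cdn-upd.example", "ns2.flux.example", 60,
     ["198.51.100.40", "198.51.100.41", "203.0.113.77", "192.0.2.10"]),
    (1180, "cdn-upd.example", "ns3.flux.example", 60,
     ["203.0.113.90", "198.51.100.40", "203.0.113.91", "192.0.2.10"]),
    (1000, "www.shop.example", "ns1.shop.example", 3600,
     ["198.51.100.200", "198.51.100.201"]),
    (4600, "www.shop.example", "ns1.shop.example", 3600,
     ["198.51.100.200", "198.51.100.201"]),
    (8200, "www.shop.example", "ns1.shop.example", 3600,
     ["198.51.100.201", "198.51.100.200"]),
]

# Constructed stand-in for a corporate address with good reputation (the
# interview's "Fortune 100" case): it appears in every flux answer but is not
# an infected machine.
KNOWN_GOOD_IPS = {"192.0.2.10"}


@dataclass
class FluxMetrics:
    distinct_ips: int = 0
    distinct_ns: int = 0
    mean_ttl: float = 0.0
    mean_churn: float = 0.0   # mean Jaccard distance between consecutive answers
    answers: int = 0
    answers_with_known_good: int = 0
    is_flux: bool = False


def jaccard_distance(a, b):
    """1 - |a & b| / |a | b|; 0.0 when both answer sets are empty."""
    a, b = set(a), set(b)
    union = a | b
    return 1.0 - len(a & b) / len(union) if union else 0.0


def score_domain(records, known_good, max_ttl=300, min_ips=10, min_churn=0.5):
    """Compute FluxMetrics for one domain's observations, ordered by time.

    The thresholds are assumptions for this example, not values from the paper.
    """
    records = sorted(records, key=lambda r: r[0])
    m = FluxMetrics()
    seen_ips, seen_ns, ttls, churn = set(), set(), [], []
    previous = None
    for _ts, _name, ns, ttl, answer in records:
        seen_ips.update(answer)
        seen_ns.add(ns)
        ttls.append(ttl)
        if previous is not None:
            churn.append(jaccard_distance(previous, answer))
        previous = answer
        m.answers += 1
        if known_good & set(answer):
            # Reputation is recorded as a flag, never used to exempt the domain.
            m.answers_with_known_good += 1
    m.distinct_ips = len(seen_ips)
    m.distinct_ns = len(seen_ns)
    m.mean_ttl = mean(ttls) if ttls else 0.0
    m.mean_churn = mean(churn) if churn else 0.0
    m.is_flux = (m.mean_ttl <= max_ttl and m.distinct_ips >= min_ips
                 and m.mean_churn >= min_churn)
    return m


def triage(observations, known_good=frozenset()):
    """Group observations by queried name and score each domain."""
    by_name = defaultdict(list)
    for rec in observations:
        by_name[rec[1]].append(rec)
    return {name: score_domain(recs, set(known_good))
            for name, recs in by_name.items()}


if __name__ == "__main__":
    for name, m in triage(OBSERVATIONS, KNOWN_GOOD_IPS).items():
        print(f"{name}: flux={m.is_flux} ips={m.distinct_ips} ns={m.distinct_ns} "
              f"ttl={m.mean_ttl:.0f} churn={m.mean_churn:.2f} "
              f"answers_with_reputable_ip={m.answers_with_known_good}/{m.answers}")
```

Running it prints one line per domain; the constructed "cdn-upd.example" is flagged and "www.shop.example" is not. The `answers_with_known_good` counter is the point the interview makes about the Fortune 100 addresses: a domain does not become benign because one IP in its answers has a good reputation, so the reputation check adds a flag rather than short-circuiting the decision. Low TTL and many IPs on their own also describe a CDN, which is why the score additionally requires churn between consecutive answers, and why the result is a triage signal to pivot on, not a verdict.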
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.