Researchers at Akamai have identified a botnet of over 14,000 IP addresses used in malware distribution operations. The botnet is still up and running, and experts believe it will be hard to take it down because its operators are employing a clever technique called Fast Flux.
The principle behind Fast Flux is that a single domain is pointed at a large pool of IP addresses and the DNS answer for it is switched from one IP (or set of IPs) to another at short intervals, typically by publishing records with very low TTLs. The domain's resolution is therefore in constant, fast flux, which is where the technique gets its name.
Malware authors first used fast flux in late 2006. The first malware to use it was the Storm Worm, which deployed it to hide the IP addresses of its command and control (C&C) servers. The massive Avalanche malware-hosting network also used Fast Flux to hide its infrastructure.
Speaking at the Akamai EDGE 2017 conference yesterday, Akamai researchers revealed the existence of a similar Avalanche-like infrastructure, hosting everything from phishing pages to web proxies, and from carder shops to C&C servers for various malware campaigns.
Besides hosting phishing pages and malware C&C servers, the botnet was also used to carry out automated attacks such as web scraping, SQL injection, and brute-force dictionary attacks that tried publicly leaked credentials against login pages (credential stuffing).
Researchers worked for months to identify and draw connections between all the domains and IP addresses. In the end, they uncovered a complex infrastructure that uses Fast Flux to constantly shift the IPs behind malicious domains, allowing the hosted malware infrastructure to linger far longer than usual.
Researchers believe the devices were infected with malware that allowed the botnet operator to use them as part of an ever-shifting malware-hosting infrastructure.
This was done by installing a proxy package on each host, which listens on the Internet-facing side of the machine and relays traffic on behalf of the crooks.
When someone tried to connect to a malicious site, the DNS servers would hand out the IP of an infected host that was, at that moment, "hosting" the domain.
The infected host (via the proxy package) would then forward the incoming traffic to the real malicious site, hosted somewhere else. This is a relay, not an HTTP redirect, so a visitor only ever talks to the infected host. Security researchers have to keep this in mind and not take the DNS record as the real host of a site: the address it returns is a disposable relay, and the backend sits elsewhere.
Taking a deeper dive into the botnet's structure, researchers discovered that the entire infrastructure actually consisted of two separate parts — the hosting sub-network (for hosting and redirecting traffic for malicious sites) and the C&C sub-network (this is the botnet's own command-and-control infrastructure, not to be confused with C&C servers "hosted" for other crooks/operations).
Each of these sub-networks had its own pool of IPs, each of which temporarily fronted a domain before that domain was moved on to another IP.
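The mechanics described above, a low TTL and a steady churn of answers spread across unrelated address blocks, are exactly what a defender can look for in resolver logs. The following is an added example, not Akamai's code or data: a small fast-flux heuristic run over a constructed log of DNS answers. Domain names, addresses, timestamps and the thresholds are all assumptions; /16 prefix diversity stands in for ASN diversity so that it runs offline, and answers in RFC 1918 space are flagged separately, since a public name resolving to 10.x.x.x or 192.168.x.x is itself worth noticing.

```python
# Added example (not Akamai's code or data): a fast-flux heuristic over a
# constructed log of DNS answers. Names, addresses and thresholds are assumptions.
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Tuple


class DnsObservation(NamedTuple):
    ts: int                    # seconds since start of capture (constructed)
    domain: str
    ttl: int                   # TTL on the A records in this answer
    answers: Tuple[str, ...]   # IPv4 addresses the resolver returned


# RFC 1918 ranges, checked explicitly (ipaddress.is_private also matches
# documentation ranges such as 203.0.113.0/24, which we use as sample data).
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def prefix16(ip: str) -> str:
    """Collapse an address to its /16; an offline stand-in for ASN diversity."""
    return str(ip_network(f"{ip}/16", strict=False))


def score_domain(rows: List[DnsObservation], max_ttl: int = 300,
                 min_ips: int = 5, min_prefixes: int = 3) -> dict:
    """Summarise one domain's answers and decide whether they look fast-fluxed.

    Indicators: low TTL, many distinct IPs across several /16s, and answers
    that change between lookups. The numeric thresholds are assumptions.
    """
    rows = sorted(rows, key=lambda r: r.ts)
    ips, prefixes, changes, prev = set(), set(), 0, None
    for r in rows:
        cur = frozenset(r.answers)
        ips |= cur
        prefixes |= {prefix16(ip) for ip in cur}
        if prev is not None and cur != prev:
            changes += 1
        prev = cur
    min_ttl = min(r.ttl for r in rows)
    flux = (min_ttl <= max_ttl and len(ips) >= min_ips
            and len(prefixes) >= min_prefixes and changes > 0)
    return {
        "unique_ips": len(ips),
        "unique_prefixes": len(prefixes),
        "answer_changes": changes,
        "min_ttl": min_ttl,
        "private_answers": sorted(ip for ip in ips if is_rfc1918(ip)),
        "fast_flux": flux,
    }


def analyse(log: List[DnsObservation]) -> Dict[str, dict]:
    """Group observations by domain and score each one."""
    by_domain = defaultdict(list)
    for obs in log:
        by_domain[obs.domain].append(obs)
    return {d: score_domain(rows) for d, rows in by_domain.items()}


# Constructed sample: one lookup every five minutes for an hour. The fluxed
# name rotates through a pool spread over three documentation /24s (three /16s).
FLUX_POOL = ["203.0.113.10", "198.51.100.24", "192.0.2.77", "203.0.113.200",
             "198.51.100.9", "192.0.2.15", "203.0.113.41", "198.51.100.130"]
SAMPLE_LOG = (
    [DnsObservation(ts=i * 300, domain="flux-example.invalid", ttl=180,
                    answers=tuple(FLUX_POOL[(i + k) % len(FLUX_POOL)]
                                  for k in range(3)))
     for i in range(12)]
    + [DnsObservation(ts=i * 300, domain="static-example.invalid", ttl=3600,
                      answers=("192.0.2.1",)) for i in range(12)]
    + [DnsObservation(ts=0, domain="cnc-example.invalid", ttl=60,
                      answers=("10.0.0.5",))]
)

if __name__ == "__main__":
    for domain, verdict in analyse(SAMPLE_LOG).items():
        print(domain, verdict)
```

In a real deployment the observations would come from passive DNS or resolver query logs, and the /16 heuristic should be replaced by an ASN lookup; the relay behaviour described above means the flagged IPs are the infected front ends, not the backend that actually serves the content.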
Ukrainian, Romanian, and Russian IPs made up most of the hosting sub-network. The composition of the botnet's C&C sub-network was very different.
Most of these were private (RFC 1918) addresses, such as 10.x.x.x and 192.168.x.x, which are not routable on the public Internet, meaning the machines sat on private, closed networks. Furthermore, some of the IPs carried clues that they might be found inside Fortune 100 companies.
Akamai also analyzed the exposed ports for all IPs and found that most of the hosting sub-network had ports 80 and 443 exposed (HTTP and HTTPS, consistent with web proxies), while most of the C&C sub-network had port 7547 exposed.
This was peculiar because port 7547 is the port used by TR-069 (CWMP), the protocol ISPs use to remotely manage routers and modems. That is a hint as to the category of devices that could make up the botnet.
Recently, Bleeping Computer observed a shift in the IoT botnet market from IoT botnets tooled for launching DDoS attacks to IoT botnets equipped to re-route malicious traffic.
To be clear, Akamai did not reach any final conclusion about the botnet's underlying devices, whether they are routers, IoT devices, or home computers. The port data was only one of their observations.
Research is still underway, and the experts hope to gain enough insight to bring this botnet, which has yet to be named, down, just as they did with Avalanche.