Black Hat 2016 preview: Fast Flux with SSL, a unique and popular Bulletproof Hosting option for cyber criminals

By Dhia Mahjoub
Posted on May 16, 2016
Updated on March 27, 2020

Fast Flux botnets 2013-2016

In the current cybercrime ecosystem, fast flux proxy networks are an efficient form of bulletproof hosting. They represent a hosting-as-a-service or reverse proxy platform for various malware and ransomware C2 domains, as well as phishing and carding sites.
We covered the Kelihos fast flux network back in 2013 in a few blogs [1] as well as at BSides New Orleans [2], APWG eCrime [2], and Botconf [3][4].
At Black Hat 2014 [5][6][7] and Defcon 22 [8][9], we disclosed research about another fast flux hosting infrastructure we called the “Zbot fast flux proxy network”, which we have been tracking since 2013. At Botconf 2013, this proxy network was briefly mentioned and dubbed “fluxxy” by Nick Summerlin and Brad Porter. This hosting network is a botnet that consisted of a couple of tens of thousands of infected hosts located mainly in Russia and Ukraine. It was easy to recognize because the domains it was hosting had a TTL value of 150 seconds. The name servers of these domains were also fluxing to IPs from the botnet, which characterizes this network as double flux. At the time, the botnet was used by criminal customers to serve Zeus, Kins, ICE IX and Citadel config, binary and drop zone URLs, in addition to Asprox and DDoS bot C2s, phishing sites and Pony panels. We subsequently presented more results about this botnet at Botconf 2014 [10].
In mid-2015, the operators behind the “Zbot” proxy network updated their setup so that the served fast flux domains now resolved to bot IPs with a random TTL between 129 and 150 seconds, and the network remained double flux. The botnet also started supporting SSL communication. This infrastructure most likely evolved to evade detection or for other operational reasons. We discussed the new TTL update at Hack.lu 2015 [11]. By then, the network had added more malware variants served on behalf of its clientele, such as Zemot/Rerdom, Necurs, Tinba, and Rovnix. Even the ephemeral new GameOver Zeus used it to host some of its DGAs in July 2014 [12] before switching to dedicated hosting and then withering away.
More recently, a few blogs in 2016 touched upon this botnet such as [13].
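The TTL and double-flux traits described above lend themselves to a simple passive-DNS heuristic. The following is an added example, not OpenDNS/Umbrella code: it scores constructed lookup observations on the 129-150 s TTL band, the number of distinct A records seen over time, and overlap between the NS IP pool and the A record pool. The 10-IP threshold, the `Observation` record and the sample data are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Observation:
    domain: str
    ts: int          # epoch seconds of the lookup
    a_records: list  # IPs in the answer section
    ttl: int         # TTL on those A records
    ns_ips: list     # IPs the domain's NS names resolved to at that time

# TTL band the post describes for this network (150 s, later 129-150 s).
FLUX_TTL_RANGE = (129, 150)
MIN_DISTINCT_IPS = 10   # threshold chosen for this example, not from the post

def fast_flux_score(observations):
    """Score one domain 0-3 on the traits the post describes:
    (1) every observed TTL inside the 129-150 s band,
    (2) many distinct A records across lookups,
    (3) NS IPs drawn from the same pool as the A records (double flux)."""
    a_ips, ns_ips, ttls = set(), set(), set()
    for o in observations:
        a_ips.update(o.a_records)
        ns_ips.update(o.ns_ips)
        ttls.add(o.ttl)
    score, evidence = 0, {}
    lo, hi = FLUX_TTL_RANGE
    if ttls and all(lo <= t <= hi for t in ttls):
        score += 1
        evidence["ttl_in_band"] = sorted(ttls)
    if len(a_ips) >= MIN_DISTINCT_IPS:
        score += 1
        evidence["distinct_a_ips"] = len(a_ips)
    overlap = a_ips & ns_ips
    if overlap:
        score += 1
        evidence["double_flux_overlap"] = len(overlap)
    return score, evidence

# Constructed sample: a double-flux domain cycling through a pool of 15 bot IPs
# (RFC 1918 addresses as stand-ins), TTL varying within 129-150 s per lookup.
FLUX_OBS = [
    Observation("flux-example.test", 1463400000 + 140 * i,
                [f"10.0.{i}.{j}" for j in range(3)],
                129 + (7 * i) % 22,
                [f"10.0.{(i + 1) % 5}.0"])
    for i in range(5)
]
# Constructed sample: a stable site with a long TTL and dedicated name servers.
STATIC_OBS = [Observation("static-example.test", 1463400000 + 3600 * i,
                          ["192.0.2.10"], 3600, ["198.51.100.1"]) for i in range(5)]
```

Run against real passive DNS, the same function needs several lookups spread over at least a few TTL intervals per domain; a single answer cannot show the IP churn.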

What’s new at Black Hat 2016?

This year at Black Hat 2016, we will be unveiling novel results about this bulletproof fast flux hosting infrastructure. We also collaborated with Intel471 to shed light on the underground service and actors behind this botnet.

Content Delivery Network functionality

At the moment, this network is leveraging up to 56,000 live bots that consist of compromised home and SOHO routers concentrated in Russia and Ukraine. The network performs reverse proxy functions similar to those of a common CDN, but with an emphasis on hiding the upstream malware content providers.
For example, curl --header 'Host: mrbin.cc' hxxp://109.86.110.190 will return the main page of hxxp://mrbin.cc/, where 109.86.110.190 is a live bot IP. hxxp://mrbin.cc/ is a known carding site that is currently served by the fast flux infrastructure. The content of hxxp://mrbin.cc/ can be delivered by any bot IP supporting this feature. Only a subset of the entire botnet supports this reverse proxy feature.
In the past months, this proxy network delivered Teslacrypt payments sites, RockLoader, Quakbot and Ramdo C2 domains, as well as phishing, and carding sites.
Currently, the longest-living active domains served by the botnet are carding sites such as mrbin.cc.

A few CIBC bank phishing sites are also live at the time of this writing.

SSL support

A notable technical aspect of this botnet is its use of SSL certificates for securing traffic. Currently, the botnet supports 5 active SSL certs: one is self-signed and the remaining four are legitimate and valid. Only a subset of the entire botnet (around 2.5% of IPs) supports SSL certs. We point out that the attackers are essentially playing by the rules to obtain these certs. They are not exploiting a flaw in PKI, SSL/TLS, browser security models, or even the certificate authorities. They are obtaining (for a small fee, if any) a certificate to verify to others that they really own their domains. Except that they use those domains for malicious purposes. They’ve essentially made that reassuring green lock icon in your browser mean that you have a really secure link to the attacker. We’ll discuss our findings on this aspect involving a well-known CA that had signed many of the certificates we observed being used on malicious domains.

The Actors

The folks at Intel 471 closely monitor the various underground services used by threat actors and groups. One such service is bulletproof hosting, which is a key cybercrime enabler. Intel 471 categorizes bulletproof hosting services into tiers depending on the technical and administrative complexity, reputation, and resiliency to takedown of the provider. Working with the researchers at Intel 471, we’ve been able to correlate key technical characteristics of the fast flux botnet and its domains to actors and groups in the underground that are both using and operating the botnet. It’s believed the group behind this particular fast flux botnet is actually one of a small number of top-tier bulletproof hosting providers found in the underground marketplace. This particular group has been providing bulletproof services to the Russian and English language marketplaces since mid-2011, but their origins may date as far back as early 2000. Since their arrival to the underground marketplace, this particular service provider has built a very good reputation among cyber-criminals. One of the group’s more unique offerings is fast and stable fast flux hosting via bots, or compromised hosts. Even more unique, when compared to other bulletproof hosting providers, is the ability to use SSL in conjunction with the fast flux hosting in order to secure traffic. This functionality was specifically advertised as part of the service offering starting in April 2015. This correlates with technical analysis and research we had done in May 2015, in which we identified a revamping of the botnet and the addition of SSL functionality.
We have refrained from including actor handles and the name of the bulletproof service as Intel 471 has asked that they not be named publicly.

Conclusion

The malware content served by this botnet proxy network is constantly changing, since it is a hosting-as-a-service platform. As new criminal customers rent service from this platform or the needs of existing clients evolve, the botnet will deliver different content based on those needs. In our upcoming Black Hat 2016 talk, we will disclose further details and show that the combination of technical research and actor-centric research, through the collaboration with Intel 471, can provide valuable insights that would otherwise be missed.
We thank colleagues Thomas Mathew and Chris Dorros and the Intel471 folks for collaborating on this research.

References

[1] /2013/07/30/tracking-versatile-kelihos-domains/
[2] /2013/09/24/real-time-monitoring-kelihos-fast-flux-botnet-case-study-presented-apwg-ecrime-2013/
[3] /2013/12/18/operation-kelihos-presented-botconf-2013/
[4] http://www.dailymotion.com/video/x1ap0b5_14-hendrik-adrian-and-dhia-mahjoub-the-power-of-a-team-work-management-of-dissecting-a-fast-flux-bot_tech
[5] https://www.youtube.com/watch?v=cHuyqnVhT4g
[6] https://www.blackhat.com/docs/us-14/materials/us-14-Mahjoub-Catching-Malware-En-Masse-DNS-And-IP-Style.pdf
[7] https://www.blackhat.com/docs/us-14/materials/us-14-Mahjoub-Catching-Malware-En-Masse-DNS-And-IP-Style-WP.pdf
[8] https://www.youtube.com/watch?v=KFx4lhxMi-M
[9] https://defcon.org/images/defcon-22/dc-22-presentations/Mahjoub-Toonk-Reuille/DEFCON-22-Mahjoub-Reuille-Toonk-Catching-Malware-En-Masse-DNS-IP-Style-UPDATED.pdf
[10] https://www.youtube.com/watch?v=eC2jPNU0NZI
[11] http://2015.hack.lu/talks/#a-collective-view-of-current-trends-in-criminal-hosting-infrastructures
[12] http://garwarner.blogspot.com/2014/07/new-gameover-zeus-variant-uses-fastflux.html
[13] http://krebsonsecurity.com/2016/05/carding-sites-turn-to-the-dark-cloud/