Fast Flux botnets 2013-2016
In the current cybercrime ecosystem, fast flux proxy networks are an efficient form of bulletproof hosting. They represent a hosting-as-a-service or reverse proxy platform for various malware and ransomware C2 domains, as well as phishing and carding sites.
We covered the Kelihos fast flux network back in 2013 in a few blogs [1] as well as at BSides New Orleans [2], APWG eCrime [2], and Botconf [3][4].
At Black Hat 2014 [5][6][7] and Defcon 22 [8][9], we disclosed research about another fast flux hosting infrastructure we called the “Zbot fast flux proxy network”, which we have been tracking since 2013. At Botconf 2013, this proxy network was briefly mentioned and dubbed “fluxxy” by Nick Summerlin and Brad Porter. This hosting network is a botnet that consisted of a couple of tens of thousands of infected hosts located mainly in Russia and Ukraine. It was easy to recognize because the domains it was hosting had a TTL value of 150 seconds. The name servers of these domains were also fluxing to IPs from the botnet, which characterizes this network as double flux. At the time, the botnet was used by criminal customers to serve Zeus, Kins, ICE IX and Citadel config, binary and drop zone URLs, in addition to Asprox and DDoS bot C2s, phishing sites and Pony panels. We subsequently presented more results about this botnet at Botconf 2014 [10].
In mid-2015, the operators behind the “Zbot” proxy network updated their setup in such a way that the served fast flux domains were now resolving to bot IPs with a random TTL in the range between 129 and 150 seconds, and the network remained double flux. The botnet also started supporting SSL communication. This infrastructure most likely evolved to evade detection or for other operational reasons. We discussed the new TTL update at Hack.lu 2015 [11]. By then, the network had added more malware variants served on behalf of its clientele, such as Zemot/Rerdom, Necurs, Tinba, and Rovnix. Even the ephemeral new GameOver Zeus used it to host some of its DGAs in July 2014 [12] before it switched to dedicated hosting and then withered away.
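As an added illustration (not code from the original post), the script below applies the two fingerprints described above, a TTL inside the 129 to 150 second window (which also covers the older fixed 150 second value) and resolution to a rotating set of IPs, to constructed passive-DNS style records, and upgrades a verdict to “double-flux” when the zone's name server hosts flux the same way. Domain names, IPs and the minimum-IP thresholds are assumptions chosen for the sample, not observed values.

```python
from collections import defaultdict

# Constructed passive-DNS style observations (sample data, not from the
# original post): (qname, rtype, rdata, ttl). TTLs in the 129-150 window
# and a rotating set of resolved IPs mimic the behaviour described above.
SAMPLE_RECORDS = [
    ("example-flux.test", "A", "198.51.100.10", 150),
    ("example-flux.test", "A", "198.51.100.11", 150),
    ("example-flux.test", "A", "198.51.100.20", 133),
    ("example-flux.test", "A", "198.51.100.21", 141),
    ("example-flux.test", "NS", "ns1.example-flux.test", 150),
    ("ns1.example-flux.test", "A", "198.51.100.50", 150),
    ("ns1.example-flux.test", "A", "198.51.100.60", 129),
    ("pay.example-flux2.test", "A", "198.51.100.70", 130),
    ("pay.example-flux2.test", "A", "198.51.100.71", 145),
    ("pay.example-flux2.test", "A", "198.51.100.72", 150),
    ("pay.example-flux2.test", "A", "198.51.100.73", 137),
    ("www.example-cdn.test", "A", "203.0.113.5", 300),   # ordinary CDN, out of window
    ("www.example-cdn.test", "A", "203.0.113.6", 300),
]


def fast_flux_verdicts(records, ttl_range=(129, 150), min_ips=4):
    """Return {name: 'single-flux' | 'double-flux'} for names whose A records all
    carry a TTL inside ttl_range and rotate through at least min_ips distinct IPs.
    A name becomes 'double-flux' when one of its NS hosts fluxes the same way."""
    lo, hi = ttl_range
    a_by_name = defaultdict(list)   # name -> [(ip, ttl), ...]
    ns_by_name = defaultdict(set)   # zone -> {ns hostnames}
    for qname, rtype, rdata, ttl in records:
        if rtype == "A":
            a_by_name[qname].append((rdata, ttl))
        elif rtype == "NS":
            ns_by_name[qname].add(rdata)
    ns_hosts = set().union(*ns_by_name.values())

    def fluxes(name, needed):
        rrs = a_by_name.get(name, [])
        ips = {ip for ip, _ in rrs}
        return bool(rrs) and len(ips) >= needed and all(lo <= t <= hi for _, t in rrs)

    verdicts = {}
    for name in a_by_name:
        # NS hosts are judged through the zone they serve, not on their own
        if name in ns_hosts or not fluxes(name, min_ips):
            continue
        # a name server needs fewer observed IPs to count as fluxing (assumed threshold)
        ns_fluxing = any(fluxes(ns, 2) for ns in ns_by_name.get(name, ()))
        verdicts[name] = "double-flux" if ns_fluxing else "single-flux"
    return verdicts
```

Real deployments would feed this from a passive DNS store and tune `min_ips` to the observation window; the thresholds here only fit the sample.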
More recently, a few blogs in 2016 touched upon this botnet such as [13].
What’s new at Black Hat 2016?
This year at Black Hat 2016, we will be unveiling novel results about this bulletproof fast flux hosting infrastructure. We also collaborated with Intel471 to shed light on the underground service and actors behind this botnet.
Content Delivery Network functionality
At the moment, this network is leveraging up to 56,000 live bots that consist of compromised home and SOHO routers concentrated in Russia and Ukraine. The network performs reverse proxy functions similar to those of a common CDN, but with an emphasis on hiding the upstream malware content providers.
For example, curl --header 'Host: mrbin.cc' hxxp://109.86.110.190 will return the main page of hxxp://mrbin.cc/, where 109.86.110.190 is a live bot IP. hxxp://mrbin.cc/ is a known carding site that is currently served by the fast flux infrastructure. The content of hxxp://mrbin.cc/ can be delivered by any bot IP supporting this feature. Only a subset of the entire botnet supports this reverse proxy feature.
In the past months, this proxy network delivered TeslaCrypt payment sites, RockLoader, Quakbot and Ramdo C2 domains, as well as phishing and carding sites.
Currently, the longest living active domains served by the botnet are carding sites such as:
- csh0p.cc
- mcduck.tv
- mcduck.ws
- mcdumpals.at
- mrbin.cc
- mrbin.tv
- popeyeds.cc
- popeyeds.la
- royaldumps.cm
- royaldumps.tw
- try2swipe.me
- try2swipe.ws
- unclesam.tw
- unclesam.ws
- www.csh0p.cc
A few CIBC bank phishing sites are also live at the time of this writing.
SSL support
A notable technical aspect of this botnet is its use of SSL certificates for securing traffic. Currently, the botnet supports 5 active SSL certs: one is self-signed and the remaining four are legitimate and valid. Only a subset of the entire botnet (around 2.5% of IPs) supports SSL certs. We point out that the attackers are essentially playing by the rules to obtain these certs. They are not exploiting a flaw in PKI, SSL/TLS, browser security models, or even the certificate authorities. They are obtaining (for a small fee, if any) a certificate to verify to others that they really own their domains. Except that they use their domains to serve malicious intent. They’ve essentially made that reassuring green lock icon in your browser mean that you have a really secure link to the attacker. We’ll discuss our findings on this aspect involving a well known CA that had signed many of the certificates we observed being used on malicious domains.
The Actors
The folks at Intel 471 closely monitor the various underground services used by threat actors and groups. One such service is bulletproof hosting, which is a key cybercrime enabler. Intel 471 categorizes bulletproof hosting services into tiers depending on the technical and administrative complexity, reputation, and resiliency to takedown of the provider. Working with the researchers at Intel 471, we’ve been able to correlate key technical characteristics of the fast flux botnet and its domains to actors and groups in the underground that are both using and operating the botnet. It’s believed the group behind this particular fast flux botnet is actually one of a small number of top-tier bulletproof hosting providers found in the underground marketplace. This particular group has been providing bulletproof services to the Russian and English language marketplaces since mid-2011, but their origins may date as far back as early 2000. Since their arrival in the underground marketplace, this particular service provider has built a very good reputation among cyber-criminals. One of the group’s more unique offerings is fast and stable fast flux hosting via bots, or compromised hosts. Even more unique, when compared to other bulletproof hosting providers, is the ability to use SSL in conjunction with the fast flux hosting in order to secure traffic. This functionality was specifically advertised as part of the service offering starting in April 2015. This correlates with the technical analysis and research we had done in May 2015, where we identified a revamping of the botnet and the addition of SSL functionality.
We have refrained from including actor handles and the name of the bulletproof service as Intel 471 has asked that they not be named publicly.
Conclusion
The malware content served by this botnet proxy network is constantly changing since it is a hosting-as-a-service platform. As new criminal customers rent service from this platform or the needs of existing clients evolve, the botnet will deliver different content based on those needs. In our upcoming Black Hat 2016 talk, we will disclose further details and show that the combination of technical research and actor-centric research, through the collaboration with Intel 471, can provide valuable insights that would otherwise be missed.
We thank colleagues Thomas Mathew and Chris Dorros and the Intel471 folks for collaborating on this research.
References
[1] /2013/07/30/tracking-versatile-kelihos-domains/
[2] /2013/09/24/real-time-monitoring-kelihos-fast-flux-botnet-case-study-presented-apwg-ecrime-2013/
[3] /2013/12/18/operation-kelihos-presented-botconf-2013/
[4] http://www.dailymotion.com/video/x1ap0b5_14-hendrik-adrian-and-dhia-mahjoub-the-power-of-a-team-work-management-of-dissecting-a-fast-flux-bot_tech
[5] https://www.youtube.com/watch?v=cHuyqnVhT4g
[6] https://www.blackhat.com/docs/us-14/materials/us-14-Mahjoub-Catching-Malware-En-Masse-DNS-And-IP-Style.pdf
[7] https://www.blackhat.com/docs/us-14/materials/us-14-Mahjoub-Catching-Malware-En-Masse-DNS-And-IP-Style-WP.pdf
[8] https://www.youtube.com/watch?v=KFx4lhxMi-M
[9] https://defcon.org/images/defcon-22/dc-22-presentations/Mahjoub-Toonk-Reuille/DEFCON-22-Mahjoub-Reuille-Toonk-Catching-Malware-En-Masse-DNS-IP-Style-UPDATED.pdf
[10] https://www.youtube.com/watch?v=eC2jPNU0NZI
[11] http://2015.hack.lu/talks/#a-collective-view-of-current-trends-in-criminal-hosting-infrastructures
[12] http://garwarner.blogspot.com/2014/07/new-gameover-zeus-variant-uses-fastflux.html
[13] http://krebsonsecurity.com/2016/05/carding-sites-turn-to-the-dark-cloud/