Last August, WireX made headlines. For one thing, it was dubbed the first-known DDoS botnet that used the Android platform. For another, it used a technique that—for those who have been around in the industry for quite a while now—rung familiar in the ears: fast flux.
In the context of cybersecurity, fast flux could refer to two things: one, a network similar to a P2P that hosts a botnet’s command and control (C&C) servers and proxy nodes; and two, a method of registering on a domain name system (DNS) that prevents the host server IP address from being identified. For this post, we’re focusing on the latter.
Malware creators are the first actors to use this tactic. And Storm, the infamous worm that boggled and exasperated Internet users and security researchers alike in 2007, is one of the first binaries that proved fast flux’s effectiveness in protecting its mothership from detection and exposure. Fast flux made it doubly difficult for the security community and law enforcement agencies to track down criminal activity and shut down operations. Eventually—and albeit gradually—Storm’s reign ended, mainly due to the ISP that hosted the worm’s master servers, Atrivo, going dark.
From then on, the actors behind fast flux campaigns have been varied: from phishers and bot herders to criminal gangs behind money mule recruitment sites. There are also those that use fast flux to engage in other unlawful schemes, such as hosting exploit sites, extreme or illegal adult content sites, carding sites, bogus online pharmacies, and web traps. Recently, fast flux has been gaining notoriety and usage among cybersquatters, which makes this another threat for businesses with an online presence.
Fast flux—what is it really?
Fast flux is, in a nutshell, an advanced game of hide and seek. Cybercriminals hide by assigning hundreds or thousands of IP addresses that are swapped with extreme frequency to a fully qualified domain name (FQDN)—let’s say www.uniquedomainname.org. This is done using a combination of (1) distributing the load received by the server across many geographical points acting as proxies or redirectors and (2) banking on a remarkably short time-to-live (TTL) data lifespan. This address swapping happens so fast that the whole architecture seems to be in flux.
Here’s a simple illustration: If criminals assign www.uniquedomain.org a set of IP addresses that change every 150 seconds, users who access www.uniquedomain.org are actually connecting to different infected machines every single time.
Fast flux is occasionally used as a standalone term; however, we also see it used as a descriptor to the nature of a network, botnet, or a malicious agent. As such, you’ll find the below terms used as well, and for clarity, we have listed their definitions:
- fast-flux service network (FFSN): The Honeynet Project defines this as “a network of compromised computer systems with public DNS records that are constantly changing, in some cases every few minutes.” There are two known types of this: single-flux and double-flux.
- fast-flux botnet: Refers to a botnet that uses fast flux techniques. Herders behind such a botnet are known to engage in hosting-as-a-service schemes wherein they rent out their networks to other criminals. Also, some fast-flux botnets have begun supporting SSL communication.
- fast-flux agent: Depending on the context, this could refer to either (1) the malware responsible for infecting systems to add them to the fast-flux network or (2) the machine that belongs to a fast-flux network.
Fast flux shouldn’t be confused with domain flux, which involves the changing of the domain name, not the IP address. Both fluxing techniques have been used by cybercriminals.
Wait, so assigning different IP addresses to a single domain name is legal?
Although it’s generally the case that one domain name points to one IP address, this association isn’t a strict mapping. And that is a good thing! Otherwise, web admins wouldn’t be able to efficiently distribute incoming network traffic to multiple resources, wherein a single resource corresponds to a unique IP address. This is the basic concept behind load balancing, and popular websites use it all the time. And round-robin DNS—this one-domain-to-many-IP-address association—is just one of several load-balancing algorithms one can implement.
There’s nothing illicit about this. What criminals are doing is merely taking advantage of or abusing what network technology already has to offer.
Aside from Storm, what other malware has been associated with fast flux?
Threat campaigns that use malware associated with fast flux networks usually involve botnets. And in the earlier years, worms were the type that used fast-flux botnets. Storm is a worm binary; so is Stration, its rival. Nowadays, other malware strains have banked on fast flux’s efficacy. We have Kronos and ZeuS/Zbot, two known banking Trojans; Kelihos, a Trojan spammer and Bitcoin miner; Teslacrypt, a ransomware (their payment sites are found hosted on an FFSN in East Europe); and Asprox, a Trojan password stealer turned advance persistent threat (APT).
As a side note, fast flux networks are not only used to hide malicious activities. Akamai, a known cloud delivery platform, has revealed in a white paper [PDF] that a fast flux network was used in several web attacks, specifically SQL injection, web scraping, and credential abuse, against their own customers.
Read: Inside the Kronos malware—Part 1, Part 2
Can fast flux be detected/identified? If so, how?
Definitely. Some organizations and independent groups in the security industry have put a lot of effort into investigating, studying, and educating others on what fast flux is, how it works, and how it can be detected. Below are just a few references that you can visit, browse, and read more thoroughly:
- FFSN Detection & Mitigation from The Honeynet Project
- Fast-Flux Bot Detection in Real Time
- FluXOR: Detecting and monitoring fast-flux service networks (PDF)
- Fast Flux Watch: A mechanism for online detection of fast-flux networks
- Research to Detection—Identify fast flux in your environment
Can users protect themselves from fast flux activity?
When it comes to keeping our computing devices safe from physical and online compromise—with data in them unaltered and secure—extra vigilance and good security hygiene can save folks from a lot of headaches in the future. Installing an anti-malware with URL blocking features on devices not only protects them from malware but also blocks sites that have been deemed malicious, consequently stopping the attack chain. Lastly, regularly update all security software you use.
Stay safe out there!