xperts at Akamai have identified a running Fast Flux botnet composed of over 14,000 compromised systems used to spread malware.
Experts at Akamai have identified a running botnet of over 14,000 compromised systems used to spread malware. The botmasters implemented a technique dubbed Fast Flux to make the infrastructure hard to take down.
Treat actors implementing the Fast Flux technique hosts a domain using multiple IP addresses by switching the domain from one IP to another. The IP addresses are swapped in and out with extremely high frequency, through changing DNS records.
The Fast Flux technique was first implemented in 2016 by the Storm Worm malware variants.
“Fast Flux, a DNS technique first introduced in 2006 and widely associated with the Storm Worm malware variants, can be used by botnets to hide various types of malicious activities – including phishing, web proxying, malware delivery, and malware communication.” reported Akamai. “The technique allows the botnet to “hide” behind an ever-changing network of compromised hosts, ultimately acting as proxies and making detection incredibly difficult.”
Experts were able to track a botnet composed of more than 14,000 IP addresses, most of them originating from eastern Europe.
The Fast Flux Network works as an illegal websites hosting provider for illegal websites
offering merchandise such as:
- Stolen credentials for popular e-commerce websites
- Hacked credit card numbers with CVV
- Professionals hackers carders forum
The botnet was working for both hosting phishing websites and malware C&C servers, it was also utilized for carrying out automated attacks such as web scraping, SQL injections, and credentials abuse.
“The primary characteristic of the Fast Flux network is that the network constantly changes its domains, IP addresses, and nameservers. These changes obfuscate the true nature of the network and make it more difficult for researchers to understand and defend against.” continues the analysis.
To read the original article: