Fast Flux is a multi-purpose botnet that currently consists of over 14,000 IP addresses. The Fast Flux botnet operator hosts a domain name on one of these IPs and then, after a short period of time, rotates the domain to another IP address in the group in order to evade detection and maintain its infrastructure. The operator uses Fast Flux to host phishing sites, malware-embedded sites and C2 servers, and to conduct activities such as web scraping, SQL injection and brute-force attacks against targets. Researchers determined that the Fast Flux infrastructure consists of two parts: the hosting sub-network, which is used to host malicious websites and redirect traffic to them, and the C2 sub-network, which is used to control the botnet. The hosting sub-network primarily contains Ukrainian, Romanian and Russian IP addresses, whereas the C2 sub-network contains private IP addresses, suggesting that systems located on private networks are infected, possibly without the knowledge of their owners and administrators. Researchers discovered that most IPs within the hosting sub-network have ports 80 and 443 open and exposed to the public, whereas the C2 sub-network had port 7547 open and exposed, indicating that the infected devices are likely routers and modems.
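The two observations above translate directly into defensive checks: a fast-flux domain shows up in resolver logs as a name whose A records rotate across many unrelated networks with short TTLs, and the C2-side finding (private addresses, port 7547, which is the TR-069 CWMP management port used by ISP-managed routers and modems) points at what to look for in your own perimeter exposure. The Python script below is an added example, not code from the Akamai report or the Bleeping Computer article. It assumes a simple constructed resolver log format (`<unix_ts> <domain> <A record> <ttl>`), a constructed per-host open-port inventory, and detection thresholds (five distinct IPs, three distinct /16 prefixes, TTL at or below 600 seconds) chosen for illustration rather than taken from the report.

```python
"""Fast-flux and management-port exposure heuristics over constructed data.

Added example: scores each domain in a resolver log by how many distinct IPs
and /16 prefixes it resolved to, how often the answer changed, and whether any
answer fell into RFC 1918 space; separately flags hosts that expose port 7547.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: "<unix_ts> <domain> <A record> <ttl>" as a resolver might record it.
SAMPLE_LOG = """\
1700000000 update-check.example 203.0.113.5 3600
1700003600 update-check.example 203.0.113.5 3600
1700007200 update-check.example 203.0.113.5 3600
1700000000 secure-login-verify.example 192.0.2.10 180
1700000180 secure-login-verify.example 198.51.100.23 180
1700000360 secure-login-verify.example 203.0.113.77 180
1700000540 secure-login-verify.example 192.0.2.200 180
1700000720 secure-login-verify.example 198.51.100.9 180
1700000900 secure-login-verify.example 203.0.113.4 180
1700000000 cwmp-relay.example 10.4.0.12 60
1700000060 cwmp-relay.example 192.168.1.254 60
1700000120 cwmp-relay.example 10.4.0.12 60
"""

# RFC 1918 listed explicitly: ipaddress.is_private also covers the TEST-NET
# documentation ranges used in the sample, which is not what we want here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


@dataclass
class DomainProfile:
    ips: set = field(default_factory=set)
    prefixes: set = field(default_factory=set)      # /16 networks, a proxy for hosting diversity
    private_ips: set = field(default_factory=set)   # answers pointing into RFC 1918 space
    ttls: list = field(default_factory=list)
    rotations: int = 0                              # times the answer differed from the previous one
    last: object = None


def parse_log(text):
    """Parse the constructed log into (ts, domain, ip, ttl) tuples, ordered per domain by time."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, domain, ip, ttl = line.split()
        records.append((int(ts), domain.lower(), ipaddress.ip_address(ip), int(ttl)))
    records.sort(key=lambda r: (r[1], r[0]))
    return records


def profile_domains(records):
    profiles = defaultdict(DomainProfile)
    for _, domain, ip, ttl in records:
        p = profiles[domain]
        p.ttls.append(ttl)
        p.ips.add(ip)
        p.prefixes.add(ipaddress.ip_network(f"{ip}/16", strict=False))
        if is_rfc1918(ip):
            p.private_ips.add(ip)
        if p.last is not None and p.last != ip:
            p.rotations += 1
        p.last = ip
    return dict(profiles)


def classify(p, min_ips=5, min_prefixes=3, max_ttl=600):
    """Assumed thresholds: rotation across many IPs and networks with short TTLs is the fast-flux signature."""
    if p.private_ips:
        # A public name answering with RFC 1918 addresses is anomalous on its own and,
        # given the report's C2 finding, worth an analyst's review.
        return "private-answer"
    if max(p.ttls) <= max_ttl and len(p.ips) >= min_ips and len(p.prefixes) >= min_prefixes:
        return "fast-flux"
    return "unflagged"


def run(text):
    return {domain: classify(p) for domain, p in profile_domains(parse_log(text)).items()}


# Constructed inventory of externally reachable ports per host, e.g. from a perimeter scan of your own ranges.
SAMPLE_EXPOSURE = {
    "203.0.113.5": {80, 443},
    "198.51.100.9": {80, 443, 7547},
}
MGMT_PORTS = {7547}  # TR-069 CWMP; the report ties its exposure to the C2 sub-network


def exposed_management_hosts(exposure, mgmt_ports=MGMT_PORTS):
    """Hosts in the inventory that expose a management port to the internet."""
    return sorted(ip for ip, ports in exposure.items() if ports & mgmt_ports)


if __name__ == "__main__":
    for domain, label in run(SAMPLE_LOG).items():
        print(f"{domain:30} {label}")
    print("management port exposed:", exposed_management_hosts(SAMPLE_EXPOSURE))
```

On real data the /16 proxy should be replaced by ASN lookups, and the thresholds tuned against a baseline of legitimate CDN names, which also rotate across many IPs but usually stay within a few autonomous systems.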
Reporting and Technical Details:
- Akamai Identifies 14K-Strong Fast Flux Botnet (Bleeping Computer)
- Digging Deeper - An In-Depth Analysis of a Fast Flux Network (Akamai)