Fast Flux, Double Flux and the Dark Cloud

Here’s more detail from our report about the Dark Cloud fast flux network.

The Threat Intelligence team at RiskAnalytics first noticed this botnet in July 2014 while gathering DNS data to detect and block threats before they reached customer networks. We have found several other fast flux botnets over the years, but this one stood out as an active, ongoing threat that warranted deeper analysis. At the time, orion-baet[.]su, terminus-hls[.]su, and vision-vaper[.]su were participating in a fast flux network with hundreds of suspected-compromised IP addresses. Ongoing research has uncovered more domains used by the botnet, up to the time of writing this report. New domains often join the botnet only days, or at most weeks, apart, and some domain names have stayed associated with the network for months or years. Parts of the botnet rotate their DNS NS records as frequently as their A records, which is generally regarded as “double flux” activity — another layer of concealment for the network.

Participating domains return a set of ten IP addresses for each query, with a varying DNS cache time-to-live (TTL) of less than 150 seconds, so resolvers must refresh the addresses after no more than two and a half minutes. Over time, hundreds or thousands of IP addresses are used. The technique is designed to defeat IP address blocking while keeping the advantages of a highly available network. The service is sold in underground cybercrime markets as bulletproof hosting[1] for malware and other criminal activity. These indicators are consistent with prior research that classifies this network as Zbot.[2] Other press coverage has called this network the “Dark Cloud.”[3]
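As an added example (this is not code from the RiskAnalytics report), the following Python triages passive-DNS observations for the pattern described above: answers with a TTL under 150 seconds, a steadily growing set of A records spread across many /24 networks, and, for double flux, a churning NS set. A short TTL on its own is not enough, since CDNs also answer with short TTLs; the check therefore also requires address churn and network spread. The thresholds (20 distinct addresses, 10 distinct /24s, 4 distinct nameservers) are assumptions chosen to match the article's description, not values from the report, and the sample observations are constructed with placeholder addresses rather than real indicators.

```python
"""Fast-flux / double-flux triage over passive-DNS observations.

Added example, not from the RiskAnalytics report. Thresholds are assumptions
chosen to match the behaviour the article describes (ten A records per answer,
TTL under 150 seconds, hundreds of agents over time, churning NS records).
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

FLUX_TTL_MAX = 150      # seconds; the Dark Cloud domains answered with TTL < 150
MIN_DISTINCT_A = 20     # assumption: distinct A records seen across all answers
MIN_DISTINCT_NETS = 10  # assumption: distinct /24s; CDNs cluster, flux agents scatter
MIN_DISTINCT_NS = 4     # assumption: distinct NS hostnames before calling it double flux


@dataclass(frozen=True)
class Observation:
    ts: int        # unix seconds the answer was observed
    qname: str     # queried name (zone apex for NS answers)
    rrtype: str    # "A" or "NS"
    ttl: int
    rdata: str     # IPv4 address for A records, nameserver hostname for NS records


def summarise(observations):
    """Aggregate, per domain, the facts the flux verdict needs."""
    per = defaultdict(lambda: {"a": set(), "nets": set(), "ns": set(), "ttls": []})
    for o in observations:
        d = per[o.qname.lower().rstrip(".")]
        if o.rrtype == "A":
            d["a"].add(o.rdata)
            # Collapse each address to its /24 so we can measure network spread.
            d["nets"].add(str(ipaddress.ip_network(f"{o.rdata}/24", strict=False)))
            d["ttls"].append(o.ttl)
        elif o.rrtype == "NS":
            d["ns"].add(o.rdata.lower().rstrip("."))
    return per


def classify(observations):
    """Return {domain: verdict}, verdict in {"benign", "fast-flux", "double-flux"}."""
    verdicts = {}
    for name, d in summarise(observations).items():
        if not d["ttls"]:
            verdicts[name] = "benign"   # no A answers observed: nothing to judge
            continue
        low_ttl = max(d["ttls"]) < FLUX_TTL_MAX
        churn = len(d["a"]) >= MIN_DISTINCT_A and len(d["nets"]) >= MIN_DISTINCT_NETS
        if low_ttl and churn:
            # Fast flux confirmed; a churning NS set makes it double flux.
            verdicts[name] = "double-flux" if len(d["ns"]) >= MIN_DISTINCT_NS else "fast-flux"
        else:
            verdicts[name] = "benign"
    return verdicts


def constructed_sample():
    """Constructed observations with placeholder addresses (10.0.0.0/8 and RFC 5737), not real IOCs."""
    obs = []
    # Double-flux domain: three answers, ten fresh agents each time, each in its own /24,
    # and a different nameserver in every answer.
    for rnd, ttl in enumerate((120, 90, 140)):
        for i in range(10):
            idx = rnd * 10 + i
            obs.append(Observation(1000 + rnd * 150, "flux.example", "A", ttl, f"10.{idx}.{idx}.{7 + idx}"))
    for rnd, ns in enumerate(("ns1.a.example", "ns2.b.example", "ns3.c.example", "ns4.d.example")):
        obs.append(Observation(1000 + rnd * 150, "flux.example", "NS", 120, ns))
    # Single-flux domain: agents churn across /24s but the NS set is stable.
    for i in range(25):
        obs.append(Observation(1000 + (i // 10) * 150, "single.example", "A", 100, f"10.{100 + i}.1.{i}"))
    obs.append(Observation(1000, "single.example", "NS", 3600, "ns1.static.example"))
    # CDN-style domain: short TTL, but the same eight addresses in two /24s every time.
    for rnd in range(3):
        for i in range(8):
            addr = f"192.0.2.{i}" if i < 4 else f"198.51.100.{i}"
            obs.append(Observation(1000 + rnd * 60, "cdn.example", "A", 60, addr))
    return obs


if __name__ == "__main__":
    for domain, verdict in classify(constructed_sample()).items():
        print(f"{domain:16} {verdict}")
```

Run against real passive-DNS data, the same aggregation is what lets a resolver log distinguish a flux domain from a busy CDN: the CDN's address set stops growing after the first few answers, while a flux domain keeps producing addresses that have never been seen before.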

Get the full report here.