<\/p>\n
FastFlux emerging again<\/h2>\n\nWhat is FastFlux?<\/h3>\n
FastFlux is a technique used by phishers, malware authors, and botnet operators to hide the actual location of their infrastructure behind a network of compromised hosts that are acting as a proxy, forwarding the malicious traffic to the real backend.<\/p>\n<\/p><\/div>\n
After analyzing this quarter\u2019s statistics, it is evident that FastFlux is once again rising in popularity. Here\u2019s a quick FastFlux refresher, including a deeper dive into how cybercriminals use it to make their infrastructure resilient against takedowns. <\/p>\n
What makes FastFl to cybercriminals?<\/h3>\n
All FastFlux networks that are currently in business can be rented as a service on the dark web. This makes life easy for botnet operators. All they have to do is register domains required for the botnet C&Cs and point them to the FastFlux operator\u2019s service. FastFlux takes care of the rest, ensuring that the A records rapidly change.<\/p>\n
Here\u2019s an example of a FluBot botnet C&C domain hosted on a FastFlux botnet:\n<\/p>\n
\n;; QUESTION SECTION:\n;gurbngbcxheshsj.ru. IN A ;; ANSWER SECTION:\nDomain TTL RecordType IP Address\ngurbngbcxheshsj.ru. 150 IN A 189.165.94.67\ngurbngbcxheshsj.ru. 150 IN A 124.109.61.160\ngurbngbcxheshsj.ru. 150 IN A 187.190.48.60\ngurbngbcxheshsj.ru. 150 IN A 115.91.217.231\ngurbngbcxheshsj.ru. 150 IN A 175.126.109.15\ngurbngbcxheshsj.ru. 150 IN A 175.119.10.231\ngurbngbcxheshsj.ru. 150 IN A 218.38.155.210\ngurbngbcxheshsj.ru. 150 IN A 179.52.22.168\ngurbngbcxheshsj.ru. 150 IN A 113.11.118.155\ngurbngbcxheshsj.ru. 150 IN A 14.51.96.70\n<\/pre>\nAs you can see, the botnet C&C domain uses ten concurrent A records with a time to live (TTL) of only 150 seconds. Monitoring these A records reveals that the underlying FastFlux botnet consists of 100 to 150 active FastFlux nodes per day.<\/p>\n
Generally, these nodes are compromised devices, commonly Customer Premise Equipment (CPE), insecurely configured (e.g., running vulnerable software or using standard login credentials), and accessible directly from the internet.<\/p>\n
These kinds of devices are a soft target for cybercriminals. They simply need to conduct internet-wide scans to discover these vulnerable devices and compromise them. This whole process can all be automated, making it quick, easy, and effective.<\/p>\n
Operators of FastFlux botnets choose the geolocation of their target devices they use for FastFlux hosting carefully. As you will notice when reading through this report, many FastFlux C&C nodes are hosted in places that are relatively well \u201cdigitized,\u201d i.e., have good internet connections but are not as advanced along the maturity curve in terms of cybersecurity. <\/p>\n
Latin America is commonly a target, e.g., Brazil, Chile, Argentina, Uruguay, and Asian countries such as Korea. The newcomers to the geolocation statistics in this update reflect this.<\/p>\n
<\/p>\n
Number of botnet C&Cs observed, Q3 2021<\/h2>\n
In Q3 2021, Spamhaus Malware Labs identified 2,656 botnet C&Cs compared to 1,462 in Q2 2021. This was an 82% increase quarter on quarter! The monthly average increased from 487 per month in Q2 to 885 botnet C&Cs per month in Q3.<\/p>\n
\n\n![](\"https:\/\/www.spamhaus.org\/news\/images\/botnet-report-2021-q3\/2021-q3-01-number-of-new-botnet-c2s.png\")
<\/td>\n<\/tr>\n \n![](\"https:\/\/www.spamhaus.org\/news\/images\/botnet-report-2021-q3\/2021-q3-02-quarterly-number-table.png\")
<\/td>\n<\/tr>\n<\/table>\n <\/p>\n
Geolocation of botnet C&Cs, Q3 2021<\/h2>\n
Given FastFlux\u2019s influence over the past quarter, it isn\u2019t surprising that there\u2019s a clear pattern to the newcomers entering the chart for Q3 2021. Many of the countries joining the charts were responsible for hosting a large percentage of TeamBot, and FluBot botnet C&C servers – utilizing Fastflux – and fit the profile of countries with extensive internet coverage but less security-focused.<\/p>\n
Significant increases in Russia<\/h3>\n
The number of botnet C&Cs located in Russia has dramatically risen. This is the second increase quarter on quarter that Russia has experienced:\n<\/p>\n
\n- Q1 to Q2 \u2013 19% increase<\/li>\n
- Q2 to Q3 \u2013 64% increase<\/li>\n<\/ul>\n
Therefore, it comes as no surprise that in Q3 Russia overtook the United States for the #1 spot. <\/p>\n
Continued increases across Europe<\/h3>\n
The trend that started in Q2 continued in Q3. Once again, there was an uptick in the number of botnet C&C servers hosted in various European countries, including the Netherlands (+63%), Germany (+45%), France (+34%), and Switzerland (+34%).<\/p>\n
\n\n![](\"https:\/\/www.spamhaus.org\/news\/images\/botnet-report-2021-q3\/2021-q3-03-c2s-geolocation-table.png\")
<\/td>\n<\/tr>\n<\/table>\n\n\n![](\"https:\/\/www.spamhaus.org\/news\/images\/botnet-report-2021-q3\/2021-q3-04-c2s-geolocation-map.png\")
<\/td>\n<\/tr>\n<\/table>\n <\/p>\n
Malware associated with botnet C&Cs, Q3 2021<\/h2>\n
Here are the top malware families associated with newly observed botnet C&Cs in Q3, 2021.<\/p>\n
TeamBot and FluBot emerging<\/h3>\n
Have you ever heard of TeamBot? Probably not. While it is neither a new nor severe threat, TeamBot sits at the top of the charts with FluBot, both backdoors.<\/p>\n
Our threat hunters believe that TeamBot and FluBot are using the same FastFlux infrastructure, rotating the same botnet C&C IP addresses every few minutes, hence the shared listing below.<\/p>\n
This quarter, there was an explosion in backdoor malware, making it the most prevalent type of malware associated with botnet C&Cs in Q3 2021.<\/p>\n
RedLine wins, Raccoon loses<\/h3>\n
In 2021, we\u2019ve been observing a battle for pole position between RedLine and Raccoon, both credential stealers, available for sale on the dark web. While we saw a huge increase (571%) of Raccoon botnet C&C servers in Q2 2021, RedLine malware experienced a 71% increase in Q3 2021, displacing Raccoon from its top spot.<\/p>\n
IcedID disappears<\/h3>\n
IcedID has been relatively inactivate this year, making a brief appearance at #18 in Q2 before disappearing again this quarter. The reason behind this is unknown. However, our researchers don\u2019t believe its silence will continue indefinitely. IcedID is one of the Trojans available to ransomware groups for purchase on the dark web.
These Trojans sell access to corporate networks – a very lucrative business.<\/p>\n
\n\n![](\"https:\/\/www.spamhaus.org\/news\/images\/botnet-report-2021-q3\/2021-q3-05-malware-table.png\")
<\/td>\n<\/tr>\n<\/table>\n\n\n\nMalware type comparisons between Q2 and Q3 2021<\/h3>\n
![](\"https:\/\/www.spamhaus.org\/news\/images\/botnet-report-2021-q3\/2021-q3-06-malware-type.png\")
<\/td>\n<\/tr>\n<\/table>\n
<\/p>\n
Most abused top-level domains, Q3 2021<\/h2>\nNo changes at the top of the chart<\/h3>\n
In Q3, .com and .xyz continued to stay at the top of our ranking. The situation deteriorated for these two TLDs, particularly .com, which experienced a 90% increase. We hope that VeriSign, the owner of this TLD, will take all necessary steps to improve this situation and increase their TLD\u2019s reputation.<\/p>\n
Three new TLDs<\/h3>\n
Two new gTLDs and one ccTLD joined our Top 20: .club, .co and .monster. All have seen a significant increase in the number of new botnet C&C domains registered through their service.<\/p>\n
\n\n![](\"https:\/\/www.spamhaus.org\/news\/images\/botnet-report-2021-q3\/2021-q3-07-tlds.png\")
<\/td>\n<\/tr>\n<\/table>\n <\/p>\n
Most abused domain registrars, Q3 2021<\/h2>\n
We observed significant increases across most of the domain registrars listed in our Top 20. The United States is home to the largest percentage of domain registrars; however, their share has dropped quarter on quarter, while China, the United Kingdom, and Russia have increased.<\/p>\n
In Q2 you saw Arsys, now you don\u2019t<\/h3>\n
A nod of approval to Arsys, who was a new entry at #5 in Q2. They appear to have taken positive steps to ensure their TLD remains as clean as possible and dropped off the Top 20 in Q3, along with HiChina, 1API, Name.com, and 55hl.com. Excellent work to all these registrars.<\/p>\n
Reseller issues<\/h3>\n
In Q3, we saw the biggest increases in newly registered botnet C&C domains at CentralNic (+488%), Tucows (+266%), RegRU (+252%), West263.com (+168%), and Network Solutions (+163%).<\/p>\n
The vast majority of fraudulent domain name registrations originate from poor resellers who have inappropriate or non-existent customer vetting in place.<\/p>\n
Registrars can struggle to penalize these dirty resellers for many reasons, including poorly written Terms of Services (ToS). However, other matters can also
\ncome into play, such as a vested financial interest or a fundamental lack of motivation to take responsibility for these issues.<\/p>\n
We hope that these registrars will improve their reputation quickly by implementing stricter measures on their resellers to ensure they strive to fight against the registration of fraudulent domain names.<\/p>\n
\n\n![](\"https:\/\/www.spamhaus.org\/news\/images\/botnet-report-2021-q3\/2021-q3-08-registrars.png\")
<\/td>\n<\/tr>\n<\/table>\n\n\n\nLocation of Most Abused Domain Registrars<\/h3>\n
![](\"https:\/\/www.spamhaus.org\/news\/images\/botnet-report-2021-q3\/2021-q3-09-registrars-location.png\")
<\/td>\n<\/tr>\n<\/table>\n
<\/p>\n
Networks hosting the most newly observed botnet C&Cs, Q2 2021<\/h2>\n
As usual, there were many changes in the networks hosting newly observed botnet C&Cs. Notably, there was an influx of networks hosting FastFlux botnet C&Cs, used by cybercriminals to host backdoor malware.<\/p>\n
Does this list reflect ho dealt with at networks?<\/h3>\n
While this Top 20 listing illustrates that there may be an issue with customer vetting processes, it doesn\u2019t reflect on the speed abuse desks deal with reported issues. See \u201cNetworks hosting the most active botnet C&Cs\u201d to view networks where abuse isn\u2019t dealt with in a timely manner.<\/p>\n
serverion.com<\/h3>\n
We have seen a 69% increase in the number of new botnet C&C servers installed at the Dutch hosting provider serverion.com. Our researchers believe that this increase is predominantly due to their downstream customer des.capital, which tends to attract botnet operators.<\/p>\n
Making positive changes<\/h3>\n
In last quarter\u2019s update, we reported that a botnet hosting operation had moved from Amazon to DigitalOcean, causing the latter\u2019s listings to rocket. We want to congratulate DigitalOcean for dropping off our Top 20 list in Q3 2021, along with other networks, including Google, who were at #2, HostSailor, Microsoft, M247, and Off Shore Racks.<\/p>\n
\n\n![](\"https:\/\/www.spamhaus.org\/news\/images\/botnet-report-2021-q3\/2021-q3-10-network-newly-observed.png\")
<\/td>\n<\/tr>\n<\/table>\n <\/p>\n
Networks hosting the most active botnet C&Cs, Q3 2021<\/h2>\n
Finally, let\u2019s take a look at the networks that hosted a large number of active botnet C&Cs in Q3 2021. Hosting providers who appear in this ranking either have an abuse problem or do not take the appropriate action when receiving abuse reports.<\/p>\n
An increase in botnet C&C abuse<\/h3>\n
Sadly, the situation in terms of active botnet C&C servers deteriorated for many ISPs who were on our Top 20 in Q2. Ipjetable.net (FR), microsoft.com (US), vietserver.vn (VN), and openvpn (SE) all have one thing in common: Instead of taking appropriate measures against the abuse on their infrastructure, the number of active botnet C&C servers increased in these networks.<\/p>\n
uninet.net.mx & stc.com.sa<\/h3>\n
These two ISPs are new to our Top 20 this quarter and have taken #1 and #2 spots due to the vast number of FastFlux bots hosted on their networks.<\/p>\n
In fact, the majority of the newcomers to this chart are due to hosting FastFlux bots on their networks and not responding quickly to abuse reports. All these companies are providing a resilient botnet C&C infrastructure for botnet operators.<\/p>\n
\n\n![](\"https:\/\/www.spamhaus.org\/news\/images\/botnet-report-2021-q3\/2021-q3-11-network-most-active-botnets.png\")
<\/td>\n<\/tr>\n<\/table>\nThat\u2019s all for now. Stay safe and see you in January!<\/p>\n
Download the Spamhaus Botnet Report 2021 Q3 as PDF<\/a><\/p>\n
What is FastFlux?<\/h3>\n
FastFlux is a technique used by phishers, malware authors, and botnet operators to hide the actual location of their infrastructure behind a network of compromised hosts that are acting as a proxy, forwarding the malicious traffic to the real backend.<\/p>\n<\/p><\/div>\n
After analyzing this quarter\u2019s statistics, it is evident that FastFlux is once again rising in popularity. Here\u2019s a quick FastFlux refresher, including a deeper dive into how cybercriminals use it to make their infrastructure resilient against takedowns. <\/p>\n
What makes FastFl to cybercriminals?<\/h3>\n
All FastFlux networks that are currently in business can be rented as a service on the dark web. This makes life easy for botnet operators. All they have to do is register domains required for the botnet C&Cs and point them to the FastFlux operator\u2019s service. FastFlux takes care of the rest, ensuring that the A records rapidly change.<\/p>\n
Here\u2019s an example of a FluBot botnet C&C domain hosted on a FastFlux botnet:\n<\/p>\n
\n;; QUESTION SECTION:\n;gurbngbcxheshsj.ru. IN A ;; ANSWER SECTION:\nDomain TTL RecordType IP Address\ngurbngbcxheshsj.ru. 150 IN A 189.165.94.67\ngurbngbcxheshsj.ru. 150 IN A 124.109.61.160\ngurbngbcxheshsj.ru. 150 IN A 187.190.48.60\ngurbngbcxheshsj.ru. 150 IN A 115.91.217.231\ngurbngbcxheshsj.ru. 150 IN A 175.126.109.15\ngurbngbcxheshsj.ru. 150 IN A 175.119.10.231\ngurbngbcxheshsj.ru. 150 IN A 218.38.155.210\ngurbngbcxheshsj.ru. 150 IN A 179.52.22.168\ngurbngbcxheshsj.ru. 150 IN A 113.11.118.155\ngurbngbcxheshsj.ru. 150 IN A 14.51.96.70\n<\/pre>\nAs you can see, the botnet C&C domain uses ten concurrent A records with a time to live (TTL) of only 150 seconds. Monitoring these A records reveals that the underlying FastFlux botnet consists of 100 to 150 active FastFlux nodes per day.<\/p>\n
Generally, these nodes are compromised devices, commonly Customer Premise Equipment (CPE), insecurely configured (e.g., running vulnerable software or using standard login credentials), and accessible directly from the internet.<\/p>\n
These kinds of devices are a soft target for cybercriminals. They simply need to conduct internet-wide scans to discover these vulnerable devices and compromise them. This whole process can all be automated, making it quick, easy, and effective.<\/p>\n
Operators of FastFlux botnets choose the geolocation of their target devices they use for FastFlux hosting carefully. As you will notice when reading through this report, many FastFlux C&C nodes are hosted in places that are relatively well \u201cdigitized,\u201d i.e., have good internet connections but are not as advanced along the maturity curve in terms of cybersecurity. <\/p>\n
Latin America is commonly a target, e.g., Brazil, Chile, Argentina, Uruguay, and Asian countries such as Korea. The newcomers to the geolocation statistics in this update reflect this.<\/p>\n
<\/p>\n
Number of botnet C&Cs observed, Q3 2021<\/h2>\n
In Q3 2021, Spamhaus Malware Labs identified 2,656 botnet C&Cs compared to 1,462 in Q2 2021. This was an 82% increase quarter on quarter! The monthly average increased from 487 per month in Q2 to 885 botnet C&Cs per month in Q3.<\/p>\n
| <\/td>\n<\/tr>\n | |||||||||
| <\/td>\n<\/tr>\n<\/table>\n <\/p>\n Geolocation of botnet C&Cs, Q3 2021<\/h2>\nGiven FastFlux\u2019s influence over the past quarter, it isn\u2019t surprising that there\u2019s a clear pattern to the newcomers entering the chart for Q3 2021. Many of the countries joining the charts were responsible for hosting a large percentage of TeamBot, and FluBot botnet C&C servers – utilizing Fastflux – and fit the profile of countries with extensive internet coverage but less security-focused.<\/p>\n Significant increases in Russia<\/h3>\nThe number of botnet C&Cs located in Russia has dramatically risen. This is the second increase quarter on quarter that Russia has experienced:\n<\/p>\n
|