Research Finds Home Routers fill ranks of Fast Flux Botnets

Research from the firm Akamai finds cyber criminals are marrying vulnerable home routers to sophisticated “fast flux” command and control tools to create long-lived, cyber criminal infrastructure.

Researchers at Akamai Technologies say that vulnerable and compromised home routers make up the bulk of a 14,000 host “fast flux” botnet that is being used as “bullet proof” hosting for malicious software, phishing web sites and web attack tools.

Compromised routers in Russia, Ukraine and Romania make up most of the hosts in the botnet, said Or Katz, the Principal Lead Security Researcher at Akamai, which conducted the research, which is available here (PDF).


“The hosts are part of an ISP with many in Russia, Romania and Ukraine,” he said. Researchers say the routers are identifiable because they are publicly addressable via communications ports like 80 and 443 – suggesting that they are running web servers and communicating via HTTP and secure HTTP. “These are not legitimate  behaviors on these types of devices, and certainly not on a large number of these hosts,” Katz told The Security Ledger on the sidelines of the Akamai Edge conference in Las Vegas on Thursday.

With botnets such as Mirai, so-called “command and control” (or C&C) systems use the IP addresses of infected hosts (like IP cameras) in the field. But fast flux botnets are more clever: communicating through a constantly shifting list of temporary web domains associated with groups of infected hosts through the Domain Name System (DNS). Organizations that spot the malicious communications and block the source domain soon find that the web domain used by the botnet has changed and the malicious activity has resumed.

The sophistication of the “fast flux” networks allows them to persist over time – taking a kind of “living” quality, with constantly shifting membership and organization, Katz said. Their resilience makes them attractive to cyber criminal groups, who use them as a platform for everything from delivering malware to fencing stolen credit cards. Web attacks including SQL injection, web scraping and credential abuse (or “stuffing”) are also part of the suite of malicious services the networks perform.

Akamai, which operates a global content distribution network, has developed tools that analyze the ever shifting traffic from the infected routers to the company’s customers, even as the domains associated with the botnet keep changing. But Katz said there is no simple way to eradicate the botnets.

“Theoretically we can say that we can reach out to those places that host global malicious activities and work with governments to take them out. But realistically its not that simple.” In lieu of that, simply finding the domains and blocking any traffic to them is the best interim fix for what may be an endemic problem Katz said.

The problem of eradicating botnets is a thorny one, and the advent of connected but loosely managed devices like home routers, IP cameras, digital video recorders and network attached storage devices has only complicated it.  Often, the owners of these devices do not know they are affected and lack the technical know-how to disinfect and secure the devices. That allows botnets to persist for months, years or longer.

Not that some haven’t tried. In April, the Department of Homeland Security warned about destructive attacks by BrickerBot,  malicious software that attacked and disabled vulnerable Linux devices that might otherwise be fodder for botnets.

Calls to cripple or wipe vulnerable devices before they can be used for evil are alluring, but dangerous, Josh Corman of the firm PTC recently told The Security Ledger. Embedded systems that might look like they’re low-value from the public Internet could easily be critical systems like medical imaging or drug infusion systems or devices used in manufacturing environments. “This idea of bricking things is a bad idea if its connected to humans or something that could go ‘boom,'” Corman said.

Comments are closed.