Zbot Botnet Uses Fast Flux Technique to Avoid Detection

After two years of research, RiskAnalytics issues a report on how one of the world's most successful botnet is still pervasive.

Zbot botnet

Since 2014, security firm RiskAnalytics has been tracking the activities of a particularly virulent botnet that attackers are using on the Internet. In a new report, RiskAnalytics details how the Zbot botnet is making use of a technique known as "fast flux" to evade detection and stay alive.

A botnet is a collection of compromised systems (sometimes referred to as zombies) that an attacker controls through a command and control system to attack other users and sites on the Internet. Fast flux, a technique that has been used since at least 2007, makes use of the Domain Name System (DNS) to hide the source of an attack. The way DNS is supposed to work is a domain name is referenced in a DNS resolver to forward to a specific IP address. With fast flux, attackers link multiple sets of IP addresses to a given domain name and swap new addresses in and out of the DNS records in an attempt to evade detection.

"Many botnets aren't doing fast flux, but from what we've seen, all fast flux activity is driven by some kind of botnet," Noah Dunker, director of Security Labs for RiskAnalytics, told eWEEK. "Fast flux is basically a subset of botnets, and 'double-flux' is the term used when the DNS servers for a fast flux network are also hosted on the fast flux network itself."

The Zbot botnet originated from the Zeus banking Trojan. Dunker noted that Zbot today shares little if anything with Zeus, which was one of the most active Trojans in the world until 2012, when much of the original Zeus botnet was disrupted in a coordinated takedown by Microsoft.

With the modern Zbot botnet using fast flux techniques, it is increasingly difficult for organizations to simply block a given IP address range to defend against the botnet. Wayne Crowder, director of threat intelligence at RiskAnalytics, explained that his company uses sophisticated algorithms to detect domains that match the fast flux indicators. Those detections are automatically processed to remove lawful content delivery network domains.

"The process then analyzes the domains with all of their resolving IP addresses for various other indicators that sort out infected endpoints versus legitimate hosted services or content," he said.

The risk for organizations with fast flux botnet blocking is that false positives are possible as IP addresses are always changing. RiskAnalytics has taken great care to use additional metrics aside from simply fast flux when creating the algorithm that selects addresses to send to its own fast flux feed, which is used by devices and threat intelligence customers, Dunker said.

"For example, several legitimate content distribution networks look suspicious to the base algorithm used in our industry, but they are easy to filter out based on other factors," he said.

Over the two years that RiskAnalytics has been examining Zbot, the botnet has in fact reused a number of IP addresses that it cycles through as part of the fast flux approach. Dunker noted that his company frequently sees the same infected systems recur after being silent for a period of time.

"Sometimes an entire domain will fall out of use for a while and return to service days, weeks or months later," he said. "At one point in late May while writing the paper, we found out that 23 of infected systems we identified when we first began researching it in 2014 had still been recently participating in the same botnet."

Dunker expects that the Zbot botnet will continue to grow and that more services will use it as time goes on. Crowder noted that RiskAnalytics assumes that the Zbot network has to be a profitable enterprise that will continue to be sold as a service on the black market for the foreseeable future.

"Just like we have seen different ransomware using this network, we will continue to see new or other types of malware used in this network," he said.

Crowder worries that the next generation of the botnet could expand to other networks or expand into the Internet of things (IoT). If smart TVs, appliances and other connected devices become part of the Zbot botnet, it would be even more challenging to track and stop.

"Unless the Zbot code is leaked or the criminals who sell and host it are exposed, the only realistic thing we can do is monitor the activity of the network and try to contain it," Crowder said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.