Tracking FastFlux Networks

During an investigation two weeks ago, we discovered a malware sample that used a new malicious domain: auth-update.ru. The domain pointed to multiple suspicious, rotating IPs.

We are still tracking this large fast-flux network and keep finding more domains associated with it. Some of these domains include:

Each domain has been observed serving multiple types of malware and C&C servers:

  • Zeus/Kazy
  • CryptoWall 3
  • FAREIT Spyware
  • Dyre + Dridex

We have obtained thousands of IP addresses from this network, mostly from Ukraine and Russia. Running dig this morning revealed more addresses:

$> date
Thu 26 Mar 2015 09:55:50 EDT
$> dig downs1.ru +short
195.66.220.205
178.150.135.236
109.108.252.93
88.156.84.155
24.10.15.65
109.229.23.49
108.46.145.13
109.254.116.68
46.98.108.44
178.151.127.68
94.45.140.60
109.251.158.130
176.8.193.164
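Repeating that dig run over time and diffing the answers is what makes the churn visible. The tracker below is an added example, not the script from this post: it parses `dig +short` output, keeps first/last-seen per address, and flags a domain as fast-flux on a simple heuristic (distinct IPs, distinct /24s, low overlap between consecutive answers). The thresholds and the RFC 5737 sample addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample `dig <domain> +short` output from runs a few hours apart;
# the addresses are RFC 5737 documentation ranges, not indicators from the post.
RUNS = [
    ("2015-03-26T09:55", "flux-example.test", "192.0.2.10\n192.0.2.44\n198.51.100.7\n203.0.113.9\n"),
    ("2015-03-26T12:55", "flux-example.test", "192.0.2.10\n198.51.100.80\n203.0.113.200\n203.0.113.3\n"),
    ("2015-03-26T15:55", "flux-example.test", "198.51.100.23\n203.0.113.77\n192.0.2.250\n198.51.100.7\n"),
    ("2015-03-26T09:55", "static.test", "203.0.113.50\n"),
    ("2015-03-26T15:55", "static.test", "203.0.113.50\n"),
]

def parse_dig_short(text):
    """A records from `dig +short` output; CNAME, AAAA and blank lines are skipped."""
    ips = []
    for line in text.splitlines():
        try:
            ips.append(str(ipaddress.IPv4Address(line.strip())))
        except ValueError:
            pass
    return ips

class FluxTracker:
    """Per domain: first/last-seen and hit count per IP, plus each run's answer set."""
    def __init__(self):
        self.seen = defaultdict(dict)     # domain -> ip -> [first_seen, last_seen, hits]
        self.history = defaultdict(list)  # domain -> [(timestamp, set_of_ips), ...]

    def record(self, timestamp, domain, dig_output):
        ips = set(parse_dig_short(dig_output))
        for ip in ips:
            entry = self.seen[domain].setdefault(ip, [timestamp, timestamp, 0])
            entry[1], entry[2] = timestamp, entry[2] + 1
        self.history[domain].append((timestamp, ips))
        return ips

    def summary(self, domain):
        """Distinct IPs, distinct /24s, and mean Jaccard overlap of consecutive answers."""
        ips = set(self.seen[domain])
        nets = {str(ipaddress.ip_network(ip + "/24", strict=False)) for ip in ips}
        runs = [s for _, s in self.history[domain]]
        overlaps = [len(a & b) / len(a | b) for a, b in zip(runs, runs[1:]) if a | b]
        mean = sum(overlaps) / len(overlaps) if overlaps else 1.0
        return {"ips": len(ips), "nets": len(nets), "overlap": round(mean, 2)}

    def is_fast_flux(self, domain, min_ips=8, min_nets=3, max_overlap=0.5):
        """Heuristic: many IPs across many networks with an answer set that keeps churning."""
        s = self.summary(domain)
        return s["ips"] >= min_ips and s["nets"] >= min_nets and s["overlap"] <= max_overlap
```

In practice you would feed `record()` the stdout of `dig <domain> +short` from a scheduled job and page the first/last-seen table into your indicator store.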

Here are some IP reports on Cymon:

Below is a simple script that you can use to track and scrape the IP addresses that the fast-flux domain resolves to: