Tracking FastFlux Networks

During an investigation two weeks ago, we discovered a malware sample that used a new malicious domain. The domain resolved to multiple suspicious, rotating IP addresses.

We are still tracking this large fast-flux network and keep finding more domains associated with it. Some of these domains include:

Each domain has been observed serving multiple malware families and CnC servers:

  • Zeus/Kazy
  • CryptoWall 3
  • FAREIT Spyware
  • Dyre + Dridex

We have obtained thousands of IP addresses from this network, mostly located in Ukraine and Russia. Running dig this morning revealed more addresses:

$> date
Thu 26 Mar 2015 09:55:50 EDT
$> dig +short

Here are some IP reports on Cymon:

Below is a simple script you can use to track and scrape the IP addresses behind a fast-flux domain:
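The post's own script is not reproduced on this page. The following is an added example, not the author's script, that does the same job the post describes: it resolves a domain repeatedly with `dig +noall +answer` (the answer section keeps the TTL, which matters because fast-flux records typically carry very short TTLs), parses the A records, and accumulates every distinct address with first/last-seen times and the lowest TTL observed. The domain `example-flux.test`, the two rounds of dig output, and the `min_ips`/`max_ttl` thresholds are assumptions constructed for the offline demo; point it at a real domain on the command line to poll the live resolver.

```python
"""Track the rotating A records behind a suspected fast-flux domain.

Added example, not the original post's script. Sample dig output and the
domain name are constructed placeholders; thresholds are assumptions.
"""
import json
import re
import subprocess
import sys
import time

# One line of "dig +noall +answer" output: <name> <ttl> IN A <address>
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_dig_answer(text):
    """Return a list of (name, ttl, ip) tuples from dig +answer output.

    Lines that are not A records (CNAMEs, comments, blanks) are skipped.
    """
    records = []
    for line in text.splitlines():
        m = ANSWER_RE.match(line.strip())
        if m:
            records.append((m.group(1), int(m.group(2)), m.group(3)))
    return records


def update_tracker(tracker, records, now):
    """Merge one resolution round into tracker (ip -> stats); return new IPs."""
    new_ips = []
    for _name, ttl, ip in records:
        entry = tracker.get(ip)
        if entry is None:
            tracker[ip] = {"first_seen": now, "last_seen": now, "ttl": ttl, "hits": 1}
            new_ips.append(ip)
        else:
            entry["last_seen"] = now
            entry["ttl"] = min(entry["ttl"], ttl)  # keep the shortest TTL seen
            entry["hits"] += 1
    return new_ips


def looks_fast_flux(tracker, min_ips=5, max_ttl=300):
    """Heuristic: many distinct addresses, all with short TTLs (assumed thresholds)."""
    if len(tracker) < min_ips:
        return False
    return all(e["ttl"] <= max_ttl for e in tracker.values())


def run_dig(domain):
    """Call the real dig binary; return '' if dig is missing or times out."""
    try:
        out = subprocess.run(["dig", "+noall", "+answer", domain],
                             capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""
    return out.stdout


# Constructed sample: two rounds of answers for a placeholder domain.
SAMPLE_ROUNDS = [
    "example-flux.test.\t120\tIN\tA\t192.0.2.10\n"
    "example-flux.test.\t120\tIN\tA\t192.0.2.11\n"
    "example-flux.test.\t120\tIN\tA\t198.51.100.7\n",
    "example-flux.test.\t60\tIN\tA\t192.0.2.11\n"
    "example-flux.test.\t60\tIN\tA\t203.0.113.5\n"
    "example-flux.test.\t60\tIN\tA\t203.0.113.6\n"
    "example-flux.test.\t60\tIN\tA\t198.51.100.9\n",
]


def demo():
    """Run the tracker over the constructed rounds and return the tracker."""
    tracker = {}
    for i, text in enumerate(SAMPLE_ROUNDS):
        update_tracker(tracker, parse_dig_answer(text), now=1000 + 60 * i)
    return tracker


if __name__ == "__main__":
    if len(sys.argv) < 2:
        tracker = demo()
    else:
        tracker = {}
        try:  # poll every 60 s; Ctrl-C stops the loop and prints the results
            while True:
                new = update_tracker(tracker, parse_dig_answer(run_dig(sys.argv[1])), time.time())
                if new:
                    print("new:", ", ".join(new))
                time.sleep(60)
        except KeyboardInterrupt:
            pass
    print(json.dumps(tracker, indent=2, sort_keys=True))
    print("fast-flux?", looks_fast_flux(tracker))
```

Run with no arguments to see the constructed demo; with a domain it keeps polling and prints each newly observed address, so you can leave it running and feed the JSON into whatever you use for IP reputation lookups.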