Unifying the Global Response to Cybercrime
Monitoring a Fast Flux Botnet using Recursive and Passive DNS
A Case Study
Dhia Mahjoub, OpenDNS
September 18th, 2013
Outline
• Real time Monitoring System
• Botnet geo distribution
• Botnet daily cycle
• OS distribution
• Daily detected domains
• Domains and IPs lifetime
• Kelihos domains usage
• Malware samples
• Collaboration with MalwareMustDie
• Detection, analysis, reporting, takedown, cleanup, etc.
Introduction
• What is Fast flux?
• DNS-based redundancy/evasion technique
• Domain resolves to many IPs, many ASNs, many CCs, relatively low TTL
• Domain resolves to 1 IP with TTL=0
• Used for Kelihos dropper domains via the BH (Blackhole) and Red Kit exploit kits, trojan CnCs, spam, scam, pharmacy, dating domains
Real Time Monitoring System
While true
1. Select a seed of domains with a confirmed profile
2. Continuously milk domains for IPs
3. Continuously “inverse lookup” IPs in passive DNS, for new domains that start resolving to these IPs
4. Check detected domains for the known profile (e.g. TTL, registration, existence of payload, etc.)
5. Add new domains to the initial seed
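As an added illustration (not code from the talk or from OpenDNS), the loop above as a small Python simulation. The recursive resolver and the passive DNS index are constructed in-memory dictionaries standing in for live resolution and a passive DNS database, and the profile check is deliberately the minimal one from slide 6 (one IP, TTL=0). A real deployment never terminates; the simulation stops when a round adds nothing.

```python
"""Simulation of the 'while true' monitoring loop (added example, not the
talk's own code). All data is constructed; IPs are RFC 5737 documentation
addresses."""
from typing import Dict, List, Set, Tuple

# Constructed stand-in for live recursive DNS: domain -> (IPs, TTL).
LIVE_DNS: Dict[str, Tuple[List[str], int]] = {
    "seed-a.example": (["198.51.100.10"], 0),
    "seed-b.example": (["198.51.100.11"], 0),
    "new-1.example": (["198.51.100.10"], 0),
    "new-2.example": (["198.51.100.12"], 0),      # fluxed to another bot IP since passive DNS last saw it
    "new-3.example": (["198.51.100.12"], 0),
    "sinkholed.example": (["192.0.2.50"], 3600),  # was on a bot IP once, now points at a sinkhole
    "shared-host.example": (["203.0.113.5"], 1440),
}

# Constructed stand-in for a passive DNS index: IP -> every domain ever seen on it.
PASSIVE_DNS: Dict[str, Set[str]] = {
    "198.51.100.10": {"seed-a.example", "new-1.example", "sinkholed.example"},
    "198.51.100.11": {"seed-b.example", "new-2.example"},
    "198.51.100.12": {"new-2.example", "new-3.example"},
    "203.0.113.5": {"shared-host.example"},
}

# Step 1: a seed of domains whose profile has already been confirmed.
SEED: Set[str] = {"seed-a.example", "seed-b.example"}


def milk(domains: Set[str], resolver: Dict[str, Tuple[List[str], int]]) -> Set[str]:
    """Step 2: resolve every domain and collect the IPs it currently points to."""
    ips: Set[str] = set()
    for d in domains:
        rec = resolver.get(d)
        if rec:
            ips.update(rec[0])
    return ips


def inverse_lookup(ips: Set[str], passive: Dict[str, Set[str]]) -> Set[str]:
    """Step 3: ask passive DNS which domains have been seen resolving to these IPs."""
    found: Set[str] = set()
    for ip in ips:
        found.update(passive.get(ip, set()))
    return found


def matches_profile(domain: str, resolver: Dict[str, Tuple[List[str], int]], max_ttl: int = 0) -> bool:
    """Step 4 (minimal form): live record exists, a single IP, TTL at most max_ttl."""
    rec = resolver.get(domain)
    if rec is None:
        return False
    ips, ttl = rec
    return len(ips) == 1 and ttl <= max_ttl


def monitor(seed: Set[str], resolver, passive, max_rounds: int = 10):
    """Steps 1-5. Returns (confirmed domains, botnet IPs, rejected domains).

    The real system loops forever; here a round that discovers no new
    candidate ends the simulation."""
    confirmed = set(seed)
    rejected: Set[str] = set()
    botnet_ips: Set[str] = set()
    for _ in range(max_rounds):
        botnet_ips |= milk(confirmed, resolver)
        candidates = inverse_lookup(botnet_ips, passive) - confirmed - rejected
        if not candidates:
            break
        for d in sorted(candidates):
            # Step 5: only domains that pass the profile check join the seed.
            (confirmed if matches_profile(d, resolver) else rejected).add(d)
    return confirmed, botnet_ips, rejected


if __name__ == "__main__":
    conf, ips, rej = monitor(SEED, LIVE_DNS, PASSIVE_DNS)
    print("confirmed:", sorted(conf))
    print("botnet IPs:", sorted(ips))
    print("rejected:", sorted(rej))
```

Note how the sinkholed domain is surfaced by the inverse lookup (passive DNS remembers it on a bot IP) but is rejected by the live check, and how `new-3.example` is only reached in the second round, after `new-2.example` has dragged a third IP into the pool. The shared-hosting domain is never even a candidate because none of its IPs is in the pool.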
Build seed domains list
• Resolve domains to IPs, TTL
• Resolve domains to NSs, TTL
• Build graph of domain, IP, NS
• Extract clusters of “same TTL domains”
• For each TTL cluster, extract largest connected component from domain, IP, NS graph
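The seed-building steps above as an added Python example (not the talk's or OpenDNS's code). The resolution results are a constructed table of domain -> (IPs, name servers, TTL); the graph has domain, IP and NS nodes with domain-IP and domain-NS edges, and for each TTL cluster the largest connected component supplies the seed domains. The `min_size` threshold is an assumption, so a lone legitimate domain is not turned into a one-domain seed.

```python
"""Build a seed list from a domain/IP/NS graph clustered by TTL
(added example, not the talk's own code; data is constructed)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Node = Tuple[str, str]   # (kind, value), kind in {"domain", "ip", "ns"}
Record = Tuple[List[str], List[str], int]   # (IPs, name servers, TTL)

# Constructed resolution results: domain -> (IPs, NSs, TTL).
RECORDS: Dict[str, Record] = {
    "k1.example": (["198.51.100.10"], ["ns1.flux.example"], 0),
    "k2.example": (["198.51.100.11"], ["ns1.flux.example"], 0),
    "k3.example": (["198.51.100.11"], ["ns2.flux.example"], 0),
    "lone.example": (["198.51.100.99"], ["ns9.other.example"], 0),
    "s1.example": (["203.0.113.5"], ["ns1.host.example"], 1440),
    "s2.example": (["203.0.113.5"], ["ns2.host.example"], 1440),
    "legit.example": (["192.0.2.8"], ["ns1.legit.example"], 3600),
}


def ttl_clusters(records: Dict[str, Record]) -> Dict[int, Dict[str, Record]]:
    """Group domains into 'same TTL' clusters."""
    clusters: Dict[int, Dict[str, Record]] = defaultdict(dict)
    for domain, rec in records.items():
        clusters[rec[2]][domain] = rec
    return clusters


def build_graph(records: Dict[str, Record]) -> Dict[Node, Set[Node]]:
    """Undirected graph: each domain is linked to the IPs and NSs it resolves to."""
    adj: Dict[Node, Set[Node]] = defaultdict(set)
    for domain, (ips, nss, _ttl) in records.items():
        d: Node = ("domain", domain)
        for neighbour in [("ip", ip) for ip in ips] + [("ns", ns) for ns in nss]:
            adj[d].add(neighbour)
            adj[neighbour].add(d)
    return adj


def connected_components(adj: Dict[Node, Set[Node]]) -> List[Set[Node]]:
    """Iterative DFS over the graph; returns one node set per component."""
    seen: Set[Node] = set()
    components: List[Set[Node]] = []
    for start in list(adj):
        if start in seen:
            continue
        comp: Set[Node] = set()
        stack = [start]
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            comp.add(node)
            stack.extend(adj.get(node, set()) - seen)
        components.append(comp)
    return components


def build_seed(records: Dict[str, Record], min_size: int = 2) -> Dict[int, Set[str]]:
    """For each TTL cluster, keep the domains of its largest connected component.

    min_size (an assumption) drops clusters whose biggest component is a
    single isolated domain."""
    seeds: Dict[int, Set[str]] = {}
    for ttl, cluster in ttl_clusters(records).items():
        components = connected_components(build_graph(cluster))
        largest = max(components, key=len)
        domains = {value for kind, value in largest if kind == "domain"}
        if len(domains) >= min_size:
            seeds[ttl] = domains
    return seeds


if __name__ == "__main__":
    for ttl, domains in sorted(build_seed(RECORDS).items()):
        print(f"TTL={ttl}: {sorted(domains)}")
```

In the constructed data the TTL=0 cluster splits into two components: `k1`/`k2`/`k3` are tied together through a shared IP and a shared name server, while `lone.example` shares nothing and is left out of the seed. The TTL=1440 cluster becomes a second seed (the spam-profile shape from the next slides), and the single TTL=3600 domain is discarded.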
Use case: Kelihos FF domains
• Various gTLDs, ccTLDs, 1 single IP, TTL=0, hosted on Kelihos botnet IP pool (growing), infected individual machines, recent registration, delivering malware executables with known names
• Recorded case(s) of a domain resolving to several IPs with TTL=600 (e.g. cocala.asia) or TTL=300
Use case: Spam FF domains
• Work from home, weight loss, fake news, casino spam, TTL=1440, hosted on shared hosting IPs at a small number of lax, abused, or bulletproof (BP) hosting ASNs
Post-discovery checks
Exclude:
• Sinkholed domains
• Domains not matching sought after profile, e.g. higher TTL, not using botnet IP pool, shared hosting, old registration, not hosting malware payloads
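The post-discovery checks above, together with the Kelihos profile from the use-case slide (TTL=0, botnet IP pool, recent registration, malware payload), as an added Python example that is not the talk's or OpenDNS's code. The sinkhole lists, the botnet IP pool, the shared-hosting list and the 60-day "recent registration" threshold are assumptions; observations are constructed records, with `serves_payload` standing for the result of a payload check done elsewhere.

```python
"""Post-discovery triage of candidate domains (added example, not the talk's
own code). Reference lists and observations are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass
class Observation:
    """What the monitoring system knows about a newly discovered domain."""
    domain: str
    ips: List[str]
    ttl: int
    name_servers: List[str]
    registered: date        # registration date from WHOIS
    serves_payload: bool    # a known malware executable name was seen on the host


# Constructed reference data (assumptions; a real system maintains these lists).
BOTNET_POOL: Set[str] = {"198.51.100.10", "198.51.100.11", "198.51.100.12"}
SHARED_HOSTING: Set[str] = {"203.0.113.5"}
SINKHOLE_IPS: Set[str] = {"192.0.2.50"}
SINKHOLE_NS_SUFFIXES: Tuple[str, ...] = ("sinkhole.example",)
MAX_REGISTRATION_AGE_DAYS = 60   # assumed meaning of "recent registration"


def is_sinkholed(obs: Observation) -> bool:
    """Exclude domains pointed at a known sinkhole IP or sinkhole name server."""
    if set(obs.ips) & SINKHOLE_IPS:
        return True
    return any(ns.endswith(SINKHOLE_NS_SUFFIXES) for ns in obs.name_servers)


def profile_mismatches(obs: Observation, today: date) -> List[str]:
    """Every way the observation departs from the Kelihos FF profile."""
    reasons: List[str] = []
    if obs.ttl > 0:
        reasons.append(f"higher TTL ({obs.ttl})")
    if not set(obs.ips) <= BOTNET_POOL:
        reasons.append("not using botnet IP pool")
    if set(obs.ips) & SHARED_HOSTING:
        reasons.append("shared hosting")
    if (today - obs.registered).days > MAX_REGISTRATION_AGE_DAYS:
        reasons.append("old registration")
    if not obs.serves_payload:
        reasons.append("not hosting malware payloads")
    return reasons


def triage(observations: List[Observation], today: date) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split candidates into kept domains and excluded domains with reasons."""
    kept: List[str] = []
    excluded: Dict[str, List[str]] = {}
    for obs in observations:
        if is_sinkholed(obs):
            excluded[obs.domain] = ["sinkholed"]
            continue
        reasons = profile_mismatches(obs, today)
        if reasons:
            excluded[obs.domain] = reasons
        else:
            kept.append(obs.domain)
    return kept, excluded


# Constructed observations for the date of the talk's sample.
TODAY = date(2013, 9, 1)
SAMPLE: List[Observation] = [
    Observation("good.example", ["198.51.100.10"], 0, ["ns1.flux.example"], date(2013, 8, 20), True),
    Observation("sink.example", ["192.0.2.50"], 3600, ["ns1.sinkhole.example"], date(2013, 3, 1), False),
    Observation("shared.example", ["203.0.113.5"], 1440, ["ns1.host.example"], date(2012, 1, 15), False),
    Observation("nopayload.example", ["198.51.100.11"], 300, ["ns1.flux.example"], date(2013, 8, 25), False),
]


if __name__ == "__main__":
    kept, excluded = triage(SAMPLE, TODAY)
    print("kept:", kept)
    for domain, reasons in excluded.items():
        print(f"excluded {domain}: {', '.join(reasons)}")
```

Keeping every reason rather than stopping at the first one is deliberate: the reasons are what an analyst reviews when a domain is dropped, and a candidate that fails only on TTL (here `nopayload.example` at TTL=300) is exactly the kind of borderline case the earlier slide records as a variant of the profile.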
Kelihos FF domains Case Study: Results
Kelihos
• Info-stealer
• Spam botnet
• P2P structure with fallback FF CnC domains
• Checks the victim’s IP against known CBLs; if it is not listed, the victim’s machine can be used as a proxy CnC or spam bot
Kelihos (cont’d)
• Sample of 712 domains from the past 6 months, 541 2LDs, 171 3LDs
TLD distribution
• Most abused registrars: bizcn, internet.bs, PDR LTD., 1API Gmbh, REGGI-REG-RIPN through resellers
Botnet Geo distribution
• Sample of 28560 IPs -> 106 countries
• Link to interactive map
Botnet Daily Cycle
• Follows the daily cycle of the Ukraine/Russia time zone
OS distribution
• 85% of hosts running Windows XP or Vista
• 1/3 of them running Win XP PocketPC/CE
• Win XP PocketPC/CE used in banks and corporate environments
Daily detected Kelihos domains
Domains and IPs lifetime
• Statistics on lifetime of domains and duration of usage of IPs in the botnet
• -> Efficiency of takedown, cleanup
• -> Efficiency of criminals’ operation and botnet growth
Domains’ lifetime counts
Counts = f(domain lifetime in days)
IPs’ lifetime counts
Counts = f(IP lifetime in days)
Botnet’s IPs lifetime
IPs’ lifetime (cont’d)
• 2624 IPs lasted 1 day
• 19416 lasted less than a day
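The lifetime statistics from the preceding slides (Counts = f(domain lifetime in days), Counts = f(IP lifetime in days), and the split between IPs that lasted one day and IPs that lasted less than a day) as an added Python example, not the talk's or OpenDNS's code. It assumes lifetime means last-seen minus first-seen in passive DNS, and it buckets by whole days so that sub-day lifetimes land in bucket 0 and exactly-one-day lifetimes in bucket 1; the records are constructed.

```python
"""Lifetime histograms from passive-DNS first/last-seen timestamps
(added example, not the talk's own code; records are constructed)."""
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]   # (name, first_seen, last_seen) as ISO 8601

# Constructed passive-DNS style records for botnet IPs.
IP_RECORDS: List[Record] = [
    ("198.51.100.10", "2013-08-01T03:00:00", "2013-08-01T09:30:00"),  # 6.5 hours
    ("198.51.100.11", "2013-08-01T03:00:00", "2013-08-02T03:00:00"),  # exactly 1 day
    ("198.51.100.12", "2013-08-01T00:00:00", "2013-08-05T12:00:00"),  # 4.5 days
    ("198.51.100.13", "2013-08-03T22:00:00", "2013-08-03T22:05:00"),  # 5 minutes
]

# Constructed records for fast flux domains.
DOMAIN_RECORDS: List[Record] = [
    ("k1.example", "2013-07-01T00:00:00", "2013-07-03T00:00:00"),  # 2 days
    ("k2.example", "2013-07-02T10:00:00", "2013-07-02T11:00:00"),  # 1 hour
    ("k3.example", "2013-07-02T00:00:00", "2013-07-14T06:00:00"),  # 12.25 days
]


def lifetime_days(first_seen: str, last_seen: str) -> float:
    """Lifetime in (fractional) days between first and last observation."""
    first = datetime.fromisoformat(first_seen)
    last = datetime.fromisoformat(last_seen)
    if last < first:
        raise ValueError(f"last_seen {last_seen} precedes first_seen {first_seen}")
    return (last - first).total_seconds() / 86400.0


def lifetime_histogram(records: List[Record]) -> Counter:
    """Counts = f(lifetime in whole days). Bucket 0 holds lifetimes under a day."""
    return Counter(int(lifetime_days(first, last)) for _, first, last in records)


def lifetime_summary(records: List[Record]) -> Dict[str, int]:
    """The three figures a takedown/cleanup discussion needs: how many
    entries lasted less than a day, exactly one day, or longer."""
    hist = lifetime_histogram(records)
    return {
        "sub_day": hist[0],
        "one_day": hist[1],
        "longer": sum(count for days, count in hist.items() if days > 1),
    }


if __name__ == "__main__":
    for label, records in (("IPs", IP_RECORDS), ("domains", DOMAIN_RECORDS)):
        hist = lifetime_histogram(records)
        print(label, "histogram:", dict(sorted(hist.items())))
        print(label, "summary:", lifetime_summary(records))
```

The whole-day bucketing is the point: an IP observed for six hours and one observed for twenty-three hours both count as "less than a day", which is the category that dominates the slide's numbers and is what a short-lived infected host looks like in passive DNS.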
Kelihos Domains Usage
• Kelihos malware dropper sites
• Trojan CnC
• Exploit redirectors via Iframe injection
• Discuss example(s)
CB, Iframe injection->Keli redirector
• http://labs.umbrella.com/2013/07/30/tracking-versatile-kelihos-domains/
Malware Exes names stats
Malware samples
• VirusTotal report calc.exe http://bit.ly/18mEF6D
• Payload repacked several times a day
• VirusTotal report cornel2.exe http://bit.ly/19zCtrf
• VT detection ratio got as low as 1/45
• rasta02.exe (3/45 on Sep 1) http://bit.ly/18mlVpv
• cornel2.exe (1/45 on Sep 1) http://bit.ly/18mm0cV
SGraph demo
• dw6ioiw.luqpuiz.net
• http://urlquery.net/report.php?id=5488906
• byy18.ralnyix.net
• http://urlquery.net/report.php?id=5524644
• e6tni.awbijis.net
• http://urlquery.net/report.php?id=5251670
Collaboration with @MalwareMustDie
• Dedicated security researchers/engineers
• Detection
• RT monitoring system
• Daily zone files/regex
• Malware payload analysis
• Report domains to appropriate bodies, e.g. registrars, ICANN, for suspension, sinkholing
• Report infected IPs to ISPs, regional CERTs for cleanup
-> Efficient operation, but needs more cooperation
Conclusion
• RT monitoring/detection system
• DNS-based view of Kelihos FF botnet
• Large scale infection of machines
• Diverse usage of botnet/domains
• More collaboration of authorities needed for rapid takedown of domains; otherwise the spread of infections and botnet growth are rampant (70%)
Contact Info
• Contact me at [email protected] if you are interested in:
• Asking questions
• Collaborating
• Follow me on Twitter @DhiaLite
• Blogs http://labs.umbrella.com/author/dhia/
• Follow @MalwareMustDie