Fast Detection of New Malicious Domains using DNS
DESCRIPTION
OpenDNS Security Researcher Dhia Mahjoub presented this talk at BSides Raleigh on October 18th, 2013.
TRANSCRIPT
Fast Detection of New Malicious Domains using DNS
Dhia Mahjoub, OpenDNS
October 18th, 2013

Outline
• DNS infrastructure
• Monitoring/detection system
• Domain/IP watch list
• Post-detection filtering
• Implementation
• Use cases
  • FF Kelihos domains, EK domains, Ransomware, Trojans
• Conclusion
DNS big data (slide figure: query logs and auth logs)
OpenDNS' Network Map (slide figure)
Malicious use of DNS
• Botnet/Malware C&C
• DGAs
• Fast flux
• DNS amplification attacks

Our Focus
• Attack domains, not compromised domains
  -> Exploit kit domains
  -> Malware delivery domains
Fast Flux Monitoring/Detection System
• TTL=0 Kelihos Fast Flux domains: 7-month study presented at APWG eCrime 2013
  http://labs.umbrella.com/2013/09/24/real-time-monitoring-kelihos-fast-flux-botnet-case-study-presented-apwg-ecrime-2013/
• TTL=150
• TTL=300
• TTL=1440, spam domains

Fast Flux Monitoring/Detection System
While true:
1. Select a seed of Kelihos domains w/ a confirmed profile
2. Continuously milk domains for IPs
3. Continuously "inverse lookup" IPs in passive DNS, for new domains that start resolving to these IPs
4. Check detected domains for known profile (e.g. TTL, registration, existence of payload, etc)
5. Add new domains to the initial seed

Kelihos domains profile
• Various gTLDs, ccTLDs, 1 single IP, TTL=0, hosted on Kelihos botnet IP pool (growing), infected individual machines, recent registration, delivering malware executables with known names
• Recorded case(s) of domain resolving to several IPs with TTL=600, cocala.asia, or TTL=300
Generalized Monitoring/Detection System
• While true
  • Read IP watch list, launch parallel process for every IP
  • A process performs IP inverse lookup against DNSDB
  • Every process returns new domains for IP
  • Join all processes' output, check against blacklist
  • Keep only new domains
  • Perform parallelized post discovery checks using different heuristics: traffic pattern, name pattern, extra IP reputation check, etc.
  • Add new domains to blacklist
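The seed-and-grow loop of the two preceding slides (milk seed domains for IPs, inverse-lookup those IPs in passive DNS, keep new domains that match the profile, feed them back into the seed) can be written in a few dozen lines. The following is an added example, not code from the talk or from OpenDNS: the passive DNS table, domain names, IP addresses and the whitelist are all constructed for the demonstration, and the "profile" is reduced to the TTL=0 criterion that can be checked offline. The parallel inverse lookups use a thread pool in place of the per-IP processes the slide describes.

```python
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor

# Constructed passive-DNS table standing in for the indexed DNSDB: (domain, ip, ttl).
# Every name and address here is made up for this example.
PDNS_RECORDS = [
    ("alpha-ff.example",   "203.0.113.10", 0),
    ("beta-ff.example",    "203.0.113.10", 0),
    ("beta-ff.example",    "203.0.113.11", 0),     # same domain on a second flux IP
    ("beta-ff.example",    "198.51.100.5", 0),     # ...and briefly on a shared-hosting IP
    ("gamma-ff.example",   "203.0.113.11", 0),
    ("legit-blog.example", "203.0.113.11", 3600),  # long TTL: fails the profile check
    ("shop.example",       "198.51.100.5", 0),     # TTL=0 too; only the whitelist protects it
]

# The Kelihos profile from the talk reduced to the one criterion we can check offline.
PROFILE = {"ttl": 0}


def build_index(records):
    """Two views of the table: ip -> {domain: ttl} for inverse lookups,
    domain -> {ip} for 'milking' a domain for its IPs."""
    by_ip, by_domain = defaultdict(dict), defaultdict(set)
    for domain, ip, ttl in records:
        by_ip[ip][domain] = ttl
        by_domain[domain].add(ip)
    return by_ip, by_domain


def inverse_lookup(by_ip, ip):
    """Passive-DNS inverse lookup: every domain seen resolving to this IP, with its TTL."""
    return dict(by_ip.get(ip, {}))


def matches_profile(ttl, profile):
    return ttl == profile["ttl"]


def discovery_round(watch_list, blacklist, whitelist, by_ip, profile, workers=4):
    """One pass of the loop: parallel inverse lookups for every watched IP, join the
    results, drop domains already blacklisted, keep only those matching the profile."""
    targets = sorted(ip for ip in watch_list if ip not in whitelist)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda ip: (ip, inverse_lookup(by_ip, ip)), targets))
    new = {}
    for ip, domains in results:
        for domain, ttl in domains.items():
            if domain not in blacklist and matches_profile(ttl, profile):
                new.setdefault(domain, set()).add(ip)
    return new


def run_monitor(seed_domains, whitelist, records, profile=PROFILE, max_rounds=10):
    """Seed -> milk IPs -> inverse lookup -> profile check -> grow seed, until nothing new.
    Returns the final blacklist, the IPs that ended up watched, and the per-round finds."""
    by_ip, by_domain = build_index(records)
    blacklist = set(seed_domains)
    watch_list = set()
    for domain in seed_domains:
        watch_list |= by_domain.get(domain, set())
    rounds = []
    for _ in range(max_rounds):
        new = discovery_round(watch_list, blacklist, whitelist, by_ip, profile)
        if not new:
            break
        rounds.append(sorted(new))
        blacklist |= set(new)
        for domain in new:
            watch_list |= by_domain.get(domain, set())  # confirmed domains feed the watch list
    return blacklist, watch_list, rounds


if __name__ == "__main__":
    found, watched, rounds = run_monitor({"alpha-ff.example"}, {"198.51.100.5"}, PDNS_RECORDS)
    for i, batch in enumerate(rounds, 1):
        print(f"round {i}: {batch}")
    print("blacklist:", sorted(found))
    print("watched IPs:", sorted(watched))
```

Run as-is, the loop needs two rounds: the seed's IP yields beta-ff, beta-ff's second IP yields gamma-ff, and the third round finds nothing and stops. The shared-hosting IP is milked into the watch list but never queried while it is whitelisted; drop the whitelist and shop.example is swept up too, which is exactly the false-positive class the talk's Whitelist slide is there to prevent.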
Watch list selection
• Continuous background process
• Different methods/heuristics to harvest new IPs with high risk potential
• Use fresh blacklist, 3rd party BL domain list

Watch list selection (cont'd)
• Resolve IPs and cluster by popularity, age, attack theme
  -> IP observed to host exclusively EK domains or ransomware
  -> Similar name pattern of hosted domains
  -> Similar traffic pattern
• Remove IPs on large shared hosting providers unless exceptions (e.g. keep OVH CIDR dedicated to malware), sinkholes, other IP profiles that could cause FPs
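The watch-list builder the two slides above describe (resolve a fresh blacklist, cluster by hosting IP, keep IPs with several recently registered domains and a dominant attack theme, and drop shared-hosting ranges except for sub-ranges known to be dedicated to malware, plus sinkholes) is shown here as an added example, not code from the talk. The blacklist resolutions, the "shared hosting" prefix, the exception sub-range and the sinkhole address are all constructed from documentation IP ranges; the OVH prefix mentioned on the slide is not used.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed input: resolutions of a fresh blacklist, as (domain, ip, age_in_days, theme).
# Addresses come from documentation ranges; the theme is what the blacklist source tagged.
BLACKLIST_RESOLUTIONS = [
    ("ek-one.example",    "198.51.100.17",  2,   "EK"),
    ("ek-two.example",    "198.51.100.17",  1,   "EK"),
    ("ek-three.example",  "198.51.100.17",  3,   "EK"),
    ("rw-one.example",    "203.0.113.40",   5,   "ransomware"),
    ("rw-two.example",    "203.0.113.40",   4,   "ransomware"),
    ("mix-one.example",   "203.0.113.9",    2,   "EK"),
    ("mix-two.example",   "203.0.113.9",    2,   "EK"),
    ("mix-three.example", "203.0.113.9",    6,   "ransomware"),
    ("lonely.example",    "192.0.2.8",      4,   "EK"),
    ("aged-one.example",  "192.0.2.50",     900, "ransomware"),
    ("aged-two.example",  "192.0.2.50",     700, "ransomware"),
    ("sink-one.example",  "198.51.100.200", 1,   "EK"),
    ("sink-two.example",  "198.51.100.200", 1,   "EK"),
]

# A large shared-hosting prefix to drop, with the slide's kind of exception: one sub-range
# observed to be dedicated to malware stays eligible. Sinkhole addresses are dropped outright.
SHARED_HOSTING = [ipaddress.ip_network("203.0.113.0/24")]
EXCEPTIONS = [ipaddress.ip_network("203.0.113.32/27")]
SINKHOLES = {"198.51.100.200"}


def in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def excluded(ip):
    """Reason to keep an IP off the watch list, or None if it is a candidate."""
    if ip in SINKHOLES:
        return "sinkhole"
    if in_any(ip, SHARED_HOSTING) and not in_any(ip, EXCEPTIONS):
        return "shared hosting"
    return None


def build_watch_list(resolutions, min_domains=2, max_age_days=30):
    """Cluster blacklisted domains by hosting IP (popularity), keep IPs with enough
    recently registered domains (age), and record the dominant attack theme.
    Returns (watch_list, dropped) so the exclusions can be audited."""
    per_ip = defaultdict(list)
    for domain, ip, age, theme in resolutions:
        per_ip[ip].append((domain, age, theme))
    watch, dropped = {}, {}
    for ip, entries in per_ip.items():
        reason = excluded(ip)
        if reason:
            dropped[ip] = reason
            continue
        fresh = [(d, t) for d, age, t in entries if age <= max_age_days]
        if len(fresh) < min_domains:
            dropped[ip] = "too few fresh domains"
            continue
        themes = Counter(t for _, t in fresh)
        watch[ip] = {"domains": len(fresh), "theme": themes.most_common(1)[0][0]}
    return watch, dropped


if __name__ == "__main__":
    watch, dropped = build_watch_list(BLACKLIST_RESOLUTIONS)
    for ip, info in sorted(watch.items()):
        print(f"watch {ip}: {info}")
    for ip, why in sorted(dropped.items()):
        print(f"drop  {ip}: {why}")
```

Two IPs survive: the one with three fresh exploit-kit domains, and the one inside the shared-hosting /24 that falls in the excepted /27. The IP in the same /24 but outside the exception is dropped even though it hosts three fresh domains, which is the deliberate trade the slide describes: shared hosting is left out of the watch list unless the range is known to be dedicated to malware.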
Harvesting bad IPs
• When we discover new high risk IPs, why not just block IPs? Sure, we can, and we often do!
• But you lose intel and investigative material related to domains: name patterns, DGAs, dynamic DNS usage, malicious subdomains under legitimate compromised domains
Post detection checks
• Traffic pattern, name pattern, further IP reputation check
• If a spike or beginning of spike, then potential risk domain
• Exclude spam domains
• But spike means domain has already delivered attack

Post detection checks (cont'd)
• So preemptive blocking is necessary if domain has high potential of being an attack domain
• Not everything should be automated
• Human intel and investigation needed at times to remove FPs and add FN back -> Fine-tune the model
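The post-detection checks on these two slides combine three heuristics (traffic spike, shared name pattern among the domains on the same IP, IP reputation) with a spam exclusion, and the slides make the point that a spike arrives too late, so domains with no traffic yet must sometimes be blocked preemptively. The following is an added example, not code from the talk: the seven-day query counts, the hosting IPs, the spam and bad-reputation IP sets are all constructed, and the three-label names imitate the talk's .pl examples under a made-up TLD. The thresholds (a tenfold jump over every earlier day, at least 100 queries, half the co-hosted domains sharing a shape) are assumptions chosen for the sample data.

```python
from collections import Counter

# Constructed inputs: resolver query counts per domain for the last seven days (oldest
# first) and the IP each domain was discovered on. Names and addresses are made up.
QUERY_HISTORY = {
    "f9photo.ucuphahnui.kepno.example": [0, 0, 0, 0, 0, 3, 240],   # spike: already delivering
    "95oishi.maimuofief.pisz.example":  [0, 0, 0, 0, 0, 0, 0],     # no traffic yet
    "k2lamp.zotrebauf.pisz.example":    [0, 0, 0, 0, 0, 0, 1],
    "deals.mailblast.example":          [310, 295, 330, 301, 290, 320, 305],  # steady mailer
    "news.cityblog.example":            [120, 118, 125, 130, 122, 119, 121],  # steady, ordinary
}
HOSTING_IP = {
    "f9photo.ucuphahnui.kepno.example": "203.0.113.7",
    "95oishi.maimuofief.pisz.example":  "203.0.113.7",
    "k2lamp.zotrebauf.pisz.example":    "203.0.113.7",
    "deals.mailblast.example":          "198.51.100.9",
    "news.cityblog.example":            "203.0.113.7",
}
SPAM_IPS = {"198.51.100.9"}           # whitelist: IPs known to host only spam domains
BAD_REPUTATION_IPS = {"203.0.113.7"}  # IPs previously seen hosting exclusively EK/ransomware


def is_spike(counts, factor=10, min_queries=100):
    """A spike: the latest day is significant in absolute terms and far above every
    earlier day, so a long-standing busy domain never qualifies."""
    if len(counts) < 3:
        return False
    baseline = max(max(counts[:-1]), 1)
    return counts[-1] >= min_queries and counts[-1] >= factor * baseline


def name_signature(domain):
    """Shape of a name: label count, TLD, and whether the leading label mixes in digits.
    Generated names co-hosted on one IP tend to share a shape even when labels differ."""
    labels = domain.split(".")
    return (len(labels), labels[-1], any(c.isdigit() for c in labels[0]))


def cohosted_domains(ip, hosting=HOSTING_IP):
    return [d for d, h in hosting.items() if h == ip]


def name_pattern_share(domain, cohosted):
    """Fraction of the domains on the same IP that share this domain's shape."""
    if not cohosted:
        return 0.0
    shapes = Counter(name_signature(d) for d in cohosted)
    return shapes[name_signature(domain)] / len(cohosted)


def assess(domain, counts, ip, spam_ips=SPAM_IPS, bad_ips=BAD_REPUTATION_IPS, hosting=HOSTING_IP):
    """Return (verdict, reasons). Spam hosts are excluded first; otherwise each heuristic
    adds a reason, and the verdict depends on how many of them agree."""
    if ip in spam_ips:
        return "exclude-spam", ["ip on spam whitelist"]
    reasons = []
    if is_spike(counts):
        reasons.append("traffic spike")
    peers = cohosted_domains(ip, hosting)
    if len(peers) >= 3 and name_pattern_share(domain, peers) >= 0.5:
        reasons.append("shared name pattern")
    if ip in bad_ips:
        reasons.append("bad ip reputation")
    if len(reasons) >= 2:
        # Two independent signals without a spike yet: block before the attack is delivered.
        return ("block" if "traffic spike" in reasons else "block-preemptively"), reasons
    if reasons:
        return "manual-review", reasons  # one weak signal: a human removes the FP or confirms
    return "low", reasons


def assess_all(history=QUERY_HISTORY, hosting=HOSTING_IP):
    return {d: assess(d, counts, hosting[d])[0] for d, counts in history.items()}


if __name__ == "__main__":
    for domain, verdict in assess_all().items():
        print(f"{verdict:20} {domain}")
```

The domain that already spiked is blocked on three agreeing signals; its two siblings with no traffic at all are blocked preemptively on name pattern plus IP reputation alone, which is the slide's point about not waiting for the spike. The ordinary site that happens to share the bad IP gets only one signal and goes to manual review rather than the blacklist, and the mailer on the spam IP is excluded before any scoring, matching the "exclude spam domains" step.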
Platform and tools used
- Pig on Hadoop cluster
- Raw logs on HDFS
- Indexed DNSDB in HBase
- Python, shell, GNU Parallel

System in a nutshell
-> Constantly running process of harvesting fresh high risk IPs
-> Constantly running process of discovering fresh malicious domains
-> Constantly querying DNSDB with IP inverse lookups
Backend:
-> DNSDB constantly fed with authoritative traffic from all resolvers
Whitelist
• IPs hosting spam domains: a lot of IPs on AS15149, e.g. 216.169.100.133
• Shared hosting IPs with a large number of general purpose websites
Use cases
• Kelihos fast flux botnet
• Fake AV
• .pl domains used for Kovter and other
• Godaddy compromised domains
• Cryptolocker CnC discovery
• NuclearPack EK
• Browlock domains

Kelihos Fast flux
• Kelihos fast flux botnet
• Up until Sep 16th, about 984 domains (and subdomains) hosted on 28757 IPs
  http://labs.umbrella.com/2013/09/24/real-time-monitoring-kelihos-fast-flux-botnet-case-study-presented-apwg-ecrime-2013/
• Sample of domains of Aug-Sep: 399 domains on 8159 IPs
Fake AV
• 82.208.40.11 hosting 23502 Fake AV, Fake SW domains for 76 days
  https://www.virustotal.com/en/ip-address/82.208.40.11/information/
• Free domains under cz.cc, uni.me
• 176.31.125.91 hosting 6687 similar domains for 66 days
.pl used for ransomware
• Sample of .pl domains: 19267 domains on 12 IPs
• 3 level domains
  f9photo.ucuphahnui.kepno.pl
  95oishi.maimuofief.pisz.pl
• First 2 labels are DGAs
• Used in malvertising campaigns on adult websites leading to Exploit kit domains and Kovter ransomware dropping
  http://www.malekal.com/2013/07/31/en-urausy-adulrriendzfinder-malvertising-banner/
  (slide figure from malware.dontneedcoffee.com)
NuclearPack EK
-> 1523 domains on 198.50.225.113
  • 2 level domains under .biz
  • 1st label is random, 16 2LDs registered July 28th
  • hxxp://[email protected]:59902/0e724s2d10467436c6149sce02712a.html
-> 1378 domains on 198.50.235.198
  • 2 level domains under .biz
  • 1st label is random
  • hxxp://u5s1av.diwalipearl.biz:55252/5a9b00e34d8b18cb571ba56a357cfafc.html

NuclearPack EK
-> 198.50.235.200 became active on Oct 15th
  • Already hosting 400+ domains
  • hxxp://[email protected]:44142/4078c813508ad60acc95d0744365c68c.html
  • Shifting on 198.50.128.0/17 OVH prefix
Compromised GoDaddy domains
• Campaign of injecting malicious subdomains (3LDs) under legitimate/compromised Godaddy domains (2LDs)
• 5 IPs hosting 800 subdomains (3LDs) over 10 days in Aug-Sep
• Used to serve Cool exploit kit through CookieBomb attack on compromised websites and finally drop Reveton
  http://quequero.org/2013/09/active-cookiebomb-cve-2013-2465-reveton/
• Happened before in 2012 and happening again
  http://nakedsecurity.sophos.com/2012/11/23/hacked-go-daddy-ransomware/

Compromised GoDaddy domains (slide figure)
Cryptolocker CnCs
• Ransomware released early September 2013
• Encrypts your files and asks for a $300 ransom to get them back
• 2 initial Cryptolocker CnCs were picked up by the system a day before they were published on Sep 11
  • xeogrhxquuubt.com
  • qaaepodedahnslq.org
Browlock domains
• Browser-based ransomware targeted at countries in 3 different continents
• Example: 194.44.49.150 hosting 2629 subdomains over 26 days

Browlock domains (slide figure)

Browlock domains (cont'd)
• Browser-based ransomware targeted at countries in 3 different continents
• 193.169.87.15, 196.47.100.2, over a period of 13 days, hosting 8978 browlock domains and domains with adult-themed names that redirect to browlock

Browlock domains (cont'd) (slide figure)
Conclusion
• Ongoing research and work to increase coverage and accuracy of early detection of domains before they deliver attacks
• Extend coverage to shared hosting IPs
• Effective early detection/protection DNS-based system
• Use it with other protection methods: AV, IDS, etc.
• Experimentation in our lab with streaming technologies: Storm, Kafka, ZeroMQ -> Complementary with DNSDB-based detection system
Contact Info
• Contact me at [email protected] if you are interested in:
  • Asking questions
  • Collaborating
• Follow me on Twitter @DhiaLite
• Blogs: http://labs.umbrella.com/author/dhia/

Thank you
(Q & A)