marauder or scanning your dnsdb for fun and profit - source boston

!

Marauder or Scanning your DNSDB for Fun and Profit

Dhia!Mahjoub!OpenDNS!

April!10th,!2014!Boston!

Short!Bio!

•  Senior!Security!Researcher!at!OpenDNS!

•  PredicAve!threat!detecAon!based!on!DNS!traffic!and!hosAng!infrastructure!analysis!

•  CS!PhD!graduate!from!Southern!Methodist!University!

!!!!IIIIIII>!Go!Mustangs!!

!

•  Graph!Theory!applied!on!Wireless!Sensor!Networks!problems!(network!lifeAme,!rouAng)!

•  Enjoyed!wriAng!sniffers,!port!scanners!in!C…!

Outline!

•  DNSDB!

•  Marauder!

•  ImplementaAon!

•  ASN!graph!

•  Use$case$1:$Suspicious!Sibling!Leaf!ASNs!!•  Use$Case$2:!Rogue!ASN!deIpeered!or!gone!stealth!•  Use$Case$3:!ASN(s)!abused!or!lax!about!content!•  Marauder:!PlaZorm,!tools,!libraries!used!

•  Marauder!in!acAon!

•  Use$case$4:!Malicious!subIallocated!ranges!

•  Use$case$5:!PredicAng!Malicious!domains!IP!infrastructure!

•  Conclusion!

querylogs! authlogs!

DNS$data$

OpenDNS’!Network!Map!

$DNSDB$

$

Passive!DNS!

•  Introduced!by!Florian!Weimar!in!2004!

•  Passive!DNS!builds!zone!replicas!without!cooperaAon!from!zone!administrators!

•  Captures!messages!between!DNS!servers!

•  Messages!are!processed,!deIduplicated,!and!DNS!records!are!consolidated!in!an!indexed!database!

!I>!Historical!DNS!database!(DNSDB)!

Passive!DNS!(cont’d)!

!Various!Services!

1.  hbp://www.bd.de/bd_dnslogger_en.html!

2.  DNSDB!(Farsight!Security)!hbps://www.dnsdb.info/!

3.  Umbrella!SGraph!(reIdubbed!InvesAgate)!hbps://sgraph.opendns.com/main!

4.  VirusTotal!DNSDB!•  hbps://github.com/gamelinux/passivedns!

•  hbps://github.com/chrislee35/passivednsIclient!

Why!is!DNSDB!useful?!

D!

D!

D!

D!

IP!

IP!

NS!

IP!

NS!

+$TIME$

Domain!

IP!address!

Name!server!

Streaming!AuthoritaAve!DNS!

•  Tap!into!processed!authoritaAve!DNS!stream!before!it’s!consolidated!into!a!persistent!DB!

•  asn,!domain,!2LD,!IP,!NS_IP,!Amestamp,!TTL,!type!

•  Faster!

•  100s!–!1000s!entries/sec!(from!subset!of!resolvers)!

•  Need!to!implement!your!own!filters,!detecAon!heurisAcs!

$Marauder$

$

Marauder!

•  Maraud!(def):!To!rove!and!raid!in!search!for!plunder!

•  MarAn!BI26!Marauder!

•  WW2!mediumIrange!bomber!

•  Pacific,!Mediterranean,!Western!Europe!theaters!

Marauder!

•  Cruise!the!IP,!DNS!space!in!search!for!new!aback!domains,!IP!infrastructures!!

ImplementaAon!

1.  IP!watchlist!+!domain!filter(s)!+!more!post!detecAon!filter(s)!

•  IP!watchlist!<I!blacklist!feeds!+!other!heurisAcs!to!build!malicious/suspicious!IP!lists!

2.  Domain!detecAon!heurisAcs:!name!pabern,!IP,!NS,!age,!traffic!volume!

Building!the!IP!watchlist!!

Mo<va<on!•  Assess!malicious!IP!ranges!in!BGP!prefixes,!ASNs!

from!a!new!perspecAve!

•  Look!beyond!the!simple!counAng!of!number!of!bad!domains,!bad!IPs!hosted!on!prefixes!of!an!ASN!

How$?$•  Look!at!topology!of!AS$graph$•  Look!at!smaller!granularity!than!BGP!prefix:!!

!subGallocated$ranges$within!BGP!prefixes!

AS!graph!

•  BGP!rouAng!tables!

•  Valuable!data!sources!

•  Routeviews!hbp://archive.routeviews.org/bgpdata/!

•  CidrIreport!hbp://www.cidrIreport.org/as2.0/!

•  Hurricane!Electric!database!hbp://bgp.he.net/!

•  Your!own!rouAng!tables!if!you!operate!your!own!worldwide!BGP!routers!

•  500,000+$BGP$prefixes$•  46,000+$ASNs$

AS!graph!

•  Route!Views!hbp://archive.routeviews.org/bgpdata/!

AS!graph!

•  Cidr!Report!hbp://www.cidrIreport.org/as2.0/!

AS!graph!

•  Hurricane!Electric!database!hbp://bgp.he.net/!

AS!graph!

•  Show!one!line!of!the!BGP!rouAng!table!

•  TABLE_DUMP2|1392422403|B|96.4.0.55|11686|67.215.94.0/24|11686!4436!2914!36692|IGP|96.4.0.55|0|0||NAG||!

•  The!AS!graph!changes!constantly:!•  New!prefixes!(with!their!routes)!are!announced!

•  Old!prefixes!are!dropped!

•  IntenAonal,!human!error,!hardware!faults,!or!malicious!

AS!graph!

AS!graph!


•  We!can!extract!two!types!of!useful!data:!

!1.!Upstream!and!downstream!ASNs!of!every!ASN!

!2.!IP!to!ASN!mapping!(via!prefix!to!ASN!mapping)!•  pyasn,!Python!IP!to!ASN!lookup!module!!

!hbps://code.google.com/p/pyasn/!

•  Team!Cymru!IP!to!ASN!mapping!

•  GeoIPASNum.dat!from!maxmind!

•  curl!ipinfo.io/8.8.8.8/org!

AS!graph!

•  Build!AS!graph!

•  Directed!graph:!node=ASN,!a!directed!edge!from!an!ASN!to!an!upstream!ASN!


AS!graph!

•  Directed!graph:!node=ASN,!a!directed!edge!from!an!ASN!to!an!upstream!ASN!

Interes<ng$cases:$•  Leaf!ASNs!that!are!siblings,!i.e.!they!have!common!

parents!in!the!AS!graph!(share!same!upstream!AS)!

•  Cluster!the!leaves!by!country!

•  Find!interesAng!paberns:!certain!siblings!in!certain!countries!are!delivering!similar!suspicious!campaigns!

$Use$Case$1:$

Suspicious$Sibling$leaf$ASNs$$

Leaf!ASNs!and!their!upstreams!

•  January!8th!topology!snapshot,!Ukraine,!Russia!

•  10!sibling!leaf!ASNs!with!2!upstream!ASNs!

•  /23!or!/24!serving!TrojWare.Win32.KrypAk.AXJX!

•  !TrojanIDownloader.Win32.Ldmon.A!•  hbp://telussecuritylabs.com/threats/show/TSL20130715I08!


•  February!21st!topology!snapshot,!Ukraine,!Russia!

!

•  AS31500!detached!itself!from!the!leaves!(stopped!announcing!their!prefixes)!

•  More!leaves!started!hosAng!suspicious!payload!domains!

•  3100+!malware!domains!on!1020+!IPs!hosAng!malware!


•  Taking!a!sample!of!160!live!IPs!

•  Server!setup!is!similar:!

50!IPs!with:!22/tcp$$$open$$ssh$$$$$$$$OpenSSH$6.2_hpn13v11$(FreeBSD$20130515;$protocol$2.0)$8080/tcp$open$$h[pGproxy$3Proxy$h[p$proxy$Service$Info:$OS:$FreeBSD$!

108!IPs!with:$22/tcp$open$$ssh$$$$$OpenSSH$5.3$(protocol$1.99)$80/tcp$open$$h[p?$


•  The!payload!url!were!live!on!the!enAre!range!of!IPs!before!any!domains!were!hosted!on!them!

•  So,!the!IP!infrastructure!is!set!up!in!bulk!and!in!advance!

•  hbp://pastebin.com/X83gkPY4!$

$Use$Case$2:$

ASN$abused$or$lax$about$shady$content$

$

Example!ASNs!abused!or!lax!

•  Wordstream!hosAng!fake!merchandise,!Exploit!kit!domains,!XXX!themed!sites,!etc!

•  Resellers!using!IP!space!of!larger!providers!

•  e.g.!IxamIhosAng!uses!Voxility!

•  Other!abused!ASNs!like!OVH,!LeaseWeb,!etc!

•  Ranking!of!ASNs:!sitevet.com!

$

$Use$Case$3:$

Rogue$ASN$deGpeered$or$gone$stealth$$

$

Rogue!ASN!deIpeered!or!gone!stealth!

•  AS48031!XSERVERIIPINETWORKIAS!PE!Ivanov!Vitaliy!Sergeevich!86400!

•  Serving!browlock,!porn,!radical!forums,!spam,!etc!

•  “PE!Ivanov!Vitaliy!Sergeevich!malware”!


Romanian!Man!Commits!Suicide!and!Kills!His!4IYearIOld!ayer!Falling!for!Police!Ransomware!


•  AS48031!XSERVERIIPINETWORKIAS!PE!Ivanov!Vitaliy!Sergeevich!86400!•  176.103.48.0/20!48031!

•  193.169.86.0/23!48031!

•  193.203.48.0/22!48031!

•  193.30.244.0/22!48031!

•  194.15.112.0/22!48031!

•  196.47.100.0/24!48031!

•  91.207.60.0/23!48031!

•  91.213.8.0/24!48031!

•  91.217.90.0/23!48031!

•  91.226.212.0/23!48031!

•  91.228.68.0/22!48031!

•  93.170.48.0/22!48031!

•  94.154.112.0/20!48031!

Rogue!ASN!deIpeered!or!stealth!

$Marauder:$Pla_orm,$tools,$

libraries$used$$

PlaZorm!and!tools!used!IHadoop!cluster!!IRaw!logs!on!HDFS!!IIndexed!DNSDB!in!HBase!!IPython,!shell,!Gnu!Parallel!!IStreaming,!zmq!!

Python!libraries!

•  Happybase:!developerIfriendly!Python!library!to!interact!with!Apache!HBase!

!hbp://happybase.readthedocs.org/en/latest/!

!Column!I>!value!

!Single!row:!domain,$<me,$type,$IP$G>$TTL$•  Search!DNSDB!by!IP,!name!

•  Forward!lookup!for!domain!to!get!history!of!IPs,!TTL!

•  Inverse!lookup!for!IP!to!get!mapping!domain(s)!over!Ame!

Python!libraries!

•  Happybase:!!import$happybase$#protect$in$a$try$catch$connec<on$=$happybase.Connec<on(’server.com',$compat='0.90')$table$=$connec<on.table('authlogs')$_domain$=$“google.com”$for$key,$data$in$table.scan(row_prefix=_domain):$

$domain,<me,type,$ip$=$key.split(":")$$ip_[l$=$ip$+$"$"$+$data['name2rr:v']$#$if$you$need$the$TTL$

Python!libraries!

•  IPy:!Python!class!and!tools!for!handling!of!IPv4!and!IPv6!addresses!and!networks!

!hbps://github.com/haypo/pythonIipy/wiki!

!Use!it!to!flaben!a!CIDR!into!a!list!of!IPs$!from$IPy$import$IP$$cidr$=$IP('127.0.0.0/30')$$for$ip$in$cidr:$$ $print$ip$

Python!libraries!

•  PySubnetTree:!Python!data!structure!SubnetTree!which!maps!subnets!given!in!CIDR!notaAon!to!Python!objects.!!

•  Lookups!are!performed!by!longestIprefix!matching.!

!hbp://www.bro.org/download/README.pysubnebree.html!

!Use!it!to!map!IP!to!BGP!prefix!and/or!ASN!

!!

•  A!row!in!the!prefix!to!ASN!database!(file):!

$1.22.232.0/24$45528$

Python!libraries!

•  PySubnetTree:!!Load!pref_asn!db!then!do!lookups!on!IPs!

import$SubnetTree$pref_asn_db$=$SubnetTree.SubnetTree()$f_pref_asn$=$open(“prefGasn",$'r')$….$pref_asn_db[“1.22.232.0/24”]=“1.22.232.0/24$45528”$ip$=$“1.22.232.7”$cidr$=$pref_asn_db[ip].split()[0]$

Python!libraries!

•  PyASN:!Python!extension!module!(wriben!in!C)!that!allows!to!perform!very!fast!IP!to!ASN!lookups!

!hbps://code.google.com/p/pyasn/!

•  pygeoip:$Map!IP!to!country!code!

hbps://pypi.python.org/pypi/pygeoip!

•  networkx:!Python!package!to!manipulate!graphs!

!hbp://networkx.github.io/!

!

!

$

$Marauder$in$ac<on$

$

Marauder!in!acAon!

•  Input:!IP,!BGP!prefix,!or!ASN!

•  Use!DNSDB!(HBase)!

•  Use!auth!DNS!stream!

HBase:$1) !IP:!direct!lookup!

2) !BGP!prefix!I>!flaben!prefixI>!fork!processes!(GNU!parallel!processes!or!threads)!to!query!HBase!for!every!IP!

3) !ASN!I>!get!list!of!prefixes!from!pref_asn_db!I>!process!every!prefix!like!in!2)!

$Use$Case$4:$

Malicious$subGallocated$ranges$$

Malicious!subIallocated!ranges!

•  Case!of!OVH!

•  SubIallocated!ranges!reserved!by!same!suspicious!customers,!serving!Nuclear!Exploit!kit!domains!

•  Users!are!lead!to!the!Exploit!landing!sites!through!malverAsing!campaigns,!then!malware!is!dropped!on!vicAms’!machines!(e.g.!zbot)!

•  Monitoring!paberns!for!5!months:!Oct$2013GFeb$2014$


•  For!several!months,!OVH!ranges!were!abused!

•  Notable!fact:!IPs!were!exclusively!used!for!hosAng!Nuclear!Exploit!subdomains,!no!other!sites!hosted!

!

!

!


•  Some!OVH!subIallocated!ranges!used!in!JanIFeb!2014!

192.95.50.208!I!192.95.50.215!

198.50.183.68!I!198.50.183.71!

192.95.42.112!I!192.95.42.127!

192.95.6.112!I!192.95.6.127!

192.95.10.208!I!192.95.10.223!

192.95.7.224!I!192.95.7.239!

192.95.43.160!I!192.95.43.175!

192.95.43.176!I!192.95.43.191!

198.50.131.0!I!198.50.131.15!


•  Feb!7th,!bad!actors!moved!to!a!Ukrainian!hosAng!provider!hbp://www.besthosAng.ua/!

•  31.41.221.143!2014I02I14!2014I02I14!0!

•  31.41.221.142!2014I02I12!2014I02I14!2!

•  31.41.221.130!2014I02I12!2014I02I14!2!•  31.41.221.140!2014I02I12!2014I02I12!0!

•  31.41.221.139!2014I02I12!2014I02I12!0!

•  31.41.221.138!2014I02I11!2014I02I12!1!

•  31.41.221.137!2014I02I10!2014I02I11!1!

•  31.41.221.136!2014I02I10!2014I02I11!1!

•  31.41.221.135!2014I02I10!2014I02I10!0!

•  31.41.221.134!2014I02I09!2014I02I19!10!

•  31.41.221.132!2014I02I08!2014I02I09!1!

•  31.41.221.131!2014I02I07!2014I02I08!1!

!

!


•  Feb!14th,!bad!actors!moved!to!a!Russian!hosAng!provider!hbp://pinspb.ru/!

•  5.101.173.10!2014I02I21!2014I02I22!1!

•  5.101.173.9!2014I02I19!2014I02I21!2!

•  5.101.173.8!2014I02I19!2014I02I19!0!•  5.101.173.7!2014I02I18!2014I02I19!1!

•  5.101.173.6!2014I02I18!2014I02I18!0!

•  5.101.173.5!2014I02I17!2014I02I18!1!

•  5.101.173.4!2014I02I17!2014I02I17!0!

•  5.101.173.3!2014I02I16!2014I02I17!1!

•  5.101.173.2!2014I02I15!2014I02I16!1!

•  5.101.173.1!2014I02I14!2014I02I15!1!


•  Feb!22nd,!bad!actors!moved!back!to!OVH!

!

!

•  Notable!fact:!They!change!MO,!IPs!have!been!allocated!and!used!in!the!past!for!other!content!I>!evasion!technique!or!resource!recycling!

•  But!during!all!this!Ame,!bad!actors!sAll!kept!the!name!server!infrastructure!on!OVH!on!ranges!reserved!by!same!customers!

Malicious!subIallocated!ranges!•  198.50.143.73$2013G11G25$2014G02G24$91$•  198.50.143.69$2013G11G25$2014G02G24$91$•  198.50.143.68$2013G11G25$2014G02G24$91$•  198.50.143.67$2013G11G26$2014G02G24$90$•  198.50.143.65$2013G11G24$2014G02G23$91$•  198.50.143.66$2013G11G25$2014G02G23$90$•  198.50.143.64!2013I11I24!2014I01I25!62!

•  198.50.143.75!2013I12I03!2013I12I10!7!

•  198.50.143.79!2013I11I25!2013I12I10!15!•  198.50.143.78!2013I11I25!2013I12I10!15!

•  198.50.143.74!2013I11I25!2013I12I10!15!

•  198.50.143.72!2013I11I25!2013I12I10!15!

•  198.50.143.71!2013I11I25!2013I12I10!15!

•  198.50.143.76!2013I11I25!2013I12I09!14!

•  198.50.143.70!2013I11I26!2013I12I09!13!

•  198.50.143.77!2013I11I26!2013I12I05!9!


•  hbp://labs.umbrella.com/2014/02/14/whenIipsIgoInuclear/!

•  hbp://pastebin.com/SX5R69vY!

•  hbp://pastebin.com/KuxpNJwV!

Abused!TLDs!

•  Nuclear!has!been!abusing!various!TLDs,!ccTLDs!(Feb!2014)!

•  .pw!for!a!while!

•  Take!down!campaign!with!MalwareMustDie!

•  Moved!to!.ru!and!.in.net!

•  Then!back!to!.pw!

$Use$Case$5:$

Predic<ng$malicious$domains$IP$infrastructure$

$

Malicious!subIallocated!ranges!(Feb!2014)!

•  For!Nuclear,!In!addiAon!to!subIallocated!ranges!reserved!by!same!actors!(for!OVH!case)!

•  The!live!IPs!all!have!same!server!setup!(fingerprint):!

•  31.41.221.131!to!31.41.221.143!22/tcp$$open$$ssh$$$$$OpenSSH$5.5p1$Debian$6+squeeze4$(protocol$2.0)$80/tcp$$open$$h[p$$$$nginx$web$server$0.7.67$111/tcp$open$$rpcbind$

•  5.101.173.1!to!5.101.173.10!22/tcp$$open$$ssh$$$$$OpenSSH$6.0p1$Debian$4$(protocol$2.0)$80/tcp$$open$$h[p$$$$nginx$web$server$1.2.1$111/tcp$open$$rpcbind$

Malicious!subIallocated!ranges!(Feb!2014)!

•  198.50.143.64!to!198.50.143.79!22/tcp$$open$$$$$ssh$$$$$$$$$$OpenSSH$5.5p1$Debian$6+squeeze4$(protocol$2.0)$80/tcp$$open$$$$$h[p$$$$$$$$$nginx$web$server$0.7.67$445/tcp$filtered$microsoqGds!

•  In!some!cases,!IPs!are!brought!online!in!small!chunks!

•  The!name!server!IPs!also!have!the!same!fingerprint!

•  CombinaAon!of!these!different!indicators!has!made!predicAons!100%!accurate!for!the!past!months.!Bad!actors!change!their!MO,!but!this!approach!works!on!other!abacks!

•  I>!We!block/monitor!IPs!before!they!start$hos<ng$domains!

Conclusion!•  PredicAve!threat!detecAon!based!on:!

•  Monitoring!of!DNS!traffic!(recursive!and!authoritaAve)!

!and!!

•  hosAng!infrastructure!

•  Shut!down!the!bad!actors!infrastructure!at!the!hosAng!provider;!reseller!level!or!lowest!common!upstream!ancestor!(with!bad!reputaAon!and!repeated!offenses)!

References!•  Discovering!Fast!Flux!domains!using!Machine!Learning!

!Presented!at!BSides$New$Orleans$2013$

•  Real!Ame!monitoring!of!Kelihos!Fast!Flux!botnet!!Presented!at!APWG$eCrime$2013$

•  Fast!detecAon!of!malicious!domains!using!DNS!!Presented!at!BSides$Raleigh$2013$

•  The!power!of!the!team!work!–!Management!of!DissecAng!Kelihos!Fast!Flux!Botnet!“Unleashed”!!!Presented!at!BotConf$2013$

!

Contact!Info!

•  [email protected]!if!you!are!interested!in:!

•  Asking!quesAons!•  CollaboraAng!

•  Twiber!@DhiaLite!

•  Blogs!hbp://labs.umbrella.com/author/dhia/!

Thank!you!!

(Q!&!A)!

marauder or scanning your dnsdb for fun and profit - source boston

Technology

profit dhia