Unifying the Global Response to Cybercrime
Monitoring a Fast Flux Botnet using
Recursive and Passive DNS
A Case Study
Dhia Mahjoub, OpenDNS
September 18th, 2013
Outline
• Real time monitoring system
• Botnet geo distribution
• Botnet daily cycle
• OS distribution
• Daily detected domains
• Domains and IPs lifetime
• Kelihos domains usage
• Malware samples
• Collaboration with MalwareMustDie
• Detection, analysis, reporting, takedown, cleanup, etc
Introduction
• What is fast flux?
• A DNS-based redundancy/evasion technique
• A domain resolves to many IPs, spread over many ASNs and countries (CCs), with a relatively low TTL
• Variant: a domain resolves to a single IP with TTL=0, so every query can return a different host
• Used for Kelihos dropper domains (via BH, Red Kit EK), trojan CnCs, spam, scam, pharmacy and dating domains
Real Time Monitoring System
While true
1. Select a seed of domains with a confirmed profile
2. Continuously milk domains for IPs
3. Continuously “inverse lookup” IPs in passive DNS, for new domains that start resolving to these IPs
4. Check detected domains for known profile (e.g. TTL, registration, existence of payload, etc)
5. Add new domains to the initial seed
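The loop above, as an added example that is not code from the talk or from OpenDNS's system: a Python simulation that runs the seed / milk / inverse-lookup / profile-check / feedback cycle over a constructed recursive-DNS table and a constructed passive-DNS inverse index. Every domain, IP, registration age and the "known botnet pool" below is made up. The profile check applies the exclusions the deck lists (sinkholed, higher TTL, IPs outside the botnet pool or on shared hosting, old registration). The real system runs forever and re-milks domains continuously; here a work queue makes the run terminate.

```python
from collections import deque

# --- constructed data (not real Kelihos observations) -----------------------
# Recursive-DNS view: domain -> (A-record TTL in seconds, list of A records)
RECURSIVE = {
    "seed-a.example":   (0, ["198.51.100.7", "198.51.100.9"]),
    "new-b.example":    (0, ["198.51.100.7", "203.0.113.20"]),
    "old-c.example":    (0, ["198.51.100.9"]),
    "slow-d.example":   (3600, ["203.0.113.20"]),
    "sink-e.example":   (0, ["198.51.100.7"]),
    "shared-f.example": (0, ["203.0.113.20", "192.0.2.80"]),
    "new-g.example":    (0, ["203.0.113.20"]),
    "benign-h.example": (300, ["192.0.2.80"]),
}
# Passive-DNS view: ip -> domains historically seen resolving to that ip,
# derived from the table above so the two views agree.
PASSIVE = {}
for _domain, (_ttl, _ips) in RECURSIVE.items():
    for _ip in _ips:
        PASSIVE.setdefault(_ip, set()).add(_domain)

BOTNET_POOL = {"198.51.100.7", "198.51.100.9", "203.0.113.20"}  # known infected hosts
SINKHOLED = {"sink-e.example"}                                   # assumed sinkhole list
REG_AGE_DAYS = {"seed-a.example": 3, "new-b.example": 1, "old-c.example": 400,
                "slow-d.example": 2, "sink-e.example": 5, "shared-f.example": 1,
                "new-g.example": 2, "benign-h.example": 900}
MAX_REG_AGE_DAYS = 30  # assumed cutoff for "recent registration"


def milk(domain):
    """Step 2: resolve the domain; the fake resolver returns all its IPs at once."""
    ttl, ips = RECURSIVE[domain]
    return ttl, set(ips)


def inverse_lookup(ip):
    """Step 3: passive-DNS inverse lookup, domains that resolved to this IP."""
    return set(PASSIVE.get(ip, ()))


def profile_check(domain):
    """Step 4 / post-discovery checks. Returns None if the domain matches the
    sought-after profile, otherwise the reason it is excluded."""
    if domain in SINKHOLED:
        return "sinkholed"
    ttl, ips = milk(domain)
    if ttl != 0:
        return "ttl=%d" % ttl
    if not ips <= BOTNET_POOL:            # shared hosting / non-botnet IP
        return "ip outside botnet pool"
    if REG_AGE_DAYS.get(domain, 10 ** 6) > MAX_REG_AGE_DAYS:
        return "old registration"
    return None


def monitor(seed, max_rounds=100):
    """Run the feedback loop from a confirmed seed. Returns (confirmed, rejected)."""
    confirmed = set(seed)
    rejected = {}
    queue = deque(seed)
    seen_ips = set()
    rounds = 0
    while queue and rounds < max_rounds:
        rounds += 1
        domain = queue.popleft()
        _ttl, ips = milk(domain)
        for ip in ips - seen_ips:
            seen_ips.add(ip)
            for candidate in inverse_lookup(ip):
                if candidate in confirmed or candidate in rejected:
                    continue
                reason = profile_check(candidate)
                if reason is None:
                    confirmed.add(candidate)   # step 5: feed back into the seed
                    queue.append(candidate)
                else:
                    rejected[candidate] = reason
    return confirmed, rejected


if __name__ == "__main__":
    found, dropped = monitor(["seed-a.example"])
    print("confirmed:", sorted(found))
    print("rejected:", dropped)
```

Note that `benign-h.example` is never examined: it shares an IP only with `shared-f.example`, which is rejected before its non-pool IP gets milked, so a shared-hosting address never drags unrelated domains into the seed.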
Build seed domains list
• Resolve domains to IPs, TTL
• Resolve domains to NSs, TTL
• Build graph of domain, IP, NS
• Extract clusters of “same TTL domains”
• For each TTL cluster, extract largest connected component from domain, IP, NS graph
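Seed construction as described on this slide, as an added illustration rather than the author's code: a Python sketch that groups constructed lookup results by A-record TTL, builds the domain / IP / NS graph for each TTL cluster, and keeps the largest connected component as the seed. Domain names, IPs and name servers are constructed; the `min_size` cutoff that drops singleton components is an assumption.

```python
from collections import defaultdict, deque

# Constructed lookups (not real data): domain -> (A-record TTL, A records, NS names)
LOOKUPS = {
    "a1.example": (0, ["198.51.100.7"], ["ns1.reg-x.example"]),
    "a2.example": (0, ["198.51.100.9"], ["ns1.reg-x.example"]),
    "a3.example": (0, ["198.51.100.7", "203.0.113.20"], ["ns2.reg-y.example"]),
    "a4.example": (0, ["192.0.2.5"], ["ns9.other.example"]),      # same TTL, no shared IP/NS
    "b1.example": (1440, ["203.0.113.60"], ["ns1.bp.example"]),
    "b2.example": (1440, ["203.0.113.61"], ["ns1.bp.example"]),
    "b3.example": (1440, ["203.0.113.70"], ["ns7.elsewhere.example"]),
    "c1.example": (3600, ["192.0.2.99"], ["ns.legit.example"]),
}


def ttl_clusters(lookups):
    """Group domains by the TTL of their A records ("same TTL domains")."""
    clusters = defaultdict(set)
    for domain, (ttl, _ips, _nss) in lookups.items():
        clusters[ttl].add(domain)
    return clusters


def connected_components(domains, lookups):
    """Connected components of the domain/IP/NS graph restricted to `domains`.
    Nodes are (kind, value) tuples; each domain is joined to its IPs and NSs.
    Returns a list of sets holding only the domain names of each component."""
    adj = defaultdict(set)
    for domain in domains:
        _ttl, ips, nss = lookups[domain]
        for node in [("ip", ip) for ip in ips] + [("ns", ns) for ns in nss]:
            adj[("domain", domain)].add(node)
            adj[node].add(("domain", domain))
    seen, components = set(), []
    for domain in sorted(domains):
        start = ("domain", domain)
        if start in seen:
            continue
        component, queue = set(), deque([start])
        seen.add(start)
        while queue:                      # BFS over domains, IPs and NSs alike
            node = queue.popleft()
            if node[0] == "domain":
                component.add(node[1])
            for nxt in adj[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        components.append(component)
    return components


def build_seed(lookups, min_size=2):
    """For each TTL cluster keep the largest connected component as seed domains."""
    seed = {}
    for ttl, domains in ttl_clusters(lookups).items():
        largest = max(connected_components(domains, lookups), key=len)
        if len(largest) >= min_size:
            seed[ttl] = sorted(largest)
    return seed


if __name__ == "__main__":
    for ttl, domains in sorted(build_seed(LOOKUPS).items()):
        print("TTL=%d:" % ttl, ", ".join(domains))
```

In the constructed data the TTL=0 cluster splits into {a1, a2, a3} (linked through a shared IP and a shared name server) and the isolated a4, so only the former becomes seed; the lone TTL=3600 domain is dropped by the size cutoff.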
Use case: Kelihos FF domains
• Various gTLDs and ccTLDs; each lookup returns a single IP with TTL=0; hosted on the (growing) Kelihos botnet IP pool, i.e. infected individual machines; recently registered; delivering malware executables with known names
• Recorded case(s) of a domain resolving to several IPs with TTL=600 (cocala.asia) or TTL=300
Use case: Spam FF domains
• Work-from-home, weight loss, fake news and casino spam; TTL=1440; hosted on shared hosting IPs at a small number of lax, abused, or bulletproof (BP) hosting ASNs
Post-discovery checks
Exclude:
• Sinkholed domains
• Domains not matching the sought-after profile, e.g. higher TTL, not using the botnet IP pool, on shared hosting, old registration, not hosting malware payloads
Kelihos FF domains Case Study: Results
Kelihos
• Info-stealer
• Spam botnet
• P2P structure with fallback FF CnC domains
• Checks the victim's IP against known CBLs; if it is not listed, the victim's machine can be used as a proxy CnC or as a spam bot
Kelihos
• Sample of 712 domains from the past 6 months: 541 2LDs, 171 3LDs
TLD distribution
• Most abused registrars: bizcn, internet.bs, PDR LTD., 1API GmbH, REGGI-REG-RIPN (through resellers)
Botnet Geo distribution
• Sample of 28,560 IPs -> 106 countries
• Link to interactive map
Botnet Daily Cycle
• Activity follows the daily cycle of the Ukraine/Russia time zones
OS distribution
• 85% of hosts run Windows XP or Vista
• 1/3 of those run Win XP PocketPC/CE
• Win XP PocketPC/CE is used in banks and corporate environments
Daily detected Kelihos domains
Domains and IPs lifetime
• Statistics on the lifetime of domains and the duration of IP usage in the botnet
• -> measure the efficiency of takedown and cleanup
• -> measure the efficiency of the criminals' operation and the botnet's growth
Domains’ lifetime counts
Chart: counts = f(domain lifetime in days)
IPs’ lifetime counts
Chart: counts = f(IP lifetime in days)
Botnet's IPs lifetime (chart)
IPs’ lifetime (cont’d)
• 2624 IPs lasted 1 day
• 19416 lasted less than a day
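How the lifetime charts on the preceding slides (counts as a function of domain or IP lifetime in days) are derived from first-seen / last-seen timestamps, as an added example that is not the author's code. The observation log below is constructed; the bucketing (whole days, with everything under 24 hours, including a single sighting, in the 0 bucket) is an assumption that reproduces the distinction between "lasted 1 day" and "lasted less than a day".

```python
from collections import Counter
from datetime import datetime

# Constructed observation log (not real data): (entity, timestamp) meaning the
# domain was seen resolving, or the IP was seen being resolved to, at that time.
OBSERVATIONS = [
    ("dom1.example", "2013-08-01T03:00"), ("dom1.example", "2013-08-01T21:00"),  # 18 h
    ("dom2.example", "2013-08-01T03:00"), ("dom2.example", "2013-08-02T10:00"),  # 31 h
    ("dom3.example", "2013-08-01T00:00"), ("dom3.example", "2013-08-13T12:00"),  # 12.5 d
    ("dom4.example", "2013-08-05T08:00"),                                         # one sighting
    ("198.51.100.7", "2013-08-01T03:00"), ("198.51.100.7", "2013-08-01T04:00"),  # 1 h
    ("198.51.100.9", "2013-08-01T03:00"), ("198.51.100.9", "2013-08-02T03:00"),  # exactly 24 h
    ("203.0.113.20", "2013-08-01T00:00"), ("203.0.113.20", "2013-08-31T00:00"),  # 30 d
]


def lifetimes(observations):
    """Return entity -> timedelta between its first and last observation."""
    first, last = {}, {}
    for entity, stamp in observations:
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M")
        first[entity] = min(first.get(entity, when), when)
        last[entity] = max(last.get(entity, when), when)
    return {entity: last[entity] - first[entity] for entity in first}


def lifetime_histogram(observations):
    """Counts = f(lifetime in whole days); spans under 24 h fall in bucket 0."""
    histogram = Counter()
    for span in lifetimes(observations).values():
        histogram[span.days] += 1
    return dict(histogram)


def share_at_most(histogram, days):
    """Fraction of entities whose lifetime is at most `days` whole days."""
    total = sum(histogram.values())
    short = sum(count for day, count in histogram.items() if day <= days)
    return short / total


if __name__ == "__main__":
    hist = lifetime_histogram(OBSERVATIONS)
    for day in sorted(hist):
        print("%3d day(s): %d" % (day, hist[day]))
    print("gone within a day: %.0f%%" % (100 * share_at_most(hist, 1)))
```

The same two functions run once over domain sightings and once over IP sightings give the two charts; the bucket-0 count is what the "lasted less than a day" figure on this slide reports.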
Kelihos Domains Usage
• Kelihos malware dropper sites
• Trojan CnC
• Exploit redirectors via iframe injection
• Discuss example(s)
CB, Iframe injection->Keli redirector
• http://labs.umbrella.com/2013/07/30/tracking-versatile-kelihos-domains/
Malware Exes names stats (chart)
Malware samples
• VirusTotal report for calc.exe: http://bit.ly/18mEF6D
• Payload is repacked several times a day
• VirusTotal report for cornel2.exe: http://bit.ly/19zCtrf
• VT detection ratio got as low as 1/45
• rasta02.exe (3/45 on Sep 1): http://bit.ly/18mlVpv
• cornel2.exe (1/45 on Sep 1): http://bit.ly/18mm0cV
SGraph demo
• dw6ioiw.luqpuiz.net
• http://urlquery.net/report.php?id=5488906
• byy18.ralnyix.net
• http://urlquery.net/report.php?id=5524644
• e6tni.awbijis.net
• http://urlquery.net/report.php?id=5251670
Collaboration with @MalwareMustDie
• Dedicated security researchers/engineers
• Detection:
• Real-time monitoring system
• Daily zone files/regex
• Malware payload analysis
• Report domains to the appropriate bodies, e.g. registrars, ICANN, for suspension or sinkholing
• Report infected IPs to ISPs and regional CERTs for cleanup
-> Efficient operation, but more cooperation is needed
Conclusion
• Real-time monitoring/detection system
• DNS-based view of the Kelihos FF botnet
• Large-scale infection of machines
• Diverse usage of the botnet and its domains
• More collaboration from authorities is needed for rapid takedown of domains; otherwise infection spread and botnet growth run rampant (70%)
Contact Info
• Contact me at [email protected] if you are interested in:
• Asking questions
• Collaborating
• Follow me on Twitter @DhiaLite
• Blogs http://labs.umbrella.com/author/dhia/
• Follow @MalwareMustDie