#RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez
Presented at RootedCON 2012, Madrid. Reviews Cloud Malware Distribution and shows data-leak methods. Releases a new Flu-trojan flavor that uses DNS as its communication channel.

    Presentation Transcript

    • CMD: Look who's talking too. DNS: a botnet dialect
    • Francisco J. Gómez Rodríguez (fran@tid.es):
      – Computer Engineering (EUI-UPM)
      – Security Research (Telefonica R&D)
      – dig fran.rootedcon.themafia.info TXT
      Carlos Díaz Hidalgo (charlie@tid.es):
      – Telecommunications Engineer (ETSITM-UPM), GPEN, GCIH, OPST, ITILF and CCNA
      – Technology Specialist in Ethical Hacking (Telefonica R&D)
      – dig charlie.rootedcon.themafia.info TXT
    • Look who's talking too: "Nasal Spray". This presentation contains:
      – one year ago .................. 3 mg
      – cloud malware distribution .... 10 mg
      – dns is in the air ............. 10 mg
      – suspicion ..................... 8 mg
      – data leak ..................... 10 mg
      – laboratory .................... 10 mg
      4.4 FL OZ (130 mL). Tamper-Evident: do not accept if sealed blister unit has been broken or opened. THIS PACKAGE FOR HOUSEHOLDS WITHOUT YOUNG CHILDREN.
    • INTRODUCTION
    • One year ago …
      – We talked about DNS and malware.
      – We released Cloud Malware Distribution (CMD): an alternative method for malware distribution using cache DNS services, relying on the client's default DNS settings, with the malware source virtually untraceable.
    • A DNS shot
    • Cloud Malware Distribution in a nutshell (CMD)
    • Cloud Malware Distribution:
      1. Encoding: split the malware payload into DNS records.
      2. Publishing: publish the domain and each record on a public name server.
      3. Loading: force an open emitter DNS cache server to store all the records.
      4. Downloading: download the records from an infected host (bot).
      5. Decoding: rebuild the malware payload from the records.
      [Diagram: the records 8rjqerkjqet.cmdns.domain.com, ueirytbdosu.cmdns.domain.com, ktqtr53xase.cmdns.domain.com and kzmfzzmfzze.cmdns.domain.com; steps 1 and 2 at the publishing side, 3 at the open emitter DNS, 4 and 5 at the bot.]
    • Encoding & Publish. Cloud Malware Distribution (I):
      – From the malware file we create a base32-coded string.
      – Then we split the string into DNS-compliant records.
      [Diagram: the string 8rjqerkjqetueirytbdosuktqtr53xasekzmfzzmfzze is split into the labels 8rjqerkjqet, ueirytbdosu, ktqtr53xase and kzmfzzmfzze, published as records under cmdns.domain.com on the DNS AUTH (Freedns.afraid.org).]
    • Loading. Cloud Malware Distribution (II):
      – We upload each DNS record from a malicious DNS to the open emitter.
      – This is done by requesting each record from the open emitter DNS.
      – Then the server caches each record.
      [Diagram: queries "Split[1..n].cmdns.domain.com A?" sent to the open emitter DNS, which asks "cmdns.domain.com NS?" of the DNS AUTH (Freedns.afraid.org) and caches the four records.]
    • Downloading. Cloud Malware Distribution (III):
      – Since the open emitter server has cached all the records, we convert it into the domain's authoritative server.
      – From now on, the open emitter will resolve all queries for the domain.
      – Thus, all Internet DNS servers can resolve the malware records and bots can get them.
      [Diagram: DNS AUTH (Freedns.afraid.org); the open emitter DNS holding the four cached records; Downloading.]
    • Decoding. Cloud Malware Distribution (IV):
      – With all the retrieved records, bots can rebuild the original file.
      – The bot has now updated the malware file.
      [Diagram: the four records reassembled into 8rjqerkjqetueirytbdosuktqtr53xasekzmfzzmfzze.]
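    The five-step CMD flow above leaves a trace in a resolver's query log: one client fetching many distinct, long, random-looking leftmost labels under a single parent domain. The following Python is an added example written for this edit, not code from the talk, from Flu or from any tool named here; the query-log tuples are constructed (they reuse the four record names shown on the slides), and the entropy, length and count thresholds are my own choices that a deployment would tune against its own traffic.

```python
import math
from collections import defaultdict

# Constructed sample of resolver query log entries (client, qname, qtype); not from the talk.
# Client 10.0.0.7 fetches the four fragment records named on the slides, plus normal traffic.
SAMPLE_QUERIES = [
    ("10.0.0.7", "8rjqerkjqet.cmdns.domain.com", "A"),
    ("10.0.0.7", "ueirytbdosu.cmdns.domain.com", "A"),
    ("10.0.0.7", "ktqtr53xase.cmdns.domain.com", "A"),
    ("10.0.0.7", "kzmfzzmfzze.cmdns.domain.com", "A"),
    ("10.0.0.7", "www.example.com", "A"),
    ("10.0.0.8", "www.example.com", "A"),
    ("10.0.0.8", "mail.example.com", "MX"),
    ("10.0.0.8", "www.example.com", "A"),
]


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label; encoded payload looks random."""
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname, depth=2):
    """Group queries by their last `depth` labels (domain.com for x.cmdns.domain.com)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-depth:])


def find_fragment_fetchers(queries, min_unique=4, min_entropy=2.5, min_label_len=8):
    """Flag (client, parent) pairs that fetch many distinct, long, high-entropy leftmost labels.

    Thresholds are illustrative: a real deployment tunes them on its own baseline traffic.
    """
    labels_seen = defaultdict(set)  # (client, parent) -> set of leftmost labels
    for client, qname, _qtype in queries:
        parts = qname.rstrip(".").split(".")
        # Ignore short hostnames such as www or mail; fragments are long encoded labels.
        if len(parts) < 3 or len(parts[0]) < min_label_len:
            continue
        labels_seen[(client, parent_domain(qname))].add(parts[0])
    findings = []
    for (client, parent), labels in labels_seen.items():
        if len(labels) < min_unique:
            continue
        avg_entropy = sum(label_entropy(lbl) for lbl in labels) / len(labels)
        if avg_entropy >= min_entropy:
            findings.append({"client": client, "parent": parent,
                             "fragments": len(labels), "avg_entropy": round(avg_entropy, 2)})
    return findings


if __name__ == "__main__":
    for finding in find_fragment_fetchers(SAMPLE_QUERIES):
        print(finding)
```

    Run over the constructed log this reports only 10.0.0.7 against domain.com with four fragments; the repeated www/mail lookups from either host never reach the entropy test because their leftmost labels are short and few. The same grouping works on the "Downloading" side of CMD whether the records are served by the original authoritative server or by the converted open emitter, because the detector looks at what the client asks for, not at who answers.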
    •  Own survey: yesterday and today

                                    February 2011           March 2012
                                    Spain       USA         Spain       USA
        Queried hosts               10,406      10,406      8,217       8,217
        Replying hosts              87.22%      87.39%      87.58%      87.69%
        Open resolvers              76.46%      77.28%      95.45%      82.08%
        Open emitters               57.76%      57.33%      53.78%      53.51%
        Accept +norecurse queries   55.91%      55.49%      87.67%      74.44%
        TTL ≥ 604800                43.05%      42.94%      51.24%      49.32%
    • A quick test… DNSCrypt: "In the same way that SSL turns HTTP web traffic into HTTPS encrypted web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks."
    • … a quick demo. Summary: we can use DNSCrypt and the CMD method works.
    • DNS: yesterday, today, and tomorrow. DNS IS IN THE AIR
    • Are you talking to me? Let's see some about…
      – DNS as a covert channel.
      – DNS uses in malware communications.
    • DNS as Covert Channel:
      – OzymanDNS (Kaminsky)
      – Dnscapy
      – (NSTX) Iodine: uses several RR types (NULL, TXT, CNAME)
      – Dns2tcp & TCP-over-DNS: relay TCP connections
      – LoopcVPN: one of the China-Telecom hotspot nightmares
    • Stateless malware (I): TSPY_ZBOT.SMQH
      – Another modified ZeuS variant seen in the wild.
      – Reported in September 2011 by Trend Micro.
      – Data exchange is also now happening over UDP.
      – http://blog.trendmicro.com/another-modified-zeus-variant-seen-in-the-wild/
    • Stateless malware (II):
      – The older version used TCP to exchange configuration files. However, the new version exchanges all data over UDP.
      – http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet
      [Diagram labelled TCP.]
    • Where there's smoke, there's fire.
    • Feedorbot: using the DNS protocol.
      – Feedorbot shares encrypted commands from the C&C.
      – Data is encapsulated in TXT records, Base64 encoded.
      – http://www.cj2s.de/On-Botnets-that-use-DNS-for-Command-and-Control.pdf
    • Hiloti: through DNS queries, Hiloti monitors infected host status.
      – http://blog.fortinet.com/hiloti-the-botmaster-of-disguise
      – Sample query name: 142625.bc7a3d45.01.0AC1FD9D62074E6D9D2889088284DAB5.n.empty.1148.empty.5_1._t_i.ffffffff.explorer_exe.173.rc2.a4h9uploading.com
      – Although it uses DNS as its control protocol, bots download update files from "file hosting" servers over HTTP.
    • Morto: from IRC to DNS.
      – Morto, like Feedorbot, uses TXT records to communicate.
      – http://www.symantec.com/connect/blogs/morto-worm-sets-dns-record
    • GATHERING & EVALUATING INFORMATION
    • Gathering & Evaluating Information (I):
      – http://www.wombat-project.eu/
      – http://exposure.iseclab.org/index.html
    • Gathering & Evaluating Information (II):
      – https://dnsdb.isc.org/#Home
      – http://www.webboar.com
    • Gathering & Evaluating Information (III): don't forget the classics:
      – http://www.robtex.com/
    • Learned in #Rooted2012:
      – http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/
    • Sometimes … I see dead people
      – September, 2011 (Top 10 Malicious Domains)
    • Scratch & Win
    • Ten Little Niggers
      – http://www.webboar.com/ip/67.15.149.70/ : 25 domain(s) on IP address 67.15.149.70:
        azxdf.com, civiticle0.com, morewallfalls7.com, mjuyh.com, ckubf.com, okjyu.com, hjuyv.com, djhbw.com, orn2hcb.com, plokm.com, himovingto8.com, qlovg.com, nbgtr.com, hiuxd.com, quilution2.com, vcxde.com, liunj.com, uncdt.com, asljd.com, loijm.com, xvfar.com, brutillor5.com, mjrth.com, zscdw.com, zukamosion3.com
    • Sometimes … I see dead people
    • CMD could be alive!
    • DATA LEAK OVER DNS
    • Traditional data leak using DNS
      [Diagram: the bot sends DataLeakRecord1.[OUTPUT_DOMAIN], DataLeakRecord2.[OUTPUT_DOMAIN], … (1) through a cache DNS (public or private) (2) to the DNS Auth. for OUTPUT_DOMAIN, which receives DataLeakRecord1, DataLeakRecord2, ….]
    • Using a DNS reflector
      [Diagram, steps 1 to 5: the bot queries Data1.[PUBLICATION_DOMAIN] through a cache DNS (public or private); the DNS Auth. for PUBLICATION_DOMAIN maps Data1 -> DataLeakRecord1; CMD is used to "Force Data Leak Upload"; a cache DNS (open emitter + cache) queries DataLeakRecord1.[OUTPUT_DOMAIN]; the DNS Auth. for OUTPUT_DOMAIN receives it. Data2, … follow the same path.]
    • DNS reflector (demo)
    • Using Fast-Flux DNS reflectors
      [Diagram: the same flow as the DNS reflector slide, with the PUBLICATION_DOMAIN side (DNS Auth. mapping Data1 -> DataLeakRecord1, cache DNS as open emitter + cache) forcing DataLeakRecord1.[OUTPUT_DOMAIN] uploads toward the OUTPUT_DOMAIN DNS Auth.]
    • Data leak using NXDOMAIN responses
      – NXDOMAIN responses are cached: negative caching is useful. TTL value: the SOA minimum parameter is used as the negative (NXDOMAIN) caching time (defined in RFC 2308).
      – Other queries may reuse some parts of the lookup (quick response).
    • Caching NXDOMAIN responses (I)
    • Caching NXDOMAIN responses (II)
    • Caching NXDOMAIN responses (III)
    • Data leak with "dig": RCODE, TTL, QUERY TIME
    • Leak recovery with "dig" (I): TTL < 86400, QUERY TIME < 300 msec
    • Leak recovery with "dig" (II): TTL = 86400, QUERY TIME approx. 300 msec. It is not a good method for recovery!
    • Leak recovery with "dig" (III): TTL < 86400, QUERY TIME < 300 msec
    • Leak recovery with "dig" (IV): RCODE ≠ NXDOMAIN, QUERY TIME < 300 msec. It is the preferred method for recovery!
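    The RCODE, TTL and query-time signals used on the slides above are also how an operator checks whether a resolver they run hands cached answers to +norecurse probes from arbitrary clients, which is the behaviour the survey slide counts as an open emitter. The Python below is an added example for this edit, not code from the talk; the two dig transcripts are constructed (placeholder names and documentation-range addresses), the 86400 s and 300 msec cut-offs are taken from the slides, and the rule that combines the three signals into an open-emitter verdict is my reading of the deck, not a definition the authors state.

```python
import re

# Constructed dig outputs (not captured from the talk's demo). Names and addresses are
# placeholders. First: a resolver that answers a +norecurse query straight from its
# negative cache (TTL already counting down, fast reply). Second: a resolver that refuses.
CACHED_NXDOMAIN = """\
; <<>> DiG 9.8.1 <<>> +norecurse abc.output-domain.example @192.0.2.53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;abc.output-domain.example.\tIN\tA

;; AUTHORITY SECTION:
output-domain.example.\t3000\tIN\tSOA\tns1.output-domain.example. hostmaster.output-domain.example. 2012030101 7200 3600 1209600 86400

;; Query time: 2 msec
;; SERVER: 192.0.2.53#53(192.0.2.53)
;; MSG SIZE  rcvd: 110
"""

REFUSED = """\
; <<>> DiG 9.8.1 <<>> +norecurse abc.output-domain.example @192.0.2.54
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;abc.output-domain.example.\tIN\tA

;; Query time: 1 msec
;; SERVER: 192.0.2.54#53(192.0.2.54)
;; MSG SIZE  rcvd: 43
"""


def parse_dig(text):
    """Pull RCODE, header flags, answer count, query time and the smallest TTL out of dig output."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = re.search(r"^;; flags: ([^;]*);", text, re.M).group(1).split()
    answers = int(re.search(r"ANSWER: (\d+)", text).group(1))
    query_time = int(re.search(r"^;; Query time: (\d+) msec", text, re.M).group(1))
    # Resource record lines look like "<owner>  <ttl>  IN  <type> ..."; comment lines never match.
    ttls = [int(t) for t in re.findall(r"^\S+\s+(\d+)\s+IN\s+", text, re.M)]
    return {"status": status, "flags": flags, "answers": answers,
            "query_time_msec": query_time, "min_ttl": min(ttls) if ttls else None}


def assess_resolver(parsed, authoritative_ttl=86400, slow_msec=300):
    """Combine the three slide signals for a +norecurse probe of a resolver you operate.

    recursion_available: the 'ra' flag is set, so the server offers recursion to this client.
    answers_norecurse:   it did not REFUSE a non-recursive query.
    served_from_cache:   the TTL has already counted down below the zone TTL and the reply
                         came back quickly, so the record (or the NXDOMAIN) was handed out of cache.
    open_emitter (my combination rule): all three hold for a client that should not be served.
    """
    ra = "ra" in parsed["flags"]
    answered = parsed["status"] != "REFUSED"
    cached = (parsed["min_ttl"] is not None
              and parsed["min_ttl"] < authoritative_ttl
              and parsed["query_time_msec"] < slow_msec)
    return {"recursion_available": ra, "answers_norecurse": answered,
            "served_from_cache": cached, "open_emitter": ra and answered and cached}


if __name__ == "__main__":
    for name, text in (("cached", CACHED_NXDOMAIN), ("refused", REFUSED)):
        print(name, assess_resolver(parse_dig(text)))
```

    Probe from an address outside the networks the resolver is meant to serve; the verdict is only meaningful for clients that should get nothing. The first transcript scores as an open emitter (negative cache handed out in 2 msec with the TTL down to 3000), the second does not, because a REFUSED reply carries no TTL at all. Restricting recursion and cache access to the intended client ranges is what turns the first kind of answer into the second.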
    • Data leak using NXDOMAIN responses
      [Diagram: (1) the bot sends DataLeakRecord1.[OUTPUT_DOMAIN], dataleakrecord1.[OUTPUT_DOMAIN], … to a DNS (open emitter + cache); (2) the DNS Auth. for OUTPUT_DOMAIN answers; (3) a recovery QUERY with +norecurse for a.[OUTPUT_DOMAIN], b.[OUTPUT_DOMAIN], …, z.[OUTPUT_DOMAIN], 1.[OUTPUT_DOMAIN], a1.[OUTPUT_DOMAIN], … whose RESPONSE is checked: RCODE? TTL value? Query time?]
    • NXDOMAIN (demo)
    • Data leak using "nice" domains
      – There are authoritative DNS servers that simply point all unknown DNS queries to a single IP address, with a minimum TTL value on the order of 1-7 days.
      – Where can I find them? Alexa "Top Sites": http://www.alexa.com/topsites. Examples: inbox.com, imgur.com, motherless.com, wikia.com, wikispaces.com, pbworks.com, …
    • Caching 'nice' responses (II)
    • Data leak using 'nice' domains
      [Diagram: as for the NXDOMAIN case, but (2) is the 'nice' DNS Auth. for OUTPUT_DOMAIN, and the +norecurse recovery query (3) checks the ANSWER SECTION and the TTL value.]
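    Both the NXDOMAIN variant and the 'nice'-domain variant above share one observable from the resolver's side: a single client burning through a stream of never-repeated names under one parent, with every reply either NXDOMAIN or the same wildcard address. The detector below, written for this edit and not code from the talk, scores that one-shot pattern over a constructed response log and labels which of the two variants it resembles; the two-label parent grouping, the 10-name floor, the 20% repeat allowance and the 80% NXDOMAIN share are my thresholds.

```python
from collections import defaultdict


def parent_domain(qname, depth=2):
    """Group names by their last `depth` labels (output-domain.example for a.output-domain.example)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-depth:])


# Constructed resolver response log (client, qname, rcode, answer_ip); not captured from the talk.
SAMPLE_RESPONSES = []
# Host 10.0.0.7: one-shot labels a, b, c, ... under a domain that answers NXDOMAIN to everything.
for label in "abcdefghijkl":
    SAMPLE_RESPONSES.append(("10.0.0.7", f"{label}.output-domain.example", "NXDOMAIN", None))
# Host 10.0.0.9: one-shot labels under a 'nice' wildcard domain that maps every name to one IP.
for i in range(12):
    SAMPLE_RESPONSES.append(("10.0.0.9", f"d{i}.nice-domain.example", "NOERROR", "198.51.100.10"))
# Host 10.0.0.8: ordinary repeated lookups plus a single typo; must not be flagged.
for _ in range(6):
    SAMPLE_RESPONSES.append(("10.0.0.8", "www.example.com", "NOERROR", "203.0.113.80"))
SAMPLE_RESPONSES.append(("10.0.0.8", "wwww.example.com", "NXDOMAIN", None))


def detect_oneshot_leak(responses, min_distinct=10, max_repeat_ratio=0.2, nxdomain_share=0.8):
    """Flag (client, parent) pairs whose names are almost never repeated and whose replies are
    either overwhelmingly NXDOMAIN (negative-cache leak) or all the same address ('nice' domain)."""
    stats = defaultdict(lambda: {"total": 0, "names": set(), "nxdomain": 0, "ips": set()})
    for client, qname, rcode, ip in responses:
        s = stats[(client, parent_domain(qname))]
        s["total"] += 1
        s["names"].add(qname.lower())
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
        if ip:
            s["ips"].add(ip)
    alerts = []
    for (client, parent), s in stats.items():
        distinct = len(s["names"])
        if distinct < min_distinct:
            continue
        if 1 - distinct / s["total"] > max_repeat_ratio:
            continue  # names are being re-used: ordinary caching behaviour, not a leak
        if s["nxdomain"] / s["total"] >= nxdomain_share:
            pattern = "nxdomain-leak"
        elif len(s["ips"]) == 1:
            pattern = "nice-domain-leak"
        else:
            continue
        alerts.append({"client": client, "parent": parent,
                       "distinct_names": distinct, "pattern": pattern})
    return alerts


if __name__ == "__main__":
    for alert in detect_oneshot_leak(SAMPLE_RESPONSES):
        print(alert)
```

    On the constructed log this raises exactly two alerts, one per variant, and stays silent on 10.0.0.8 even though it produced an NXDOMAIN, because two distinct names out of seven queries is the repeat pattern of normal browsing. Keying on the resolver's own response log rather than on the authoritative side is what lets the same rule cover the 'nice'-domain case, where nothing about the answer itself is abnormal.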
    • Conclusions data-leak:

      Method                          Use client default DNS settings   Upload queries needed   Expose cybercrime infrastructure   Download queries needed   Score (0-10)
      Traditional DNS tunneling       YES                               2 queries/kB            YES                                -                         5
      Using Fast-Flux DNS reflectors  YES                               2 queries/kB            YES                                2 queries/kB              4
      Using NXDOMAIN response         NO                                2 queries/B             NO                                 20 queries/B              2
      Using "nice" domains            NO                                2 queries/B             NO                                 20 queries/B              6

    • ToDo: Improvement++
      – Data leak using 'nice' domains, but remembering that it must use the client's default DNS settings.
      – Maybe we can use third-party resources … (once again): misconfigured DNS (proxy DNS, cache DNS, authoritative server, …), e.g. servers that ignore the "+norecurse" flag, have "minimal-response" configured, etc.
      – Result: untraceable data leaks.
    • Harder than finding a needle in a haystack!
    • Are we infected? LABORATORY
    • Making the lab.
      – We need a "real" threat…
      – But we are "ethical"…
      – And we are not developers… Searching…
    • And the winner is…
      – Written in C# and PHP
      – GNU/GPL
      – Geared to build botnets
      – HTTP communication
    • How Flu works
      – The Flu server shares an XML commands file.
      – Infected hosts get the XML file through an HTTP request.
      [Diagram: Flu SERVER → HTTP → Flu infected host.]
    • Flu and CMD
      – We use CMD to distribute the XML commands file.
      – Our dream: Flu becomes a stateless Trojan.
      – Then we'll have a stateless-Trojan-GPL botnet.
      [Diagram: HTTP/TCP, 1 GET, 11 pkts, 1 conn. vs DNS/UDP, 1 query, 2 pkts, 0 conn. Flu DNS → open emitter DNS → Flu infected host DNS.]
    • Flu and CMD: Server
      – PHP 5.3.0 or higher required.
      – Three steps: 1. create the domain.db file (external lib: Tar.php); 2. load the XML file into the DNS server (native lib); 3. download data from the infected host (native lib).
    • Flu and CMD: 3rd party
      – ISC BIND
      – FreeDNS.afraid.org
      – HE free DNS service
      – Misconfigured DNS server (open emitter)
    • Flu and CMD: Client
      – We use the ARSoft.Tools.Net library.
      – Without GUI changes: we use domainload for the data leak and domaindownload to get the XML file.
    • Flu and CMD: How it works (I)
      [Diagram: XML2DNS, LOADXML, DOWNLOADXML between the Flu DNS, the open emitter DNS and the Flu infected host DNS.]
    • Flu and CMD: How it works (II)
      1. How does Flu call back?
         – NXDOMAIN can: track new bots.
         – NXDOMAIN can't: send huge files.
      2. Then… we need to expose a DNS server.
      [Diagram: (1) NXDOMAIN queries from the Flu infected host DNS through the open emitter DNS to the Flu C&C DNS server, answered NOERROR; (2) a Flu cache DNS exposed directly to the infected host DNS.]
    • Flu and CMD: Demo
    • Conclusions
      – DNS is a botnet dialect… One year ago DNS was a possibility; today it could be a real threat.
      – Data leak using DNS needs an improvement… but it is a work in progress.
      – Malware needs to communicate undetected, and IDS wants to detect malware. Both must be looking at the same thing… DNS.
      – Don't forget the DNS protocol.
    • Questions? Who invented the rootedcon? Perez the mouse / Rootedcon is your parents / Santa / Three Magic Kings
    • References
      § http://code.kryo.se/iodine/
      § http://dns.measurement-factory.com/
      § http://darkwing.uoregon.edu/~joe/secprof10-dns/secprof10-dns.pdf
      § http://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Kaminsky.pdf
      § http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-kaminsky/bh-us-04-kaminsky.ppt
      § http://www.pcworld.com/article/220024/feds_accidentally_seize_84000_innocent_domains_link_them_with_child_porn.html
      § http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf
      § http://www.secdev.org/projects/scapy/
      § https://www.isc.org/software/bind/documentation/arm95#man.dig
      § http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl
      § http://hakin9.org/magazine/1652-mobile-malware-the-new-cyber-threat
      § http://www.ietf.org/rfc/rfc{1033,1034,1035,1183,2181}.txt
      § http://tools.ietf.org/id/draft-cmd-prevent-malware-dns-distribute-00.txt
      § http://www.wombat-project.eu/
      § http://exposure.iseclab.org/index.html
      § https://dnsdb.isc.org/#Home
      § http://www.webboar.com
      § https://dns.he.net/
      § http://www.flu-project.com/
      § http://arsofttoolsnet.codeplex.com/
    • Thanks for your time! @{Hlexpired,ffranz} {charlie,fran}@tid.es