#RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez

Shown at RootedCON 2012, Madrid. Reviews Cloud Malware Distribution and shows data-leak methods. Releases a new Flu-trojan flavor that uses DNS as its communication channel.

1. CMD: Look who's talking too. DNS: a botnet dialect
2. Francisco J. Gómez Rodríguez (fran@tid.es):
   • Computer Engineering (EUI-UPM)
   • Security Research (Telefonica R&D)
   • dig fran.rootedcon.themafia.info TXT
   Carlos Díaz Hidalgo (charlie@tid.es):
   • Telecommunications Engineer (ETSITM-UPM), GPEN, GCIH, OPST, ITILF and CCNA.
   • Technology Specialist in Ethical Hacking (Telefonica R&D)
   • dig charlie.rootedcon.themafia.info TXT
3. Look who's talking too: Nasal Spray. This presentation contains:
   one year ago ..................................... 3 mg
   cloud malware distribution ...................... 10 mg
   dns is in the air ............................... 10 mg
   suspicion ........................................ 8 mg
   data leak ....................................... 10 mg
   laboratory ...................................... 10 mg
   4.4 FL OZ (130 mL). Tamper-Evident: Do not accept if sealed blister unit has been broken or opened. THIS PACKAGE FOR HOUSEHOLDS WITHOUT YOUNG CHILDREN.
4. INTRODUCTION
5. One year ago …
   • We talked about DNS and Malware.
   • We released Cloud Malware Distribution (CMD):
     – An alternative method for malware distribution using Cache DNS services.
     – Using client default DNS settings.
     – Malware source virtually untraceable.
6. A DNS shot
7. Cloud Malware Distribution in a nutshell (CMD)
8. Cloud Malware Distribution
   1. Encoding: Split malware payload into DNS Records.
   2. Publishing: Publish domain and each record in a public Name Server.
   3. Loading: Force an Open Emitter DNS Cache Server to store all records.
   4. Downloading: Download records from an infected host (bot).
   5. Decoding: Rebuild malware payload from records.
   (Diagram: the records 8rjqerkjqet, ueirytbdosu, ktqtr53xase and kzmfzzmfzze under cmdns.domain.com pass through steps 1-2, 3, 4 and 5 via the Open Emitter DNS.)
9. Cloud Malware Distribution (I): Encoding & Publish
   • From the malware file we create a base32 coded string.
   • Then we split the string into DNS-compliant records.
   (Diagram: the base32 string 8rjqerkjqetueirytbdosuktqtr53xasekzmfzzmfzze is split into 8rjqerkjqet, ueirytbdosu, ktqtr53xase and kzmfzzmfzze and published as *.cmdns.domain.com on the DNS AUTH server, Freedns.afraid.org.)
10. Cloud Malware Distribution (II): Loading
   • We upload each DNS record from a malicious DNS to the Open Emitter.
   • This is done by requesting each record from the Open Emitter DNS.
   • The server then caches each record.
   (Diagram: Split[1..n].cmdns.domain.com A? queries go to the Open Emitter DNS, which asks NS? for cmdns.domain.com and fetches the records from the DNS AUTH server, Freedns.afraid.org.)
11. Cloud Malware Distribution (III): Downloading
   • Since the Open Emitter server has cached all records, we make it the authoritative server for the domain.
   • From now on, the Open Emitter will resolve all domain queries.
   • Thus, all Internet DNS servers can resolve malware records and bots can get them.
   (Diagram: DNS AUTH, Freedns.afraid.org, delegates to the Open Emitter DNS, which now serves 8rjqerkjqet, ueirytbdosu, ktqtr53xase and kzmfzzmfzze under cmdns.domain.com.)
12. Cloud Malware Distribution (IV): Decoding
   • With all the retrieved records bots can rebuild the original file.
   • The bot now has the updated malware file.
   (Diagram: the four records are reassembled into 8rjqerkjqetueirytbdosuktqtr53xasekzmfzzmfzze.)
13. Own survey: yesterday and today
                               February 2011         March 2012
                               Spain      USA        Spain      USA
   Queried hosts               10,406     10,406     8,217      8,217
   Replying hosts              87.22%     87.39%     87.58%     87.69%
   Open resolvers              76.46%     77.28%     95.45%     82.08%
   Open emitters               57.76%     57.33%     53.78%     53.51%
   Accept +norecurse queries   55.91%     55.49%     87.67%     74.44%
   TTL ≥ 604800                43.05%     42.94%     51.24%     49.32%
14. A quick test… DNSCrypt. "In the same way the SSL turns HTTP web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks."
15. … a quick demo. Summary: We can use DNSCrypt and the CMD method still works.
16. DNS: yesterday, today, and tomorrow. DNS IS IN THE AIR
17. Are you talking to me?
   • Let's see some about…
     – DNS as covert channel.
     – DNS uses in malware communications.
18. DNS as Covert Channel
   • OzymanDNS (Kaminsky)
   • Dnscapy
   • (NSTX) Iodine: uses several RR types (NULL, TXT, CNAME)
   • Dns2tcp & TCP-over-DNS: relay TCP connections.
   • LoopcVPN: one of the China-Telecom hotspot nightmares.
19. Are you talking to me?
   • Let's see some about…
     – DNS as covert channel.
     – DNS uses in malware communications.
20. Stateless malware (I)
   • TSPY_ZBOT.SMQH
     – Another Modified ZeuS Variant Seen in the Wild.
     – Reported in September 2011 by Trend Micro.
     – Data exchange is also now happening in UDP.
     – http://blog.trendmicro.com/another-modified-zeus-variant-seen-in-the-wild/
21. Stateless malware (II)
   • Older versions used TCP to exchange configuration files. However, the new version exchanges all data over UDP.
     – http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet
22. Stateless malware (II)
   • Older versions used TCP to exchange configuration files. However, the new version exchanges all data over UDP.
     – http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet
   (Diagram label: TCP)
23. Where there's smoke, there's fire.
24. Feedorbot
   • Using the DNS protocol.
     – Feedorbot shares encrypted commands from the C&C.
     – Encapsulates data in TXT records, Base64 encoded.
     – http://www.cj2s.de/On-Botnets-that-use-DNS-for-Command-and-Control.pdf
25. Hiloti
   • Through DNS queries Hiloti monitors infected host status.
     – http://blog.fortinet.com/hiloti-the-botmaster-of-disguise
     – Example query name: 142625.bc7a3d45.01.0AC1FD9D62074E6D9D2889088284DAB5.n.empty.1148.empty.5_1._t_i.ffffffff.explorer_exe.173.rc2.a4h9uploading.com
   • Although it uses DNS as the control protocol, bots download update files from "file hosting" servers by HTTP.
26. Morto
   • From IRC to DNS.
     – Morto, like Feedorbot, uses TXT records to communicate.
     – http://www.symantec.com/connect/blogs/morto-worm-sets-dns-record
27. GATHERING & EVALUATING INFORMATION
28. Gathering & Evaluating Information (I)
   • http://www.wombat-project.eu/
   • http://exposure.iseclab.org/index.html
29. Gathering & Evaluating Information (II)
   • https://dnsdb.isc.org/#Home
   • http://www.webboar.com
30. Gathering & Evaluating Information (III)
   • Don't forget the classics:
     – http://www.robtex.com/
31. Learned in #Rooted2012
   • http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/
32. Sometimes … I see dead people
   • September, 2011 (Top 10 Malicious Domains)
33. Scratch & Win
34. Ten Little Niggers
   • http://www.webboar.com/ip/67.15.149.70/
     – 25 Domain(s) on IP Address 67.15.149.70
       • azxdf.com
       • civiticle0.com
       • morewallfalls7.com
       • mjuyh.com
       • ckubf.com
       • okjyu.com
       • hjuyv.com
       • djhbw.com
       • orn2hcb.com
       • plokm.com
       • himovingto8.com
       • qlovg.com
       • nbgtr.com
       • hiuxd.com
       • quilution2.com
       • vcxde.com
       • liunj.com
       • uncdt.com
       • asljd.com
       • loijm.com
       • xvfar.com
       • brutillor5.com
       • mjrth.com
       • zscdw.com
       • zukamosion3.com
35. Sometimes … I see dead people
36. CMD could be alive!
37. DATA LEAK OVER DNS
38. DATA LEAK OVER DNS
39. Traditional data leak using DNS
   (Diagram: the Bot queries DataLeakRecord1.[OUTPUT_DOMAIN], DataLeakRecord2.[OUTPUT_DOMAIN], … through a Cache DNS (public or private) (1); the DNS Auth. for OUTPUT_DOMAIN receives DataLeakRecord1, DataLeakRecord2, … (2).)
40. Using a DNS reflector
   (Diagram labels: DNS Auth. (OUTPUT_DOMAIN); DNS Auth. (PUBLICATION_DOMAIN); Cache DNS (public or private); Cache DNS (Open emitter + cache); Bot; CMD; Force Data Leak Upload; Data1.[PUBLICATION_DOMAIN], Data1, Data2, …; DataLeakRecord1.[OUTPUT_DOMAIN]; Data1 -> DataLeakRecord1; steps 1 to 5.)
41. DNS reflector (demo)
42. Using Fast-Flux DNS reflectors
   (Diagram labels: DNS Auth. (OUTPUT_DOMAIN); DNS Auth. (PUBLICATION_DOMAIN); Cache DNS (public or private); Cache DNS (Open emitter + cache); Bot; CMD; Force Data Leak Upload; Data1.[PUBLICATION_DOMAIN], Data1, Data2, …; DataLeakRecord1.[OUTPUT_DOMAIN]; Data1 -> DataLeakRecord1; steps 1 to 5.)
43. Data Leak using NXDOMAIN responses
   • NXDOMAIN responses are cached:
     – Negative caching is useful.
     – TTL value: the SOA minimum parameter is used as the negative (NXDOMAIN) caching time (defined in RFC 2308).
   • Other queries may reuse some parts of the lookup (quick response).
44. Caching NXDOMAIN responses (I)
45. Caching NXDOMAIN responses (II)
46. Caching NXDOMAIN responses (III)
47. Data leak with "dig": RCODE, TTL, QUERY TIME
48. Leak recovery with "dig" (I): TTL < 86400; QUERY TIME < 300 msec
49. Leak recovery with "dig" (II): TTL = 86400; QUERY TIME approx. 300 msec. It is not a good method for recovery!
50. Leak recovery with "dig" (III): TTL < 86400; QUERY TIME < 300 msec
51. Leak recovery with "dig" (IV): RCODE ≠ NXDOMAIN; QUERY TIME < 300 msec. It is the preferred method for recovery!
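The mechanism behind slides 43 to 51 (RFC 2308 negative caching, and why a cached NXDOMAIN is distinguishable by its TTL) as an added example; this is not code from the talk or from the Flu project. The Python model below keeps a resolver's negative cache, answers non-recursive (RD=0, i.e. `dig +norecurse`) queries from that cache only, and contrasts the "open emitter" of the slides with the mitigation a resolver operator applies: refusing RD=0 cache reads from outside the resolver's own client networks. The zone name leak.example, the client addresses, the 10.0.0.0/8 internal network and the SOA values are constructed.

```python
"""Model of RFC 2308 negative caching at a caching resolver (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone parameters (assumption): SOA MINIMUM and the SOA RR's own TTL,
# both one day, matching the 86400 seen in the dig slides.
SOA_MINIMUM = 86400
SOA_TTL = 86400


def negative_ttl(soa_minimum: int, soa_ttl: int) -> int:
    """RFC 2308 section 5: a cached NXDOMAIN lives for min(SOA MINIMUM, SOA TTL)."""
    return min(soa_minimum, soa_ttl)


@dataclass
class NegativeEntry:
    stored_at: int   # resolver clock (seconds) when the NXDOMAIN was cached
    ttl: int         # negative TTL assigned at caching time


class CachingResolver:
    """Minimal negative cache of a caching resolver.

    restrict_norecurse=False models the 'open emitter' of the slides: any client
    may ask with RD=0 and read the cache. restrict_norecurse=True models the fix:
    RD=0 (cache-only) queries are answered only for the resolver's own clients.
    """

    def __init__(self, internal_nets=("10.0.0.0/8",), restrict_norecurse=False):
        self.cache = {}
        self.internal_nets = [ip_network(n) for n in internal_nets]
        self.restrict_norecurse = restrict_norecurse

    def _is_internal(self, client: str) -> bool:
        addr = ip_address(client)
        return any(addr in net for net in self.internal_nets)

    def query(self, name: str, client: str, now: int, rd: bool = True):
        """Answer one query and return (rcode, ttl). rd=False is dig's +norecurse.

        A cached NXDOMAIN comes back with its remaining TTL, which is strictly
        below the SOA minimum once any time has passed: that is the observable
        the slides rely on. Nothing is cached on an RD=0 miss.
        """
        if not rd and self.restrict_norecurse and not self._is_internal(client):
            return ("REFUSED", None)
        entry = self.cache.get(name)
        if entry is not None:
            remaining = entry.ttl - (now - entry.stored_at)
            if remaining > 0:
                return ("NXDOMAIN", remaining)
            del self.cache[name]           # expired: behave as if never seen
        if not rd:
            return ("NOERROR", None)       # cache miss without recursion: no data
        # Recursion would happen here; in this model every name under the
        # constructed leak zone is nonexistent, so the upstream answer is NXDOMAIN.
        ttl = negative_ttl(SOA_MINIMUM, SOA_TTL)
        self.cache[name] = NegativeEntry(stored_at=now, ttl=ttl)
        return ("NXDOMAIN", ttl)


def demo() -> dict:
    """Run the scenario from the slides against an open emitter and a hardened resolver."""
    open_emitter = CachingResolver()
    hardened = CachingResolver(restrict_norecurse=True)
    name = "dataleakrecord1.leak.example"   # constructed leak-style name
    results = {}
    # An internal client's recursive query plants the NXDOMAIN in the cache.
    results["first"] = open_emitter.query(name, "10.1.2.3", now=1000)
    # 300 s later an outside host asks with RD=0: TTL 86100 < 86400 reveals the entry.
    results["snoop_open"] = open_emitter.query(name, "203.0.113.9", now=1300, rd=False)
    # A name nobody asked for yields no NXDOMAIN from the cache.
    results["snoop_unseen"] = open_emitter.query("x.leak.example", "203.0.113.9", now=1300, rd=False)
    # Same sequence against the hardened policy: outsiders cannot read the cache,
    # the resolver's own clients still can.
    hardened.query(name, "10.1.2.3", now=1000)
    results["snoop_hardened"] = hardened.query(name, "203.0.113.9", now=1300, rd=False)
    results["internal_hardened"] = hardened.query(name, "10.1.2.9", now=1300, rd=False)
    return results


if __name__ == "__main__":
    for step, answer in demo().items():
        print(f"{step:18s} {answer}")
```

The model deliberately ignores query time; the 300 msec figure on the slides is a network observation, not a cache property. On a real BIND resolver the equivalent of `restrict_norecurse=True` is an `allow-query-cache` ACL limited to the resolver's own clients, which also closes the "open emitter" condition counted in the survey on slide 13.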
52. Data Leak using NXDOMAIN responses
   (Diagram labels: Bot; DNS (Open emitter + cache) (1); DNS Auth. (OUTPUT_DOMAIN) (2); queries for dataleakrecord1.[OUTPUT_DOMAIN], DataLeakRecord1.[OUTPUT_DOMAIN], ….)
53. Data Leak using NXDOMAIN responses
   (Diagram labels: Bot; DNS (Open emitter + cache) (1); DNS Auth. (OUTPUT_DOMAIN) (2); queries for dataleakrecord1.[OUTPUT_DOMAIN], DataLeakRecord1.[OUTPUT_DOMAIN], …; then (3) QUERY: +norecurse for a.[OUTPUT_DOMAIN], b.[OUTPUT_DOMAIN], …, z.[OUTPUT_DOMAIN], dataleakrecord1.[OUTPUT_DOMAIN]; RESPONSE: RCODE? TTL value? Query time?)
54. NXDOMAIN (demo)
55. Data Leak using "nice" domains
   • There are authoritative DNS servers that:
     – Simply point all unknown DNS queries to a single IP address.
     – Minimum TTL value on the order of 1-7 days.
   • Where can I find them?
     – Alexa "Top Sites": http://www.alexa.com/topsites
       (examples: inbox.com, imgur.com, motherless.com, wikia.com, wikispaces.com, pbworks.com, …)
56. Caching 'nice' responses (II)
57. Caching 'nice' responses (II)
58. Data Leak using 'nice' domains
   (Diagram labels: Bot; DNS (Open emitter + cache) (1); 'nice' DNS Auth. (OUTPUT_DOMAIN) (2); queries for dataleakrecord1.[OUTPUT_DOMAIN], DataLeakRecord1.[OUTPUT_DOMAIN], ….)
59. Data Leak using 'nice' domains
   (Diagram labels: Bot; DNS (Open emitter + cache) (1); 'nice' DNS Auth. (OUTPUT_DOMAIN) (2); queries for dataleakrecord1.[OUTPUT_DOMAIN], DataLeakRecord1.[OUTPUT_DOMAIN], …; then (3) QUERY: +norecurse for a.[OUTPUT_DOMAIN], b.[OUTPUT_DOMAIN], …, z.[OUTPUT_DOMAIN], dataleakrecord1.[OUTPUT_DOMAIN]; ANSWER SECTION? TTL value?)
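A resolver-side check for the two traffic patterns that the CMD records of slides 8 to 12 and the data-leak variants of slides 39 to 59 share, as an added example that is not part of the talk or of Flu: payload travelling in query names shows up as many distinct, high-entropy leftmost labels under one parent domain from one client, and the recovery step shows up as a run of non-recursive (RD=0, `+norecurse`) queries. The script below parses constructed BIND-style querylog lines (the `+`/`-` flag after the query type is BIND's RD indicator), groups them by (client, parent domain) and raises a flag per pattern. The four cmdns.domain.com labels are the ones on the CMD slides; the other names, the client addresses and the three thresholds are assumptions.

```python
"""Detector for payload-bearing DNS names and cache-snooping queries (added example)."""
import math
import re
from collections import Counter, defaultdict

# Constructed BIND-style querylog excerpt (not from the talk). Assumed format:
#   client <ip>#<port>: query: <name> IN <type> <+|->
# '+' = the query had RD set, '-' = RD clear (what `dig +norecurse` sends).
# The four cmdns.domain.com labels are the ones shown on the CMD slides.
SAMPLE_LOG = """\
client 10.1.2.3#40001: query: 8rjqerkjqet.cmdns.domain.com IN A +
client 10.1.2.3#40002: query: ueirytbdosu.cmdns.domain.com IN A +
client 10.1.2.3#40003: query: ktqtr53xase.cmdns.domain.com IN A +
client 10.1.2.3#40004: query: kzmfzzmfzze.cmdns.domain.com IN A +
client 10.1.2.4#40005: query: www.example.com IN A +
client 10.1.2.4#40006: query: mail.example.com IN MX +
client 10.1.2.4#40007: query: www.example.com IN AAAA +
client 203.0.113.9#53001: query: a.leak.example IN A -
client 203.0.113.9#53002: query: b.leak.example IN A -
client 203.0.113.9#53003: query: z.leak.example IN A -
client 203.0.113.9#53004: query: dataleakrecord1.leak.example IN A -
"""

LINE_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+) ([+-])")

# Assumed thresholds; tune them on your own resolver's traffic.
MIN_UNIQUE_LABELS = 4    # distinct leftmost labels under one parent from one client
MIN_MEAN_ENTROPY = 2.5   # mean Shannon entropy (bits/char) of those labels
MIN_RD0_QUERIES = 3      # non-recursive queries from one client to one parent


def label_entropy(label: str) -> float:
    """Shannon entropy of a label in bits per character (0.0 for 'www')."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def split_name(name: str):
    """Return (leftmost label, parent) of a query name, normalised to lower case."""
    name = name.rstrip(".").lower()
    first, _, parent = name.partition(".")
    return first, parent


def analyze(log_text: str) -> dict:
    """Group queries by (client, parent) and flag the two patterns from the slides."""
    groups = defaultdict(lambda: {"labels": set(), "queries": 0, "rd0": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        client, name, _qtype, rd = m.groups()
        first, parent = split_name(name)
        g = groups[(client, parent)]
        g["labels"].add(first)
        g["queries"] += 1
        if rd == "-":
            g["rd0"] += 1

    report = {}
    for key, g in groups.items():
        labels = sorted(g["labels"])
        mean_h = sum(label_entropy(label) for label in labels) / len(labels)
        flags = []
        # Many distinct, high-entropy labels under one parent: encoded payload
        # travelling in query names (CMD records, tunnels, NXDOMAIN/'nice' leaks).
        if len(labels) >= MIN_UNIQUE_LABELS and mean_h >= MIN_MEAN_ENTROPY:
            flags.append("payload-in-labels")
        # A run of RD=0 queries: someone reading the cache (the recovery step).
        if g["rd0"] >= MIN_RD0_QUERIES:
            flags.append("cache-snooping")
        report[key] = {
            "queries": g["queries"],
            "unique_labels": len(labels),
            "mean_entropy": round(mean_h, 2),
            "rd0": g["rd0"],
            "flags": flags,
        }
    return report


def flagged(report: dict):
    """Sorted list of (client, parent) pairs that raised at least one flag."""
    return sorted(key for key, stats in report.items() if stats["flags"])


if __name__ == "__main__":
    for key, stats in sorted(analyze(SAMPLE_LOG).items()):
        print(key, stats)
```

Entropy of short labels saturates quickly (an 11-character label cannot exceed about 3.46 bits/char), so the label threshold is only meaningful together with the distinct-label count; on real logs the parent should be the registered domain rather than "everything after the first label", and the RD=0 rule matters most on a resolver that, per slide 13, accepts +norecurse queries from outside its own network.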
60. Conclusions data-leak
   Method                           Use client default   Upload queries   Expose cybercrime   Download queries   Score (0-10)
                                    DNS settings         needed           infrastructure      needed
   Traditional DNS tunneling        YES                  2 queries/kB     YES                 -                  5
   Using Fast-Flux DNS reflectors   YES                  2 queries/kB     YES                 2 queries/kB       4
   Using NXDOMAIN response          NO                   2 queries/B      NO                  20 queries/B       2
   Using "nice" domains             NO                   2 queries/B      NO                  20 queries/B       6
61. ToDo: Improvement++
   • Data Leak using 'nice' domains. But remember that:
     – It must use the client's default DNS settings.
   • Maybe we can use third-party resources … (once again)
     – … use misconfigured DNS (proxy DNS, cache DNS, authoritative server, …).
     – e.g. ones that ignore the "+norecurse" flag, have "minimal-response" configured, etc.
   • Result: Untraceable data leaks
62. Harder than finding a needle in a haystack!
63. Are we infected? LABORATORY
64. Making the lab.
   • We need a "real" threat…
   • But we are "ethical"…
   • And we are not developers…
   Searching…
65. And the winner is…
   • Written in C# and PHP
   • GNU/GPL
   • Geared to build botnets
   • HTTP communication
66. How Flu works
   • The Flu server shares an XML commands file.
   • Infected hosts get the XML file through an HTTP request.
   (Diagram: Flu SERVER and Flu Infected Host connected over HTTP.)
67. Flu and CMD
   • We use CMD to distribute the XML commands file.
   • Our dream: Flu becomes a stateless Trojan.
   • Then we'll have a stateless-Trojan-GPL botnet.
   (Diagram: HTTP/TCP vs DNS/UDP: 1 GET, 11 pkts., 1 conn. against 1 query, 2 pkts., 0 conn.; Flu Server, Open Emitter DNS, Flu Infected Host.)
68. Flu and CMD: Server
   • PHP 5.3.0 or higher required.
   • Three steps:
     1. Create the domain.db file. (external lib: Tar.php)
     2. Load the XML file into the DNS server. (Native lib)
     3. Download data from the infected host. (Native lib)
69. Flu and CMD: 3rd Party
   • ISC Bind
   • FreeDNS.afraid.org
   • HE free DNS service
   • Misconfigured DNS server.
   (Diagram label: Open Emitter)
70. Flu and CMD: 3rd Party
   • ISC Bind
   • FreeDNS.afraid.org
   • HE free DNS service
   • Misconfigured DNS server.
   (Diagram label: Open Emitter)
71. Flu and CMD: Client
   • We use the ARSoD.Tools.Net library.
   • Without GUI changes:
     – We use domainload for the data leak.
     – We use domaindownload to get the XML file.
72. Flu and CMD: How it works (I)
   (Diagram: XML2DNS, LOADXML and DOWNLOADXML steps between the Flu Server, the Open Emitter DNS and the Flu Infected Host.)
73. Flu and CMD: How it works (II)
   • How does Flu call back?
     – NXDOMAIN can: track new bots.
     – NXDOMAIN can't: send huge files.
   (Diagram: the Flu Infected Host sends an NXDOMAIN query to the Open Emitter DNS, which passes it to the Flu C&C DNS Server; NOERROR comes back the same way.)
74. Flu and CMD: How it works (II)
   1. How does Flu call back?
     – NXDOMAIN can: track new bots.
     – NXDOMAIN can't: send huge files.
   2. Then… we need to expose the DNS server.
   (Diagram 1: the Flu Infected Host sends an NXDOMAIN query to the Open Emitter DNS, which passes it to the Flu C&C DNS Server; NOERROR comes back the same way. Diagram 2: the Flu Infected Host reaches the Flu DNS Server through a Cache DNS.)
75. Flu and CMD: Demo
76. Conclusions
   • DNS is a botnet dialect…
     – One year ago DNS was a possibility; today it could be a real threat.
   • Data leak using DNS needs improvement…
     – …but we are a work in progress.
   • Malware needs to communicate undetected, and IDS wants to detect malware.
     – Both must be looking at the same thing… DNS.
   • Don't forget the DNS Protocol
77. Questions?
   Who invented the rootedcon? Perez the mouse; Rootedcon is your parents; Santa; Three Magic Kings
78. References
   § http://code.kryo.se/iodine/
   § http://dns.measurement-factory.com/
   § http://darkwing.uoregon.edu/~joe/secprof10-dns/secprof10-dns.pdf
   § http://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Kaminsky.pdf
   § http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-kaminsky/bh-us-04-kaminsky.ppt
   § http://www.pcworld.com/article/220024/feds_accidentally_seize_84000_innocent_domains_link_them_with_child_porn.html
   § http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf
   § http://www.secdev.org/projects/scapy/
   § https://www.isc.org/software/bind/documentation/arm95#man.dig
   § http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl
   § http://hakin9.org/magazine/1652-mobile-malware-the-new-cyber-threat
   § http://www.ietf.org/rfc/rfc{1033,1034,1035,1183,2181}.txt
   § http://tools.ietf.org/id/draft-cmd-prevent-malware-dns-distribute-00.txt
   § http://www.wombat-project.eu/
   § http://exposure.iseclab.org/index.html
   § https://dnsdb.isc.org/#Home
   § http://www.webboar.com
   § https://dns.he.net/
   § http://www.flu-project.com/
   § http://arsofttoolsnet.codeplex.com/
79. Thanks for your time! @{ttlexpired,ffranz} {charlie,fran}@tid.es