#RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez

CMD:
Look
who’s
talking
too

DNS:
a
botnet
dialect

Francisco
J.
Gómez
Rodríguez
(fran@Gd.es):

•  Computer
Engineering
(EUI-‐UPM)

•  Security
Research
(Telefonica
R&D)

•  dig
fran.rootedcon.themaﬁa.info
TXT

Carlos
Díaz
Hidalgo
(charlie@Gd.es):

•  TelecommunicaGons
Engineer
(ETSITM-‐UPM),
GPEN,
GCIH,

OPST,
ITILF
and
CCNA.

•  Technology
Specialist
in
Ethical
Hacking
(Telefonica
R&D)

•  dig
charlie.rootedcon.themaﬁa.info
TXT

look
who’s
talking
too

Nasal
Spray

This
presenta9on
contains:

one
year
ago
…………………………………………....

3
mg

cloud
malware
distribuGon
…………………..….

10
mg

dns
is
in
the
air
…………………………………………

10
mg

suspicion
………………………………………………….

8
mg

data
leak
………………………………………………….

10
mg

laboratory
……………………………………………….

10
mg

4.4
FL
OZ
(130mL)

Tamper-‐Evident:
Do
not
accept
if
sealed
blister

unit
has
been
broken
or
opened

THIS
PACKAGE
FOR
HOUSEHOLDS

WITHOUT
YOUNG
CHILDREN

One
year
ago
…

•  We
talked
about
DNS
and
Malware.

•  We
released
Cloud
Malware
DistribuGon

(CMD):

–  An
alternaGve
method
for
malware
distribuGon

using
Cache
DNS
services.

–  Using
client
default
DNS
se_ngs.

–  Malware
source
virtually
untraceable.

Cloud
Malware
DistribuGon
in
a
nutshell

CMD

Cloud
Malware
DistribuGon

1.  Encoding:
Split
malware
payload
into
DNS
Records.

2.  Publishing:
Publish
domain
and
each
record
in
a
public
Name
Server.

3.  Loading:
Force
an
Open
Emi`er
DNS
Cache
Server
to
store
all
records.

4.  Downloading:
Download
records
from
an
infected
host
(bot).

5.  Decoding:
Rebuild
malware
payload
from
records.

8rjqerkjqet.cmdns.domain.com

ueirytbdosu.cmdns.domain.com

ktqtr53xase.cmdns.domain.com

kzmfzzmfzze.cmdns.domain.com


1,2


3
4
5


Open
Emi`er

DNS

Encoding
&
Publish
Cloud
Malware
DistribuGon
(I)


8rjqerkjqet

ueirytbdosu

ktqtr53xase

kzmfzzmfzze


•  From
malware
ﬁle
we
create

a
base32
coded
string.

•  So
we
split
the
string
into

DNS
compliance
records.

DNS
AUTH
8rjqerkjqetueirytbdosuktqtr53xasekzmfzzmfzze

Freedns.afraid.org





Cloud
Malware
DistribuGon(II)


•  We
upload
each
DNS
record
from

a
malicious
DNS
to
Open
Emièr.

•  This
is
made
by
requesGng
each

record
to
Open
Emièr
DNS.

•  Then
Server
caches
each
record.

Split[1..n].cmdns.domain.com

A?


Open

Emièr

cmdns.domain.com

DNS
AUTH
NS?

DNS

Freedns.afraid.org

Loading

Cloud
Malware
DistribuGon
(III)

•  Since
the
Open
Emièr
Server
has
cached
all
records
we

convert
it
into
a
domain
authoritaGve
domain
server.

•  From
now
on,
Open
Emièr
will
resolve
all
domain
queries.

•  Thus,
all
Internet
DNS
servers
can
resolve
malware
records
and

bots
can
get
them.

DNS
AUTH

Freedns.afraid.org


Open



Emièr


DNS

Downloading

Cloud
Malware
DistribuGon
(IV)





8rjqerkjqetueirytbdosuktqtr53xasekzmfzzmfzze

•  With
all
the
retrieved
records
bots

can
rebuild
the
original
ﬁle.

•  Bot
has
now
updated
the
malware

ﬁle.

Decoding

Own
survey
:
yesterday
and
today

Febrero
de
2011
Marzo
de
2012

España
EEUU
España
EEUU

Queried
hosts
10.406
10.406
8217
8217

Replying
hosts
87,22%
87,39%
87,58%
87,69%

Open
resolvers
76,46%
77,28%
95,45%
82,08%

Open
emi`ers
57,76%
57,33%
53,78%
53,51%

Accept
+norecurse

queries

55,91%
55,49%
87,67%
74,44%

TTL
≥
604800
43,05%
42,94%
51,24%
49,32%

A
quick
test…

DNSCrypt

In
the
same
way
the
SSL
turns
HTTP
web
traffic

into
HTTPS
encrypted
Web
traffic,
DNSCrypt

turns
regular
DNS
traffic
into
encrypted
DNS

traffic
that
is
secure
from
eavesdropping
and

man-‐in-‐the-‐middle
aàcks.

…
a
quick
demo.

Summary:
We
can
use
DNSCrypt
and
CMD
Method
works.

DNS:
yesterday,
today,
and
tomorrow

DNS
IS
IN
THE
AIR

Are
you
talking
to
me?

•  Let’s
see
some
about…

–  DNS
as
covert
channel.

–  DNS
uses
in
malware
communicaGons.

l

DNS
as
Covert
Channe

•  OzymanDNS
(Kaminsky)

•  Dnscapy

•  (NSTX)
Iodine:
Use
several
RR
types,

NULL,TXT,CNAME)

•  Dns2tcp
&
TCP-‐over-‐DNS:
relay
TCP
connecGons.

•  LoopcVPN
One
of
China-‐Telecom
Hotspot

nightmare.

Stateless
malware
(I)

•  TSPY_ZBOT.SMQH
–  Another Modified ZeuS Variant Seen in the Wild.
–  Reported in September 2011 by Trendmicro.
–  Data exchange is also now happening in UDP.
–  http://blog.trendmicro.com/another-modified-zeus-variant-seen-in-the-wild/

Stateless
malware(II)

•  Older
version
using
TCP
to
exchange
conﬁgura7on
ﬁles.
However,

The
new
version
exchanges
all
data
in
UDP
–  http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet

Stateless
malware(II)

•  Older
version
using
TCP
to
exchange
conﬁgura7on
ﬁles.
However,

The
new
version
exchanges
all
data
in
UDP
–  http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet

TCP

Where
there's
smoke,
there's
ﬁre.

Feedorbot

•  Using DNS protocol.
–  Feedorbot share encrypted commands from C&C.
–  Encapsuling data in TXT records and Base64 encoded.
–  http://www.cj2s.de/On-Botnets-that-use-DNS-for-Command-and-Control.pdf

HiloG

•  Thanks
DNS
querys
HiloG
monitors
infected
host
status.

–  h`p://blog.forGnet.com/hiloG-‐the-‐botmaster-‐of-‐disguise

142625.bc7a3d45.01.0AC1FD9D62074E6D9D2889088284DAB5.n.empty.1148.empty.
5_1._t_i.ffffffff.explorer_exe.173.rc2.a4h9uploading.com

•  Although
It
uses
DNS
as
control
protocol,
bots
download

update
ﬁles
from
“ﬁle
hosGng”
servers
by
HTTP.

Morto

•  From IRC to DNS.
–  Morto, like Feedorbot, uses TXT records to comnunicate.
–  http://www.symantec.com/connect/blogs/morto-worm-sets-dns-record

GATHERING
&
EVALUATING

INFORMATION

Gathering
&
EvaluaGng
InformaGon
(I)

•  h`p://www.wombat-‐project.eu/

•  h`p://exposure.iseclab.org/index.html

Gathering
&
EvaluaGng
InformaGon
(II)

•  h`ps://dnsdb.isc.org/#Home

•  h`p://www.webboar.com

Gathering
&
EvaluaGng
InformaGon
(III)

•  Don´t
forget
the
classics:

–  h`p://www.robtex.com/

Learned
in
#Rooted2012

•  h`p://labs.alienvault.com/labs/index.php/projects/open-‐source-‐ip-‐reputaGon-‐portal/

SomeGmes
…
I
see
dead
people

•  September,
2011

(Top
10
Malicious
Domains)

Ten
Li`le
Niggers

•  h`p://www.webboar.com/ip/67.15.149.70/

–  25
Domain(s)
on
IP
Address
67.15.149.70

•  azxdf.com
•  civiGcle0.com
•  morewallfalls7.com

•  mjuyh.com
•  ckubf.com
•  okjyu.com

•  hjuyv.com
•  djhbw.com
•  orn2hcb.com

•  plokm.com
•  himovingto8.com
•  qlovg.com

•  nbgtr.com
•  hiuxd.com
•  quiluGon2.com

•  vcxde.com
•  liunj.com
•  uncdt.com

•  asljd.com
•  loijm.com
•  xvfar.com

•  bruGllor5.com
•  mjrth.com
•  zscdw.com

•  zukamosion3.com

SomeGmes
…
I
see
dead
people

TradiGonal
data
leak
using
DNS

[OUTPUT_DOMAIN]

DataLeakRecord1.[OUTPUT_DOMAIN] DataLeakRecord1

DataLeakRecord2.[OUTPUT_DOMAIN] DataLeakRecord2

…

1
2

Cache
DNS

(public or private) DNS
Auth.

OUTPUT_DOMAIN

Bot

Using
a
DNS
reﬂector

DNS
Auth.

DataLeakRecord1.[OUTPUT_DOMAIN] (OUTPUT_DOMAIN)

2

1

(PUBLICATION_DOMAIN)

Cache
DNS

Data1
-‐>
DataLeakRecord1
(public or private) 3

Force
Data
Leak
Upload

CMD

5

Bot Data1
[PUBLICATION_DOMAIN]

Data1

4
Data2

…

Data1.[PUBLICATION_DOMAIN]
Cache
DNS
DNS
Auth.

(Open
emi`er
+
cache)

PUBLICATION_DOMAIN

Data1
-‐>
DataLeakRecord1

Using
Fast-‐Flux
DNS
reﬂectors

DNS
Auth.

DataLeakRecord1.[OUTPUT_DOMAIN]
(OUTPUT_DOMAIN)

2

1

Cache
DNS
(PUBLICATION_DOMAIN)

Data1
-‐>
DataLeakRecord1
(public or private)
3

DataLeakRecord1.[OUTPUT_DOMAIN] Force
Data
Leak
Upload

CMD

5

Bot Data1
[PUBLICATION_DOMAIN]

Data1

4
Data2

…

Data1.[PUBLICATION_DOMAIN]
Cache
DNS
DNS
Auth.

(Open
emi`er
+
cache)

Data
Leak
using
NXDOMAIN
responses

•  NXDOMAIN
responses
are
cached:

–  NegaGve
caching
is
useful.

–  TTL
value:
The
SOA
'minimum'
parameter
is
used

as
the
negaGve
(NXDOMAIN)
caching
Gme

(deﬁned
in
RFC
2308).

•  Other
queries
may
reuse
some
parts
of
the

lookup
(quick
response).

Caching
NXDOMAIN
responses
(I)

Caching
NXDOMAIN
responses
(II)

Caching
NXDOMAIN
responses
(III)

Data
leak
with
“dig”

RCODE

TTL

QUERY
TIME

Leak
recovery
with
“dig”
(I)

TTL
<
86400

QUERY
TIME
<
300
msec

Leak
recovery
with
“dig”
(II)

TTL
=
86400

QUERY
TIME
approx.
300
msec

It
is
not
a
good
method
for
recovery!

Leak
recovery
with
“dig”
(III)

TTL
<
86400

QUERY
TIME
<
300
msec

Leak
recovery
with
“dig”
(IV)

RCODE
≠
NXDOMAIN

QUERY
TIME
<
300
msec

It
is
the
preferred
method
for
recovery!

Data
Leak
using
NXDOMAIN
responses

DNS
2

1

(Open
emi`er
+
cache)
DNS
Auth.

UT_DOM
AIN] 1.[OUTPUT_DOMAIN] (OUTPUT_DOMAIN)

1.[OUTP
d1.[OUTPUT_DOMAIN]
OMAIN]
TPUT_D
d1.[OU …
AIN]
dataleakrecord1

UT_DOM
rd1.[OUTP ataLeakRecord1.[OUTPUT_DOMAIN]
… DataLeakRecord1.[OUTPUT_DOMAIN]
IN]
T_DOMA
d1.[OUTPU
krecor
atalea MAIN]
PUT_DO
rd1.[OUT
akreco
datale

Bot

Data
Leak
using
NXDOMAIN
responses

DNS
2

1

(Open
emi`er
+
cache)
DNS
Auth.

UT_DOM
AIN] 1.[OUTPUT_DOMAIN] (OUTPUT_DOMAIN)

1.[OUTP
d1.[OUTPUT_DOMAIN]
OMAIN]
TPUT_D
d1.[OU …
AIN]
dataleakrecord1

UT_DOM
IN]
T_DOMA
d1.[OUTPU
krecor
atalea MAIN]
PUT_DO
rd1.[OUT
akreco

a1.[OUTPUT_DOMAIN]
datale

1.[OUTPUT_DOMAIN]
z.[OUTPUT_DOMAIN]

b.[OUTPUT_DOMAIN]
a.[OUTPUT_DOMAIN]
…

…
Bot

QUERY:
+norecurse

3
RESPONSE:
RCODE?

dataleakrecord1 TTL
value?

Query
Gme?

Data
Leak
using
“nice”
domains

•  There
are
authoritaGve
DNS
server
that:

–  Simply
point
all
unknown
DNS
queries
to
a
single

IP
address.

–  Minimum
TTL
value
on
the
order
of
1-‐7
days.

•  Where
can
I
ﬁnd
them?
inbox.com

imgur.com

–  Alexa
“Tops
Sites”:
motherless.com

h`p://www.alexa.com/topsites

wikia.com

wikispaces.com

pbworks.com

…

Caching
‘nice’
responses
(II)

Data
Leak
using
‘nice’
domains

DNS
2
‘nice’
DNS
Auth.

1

(Open
emi`er
+
cache)
(OUTPUT_DOMAIN)

AIN] 1.[OUTPUT_DOMAIN]
UT_DOM
1.[OUTP
d1.[OUTPUT_DOMAIN]
OMAIN]
TPUT_D
d1.[OU …
AIN]
dataleakrecord1

UT_DOM
IN]
T_DOMA
d1.[OUTPU
krecor
atalea MAIN]
PUT_DO
rd1.[OUT
akreco
datale

Bot

Data
Leak
using
‘nice’
domains

DNS
2
‘nice’
DNS
Auth.

1

(Open
emi`er
+
cache)
(OUTPUT_DOMAIN)

AIN] 1.[OUTPUT_DOMAIN]
UT_DOM
1.[OUTP
d1.[OUTPUT_DOMAIN]
OMAIN]
TPUT_D
d1.[OU …
AIN]
dataleakrecord1

UT_DOM
IN]
T_DOMA
d1.[OUTPU
krecor
atalea MAIN]
PUT_DO
rd1.[OUT
akreco

a1.[OUTPUT_DOMAIN]
datale

1.[OUTPUT_DOMAIN]
z.[OUTPUT_DOMAIN]

b.[OUTPUT_DOMAIN]
a.[OUTPUT_DOMAIN]
…

…
Bot

QUERY:
+norecurse

3
ANSWER
SECTION?

dataleakrecord1 TTL
value?

Conclusions
data-‐leak

Use
client
Upload
Expose
Download
Score

default
DNS
queries
cybercrime
queries
(0-‐10)

seings
needed
infrastructure
needed

TradiGonal

YES
2
queries/kB
YES
-‐
5

DNS
tunneling

Using
Fast-‐Flux

YES
2
queries/kB
YES
2
queries/kB
4

DNS
reﬂectors

Using

NXDOMAIN
NO
2
queries/B
NO
20
queries/B
2

response

Using
“nice”

NO
2
queries/B
NO
20
queries/B
6

domains

ToDo:
Improvement++

•  Data
Leak
using
‘nice’
domains.
But

remembering
that:

–  Must
use
client
default
DNS
se_ngs.

•  Maybe
can
use
three
party
resources
…
(once

again)

– 
…
Use
misconfigured
DNS
(proxy
DNS,
cache
DNS,

authoritaGve
server,
…).

–  e.g.
must
ignore
“+norecurse”
flag,
“minimal-‐
response”
configured,
etc.

•  Result:
Untraceable
data
leaks

Harder
than
ﬁnding
a
needle
in
a

haystack!

Are
we
infected?

LABORATORY

Making
the
lab.

•  We
need
a
“real”
threat…

•  But
we
are
“ethical”…

•  And
we
are
not
developers…

Searching…

And
the
winner
is…

•  Wri`en
in
C#
and
PHP

•  GNU/GPL

•  Geared
to
build
botnets

•  HTTP
communicaGon

How
Flu
works

•  Flu
server
share
XML
commands
ﬁle.

•  Infected
hosts
get
XML
ﬁle
through

HTTP
request.

HTTP
Flu

Flu

Infected

SERVER

Host

Flu
and
CMD

•  We
use
CMD
to
distribute
XML
commands
ﬁle.

•  Our
dream:
Flu
become
stateless
Trojan.

•  Then
we’ll
have
stateless-‐Trojan-‐GPL
botnet.

1
GET
1
query

11
pkts.
HTTP/TCP
Vs
DNS/UDP
2
pkts.

1
conn.

0
conn.

DNS
Open
DNS
Flu

Flu

Emi`er
Infected

DNS

DNS
Host

Flu
and
CMD:
Server

•  PHP
5.3.0
or
higher
required.

•  Three
steps:

1. 
domain.db
ﬁle
create.
(external
lib:
Tar.php)

2.  Load
XML
ﬁle
into
DNS
server.
(NaGve
lib)

3.  Download
data
from
infected
host.
(NaGve
lib)

Flu
and
CMD:
3th
Party

•  ISC
Bind

•  FreeDNS.afraid.org

•  HE
free
DNS
service

•  Misconﬁgured
DNS
server.

Open

Emi`er

Flu
and
CMD:
Client

•  We
use
ARSoD.Tools.Net
library.

•  Without
GUI
changes:

–  We
use
domainload
to
data
leak.

–  We
use
domaindownload
to
get
XML
ﬁle.

Flu
and
CMD:
How
it
works
(I)

XML2DNS
LOADXML
DOWNLOADXML

DNS
Open
DNS
Flu

Flu

Emi`er
Infected

DNS

DNS
Host

Flu
and
CMD:
How
it
works
(II)

•  How
flu
call
back?

–  NXDOMAIN
can:
Track
new
bots.

–  NXDOMAIN
can’t:
Send
huge
files.

DNS
Open
DNS
Flu

Flu

Emièr
Infected

C&C
Nxdomainquery
Nxdomainquery

Noerror

DNS
Noerror

Host

DNS
Server

Flu
and
CMD:
How
it
works
(II)

1.  How
flu
call
back?

–  NXDOMAIN
can:
Track
new
bots.

–  NXDOMAIN
can’t:
Send
huge
files.

2.  Then…
we
need
to
expose
DNS
server.

DNS
Open
DNS
Flu

Flu

Emièr
Infected

C&C
Nxdomainquery
Nxdomainquery

1
Noerror

DNS
Noerror

Host

DNS
Server

DNS
DNS
Flu

Flu
Cache

2
Infected

DNS
DNS

Host

Conclusions

•  DNS
is
a
botnet
dialect…

–  One
year
ago
DNS
was
a
possibility,
today
could
be
a
real

threat.

•  Data
leak
using
DNS
need
an
improvement…

–  ...but
we
are
working
progress.

•  Malware
need
to
communicate
undetected,
and
IDS

want
to
detect
malware.

–  Both
must
be
looking
for
the
same…
DNS.

•  Don’t
forget
DNS
Protocol

QuesGons?

Who
invented
the
rootedcon?

Perez
the
mouse
Rootedcon
is
your
parents

Santa
Three
Magic
Kings

References

§  h`p://code.kryo.se/iodine/

§  h`p://dns.measurement-‐factory.com/

§  h`p://darkwing.uoregon.edu/~joe/secprof10-‐dns/secprof10-‐dns.pdf

§  h`p://www.blackhat.com/presentaGons/bh-‐europe-‐05/BH_EU_05-‐Kaminsky.pdf

§  h`p://www.blackhat.com/presentaGons/bh-‐usa-‐04/bh-‐us-‐04-‐kaminsky/bh-‐us-‐04-‐kaminsky.ppt

§  h`p://www.pcworld.com/arGcle/220024/feds_accidentally_seize_84000_innocent_domains_link_them_with_child_porn.html

§  h`p://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf

§  h`p://www.secdev.org/projects/scapy/

§  h`ps://www.isc.org/soƒware/bind/documentaGon/arm95#man.dig

§  h`p://dns.measurement-‐factory.com/cgi-‐bin/openresolvercheck.pl

§  h`p://hakin9.org/magazine/1652-‐mobile-‐malware-‐the-‐new-‐cyber-‐threat

§  h`p://www.ie„.org/rfc/rfc{1033,1034,1035,1183,2181}.txt

§  h`p://tools.ie„.org/id/draƒ-‐cmd-‐prevent-‐malware-‐dns-‐distribute-‐00.txt

§  h`p://www.wombat-‐project.eu/

§  h`p://exposure.iseclab.org/index.html

§  h`ps://dnsdb.isc.org/#Home

§  h`p://www.webboar.com

§  h`ps://dns.he.net/

§  h`p://www.ﬂu-‐project.com/

§  h`p://arsoƒtoolsnet.codeplex.com/

Thanks
for
your
Gme!

@{Hlexpired,ﬀranz}

{charlie,fran}@7d.es

#RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez

Recommended

Recommended

More Related Content

What's hot

What's hot (16)

Similar to #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez

Similar to #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez (20)

Recently uploaded

Recently uploaded (20)

#RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez