Carlos Díaz y Fco. Jesús Gómez - CMD: Look who's talking too [RootedCON 2012]

"DNS: Internet Dial-Tone". Starting from this premise, and with an eye on the malware distribution method presented in 2011 (Cloud Malware Distribution), we will try to show dynamically the results obtained after some months of work focused on botnet communications, both on the command-and-control side and on the data-leak side. The DNS protocol, of course, plays the leading role. We will play with three fundamental parameters that have to be balanced:

Exposure level of the attacker's infrastructure.
Resources and complexity.
Communication bandwidth.
The final goal is to raise awareness of the importance of putting the focus on this protocol, as has been done with others. Our results, and the results obtained by security vendors and researchers in recent months, support the position we defend.



  1. CMD: Look who's talking too. DNS: a botnet dialect

  2. Francisco J. Gómez Rodríguez (fran@tid.es):
      • Computer Engineering (EUI-UPM)
      • Security Research (Telefonica R&D)
      • dig fran.rootedcon.themafia.info TXT
     Carlos Díaz Hidalgo (charlie@tid.es):
      • Telecommunications Engineer (ETSIT-UPM), GPEN, GCIH, OPST, ITILF and CCNA.
      • Technology Specialist in Ethical Hacking (Telefonica R&D)
      • dig charlie.rootedcon.themafia.info TXT

  3. look who's talking too: Nasal Spray. This presentation contains:
      one year ago … 3 mg
      cloud malware distribution … 10 mg
      dns is in the air … 10 mg
      suspicion … 8 mg
      data leak … 10 mg
      laboratory … 10 mg
     4.4 FL OZ (130 mL). Tamper-Evident: do not accept if sealed blister unit has been broken or opened. THIS PACKAGE FOR HOUSEHOLDS WITHOUT YOUNG CHILDREN.

  4. INTRODUCTION

  5. One year ago…
      • We talked about DNS and Malware.
      • We released Cloud Malware Distribution (CMD):
        – An alternative method for malware distribution using cache DNS services.
        – Using client default DNS settings.
        – Malware source virtually untraceable.

  6. A DNS shot

  7. Cloud Malware Distribution in a nutshell: CMD

  8. Cloud Malware Distribution
      1. Encoding: split the malware payload into DNS records.
      2. Publishing: publish the domain and each record in a public name server.
      3. Loading: force an Open Emitter DNS cache server to store all records.
      4. Downloading: download the records from an infected host (bot).
      5. Decoding: rebuild the malware payload from the records.
     [Diagram: the records 8rjqerkjqet.cmdns.domain.com, ueirytbdosu.cmdns.domain.com, ktqtr53xase.cmdns.domain.com and kzmfzzmfzze.cmdns.domain.com pass through steps 1-5 via the Open Emitter DNS.]

  9. Cloud Malware Distribution (I): Encoding & Publish
      • From the malware file we create a base32 coded string.
      • Then we split the string into DNS-compliant records.
     [Diagram: 8rjqerkjqetueirytbdosuktqtr53xasekzmfzzmfzze is split into 8rjqerkjqet, ueirytbdosu, ktqtr53xase and kzmfzzmfzze, published as 8rjqerkjqet.cmdns.domain.com, ueirytbdosu.cmdns.domain.com, ktqtr53xase.cmdns.domain.com and kzmfzzmfzze.cmdns.domain.com on the DNS AUTH (Freedns.afraid.org).]

  10. Cloud Malware Distribution (II): Loading
      • We upload each DNS record from a malicious DNS to the Open Emitter.
      • This is done by requesting each record from the Open Emitter DNS.
      • Then the server caches each record.
     [Diagram: Split[1..n].cmdns.domain.com A? → Open Emitter DNS → cmdns.domain.com NS? → DNS AUTH (Freedns.afraid.org); the four records end up cached in the Open Emitter.]

  11. Cloud Malware Distribution (III): Downloading
      • Since the Open Emitter server has cached all records, we convert it into the domain's authoritative server.
      • From now on, the Open Emitter will resolve all queries for the domain.
      • Thus, all Internet DNS servers can resolve the malware records and bots can get them.
     [Diagram: DNS AUTH (Freedns.afraid.org) → Open Emitter DNS holding the four records.]

  12. Cloud Malware Distribution (IV): Decoding
      • With all the retrieved records, bots can rebuild the original file.
      • The bot has now updated the malware file.
     [Diagram: kzmfzzmfzze.cmdns.domain.com, ktqtr53xase.cmdns.domain.com, ueirytbdosu.cmdns.domain.com and 8rjqerkjqet.cmdns.domain.com are joined back into 8rjqerkjqetueirytbdosuktqtr53xasekzmfzzmfzze.]
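Added example (not from the talk or from the Flu project): a resolver-side check that scores a constructed query log for the footprint slides 8-12 describe, many distinct high-entropy chunk labels under a single parent zone. The log format, the example.com/example.org names and the thresholds are assumptions.

```python
"""Flag CMD-style payload staging in a resolver query log (constructed example).
Log format assumed here: <timestamp> <client-ip> <qname> <qtype>
A base32-chunked payload appears as many distinct, high-entropy labels under one zone."""
import math
from collections import defaultdict

# Constructed sample: five chunk lookups under cmdns.example.com plus ordinary traffic.
SAMPLE_LOG = """\
1330000001 10.0.0.5 8rjqerkjqet.cmdns.example.com A
1330000002 10.0.0.5 ueirytbdosu.cmdns.example.com A
1330000003 10.0.0.5 ktqtr53xase.cmdns.example.com A
1330000004 10.0.0.5 kzmfzzmfzze.cmdns.example.com A
1330000005 10.0.0.5 mnbvcxz72kq.cmdns.example.com A
1330000006 10.0.0.7 www.example.org A
1330000007 10.0.0.7 mail.example.org MX
1330000008 10.0.0.9 www.example.org A
"""

def label_entropy(label):
    """Shannon entropy of one DNS label, in bits per character."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_log(text):
    """Yield (client, qname) pairs; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2].lower().rstrip(".")

def find_staging_zones(log_text, min_labels=4, min_mean_entropy=2.5):
    """Return {zone: number of distinct leftmost labels} for zones that look like
    chunk stores: at least min_labels distinct chunks whose mean entropy is at
    least min_mean_entropy bits/char. Only the leftmost label is scored, because
    that is where CMD places the payload chunk."""
    labels_by_zone = defaultdict(set)
    for _client, qname in parse_log(log_text):
        first, sep, zone = qname.partition(".")
        if sep:
            labels_by_zone[zone].add(first)
    flagged = {}
    for zone, labels in labels_by_zone.items():
        mean_entropy = sum(label_entropy(lab) for lab in labels) / len(labels)
        if len(labels) >= min_labels and mean_entropy >= min_mean_entropy:
            flagged[zone] = len(labels)
    return flagged

if __name__ == "__main__":
    print(find_staging_zones(SAMPLE_LOG))  # {'cmdns.example.com': 5}
```

Thresholds are deliberately low so the constructed sample trips them; on real logs the label count and a time window are the knobs to tune, and a zone that trips the rule is a candidate for a sinkhole or a cache flush rather than an automatic block.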
  13. Own survey: yesterday and today
     Columns: February 2011 Spain | February 2011 USA | March 2012 Spain | March 2012 USA
      Queried hosts              10,406 | 10,406 | 8,217  | 8,217
      Replying hosts             87.22% | 87.39% | 87.58% | 87.69%
      Open resolvers             76.46% | 77.28% | 95.45% | 82.08%
      Open emitters              57.76% | 57.33% | 53.78% | 53.51%
      Accept +norecurse queries  55.91% | 55.49% | 87.67% | 74.44%
      TTL ≥ 604800               43.05% | 42.94% | 51.24% | 49.32%

  14. A quick test… DNSCrypt: "In the same way the SSL turns HTTP web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks."

  15. … a quick demo. Summary: we can use DNSCrypt and the CMD method works.

  16. DNS: yesterday, today, and tomorrow. DNS IS IN THE AIR

  17. Are you talking to me?
      • Let's see some about…
        – DNS as covert channel.
        – DNS uses in malware communications.

  18. DNS as Covert Channel
      • OzymanDNS (Kaminsky)
      • Dnscapy
      • (NSTX) Iodine: uses several RR types (NULL, TXT, CNAME)
      • Dns2tcp & TCP-over-DNS: relay TCP connections.
      • LoopcVPN: one of China-Telecom hotspot nightmares.

  19. Are you talking to me?
      • Let's see some about…
        – DNS as covert channel.
        – DNS uses in malware communications.

  20. Stateless malware (I)
      • TSPY_ZBOT.SMQH
        – Another Modified ZeuS Variant Seen in the Wild.
        – Reported in September 2011 by Trend Micro.
        – Data exchange is also now happening in UDP.
        – http://blog.trendmicro.com/another-modified-zeus-variant-seen-in-the-wild/

  21. Stateless malware (II)
      • Older version using TCP to exchange configuration files. However, the new version exchanges all data in UDP.
        – http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet

  22. Stateless malware (II)
      • Older version using TCP to exchange configuration files. However, the new version exchanges all data in UDP.
        – http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet
     [Diagram: TCP]

  23. Where there's smoke, there's fire.

  24. Feedorbot
      • Using DNS protocol.
        – Feedorbot shares encrypted commands from the C&C.
        – Encapsulating data in TXT records, Base64 encoded.
        – http://www.cj2s.de/On-Botnets-that-use-DNS-for-Command-and-Control.pdf

  25. Hiloti
      • Thanks to DNS queries, Hiloti monitors the infected host's status.
        – http://blog.fortinet.com/hiloti-the-botmaster-of-disguise
        – Example query: 142625.bc7a3d45.01.0AC1FD9D62074E6D9D2889088284DAB5.n.empty.1148.empty.5_1._t_i.ffffffff.explorer_exe.173.rc2.a4h9uploading.com
      • Although it uses DNS as control protocol, bots download update files from "file hosting" servers by HTTP.

  26. Morto
      • From IRC to DNS.
        – Morto, like Feedorbot, uses TXT records to communicate.
        – http://www.symantec.com/connect/blogs/morto-worm-sets-dns-record

  27. GATHERING & EVALUATING INFORMATION

  28. Gathering & Evaluating Information (I)
      • http://www.wombat-project.eu/
      • http://exposure.iseclab.org/index.html

  29. Gathering & Evaluating Information (II)
      • https://dnsdb.isc.org/#Home
      • http://www.webboar.com

  30. Gathering & Evaluating Information (III)
      • Don't forget the classics:
        – http://www.robtex.com/

  31. Learned in #Rooted2012
      • http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/

  32. Sometimes… I see dead people
      • September, 2011 (Top 10 Malicious Domains)

  33. Scratch & Win

  34. Ten Little Niggers
      • http://www.webboar.com/ip/67.15.149.70/
        – 25 domain(s) on IP address 67.15.149.70 (the slide lists them)

  35. Sometimes… I see dead people

  36. CMD could be alive!

  37. DATA LEAK OVER DNS

  38. DATA LEAK OVER DNS

  39. Traditional data leak using DNS
     [Diagram: the bot sends DataLeakRecord1.[OUTPUT_DOMAIN], DataLeakRecord2.[OUTPUT_DOMAIN], … to a cache DNS (public or private) (1), which forwards them to the DNS Auth. for OUTPUT_DOMAIN (2).]

  40. Using a DNS reflector
     [Diagram, steps 1-5: the bot queries Data1.[PUBLICATION_DOMAIN], Data2.[PUBLICATION_DOMAIN], … through a cache DNS (public or private); the DNS Auth. for PUBLICATION_DOMAIN (open emitter + cache) maps Data1 -> DataLeakRecord1 and, forced by CMD ("Force Data Leak Upload"), looks up DataLeakRecord1.[OUTPUT_DOMAIN] at the DNS Auth. for OUTPUT_DOMAIN.]

  41. DNS reflector (demo)

  42. Using Fast-Flux DNS reflectors
     [Diagram: the same flow as the DNS reflector slide, with Fast-Flux DNS reflectors in the PUBLICATION_DOMAIN role.]

  43. Data leak using NXDOMAIN responses
      • NXDOMAIN responses are cached:
        – Negative caching is useful.
        – TTL value: the SOA minimum parameter is used as the negative (NXDOMAIN) caching time (defined in RFC 2308).
      • Other queries may reuse some parts of the lookup (quick response).

  44. Caching NXDOMAIN responses (I)

  45. Caching NXDOMAIN responses (II)

  46. Caching NXDOMAIN responses (III)

  47. Data leak with "dig": RCODE, TTL, QUERY TIME

  48. Leak recovery with "dig" (I): TTL < 86400, QUERY TIME < 300 msec

  49. Leak recovery with "dig" (II): TTL = 86400, QUERY TIME approx. 300 msec. It is not a good method for recovery!

  50. Leak recovery with "dig" (III): TTL < 86400, QUERY TIME < 300 msec

  51. Leak recovery with "dig" (IV): RCODE ≠ NXDOMAIN, QUERY TIME < 300 msec. It is the preferred method for recovery!

  52. Data leak using NXDOMAIN responses
     [Diagram: the bot sends dataleakrecord1.[OUTPUT_DOMAIN] and its many label variants to the DNS (open emitter + cache) (1), which forwards them to the DNS Auth. for OUTPUT_DOMAIN (2).]

  53. Data leak using NXDOMAIN responses
     [Diagram: as in slide 52, plus step 3: +norecurse queries for a.[OUTPUT_DOMAIN], b.[OUTPUT_DOMAIN], …, z.[OUTPUT_DOMAIN], 1.[OUTPUT_DOMAIN], a1.[OUTPUT_DOMAIN], … against the cache; each response is read for its RCODE, TTL value and query time to recover dataleakrecord1.]

  54. NXDOMAIN (demo)

  55. Data leak using "nice" domains
      • There are authoritative DNS servers that:
        – Simply point all unknown DNS queries to a single IP address.
        – Have a minimum TTL value on the order of 1-7 days.
      • Where can I find them?
        – Alexa "Top Sites": http://www.alexa.com/topsites
          inbox.com, imgur.com, motherless.com, wikia.com, wikispaces.com, pbworks.com, …

  56. Caching 'nice' responses (II)

  57. Caching 'nice' responses (II)

  58. Data leak using 'nice' domains
     [Diagram: as in slide 52, with the 'nice' DNS Auth. acting as OUTPUT_DOMAIN.]

  59. Data leak using 'nice' domains
     [Diagram: as in slide 53, plus step 3: +norecurse queries against the cache; each response is read for its ANSWER SECTION and TTL value.]
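Added example, not part of the talk: resolver-log detection of the two steps the NXDOMAIN and 'nice'-domain variants share, the burst of negative lookups from an inside client (the upload) and the later +norecurse (RD=0) reads from outside that slides 53 and 59 mark as step 3. The log format, the addresses and the assumption that the resolver only serves 10.0.0.0/8 are constructed for this example.

```python
"""Flag both halves of the NXDOMAIN / 'nice'-domain leak in a resolver log (constructed).
Log format assumed here: <timestamp> <client-ip> <qname> <rd> <rcode>, rd=1 when the
client set Recursion Desired. Upload side: a local client resolves many distinct names
under one zone and gets NXDOMAIN for each. Recovery side: an outside client sends RD=0
queries to read what the cache already holds (cache snooping)."""
import ipaddress
from collections import defaultdict

# Assumption: this resolver is only meant to serve clients in 10.0.0.0/8.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample: three upload lookups, normal traffic, then an outside reader.
SAMPLE_LOG = """\
1330000001 10.0.0.5 dataleakrecord1.output.example 1 NXDOMAIN
1330000002 10.0.0.5 dataleakrecord2.output.example 1 NXDOMAIN
1330000003 10.0.0.5 dataleakrecord3.output.example 1 NXDOMAIN
1330000004 10.0.0.7 www.example.org 1 NOERROR
1330000005 10.0.0.7 nosuchhost.example.org 1 NXDOMAIN
1330000010 198.51.100.23 dataleakrecord1.output.example 0 NXDOMAIN
1330000011 198.51.100.23 dataleakrecord2.output.example 0 NXDOMAIN
1330000012 198.51.100.23 www.example.org 0 NOERROR
"""

def parse_log(text):
    """Yield one dict per well-formed line; anything else is skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5:
            yield {"client": f[1], "qname": f[2].lower().rstrip("."),
                   "rd": f[3] == "1", "rcode": f[4]}

def is_local(client):
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in LOCAL_NETS)

def external_snoopers(log_text):
    """{client: count of RD=0 queries} for clients outside LOCAL_NETS.
    Answering these at all is the open-emitter behaviour the recovery step relies on."""
    hits = defaultdict(int)
    for q in parse_log(log_text):
        if not q["rd"] and not is_local(q["client"]):
            hits[q["client"]] += 1
    return dict(hits)

def nxdomain_bursts(log_text, min_names=3):
    """{(client, zone): distinct names} where a local client's recursive lookups
    produced at least min_names NXDOMAINs under one zone (the upload step)."""
    names = defaultdict(set)
    for q in parse_log(log_text):
        if q["rd"] and q["rcode"] == "NXDOMAIN" and is_local(q["client"]):
            first, sep, zone = q["qname"].partition(".")
            if sep:
                names[(q["client"], zone)].add(first)
    return {k: len(v) for k, v in names.items() if len(v) >= min_names}
```

The 'nice'-domain variant answers NOERROR instead of NXDOMAIN on the upload side, so the upload rule above only catches the NXDOMAIN case; the RD=0-from-outside rule catches the recovery step of both, and a resolver that restricts recursion and cache reads to its own clients removes the channel entirely.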
  60. Conclusions: data leak
     Columns: use client default DNS settings | upload queries needed | expose cybercrime infrastructure | download queries needed | score (0-10)
      Traditional DNS tunneling        YES | 2 queries/kB | YES | -            | 5
      Using Fast-Flux DNS reflectors   YES | 2 queries/kB | YES | 2 queries/kB | 4
      Using NXDOMAIN response          NO  | 2 queries/B  | NO  | 20 queries/B | 2
      Using "nice" domains             NO  | 2 queries/B  | NO  | 20 queries/B | 6

  61. ToDo: Improvement++
      • Data leak using 'nice' domains. But remembering that:
        – Must use client default DNS settings.
      • Maybe we can use third-party resources … (once again)
        – … use misconfigured DNS (proxy DNS, cache DNS, authoritative server, …).
        – e.g. must ignore the "+norecurse" flag, "minimal-response" configured, etc.
      • Result: untraceable data leaks

  62. Harder than finding a needle in a haystack!

  63. Are we infected? LABORATORY

  64. Making the lab
      • We need a "real" threat…
      • But we are "ethical"…
      • And we are not developers…
     Searching…

  65. And the winner is…
      • Written in C# and PHP
      • GNU/GPL
      • Geared to build botnets
      • HTTP communication

  66. How Flu works
      • The Flu server shares an XML commands file.
      • Infected hosts get the XML file through an HTTP request.
     [Diagram: Flu Server → HTTP → Flu Infected Host]

  67. Flu and CMD
      • We use CMD to distribute the XML commands file.
      • Our dream: Flu becomes a stateless Trojan.
      • Then we'll have a stateless-Trojan-GPL botnet.
     [Diagram: HTTP/TCP (1 GET, 11 pkts., 1 conn.) vs DNS/UDP (1 query, 2 pkts., 0 conn.); Flu Server → DNS → Open Emitter DNS → DNS → Flu Infected Host]

  68. Flu and CMD: Server
      • PHP 5.3.0 or higher required.
      • Three steps:
        1. domain.db file create (external lib: Tar.php)
        2. Load XML file into DNS server (native lib)
        3. Download data from infected host (native lib)

  69. Flu and CMD: 3rd Party
      • ISC Bind
      • FreeDNS.afraid.org
      • HE free DNS service
      • Misconfigured DNS server (Open Emitter)

  70. Flu and CMD: 3rd Party
      • ISC Bind
      • FreeDNS.afraid.org
      • HE free DNS service
      • Misconfigured DNS server (Open Emitter)

  71. Flu and CMD: Client
      • We use the ARSoft.Tools.Net library.
      • Without GUI changes:
        – We use domainload for the data leak.
        – We use domaindownload to get the XML file.

  72. Flu and CMD: How it works (I)
     [Diagram: XML2DNS, LOADXML, DOWNLOADXML; Flu Server → DNS → Open Emitter DNS → DNS → Flu Infected Host]

  73. Flu and CMD: How it works (II)
      • How does Flu call back?
        – NXDOMAIN can: track new bots.
        – NXDOMAIN can't: send huge files.
     [Diagram: Flu Infected Host → Nxdomainquery → Open Emitter DNS → Nxdomainquery → Flu C&C DNS Server; Noerror flows back the same way.]

  74. Flu and CMD: How it works (II)
      1. How does Flu call back?
        – NXDOMAIN can: track new bots.
        – NXDOMAIN can't: send huge files.
      2. Then… we need to expose the DNS server.
     [Diagram 1: as in slide 73. Diagram 2: Flu Infected Host → DNS → Cache → DNS → Flu C&C]

  75. Flu and CMD: Demo

  76. Conclusions
      • DNS is a botnet dialect…
        – One year ago DNS was a possibility; today it could be a real threat.
      • Data leak using DNS needs an improvement…
        – …but we are a work in progress.
      • Malware needs to communicate undetected, and IDS wants to detect malware.
        – Both must be looking at the same thing… DNS.
      • Don't forget the DNS protocol

  77. Questions? Who invented the RootedCON? Perez the mouse. RootedCON is your parents. Santa. Three Magic Kings.

  78. References
      • http://code.kryo.se/iodine/
      • http://dns.measurement-factory.com/
      • http://darkwing.uoregon.edu/~joe/secprof10-dns/secprof10-dns.pdf
      • http://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Kaminsky.pdf
      • http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-kaminsky/bh-us-04-kaminsky.ppt
      • http://www.pcworld.com/article/220024/feds_accidentally_seize_84000_innocent_domains_link_them_with_child_porn.html
      • http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf
      • http://www.secdev.org/projects/scapy/
      • https://www.isc.org/software/bind/documentation/arm95#man.dig
      • http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl
      • http://hakin9.org/magazine/1652-mobile-malware-the-new-cyber-threat
      • http://www.ietf.org/rfc/rfc{1033,1034,1035,1183,2181}.txt
      • http://tools.ietf.org/id/draft-cmd-prevent-malware-dns-distribute-00.txt
      • http://www.wombat-project.eu/
      • http://exposure.iseclab.org/index.html
      • https://dnsdb.isc.org/#Home
      • http://www.webboar.com
      • https://dns.he.net/
      • http://www.flu-project.com/
      • http://arsofttoolsnet.codeplex.com/

  79. Thanks for your time! @{Hlexpired,ffranz} {charlie,fran}@tid.es
