Carlos Díaz and Fco. Jesús Gómez - CMD: Look who's talking too [RootedCON 2012]
 


"DNS: Internet Dial-Tone". Starting from this premise, and with an eye on the malware distribution method presented in 2011 (Cloud Malware Distribution), we will try to show in a dynamic way the results obtained after some months of work focused on botnet communications, both on the control side and on the information-leak side. The DNS protocol, of course, plays the leading role. We will play with three fundamental parameters that have to be balanced:

  • Level of exposure of the attacker's infrastructure.
  • Resources and complexity.
  • Bandwidth of the communication.

The final goal is to raise awareness of the importance of putting the focus on this protocol, as has been done with others. Our results, and the results obtained by security vendors and researchers in recent months, support the position we defend.

    Presentation Transcript

    • CMD: Look who's talking too. DNS: a botnet dialect
    • Speakers
      – Francisco J. Gómez Rodríguez (fran@tid.es): Computer Engineering (EUI-UPM); Security Research (Telefonica R&D); dig fran.rootedcon.themafia.info TXT
      – Carlos Díaz Hidalgo (charlie@tid.es): Telecommunications Engineer (ETSIT-UPM), GPEN, GCIH, OPST, ITILF and CCNA; Technology Specialist in Ethical Hacking (Telefonica R&D); dig charlie.rootedcon.themafia.info TXT
    • look who's talking too: "Nasal Spray". This presentation contains: one year ago (3 mg); cloud malware distribution (10 mg); dns is in the air (10 mg); suspicion (8 mg); data leak (10 mg); laboratory (10 mg). 4.4 FL OZ (130 mL). Tamper-Evident: Do not accept if sealed blister unit has been broken or opened. THIS PACKAGE FOR HOUSEHOLDS WITHOUT YOUNG CHILDREN
    • INTRODUCTION
    • One year ago…
      – We talked about DNS and Malware.
      – We released Cloud Malware Distribution (CMD): an alternative method for malware distribution using cache DNS services; using client default DNS settings; malware source virtually untraceable.
    • A DNS shot
    • Cloud Malware Distribution in a nutshell (CMD)
    • Cloud Malware Distribution
      1. Encoding: Split malware payload into DNS records.
      2. Publishing: Publish domain and each record in a public Name Server.
      3. Loading: Force an Open Emitter DNS cache server to store all records.
      4. Downloading: Download records from an infected host (bot).
      5. Decoding: Rebuild malware payload from records.
      (Diagram: records 8rjqerkjqet.cmdns.domain.com, ueirytbdosu.cmdns.domain.com, ktqtr53xase.cmdns.domain.com and kzmfzzmfzze.cmdns.domain.com passing through the Open Emitter DNS.)
    • Cloud Malware Distribution (I): Encoding & Publish
      – From the malware file we create a base32 coded string.
      – Then we split the string into DNS-compliant records.
      (Diagram: the string 8rjqerkjqetueirytbdosuktqtr53xasekzmfzzmfzze split into the four records above and published on the DNS AUTH at Freedns.afraid.org.)
    • Cloud Malware Distribution (II): Loading
      – We upload each DNS record from a malicious DNS to the Open Emitter.
      – This is done by requesting each record from the Open Emitter DNS (NS? cmdns.domain.com, then A? Split[1..n].cmdns.domain.com).
      – Then the server caches each record.
    • Cloud Malware Distribution (III): Downloading
      – Since the Open Emitter server has cached all records, we convert it into the domain's authoritative server.
      – From now on, the Open Emitter will resolve all domain queries.
      – Thus, all Internet DNS servers can resolve malware records and bots can get them.
    • Cloud Malware Distribution (IV): Decoding
      – With all the retrieved records bots can rebuild the original file.
      – The bot has now updated the malware file.
    • Own survey: yesterday and today
                                    February 2011          March 2012
                                    Spain      USA         Spain      USA
      Queried hosts                 10.406     10.406      8217       8217
      Replying hosts                87,22%     87,39%      87,58%     87,69%
      Open resolvers                76,46%     77,28%      95,45%     82,08%
      Open emitters                 57,76%     57,33%      53,78%     53,51%
      Accept +norecurse queries     55,91%     55,49%      87,67%     74,44%
      TTL ≥ 604800                  43,05%     42,94%      51,24%     49,32%
    • A quick test… DNSCrypt: "In the same way the SSL turns HTTP web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks."
    • …a quick demo. Summary: We can use DNSCrypt and the CMD method works.
    • DNS: yesterday, today, and tomorrow. DNS IS IN THE AIR
    • Are you talking to me? Let's see some about…
      – DNS as covert channel.
      – DNS uses in malware communications.
    • DNS as Covert Channel
      – OzymanDNS (Kaminsky)
      – Dnscapy
      – (NSTX) Iodine: uses several RR types (NULL, TXT, CNAME)
      – Dns2tcp & TCP-over-DNS: relay TCP connections.
      – LoopcVPN: one of China-Telecom hotspots' nightmares.
    • Stateless malware (I)
      – TSPY_ZBOT.SMQH: Another Modified ZeuS Variant Seen in the Wild.
      – Reported in September 2011 by Trend Micro.
      – Data exchange is also now happening in UDP.
      – http://blog.trendmicro.com/another-modified-zeus-variant-seen-in-the-wild/
    • Stateless malware (II)
      – Older version using TCP to exchange configuration files. However, the new version exchanges all data in UDP.
      – http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet
    • Where there's smoke, there's fire.
    • Feedorbot: Using DNS protocol.
      – Feedorbot shares encrypted commands from C&C.
      – Encapsulating data in TXT records, Base64 encoded.
      – http://www.cj2s.de/On-Botnets-that-use-DNS-for-Command-and-Control.pdf
    • Hiloti
      – Thanks to DNS queries, Hiloti monitors infected host status.
      – http://blog.fortinet.com/hiloti-the-botmaster-of-disguise
      – Example query: 142625.bc7a3d45.01.0AC1FD9D62074E6D9D2889088284DAB5.n.empty.1148.empty.5_1._t_i.ffffffff.explorer_exe.173.rc2.a4h9uploading.com
      – Although it uses DNS as control protocol, bots download update files from "file hosting" servers by HTTP.
    • Morto: From IRC to DNS.
      – Morto, like Feedorbot, uses TXT records to communicate.
      – http://www.symantec.com/connect/blogs/morto-worm-sets-dns-record
    • GATHERING & EVALUATING INFORMATION
    • Gathering & Evaluating Information (I)
      – http://www.wombat-project.eu/
      – http://exposure.iseclab.org/index.html
    • Gathering & Evaluating Information (II)
      – https://dnsdb.isc.org/#Home
      – http://www.webboar.com
    • Gathering & Evaluating Information (III)
      – Don't forget the classics: http://www.robtex.com/
    • Learned in #Rooted2012
      – http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/
    • Sometimes … I see dead people
      – September, 2011 (Top 10 Malicious Domains)
    • Scratch & Win
    • Ten Little Niggers
      – http://www.webboar.com/ip/67.15.149.70/
      – 25 domain(s) on IP address 67.15.149.70
    • Sometimes … I see dead people
    • CMD could be alive!
    • DATA LEAK OVER DNS
    • Traditional data leak using DNS
      (Diagram: the bot queries DataLeakRecord1.[OUTPUT_DOMAIN], DataLeakRecord2.[OUTPUT_DOMAIN], … through a cache DNS (public or private) (1), which forwards them to the DNS Auth. of OUTPUT_DOMAIN (2).)
    • Using a DNS reflector
      (Diagram, steps 1-5: the bot; a cache DNS (public or private); a cache DNS (open emitter + cache) acting as reflector; the DNS Auth. of PUBLICATION_DOMAIN publishing Data1, Data2, … where Data1 -> DataLeakRecord1.[OUTPUT_DOMAIN]; a "Force Data Leak Upload" step using CMD; and the DNS Auth. of OUTPUT_DOMAIN receiving the leak.)
    • DNS reflector (demo)
    • Using Fast-Flux DNS reflectors
      (Diagram: same elements and steps 1-5 as the DNS reflector, with the cache DNS (open emitter + cache) as the reflector.)
    • Data Leak using NXDOMAIN responses
      – NXDOMAIN responses are cached: negative caching is useful.
      – TTL value: the SOA minimum parameter is used as the negative (NXDOMAIN) caching time (defined in RFC 2308).
      – Other queries may reuse some parts of the lookup (quick response).
    • Caching NXDOMAIN responses (I)
    • Caching NXDOMAIN responses (II)
    • Caching NXDOMAIN responses (III)
    • Data leak with "dig": RCODE, TTL, QUERY TIME
    • Leak recovery with "dig" (I): TTL < 86400, QUERY TIME < 300 msec
    • Leak recovery with "dig" (II): TTL = 86400, QUERY TIME approx. 300 msec. It is not a good method for recovery!
    • Leak recovery with "dig" (III): TTL < 86400, QUERY TIME < 300 msec
    • Leak recovery with "dig" (IV): RCODE ≠ NXDOMAIN, QUERY TIME < 300 msec. It is the preferred method for recovery!
    • Data Leak using NXDOMAIN responses
      (Diagram: (1) the bot queries dataleakrecord1.[OUTPUT_DOMAIN], … through a DNS (open emitter + cache); (2) the DNS Auth. of OUTPUT_DOMAIN answers NXDOMAIN and the response is cached; (3) recovery queries with +norecurse for a.[OUTPUT_DOMAIN], b.[OUTPUT_DOMAIN], …, z.[OUTPUT_DOMAIN], a1.[OUTPUT_DOMAIN], … and the response is inspected: RCODE? TTL value? Query time?)
    • NXDOMAIN (demo)
    • Data Leak using "nice" domains
      – There are authoritative DNS servers that simply point all unknown DNS queries to a single IP address, with a minimum TTL value on the order of 1-7 days.
      – Where can I find them? Alexa "Top Sites" (http://www.alexa.com/topsites): inbox.com, imgur.com, motherless.com, wikia.com, wikispaces.com, pbworks.com, …
    • Caching 'nice' responses (I)
    • Caching 'nice' responses (II)
    • Data Leak using 'nice' domains
      (Diagram: (1) the bot queries dataleakrecord1.[OUTPUT_DOMAIN], … through a DNS (open emitter + cache); (2) the 'nice' DNS Auth. of OUTPUT_DOMAIN answers and the response is cached; (3) recovery queries with +norecurse for a.[OUTPUT_DOMAIN], b.[OUTPUT_DOMAIN], …, z.[OUTPUT_DOMAIN], a1.[OUTPUT_DOMAIN], … and the response is inspected: ANSWER SECTION? TTL value?)
    • Conclusions: data leak
                                       Use client default   Upload queries   Expose cybercrime   Download queries   Score
                                       DNS settings         needed           infrastructure      needed             (0-10)
      Traditional DNS tunneling        YES                  2 queries/kB     YES                 -                  5
      Using Fast-Flux DNS reflectors   YES                  2 queries/kB     YES                 2 queries/kB       4
      Using NXDOMAIN response          NO                   2 queries/B      NO                  20 queries/B       2
      Using "nice" domains             NO                   2 queries/B      NO                  20 queries/B       6
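A defender-side check for the two query patterns the talk relies on (base32-split records fetched under one zone in the CMD loading step, and streams of unique NXDOMAIN names under one zone in the negative-cache leak): an added example written for this page, not code from the talk or from the Flu project. It assumes a constructed query-log format of one `client qname rcode` triple per line, scores the qname minus its leftmost label as the zone, and uses hypothetical thresholds (five distinct labels, an 80% ratio, 3 bits/char of label entropy).

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver query-log sample (not real traffic); assumed line format is
# "<client> <qname> <rcode>". cmdns.example.net imitates base32-split records being
# fetched; leak.example.com imitates one-shot NXDOMAIN beacons carrying data.
SAMPLE_LOG = """\
10.0.0.5 www.example.org NOERROR
10.0.0.5 mail.example.org NOERROR
10.0.0.9 mfrggzdfmztwq2lk.cmdns.example.net NOERROR
10.0.0.9 nbswy3dpeb3w64tmmq.cmdns.example.net NOERROR
10.0.0.9 ge2dqnrvgm2tqnzu.cmdns.example.net NOERROR
10.0.0.9 onsxg5dtmfzwk3tf.cmdns.example.net NOERROR
10.0.0.9 krugkidrovuwg2zamjzg653oebtg66bamjqw4z3h.cmdns.example.net NOERROR
10.0.0.7 a1b2c3d4e5f6.leak.example.com NXDOMAIN
10.0.0.7 f6e5d4c3b2a1.leak.example.com NXDOMAIN
10.0.0.7 0f1e2d3c4b5a.leak.example.com NXDOMAIN
10.0.0.7 9a8b7c6d5e4f.leak.example.com NXDOMAIN
10.0.0.7 4f3e2d1c0b9a.leak.example.com NXDOMAIN
"""

# Labels built only from the RFC 4648 base32 alphabet (lowercased), 16..63 chars long.
BASE32_LABEL = re.compile(r"^[a-z2-7]{16,63}$")

def shannon_entropy(s):
    """Bits per character of s; 0.0 for the empty string."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def analyse(log_text, min_unique=5, ratio=0.8, min_entropy=3.0):
    """Score each zone (qname minus its leftmost label) by the labels queried under it.
    Returns {zone: [reason, ...]} for the zones that trip a heuristic."""
    zones = defaultdict(lambda: {"labels": set(), "b32": 0, "nx": 0, "n": 0, "ent": 0.0})
    for line in log_text.splitlines():
        _client, qname, rcode = line.split()
        label, _, zone = qname.lower().rstrip(".").partition(".")
        z = zones[zone]
        z["n"] += 1
        z["labels"].add(label)
        z["ent"] += shannon_entropy(label)           # summed here, averaged below
        z["b32"] += bool(BASE32_LABEL.match(label))  # looks like a split payload record
        z["nx"] += rcode == "NXDOMAIN"
    findings = {}
    for zone, z in zones.items():
        if len(z["labels"]) < min_unique:
            continue  # too few distinct labels to judge (www/mail style traffic)
        reasons = []
        if z["b32"] / z["n"] >= ratio:
            reasons.append("base32-like labels: split-record download or tunnel")
        if z["nx"] / z["n"] >= ratio and z["ent"] / z["n"] >= min_entropy:
            reasons.append("high-entropy NXDOMAIN stream: negative-cache leak pattern")
        if reasons:
            findings[zone] = reasons
    return findings
```

Run against a real resolver log, replace the two-label `zone` split with a public-suffix lookup and tune the thresholds to your own baseline; the entropy test is what keeps ordinary short hostnames out of the second rule.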
    • ToDo: Improvement++
      – Data Leak using 'nice' domains. But remembering that: must use client default DNS settings.
      – Maybe can use third-party resources … (once again): use misconfigured DNS (proxy DNS, cache DNS, authoritative server, …), e.g. must ignore the "+norecurse" flag, "minimal-response" configured, etc.
      – Result: untraceable data leaks.
    • Harder than finding a needle in a haystack!
    • Are we infected? LABORATORY
    • Making the lab
      – We need a "real" threat…
      – But we are "ethical"…
      – And we are not developers… Searching…
    • And the winner is… Flu
      – Written in C# and PHP
      – GNU/GPL
      – Geared to build botnets
      – HTTP communication
    • How Flu works
      – The Flu server shares an XML commands file.
      – Infected hosts get the XML file through an HTTP request.
      (Diagram: Flu SERVER --HTTP--> Flu Infected Host)
    • Flu and CMD
      – We use CMD to distribute the XML commands file.
      – Our dream: Flu becomes a stateless Trojan.
      – Then we'll have a stateless-Trojan-GPL botnet.
      – HTTP/TCP vs DNS/UDP: 1 GET, 11 pkts., 1 conn. vs 1 query, 2 pkts., 0 conn.
      (Diagram: Flu DNS -> Open Emitter DNS -> Flu Infected Host)
    • Flu and CMD: Server
      – PHP 5.3.0 or higher required.
      – Three steps: 1. domain.db file create (external lib: Tar.php). 2. Load XML file into DNS server (native lib). 3. Download data from infected host (native lib).
    • Flu and CMD: 3rd Party (Open Emitter)
      – ISC Bind
      – FreeDNS.afraid.org
      – HE free DNS service
      – Misconfigured DNS server.
    • Flu and CMD: Client
      – We use the ARSoft.Tools.Net library.
      – Without GUI changes: we use domainload for the data leak; we use domaindownload to get the XML file.
    • Flu and CMD: How it works (I): XML2DNS, LOADXML, DOWNLOADXML
      (Diagram: Flu DNS -> Open Emitter DNS -> Flu Infected Host)
    • Flu and CMD: How it works (II)
      1. How does Flu call back? NXDOMAIN can: track new bots. NXDOMAIN can't: send huge files.
      2. Then… we need to expose the DNS server.
      (Diagram 1: Flu DNS C&C <-> Open Emitter DNS <-> Flu Infected Host, NXDOMAIN query answered NOERROR. Diagram 2: Flu DNS <-> Cache DNS <-> Flu Infected Host.)
    • Flu and CMD: Demo
    • Conclusions
      – DNS is a botnet dialect… One year ago DNS was a possibility; today it could be a real threat.
      – Data leak using DNS needs an improvement… but we are a work in progress.
      – Malware needs to communicate undetected, and IDS wants to detect malware. Both must be looking at the same thing… DNS.
      – Don't forget the DNS protocol.
    • Questions? Who invented the rootedcon? Perez the mouse / Rootedcon is your parents / Santa / Three Magic Kings
    • References
      – http://code.kryo.se/iodine/
      – http://dns.measurement-factory.com/
      – http://darkwing.uoregon.edu/~joe/secprof10-dns/secprof10-dns.pdf
      – http://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Kaminsky.pdf
      – http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-kaminsky/bh-us-04-kaminsky.ppt
      – http://www.pcworld.com/article/220024/feds_accidentally_seize_84000_innocent_domains_link_them_with_child_porn.html
      – http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf
      – http://www.secdev.org/projects/scapy/
      – https://www.isc.org/software/bind/documentation/arm95#man.dig
      – http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl
      – http://hakin9.org/magazine/1652-mobile-malware-the-new-cyber-threat
      – http://www.ietf.org/rfc/rfc{1033,1034,1035,1183,2181}.txt
      – http://tools.ietf.org/id/draft-cmd-prevent-malware-dns-distribute-00.txt
      – http://www.wombat-project.eu/
      – http://exposure.iseclab.org/index.html
      – https://dnsdb.isc.org/#Home
      – http://www.webboar.com
      – https://dns.he.net/
      – http://www.flu-project.com/
      – http://arsofttoolsnet.codeplex.com/
    • Thanks for your time! @{Hlexpired,ffranz} {charlie,fran}@tid.es