Day 2 Dns Cert 4c Malicious Use

Presentation by ICANN

  • 1. DNS Security for CERTs - Attack Scenarios & Demonstrations – Malicious Use
    Chris Evans, Delta Risk, LLC, 7 March 2010

  • 2. What You Will Need for the Exercises
    • Your Windows Terminal Server
      – From Windows, run ‘mstsc’
      – From Mac, please download the Terminal Server Client from the wiki
      – Run the DNS-Bot.vbs file when instructed
      – Open a command prompt, and run cscript.exe c:/users/studentX/Desktop/DNS-Bot.vbs
      – Don’t forget – X is your student number

  • 3. Description – Malicious Use
    • Using the DNS to propagate malware or conduct attacks in a malicious manner, yet consistent with the DNS protocols
      – BotNet Command & Control (indirect)
      – Amplification Attacks (direct)
    • These attacks do not necessarily target DNS servers – rather, they use your servers to conduct an attack elsewhere
    [Diagram: NS → Victim]

  • 4. Case Study – Conficker
    • Conficker - the Conficker worm appeared in late 2008, with most of the attention starting in Jan/Feb of 2009.
      – The worm used pseudo-randomly generated domains from several top level domains (ccTLDs included) as its command and control points.
      – The worm would contact servers on these random domains for instructions.

  • 5. Case Study – Conficker
    • The Conficker Working Group (Conficker Cabal) was started to address response actions to the worm
      – Comprised of businesses, DNS operations, Internet organizations, and security researchers
      – Requested top level organizations with suspected domain names involved in Conficker to register them in hopes of preempting Conficker activity
    • Conficker mutated to thwart activity of the Working Group and started using P2P methods vs. DNS
    How Should a ccTLD React to a Request to Register (at no cost) Hundreds of Domain Names to Prevent Malicious Activity?

  • 6. Attack Demonstration
    • The “DNS Bot” receives its instructions and sends information back to the hacker via DNS
    [Diagram: Caching Server → NS → Rogue Server; labels “Run Command & Post Results” and “Double-click DNS-Bot.vbs”]
    Remember, the bot won’t do anything malicious!

  • 7. Demonstration – Attacker View
    • Rogue DNS Bind File & Web Post Directory

  • 8. Demonstration – Server View

  • 9. Demonstration – User View
    • Please run your bot now
      – Open a command prompt and run the command: cscript.exe c:/users/studentX/Desktop/DNS-Bot.vbs
    [Screenshot: Wireshark view]

  • 10. Demonstration – User View
    • If you’d like to start Wireshark…
      – Double click icon on desktop
      – Select Options from Capture Menu
      – In “capture filter” type port 53
      – Click “Start”

  • 11. Demonstration – User View
    [Screenshot: Encoded Data Sent to DNS Server]

  • 12. Demonstration – User View
    • The bot will periodically request instructions over DNS from a rogue DNS server (
      – Can you find the rogue DNS server with Wireshark or DNS tools?
    • The bot will execute the instructions:
      – Wait, Download a File, Run a Command & Post Results, Quit
      – Can you “reverse engineer” the instructions?
      – Can you see what is being posted?

  • 13. Impact
    • DNS resources used for malicious purposes
    • Possible brand or reputation loss due to apparent attacks originating from servers
    • Widespread bot proliferation

  • 14. Mitigation & Response Strategies
    • Domain “Blackholes” – but only if domains don’t change rapidly – you have to keep up!
    • Strengthen registrant information validation
    • Develop policies for determining what’s malicious
    • Add detection mechanisms for malicious use
      – Host based (Antivirus, patching, etc.)
      – Network based (traffic & domain analysis)
    • Develop policies for domain takedown
    • Develop cooperative agreements with other registries, CERTs, law enforcement, and security organizations to address malicious use scenarios

  • 15. Questions?
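As an added example (not code from the ICANN deck or from the exercise bot), here is the “network based traffic & domain analysis” item applied to resolver query logs: the script groups BIND-style query-log lines by parent zone and flags zones whose leftmost labels are long and high-entropy, which is what encoded data carried in query names (the traffic shown in the Wireshark view) looks like from the server side. The log lines and the zone name c2-demo.example are constructed, and the length and entropy thresholds are assumptions to be tuned per resolver.

```python
import math
import re
from collections import defaultdict

# Constructed sample lines in BIND query-log style (not a capture from the exercise).
# c2-demo.example stands in for the rogue zone; the leftmost labels are hex-encoded data.
SAMPLE_LOG = """\
07-Mar-2010 10:00:01.101 client 192.0.2.10#53421: query: www.example.org IN A + (192.0.2.53)
07-Mar-2010 10:00:02.204 client 192.0.2.10#53422: query: mail.example.org IN MX + (192.0.2.53)
07-Mar-2010 10:00:03.310 client 192.0.2.10#53423: query: 6a6f686e2d646f652d686f7374.c2-demo.example IN TXT + (192.0.2.53)
07-Mar-2010 10:00:08.315 client 192.0.2.10#53424: query: 77696e646f77732d78702d737031.c2-demo.example IN TXT + (192.0.2.53)
07-Mar-2010 10:00:13.320 client 192.0.2.10#53425: query: 727573756c743a6f6b2d313233.c2-demo.example IN TXT + (192.0.2.53)
07-Mar-2010 10:00:18.325 client 192.0.2.10#53426: query: 636d643a77616974.c2-demo.example IN TXT + (192.0.2.53)
"""
QUERY_RE = re.compile(r"query: (?P<name>\S+) IN (?P<type>\S+)")

def entropy(s):
    """Shannon entropy of s in bits per character (0.0 for a repeated single symbol)."""
    counts = defaultdict(int)
    for ch in s.lower():
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def split_name(name):
    """Return (leftmost label, parent zone); assumes the zone is the last two labels."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return labels[0], ".".join(labels[-2:])

def suspicious_zones(log_text, min_labels=3, min_label_len=12, min_entropy=2.5):
    """Group queries by parent zone; flag zones whose leftmost labels look like encoded data."""
    per_zone = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            label, zone = split_name(m.group("name"))
            if label:
                per_zone[zone].append((label, m.group("type")))
    flagged = {}
    for zone, entries in per_zone.items():
        labels = {lbl for lbl, _ in entries}
        avg_len = sum(len(l) for l in labels) / len(labels)
        avg_ent = sum(entropy(l) for l in labels) / len(labels)
        if len(labels) >= min_labels and avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged[zone] = {"queries": len(entries), "distinct_labels": len(labels),
                             "avg_label_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2),
                             "txt_share": round(sum(t == "TXT" for _, t in entries) / len(entries), 2)}
    return flagged
```

A flagged zone is a lead for the domain-analysis and takedown steps, not proof on its own; the regular polling interval visible in the timestamps is a second signal worth adding.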