Day 2 Dns Cert 4c Malicious Use


Published on

Presentation by ICANN

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Day 2 Dns Cert 4c Malicious Use

  1. 1. DNS Security for CERTs - Attack Scenarios & Demonstrations – Malicious Use Chris Evans Delta Risk, LLC 7 March 2010 1
  2. 2. What You Will Need for the Exercises • Your Windows Terminal Server – From Windows, Run ‘mstsc’ – From MAC, please download the Terminal Server Client from the wiki – Run the DNS-Bot.vbs file when instructed – Open a command prompt, and run cscript.exe c:/users/studentX/Desktop/DNS-Bot.vbs – Don’t forget – X is your student number 2
  3. 3. Description – Malicious Use • Using the DNS to propagate malware or conduct attacks in a malicious manner, yet consistent with the DNS protocols – BotNet Command & Control (indirect) – Amplification Attacks (direct) • These attacks do not necessarily target DNS servers – rather, they use your servers to conduct an attack elsewhere NS Victim 3
  4. 4. Case Study – Conficker • Conficker - the Conficker worm appeared in late 2008, with most of the attention starting in Jan/Feb of 2009. – The worm used pseudo-randomly generated domains from several top level domains (ccTLDs included) as its command and control points. – The worm would contact servers on these random domains for instructions. 4
  5. 5. Case Study – Conficker • The Conficker Working Group (Conficker Cabal) was started to address response actions to the worm – Comprised of businesses, DNS operations, Internet organizations, and security researchers – Requested top level organizations with suspected domain names involved in Conficker to register them in hopes of preempting Conficker activity • Conficker mutated to thwart activity of the Working Group and started using P2P methods vs. DNS How Should a ccTLD React to a Request to Register (at no cost) Hundreds of Domain Names to Prevent Malicious Activity? 5
  6. 6. Attack Demonstration • The “DNS Bot” receives its instructions and sends information back to the hacker via DNS Caching Server NS Run Command & Post Results Rogue Server Double-click Remember, the bot won’t do DNS-Bot.vbs anything malicious! 6
  7. 7. Demonstration – Attacker View • Rogue DNS Bind File & Web Post Directory 7
  8. 8. Demonstration – Server View 8
  9. 9. Demonstration – User View • Please run your bot now – Open a command prompt and run the command: cscript.exe c:/users/studentX/Desktop/DNS-Bot.vbs • wireshark view 9
  10. 10. Demonstration – User View • If you’d like to start Wireshark… – Double click icon on desktop – Select Options from Capture Menu – In “capture filter” type port 53 – Click “Start” 10
  11. 11. Demonstration – User View Encoded Data Sent to DNS Server 11
  12. 12. Demonstration – User View • The bot will periodically request instructions over DNS from a rogue DNS server ( – Can you find the rogue DNS server with wireshark or DNS tools? • The bot will execute the instructions: – Wait, Download a File, Run a Command & Post Results, Quit – Can you “reverse engineer” the instructions? – Can you see what is being posted? 12
  13. 13. Impact • DNS resources used for malicious purposes • Possible brand or reputation loss due to apparent attacks originating from servers • Widespread bot proliferation 13
  14. 14. Mitigation & Response Strategies • Domain “Blackholes” – but only if domains don’t change rapidly – you have to keep up! • Strengthen registrant information validation • Develop policies for determining what’s malicious • Add detection mechanisms for malicious use – Host based (Antivirus, patching, etc) – Network based (traffic & domain analysis) • Develop policies for domain takedown • Develop cooperative agreements with other registries, CERTs, law enforcement, and security organizations to address malicious use scenarios 14
  15. 15. Questions? ? 15