Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon 2015 Presentation
OpenDNS Labs presentation from ShmooCon 2015.

Slide 1. Infrastructure Tracking with Passive Monitoring and Active Probing
Anthony Kasza, Dhia Mahjoub
January 18th, 2015

Slide 2. (e-mail sent to a registrar, November 11, 2014)
Hello,
I am a security researcher at OpenDNS. I have been tracking the movements of the Gameover Zeus (GOZ) botnet. Your registrar has been used to register domains used for command and control communications between the operators of this botnet and compromised hosts. Are you able to collaborate in tracking and shutting down these domains?
-AK

Slide 3. Registrar Abuse Desk Response Times
Webfusion: 1hr 44mins
Enom: 2hrs 36mins
Namesilo: 21hours 27mins
Bigrock Solutions: 2days 1hr 20mins
TodayNic: 1 week
101 Domain: -
Active Registrar: -
Melbourne IT DBA Internet Names Worldwide: -
The Registry at Info Avenue: -
Turncommerce DBA Namebright: -

Slide 4. Speakers
@dhialite, Senior Security Researcher: DNS, networks, data analysis, threat detection, graphs
@anthonykasza, Security Researcher: DNS, network protocols, threat detection, Bro IDS, github.com/anthonykasza

Slide 5. Agenda
Importance of Threat Intelligence
Active Probing
Passive Monitoring
Fastflux Case Study: Zbot Tracking System Overview
DGA Case Study: newGOZ Tracking System Overview
Conclusion
Slide 6. OpenDNS' world network (map figure)

Slide 7. Types of DNS traffic
(figure: stub clients -> recursive name servers -> authoritative name servers: root, tld, domain.tld)
~2 TB of query logs per day, compressed
Slide 8. Threat Intelligence
Relevant, timely, and useful information that helps take action (strategic, or tactical)
Examples of tactical actions (not an exhaustive list):
-Blocking known malicious domains, IPs
-Preemptively block suspicious domains, IPs
-Further investigate domain patterns, IP infrastructure
-Further investigate malware samples, anomalous traffic patterns

Slide 9. Network Intelligence Collection Techniques

Slide 10. Active Probing

Slide 11. Active Probing
Current state, RIGHT NOW: the thing being investigated, and the thing's neighbors
Direct - touch the thing being investigated
Indirect - ask around about the thing
Slide 12. Active Probing: Direct
-Port scan, service banner grabs (shodan/nmap/masscan)
 e.g. hosts serving Angler EK that share an identical server setup
-Collect content (http/ftp)
 noisy: it is detectable, and the target can block by source IP or return misleading content
Example banner grab:
 64.251.7.239 - 64.251.7.241
 22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
 80/tcp open http nginx 1.6.2
Slide 13. Active Probing: Indirect
DNS: domain to IP, domain to name server, name server to IP
BGP and IP whois: IP's ASN and upstream ASNs, explore sibling ASNs, hosting provider
Domain whois: domain, authoritative name server domain, registrar, registrant, created/updated/expire times

Slide 14. Active Probing: Indirect
Query for DNS records
-Domain to IP
-Domain to Name server
-Name server to IP
Can be considered direct (i.e. noisy, and may trigger alerts) if the authoritative name servers are operated by the same bad actors
Scalable tools: adns http://www.gnu.org/software/adns/ ; Massresolver https://github.com/jedisct1/massresolver

Slide 15. Active Probing: Indirect
Query for BGP and IP whois data
-IP to ASN: Team Cymru, or routeviews + PyASN
-Upstream and sibling ASNs (SPN concept, BlackHat 2014)
-Hosting provider: rogue, lax or abused, e.g.
 http://www.serverpronto.com/ (US)
 https://king-servers.com (Russia)
 http://www.mach9servers.com/ (US)
 https://www.bacloud.com (Lithuania)
 http://www.qhoster.bg/ (Bulgaria; reseller, registers domains and provides hosting)
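Added example, not from the slides: the "routeviews + PyASN" step of slide 15 done offline, i.e. longest-prefix match of an IP against a snapshot of announced prefixes, then grouping probed IPs by origin ASN so clusters on one ASN stand out. The prefix table and the probed IPs are constructed for illustration and use documentation ranges and private-use ASNs (64496 and up); a real run would load a RouteViews or Team Cymru snapshot.

```python
# Added example (not from the slides): offline IP-to-ASN mapping by
# longest-prefix match over a routing-table snapshot, then IPs grouped by ASN.
# ROUTES is constructed: documentation prefixes, private-use ASNs.
import ipaddress
from collections import defaultdict

# (prefix, origin ASN) pairs, as a RIB snapshot would provide them
ROUTES = [
    ("198.51.100.0/24", 64496),
    ("198.51.100.128/25", 64497),   # more specific than the /24 above
    ("203.0.113.0/24", 64498),
    ("192.0.2.0/24", 64499),
]

def build_table(routes):
    """Index prefixes by prefix length, longest lengths first."""
    table = defaultdict(dict)
    for prefix, asn in routes:
        net = ipaddress.ip_network(prefix)
        table[net.prefixlen][net] = asn
    return dict(sorted(table.items(), reverse=True))

def lookup_asn(table, ip):
    """Return the origin ASN of the longest matching prefix, or None if unrouted."""
    addr = ipaddress.ip_address(ip)
    for plen, nets in table.items():   # tries /25 before /24, and so on
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        if net in nets:
            return nets[net]
    return None

def group_by_asn(table, ips):
    """Map each ASN to the probed IPs it originates (None = no route)."""
    groups = defaultdict(list)
    for ip in ips:
        groups[lookup_asn(table, ip)].append(ip)
    return dict(groups)

if __name__ == "__main__":
    table = build_table(ROUTES)
    # constructed list of IPs gathered by direct probing
    probed = ["198.51.100.5", "198.51.100.200", "198.51.100.201", "8.8.8.8"]
    for asn, ips in group_by_asn(table, probed).items():
        print(asn, ips)
```

The prefix-length index keeps the lookup a handful of dictionary hits per IP, which is what makes sweeping tens of thousands of probed IPs cheap; the point of grouping is that an ASN whose IPs keep showing up across unrelated seeds is a candidate for the sibling-ASN exploration the slide mentions.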
Slide 16. Active Probing: Indirect (figure)

Slide 17. Active Probing: Indirect
Both ranges belong to Serverpronto, hosting subdomains injected under compromised GoDaddy domains to serve EK
 64.251.7.239 - 64.251.7.241
 22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
 80/tcp open http nginx 1.6.2
 64.251.22.201 - 64.251.22.207
 22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u1 (protocol 2.0)
 80/tcp open http nginx 1.2.1
 111/tcp open rpcbind 2-4 (RPC #100000)
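Added example, not from the slides: the "identical server setup" pivot of slides 12 and 17 as code. It parses nmap-style banner output, turns each host's open ports and versions into a fingerprint, clusters hosts with identical fingerprints and collapses each cluster into contiguous ranges. The scan listing is constructed: the two banner sets are the ones on slide 17, but only a few of the addresses are included and the lone 203.0.113.9 host is invented.

```python
# Added example (not from the slides): cluster scanned hosts by identical
# service fingerprint. SCAN_OUTPUT is a constructed nmap-style listing.
import ipaddress
import re
from collections import defaultdict

SCAN_OUTPUT = """\
Nmap scan report for 64.251.7.239
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
80/tcp open http nginx 1.6.2
Nmap scan report for 64.251.7.240
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
80/tcp open http nginx 1.6.2
Nmap scan report for 64.251.7.241
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
80/tcp open http nginx 1.6.2
Nmap scan report for 64.251.22.201
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u1 (protocol 2.0)
80/tcp open http nginx 1.2.1
111/tcp open rpcbind 2-4 (RPC #100000)
Nmap scan report for 64.251.22.207
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u1 (protocol 2.0)
80/tcp open http nginx 1.2.1
111/tcp open rpcbind 2-4 (RPC #100000)
Nmap scan report for 203.0.113.9
80/tcp open http nginx 1.6.2
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

def parse_scan(text):
    """Return {ip: ((port, proto, service, version), ...)} with ports sorted."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, service, version = m.groups()
            hosts[current].append((int(port), proto, service, version.strip()))
    return {ip: tuple(sorted(ports)) for ip, ports in hosts.items()}

def cluster_by_fingerprint(hosts):
    """Group IPs whose complete open-port/banner set is identical."""
    clusters = defaultdict(list)
    for ip, fp in hosts.items():
        clusters[fp].append(ip)
    return {fp: sorted(ips, key=ipaddress.ip_address) for fp, ips in clusters.items()}

def contiguous_ranges(ips):
    """Collapse a sorted IP list into (first, last) runs of consecutive addresses."""
    ranges = []
    for ip in map(ipaddress.ip_address, ips):
        if ranges and ip == ranges[-1][1] + 1:
            ranges[-1][1] = ip
        else:
            ranges.append([ip, ip])
    return [(str(a), str(b)) for a, b in ranges]

def shared_setup_groups(text, min_hosts=2):
    """Fingerprints shared by at least min_hosts hosts, each as contiguous ranges."""
    clusters = cluster_by_fingerprint(parse_scan(text))
    return [(fp, contiguous_ranges(ips)) for fp, ips in clusters.items() if len(ips) >= min_hosts]

if __name__ == "__main__":
    for fp, ranges in shared_setup_groups(SCAN_OUTPUT):
        print(ranges, [f"{p}/{pr} {s} {v}" for p, pr, s, v in fp])
```

Exact-match fingerprints are deliberately strict: one extra port on a host splits it out of the cluster, which is what you want when the goal is "same operator, same build image" rather than "same web server".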
Slides 18-20. Active Probing: Indirect (figures)

Slide 21. Active Probing: Indirect
All SPN ASNs except one have a downstream adjacent ASN:
-AS47145: compromised IPs hosting zbot FF CnC domains
-AS44668: compromised IPs hosting zbot FF CnC domains
-AS196860: compromised IPs hosting zbot FF CnC domains

Slide 22. Active Probing: Indirect
Domain whois
-Domain, authoritative name server domain, registrar, registrant, created/updated/expire times
Problems: daily changes are often too coarse; client-provided information isn't always accurate
Tools: whois client, scraping web-based whois sites, commercial offerings

Slide 23. Domain Registration Terms
(figure: Registrants -> Reseller -> Registrar -> Registry; NS RRs and contact info flow through the chain)
Slide 24. Passive Monitoring

Slide 25. Passive Monitoring
Previous state of things, or patterns derived from behavior monitoring
Passive DNS reconstruction: pivot from a seed
 domain -> IP -> domain
 domain -> nameserver -> domain
Correlation via registrant email -> reliable in specific cases
Client query patterns: domain lexical analysis, query spikes, query co-occurrences
Correlation via malware samples, domain, IP artifacts
Application layer data (sinkhole)

Slide 26. Combination of interchangeable models
FF model, sample network report, DGA model, traffic pattern model, any others
Pivot around artifacts (domain, IP, sample features, traffic features, co-occurrences, etc.)
Apply filtering heuristics to remove FPs (traffic pattern, lexical features, etc.)
New domains and IPs can feed back into the loop
Slide 27. Passive DNS reconstruction: pivot from a seed
(figure: seed domains -> IPs -> further domains)

Slide 28. Passive DNS reconstruction: pivot from a seed
(figure: seed domains -> name servers -> further domains)
Slide 29. Correlation via registrant email
Domain detected by traffic or malware analysis -> get registrant email -> extract all domains registered by the same email -> apply filtering heuristics to remove FPs (traffic, subdomains, resolution, url patterns, etc.)

Slide 30. Correlation via registrant email
-Effective for compromised domains registered by the same registrant email, injected with subdomains for EK, browlock, etc. (e.g. GoDaddy compromised domains)
-Effective for dedicated malware CnC domains, e.g. GOZ, zbot, Tinba (the.malware.cabal@gmail.com)
Slide 31. Client query patterns
(figure: client IPs -> domains looked up within a time window)

Slide 32. Client query patterns: co-occurring domains
• Temporal proximity of domain lookups
• Bipartite graph of client IPs to domains during a short time window
• Consider both resolving queries and nxdomains
• Use cases of interest:
 - botnet CnC domains, especially DGAs
 - domains sharing the same theme or campaign, e.g. carding sites, click-fraud, etc.
 - compromised sites leading to EK or malware domains

Slide 33. Client query patterns
Pivot from seed sites, e.g. a seed list of carding sites (monitoring during the Target breach):
carderprofit.cc, carder.su, cardersunion.net, cardingworld.cc, cclub.bz, cclub.su, clubr.ru, crdclub.ws, darkmarket.ws, dumps4you.cc, infraud.su, jworldtopcc.su, lampeduza.so, proclub.ws, prov.cc, unclesam.vc, validcc.su, verified.ms, vpro.su
Heuristics:
 Domain -> hosting IP -> Domain
 Domain -> client IP -> Domain (co-occurring domains)
 Domain -> name server -> Domain
 + filtering heuristics to remove FPs
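Added example, not from the slides: the client-IP-to-domain co-occurrence of slides 31-33 run over resolver query logs. For a seed domain it finds domains the same client looked up within a time window, counts distinct clients per candidate, keeps NXDOMAIN answers (a DGA client mostly gets those) and drops domains queried by a large share of all clients, the CDN/ad-network false positive the slides mention. The log lines and every domain name in them are constructed; they are not the carding sites listed on the slide.

```python
# Added example (not from the slides): domain co-occurrence from query logs.
# LOG is constructed: (unix time, client IP, queried domain, rcode).
from collections import defaultdict

LOG = [
    (1000, "10.0.0.1", "seed-carder.example", "NOERROR"),
    (1002, "10.0.0.1", "cdn.example", "NOERROR"),
    (1003, "10.0.0.1", "shop-a.example", "NOERROR"),
    (1005, "10.0.0.1", "nx-cnc.example", "NXDOMAIN"),
    (1200, "10.0.0.1", "news.example", "NOERROR"),      # too far from the seed lookup
    (2000, "10.0.0.2", "seed-carder.example", "NOERROR"),
    (2002, "10.0.0.2", "shop-a.example", "NOERROR"),
    (2003, "10.0.0.2", "cdn.example", "NOERROR"),
    (2004, "10.0.0.2", "nx-cnc.example", "NXDOMAIN"),
    (3000, "10.0.0.3", "seed-carder.example", "NOERROR"),
    (3010, "10.0.0.3", "shop-a.example", "NOERROR"),
    (3500, "10.0.0.4", "cdn.example", "NOERROR"),       # clients 4-6 never query the seed
    (3600, "10.0.0.5", "cdn.example", "NOERROR"),
    (3700, "10.0.0.6", "cdn.example", "NOERROR"),
]

def cooccurring_domains(log, seed, window, min_clients=2, max_popularity=0.5):
    """Domains looked up within `window` seconds of `seed` by the same client.

    Returns {domain: number of distinct clients}. A candidate needs at least
    min_clients clients; a domain queried by more than max_popularity of all
    clients in the log (CDNs, ad networks) is dropped as a false positive.
    NXDOMAIN answers are kept on purpose.
    """
    by_client = defaultdict(list)
    clients_per_domain = defaultdict(set)
    for ts, client, domain, _rcode in log:
        by_client[client].append((ts, domain))
        clients_per_domain[domain].add(client)
    total_clients = len(by_client)

    hits = defaultdict(set)
    for client, events in by_client.items():
        seed_times = [ts for ts, d in events if d == seed]
        if not seed_times:
            continue
        for ts, domain in events:
            if domain != seed and any(abs(ts - st) <= window for st in seed_times):
                hits[domain].add(client)

    return {
        d: len(c) for d, c in hits.items()
        if len(c) >= min_clients
        and len(clients_per_domain[d]) / total_clients <= max_popularity
    }

if __name__ == "__main__":
    print(cooccurring_domains(LOG, "seed-carder.example", window=60))
```

On real resolver volumes the popularity cut-off is the filter that matters most: without it the top co-occurring domains for any seed are the usual CDNs and telemetry hosts, and the ratio should be tuned per data set rather than fixed at 0.5.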
Slide 34. Client query patterns (figure)

Slide 35. Client query patterns
Some extra carding and stolen credentials sites discovered (there are a lot more):
prvtzone.cc, best4best.su, cardrockcafe.so, cardrockcafe.cc, cvv.me, d4rksys.cc, ssndob.cc, ssndob.so, torcvv.cc, darkmoney.cc, vini.cc, uniccshop.ru

Slides 36-38. Client query patterns (figures)

Slide 39. Correlation via malware network artifacts
Domain detected by traffic monitoring (FF, DGA, other models) -> get malware sample analysis report -> extract queried domains from the network traffic report -> apply filtering heuristics to remove FPs (traffic, subdomains, resolution, etc.)

Slide 40. Correlation via malware network artifacts
Some filtering heuristics:
-Similar traffic patterns (e.g. spikes or shape of traffic curve)
-Similar domain lexical features
-Similar subdomain and hosting IP patterns
-Similar website content
-Similar url patterns (3rd party analysis report, sinkhole, own sandbox)
Open sources for analysis reports: VirusTotal, totalhash, malwr, ThreatExpert, Sophos and Microsoft threat reports

Slide 41. Web-scraping malware samples & reports
Sources:
-VT, totalhash, malwr, ThreatExpert, Sophos and Microsoft threat reports
-Use the commercial version
-Scrape online reports using free open proxies to prevent throttling or blocking of your source IP

Slide 42. Application layer data (sinkhole)
-This could arguably be active...
-Application layer data validation
-Get url patterns for sinkholed domains
-Or get urls from VirusTotal, totalhash reports, etc.
-Use ET signatures to match against traffic

Slide 43. Other sources of Intel
-Good old google, other search engines
-Reliable friends, colleagues
-The infosec community
Automation, scale and accuracy are crucial, plus human validation

Slide 44. Fast flux case study: Zbot proxy network
Slide 45. Fastflux definition
• DNS-based redundancy/evasion technique
• Fast flux domain resolves to many IPs, many ASNs, many CCs, relatively low TTL
• Fast flux domain resolves to 1 IP with TTL=0
• Ex: Trojan CnCs, spam, scam, pharmacy, dating domains
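Added example, not from the slides: the four fast-flux traits on slide 45 (many IPs, many ASNs, many countries, low TTL) turned into per-domain features and a threshold check, with a CDN-like domain included to show why IP count alone is not enough. The passive-DNS records and the IP-to-ASN/country table are constructed; in a real pipeline the enrichment comes from a BGP snapshot and a geolocation database.

```python
# Added example (not from the slides): score resolution history against the
# fast-flux traits of slide 45. RECORDS and ENRICH are constructed.

# passive-DNS style records: (domain, ip, ttl)
RECORDS = [
    ("flux.example", "198.51.100.10", 150), ("flux.example", "203.0.113.22", 150),
    ("flux.example", "192.0.2.33", 150), ("flux.example", "198.51.100.77", 150),
    ("flux.example", "203.0.113.90", 150), ("flux.example", "192.0.2.8", 150),
    ("static.example", "192.0.2.50", 3600),
    ("cdn.example", "192.0.2.60", 60), ("cdn.example", "192.0.2.61", 60),
]
# enrichment stand-in: ip -> (origin ASN, country code)
ENRICH = {
    "198.51.100.10": (64496, "US"), "198.51.100.77": (64496, "US"),
    "203.0.113.22": (64497, "RU"), "203.0.113.90": (64498, "DE"),
    "192.0.2.33": (64499, "TR"), "192.0.2.8": (64500, "BR"),
    "192.0.2.50": (64499, "TR"), "192.0.2.60": (64501, "US"), "192.0.2.61": (64501, "US"),
}

def flux_features(records, enrich, domain):
    """Distinct IPs, ASNs and countries plus the lowest TTL seen for a domain."""
    ips = {ip for d, ip, _ in records if d == domain}
    ttls = [ttl for d, _, ttl in records if d == domain]
    return {
        "ips": len(ips),
        "asns": len({enrich[ip][0] for ip in ips}),
        "countries": len({enrich[ip][1] for ip in ips}),
        "min_ttl": min(ttls) if ttls else None,
    }

def is_fast_flux(feat, min_ips=5, min_asns=3, min_countries=3, max_ttl=300):
    """All traits must hold: a CDN has many IPs and a low TTL but few ASNs/countries."""
    return (feat["min_ttl"] is not None and feat["min_ttl"] <= max_ttl
            and feat["ips"] >= min_ips and feat["asns"] >= min_asns
            and feat["countries"] >= min_countries)

def fast_flux_domains(records, enrich):
    """Every domain in the record set that passes the check, sorted."""
    domains = {d for d, _, _ in records}
    return sorted(d for d in domains if is_fast_flux(flux_features(records, enrich, d)))

if __name__ == "__main__":
    for d in ("flux.example", "cdn.example", "static.example"):
        print(d, flux_features(RECORDS, ENRICH, d))
    print(fast_flux_domains(RECORDS, ENRICH))
```

The thresholds are starting points, not a model: the proxy network on the following slides is recognised by one exact TTL value, which is a much sharper filter than "relatively low TTL" once you know the actor's habits.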
Slide 46. Zbot CnCs Monitoring System
(1) Initial list of zbot fast flux domains
(2) Get IP, TTL via direct lookup into DNSDB
(3) Extract IPs s.t. TTL=150
(4) Get domains from IPs via inverse lookup
(5) Add domains from (4) to list (1)
(6) Extract IPs s.t. TTL=150
(7) Add IPs from (6) to the list of zbot proxy network IPs
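Added example, not from the slides: the passive-DNS pivots of slides 25-28 (domain -> IP -> domain and domain -> name server -> domain) run as the iterative loop of slide 46, with the TTL=150 rule as the membership test and a degree cap so that a shared-hosting IP with many unrelated domains is not pivoted through. The passive-DNS A and NS records are constructed; a real run reads them from DNSDB.

```python
# Added example (not from the slides): seed expansion over passive DNS with
# a TTL filter and a shared-hosting cap. PDNS_A and PDNS_NS are constructed.
from collections import defaultdict

# A records: (domain, ip, ttl)
PDNS_A = [
    ("seed1.example", "198.51.100.10", 150),
    ("seed1.example", "198.51.100.11", 150),
    ("seed1.example", "203.0.113.5", 150),
    ("hop1.example", "198.51.100.11", 150),
    ("hop1.example", "198.51.100.12", 150),
    ("hop2.example", "198.51.100.12", 150),
    ("hop2.example", "192.0.2.9", 150),
    ("legit.example", "198.51.100.10", 3600),    # shares an IP but the wrong TTL
    ("legit.example", "192.0.2.40", 3600),
    ("victim1.example", "203.0.113.5", 150),     # 203.0.113.5 hosts many domains
    ("victim2.example", "203.0.113.5", 150),
    ("victim3.example", "203.0.113.5", 150),
    ("victim4.example", "203.0.113.5", 150),
]
# NS records: (domain, name server)
PDNS_NS = [
    ("seed1.example", "ns1.evil-ns.example"),
    ("hop1.example", "ns1.evil-ns.example"),
    ("ns-hop.example", "ns1.evil-ns.example"),
    ("legit.example", "ns1.registrar.example"),
]

def index(pairs):
    """Forward and reverse maps for a list of (key, value) pairs."""
    fwd, rev = defaultdict(set), defaultdict(set)
    for key, value in pairs:
        fwd[key].add(value)
        rev[value].add(key)
    return fwd, rev

def expand(seeds, pdns_a, pdns_ns, ttl=150, max_domains_per_ip=3, rounds=10):
    """Grow the seed set to a fixpoint; returns (domains, proxy_ips).

    Only A records with the proxy network's TTL count. An IP with more than
    max_domains_per_ip domains is kept as a proxy IP (the seed did resolve to
    it) but not pivoted through, since it is probably shared hosting.
    """
    d2ip, ip2d = index([(d, ip) for d, ip, t in pdns_a if t == ttl])
    d2ns, ns2d = index(pdns_ns)
    domains, ips = set(seeds), set()
    for _ in range(rounds):
        ips |= {ip for d in domains for ip in d2ip[d]}
        new_domains = set()
        for ip in ips:
            if len(ip2d[ip]) <= max_domains_per_ip:
                new_domains |= ip2d[ip]
        for d in list(domains):
            for ns in d2ns[d]:
                new_domains |= ns2d[ns]
        if new_domains <= domains:
            break
        domains |= new_domains
    return domains, ips

if __name__ == "__main__":
    found, proxy_ips = expand({"seed1.example"}, PDNS_A, PDNS_NS)
    print(sorted(found))
    print(sorted(proxy_ips))
```

The loop terminates when a round adds no new domain; the `rounds` cap is a safety net for data sets where one over-popular name server keeps pulling in the whole zone. Raising `max_domains_per_ip` shows the failure mode: the shared host's unrelated domains are swept in.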
Slide 47. Malware phoning to CnC domains
Zeus (config URLs, binary URLs, drop zone URLs), Citadel, KINS & Ice IX, Asprox, Zemot/Rerdom, Phishing, Ursnif, Madness Pro, Pony panel, newGOZ, Tiny Banker

Slide 48. Tiny Banker CnCs example
Tinba domains detected by the FF model -> get network reports for all associated known samples -> extract queried domains from the network traffic reports -> apply filtering heuristics to remove FPs (traffic pattern, lexical features, etc.)

Slide 49. Fastflux Case Study: Zbot
• Collecting live intel helps learn about bad actors' TTP
• Register domains with evasive names to confuse trackers: e.g. suspended-domains-nic.biz looks like a suspended domain, but is in fact a recently registered (Jan 14th) NS domain for zbot FF CnCs
• [a-d].suspended-domains-nic.biz and [dns1-dns4].suspended-domains-nic.biz are the authoritative name servers for zbot FF domains; the name servers are themselves hosted on the zbot proxy network, i.e. a double flux set-up
Slides 50-51. Registrars of zbot FF domains (chart)
Labels: r01-reg, TodayNic, r01-ru, Regru-ru, Paknic, Melbourne IT, Netlynx, Web Commerce, Ardis-reg, ru-center-ru, regru-reg

Slide 52. Rogue or abused registrars
http://spamtrackers.eu/wiki/index.php/R01.ru

Slides 53-54. Registrant e-mail MX RR (chart)
Labels: No MX record, FakeMailGenerator, Picamail - Google, 85Mail - Google, Privacy - TopDNS, GMX.com, Hotmail, Yandex

Slide 55. DGA case study: new GameOver Zeus (newGOZ)
Slide 56. newGOZ Background
What is a DGA? Conficker, 2008
Typically calculated on time/day/date
Letter based vs dictionary based
Gameover Zeus "newGOZ": letter based, with salts to extend the algorithm (2 known)
11000 possible domains per day, Oct 7 - Dec 7 (62 days)

Slide 57. newGOZ Tracking System Overview
1. Identify a DGA: VirusTotal, TotalHash, intel sharing communities; query patterns (co-occurrences, spikes, lexical analysis)
2. Reverse the DGA algorithm: Hex-Rays decompiler, IDA, Hopper, OllyDbg
3. Predict daily C2 domains: Python + BASH + massresolver; yesterday, today, tomorrow (for overlaps); 682,000 possible C2 domains over 62 days, Oct 7 - Dec 7
4. Identify live C2 domains: attempt to resolve domains every TTL seconds (5 minutes); 251 resolved (evil and researchers)
5. Probe for information on C2 domains: whois, DNS, IP, ASN info for C2 and authoritative domains
6. Enrich probe information with passive data: passive DNS, historic whois, IP reputation

Slide 58. newGOZ Domain TTLs
251 different C2 domains resolved
Domain count | TTL   | Alignment
110          | 300   | Evil
81           | 10800 | Sinkhole
58           | 666   | Sinkhole
9            | 3600  | Sinkhole
5            | 1800  | Sinkhole
4            | 600   | ?
1            | 7200  | ?
1            | 14400 | ?
The counts sum to 269 rather than 251 because a domain observed with more than one TTL is counted under each; a domain with multiple TTLs changed owners.
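Added example, not from the slides: the predict / resolve / classify / re-snapshot loop of slides 57-58. The DGA used here is a placeholder (SHA-256 over the calendar day, a salt and an index) so the loop can run offline; it is not the newGOZ algorithm, its two salts and per-salt domain counts are invented, and the "resolver" is a constructed answer table rather than live DNS. What the page does supply is the TTL alignment table of slide 58 and the rule that a domain seen with more than one TTL has changed owners, which the last function implements.

```python
# Added example (not from the slides): DGA prediction window, snapshot of live
# domains, TTL-based alignment and owner-change detection across snapshots.
# The DGA is a placeholder, NOT newGOZ's; SALTS, the counts and the answers
# below are constructed.
import datetime as dt
import hashlib

SALTS = {"salt_a": 3, "salt_b": 5}          # domains per day per salt (placeholder counts)
TLDS = ("com", "net", "org")
TTL_ALIGNMENT = {300: "evil", 10800: "sinkhole", 666: "sinkhole",
                 3600: "sinkhole", 1800: "sinkhole"}   # slide 58; other TTLs unknown
DEFAULT_DAY = dt.date(2014, 10, 7)

def dga(day, salt, count):
    """Placeholder letter-based DGA seeded by calendar day and salt."""
    out = []
    for i in range(count):
        h = hashlib.sha256(f"{day.isoformat()}|{salt}|{i}".encode()).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in h[:12])
        out.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return out

def predict(today):
    """Yesterday, today and tomorrow for every salt, so clock skew is covered."""
    domains = set()
    for delta in (-1, 0, 1):
        day = today + dt.timedelta(days=delta)
        for salt, count in SALTS.items():
            domains.update(dga(day, salt, count))
    return domains

def classify(ttl):
    return TTL_ALIGNMENT.get(ttl, "unknown")

def snapshot(candidates, resolver):
    """resolver(domain) -> (ip, ttl) or None. Returns only the live domains."""
    live = {}
    for d in sorted(candidates):
        answer = resolver(d)
        if answer:
            ip, ttl = answer
            live[d] = {"ip": ip, "ttl": ttl, "alignment": classify(ttl)}
    return live

def owner_changes(snapshots):
    """Domains whose TTL differs between consecutive sightings (changed owners)."""
    seen, changed = {}, set()
    for snap in snapshots:
        for d, rec in snap.items():
            if d in seen and seen[d] != rec["ttl"]:
                changed.add(d)
            seen[d] = rec["ttl"]
    return changed

def demo(today=DEFAULT_DAY):
    """Two constructed snapshots: the first candidate goes from evil to sinkholed."""
    cands = sorted(predict(today))
    day1 = {cands[0]: ("198.51.100.7", 300), cands[1]: ("192.0.2.1", 10800)}
    day2 = {cands[0]: ("192.0.2.1", 10800), cands[1]: ("192.0.2.1", 10800)}
    s1, s2 = snapshot(cands, day1.get), snapshot(cands, day2.get)
    return s1, s2, owner_changes([s1, s2])

if __name__ == "__main__":
    s1, s2, changed = demo()
    print(s1)
    print("changed owners:", changed)
```

Keeping every snapshot rather than only the latest is what makes the owner-change query possible; in production the `resolver` argument is the place to plug in massresolver output, and unknown TTLs stay "unknown" instead of being guessed.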
Slide 59. newGOZ C2 Name Servers
31 authoritative domains (2LD)
21 name servers had ns1 and ns2 pairs
5 domains (likely more) are researchers'
4 name servers were eventually parked, possibly due to not resolving, possibly due to not existing

Slides 60-61. newGOZ C2 Name Servers (slide 61 annotates the same list as Researchers / Parked / Evil NS1 / Evil NS2)
Researchers:
a.dns.gandi.net, b.dns.gandi.net, c.dns.gandi.net
dns1.registrar-servers.com, dns2.registrar-servers.com, dns3.registrar-servers.com, dns4.registrar-servers.com, dns5.registrar-servers.com
ns.123-reg.co.uk, ns2.123-reg.co.uk
ns01.domaincontrol.com, ns02.domaincontrol.com, pdns05.domaincontrol.com, pdns06.domaincontrol.com
ns1.torpig-sinkhole.org, ns2.torpig-sinkhole.org
ns1.sinkhole.ch, ns2.sinkhole.ch
ns1.dynadot.com, ns2.dynadot.com
Parked:
ns1.ilcriminallaw.net.lamedelegation.org
ns1.acutica.net.rcom-dns.eu
ns1.ezracesite.net.rcom-dns.eu
ns1.the-jumbotron.net.rcom-dns.eu
Evil NS1 / Evil NS2 (- = no ns2 seen):
ns1.acutica.net / -
ns1.autozphibsnz.com / ns2.autozphibsnz.com
ns1.bethanychildcare.net / ns2.bethanychildcare.net
ns1.borrowbynet.net / ns2.borrowbynet.net
ns1.bossvietguider.com / ns2.bossvietguider.com
ns1.bundesligagame.net / -
ns1.energiazielona.net / ns2.energiazielona.net
ns1.ezracesite.net / -
ns1.hitzandronum.net / -
ns1.hotinspiritrees.net / -
ns1.ilcriminallaw.net / -
ns1.israelandpalestin.com / -
ns1.longhilpartners.com / ns2.longhilpartners.com
ns1.lovecapo.net / ns2.lovecapo.net
ns1.overbytes.net / ns2.overbytes.net
ns1.rannfyaether.net / ns2.rannfyaether.net
ns1.the-jumbotron.net / -
ns1.themobpokershop.net / ns2.themobpokershop.net
ns1.thepurringpiano.net / ns2.thepurringpiano.net
ns1.videohomebing.com / -
ns1.visiteitacares.com / ns2.visiteitacares.com
ns1.whiterelicons.com / -
ns1.zoogmusics.net / ns2.zoogmusics.net
ns1.zumbbawecker.net / -
Slide 62. newGOZ C2 Domain Registrars
Dynadot, GoDaddy, 1&1 Internet AG, 101Domain, Bigrock Solutions, Enom, Gandi SAS, Melbourne IT DBA Internet Names Worldwide, Network Solutions, TodayNIC, Turncommerce DBA NameBright, Webfusion

Slides 63-64. newGOZ C2 domain registrars (chart)
Labels: 1&1 Internet AG, Dynadot, Gandi, TodayNic, Melbourne IT, Bigrock Solutions, TurnCommerce DBA Namebright, GoDaddy, 101Domain, Enom, Webfusion, Network Solutions

Slide 65. newGOZ Registrant Email Addresses
99 different registrant emails (C2 and NS domains), NOT including confirmed researchers
Some accounts were created, some weren't
medicallaserss@ymail.com
medicallassers@ymail.com
educationreport@insurer.com
educationreportt@insurer.com
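Added example, not from the slides: the registrant-email correlation of slides 29-30 extended with two checks the newGOZ data suggests. Addresses whose local parts differ by a typo-sized edit at the same mail provider, like the pairs on slide 65, are clustered together, and each cluster is flagged when its mail domain has no MX record (the "No MX RR" bucket of slides 54 and 66). The whois rows, the domain names and the MX table are constructed; only the four ymail/insurer addresses are taken from the slide, and whether insurer.com really lacks MX is not claimed, it is just the constructed value here.

```python
# Added example (not from the slides): cluster registrant e-mails by edit
# distance and flag mail domains without MX. WHOIS and HAS_MX are constructed.
from collections import defaultdict

# whois extract: (registered domain, registrant e-mail)
WHOIS = [
    ("c2-one.example", "medicallaserss@ymail.com"),
    ("c2-two.example", "medicallassers@ymail.com"),
    ("c2-three.example", "educationreport@insurer.com"),
    ("ns-one.example", "educationreportt@insurer.com"),
    ("unrelated.example", "webmaster@example.org"),
]
# result of an MX lookup per mail domain (constructed values)
HAS_MX = {"ymail.com": True, "insurer.com": False, "example.org": True}

def levenshtein(a, b):
    """Edit distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def cluster_emails(emails, max_edits=2):
    """Union-find over addresses at the same provider whose local parts are
    within max_edits edits; returns only clusters of two or more."""
    emails = sorted(set(emails))
    parent = {e: e for e in emails}

    def find(e):
        while parent[e] != e:
            parent[e] = parent[parent[e]]
            e = parent[e]
        return e

    for i, a in enumerate(emails):
        la, da = a.split("@")
        for b in emails[i + 1:]:
            lb, db = b.split("@")
            if da == db and levenshtein(la, lb) <= max_edits:
                parent[find(a)] = find(b)
    clusters = defaultdict(set)
    for e in emails:
        clusters[find(e)].add(e)
    return [c for c in clusters.values() if len(c) > 1]

def correlate(whois, has_mx):
    """Per registrant cluster: the domains it covers and whether the mail
    domain can receive mail at all (no MX -> throwaway registrant identity)."""
    by_email = defaultdict(set)
    for domain, email in whois:
        by_email[email].add(domain)
    report = []
    for cluster in cluster_emails(by_email):
        mail_domain = next(iter(cluster)).split("@")[1]
        report.append({
            "emails": cluster,
            "domains": set().union(*(by_email[e] for e in cluster)),
            "mx": has_mx.get(mail_domain, False),
        })
    return report

if __name__ == "__main__":
    for row in correlate(WHOIS, HAS_MX):
        print(row)
```

Two edits is tight on purpose: it catches the doubled-letter variants on the slide while leaving genuinely different local parts at big providers apart. Exact-match correlation on the address, the baseline of slide 29, would have treated each of the four addresses as a separate registrant.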
Slide 66. newGOZ registrant e-mail providers (chart)
Labels: NameBright Privacy, TodayNic Privacy (No MX RR), Yahoo, GMX.com, AOL, Enom Privacy (whoisguard), GoDaddy Privacy (Domainsbyproxy), GMX.net, Hotmail, Zoho, FakeMailGenerator

Slide 67. newGOZ C2 and NS Hosting
86 C2 and NS IPs
54 unique hosting locations
3 providers used by known researchers
Mix of VPS, ISP, and compromised
Slides 68-69. newGOZ C2 and NS hosting providers (IP count per provider)
12 Amazon
8 GoDaddy
4 GANDI SAS
3 Rackspace Hosting
3 OVH
3 Confluence Networks Inc
3 1&1 Internet AG
2 Webfusion Internet Solutions
2 ViaWest
2 SoftLayer Technologies Inc.
2 PT Jastrindo Dinamika
2 Black Lotus Communications
1 Yuli Azarch trading as YaiSales
1 XL Internet Services B.V.
1 Viet Solutions Services Trading Company Limited
1 Viasat Communications Inc.
1 VDSINA VDS Hosting
1 TTNETDC Turkiye Telekom Data Center
1 TANET-BNETA, Taiwan
1 Symphony Communication Plc
1 SPARK NEW ZEALAND TRADING LIMITED
1 Shandong technology university
1 Rook Media USA, Inc.
1 RIPE Sinkhole
1 RCS & RDS Business
1 Radore Veri Merkezi Hizmetleri A.S.
1 NOS COMUNICACOES S.A. (TVCABO-Portugal)
1 Namecheap, Inc.
1 MonsterCommerce, LLC
1 Ministry of Education Computer Center, Taiwan
1 Ministère de l'aménagement du territoire de l'équipement et des transports
1 Kornet - Korea Telecom
1 KMS-Hosting.com Customers
1 Kabel Baden-Wuerttemberg GmbH & Co. KG
1 Joe's Datacenter, LLC
1 Indiana University
1 ID Uppal Private Limited
1 HOST1FREE.COM VPS services
1 HONGIK UNIVERSITY
1 HANANET - broadNnet
1 Google Cloud
1 GHOSTnet Network used for VPS Hosting Services
1 Gelderland Internet Exchange - Dedicated Servers
1 FortaTrust USA Corporation
1 EXMOS-LIMITED
1 ERX-NETBLOCK
1 CloudFlare, Inc.
1 Cizgi Telekom
1 China Mobile communications corporation
1 Bharti Tele-Ventures Limited
1 Belgacom ISP SKYNET-CUSTOMERS
1 Argon Data Communication
Slides 70-71. NS IP address -> C2 domain -> IP address (graph figure)
Slide 71 annotates the clusters: Malware Cabal sinkhole, VirusTracker sinkhole, Arbor Networks sinkhole, GoDaddy (two clusters), ??? (two unidentified clusters), Badness

Slide 72. newGOZ Now
No new evil domains registered since 12 Nov 14. Why?
Speculation: not resilient without peer-to-peer; abandoned for new malware; silent LE take down
Sinkholes are still active
Slide 73. oldGOZ Client Queries
oldGOZ generates 1000 domains every 7 days, with batches aligned to the first of the month (so the first and last batch of a month are shorter):
Dec 1 - Dec 6 / Jan 1 - Jan 6
Dec 7 - Dec 13 / Jan 7 - Jan 13
Dec 14 - Dec 20 / Jan 14 - Jan 20
Dec 21 - Dec 27 / Jan 21 - Jan 27
Dec 28 - Dec 31 / Jan 28 - Jan 31

Slides 74-75. oldGOZ Client Queries (figures)

Slide 76. newGOZ Client Queries (to add)
newGOZ generates 1000 domains/day using one of the salts and 10,000 domains/day using the other salt

Slide 77. newGOZ Take Aways
Important things to note about newGOZ infrastructure:
-TTLs of domain names (300)
-Use of round-robin DNS (multiple IPs per domain)
-Registrar preferences (TodayNic, Melbourne IT, BigRock)
-Registration to resolution delta (~1 day)
-Registrant email pattern
-Many C2 IPs, many NS IPs
-Use of compromised (and possibly dedicated) IPs

Slide 78. newGOZ tracker: Snapshooter

Slide 79. newGOZ Improved Tracking System
JSON instead of flat text output
Pure Python instead of BASH, Python and C
Client:
-generates GOZ domains
-identifies resolving domains
-maps resolving domains to workers
-spawns a dedicated client process for each worker
-asynchronously sends requests to workers
Workers:
-daemon waiting for client task requests
-queries the DNS, whois, etc.

Slide 80. Snapshooter architecture (figure)
(GOZ DGA -> client -> worker daemons; workers fetch NS RRs and IP RRs via 8.8.8.8 and query the whois servers)
Slide 81. The whois server itself is behind round-robin DNS: 20 lookups of whois.verisign-grs.com return three different addresses, which is why workers must not cache a single whois IP
 COUNT=0
 while [ "${COUNT}" -lt 20 ]; do
   dig +short whois.verisign-grs.com
   COUNT=$((COUNT + 1))
   sleep 1
 done | sort | uniq -c
Output shown on the slide:
       5 199.7.48.74
       4 199.7.50.74
      11 199.7.56.74
Slide 82. newGOZ Snapshooter Demo
github.com/anthonykasza/snapshooter

Slide 83. Snapshooter: ToDo
-Automatically contact registrars and hosting providers with complaints
-Collect content hosted on domain
-Graph database backend
-Pray for RDAP draft: https://tools.ietf.org/html/draft-ietf-weirds-json-response-10

Slide 84. Conclusion
• Threat Intelligence is crucial to make strategic & tactical decisions for reactive & proactive security
• Different techniques to collect network threat intel: active probing, passive monitoring
• Fastflux: Zbot fast flux proxy network
• DGA: GameOver Zeus botnet
• Snapshooter

Slide 85. References
-Catching malware en masse: DNS & IP style, D. Mahjoub, T. Reuille, A. Toonk, BlackHat 2014, DefCon 2014
-Sweeping the IP space: The Hunt for Evil on the Internet, D. Mahjoub, Virus Bulletin 2014
-A New Look at Fast Flux Proxy Networks, D. Mahjoub, H. Adrian, BotConf 2014
-DNS Analytics, O. Kamal, BotConf 2014
-ZeuS Tracker
-Massresolver, F. Denis, github.com/jedisct1/massresolver
-http://www.malware-traffic-analysis.net/

Slide 86. Acknowledgements
OpenDNS
ShmooCon
Arbor Networks (initial newGOZ DGA)
John Bambenek

Slide 87. Thank You. Questions?
@dhialite
@anthonykasza
