
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Detection



Author: John Bambenek

The cat-and-mouse game between malware researchers and malware operators has been going on for years. The defense community is getting faster at responding to growing threats and taking down the command and control centers of malware operators before they cause too much damage. Meanwhile, “bad guys” are building multi-tier redundant architectures utilizing P2P networks, Tor, and domain generation algorithms (DGAs) to improve the availability of their supporting infrastructure against take-down operations. This presentation covers the research of both American and Russian analysts into the use of such techniques and what can be learned about the adversaries who use them. Additionally, the speaker introduces a new tool that helps researchers dig into DGAs.



  1. Exploiting Redundancy Properties of Malicious Infrastructure
     John Bambenek, Manager of Threat Systems, Fidelis Cybersecurity
     PHDays 6 – Moscow, Russia
  2. © Fidelis Cybersecurity – Intro
     • Manager at Fidelis Cybersecurity of a team responsible for automation and data mining of threat information.
     • Faculty at University of Illinois – Urbana-Champaign in Computer Science.
     • Participate in (and run) many private groups investigating major criminal threats on the internet.
     • I generally focus only on criminal threats and avoid nation-state/espionage.
  3. Agenda
     • Single Point of Failure vs Redundancy
     • Redundancy techniques
     • Detection
     • Sinkholing
     • Increased Fingerprints
     • Targeted Intelligence Operations
     • Surveillance
     • Towards more Effective Disruption
  4. Single Point of Failure vs Redundancy
     • Many malware attacks rely on a single method of communication (a single IP, DNS name, Tor node, etc.).
     • Easy to set up and maintain, low cost of entry.
     • However, only two states: up or down.
     • Cannot establish a pattern on a single data point.
     • Many RATs are single-C2 based.
     • Attackers who want to persist need something else.
  5. Single C2 Examples
     Example of static C2 config (more on barncat later)
  6. Multi C2 example
     Example of static C2 config (more on barncat later)
  7. Redundancy Techniques
     • Multiple IPs/Hostnames (static lists)
     • Use of Fast Flux / Double Flux
     • DGAs
     • Tor/I2P
     • Multiple Methods
     • If done right, uses multiple ISPs/providers
  8. Detection
     • If you already know about a threat, you can protect based on a single piece of information.
     • For unknown threats, you need to have a pattern, and single data points aren’t a pattern.
     • Redundancy helps us by forcing the adversary to create fingerprints we can use to detect otherwise “unknown” threats.
     • Allows for data mining, statistical analysis, etc.
  9. Goal
     • Goal: Force the adversary into behavior that inherently requires them to create patterns.
     • Takedowns are risky because the attacker can adapt back into an “unknown threat”. Patterns, however, tend to persist if you have visibility into their behavior.
  10. Detection
     • Double flux networks rely on a massive pool of endpoints and nameservers, so taking down a single IP has no impact on the adversary.
     (Example answer section: five A records, each with TTL 1800, spread across different networks, one of them in SBIS-AS – AT&T Internet Services; the addresses themselves are not shown.)
  11. Detection – Flux networks
     • Besides CDNs, very few valid DNS queries will return multiple low-TTL A records across geographies and network boundaries (especially in residential IP space).
     • Almost no one has low-TTL NS records (very limited use case).
     • Can combine with domain/IP reputation or Alexa rank to increase confidence.
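The flux heuristics on slides 10 and 11 can be turned into a scorer that looks at one answer at a time. The following is an added example written for this page, not code from the talk: it counts low-TTL A records, how many ASNs and countries they span, how many sit in residential space, and whether the NS records are low-TTL too. The ASN/GeoIP table, the sample answers and the thresholds (TTL ≤ 3600 s, at least 3 records across at least 3 ASNs) are constructed assumptions; a real pipeline would back `lookup()` with an ASN database and tune the thresholds against its own traffic.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One resource record from the answer/authority section of a DNS reply."""
    name: str
    ttl: int
    rtype: str   # "A" or "NS"
    rdata: str   # IPv4 address for A, nameserver hostname for NS


# Constructed stand-in for an ASN/GeoIP lookup: ip -> (asn, country, residential?).
# A real deployment would query MaxMind / Team Cymru style data here.
ASN_DB = {
    "198.51.100.7":   ("AS64500", "US", True),
    "203.0.113.9":    ("AS64501", "DE", True),
    "192.0.2.33":     ("AS64502", "BR", True),
    "198.51.100.200": ("AS64503", "JP", True),
    "203.0.113.77":   ("AS64504", "US", True),
    "192.0.2.10":     ("AS64510", "US", False),
    "192.0.2.11":     ("AS64510", "US", False),
    "192.0.2.12":     ("AS64510", "US", False),
}


def lookup(ip):
    return ASN_DB.get(ip, ("UNKNOWN", "??", False))


def flux_features(records, low_ttl=3600):
    """Count the traits the slides call out: several low-TTL A records spread
    across ASNs/countries, in residential space, plus low-TTL NS records."""
    a_records = [r for r in records if r.rtype == "A"]
    ns_records = [r for r in records if r.rtype == "NS"]
    low_a = [r for r in a_records if r.ttl <= low_ttl]
    asns = {lookup(r.rdata)[0] for r in low_a}
    countries = {lookup(r.rdata)[1] for r in low_a}
    return {
        "a_count": len(a_records),
        "low_ttl_a": len(low_a),
        "asn_count": len(asns),
        "country_count": len(countries),
        "residential_a": sum(1 for r in low_a if lookup(r.rdata)[2]),
        "low_ttl_ns": sum(1 for r in ns_records if r.ttl <= low_ttl),
    }


def classify(records, low_ttl=3600, min_records=3, min_asns=3):
    """'fast-flux' when several low-TTL A records span several ASNs,
    'double-flux' when the NS records are low-TTL as well, else 'not-flux'.
    CDNs also hand out short TTLs, but usually from one or two ASNs, so the
    ASN spread (not the TTL alone) is the discriminating feature."""
    f = flux_features(records, low_ttl)
    fluxy = f["low_ttl_a"] >= min_records and f["asn_count"] >= min_asns
    if fluxy and f["low_ttl_ns"] > 0:
        return "double-flux"
    if fluxy:
        return "fast-flux"
    return "not-flux"


# Constructed answers. TTL 1800 mirrors the slide; names and addresses are placeholders.
DOUBLE_FLUX = [
    Record("bad.example", 1800, "A", "198.51.100.7"),
    Record("bad.example", 1800, "A", "203.0.113.9"),
    Record("bad.example", 1800, "A", "192.0.2.33"),
    Record("bad.example", 1800, "A", "198.51.100.200"),
    Record("bad.example", 1800, "A", "203.0.113.77"),
    Record("bad.example", 600, "NS", "ns1.bad.example"),
    Record("bad.example", 600, "NS", "ns2.bad.example"),
]
CDN_LIKE = [  # short TTLs, but every address lives in the same ASN
    Record("cdn.example", 60, "A", "192.0.2.10"),
    Record("cdn.example", 60, "A", "192.0.2.11"),
    Record("cdn.example", 60, "A", "192.0.2.12"),
    Record("cdn.example", 172800, "NS", "ns1.cdn.example"),
]
STATIC = [
    Record("corp.example", 86400, "A", "192.0.2.10"),
    Record("corp.example", 172800, "NS", "ns1.corp.example"),
]

if __name__ == "__main__":
    for label, answer in [("double-flux", DOUBLE_FLUX), ("cdn-like", CDN_LIKE), ("static", STATIC)]:
        print(label, "->", classify(answer), flux_features(answer))
```

The residential count is returned but not used in the verdict; in practice it is the feature you would weight up together with domain/IP reputation, because legitimate services almost never front themselves with residential addresses.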
  12. Detection – DGAs
     • Pseudorandom domain names (or hostnames), usually many hundreds or thousands generated (potentially per day).
     • Attacker only needs to control one of the domains; if it gets suspended they can just register another to reassert control.
  13. Detection – DGAs (tinba)
     (Sample lines from a tinba DGA feed; the domain names are not shown.)
     • Easy to load known DGA domains into RPZ to block at the DNS level.
  14. Detection – DGAs
     • Easy to find “unknown” DGAs.
     • The biggest obvious network behavior of DGA-enabled malware is a large number of NXDOMAIN responses to queries.
     • Most DGAs have a majority of their domains unregistered.
     • Look in DNS logs for repetitive queries returning NXDOMAIN or resolving to known sinkholed IPs.
  15. Detection – DGAs
     • For non-word-list DGAs, checking domain names for high entropy finds “random”-looking domains.
     • N-gram analysis can also be used to find DGA-like domains.
     • Based on looking at sequences of characters that do not naturally occur in a given language to create a score (essentially anti-patterns).
     • e.g. “QQ” is not a naturally occurring two-letter combination in English.
     • Based on statistical comparisons of letter combinations in “natural” language and observed domain names, you can draw some conclusions.
  16. Detection – DGAs
     • Can be language specific, so care is needed for other languages.
     • Using n-grams is not a 100% confidence prospect; other checking needs to be done.
     • See “Use of n-Gram models for DGA detection” once published.
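Slides 14 to 16 describe two complementary checks: an NXDOMAIN burst per client, and lexical scoring (entropy plus n-gram anti-patterns) of the names being asked for. The block below is an added example for this page, not the speaker's tooling, and combines both over a constructed query log. The log format (`timestamp client qname rcode`), the short list of rare English bigrams, and the thresholds (5 distinct NXDOMAIN names, mean entropy ≥ 3.0 bits, ≥ 10 % rare bigrams) are assumptions; a real model derives bigram frequencies from a corpus in the language of interest, as slide 16 warns.

```python
import math
from collections import defaultdict

# Constructed DNS query log: "<timestamp> <client> <qname> <rcode>". Not real telemetry.
SAMPLE_LOG = """\
2016-05-17T10:00:01 10.0.0.5 xkqzvjwpl.com NXDOMAIN
2016-05-17T10:00:01 10.0.0.5 qjzxvbnmkt.net NXDOMAIN
2016-05-17T10:00:02 10.0.0.5 wvkzxqpfhn.com NXDOMAIN
2016-05-17T10:00:02 10.0.0.5 zjqvxkmwrb.info NXDOMAIN
2016-05-17T10:00:03 10.0.0.5 tpqzxwjvkl.com NXDOMAIN
2016-05-17T10:00:03 10.0.0.5 hxkqjzvwpm.net NXDOMAIN
2016-05-17T10:00:04 10.0.0.7 www.example.com NOERROR
2016-05-17T10:00:04 10.0.0.7 mail.example.org NOERROR
2016-05-17T10:00:05 10.0.0.7 exmaple.com NXDOMAIN
2016-05-17T10:00:06 10.0.0.9 greentablehouse.com NXDOMAIN
2016-05-17T10:00:06 10.0.0.9 smallriverbook.net NXDOMAIN
2016-05-17T10:00:07 10.0.0.9 quickwinterroad.com NXDOMAIN
2016-05-17T10:00:07 10.0.0.9 oldsilverlamp.org NXDOMAIN
2016-05-17T10:00:08 10.0.0.9 brightstonegate.com NXDOMAIN
"""

# Constructed, illustrative set of letter pairs that essentially never occur in
# English words (the slide's "QQ" anti-pattern idea). A real deployment scores
# against bigram frequencies measured on a natural-language corpus.
RARE_BIGRAMS = {
    "qz", "zq", "xq", "qx", "jq", "qj", "kq", "qk", "vq", "qv", "wq", "jx", "xj",
    "zx", "xz", "vj", "jv", "kz", "zk", "jz", "zj", "fq", "qf", "gq", "qg", "hx",
    "xk", "kx", "vz", "zv", "wx", "xw", "pq", "qp", "bq", "qb",
}


def parse_log(text):
    """Yield (client, qname, rcode) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, rcode = line.split()
        yield client, qname.lower().rstrip("."), rcode


def second_level_label(qname):
    """Label left of the TLD; production code would consult a public-suffix list."""
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits per character; random labels of 9-10 distinct letters score above 3."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def rare_bigram_ratio(label):
    """Fraction of adjacent letter pairs that are anti-patterns for English."""
    letters = [c for c in label if c.isalpha()]
    pairs = ["".join(letters[i:i + 2]) for i in range(len(letters) - 1)]
    if not pairs:
        return 0.0
    return sum(1 for p in pairs if p in RARE_BIGRAMS) / len(pairs)


def find_dga_clients(log_text, min_nx=5, min_entropy=3.0, min_rare=0.1):
    """Report clients with an NXDOMAIN burst; label the burst 'dga-like' only
    when the names also fail the lexical checks. Word-list DGAs (e.g. matsnu)
    pass the lexical checks, so the burst alone is still reported."""
    nx_names = defaultdict(set)
    for client, qname, rcode in parse_log(log_text):
        if rcode == "NXDOMAIN":
            nx_names[client].add(second_level_label(qname))
    report = {}
    for client, names in nx_names.items():
        if len(names) < min_nx:
            continue
        ent = sum(shannon_entropy(n) for n in names) / len(names)
        rare = sum(rare_bigram_ratio(n) for n in names) / len(names)
        lexical = ent >= min_entropy and rare >= min_rare
        report[client] = {
            "nxdomain_names": len(names),
            "mean_entropy": round(ent, 2),
            "mean_rare_bigrams": round(rare, 2),
            "verdict": "dga-like" if lexical else "nxdomain-burst",
        }
    return report


if __name__ == "__main__":
    for client, summary in find_dga_clients(SAMPLE_LOG).items():
        print(client, summary)
```

Note that entropy alone is a weak signal: a long concatenation of real words such as `greentablehouse` has entropy comparable to a random label, which is why the example requires the n-gram check to agree before calling something DGA-like, and why the word-list client is still surfaced on NXDOMAIN volume.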
  17. Sinkholing
     • For DGAs, most domains are unregistered.
     • If a researcher registers one (or several) of those domains, victims will beacon to them.
     • Useful for telemetry data or developing signatures.
     • Some adversaries have started creating sinkhole-aware malware.
  18. Other uses of sinkholing
     • If you can make victims think you are the C2, you can, to an extent, control the victim.
     • May require other data (encryption keys) and mimicking the C2 protocol.
     • Some (but not all) malware families have a self-destruct option to uninstall from the victim’s machine.
     • This has been done in the past as part of takedowns.
  19. Other uses of sinkholing
     • You can also engage in direct control of the victim.
     • A “white hat” hacker recently breached part of an exploit kit network to install Avira instead of the intended malware by replacing the binary.
       • Transient benefit.
     • If you do this, please just install Flash/Adobe/Java patches instead.
       • More persistent benefit.
  20. Important Note
     • Doing any of the above without legal authority is probably criminal in almost every jurisdiction represented in this room.
     • Going to jail is bad; I don’t recommend it.
  21. Targeted Intelligence Operations
     • Our biggest difficulty in prosecuting cybercrime is the difficulty of getting information between nations.
     • International cooperation is often marred by unrelated foreign policy constraints, sometimes even with private sector actors.
     • To make matters worse, as a consequence of the amount of data and metadata created by computers and networks, there are a huge number of tools available to hide.
  22. Targeted Intelligence Operations
     • When the adversary has only a single static C2, your options are limited:
       • Take it down
       • Get a wiretap
     • If you take it down and lack other tracking ability, the attacker will just set up their operation elsewhere… and potentially break your visibility into their operations.
  23. Targeted Intelligence Operations
     • When an adversary uses redundant C2 methods, a disruption in part of their communications is not critical.
     • They may not make wholesale changes.
     • The key to a targeted intelligence operation is to have enough impact that the adversary does something, but not so much impact that they disappear and stop operating.
  24. Examples
     • During Cryptolocker, they often used the same Chinese registrar (DNSPOD) for their DGA registrations.
     • In 2013, Chinese-American cooperation was not great.
     • Objectives:
       • I wanted to build a relationship with a Chinese company to deal with obvious abuse.
       • I wanted to see how they would change if that registrar suspended a few domains.
  25. Examples
     • Results:
       • For a few days, they kept using DNSPOD.
       • For two weeks, they used a different registrar before going back to DNSPOD.
       • The cycling of registrant accounts led to some good leads available to “western” law enforcement for their investigation.
       • I opened the door to working with other Chinese companies on criminal matters.
  26. Example #2
     • I was tracking a criminal service provider who used a “shared hosting” account to manage their infrastructure.
     • I paid “a premium” to get an account on the same box to see if I could use poor file system permissions to gather additional intelligence (perfectly legal).
     • It didn’t work, but the attacker didn’t know that.
     • The attacker was aware of who I am and that I was tracking him, so I subtly let him know I had an account on the same box.
  27. Example #2
     • The attacker very quickly moved their C2 operations using a control panel “move” function.
     • This also required them to reissue binaries and caused some disruption and a poor “customer experience”.
     • Most important, using the “move” function left files behind after they left. This allows for the possibility of a search warrant to obtain that data without the adversary being aware.
  28. More Fingerprints
     • The use of redundancy also comes with new fingerprints that can be used to identify adversaries.
     • DGAs inherently mean WHOIS artifacts could be used to find and track specific adversaries in all their operations.
  29. Whois Info
     • Many actors will use WHOIS protection… some just use fake information.
     • “David Bowers” is common for Bedep.
     $ grep "David Bowers" *.txt | grep Registrant
     Registrant Name: David Bowers
     Registrant Name: David Bowers
     Registrant Name: David Bowers
     Registrant Name: David Bowers
     Registrant Name: David Bowers
     Registrant Name: David Bowers
  30. David Bowers
     (Four feed entries of the form <domain>,Domain used by bedep (-4 days to today),2015-08-16; the domain names are not shown.)
     But why stop with just known DGAs; what other domains are associated with “David Bowers”?
  31. David Bowers
     • Using a reverse WHOIS service, it’s possible to see all domains registered by a name, email, etc.
     • Domains seen associated with necurs and angler as well.
     • Can also set up registrant alerts on e-mail addresses used to register domains.
  32. David Bowers
     (Screenshot of reverse WHOIS results.)
  33. Registrant Alert
     (Screenshot of a registrant alert.)
  34. Fingerprints Example #2
     • With a single static C2, the use of SSL could be a one-time cert, could use a dedicated key or specific certificate details; there is no way to know.
     • If there are many redundant C2s, they may re-use some information. For malware that does certificate pinning, they HAVE to use the same cert.
  35. Fingerprints Example #2
     Certificate:
         Data:
             Version: 1 (0x0)
             Serial Number: fa:21:6b:2c:8e:6c:35:f6
             Signature Algorithm: sha1WithRSAEncryption
             Issuer: C=EU, ST=Oregon, L=Cincinati, O=Oracle Corporation, OU=Oracle, CN=Oracle Developer/
  36. More fingerprints
     • Shodan (and other tools) can search for specific SSL certs on internet-facing services.
     • Possible to programmatically hunt application stores for malicious certs in applications.
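Slides 28 to 35 both come down to the same pivot: extract one artifact the adversary reused (a registrant name or e-mail from WHOIS, a serial number and issuer from a pinned certificate) and group every domain or host that shares it. The block below is an added example for this page, not the speaker's tooling. The WHOIS records and the `host:port` observations are constructed: the registrant name and the certificate serial/issuer on two of the hosts copy what the slides show, while the domains, e-mail addresses and addresses are placeholders. In a real hunt you would feed the certificate key into Shodan's certificate search and the registrant fields into a reverse-WHOIS service, as the slides describe.

```python
import re
from collections import defaultdict

# Constructed WHOIS records (domain -> text) in the key/value layout registrars emit.
WHOIS_RECORDS = {
    "qwfkzjx.example": """\
Domain Name: QWFKZJX.EXAMPLE
Creation Date: 2015-08-12T00:00:00Z
Registrant Name: David Bowers
Registrant Email: dbowers@mail.example
""",
    "plvzqm.example": """\
Domain Name: PLVZQM.EXAMPLE
Creation Date: 2015-08-14T00:00:00Z
Registrant Name: D. Bowers
Registrant Email: dbowers@mail.example
""",
    "kjzxqv.example": """\
Domain Name: KJZXQV.EXAMPLE
Creation Date: 2015-08-15T00:00:00Z
Registrant Name: Whois Privacy Service
Registrant Email: anon-12345@privacy.example
""",
    "hzqxwp.example": """\
Domain Name: HZQXWP.EXAMPLE
Creation Date: 2015-08-16T00:00:00Z
Registrant Name: David Bowers
Registrant Email: bowers.d@other.example
""",
}

# Constructed `openssl x509 -text` style output (host:port -> text). The first two
# hosts present the slide's serial/issuer, once in the two-line layout openssl uses
# for long serials and once inline; the third host has an unrelated certificate.
CERT_OBSERVATIONS = {
    "198.51.100.7:443": """\
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            fa:21:6b:2c:8e:6c:35:f6
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=EU, ST=Oregon, L=Cincinati, O=Oracle Corporation, OU=Oracle, CN=Oracle Developer
""",
    "203.0.113.9:8443": """\
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: fa:21:6b:2c:8e:6c:35:f6
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=EU, ST=Oregon, L=Cincinati, O=Oracle Corporation, OU=Oracle, CN=Oracle Developer
""",
    "192.0.2.33:443": """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0c:4e:91:aa:17:53:2b:09
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Example CA, CN=Example Issuing CA
""",
}


def parse_whois(text):
    """First value for each 'Key: value' line; keys keep their registrar spelling."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), value.strip())
    return fields


SERIAL_RE = re.compile(r"Serial Number:\s*([0-9a-fA-F:]+)")   # \s* spans the line break
ISSUER_RE = re.compile(r"Issuer:\s*(.+)")


def parse_cert(text):
    """(normalised serial, issuer DN) from openssl text output, or None if absent."""
    serial = SERIAL_RE.search(text)
    issuer = ISSUER_RE.search(text)
    if not serial or not issuer:
        return None
    return serial.group(1).lower().replace(":", ""), issuer.group(1).strip()


def pivot(observations, key_fn):
    """Group observation ids by the artifact key_fn extracts; keep only shared keys."""
    groups = defaultdict(set)
    for ident, text in observations.items():
        key = key_fn(text)
        if key:
            groups[key].add(ident)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    print("by registrant e-mail:", pivot(WHOIS_RECORDS, lambda t: parse_whois(t).get("Registrant Email")))
    print("by registrant name: ", pivot(WHOIS_RECORDS, lambda t: parse_whois(t).get("Registrant Name")))
    print("by certificate:     ", pivot(CERT_OBSERVATIONS, parse_cert))
```

Pivoting on more than one field matters: the e-mail pivot links a domain registered under a varied name ("D. Bowers"), while the name pivot links one registered with a different e-mail address, and a privacy-protected record is linked by neither. The serial/issuer pair is the cheap key; for a production pivot use the SHA-1 or SHA-256 fingerprint of the DER certificate, which is also what search engines index.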
  37. Surveillance
     • DNS data can change; IPs can come and go.
     • Use adnstools to bulk resolve all DNS indicators on a frequent basis (this is what my DGA feeds are based on).
     • C2s can start or stop listening or issuing instructions.
     • These changes (and the related metadata) can prove key in an investigation.
  38. Surveillance
     • Creation of feeds and intake is still a passive tactic.
     • Possible to see C2 changes and notify in near real-time to potentially take action on the data.
     • This uses the Pushover application (Apple and Google stores), which has a very simple API.
  39. New Matsnu domains registered
  40. Pushover
     curl -s --form-string "token=$appkey" --form-string "user=$userkey" --form-string "message=$message"
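Slides 37 to 40 describe one loop: bulk-resolve every indicator on a schedule, diff the result against the previous run, and push the changes to a phone. The block below is an added example for this page rather than the speaker's scripts. The two snapshots are constructed, `resolve()` is a slow stdlib stand-in for adnstools (it is not called by the tests), and `send_pushover()` performs the same POST as the curl on slide 40 against Pushover's message endpoint, `https://api.pushover.net/1/messages.json`, which the slide does not spell out; the credentials are read from environment variables named here by assumption.

```python
import json
import os
import socket
import urllib.parse
import urllib.request

PUSHOVER_URL = "https://api.pushover.net/1/messages.json"  # Pushover message API


def resolve(names):
    """Bulk-resolve indicators with the stdlib (stand-in for adnstools).
    A name that does not resolve is recorded as an empty set."""
    snapshot = {}
    for name in names:
        try:
            snapshot[name] = set(socket.gethostbyname_ex(name)[2])
        except socket.gaierror:
            snapshot[name] = set()
    return snapshot


# Constructed snapshots: indicator -> set of A records; empty set = did not resolve.
YESTERDAY = {
    "c2-one.example": {"198.51.100.7"},
    "c2-two.example": {"203.0.113.9", "203.0.113.10"},
    "c2-three.example": set(),
}
TODAY = {
    "c2-one.example": {"198.51.100.7"},
    "c2-two.example": {"203.0.113.10", "192.0.2.33"},
    "c2-three.example": {"192.0.2.44"},          # a DGA domain somebody just registered
    "c2-four.example": set(),                    # newly added to the watch list
}


def diff_snapshots(old, new):
    """Return (indicator, event, detail) for every indicator whose answer changed.
    Events: 'new indicator', 'now resolving', 'no longer resolving', 'changed'."""
    events = []
    for name in sorted(new):
        before, after = old.get(name), new[name]
        if before is None:
            events.append((name, "new indicator", sorted(after)))
        elif before == after:
            continue
        elif not before and after:
            events.append((name, "now resolving", sorted(after)))
        elif before and not after:
            events.append((name, "no longer resolving", sorted(before)))
        else:
            events.append((name, "changed",
                           {"added": sorted(after - before), "removed": sorted(before - after)}))
    return events


def format_alert(events):
    """One line per change, small enough for a push notification."""
    return "\n".join(f"{name}: {kind} {detail}" for name, kind, detail in events)


def send_pushover(app_token, user_key, message):
    """Same form fields as the curl on slide 40; returns Pushover's JSON reply."""
    data = urllib.parse.urlencode(
        {"token": app_token, "user": user_key, "message": message}).encode()
    with urllib.request.urlopen(PUSHOVER_URL, data=data, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Real use: today = resolve(list_of_indicators); yesterday loaded from the last run.
    events = diff_snapshots(YESTERDAY, TODAY)
    message = format_alert(events)
    print(message)
    if message and "PUSHOVER_TOKEN" in os.environ and "PUSHOVER_USER" in os.environ:
        print(send_pushover(os.environ["PUSHOVER_TOKEN"], os.environ["PUSHOVER_USER"], message))
```

Indicators that drop out of the watch list are deliberately not reported, and an unchanged answer produces nothing, so a quiet day sends no notification; the "now resolving" event is the one that maps to the slide's "New Matsnu domains registered" alert.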
  41. Pairing with other data
     • Barncat (the malware config data earlier) is a bulk malware config ripping engine to statically extract config data from malware binaries.
     • Includes fields like “campaign ID”, mutex, and C2 information that can be correlated.
  42. More effective disruption
     • The “good guys” need to get lucky only once to attribute the adversary. The adversary has to be lucky every time to ensure this doesn’t happen.
     • The more they have to do, the harder this becomes.
     • All successful prosecutions involve monitoring an adversary over the long term to find the one time they screw up and expose themselves.
     • Exploiting redundancy provides the opportunity to make this happen.
  43. Free Resources
     • For my DGA feeds, go to … (no authentication needed).
     • For static malware configs, go to … (email me for access at …).
  44. Questions & Thank You!
     Find more of our research at: …
     John Bambenek / …
     Thanks to Vladimir Kropotov, Fyodor Yarochkin, Kevin Breen and Tim Leedy for their research and contributions to these efforts.