7. Fast Flux Monitoring/Detection System
• TTL=0: Kelihos Fast Flux domains, 7-month study presented at APWG eCrime 2013
  http://labs.umbrella.com/2013/09/24/real-time-monitoring-kelihos-fast-flux-botnet-case-study-presented-apwg-ecrime-2013/
• TTL=150
• TTL=300
• TTL=1440, spam domains
8. Fast Flux Monitoring/Detection System
While true:
1. Select a seed of Kelihos domains w/ a confirmed profile
2. Continuously milk domains for IPs
3. Continuously "inverse lookup" IPs in passive DNS, for new domains that start resolving to these IPs
4. Check detected domains for known profile (e.g. TTL, registration, existence of payload, etc)
5. Add new domains to the initial seed
9. Kelihos domains profile
• Various gTLDs, ccTLDs, 1 single IP, TTL=0, hosted on Kelihos botnet IP pool (growing), infected individual machines, recent registration, delivering malware executables with known names
• Recorded case(s) of domain resolving to several IPs with TTL=600, cocala.asia, or TTL=300
10. Generalized Monitoring/Detection System
• While true
  • Read IP watch list, launch parallel process for every IP
  • A process performs IP inverse lookup against DNSDB
  • Every process returns new domains for IP
  • Join all processes' output, check against blacklist
  • Keep only new domains
  • Perform parallelized post discovery checks using different heuristics: traffic pattern, name pattern, extra IP reputation check, etc.
  • Add new domains to blacklist
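One pass of the loop on slides 8-10, written here as an added example (not the deck's own code) against a small constructed in-memory stand-in for DNSDB; the names PDNS, milk_seed, inverse_lookup and kelihos_profile, and the profile thresholds, are assumptions.

```python
"""Added example, not the deck's own code: one pass of the generalized
monitoring loop on slides 8-10, run against a small constructed stand-in for
DNSDB. PDNS, milk_seed, inverse_lookup and kelihos_profile are names chosen here."""
from concurrent.futures import ThreadPoolExecutor
from datetime import date

# Constructed passive-DNS view: domain -> (IPs it resolved to, TTL, registration date)
PDNS = {
    "seed1.example.asia":  ({"198.51.100.10"}, 0, date(2013, 9, 1)),
    "new1.example.info":   ({"198.51.100.10"}, 0, date(2013, 9, 10)),
    "new2.example.biz":    ({"198.51.100.11"}, 0, date(2013, 9, 12)),
    "oldsite.example.com": ({"198.51.100.11"}, 86400, date(2005, 3, 2)),
    "multi.example.net":   ({"198.51.100.10", "203.0.113.5"}, 600, date(2013, 9, 11)),
}
TODAY = date(2013, 9, 16)   # constructed reference date for the registration-age check

def milk_seed(seed):
    """Slide 8 step 2: collect every IP the seed domains have resolved to."""
    return set().union(*(PDNS[d][0] for d in seed))

def inverse_lookup(ip):
    """Slide 10: one worker per IP returns the domains seen resolving to it."""
    return {d for d, (ips, _, _) in PDNS.items() if ip in ips}

def kelihos_profile(domain, today=TODAY):
    """Slide 9 profile: a single IP, TTL=0 and a recent registration (30 days assumed)."""
    ips, ttl, registered = PDNS[domain]
    return len(ips) == 1 and ttl == 0 and (today - registered).days <= 30

def monitor_iteration(watch_ips, blacklist, today=TODAY):
    """Parallel inverse lookups, join, drop known domains, profile-check, add."""
    with ThreadPoolExecutor(max_workers=max(1, len(watch_ips))) as pool:
        results = list(pool.map(inverse_lookup, watch_ips))
    candidates = set().union(*results) - blacklist            # keep only new domains
    confirmed = {d for d in candidates if kelihos_profile(d, today)}
    blacklist |= confirmed                                     # grows the seed / blacklist
    return confirmed, candidates - confirmed

if __name__ == "__main__":
    seed = {"seed1.example.asia"}
    found, rejected = monitor_iteration(milk_seed(seed), seed)
    print("new Kelihos-profile domains:", sorted(found))
    print("rejected by profile:", sorted(rejected))
```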
11. Watch list selection
• Continuous background process
• Different methods/heuristics to harvest new IPs with high risk potential
• Use fresh blacklist, 3rd party BL domain list
12. Watch list selection (cont'd)
• Resolve IPs and cluster by popularity, age, attack theme
  -> IP observed to host exclusively EK domains or ransomware
  -> Similar name pattern of hosted domains
  -> Similar traffic pattern
• Remove IPs on large shared hosting providers unless exceptions (e.g. keep OVH CIDR dedicated to malware), sinkholes, other IP profiles that could cause FPs
13. Harvesting bad IPs
• When we discover new high risk IPs, why not just block IPs? Sure, we can, and we often do!
• But you lose intel and investigative material related to domains: name patterns, DGAs, dynamic DNS usage, malicious subdomains under legitimate compromised domains
14. Post detection checks
• Traffic pattern, name pattern, further IP reputation check
• If a spike or beginning of spike, then potential risk domain
• Exclude spam domains
• But spike means domain has already delivered attack
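The traffic-pattern check of this slide, as an added example that is not part of the deck: it runs over constructed daily query counts, separates a spike already under way from the beginning of one, and drops spam domains; the factor and query floor are assumed thresholds.

```python
"""Added example, not from the deck: the traffic-pattern check of slide 14 run
over constructed daily resolver query counts. 'beginning' means only the latest
day is elevated (early warning); 'spike' means the rise was already under way
yesterday, i.e. the domain has likely already delivered. Factor and floor are
assumed thresholds."""
from statistics import median

# Constructed daily query counts per domain, oldest day first; names are made up.
COUNTS = {
    "ek1.example.biz":    [0, 0, 1, 0, 2, 1, 350],
    "rise.example.asia":  [3, 2, 4, 3, 5, 40, 95],
    "steady.example.com": [900, 950, 920, 980, 910, 940, 960],
    "bulk.example.net":   [5, 6, 4, 5, 6, 5, 5000],
}
SPAM = {"bulk.example.net"}   # slide 14: spam domains are excluded from this check

def spike_state(series, factor=10, min_queries=20):
    """Classify the last day of a series against its trailing baseline.

    Returns 'spike', 'beginning' or None. The baseline is the median of all
    days except the last two, floored at 1 so that never-seen domains count."""
    if len(series) < 3:
        return None
    baseline = max(median(series[:-2]), 1)
    prev, last = series[-2], series[-1]

    def elevated(n):
        return n >= min_queries and n >= factor * baseline

    if not elevated(last):
        return None
    return "spike" if elevated(prev) else "beginning"

def risk_domains(counts, spam):
    """Slide 14: flag non-spam domains at a spike or at the beginning of one."""
    flagged = {}
    for domain, series in counts.items():
        if domain in spam:
            continue
        state = spike_state(series)
        if state:
            flagged[domain] = state
    return flagged

if __name__ == "__main__":
    for domain, state in sorted(risk_domains(COUNTS, SPAM).items()):
        print(f"{domain}: {state}")
```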
15. Post detection checks (cont'd)
• So preemptive blocking is necessary if domain has high potential of being an attack domain
• Not everything should be automated
• Human intel and investigation needed at times to remove FPs and add FN back -> Fine-tune the model
16. Platform and tools used
- Pig on Hadoop cluster
- Raw logs on HDFS
- Indexed DNSDB in HBase
- Python, shell, Gnu Parallel
17. System in a nutshell
-> Constantly running process of harvesting fresh high risk IPs
-> Constantly running process of discovering fresh malicious domains
-> Constantly querying DNSDB with IP inverse lookups
Backend:
-> DNSDB constantly fed with authoritative traffic from all resolvers
18. Whitelist
• IPs hosting spam domains: a lot of IPs on AS15149, e.g. 216.169.100.133
• Shared hosting IPs with a large number of general purpose websites
19. Use cases
• Kelihos fast flux botnet
• Fake AV
• .pl domains used for Kovter and other
• Godaddy compromised domains
• Cryptolocker CnC discovery
• NuclearPack EK
• Browlock domains
20. Kelihos Fast flux
• Kelihos fast flux botnet
• Up until Sep 16th, about 984 domains (and subdomains) hosted on 28757 IPs
  http://labs.umbrella.com/2013/09/24/real-time-monitoring-kelihos-fast-flux-botnet-case-study-presented-apwg-ecrime-2013/
• Sample of domains of Aug-Sep
• 399 domains on 8159 IPs
22. Fake AV
• 82.208.40.11 hosting 23502 Fake AV, Fake SW domains for 76 days
  https://www.virustotal.com/en/ip-address/82.208.40.11/information/
• Free domains under cz.cc, uni.me
• 176.31.125.91 hosting 6687 similar domains for 66 days
23. .pl used for ransomware
Sample of .pl domains: 19267 domains on 12 IPs
3 level domains:
  f9photo.ucuphahnui.kepno.pl
  95oishi.maimuofief.pisz.pl
• First 2 labels are DGAs
• from malware.dontneedcoffee.com
• Used in malvertising campaigns on adult websites leading to Exploit kit domains and Kovter ransomware dropping
  http://www.malekal.com/2013/07/31/en-urausy-adultfriendzfinder-malvertising-banner/
25. NuclearPack EK
-> 1523 domains on 198.50.225.113
• 2 level domains under .biz
• 1st label is random, 16 2LDs registered July 28th
• hxxp://dreut.valentinespell.biz:59902/0e724s2d10467436c6149sce02712a.html
-> 1378 domains on 198.50.235.198
• 2 level domains under .biz
• 1st label is random
• hxxp://u5s1av.diwalipearl.biz:55252/5a9b00e34d8b18cb571ba56a357cfafc.html
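The "similar name pattern" heuristic that slides 12, 14, 23 and 25 rely on, as an added example that is not the deck's code: it profiles the hostnames seen on each IP (label depth, distinct parent domains, and how many leading labels never repeat, since DGA-style labels do not repeat while www/mail-style ones do). The observation list is constructed; the .biz and .pl hostnames are the ones quoted on the slides, regrouped onto two IPs for the example, the rest are made up, and the thresholds are assumptions.

```python
"""Added example, not the deck's code: the 'similar name pattern' check of
slides 12, 14, 23 and 25, applied per hosting IP. Sample records are
constructed (slide-quoted .biz/.pl names regrouped, others invented);
min_hosts and min_unique are assumed thresholds."""
from collections import Counter, defaultdict

# Constructed (ip, hostname) records as an inverse lookup would return them.
OBS = [
    ("198.50.225.113", "dreut.valentinespell.biz"),
    ("198.50.225.113", "u5s1av.diwalipearl.biz"),
    ("198.50.225.113", "clgang.electiondayfabulous.biz"),
    ("203.0.113.7", "f9photo.ucuphahnui.kepno.pl"),
    ("203.0.113.7", "95oishi.maimuofief.pisz.pl"),
    ("203.0.113.7", "x1koto.baelueth.kepno.pl"),      # made-up, same shape
    ("192.0.2.44", "www.shop-one.example"),
    ("192.0.2.44", "mail.shop-one.example"),
    ("192.0.2.44", "www.blog-two.example"),
    ("192.0.2.44", "www.cafe-three.example"),
]

def name_profile(hostnames):
    """Summarise the shape of the hostnames seen on one IP.

    Random leading labels never repeat across the set; legitimate hosting
    shows 'www'/'mail' again and again, so the share of never-repeated
    leading labels separates the two cases."""
    hosts = sorted(set(hostnames))
    depths = Counter(h.count(".") + 1 for h in hosts)
    first = Counter(h.split(".")[0] for h in hosts)
    parents = {h.split(".", 1)[1] for h in hosts}
    return {
        "hosts": len(hosts),
        "depth": depths.most_common(1)[0][0],
        "single_depth": len(depths) == 1,
        "parents": len(parents),
        "unique_first": sum(1 for c in first.values() if c == 1) / len(hosts),
    }

def suspicious_ips(obs, min_hosts=3, min_unique=0.9):
    """Group hostnames by IP and flag IPs whose naming looks machine-generated."""
    by_ip = defaultdict(list)
    for ip, host in obs:
        by_ip[ip].append(host)
    flagged = {}
    for ip, hosts in by_ip.items():
        p = name_profile(hosts)
        if p["hosts"] >= min_hosts and p["single_depth"] and p["unique_first"] >= min_unique:
            flagged[ip] = p
    return flagged
```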
26. NuclearPack EK
-> 198.50.235.200 became active on Oct 15th
• Already hosting 400+ domains
• hxxp://clgang.electiondayfabulous.biz:44142/4078c813508ad60acc95d0744365c68c.html
• Shifting on 198.50.128.0/17 OVH prefix
27. Compromised GoDaddy domains
• Campaign of injecting malicious subdomains (3LDs) under legitimate/compromised Godaddy domains (2LDs)
• 5 IPs hosting 800 subdomains (3LDs) over 10 days in Aug-Sep
• Used to serve Cool exploit kit through CookieBomb attack on compromised websites and finally drop Reveton
  http://quequero.org/2013/09/active-cookiebomb-cve-2013-2465-reveton/
• Happened before in 2012 and happening again
  http://nakedsecurity.sophos.com/2012/11/23/hacked-go-daddy-ransomware/
29. Cryptolocker CnCs
• Ransomware released early September 2013
• Encrypts your files and asks for a $300 ransom to get them back
• 2 initial Cryptolocker CnCs were picked up by the system a day before they were published on Sep 11
  • xeogrhxquuubt.com
  • qaaepodedahnslq.org
30. Browlock domains
• Browser-based ransomware targeted at countries in 3 different continents
• Example: 194.44.49.150 hosting 2629 subdomains over 26 days
32. Browlock domains (cont'd)
• Browser-based ransomware targeted at countries in 3 different continents
• 193.169.87.15, 196.47.100.2, over a period of 13 days, hosting 8978 browlock domains and domains with adult-themed names that redirect to browlock
34. Conclusion
• Ongoing research and work to increase coverage and accuracy of early detection of domains before they deliver attacks
• Extend coverage to shared hosting IPs
• Effective early detection/protection DNS-based system
• Use it with other protection methods: AV, IDS, etc.
• Experimentation in our lab with streaming technologies: Storm, Kafka, Zeromq -> Complementary with DNSDB-based detection system
35. Contact Info
• Contact me at dhia@opendns.com if you are interested in:
  • Asking questions
  • Collaborating
• Follow me on Twitter @DhiaLite
• Blogs http://labs.umbrella.com/author/dhia/