SlideShare a Scribd company logo

HITCON 2015 - DGAs, DNS and Threat Intelligence

Download as PPTX, PDF
John Bambenek
John Bambenek

Domain Generation Algorithms (DGAs) and DNS provide a layer of resilience to botnets and malware. They also provide new and novel ways to monitor and surveil malicious networks. This talk will discuss methods you can use to turn DGAs and DNS against malware operators in order to better protect your enterprise.

Internet
1 of 49
DGAs and Threat Intelligence John Bambenek – Fidelis Cybersecurity Threat Research Team HITCON 2015
Intro  Sr. Threat Analyst for Fidelis Cybersecurity  Adjunct Faculty in CS Department at the University of Illinois at Urbana-Champaign  Producer of open-source intel feeds  Work with companies and LE all over the world to address growth in cybercrime
About Threat Intelligence  Information is a set of unprocessed data that may or may not contain actionable intelligence.  Intelligence is the art of critically examining information to draw meaningful and actionable conclusions based on observations and information.  Involves analyzing adversary capabilities, intentions and motivations.
Adversarial objectives  Here we are generally talking about organized crime, usually financially motivated.  What we know:  Highly rational actors  May hire “outside experts” for specific tasks  Generally technological sophisticated  Desire to remain “quiet” and resilient
My Objectives  Any good intelligence program needs to also analyze your own objectives.  I investigate and try to disrupt criminal networks, so my objective is externally focused.  These efforts are directed toward “criminal” actors, nation-state / APT threats would require a different focus.  Most people are defensively focused so their information priorities are different.
Malware C2 Network Types  Static IP / Hostname Lists  Proxied C2s  Dynamic DNS  Fast Flux / Double Flux Networks  Domain Generation Algorithms  Tor / i2p hidden services
A History of Malware C2 Networks  An adversary wants to persist over the long-term and make their networks more resilient against enforcement actions.  Domains tend to be easier to take down the IPs due to avoidance of jurisdictional issues.  Development over time will largely show adversaries have acted in ways to ensure increased resiliency.  We can continue to map forward over time where they are likely to go in the future as a result.
Use of Multiple Techniques  The most resilient malware C2 use multiple methods of callback.  Static Lists  DGAs  Tor/I2P  If one or two are blocked, still able to control machine.  To affect a takedown, need to block all means of communication and updating victim machines.
Domain Generation Algorithms  Usually a complex math algorithm to create pseudo-random but predictable domain names.  Now instead of a static list, you have a dynamic list of hundreds or thousands of domains and adversary only needs to have a couple registered at a time.  Can search for “friendly” registrars to avoid suspension.
Reverse Engineering DGAs  Many blog posts about reversing specific DGAs, Johannes Bader has the most online at his blog:  Johannesbader.ch  No real shortcuts except working through IDA/Debugger and reversing the function.  Look for functions that iterate many times.  There will be at least a function to generate the domains and a function to connect to all of them to find the C2.  As with all reverse engineering, be aware of obfuscation and decoy code meant to deceive you.
Reversing DGAs Example From http://johannesbader.ch/2015/05/the-dga-of-ranbyus/
Types of DGAs  Almost all DGAs use some time of “Seed”.  Types:  Date-based  Static seed  Dynamic seed  Seed has to be globally consistent so all victims use the same one at the same time.
Other DGA Hardening Techniques  Choice of gTLD matters.  Some doing have WHOIS protection, make it hard to sinkhole  Rotation of seeds  Some malware has rudimentary “sinkhole awareness”  Adversarial objectives: Maintain control, limit surveillance
Examples of select DGAs - Cryptolocker  Used 1000 domains a day across 7 gTLDs. Order domains are queries in based on GetTickCount()  Eerily similar to DGA described in Wikipedia article on DGAs.  Used previously by Flashback OSX Worm.  Never changed during the life of the malware campaign.  Successfully taken down in June 2014.  Special thanks to Vladimir Kropotov for his help on this!
Examples of select DGAs - Cryptolocker  Intel conclusions:  Likely written by a third party.  Went days without a domain registered, actor wanted to get paid but wasn’t overly concerned about keeping everything going 24x7.  Tended not to shift registrar even after domains were suspended.  Likely didn’t monitor his own domains because the ratio of malicious to sinkholed domains was about 1:125.  Way to go on the OPSEC good guys. D
Examples of select DGAs - Tinba  Generated 1,000 domains a day, not date- seeded.  Seeded by an initial hostname and a defined gTLD (one or more).  Changes seeds often and tends to update already infected machines.  At least sinkholing tended to be ineffective for more than a few days.
Examples of select DGAs - Tinba  Intelligence conclusions:  These guys care about their infrastructure.  Likely they are actively monitoring to see when their DGA is cracked and adapting accordingly.  Likely they wrote DGA with this kind of flexibility in mind.
Examples of select DGAs - Bedep  Uses a dynamic seed – currency exchange values for foreign currency  European Central Bank produces daily feeds of the rates, this is used as source data.  Impossible to predict in advance even though code to generate the domains is publicly available.  http://asert.arbornetworks.com/bedeps-dga-trading-foreign- exchange-for-malware-domains/
Examples of select DGAs - Bedep  To date, all successful takedowns (and for that matter unsuccessful takedowns) seized malicious DGA domains in advance while simultaneously suspending current domains.  This would decapitate a botnet if and only if there was no fallback mechanism to reach the C2 (i.e. tor).  How can you do this for Bedep when you don’t know future currency values?  Intelligence conclusion: this is obviously an intentional choice.
Examples of Select DGAs – Matsnu and Rovnix  Matsnu and Rovnix both use wordlists to generate domains that appear like they would be “reasonable”. Rovnix uses the US Declaration of Independence.  Problem is that sometimes there is collisions with real domains. teamroomthing.com,Domain used by matsnu DGA for 16 Aug 2015,2015-08- 16 transitionoccur.com,Domain used by matsnu DGA for 16 Aug 2015,2015-08- 16 windbearboxreceive.com,Domain used by matsnu DGA for 16 Aug 2015,2015-08-16 winner-care-sir.com,Domain used by matsnu DGA for 16 Aug 2015,2015-08- 16 theirtheandaloneinto.com, Domain used by Rovnix DGA thathistoryformertrial.com, Domain used by Rovnix DGA tothelayingthatarefor.com, Domain used by Rovnix DGA definebritainhasforhe.com, Domain used by Rovnix DGA tosecureonweestablishment.com, Domain used by Rovnix DGA
What the use of DGAs gives the good guys  Easy ability to sinkhole unused DGA domains to gather additional intelligence.  Easier ability to do bulk takedowns.  *IF* you can predict domains in advance.  The ability to surveil malicious infrastructure in near real-time.
What the use of DGAs gives the good guys  The use of DNS in malware severely limits the ability of the adversary to play games.  They need the world to be able to find their infrastructure in order to control victim machines.  Even when DGA changes, the adversary **tends** not to immediately change their infrastructure too.  Allows for the use of passive DNS to see the extent of DGA changes.
Sinkholing  Many security companies do this.  Many want to hide the fact they do this.  Most adversaries aren’t stupid enough to not notice.  Remember, Cryptolocker we had 125 or so sinkholed domain for every 1 malicious domain.
Feed generation on DGAs sjuemopwhollev.co.uk,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13 meeeqyblgbussq.info,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13 ntjqyqhqwcwost.com,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13, nvtvqpjmstuvju.net,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13 olyiyhprjuwrsl.biz,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13 sillomslltbgyu.ru,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13 gmqjihgsfulcau.org,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13, From here you could easily feed this into RPZ or other technology to protect your organization. But we want more.
How to set up surveillance on a DGA  Easy to set up with shell scripting and a non- t1.micro AWS instance.  Requires GNU parallel and adns-tools to handle bulk DNS queries.
DGA surveillance  Pre-generate all domains 2 days before to 2 days in future.  Pipe all those domains into adnshost using parallel to limit the number of lines.  Able to process over 700,000 domains inside 10 minutes (and I’m not done optimizing). parallel -j4 --max-lines=3500 --pipe adnshost -a -f < $list-of- domains | fgrep -v nxdomain >> $outputfile
Tinba DGA feed example bcldleeivfii.com,Domain used by tinba,2015-08-15 04:15 bfoxyvqtolmn.com,Domain used by tinba,2015-08-15 04:15 cniuybkgxelo.com,Domain used by tinba,2015-08-15 04:15 dgscodhlppkk.com,Domain used by tinba,2015-08-15 04:15 djnmllhgwtff.net,Domain used by tinba,2015-08-15 04:15 This is active not-known-sinkhole domains current resolving.
A note on intelligence bias  How we look at threats and what we tend to do with information will affect how we gather intel and how we process it.  I tend to be involved in takedowns so I am generally uninterested in sinkholes.  If you protect an organization, however, you care about your client machines reaching out to sinkholes because they are still infected.
Tinba IP list 5.230.193.215,IP used by tinba C&C,2015-08-15 04:15 54.72.9.51,IP used by tinba C&C,2015-08-15 04:15 95.163.121.201,IP used by tinba C&C,2015-08-15 04:15 104.27.169.12,IP used by tinba C&C,2015-08-15 04:15 104.28.13.180,IP used by tinba C&C,2015-08-15 04:15 Seems like a good list to firewall… More on that in a moment.
Should also check NS info too 5.230.193.215,Nameserver IP used by tinba C&C,2015-08-15 04:21 5.45.69.31,Nameserver IP used by tinba C&C,2015-08-15 04:21 46.166.189.99,Nameserver IP used by tinba C&C,2015-08-15 04:21 50.7.230.28,Nameserver IP used by tinba C&C,2015-08-15 04:21 54.75.226.194,Nameserver IP used by tinba C&C,2015-08-15 04:21
Should also check NS info too ns3.freedns.ws,Nameserver used by tinba C&C,2015-08-15 04:21 ns4.freedns.ws,Nameserver used by tinba C&C,2015-08-15 04:21 ns-canada.topdns.com,Nameserver used by tinba C&C,2015-08-15 04:21 ns-uk.topdns.com,Nameserver used by tinba C&C,2015-08-15 04:21 ns-usa.topdns.com,Nameserver used by tinba C&C,2015-08-15 04:21 With these two data points you can usually quickly validate what is a sinkhole and what is likely malicious and bears further investigation.
DGA Surveillance  Looking at those four data points you now have solid information to make decisions based on the data.  You could block domains/IPs.  You could block nameservers (some times).
Adversarial Response  Adversaries know we are doing this.  In response:  They change seeds frequently  They have non-DGA communication mechanisms  They engage in counterintelligence
Counterintelligence  The tactics by which an adversary thwarts attempts to gather information on itself.  Remember the domain and IP lists before?  What if an adversary registers domains that they aren’t using?
Counterintelligence – or worse version  What if adversary knows you pump these IP lists directly into your firewall (and I know people do this with my feeds)?  Anyone recognize these IP addresses? They are the DNS Root Servers 198.41.0.4 192.228.79.201 192.33.4.12 199.7.91.13 192.203.230.10 192.5.5.241 192.112.36.4 128.63.2.53 192.36.148.17 192.58.128.30 193.0.14.129 199.7.83.42 202.12.27.33
Counterintelligence – or worse version  Taking action on information without analysis is generally a bad idea, especially when the information is under the complete control of the adversary.  This is why intelligence analysis is so important.  (I whitelisted the root servers after I noticed an adversary tried to do an attack similar to this.)
Whois Registrar Intel  Often actors may re-use registrant information across different campaigns. There may be other indicators too.  Sometimes *even with WHOIS privacy protection* it may be possible to correlate domains and by extension the actor.  Most criminal prosecution in cybercrime is due to an OPSEC fail and the ability to map backwards in time of what the actor did to find that fail that exposes them.
Whois Info • Many actors will use WHOIS protection… some just use fake information. • “David Bowers” is common for Bedep. ubuntu$ grep "David Bowers" *.txt | grep Registrant whois-bfzflqejohxmq.com.txt:Registrant Name: David Bowers whois-demoqmfritwektsd.com.txt:Registrant Name: David Bowers whois-eulletnyrxagvokz.com.txt:Registrant Name: David Bowers whois-lepnzsiqowk94.com.txt:Registrant Name: David Bowers whois-mhqfmrapcgphff4y.com.txt:Registrant Name: David Bowers whois-natrhkylqoxjtqt45.com.txt:Registrant Name: David Bowers whois-nrqagzfcsnneozu.com.txt:Registrant Name: David Bowers whois-ofkjmtvsnmy1k.com.txt:Registrant Name: David Bowers
David Bowers bfzflqejohxmq.com,Domain used by bedep (-4 days to today),2015-08-16 eulletnyrxagvokz.com,Domain used by bedep (-4 days to today),2015-08-16 natrhkylqoxjtqt45.com,Domain used by bedep (-4 days to today),2015-08-16 nrqagzfcsnneozu.com,Domain used by bedep (-4 days to today),2015-08-16 But why stop with just known DGAs, what other domains are associated with “David Bowers”?
David Bowers
Surveillance is nice, what about notification?  Creation of feeds and intake is still a passive tactic.  It is all possible to automate notifications when key changes happen to allow for more near-time actions.  This uses the Pushover application (Apple and Google stores) which has a very simple API.
New Dyre domain registered
New Bedep Domain Registered
New Matsnu domains registered
Pivoting  Now that I know the-fancastar.com and j- manage.com serve NS for Matsnu, I can see what else is served by those nameservers to find additional intelligence.  As of 24 Aug, this has switched to nausoccer.net and kanesth.com  Caution is due, this may not always yield results and may yield false positives. Always correlate with something else before making a final judgement.
Pivoting Using IP from Matsnu 31.210.120.103 hostkale.com. IN A 31.210.120.103 ns1.hostkale.com. IN A 31.210.120.103 ns2.hostkale.com. IN A 31.210.120.103 linuxtr.hostkale.com. IN A 31.210.120.103 mobiluzman.com. IN A 31.210.120.103 habertemasi.com. IN A 31.210.120.103 kinghackerz.com. IN A 31.210.120.103 eglencekeyfi.com. IN A 31.210.120.103 ns1.eglencekeyfi.com. IN A 31.210.120.103 nejdetkuafor.com. IN A 31.210.120.103 profitstring.com. IN A 31.210.120.103 sirketrehber.com. IN A 31.210.120.103 actstudy-meat.com. IN A 31.210.120.103 ….
Last adversarial response  Starting to see sinkhole-aware malware.  Some malware always authenticated the C2, but sinkholes still could gather intel.  Now malware is being written to attempt to bypass sinkholes altogether.
The Future?  DGAs will be around for awhile as part of several methods of communication to victim machines.  Tor/I2P will continue to be used because of its advantages but DGAs still needed due to ease of blocking tor.  Increase in the use of “interesting” dynamic seeds.
Questions? Thanks Daniel Plohmann, April Lorenzen, Andrew Abakumov, Anubis Networks, many others. And thanks HITCON! My feeds: osint.bambenekconsulting.com/feeds/ jcb@bambenekconsulting.com www.bambenekconsulting.com +1 312 425 7225

Recommended

PHDAYS: DGAs and Threat Intelligence
PHDAYS: DGAs and Threat IntelligencePHDAYS: DGAs and Threat Intelligence
PHDAYS: DGAs and Threat Intelligence
John Bambenek
 
ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at Scale
John Bambenek
 
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksTHOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
John Bambenek
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoDefcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using Crypto
John Bambenek
 
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSThotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
John Bambenek
 
Corporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesCorporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing Felonies
John Bambenek
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
John Bambenek
 
THOTCON - The War over your DNS Queries
THOTCON - The War over your DNS QueriesTHOTCON - The War over your DNS Queries
THOTCON - The War over your DNS Queries
John Bambenek
 

Recommended

PHDAYS: DGAs and Threat Intelligence
PHDAYS: DGAs and Threat IntelligencePHDAYS: DGAs and Threat Intelligence
PHDAYS: DGAs and Threat Intelligence
John Bambenek
 
ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at Scale
John Bambenek
 
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksTHOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
John Bambenek
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoDefcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using Crypto
John Bambenek
 
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSThotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
John Bambenek
 
Corporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesCorporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing Felonies
John Bambenek
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
John Bambenek
 
THOTCON - The War over your DNS Queries
THOTCON - The War over your DNS QueriesTHOTCON - The War over your DNS Queries
THOTCON - The War over your DNS Queries
John Bambenek
 
HITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
HITCON 2017: Building a Public RPZ Service to Protect the World's ConsumersHITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
HITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
John Bambenek
 
"Giving the bad guys no sleep"
"Giving the bad guys no sleep""Giving the bad guys no sleep"
"Giving the bad guys no sleep"
Christiaan Beek
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
Christiaan Beek
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
Chi En (Ashley) Shen
 
GreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseGreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To Noise
Andrew Morris
 
MITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - December
MITRE - ATT&CKcon
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
Christopher Gerritz
 
Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016
John Bambenek
 
Incident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceIncident Response for the Work-from-home Workforce
Incident Response for the Work-from-home Workforce
Christopher Gerritz
 
"There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow""There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow"
Christiaan Beek
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement Detection
Greg Foss
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...Andrew Morris
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Andrew Morris
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CanSecWest
 
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksDefending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael Banks
EC-Council
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
Stephan Borosh
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshop
Arpan Raval
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston Hecker
EC-Council
 
Shamoon
ShamoonShamoon
Shamoon
Shakacon
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
EC-Council
 
Malware vs Big Data
Malware vs Big DataMalware vs Big Data
Malware vs Big DataFrank Denis
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...OpenDNS
 

More Related Content

What's hot

HITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
HITCON 2017: Building a Public RPZ Service to Protect the World's ConsumersHITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
HITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
John Bambenek
 
"Giving the bad guys no sleep"
"Giving the bad guys no sleep""Giving the bad guys no sleep"
"Giving the bad guys no sleep"
Christiaan Beek
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
Christiaan Beek
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
Chi En (Ashley) Shen
 
GreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseGreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To Noise
Andrew Morris
 
MITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - December
MITRE - ATT&CKcon
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
Christopher Gerritz
 
Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016
John Bambenek
 
Incident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceIncident Response for the Work-from-home Workforce
Incident Response for the Work-from-home Workforce
Christopher Gerritz
 
"There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow""There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow"
Christiaan Beek
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement Detection
Greg Foss
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...Andrew Morris
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Andrew Morris
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CanSecWest
 
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksDefending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael Banks
EC-Council
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
Stephan Borosh
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshop
Arpan Raval
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston Hecker
EC-Council
 
Shamoon
ShamoonShamoon
Shamoon
Shakacon
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
EC-Council
 

What's hot (20)

HITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
HITCON 2017: Building a Public RPZ Service to Protect the World's ConsumersHITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
HITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
 
"Giving the bad guys no sleep"
"Giving the bad guys no sleep""Giving the bad guys no sleep"
"Giving the bad guys no sleep"
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
 
GreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseGreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To Noise
 
MITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - December
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016
 
Incident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceIncident Response for the Work-from-home Workforce
Incident Response for the Work-from-home Workforce
 
"There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow""There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow"
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement Detection
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
 
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksDefending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael Banks
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshop
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston Hecker
 
Shamoon
ShamoonShamoon
Shamoon
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
 

Similar to HITCON 2015 - DGAs, DNS and Threat Intelligence

Malware vs Big Data
Malware vs Big DataMalware vs Big Data
Malware vs Big DataFrank Denis
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...OpenDNS
 
Atelier Technique CISCO ACSS 2018
Atelier Technique CISCO ACSS 2018Atelier Technique CISCO ACSS 2018
Atelier Technique CISCO ACSS 2018
African Cyber Security Summit
 
(Isc)² secure johannesburg
(Isc)² secure johannesburg (Isc)² secure johannesburg
(Isc)² secure johannesburg
Tunde Ogunkoya
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and Frankenstein
Phillip Maddux
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
Hafez Kamal
 
DApps_ Security Issues, Hacks, and Preventive Measures.pptx
DApps_ Security Issues, Hacks, and Preventive Measures.pptxDApps_ Security Issues, Hacks, and Preventive Measures.pptx
DApps_ Security Issues, Hacks, and Preventive Measures.pptx
Cyphersheild.tech
 
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7
Jesse Burke
 
Backtrack Manual Part5
Backtrack Manual Part5Backtrack Manual Part5
Backtrack Manual Part5
Nutan Kumar Panda
 
Network security monitoring elastic webinar - 16 june 2021
Network security monitoring elastic webinar - 16 june 2021Network security monitoring elastic webinar - 16 june 2021
Network security monitoring elastic webinar - 16 june 2021
Mouaz Alnouri
 
Security Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC PerspectiveSecurity Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC Perspective
Positive Hack Days
 
Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security Checklist
APNIC
 
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Barry Greene
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublin
Derek King
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
Ernest Staats
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and Frankenstein
Phillip Maddux
 
Hitbkl 2012
Hitbkl 2012Hitbkl 2012
Hitbkl 2012F _
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Zoltan Balazs
 
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security tool
Jisc
 

Similar to HITCON 2015 - DGAs, DNS and Threat Intelligence (20)

Malware vs Big Data
Malware vs Big DataMalware vs Big Data
Malware vs Big Data
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
 
Atelier Technique CISCO ACSS 2018
Atelier Technique CISCO ACSS 2018Atelier Technique CISCO ACSS 2018
Atelier Technique CISCO ACSS 2018
 
(Isc)² secure johannesburg
(Isc)² secure johannesburg (Isc)² secure johannesburg
(Isc)² secure johannesburg
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and Frankenstein
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
 
DApps_ Security Issues, Hacks, and Preventive Measures.pptx
DApps_ Security Issues, Hacks, and Preventive Measures.pptxDApps_ Security Issues, Hacks, and Preventive Measures.pptx
DApps_ Security Issues, Hacks, and Preventive Measures.pptx
 
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7
 
Backtrack Manual Part5
Backtrack Manual Part5Backtrack Manual Part5
Backtrack Manual Part5
 
Network security monitoring elastic webinar - 16 june 2021
Network security monitoring elastic webinar - 16 june 2021Network security monitoring elastic webinar - 16 june 2021
Network security monitoring elastic webinar - 16 june 2021
 
Security Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC PerspectiveSecurity Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC Perspective
 
Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security Checklist
 
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublin
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and Frankenstein
 
Hitbkl 2012
Hitbkl 2012Hitbkl 2012
Hitbkl 2012
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security tool
 

More from John Bambenek

I'm All Up in Your Blockchain - Hunting Down the Nazis
I'm All Up in Your Blockchain - Hunting Down the NazisI'm All Up in Your Blockchain - Hunting Down the Nazis
I'm All Up in Your Blockchain - Hunting Down the Nazis
John Bambenek
 
MISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance
MISP Summit 2018: Barncat: Using MISP for Bulk Malware SurveillanceMISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance
MISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance
John Bambenek
 
SANSFIRE - Elections, Deceptions and Political Breaches
SANSFIRE - Elections, Deceptions and Political BreachesSANSFIRE - Elections, Deceptions and Political Breaches
SANSFIRE - Elections, Deceptions and Political Breaches
John Bambenek
 
Blackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of RansomwareBlackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of Ransomware
John Bambenek
 
IESBGA 2014 Cybercrime Seminar by John Bambenek
IESBGA 2014 Cybercrime Seminar by John BambenekIESBGA 2014 Cybercrime Seminar by John Bambenek
IESBGA 2014 Cybercrime Seminar by John Bambenek
John Bambenek
 
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
John Bambenek
 
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
John Bambenek
 
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
John Bambenek
 
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
John Bambenek
 

More from John Bambenek (9)

I'm All Up in Your Blockchain - Hunting Down the Nazis
I'm All Up in Your Blockchain - Hunting Down the NazisI'm All Up in Your Blockchain - Hunting Down the Nazis
I'm All Up in Your Blockchain - Hunting Down the Nazis
 
MISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance
MISP Summit 2018: Barncat: Using MISP for Bulk Malware SurveillanceMISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance
MISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance
 
SANSFIRE - Elections, Deceptions and Political Breaches
SANSFIRE - Elections, Deceptions and Political BreachesSANSFIRE - Elections, Deceptions and Political Breaches
SANSFIRE - Elections, Deceptions and Political Breaches
 
Blackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of RansomwareBlackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of Ransomware
 
IESBGA 2014 Cybercrime Seminar by John Bambenek
IESBGA 2014 Cybercrime Seminar by John BambenekIESBGA 2014 Cybercrime Seminar by John Bambenek
IESBGA 2014 Cybercrime Seminar by John Bambenek
 
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
 
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
 
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
 
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
 

Recently uploaded

Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
laozhuseo02
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
harveenkaur52
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
nirahealhty
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
CIOWomenMagazine
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
laozhuseo02
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
nhiyenphan2005
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
GTProductions1
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
ufdana
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Florence Consulting
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
JungkooksNonexistent
 

Recently uploaded (20)

Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
 

HITCON 2015 - DGAs, DNS and Threat Intelligence

  • 1. DGAs and Threat Intelligence John Bambenek – Fidelis Cybersecurity Threat Research Team HITCON 2015
  • 2. Intro  Sr. Threat Analyst for Fidelis Cybersecurity  Adjunct Faculty in CS Department at the University of Illinois at Urbana-Champaign  Producer of open-source intel feeds  Work with companies and LE all over the world to address growth in cybercrime
  • 3. About Threat Intelligence  Information is a set of unprocessed data that may or may not contain actionable intelligence.  Intelligence is the art of critically examining information to draw meaningful and actionable conclusions based on observations and information.  Involves analyzing adversary capabilities, intentions and motivations.
  • 4. Adversarial objectives  Here we are generally talking about organized crime, usually financially motivated.  What we know:  Highly rational actors  May hire “outside experts” for specific tasks  Generally technological sophisticated  Desire to remain “quiet” and resilient
  • 5. My Objectives  Any good intelligence program needs to also analyze your own objectives.  I investigate and try to disrupt criminal networks, so my objective is externally focused.  These efforts are directed toward “criminal” actors, nation-state / APT threats would require a different focus.  Most people are defensively focused so their information priorities are different.
  • 6. Malware C2 Network Types  Static IP / Hostname Lists  Proxied C2s  Dynamic DNS  Fast Flux / Double Flux Networks  Domain Generation Algorithms  Tor / i2p hidden services
  • 7. A History of Malware C2 Networks  An adversary wants to persist over the long-term and make their networks more resilient against enforcement actions.  Domains tend to be easier to take down the IPs due to avoidance of jurisdictional issues.  Development over time will largely show adversaries have acted in ways to ensure increased resiliency.  We can continue to map forward over time where they are likely to go in the future as a result.
  • 8. Use of Multiple Techniques  The most resilient malware C2 use multiple methods of callback.  Static Lists  DGAs  Tor/I2P  If one or two are blocked, still able to control machine.  To affect a takedown, need to block all means of communication and updating victim machines.
  • 9. Domain Generation Algorithms  Usually a complex math algorithm to create pseudo-random but predictable domain names.  Now instead of a static list, you have a dynamic list of hundreds or thousands of domains and adversary only needs to have a couple registered at a time.  Can search for “friendly” registrars to avoid suspension.
  • 10. Reverse Engineering DGAs  Many blog posts about reversing specific DGAs, Johannes Bader has the most online at his blog:  Johannesbader.ch  No real shortcuts except working through IDA/Debugger and reversing the function.  Look for functions that iterate many times.  There will be at least a function to generate the domains and a function to connect to all of them to find the C2.  As with all reverse engineering, be aware of obfuscation and decoy code meant to deceive you.
  • 11. Reversing DGAs Example From http://johannesbader.ch/2015/05/the-dga-of-ranbyus/
  • 12. Types of DGAs  Almost all DGAs use some time of “Seed”.  Types:  Date-based  Static seed  Dynamic seed  Seed has to be globally consistent so all victims use the same one at the same time.
  • 13. Other DGA Hardening Techniques  Choice of gTLD matters.  Some doing have WHOIS protection, make it hard to sinkhole  Rotation of seeds  Some malware has rudimentary “sinkhole awareness”  Adversarial objectives: Maintain control, limit surveillance
  • 14. Examples of select DGAs - Cryptolocker  Used 1000 domains a day across 7 gTLDs. Order domains are queries in based on GetTickCount()  Eerily similar to DGA described in Wikipedia article on DGAs.  Used previously by Flashback OSX Worm.  Never changed during the life of the malware campaign.  Successfully taken down in June 2014.  Special thanks to Vladimir Kropotov for his help on this!
  • 15. Examples of select DGAs - Cryptolocker  Intel conclusions:  Likely written by a third party.  Went days without a domain registered, actor wanted to get paid but wasn’t overly concerned about keeping everything going 24x7.  Tended not to shift registrar even after domains were suspended.  Likely didn’t monitor his own domains because the ratio of malicious to sinkholed domains was about 1:125.  Way to go on the OPSEC good guys. D
  • 16. Examples of select DGAs - Tinba  Generated 1,000 domains a day, not date- seeded.  Seeded by an initial hostname and a defined gTLD (one or more).  Changes seeds often and tends to update already infected machines.  At least sinkholing tended to be ineffective for more than a few days.
  • 17. Examples of select DGAs - Tinba  Intelligence conclusions:  These guys care about their infrastructure.  Likely they are actively monitoring to see when their DGA is cracked and adapting accordingly.  Likely they wrote DGA with this kind of flexibility in mind.
  • 18. Examples of select DGAs - Bedep  Uses a dynamic seed – currency exchange values for foreign currency  European Central Bank produces daily feeds of the rates, this is used as source data.  Impossible to predict in advance even though code to generate the domains is publicly available.  http://asert.arbornetworks.com/bedeps-dga-trading-foreign- exchange-for-malware-domains/
  • 19. Examples of select DGAs - Bedep  To date, all successful takedowns (and for that matter unsuccessful takedowns) seized malicious DGA domains in advance while simultaneously suspending current domains.  This would decapitate a botnet if and only if there was no fallback mechanism to reach the C2 (i.e. tor).  How can you do this for Bedep when you don’t know future currency values?  Intelligence conclusion: this is obviously an intentional choice.
  • 20. Examples of Select DGAs – Matsnu and Rovnix  Matsnu and Rovnix both use wordlists to generate domains that appear like they would be “reasonable”. Rovnix uses the US Declaration of Independence.  Problem is that sometimes there is collisions with real domains. teamroomthing.com,Domain used by matsnu DGA for 16 Aug 2015,2015-08- 16 transitionoccur.com,Domain used by matsnu DGA for 16 Aug 2015,2015-08- 16 windbearboxreceive.com,Domain used by matsnu DGA for 16 Aug 2015,2015-08-16 winner-care-sir.com,Domain used by matsnu DGA for 16 Aug 2015,2015-08- 16 theirtheandaloneinto.com, Domain used by Rovnix DGA thathistoryformertrial.com, Domain used by Rovnix DGA tothelayingthatarefor.com, Domain used by Rovnix DGA definebritainhasforhe.com, Domain used by Rovnix DGA tosecureonweestablishment.com, Domain used by Rovnix DGA
  • 21. What the use of DGAs gives the good guys  Easy ability to sinkhole unused DGA domains to gather additional intelligence.  Easier ability to do bulk takedowns.  *IF* you can predict domains in advance.  The ability to surveil malicious infrastructure in near real-time.
  • 22. What the use of DGAs gives the good guys  The use of DNS in malware severely limits the ability of the adversary to play games.  They need the world to be able to find their infrastructure in order to control victim machines.  Even when DGA changes, the adversary **tends** not to immediately change their infrastructure too.  Allows for the use of passive DNS to see the extent of DGA changes.
  • 23. Sinkholing  Many security companies do this.  Many want to hide the fact they do this.  Most adversaries aren’t stupid enough to not notice.  Remember, Cryptolocker we had 125 or so sinkholed domain for every 1 malicious domain.
  • 24. Feed generation on DGAs sjuemopwhollev.co.uk,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13 meeeqyblgbussq.info,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13 ntjqyqhqwcwost.com,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13, nvtvqpjmstuvju.net,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13 olyiyhprjuwrsl.biz,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13 sillomslltbgyu.ru,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13 gmqjihgsfulcau.org,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13, From here you could easily feed this into RPZ or other technology to protect your organization. But we want more.
  • 25. How to set up surveillance on a DGA  Easy to set up with shell scripting and a non- t1.micro AWS instance.  Requires GNU parallel and adns-tools to handle bulk DNS queries.
  • 26. DGA surveillance  Pre-generate all domains 2 days before to 2 days in future.  Pipe all those domains into adnshost using parallel to limit the number of lines.  Able to process over 700,000 domains inside 10 minutes (and I’m not done optimizing). parallel -j4 --max-lines=3500 --pipe adnshost -a -f < $list-of- domains | fgrep -v nxdomain >> $outputfile
  • 27. Tinba DGA feed example bcldleeivfii.com,Domain used by tinba,2015-08-15 04:15 bfoxyvqtolmn.com,Domain used by tinba,2015-08-15 04:15 cniuybkgxelo.com,Domain used by tinba,2015-08-15 04:15 dgscodhlppkk.com,Domain used by tinba,2015-08-15 04:15 djnmllhgwtff.net,Domain used by tinba,2015-08-15 04:15 This is active not-known-sinkhole domains current resolving.
  • 28. A note on intelligence bias  How we look at threats and what we tend to do with information will affect how we gather intel and how we process it.  I tend to be involved in takedowns so I am generally uninterested in sinkholes.  If you protect an organization, however, you care about your client machines reaching out to sinkholes because they are still infected.
  • 29. Tinba IP list 5.230.193.215,IP used by tinba C&C,2015-08-15 04:15 54.72.9.51,IP used by tinba C&C,2015-08-15 04:15 95.163.121.201,IP used by tinba C&C,2015-08-15 04:15 104.27.169.12,IP used by tinba C&C,2015-08-15 04:15 104.28.13.180,IP used by tinba C&C,2015-08-15 04:15 Seems like a good list to firewall… More on that in a moment.
  • 30. Should also check NS info too 5.230.193.215,Nameserver IP used by tinba C&C,2015-08-15 04:21 5.45.69.31,Nameserver IP used by tinba C&C,2015-08-15 04:21 46.166.189.99,Nameserver IP used by tinba C&C,2015-08-15 04:21 50.7.230.28,Nameserver IP used by tinba C&C,2015-08-15 04:21 54.75.226.194,Nameserver IP used by tinba C&C,2015-08-15 04:21
  • 31. Should also check NS info too ns3.freedns.ws,Nameserver used by tinba C&C,2015-08-15 04:21 ns4.freedns.ws,Nameserver used by tinba C&C,2015-08-15 04:21 ns-canada.topdns.com,Nameserver used by tinba C&C,2015-08-15 04:21 ns-uk.topdns.com,Nameserver used by tinba C&C,2015-08-15 04:21 ns-usa.topdns.com,Nameserver used by tinba C&C,2015-08-15 04:21 With these two data points you can usually quickly validate what is a sinkhole and what is likely malicious and bears further investigation.
  • 32. DGA Surveillance  Looking at those four data points you now have solid information to make decisions based on the data.  You could block domains/IPs.  You could block nameservers (some times).
  • 33. Adversarial Response  Adversaries know we are doing this.  In response:  They change seeds frequently  They have non-DGA communication mechanisms  They engage in counterintelligence
  • 34. Counterintelligence  The tactics by which an adversary thwarts attempts to gather information on itself.  Remember the domain and IP lists before?  What if an adversary registers domains that they aren’t using?
  • 35. Counterintelligence – or worse version  What if adversary knows you pump these IP lists directly into your firewall (and I know people do this with my feeds)?  Anyone recognize these IP addresses? They are the DNS Root Servers 198.41.0.4 192.228.79.201 192.33.4.12 199.7.91.13 192.203.230.10 192.5.5.241 192.112.36.4 128.63.2.53 192.36.148.17 192.58.128.30 193.0.14.129 199.7.83.42 202.12.27.33
  • 36. Counterintelligence – or worse version  Taking action on information without analysis is generally a bad idea, especially when the information is under the complete control of the adversary.  This is why intelligence analysis is so important.  (I whitelisted the root servers after I noticed an adversary tried to do an attack similar to this.)
  • 37. Whois Registrar Intel  Often actors may re-use registrant information across different campaigns. There may be other indicators too.  Sometimes *even with WHOIS privacy protection* it may be possible to correlate domains and by extension the actor.  Most criminal prosecution in cybercrime is due to an OPSEC fail and the ability to map backwards in time of what the actor did to find that fail that exposes them.
  • 38. Whois Info • Many actors will use WHOIS protection… some just use fake information. • “David Bowers” is common for Bedep. ubuntu$ grep "David Bowers" *.txt | grep Registrant whois-bfzflqejohxmq.com.txt:Registrant Name: David Bowers whois-demoqmfritwektsd.com.txt:Registrant Name: David Bowers whois-eulletnyrxagvokz.com.txt:Registrant Name: David Bowers whois-lepnzsiqowk94.com.txt:Registrant Name: David Bowers whois-mhqfmrapcgphff4y.com.txt:Registrant Name: David Bowers whois-natrhkylqoxjtqt45.com.txt:Registrant Name: David Bowers whois-nrqagzfcsnneozu.com.txt:Registrant Name: David Bowers whois-ofkjmtvsnmy1k.com.txt:Registrant Name: David Bowers
  • 39. David Bowers bfzflqejohxmq.com,Domain used by bedep (-4 days to today),2015-08-16 eulletnyrxagvokz.com,Domain used by bedep (-4 days to today),2015-08-16 natrhkylqoxjtqt45.com,Domain used by bedep (-4 days to today),2015-08-16 nrqagzfcsnneozu.com,Domain used by bedep (-4 days to today),2015-08-16 But why stop with just known DGAs, what other domains are associated with “David Bowers”?
  • 41. Surveillance is nice, what about notification?  Creation of feeds and intake is still a passive tactic.  It is all possible to automate notifications when key changes happen to allow for more near-time actions.  This uses the Pushover application (Apple and Google stores) which has a very simple API.
  • 42. New Dyre domain registered
  • 43. New Bedep Domain Registered
  • 44. New Matsnu domains registered
  • 45. Pivoting  Now that I know the-fancastar.com and j- manage.com serve NS for Matsnu, I can see what else is served by those nameservers to find additional intelligence.  As of 24 Aug, this has switched to nausoccer.net and kanesth.com  Caution is due, this may not always yield results and may yield false positives. Always correlate with something else before making a final judgement.
  • 46. Pivoting Using IP from Matsnu 31.210.120.103 hostkale.com. IN A 31.210.120.103 ns1.hostkale.com. IN A 31.210.120.103 ns2.hostkale.com. IN A 31.210.120.103 linuxtr.hostkale.com. IN A 31.210.120.103 mobiluzman.com. IN A 31.210.120.103 habertemasi.com. IN A 31.210.120.103 kinghackerz.com. IN A 31.210.120.103 eglencekeyfi.com. IN A 31.210.120.103 ns1.eglencekeyfi.com. IN A 31.210.120.103 nejdetkuafor.com. IN A 31.210.120.103 profitstring.com. IN A 31.210.120.103 sirketrehber.com. IN A 31.210.120.103 actstudy-meat.com. IN A 31.210.120.103 ….
  • 47. Last adversarial response  Starting to see sinkhole-aware malware.  Some malware always authenticated the C2, but sinkholes still could gather intel.  Now malware is being written to attempt to bypass sinkholes altogether.
  • 48. The Future?  DGAs will be around for awhile as part of several methods of communication to victim machines.  Tor/I2P will continue to be used because of its advantages but DGAs still needed due to ease of blocking tor.  Increase in the use of “interesting” dynamic seeds.
  • 49. Questions? Thanks Daniel Plohmann, April Lorenzen, Andrew Abakumov, Anubis Networks, many others. And thanks HITCON! My feeds: osint.bambenekconsulting.com/feeds/ jcb@bambenekconsulting.com www.bambenekconsulting.com +1 312 425 7225