Chris Baker - Dynamic DNS Abuse - Threat Intelligence Technology and Trends Forum
Dynamic DNS Abuse

Chris Baker, Senior Principal Data Analyst

dig @slide.deck chris.baker

; <<>> DiG 9.8.3-P1 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1337H@X0R
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
chris.baker.    3600     IN  NS     .
chris.baker.    138547   IN  MX     cbaker@baker@
chris.baker.    3600     IN  TWEET  @datumrich

;; Query time: 111 msec
;; SERVER: #53()
;; WHEN: Wed Aug 16 12:00:00 2016
;; MSG SIZE  rcvd: 99

Contents

Overview

1. Dynamic DNS Service
   • Criminal Cost Model
2. Data Available for Analysis
3. Interaction Patterns
4. Adapting Methodology
   • Jscript Infection
   • DNS Beaconing

Why Dynamic DNS?

Frank Denis (@jedisct1):

"The price of an IP address (V4 of course) is greater than the price of a domain name, and the price of a domain is greater than the price of a subdomain."

The business of Dynamic DNS is providing subdomains as a service.

Investment Model

A criminal expends an account or a credit card when they create an account on our platform.

The operating cost needs to be dwarfed by the profitability of their activity; otherwise, wouldn't they do something else?

(Diagram: ddns.hostname.tld, repeated for each subdomain handed out by the service)

Overview / Summary

Creates:

The phished person makes a request and is redirected to:

/wordpress/wp-content/plugins/rthytrghf/index.htm

Example Page

Mile High Technical Summary

Modifies:

Change to sinkhole. Sinkhole -> http://<Sinkhole-IP>/campaigntag-html.htm

Total Possible Audience (everyone in the spam list)
  -> Audience Solicited
  -> Message reached inbox
  -> Message Opened
  -> Link Clicked
  -> Credentials Submitted

Apple Accounts

We have some sample data related to Apple phishing that is interesting.

Sample set of 45 campaigns

Summary stats: users who clicked the link / visited the redirection landing page

  – Min: 18
  – Median: 187
  – Mean: 467
  – Max: 1689

Resale Value of Accounts

Submission rate:   90%         70%         50%         30%
Min:               $88.00      $71.50      $49.50      $27.50
Median:            $924.00     $720.50     $517.00     $308.00
Mean:              $2,310.00   $1,798.50   $1,287.00   $770.00
Max:               $8,360.00   $6,501.00   $4,647.50   $2,788.50

If we take the median price of $5.50 per account, we can estimate the profitability of various rates of credential submission and resale.
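The deck's resale table follows from the click statistics once a rounding rule is fixed. This added example (not from the deck) reproduces every cell, assuming the model is accounts = clicks x submission rate, rounded half up, times the $5.50 median price.

```python
from typing import Dict

MEDIAN_PRICE_USD = 5.50
# Click / landing-page visit statistics quoted in the deck (45 campaigns).
CLICK_STATS: Dict[str, int] = {"Min": 18, "Median": 187, "Mean": 467, "Max": 1689}
SUBMISSION_RATES = (0.90, 0.70, 0.50, 0.30)


def accounts_from_clicks(clicks: int, rate: float) -> int:
    """Credentials submitted at a given rate, rounded half up.

    Assumption: the deck's table is only reproduced with half-up rounding;
    Python's built-in round() (banker's rounding) gives $4,642.00 instead of
    $4,647.50 for the Max row at 50%."""
    return int(clicks * rate + 0.5)


def resale_value(clicks: int, rate: float, price: float = MEDIAN_PRICE_USD) -> float:
    """Estimated resale revenue in USD for one campaign size and submission rate."""
    return round(accounts_from_clicks(clicks, rate) * price, 2)


def resale_table(stats: Dict[str, int] = CLICK_STATS) -> Dict[str, Dict[float, float]]:
    """Rows = campaign statistic, columns = submission rate, cells = USD."""
    return {name: {rate: resale_value(clicks, rate) for rate in SUBMISSION_RATES}
            for name, clicks in stats.items()}


if __name__ == "__main__":
    for name, row in resale_table().items():
        print(name.ljust(7), "  ".join(f"{r:.0%}: ${v:,.2f}" for r, v in row.items()))
```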

Data Trail: DDNS Host Creation

Account: Username, Datetime, IP Address, User Agent String

Hostname: Datetime, Hostname, IP Address, URL

What is the rate of hostname creation? How many different endpoints? How many different hostnames?

End User Data Trail: Contrast

Account Creation: Username, Datetime, IP Address, User Agent

Hostname Creation: Datetime, Hostname, IP Address, URL, User Agent

Was the account created from an IP in the same netblock as the IP the hostname is set to resolve to?

Does the GeoIP of the address place them in the same country? Continent?

Example:

Hostname created: u876trtr.fuettertdasnetz.de


Phishing

If we strip off the domain portion:

u876trtr
uy85rr
3yi87
awu7o
hguy5434rer
ui783ert
d3678iyhgfd
xey6hg
2hmmn7
a54hgh
yu74er
3gtij5

Names and Endpoints

Let's review the data:

• User created a total of 12 domains
• User's account contains 12 domain names
• Names appear to be pseudo-randomly generated
• All created within 10 mins of purchasing the service
• All of the domains resolve to the same WordPress instance
• WordPress instance URI contains the string "wp-content"
• WordPress instance URI contains a pseudo-randomly generated HTML endpoint

Rate of name creation, number of persistent names, and the endpoints all point to phishing.

Exploit Kits

Exploit kits are application infrastructure designed for compromising end-user systems.

• Keep track of where the end user came from
  • Source of traffic
  • Geography of end user
• Most have a number of different vulnerabilities they can leverage to accomplish their goal
  - Track what vulnerability was used to compromise the end user's system
  - Track success rate
• Impressive focus on business metrics

Traffic Direction Services

Finding end-user traffic to exploit is a different core competency than operating exploitation infrastructure. Traffic Direction Services serve three basic functions:

• Steering traffic
  • By GeoIP, User Agent, Operating System, Referral
• Filtering traffic
  • Rules for dealing with security firms, search engine content review bots, etc.
  • Example: if the IP belongs to GoogleBot, redirect to a clean page
• Collecting traffic metrics
  • Reporting on the two functions above for tracking/billing

Segmentation of Exploit Kits and Traffic Direction Services

• Allow groups/actors to focus on their core competency
• Traffic direction services help protect exploit kits / mitigate the risk of losing the exploit node
• Exploit kits are centered around maximizing the infection rate of the traffic which they receive

Activity (diagram)

Fingerprint

45400f3233e52d15694cf990.worse-than.tv
26745522c585519482f0e3e3.worse-than.tv
d22a34203ed4dc4571e361de.worse-than.tv

Accounts contain 3 to 5 hostnames active at a time.
Domains are pseudo-randomly generated.
They rotate on a fixed interval: 5 min / 30 min / 1 hour.
The endpoint is usually the same IP address for a day or more.

Rate of name creation, number of persistent names, and endpoints = TDS / Exploit Kit

How are they different?

Scenario Difference

• Phishers need the domain used in their campaign email to stay active
• Exploit/TDS campaigns rotate these domains frequently to avoid detection
• Key variables: total number of domains active at one time & persistence
• Phishers have been using compromised CMS instances to host their pages
• Exploit/TDS campaigns, ones that use our DDNS, are all using cloud/VPS providers
• Key variable: endpoint classification

Identifying Infrastructure

• IP Reputation Profiling
  • Does an account have multiple domains or IPs from known questionable ASes?
  • Does an account have a collection of domains with similar query volume?
  • How long has the host existed?
  • How many new hosts have been created or deleted?
• For those defending networks, this is a case where looking at passive DNS would help

Rate and Provider Indicators

• Identify customers with high rates of domain creation
  • Is it accompanied by a high rate of removal?
• Quantify the diversity of IPs creating records with the A record IP
  • This helps clarify if the account is being shared
• Quantify the diversity of IPs being used for A record IPs
• AS profiling of IPs
  • Infrastructure-as-a-service provider
  • Small/mid-sized ISP
  • VPN provider / Tor exit nodes
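The "Scenario Difference" and "Rate and Provider Indicators" slides describe two account fingerprints: a burst of persistent names to one landing page (phishing) versus a few live names rotating over one stable endpoint (TDS/exploit kit). This added example (not the deck's or Dyn's code) computes those indicators from a host-creation trail; the two trails and the thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# (account, hostname, created ISO time, deleted ISO time or None, creator IP, A-record IP)
Record = Tuple[str, str, str, Optional[str], str, str]
T0 = datetime(2016, 8, 16, 12, 0, 0)
HORIZON = T0 + timedelta(days=1)  # "now" for names that were never deleted
# Constructed phishing trail: ten pseudo-random names in ten minutes, never removed, one web host.
PHISH_TRAIL: List[Record] = [
    ("acct-42", f"{label}.example-ddns.test", (T0 + timedelta(minutes=i)).isoformat(),
     None, "198.51.100.7", "203.0.113.10")
    for i, label in enumerate(["u876trtr", "uy85rr", "3yi87", "awu7o", "hguy5434rer",
                               "ui783ert", "d3678iyhgfd", "xey6hg", "2hmmn7", "a54hgh"])]
# Constructed TDS trail: a hex name every 30 min, removed after 90 (three live at once), one VPS address.
TDS_TRAIL: List[Record] = [
    ("acct-7", f"{i:024x}.example-ddns.test", (T0 + timedelta(minutes=30 * i)).isoformat(),
     (T0 + timedelta(minutes=30 * i + 90)).isoformat(), "192.0.2.33", "203.0.113.99")
    for i in range(48)]

def max_concurrent(records: List[Record]) -> int:
    """Peak number of live names: sweep create/delete events in time order."""
    events = []
    for _, _, created, deleted, _, _ in records:
        events.append((datetime.fromisoformat(created), 1))
        events.append((datetime.fromisoformat(deleted) if deleted else HORIZON, -1))
    live = peak = 0
    for _, delta in sorted(events):  # at equal times the -1 sorts first
        live += delta
        peak = max(peak, live)
    return peak

def profile(records: List[Record]) -> Dict[str, object]:
    created = sorted(datetime.fromisoformat(r[2]) for r in records)
    return {
        "created": len(records),
        "removed": sum(1 for r in records if r[3]),
        "span_min": (created[-1] - created[0]).total_seconds() / 60,
        "max_live": max_concurrent(records),
        "creator_ips": len({r[4] for r in records}),  # more than one hints at a shared account
        "endpoints": len({r[5] for r in records}),
    }

def classify(p: Dict[str, object]) -> str:
    """Assumed thresholds for the deck's two fingerprints; tune on real trails."""
    if p["endpoints"] == 1 and p["removed"] == 0 and p["created"] >= 8 and p["span_min"] <= 15:
        return "phishing-like"  # burst of persistent names, one landing page
    if p["endpoints"] == 1 and 3 <= p["max_live"] <= 5 and p["removed"] >= p["created"] // 2:
        return "tds-like"       # few live names rotating over one stable endpoint
    return "unclassified"
```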

(Chart: unique ASNs per provider category; values shown: 2638, 946, 1991, 443, 89, 719, 476, 722)

Sink first, then block

We can close the account, stopping their ability to create more domains.

Report the credentials they used to pay for the account.

But first it is key to point the domains to a sinkhole:

• If we just close and block them, we have no insight into the volume of traffic and the type of traffic associated with the domain
• Sinking domains in the case of TDS/exploit kits provides insight into the referrers and/or criminal infrastructure
• Sinking domains in the case of phishing exposes additional URIs of interest

Adapting Identification Methodology

1: Jscript Infection

2: DNS Beacon Malware

Case 1: JS Backdoor

There is a compromised machine with a backdoor on a single host. Vendor detection is non-existent. It is a JS backdoor making C2 connections at regular intervals.

C2 connections are made to the below:

60,*.

GET https[:]//offpotubeda.endofinternet[.]net:443/related/?action=get_config&guid=<redacted>&version=1115

First Steps

Quantify
• 22 accounts at the time had hostnames related to 60

Identify
• The account associated with the supplied malicious hostname created it from 2

The impacted party provided a copy of the .js file they found on the infected machine.

Between the email and account usage history, it seems clear a domain generation algorithm was being used.

DNS Traffic Intel

Who asked for what? When did they ask for it? How often are they asking?

(Diagram: recursive DNS servers, each logged as <Epoch>#8899, querying the authoritative DNS server; endpoints requesting DGA domains)

Looking at who is asking…

In most cases the requestor for authoritative DNS records is a recursive resolver.

This is one way to assess potentially impacted organizations or geographies.

A majority of recursive resolvers on the internet implement DNS source port randomization.
• /html/rfc5452 (RFC 5452)

40 and 2001:67c:2070:8b06::2 were only requesting DGA domains and always using source port 53 (for IPv4).
• "Delta-X" LTD, Ukraine, Kyiv.

40 Connectivity: ASN 200000

Other Anomalies

Unlike all of the other requests, 40 was also appending a hash to each authoritative request while requesting the base domain in the same second:

• 1431410081 a3f34ef153f6b09091ad104add8e5e987.isctm.isteingeek.de
• 1431410081 isctm.isteingeek.de
• 1431410081
• 1431410081
• 1431410081
• 1431410081
• 1431410081 a2bf47eb9d1297cc614fcc876af7ac28e.webgdame.isteingeek.de
• 1431410081 webgdame.isteingeek.de
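Two of the requestor anomalies above are mechanical enough to check in authoritative query logs: a source that never randomizes its source port (RFC 5452) while asking only for DGA-style names, and a source that asks for a hash-prefixed name and its base in the same second. This added example (not from the deck) does both over a constructed log; the log format, the known-good label list and the "20+ hex characters" hash rule are assumptions, while the two hash-prefixed names are the ones shown on the slide.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple
BASE = "isteingeek.de"
KNOWN_LABELS = {"www", "mail"}  # assumed legitimate names under the base domain
THIRD_TIER = re.compile(r"^(?P<label>[a-z0-9-]+)\." + re.escape(BASE) + r"$")
HASH_PREFIX = re.compile(r"^[0-9a-f]{20,}\.(?P<base>[a-z0-9-]+\." + re.escape(BASE) + r")$")
# Constructed authoritative query log, "epoch source_ip source_port qname"; the two
# hash-prefixed names are from the deck, the addresses are documentation ranges.
SAMPLE_LOG = """\
1431410081 192.0.2.40 53 a3f34ef153f6b09091ad104add8e5e987.isctm.isteingeek.de
1431410081 192.0.2.40 53 isctm.isteingeek.de
1431410081 192.0.2.40 53 a2bf47eb9d1297cc614fcc876af7ac28e.webgdame.isteingeek.de
1431410081 192.0.2.40 53 webgdame.isteingeek.de
1431410100 198.51.100.9 41233 isctm.isteingeek.de
1431410115 198.51.100.9 33190 webgdame.isteingeek.de
1431410120 203.0.113.5 53 www.isteingeek.de
"""
Row = Tuple[int, str, int, str]

def parse(log: str) -> List[Row]:
    rows = []
    for line in log.splitlines():
        epoch, src, port, qname = line.split()
        rows.append((int(epoch), src, int(port), qname.rstrip(".")))  # keep case as-is
    return rows

def dga_like(qname: str) -> bool:
    """Third-tier name under the tracked domain that is not a known-good label."""
    m = THIRD_TIER.match(qname)
    return bool(m) and m.group("label") not in KNOWN_LABELS

def fixed_port_dga_sources(rows: List[Row]) -> Dict[str, int]:
    """Sources that never randomize their source port and ask only for DGA-style names."""
    by_src: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for epoch, src, port, qname in rows:
        by_src[src].append((port, qname))
    flagged = {}
    for src, qs in by_src.items():
        all_dga = all(dga_like(q) or HASH_PREFIX.match(q) for _, q in qs)
        if {p for p, _ in qs} == {53} and all_dga:
            flagged[src] = len(qs)
    return flagged

def hash_prefix_pairs(rows: List[Row]) -> Set[Tuple[str, int, str]]:
    """(source, second, base) where a hash-prefixed name and its base were both asked."""
    seen = {(src, epoch, q) for epoch, src, _, q in rows}
    pairs = set()
    for epoch, src, _, q in rows:
        m = HASH_PREFIX.match(q)
        if m and (src, epoch, m.group("base")) in seen:
            pairs.add((src, epoch, m.group("base")))
    return pairs
```

A resolver that randomizes ports, or one on port 53 that also asks for ordinary names, is left alone, which is what keeps the first check from flagging every legacy resolver.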

Looking at the DGA

While digging into this portion, Daniel Plohmann was able to reverse engineer the DGA.

The hosts the DGA was targeting:
•
• isteingeek.de
•

As well as the collection of ngrams which are used to generate the third-tier domain name:

ohuswhatsiasisoffnetwebcallhowaskelcodeqctupogtmtubedamernokosiledsitenafpkunbonrimakeinnahostadoldforjownto

Mitigation / Outreach

With the DGA solved, it became feasible to register the domain names before the actor
• Instead of reclaiming the domains after they were registered

Preregistration began…
• IPs from 1,358 ASNs made connections to the sinkhole
• ASNs with ties to 117 countries
• 14,185 unique IPs made connections to the sinkhole during the first 5 days of observation

Due to the number of infected endpoints and their profile, we generated a feed for ShadowServer.

Windows Endpoints to Sinkhole

Additions to the Sinkhole

Despite looking like JavaScript, the malware was written in "JScript"
• A JavaScript-like VBScript alternative created by Microsoft
• This nuance hinted that it might be a good idea to ensure that p0f or another OS fingerprinting tool was deployed to the sinkhole
• The goal of this being the ability to segment "possibly infected" from "research related" requestors, operating under the theory that only things with Windows fingerprints should be considered

Verifying p0f fingerprints

(Pie chart of fingerprinted requestors: Windows 7 or 8, Windows NT kernel, Linux, FreeBSD; slices 95%, 3%, 2%, 0%)

This pattern sounds familiar

Why didn't your Exploit Kit / Traffic Direction Service pattern pick this up?
• It's registering domains on a fixed interval
• It's adding and deleting domains to accounts that resolve to the same endpoint

They split the activity up across multiple accounts…
• One account would add a domain
• Another account would add the follow-up domain… etc.

One important takeaway from this was to take a wider view and look at finding activity splayed across endpoints.

Also, looking at recursive traffic for the domain is key.
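The per-account indicators miss an actor who spreads fixed-interval registrations over several accounts, so the wider view has to pivot on the endpoint. This added example (not from the deck) groups host creations by A-record IP and flags endpoints fed by several accounts at a near-constant cadence; the trails, the minimum account count and the regularity threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Creation = Tuple[str, str, int, str]  # account, hostname, created epoch, A-record IP

# Constructed: four accounts take turns adding a name every 600 s, all resolving to one
# endpoint, plus an unrelated account with irregular timing and its own address.
ROTATED: List[Creation] = [
    (f"acct-{i % 4}", f"name{i}.example-ddns.test", 1431410000 + 600 * i, "203.0.113.77")
    for i in range(12)]
NOISE: List[Creation] = [
    ("acct-9", f"blog{i}.example-ddns.test", 1431410000 + t, "198.51.100.20")
    for i, t in enumerate([0, 700, 5000, 86400])]


def names_per_account(creations: List[Creation]) -> Dict[str, int]:
    """The per-account view: each rotating account looks like a light user."""
    counts: Dict[str, int] = defaultdict(int)
    for acct, _, _, _ in creations:
        counts[acct] += 1
    return dict(counts)


def splayed_endpoints(creations: List[Creation], min_accounts: int = 3,
                      max_cv: float = 0.1) -> Dict[str, Dict[str, object]]:
    """Endpoints fed by several accounts whose combined creation cadence is near-fixed.
    Regularity = coefficient of variation of the gaps between creations (threshold assumed)."""
    by_endpoint: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for acct, _, ts, ip in creations:
        by_endpoint[ip].append((ts, acct))
    hits = {}
    for ip, events in by_endpoint.items():
        events.sort()
        accounts = {a for _, a in events}
        if len(accounts) < min_accounts or len(events) < 4:
            continue
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits[ip] = {"accounts": sorted(accounts), "names": len(events), "interval_s": avg}
    return hits
```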

Higher Quality DGA

They used a set of ngrams which make "less anomalous looking" names.

Some of the domains are even all real words!

Earlier we were looking at domains like:
• Long runs of only consonants
• A lack of common vowel/consonant groupings…

• owhatnetweb.isteingeek.de
• whatishowask.isteingeek.de
• isweblcode.isteingeek.de
• webaskctu.isteingeek.de

Case 2: DNS Beaconing Malware

In early December 2014 we received a sample from ShadowServer unlike others seen in the past.
• It was of specific interest because the sandbox showed some very interesting DNS traffic

On Jan 11th 2015 a detailed look at the North Korean Central News Agency web server was posted.

The post had details about a specific type of malware being distributed from the website.

Cylance Report: KCNA Malware

The domain a.gwas.perl.sh is requested by the malware.

The resulting IP address of the DNS query of a.gwas.perl.sh (3) is then sent a DNS query.

The target domain is a string which presumably identifies features about the infected victim.

Image and details from /infinity-vs.-the-real-world-kcna-malware

Same Pattern, Different Hash

As this was making its way to the blogosphere, a ragtag band was looking into a similar sample:
• Daniel Plohmann of Fraunhofer FKIE
• Steven Adair of Volexity

The initial relationship was centered on the domain a.gwas.perl.sh.

Then, after seeing what Cylance published about the domain names used for beaconing, we could confirm that the network communication looked the same.

C&C Domain

The binary our team was focusing on used 3 hardcoded C&C nodes:
• a.gwas.perl.sh
•
•

The latter of the domains is one which is using Dyn's Dynamic DNS platform.

After going over the incident with our Customer Service team, the domain was moved to a sinkhole.

Who is asking?

With the domain resolving to a sinkhole, we now were receiving all of the traffic originally destined for the C&C domain.

This allowed us to capture the DNS beacon queries.

At first we were using Bro IDS to log all of the DNS traffic; however, it was running a lowercase function on the CNAME.

This led to a switch to the richest data stream: full network capture! (aka tcpdump)

Recursive Resolvers Querying for

(Map: the scale helps show the diversity, but >99% of the queries are from CN)

Endpoints sending DNS Beacons to the sinkhole

(Map: the scale helps show the diversity, but >99% of the beacons come from CN)

Reversing
