Dynamic DNS Abuse
Chris Baker, Senior Principal Data Analyst
dig @slide.deck chris.baker

; <<>> DiG 9.8.3-P1 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1337H@X0R
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
chris.baker.    3600    IN  NS     .
chris.baker.    138547  IN  MX     cbaker@baker@
chris.baker.    3600    IN  TWEET  @datumrich
;; Query time: 111 msec
;; SERVER: #53()
;; WHEN: Wed Aug 16 12:00:00 2016
;; MSG SIZE  rcvd: 99
Contents
Overview
1. Dynamic DNS Service
   • Criminal Cost Model
2. Data Available for Analysis
3. Interaction Patterns
4. Adapting Methodology
   • Jscript Infection
   • DNS Beaconing
Why Dynamic DNS?
Frank Denis @jedisct1:
"The price of an IP Address (V4 of course) is greater than the price of a domain name and the price of a domain is greater than the price of a subdomain."
The business of Dynamic DNS is providing subdomains as a service
Investment Model
A criminal expends an account or a credit card when they create an account on our platform.
Their operating cost needs to be dwarfed by the profitability of the activity; otherwise, wouldn't they do something else?
[Figure: one account creating several hostnames of the form ddns.hostname.tld]
Overview / Summary
Creates: the hostnames above
Phished person requests one of them
They are redirected to:
/wordpress/wp-content/plugins/rthytrghf/index.htm
Example Page
Mile High Technical Summary
Modifies: change to sinkhole. Sinkhole -> http://<Sinkhole-IP>/campaigntag-html.htm
Campaign funnel:
Total Possible Audience (everyone in the spam list)
-> Audience Solicited
-> Message reached inbox
-> Message Opened
-> Link Clicked
-> Credentials Submitted
Apple Accounts
We have some sample data related to Apple phishing that are interesting
Sample Set of 45 Campaigns
Summary stats: users who clicked the link / visited the redirection landing page
– Min: 18
– Median: 187
– Mean: 467
– Max: 1689
Resale Value of Accounts (by credential-submission rate)
             90%         70%         50%         30%
Min       $88.00      $71.50      $49.50      $27.50
Median   $924.00     $720.50     $517.00     $308.00
Mean   $2,310.00   $1,798.50   $1,287.00     $770.00
Max    $8,360.00   $6,501.00   $4,647.50   $2,788.50
If we take the median price of $5.50 per account we can estimate the profitability of various rates of credential submission and resale
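The table above can be recomputed from the click statistics and the $5.50 median price. The following is an added example, not code from the deck; it assumes each cell is round-half-up(visitors × submission rate) × $5.50, which reproduces every figure on the slide, and adds a break-even helper for the "investment model" point.

```python
# Added example (not from the slide deck): recomputes the "Resale Value of
# Accounts" table from the campaign click statistics and the $5.50 per-account
# median resale price.  Assumption: each cell is
# round_half_up(visitors * submission_rate) * price.
from decimal import Decimal, ROUND_HALF_UP

PRICE_PER_ACCOUNT = Decimal("5.50")          # median resale price quoted on the slide
SUBMISSION_RATES = ("0.9", "0.7", "0.5", "0.3")

# Landing-page visitors across the 45 sampled campaigns (min/median/mean/max).
VISITOR_STATS = {"min": 18, "median": 187, "mean": 467, "max": 1689}


def accounts_sold(visitors: int, rate: str) -> int:
    """Expected credential submissions, rounded half-up to whole accounts."""
    expected = Decimal(visitors) * Decimal(rate)
    return int(expected.quantize(Decimal("1"), rounding=ROUND_HALF_UP))


def estimated_revenue(visitors: int, rate: str, price: Decimal = PRICE_PER_ACCOUNT) -> Decimal:
    """Criminal revenue for one campaign at a given credential-submission rate."""
    return accounts_sold(visitors, rate) * price


def revenue_table(stats=VISITOR_STATS, rates=SUBMISSION_RATES):
    """Return {stat: {rate: revenue}} for every visitor statistic and rate."""
    return {name: {rate: estimated_revenue(v, rate) for rate in rates}
            for name, v in stats.items()}


def break_even_visitors(cost, rate: str, price: Decimal = PRICE_PER_ACCOUNT) -> int:
    """Smallest landing-page audience at which revenue covers a fixed campaign cost.
    Illustrates the deck's investment-model point: the abuse only continues while
    the operating cost is dwarfed by the return (cost is a constructed input)."""
    visitors = 0
    while estimated_revenue(visitors, rate, price) < cost:
        visitors += 1
    return visitors


if __name__ == "__main__":
    for name, row in revenue_table().items():
        cells = "  ".join(f"{Decimal(r) * 100:.0f}% ${v:.2f}" for r, v in row.items())
        print(f"{name:>6}: {cells}")
```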
Data Trail: DDNS Host Creation
Account: Username, Datetime, IP Address, User Agent String
Hostname: Datetime, Hostname, IP Address, URL
What is the rate of hostname creation? How many different endpoints? How many different hostnames?
End User Data Trail: Contrast
Account Creation: Username, Datetime, IP Address, User Agent
Hostname Creation: Datetime, Hostname, IP Address, URL, User Agent
Was the account created from an IP in the same netblock as the IP the hostname is set to resolve to?
Does the GeoIP of the address place them in the same country? Continent?
Example:
Hostname Created: u876trtr.fuettertdasnetz.de
[Figure: counts 3, 2, 3 for this account; the figure labels are not recoverable]
Phishing
If we strip off the domain portion:
u876trtr, uy85rr, 3yi87, awu7o, hguy5434rer, ui783ert, d3678iyhgfd, xey6hg, 2hmmn7, a54hgh, yu74er, 3gtij5
Names and Endpoints
Let's review the data
• User created a total of 12 domains
• User's account contains 12 domain names
• Names appear to be pseudo-randomly generated
• All created within 10 mins of purchasing the service
• All of the domains resolve to the same WordPress instance
• WordPress instance URI contains the string "wp-content"
• WordPress instance URI contains a pseudo-randomly generated html endpoint
Rate of name creation, number of persistent names, and the endpoints all point to phishing
Exploit Kits
Exploit kits are application infrastructure designed for compromising end user systems
• Keep track of where the end user came from
  − Source of traffic
  − Geography of end user
• Most have a number of different vulnerabilities they can leverage to accomplish their goal
  − Track what vulnerability was used to compromise the end user's system
  − Track success rate
• Impressive focus on business metrics
Traffic Direction Services
Finding end user traffic to exploit is a different core competency than operating exploitation infrastructure. Traffic Direction Services serve three basic functions:
• Steering traffic
  • By GeoIP, User Agent, Operating System, Referral
• Filtering traffic
  • Rules for dealing with security firms, search engine content review bots… etc
  • Example: if the IP belongs to GoogleBot, redirect to a clean page
• Collecting traffic metrics
  • Reporting on the two functions above for tracking/billing
Segmentation of Exploit Kits and Traffic Direction Services
• Allows groups/actors to focus on their core competency
• Traffic direction services help protect exploit kits / mitigate the risk of losing the exploit node
• Exploit kits are centered around maximizing the infection rate of the traffic which they receive
Activity
Fingerprint
45400f3233e52d15694cf990.worse-than.tv
26745522c585519482f0e3e3.worse-than.tv
d22a34203ed4dc4571e361de.worse-than.tv
Accounts contain 3 to 5 hostnames active at a time
Domains are pseudo-randomly generated
They rotate on a fixed interval: 5 min / 30 min / 1 hour
The endpoint is usually the same IP address for a day or more
Rate of name creation, number of persistent names, and endpoints = TDS / Exploit Kit
How are they different?
Scenario Difference
• Phishers need the domain used in their campaign email to stay active
• Exploit/TDS campaigns rotate these domains frequently to avoid detection
• Key Variables: total number of domains active at one time & persistence
• Phishers have been using compromised CMS instances to host their pages
• Exploit/TDS campaigns, ones that use our DDNS, are all using cloud/VPS providers
• Key Variable: endpoint classification
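The two fingerprints above (the 12-names-in-10-minutes phishing account and the 3-to-5-active, fixed-rotation TDS account) can be scored from the hostname-creation data trail. This is an added example, not code from the deck or from Dyn; the record layout, sample accounts, endpoint labels and thresholds are all constructed for illustration.

```python
# Added example (not from the slide deck): profiles one DDNS account's hostname
# history with the deck's key variables (creation rate, names active at once,
# persistence, rotation regularity, endpoint class) and maps it to a scenario.
import hashlib
from collections import namedtuple
from datetime import datetime, timedelta
from statistics import median

Host = namedtuple("Host", "name created deleted ip")   # deleted is None while active
T0 = datetime(2016, 8, 16, 12, 0)
NOW = T0 + timedelta(days=7)                            # end of the observation window
ENDPOINT_CLASS = {"203.0.113.10": "compromised-cms", "198.51.100.7": "cloud-vps"}  # assumed lookup

# Constructed phishing-style account: 12 random-looking names within ~8 minutes,
# never removed, all pointing at one compromised WordPress host.
PHISH = [Host(f"u{i:02d}trtr", T0 + timedelta(seconds=45 * i), None, "203.0.113.10")
         for i in range(12)]
# Constructed TDS-style account: a new 24-hex-char name every 30 minutes, each
# removed after 2 hours (so 4 are live at once), all on one VPS address.
TDS = [Host(hashlib.md5(str(i).encode()).hexdigest()[:24],
            T0 + timedelta(minutes=30 * i), T0 + timedelta(minutes=30 * i + 120),
            "198.51.100.7") for i in range(48)]


def profile(hosts, now=NOW):
    """Creation rate, peak concurrency, persistence, rotation regularity, endpoints."""
    first = min(h.created for h in hosts)
    lifetimes = [((h.deleted or now) - h.created).total_seconds() / 3600 for h in hosts]
    rotated = [lt for h, lt in zip(hosts, lifetimes) if h.deleted is not None]
    peak = max(sum(1 for o in hosts
                   if o.created <= h.created and (o.deleted is None or o.deleted > h.created))
               for h in hosts)
    return {
        "created_first_hour": sum(1 for h in hosts if h.created - first <= timedelta(hours=1)),
        "peak_active": peak,
        "median_life_h": median(lifetimes),
        "fixed_interval": bool(rotated) and max(rotated) - min(rotated) < 0.05,
        "endpoint_classes": {ENDPOINT_CLASS.get(h.ip, "unknown") for h in hosts},
        "endpoints": len({h.ip for h in hosts}),
    }


def classify(hosts):
    """Map a profile onto the deck's two scenarios (thresholds are constructed)."""
    p = profile(hosts)
    if p["created_first_hour"] >= 10 and p["median_life_h"] >= 24 and p["endpoints"] == 1:
        return "phishing-like"
    if (3 <= p["peak_active"] <= 5 and p["fixed_interval"] and p["median_life_h"] <= 2
            and p["endpoint_classes"] <= {"cloud-vps"}):
        return "tds/exploit-kit-like"
    return "unclassified"
```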
Identifying Infrastructure
• IP Reputation Profiling
• Does an account have multiple domains or IPs from known questionable ASes?
• Does an account have a collection of domains with similar query volume?
• How long has the host existed?
• How many new hosts have been created or deleted?
• For those defending networks this is a case where looking at passive DNS would help
Rate and Provider Indicators
• Identify customers with high rates of domain creation
  • Is it accompanied by a high rate of removal?
• Quantify the diversity of IPs creating records versus the A record IP
  • This helps clarify if the account is being shared
• Quantify the diversity of IPs being used for A record IPs
• AS profiling of IPs
  • Infrastructure-as-a-service provider
  • Small / mid-sized ISP
  • VPN provider / Tor exit nodes
[Figure: unique ASN counts per category; the category labels are not recoverable. Values shown: 2638, 946, 1991, 443, 89, 719, 476, 722 unique ASNs]
Sink first, then block
We can close the account, stopping their ability to create more domains
Report the credentials they used to pay for the account
But first it is key to point the domains to a sinkhole
• If we just close and block them we have no insight into the volume of traffic and the type of traffic associated with the domain
• Sinking domains in the case of TDS / exploit kits provides insight into the referrers and/or criminal infrastructure
• Sinking domains in the case of phishing exposes additional URIs of interest
Adapting Identification Methodology
1: Jscript Infection
2: DNS Beacon Malware
Case 1: JS Backdoor
There is a compromised machine with a backdoor on a single host. Vendor detection is non-existent. It is a JS backdoor making C2 connections at regular intervals.
C2 connections are made to the below:
60, *.
GET https[:]//offpotubeda.endofinternet[.]net:443/related/?action=get_config&guid=<redacted>&version=1115
First Steps
Quantify
• 22 accounts at the time had hostnames related to 60
Identify
• The account associated with the supplied malicious hostname created it from 2
The impacted party provided a copy of the .js file they found on the infected machine
Between the email and account usage history, it seems clear a domain generation algorithm was being used
DNS Traffic Intel
Who asked for what? When did they ask for it? How often are they asking?
[Figure: query records of the form <Epoch> #8899 flowing from Recursive DNS Servers to the Authoritative DNS Server]
Endpoints Requesting DGA Domains
Looking at who is asking…
In most cases the requestor for authoritative DNS records is a recursive resolver
This is one way to assess potentially impacted organizations or geographies
A majority of recursive resolvers on the internet implement DNS source port randomization
• /html/rfc5452 (RFC 5452)
40 and 2001:67c:2070:8b06::2 were only requesting DGA domains and always using source port 53 (for IPv4)
• "Delta-X" LTD, Ukraine, Kyiv.
40 Connectivity
ASN 200000
Other Anomalies
Unlike all of the other requests, 40 was also prefixing each authoritative request with a hash label while requesting the base domain in the same second
• 1431410081 a3f34ef153f6b09091ad104add8e5e987.isctm.isteingeek.de
• 1431410081 isctm.isteingeek.de
• 1431410081 a2bf47eb9d1297cc614fcc876af7ac28e.webgdame.isteingeek.de
• 1431410081 webgdame.isteingeek.de
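Both requester-side anomalies from the last two slides (a requester that never randomizes its source port, and hash-label plus base-name lookups landing in the same second) can be pulled out of an authoritative query log. This is an added example, not code from the deck; the log format and the IP addresses are constructed (documentation ranges), while the epoch, hashed labels and isteingeek.de names are the ones the deck shows.

```python
# Added example (not from the slide deck): two triage checks over a constructed
# authoritative-side DNS query log (epoch, requester IP, source port, QNAME).
import re
from collections import defaultdict

LOG = """\
1431410081 192.0.2.40 53 a3f34ef153f6b09091ad104add8e5e987.isctm.isteingeek.de
1431410081 192.0.2.40 53 isctm.isteingeek.de
1431410081 192.0.2.40 53 a2bf47eb9d1297cc614fcc876af7ac28e.webgdame.isteingeek.de
1431410081 192.0.2.40 53 webgdame.isteingeek.de
1431410082 192.0.2.40 53 owhatnetweb.isteingeek.de
1431410081 198.51.100.9 41877 isctm.isteingeek.de
1431410083 198.51.100.9 60231 webgdame.isteingeek.de
1431410090 198.51.100.9 52100 www.example.net
"""

# A long hex label in front of an otherwise normal name (length bound is an assumption).
HASH_LABEL = re.compile(r"^[0-9a-f]{24,40}\.(?P<base>.+)$")


def parse(log):
    """Split the constructed log into (epoch, ip, port, qname) rows; case is kept."""
    rows = []
    for line in log.splitlines():
        ts, ip, port, qname = line.split()
        rows.append((int(ts), ip, int(port), qname.rstrip(".")))
    return rows


def unrandomized_requesters(rows, min_queries=3):
    """Requesters whose every query used a single source port (no RFC 5452
    randomization).  Public recursors spread queries over many ports, so a fixed
    port hints at an endpoint or bespoke resolver rather than a shared recursor."""
    ports = defaultdict(set)
    count = defaultdict(int)
    for _, ip, port, _ in rows:
        ports[ip].add(port)
        count[ip] += 1
    return sorted(ip for ip in ports if count[ip] >= min_queries and len(ports[ip]) == 1)


def hash_and_base_same_second(rows):
    """(ip, epoch, base) triples where a hash-prefixed name and its base name were
    both requested by the same IP within the same second."""
    seen = {(ts, ip, q) for ts, ip, _, q in rows}
    hits = set()
    for ts, ip, _, q in rows:
        m = HASH_LABEL.match(q)
        if m and (ts, ip, m["base"]) in seen:
            hits.add((ip, ts, m["base"]))
    return sorted(hits)
```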
Looking at the DGA
While digging into this portion Daniel Plohmann was able to reverse engineer the DGA
The hosts the DGA was targeting:
• isteingeek.de
As well as the collection of ngrams which are used to generate the third-tier domain name:
ohuswhatsiasisoffnetwebcallhowaskelcodeqctupogtmtubedamernokosiledsitenafpkunbonrimakeinnahostadoldforjownto
Mitigation / Outreach
With the DGA solved it became feasible to register the domain names before the actor
• Instead of reclaiming the domains after they were registered
Preregistration began…
• IPs from 1,358 ASNs made connections to the sinkhole
• ASNs with ties to 117 countries
• 14,185 unique IPs made connections to the sinkhole during the first 5 days of observation
Due to the number of infected endpoints and their profile we generated a feed for ShadowServer
[Figure: Windows Endpoints to Sinkhole]
Additions to the Sinkhole
Despite looking like Javascript, the malware was written in "Jscript"
• A Javascript-like vbscript alternative created by Microsoft
• This nuance hinted that it might be a good idea to ensure that p0f or another OS fingerprinting tool was deployed to the sinkhole
• The goal of this being the ability to segment "possibly infected" from "research related" requestors, operating under the theory that only things with Windows fingerprints should be considered
Verifying p0f fingerprints
[Figure: OS fingerprint breakdown of sinkhole requestors across Windows 7 or 8, Windows NT kernel, Linux and FreeBSD; shares shown are 95%, 3%, 2% and 0%]
This pattern sounds familiar
Why didn't your Exploit Kit / Traffic Direction Service pattern pick this up?
• It's registering domains on a fixed interval
• It's adding and deleting domains to accounts that resolve to the same endpoint
They split the activity up across multiple accounts…
• One account would add a domain
• Another account would add the follow-up domain… etc
One important takeaway from this was to take a wider view and look at finding activity splayed across endpoints
Also, looking at recursive traffic for the domain is key
Higher Quality DGA
They used a set of ngrams which make "less anomalous looking" names
Some of the domains are even all real words!
Earlier we were looking at domains like:
• Long runs of only consonants
• A lack of common vowel-consonant groupings…
Compared with the names this DGA produced:
• owhatnetweb.isteingeek.de
• whatishowask.isteingeek.de
• isweblcode.isteingeek.de
• webaskctu.isteingeek.de
Case 2: DNS Beaconing Malware
In early December 2014 we received a sample from ShadowServer unlike others seen in the past
• It was of specific interest because the sandbox showed some very interesting DNS traffic
On Jan 11th 2015 Cylance posted a detailed look at the North Korean Central News Agency web server
The post had details about a specific type of malware being distributed from the website
Cylance Report: KCNA Malware
The domain, a.gwas.perl.sh, is requested by the malware
The resulting IP address of the DNS query of a.gwas.perl.sh (3) is then sent a DNS query
The target domain is a string which presumably identifies features about the infected victim.
Image and details from /infinity-vs.-the-real-world-kcna-malware
Same Pattern, Different Hash
As this was making its way to the blog-o-sphere a ragtag band was looking into a similar sample
• Daniel Plohmann of Fraunhofer FKIE
• Steven Adair of Volexity
The initial relationship was centered on the domain a.gwas.perl.sh
Then, after seeing what Cylance published about the domain names used for beaconing, we could confirm that the network communication looked the same
C&C Domain
The binary our team was focusing on used 3 hardcoded C&C nodes:
• a.gwas.perl.sh
The latter of the domains is one which is using Dyn's Dynamic DNS platform
After going over the incident with our Customer Service team the domain was moved to a sinkhole
Who is asking?
With the domain resolving to a sinkhole we were now receiving all of the traffic originally destined for the C&C domain
This allowed us to capture the DNS beacon queries
At first we were using Bro IDS to log all of the DNS traffic, however it was running a lowercase function on the CNAME
This led to a switch to the richest data stream: full network capture!
aka tcpdump
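The lowercasing problem above is a general one: a beacon that encodes victim data in the queried name can carry information in letter case, and a normalizing logger silently discards it. The following is an added example, not code from the deck or from Bro; it builds a constructed DNS query packet and parses its question section with case preserved, refusing compression pointers, which a query must not contain.

```python
# Added example (not from the slide deck): parse the question section of a raw
# DNS query so the QNAME keeps its original letter case.  The packet builder and
# the hostnames used with it are constructed test input.
import struct


def build_query(qname: str, txid: int = 0x1337) -> bytes:
    """Build a minimal standard query (QTYPE A, QCLASS IN) for qname."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def parse_question(packet: bytes):
    """Return (qname, qtype, qclass) from the first question, case preserved."""
    if len(packet) < 12:
        raise ValueError("short header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount != 1:
        raise ValueError(f"expected 1 question, got {qdcount}")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        if length == 0:                      # root label terminates the name
            pos += 1
            break
        if length & 0xC0:                    # 11xxxxxx = compression pointer
            raise ValueError("compression pointer in question section")
        if length > 63 or pos + 1 + length > len(packet):
            raise ValueError("malformed label")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def case_bits(label: str) -> str:
    """Bit string of which letters are upper-case: exactly what lowercasing destroys."""
    return "".join("1" if c.isupper() else "0" for c in label if c.isalpha())


def logged_name(packet: bytes, normalize: bool) -> str:
    """What a logger records for the packet, with or without lowercase normalization."""
    name = parse_question(packet)[0]
    return name.lower() if normalize else name
```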
Recursive Resolvers Querying for
The scale helps show the diversity but >99% of the queries are from CN
Endpoints sending DNS Beacons to the sinkhole
The scale helps show the diversity but >99% of the beacons come from CN
Reversing