Fast Detection of New Malicious Domains using DNS
Fast Detection of New Malicious Domains using DNS
Dhia Mahjoub OpenDNS
October 18th, 2013
Outline
• DNS infrastructure
• Monitoring/detection system
• Domain/IP watch list
• Post-detection filtering
• Implementation
• Use cases: FF Kelihos domains, EK domains, Ransomware, Trojans
• Conclusion
DNS big data: query logs, auth logs
OpenDNS' Network Map
Malicious use of DNS
• Botnet/Malware C&C
• DGAs
• Fast flux
• DNS amplification attacks
Our Focus
• Attack domains, not compromised domains
-> Exploit kit domains
-> Malware delivery domains
Fast Flux Monitoring/Detection System
• TTL=0 Kelihos Fast Flux domains, 7-month study presented at APWG eCrime 2013: http://labs.umbrella.com/2013/09/24/real-time-monitoring-kelihos-fast-flux-botnet-case-study-presented-apwg-ecrime-2013/
• TTL=150
• TTL=300
• TTL=1440, spam domains
Fast Flux Monitoring/Detection System
While true:
1. Select a seed of Kelihos domains with a confirmed profile
2. Continuously milk domains for IPs
3. Continuously "inverse lookup" IPs in passive DNS, for new domains that start resolving to these IPs
4. Check detected domains for known profile (e.g. TTL, registration, existence of payload, etc.)
5. Add new domains to the initial seed
Kelihos domains profile
• Various gTLDs, ccTLDs, 1 single IP, TTL=0, hosted on Kelihos botnet IP pool (growing), infected individual machines, recent registration, delivering malware executables with known names
• Recorded case(s) of domain resolving to several IPs with TTL=600, cocala.asia, or TTL=300
Generalized Monitoring/Detection System
• While true:
• Read IP watch list, launch parallel process for every IP
• A process performs IP inverse lookup against DNSDB
• Every process returns new domains for IP
• Join all processes' output, check against blacklist
• Keep only new domains
• Perform parallelized post discovery checks using different heuristics: traffic pattern, name pattern, extra IP reputation check, etc.
• Add new domains to blacklist
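The following is an added example, not OpenDNS code, of one iteration of the seed-driven loop the two monitoring slides describe (milk seed domains for IPs, inverse-lookup those IPs in passive DNS, keep only new domains, check them against the Kelihos profile, extend the seed and blacklist). DNSDB is replaced by a constructed in-memory record list, the profile check is reduced to the TTL=0 / single-IP properties the profile slide lists, and all domain names, IPs and day numbers are made up.

```python
"""Added example (not OpenDNS code): one pass of the seed -> IP -> new-domain
discovery loop, run against a constructed in-memory stand-in for DNSDB."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PdnsRecord:
    domain: str
    ip: str
    ttl: int
    first_seen: int   # day number on which this (domain, ip) pair was first observed


# Constructed passive DNS data: two seed domains share a pool of TTL=0, single-IP
# hosts; one new domain later appears on that pool with the same profile, another
# appears with a normal TTL; a separate IP hosts ordinary sites.
PDNS = [
    PdnsRecord("seed-a.example", "203.0.113.10", 0, 1),
    PdnsRecord("seed-a.example", "203.0.113.11", 0, 2),
    PdnsRecord("seed-b.example", "203.0.113.11", 0, 2),
    PdnsRecord("seed-b.example", "203.0.113.12", 0, 3),
    PdnsRecord("fresh-c.example", "203.0.113.12", 0, 9),      # new, matches profile
    PdnsRecord("shop.example", "203.0.113.12", 3600, 9),      # new, wrong profile
    PdnsRecord("blog.example", "198.51.100.5", 3600, 1),
    PdnsRecord("news.example", "198.51.100.5", 300, 1),
]


def index_pdns(records):
    """Forward (domain -> records) and inverse (ip -> records) indexes: the two
    lookups the loop alternates between."""
    fwd, inv = defaultdict(list), defaultdict(list)
    for r in records:
        fwd[r.domain].append(r)
        inv[r.ip].append(r)
    return fwd, inv


def milk_ips(fwd, seed_domains):
    """Step 2: every IP the seed domains have resolved to becomes the IP watch list."""
    return {r.ip for d in seed_domains for r in fwd.get(d, [])}


def inverse_lookup(inv, ip, since_day):
    """Step 3: domains that started resolving to `ip` on or after `since_day`."""
    return {r.domain for r in inv.get(ip, []) if r.first_seen >= since_day}


def kelihos_like(fwd, domain):
    """Step 4, reduced to the checks visible on the profile slide: every record
    for the domain has TTL=0 (each record already carries a single IP)."""
    recs = fwd.get(domain, [])
    return bool(recs) and all(r.ttl == 0 for r in recs)


def discover_once(records, seed, blacklist, since_day):
    """One pass of the 'while true' loop. Mutates `seed` and `blacklist` (step 5)
    and returns (confirmed new domains, candidates rejected by the profile check)."""
    fwd, inv = index_pdns(records)
    candidates = set()
    for ip in milk_ips(fwd, seed):
        candidates |= inverse_lookup(inv, ip, since_day)
    candidates -= set(seed) | set(blacklist)        # keep only new domains
    confirmed = {d for d in candidates if kelihos_like(fwd, d)}
    seed.update(confirmed)
    blacklist.update(confirmed)
    return confirmed, candidates - confirmed


if __name__ == "__main__":
    seed = {"seed-a.example", "seed-b.example"}
    blacklist = set()
    confirmed, rejected = discover_once(PDNS, seed, blacklist, since_day=5)
    print("confirmed:", sorted(confirmed), "rejected:", sorted(rejected))
```

Each confirmed domain is added to the seed, so the next pass milks its IPs as well; that is what lets the watch list follow a growing botnet IP pool instead of staying at the original seed.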
Watch list selection
• Continuous background process
• Different methods/heuristics to harvest new IPs with high risk potential
• Use fresh blacklist, 3rd party BL domain list
Watch list selection (cont'd)
• Resolve IPs and cluster by popularity, age, attack theme
-> IP observed to host exclusively EK domains or ransomware
-> Similar name pattern of hosted domains
-> Similar traffic pattern
• Remove IPs on large shared hosting providers unless exceptions (e.g. keep OVH CIDR dedicated to malware), sinkholes, other IP profiles that could cause FPs
Harvesting bad IPs
• When we discover new high risk IPs, why not just block IPs? Sure, we can, and we often do!
• But you lose intel and investigative material related to domains: name patterns, DGAs, dynamic DNS usage, malicious subdomains under legitimate compromised domains
Post detection checks
• Traffic pattern, name pattern, further IP reputation check
• If a spike or beginning of spike, then potential risk domain
• Exclude spam domains
• But spike means domain has already delivered attack
Post detection checks (cont'd)
• So preemptive blocking is necessary if domain has high potential of being an attack domain
• Not everything should be automated
• Human intel and investigation needed at times to remove FPs and add FN back -> Fine-tune the model
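As an added example (not OpenDNS code), the traffic-pattern check from the two post-detection slides applied to constructed daily query counts: a domain whose recent queries are already far above its baseline is a spike (the attack has been delivered), a domain whose counts have only started to climb is the "beginning of spike" that justifies preemptive blocking, and spam domains are excluded before either verdict. The baseline window, multipliers and minimum query counts are assumptions chosen for the demo.

```python
"""Added example (not OpenDNS code): spike / beginning-of-spike detection over
constructed per-domain daily resolver query counts (oldest day first)."""
from statistics import mean

# Constructed data; day 0 is the day the domain first appeared in passive DNS.
TRAFFIC = {
    "fresh-c.example": [0, 0, 0, 0, 0, 0, 3, 40, 900],        # spike already happened
    "ramp-g.example":  [0, 0, 0, 0, 0, 0, 2, 6, 14],          # ramp just starting
    "quiet-d.example": [0, 0, 0, 0, 1, 0, 2, 1, 0],           # nothing yet
    "busy-e.example":  [500, 520, 480, 510, 495, 505, 515, 490, 500],  # steady
    "spam-f.example":  [0, 0, 0, 0, 0, 0, 5, 60, 1200],       # spike, but spam
}
SPAM_DOMAINS = {"spam-f.example"}   # would come from the spam-domain whitelist/profile


def spike_state(counts, baseline_days=7, spike_factor=5, spike_min=20,
                ramp_factor=2, ramp_min=10):
    """Compare the newest day against the mean of the baseline window.
    'spike'     : newest day is >= spike_factor x baseline and >= spike_min queries
    'beginning' : newest day is rising, >= ramp_factor x baseline and >= ramp_min
    'none'      : otherwise (or not enough history to judge)."""
    if len(counts) <= baseline_days:
        return "none"
    base = max(mean(counts[:baseline_days]), 1.0)   # an all-zero baseline counts as 1
    last, prev = counts[-1], counts[-2]
    if last >= spike_min and last >= spike_factor * base:
        return "spike"
    if last >= ramp_min and last > prev and last >= ramp_factor * base:
        return "beginning"
    return "none"


def triage(domain, counts, spam_domains=SPAM_DOMAINS):
    """Map the traffic state to the action the slides describe."""
    if domain in spam_domains:
        return "exclude"
    state = spike_state(counts)
    if state == "spike":
        return "block-already-delivering"
    if state == "beginning":
        return "block-preemptively"
    return "keep-watching"


if __name__ == "__main__":
    for name, counts in TRAFFIC.items():
        print(f"{name:18s} {spike_state(counts):10s} {triage(name, counts)}")
```

Domains that land in "keep-watching" are exactly the ones the slides leave to human investigation: the automated check has no evidence yet, so the analyst decides whether the IP profile alone is enough to block.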
Platform and tools used
- Pig on Hadoop cluster
- Raw logs on HDFS
- Indexed DNSDB in HBase
- Python, shell, GNU Parallel
System in a nutshell
-> Constantly running process of harvesting fresh high risk IPs
-> Constantly running process of discovering fresh malicious domains
-> Constantly querying DNSDB with IP inverse lookups
Backend:
-> DNSDB constantly fed with authoritative traffic from all resolvers
Whitelist
• IPs hosting spam domains: a lot of IPs on AS15149, e.g. 216.169.100.133
• Shared hosting IPs with a large number of general purpose websites
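The pruning rules from the "Watch list selection (cont'd)" and "Whitelist" slides, as an added example that is not OpenDNS code: an IP stays on the watch list when it exclusively hosts attack-themed domains, is dropped when it is a sinkhole, sits on the whitelisted spam-hosting AS/IP, or looks like shared hosting, except when it falls inside the exception prefix. The OVH prefix 198.50.128.0/17, AS15149 and 216.169.100.133 are the values the slides give; the candidate inventory, its private-range ASNs and the sinkhole address are constructed.

```python
"""Added example (not OpenDNS code): watch-list pruning over a constructed
inventory of candidate IPs and the domains each one hosts."""
import ipaddress

ATTACK_THEMES = {"ek", "ransomware"}
EXCEPTION_CIDRS = [ipaddress.ip_network("198.50.128.0/17")]   # OVH prefix from the slides
WHITELIST_ASNS = {15149}                                      # spam hosting AS from the slides
WHITELIST_IPS = {"216.169.100.133"}                           # example IP from the slides
SINKHOLES = {"192.0.2.1"}                                     # constructed

# Constructed inventory: ip -> (asn, [(hosted domain, theme), ...]). Themes are what
# a match against the fresh blacklist / 3rd-party BL domain list would yield.
INVENTORY = {
    "198.50.235.200": (64496, [("q1w2e3.example", "ek"), ("r4t5y6.example", "ek"),
                               ("u7i8o9.example", "ek")]),
    "198.50.130.7":   (64496, [("p0a9s8.example", "ek"), ("cafe.example", "general")]),
    "203.0.113.50":   (64500, [("d7f6g5.example", "ek"), ("shop.example", "general"),
                               ("club.example", "general")]),
    "203.0.113.60":   (64501, [("h4j3k2.example", "ransomware"),
                               ("l1z0x9.example", "ransomware")]),
    "216.169.100.133": (15149, [("bulkmail.example", "spam")]),
    "192.0.2.1":      (64502, [("sinkholed.example", "ek")]),
}


def in_exception(ip):
    """True when the IP lies inside a prefix that is kept despite shared hosting."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXCEPTION_CIDRS)


def classify_ip(ip, asn, hosted, min_domains=2):
    """Return (keep, reason) for one candidate IP."""
    if ip in SINKHOLES:
        return False, "sinkhole"
    if ip in WHITELIST_IPS or asn in WHITELIST_ASNS:
        return False, "whitelisted spam hosting"
    themes = {theme for _, theme in hosted}
    if themes and themes <= ATTACK_THEMES and len(hosted) >= min_domains:
        return True, "exclusively hosts attack domains"
    if "general" in themes:
        if in_exception(ip):
            return True, "shared hosting inside exception prefix"
        return False, "shared hosting"
    return False, "insufficient evidence"


def build_watch_list(inventory):
    """Apply classify_ip to every candidate; returns {ip: reason} for kept IPs."""
    kept = {}
    for ip, (asn, hosted) in inventory.items():
        keep, reason = classify_ip(ip, asn, hosted)
        if keep:
            kept[ip] = reason
    return kept


if __name__ == "__main__":
    for ip, reason in sorted(build_watch_list(INVENTORY).items()):
        print(f"{ip:16s} {reason}")
```

Every dropped IP carries its reason, which is what an analyst needs when adding a false negative back: a "shared hosting" drop can be overturned by adding a prefix to the exception list, a "whitelisted" drop by revisiting the whitelist.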
Use cases
• Kelihos fast flux botnet
• Fake AV
• .pl domains used for Kovter and other
• GoDaddy compromised domains
• Cryptolocker CnC discovery
• NuclearPack EK
• Browlock domains
Kelihos Fast flux
• Kelihos fast flux botnet
• Up until Sep 16th, about 984 domains (and subdomains) hosted on 28757 IPs http://labs.umbrella.com/2013/09/24/real-time-monitoring-kelihos-fast-flux-botnet-case-study-presented-apwg-ecrime-2013/
• Sample of domains of Aug-Sep: 399 domains on 8159 IPs
Fake AV
• 82.208.40.11 hosting 23502 Fake AV, Fake SW domains for 76 days https://www.virustotal.com/en/ip-address/82.208.40.11/information/
• Free domains under cz.cc, uni.me
• 176.31.125.91 hosting 6687 similar domains for 66 days
.pl used for ransomware
• Sample of .pl domains: 19267 domains on 12 IPs
• 3 level domains: f9photo.ucuphahnui.kepno.pl, 95oishi.maimuofief.pisz.pl
• First 2 labels are DGAs
• Used in malvertising campaigns on adult websites leading to Exploit kit domains and Kovter ransomware dropping http://www.malekal.com/2013/07/31/en-urausy-adultfriendzfinder-malvertising-banner/
from malware.dontneedcoffee.com
NuclearPack EK
-> 1523 domains on 198.50.225.113
• 2 level domains under .biz
• 1st label is random, 16 2LDs registered July 28th
• hxxp://[email protected]:59902/0e724s2d10467436c6149sce02712a.html
-> 1378 domains on 198.50.235.198
• 2 level domains under .biz
• 1st label is random
• hxxp://u5s1av.diwalipearl.biz:55252/5a9b00e34d8b18cb571ba56a357cfafc.html
NuclearPack EK
-> 198.50.235.200 became active on Oct 15th
• Already hosting 400+ domains
• hxxp://[email protected]:44142/4078c813508ad60acc95d0744365c68c.html
• Shifting on 198.50.128.0/17 OVH prefix
Compromised GoDaddy domains
• Campaign of injecting malicious subdomains (3LDs) under legitimate/compromised GoDaddy domains (2LDs)
• 5 IPs hosting 800 subdomains (3LDs) over 10 days in Aug-Sep
• Used to serve Cool exploit kit through CookieBomb attack on compromised websites and finally drop Reveton http://quequero.org/2013/09/active-cookiebomb-cve-2013-2465-reveton/
• Happened before in 2012 and happening again http://nakedsecurity.sophos.com/2012/11/23/hacked-go-daddy-ransomware/
Compromised GoDaddy domains
Cryptolocker CnCs
• Ransomware released early September 2013
• Encrypts your files and asks for a $300 ransom to get them back
• 2 initial Cryptolocker CnCs were picked up by the system a day before they were published on Sep 11
• xeogrhxquuubt.com
• qaaepodedahnslq.org
Browlock domains
• Browser-based ransomware targeted at countries in 3 different continents
• Example: 194.44.49.150 hosting 2629 subdomains over 26 days
Browlock domains
Browlock domains (cont'd)
• Browser-based ransomware targeted at countries in 3 different continents
• 193.169.87.15, 196.47.100.2, over a period of 13 days, hosting 8978 browlock domains and domains with adult-themed names that redirect to browlock
Browlock domains (cont'd)
Conclusion
• Ongoing research and work to increase coverage and accuracy of early detection of domains before they deliver attacks
• Extend coverage to shared hosting IPs
• Effective early detection/protection DNS-based system
• Use it with other protection methods: AV, IDS, etc.
• Experimentation in our lab with streaming technologies: Storm, Kafka, ZeroMQ -> Complementary with DNSDB-based detection system
Contact Info
• Contact me at [email protected] if you are interested in:
• Asking questions
• Collaborating
• Follow me on Twitter @DhiaLite
• Blogs http://labs.umbrella.com/author/dhia/
Thank you
(Q & A)