Marauder or Scanning Your DNSDB for Fun and Profit - SOURCE Boston
Marauder or Scanning your DNSDB for Fun and Profit
Dhia Mahjoub, OpenDNS
April 10th, 2014, Boston

Short Bio
• Senior Security Researcher at OpenDNS
• Predictive threat detection based on DNS traffic and hosting infrastructure analysis
• CS PhD graduate from Southern Methodist University -------> Go Mustangs!
• Graph Theory applied on Wireless Sensor Networks problems (network lifetime, routing)
• Enjoyed writing sniffers, port scanners in C…
Outline
• DNSDB
• Marauder
• Implementation
• ASN graph
• Use case 1: Suspicious Sibling Leaf ASNs
• Use Case 2: Rogue ASN de-peered or gone stealth
• Use Case 3: ASN(s) abused or lax about content
• Marauder: Platform, tools, libraries used
• Marauder in action
• Use case 4: Malicious sub-allocated ranges
• Use case 5: Predicting Malicious domains IP infrastructure
• Conclusion
DNS data
[Figure: OpenDNS' Network Map, with querylogs and authlogs as the DNS data sources feeding DNSDB]

DNSDB
Passive DNS
• Introduced by Florian Weimer in 2004
• Passive DNS builds zone replicas without cooperation from zone administrators
• Captures messages between DNS servers
• Messages are processed, de-duplicated, and DNS records are consolidated in an indexed database
  -> Historical DNS database (DNSDB)
Passive DNS (cont'd)
Various Services
1. http://www.bfk.de/bfk_dnslogger_en.html
2. DNSDB (Farsight Security) https://www.dnsdb.info/
3. Umbrella SGraph (re-dubbed Investigate) https://sgraph.opendns.com/main
4. VirusTotal DNSDB
• https://github.com/gamelinux/passivedns
• https://github.com/chrislee35/passivedns-client
Why is DNSDB useful?
[Figure: graph of Domain (D), IP address and Name server (NS) nodes linked by their DNS records, plus the time dimension]
Streaming Authoritative DNS
• Tap into processed authoritative DNS stream before it's consolidated into a persistent DB
• asn, domain, 2LD, IP, NS_IP, timestamp, TTL, type
• Faster
• 100s – 1000s entries/sec (from subset of resolvers)
• Need to implement your own filters, detection heuristics
Marauder

Marauder
• Maraud (def): To rove and raid in search for plunder
• Martin B-26 Marauder
  • WW2 medium-range bomber
  • Pacific, Mediterranean, Western Europe theaters

Marauder
• Cruise the IP, DNS space in search for new attack domains, IP infrastructures
Implementation
1. IP watchlist + domain filter(s) + more post detection filter(s)
   • IP watchlist <- blacklist feeds + other heuristics to build malicious/suspicious IP lists
2. Domain detection heuristics: name pattern, IP, NS, age, traffic volume
Building the IP watchlist
Motivation
• Assess malicious IP ranges in BGP prefixes, ASNs from a new perspective
• Look beyond the simple counting of number of bad domains, bad IPs hosted on prefixes of an ASN
How?
• Look at topology of AS graph
• Look at smaller granularity than BGP prefix: sub-allocated ranges within BGP prefixes
AS graph
• BGP routing tables
• Valuable data sources
  • Routeviews http://archive.routeviews.org/bgpdata/
  • Cidr-report http://www.cidr-report.org/as2.0/
  • Hurricane Electric database http://bgp.he.net/
  • Your own routing tables if you operate your own worldwide BGP routers
• 500,000+ BGP prefixes
• 46,000+ ASNs
AS graph
[Screenshots: Route Views http://archive.routeviews.org/bgpdata/, Cidr Report http://www.cidr-report.org/as2.0/, Hurricane Electric database http://bgp.he.net/]
• Show!one!line!of!the!BGP!rouAng!table!
• TABLE_DUMP2|1392422403|B|96.4.0.55|11686|67.215.94.0/24|11686!4436!2914!36692|IGP|96.4.0.55|0|0||NAG||!
• The!AS!graph!changes!constantly:!• New!prefixes!(with!their!routes)!are!announced!
• Old!prefixes!are!dropped!
• IntenAonal,!human!error,!hardware!faults,!or!malicious!
AS graph
  TABLE_DUMP2|1392422403|B|96.4.0.55|11686|67.215.94.0/24|11686 4436 2914 36692|IGP|96.4.0.55|0|0||NAG||
• We can extract two types of useful data:
  1. Upstream and downstream ASNs of every ASN
  2. IP to ASN mapping (via prefix to ASN mapping)
     • pyasn, Python IP to ASN lookup module https://code.google.com/p/pyasn/
     • Team Cymru IP to ASN mapping
     • GeoIPASNum.dat from MaxMind
     • curl ipinfo.io/8.8.8.8/org
AS graph
• Build AS graph
• Directed graph: node=ASN, a directed edge from an ASN to an upstream ASN
  TABLE_DUMP2|1392422403|B|96.4.0.55|11686|67.215.94.0/24|11686 4436 2914 36692|IGP|96.4.0.55|0|0||NAG||
  (the AS path reads from the collector's peer to the origin, so it yields the edges 36692 -> 2914 -> 4436 -> 11686)

AS graph
• Directed graph: node=ASN, a directed edge from an ASN to an upstream ASN
Interesting cases:
• Leaf ASNs that are siblings, i.e. they have common parents in the AS graph (share same upstream AS)
• Cluster the leaves by country
• Find interesting patterns: certain siblings in certain countries are delivering similar suspicious campaigns
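As an added example (not the talk's own code), the AS graph construction and sibling-leaf search above in plain Python over a few constructed TABLE_DUMP2 lines: the first line is the one shown in the slides, the ASNs 64496-64500 are documentation ASNs used as stand-ins for real leaves and upstreams.

```python
from collections import defaultdict

# Constructed sample of TABLE_DUMP2 lines: the first is the line shown in the slides, the
# rest are made-up routes (documentation ASNs 64496-64500) that contain sibling leaves.
SAMPLE_DUMP = """\
TABLE_DUMP2|1392422403|B|96.4.0.55|11686|67.215.94.0/24|11686 4436 2914 36692|IGP|96.4.0.55|0|0||NAG||
TABLE_DUMP2|1392422403|B|96.4.0.55|11686|192.0.2.0/24|11686 4436 64500 64496|IGP|96.4.0.55|0|0||NAG||
TABLE_DUMP2|1392422403|B|96.4.0.55|11686|198.51.100.0/24|11686 4436 64500 64497 64497|IGP|96.4.0.55|0|0||NAG||
TABLE_DUMP2|1392422403|B|96.4.0.55|11686|203.0.113.0/24|11686 4436 2914 64500 64498|IGP|96.4.0.55|0|0||NAG||
"""

def parse_as_path(line):
    """AS_PATH (7th '|' field) as a list of ints, with prepending collapsed and AS sets dropped."""
    path = []
    for tok in line.split("|")[6].split():
        if tok.startswith("{"):            # AS_SET such as {64496,64497}: no clear upstream
            continue
        asn = int(tok)
        if not path or path[-1] != asn:    # collapse prepending (64497 64497 -> 64497)
            path.append(asn)
    return path

def build_as_graph(lines):
    """Directed graph as a dict: asn -> set of upstream ASNs (next hop toward the collector)."""
    upstreams = defaultdict(set)
    for line in lines:
        if not line.startswith("TABLE_DUMP2|"):
            continue
        path = parse_as_path(line)
        for up, down in zip(path, path[1:]):   # path reads: collector peer ... origin
            upstreams[down].add(up)
        for asn in path:
            upstreams.setdefault(asn, set())   # every ASN on the path is a node
    return dict(upstreams)

def leaf_asns(graph):
    """Leaves: ASNs that never act as upstream for anyone, i.e. no downstream customers seen."""
    all_upstreams = set().union(*graph.values())
    return {asn for asn in graph if asn not in all_upstreams}

def sibling_leaf_groups(graph):
    """Sibling leaves: upstream ASN -> sorted leaf ASNs hanging off it (groups of 2 or more)."""
    groups = defaultdict(set)
    for leaf in leaf_asns(graph):
        for up in graph[leaf]:
            groups[up].add(leaf)
    return {up: sorted(leaves) for up, leaves in groups.items() if len(leaves) > 1}
```

Clustering the resulting groups by country is a lookup of each leaf's origin country (pygeoip or whois data) on top of this output.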
Use Case 1: Suspicious Sibling leaf ASNs

Leaf ASNs and their upstreams
• January 8th topology snapshot, Ukraine, Russia
• 10 sibling leaf ASNs with 2 upstream ASNs
• /23 or /24 serving TrojWare.Win32.Kryptik.AXJX, Trojan-Downloader.Win32.Ldmon.A
• http://telussecuritylabs.com/threats/show/TSL20130715-08
Leaf ASNs and their upstreams
• February 21st topology snapshot, Ukraine, Russia
• AS31500 detached itself from the leaves (stopped announcing their prefixes)
• More leaves started hosting suspicious payload domains
• 3100+ malware domains on 1020+ IPs hosting malware
Leaf ASNs and their upstreams
• Taking a sample of 160 live IPs
• Server setup is similar:
  50 IPs with:
    22/tcp   open  ssh         OpenSSH 6.2_hpn13v11 (FreeBSD 20130515; protocol 2.0)
    8080/tcp open  http-proxy  3Proxy http proxy
    Service Info: OS: FreeBSD
  108 IPs with:
    22/tcp   open  ssh         OpenSSH 5.3 (protocol 1.99)
    80/tcp   open  http?
Leaf ASNs and their upstreams
• The payload URLs were live on the entire range of IPs before any domains were hosted on them
• So, the IP infrastructure is set up in bulk and in advance
• http://pastebin.com/X83gkPY4
Use Case 2: ASN abused or lax about shady content

Example ASNs abused or lax
• Wordstream hosting fake merchandise, Exploit kit domains, XXX themed sites, etc
• Resellers using IP space of larger providers
  • e.g. Ixam-hosting uses Voxility
• Other abused ASNs like OVH, LeaseWeb, etc
• Ranking of ASNs: sitevet.com
Use Case 3: Rogue ASN de-peered or gone stealth

Rogue ASN de-peered or gone stealth
• AS48031 XSERVER-IPNETWORK-AS PE Ivanov Vitaliy Sergeevich 86400
• Serving browlock, porn, radical forums, spam, etc
• "PE Ivanov Vitaliy Sergeevich malware"
Rogue ASN de-peered or gone stealth
[Screenshot of news headline: "Romanian Man Commits Suicide and Kills His 4-Year-Old after Falling for Police Ransomware"]
Rogue ASN de-peered or gone stealth
• AS48031 XSERVER-IPNETWORK-AS PE Ivanov Vitaliy Sergeevich 86400
• Prefix to ASN rows for AS48031:
  176.103.48.0/20 48031
  193.169.86.0/23 48031
  193.203.48.0/22 48031
  193.30.244.0/22 48031
  194.15.112.0/22 48031
  196.47.100.0/24 48031
  91.207.60.0/23 48031
  91.213.8.0/24 48031
  91.217.90.0/23 48031
  91.226.212.0/23 48031
  91.228.68.0/22 48031
  93.170.48.0/22 48031
  94.154.112.0/20 48031

Rogue ASN de-peered or stealth
[Screenshots: AS48031 topology before and after de-peering]
Marauder: Platform, tools, libraries used

Platform and tools used
- Hadoop cluster
- Raw logs on HDFS
- Indexed DNSDB in HBase
- Python, shell, GNU Parallel
- Streaming, zmq
Python libraries
• Happybase: developer-friendly Python library to interact with Apache HBase
  http://happybase.readthedocs.org/en/latest/
  Column -> value
  Single row: domain, time, type, IP -> TTL
• Search DNSDB by IP, name
• Forward lookup for domain to get history of IPs, TTL
• Inverse lookup for IP to get mapping domain(s) over time
Python libraries
• Happybase:
    import happybase

    # protect in a try/except: the Thrift connection and the scan can fail or time out
    try:
        connection = happybase.Connection('server.com', compat='0.90')
        table = connection.table('authlogs')
        _domain = "google.com"
        # row key layout is domain:time:type:ip; the trailing ':' keeps the prefix scan
        # from also matching longer names such as google.community
        for key, data in table.scan(row_prefix=_domain + ":"):
            domain, time_, rtype, ip = key.split(":")
            ip_ttl = ip + " " + data['name2rr:v']  # if you need the TTL
    except Exception as exc:
        print("DNSDB scan failed: %s" % exc)
Python libraries
• IPy: Python class and tools for handling of IPv4 and IPv6 addresses and networks
  https://github.com/haypo/python-ipy/wiki
  Use it to flatten a CIDR into a list of IPs
    from IPy import IP

    cidr = IP('127.0.0.0/30')
    for ip in cidr:      # iterates over all four addresses, 127.0.0.0 to 127.0.0.3
        print(ip)
Python libraries
• PySubnetTree: Python data structure SubnetTree which maps subnets given in CIDR notation to Python objects.
• Lookups are performed by longest-prefix matching.
  http://www.bro.org/download/README.pysubnettree.html
  Use it to map IP to BGP prefix and/or ASN
• A row in the prefix to ASN database (file):
  1.22.232.0/24 45528

Python libraries
• PySubnetTree: Load pref_asn db then do lookups on IPs
    import SubnetTree

    pref_asn_db = SubnetTree.SubnetTree()
    # every line of the file is "<prefix> <asn>", e.g. "1.22.232.0/24 45528"
    with open("pref-asn", 'r') as f_pref_asn:
        for line in f_pref_asn:
            prefix, asn = line.split()
            pref_asn_db[prefix] = prefix + " " + asn   # pref_asn_db["1.22.232.0/24"] = "1.22.232.0/24 45528"
    ip = "1.22.232.7"
    # longest-prefix match; raises KeyError when no prefix covers the IP
    cidr = pref_asn_db[ip].split()[0]   # "1.22.232.0/24"
    asn = pref_asn_db[ip].split()[1]    # "45528"
Python libraries
• PyASN: Python extension module (written in C) that allows to perform very fast IP to ASN lookups
  https://code.google.com/p/pyasn/
• pygeoip: Map IP to country code
  https://pypi.python.org/pypi/pygeoip
• networkx: Python package to manipulate graphs
  http://networkx.github.io/
Marauder in action

Marauder in action
• Input: IP, BGP prefix, or ASN
• Use DNSDB (HBase)
• Use auth DNS stream
HBase:
1) IP: direct lookup
2) BGP prefix -> flatten prefix -> fork processes (GNU parallel processes or threads) to query HBase for every IP
3) ASN -> get list of prefixes from pref_asn_db -> process every prefix like in 2)
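The three input paths above as one dispatcher, added here as an example and not the talk's own tool: the HBase scan and the prefix-to-ASN file are replaced by small constructed dicts, the prefix is flattened with the standard ipaddress module, and the per-IP lookups run in a thread pool in place of GNU parallel.

```python
import ipaddress
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-ins for the talk's data sources (not OpenDNS's DNSDB or prefix db):
PREF_ASN_DB = {"192.0.2.0/24": 64496, "198.51.100.0/26": 64496, "203.0.113.0/24": 64497}
DNSDB_INVERSE = {            # IP -> domains seen resolving to it (constructed sample)
    "192.0.2.5": ["a.example", "b.example"],
    "192.0.2.9": ["c.example"],
    "198.51.100.3": ["d.example"],
    "203.0.113.7": ["e.example"],
}

def lookup_ip(ip):
    """1) IP: direct inverse lookup (an HBase scan in the real tool, a dict here)."""
    return DNSDB_INVERSE.get(str(ip), [])

def prefixes_of_asn(asn):
    """3) ASN -> list of its prefixes taken from the prefix-to-ASN db."""
    return [p for p, a in PREF_ASN_DB.items() if a == asn]

def scan_prefix(prefix, workers=8):
    """2) BGP prefix -> flatten into every address -> query all of them in parallel."""
    ips = [str(ip) for ip in ipaddress.ip_network(prefix, strict=False)]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lookup_ip, ips))   # order matches ips
    return {ip: doms for ip, doms in zip(ips, results) if doms}

def marauder(target):
    """Dispatch on the input kind: int -> ASN, 'a.b.c.d/n' -> prefix, otherwise a single IP."""
    if isinstance(target, int):
        hits = {}
        for prefix in prefixes_of_asn(target):
            hits.update(scan_prefix(prefix))
        return hits
    if "/" in target:
        return scan_prefix(target)
    doms = lookup_ip(target)
    return {target: doms} if doms else {}
```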
Use Case 4: Malicious sub-allocated ranges

Malicious sub-allocated ranges
• Case of OVH
• Sub-allocated ranges reserved by same suspicious customers, serving Nuclear Exploit kit domains
• Users are led to the Exploit landing sites through malvertising campaigns, then malware is dropped on victims' machines (e.g. zbot)
• Monitoring patterns for 5 months: Oct 2013-Feb 2014

Malicious sub-allocated ranges
• For several months, OVH ranges were abused
• Notable fact: IPs were exclusively used for hosting Nuclear Exploit subdomains, no other sites hosted
Malicious sub-allocated ranges
• Some OVH sub-allocated ranges used in Jan-Feb 2014
  192.95.50.208 - 192.95.50.215
  198.50.183.68 - 198.50.183.71
  192.95.42.112 - 192.95.42.127
  192.95.6.112 - 192.95.6.127
  192.95.10.208 - 192.95.10.223
  192.95.7.224 - 192.95.7.239
  192.95.43.160 - 192.95.43.175
  192.95.43.176 - 192.95.43.191
  198.50.131.0 - 198.50.131.15
Malicious sub-allocated ranges
• Feb 7th, bad actors moved to a Ukrainian hosting provider http://www.besthosting.ua/
  IP             first seen   last seen    days (last - first)
  31.41.221.143  2014-02-14   2014-02-14   0
  31.41.221.142  2014-02-12   2014-02-14   2
  31.41.221.130  2014-02-12   2014-02-14   2
  31.41.221.140  2014-02-12   2014-02-12   0
  31.41.221.139  2014-02-12   2014-02-12   0
  31.41.221.138  2014-02-11   2014-02-12   1
  31.41.221.137  2014-02-10   2014-02-11   1
  31.41.221.136  2014-02-10   2014-02-11   1
  31.41.221.135  2014-02-10   2014-02-10   0
  31.41.221.134  2014-02-09   2014-02-19   10
  31.41.221.132  2014-02-08   2014-02-09   1
  31.41.221.131  2014-02-07   2014-02-08   1
Malicious sub-allocated ranges
• Feb 14th, bad actors moved to a Russian hosting provider http://pinspb.ru/
  IP            first seen   last seen    days (last - first)
  5.101.173.10  2014-02-21   2014-02-22   1
  5.101.173.9   2014-02-19   2014-02-21   2
  5.101.173.8   2014-02-19   2014-02-19   0
  5.101.173.7   2014-02-18   2014-02-19   1
  5.101.173.6   2014-02-18   2014-02-18   0
  5.101.173.5   2014-02-17   2014-02-18   1
  5.101.173.4   2014-02-17   2014-02-17   0
  5.101.173.3   2014-02-16   2014-02-17   1
  5.101.173.2   2014-02-15   2014-02-16   1
  5.101.173.1   2014-02-14   2014-02-15   1
Malicious sub-allocated ranges
• Feb 22nd, bad actors moved back to OVH
• Notable fact: They change MO, IPs have been allocated and used in the past for other content -> evasion technique or resource recycling
• But during all this time, bad actors still kept the name server infrastructure on OVH on ranges reserved by same customers
Malicious sub-allocated ranges
  IP             first seen   last seen    days (last - first)
  198.50.143.73  2013-11-25   2014-02-24   91
  198.50.143.69  2013-11-25   2014-02-24   91
  198.50.143.68  2013-11-25   2014-02-24   91
  198.50.143.67  2013-11-26   2014-02-24   90
  198.50.143.65  2013-11-24   2014-02-23   91
  198.50.143.66  2013-11-25   2014-02-23   90
  198.50.143.64  2013-11-24   2014-01-25   62
  198.50.143.75  2013-12-03   2013-12-10   7
  198.50.143.79  2013-11-25   2013-12-10   15
  198.50.143.78  2013-11-25   2013-12-10   15
  198.50.143.74  2013-11-25   2013-12-10   15
  198.50.143.72  2013-11-25   2013-12-10   15
  198.50.143.71  2013-11-25   2013-12-10   15
  198.50.143.76  2013-11-25   2013-12-09   14
  198.50.143.70  2013-11-26   2013-12-09   13
  198.50.143.77  2013-11-26   2013-12-05   9
Malicious sub-allocated ranges
• http://labs.umbrella.com/2014/02/14/when-ips-go-nuclear/
• http://pastebin.com/SX5R69vY
• http://pastebin.com/KuxpNJwV
Abused TLDs
• Nuclear has been abusing various TLDs, ccTLDs (Feb 2014)
• .pw for a while
• Take down campaign with MalwareMustDie
• Moved to .ru and .in.net
• Then back to .pw
Use Case 5: Predicting malicious domains IP infrastructure

Malicious sub-allocated ranges (Feb 2014)
• For Nuclear, in addition to sub-allocated ranges reserved by same actors (for OVH case)
• The live IPs all have same server setup (fingerprint):
  31.41.221.131 to 31.41.221.143:
    22/tcp   open  ssh      OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
    80/tcp   open  http     nginx web server 0.7.67
    111/tcp  open  rpcbind
  5.101.173.1 to 5.101.173.10:
    22/tcp   open  ssh      OpenSSH 6.0p1 Debian 4 (protocol 2.0)
    80/tcp   open  http     nginx web server 1.2.1
    111/tcp  open  rpcbind

Malicious sub-allocated ranges (Feb 2014)
  198.50.143.64 to 198.50.143.79:
    22/tcp   open      ssh           OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
    80/tcp   open      http          nginx web server 0.7.67
    445/tcp  filtered  microsoft-ds
• In some cases, IPs are brought online in small chunks
• The name server IPs also have the same fingerprint
• Combination of these different indicators has made predictions 100% accurate for the past months. Bad actors change their MO, but this approach works on other attacks
• -> We block/monitor IPs before they start hosting domains
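The prediction step described above, written out as an added example (not the talk's code) on constructed data modelled on the 5.101.173.x case: the fingerprint shared by the IPs already seen hosting the campaign is taken as the signature, and every IP in the reserved range that carries it but has no DNSDB history yet goes on the watchlist before any domain points at it. The range, fingerprints and first/last-seen dates below are sample values, not the talk's real scan or DNSDB output.

```python
import ipaddress
from collections import Counter
from datetime import date

# Constructed sample data (hypothetical range and records, not the slides' real data)
RANGE = "5.101.173.0/28"   # sub-allocated range reserved by one customer
# DNSDB inverse lookups: IP -> (first seen, last seen) hosting the campaign's subdomains
DNSDB_SEEN = {
    "5.101.173.1": (date(2014, 2, 14), date(2014, 2, 15)),
    "5.101.173.2": (date(2014, 2, 15), date(2014, 2, 16)),
    "5.101.173.3": (date(2014, 2, 16), date(2014, 2, 17)),
}
# Service fingerprints of the live IPs in the range (nmap-style summary, constructed)
NGINX_BOX = "22/ssh OpenSSH 6.0p1 Debian 4|80/http nginx 1.2.1|111/rpcbind"
FINGERPRINTS = {
    "5.101.173.1": NGINX_BOX, "5.101.173.2": NGINX_BOX, "5.101.173.3": NGINX_BOX,
    "5.101.173.4": NGINX_BOX, "5.101.173.5": NGINX_BOX,
    "5.101.173.6": "22/ssh OpenSSH 5.9p1|80/http Apache 2.2.22",   # unrelated tenant
}

def confirmed_fingerprint(fingerprints, dnsdb_seen):
    """The dominant server setup among IPs already observed hosting the campaign."""
    seen = [fingerprints[ip] for ip in dnsdb_seen if ip in fingerprints]
    return Counter(seen).most_common(1)[0][0] if seen else None

def rollout_per_day(dnsdb_seen):
    """How many IPs came online each day: small daily chunks are the pattern to watch."""
    return dict(sorted(Counter(first for first, _ in dnsdb_seen.values()).items()))

def predicted_infrastructure(cidr, fingerprints, dnsdb_seen):
    """IPs in the range with the confirmed fingerprint but no DNSDB history yet:
    these are blocked/monitored before they start hosting domains."""
    bad_fp = confirmed_fingerprint(fingerprints, dnsdb_seen)
    if bad_fp is None:
        return []
    net = ipaddress.ip_network(cidr)
    return sorted(
        (ip for ip in fingerprints
         if ipaddress.ip_address(ip) in net
         and fingerprints[ip] == bad_fp
         and ip not in dnsdb_seen),
        key=ipaddress.ip_address,
    )
```

The name server IPs get the same treatment, since the slides note they share the fingerprint too.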
Conclusion
• Predictive threat detection based on:
  • Monitoring of DNS traffic (recursive and authoritative)
  and
  • hosting infrastructure
• Shut down the bad actors' infrastructure at the hosting provider, reseller level or lowest common upstream ancestor (with bad reputation and repeated offenses)
Contact Info
• [email protected] if you are interested in:
  • Asking questions
  • Collaborating
• Twitter @DhiaLite
• Blogs http://labs.umbrella.com/author/dhia/
Thank you!
(Q & A)