DNS The Achilles' Heel of Advanced Persistent Threats and Cyber Crime
10/21/2011
Copyright ©2010 Damballa, Inc. All Rights Reserved Worldwide.
About

• Gunter Ollmann
  – VP of Research, Damballa Inc.
  – Board of Advisors, IOActive Inc.
• Brief Bio:
  – Been in IT industry for 2+ decades
  – Built and run international pentest teams, R&D groups and consulting practices around the world.
  – Formerly Chief Security Strategist for IBM, Director of X-Force for ISS, Professional Services Director for NGS Software, Head of Attack Services EMEA, etc.
  – Frequent writer, columnist and blogger with lots of whitepapers…
• http://blog.damballa.com & http://technicalinfodotnet.blogspot.com/
• Email: [email protected]
• Twitter: @gollmann
Session includes…

• Crimeware lifecycle
• (Brief) Background on DNS
• Passive DNS
• Timeline Reconstruction
• Malware Chains
• Authoritative DNS
• Early Warning Systems
Crimeware Lifecycle
From downloader, to stealer, to fully-fledged botnet member
Crimeware Lifecycle

Victim side (diagram labels: Victim, Dropper(s), Downloader, Updater, Update Downloader):
• Dropper(s): Dropper unpacks on the Victim machine and runs
• Post Unpack: Disable local security; Prevent updates/patches; Inventory victim
• Downloader: Download Bot Agent
• Updater: Confirm installation (Is this a real machine? Have I seen it before?); Update malware location
• Post Agent Install: Delete dropper/installer; Clear logs & events; Catalogue & inventory

Criminal Control (diagram labels: Repository, CnC Proxies, CnC Portals):
• Host bot agent(s); Whitelisted repositories; Updates to bot agent; Agent selection criteria; Agent integrity checking; Locking of agent to victim; Unique to botnet
• Multiple CnC proxies; Updates list of agent CnC’s; Separate CnC portals; Data repository; Issuing batched commands; Logging of install successes
• Remote access & control; Encrypted files from victim; Stolen passwords & PII
Domain vs IP

• For cyber-crooks, DNS provides:
  – Massive scalability
  – Dynamic network support
  – Robustness against takedown
  – Virtual host support (hacked sites)
  – Evasion of common blacklist approaches
• C&C with explicit IP addresses:
  – Are infrequently used…
  – Often limited to older control protocols
  – Are not agile enough for large botnet operations
(Brief) Background to DNS
The minimum stuff you need to know to understand the rest of the material
Brief Background: resolving evil.blah.com

Client → Recursive DNS Server (Resolver): Where is evil.blah.com? (A)
  Resolver: I don’t know, let me find out
Resolver → . Root Server: Where is evil.blah.com? (A)
  Root Server: I don’t know, ask .com. (NS)
Resolver → .com. gTLD Server: Where is evil.blah.com? (A)
  gTLD Server: I don’t know, ask ns.blah.com. (NS)
Resolver → ns.blah.com. Authoritative Name Server: Where is evil.blah.com? (A)
  Authoritative Name Server: evil.blah.com is 123.123.123.123
Resolver → Client: evil.blah.com is 123.123.123.123
Caching

Client → Recursive DNS Server (Resolver): Where is evil.blah.com?
  Resolver: Someone asked me that before, I have that info cached!
Resolver → Client: evil.blah.com is 123.123.123.123

Recursive DNS Server:
* Will likely have the .com. gTLD server cached
* May have the .blah.com. authoritative name server cached

(Other nodes in the diagram: . Root Server, .com. gTLD Server, .blah.com. Authoritative Name Server)
Other DNS Stuff

• The Terms:
  – gTLD = Generic top-level domain
  – ccTLD = Country-code top-level domain
  – A record = Authoritative DNS record
  – NS Record = Name Server DNS record
• DNS observations don’t require DPI
A DNS Packet

[Figure: obligatory screenshot of a DNS packet]
Passive DNS
Observing DNS data and discovering artifacts
Passive DNS

• The “passive” part
  – Info gained by observing DNS traffic
• What is a “passive DNS database”?
  – Extraction of RR sets
  – Domain name, IP address, (date/time)
  – evil.blah.com., 123.123.123.123, 1315535207
• How can it be mined?
  – Historic information of past DNS query responses
  – What IP/domain a domain/IP had in the past
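The two slides above (the DNS packet and the RR-set extraction that feeds a pDNS database) come together in the following added example. It is not code from the talk or from Damballa: a small wire-format parser that reads a DNS response, walks the answer section, and emits the (name, type, value, timestamp) tuples a passive sensor would store, in the spirit of the slide's "evil.blah.com., 123.123.123.123, 1315535207". The packets it parses are constructed inside the block; the compression-pointer hop limit is a defensive assumption of this example, since a sensor that parses untrusted packets must not loop forever on a crafted name.

```python
"""Added example (not from the slides): decode a DNS response and extract the
RR sets a passive-DNS sensor keeps, as (owner, type, value, timestamp) tuples.
The packets are constructed here; the parser only relies on the wire format."""
import struct

MAX_POINTER_HOPS = 16   # defensive cap: a crafted packet can chain name pointers forever


def read_name(pkt, off):
    """Decode a (possibly compressed, RFC 1035 4.1.4) name starting at pkt[off].
    Returns (dotted name with trailing '.', offset just past the name in the record)."""
    labels, hops, resume_at = [], 0, None
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[off]
        if length & 0xC0 == 0xC0:                        # compression pointer
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("name pointer loop")
            if off + 1 >= len(pkt):
                raise ValueError("truncated pointer")
            if resume_at is None:
                resume_at = off + 2                       # caller continues after the pointer
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (resume_at if resume_at is not None else off)


RTYPE_NAMES = {1: "A", 5: "CNAME"}


def extract_rrsets(pkt, observed_at):
    """Return pDNS tuples (owner, type, value, observed_at) from the answer section.
    Only A and CNAME are kept in this example; other types are skipped, not rejected."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qdcount):                              # skip the question section
        _qname, off = read_name(pkt, off)
        off += 4                                          # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        owner, off = read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata_off, off = off, off + rdlen
        if off > len(pkt):
            raise ValueError("truncated rdata")
        if rclass != 1:                                   # IN class only
            continue
        if rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in pkt[rdata_off:off])
        elif rtype == 5:
            value, _ = read_name(pkt, rdata_off)          # CNAME target may be compressed too
        else:
            continue
        records.append((owner, RTYPE_NAMES[rtype], value, observed_at))
    return records


def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_sample_response():
    """Constructed response: evil.blah.com CNAME cnc.bad.blah.com, then two A records."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)   # QR=1, RD=1, RA=1
    question = _encode_name("evil.blah.com.") + struct.pack("!HH", 1, 1)
    qname_ptr = b"\xc0\x0c"                               # pointer to the QNAME at offset 12
    target = _encode_name("cnc.bad.blah.com.")
    rr_cname = qname_ptr + struct.pack("!HHIH", 5, 1, 300, len(target)) + target
    target_off = len(header) + len(question) + len(qname_ptr) + 10
    target_ptr = struct.pack("!H", 0xC000 | target_off)   # A records point at the CNAME target
    rr_a1 = target_ptr + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([123, 123, 123, 123])
    rr_a2 = target_ptr + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([123, 123, 123, 129])
    return header + question + rr_cname + rr_a1 + rr_a2


def build_pointer_loop_packet():
    """Constructed malformed response whose single answer name points at itself."""
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 0, 1, 0, 0) + b"\xc0\x0c"


def sample_records():
    return extract_rrsets(build_sample_response(), 1315535207)


if __name__ == "__main__":
    for rec in sample_records():
        print(rec)
```

The CNAME answer is what turns the slide's "Could that be an alias?" question into data: the pDNS store keeps the alias edge as its own row, so a later pivot can follow it rather than silently merging the two owner names.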
Passive DNS DB (pDNS DB)

Tell me about evil.blah.com?

IPs evil.blah.com has resolved to:
127.000.000.001
123.123.123.123
123.123.123.129
201.070.112.044
212.213.101.067
212.213.101.069
212.213.103.088

New host names identified (pivoting on those IPs):
bad.blah.com
cnc.bad.blah.com
ns.blah.com
www.phish.com
ww2.phish.com
barclays.login.phish.com
barclays.login.blah.com
www.barclays-banking.cn
www.chase-banking.cn
ftp.gonefishing.biz
Sh0wmon3y.3322.com

New (related) domain names and IPs identified (pivoting on those host names):
040.221.146.076
040.221.148.015
123.123.123.120
123.123.123.123
123.123.123.124
123.123.123.126
123.123.123.129
189.114.070.155
189.114.070.156
201.070.112.044
212.213.101.067
212.213.101.069
212.213.103.068
212.213.103.080
212.213.103.098
212.213.103.114
212.213.103.174

Slide annotations:
* Probable phishing domains & campaign
* Could that be an alias?
* Free dynamic DNS provider in China (3322.com)
IP ASN knowledge

Residential ISP (two residential networks; DHCP churn of IP addresses):
040.221.146.076
040.221.148.015
189.114.070.155
189.114.070.156

Education / Open network (public FTP server):
201.070.112.044

Commercial, Private & Hosting:
* Fortune 100 company (hacked): 123.123.123.120, 123.123.123.123, 123.123.123.124, 123.123.123.126, 123.123.123.129
* Bullet-proof server hosting: 212.213.101.067, 212.213.101.069
* 212.213.103.068, 212.213.103.080, 212.213.103.098, 212.213.103.114, 212.213.103.174
Network Graphing

Graph Partitioning

• Graph structure is very informative

Example nodes:
IPs: 92.14.32.151 92.14.71.40 92.14.76.193 92.22.126.182 92.22.131.124 92.22.133.175 92.22.138.8 92.22.141.90 92.22.143.186 92.22.154.164 92.22.171.101 92.22.191.31
Domains: www.handcreatedcards.com www.nutshellurl.com nutshellurl.com

ASN lookup:
TT-AOLUK-AS TalkTalk Communications Limited
43234 | 92.14.76.193  | 92.8.0.0/13  | GB | ripencc | 2007-06-28
43234 | 92.22.131.175 | 92.22.0.0/15 | GB | ripencc | 2007-06-28
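The pDNS DB, IP ASN knowledge and Graph Partitioning slides describe one workflow: pivot domain → IPs → domains, tag each IP with network knowledge, and partition the resulting graph. The following added example (not the talk's or Damballa's code) implements that workflow over a constructed set of records modelled on the slide's values, written without the slide's zero padding. The category table keyed by prefix is an assumption standing in for a real ASN feed, and the noise filter that refuses to pivot through loopback or private addresses is the practical caveat: "Could that be an alias?" hides a parking value (127.0.0.1) that would otherwise glue unrelated domains into one cluster.

```python
"""Added example (not from the slides): pivot through a passive-DNS index
(domain -> IPs -> more domains), tag the IPs with ASN/category knowledge, and
partition the domain/IP graph into connected components. Records and the
category table are constructed for this example."""
import ipaddress
from collections import defaultdict, deque

PDNS = [  # (domain, ip) observations, constructed
    ("evil.blah.com", "127.0.0.1"),
    ("evil.blah.com", "123.123.123.123"),
    ("evil.blah.com", "123.123.123.129"),
    ("evil.blah.com", "201.70.112.44"),
    ("evil.blah.com", "212.213.101.67"),
    ("bad.blah.com", "123.123.123.123"),
    ("cnc.bad.blah.com", "123.123.123.129"),
    ("www.phish.com", "212.213.101.67"),
    ("ww2.phish.com", "212.213.101.69"),
    ("barclays.login.phish.com", "212.213.101.67"),
    ("barclays.login.phish.com", "212.213.101.69"),
    ("www.barclays-banking.cn", "212.213.103.68"),
    ("www.chase-banking.cn", "212.213.103.68"),
    ("ftp.gonefishing.biz", "201.70.112.44"),
    ("Sh0wmon3y.3322.com", "40.221.146.76"),
    ("Sh0wmon3y.3322.com", "189.114.70.155"),
    ("www.handcreatedcards.com", "92.14.76.193"),
    ("www.nutshellurl.com", "92.22.131.124"),
    ("nutshellurl.com", "92.22.131.124"),
    ("nutshellurl.com", "92.14.76.193"),
    ("parked.example", "127.0.0.1"),          # unrelated domain parked on loopback
]

IP_KNOWLEDGE = [  # constructed ASN/category table mirroring the slide's labels
    (ipaddress.ip_network("40.221.0.0/16"), "residential ISP"),
    (ipaddress.ip_network("189.114.0.0/16"), "residential ISP"),
    (ipaddress.ip_network("201.70.0.0/16"), "education / open network"),
    (ipaddress.ip_network("123.123.123.0/24"), "commercial (hacked)"),
    (ipaddress.ip_network("212.213.0.0/16"), "bullet-proof hosting"),
]


def is_noise_ip(ip):
    """Loopback/private/unspecified addresses are parking values, not infrastructure;
    pivoting through them would merge unrelated domains into one cluster."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_private or addr.is_unspecified


def categorize(ip):
    addr = ipaddress.ip_address(ip)
    for net, label in IP_KNOWLEDGE:
        if addr in net:
            return label
    return "unknown"


def build_index(records):
    """Bidirectional index: domain -> {ip} and ip -> {domain}, noise IPs dropped."""
    dom2ip, ip2dom = defaultdict(set), defaultdict(set)
    for dom, ip in records:
        if is_noise_ip(ip):
            continue
        dom2ip[dom.lower()].add(ip)
        ip2dom[ip].add(dom.lower())
    return dom2ip, ip2dom


def pivot(records, seed, max_pivots=1):
    """From a seed domain: its IPs, then every domain sharing those IPs, repeated
    max_pivots times. Returns (domains, ips) reached, seed included."""
    dom2ip, ip2dom = build_index(records)
    seen_dom, seen_ip = {seed.lower()}, set()
    frontier = {seed.lower()}
    for _ in range(max_pivots):
        new_ips = set().union(*(dom2ip[d] for d in frontier)) - seen_ip
        seen_ip |= new_ips
        frontier = set().union(*(ip2dom[ip] for ip in new_ips)) - seen_dom
        seen_dom |= frontier
    return seen_dom, seen_ip


def components(records):
    """Connected components of the bipartite domain/IP graph (graph partitioning)."""
    dom2ip, _ = build_index(records)
    adj = defaultdict(set)
    for dom, ips in dom2ip.items():
        for ip in ips:
            adj[("dom", dom)].add(("ip", ip))
            adj[("ip", ip)].add(("dom", dom))
    seen, comps = set(), []
    for start in list(adj):
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            comp.add(node)
            for nxt in adj[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        comps.append(frozenset(comp))
    return comps


def profile(records, seed, max_pivots=1):
    """Domains related to the seed plus a category breakdown of the infrastructure."""
    doms, ips = pivot(records, seed, max_pivots)
    breakdown = defaultdict(int)
    for ip in ips:
        breakdown[categorize(ip)] += 1
    return sorted(doms), dict(breakdown)


if __name__ == "__main__":
    print(profile(PDNS, "evil.blah.com", max_pivots=2))
    for comp in components(PDNS):
        print(sorted(name for _, name in comp))
```

With these records the nutshellurl/handcreatedcards cluster from the graph slide stays a separate component, and the two Chinese banking look-alikes form their own; a second pivot round is what pulls ww2.phish.com into the evil.blah.com cluster, which is why an analyst wants the hop count as a parameter rather than a fixed depth.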
Timeline Reconstruction
Tapping pDNS to rebuild an attack and constituent campaigns

Timelines

• Date/time reconstruction of domain to IP
  – Identify common criminal features/tactics
  – Identify C&C transitions
• Spot transitions
  – Reputation inheritance
  – Registration vs activation
  – Change of campaigns & operators
  – Campaign development
pDNS Timeline Reconstruction

• “evil.blah.com” IP history
  – First-ever DNS lookup
    * 123.123.123.123
    * Residential DHCP-assigned IP
  – Initial C&C server
    * 189.114.070.155
    * 189.114.070.156
    * Bullet-proof host
  – C&C server
    * 220.181.111.42
    * China residential IP
  – Sinkhole
    * 76.74.239.238
  – Point to “good” IP
    * 74.125.45.147
    * Google Web server
  – C&C server
    * 040.221.146.076
    * 040.221.148.015
    * 123.123.123.123
    * 212.213.101.069
    * Hacked servers
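The following added example (not code from the talk) shows the timeline reconstruction the slide sketches, done mechanically: timestamped pDNS observations for one domain are collapsed into phases, each phase is labelled from analyst knowledge of the IPs, and the transitions between phases are listed together with any gap during which the name resolved to nothing. The observation windows, the exact dates and the role table are constructed for this example, following the slide's evil.blah.com story; grouping by identical first/last-seen window is a deliberate simplification.

```python
"""Added example (not from the slides): rebuild a domain's IP history from
timestamped passive-DNS observations, collapse it into phases, and list the
transitions between them. Observations, dates and the role table are constructed."""
from datetime import date

OBSERVATIONS = [  # (ip, first_seen, last_seen) for evil.blah.com, constructed
    ("123.123.123.123", "2010-03-15", "2010-03-20"),
    ("189.114.70.155", "2010-03-21", "2010-05-30"),
    ("189.114.70.156", "2010-03-21", "2010-05-30"),
    ("220.181.111.42", "2010-05-31", "2010-08-15"),
    ("40.221.146.76", "2010-08-16", "2010-10-01"),
    ("212.213.101.69", "2010-08-16", "2010-10-01"),
    ("76.74.239.238", "2010-10-05", "2010-12-31"),
    ("74.125.45.147", "2011-01-01", "2011-03-01"),
]

IP_ROLE = {  # constructed analyst knowledge, mirroring the slide's annotations
    "123.123.123.123": "residential DHCP",
    "189.114.70.155": "bullet-proof host",
    "189.114.70.156": "bullet-proof host",
    "220.181.111.42": "China residential",
    "40.221.146.76": "hacked server",
    "212.213.101.69": "hacked server",
    "76.74.239.238": "sinkhole",
    "74.125.45.147": "known-good web server",
}


def build_phases(observations):
    """Phases = IPs observed over the same [first_seen, last_seen] window, in date order.
    Overlapping but unequal windows stay separate phases in this simple version."""
    by_window = {}
    for ip, first, last in observations:
        key = (date.fromisoformat(first), date.fromisoformat(last))
        by_window.setdefault(key, set()).add(ip)
    phases = []
    for (start, end), ips in sorted(by_window.items()):
        phases.append({
            "start": start, "end": end, "days": (end - start).days + 1,
            "ips": sorted(ips),
            "roles": sorted({IP_ROLE.get(ip, "unknown") for ip in ips}),
        })
    return phases


def transitions(phases):
    """(date, roles before, roles after, days with no resolution) per infrastructure change."""
    out = []
    for prev, cur in zip(phases, phases[1:]):
        gap = (cur["start"] - prev["end"]).days - 1
        out.append((cur["start"].isoformat(), prev["roles"], cur["roles"], max(gap, 0)))
    return out


def end_state(phases):
    """Where the domain points now: sinkholed or parked on a legitimate IP means this
    domain's part of the campaign is over; anything else is still live infrastructure."""
    roles = phases[-1]["roles"]
    if "sinkhole" in roles:
        return "sinkholed"
    if "known-good web server" in roles:
        return "parked on legitimate IP"
    return "active"


if __name__ == "__main__":
    phases = build_phases(OBSERVATIONS)
    for p in phases:
        print(p["start"], p["end"], p["days"], p["roles"], p["ips"])
    for t in transitions(phases):
        print(t)
    print(end_state(phases))
```

The gap field is the detail worth keeping: a few days during which the name resolved to nothing, followed by a sinkhole, reads differently from a seamless move between two hacked servers, and the "point to a good IP" phase at the end is the reputation-inheritance case the Timelines slide warns about, since blocking that last IP would block a legitimate web server.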
Malware Chains
Finding links between malware campaigns

Extracting Network Behaviors

[Figure: Malware Analysis diagram. Labels: Cloud AV Scanning, Auto-Analysis, Application Shuffling, Internet, Virtualization, CnC Traffic Inspection, Portfolio Applications, Vendor products, Bot Agent, Vulnerable Applications, “Victim” Portfolios, “Live” Credentials, Transparent Proxies, Emulation, Static Analysis, Gaming Platform, Dropper, Binary Dissection, Multiple OS, Packet Captures, Advanced Honeypot, Bare-metal, Dilation & Acceleration, Feature Extraction, User Mimicry, Dynamic Network, Randomness, DNS Manipulation, Clustering, Signatures]
Malware as seed & evidence

• Extraction of CnC’s from crimeware
  – Along with unique hash, date/time & cluster ID
• Cyber-criminals change crimeware families
  – Network infrastructure changes slower
• Combine with passive DNS
  – Crimeware CnC domain > IP > domain > …
• Malware samples that are discovered/analyzed are not necessarily in the order the criminals released them
  – May be big deltas and missing links
Building a malware chain

Crimeware family 1 (serial variants: identical network behaviors & features)
* Domain names (extracted from binary): bad.blah.com, cnc.bad.johnny.com, make.my.day.com, cnc.thinking.co.cc, ww2.phish.com, barclays.login.phish.com, Sh0wmon3y.3322.com
* IP addresses (extracted from binary or derived from domains): 123.123.123.123, 123.123.123.129, 201.070.112.044, 212.213.101.067, 212.213.101.069, 212.213.103.088

New malware family (cluster based upon network behaviors & features)
* CnC domains: abc.flatter.br, cnc.bad.johnny.com, day.make.my, cnc.fatter888.com, Sh0wmon3y.3322.com
* CnC IP addresses: 123.123.123.101, 201.070.112.044, 212.213.101.067, 212.213.101.069, 212.213.103.089

Same domains between crimeware families: cnc.bad.johnny.com, Sh0wmon3y.3322.com
Same IP’s being recycled between campaigns: 201.070.112.044, 212.213.101.067, 212.213.101.069
Building a malware chain (schematic)

IP and domain sets observed across a series of samples:

IP.1 IP.2 IP.3 | domain.a domain.b domain.c
IP.1 IP.2 IP.3 | domain.a domain.c domain.e
IP.1 IP.2 IP.3 | domain.a domain.e domain.f
IP.1 IP.2 IP.3 | domain.f domain.g domain.h
IP.1 IP.2 IP.3 | domain.g domain.h domain.e

• Crimeware Campaigns: serial variants with same or very similar network features
• Commonality: IP and domain associations combine to build the timeline
• Branching: parallel campaigns and/or sub-leasing of botnets
Building a malware chain

• Start: When, where and how did the criminal begin?
• Malware campaign timeline
  – Campaign or APT?
  – Show history of operator
  – Identify “mistakes” by operator
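The "Building a malware chain" slides describe a procedure: cluster samples by network features, then link clusters that share domains or IPs into a lineage, so that serial variants, the campaign timeline and branching fall out of the data. The following added example (not the talk's or Damballa's code) implements that linking over constructed clusters that follow the slide's IP.n / domain.x schematic. The weighting of shared features by how many clusters use them is this example's own design choice, chosen so that a feature everyone shares (a free dynamic-DNS host such as the slide's 3322.com name, or a hosting IP recycled across campaigns) cannot by itself decide a cluster's parent; cluster IDs and first-seen day indexes are constructed.

```python
"""Added example (not from the slides): link crimeware clusters into a chain by
the network features they share, so that serial variants, the timeline and
branching (parallel campaigns / sub-leasing) can be read off. Clusters are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Cluster:
    cid: str            # cluster ID from malware clustering (constructed)
    first_seen: int     # day index on the constructed timeline
    domains: frozenset
    ips: frozenset

    def features(self):
        return {("dom", d) for d in self.domains} | {("ip", i) for i in self.ips}


def _c(cid, day, domains, ips):
    return Cluster(cid, day, frozenset(domains), frozenset(ips))


CLUSTERS = [  # rows of the slide's schematic, plus one constructed branch (C6)
    _c("C1", 1, {"domain.a", "domain.b", "domain.c"}, {"IP.1", "IP.2", "IP.3"}),
    _c("C2", 2, {"domain.a", "domain.c", "domain.e"}, {"IP.1", "IP.2", "IP.3"}),
    _c("C3", 3, {"domain.a", "domain.e", "domain.f"}, {"IP.1", "IP.2", "IP.3"}),
    _c("C4", 4, {"domain.f", "domain.g", "domain.h"}, {"IP.1", "IP.2", "IP.3"}),
    _c("C5", 5, {"domain.g", "domain.h", "domain.e"}, {"IP.1", "IP.2", "IP.3"}),
    _c("C6", 5, {"domain.f", "domain.i", "domain.j"}, {"IP.4"}),
]


def feature_weights(clusters):
    """Weight = 1 / number of clusters using the feature: a domain or IP shared by
    everyone (free dynamic DNS, a recycled hosting IP) says little about lineage."""
    counts = Counter(f for c in clusters for f in c.features())
    return {f: 1.0 / n for f, n in counts.items()}


def build_chain(clusters):
    """Parent of each cluster = earlier cluster with the highest weighted overlap
    (ties go to the more recent candidate). Returns {child: (parent, shared features)}."""
    weights = feature_weights(clusters)
    ordered = sorted(clusters, key=lambda c: c.first_seen)
    parents = {}
    for i, child in enumerate(ordered):
        best, best_score = None, 0.0
        for cand in ordered[:i]:
            shared = cand.features() & child.features()
            score = sum(weights[f] for f in shared)
            if shared and score >= best_score:       # >= : later candidate wins ties
                best, best_score = (cand.cid, frozenset(shared)), score
        if best:
            parents[child.cid] = best
    return parents


def lineage(parents, cid):
    """Walk from a cluster back to its root: the serial-variant chain, oldest first."""
    path = [cid]
    while path[-1] in parents:
        path.append(parents[path[-1]][0])
    return path[::-1]


def branch_points(parents):
    """Clusters with more than one successor: parallel campaigns or a sub-leased botnet."""
    children = defaultdict(list)
    for child, (parent, _) in parents.items():
        children[parent].append(child)
    return {p: sorted(cs) for p, cs in children.items() if len(cs) > 1}


def roots(clusters, parents):
    """Clusters with no earlier relative: where each chain (the 'Start' question) begins."""
    return sorted(c.cid for c in clusters if c.cid not in parents)


if __name__ == "__main__":
    parents = build_chain(CLUSTERS)
    for child, (parent, shared) in sorted(parents.items()):
        print(child, "<-", parent, sorted(shared))
    print("lineage of C5:", lineage(parents, "C5"))
    print("branches:", branch_points(parents))
    print("roots:", roots(CLUSTERS, parents))
```

Because samples reach the analyst out of release order, the first-seen day used for ordering should be the earliest evidence available (pDNS first-seen of the cluster's domains, not the day the sample arrived); feeding the chain builder arrival dates is the easiest way to invert a parent/child pair.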
Authoritative DNS
Observing DNS traffic at the authoritative level

Authoritative DNS (diagram): Recursive DNS Server (Resolver) → . Root Server → .com. gTLD Server → .blah.com. Authoritative Name Server, which is authoritative for .blah.com domains (bad.blah.com, cnc.bad.blah.com, ns.blah.com, barclays.login.blah.com, …).

Recursives around the world query the authoritative name server for evil.blah.com.

• Authoritative DNS server:
  – Provides definitive answer to domain request
  – All recursive DNS lookups must use its answer …otherwise the answer is “spoofed”
• Monitoring at the authoritative DNS level:
  – Visibility of all non-cached lookups for the domain
  – Reconstruction of global lookups
  – Identification of IP’s making the lookup
  – Derive likely rate of infection & victims
Timeline Reconstruction

[Figure: timeline from March 2010 to March 2011 with the following events]
* Primary Domain Setup: 2010/03/15 08:18:59am
* First US Corp victim: 2010/03/15 09:13:41am
* Healthcare: First victim
* US University: First victim
* US Federal: First victim
* Search engine crawler: First crawl
* Infamy: “APT” Victim
* Story Breaks: “APT”
“Kopis” & the DNS upper-levels
Early warning of malicious domains with authoritative DNS query visibility

Threat forecasting using DNS

• General premises:
  – DNS lookups for malware related domains are different to normal sites
    • Not human originated
    • Infection/remediation of the infected machine(s)
  – Botnet, malware and other threat lifecycles have discernible features
  – Time gap between the day malware is released and the day samples are captured and analyzed
• Statistical modeling of DNS resolution patterns can be used for forecasting…
Kopis

• Global identification of malicious domains
• Hierarchical DNS observations
  – Passive monitoring of DNS traffic in the upper levels of the DNS hierarchy
• Analyzes streams of DNS queries and responses at AuthNS (or TLD) servers
  – Extracts a set of statistical features and trains a detector using labeled training data

Overview (Kopis Detection System diagram): Recursive DNS Requestors; Root Server; TLD Server; AuthNS Server; Feature Calculations; Statistical Classifier; Learning Module; Knowledge Base; Detection Reports
Statistical Features (Feature Calculations)

• Requester Diversity (RD)
  – Are the machines (e.g., RDNS, NATs, Stubs) that query a given domain name localized, or do they have network diversity?
• Requester Profile (RP)
  – What are the characteristics of the querying machines?
  – Are requesters located in ISPs, small business, stand-alone users?
  – Human driven lookups follow a diurnal distribution, which deviates from the distribution of malware driven lookups.
• Resolved-IPs Reputation (IPR)
  – Has the IP address space pointed to by a given domain been historically linked with known malicious activities, or known legitimate services?
  – This set of features is used but is not mandatory.

Requestor Profile

[Figure: number of requestor IP’s per CIDR; average weight; evasion protection through weighted RP features]
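The Statistical Features and Requestor Profile slides name the feature families without showing a computation, and the Authoritative DNS slide before them says what the input is: every non-cached lookup, with the IP that made it. The following added example (not the Kopis implementation, and not code from the talk or Damballa) computes requester-diversity and requester-profile style features from such a query log, plus a diurnal-shape feature, and ends with a transparent ranking heuristic that stands in for the trained classifier the slide describes. The log, the requester-network table and the per-network weights are constructed; the weighting is this example's way of illustrating "evasion protection": many stub resolvers packed into one residential /24 should not count like the same number of large ISP resolvers.

```python
"""Added example (not from the slides, not Kopis): requester-side features of the
kind the slide names, RD and RP, from a query log as an authoritative server sees
it, plus a diurnal-shape feature. Log, network table and weights are constructed."""
import ipaddress
import math
from collections import Counter

REQUESTER_NETS = [  # constructed: who the requester IPs are, and how much one IP "counts"
    (ipaddress.ip_network("198.51.100.0/24"), "ISP recursive resolver", 1.0),
    (ipaddress.ip_network("203.0.113.0/24"), "ISP recursive resolver", 1.0),
    (ipaddress.ip_network("192.0.2.0/24"), "ISP recursive resolver", 1.0),
    (ipaddress.ip_network("40.221.0.0/16"), "residential stub", 0.05),
    (ipaddress.ip_network("189.114.0.0/16"), "residential stub", 0.05),
]


def requester_weight(ip):
    addr = ipaddress.ip_address(ip)
    for net, _kind, weight in REQUESTER_NETS:
        if addr in net:
            return weight
    return 0.2  # unknown network: assumed weight for this example


def constructed_log():
    """(hour_utc, requester_ip, qname) rows. A legitimate site is queried by a few large
    resolvers during the day; the C&C name by many stubs in two residential /24s, all day."""
    log = []
    for hour in range(8, 20):
        for ip in ("198.51.100.10", "198.51.100.11", "203.0.113.5", "192.0.2.77"):
            log.append((hour, ip, "www.legit.example"))
    for hour in range(24):
        for host in range(1, 11):
            log.append((hour, f"40.221.146.{host}", "evil.blah.com"))
            log.append((hour, f"189.114.70.{host}", "evil.blah.com"))
    return log


def features(log, qname):
    rows = [(h, ip) for h, ip, q in log if q == qname]
    if not rows:
        return None
    ips = {ip for _, ip in rows}
    cidrs = Counter(str(ipaddress.ip_network(ip + "/24", strict=False)) for ip in ips)
    hourly = Counter(h for h, _ in rows)
    counts = [hourly.get(h, 0) for h in range(24)]
    mean = sum(counts) / 24
    cv = math.sqrt(sum((c - mean) ** 2 for c in counts) / 24) / mean
    return {
        "rd_requesters": len(ips),                    # RD: distinct requester IPs
        "rd_cidrs": len(cidrs),                       # RD: how many /24s they span
        "rp_avg_per_cidr": len(ips) / len(cidrs),     # RP: requester IPs per CIDR
        "rp_weighted": sum(requester_weight(ip) for ip in ips),  # RP: evasion-resistant
        "night_ratio": sum(counts[0:6]) / len(rows),  # diurnal: share of 00-06 UTC queries
        "hourly_cv": cv,                              # 0 = flat (machine-like), high = peaky
    }


def rank_domains(log):
    """Illustrative heuristic, not a trained model: flat around-the-clock querying from
    many IPs packed into few CIDRs ranks highest."""
    scores = {}
    for qname in {q for _, _, q in log}:
        f = features(log, qname)
        scores[qname] = f["rp_avg_per_cidr"] * (1.0 - min(f["hourly_cv"], 1.0))
    return sorted(scores, key=lambda q: scores[q], reverse=True)


if __name__ == "__main__":
    log = constructed_log()
    for qname in ("www.legit.example", "evil.blah.com"):
        print(qname, features(log, qname))
    print(rank_domains(log))
```

The contrast the slide draws is visible in the numbers: the C&C name has five times the raw requester count of the legitimate site but a far lower weighted profile, because its requesters are stubs in two residential networks, and its hourly distribution is flat where the human-driven one is confined to working hours. A real classifier is trained on labelled domains rather than hand-set thresholds; the heuristic here only makes the direction of each feature explicit.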
Early Warning

[Figure: early warning, days before malware is publicly uncovered]

Approach Success

• Kopis has high detection rates (98.4%) and low false positive rates (0.3%)
  – Based upon eight months of real-world data
• Long-term evaluation with real data shows that Kopis can reliably detect new malicious domain names, while maintaining low FP rates
Kopis - Early Detection Proof Points

1. IMDDoS (taken down & announced)
   • Commercial DDoS botnet discovered in 3rd quarter of 2010
   • Number of compromised machines close to 10K on average
2. The 0ki Botnet (taken down)
   • Hosted in multiple US and CA networks
   • 96 different networks
   • Turkojan (a.k.a. UK TROJAN) - a Backdoor Trojan
3. First major phishing campaign discovered by Kopis (taken down)
   • Brand hijacking and fake UGGs
   • 25K IPs visited these domains over 2 months from 193 different networks
4. Lenovo Botnet hosted in China (taken down)
   • Very low detection rate – VirusTotal - 7/43 (16.3%)
   • 358 infected networks
5. The H1 Botnet (taken down)
   • Lower estimate of 4K infected IPs in 676 networks
   • C&Cs hosted in US (2), SA (1) and CN (1)
6. C1c0 Botnet (still investigating - no MD5 yet)
   • (Potentially) infected IPs ~3.5K in 44 different countries
   • 1324 CN, 661 TW, 238 KR, 223 US, 91 JP, 82 ES, 66 HK, 52 FR, …
Wrapping Up
Bringing it all together

Summary

• Passive DNS is pretty useful!
  – Expanding upon domain/IP relationships
  – Domain timeline reconstruction
  – Relationship graphing & threat categorization
• Bulk malware feature extraction
  – Clustering of crimeware & campaigns
  – Rebuilding threat history (and mistakes)
  – Threat determination:
    • targeted, persistent, campaign or leased

Summary

• Authoritative DNS observations
  – Global visibility using passive data
  – Reconstruction of threat timeline
  – Determination of victims & threat nature
• Forecasting at the authoritative level
  – Application of statistical modeling
  – “Big data” processing techniques
  – Warning in advance of malware interception

Conclusions

• Passive DNS can provide new evidence trails and threat context – if you know how to look!
• Combined with malware, gain a greater threat understanding
• Auth DNS can provide global (silent) visibility
• DNS is core to the Internet