Fast Detection of New Malicious Domains using DNS
5 likes4,171 views
The document discusses a DNS-based system developed for the fast detection of new malicious domains, focusing on monitoring botnets like Kelihos and exploit kit domains. It outlines a methodology for continuous monitoring, domain filtering, and post-detection checks to enhance early detection of potential attack domains. The research emphasizes the importance of integrating human intelligence with automated systems for effective threat mitigation.
Fast Detection of New Malicious Domains using DNS
- 1. Fast Detection of New Malicious Domains using DNS Dhia Mahjoub OpenDNS October 18th, 2013
- 2. Outline • • • • • • • • DNS infrastructure Monitoring/detec@on system Domain/IP watch list Post-‐detec@on filtering Implementa@on Use cases FF Kelihos domains, EK domains, Ransomware, Trojans Conclusion
- 3. DNS big data querylogs authlogs
- 5. Malicious use of DNS • Botnet/Malware C&C • DGAs • Fast flux • DNS amplifica@on aXacks
- 6. Our Focus • AXack domains, not compromised domains -‐>Exploit kit domains -‐>Malware delivery domains
- 7. Fast Flux Monitoring/Detec@on System • TTL=0 Kelihos Fast Flux domains 7-‐months study presented at APWG eCrime 2013 hXp://labs.umbrella.com/2013/09/24/real-‐@me-‐monitoring-‐kelihos-‐fast-‐ flux-‐botnet-‐case-‐study-‐presented-‐apwg-‐ecrime-‐2013/ • TTL=150 • TTL=300 • TTL=1440, spam domains
- 8. Fast Flux Monitoring/Detec@on System While true 1. Select a seed of Kelihos domains w/ a confirmed profile 2. Con@nuously milk domains for IPs 3. Con@nuously “inverse lookup” IPs in passive DNS, for new domains that start resolving to these IPs 4. Check detected domains for known profile (e.g. TTL, registra@on, existence of payload, etc) 5. Add new domains to the ini@al seed
- 9. Kelihos domains profile • Various gTLDs, ccTLDs, 1 single IP, TTL=0, hosted on Kelihos botnet IP pool (growing), infected individual machines, recent registra@on, delivering malware executables with known names • Recorded case(s) of domain resolving to several IPs with TTL=600, cocala.asia, or TTL=300
- 10. Generalized Monitoring/Detec@on System • While true • Read IP watch list, launch parallel process for every IP • A process performs IP inverse lookup against DNSDB • Every process returns new domains for IP • Join all processes’ output, check against blacklist • Keep only new domains • Perform parallelized post discovery checks using different heuris@cs: traffic paXern, name paXern, extra IP reputa@on check, etc. • Add new domains to blacklist
- 11. Watch list selec@on • Con@nuous background process • Different methods/heuris@cs to harvest new IPs with high risk poten@al • Use fresh blacklist, 3rd party BL domain list
- 12. Watch list selec@on (cont’d) • Resolve IPs and cluster by popularity, age, aXack theme -‐>IP observed to host exclusively EK domains or ransomware -‐>Similar name paXern of hosted domains -‐>Similar traffic paXern • Remove IPs on large shared hos@ng providers unless excep@ons (e.g keep OVH CIDR dedicated to malware), sinkholes, other IP profiles that could cause FPs
- 13. Harves@ng bad IPs • When we discover new high risk IPs, why not just block IPs? Sure, we can, and we open do! • But you lose intel and inves@ga@ve material related to domains: name paXerns, DGAs, dynamic DNS usage, malicious subdomains under legi@mate compromised domains
- 14. Post detec@on checks • Traffic paXern, name paXern, further IP reputa@on check • If a spike or beginning of spike, then poten@al risk domain • Exclude spam domains • But spike means domain has already delivered aXack
- 15. Post detec@on checks (cont’d) • So preemp@ve blocking is necessary if domain has high poten@al of being an aXack domain • Not everything should be automated • Human intel and inves@ga@on needed at @mes to remove FPs and add FN back -‐> Fine-‐tune the model
- 16. Plarorm and tools used -‐Pig on Hadoop cluster -‐Raw logs on HDFS -‐Indexed DNSDB in HBase -‐Python, shell, Gnu Parallel
- 17. System in a nutshell -‐>Constantly running process of harves@ng fresh high risk IPs -‐>Constantly running process of discovering fresh malicious domains -‐>Constantly querying DNSDB with IP inverse lookups Backend: -‐>DNSDB constantly fed with authorita@ve traffic from all resolvers
- 18. Whitelist • IPs hos@ng spam domains A lot of IPs on AS15149, e.g. 216.169.100.133 • Shared hos@ng IPs with a large number of general purpose websites
- 19. Use cases • • • • • • • Kelihos fast flux botnet Fake AV .pl domains used for Kovter and other Godaddy compromised domains Cryptolocker CnC discovery NuclearPack EK Browlock domains
- 20. Kelihos Fast flux • • Kelihos fast flux botnet Up un@l Sep 16th, about 984 domains (and subdomains) hosted on 28757 IPs hXp://labs.umbrella.com/2013/09/24/real-‐@me-‐monitoring-‐kelihos-‐fast-‐ flux-‐botnet-‐case-‐study-‐presented-‐apwg-‐ecrime-‐2013/ • • Sample of domains of Aug-‐Sep 399 domains on 8159 IPs
- 22. Fake AV • 82.208.40.11 hos@ng 23502 Fake AV, Fake SW domains for 76 days hXps://www.virustotal.com/en/ip-‐address/82.208.40.11/informa@on/ • • Free domains under cz.cc, uni.me 176.31.125.91 hos@ng 6687 similar domains for 66 days
- 23. .pl used for ransomware Sample of .pl domains 19267 domains on 12 IPs 3 level domains f9photo.ucuphahnui.kepno.pl 95oishi.maimuofief.pisz.pl • First 2 labels are DGAs • • • from malware.dontneedcoffee.com • Used in malver@sing campaigns on adult websites leading to Exploit kit domains and Kovter ransomware dropping hXp://www.malekal.com/2013/07/31/en-‐urausy-‐adulrriendzfinder-‐ malver@sing-‐banner/
- 25. NuclearPack EK -‐>1523 domains on 198.50.225.113 • 2 level domains under .biz • 1st label is random, 16 2LDs registered July 28th • hxxp://[email protected]: 59902/0e724s2d10467436c6149sce02712a.html -‐>1378 domains on 198.50.235.198 • 2 level domains under .biz • 1st label is random • hxxp://u5s1av.diwalipearl.biz: 55252/5a9b00e34d8b18cb571ba56a357cfafc.html
- 26. NuclearPack EK -‐>198.50.235.200 became ac@ve on Oct 15th • Already hos@ng 400+ domains • hxxp://[email protected]: 44142/4078c813508ad60acc95d0744365c68c.html • Shiping on 198.50.128.0/17 OVH prefix
- 27. Compromised GoDaddy domains • Campaign of injec@ng malicious subdomains (3LDs) under legi@mate/compromised Godaddy domains (2LDs) • 5 IPs hos@ng 800 subdomains (3LDs) over 10 days in Aug-‐Sep • Used to serve Cool exploit kit through CookieBomb aXack on compromised websites and finally drop Reveton hXp://quequero.org/2013/09/ac@ve-‐cookiebomb-‐cve-‐2013-‐2465-‐ reveton/ • Happened before in 2012 and happening again hXp://nakedsecurity.sophos.com/2012/11/23/hacked-‐go-‐daddy-‐ ransomware/
- 29. Cryptolocker CnCs • Ransomware released early September 2013 • Encrypts your files and asks for a $300 ransom to get them back • 2 ini@al Cryptolocker CnCs were picked up by the system a day before they were published on Sep 11 • xeogrhxquuubt.com • qaaepodedahnslq.org
- 30. Browlock domains • Browser-‐based ransomware targeted at countries in 3 different con@nents • Example: 194.44.49.150 hos@ng 2629 subdomains over 26 days
- 31. Browlock domains
- 32. Browlock domains (cont’d) • Browser-‐based ransomware targeted at countries in 3 different con@nents • 193.169.87.15, 196.47.100.2, over a period of 13 days, hos@ng 8978 browlock domains and domains with adult-‐ themed names that redirect to browlock
- 34. Conclusion • Ongoing research and work to increase coverage and accuracy of early detec@on of domains before they deliver aXacks • Extend coverage to shared hos@ng IPs • Effec@ve early detec@on/protec@on DNS-‐based system • Use it with other protec@on methods: AV, IDS, etc. • Experimenta@on in our lab with streaming technologies: Storm, Kava, Zeromq -‐> Complementary with DNSDB-‐based detec@on system
- 35. Contact Info • Contact me at [email protected] if you are interested in: • Asking ques@ons • Collabora@ng • Follow me on TwiXer @DhiaLite • Blogs hXp://labs.umbrella.com/author/dhia/
- 36. Thank you (Q & A)