Marauder or Scanning Your DNSDB for Fun and Profit - SOURCE Boston

!
Marauder or Scanning your DNSDB
for Fun and Profit
Dhia!Mahjoub!
OpenDNS!
April!10th,!2014!
Boston!

Short!Bio!
•  Senior!Security!Researcher!at!OpenDNS!
•  PredicAve!threat!detecAon!based!on!DNS!traﬃc!and!
hosAng!infrastructure!analysis!
•  CS!PhD!graduate!from!Southern!Methodist!University!
!!!!IIIIIII>!Go!Mustangs!!
!
•  Graph!Theory!applied!on!Wireless!Sensor!Networks!
problems!(network!lifeAme,!rouAng)!
•  Enjoyed!wriAng!sniﬀers,!port!scanners!in!C…!

Outline!
•  DNSDB!
•  Marauder!
•  ImplementaAon!
•  ASN!graph!
•  Use$case$1:$Suspicious!Sibling!Leaf!ASNs!!
•  Use$Case$2:!Rogue!ASN!deIpeered!or!gone!stealth!
•  Use$Case$3:!ASN(s)!abused!or!lax!about!content!
•  Marauder:!PlaZorm,!tools,!libraries!used!
•  Marauder!in!acAon!
•  Use$case$4:!Malicious!subIallocated!ranges!
•  Use$case$5:!PredicAng!Malicious!domains!IP!infrastructure!
•  Conclusion!

querylogs! authlogs!
DNS$data$

Passive!DNS!
•  Introduced!by!Florian!Weimar!in!2004!
•  Passive!DNS!builds!zone!replicas!without!
cooperaAon!from!zone!administrators!
•  Captures!messages!between!DNS!servers!
•  Messages!are!processed,!deIduplicated,!and!DNS!
records!are!consolidated!in!an!indexed!database!
!I>!Historical!DNS!database!(DNSDB)!

Passive!DNS!(cont’d)!
!Various!Services!
1.  hbp://www.bd.de/bd_dnslogger_en.html!
2.  DNSDB!(Farsight!Security)!
hbps://www.dnsdb.info/!
3.  Umbrella!SGraph!(reIdubbed!InvesAgate)!
hbps://sgraph.opendns.com/main!
4.  VirusTotal!DNSDB!
•  hbps://github.com/gamelinux/passivedns!
•  hbps://github.com/chrislee35/passivednsIclient!

Why!is!DNSDB!useful?!
D!
D!
D!
D!
IP!
IP!
NS!
IP!
NS!
+$TIME$
Domain!
IP!address!
Name!server!

Streaming!AuthoritaAve!DNS!
•  Tap!into!processed!authoritaAve!DNS!stream!before!
it’s!consolidated!into!a!persistent!DB!
•  asn,!domain,!2LD,!IP,!NS_IP,!Amestamp,!TTL,!type!
•  Faster!
•  100s!–!1000s!entries/sec!(from!subset!of!resolvers)!
•  Need!to!implement!your!own!ﬁlters,!detecAon!
heurisAcs!

Marauder!
•  Maraud!(def):!To!rove!and!raid!in!search!for!plunder!
•  MarAn!BI26!Marauder!
•  WW2!mediumIrange!bomber!
•  Paciﬁc,!Mediterranean,!Western!Europe!theaters!

Marauder!
•  Cruise!the!IP,!DNS!space!in!search!for!new!aback!
domains,!IP!infrastructures!!

ImplementaAon!
1.  IP!watchlist!+!domain!filter(s)!+!more!post!detecAon!
filter(s)!
•  IP!watchlist!<I!blacklist!feeds!+!other!heurisAcs!to!
build!malicious/suspicious!IP!lists!
2.  Domain!detecAon!heurisAcs:!name!pabern,!IP,!NS,!
age,!traffic!volume!

Building!the!IP!watchlist!!
Mo<va<on!
•  Assess!malicious!IP!ranges!in!BGP!prefixes,!ASNs!
from!a!new!perspecAve!
•  Look!beyond!the!simple!counAng!of!number!of!bad!
domains,!bad!IPs!hosted!on!prefixes!of!an!ASN!
How$?$
•  Look!at!topology!of!AS$graph$
•  Look!at!smaller!granularity!than!BGP!prefix:!!
!subGallocated$ranges$within!BGP!prefixes!

AS!graph!
•  BGP!rouAng!tables!
•  Valuable!data!sources!
•  Routeviews!hbp://archive.routeviews.org/bgpdata/!
•  CidrIreport!hbp://www.cidrIreport.org/as2.0/!
•  Hurricane!Electric!database!hbp://bgp.he.net/!
•  Your!own!rouAng!tables!if!you!operate!your!own!
worldwide!BGP!routers!
•  500,000+$BGP$preﬁxes$
•  46,000+$ASNs$

AS!graph!
•  Route!Views!hbp://archive.routeviews.org/bgpdata/!

AS!graph!
•  Cidr!Report!hbp://www.cidrIreport.org/as2.0/!

AS!graph!
•  Hurricane!Electric!database!hbp://bgp.he.net/!

AS!graph!
•  Show!one!line!of!the!BGP!rouAng!table!
•  TABLE_DUMP2|1392422403|B|96.4.0.55|11686|
67.215.94.0/24|11686!4436!2914!36692|IGP|
96.4.0.55|0|0||NAG||!
•  The!AS!graph!changes!constantly:!
•  New!preﬁxes!(with!their!routes)!are!announced!
•  Old!preﬁxes!are!dropped!
•  IntenAonal,!human!error,!hardware!faults,!or!malicious!

AS!graph!
•  TABLE_DUMP2|1392422403|B|96.4.0.55|11686|
67.215.94.0/24|11686!4436!2914!36692|IGP|
96.4.0.55|0|0||NAG||!
•  We!can!extract!two!types!of!useful!data:!
!1.!Upstream!and!downstream!ASNs!of!every!ASN!
!2.!IP!to!ASN!mapping!(via!preﬁx!to!ASN!mapping)!
•  pyasn,!Python!IP!to!ASN!lookup!module!!
!hbps://code.google.com/p/pyasn/!
•  Team!Cymru!IP!to!ASN!mapping!
•  GeoIPASNum.dat!from!maxmind!
•  curl!ipinfo.io/8.8.8.8/org!

AS!graph!
•  Build!AS!graph!
•  Directed!graph:!node=ASN,!a!directed!edge!from!an!
ASN!to!an!upstream!ASN!
•  TABLE_DUMP2|1392422403|B|96.4.0.55|11686|67.215.94.0/24|
11686!4436!2914!36692|IGP|96.4.0.55|0|0||NAG||!

AS!graph!
•  Directed!graph:!node=ASN,!a!directed!edge!from!an!
ASN!to!an!upstream!ASN!
Interes<ng$cases:$
•  Leaf!ASNs!that!are!siblings,!i.e.!they!have!common!
parents!in!the!AS!graph!(share!same!upstream!AS)!
•  Cluster!the!leaves!by!country!
•  Find!interesAng!paberns:!certain!siblings!in!certain!
countries!are!delivering!similar!suspicious!campaigns!

$
Use$Case$1:$
Suspicious$Sibling$leaf$ASNs$
$

Leaf!ASNs!and!their!upstreams!
•  January!8th!topology!snapshot,!Ukraine,!Russia!
•  10!sibling!leaf!ASNs!with!2!upstream!ASNs!
•  /23!or!/24!serving!TrojWare.Win32.KrypAk.AXJX!
•  !TrojanIDownloader.Win32.Ldmon.A!
•  hbp://telussecuritylabs.com/threats/show/TSL20130715I08!

•  February!21st!topology!snapshot,!Ukraine,!Russia!
!
•  AS31500!detached!itself!from!the!leaves!(stopped!
announcing!their!preﬁxes)!
•  More!leaves!started!hosAng!suspicious!payload!domains!
•  3100+!malware!domains!on!1020+!IPs!hosAng!malware!

•  Taking!a!sample!of!160!live!IPs!
•  Server!setup!is!similar:!
50!IPs!with:!
22/tcp$$$open$$ssh$$$$$$$$OpenSSH$6.2_hpn13v11$(FreeBSD$20130515;$
protocol$2.0)$
8080/tcp$open$$h[pGproxy$3Proxy$h[p$proxy$
Service$Info:$OS:$FreeBSD$
!
108!IPs!with:$
22/tcp$open$$ssh$$$$$OpenSSH$5.3$(protocol$1.99)$
80/tcp$open$$h[p?$

•  The!payload!url!were!live!on!the!enAre!range!of!IPs!
before!any!domains!were!hosted!on!them!
•  So,!the!IP!infrastructure!is!set!up!in!bulk!and!in!advance!
•  hbp://pastebin.com/X83gkPY4!
$

$
Use$Case$2:$
ASN$abused$or$lax$about$shady$
content$
$

Example!ASNs!abused!or!lax!
•  Wordstream!hosAng!fake!merchandise,!Exploit!kit!
domains,!XXX!themed!sites,!etc!
•  Resellers!using!IP!space!of!larger!providers!
•  e.g.!IxamIhosAng!uses!Voxility!
•  Other!abused!ASNs!like!OVH,!LeaseWeb,!etc!
•  Ranking!of!ASNs:!sitevet.com!
$

$
Use$Case$3:$
Rogue$ASN$deGpeered$or$gone$
stealth$$
$

Rogue!ASN!deIpeered!or!gone!stealth!
•  AS48031!XSERVERIIPINETWORKIAS!PE!Ivanov!Vitaliy!
Sergeevich!86400!
•  Serving!browlock,!porn,!radical!forums,!spam,!etc!
•  “PE!Ivanov!Vitaliy!Sergeevich!malware”!

Romanian!Man!Commits!Suicide!and!Kills!His!4IYearIOld!ayer!Falling!for!Police!Ransomware!

•  AS48031!XSERVERIIPINETWORKIAS!PE!Ivanov!Vitaliy!Sergeevich!86400!
•  176.103.48.0/20!48031!
•  193.169.86.0/23!48031!
•  193.203.48.0/22!48031!
•  193.30.244.0/22!48031!
•  194.15.112.0/22!48031!
•  196.47.100.0/24!48031!
•  91.207.60.0/23!48031!
•  91.213.8.0/24!48031!
•  91.217.90.0/23!48031!
•  91.226.212.0/23!48031!
•  91.228.68.0/22!48031!
•  93.170.48.0/22!48031!
•  94.154.112.0/20!48031!

Rogue!ASN!deIpeered!or!stealth!

$
Marauder:$Pla_orm,$tools,$
libraries$used$
$

PlaZorm!and!tools!used!
IHadoop!cluster!
!
IRaw!logs!on!HDFS!
!
IIndexed!DNSDB!in!HBase!
!
IPython,!shell,!Gnu!Parallel!
!
IStreaming,!zmq!
!

Python!libraries!
•  Happybase:!developerIfriendly!Python!library!to!
interact!with!Apache!HBase!
!hbp://happybase.readthedocs.org/en/latest/!
!Column!I>!value!
!Single!row:!domain,$<me,$type,$IP$G>$TTL$
•  Search!DNSDB!by!IP,!name!
•  Forward!lookup!for!domain!to!get!history!of!IPs,!TTL!
•  Inverse!lookup!for!IP!to!get!mapping!domain(s)!over!
Ame!

Python!libraries!
•  Happybase:!!
import$happybase$
#protect$in$a$try$catch$
connec<on$=$happybase.Connec<on(’server.com',$compat='0.90')$
table$=$connec<on.table('authlogs')$
_domain$=$“google.com”$
for$key,$data$in$table.scan(row_preﬁx=_domain):$
$domain,<me,type,$ip$=$key.split(":")$
$ip_[l$=$ip$+$"$"$+$data['name2rr:v']$#$if$you$need$the$TTL$

Python!libraries!
•  IPy:!Python!class!and!tools!for!handling!of!IPv4!and!
IPv6!addresses!and!networks!
!hbps://github.com/haypo/pythonIipy/wiki!
!Use!it!to!ﬂaben!a!CIDR!into!a!list!of!IPs$
!from$IPy$import$IP$
$cidr$=$IP('127.0.0.0/30')$
$for$ip$in$cidr:$
$ $print$ip$

Python!libraries!
•  PySubnetTree:!Python!data!structure!SubnetTree!
which!maps!subnets!given!in!CIDR!notaAon!to!
Python!objects.!!
•  Lookups!are!performed!by!longestIprefix!matching.!
!hbp://www.bro.org/download/README.pysubnebree.html!
!Use!it!to!map!IP!to!BGP!prefix!and/or!ASN!
!!
•  A!row!in!the!prefix!to!ASN!database!(file):!
$1.22.232.0/24$45528$

Python!libraries!
•  PySubnetTree:!!
Load!pref_asn!db!then!do!lookups!on!IPs!
import$SubnetTree$
pref_asn_db$=$SubnetTree.SubnetTree()$
f_pref_asn$=$open(“prefGasn",$'r')$
….$
pref_asn_db[“1.22.232.0/24”]=“1.22.232.0/24$45528”$
ip$=$“1.22.232.7”$
cidr$=$pref_asn_db[ip].split()[0]$

Python!libraries!
•  PyASN:!Python!extension!module!(wriben!in!C)!that!
allows!to!perform!very!fast!IP!to!ASN!lookups!
!hbps://code.google.com/p/pyasn/!
•  pygeoip:$Map!IP!to!country!code!
hbps://pypi.python.org/pypi/pygeoip!
•  networkx:!Python!package!to!manipulate!graphs!
!hbp://networkx.github.io/!
!

Marauder!in!acAon!
•  Input:!IP,!BGP!prefix,!or!ASN!
•  Use!DNSDB!(HBase)!
•  Use!auth!DNS!stream!
HBase:$
1) !IP:!direct!lookup!
2) !BGP!prefix!I>!flaben!prefixI>!fork!processes!(GNU!
parallel!processes!or!threads)!to!query!HBase!for!every!IP!
3) !ASN!I>!get!list!of!prefixes!from!pref_asn_db!I>!
process!every!prefix!like!in!2)!

$
Use$Case$4:$
Malicious$subGallocated$ranges$
$

Malicious!subIallocated!ranges!
•  Case!of!OVH!
•  SubIallocated!ranges!reserved!by!same!suspicious!
customers,!serving!Nuclear!Exploit!kit!domains!
•  Users!are!lead!to!the!Exploit!landing!sites!through!
malverAsing!campaigns,!then!malware!is!dropped!on!
vicAms’!machines!(e.g.!zbot)!
•  Monitoring!paberns!for!5!months:!Oct$2013GFeb$2014$

•  For!several!months,!OVH!ranges!were!abused!
•  Notable!fact:!IPs!were!exclusively!used!for!hosAng!
Nuclear!Exploit!subdomains,!no!other!sites!hosted!
!
!
!

•  Some!OVH!subIallocated!ranges!used!in!JanIFeb!2014!
192.95.50.208!I!192.95.50.215!
198.50.183.68!I!198.50.183.71!
192.95.42.112!I!192.95.42.127!
192.95.6.112!I!192.95.6.127!
192.95.10.208!I!192.95.10.223!
192.95.7.224!I!192.95.7.239!
192.95.43.160!I!192.95.43.175!
192.95.43.176!I!192.95.43.191!
198.50.131.0!I!198.50.131.15!

•  Feb!7th,!bad!actors!moved!to!a!Ukrainian!hosAng!
provider!hbp://www.besthosAng.ua/!
•  31.41.221.143!2014I02I14!2014I02I14!0!
•  31.41.221.142!2014I02I12!2014I02I14!2!
•  31.41.221.130!2014I02I12!2014I02I14!2!
•  31.41.221.140!2014I02I12!2014I02I12!0!
•  31.41.221.139!2014I02I12!2014I02I12!0!
•  31.41.221.138!2014I02I11!2014I02I12!1!
•  31.41.221.137!2014I02I10!2014I02I11!1!
•  31.41.221.136!2014I02I10!2014I02I11!1!
•  31.41.221.135!2014I02I10!2014I02I10!0!
•  31.41.221.134!2014I02I09!2014I02I19!10!
•  31.41.221.132!2014I02I08!2014I02I09!1!
•  31.41.221.131!2014I02I07!2014I02I08!1!

•  Feb!14th,!bad!actors!moved!to!a!Russian!hosAng!
provider!hbp://pinspb.ru/!
•  5.101.173.10!2014I02I21!2014I02I22!1!
•  5.101.173.9!2014I02I19!2014I02I21!2!
•  5.101.173.8!2014I02I19!2014I02I19!0!
•  5.101.173.7!2014I02I18!2014I02I19!1!
•  5.101.173.6!2014I02I18!2014I02I18!0!
•  5.101.173.5!2014I02I17!2014I02I18!1!
•  5.101.173.4!2014I02I17!2014I02I17!0!
•  5.101.173.3!2014I02I16!2014I02I17!1!
•  5.101.173.2!2014I02I15!2014I02I16!1!
•  5.101.173.1!2014I02I14!2014I02I15!1!

•  Feb!22nd,!bad!actors!moved!back!to!OVH!
!
!
•  Notable!fact:!They!change!MO,!IPs!have!been!
allocated!and!used!in!the!past!for!other!content!I>!
evasion!technique!or!resource!recycling!
•  But!during!all!this!Ame,!bad!actors!sAll!kept!the!
name!server!infrastructure!on!OVH!on!ranges!
reserved!by!same!customers!

•  198.50.143.73$2013G11G25$2014G02G24$91$
•  198.50.143.69$2013G11G25$2014G02G24$91$
•  198.50.143.68$2013G11G25$2014G02G24$91$
•  198.50.143.67$2013G11G26$2014G02G24$90$
•  198.50.143.65$2013G11G24$2014G02G23$91$
•  198.50.143.66$2013G11G25$2014G02G23$90$
•  198.50.143.64!2013I11I24!2014I01I25!62!
•  198.50.143.75!2013I12I03!2013I12I10!7!
•  198.50.143.79!2013I11I25!2013I12I10!15!
•  198.50.143.78!2013I11I25!2013I12I10!15!
•  198.50.143.74!2013I11I25!2013I12I10!15!
•  198.50.143.72!2013I11I25!2013I12I10!15!
•  198.50.143.71!2013I11I25!2013I12I10!15!
•  198.50.143.76!2013I11I25!2013I12I09!14!
•  198.50.143.70!2013I11I26!2013I12I09!13!
•  198.50.143.77!2013I11I26!2013I12I05!9!

•  hbp://labs.umbrella.com/2014/02/14/whenIipsIgoInuclear/!
•  hbp://pastebin.com/SX5R69vY!
•  hbp://pastebin.com/KuxpNJwV!

Abused!TLDs!
•  Nuclear!has!been!abusing!various!TLDs,!ccTLDs!(Feb!2014)!
•  .pw!for!a!while!
•  Take!down!campaign!with!MalwareMustDie!
•  Moved!to!.ru!and!.in.net!
•  Then!back!to!.pw!

$
Use$Case$5:$
Predic<ng$malicious$domains$IP$
infrastructure$
$

Malicious!subIallocated!ranges!(Feb!2014)!
•  For!Nuclear,!In!addiAon!to!subIallocated!ranges!
reserved!by!same!actors!(for!OVH!case)!
•  The!live!IPs!all!have!same!server!setup!(ﬁngerprint):!
•  31.41.221.131!to!31.41.221.143!
22/tcp$$open$$ssh$$$$$OpenSSH$5.5p1$Debian$6+squeeze4$(protocol$2.0)$
80/tcp$$open$$h[p$$$$nginx$web$server$0.7.67$
111/tcp$open$$rpcbind$
•  5.101.173.1!to!5.101.173.10!
22/tcp$$open$$ssh$$$$$OpenSSH$6.0p1$Debian$4$(protocol$2.0)$
80/tcp$$open$$h[p$$$$nginx$web$server$1.2.1$
111/tcp$open$$rpcbind$

Malicious!subIallocated!ranges!(Feb!2014)!
•  198.50.143.64!to!198.50.143.79!
22/tcp$$open$$$$$ssh$$$$$$$$$$OpenSSH$5.5p1$Debian$6+squeeze4$(protocol$2.0)$
80/tcp$$open$$$$$h[p$$$$$$$$$nginx$web$server$0.7.67$
445/tcp$filtered$microsoqGds!
•  In!some!cases,!IPs!are!brought!online!in!small!chunks!
•  The!name!server!IPs!also!have!the!same!fingerprint!
•  CombinaAon!of!these!different!indicators!has!made!
predicAons!100%!accurate!for!the!past!months.!Bad!actors!
change!their!MO,!but!this!approach!works!on!other!abacks!
•  I>!We!block/monitor!IPs!before!they!start$hos<ng$domains!

Conclusion!
•  PredicAve!threat!detecAon!based!on:!
•  Monitoring!of!DNS!traﬃc!(recursive!and!authoritaAve)!
!and!!
•  hosAng!infrastructure!
•  Shut!down!the!bad!actors!infrastructure!at!the!hosAng!
provider;!reseller!level!or!lowest!common!upstream!
ancestor!(with!bad!reputaAon!and!repeated!oﬀenses)!

References!
•  Discovering!Fast!Flux!domains!using!Machine!Learning!
!Presented!at!BSides$New$Orleans$2013$
•  Real!Ame!monitoring!of!Kelihos!Fast!Flux!botnet!
!Presented!at!APWG$eCrime$2013$
•  Fast!detecAon!of!malicious!domains!using!DNS!
!Presented!at!BSides$Raleigh$2013$
•  The!power!of!the!team!work!–!Management!of!DissecAng!Kelihos!Fast!
Flux!Botnet!“Unleashed”!!
!Presented!at!BotConf$2013$
!

Contact!Info!
•  Contact!me!at!dhia@opendns.com!if!you!are!
interested!in:!
•  Asking!quesAons!
•  CollaboraAng!
•  Twiber!@DhiaLite!
•  Blogs!hbp://labs.umbrella.com/author/dhia/!

Marauder or Scanning Your DNSDB for Fun and Profit - SOURCE Boston

Recommended

Recommended

More Related Content

Similar to Marauder or Scanning Your DNSDB for Fun and Profit - SOURCE Boston

Similar to Marauder or Scanning Your DNSDB for Fun and Profit - SOURCE Boston (14)

More from OpenDNS

More from OpenDNS (20)

Recently uploaded

Recently uploaded (20)

Marauder or Scanning Your DNSDB for Fun and Profit - SOURCE Boston