Infrastructure Tracking with Passive Monitoring and Active Probing
Anthony Kasza, Dhia Mahjoub
January 18th, 2015
November 11, 2014
Hello,
I am a security researcher at OpenDNS. I have been tracking the movements of the Gameover Zeus (GOZ) botnet. Your registrar has been used to register domains used for command and control communications between the operators of this botnet and compromised hosts. Are you able to collaborate in tracking and shutting down these domains?
-AK
Registrar Abuse Desk Response Times
Webfusion: 1hr 44mins
Enom: 2hrs 36mins
Namesilo: 21hrs 27mins
Bigrock Solutions: 2days 1hr 20mins
TodayNic: 1 week
101 Domain: -
Active Registrar: -
Melbourne IT DBA Internet Names Worldwide: -
The Registry at Info Avenue: -
Turncommerce DBA Namebright: -
Speakers
@dhialite
Senior Security Researcher
DNS, networks, data analysis, threat detection, graphs
@anthonykasza
Security Researcher
DNS, network protocols, threat detection, Bro IDS
github.com/anthonykasza
Agenda
Importance of Threat Intelligence
Active Probing
Passive Monitoring
Fastflux Case Study: Zbot
Tracking System Overview
DGA Case Study: newGOZ
Tracking System Overview
Conclusion
OpenDNS' world network
(Diagram: stub clients -> recursive name servers -> authoritative name servers (root, tld, domain.tld); ~2 TB of query logs per day, compressed)
Types of DNS traffic
Threat Intelligence
Relevant, timely, and useful information that helps take action (strategic or tactical).
Examples of tactical actions (not an exhaustive list):
- Block known malicious domains and IPs
- Preemptively block suspicious domains and IPs
- Further investigate domain patterns and IP infrastructure
- Further investigate malware samples and anomalous traffic patterns
Network Intelligence Collection Techniques
Active Probing
Current state, RIGHT NOW: the thing being investigated and the thing's neighbors
Direct - touch the thing being investigated
Indirect - ask around about the thing
Active Probing: Direct
- Port scan, service banner grabs (shodan/nmap/masscan)
  e.g. hosting Angler EK, sharing identical server setup
- Collect content (http/ftp)
Noisy: it is detectable, and the other side can block by source or return misleading content.
Example scan output for a range:
64.251.7.239 – 64.251.7.241
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
80/tcp open http nginx 1.6.2
Active Probing: Indirect
DNS: domain to IP, domain to name server, name server to IP
BGP and IP whois: the IP's ASN and upstream ASNs, sibling ASNs, hosting provider
Domain whois: domain and authoritative name server domain; registrar, registrant, created/updated/expire times
Active Probing: Indirect
Query for DNS records:
- Domain to IP
- Domain to name server
- Name server to IP
Can be considered direct (i.e. noisy and liable to trigger alerts) if the authoritative name servers are operated by the same bad actors.
Scalable tools:
adns http://www.gnu.org/software/adns/
Massresolver https://github.com/jedisct1/massresolver
Active Probing: Indirect
Query for BGP and IP whois data:
- IP to ASN: Team Cymru, or routeviews + PyASN
- Upstream and sibling ASNs (SPN concept, BlackHat 2014)
- Hosting provider: rogue, lax, or abused
e.g.
http://www.serverpronto.com/ US
https://king-servers.com Russia
http://www.mach9servers.com/ US
https://www.bacloud.com Lithuania
http://www.qhoster.bg/ Bulgaria, reseller, register domains & hosting
Active Probing: Indirect
Both ranges belong to Serverpronto and host subdomains injected under compromised GoDaddy domains to serve EK:
64.251.7.239 – 64.251.7.241
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
80/tcp open http nginx 1.6.2
64.251.22.201 – 64.251.22.207
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u1 (protocol 2.0)
80/tcp open http nginx 1.2.1
111/tcp open rpcbind 2-4 (RPC #100000)
Active Probing: Indirect
All SPN ASNs except one have a downstream adjacent ASN:
- AS47145: compromised IPs hosting zbot FF CnC domains
- AS44668: compromised IPs hosting zbot FF CnC domains
- AS196860: compromised IPs hosting zbot FF CnC domains
Active Probing: Indirect
Domain whois
- Domain, authoritative name server domain: registrar, registrant, created/updated/expire times
Problems:
- Daily changes are often too coarse
- Client-provided information isn't always accurate
Tools: whois client, scraping web-based whois sites, commercial offerings
Domain Registration Terms
(Diagram of the parties in a domain registration: registrants, reseller, registrar, registry; labelled with NS RR, NS RR, contact info)
Passive Monitoring
Previous state of things, or patterns derived from behavior monitoring
- Passive DNS reconstruction: pivot from a seed
  domain -> IP -> domain
  domain -> nameserver -> domain
- Correlation via registrant email (reliable in specific cases)
- Client query patterns: domain lexical analysis, query spikes, query co-occurrences
- Correlation via malware samples, domain and IP artifacts
- Application layer data (sinkhole)
(Diagram: a combination of interchangeable models (FF model, sample network report, DGA model, traffic pattern model, any others); pivot around artifacts (domain, IP, sample features, traffic features, co-occurrences, etc.); apply filtering heuristics to remove FPs (traffic pattern, lexical features, etc.); new domains and IPs feed back into the loop)
Passive DNS reconstruction: pivot from a seed
(Diagram: domains -> IPs -> domains)
Passive DNS reconstruction: pivot from a seed
(Diagram: domains -> NSs -> domains)
Correlation via registrant email
(Flow: domain detected by traffic or malware analysis -> get registrant email -> extract all domains registered by the same email -> apply filtering heuristics to remove FPs (traffic, subdomains, resolution, url patterns, etc.))
- Effective for compromised domains registered by the same registrant email and injected with subdomains for EK, browlock, etc. (e.g. GoDaddy compromised domains)
- Effective for malware-dedicated CnC domains (e.g. GOZ, zbot, Tinba: the.malware.cabal@gmail.com)
Client query patterns
(Diagram: client IPs querying domains and IPs within a time window)
Client query patterns: co-occurring domains
• Temporal proximity of domain lookups
• Bipartite graph of client IPs to domains during a short time window
• Consider both resolving queries and nxdomains
• Use cases of interest:
  – botnet CnC domains, especially DGAs
  – domains sharing the same theme or campaign, e.g. carding sites, click-fraud, etc.
  – compromised sites leading to EK or malware domains
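An added example (not code from the talk or from OpenDNS) of the co-occurrence pivot above: it builds the client-IP to domain bipartite graph in a short window around each lookup of a seed, counts NXDOMAIN answers as well as resolving ones, and applies two FP filters (minimum number of clients, and a popularity cut-off that drops names most clients query anyway). The log format, client addresses and domain names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of recursive resolver query log lines (not real data):
# "<timestamp> <client IP> <queried domain> <rcode>"
SAMPLE_LOG = """\
2015-01-18T10:00:01 10.0.0.5 kjhsdf83nz.net NXDOMAIN
2015-01-18T10:00:02 10.0.0.5 q8weruhzx.com NXDOMAIN
2015-01-18T10:00:03 10.0.0.5 zmxncb712.org NOERROR
2015-01-18T10:00:04 10.0.0.5 www.example.com NOERROR
2015-01-18T10:00:10 10.0.0.9 kjhsdf83nz.net NXDOMAIN
2015-01-18T10:00:11 10.0.0.9 q8weruhzx.com NXDOMAIN
2015-01-18T10:00:12 10.0.0.9 zmxncb712.org NOERROR
2015-01-18T10:00:13 10.0.0.9 cdn.example.net NOERROR
2015-01-18T10:05:00 10.0.0.7 kjhsdf83nz.net NXDOMAIN
2015-01-18T10:05:01 10.0.0.7 www.example.com NOERROR
2015-01-18T10:05:02 10.0.0.7 zmxncb712.org NOERROR
2015-01-18T10:00:20 10.0.0.11 www.example.com NOERROR
2015-01-18T10:00:21 10.0.0.11 cdn.example.net NOERROR
2015-01-18T10:00:30 10.0.0.12 www.example.com NOERROR
2015-01-18T10:00:31 10.0.0.12 cdn.example.net NOERROR
2015-01-18T10:00:40 10.0.0.13 www.example.com NOERROR
2015-01-18T10:00:41 10.0.0.13 cdn.example.net NOERROR
2015-01-18T12:00:00 10.0.0.5 q8weruhzx.com NXDOMAIN
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, domain, rcode) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, domain, rcode = line.split()
        records.append((datetime.fromisoformat(ts), client, domain, rcode))
    return records


def cooccurring_domains(records, seed, window=timedelta(seconds=60),
                        min_clients=2, max_client_fraction=0.5):
    """Domains looked up by the same client within `window` of a lookup of `seed`.

    Builds the bipartite client-IP -> domain graph restricted to the time window
    around each seed lookup. Both NOERROR and NXDOMAIN answers count, which is what
    makes the method work for DGAs (most generated names never resolve).

    Two FP filters: a domain must co-occur for at least `min_clients` distinct
    clients, and a domain queried by more than `max_client_fraction` of all clients
    is dropped as a popular/benign name (www.example.com in the sample).
    Returns {domain: number of clients that co-queried it with the seed}.
    """
    lookups_by_client = defaultdict(list)
    clients_by_domain = defaultdict(set)
    for ts, client, domain, _rcode in records:
        lookups_by_client[client].append((ts, domain))
        clients_by_domain[domain].add(client)
    total_clients = len(lookups_by_client)

    edges = defaultdict(set)  # candidate domain -> clients that co-queried it
    for client, lookups in lookups_by_client.items():
        seed_times = [ts for ts, d in lookups if d == seed]
        if not seed_times:
            continue  # this client never asked for the seed
        for ts, domain in lookups:
            if domain == seed:
                continue
            if any(abs(ts - st) <= window for st in seed_times):
                edges[domain].add(client)

    result = {}
    for domain, clients in edges.items():
        if len(clients) < min_clients:
            continue
        if len(clients_by_domain[domain]) / total_clients > max_client_fraction:
            continue
        result[domain] = len(clients)
    return result


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for dom, n in sorted(cooccurring_domains(recs, "kjhsdf83nz.net").items()):
        print(f"{dom}\t{n} clients")
```

Seeding with the NXDOMAIN name kjhsdf83nz.net surfaces the two other constructed DGA-like names; seeding with a popular name yields nothing because the filters remove its neighbours.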
Client query patterns
Pivot from seed sites, e.g. a seed list of carding sites (monitored during the Target breach):
carderprofit.cc, carder.su, cardersunion.net, cardingworld.cc,
cclub.bz, cclub.su, clubr.ru, crdclub.ws, darkmarket.ws,
dumps4you.cc, infraud.su, jworldtopcc.su, lampeduza.so,
proclub.ws, prov.cc, unclesam.vc, validcc.su, verified.ms, vpro.su
Heuristics:
Domain -> hosting IP -> Domain
Domain -> client IP -> Domain (co-occurring domains)
Domain -> name server -> Domain
+ filtering heuristics to remove FPs
Client query patterns
Some extra carding and stolen-credentials sites discovered (there are a lot more):
prvtzone.cc, best4best.su, cardrockcafe.so, cardrockcafe.cc, cvv.me, d4rksys.cc,
ssndob.cc, ssndob.so, torcvv.cc, darkmoney.cc, vini.cc, uniccshop.ru
Client query patterns
Correlation via malware network artifacts
(Flow: domain detected by traffic monitoring (FF, DGA, other models) -> get malware sample analysis report -> extract queried domains from the network traffic report -> apply filtering heuristics to remove FPs (traffic, subdomains, resolution, etc.))
Some filtering heuristics:
- Similar traffic patterns (e.g. spikes or shape of the traffic curve)
- Similar domain lexical features
- Similar subdomain and hosting IP patterns
- Similar website content
- Similar URL patterns (3rd party analysis report, sinkhole, own sandbox)
…
Open sources for analysis reports: VirusTotal, totalhash, malwr, ThreatExpert, Sophos and Microsoft threat reports
Web-scraping malware samples & reports
Sources:
- VT, totalhash, malwr, ThreatExpert, Sophos and Microsoft threat reports
- Use the commercial version
- Scrape online reports using free open proxies to prevent throttling or blocking of your source IP
Application layer data (sinkhole)
- This could arguably be active…
- Application layer data validation
- Get URL patterns for sinkholed domains
- Or get URLs from VirusTotal, totalhash reports, etc.
- Use ET signatures to match against traffic
Other sources of Intel
- Good old Google, other search engines
- Reliable friends, colleagues
- The infosec community
Automation, scale, and accuracy are crucial, plus human validation.
Fast flux case study: Zbot proxy network
Fastflux definition
• DNS-based redundancy/evasion technique
• Fast flux domain resolves to many IPs, many ASNs, many CCs, relatively low TTL
• Fast flux domain resolves to 1 IP with TTL=0
• e.g. Trojan CnCs, spam, scam, pharmacy, dating domains
Zbot CnCs Monitoring System
(1) Initial list of zbot fast flux domains
(2) Get IP, TTL via direct lookup into DNSDB
(3) Extract IPs s.t. TTL=150
(4) Get domains from IPs via inverse lookup
(5) Add domains from (4) to list (1)
(6) Extract IPs s.t. TTL=150
(7) Add IPs from (6) to the list of zbot proxy network IPs
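Steps (1) to (7) as an added example, not code from the talk: the DNSDB lookups are replaced by a constructed passive DNS dictionary, and the inverse lookup also keeps only TTL=150 records, an assumption made here so that unrelated names merely co-hosted on a proxy IP do not enter the feedback loop. Domain names and addresses are constructed.

```python
# Constructed passive DNS snapshot (not real data): domain -> [(ip, ttl), ...].
# A real deployment would answer forward_lookup/inverse_lookup from DNSDB.
PDNS = {
    "seed-ff1.example":    [("198.51.100.10", 150), ("198.51.100.11", 150), ("203.0.113.5", 3600)],
    "seed-ff2.example":    [("198.51.100.11", 150), ("198.51.100.12", 150)],
    "other-ff.example":    [("198.51.100.12", 150), ("198.51.100.13", 150)],
    "deep-ff.example":     [("198.51.100.13", 150), ("198.51.100.14", 150)],
    "benign.example":      [("203.0.113.5", 3600)],        # shares a non-flux IP with a seed
    "shared-host.example": [("198.51.100.13", 86400)],     # on a proxy IP, but not with the flux TTL
}

FLUX_TTL = 150  # TTL the slides associate with the zbot proxy network


def forward_lookup(domain, ttl=FLUX_TTL):
    """Steps (2)+(3)/(6): IPs the domain resolved to, keeping only records with the flux TTL."""
    return {ip for ip, t in PDNS.get(domain, []) if t == ttl}


def inverse_lookup(ip, ttl=FLUX_TTL):
    """Step (4): domains that resolved to the IP. The TTL restriction is an assumption
    added in this example as an FP filter; the slides state no filter at this step."""
    return {d for d, rrs in PDNS.items() if (ip, ttl) in rrs}


def expand_proxy_network(seed_domains, ttl=FLUX_TTL, max_rounds=10):
    """Iterate the domain -> IP -> domain pivot (steps 5-7 feedback loop) until no
    new domain appears. Returns (all flux domains found, all proxy network IPs)."""
    domains = set(seed_domains)
    ips = set()
    frontier = set(seed_domains)          # domains not yet expanded
    for _ in range(max_rounds):
        new_ips = set()
        for d in frontier:
            new_ips |= forward_lookup(d, ttl)
        new_ips -= ips                    # only pivot through IPs we have not seen
        ips |= new_ips
        frontier = set()
        for ip in new_ips:
            frontier |= inverse_lookup(ip, ttl)
        frontier -= domains               # only expand domains that are new to list (1)
        if not frontier:
            break
        domains |= frontier
    return domains, ips


if __name__ == "__main__":
    doms, proxy_ips = expand_proxy_network(["seed-ff1.example", "seed-ff2.example"])
    print("flux domains:", sorted(doms))
    print("proxy IPs:   ", sorted(proxy_ips))
```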
Malware phoning to CnC domains
(Diagram of families monitored: Zeus (config URLs, binary URLs, drop zone URLs), Citadel, KINS & Ice IX, Asprox, Zemot/Rerdom, phishing, Ursnif, Madness Pro, Pony panel, newGOZ, Tiny Banker)
Tiny Banker CnCs example
(Flow: Tinba domains detected by the FF model -> get network reports for all associated known samples -> extract queried domains from the network traffic reports -> apply filtering heuristics to remove FPs (traffic pattern, lexical features, etc.))
Fastflux Case Study: Zbot
• Collecting live intel helps learn about bad actors' TTPs
• They register domains with evasive names to confuse trackers:
  e.g. suspended-domains-nic.biz looks like a suspended domain; in reality it's a recent NS domain (Jan 14th) for zbot FF CnCs
• [a-d].suspended-domains-nic.biz and [dns1-dns4].suspended-domains-nic.biz are authoritative name servers for zbot FF domains
  The name servers are themselves hosted on the zbot proxy network -> double flux setup
(Chart: Registrar: r01-reg, TodayNic, r01-ru, Regru-ru, Paknic, Melbourne IT, Netlynx, Web Commerce, Ardis-reg, ru-center-ru, regru-reg)
Rogue or abused registrars
http://spamtrackers.eu/wiki/index.php/R01.ru
(Chart: Email MX RR: no MX record, FakeMailGenerator, Picamail - Google, 85Mail - Google, Privacy - TopDNS, GMX.com, Hotmail, Yandex)
DGA case study: new GameOver Zeus (newGOZ)
newGOZ Background
What is a DGA?
- Conficker 2008
- Typically calculated on time/day/date
- Letter based vs dictionary based
Gameover Zeus "newGOZ"
- Letter based, with salts to extend the algorithm (2 known)
- 11000 possible domains per day
- Oct 7 – Dec 7 (62 days)
newGOZ Tracking System Overview
Identify a DGA: VirusTotal, TotalHash, intel sharing communities; query patterns: co-occurrences, spikes, lexical analysis
Reverse the DGA algorithm: Hex-Rays decompiler, IDA, Hopper, OllyDbg
Predict daily C2 domains: Python + BASH + massresolver; yesterday, today, tomorrow (for overlaps); 682,000 possible C2 domains over 62 days (Oct 7 - Dec 7)
Identify live C2 domains: attempt to resolve domains every TTL seconds (5 minutes); 251 resolved (evil and researchers)
Probe for information on C2 domains: whois, DNS, IP, ASN info for C2 and authoritative domains
Enrich probe information with passive data: passive DNS, historic whois, IP reputation
newGOZ Domain TTLs
251 different C2 domains resolved
Domain Count   TTL     Alignment
110            300     Evil
81             10800   Sinkhole
58             666     Sinkhole
9              3600    Sinkhole
5              1800    Sinkhole
4              600     ?
1              7200    ?
1              14400   ?
A domain with multiple TTLs changed owners.
newGOZ C2 Name Servers
31 authoritative domains (2LD)
21 name servers had ns1 and ns2 pairs
5 domains (likely more) are researchers'
4 name servers were eventually parked, possibly due to not resolving or to not existing
newGOZ C2 Name Servers
(Table of name servers with columns: Researchers, Parked, Evil NS1, Evil NS2)
newGOZ C2 Domain Registrars
Dynadot
GoDaddy
1&1 Internet AG
101Domain
Bigrock Solutions
Enom
Gandi SAS
Melbourne IT DBA Internet Names Worldwide
Network Solutions
TodayNIC
Turncommerce DBA NameBright
Webfusion
newGOZ Registrant Email Addresses
99 different registrant emails (C2 and NS domains)
NOT including confirmed researchers
Some accounts were created, some weren’t
medicallaserss@ymail.com
medicallassers@ymail.com
educationreport@insurer.com
educationreportt@insurer.com
(Chart of registrant email providers: NameBright Privacy, TodayNic Privacy (No MX RR), Yahoo, GMX.com, AOL, Enom Privacy (whoisguard), GoDaddy Privacy (Domainsbyproxy), GMX.net, Hotmail, Zoho, FakeMailGenerator)
newGOZ C2 and NS Hosting
86 C2 and NS IPs
54 unique hosting locations
3 providers used by known researchers
Mix of VPS, ISP, and compromised
12 Amazon
8 GoDaddy
4 GANDI SAS
3 Rackspace Hosting
3 OVH
3 Confluence Networks Inc
3 1&1 Internet AG
2 Webfusion Internet Solutions
2 ViaWest
2 SoftLayer Technologies Inc.
2 PT Jastrindo Dinamika
2 Black Lotus Communications
1 Yuli Azarch trading as YaiSales
1 XL Internet Services B.V.
1 Viet Solutions Services Trading Company Limited
1 Viasat Communications Inc.
1 VDSINA VDS Hosting
1 TTNETDC Turkiye Telekom Data Center
1 TANET-BNETA, Taiwan
1 Symphony Communication Plc
1 SPARK NEW ZEALAND TRADING LIMITED
1 Shandong technology university
1 Rook Media USA, Inc.
1 RIPE Sinkhole
1 RCS & RDS Business
1 Radore Veri Merkezi Hizmetleri A.S.
1 NOS COMUNICACOES S.A. (TVCABO-Portugal)
1 Namecheap, Inc.
1 MonsterCommerce, LLC
1 Ministry of Education Computer Center, Taiwan
1 Ministère de l'aménagement du territoire de l'équipement et des transports
1 Kornet - Korea Telecom
1 KMS-Hosting.com Customers
1 Kabel Baden-Wuerttemberg GmbH & Co. KG
1 Joe's Datacenter, LLC
1 Indiana University
1 ID Uppal Private Limited
1 HOST1FREE.COM VPS services
1 HONGIK UNIVERSITY
1 HANANET - broadNnet
1 Google Cloud
1 GHOSTnet Network used for VPS Hosting Services
1 Gelderland Internet Exchange - Dedicated Servers
1 FortaTrust USA Corporation
1 EXMOS-LIMITED
1 ERX-NETBLOCK
1 CloudFlare, Inc.
1 Cizgi Telekom
1 China Mobile communications corporation
1 Bharti Tele-Ventures Limited
1 Belgacom ISP SKYNET-CUSTOMERS
1 Argon Data Communication
(Graph of NS IP address / C2 domain / IP address relationships, with clusters labelled Malware Cabal Sinkhole, VirusTracker Sinkhole, Arbor Networks Sinkhole, GoDaddy, Badness, and ???)
newGOZ Now
No new evil domains registered since 12 Nov 14. Why? Speculation:
- not resilient without peer-to-peer
- abandoned for new malware
- silent LE takedown
Sinkholes are still active
oldGOZ Client Queries
oldGOZ generates 1000 domains every 7 days, starting from the first of the month (except the 1st and last batch of a month, which do not span 7 days):
Dec 1 – Dec 6     Jan 1 – Jan 6
Dec 7 – Dec 13    Jan 7 – Jan 13
Dec 14 – Dec 20   Jan 14 – Jan 20
Dec 21 – Dec 27   Jan 21 – Jan 27
Dec 28 – Dec 31   Jan 28 – Jan 31
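An added example (not from the talk) that turns the batch schedule above into a function: a date is mapped to its oldGOZ batch window, the windows of a month are enumerated, and the month's watch list is sized at 1000 domains per batch. It handles the shorter first and last batches and 28-day months; the function names are this example's own.

```python
import calendar
from datetime import date, timedelta

DOMAINS_PER_BATCH = 1000   # "1000 domains every 7 days"
BATCH_LENGTH_DAYS = 7


def batch_window(d):
    """Return (first_day, last_day) of the oldGOZ batch covering date d.

    Batches restart on the 1st of each month, so a month splits into
    1-6, 7-13, 14-20, 21-27 and 28-end of month: the first batch is 6 days
    and the last one 1 to 4 days, matching the schedule on the slide.
    """
    if d.day < BATCH_LENGTH_DAYS:
        start_day, end_day = 1, BATCH_LENGTH_DAYS - 1
    else:
        start_day = BATCH_LENGTH_DAYS * (d.day // BATCH_LENGTH_DAYS)
        end_day = start_day + BATCH_LENGTH_DAYS - 1
    last_day_of_month = calendar.monthrange(d.year, d.month)[1]
    return (date(d.year, d.month, start_day),
            date(d.year, d.month, min(end_day, last_day_of_month)))


def month_batches(year, month):
    """All batch windows of a month, in order (always five, even in February)."""
    windows = []
    d = date(year, month, 1)
    while d.month == month:
        window = batch_window(d)
        windows.append(window)
        d = window[1] + timedelta(days=1)   # day after the batch ends
    return windows


def watchlist_size(year, month):
    """Domains to pre-register or monitor for the month: one batch of 1000 per window."""
    return DOMAINS_PER_BATCH * len(month_batches(year, month))


if __name__ == "__main__":
    for start, end in month_batches(2015, 1):
        print(f"{start:%b %d} - {end:%b %d}")
    print("watch list for Jan 2015:", watchlist_size(2015, 1), "domains")
```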
newGOZ Client Queries (to add)
newGOZ generates 1000 domains/day using one of the salts, and 10,000 domains/day using the other salt
newGOZ Take Aways
Important things to note about newGOZ infrastructure:
- TTLs of domain names (300)
- Use of round-robin DNS (multiple IPs per domain)
- Registrar preferences (TodayNic, Melbourne IT, BigRock)
- Registration to resolution delta (~1 day)
- Registrant email pattern
- Many C2 IPs, many NS IPs
- Use of compromised (and possibly dedicated) IPs
newGOZ tracker: Snapshooter
newGOZ Improved Tracking System
- JSON instead of flat text output
- Pure Python instead of BASH, Python and C
Client:
- generates GOZ domains
- identifies resolving domains
- maps resolving domains to workers
- spawns a dedicated client process for each worker
- asynchronously sends requests to workers
Workers:
- daemon waiting for client task requests
- queries DNS, whois, etc.
(Architecture diagram: the GOZ DGA produces domain batches p1, p2, p3 for the client; the client hands each batch to a worker daemon; workers query NS RRs and IP RRs through 8.8.8.8 and query whois servers)
Round-robin check for the whois server, with the output of the original run below it:

```sh
COUNT=0
while [ "${COUNT}" -lt 20 ]; do
  dig +short whois.verisign-grs.com   # A record(s) returned for this query
  COUNT=$((COUNT + 1))
  sleep 1                             # re-query once per second
done | sort | uniq -c                 # count how often each address came back
```

5 199.7.48.74
4 199.7.50.74
11 199.7.56.74
newGOZ Snapshooter Demo
github.com/anthonykasza/snapshooter
Snapshooter: ToDo
- Automatically contact registrars and hosting
providers with complaints
- Collect content hosted on domain
- Graph database backend
- Pray for RDAP draft
https://tools.ietf.org/html/draft-ietf-weirds-json-response-10
Conclusion
• Threat Intelligence is crucial to make strategic &
tactical decisions for reactive & proactive security
• Different techniques to collect network threat intel.
– Active probing
– Passive Monitoring
• Fastflux: Zbot fast flux proxy network
• DGA: GameOver Zeus botnet
• Snapshooter
References
- Catching malware en masse: DNS & IP style, D. Mahjoub, T. Reuille, A. Toonk, BlackHat 2014, DefCon 2014
- Sweeping the IP space: The Hunt for Evil on the Internet, D. Mahjoub, Virus Bulletin 2014
- A New Look at Fast Flux Proxy Networks, D. Mahjoub, H. Adrian, BotConf 2014
- DNS Analytics, O. Kamal, BotConf 2014
- ZeuS Tracker
- Massresolver, F. Denis, github.com/jedisct1/massresolver
- http://www.malware-traffic-analysis.net/
Acknowledgements
OpenDNS
ShmooCon
Arbor Networks (initial newGOZ DGA)
John Bambenek
Thank You.
Questions?
@dhialite
@anthonykasza
Red Team: Emulating Advanced Adversaries in Cyberspace
 
Dns firewalls null-may2020
Dns firewalls null-may2020Dns firewalls null-may2020
Dns firewalls null-may2020
 
Kentik Network@Scale (Dan Ellis)
Kentik Network@Scale (Dan Ellis)Kentik Network@Scale (Dan Ellis)
Kentik Network@Scale (Dan Ellis)
 

Mais de OpenDNS

Blackhat USA 2015: BGP Stream Presentation
Blackhat USA 2015: BGP Stream PresentationBlackhat USA 2015: BGP Stream Presentation
Blackhat USA 2015: BGP Stream PresentationOpenDNS
 
What Happens Before the Kill Chain
What Happens Before the Kill Chain What Happens Before the Kill Chain
What Happens Before the Kill Chain OpenDNS
 
Highly Available Docker Networking With BGP
Highly Available Docker Networking With BGPHighly Available Docker Networking With BGP
Highly Available Docker Networking With BGPOpenDNS
 
One Phish, Two Phish, Red Phish, Your Account Details Just Got Stolen
One Phish, Two Phish, Red Phish, Your Account Details Just Got StolenOne Phish, Two Phish, Red Phish, Your Account Details Just Got Stolen
One Phish, Two Phish, Red Phish, Your Account Details Just Got StolenOpenDNS
 
OpenDNS CTO Dan Hubbard VizSec 2014 Keynote Slides
OpenDNS CTO Dan Hubbard VizSec 2014 Keynote SlidesOpenDNS CTO Dan Hubbard VizSec 2014 Keynote Slides
OpenDNS CTO Dan Hubbard VizSec 2014 Keynote SlidesOpenDNS
 
Standardizing and Strengthening Security to Lower Costs
Standardizing and Strengthening Security to Lower CostsStandardizing and Strengthening Security to Lower Costs
Standardizing and Strengthening Security to Lower CostsOpenDNS
 
Docker at OpenDNS
Docker at OpenDNSDocker at OpenDNS
Docker at OpenDNSOpenDNS
 
IP Routing, AWS, and Docker
IP Routing, AWS, and DockerIP Routing, AWS, and Docker
IP Routing, AWS, and DockerOpenDNS
 
Marauder or Scanning Your DNSDB for Fun and Profit - SOURCE Boston
Marauder or Scanning Your DNSDB for Fun and Profit - SOURCE BostonMarauder or Scanning Your DNSDB for Fun and Profit - SOURCE Boston
Marauder or Scanning Your DNSDB for Fun and Profit - SOURCE BostonOpenDNS
 
Network Security: A Four Point Analysis of Appliances vs. the Cloud
Network Security: A Four Point Analysis of Appliances vs. the CloudNetwork Security: A Four Point Analysis of Appliances vs. the Cloud
Network Security: A Four Point Analysis of Appliances vs. the CloudOpenDNS
 
CanSecWest 2014 Presentation: "Intelligent Use of Intelligence: Design to Dis...
CanSecWest 2014 Presentation: "Intelligent Use of Intelligence: Design to Dis...CanSecWest 2014 Presentation: "Intelligent Use of Intelligence: Design to Dis...
CanSecWest 2014 Presentation: "Intelligent Use of Intelligence: Design to Dis...OpenDNS
 
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie AheadRethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie AheadOpenDNS
 
Speak Security: Under the Hood of the OpenDNS Security Research Labs with Dhi...
Speak Security: Under the Hood of the OpenDNS Security Research Labs with Dhi...Speak Security: Under the Hood of the OpenDNS Security Research Labs with Dhi...
Speak Security: Under the Hood of the OpenDNS Security Research Labs with Dhi...OpenDNS
 
Baythreat Cryptolocker Presentation
Baythreat Cryptolocker PresentationBaythreat Cryptolocker Presentation
Baythreat Cryptolocker PresentationOpenDNS
 
MSP Webcast - Leveraging Cloud Security to Become a Virtual CIO
MSP Webcast - Leveraging Cloud Security to Become a Virtual CIOMSP Webcast - Leveraging Cloud Security to Become a Virtual CIO
MSP Webcast - Leveraging Cloud Security to Become a Virtual CIOOpenDNS
 
Umbrella for MSPs: Cloud Security via N-able
Umbrella for MSPs: Cloud Security via N-ableUmbrella for MSPs: Cloud Security via N-able
Umbrella for MSPs: Cloud Security via N-ableOpenDNS
 

Mais de OpenDNS (17)

Blackhat USA 2015: BGP Stream Presentation
Blackhat USA 2015: BGP Stream PresentationBlackhat USA 2015: BGP Stream Presentation
Blackhat USA 2015: BGP Stream Presentation
 
What Happens Before the Kill Chain
What Happens Before the Kill Chain What Happens Before the Kill Chain
What Happens Before the Kill Chain
 
Highly Available Docker Networking With BGP
Highly Available Docker Networking With BGPHighly Available Docker Networking With BGP
Highly Available Docker Networking With BGP
 
One Phish, Two Phish, Red Phish, Your Account Details Just Got Stolen
One Phish, Two Phish, Red Phish, Your Account Details Just Got StolenOne Phish, Two Phish, Red Phish, Your Account Details Just Got Stolen
One Phish, Two Phish, Red Phish, Your Account Details Just Got Stolen
 
OpenDNS CTO Dan Hubbard VizSec 2014 Keynote Slides
OpenDNS CTO Dan Hubbard VizSec 2014 Keynote SlidesOpenDNS CTO Dan Hubbard VizSec 2014 Keynote Slides
OpenDNS CTO Dan Hubbard VizSec 2014 Keynote Slides
 
Standardizing and Strengthening Security to Lower Costs
Standardizing and Strengthening Security to Lower CostsStandardizing and Strengthening Security to Lower Costs
Standardizing and Strengthening Security to Lower Costs
 
Docker at OpenDNS
Docker at OpenDNSDocker at OpenDNS
Docker at OpenDNS
 
IP Routing, AWS, and Docker
IP Routing, AWS, and DockerIP Routing, AWS, and Docker
IP Routing, AWS, and Docker
 
Defcon
DefconDefcon
Defcon
 
Marauder or Scanning Your DNSDB for Fun and Profit - SOURCE Boston
Marauder or Scanning Your DNSDB for Fun and Profit - SOURCE BostonMarauder or Scanning Your DNSDB for Fun and Profit - SOURCE Boston
Marauder or Scanning Your DNSDB for Fun and Profit - SOURCE Boston
 
Network Security: A Four Point Analysis of Appliances vs. the Cloud
Network Security: A Four Point Analysis of Appliances vs. the CloudNetwork Security: A Four Point Analysis of Appliances vs. the Cloud
Network Security: A Four Point Analysis of Appliances vs. the Cloud
 
CanSecWest 2014 Presentation: "Intelligent Use of Intelligence: Design to Dis...
CanSecWest 2014 Presentation: "Intelligent Use of Intelligence: Design to Dis...CanSecWest 2014 Presentation: "Intelligent Use of Intelligence: Design to Dis...
CanSecWest 2014 Presentation: "Intelligent Use of Intelligence: Design to Dis...
 
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie AheadRethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
 
Speak Security: Under the Hood of the OpenDNS Security Research Labs with Dhi...
Speak Security: Under the Hood of the OpenDNS Security Research Labs with Dhi...Speak Security: Under the Hood of the OpenDNS Security Research Labs with Dhi...
Speak Security: Under the Hood of the OpenDNS Security Research Labs with Dhi...
 
Baythreat Cryptolocker Presentation
Baythreat Cryptolocker PresentationBaythreat Cryptolocker Presentation
Baythreat Cryptolocker Presentation
 
MSP Webcast - Leveraging Cloud Security to Become a Virtual CIO
MSP Webcast - Leveraging Cloud Security to Become a Virtual CIOMSP Webcast - Leveraging Cloud Security to Become a Virtual CIO
MSP Webcast - Leveraging Cloud Security to Become a Virtual CIO
 
Umbrella for MSPs: Cloud Security via N-able
Umbrella for MSPs: Cloud Security via N-ableUmbrella for MSPs: Cloud Security via N-able
Umbrella for MSPs: Cloud Security via N-able
 

Último

What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 

Último (20)

What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 

Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon 2015 Presentation

  • 1. Infrastructure Tracking with Passive Monitoring and Active Probing Anthony Kasza Dhia Mahjoub January 18th, 2015
  • 2. November 11, 2014 Hello, I am a security researcher at OpenDNS. I have been tracking the movements of the Gameover Zeus (GOZ) botnet. Your registrar has been used to register domains used for command and control communications between the operators of this botnet and compromised hosts. Are you able to collaborate in tracking and shutting down these domains? -AK
  • 3. Registrar Abuse Desk Response Times
    Webfusion: 1hr 44mins
    Enom: 2hrs 36mins
    Namesilo: 21hours 27mins
    Bigrock Solutions: 2days 1hr 20mins
    TodayNic: 1 week
    101 Domain: -
    Active Registrar: -
    Melbourne IT DBA internet names worldwide: -
    The Registry at Info Avenue: -
    Turncommerce DBA Namebright: -
  • 4. Speakers
    @dhialite, Senior Security Researcher: DNS, networks, data analysis, threat detection, graphs
    @anthonykasza, Security Researcher: DNS, network protocols, threat detection, Bro IDS; github.com/anthonykasza
  • 5. Agenda
    Importance of Threat Intelligence
    Active Probing
    Passive Monitoring
    Fastflux Case Study: Zbot
      Tracking System Overview
    DGA Case Study: newGOZ
      Tracking System Overview
    Conclusion
  • 7. Types of DNS traffic: stub clients -> recursive name servers -> authoritative name servers (root, tld, domain.tld). ~2 TB of query logs per day, compressed.
  • 8. Threat Intelligence
    Relevant, timely, and useful information that helps take action (strategic or tactical)
    Examples of tactical actions (not an exhaustive list):
    - Block known malicious domains, IPs
    - Preemptively block suspicious domains, IPs
    - Further investigate domain patterns, IP infrastructure
    - Further investigate malware samples, anomalous traffic patterns
  • 11. Active Probing
    Current state, RIGHT NOW: the thing being investigated, and the thing's neighbors
    Direct: touch the thing being investigated
    Indirect: ask around about the thing
  • 12. Active Probing: Direct
    - Port scan, service banner grabs (shodan/nmap/masscan), e.g. hosts serving Angler EK that share an identical server setup
    - Collect content (http/ftp)
    Noisy: it is detectable, and the probed host can block by source or return misleading content
    64.251.7.239 - 64.251.7.241
      22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
      80/tcp open http nginx 1.6.2
  • 13. Active Probing: Indirect
    DNS: domain to IP, domain to name server, name server to IP
    BGP and IP whois: the IP's ASN and upstream ASNs; explore sibling ASNs; hosting provider
    Domain whois: domain and authoritative name server domain; registrar, registrant, created/updated/expire times
  • 14. Active Probing: Indirect
    Query for DNS records:
    - Domain to IP
    - Domain to Name server
    - Name server to IP
    Can be considered direct (i.e. noisy, may trigger alerts) if the authoritative name servers are operated by the same bad actors
    Scalable tools: adns (http://www.gnu.org/software/adns/), Massresolver (https://github.com/jedisct1/massresolver)
  • 15. Active Probing: Indirect
    Query for BGP and IP whois data:
    - IP to ASN: Team Cymru, or routeviews + PyASN
    - Upstream and sibling ASNs (SPN concept, BlackHat 2014)
    - Hosting provider: rogue, lax or abused, e.g.
      http://www.serverpronto.com/ (US)
      https://king-servers.com (Russia)
      http://www.mach9servers.com/ (US)
      https://www.bacloud.com (Lithuania)
      http://www.qhoster.bg/ (Bulgaria; a reseller that registers domains & provides hosting)
  • 17. Active Probing: Indirect
    Both ranges belong to Serverpronto, hosting subdomains injected under compromised GoDaddy domains to serve EK
    64.251.7.239 - 64.251.7.241
      22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
      80/tcp open http nginx 1.6.2
    64.251.22.201 - 64.251.22.207
      22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u1 (protocol 2.0)
      80/tcp open http nginx 1.2.1
      111/tcp open rpcbind 2-4 (RPC #100000)
  • 21. Active Probing: Indirect
    All SPN ASNs except one have a downstream adjacent ASN:
    - AS47145: compromised IPs hosting zbot FF CnC domains
    - AS44668: compromised IPs hosting zbot FF CnC domains
    - AS196860: compromised IPs hosting zbot FF CnC domains
  • 22. Active Probing: Indirect
    Domain whois: domain and authoritative name server domain; registrar, registrant, created/updated/expire times
    Problems: daily changes are often too coarse; client-provided information isn't always accurate
    Tools: whois client, scraping web-based whois sites, commercial offerings
  • 25. Passive Monitoring
    Previous state of things, or patterns derived from behavior monitoring
    Passive DNS reconstruction: pivot from a seed
      domain -> IP -> domain
      domain -> nameserver -> domain
    Correlation via registrant email: reliable in specific cases
    Client query patterns: domain lexical analysis, query spikes, query co-occurrences
    Correlation via malware samples: domain and IP artifacts
    Application layer data (sinkhole)
  • 26. Combination of interchangeable models
    FF model, sample network report, DGA model, traffic pattern model, any others
    Pivot around artifacts (domain, IP, sample features, traffic features, co-occurrences, etc.)
    Apply filtering heuristics to remove FPs (traffic pattern, lexical features, etc.)
    New domains and IPs can feed back into the loop
  • 29. Correlation via registrant email
    Domain detected by traffic or malware analysis -> get registrant email -> extract all domains registered by the same email -> apply filtering heuristics to remove FPs (traffic, subdomains, resolution, url patterns, etc.)
  • 30. Correlation via registrant email
    - Effective for compromised domains registered by the same registrant email and injected with subdomains for EK, browlock, etc., e.g. GoDaddy compromised domains
    - Effective for malware-dedicated CnC domains, e.g. GOZ, zbot, Tinba (the.malware.cabal@gmail.com)
  • 31. Client query patterns (figure: bipartite graph of client IPs to domains within a time window)
  • 32. Client query patterns
    Co-occurring domains:
    - Temporal proximity of domain lookups
    - Bipartite graph of client IPs to domains during a short time window
    - Consider both resolving queries and nxdomains
    - Use cases of interest:
      botnet CnC domains, especially DGAs
      domains sharing the same theme or campaign, e.g. carding sites, click-fraud, etc.
      compromised sites leading to EK or malware domains
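The co-occurrence heuristic of slide 32, as an added example that is not part of the deck: a client-IP to domain bipartite graph restricted to a short window around each client's lookup of a seed domain, run over constructed resolver log lines (the seed name, client addresses, domain names and timestamps are all placeholders constructed here). It also carries the pivot one step further than the slide states, scoring each candidate by the share of its clients that co-occur with the seed, which is what separates a DGA sibling from a popular CDN name queried by everybody.

```python
# Added example, not from the ShmooCon deck: slide 32's client-IP -> domain
# bipartite co-occurrence over a short time window, run on constructed
# recursive-resolver log lines. NXDOMAIN answers are kept on purpose, since
# most DGA candidates never resolve. All names and addresses are placeholders.
from collections import defaultdict

# Constructed log lines: "<unix_ts> <client_ip> <qname> <rcode>".
LOG = """\
1421577600 10.0.0.1 seed-cnc.example NOERROR
1421577605 10.0.0.1 q7hd3k1.example NXDOMAIN
1421577612 10.0.0.1 cdn-static.example NOERROR
1421577620 10.0.0.1 m2vzq9a.example NOERROR
1421577700 10.0.0.2 seed-cnc.example NOERROR
1421577703 10.0.0.2 q7hd3k1.example NXDOMAIN
1421577710 10.0.0.2 news.example NOERROR
1421577711 10.0.0.2 m2vzq9a.example NOERROR
1421577800 10.0.0.3 q7hd3k1.example NXDOMAIN
1421577802 10.0.0.3 seed-cnc.example NOERROR
1421577900 10.0.0.3 cdn-static.example NOERROR
1421578100 10.0.0.4 cdn-static.example NOERROR
1421578200 10.0.0.4 news.example NOERROR
"""


def parse_log(text):
    """Turn the constructed log into (ts, client, qname, rcode) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        events.append((int(ts), client, qname.lower().rstrip("."), rcode))
    return events


def cooccurring_domains(events, seed, window=60):
    """Bipartite client -> domain graph, edges kept only within +/- `window`
    seconds of that client's lookups of `seed`.

    Returns {domain: (co_clients, all_clients)} where co_clients is the number
    of distinct clients that looked the domain up inside a seed window and
    all_clients the number of distinct clients that looked it up at all.
    """
    by_client = defaultdict(list)
    all_clients = defaultdict(set)
    for ts, client, qname, _rcode in events:  # resolving and NXDOMAIN alike
        by_client[client].append((ts, qname))
        all_clients[qname].add(client)
    co_clients = defaultdict(set)
    for client, lookups in by_client.items():
        seed_times = [ts for ts, qname in lookups if qname == seed]
        if not seed_times:
            continue  # this client never touched the seed
        for ts, qname in lookups:
            if qname == seed:
                continue
            if any(abs(ts - st) <= window for st in seed_times):
                co_clients[qname].add(client)
    return {d: (len(c), len(all_clients[d])) for d, c in co_clients.items()}


def rank_candidates(scores, min_clients=2, min_ratio=0.5):
    """FP filter: enough distinct co-occurring clients, and most of the
    domain's clients co-occur with the seed. A CDN or news site that many
    unrelated clients query fails the ratio test even if one bot hit it."""
    ranked = []
    for domain, (co, total) in scores.items():
        if co >= min_clients and co / total >= min_ratio:
            ranked.append((domain, co, round(co / total, 2)))
    return sorted(ranked, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    scores = cooccurring_domains(parse_log(LOG), "seed-cnc.example")
    for row in rank_candidates(scores):
        print(row)
```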
  • 33. Client query patterns
    Pivot from seed sites, e.g. a seed list of carding sites (monitoring during the Target breach): carderprofit.cc, carder.su, cardersunion.net, cardingworld.cc, cclub.bz, cclub.su, clubr.ru, crdclub.ws, darkmarket.ws, dumps4you.cc, infraud.su, jworldtopcc.su, lampeduza.so, proclub.ws, prov.cc, unclesam.vc, validcc.su, verified.ms, vpro.su
    Heuristics:
      Domain -> hosting IP -> Domain
      Domain -> client IP -> Domain (co-occurring domains)
      Domain -> name server -> Domain
    + filtering heuristics to remove FPs
  • 35. Client query patterns
    Some extra carding and stolen-credentials sites discovered (there are a lot more): prvtzone.cc, best4best.su, cardrockcafe.so, cardrockcafe.cc, cvv.me, d4rksys.cc, ssndob.cc, ssndob.so, torcvv.cc, darkmoney.cc, vini.cc, uniccshop.ru
  • 39. Correlation via malware network artifacts
    Domain detected by traffic monitoring (FF, DGA, other models) -> get malware sample analysis report -> extract queried domains from the network traffic report -> apply filtering heuristics to remove FPs (traffic, subdomains, resolution, etc.)
  • 40. Correlation via malware network artifacts
    Some filtering heuristics:
    - Similar traffic patterns (e.g. spikes or shape of the traffic curve)
    - Similar domain lexical features
    - Similar subdomain and hosting IP patterns
    - Similar website content
    - Similar url patterns (3rd party analysis report, sinkhole, own sandbox)
    ...
    Open sources for analysis reports: VirusTotal, totalhash, malwr, ThreatExpert, Sophos and Microsoft threat reports
  • 41. Web-scraping malware samples & reports
    Sources: VT, totalhash, malwr, ThreatExpert, Sophos and Microsoft threat reports
    - Use the commercial version
    - Scrape online reports using free open proxies to prevent throttling or blocking of your source IP
  • 42. Application layer data (sinkhole)
    - This could arguably be active...
    - Application layer data validation
    - Get url patterns for sinkholed domains
    - Or get urls from VirusTotal, totalhash reports, etc.
    - Use ET signatures to match against traffic
  • 43. Other sources of Intel
    - Good old google, other search engines
    - Reliable friends, colleagues
    - The infosec community
    Automation, scale and accuracy are crucial, plus human validation
  • 44. Fast flux case study: Zbot proxy network
  • 45. Fastflux definition
    - DNS-based redundancy/evasion technique
    - Fast flux domain resolves to many IPs, many ASNs, many CCs, with a relatively low TTL
    - Fast flux domain resolves to 1 IP with TTL=0
    - Ex: Trojan CnCs, spam, scam, pharmacy, dating domains
  • 46. Zbot CnCs Monitoring System
    (1) Initial list of zbot fast flux domains
    (2) Get IP, TTL via direct lookup into DNSDB
    (3) Extract IPs s.t. TTL=150
    (4) Get domains from IPs via inverse lookup
    (5) Add domains from (4) to list (1)
    (6) Extract IPs s.t. TTL=150
    (7) Add IPs from (6) to list of zbot proxy network IPs
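The seven steps of slide 46, as an added example that is not the deck's or OpenDNS' own code: the domain -> IP -> domain pivot with the TTL=150 filter, iterated until neither list grows. A constructed in-memory passive DNS table stands in for DNSDB, and every domain name and address is a placeholder drawn from the RFC 5737 test ranges.

```python
# Added example, not from the ShmooCon deck: slide 46's seven-step zbot
# proxy-network expansion, iterated to a fixed point over a constructed
# in-memory passive DNS table standing in for a live DNSDB. Every domain
# name and address below is a placeholder (RFC 5737 test ranges).
FLUX_TTL = 150  # the TTL the slide uses to pick zbot proxy IPs out of the answers

# Constructed passive DNS records: (qname, answer IP, TTL).
PDNS = [
    ("flux-a.example", "192.0.2.10", 150),
    ("flux-a.example", "192.0.2.11", 150),
    ("flux-a.example", "198.51.100.5", 3600),    # stale/legit answer, not flux TTL
    ("flux-b.example", "192.0.2.11", 150),
    ("flux-b.example", "192.0.2.12", 150),
    ("shared-host.example", "192.0.2.12", 300),  # lives on a proxy IP, normal TTL
    ("shared-host.example", "203.0.113.7", 300),
    ("flux-c.example", "192.0.2.12", 150),
    ("flux-c.example", "192.0.2.13", 150),
    ("unrelated.example", "203.0.113.9", 300),
]


def forward_lookup(pdns, domain):
    """Step (2): domain -> [(ip, ttl)], the 'direct lookup into DNSDB'."""
    return [(ip, ttl) for name, ip, ttl in pdns if name == domain]


def inverse_lookup(pdns, ip):
    """Step (4): ip -> {domains}, the inverse lookup."""
    return {name for name, answer, _ in pdns if answer == ip}


def expand_flux_network(pdns, seeds, flux_ttl=FLUX_TTL, max_rounds=20):
    """Run steps (2)-(7) repeatedly until neither list grows.

    Returns (domains, proxy_ips): the grown list (1) and the proxy IP list (7).
    """
    domains = set(seeds)
    proxy_ips = set()
    frontier = set(seeds)  # domains that still need a forward lookup
    for _ in range(max_rounds):
        # Steps (2)/(3) and (6): forward-resolve the frontier, keep TTL==flux_ttl IPs.
        new_ips = set()
        for domain in frontier:
            for ip, ttl in forward_lookup(pdns, domain):
                if ttl == flux_ttl:
                    new_ips.add(ip)
        new_ips -= proxy_ips
        proxy_ips |= new_ips  # step (7)
        # Steps (4)/(5): inverse-resolve only the new IPs, add unseen domains to list (1).
        frontier = set()
        for ip in new_ips:
            frontier |= inverse_lookup(pdns, ip)
        frontier -= domains
        domains |= frontier
        if not new_ips and not frontier:
            break  # fixed point reached
    return domains, proxy_ips


if __name__ == "__main__":
    found_domains, found_ips = expand_flux_network(PDNS, ["flux-a.example"])
    print("list (1) domains:", sorted(found_domains))
    print("list (7) proxy IPs:", sorted(found_ips))
```

shared-host.example is swept into list (1) by the inverse lookup of 192.0.2.12 yet contributes no TTL-150 answers; that is the kind of hit the filtering heuristics of slide 26 exist to remove.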
  • 47. Malware phoning to CnC domains: Zeus (config URLs, binary URLs, drop zone URLs), Citadel, KINS & Ice IX, Asprox, Zemot/Rerdom, Phishing, Ursnif, Madness Pro, Pony panel, newGOZ, Tiny Banker
  • 48. Tiny Banker CnCs example
    Tinba domains detected by FF model -> get network reports for all associated known samples -> extract queried domains from network traffic reports -> apply filtering heuristics to remove FPs (traffic pattern, lexical features, etc.)
  • 49. Fastflux Case Study: Zbot
    - Collecting live intel helps learn about bad actors' TTPs
    - They register domains with evasive names to confuse trackers, e.g. suspended-domains-nic.biz looks like a suspended domain; in reality it's a recent NS domain (Jan 14th) for zbot FF CnCs
    - [a-d].suspended-domains-nic.biz and [dns1-dns4].suspended-domains-nic.biz are authoritative name servers for zbot FF domains. The name servers are themselves hosted on the zbot proxy network: a double flux setup
  • 52. Rogue or abused registrars http://spamtrackers.eu/wiki/index.php/R01.ru
  • 54. Email / MX RR
    FakeMailGenerator: no MX record
    Picamail: Google
    85Mail: Google
    Privacy: TopDNS
    GMX.com
    Hotmail
    Yandex
  • 55. DGA case study: new GameOver Zeus (newGOZ)
  • 56. newGOZ Background
    What is a DGA? Conficker, 2008
    Typically calculated on time/day/date
    Letter based vs dictionary based
    Gameover Zeus "newGOZ": letter based, with salts to extend the algorithm (2 known); 11000 possible domains per day; Oct 7 - Dec 7 (62 days)
  • 57. newGOZ Tracking System Overview
    Identify a DGA: VirusTotal, TotalHash, intel sharing communities; query patterns: co-occurrences, spikes, lexical analysis
    Reverse the DGA algorithm: Hex-Rays decompiler, IDA, Hopper, OllyDbg
    Predict daily C2 domains: Python + BASH + massresolver; yesterday, today, tomorrow (for overlaps); 682,000 possible C2 domains over 62 days (Oct 7 - Dec 7)
    Identify live C2 domains: attempt to resolve domains every TTL seconds (5 minutes); 251 resolved (evil and researchers)
    Probe for information on C2 domains: whois, DNS, IP, ASN info for C2 and authoritative domains
    Enrich probe information with passive data: passive DNS, historic whois, IP reputation
  • 58. newGOZ Domain TTLs
    251 different C2 domains resolved
    Domain count, TTL, alignment:
    110 domains, TTL 300: Evil
    81 domains, TTL 10800: Sinkhole
    58 domains, TTL 666: Sinkhole
    9 domains, TTL 3600: Sinkhole
    5 domains, TTL 1800: Sinkhole
    4 domains, TTL 600: ?
    1 domain, TTL 7200: ?
    1 domain, TTL 14400: ?
    A domain with multiple TTLs changed owners
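The "identify live C2 domains" step of slide 57 and the TTL alignment of slide 58, as an added example that is not the deck's tracking code: the three-day candidate window, the TTL-to-owner mapping the slide observed, the owner-change flag for domains seen with more than one TTL, and the slide-58 style count table. The reversed DGA itself is not on the page, so candidate names are placeholders, and the resolver is replaced by constructed poll observations.

```python
# Added example, not from the ShmooCon deck: slides 57-58, the live-C2
# identification loop and TTL alignment. The DGA output is replaced by
# placeholder names and live resolution by constructed observations.
from collections import defaultdict
from datetime import date, timedelta

# TTL -> owner alignment as observed on slide 58; anything else is "?".
TTL_ALIGNMENT = {300: "evil", 10800: "sinkhole", 666: "sinkhole",
                 3600: "sinkhole", 1800: "sinkhole"}
POLL_INTERVAL = 300  # "every TTL seconds (5 minutes)"


def candidate_days(today_iso):
    """Slide 57: generate for yesterday, today and tomorrow so that day
    boundaries and clock skew between bots and tracker overlap safely."""
    today = date.fromisoformat(today_iso)
    return [(today + timedelta(days=d)).isoformat() for d in (-1, 0, 1)]


def classify_ttl(ttl):
    return TTL_ALIGNMENT.get(ttl, "?")


# Constructed resolver observations: (poll_ts, domain, answer IP, TTL).
# Domains are placeholders, addresses come from the RFC 5737 test ranges.
OBSERVATIONS = [
    (0,   "c2-placeholder-1.net", "192.0.2.50",   300),
    (300, "c2-placeholder-1.net", "192.0.2.50",   300),
    (0,   "c2-placeholder-2.com", "198.51.100.9", 10800),
    (0,   "c2-placeholder-3.org", "192.0.2.77",   300),
    (600, "c2-placeholder-3.org", "203.0.113.4",  666),  # taken over by a sinkhole
    (0,   "c2-placeholder-4.biz", "203.0.113.8",  600),
]


def track_live_domains(observations):
    """Group polls per domain; report TTLs seen, current alignment, owner
    changes (slide: a domain with multiple TTLs changed owners) and when to
    poll next (the answer's TTL, capped at the 5-minute interval)."""
    per_domain = defaultdict(list)
    for ts, domain, ip, ttl in sorted(observations):
        per_domain[domain].append((ts, ip, ttl))
    report = {}
    for domain, polls in per_domain.items():
        ttls = [ttl for _, _, ttl in polls]
        last_ts, _last_ip, last_ttl = polls[-1]
        report[domain] = {
            "ttls": sorted(set(ttls)),
            "alignment": classify_ttl(last_ttl),  # who holds it now
            "changed_owner": len(set(ttls)) > 1,
            "ips": sorted({ip for _, ip, _ in polls}),
            "next_poll": last_ts + min(last_ttl, POLL_INTERVAL),
        }
    return report


def ttl_histogram(report):
    """Slide-58 style table {(ttl, alignment): domain count}. A domain seen
    with several TTLs is counted once per TTL, which is why the rows can add
    up to more than the number of distinct domains."""
    hist = defaultdict(int)
    for info in report.values():
        for ttl in info["ttls"]:
            hist[(ttl, classify_ttl(ttl))] += 1
    return dict(hist)


if __name__ == "__main__":
    print("candidate days:", candidate_days("2014-10-08"))
    live = track_live_domains(OBSERVATIONS)
    for domain, info in sorted(live.items()):
        print(domain, info)
    print(ttl_histogram(live))
```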
  • 59. newGOZ C2 Name Servers
    31 authoritative domains (2LD)
    21 name servers had ns1 and ns2 pairs
    5 domains (likely more) are researchers'
    4 name servers were eventually parked, possibly due to not resolving, possibly due to not existing
  • 61. newGOZ C2 Name Servers (the same list as slide 60, colour-coded) Legend: Researchers, Parked, Evil, Evil NS1, Evil NS2
  • 62. newGOZ C2 Domain Registrars: Dynadot, GoDaddy, 1&1 Internet AG, 101Domain, Bigrock Solutions, Enom, Gandi SAS, Melbourne IT DBA Internet Names Worldwide, Network Solutions, TodayNIC, Turncommerce DBA NameBright, Webfusion
  • 64. (chart by registrar) 1&1 Internet AG, Dynadot, Gandi, TodayNic, Melbourne IT, Bigrock Solutions, TurnCommerce DBA Namebright, GoDaddy, 101Domain, Enom, Webfusion, Network Solutions
  • 65. newGOZ Registrant Email Addresses
    99 different registrant emails (C2 and NS domains), NOT including confirmed researchers
    Some accounts were created, some weren't
    medicallaserss@ymail.com / medicallassers@ymail.com
    educationreport@insurer.com / educationreportt@insurer.com
  • 66.
  • 67. (chart: registrant email providers) NameBright Privacy, TodayNic Privacy (no MX RR), Yahoo, GMX.com, AOL, Enom Privacy (WhoisGuard), GoDaddy Privacy (Domains By Proxy), GMX.net, Hotmail, Zoho, FakeMailGenerator
  • 68. newGOZ C2 and NS Hosting
    86 C2 and NS IPs
    54 unique hosting locations
    3 providers used by known researchers
    Mix of VPS, ISP, and compromised
  • 69. IP count per hosting provider
    12  Amazon
    8   GoDaddy
    4   GANDI SAS
    3   Rackspace Hosting
    3   OVH
    3   Confluence Networks Inc
    3   1&1 Internet AG
    2   Webfusion Internet Solutions
    2   ViaWest
    2   SoftLayer Technologies Inc.
    2   PT Jastrindo Dinamika
    2   Black Lotus Communications
    1   Yuli Azarch trading as YaiSales
    1   XL Internet Services B.V.
    1   Viet Solutions Services Trading Company Limited
    1   Viasat Communications Inc.
    1   VDSINA VDS Hosting
    1   TTNETDC Turkiye Telekom Data Center
    1   TANET-BNETA, Taiwan
    1   Symphony Communication Plc
    1   SPARK NEW ZEALAND TRADING LIMITED
    1   Shandong technology university
    1   Rook Media USA, Inc.
    1   RIPE Sinkhole
    1   RCS & RDS Business
    1   Radore Veri Merkezi Hizmetleri A.S.
    1   NOS COMUNICACOES S.A. (TVCABO- Portugal)
    1   Namecheap, Inc.
    1   MonsterCommerce, LLC
    1   Ministry of Education Computer Center, Taiwan
    1   Ministère de l'aménagement du territoire de l'équipement et des transports
    1   Kornet - Korea Telecom
    1   KMS-Hosting.com Customers
    1   Kabel Baden-Wuerttemberg GmbH & Co. KG
    1   Joe's Datacenter, LLC
    1   Indiana University
    1   ID Uppal Private Limited
    1   HOST1FREE.COM VPS services
    1   HONGIK UNIVERSITY
    1   HANANET - broadNnet
    1   Google Cloud
    1   GHOSTnet Network used for VPS Hosting Services
    1   Gelderland Internet Exchange - Dedicated Servers
    1   FortaTrust USA Corporation
    1   EXMOS-LIMITED
    1   ERX-NETBLOCK
    1   CloudFlare, Inc.
    1   Cizgi Telekom
    1   China Mobile communications corporation
    1   Bharti Tele-Ventures Limited
    1   Belgacom ISP SKYNET-CUSTOMERS
    1   Argon Data Communication
  • 71. (diagram; labels: NS IP address, C2 domain, IP address)
  • 73. newGOZ Now
    No new evil domains registered since 12 Nov 14. Why? Speculation:
    - not resilient without peer-to-peer
    - abandoned for new malware
    - silent LE takedown
    Sinkholes are still active
  • 74. oldGOZ Client Queries
    oldGOZ generates 1000 domains every 7 days, starting from the first of the month (the first and last batches of each month are shorter)
    Dec 1 - Dec 6       Jan 1 - Jan 6
    Dec 7 - Dec 13      Jan 7 - Jan 13
    Dec 14 - Dec 20     Jan 14 - Jan 20
    Dec 21 - Dec 27     Jan 21 - Jan 27
    Dec 28 - Dec 31     Jan 28 - Jan 31
  • 77. newGOZ Client Queries (to add)
    newGOZ generates 1000 domains/day using one of the salts and 10,000 domains/day using the other salt
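The oldGOZ batch calendar of slide 74, as an added Python example (not from the deck). The rule it encodes is inferred from the slide's table and is an assumption: batch boundaries fall on days 7, 14, 21 and 28, so a date belongs to batch number day // 7, which is what makes the first and last batches of a month shorter. batches_to_watch() applies the same previous/current/next overlap idea that slide 57 uses for daily DGA output.

```python
"""Added example, not from the deck: slide 74's oldGOZ batch calendar as code.
The rule below is inferred from the table and is an assumption: batch
boundaries fall on days 7, 14, 21 and 28, so a date belongs to batch
day // 7, which makes the first and last batches of a month shorter."""
import calendar
from datetime import date, timedelta


def batch_window(day_iso):
    """(start, end) ISO dates of the 1000-domain batch covering day_iso."""
    d = date.fromisoformat(day_iso)
    idx = d.day // 7                       # 0 for days 1-6, 1 for 7-13, ...
    last = calendar.monthrange(d.year, d.month)[1]
    start = date(d.year, d.month, max(1, idx * 7))
    end = date(d.year, d.month, min(last, idx * 7 + 6))
    return start.isoformat(), end.isoformat()


def month_batches(year, month):
    """Every batch window in a month, reproducing slide 74's two columns."""
    windows = []
    d = date(year, month, 1)
    while d.month == month:
        w = batch_window(d.isoformat())
        windows.append(w)
        d = date.fromisoformat(w[1]) + timedelta(days=1)
    return windows


def batches_to_watch(day_iso):
    """Previous, current and next batch: the weekly analogue of generating
    yesterday's, today's and tomorrow's DGA output (slide 57), so a client
    whose clock is a little ahead of or behind the tracker is still covered."""
    cur = batch_window(day_iso)
    prev = batch_window((date.fromisoformat(cur[0]) - timedelta(days=1)).isoformat())
    nxt = batch_window((date.fromisoformat(cur[1]) + timedelta(days=1)).isoformat())
    return prev, cur, nxt


if __name__ == "__main__":
    for window in month_batches(2014, 12):
        print(window)
```

Running it for December 2014 and January 2015 reproduces the ten windows on the slide; the month-end batch is clipped to the last day of the month, so February yields a one-day final batch (the 28th) in a non-leap year.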
  • 78. newGOZ Take-Aways
    Important things to note about newGOZ infrastructure:
    - TTLs of domain names (300)
    - Use of round-robin DNS (multiple IPs per domain)
    - Registrar preferences (TodayNic, Melbourne IT, BigRock)
    - Registration-to-resolution delta (~1 day)
    - Registrant email pattern
    - Many C2 IPs, many NS IPs
    - Use of compromised (and possibly dedicated) IPs
  • 80. newGOZ Improved Tracking System
    JSON instead of flat text output
    Pure Python instead of BASH, Python and C
    Client:
    - generates GOZ domains
    - identifies resolving domains
    - maps resolving domains to workers
    - spawns a dedicated client process for each worker
    - asynchronously sends requests to workers
    Workers:
    - daemon waiting for client task requests
    - query DNS, whois, etc.
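The client/worker split described on slide 80, as an added Python example (not the authors' Snapshooter code). Worker daemons are stood in for by asyncio coroutines, one per worker, and the DNS and whois lookups by a constructed in-memory table; every domain name, IP and registrar assignment below is constructed sample data, and the worker names are hypothetical.

```python
"""Added example, not the authors' Snapshooter code: the client/worker split of
slide 80 with asyncio coroutines standing in for worker daemons and a
constructed in-memory table standing in for real DNS and whois lookups.
All domain names, IPs and registrar assignments below are constructed."""
import asyncio
import hashlib
import json

# Constructed: which of today's candidates resolved, and to what.
RESOLVED = {
    "example-c2-a.net": {"ttl": 300, "ips": ["203.0.113.5", "203.0.113.6"]},
    "example-c2-b.net": {"ttl": 300, "ips": ["198.51.100.7"]},
    "sinkholed-c.net": {"ttl": 10800, "ips": ["192.0.2.1"]},
}
# Constructed whois answers (registrar names are ones the deck lists).
WHOIS = {"example-c2-a.net": "TodayNic", "example-c2-b.net": "Melbourne IT",
         "sinkholed-c.net": "Dynadot"}
WORKERS = ("worker-0", "worker-1", "worker-2")          # hypothetical names
DEMO_CANDIDATES = ["example-c2-a.net", "never-registered.net",
                   "sinkholed-c.net", "example-c2-b.net"]


def assign_worker(domain, workers=WORKERS):
    """Stable domain -> worker mapping, so repeated runs send the same name
    to the same worker (and whatever cache or rate-limit state it holds)."""
    h = int(hashlib.sha1(domain.encode()).hexdigest(), 16)
    return workers[h % len(workers)]


def map_to_workers(domains):
    groups = {w: [] for w in WORKERS}
    for d in domains:
        groups[assign_worker(d)].append(d)
    return groups


async def lookup(worker, domain):
    """Stand-in for one worker task: DNS + whois for a single domain."""
    await asyncio.sleep(0)                 # yield, as a network call would
    rr = RESOLVED[domain]
    return {"worker": worker, "domain": domain, "ttl": rr["ttl"],
            "ips": rr["ips"], "registrar": WHOIS.get(domain, "unknown")}


async def worker_batch(worker, domains):
    """One coroutine per worker (the deck spawns one client process per
    worker); lookups are serial within a worker, concurrent across workers."""
    return [await lookup(worker, d) for d in domains]


async def client(candidates):
    resolving = [d for d in candidates if d in RESOLVED]   # resolving only
    groups = map_to_workers(resolving)                     # map to workers
    batches = await asyncio.gather(                         # fan out async
        *(worker_batch(w, ds) for w, ds in groups.items() if ds))
    return sorted((r for b in batches for r in b), key=lambda r: r["domain"])


def run_records(candidates):
    return asyncio.run(client(candidates))


def run_json(candidates):
    """JSON output instead of flat text, as slide 80 prefers."""
    return json.dumps(run_records(candidates), indent=2)


def parse_records(text):
    return json.loads(text)


if __name__ == "__main__":
    print(run_json(DEMO_CANDIDATES))
```

Replacing lookup() with real DNS and whois calls, and worker_batch() with a socket to a worker daemon, keeps the rest intact; the hash-based assignment is the part that matters operationally, because it keeps each domain's repeated probes on one worker, which makes per-worker rate limiting toward registrars and whois servers predictable.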
  • 81. (architecture diagram; labels: GOZ DGA, Client, p1, p2, p3, worker d (x3), NS RRs, IP RR, NS, 8.8.8.8, whois server (x3))
  • 82. Repeated lookups of the whois server name show it rotating between several addresses:
    COUNT=0; while [ "${COUNT}" -lt 20 ]; do dig +short whois.verisign-grs.com; COUNT=$((COUNT+1)); sleep 1; done | sort | uniq -c
          5 199.7.48.74
          4 199.7.50.74
         11 199.7.56.74
  • 84. Snapshooter: ToDo
    - Automatically contact registrars and hosting providers with complaints
    - Collect content hosted on domain
    - Graph database backend
    - Pray for RDAP draft: https://tools.ietf.org/html/draft-ietf-weirds-json-response-10
  • 85. Conclusion
    • Threat Intelligence is crucial to make strategic & tactical decisions for reactive & proactive security
    • Different techniques to collect network threat intel:
      – Active probing
      – Passive monitoring
    • Fastflux: Zbot fast flux proxy network
    • DGA: GameOver Zeus botnet
    • Snapshooter
  • 86. References
    - Catching malware en masse: DNS & IP style, D. Mahjoub, T. Reuille, A. Toonk, BlackHat 2014, DefCon 2014
    - Sweeping the IP space: The Hunt for Evil on the Internet, D. Mahjoub, Virus Bulletin 2014
    - A New Look at Fast Flux Proxy Networks, D. Mahjoub, H. Adrian, BotConf 2014
    - DNS Analytics, O. Kamal, BotConf 2014
    - ZeuS Tracker
    - Massresolver, F. Denis, github.com/jedisct1/massresolver
    - http://www.malware-traffic-analysis.net/

Editor's Notes

  1. Monitoring HTTP traffic to CnCs using: - Sinkhole - VirusTotal