#RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez
DESCRIPTION
Presented at RootedCON 2012, Madrid. Reviews Cloud Malware Distribution (CMD) and shows data-leak methods over DNS. Releases a new Flu trojan flavor that uses DNS as its communication channel.
TRANSCRIPT
![Page 1: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/1.jpg)
CMD: Look who’s talking too
DNS: a botnet dialect
![Page 2: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/2.jpg)
Francisco J. Gómez Rodríguez ([email protected]):
• Computer Engineering (EUI-UPM)
• Security Research (Telefonica R&D)
• dig fran.rootedcon.themafia.info TXT
Carlos Díaz Hidalgo ([email protected]):
• Telecommunications Engineer (ETSITM-UPM), GPEN, GCIH, OPST, ITILF and CCNA.
• Technology Specialist in Ethical Hacking (Telefonica R&D)
• dig charlie.rootedcon.themafia.info TXT
![Page 3: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/3.jpg)
Look who's talking too
This presentation contains:
• one year ago ………… 3 mg
• cloud malware distribution ………… 10 mg
• dns is in the air ………… 10 mg
• suspicion ………… 8 mg
• data leak ………… 10 mg
• laboratory ………… 10 mg
THIS PACKAGE FOR HOUSEHOLDS WITHOUT YOUNG CHILDREN
Tamper-Evident: Do not accept if sealed blister unit has been broken or opened
Nasal Spray
4.4 FL OZ (130mL)
![Page 4: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/4.jpg)
INTRODUCTION
![Page 5: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/5.jpg)
One year ago …
• We talked about DNS and malware.
• We released Cloud Malware Distribution (CMD):
  – An alternative method for malware distribution using cache DNS services.
  – Using the client's default DNS settings.
  – Malware source virtually untraceable.
![Page 6: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/6.jpg)
A DNS shot
![Page 7: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/7.jpg)
CMD: Cloud Malware Distribution in a nutshell
![Page 8: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/8.jpg)
Cloud Malware Distribution
1. Encoding: Split malware payload into DNS records.
2. Publishing: Publish domain and each record in a public name server.
3. Loading: Force an Open Emitter DNS cache server to store all records.
4. Downloading: Download records from an infected host (bot).
5. Decoding: Rebuild malware payload from records.
[Figure: steps 1,2, 3, 4 and 5 laid out around the Open Emitter DNS; the record names shown are 8rjqerkjqet.cmdns.domain.com, ueirytbdosu.cmdns.domain.com, ktqtr53xase.cmdns.domain.com and kzmfzzmfzze.cmdns.domain.com]
![Page 9: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/9.jpg)
Cloud Malware Distribution (I)
[Figure: Encoding & Publish. The base32 string 8rjqerkjqetueirytbdosuktqtr53xasekzmfzzmfzze is split into the labels 8rjqerkjqet, ueirytbdosu, ktqtr53xase and kzmfzzmfzze and published as 8rjqerkjqet.cmdns.domain.com, ueirytbdosu.cmdns.domain.com, ktqtr53xase.cmdns.domain.com and kzmfzzmfzze.cmdns.domain.com at the DNS AUTH (Freedns.afraid.org)]
• From the malware file we create a base32-coded string.
• Then we split the string into DNS-compliant records.
![Page 10: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/10.jpg)
Cloud Malware Distribution (II)
[Figure: Loading. The Open Emitter DNS receives the queries "cmdns.domain.com NS?" and "Split[1..n].cmdns.domain.com A?" and fetches 8rjqerkjqet.cmdns.domain.com, ueirytbdosu.cmdns.domain.com, ktqtr53xase.cmdns.domain.com and kzmfzzmfzze.cmdns.domain.com from the DNS AUTH (Freedns.afraid.org)]
• We upload each DNS record from a malicious DNS to the Open Emitter.
• This is done by requesting each record from the Open Emitter DNS.
• The server then caches each record.
![Page 11: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/11.jpg)
Cloud Malware Distribution (III)
[Figure: Downloading. Open Emitter DNS, DNS AUTH (Freedns.afraid.org) and the records 8rjqerkjqet.cmdns.domain.com, ueirytbdosu.cmdns.domain.com, ktqtr53xase.cmdns.domain.com and kzmfzzmfzze.cmdns.domain.com]
• Since the Open Emitter server has cached all the records, we turn it into the authoritative server for the domain.
• From now on, the Open Emitter will resolve all queries for the domain.
• Thus all Internet DNS servers can resolve the malware records and bots can get them.
![Page 12: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/12.jpg)
Cloud Malware Distribution (IV)
[Figure: Decoding. The records 8rjqerkjqet.cmdns.domain.com, ueirytbdosu.cmdns.domain.com, ktqtr53xase.cmdns.domain.com and kzmfzzmfzze.cmdns.domain.com are joined back into 8rjqerkjqetueirytbdosuktqtr53xasekzmfzzmfzze]
• With all the retrieved records, bots can rebuild the original file.
• The bot now has the updated malware file.
![Page 13: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/13.jpg)
Own survey: yesterday and today
(values as printed on the slide, in Spanish notation: "." groups thousands, "," is the decimal separator)

| | February 2011, Spain | February 2011, USA | March 2012, Spain | March 2012, USA |
|---|---|---|---|---|
| Queried hosts | 10.406 | 10.406 | 8217 | 8217 |
| Replying hosts | 87,22% | 87,39% | 87,58% | 87,69% |
| Open resolvers | 76,46% | 77,28% | 95,45% | 82,08% |
| Open emitters | 57,76% | 57,33% | 53,78% | 53,51% |
| Accept +norecurse queries | 55,91% | 55,49% | 87,67% | 74,44% |
| TTL ≥ 604800 | 43,05% | 42,94% | 51,24% | 49,32% |
![Page 14: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/14.jpg)
A quick test…
In the same way that SSL turns HTTP web traffic into HTTPS encrypted web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks.
DNSCrypt
![Page 15: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/15.jpg)
… a quick demo.
Summary: with DNSCrypt in use, the CMD method still works.
![Page 16: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/16.jpg)
DNS IS IN THE AIR
DNS: yesterday, today, and tomorrow
![Page 17: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/17.jpg)
Are you talking to me?
• Let's see something about…
  – DNS as a covert channel.
  – DNS uses in malware communications.
![Page 18: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/18.jpg)
DNS as Covert Channel
• OzymanDNS (Kaminsky)
• Dnscapy
• (NSTX) Iodine: uses several RR types (NULL, TXT, CNAME)
• Dns2tcp & TCP-over-DNS: relay TCP connections.
• LoopcVPN: one of the China Telecom hotspot nightmares.
![Page 19: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/19.jpg)
Are you talking to me?
• Let's see something about…
  – DNS as a covert channel.
  – DNS uses in malware communications.
![Page 20: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/20.jpg)
Stateless malware (I)
• TSPY_ZBOT.SMQH
  – Another modified ZeuS variant seen in the wild.
  – Reported in September 2011 by Trend Micro.
  – Data exchange is also now happening in UDP.
  – http://blog.trendmicro.com/another-modified-zeus-variant-seen-in-the-wild/
![Page 21: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/21.jpg)
Stateless malware (II)
• Older versions used TCP to exchange configuration files. However, the new version exchanges all data in UDP.
  – http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet
![Page 22: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/22.jpg)
Stateless malware (II)
• Older versions used TCP to exchange configuration files. However, the new version exchanges all data in UDP.
  – http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet
[Figure label: TCP]
![Page 23: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/23.jpg)
Where there's smoke, there's fire.
![Page 24: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/24.jpg)
Feederbot
• Uses the DNS protocol.
  – Feederbot receives encrypted commands from its C&C.
  – Data is encapsulated in TXT records, Base64 encoded.
  – http://www.cj2s.de/On-Botnets-that-use-DNS-for-Command-and-Control.pdf
![Page 25: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/25.jpg)
Hiloti
• Through DNS queries, Hiloti monitors infected host status.
  – http://blog.fortinet.com/hiloti-the-botmaster-of-disguise
142625.bc7a3d45.01.0AC1FD9D62074E6D9D2889088284DAB5.n.empty.1148.empty.5_1._t_i.ffffffff.explorer_exe.173.rc2.a4h9uploading.com
• Although it uses DNS as the control protocol, bots download update files from "file hosting" servers over HTTP.
![Page 26: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/26.jpg)
Morto
• From IRC to DNS.
  – Morto, like Feederbot, uses TXT records to communicate.
  – http://www.symantec.com/connect/blogs/morto-worm-sets-dns-record
![Page 27: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/27.jpg)
GATHERING & EVALUATING INFORMATION
![Page 28: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/28.jpg)
Gathering & Evaluating Information (I)
• http://www.wombat-project.eu/
• http://exposure.iseclab.org/index.html
![Page 29: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/29.jpg)
Gathering & Evaluating Information (II)
• https://dnsdb.isc.org/#Home
• http://www.webboar.com
![Page 30: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/30.jpg)
Gathering & Evaluating Information (III)
• Don't forget the classics:
  – http://www.robtex.com/
![Page 31: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/31.jpg)
Learned in #Rooted2012
• http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/
![Page 32: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/32.jpg)
Sometimes … I see dead people
• September 2011 (Top 10 Malicious Domains)
![Page 33: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/33.jpg)
Scratch & Win
![Page 34: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/34.jpg)
And Then There Were None
• http://www.webboar.com/ip/67.15.149.70/
  – 25 Domain(s) on IP Address 67.15.149.70
• azxdf.com • mjuyh.com • hjuyv.com • plokm.com • nbgtr.com • vcxde.com • asljd.com • brutillor5.com
• civiticle0.com • ckubf.com • djhbw.com • himovingto8.com • hiuxd.com • liunj.com • loijm.com • mjrth.com
• morewallfalls7.com • okjyu.com • orn2hcb.com • qlovg.com • quilution2.com • uncdt.com • xvfar.com • zscdw.com • zukamosion3.com
![Page 35: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/35.jpg)
Sometimes … I see dead people
![Page 36: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/36.jpg)
CMD could be alive!
![Page 37: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/37.jpg)
DATA LEAK OVER DNS
![Page 38: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/38.jpg)
DATA LEAK OVER DNS
![Page 39: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/39.jpg)
Traditional data leak using DNS
[Figure: (1) the Bot queries DataLeakRecord1.[OUTPUT_DOMAIN], DataLeakRecord2.[OUTPUT_DOMAIN], … through a Cache DNS (public or private); (2) the queries reach the DNS Auth. for OUTPUT_DOMAIN, which receives DataLeakRecord1, DataLeakRecord2, …]
![Page 40: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/40.jpg)
Using a DNS reflector
[Figure: numbered steps 1 to 5. Actors: Bot; Cache DNS (public or private); DNS Auth. (OUTPUT_DOMAIN); DNS Auth. (Open emitter + cache) for PUBLICATION_DOMAIN; Cache DNS. Labels: Data1, Data2, …; Data1.[PUBLICATION_DOMAIN]; DataLeakRecord1.[OUTPUT_DOMAIN]; "Force Data Leak Upload CMD"; Data1 -> DataLeakRecord1]
![Page 41: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/41.jpg)
DNS reflector (demo)
![Page 42: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/42.jpg)
Using Fast-Flux DNS reflectors
[Figure: same layout as the DNS reflector slide, numbered steps 1 to 5. Actors: Bot; Cache DNS (public or private); DNS Auth. (OUTPUT_DOMAIN); DNS Auth. (Open emitter + cache) for PUBLICATION_DOMAIN; Cache DNS. Labels: Data1, Data2, …; Data1.[PUBLICATION_DOMAIN]; DataLeakRecord1.[OUTPUT_DOMAIN]; "Force Data Leak Upload CMD"; Data1 -> DataLeakRecord1]
![Page 43: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/43.jpg)
Data Leak using NXDOMAIN responses
• NXDOMAIN responses are cached:
  – Negative caching is useful.
  – TTL value: the SOA 'minimum' parameter is used as the negative (NXDOMAIN) caching time (defined in RFC 2308).
• Other queries may reuse some parts of the lookup (quick response).
![Page 44: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/44.jpg)
Caching NXDOMAIN responses (I)
![Page 45: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/45.jpg)
Caching NXDOMAIN responses (II)
![Page 46: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/46.jpg)
Caching NXDOMAIN responses (III)
![Page 47: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/47.jpg)
Data leak with "dig"
[Figure: dig output with RCODE, TTL and QUERY TIME highlighted]
![Page 48: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/48.jpg)
Leak recovery with “dig” (I)
TTL < 86400
QUERY TIME < 300 msec
![Page 49: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/49.jpg)
Leak recovery with “dig” (II)
TTL = 86400
QUERY TIME approx. 300 msec
It is not a good method for recovery!
![Page 50: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/50.jpg)
Leak recovery with “dig” (III)
TTL < 86400
QUERY TIME < 300 msec
![Page 51: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/51.jpg)
Leak recovery with “dig” (IV)
RCODE ≠ NXDOMAIN
QUERY TIME < 300 msec
It is the preferred method for recovery!
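The four "Leak recovery with dig" slides read a resolver's +norecurse response (RCODE, TTL and query time) to tell names that are in its cache from names that are not. The same reading is the check an operator runs against a resolver they administer to confirm it no longer serves cache contents to outsiders. The code below is an added example, not code from the talk or from the Flu project; the dig outputs are constructed samples (192.0.2.0/24 documentation addresses) and the optional zone TTL used to estimate a cached record's age is an assumption supplied by the caller:

```python
import re
import subprocess

# Constructed `dig +norecurse` outputs (not captured from the talk's demo), trimmed to the
# lines the classifier reads. 192.0.2.0/24 is documentation address space.
SAMPLE_CACHED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.example.org.\t\t\tIN\tA
;; ANSWER SECTION:
www.example.org.\t1731\tIN\tA\t192.0.2.80
;; Query time: 1 msec
"""
SAMPLE_NOT_CACHED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;www.example.org.\t\t\tIN\tA
;; AUTHORITY SECTION:
.\t518400\tIN\tNS\ta.root-servers.net.
;; Query time: 0 msec
"""
SAMPLE_REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4713
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; Query time: 0 msec
"""
SAMPLE_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4714
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
example.org.\t3600\tIN\tSOA\tns1.example.org. hostmaster.example.org. 1 7200 3600 1209600 3600
;; Query time: 0 msec
"""

HEADER_RE = re.compile(r"status: (?P<status>[A-Z]+)")
FLAGS_RE = re.compile(r";; flags: (?P<flags>[a-z ]*);")
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>\S+)\s+(?P<rdata>.+)$")
QTIME_RE = re.compile(r";; Query time: (?P<ms>\d+) msec")


def parse_dig(text):
    """Pull status, header flags, answer RRs and query time out of dig's text output."""
    result = {"status": None, "flags": set(), "answers": [], "query_ms": None}
    section = None
    for line in text.splitlines():
        if ";; ->>HEADER<<-" in line:
            m = HEADER_RE.search(line)
            result["status"] = m.group("status") if m else None
            section = None
        elif line.startswith(";; flags:"):
            m = FLAGS_RE.search(line)
            result["flags"] = set(m.group("flags").split()) if m else set()
        elif line.startswith(";; ANSWER SECTION:"):
            section = "answer"
        elif line.startswith(";; Query time:"):
            m = QTIME_RE.search(line)
            result["query_ms"] = int(m.group("ms")) if m else None
            section = None
        elif line.startswith(";") or not line.strip():
            section = None  # any other comment/section header or a blank line ends the answer section
        elif section == "answer":
            m = RR_RE.match(line)
            if m:
                result["answers"].append(
                    (m.group("name"), int(m.group("ttl")), m.group("type"), m.group("rdata")))
    return result


def classify(text, zone_ttl=None):
    """Classify a +norecurse response from a resolver you operate.

    With RD clear the resolver never recurses, so an answer or an NXDOMAIN can only have
    come from its cache (unless the server is authoritative, signalled by the 'aa' flag)."""
    r = parse_dig(text)
    status = r["status"]
    if status == "REFUSED":
        verdict = "refused"           # cache is not exposed to this vantage point
    elif "aa" in r["flags"]:
        verdict = "authoritative"     # local zone data, not a cache hit
    elif status == "NXDOMAIN":
        verdict = "negative-cached"   # served from the negative cache (RFC 2308)
    elif status == "NOERROR" and r["answers"]:
        verdict = "cached"
    elif status == "NOERROR":
        verdict = "not-cached"        # referral only: the name was not in cache
    else:
        verdict = "unknown"
    age = None
    if verdict == "cached" and zone_ttl is not None:
        # Assumption: zone_ttl is the record's full TTL at the authoritative server.
        age = zone_ttl - min(ttl for _, ttl, _, _ in r["answers"])
    return {"verdict": verdict, "status": status, "query_ms": r["query_ms"], "approx_age_s": age}


def check_resolver(resolver, name, zone_ttl=None):
    """Run dig against a resolver you administer (needs network access; not exercised here)."""
    out = subprocess.run(["dig", "+norecurse", "@" + resolver, name, "A"],
                         capture_output=True, text=True, check=False).stdout
    return classify(out, zone_ttl)


if __name__ == "__main__":
    for label, sample in [("cached", SAMPLE_CACHED), ("not cached", SAMPLE_NOT_CACHED),
                          ("refused", SAMPLE_REFUSED), ("nxdomain", SAMPLE_NXDOMAIN)]:
        print(label, "->", classify(sample, zone_ttl=3600))
```

The outcome to aim for on a properly restricted resolver is `refused` from any address that is not a legitimate client. Query time, which the slides also use, is reported but kept out of the verdict because it depends on the network path rather than on cache state.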
![Page 52: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/52.jpg)
Data Leak using NXDOMAIN responses
[Figure: (1) the Bot queries the progressively longer suffixes of DataLeakRecord1.[OUTPUT_DOMAIN], i.e. 1.[OUTPUT_DOMAIN], d1.[OUTPUT_DOMAIN], rd1.[OUTPUT_DOMAIN], … ataleakrecord1.[OUTPUT_DOMAIN], dataleakrecord1.[OUTPUT_DOMAIN], against a DNS (Open emitter + cache); (2) the queries are forwarded to the DNS Auth. (OUTPUT_DOMAIN)]
![Page 53: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/53.jpg)
Data Leak using NXDOMAIN responses
[Figure: (1) the Bot queries the progressively longer suffixes of DataLeakRecord1.[OUTPUT_DOMAIN], i.e. 1.[OUTPUT_DOMAIN], d1.[OUTPUT_DOMAIN], rd1.[OUTPUT_DOMAIN], … ataleakrecord1.[OUTPUT_DOMAIN], dataleakrecord1.[OUTPUT_DOMAIN], against a DNS (Open emitter + cache); (2) the queries are forwarded to the DNS Auth. (OUTPUT_DOMAIN); (3) recovery of dataleakrecord1: queries for a.[OUTPUT_DOMAIN], b.[OUTPUT_DOMAIN], … z.[OUTPUT_DOMAIN], 1.[OUTPUT_DOMAIN], a1.[OUTPUT_DOMAIN], … are sent to the cache]
QUERY: +norecurse
RESPONSE: RCODE? TTL value? Query time?
![Page 54: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/54.jpg)
NXDOMAIN (demo)
![Page 55: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/55.jpg)
Data Leak using "nice" domains
• There are authoritative DNS servers that:
  – Simply point all unknown DNS queries to a single IP address.
  – Have a minimum TTL value on the order of 1-7 days.
• Where can I find them?
  – Alexa "Top Sites": http://www.alexa.com/topsites
inbox.com imgur.com motherless.com wikia.com wikispaces.com pbworks.com …
![Page 56: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/56.jpg)
Caching ‘nice’ responses (II)
![Page 57: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/57.jpg)
Caching ‘nice’ responses (II)
![Page 58: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/58.jpg)
Data Leak using 'nice' domains
[Figure: (1) the Bot queries the progressively longer suffixes of DataLeakRecord1.[OUTPUT_DOMAIN], i.e. 1.[OUTPUT_DOMAIN], d1.[OUTPUT_DOMAIN], rd1.[OUTPUT_DOMAIN], … ataleakrecord1.[OUTPUT_DOMAIN], dataleakrecord1.[OUTPUT_DOMAIN], against a DNS (Open emitter + cache); (2) the queries are forwarded to the 'nice' DNS Auth. (OUTPUT_DOMAIN)]
![Page 59: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/59.jpg)
Data Leak using 'nice' domains
[Figure: (1) the Bot queries the progressively longer suffixes of DataLeakRecord1.[OUTPUT_DOMAIN], i.e. 1.[OUTPUT_DOMAIN], d1.[OUTPUT_DOMAIN], rd1.[OUTPUT_DOMAIN], … ataleakrecord1.[OUTPUT_DOMAIN], dataleakrecord1.[OUTPUT_DOMAIN], against a DNS (Open emitter + cache); (2) the queries are forwarded to the 'nice' DNS Auth. (OUTPUT_DOMAIN); (3) recovery of dataleakrecord1: queries for a.[OUTPUT_DOMAIN], b.[OUTPUT_DOMAIN], … z.[OUTPUT_DOMAIN], 1.[OUTPUT_DOMAIN], a1.[OUTPUT_DOMAIN], … are sent to the cache]
QUERY: +norecurse
ANSWER SECTION? TTL value?
![Page 60: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/60.jpg)
Conclusions: data leak

| Method | Use client default DNS settings | Upload queries needed | Expose cybercrime infrastructure | Download queries needed | Score (0-10) |
|---|---|---|---|---|---|
| Traditional DNS tunneling | YES | 2 queries/kB | YES | - | 5 |
| Using Fast-Flux DNS reflectors | YES | 2 queries/kB | YES | 2 queries/kB | 4 |
| Using NXDOMAIN responses | NO | 2 queries/B | NO | 20 queries/B | 2 |
| Using "nice" domains | NO | 2 queries/B | NO | 20 queries/B | 6 |
![Page 61: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/61.jpg)
ToDo: Improvement++
• Data leak using 'nice' domains. But remember that:
  – It must use the client's default DNS settings.
• Maybe we can use third-party resources… (once again)
  – … use misconfigured DNS (proxy DNS, cache DNS, authoritative server, …).
  – e.g. ones that ignore the "+norecurse" flag, have "minimal-responses" configured, etc.
• Result: untraceable data leaks
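The survey earlier in the deck counts resolvers that recurse for anyone (open resolvers) and that hand cached records to +norecurse queries (open emitters), and the ToDo slide lists the misconfigured servers the leak methods rely on. As an added example that is not part of the talk, here is a BIND 9 options block with those weaknesses beside a hardened one; the 192.0.2.0/24 internal client range is an assumption:

```conf
// WEAK: what the talk calls an "open emitter". Anyone may recurse through this
// resolver, and anyone may read its cache with +norecurse queries.
options {
    recursion yes;
    allow-query       { any; };
    allow-recursion   { any; };
    allow-query-cache { any; };
};

// HARDENED: recursion and cache reads limited to the networks this resolver serves.
// Assumption for this example: 192.0.2.0/24 is the internal client range.
acl "internal" { 127.0.0.1; 192.0.2.0/24; };

options {
    recursion yes;
    allow-query       { internal; };
    allow-recursion   { internal; };
    allow-query-cache { internal; };   // outsiders get REFUSED instead of cache contents
    minimal-responses yes;             // no authority/additional padding in answers
    max-cache-ttl  86400;              // cap how long any positive answer stays cached
    max-ncache-ttl 3600;               // cap negative (NXDOMAIN) caching regardless of SOA minimum
};

// An authoritative-only server should not recurse or serve a cache at all:
// options { recursion no; allow-query-cache { none; }; };
```

After the change, a `dig +norecurse` for a cached name from an outside address should return status REFUSED; the shorter negative-cache cap also limits how long an NXDOMAIN planted by a client survives in the cache.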
![Page 62: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/62.jpg)
Harder than finding a needle in a haystack!
![Page 63: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/63.jpg)
LABORATORY
Are we infected?
![Page 64: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/64.jpg)
Making the lab.
• We need a "real" threat…
• But we are "ethical"…
• And we are not developers…
Searching…
![Page 65: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/65.jpg)
And the winner is…
• Written in C# and PHP
• GNU/GPL
• Geared to build botnets
• HTTP communication
![Page 66: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/66.jpg)
How Flu works
• The Flu server shares an XML commands file.
• Infected hosts get the XML file through an HTTP request.
[Figure: Flu infected host <-- HTTP --> Flu SERVER]
![Page 67: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/67.jpg)
Flu and CMD
• We use CMD to distribute the XML commands file.
• Our dream: Flu becomes a stateless trojan.
• Then we'll have a stateless-trojan GPL botnet.
[Figure: Flu infected host, Flu DNS and Open Emitter DNS linked by DNS. HTTP/TCP vs DNS/UDP: 1 GET, 11 pkts, 1 conn. vs 1 query, 2 pkts, 0 conn.]
![Page 68: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/68.jpg)
Flu and CMD: Server
• PHP 5.3.0 or higher required.
• Three steps:
  1. Create the domain.db file (external lib: Tar.php).
  2. Load the XML file into the DNS server (native lib).
  3. Download data from the infected host (native lib).
![Page 69: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/69.jpg)
Flu and CMD: 3rd Party
• ISC BIND
• FreeDNS.afraid.org
• HE free DNS service
• Misconfigured DNS server.
[Figure label: Open Emitter]
![Page 70: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/70.jpg)
Flu and CMD: 3rd Party
• ISC BIND
• FreeDNS.afraid.org
• HE free DNS service
• Misconfigured DNS server.
[Figure label: Open Emitter]
![Page 71: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/71.jpg)
Flu and CMD: Client
• We use the ARSoft.Tools.Net library.
• Without GUI changes:
  – We use domainload for the data leak.
  – We use domaindownload to get the XML file.
![Page 72: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/72.jpg)
Flu and CMD: How it works (I)
[Figure: Open Emitter DNS, Flu infected host and Flu DNS linked by DNS; functions XML2DNS, LOADXML and DOWNLOADXML]
![Page 73: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/73.jpg)
Flu and CMD: How it works (II)
[Figure: Open Emitter DNS, Flu infected host and Flu C&C linked by DNS; the DNS Server exchanges "Nxdomain query" / "Noerror"]
• How does Flu call back?
  – NXDOMAIN can: track new bots.
  – NXDOMAIN can't: send huge files.
![Page 74: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/74.jpg)
Flu and CMD: How it works (II)
[Figure (1): Open Emitter DNS, Flu infected host and Flu C&C linked by DNS; the DNS Server exchanges "Nxdomain query" / "Noerror"]
1. How does Flu call back?
  – NXDOMAIN can: track new bots.
  – NXDOMAIN can't: send huge files.
2. Then… we need to expose the DNS server.
[Figure (2): Cache DNS, Flu infected host and Flu DNS linked by DNS; the DNS Server exchanges "Nxdomain query" / "Noerror"]
![Page 75: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/75.jpg)
Flu and CMD: Demo
![Page 76: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/76.jpg)
Conclusions
• DNS is a botnet dialect…
  – One year ago DNS was a possibility; today it could be a real threat.
• Data leak using DNS needs improvement…
  – … but it is a work in progress.
• Malware needs to communicate undetected, and IDS wants to detect malware.
  – Both must be looking at the same thing… DNS.
• Don't forget the DNS protocol
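The last conclusion is the defender's side of the whole deck: the CMD records (base32 labels like 8rjqerkjqet.cmdns.domain.com), the suffix-by-suffix NXDOMAIN leak and the +norecurse recovery queries all leave traces in the resolver's query log. The following is an added example, not code from the talk or from the Flu project: a small profiler over BIND-style query-log lines that flags, per client and base domain, (a) many distinct long first labels under one domain and (b) clients that send queries with RD clear, which a normal stub resolver never does. The log lines are constructed samples in 192.0.2.0/24 documentation space, and "base domain = last two labels" is a simplifying assumption (a real deployment would use the Public Suffix List):

```python
import math
import re
from collections import Counter, defaultdict

# Constructed BIND-style query-log lines (not from the talk). 192.0.2.0/24 is documentation
# address space and the example.* names are reserved example domains. The flags field after
# the query type starts with "+" when the client set RD and "-" when it sent +norecurse.
SAMPLE_LOG = """\
client 192.0.2.10#41234: query: www.example.org IN A + (192.0.2.1)
client 192.0.2.10#41235: query: mail.example.org IN MX + (192.0.2.1)
client 192.0.2.20#53001: query: 8rjqerkjqet.cmdns.example.net IN A + (192.0.2.1)
client 192.0.2.20#53002: query: ueirytbdosu.cmdns.example.net IN A + (192.0.2.1)
client 192.0.2.20#53003: query: ktqtr53xase.cmdns.example.net IN A + (192.0.2.1)
client 192.0.2.20#53004: query: kzmfzzmfzze.cmdns.example.net IN A + (192.0.2.1)
client 192.0.2.30#60001: query: d.leak.example.com IN A - (192.0.2.1)
client 192.0.2.30#60002: query: da.leak.example.com IN A - (192.0.2.1)
client 192.0.2.30#60003: query: dat.leak.example.com IN A - (192.0.2.1)
client 192.0.2.30#60004: query: data.leak.example.com IN A - (192.0.2.1)
"""

# Accepts the classic "client IP#port: query:" form and the newer one with "@0x..." and "(qname)".
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_line(line):
    """Return (client, qname, qtype, recursion_desired) or None for non-query lines."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    rd = m.group("flags").startswith("+")
    return m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype"), rd


def shannon_entropy(label):
    """Bits per character; encoded payload labels score higher than dictionary words."""
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in Counter(label).values()) if n else 0.0


def base_domain(qname):
    # Assumption for this example: the registrable domain is the last two labels.
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def profile(log_text, min_unique=4, min_label_len=8):
    """Aggregate queries per (client, base domain) and flag the two patterns from the talk."""
    groups = defaultdict(lambda: {"queries": 0, "subs": set(), "lens": [], "ents": [], "norecurse": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname, _qtype, rd = parsed
        base = base_domain(qname)
        g = groups[(client, base)]
        g["queries"] += 1
        sub = qname[: -len(base) - 1] if qname != base else ""
        if sub:
            g["subs"].add(sub)
            first = sub.split(".")[0]          # leftmost label carries the encoded chunk
            g["lens"].append(len(first))
            g["ents"].append(shannon_entropy(first))
        if not rd:
            g["norecurse"] += 1

    report = {}
    for key, g in groups.items():
        uniq = len(g["subs"])
        mean_len = sum(g["lens"]) / len(g["lens"]) if g["lens"] else 0.0
        mean_ent = sum(g["ents"]) / len(g["ents"]) if g["ents"] else 0.0
        report[key] = {
            "queries": g["queries"],
            "unique_subdomains": uniq,
            "mean_label_len": mean_len,
            "mean_entropy": mean_ent,
            "norecurse_queries": g["norecurse"],
            # Many distinct, long first labels under one domain from one client.
            "tunnel_like": uniq >= min_unique and mean_len >= min_label_len,
            # Stub resolvers always set RD; RD=0 from a client means it is reading the cache directly.
            "client_sent_norecurse": g["norecurse"] > 0,
        }
    return report


if __name__ == "__main__":
    for (client, base), stats in sorted(profile(SAMPLE_LOG).items()):
        if stats["tunnel_like"] or stats["client_sent_norecurse"]:
            print(f"{client} -> {base}: {stats}")
```

Query logs record questions, not answers, so the NXDOMAIN rate that would separate the negative-cache leak from ordinary typos needs response logging or passive DNS alongside this; the entropy figure is reported for tuning rather than used in the verdict, since short chunks of real data can score low.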
![Page 77: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/77.jpg)
Questions?
Who invented the rootedcon?
Rootedcon is your parents
Three Magic Kings Santa
Perez the mouse
![Page 78: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/78.jpg)
References
§ http://code.kryo.se/iodine/
§ http://dns.measurement-factory.com/
§ http://darkwing.uoregon.edu/~joe/secprof10-dns/secprof10-dns.pdf
§ http://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Kaminsky.pdf
§ http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-kaminsky/bh-us-04-kaminsky.ppt
§ http://www.pcworld.com/article/220024/feds_accidentally_seize_84000_innocent_domains_link_them_with_child_porn.html
§ http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf
§ http://www.secdev.org/projects/scapy/
§ https://www.isc.org/software/bind/documentation/arm95#man.dig
§ http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl
§ http://hakin9.org/magazine/1652-mobile-malware-the-new-cyber-threat
§ http://www.ietf.org/rfc/rfc{1033,1034,1035,1183,2181}.txt
§ http://tools.ietf.org/id/draft-cmd-prevent-malware-dns-distribute-00.txt
§ http://www.wombat-project.eu/
§ http://exposure.iseclab.org/index.html
§ https://dnsdb.isc.org/#Home
§ http://www.webboar.com
§ https://dns.he.net/
§ http://www.flu-project.com/
§ http://arsofttoolsnet.codeplex.com/
![Page 79: #RootedCON2012 - DNS: A botnet dialect - Carlos Diaz & Francisco J. Gomez](https://reader031.vdocuments.us/reader031/viewer/2022013118/54859334b4af9f820d8b4e4f/html5/thumbnails/79.jpg)
Thanks for your time! @{Hlexpired,ffranz} {charlie,fran}@7d.es