1. DNS Security for CERTs
- Attack Scenarios & Demonstrations –
Malicious Use
Chris Evans
Delta Risk, LLC
7 March 2010
2. What You Will Need for the Exercises
• Your Windows Terminal Server
– From Windows, run ‘mstsc’
– From a Mac, please download the Terminal Server Client from the wiki
– Run the DNS-Bot.vbs file when instructed
– Open a command prompt, and run: cscript.exe c:/users/studentX/Desktop/DNS-Bot.vbs
– Don’t forget – X is your student number
3. Description – Malicious Use
• Using the DNS to propagate malware or conduct attacks in a malicious manner, yet consistent with the DNS protocols
– BotNet Command & Control (indirect)
– Amplification Attacks (direct)
• These attacks do not necessarily target DNS servers – rather, they use your servers to conduct an attack elsewhere
[Diagram: NS → Victim]
4. Case Study – Conficker
• Conficker – the Conficker worm appeared in late 2008, with most of the attention starting in Jan/Feb of 2009.
– The worm used pseudo-randomly generated domains from several top level domains (ccTLDs included) as its command and control points.
– The worm would contact servers on these random domains for instructions.
5. Case Study – Conficker
• The Conficker Working Group (Conficker Cabal) was started to address response actions to the worm
– Comprised of businesses, DNS operations, Internet organizations, and security researchers
– Requested top level organizations with suspected domain names involved in Conficker to register them in hopes of preempting Conficker activity
• Conficker mutated to thwart activity of the Working Group and started using P2P methods vs. DNS
How Should a ccTLD React to a Request to Register (at no cost) Hundreds of Domain Names to Prevent Malicious Activity?
6. Attack Demonstration
• The “DNS Bot” receives its instructions and sends information back to the hacker via DNS
[Diagram: DNS-Bot → Caching Server → NS → Rogue Server; Run Command & Post Results]
Double-click DNS-Bot.vbs. Remember, the bot won’t do anything malicious!
9. Demonstration – User View
• Please run your bot now
– Open a command prompt and run the command: cscript.exe c:/users/studentX/Desktop/DNS-Bot.vbs
[Screenshot: Wireshark view]
10. Demonstration – User View
• If you’d like to start Wireshark…
– Double-click the icon on the desktop
– Select Options from Capture Menu
– In “capture filter” type port 53
– Click “Start”
12. Demonstration – User View
• The bot will periodically request instructions over DNS from a rogue DNS server (192.168.85.5)
– Can you find the rogue DNS server with Wireshark or DNS tools?
• The bot will execute the instructions:
– Wait, Download a File, Run a Command & Post Results, Quit
– Can you “reverse engineer” the instructions?
– Can you see what is being posted?
13. Impact
• DNS resources used for malicious purposes
• Possible brand or reputation loss due to apparent attacks originating from servers
• Widespread bot proliferation
14. Mitigation & Response Strategies
• Domain “Blackholes” – but only if domains don’t change rapidly – you have to keep up!
• Strengthen registrant information validation
• Develop policies for determining what’s malicious
• Add detection mechanisms for malicious use
– Host based (Antivirus, patching, etc)
– Network based (traffic & domain analysis)
• Develop policies for domain takedown
• Develop cooperative agreements with other registries, CERTs, law enforcement, and security organizations to address malicious use scenarios
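As an added example (not part of the original slides), the Python below implements the network-based traffic and domain analysis of slide 14 over the bot behaviour described on slide 12: it flags clients that query a DNS server other than the approved caching server (192.168.85.5 is the rogue server named on the slides), detects clients polling a server at a fixed interval as a bot waiting for instructions does, and spots long high-entropy query labels of the kind that carry posted results. The log line format, the approved resolver address, the sample log and the thresholds are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample log (not from the slides): "<epoch> <client ip> -> <dns server ip> <qname>"
SAMPLE_LOG = """\
1268000000 192.168.85.20 -> 192.168.85.2 www.example.com
1268000060 192.168.85.20 -> 192.168.85.5 cmd.c2-example.test
1268000120 192.168.85.20 -> 192.168.85.5 cmd.c2-example.test
1268000180 192.168.85.20 -> 192.168.85.5 4a7f39c2e1b8d5a6f0e3b9c4.post.c2-example.test
1268000240 192.168.85.20 -> 192.168.85.5 cmd.c2-example.test
1268000010 192.168.85.21 -> 192.168.85.2 mail.example.com
1268000500 192.168.85.21 -> 192.168.85.2 www.example.org
"""
APPROVED_RESOLVERS = {"192.168.85.2"}  # assumed: the site's sanctioned caching server
LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+) (\S+)$")

def parse_log(text):
    """Return (timestamp, client, server, qname) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((int(m[1]), m[2], m[3], m[4].rstrip(".").lower()))
    return records

def rogue_resolvers(records, approved=APPROVED_RESOLVERS):
    """Clients sending queries to a DNS server other than the approved caching servers."""
    hits = defaultdict(set)
    for _, client, server, _ in records:
        if server not in approved:
            hits[client].add(server)
    return dict(hits)

def beaconing(records, min_queries=3, jitter=5):
    """(client, server) pairs queried at a near-constant interval, like a bot polling for orders."""
    times = defaultdict(list)
    for ts, client, server, _ in records:
        times[(client, server)].append(ts)
    found = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_queries and max(gaps) - min(gaps) <= jitter:
            found[key] = sum(gaps) // len(gaps)  # average polling interval in seconds
    return found

def encoded_labels(records, min_len=16, min_entropy=3.0):
    """Queries whose leftmost label is long and high-entropy, as results posted inside a query name."""
    def entropy(s):
        return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))
    return [q for _, _, _, q in records
            if len(q.split(".")[0]) >= min_len and entropy(q.split(".")[0]) >= min_entropy]
```

Against the sample log, the same client is flagged by all three checks; on a real resolver log, tune the jitter and entropy thresholds to the traffic you see.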