Carlos Díaz y Fco. Jesús Gómez - CMD: Look who's talking too [RootedCON 2012]

8. Cloud Malware Distribution
1. Encoding: Split the malware payload into DNS records.
2. Publishing: Publish the domain and each record on a public name server.
3. Loading: Force an Open Emitter DNS cache server to store all records.
4. Downloading: Download the records from an infected host (bot).
5. Decoding: Rebuild the malware payload from the records.
[Figure: the four example records 8rjqerkjqet.cmdns.domain.com, ueirytbdosu.cmdns.domain.com, ktqtr53xase.cmdns.domain.com and kzmfzzmfzze.cmdns.domain.com pass through steps 1–5 via the Open Emitter DNS.]
9. Cloud Malware Distribution (I): Encoding & Publish
• From the malware file we create a base32-encoded string.
• Then we split the string into DNS-compliant records.
[Figure: the base32 string 8rjqerkjqetueirytbdosuktqtr53xasekzmfzzmfzze is split into the records 8rjqerkjqet, ueirytbdosu, ktqtr53xase and kzmfzzmfzze, published as 8rjqerkjqet.cmdns.domain.com, ueirytbdosu.cmdns.domain.com, ktqtr53xase.cmdns.domain.com and kzmfzzmfzze.cmdns.domain.com on the DNS AUTH server (Freedns.afraid.org).]
10. Cloud Malware Distribution (II): Loading
• We upload each DNS record from a malicious DNS server to the Open Emitter.
• This is done by requesting each record from the Open Emitter DNS.
• The server then caches each record.
[Figure: Split[1..n].cmdns.domain.com is queried (A?) at the Open Emitter DNS, which asks the DNS AUTH (Freedns.afraid.org) for cmdns.domain.com (NS?) and caches the four records 8rjqerkjqet, ueirytbdosu, ktqtr53xase and kzmfzzmfzze.]
11. Cloud Malware Distribution (III): Downloading
• Since the Open Emitter server has cached all the records, we turn it into the authoritative server for the domain.
• From now on, the Open Emitter will resolve all queries for the domain.
• Thus, every DNS server on the Internet can resolve the malware records and bots can fetch them.
[Figure: the DNS AUTH (Freedns.afraid.org) steps aside and the Open Emitter DNS now serves the four cached records 8rjqerkjqet.cmdns.domain.com, ueirytbdosu.cmdns.domain.com, ktqtr53xase.cmdns.domain.com and kzmfzzmfzze.cmdns.domain.com.]
12. Cloud Malware Distribution (IV): Decoding
• With all the retrieved records, bots can rebuild the original file.
• The bot now has the updated malware file.
[Figure: the four records are concatenated back into 8rjqerkjqetueirytbdosuktqtr53xasekzmfzzmfzze.]
13. Own survey: yesterday and today

                             February 2011          March 2012
                             Spain      USA         Spain      USA
Queried hosts                10,406     10,406      8,217      8,217
Replying hosts               87.22%     87.39%      87.58%     87.69%
Open resolvers               76.46%     77.28%      95.45%     82.08%
Open emitters                57.76%     57.33%      53.78%     53.51%
Accept +norecurse queries    55.91%     55.49%      87.67%     74.44%
TTL ≥ 604800                 43.05%     42.94%      51.24%     49.32%
14. A quick test…
DNSCrypt
In the same way that SSL turns HTTP web traffic into HTTPS encrypted web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks.
18. DNS as Covert Channel
• OzymanDNS (Kaminsky)
• Dnscapy
• (NSTX) Iodine: uses several RR types (NULL, TXT, CNAME).
• Dns2tcp & TCP-over-DNS: relay TCP connections.
• LoopcVPN: one of the China Telecom hotspot nightmares.
20. Stateless malware (I)
• TSPY_ZBOT.SMQH
– Another modified ZeuS variant seen in the wild.
– Reported in September 2011 by Trend Micro.
– Data exchange is now also happening over UDP.
– http://blog.trendmicro.com/another-modified-zeus-variant-seen-in-the-wild/
24. Feedorbot
• Uses the DNS protocol.
– Feedorbot shares encrypted commands from the C&C.
– Encapsulates Base64-encoded data in TXT records.
– http://www.cj2s.de/On-Botnets-that-use-DNS-for-Command-and-Control.pdf
25. Hiloti
• Through DNS queries, Hiloti monitors the status of the infected host.
– http://blog.fortinet.com/hiloti-the-botmaster-of-disguise
142625.bc7a3d45.01.0AC1FD9D62074E6D9D2889088284DAB5.n.empty.1148.empty.5_1._t_i.ffffffff.explorer_exe.173.rc2.a4h9uploading.com
• Although it uses DNS as its control protocol, the bots download update files from "file hosting" servers over HTTP.
26. Morto
• From IRC to DNS.
– Morto, like Feedorbot, uses TXT records to communicate.
– http://www.symantec.com/connect/blogs/morto-worm-sets-dns-record
34. Ten Little Niggers
• http://www.webboar.com/ip/67.15.149.70/
– 25 domain(s) on IP address 67.15.149.70
39. Traditional data leak using DNS
[Figure: (1) the bot queries DataLeakRecord1.[OUTPUT_DOMAIN], DataLeakRecord2.[OUTPUT_DOMAIN], … through a cache DNS (public or private); (2) the cache DNS forwards them to the DNS Auth. for OUTPUT_DOMAIN, which ends up holding DataLeakRecord1, DataLeakRecord2, ….]
40. Using a DNS reflector
[Figure: components are the Bot; a Cache DNS (public or private); the DNS Auth. for PUBLICATION_DOMAIN (an Open Emitter + cache) holding Data1, Data2, …; the DNS Auth. for OUTPUT_DOMAIN; and a CMD "Force Data Leak Upload". Queries for Data1.[PUBLICATION_DOMAIN] are reflected as DataLeakRecord1.[OUTPUT_DOMAIN] (Data1 -> DataLeakRecord1); steps are numbered 1–5.]
42. Using Fast-Flux DNS reflectors
[Figure: same layout as slide 40: Bot; Cache DNS (public or private); DNS Auth. for PUBLICATION_DOMAIN (Open Emitter + cache) holding Data1, Data2, …; DNS Auth. for OUTPUT_DOMAIN; CMD "Force Data Leak Upload". Data1.[PUBLICATION_DOMAIN] is reflected as DataLeakRecord1.[OUTPUT_DOMAIN] (Data1 -> DataLeakRecord1); steps are numbered 1–5.]
52. Data Leak using NXDOMAIN responses
[Figure: (1) the Bot queries dataleakrecord1.[OUTPUT_DOMAIN], DataLeakRecord1.[OUTPUT_DOMAIN], … at a DNS server (Open Emitter + cache); (2) that server talks to the DNS Auth. for OUTPUT_DOMAIN.]
53. Data Leak using NXDOMAIN responses
[Figure: (1) the Bot sends +norecurse queries for a.[OUTPUT_DOMAIN], b.[OUTPUT_DOMAIN], …, z.[OUTPUT_DOMAIN], 1.[OUTPUT_DOMAIN], a1.[OUTPUT_DOMAIN], …, dataleakrecord1.[OUTPUT_DOMAIN] to a DNS server (Open Emitter + cache); (2) that server talks to the DNS Auth. for OUTPUT_DOMAIN; (3) the Bot inspects the response: RCODE? TTL value? Query time?]
58. Data Leak using 'nice' domains
[Figure: (1) the Bot queries dataleakrecord1.[OUTPUT_DOMAIN], DataLeakRecord1.[OUTPUT_DOMAIN], … at a DNS server (Open Emitter + cache); (2) that server talks to the 'nice' DNS Auth. for OUTPUT_DOMAIN.]
59. Data Leak using 'nice' domains
[Figure: (1) the Bot sends +norecurse queries for a.[OUTPUT_DOMAIN], b.[OUTPUT_DOMAIN], …, z.[OUTPUT_DOMAIN], 1.[OUTPUT_DOMAIN], a1.[OUTPUT_DOMAIN], …, dataleakrecord1.[OUTPUT_DOMAIN] to a DNS server (Open Emitter + cache); (2) that server talks to the 'nice' DNS Auth. for OUTPUT_DOMAIN; (3) the Bot inspects the response: ANSWER SECTION? TTL value?]
60. Conclusions: data leak

Method                           Uses client default DNS settings   Upload queries needed   Exposes cybercrime infrastructure   Download queries needed   Score (0;10)
Traditional DNS tunneling        YES                                2 queries/kB            YES                                 -                         5
Using Fast-Flux DNS reflectors   YES                                2 queries/kB            YES                                 2 queries/kB              4
Using NXDOMAIN response          NO                                 2 queries/B             NO                                  20 queries/B              2
Using "nice" domains             NO                                 2 queries/B             NO                                  20 queries/B              6
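Detection logic for the two traffic shapes the deck describes (many random-looking labels under one zone, as in the split-record distribution of slides 8–12, and bursts of NXDOMAIN answers for distinct labels, as in the leak of slides 52–53), added here as an example that is not from the talk or the CMD/Flu tools. The log format, zone names, client addresses and thresholds are constructed assumptions.

```python
import math
from collections import defaultdict
# Constructed resolver log ("client qname rcode"), not from the talk: zone one mimics
# the split-record names of slides 8-12, zone two the NXDOMAIN leak of slides 52-53.
SAMPLE_LOG = """\
10.0.0.5 8rjqerkjqet.cmdns.domain.com NOERROR
10.0.0.5 ueirytbdosu.cmdns.domain.com NOERROR
10.0.0.5 ktqtr53xase.cmdns.domain.com NOERROR
10.0.0.5 kzmfzzmfzze.cmdns.domain.com NOERROR
10.0.0.7 a.leak-domain.example NXDOMAIN
10.0.0.7 b.leak-domain.example NXDOMAIN
10.0.0.7 z.leak-domain.example NXDOMAIN
10.0.0.7 dataleakrecord1.leak-domain.example NXDOMAIN
10.0.0.9 www.example.org NOERROR
"""

def shannon_entropy(text):
    """Bits per character of text (0 when every character is the same)."""
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))

def parse_log(log):
    """Yield (leftmost label, parent zone, rcode) for each log line."""
    for line in log.splitlines():
        if line.strip():
            _client, qname, rcode = line.split()
            label, _, zone = qname.lower().partition(".")
            yield label, zone, rcode

def flag_zones(log, min_unique=4, entropy_bits=3.5, nx_ratio=0.8):
    """Return {zone: [reasons]}; thresholds are illustrative and need tuning."""
    by_zone = defaultdict(list)
    for label, zone, rcode in parse_log(log):
        by_zone[zone].append((label, rcode))
    findings = {}
    for zone, rows in by_zone.items():
        labels = {label for label, _ in rows}
        if len(labels) < min_unique:       # too few distinct names to judge
            continue
        reasons = []
        # Many distinct random-looking labels: payload chunks or tunnel data.
        if shannon_entropy("".join(sorted(labels))) >= entropy_bits:
            reasons.append("high-entropy unique labels")
        # Distinct labels answered mostly NXDOMAIN: the RCODE side channel.
        nx = sum(1 for _, rcode in rows if rcode == "NXDOMAIN")
        if nx / len(rows) >= nx_ratio:
            reasons.append("NXDOMAIN for %d of %d queries" % (nx, len(rows)))
        if reasons:
            findings[zone] = reasons
    return findings
```

Run `flag_zones(SAMPLE_LOG)` to get the flagged zones with their reasons; ordinary zones with few distinct labels are skipped.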
61. ToDo: Improvement++
• Data leak using 'nice' domains. But remember that:
– It must use the client's default DNS settings.
• Maybe we can use third-party resources … (once again)
– … use misconfigured DNS (proxy DNS, cache DNS, authoritative server, …).
– e.g. it must ignore the "+norecurse" flag, have "minimal-response" configured, etc.
• Result: untraceable data leaks
65. And the winner is…
• Written in C# and PHP
• GNU/GPL
• Geared to build botnets
• HTTP communication
69. Flu and CMD: 3rd Party
• ISC Bind
• FreeDNS.afraid.org
• HE free DNS service
• Misconfigured DNS server (Open Emitter).
71. Flu and CMD: Client
• We use the ARSoft.Tools.Net library.
• Without GUI changes:
– We use domainload to leak data.
– We use domaindownload to get the XML file.
74. Flu and CMD: How it works (II)
1. How does Flu call back?
– NXDOMAIN can: track new bots.
– NXDOMAIN can't: send huge files.
2. Then… we need to expose a DNS server.
[Figure: (1) Flu-infected host → DNS → Open Emitter DNS → Flu C&C DNS server: NXDOMAIN query out, NOERROR back; (2) Flu-infected host → DNS cache → Flu DNS server.]
76. Conclusions
• DNS is a botnet dialect…
– One year ago DNS was a possibility; today it could be a real threat.
• Data leak using DNS needs improvement…
– …but it is a work in progress.
• Malware needs to communicate undetected, and IDS wants to detect malware.
– Both must be looking at the same thing… DNS.
• Don't forget the DNS protocol
77. Questions?
Who invented the RootedCON?
Pérez the Mouse      RootedCON is your parents
Santa                Three Magic Kings
78. References
• http://code.kryo.se/iodine/
• http://dns.measurement-factory.com/
• http://darkwing.uoregon.edu/~joe/secprof10-dns/secprof10-dns.pdf
• http://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Kaminsky.pdf
• http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-kaminsky/bh-us-04-kaminsky.ppt
• http://www.pcworld.com/article/220024/feds_accidentally_seize_84000_innocent_domains_link_them_with_child_porn.html
• http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf
• http://www.secdev.org/projects/scapy/
• https://www.isc.org/software/bind/documentation/arm95#man.dig
• http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl
• http://hakin9.org/magazine/1652-mobile-malware-the-new-cyber-threat
• http://www.ietf.org/rfc/rfc{1033,1034,1035,1183,2181}.txt
• http://tools.ietf.org/id/draft-cmd-prevent-malware-dns-distribute-00.txt
• http://www.wombat-project.eu/
• http://exposure.iseclab.org/index.html
• https://dnsdb.isc.org/#Home
• http://www.webboar.com
• https://dns.he.net/
• http://www.flu-project.com/
• http://arsofttoolsnet.codeplex.com/