#rootedcon2012 - dns: a botnet dialect - carlos diaz & francisco j. gomez

CMD: Look who’s talking too

DNS: a botnet dialect

Francisco J. Gómez Rodríguez ([email protected]): •  Computer Engineering (EUI-‐UPM) •  Security Research (Telefonica R&D) •  dig fran.rootedcon.themafia.info TXT

Carlos Díaz Hidalgo ([email protected]): •  TelecommunicaGons Engineer (ETSITM-‐UPM), GPEN, GCIH,

OPST, ITILF and CCNA. •  Technology Specialist in Ethical Hacking (Telefonica R&D) •  dig charlie.rootedcon.themafia.info TXT

look who’s talking too

This presenta9on contains: one year ago ………………………………………….... 3 mg cloud malware distribuGon …………………..…. 10 mg dns is in the air ………………………………………… 10 mg suspicion …………………………………………………. 8 mg data leak …………………………………………………. 10 mg laboratory ………………………………………………. 10 mg

THIS PACKAGE FOR HOUSEHOLDS WITHOUT YOUNG CHILDREN

Tamper-‐Evident: Do not accept if sealed blister unit has been broken or opened

Nasal Spray

4.4 FL OZ (130mL)

INTRODUCTION

One year ago …

•  We talked about DNS and Malware. •  We released Cloud Malware DistribuGon (CMD): – An alternaGve method for malware distribuGon using Cache DNS services.

– Using client default DNS se_ngs. – Malware source virtually untraceable.

A DNS shot

CMD Cloud Malware DistribuGon in a nutshell

Cloud Malware DistribuGon 1.   Encoding: Split malware payload into DNS Records.

2.   Publishing: Publish domain and each record in a public Name Server.

3.   Loading: Force an Open Emi`er DNS Cache Server to store all records.

4.   Downloading: Download records from an infected host (bot).

5.   Decoding: Rebuild malware payload from records.

1,2 3

Open Emi`er DNS

4

8rjqerkjqet.cmdns.domain.com ueirytbdosu.cmdns.domain.com ktqtr53xase.cmdns.domain.com kzmfzzmfzze.cmdns.domain.com


5

Cloud Malware DistribuGon (I) 8rjqerkjqet.cmdns.domain.com

ueirytbdosu.cmdns.domain.com

ktqtr53xase.cmdns.domain.com

kzmfzzmfzze.cmdns.domain.com

8rjqerkjqet ueirytbdosu ktqtr53xase kzmfzzmfzze

Encoding & Pub

lish

DNS AUTH Freedns.afraid.org

8rjqerkjqetueirytbdosuktqtr53xasekzmfzzmfzze

8rjqerkjqet.cmdns.domain.com




•  From malware file we create a base32 coded string.

•  So we split the string into DNS compliance records.

Cloud Malware DistribuGon(II)

Open Emièr DNS







ktqtr53xase.cmdns.domain.com kzmfzzmfzze.cmdns.domain.com

Loading

cmdns.domain.com NS?

Split[1..n].cmdns.domain.com A?

•  We upload each DNS record from a malicious DNS to Open Emièr.

•  This is made by requesGng each record to Open Emièr DNS.

•  Then Server caches each record.

DNS AUTH Freedns.afraid.org

Cloud Malware DistribuGon (III)

Open Emièr DNS

Downloading

DNS AUTH

Freedns.afraid.org

•  Since the Open Emièr Server has cached all records we convert it into a domain authoritaGve domain server.

•  From now on, Open Emièr will resolve all domain queries. •  Thus, all Internet DNS servers can resolve malware records and

bots can get them.


Cloud Malware DistribuGon (IV)

Decoding

8rjqerkjqetueirytbdosuktqtr53xasekzmfzzmfzze





•  With all the retrieved records bots can rebuild the original file.

•  Bot has now updated the malware file.

Own survey : yesterday and today

Febrero de 2011

España EEUU

Queried hosts 10.406 10.406

Replying hosts 87,22% 87,39%

Open resolvers 76,46% 77,28%

Open emi`ers 57,76% 57,33%

Accept +norecurse queries 55,91% 55,49%

TTL ≥ 604800 43,05% 42,94%

Marzo de 2012

España EEUU

8217 8217

87,58% 87,69%

95,45% 82,08%

53,78% 53,51%

87,67% 74,44%

51,24% 49,32%

A quick test…

In the same way the SSL turns HTTP web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-‐in-‐the-‐middle a`acks.

DNSCrypt

… a quick demo.

Summary: We can use DNSCrypt and CMD Method works.

DNS IS IN THE AIR DNS: yesterday, today, and tomorrow

Are you talking to me?

•  Let’s see some about… – DNS as covert channel. – DNS uses in malware communicaGons.

l DNS as Covert Channe

•  OzymanDNS (Kaminsky) •  Dnscapy •  (NSTX) Iodine: Use several RR types, NULL,TXT,CNAME)

•  Dns2tcp & TCP-‐over-‐DNS: relay TCP connecGons. •  LoopcVPN One of China-‐Telecom Hotspot nightmare.

Are you talking to me?

•  Let’s see some about… – DNS as covert channel. – DNS uses in malware communicaGons.

Stateless malware (I) •  TSPY_ZBOT.SMQH

–  Another Modified ZeuS Variant Seen in the Wild. –  Reported in September 2011 by Trendmicro. –  Data exchange is also now happening in UDP. –  http://blog.trendmicro.com/another-modified-zeus-variant-seen-in-the-wild/

Stateless malware(II) •  Older version using TCP to exchange configura7on files. However,

The new version exchanges all data in UDP –  http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet

Stateless malware(II) •  Older version using TCP to exchange configura7on files. However,

The new version exchanges all data in UDP –  http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet

TCP

Where there's smoke, there's fire.

Feedorbot

•  Using DNS protocol. –  Feedorbot share encrypted commands from C&C. –  Encapsuling data in TXT records and Base64 encoded. –  http://www.cj2s.de/On-Botnets-that-use-DNS-for-Command-and-Control.pdf

HiloG

•  Thanks DNS querys HiloG monitors infected host status. –  h`p://blog.forGnet.com/hiloG-‐the-‐botmaster-‐of-‐disguise

142625.bc7a3d45.01.0AC1FD9D62074E6D9D2889088284DAB5.n.empty.1148.empty.5_1._t_i.ffffffff.explorer_exe.173.rc2.a4h9uploading.com

•  Although It uses DNS as control protocol, bots download update files from “file hosGng” servers by HTTP.

Morto

•  From IRC to DNS. –  Morto, like Feedorbot, uses TXT records to comnunicate. –  http://www.symantec.com/connect/blogs/morto-worm-sets-dns-record

GATHERING & EVALUATING INFORMATION

Gathering & EvaluaGng InformaGon (I)

•  h`p://www.wombat-‐project.eu/

•  h`p://exposure.iseclab.org/index.html

Gathering & EvaluaGng InformaGon (II) •  h`ps://dnsdb.isc.org/#Home

•  h`p://www.webboar.com

Gathering & EvaluaGng InformaGon (III) •  Don´t forget the classics:

– h`p://www.robtex.com/

Learned in #Rooted2012 •  h`p://labs.alienvault.com/labs/index.php/projects/open-‐source-‐ip-‐reputaGon-‐portal/

SomeGmes … I see dead people

•  September, 2011 (Top 10 Malicious Domains)

Scratch & Win

Ten Li`le Niggers •  h`p://www.webboar.com/ip/67.15.149.70/

– 25 Domain(s) on IP Address 67.15.149.70 •  azxdf.com •  mjuyh.com •  hjuyv.com •  plokm.com •  nbgtr.com •  vcxde.com •  asljd.com •  bruGllor5.com

•  civiGcle0.com •  ckubf.com •  djhbw.com •  himovingto8.com •  hiuxd.com •  liunj.com •  loijm.com •  mjrth.com

•  morewallfalls7.com •  okjyu.com •  orn2hcb.com •  qlovg.com •  quiluGon2.com •  uncdt.com •  xvfar.com •  zscdw.com •  zukamosion3.com

SomeGmes … I see dead people

CMD could be alive!

DATA LEAK OVER DNS

TradiGonal data leak using DNS

1

Bot

DataLeakRecord2.[OUTPUT_DOMAIN] [OUTPUT_DOMAIN] DataLeakRecord1

DataLeakRecord2

…

DataLeakRecord1.[OUTPUT_DOMAIN]

2

Cache DNS (public or private) DNS Auth.

OUTPUT_DOMAIN

Using a DNS reflector

1

Bot [PUBLICATION_DOMAIN] Data1 Data2

…


2

Cache DNS (public or private)

DNS Auth. (OUTPUT_DOMAIN)

DNS Auth. (Open emi`er + cache) PUBLICATION_DOMAIN

Force Data Leak Upload CMD

3

Cache DNS

4

5

(PUBLICATION_DOMAIN) Data1 -‐> DataLeakRecord1

Data1.[PUBLICATION_DOMAIN]

Data1

Data1 -‐> DataLeakRecord1

DNS reflector (demo)

Using Fast-‐Flux DNS reflectors


1

Bot [PUBLICATION_DOMAIN] Data1 Data2

…


2

Cache DNS (public or private)


DNS Auth. (Open emi`er + cache)

Force Data Leak Upload CMD

3

Cache DNS

4

5

(PUBLICATION_DOMAIN) Data1 -‐> DataLeakRecord1

Data1.[PUBLICATION_DOMAIN]

Data1

Data Leak using NXDOMAIN responses

•  NXDOMAIN responses are cached: – NegaGve caching is useful. – TTL value: The SOA 'minimum' parameter is used as the negaGve (NXDOMAIN) caching Gme (defined in RFC 2308).

•  Other queries may reuse some parts of the lookup (quick response).

Caching NXDOMAIN responses (I)

Caching NXDOMAIN responses (II)

Caching NXDOMAIN responses (III)

Data leak with “dig”

RCODE

TTL

QUERY TIME

Leak recovery with “dig” (I)

TTL < 86400

QUERY TIME < 300 msec

Leak recovery with “dig” (II)

TTL = 86400

QUERY TIME approx. 300 msec

It is not a good method for recovery!

Leak recovery with “dig” (III)

TTL < 86400


Leak recovery with “dig” (IV)

RCODE ≠ NXDOMAIN


It is the preferred method for recovery!

DataLeakRecord1.[OUTPUT_DOMAIN] ataLeakRecord1.[OUTPUT_DOMAIN]

dataleakrecord1.

[OUTPUT_DOMAIN] ataleakr

ecord1.[OUTPUT_D

OMAIN]

Data Leak using NXDOMAIN responses da

tale

akre

cord

1 1

Bot

d1.[OUTPUT_DOMAIN] 1.[OUTPUT_DOMAIN]

2 DNS (Open emi`er + cache)

1.[OUTPUT_DOMAIN

]

d1.[OUTPUT_DOMAI

N]

rd1.[OUTPUT_DOMA

IN] …


…

b.[OUTPUT_DOMAIN] a.[OUTPUT_DOMAIN]

…


dataleakrecord1.

[OUTPUT_DOMAIN] ataleakr

ecord1.[OUTPUT_D

OMAIN]

Data Leak using NXDOMAIN responses da

tale

akre

cord

1 1

Bot



3

1.[OUTPUT_DOMAIN

]

d1.[OUTPUT_DOMAI

N]

rd1.[OUTPUT_DOMA

IN] …


…

dataleakrecord1

z.[OUTPUT_DOMAIN] 1.[OUTPUT_DOMAIN] a1.[OUTPUT_DOMAIN] …

QUERY: +norecurse

RESPONSE: RCODE? TTL value?

Query Gme?

NXDOMAIN (demo)

Data Leak using “nice” domains

•  There are authoritaGve DNS server that: – Simply point all unknown DNS queries to a single IP address.

– Minimum TTL value on the order of 1-‐7 days.

•  Where can I find them? – Alexa “Tops Sites”: h`p://www.alexa.com/topsites

inbox.com imgur.com motherless.com wikia.com wikispaces.com pbworks.com …

Caching ‘nice’ responses (II)

Data Leak using ‘nice’ domains da

tale

akre

cord

1 1

Bot



1.[OUTPUT_DOMAIN

]

d1.[OUTPUT_DOMAI

N]

rd1.[OUTPUT_DOMA

IN] …

ataleakrecord1.[

OUTPUT_DOMAIN]

dataleakrecord1.

[OUTPUT_DOMAIN]

‘nice’ DNS Auth. (OUTPUT_DOMAIN)

…


Data Leak using ‘nice’ domains da

tale

akre

cord

1 1

Bot



3

1.[OUTPUT_DOMAIN

]

d1.[OUTPUT_DOMAI

N]

rd1.[OUTPUT_DOMA

IN] …

ataleakrecord1.[

OUTPUT_DOMAIN]

dataleakrecord1.

[OUTPUT_DOMAIN]

‘nice’ DNS Auth. (OUTPUT_DOMAIN)

…


a.[OUTPUT_DOMAIN]

dataleakrecord1

b.[OUTPUT_DOMAIN] z.[OUTPUT_DOMAIN] 1.[OUTPUT_DOMAIN] a1.[OUTPUT_DOMAIN] … …

QUERY: +norecurse

ANSWER SECTION? TTL value?

Conclusions data-‐leak

Use client default DNS seings

Upload queries needed

Expose cybercrime

infrastructure

Download queries needed

Score (0-‐10)

TradiGonal DNS tunneling YES 2 queries/kB YES -‐ 5

Using Fast-‐Flux DNS reflectors YES 2 queries/kB YES 2 queries/kB 4

Using NXDOMAIN response

NO 2 queries/B NO 20 queries/B 2

Using “nice” domains NO 2 queries/B NO 20 queries/B 6

ToDo: Improvement++ •  Data Leak using ‘nice’ domains. But remembering that: – Must use client default DNS se_ngs.

•  Maybe can use three party resources … (once again) –  … Use misconfigured DNS (proxy DNS, cache DNS, authoritaGve server, …).

–  e.g. must ignore “+norecurse” flag, “minimal-‐response” configured, etc.

•  Result: Untraceable data leaks

Harder than finding a needle in a haystack!

LABORATORY Are we infected?

Making the lab.

•  We need a “real” threat… •  But we are “ethical”… •  And we are not developers…

Searching…

And the winner is…

•  Wri`en in C# and PHP •  GNU/GPL •  Geared to build botnets •  HTTP communicaGon

How Flu works

•  Flu server share XML commands file. •  Infected hosts get XML file through

HTTP request.

Flu Infected Host

Flu SERVER

HTTP

Flu and CMD

•  We use CMD to distribute XML commands file. •  Our dream: Flu become stateless Trojan. •  Then we’ll have stateless-‐Trojan-‐GPL botnet.

Open Emi`er DNS

Flu Infected Host

Flu DNS

DNS DNS

HTTP/TCP DNS/UDP

Vs 1 query 2 pkts. 0 conn.

1 GET 11 pkts. 1 conn.

Flu and CMD: Server

•  PHP 5.3.0 or higher required. •  Three steps:

1.  domain.db file create. (external lib: Tar.php) 2.  Load XML file into DNS server. (NaGve lib) 3.  Download data from infected host. (NaGve lib)

Flu and CMD: 3th Party

•  ISC Bind •  FreeDNS.afraid.org •  HE free DNS service •  Misconfigured DNS server.

Open Emi`er

Flu and CMD: Client

•  We use ARSoD.Tools.Net library. •  Without GUI changes:

–  We use domainload to data leak. –  We use domaindownload to get XML file.

Flu and CMD: How it works (I)

Open Emi`er DNS

Flu Infected Host

Flu DNS

DNS DNS

XML2DNS LOADXML DOWNLOADXML

Flu and CMD: How it works (II)

Open Emi`er DNS

Flu Infected Host

Flu C&C

DNS DNS

•  How flu call back? –  NXDOMAIN can: Track new bots. –  NXDOMAIN can’t: Send huge files.

DNS Server Nxdomainquery Noerror

Nxdomainquery Noerror

Flu and CMD: How it works (II)

Open Emi`er DNS

Flu Infected Host

Flu C&C

DNS DNS

1.  How flu call back? –  NXDOMAIN can: Track new bots. –  NXDOMAIN can’t: Send huge files.

2.  Then… we need to expose DNS server.

Cache DNS

Flu Infected Host

Flu DNS

DNS DNS

Nxdomainquery Noerror DNS Server

Nxdomainquery Noerror

2

1

Flu and CMD: Demo

Conclusions

•  DNS is a botnet dialect… –  One year ago DNS was a possibility, today could be a real threat.

•  Data leak using DNS need an improvement… –  ...but we are working progress.

•  Malware need to communicate undetected, and IDS want to detect malware. –  Both must be looking for the same… DNS.

•  Don’t forget DNS Protocol

QuesGons?

Who invented the rootedcon?

Rootedcon is your parents

Three Magic Kings Santa

Perez the mouse

References §  h`p://code.kryo.se/iodine/ §  h`p://dns.measurement-‐factory.com/ §  h`p://darkwing.uoregon.edu/~joe/secprof10-‐dns/secprof10-‐dns.pdf §  h`p://www.blackhat.com/presentaGons/bh-‐europe-‐05/BH_EU_05-‐Kaminsky.pdf §  h`p://www.blackhat.com/presentaGons/bh-‐usa-‐04/bh-‐us-‐04-‐kaminsky/bh-‐us-‐04-‐kaminsky.ppt §  h`p://www.pcworld.com/arGcle/220024/feds_accidentally_seize_84000_innocent_domains_link_them_with_child_porn.html §  h`p://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf §  h`p://www.secdev.org/projects/scapy/ §  h`ps://www.isc.org/so�ware/bind/documentaGon/arm95#man.dig §  h`p://dns.measurement-‐factory.com/cgi-‐bin/openresolvercheck.pl §  h`p://hakin9.org/magazine/1652-‐mobile-‐malware-‐the-‐new-‐cyber-‐threat §  h`p://www.ie�.org/rfc/rfc{1033,1034,1035,1183,2181}.txt §  h`p://tools.ie�.org/id/dra�-‐cmd-‐prevent-‐malware-‐dns-‐distribute-‐00.txt §  h`p://www.wombat-‐project.eu/ §  h`p://exposure.iseclab.org/index.html §  h`ps://dnsdb.isc.org/#Home §  h`p://www.webboar.com §  h`ps://dns.he.net/ §  h`p://www.flu-‐project.com/ §  h`p://arso�toolsnet.codeplex.com/

Thanks for your Gme! @{Hlexpired,ffranz} {charlie,fran}@7d.es