SECURITY WHITEPAPER


The Role of DNS in Botnet Command and Control (C&C)
DNS is powerful, ubiquitous and yet ignored by most organizations. Today, cybercriminals rely on DNS for rallying infected devices to join a botnet and to mitigate takedowns by authorities. In 2011, cybercriminals started covertly tunneling botnet communications over DNS traffic to mitigate detection by security solutions, despite security researchers widely publishing this threat in 2004!
QUESTION: What do you know about 101.cnc.com?
• Are any devices outside your network trying to resolve such domain hostnames through your network?
• Are any devices within your network trying to resolve hostnames to that domain?

ANSWER: Analyze logs... stored on:
• DNS servers,
• Web servers, or
• Firewalls.

RESULT: Post-damage forensics
• Locates infected devices delegated to be proxies or name servers for botnet C&C.
• Locates infected devices attempting to tunnel botnet C&C communications over DNS.
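The two questions in the box above, answered over a constructed resolver log. This is an added example, not code from the whitepaper; the log line format, the 10.0.0.0/8 "internal" range and the cnc.tld placeholder domain are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample resolver log (hypothetical format: "<time> <client_ip> <qname> <qtype>").
SAMPLE_LOG = """\
2012-03-01T09:00:01 10.0.4.17 flux.cnc.tld A
2012-03-01T09:00:02 10.0.4.17 www.example.com A
2012-03-01T09:05:10 198.51.100.23 ns1.cnc.tld A
2012-03-01T09:07:44 10.0.9.3 mail.example.com MX
2012-03-01T09:12:00 10.0.4.17 update.cnc.tld TXT
2012-03-01T09:15:31 203.0.113.8 flux.cnc.tld A
"""

# Assumption: everything in 10.0.0.0/8 is "within your network"; anything else is outside.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_log(text):
    """Turn the log text into rows; lines that do not have exactly four fields are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        rows.append({"ts": ts, "client": ipaddress.ip_address(client),
                     "qname": qname.lower().rstrip("."), "qtype": qtype})
    return rows


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def in_domain(qname, domain):
    """True for the domain itself and any hostname below it (never for look-alikes such as notcnc.tld)."""
    domain = domain.lower().rstrip(".")
    return qname == domain or qname.endswith("." + domain)


def triage(rows, domain):
    """Group clients that resolved anything under `domain` into outside vs. inside the network.

    Outside clients answer question 1 (is our resolver being used as a C&C name server or open
    resolver?); inside clients answer question 2 (which of our devices are rallying to the domain?).
    """
    report = {"external": defaultdict(set), "internal": defaultdict(set)}
    for r in rows:
        if not in_domain(r["qname"], domain):
            continue
        bucket = "internal" if is_internal(r["client"]) else "external"
        report[bucket][str(r["client"])].add(r["qname"])
    return {k: {c: sorted(v) for c, v in d.items()} for k, d in report.items()}


if __name__ == "__main__":
    for bucket, clients in triage(parse_log(SAMPLE_LOG), "cnc.tld").items():
        for client, names in clients.items():
            print(f"{bucket:8} {client:15} -> {', '.join(names)}")
```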

If you cannot answer the above questions, either because you don’t keep these logs, they’re not readily available, or you wouldn’t know how to analyze them, you’re likely blind to infected devices that have compromised your network by performing these botnet command and control (C&C) activities.

A botnet’s principal single point of failure, and its beacon to security researchers, is its Internet-wide C&C architecture. From 2007-8, cybercriminals began building distributed or hybrid C&C topologies leveraging more advanced DNS-based C&C rallying mechanisms, such as third-party dynamic DNS or their own distributed DNS services, to enable C&C communications to be redirected through their own distributed proxy service. Infected devices within insecure home or business networks host these services. DNS is used to add robustness and mobility, to remove single points of failure within the architecture, and to provide anonymity for the cybercriminals running botnet C&C servers (see page 2). Fluxing the domain names and/or the IP addresses in the DNS records used by botnets makes them more difficult for the security community to take down or take over.

Today, most botnets rely on a mix of P2P-, HTTP- or IRC-based protocols to communicate between bots and/or C&C servers. However, in late 2011, security researchers began publishing papers and blogs on botnets, such as “Morto”, “Feederbot” and “Katusha/Timestamper”, using a covert C&C communication method known as DNS tunneling to add stealth.1 DNS tunneling is not new; it has existed since 1998, and the first implementation was published on Slashdot in 2000. In 2004, Dan Kaminsky widely presented his implementation for tunneling arbitrary data over DNS to the security community, but it lost the community’s short-term attention as other exploited DNS vulnerabilities, such as DNS cache poisoning, became more prevalent.2 Today, many popular DNS tunnels exist that are readily available for cybercriminals to build botnets that bypass firewall filters or Web proxies.3 Ethical hackers have constructed a reverse shellcode exploit that could provide cybercriminals VPN and remote access into an insecure network using valid DNS syntax to avoid detection.4 Furthermore, with the future adoption of DKIM, IPv6 and other extensions to the basic DNS protocol, big and complex packets within DNS traffic will become more common, thereby helping DNS-based botnet C&C communications blend in more easily and efficiently, since they will appear normal in DNS query streams (see page 2).

In the arms race between cybercriminal organizations and the security community, C&C techniques have become so robust, stealthy and mobile that botnets are ubiquitous in both home and business networks despite so-called “next generation” security solutions’ best attempts to prevent all malware. The “defense-in-depth” strategy needs to migrate from adding prevention layers to adding containment layers. DNS traffic is often examined only after security incidents; for example, Google discovered the advanced and persistent “Aurora” botnet that breached its network by analyzing DNS logs after the damage had occurred. The most costly damage is no longer the time lost by IT to remediate infected devices, but the stolen data enclosing sensitive company or personal information that legal and regulatory bodies must then resolve.

[Figure: “Defense-in-depth” strategy migration. Panels: DETECT MALWARE (infected device / insecure network), PREVENT MALWARE (uninfected device / secure network), CONTAIN BOTNETS (infected device / secure network).]
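Detection logic for the tunneling behaviour described above, run over constructed per-client query records. It aggregates per (client, zone) across the whole window, so the “trickled, non-consecutive” queries the paper mentions still add up, and it contrasts a tunneling client with a CDN user whose hashed hostnames look superficially similar. This is an added example, not code from the whitepaper; the record layout, the two-label zone assumption and the thresholds are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample queries (client, qname, qtype) collected over one day; not real traffic.
# 10.0.4.17 trickles four TXT/NULL queries to cnc.tld, each with a fresh 30-character label.
# 10.0.9.3 makes ordinary lookups. 10.0.7.5 uses a CDN whose hostnames carry short hashes.
SAMPLE_QUERIES = [
    ("10.0.4.17", "x7q2kd9mz04rtpl8ab3cv1ns6jh5wy.cnc.tld", "TXT"),
    ("10.0.4.17", "p0lm3kq9ztr7vb2ncx8dj4hs1ayw6ug.cnc.tld", "TXT"),
    ("10.0.4.17", "k9v2xq8mz1rtp4la7bc3nd6jh0wys5e.cnc.tld", "NULL"),
    ("10.0.4.17", "b3n8kz2xq7mlr0tp5av9cd1js4hwy6g.cnc.tld", "TXT"),
    ("10.0.4.17", "www.example.com", "A"),
    ("10.0.9.3", "www.example.com", "A"),
    ("10.0.9.3", "mail.example.com", "MX"),
    ("10.0.9.3", "www.example.com", "AAAA"),
    ("10.0.7.5", "a1b2c3.cdn.example.net", "A"),
    ("10.0.7.5", "a1b2c3.cdn.example.net", "A"),
    ("10.0.7.5", "d4e5f6.cdn.example.net", "A"),
]


def shannon_entropy(s):
    """Bits of entropy per character; encoded data labels score far above dictionary words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname, depth=2):
    """Return (subdomain labels, zone). Assumption: the last `depth` labels form the zone."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[:-depth], ".".join(labels[-depth:])


def profile(queries, depth=2):
    """Aggregate per (client, zone) over the whole window so trickled queries still add up."""
    stats = defaultdict(lambda: {"queries": 0, "labels": set(), "label_chars": 0,
                                 "entropy_sum": 0.0, "rare_types": 0})
    for client, qname, qtype in queries:
        subs, zone = split_name(qname, depth)
        if not subs:
            continue
        s = stats[(client, zone)]
        s["queries"] += 1
        first = subs[0]                      # the leftmost label is where tunnels carry data
        s["labels"].add(".".join(subs))
        s["label_chars"] += len(first)
        s["entropy_sum"] += shannon_entropy(first)
        if qtype in ("TXT", "NULL", "CNAME"):  # types with room for data in the answer
            s["rare_types"] += 1
    return stats


def suspicious_zones(stats, min_unique=4, min_entropy=3.0, min_len=20, rare_ratio=0.5):
    """Flag (client, zone) pairs that trip at least two independent tunneling heuristics."""
    findings = []
    for (client, zone), s in stats.items():
        n = s["queries"]
        unique = len(s["labels"])
        reasons = []
        if unique >= min_unique and unique == n:
            reasons.append("every query used a new label")
        if s["label_chars"] / n >= min_len:
            reasons.append("long first labels")
        if s["entropy_sum"] / n >= min_entropy:
            reasons.append("high-entropy labels")
        if s["rare_types"] / n >= rare_ratio:
            reasons.append("mostly TXT/NULL/CNAME")
        if len(reasons) >= 2:
            findings.append((client, zone, sorted(reasons)))
    return sorted(findings)


if __name__ == "__main__":
    for client, zone, reasons in suspicious_zones(profile(SAMPLE_QUERIES)):
        print(f"{client} -> {zone}: {'; '.join(reasons)}")
```

Requiring two heuristics keeps a single long or odd-looking hostname from raising an alert; the CDN client here trips none of them.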
1 http://bit.ly/Symantec_Morto, http://bit.ly/Dietrich_Feederbot, http://bit.ly/CHMag_Katusha
2 http://bit.ly/Kaminsky_DNStunneling
3 http://bit.ly/NSTX_DNS, http://bit.ly/OzymanDNS, http://bit.ly/TCP-over-DNS, http://bit.ly/Iodine_DNS, http://bit.ly/Dns2tcp, http://bit.ly/DNScat, http://bit.ly/DeNiSe
4 http://bit.ly/Shellcode
  
 
[Figure: Evolution of Botnet C&C, a timeline from 1983 to 2012 and beyond. Phases: malware (viruses, worms, trojans, etc.) infecting devices are isolated; infected devices are connected to form robot networks (aka botnets); botnets are ubiquitous. Milestones per protocol row (IRC, HTTP, P2P, DNS): IRC-based benign bot; IRC-based malicious bot; 1st IRC-based botnet; IRC botnets pervasive; DNS tunneling developed; 1st prototype fully P2P-based botnet; 1st HTTP-based botnets; domain flux; 1st successful P2P-based botnets; 1st Web site/service-based botnets; IP flux (single); IP flux (double); 1st hybrid P2P/HTTP-based botnets; bots change host DNS settings; DNS tunneling for cybercrime; Web services seed domain flux crypto; 1st fully DNS-based botnets.]

[Figure: Centralized C&C topology, distributed C&C topology and hybrid C&C topology (*one example). Panel “DNS-based rallying mechanisms help cybercriminals stop takedowns by removing single points of failure”: C&C rallying mechanisms via dynamic and distributed DNS services; DNS traffic redirected through ns1.cnc.tld / ns2.cnc.tld and HTTP traffic redirected through distributed proxy services (which can be the same bot); query flux.cnc.tld, referrer ns1.cnc.tld, response 1.1.1.1, then HTTP GET to the C&C. Panel “DNS-based C&C communication helps avoid detection by blending in”: a network that only allows ports 80/443 with no proxy, allows port 53 with no filter, and uses basic resolvers with no sinkhole; the bot asks “where is 00110.cnc.tld?”, “where is 01010.cnc.tld?”, “where is 11010.cnc.tld?” and the responses “cnc.tld is at 01110 / 11011 / 11100” carry the control channel, so the query labels add up to leaked data (11010 + 01010 + … 00110 = data stolen) and the answers add up to a command (01110 + 11011 + … 11100 = control). Panel “DNS tunneling for covert C&C communications”.]
The Past, Present and Future of Significant Botnet C&C Techniques

C&C Attributes | Past | Present | Future
RALLYING MECHANISMS | Centralized topology using static IP lists | Distributed or hybrid topology using domain flux and/or IP flux (via DNS records) |
> Static Lists | IP addresses | Domain names and/or IP addresses |
> Domain Flux > Seeding | Predictable timestamp | Dynamic content hidden on popular websites (e.g. Twitter trends) that can be customized in do-it-yourself kits |
> Domain Flux > Crypto | Static | Frequently changing |
> Domain Flux > Names | Random characters | Dictionary word combinations |
> Domain Flux > Volume | Hundreds of domains | Tens of thousands of domains |
> IP Flux > Records | Single flux networks changing A resource records (first seen in the Storm/Peacomm botnets in 2007) | Double flux networks changing both A and NS resource records (first seen in the Asprox botnet in 2008) |
> IP Flux > Service | Existing dynamic DNS services or “personalized” third-level domain (3LD) services. Alternatively, custom DNS servers on bulletproof hosts, which allow a cybercriminal to bypass the laws or contractual terms of service regulating Internet content and service use in their country of operation and are unlikely to cooperate with authorities. | As dynamic DNS services take a more aggressive stance against botnet abuse, and governments cooperate more quickly with the security community, cybercriminals are building their own distributed DNS services using multiple compromised hosts. Often these are initially bootstrapped via custom DNS servers on bulletproof hosts. |
COMMUNICATION | Centralized topology using IRC- or HTTP-based protocols | Distributed or hybrid topology using P2P- and/or HTTP-based protocols | Hybrid topology with protocol tunneling, such as over DNS traffic
> IRC > Client | Common IRC client | Cybercriminal’s custom IRC client |
> HTTP > DIY Kits | Paid do-it-yourself malware exploit kits (e.g. Mpack, ICEPack, Fiesta) | Paid or open-source do-it-yourself botnet kits (e.g. Zeus, SpyEye, TDSS) |
> HTTP > Protocol | Unencrypted | Encrypted |
> HTTP > Hosts | Privately owned Web servers | Public Web 2.0 services (e.g. Amazon Elastic Compute Cloud, Google App Engine) and social network sites (e.g. Twitter, Facebook, Google Groups) |
> P2P > Port | Non-standard port numbers used by P2P protocols | Standard port numbers used by common encrypted protocols (e.g. SSH, HTTPS) |
> P2P > Protocol | Unauthenticated | Authenticated |
> P2P > Discovery | Centralized in cache servers | Distributed hash tables across the network |
> DNS | Not used | Phone home, data exfiltration and/or bot instructions | Trickled, non-consecutive DNS queries over long time periods to further mitigate detection
C&C RALLYING MECHANISM DESCRIPTIONS
The rallying mechanism enables new bots to locate its peers      IP Flux
or the C&C servers and join the botnet. While rallying can       Modern botnets primarily use one or more hard-coded
also be related to botnet recruitment and propagation, the       domain names for DNS servers to resolve to many different IP
following mechanisms are only for the purposes of                addresses over a short span of time. This technique is also
networking the bots.                                             widely known as “Fast Flux” Service Networks (FFSN) as it’s
If the security community is 100% successful in shutting         also associated with spam and phishing attacks. However,
down or hijacking the rallying mechanisms, the botnet falls      the term “IP Flux” best describes the result of rapidly
apart into a benign collection of discrete, unorganized          changing the location (i.e. IP address) to which the domain
infections. However, if even a few C&C servers remain alive,     name of an Internet host (A) or authoritative name server
the botnet can adapt and reconfigure itself to be undetected     (NS) resolves, caused by rapid and repeated changes to DNS
or protected behind the virtual walls of international           records using very low time-to-live (TTL) cache settings.
jurisdiction. Several movie analogies come to mind such as       Relative to using IP lists, taking down malicious DNS records
Terminator’s shape-shifting T-1000 series cyborg or Star         is often more difficult than compromised IP addresses
Trek’s Borg collective; both these entities are very resilient   because many records can be established for the same or
unless the entire control mechanism is eliminated. Today,        many IP addresses.
botnets use a hybrid of up to all three of the following         These locations are actually a network of compromised hosts
techniques, where one may initiate the rallying, one             that act as front-end nodes to proxy DNS and C&C
maintains the rallying, and another backs up the rallying if the other one or two are disrupted.

Static Lists
Early botnets primarily used hardcoded static lists of IP addresses or domain names. However, many firewalls can add an optional feed of known bad IP addresses to help mitigate this legacy technique, and it is often not agile enough for today's large botnet operations. While some compromised hosts will initially rely on static IPs to bootstrap communications with the botnet, they then switch to one of the following, more robust methods. For added mobility, cybercriminals used domain names with round-robin/multi-homing techniques to associate multiple IP addresses with a single DNS record, or used dynamic DNS services, without abusing them via IP flux, which is described next.

Domain Flux
The botnet uses domain names cryptographically generated by a Domain Generation Algorithm (DGA), which makes it more difficult for static reputation systems to maintain an accurate list of all possible C&C domains or for the security community to attempt to hijack the domain. Many cybercriminals register only a few of the possible generated domains at a time using dynamic DNS services. In limited recent cases such as the "Android bot", URL Flux has been used, which is similar to domain flux in that the bot uses a list of usernames generated by a Username Generation Algorithm (UGA) from which it selects a username to visit on a Web 2.0 site.

communication protocols to a group of backend C&C servers, commonly referred to as a "fast flux mothership" (see page 2). This second layer of abstraction further increases anonymity, security, high availability and load balancing of the botnet. It makes it nearly impossible to filter only by IP address, ASNs or geo-location and adds resiliency to takedown attempts, as it shifts the centralizing agent of control from the C&C servers to the distributed DNS architecture. In many ways the idea is comparable to Content Delivery Networks (CDN). It has evolved and advanced since the Honeynet Project Research Alliance first discovered its use.

The evolution for cybercriminals to use their own authoritative name servers has added greater robustness and mobility to IP Flux, and makes successful takedown more difficult for the security community. Alternatively, if the compromised devices are redirected to the cybercriminals' own recursive DNS servers, bots are able to resolve domain names to different IP addresses relative to the rest of the Internet, so, for example, if a security researcher or other network device tries to access the domain, it may appear not to exist. Also, it allows the bot to resolve well-known domain names (e.g. google.com) to C&C servers.
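As an added, runnable illustration of the Domain Flux and IP Flux mechanisms above (example code written for this edit, not OpenDNS's), the following Python scores a constructed set of passive-DNS observations for both: a lexical DGA heuristic on the registered label and a fast-flux heuristic on TTL and answer churn. The observations, the thresholds and the use of /16 prefixes in place of ASN lookups are assumptions.

```python
import ipaddress
import math
from collections import defaultdict

# Constructed passive-DNS observations for this example, not from the paper:
# (queried name, unix time, TTL seconds, answer IP), using RFC 5737 ranges.
#   examp1e-shop.com  : fast-flux shape - tiny TTL, a fresh answer on every
#                       lookup, spread over unrelated /16 networks
#   example.org       : stable hosting, long TTL, one or two answers
#   xk7qvb2zr9plw.net : DGA-looking label that resolves to one fixed host
OBSERVATIONS = [
    ("update.examp1e-shop.com", 1000, 300, "203.0.113.10"),
    ("update.examp1e-shop.com", 1300, 300, "198.51.100.22"),
    ("update.examp1e-shop.com", 1600, 300, "192.0.2.77"),
    ("update.examp1e-shop.com", 1900, 300, "203.0.113.55"),
    ("update.examp1e-shop.com", 2200, 300, "198.51.100.140"),
    ("update.examp1e-shop.com", 2500, 300, "192.0.2.9"),
    ("www.example.org", 1000, 86400, "192.0.2.1"),
    ("www.example.org", 5000, 86400, "192.0.2.1"),
    ("www.example.org", 9000, 86400, "192.0.2.2"),
    ("xk7qvb2zr9plw.net", 1000, 3600, "203.0.113.200"),
    ("xk7qvb2zr9plw.net", 4600, 3600, "203.0.113.200"),
]
VOWELS = set("aeiou")

def shannon_entropy(text: str) -> float:
    """Bits per character of the string's character distribution."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname: str):
    """(registered domain, its second-level label). Simplification: assumes a
    one-label public suffix such as .com/.net/.org."""
    parts = qname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]), parts[-2]

def lexical_features(label: str) -> dict:
    letters = [c for c in label if c.isalpha()]
    longest = run = 0
    for c in label:                      # longest run of consecutive consonants
        run = run + 1 if (c.isalpha() and c not in VOWELS) else 0
        longest = max(longest, run)
    return {
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "vowel_ratio": round(sum(c in VOWELS for c in letters) / max(len(letters), 1), 3),
        "max_consonant_run": longest,
    }

def looks_generated(label: str) -> bool:
    """Domain-flux indicator: DGA output tends to be long, high-entropy and
    vowel-poor. Thresholds are illustrative, not tuned on real data."""
    f = lexical_features(label)
    votes = ((f["entropy"] >= 3.3) + (f["vowel_ratio"] <= 0.25)
             + (f["max_consonant_run"] >= 4) + (f["length"] >= 12))
    return votes >= 3

def flux_features(records) -> dict:
    """records: [(ts, ttl, ip), ...] for one registered domain. /16 prefixes
    stand in for ASN diversity, which is not available offline."""
    ips = {ip for _, _, ip in records}
    nets = {str(ipaddress.ip_network(ip + "/16", strict=False)) for ip in ips}
    return {"lookups": len(records), "unique_ips": len(ips),
            "unique_16s": len(nets), "min_ttl": min(ttl for _, ttl, _ in records)}

def looks_fast_flux(f: dict) -> bool:
    """IP-flux indicator per the paper: short TTLs and a large, constantly
    changing answer pool spread across unrelated networks."""
    return (f["min_ttl"] <= 600 and f["unique_ips"] >= 5
            and f["unique_16s"] >= 3 and f["unique_ips"] / f["lookups"] >= 0.5)

def triage(observations) -> dict:
    """Group observations by registered domain and score both flux types."""
    by_domain, labels = defaultdict(list), {}
    for qname, ts, ttl, ip in observations:
        domain, label = split_name(qname)
        by_domain[domain].append((ts, ttl, ip))
        labels[domain] = label
    report = {}
    for domain, recs in by_domain.items():
        ff = flux_features(recs)
        report[domain] = {"dga_like": looks_generated(labels[domain]),
                          "fast_flux": looks_fast_flux(ff), **ff}
    return report

if __name__ == "__main__":
    for domain, verdict in triage(OBSERVATIONS).items():
        print(domain, verdict)
```

Real deployments replace the /16 stand-in with ASN and geolocation lookups and tune the lexical thresholds against a corpus of known-good names.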
C&C COMMUNICATION DESCRIPTIONS
Once the bots have joined the botnet, they regularly maintain communications to receive new commands, send back data to the C&C servers, such as sensitive company or personal information, or learn how to adapt themselves in response to the security community's efforts to disrupt or take down their operations. There are advantages and disadvantages, as the following table explains.

Evolution      | Past         | Present
Topology       | Centralized  | Distributed or hybrid, yet many are still centralized
Protocols      | IRC or HTTP  | P2P
Setup          | Easy         | Hard
Detection      | Easy         | Hard
Communication  | Small delays | Small to medium delays
Resiliency     | Bad          | Good
Anonymity      | Bad          | Good

Based on the communication topology, different push and pull control mechanisms will be used together with the communication protocol. Also, command authentication can be added to the communication protocol, such as passwords or encryption certificates, to help mitigate outsiders taking command over the botnet from the cybercriminals; especially with P2P-based protocols.

Direction / Topology | Centralized                                       | Distributed
Push                 | IRC-based protocols                               | DDoS & spam attacks
Pull                 | HTTP-based protocols, IP Flux rallying mechanisms | P2P-based protocols

Centralized Topologies
All early botnets and still the majority of botnets today use centralized topologies via HTTP-based, IRC-based or other protocols because they are easier to set up and ensure that new commands are disseminated to large botnet populations quickly. However, centralized C&C servers are easier to detect and become a single point of failure for the botnet (see page 2).

Centralized Communications via IRC-based Protocols
Only one year after the IRC protocol was invented in 1988, programmers created the first bots to enable chat room (aka. channel) operators to log in, ensure the channel remained open, and to give them non-malicious control. At the turn of the century, many first-generation cybercriminals were very familiar with IRC as a simple, synchronized and scalable means to chat between thousands of hosts, so it was a natural evolution to utilize it for the first C&C communications in 1999. Despite the advent of instant-messaging (IM) protocols such as ICQ, AIM, and MSN Messenger that gained popularity over IRC for the masses, many "old school" networking and security professionals still use IRC. In fact, the original C&C functionality of three evolved IRC-based bot families – Agobot, SDBot, and GTBot – still constitutes a large percent of today's botnet infections, especially since some of the source code was published by its author, with occasional infections by variants of the DSNX, Q8, kaiten, and Perlbot IRC-based families. While almost the same in principle to IRC, there have been only a few botnets based on IM protocols due to the difficulty of creating individual IM accounts for each bot.

Centralized Communications via HTTP-based Protocols
However, as the security community adapted to use network firewalls to block seldom used or unnecessary ports at the Internet gateway, cybercriminals realized that a more ubiquitous C&C protocol was needed to blend in with normal user traffic. Ports 80 and 443, used for unencrypted and encrypted Web traffic over HTTP/S, are almost universally allowed through firewalls, and a few GET and POST requests used for C&C can easily be lost amongst the exponentially growing volume of legitimate Web traffic. HTTP-based botnets greatly accelerated with advances in do-it-yourself kits developed mainly by professional Russian cybercriminals for aspiring amateur cybercriminals, and in mid-2011 several botnet kits were leaked. Recently, public or social Web services have been gaining popularity as C&C hosts via obfuscated commands due to their added anonymity, openness and scalability. However, the security research community can also leverage this openness to quickly shut such botnets down. IDS/IPS solutions can often detect suspicious URI strings or nonstandard HTTP headers (e.g. Entity-Info, Magic-Number) used by botnets (e.g. Bredolab).

Centralized Communications via Other Protocols
FTP isn't commonly seen in the wild; however, several phishing or banking Trojan horses regularly drop off stolen data to FTP servers. Some botnets use custom UDP-only protocols, which, while easily blocked by business networks, often are able to bypass misconfigured firewalls.
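The IDS/IPS check mentioned under HTTP-based protocols above, nonstandard headers and suspicious URI strings, as an added example (not the paper's or any product's code): a small inspection rule run over two constructed HTTP requests. The header allowlist, the 32-character opaque-token rule and the sample requests are assumptions made for this example.

```python
import re

# Request headers an inspection rule would normally expect from browsers and
# common client libraries (illustrative allowlist, tuned per site in practice).
STANDARD_REQUEST_HEADERS = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "accept-charset", "connection", "content-type", "content-length", "cookie",
    "referer", "cache-control", "pragma", "origin", "authorization", "range",
    "if-modified-since", "if-none-match", "upgrade-insecure-requests", "te",
    "x-requested-with", "dnt",
}

# 32+ opaque characters in a path or query string: the shape an encoded or
# obfuscated command/beacon payload tends to have in a URI.
OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{32,}")

# Constructed sample requests (not real traffic). The second one carries the
# two nonstandard header names the paper cites and an opaque query token.
BENIGN_REQUEST = (
    "GET /news/index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\n"
    "Accept-Language: en-US\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)
BEACON_REQUEST = (
    "POST /check.php?d=aGVsbG8tY29uc3RydWN0ZWQtc2FtcGxlLWJlYWNvbg HTTP/1.1\r\n"
    "Host: 203.0.113.45\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "Entity-Info: 1\r\n"
    "Magic-Number: 4711\r\n"
    "Content-Length: 4\r\n"
    "\r\n"
    "ping"
)


def parse_request(raw: str):
    """Split a raw HTTP/1.x request head into (method, uri, {name: value}).
    Header names are lower-cased because HTTP treats them case-insensitively."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def inspect_request(raw: str) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    method, uri, headers = parse_request(raw)
    findings = []
    # 1. Header names outside the allowlist (the paper's Entity-Info / Magic-Number case).
    unknown = sorted(h for h in headers if h not in STANDARD_REQUEST_HEADERS)
    if unknown:
        findings.append("nonstandard headers: " + ", ".join(unknown))
    # 2. Long opaque token in the URI.
    if OPAQUE_TOKEN.search(uri):
        findings.append("opaque token in URI")
    # 3. A POST with no declared Content-Type is unusual for browser traffic.
    if method == "POST" and "content-type" not in headers:
        findings.append("POST without Content-Type")
    return findings


if __name__ == "__main__":
    for name, raw in (("benign", BENIGN_REQUEST), ("beacon", BEACON_REQUEST)):
        print(name, inspect_request(raw) or "clean")
```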
Distributed Topologies (via P2P-based protocols)
Peer-to-peer (P2P) communications were created to distribute file sharing (e.g. MP3s) amongst large populations. From 1999 to 2003, P2P topologies and protocols quickly evolved to add robustness, stealth and mobility against the recording industry's and ISPs' attempts to disrupt communications and/or prosecute guilty individuals; exactly what cybercriminals also seek for their botnet C&C communications. Using structured P2P communications as a C&C topology was first envisioned as early as 2000, but the first botnets to use it appeared in 2003, the security research community began to publish its use in 2005, and it wasn't until 2006 that they achieved some limited success. The bots are able to loosely communicate amongst their peers using the same or similar non-RFC TCP, UDP (used to bypass NAT situations) or encrypted ICMP protocols as many file sharing clients (see page 2). This topology offers the botnet better anonymity and resiliency without any single points of failure, at the expense of higher setup overhead and communication latency. However, since the knowledge about participating peers is distributed throughout the botnet itself, which gives the security research community equal access to this information, cybercriminals evolved the standard P2P protocols to include proprietary authentication.

A future evolution for P2P-based botnet C&C would be to blend in with common encrypted P2P protocol traffic found ubiquitously within business networks. Fortunately, only one such protocol really exists today: Skype. Despite known malware instances using Skype plugins and its API, to the best of the security community's knowledge, Skype-based botnets are still exclusively theoretical. In 2005, researchers presented an extremely distributed C&C topology using random, unstructured P2P communications broadcast to any other available peers. While one of the very first experimental P2P botnets in 2003 had used such a method, it was not successful, and no other botnets have since been reported to use this topology.

Hybrid Topologies
Advanced hybrid, hierarchical C&C architectures combine the stealth from a few centralized C&C servers and the robustness from distributed peers to prevent take down. For example, one group of bots acts as servants, behaving as both clients and servers; these have static, non-private IP addresses and are accessible from the global Internet. The second group of bots only acts as clients since they don't accept incoming connections. The second group contains the remaining bots, including: (1) bots with dynamic IP addresses; (2) bots with private IP addresses; or (3) bots behind firewalls, such that they cannot be connected to from the global Internet. Only servant bots are candidates in peer lists. Another example is the Hierarchical Kademlia bot, which extends the base Kademlia bot. Each level in the hierarchy consists of a set of clusters or islands of bots. These clusters use Kademlia for intra-cluster communication. Each cluster has a super peer that is responsible for communicating with other super peers in the next level up in the hierarchy. The super peers thus facilitate inter-cluster communication (see page 2).
Overall, despite the advancements that cybercriminals have developed, some of the oldest botnet C&C communication techniques are still being used today due to their availability via open or leaked source code, or do-it-yourself kits. The table below provides a few data points published by the security community over the past few years.

C&C Communications  | Apr 2008       | 2008     | 2009     | Q2 2010   | 2011
                    | Arbor Networks | Symantec | Symantec | Microsoft | govcert.nl
Centralized / IRC   | 90%            | 44%      | 31%      | 38.2%     | 30%
Centralized / HTTP  | 4%             | 57%      | 69%      | 29.1%     |
Distributed / P2P   | 5%             | n/a      | n/a      | 2.3%      | 70%
Other               | 1%             | n/a      | n/a      | 30.5%     |
DNS-based Communications within Any Topology
Essentially, DNS records are abused to traffic data in and out of a network. Every type of record (NULL, TXT, SRV, MX, CNAME or A) can be used, but the speed of the connection differs by the amount of data that can be stored in a single record (see page 2).

Notable Quote from Ed Skoudis, Founder of Counter Hack Challenges and SANS Fellow (Feb 2012)
"Number of malware threats that receive instructions from attackers through DNS is expected to increase, and most companies are not currently scanning for such activity on their networks, security experts said at the RSA Conference 2012 on Tuesday. While most malware-generated traffic passing through most channels used for communicating with botnets (such as TCP, IRC, HTTP or Twitter feeds and Facebook walls) can be detected and blocked, it's not the case for DNS (Domain Name System) and attackers are taking advantage of that."
http://www.circleid.com/posts/malware_increasingly_uses_dns_as_command_and_control_channel/

The outbound phase starts with the bot on the compromised device requesting a response from the local host or network DNS server for a DNS query to [data].cnc-domain.tld. The data (base32-encoded) is split and placed in the third- and lower-level domain name labels of multiple queries. Since there will be no cached response on either local DNS server, the requests are forwarded to the ISP's recursive DNS servers, which in turn will get responses from the cybercriminal's authoritative name server.

For the inbound phase, TXT records can store the most data (base64-encoded), reaching up to 110 kbps in typical DNS tunnel implementations, but they may not be ideal for botnets trying to avoid detection by network devices, since these are not common records. Unfortunately, simply blocking TXT records as a defense method is insufficient, because it will break other protocols (e.g. SPF, DKIM), and alternative DNS records such as CNAME are common and, used in series, can still transmit detailed instructions for the compromised host to act on.

Alternatively, if two-way communication is not necessary, either the queries or the responses can exclude the encoded outbound or inbound data, respectively. This would make the transfer more inconspicuous to avoid anomaly detection systems.

At present, there are not many countermeasures cited by the security community that are "silver bullets" to detect DNS-based botnet C&C communications. While some larger, security-aware organizations could use techniques such as "split horizon" DNS to force internal hosts to send their DNS requests only through the network DNS server and then use statistical anomaly detection (aka. signatures) for this DNS traffic, there are unfortunately little to no readily-available signatures that are well tested to both guarantee protection and cause no false positives.
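To show what the DNS-based channel described above looks like in a resolver's query log, and how the statistical anomaly detection mentioned in the countermeasures paragraph could start, here is an added Python example (written for this edit, not from the paper or OpenDNS): it synthesizes queries shaped like the outbound phase (base32 data in labels below the paper's placeholder zone cnc-domain.tld) next to ordinary traffic that includes SPF, DMARC and DKIM TXT lookups, then scores each registered domain. The log format, the sample lines and the thresholds are assumptions.

```python
import base64
from collections import defaultdict

# Constructed query-log lines for this example (not from the paper), in the
# form "<ts> <client> <qname> <qtype>". The example.com traffic is ordinary;
# its SPF, DMARC and DKIM lookups are TXT queries, which is why the paper says
# blocking TXT outright breaks legitimate mail protocols.
BENIGN_LOG = [
    "1000 10.0.0.7 www.example.com A",
    "1001 10.0.0.7 www.example.com AAAA",
    "1002 10.0.0.8 mail.example.com A",
    "1003 10.0.0.8 example.com MX",
    "1004 10.0.0.8 example.com TXT",                       # SPF
    "1005 10.0.0.8 _dmarc.example.com TXT",                # DMARC
    "1006 10.0.0.9 selector1._domainkey.example.com TXT",  # DKIM
    "1007 10.0.0.7 www.example.com A",
    "1008 10.0.0.9 cdn.example.com A",
]


def base32_labels(data: bytes, max_label: int = 63) -> list:
    """Shape of the paper's outbound phase: base32-encode the chunk, then cut it
    into DNS-legal labels of at most 63 characters."""
    enc = base64.b32encode(data).decode().rstrip("=").lower()
    return [enc[i:i + max_label] for i in range(0, len(enc), max_label)]


def synthesize_tunnel_log(n: int, chunk: int = 60) -> list:
    """n constructed queries, each carrying one 60-byte chunk below the paper's
    placeholder zone cnc-domain.tld (constructed sample data)."""
    lines = []
    for i in range(n):
        payload = f"constructed sample record {i:03d} ".encode().ljust(chunk, b"x")
        sub = ".".join(base32_labels(payload))
        lines.append(f"{2000 + i} 10.0.0.5 {sub}.cnc-domain.tld A")
    return lines


def split_zone(qname: str):
    """(registered domain, subdomain part). Assumes a one-label public suffix."""
    parts = qname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]), ".".join(parts[:-2])


def analyse(log_lines) -> dict:
    """Per registered domain: query volume, subdomain churn, label sizes,
    TXT/NULL share and an upper bound on base32-carried outbound bytes."""
    acc = defaultdict(lambda: {"queries": 0, "subs": set(), "chars": 0,
                               "max_label": 0, "txt_null": 0})
    for line in log_lines:
        _ts, _client, qname, qtype = line.split()
        zone, sub = split_zone(qname)
        labels = [lab for lab in sub.split(".") if lab]
        a = acc[zone]
        a["queries"] += 1
        a["subs"].add(sub)
        a["chars"] += sum(len(lab) for lab in labels)
        a["max_label"] = max([a["max_label"]] + [len(lab) for lab in labels])
        a["txt_null"] += qtype in ("TXT", "NULL")
    report = {}
    for zone, a in acc.items():
        q = a["queries"]
        report[zone] = {
            "queries": q,
            "unique_subdomains": len(a["subs"]),
            "unique_ratio": round(len(a["subs"]) / q, 2),
            "avg_sub_chars": round(a["chars"] / q, 1),
            "max_label": a["max_label"],
            "txt_null_share": round(a["txt_null"] / q, 2),
            # base32 packs 5 bits per character; only meaningful for candidates
            "est_outbound_bytes": a["chars"] * 5 // 8,
        }
    return report


def is_tunnel_candidate(z: dict, min_queries: int = 8) -> bool:
    """A tunnel emits a stream of long, never-repeating subdomains; ordinary
    zones reuse a handful of short hostnames. Thresholds are illustrative."""
    return (z["queries"] >= min_queries and z["unique_ratio"] >= 0.8
            and z["avg_sub_chars"] >= 40)


if __name__ == "__main__":
    for zone, z in analyse(BENIGN_LOG + synthesize_tunnel_log(12)).items():
        print(zone, "TUNNEL?" if is_tunnel_candidate(z) else "ok", z)
```

Note that example.com keeps a one-third TXT share without being flagged: volume of unique, long subdomains per zone separates the tunnel from mail-protocol lookups where a record-type block would not.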
OpenDNS, Inc. • www.opendns.com • 1.877.811.2367
Copyright © 2012 OpenDNS, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of OpenDNS, Inc. Information contained in this document is believed to be accurate and reliable, however, OpenDNS, Inc. assumes no responsibility for its use.
SWP-Botnets-V1-0612
Tech Doc: Umbrella Delivery Platform
 
Datasheet: Umbrella Everywhere Solution Overview
Datasheet: Umbrella Everywhere Solution OverviewDatasheet: Umbrella Everywhere Solution Overview
Datasheet: Umbrella Everywhere Solution Overview
 
White Paper: Defense In Breadth
White Paper: Defense In BreadthWhite Paper: Defense In Breadth
White Paper: Defense In Breadth
 
OpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform TechnologyOpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform Technology
 
SWG Buyer Guide: Competitive Comparison
SWG Buyer Guide: Competitive ComparisonSWG Buyer Guide: Competitive Comparison
SWG Buyer Guide: Competitive Comparison
 

Dernier

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 

Dernier (20)

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 

OpenDNS Whitepaper: DNS's Role in Botnet C&C

• 1.
SECURITY WHITEPAPER
The Role of DNS in Botnet Command and Control (C&C)

DNS is powerful, ubiquitous and yet ignored by most organizations. Today, cybercriminals rely on DNS for rallying infected devices to join a botnet and to mitigate takedowns by authorities. In 2011, cybercriminals started covertly tunneling botnet communications over DNS traffic to mitigate detection by security solutions, despite security researchers widely publishing this threat in 2004!

QUESTION: What do you know about 101.cnc.com?
• Are any devices outside your network trying to resolve such domain hostnames through your network?
• Are any devices within your network trying to resolve hostnames to that domain?

ANSWER: Analyze logs... Stored on:
• DNS servers,
• Web servers, or
• Firewalls.

RESULT: Post-damage forensics
• Locates infected devices delegated to be proxies or name servers for botnet C&C.
• Locates infected devices attempting to tunnel botnet C&C communications over DNS.

If you cannot answer the above questions, either because you don't keep these logs, they're not readily available, or you wouldn't know how to analyze them, you're likely blind to infected devices that have compromised your network by performing these botnet command and control (C&C) activities.

A botnet's principal single point of failure, and its beacon to security researchers, is its Internet-wide C&C architecture. From 2007-8, cybercriminals began building distributed or hybrid C&C topologies leveraging more advanced DNS-based C&C rallying mechanisms, such as third-party dynamic DNS services or their own distributed DNS services, to enable C&C communications to be redirected through their own distributed proxy service. Infected devices within insecure home or business networks host these services. DNS is used to add robustness and mobility, to remove single points of failure within the architecture and to provide anonymity for the cybercriminals running botnet C&C servers (see page 2). Fluxing the domain names and/or the IP addresses in DNS records used by botnets makes them more difficult for the security community to take down or take over.

Today, most botnets rely on a mix of P2P-, HTTP- or IRC-based protocols to communicate between bots and/or C&C servers. However, in late 2011, security researchers began publishing papers and blogs on botnets, such as "Morto", "Feederbot" and "Katusha/Timestamper", using a covert C&C communication method known as DNS tunneling to add stealth.1 DNS tunneling is not new; it has existed since 1998 and the first implementation was published by Slashdot in 2000. In 2004, Dan Kaminsky widely presented his implementation to tunnel arbitrary data over DNS to the security community, but it lost their short-term attention as other exploited DNS vulnerabilities, such as DNS cache poisoning, became more prevalent.2 Today, many popular DNS tunnels exist that are readily available for cybercriminals to build botnets that bypass firewall filters or Web proxies.3 Ethical hackers have constructed a reverse shellcode exploit that could provide cybercriminals VPN and remote access into an insecure network using valid DNS syntax to avoid detection.4 Furthermore, with the future adoption of DKIM, IPv6 and other extensions to the basic DNS protocol, big and complex packets within DNS traffic will become more common, which helps DNS-based botnet C&C communications blend in more easily and efficiently since they will appear normal in DNS query streams (see page 2).

In the arms race between cybercriminal organizations and the security community, C&C techniques have become so robust, stealthy and mobile that botnets are ubiquitous in both home and business networks despite so-called "next generation" security solutions' best attempts to prevent all malware. The "defense-in-depth" strategy needs to migrate from adding prevention layers to adding containment layers. DNS traffic is often examined after security incidents; for example, Google discovered the advanced and persistent "Aurora" botnet that breached its network by analyzing DNS logs after damage occurred. The most costly damage is no longer the lost time for IT to remediate infected devices, but the stolen data enclosing sensitive company or personal info for legal and regulatory bodies to resolve.

[Figure: "Defense-in-depth" strategy migration: DETECT MALWARE (infected device / insecure network), PREVENT MALWARE (uninfected device / secure network), CONTAIN BOTNETS (infected device / secure network).]

1 http://bit.ly/Symantec_Morto, http://bit.ly/Dietrich_Feederbot, http://bit.ly/CHMag_Katusha
2 http://bit.ly/Kaminsky_DNStunneling
3 http://bit.ly/NSTX_DNS, http://bit.ly/OzymanDNS, http://bit.ly/TCP-over-DNS, http://bit.ly/Iodine_DNS, http://bit.ly/Dns2tcp, http://bit.ly/DNScat, http://bit.ly/DeNiSe
4 http://bit.ly/Shellcode
• 2.
[Figure: "Evolution of Botnet C&C", a timeline from 1983 to 2012 plus a "Future" column, in four phases: malware (viruses, worms, Trojans, etc.) infecting devices that are isolated; infected devices being connected to form robot networks (aka. botnets); botnets being ubiquitous; future. Milestones are plotted along P2P, HTTP, IRC and DNS rows: benign bot; malicious bot; 1st IRC-based botnets; IRC seed domain; domain flux; crypto; bots change host DNS settings; 1st HTTP-based botnets; 1st Web site/service-based botnets; 1st prototype fully P2P-based botnet; 1st successful P2P-based botnets; 1st hybrid P2P/HTTP-based botnets; IP flux (single); IP flux (double); DNS tunneling; DNS tunneling developed for cybercrime; 1st fully DNS-based botnets; botnet pervasive.]

[Figure: "C&C Rallying Mechanisms" (one example): centralized, distributed and hybrid C&C topologies. DNS-based rallying mechanisms help cybercriminals stop takedowns by removing single points of failure. Dynamic and distributed DNS services (ns1.cnc.tld, ns2.cnc.tld) answer the query "where is cnc.tld?" with fluxing addresses (1.1.1.1, 2.2.2.2); DNS traffic and HTTP traffic are redirected through distributed proxy services; an HTTP GET to the resolved address carries command and control. The same bot can be a proxy, a name server and a client.]

[Figure: "DNS-based C&C communication helps avoid detection by blending in": a network that only allows basic resolvers on port 53 and Web traffic on ports 80/443, with no sinkhole, no proxy and no filter. "DNS tunneling for covert C&C communications": encoded data chunks are carried as query labels (00110.01010.11010. … flux.cnc.tld), which leaks data, and the responses carry encoded command chunks (01110 + 11011 + … 11100), which delivers control.]
• 3.
The Past, Present and Future of Significant Botnet C&C Techniques

C&C Attributes: Past / Present / Future

RALLYING MECHANISMS
  Past: Centralized topology using static IP lists
  Present: Distributed or hybrid topology using domain flux and/or IP flux (via DNS records)
> Static Lists
  Past: IP addresses
  Present: Domain names and/or IP addresses
> Domain Flux > Seeding
  Present: Predictable timestamp
  Future: Dynamic content hidden on popular websites (e.g. Twitter trends) that can be customized in do-it-yourself kits
> Domain Flux > Crypto
  Present: Static
  Future: Frequently changing
> Domain Flux > Names
  Present: Random characters
  Future: Dictionary word combinations
> Domain Flux > Volume
  Present: Hundreds of domains
  Future: Tens of thousands of domains
> IP Flux > Records
  Past: Single flux networks changing A resource records (first seen in the Storm/Peacomm botnets in 2007)
  Present: Double flux networks changing both A and NS resource records (first seen in the Asprov botnet in 2008)
> IP Flux > Service
  Past: Existing dynamic DNS services or "personalized" third-level domain (3LD) services. Alternatively, custom DNS servers on bulletproof hosts, which allow a cybercriminal to bypass the laws or contractual terms of service regulating Internet content and service use in its country of operation and are unlikely to cooperate with authorities.
  Present: As dynamic DNS services are taking a more aggressive stance against botnet abuse, and governments are cooperating more quickly with the security community, cybercriminals are building their own distributed DNS services using multiple compromised hosts. Often these are initially bootstrapped via custom DNS servers on bulletproof hosts.

COMMUNICATION
  Past: Centralized topology using IRC- or HTTP-based protocols
  Present: Distributed or hybrid topology using P2P- and/or HTTP-based protocols
  Future: Hybrid topology with protocol tunneling such as DNS traffic
> IRC > Client
  Past: Common IRC client
  Present: Cybercriminal's custom IRC client
> HTTP > DIY Kits
  Past: Paid do-it-yourself malware exploit kits (e.g. Mpack, ICEPack, Fiesta)
  Present: Paid or open-source do-it-yourself botnet kits (e.g. Zeus, SpyEye, TDSS)
> HTTP > Protocol
  Past: Unencrypted
  Present: Encrypted
> HTTP > Hosts
  Past: Privately owned Web servers
  Present: Public Web 2.0 services (e.g. Amazon Elastic Compute Cloud, Google App Engine) and social network sites (e.g. Twitter, Facebook, Google Groups)
> P2P > Port
  Past: Non-standard port numbers used by P2P protocols
  Present: Standard port numbers used by common encrypted protocols (e.g. SSH, HTTPS)
> P2P > Protocol
  Past: Unauthenticated
  Present: Authenticated
> P2P > Discovery
  Past: Centralized in cache servers
  Present: Distributed hash tables across the network
> DNS
  Past: Not used
  Present: Phone home, data exfiltration and/or bot instructions
  Future: Trickled, non-consecutive DNS queries over long time periods to further mitigate detection
• 4.
C&C RALLYING MECHANISM DESCRIPTIONS

The rallying mechanism enables new bots to locate their peers or the C&C servers and join the botnet. While rallying can also be related to botnet recruitment and propagation, the following mechanisms are only for the purposes of networking the bots.

If the security community is 100% successful in shutting down or hijacking the rallying mechanisms, the botnet falls apart into a benign collection of discrete, unorganized infections. However, if even a few C&C servers remain alive, the botnet can adapt and reconfigure itself to be undetected or protected behind the virtual walls of international jurisdiction. Several movie analogies come to mind, such as Terminator's shape-shifting T-1000 series cyborg or Star Trek's Borg collective; both these entities are very resilient unless the entire control mechanism is eliminated. Today, many botnets use a hybrid of up to all three of the following techniques, where one may initiate the rallying, one maintains the rallying, and another backs up the rallying if the other one or two are disrupted.

Static Lists
Early botnets primarily used hardcoded static lists of IP addresses or domain names. However, many firewalls can add an optional feed of known bad IP addresses to help mitigate this legacy technique, and it is often not agile enough for today's large botnet operations. While some compromised hosts will initially rely on static IPs to bootstrap communications with the botnet, they then switch to one of the following, more robust methods. For added mobility, cybercriminals used domain names with round-robin/multi-homing techniques to associate multiple IP addresses with a single DNS record, or dynamic DNS services, but without abusing them via IP flux, which is described next.

IP Flux
Modern botnets primarily use one or more hard-coded domain names that DNS servers resolve to many different IP addresses over a short span of time. This technique is also widely known as "Fast Flux" Service Networks (FFSN), as it is also associated with spam and phishing attacks. However, the term "IP Flux" best describes the result: rapidly changing the location (i.e. IP address) to which the domain name of an Internet host (A) or authoritative name server (NS) resolves, caused by rapid and repeated changes to DNS records using very low time-to-live (TTL) cache settings. Relative to using IP lists, taking down malicious DNS records is often more difficult than taking down compromised IP addresses, because many records can be established for the same or many IP addresses.

These locations are actually a network of compromised hosts that act as front-end nodes to proxy DNS and C&C communication protocols to a group of backend C&C servers, commonly referred to as a "fast flux mothership" (see page 2). This second layer of abstraction further increases the anonymity, security, high availability and load balancing of the botnet. It makes it nearly impossible to filter only by IP address, ASNs or geo-location, and adds resiliency to takedown attempts as it shifts the centralizing agent of control from the C&C servers to the distributed DNS architecture. In many ways the idea is comparable to Content Delivery Networks (CDN). It has evolved and advanced since the Honeynet Project Research Alliance first discovered its use.

The evolution for cybercriminals to use their own authoritative name servers has added greater robustness and mobility to IP Flux, and makes successful takedown more difficult for the security community. Alternatively, if the compromised devices are redirected to the cybercriminals' own recursive DNS servers, bots are able to resolve domain names to different IP addresses than the rest of the Internet does; so, for example, if a security researcher or other network device tries to access the domain, it may appear not to exist. It also allows the bot to resolve well-known domain names (e.g. google.com) to C&C servers.

Domain Flux
The botnet uses domain names cryptographically generated by a Domain Generation Algorithm (DGA), which makes it more difficult for static reputation systems to maintain an accurate list of all possible C&C domains, or for the security community to attempt to hijack the domain. Many cybercriminals register only a few of the possible generated domains at a time, using dynamic DNS services. In limited recent cases, such as the "Android bot", URL Flux has been used, which is similar to domain flux in that the bot uses a list of usernames generated by a Username Generation Algorithm (UGA), from which it selects a username to visit on a Web 2.0 site.
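The following Python script is an added illustration, not part of the OpenDNS whitepaper, of how a defender can look for the two rallying indicators just described in passive-DNS style records: IP flux (a name whose answers rotate across many addresses and networks under very low TTLs) and domain flux (registered labels that look machine-generated rather than chosen by a person). The records, domain names, addresses and thresholds are all constructed for the example.

```python
"""Flag IP flux and domain flux indicators in passive-DNS style records.

Added illustration for the rallying-mechanism section; not OpenDNS code.
Every record, name, address and threshold here is constructed.
"""
import math
from collections import Counter, defaultdict

# Constructed passive-DNS observations: (epoch seconds, qname, rtype, ttl, rdata)
RECORDS = [
    # A name whose answer rotates across three /16s every minute with a 60 s TTL
    (1000, "flux.example-cnc.test", "A", 60, "198.51.100.7"),
    (1060, "flux.example-cnc.test", "A", 60, "203.0.113.21"),
    (1120, "flux.example-cnc.test", "A", 60, "192.0.2.99"),
    (1180, "flux.example-cnc.test", "A", 60, "198.51.100.200"),
    (1240, "flux.example-cnc.test", "A", 60, "203.0.113.5"),
    (1300, "flux.example-cnc.test", "A", 60, "192.0.2.14"),
    # Ordinary records: long TTLs, stable answers
    (1000, "www.example.test", "A", 3600, "192.0.2.1"),
    (4600, "www.example.test", "A", 3600, "192.0.2.1"),
    (1000, "mail.example.test", "A", 3600, "192.0.2.25"),
    # CDN-like name: short TTL, but only two addresses inside one network
    (1000, "cdn.example.test", "A", 300, "192.0.2.10"),
    (1300, "cdn.example.test", "A", 300, "192.0.2.11"),
    # A registered label that looks algorithmically generated
    (1000, "xq7vkz2pwmb9t.test", "A", 300, "203.0.113.77"),
]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registered_label(qname: str) -> str:
    """Second-level label, e.g. 'example-cnc' for 'flux.example-cnc.test'.
    A real deployment would consult the Public Suffix List instead of
    assuming a two-label suffix."""
    labels = qname.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def slash16(ip: str) -> str:
    """Coarse network prefix: are the answers spread across providers?"""
    return ".".join(ip.split(".")[:2])


def ip_flux_report(records, max_ttl=300, min_ips=5, min_prefixes=3):
    """Return {qname: stats} for names whose A answers rotate across many
    addresses and networks while carrying low TTLs (the IP flux pattern)."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for _ts, qname, rtype, ttl, rdata in records:
        if rtype == "A":
            ips[qname].add(rdata)
            ttls[qname].append(ttl)
    flagged = {}
    for qname, addrs in ips.items():
        prefixes = {slash16(ip) for ip in addrs}
        low_ttl = min(ttls[qname])
        if low_ttl <= max_ttl and len(addrs) >= min_ips and len(prefixes) >= min_prefixes:
            flagged[qname] = {"distinct_ips": len(addrs),
                              "distinct_prefixes": len(prefixes),
                              "min_ttl": low_ttl}
    return flagged


def domain_flux_report(records, min_len=10, max_vowel_ratio=0.2, min_entropy=3.3):
    """Return {label: stats} for registered labels that look DGA-generated:
    long, vowel-poor, high-entropy strings. Entropy alone is a weak signal
    ('example-cnc' scores above 3 bits), so the three tests are combined."""
    flagged = {}
    for _ts, qname, *_ in records:
        label = registered_label(qname)
        if label in flagged:
            continue
        core = label.replace("-", "")
        vowel_ratio = sum(ch in "aeiou" for ch in core) / len(core) if core else 0.0
        entropy = shannon_entropy(core)
        if len(core) >= min_len and vowel_ratio <= max_vowel_ratio and entropy >= min_entropy:
            flagged[label] = {"length": len(core),
                              "vowel_ratio": round(vowel_ratio, 2),
                              "entropy": round(entropy, 2)}
    return flagged


if __name__ == "__main__":
    for name, stats in ip_flux_report(RECORDS).items():
        print("IP flux candidate:", name, stats)
    for label, stats in domain_flux_report(RECORDS).items():
        print("Domain flux candidate:", label, stats)
```

The `cdn.example.test` records show the caveat the whitepaper itself raises by comparing fast flux to CDNs: content delivery networks also rotate addresses under short TTLs, so the prefix-count and address-count thresholds, plus an allowlist of known CDN domains, are what keep this heuristic from paging on legitimate traffic.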
• 5.
C&C COMMUNICATION DESCRIPTIONS

Once the bots have joined the botnet, they regularly maintain communications to receive new commands, send data back to the C&C servers (such as sensitive company or personal information), or learn how to adapt in response to the security community's efforts to disrupt or take down the botnet's operations. There are advantages and disadvantages, as the following table explains.

Evolution: Past / Present
  Topology: Centralized / Distributed or hybrid, yet many are still centralized
  Protocols: IRC or HTTP / P2P
  Setup: Easy / Hard
  Detection: Easy / Hard
  Communication: Small delays / Small to medium delays
  Resiliency: Bad / Good
  Anonymity: Bad / Good

Based on the communication topology, different push and pull control mechanisms will be used together with the communication protocol. Also, command authentication, such as passwords or encryption certificates, can be added to the communication protocol to help prevent outsiders from taking command of the botnet away from the cybercriminals, especially with P2P-based protocols.

Direction / Topology: Centralized / Distributed
  Push: IRC-based protocols / DDoS & spam attacks
  Pull: HTTP-based protocols, IP Flux rallying mechanisms / P2P-based protocols

Centralized Topologies
All early botnets, and still the majority of botnets today, use centralized topologies via HTTP-based, IRC-based or other protocols because they are easier to set up and ensure that new commands are disseminated to large botnet populations quickly. However, centralized C&C servers are easier to detect and become a single point of failure for the botnet (see page 2).

Centralized Communications via IRC-based Protocols
Only one year after the IRC protocol was invented in 1988, programmers created the first bots to enable chat room (aka. channel) operators to log in, ensure the channel remained open, and give them non-malicious control. At the turn of the century, many first-generation cybercriminals were very familiar with IRC as a simple, synchronized and scalable means to chat between thousands of hosts, so it was a natural evolution to utilize it for the first C&C communications in 1999. Despite the advent of instant-messaging (IM) protocols such as ICQ, AIM and MSN Messenger that gained popularity over IRC for the masses, many "old school" networking and security professionals still use IRC. In fact, the original C&C functionality of three evolved IRC-based bot families – Agobot, SDBot and GTBot – still constitutes a large percentage of today's botnet infections, especially since some of the source code was published by its author, with occasional infections by variants of the DSNX, Q8, kaiten and Perlbot IRC-based families. While almost the same in principle as IRC, there have been only a few botnets based on IM protocols due to the difficulty of creating individual IM accounts for each bot.

Centralized Communications via HTTP-based Protocols
However, as the security community adapted to use network firewalls to block seldom-used or unnecessary ports at the Internet gateway, cybercriminals realized that a more ubiquitous C&C protocol was needed to blend in with normal user traffic. Ports 80 and 443, used for unencrypted and encrypted Web traffic over HTTP/S, are almost universally allowed through firewalls, and a few GET and POST requests used for C&C can easily be lost amongst the exponentially growing volume of legitimate Web traffic. HTTP-based botnets greatly accelerated with advances in do-it-yourself kits, developed mainly by professional Russian cybercriminals for aspiring amateur cybercriminals, and in mid-2011 several botnet kits were leaked. Recently, public or social Web services have been gaining popularity as C&C hosts via obfuscated commands due to their added anonymity, openness and scalability. However, the security research community can also leverage this openness to quickly shut such botnets down. IDS/IPS solutions can often detect suspicious URI strings or nonstandard HTTP headers (e.g. Entity-Info, Magic-Number) used by botnets (e.g. Bredolab).

Centralized Communications via Other Protocols
FTP isn't commonly seen in the wild; however, several phishing or banking Trojan horses regularly drop off stolen data to FTP servers. Some botnets use custom UDP-only protocols, which, while easily blocked by business networks, are often able to bypass misconfigured firewalls.
• 6.
Distributed Topologies (via P2P-based protocols)
Peer-to-peer (P2P) communications were created to distribute file sharing (e.g. MP3s) amongst large populations. From 1999 to 2003, P2P topologies and protocols quickly evolved to add robustness, stealth and mobility against the recording industry's and ISPs' attempts to disrupt communications and/or prosecute guilty individuals; exactly what cybercriminals also seek for their botnet C&C communications. Using structured P2P communications as a C&C topology was first envisioned as early as 2000, but the first botnets to use it appeared in 2003; the security research community began to publish on its use in 2005, and it wasn't until 2006 that they achieved some limited success. The bots are able to loosely communicate amongst their peers using the same or similar non-RFC TCP, UDP (used to bypass NAT situations) or encrypted ICMP protocols as many file sharing clients (see page 2). This topology offers the botnet better anonymity and resiliency without any single points of failure, at the expense of higher setup overhead and communication latency. However, since the knowledge about participating peers is distributed throughout the botnet itself, which gives the security research community equal access to this information, cybercriminals evolved the standard P2P protocols to include proprietary authentication.

A future evolution for P2P-based botnet C&C would be to blend in with common encrypted P2P protocol traffic found ubiquitously within business networks. Fortunately, only one such protocol really exists today: Skype. Despite known malware instances using Skype plugins and its API, to the best of the security community's knowledge, Skype-based botnets are still exclusively theoretical.

In 2005, researchers presented an extremely distributed C&C topology using random, unstructured P2P communications broadcast to any other available peers. While one of the very first experimental P2P botnets in 2003 had used such a method, it was not successful, and no other botnets have since been reported to use this topology.

Hybrid Topologies
Advanced hybrid, hierarchical C&C architectures combine the stealth of a few centralized C&C servers and the robustness of distributed peers to prevent takedown. For example, one group of bots act as servants, since they behave as both clients and servers; they have static, non-private IP addresses and are accessible from the global Internet. The second group of bots only act as clients, since they don't accept incoming connections. The second group contains the remaining bots, including: (1) bots with dynamic IP addresses; (2) bots with private IP addresses; or (3) bots behind firewalls such that they cannot be connected to from the global Internet. Only servant bots are candidates in peer lists.

Another example is the Hierarchical Kademlia bot, which extends the base Kademlia bot. Each level in the hierarchy consists of a set of clusters or islands of bots. These clusters use Kademlia for intra-cluster communication. Each cluster has a super peer that is responsible for communicating with other super peers in the next level up in the hierarchy. The super peers thus facilitate inter-cluster communication (see page 2).

Overall, despite the advancements that cybercriminals have developed, some of the oldest botnet C&C communication techniques are still being used today due to their availability via open or leaked source code, or do-it-yourself kits. The table below provides a few data points published by the security community over the past few years.

C&C Communications (source, period: share)
  Centralized / IRC: Arbor Networks, Apr 2008: 90%; Symantec, 2008: 44%; Symantec, 2009: 31%; Microsoft, Q2 2010: 38.2%; govcert.nl, 2011: 30%
  Centralized / HTTP: Arbor Networks, Apr 2008: 4%; Symantec, 2008: 57%; Symantec, 2009: 69%; Microsoft, Q2 2010: 29.1%
  Distributed / P2P: Arbor Networks, Apr 2008: 5%; Symantec, 2008: n/a; Symantec, 2009: n/a; Microsoft, Q2 2010: 2.3%; govcert.nl, 2011: 70%
  Other: Arbor Networks, Apr 2008: 1%; Symantec, 2008: n/a; Symantec, 2009: n/a; Microsoft, Q2 2010: 30.5%
DNS-based Communications within Any Topology

Essentially, DNS records are abused to carry data in and out of a network. Every type of record (NULL, TXT, SRV, MX, CNAME or A) can be used, but the speed of the channel differs by the amount of data that can be stored in a single record (see page 2).

The outbound phase starts with the bot on the compromised device asking the local host or network DNS server to resolve a query for [data].cnc-domain.tld. The data (base32-encoded, since DNS labels are case-insensitive and limited to letters, digits and hyphens) is split and placed in the third- and lower-level labels of multiple query names. Because every encoded name is unique, there will be no cached response on either local DNS server, so the requests are forwarded to the ISP's recursive DNS servers, which in turn obtain responses from the cybercriminal's authoritative name server; the stolen data has left the network as soon as that server receives the query. For the inbound phase, TXT records can carry the most data per response (base64-encoded) and are the record type typically suggested by DNS tunnel implementations, reaching up to 110 kbps, but they may not be ideal for a botnet trying to avoid detection by network devices, since TXT lookups from ordinary hosts are not common. Unfortunately, simply blocking TXT records as a defense is insufficient: it breaks other protocols (e.g. SPF, DKIM), and alternative record types such as CNAME are common and, used in series, can still transmit detailed instructions for the compromised host to act on. Alternatively, if two-way communication is not necessary, either the queries or the responses can omit the encoded outbound or inbound data, respectively, making the transfer more inconspicuous to anomaly detection systems.

Notable quote from Ed Skoudis, Founder of Counter Hack Challenges and SANS Fellow (Feb 2012): "Number of malware threats that receive instructions from attackers through DNS is expected to increase, and most companies are not currently scanning for such activity on their networks, security experts said at the RSA Conference 2012 on Tuesday. While most malware-generated traffic passing through most channels used for communicating with botnets (such as TCP, IRC, HTTP or Twitter feeds and Facebook walls) can be detected and blocked, it's not the case for DNS (Domain Name System) and attackers are taking advantage of that."
http://www.circleid.com/posts/malware_increasingly_uses_dns_as_command_and_control_channel/

At present there are few countermeasures cited by the security community that are "silver bullets" for detecting DNS-based botnet C&C communications. Some larger, security-aware organizations can use techniques such as "split horizon" DNS, together with egress filtering of port 53, to force internal hosts to send their DNS requests only through the network DNS server, and then apply statistical anomaly detection or signature matching to that DNS traffic; unfortunately, there are little to no readily available signatures that are well tested enough to both guarantee protection and cause no false positives.
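The following is an added example, not code from the whitepaper or from OpenDNS. It models the outbound phase just described (stolen bytes base32-encoded into the third- and lower-level labels of a series of unique query names, and reassembled by the authoritative server), and then runs the kind of per-zone statistical anomaly check the paper says an organization could apply to its resolver's query log. The zone name cnc-domain.tld is the paper's placeholder, the log format and the log lines are constructed for the example, and the payload is deterministic pseudo-random bytes standing in for stolen data.

```python
"""Added example (not from the OpenDNS whitepaper): DNS-tunnel outbound phase
and a simple resolver-log anomaly check for it."""
import base64
import collections
import math
import random
from typing import Dict, List

MAX_LABEL = 63     # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253     # practical limit for a complete name in presentation form
C2_DOMAIN = "cnc-domain.tld"   # placeholder zone from the paper, not a real C&C


def encode_outbound(data: bytes, domain: str = C2_DOMAIN, labels_per_query: int = 2) -> List[str]:
    """Return the query names a bot would send to exfiltrate `data`.

    base32 is used because labels are case-insensitive and restricted to
    letters, digits and hyphens; '=' padding is stripped and restored on decode.
    A leading sequence label (s0, s1, ...) lets the server reorder chunks, and
    makes every name unique, so no resolver on the path has a cached answer.
    """
    text = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    names = []
    for seq, i in enumerate(range(0, len(labels), labels_per_query)):
        name = ".".join([f"s{seq}"] + labels[i:i + labels_per_query] + [domain])
        if len(name) > MAX_NAME:
            raise ValueError("query name too long; lower labels_per_query")
        names.append(name)
    return names


def decode_outbound(names: List[str], domain: str = C2_DOMAIN) -> bytes:
    """What the attacker's authoritative name server does with received QNAMEs."""
    suffix = "." + domain
    chunks = {}
    for name in names:
        lname = name.lower().rstrip(".")
        if not lname.endswith(suffix):
            continue
        labels = lname[:-len(suffix)].split(".")
        if not labels[0].startswith("s") or not labels[0][1:].isdigit():
            continue                      # not one of our sequence-numbered names
        chunks[int(labels[0][1:])] = "".join(labels[1:])
    text = "".join(chunks[k] for k in sorted(chunks)).upper()
    text += "=" * (-len(text) % 8)        # restore base32 padding
    return base64.b32decode(text)


def shannon_entropy(s: str) -> float:
    """Bits per character; random base32 text scores ~4.5, hostnames ~3."""
    if not s:
        return 0.0
    counts = collections.Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def zone_of(qname: str) -> str:
    """Naive zone: the last two labels. A real tool would use the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_tunnel_zones(log_lines: List[str], min_queries: int = 4,
                      min_len: float = 30.0, min_entropy: float = 3.5) -> Dict[str, Dict[str, float]]:
    """Flag zones that receive many distinct, long, high-entropy subdomains.

    Log format assumed here (constructed): "<timestamp> <client> <qtype> <qname>".
    """
    per_zone = collections.defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        qname = fields[3].rstrip(".").lower()
        zone = zone_of(qname)
        sub = qname[:-len(zone) - 1] if qname != zone else ""
        if sub:
            per_zone[zone].add(sub)
    suspects = {}
    for zone, subs in per_zone.items():
        if len(subs) < min_queries:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if avg_len >= min_len and avg_ent >= min_entropy:
            suspects[zone] = {"queries": len(subs), "avg_len": round(avg_len, 1),
                              "avg_entropy": round(avg_ent, 2)}
    return suspects


# --- constructed sample data (not real traffic) ---
_rng = random.Random(2012)
SAMPLE_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(256))   # stand-in for stolen data
TUNNEL_QUERIES = encode_outbound(SAMPLE_PAYLOAD)
LOG_LINES = [
    "2012-06-01T10:00:01Z 10.1.2.3 A www.example.com",
    "2012-06-01T10:00:02Z 10.1.2.3 A mail.example.com",
    "2012-06-01T10:00:03Z 10.1.2.4 MX example.com",
    "2012-06-01T10:00:04Z 10.1.2.4 A cdn.example.net",
] + [f"2012-06-01T10:00:{5 + i:02d}Z 10.1.2.9 A {q}" for i, q in enumerate(TUNNEL_QUERIES)]

if __name__ == "__main__":
    for q in TUNNEL_QUERIES:
        print(q)
    print(decode_outbound(TUNNEL_QUERIES) == SAMPLE_PAYLOAD)
    print(find_tunnel_zones(LOG_LINES))
```

The detector deliberately looks only at what the paper says is hard to hide: many never-repeated, long, random-looking names under one zone. It would be complemented in practice by per-client query volume, NXDOMAIN rates and TXT/NULL lookup counts, and by a proper public suffix list rather than the two-label zone guess used here.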
Cloud-based Internet Security. Trusted by millions around the world. The easiest way to prevent malware and phishing attacks, contain botnets, and make your Internet faster and more reliable.

OpenDNS, Inc. • www.opendns.com • 1.877.811.2367

Copyright © 2012 OpenDNS, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of OpenDNS, Inc. Information contained in this document is believed to be accurate and reliable; however, OpenDNS, Inc. assumes no responsibility for its use. SWP-Botnets-V1-0612