OpenDNS Senior Security Researcher Dhia Mahjoub's presentation from SOURCE Boston 2014.

1. !
Marauder or Scanning your DNSDB
for Fun and Profit
Dhia!Mahjoub!
OpenDNS!
April!10th,!2014!
Boston!

2. Short!Bio!
• Senior!Security!Researcher!at!OpenDNS!
• PredicAve!threat!detecAon!based!on!DNS!traffic!and!
hosAng!infrastructure!analysis!
• CS!PhD!graduate!from!Southern!Methodist!University!
!!!!IIIIIII>!Go!Mustangs!!
!
• Graph!Theory!applied!on!Wireless!Sensor!Networks!
problems!(network!lifeAme,!rouAng)!
• Enjoyed!wriAng!sniffers,!port!scanners!in!C…!

3. Outline!
• DNSDB!
• Marauder!
• ImplementaAon!
• ASN!graph!
• Use$case$1:$Suspicious!Sibling!Leaf!ASNs!!
• Use$Case$2:!Rogue!ASN!deIpeered!or!gone!stealth!
• Use$Case$3:!ASN(s)!abused!or!lax!about!content!
• Marauder:!PlaZorm,!tools,!libraries!used!
• Marauder!in!acAon!
• Use$case$4:!Malicious!subIallocated!ranges!
• Use$case$5:!PredicAng!Malicious!domains!IP!infrastructure!
• Conclusion!

4. querylogs! authlogs!
DNS$data$

5. OpenDNS’!Network!Map!

6. $
DNSDB$
$

7. Passive!DNS!
• Introduced!by!Florian!Weimar!in!2004!
• Passive!DNS!builds!zone!replicas!without!
cooperaAon!from!zone!administrators!
• Captures!messages!between!DNS!servers!
• Messages!are!processed,!deIduplicated,!and!DNS!
records!are!consolidated!in!an!indexed!database!
!I>!Historical!DNS!database!(DNSDB)!

8. Passive!DNS!(cont’d)!
!Various!Services!
1. hbp://www.bd.de/bd_dnslogger_en.html!
2. DNSDB!(Farsight!Security)!
hbps://www.dnsdb.info/!
3. Umbrella!SGraph!(reIdubbed!InvesAgate)!
hbps://sgraph.opendns.com/main!
4. VirusTotal!DNSDB!
• hbps://github.com/gamelinux/passivedns!
• hbps://github.com/chrislee35/passivednsIclient!

9. Why!is!DNSDB!useful?!
D!
D!
D!
D!
IP!
IP!
NS!
IP!
NS!
+$TIME$
Domain!
IP!address!
Name!server!

10. Streaming!AuthoritaAve!DNS!
• Tap!into!processed!authoritaAve!DNS!stream!before!
it’s!consolidated!into!a!persistent!DB!
• asn,!domain,!2LD,!IP,!NS_IP,!Amestamp,!TTL,!type!
• Faster!
• 100s!–!1000s!entries/sec!(from!subset!of!resolvers)!
• Need!to!implement!your!own!filters,!detecAon!
heurisAcs!

11. $
Marauder$
$

12. Marauder!
• Maraud!(def):!To!rove!and!raid!in!search!for!plunder!
• MarAn!BI26!Marauder!
• WW2!mediumIrange!bomber!
• Pacific,!Mediterranean,!Western!Europe!theaters!

13. Marauder!
• Cruise!the!IP,!DNS!space!in!search!for!new!aback!
domains,!IP!infrastructures!!

14. ImplementaAon!
1. IP!watchlist!+!domain!filter(s)!+!more!post!detecAon!
filter(s)!
• IP!watchlist!<I!blacklist!feeds!+!other!heurisAcs!to!
build!malicious/suspicious!IP!lists!
2. Domain!detecAon!heurisAcs:!name!pabern,!IP,!NS,!
age,!traffic!volume!

15. Building!the!IP!watchlist!!
Mo<va<on!
• Assess!malicious!IP!ranges!in!BGP!prefixes,!ASNs!
from!a!new!perspecAve!
• Look!beyond!the!simple!counAng!of!number!of!bad!
domains,!bad!IPs!hosted!on!prefixes!of!an!ASN!
How$?$
• Look!at!topology!of!AS$graph$
• Look!at!smaller!granularity!than!BGP!prefix:!!
!subGallocated$ranges$within!BGP!prefixes!

16. AS!graph!
• BGP!rouAng!tables!
• Valuable!data!sources!
• Routeviews!hbp://archive.routeviews.org/bgpdata/!
• CidrIreport!hbp://www.cidrIreport.org/as2.0/!
• Hurricane!Electric!database!hbp://bgp.he.net/!
• Your!own!rouAng!tables!if!you!operate!your!own!
worldwide!BGP!routers!
• 500,000+$BGP$prefixes$
• 46,000+$ASNs$

17. AS!graph!
• Route!Views!hbp://archive.routeviews.org/bgpdata/!

18. AS!graph!
• Cidr!Report!hbp://www.cidrIreport.org/as2.0/!

19. AS!graph!
• Hurricane!Electric!database!hbp://bgp.he.net/!

20. AS!graph!
• Show!one!line!of!the!BGP!rouAng!table!
• TABLE_DUMP2|1392422403|B|96.4.0.55|11686|
67.215.94.0/24|11686!4436!2914!36692|IGP|
96.4.0.55|0|0||NAG||!
• The!AS!graph!changes!constantly:!
• New!prefixes!(with!their!routes)!are!announced!
• Old!prefixes!are!dropped!
• IntenAonal,!human!error,!hardware!faults,!or!malicious!

21. AS!graph!

22. AS!graph!
• TABLE_DUMP2|1392422403|B|96.4.0.55|11686|
67.215.94.0/24|11686!4436!2914!36692|IGP|
96.4.0.55|0|0||NAG||!
• We!can!extract!two!types!of!useful!data:!
!1.!Upstream!and!downstream!ASNs!of!every!ASN!
!2.!IP!to!ASN!mapping!(via!prefix!to!ASN!mapping)!
• pyasn,!Python!IP!to!ASN!lookup!module!!
!hbps://code.google.com/p/pyasn/!
• Team!Cymru!IP!to!ASN!mapping!
• GeoIPASNum.dat!from!maxmind!
• curl!ipinfo.io/8.8.8.8/org!

23. AS!graph!
• Build!AS!graph!
• Directed!graph:!node=ASN,!a!directed!edge!from!an!
ASN!to!an!upstream!ASN!
• TABLE_DUMP2|1392422403|B|96.4.0.55|11686|67.215.94.0/24|
11686!4436!2914!36692|IGP|96.4.0.55|0|0||NAG||!

24. AS!graph!
• Directed!graph:!node=ASN,!a!directed!edge!from!an!
ASN!to!an!upstream!ASN!
Interes<ng$cases:$
• Leaf!ASNs!that!are!siblings,!i.e.!they!have!common!
parents!in!the!AS!graph!(share!same!upstream!AS)!
• Cluster!the!leaves!by!country!
• Find!interesAng!paberns:!certain!siblings!in!certain!
countries!are!delivering!similar!suspicious!campaigns!

25. $
Use$Case$1:$
Suspicious$Sibling$leaf$ASNs$
$

26. Leaf!ASNs!and!their!upstreams!
• January!8th!topology!snapshot,!Ukraine,!Russia!
• 10!sibling!leaf!ASNs!with!2!upstream!ASNs!
• /23!or!/24!serving!TrojWare.Win32.KrypAk.AXJX!
• !TrojanIDownloader.Win32.Ldmon.A!
• hbp://telussecuritylabs.com/threats/show/TSL20130715I08!

27. Leaf!ASNs!and!their!upstreams!

28. Leaf!ASNs!and!their!upstreams!
• February!21st!topology!snapshot,!Ukraine,!Russia!
!
• AS31500!detached!itself!from!the!leaves!(stopped!
announcing!their!prefixes)!
• More!leaves!started!hosAng!suspicious!payload!domains!
• 3100+!malware!domains!on!1020+!IPs!hosAng!malware!

29. Leaf!ASNs!and!their!upstreams!
• Taking!a!sample!of!160!live!IPs!
• Server!setup!is!similar:!
50!IPs!with:!
22/tcp$$$open$$ssh$$$$$$$$OpenSSH$6.2_hpn13v11$(FreeBSD$20130515;$
protocol$2.0)$
8080/tcp$open$$h[pGproxy$3Proxy$h[p$proxy$
Service$Info:$OS:$FreeBSD$
!
108!IPs!with:$
22/tcp$open$$ssh$$$$$OpenSSH$5.3$(protocol$1.99)$
80/tcp$open$$h[p?$

30. Leaf!ASNs!and!their!upstreams!
• The!payload!url!were!live!on!the!enAre!range!of!IPs!
before!any!domains!were!hosted!on!them!
• So,!the!IP!infrastructure!is!set!up!in!bulk!and!in!advance!
• hbp://pastebin.com/X83gkPY4!
$

31. $
Use$Case$2:$
ASN$abused$or$lax$about$shady$
content$
$

33. Example!ASNs!abused!or!lax!
• Wordstream!hosAng!fake!merchandise,!Exploit!kit!
domains,!XXX!themed!sites,!etc!
• Resellers!using!IP!space!of!larger!providers!
• e.g.!IxamIhosAng!uses!Voxility!
• Other!abused!ASNs!like!OVH,!LeaseWeb,!etc!
• Ranking!of!ASNs:!sitevet.com!
$

34. $
Use$Case$3:$
Rogue$ASN$deGpeered$or$gone$
stealth$$
$

35. Rogue!ASN!deIpeered!or!gone!stealth!
• AS48031!XSERVERIIPINETWORKIAS!PE!Ivanov!Vitaliy!
Sergeevich!86400!
• Serving!browlock,!porn,!radical!forums,!spam,!etc!
• “PE!Ivanov!Vitaliy!Sergeevich!malware”!

36. Rogue!ASN!deIpeered!or!gone!stealth!
Romanian!Man!Commits!Suicide!and!Kills!His!4IYearIOld!ayer!Falling!for!Police!Ransomware!

37. Rogue!ASN!deIpeered!or!gone!stealth!

38. Rogue!ASN!deIpeered!or!gone!stealth!
• AS48031!XSERVERIIPINETWORKIAS!PE!Ivanov!Vitaliy!Sergeevich!86400!
• 176.103.48.0/20!48031!
• 193.169.86.0/23!48031!
• 193.203.48.0/22!48031!
• 193.30.244.0/22!48031!
• 194.15.112.0/22!48031!
• 196.47.100.0/24!48031!
• 91.207.60.0/23!48031!
• 91.213.8.0/24!48031!
• 91.217.90.0/23!48031!
• 91.226.212.0/23!48031!
• 91.228.68.0/22!48031!
• 93.170.48.0/22!48031!
• 94.154.112.0/20!48031!

39. Rogue!ASN!deIpeered!or!stealth!

40. Rogue!ASN!deIpeered!or!stealth!

41. $
Marauder:$Pla_orm,$tools,$
libraries$used$
$

42. PlaZorm!and!tools!used!
IHadoop!cluster!
!
IRaw!logs!on!HDFS!
!
IIndexed!DNSDB!in!HBase!
!
IPython,!shell,!Gnu!Parallel!
!
IStreaming,!zmq!
!

43. Python!libraries!
• Happybase:!developerIfriendly!Python!library!to!
interact!with!Apache!HBase!
!hbp://happybase.readthedocs.org/en/latest/!
!Column!I>!value!
!Single!row:!domain,$<me,$type,$IP$G>$TTL$
• Search!DNSDB!by!IP,!name!
• Forward!lookup!for!domain!to!get!history!of!IPs,!TTL!
• Inverse!lookup!for!IP!to!get!mapping!domain(s)!over!
Ame!

44. Python!libraries!
• Happybase:!!
import$happybase$
#protect$in$a$try$catch$
connec<on$=$happybase.Connec<on(’server.com',$compat='0.90')$
table$=$connec<on.table('authlogs')$
_domain$=$“google.com”$
for$key,$data$in$table.scan(row_prefix=_domain):$
$domain,<me,type,$ip$=$key.split(":")$
$ip_[l$=$ip$+$"$"$+$data['name2rr:v']$#$if$you$need$the$TTL$

45. Python!libraries!
• IPy:!Python!class!and!tools!for!handling!of!IPv4!and!
IPv6!addresses!and!networks!
!hbps://github.com/haypo/pythonIipy/wiki!
!Use!it!to!flaben!a!CIDR!into!a!list!of!IPs$
!from$IPy$import$IP$
$cidr$=$IP('127.0.0.0/30')$
$for$ip$in$cidr:$
$ $print$ip$

46. Python!libraries!
• PySubnetTree:!Python!data!structure!SubnetTree!
which!maps!subnets!given!in!CIDR!notaAon!to!
Python!objects.!!
• Lookups!are!performed!by!longestIprefix!matching.!
!hbp://www.bro.org/download/README.pysubnebree.html!
!Use!it!to!map!IP!to!BGP!prefix!and/or!ASN!
!!
• A!row!in!the!prefix!to!ASN!database!(file):!
$1.22.232.0/24$45528$

47. Python!libraries!
• PySubnetTree:!!
Load!pref_asn!db!then!do!lookups!on!IPs!
import$SubnetTree$
pref_asn_db$=$SubnetTree.SubnetTree()$
f_pref_asn$=$open(“prefGasn",$'r')$
….$
pref_asn_db[“1.22.232.0/24”]=“1.22.232.0/24$45528”$
ip$=$“1.22.232.7”$
cidr$=$pref_asn_db[ip].split()[0]$

48. Python!libraries!
• PyASN:!Python!extension!module!(wriben!in!C)!that!
allows!to!perform!very!fast!IP!to!ASN!lookups!
!hbps://code.google.com/p/pyasn/!
• pygeoip:$Map!IP!to!country!code!
hbps://pypi.python.org/pypi/pygeoip!
• networkx:!Python!package!to!manipulate!graphs!
!hbp://networkx.github.io/!
!

49. $
Marauder$in$ac<on$
$

50. Marauder!in!acAon!
• Input:!IP,!BGP!prefix,!or!ASN!
• Use!DNSDB!(HBase)!
• Use!auth!DNS!stream!
HBase:$
1) !IP:!direct!lookup!
2) !BGP!prefix!I>!flaben!prefixI>!fork!processes!(GNU!
parallel!processes!or!threads)!to!query!HBase!for!every!IP!
3) !ASN!I>!get!list!of!prefixes!from!pref_asn_db!I>!
process!every!prefix!like!in!2)!

51. $
Use$Case$4:$
Malicious$subGallocated$ranges$
$

52. Malicious!subIallocated!ranges!
• Case!of!OVH!
• SubIallocated!ranges!reserved!by!same!suspicious!
customers,!serving!Nuclear!Exploit!kit!domains!
• Users!are!lead!to!the!Exploit!landing!sites!through!
malverAsing!campaigns,!then!malware!is!dropped!on!
vicAms’!machines!(e.g.!zbot)!
• Monitoring!paberns!for!5!months:!Oct$2013GFeb$2014$

53. Malicious!subIallocated!ranges!
• For!several!months,!OVH!ranges!were!abused!
• Notable!fact:!IPs!were!exclusively!used!for!hosAng!
Nuclear!Exploit!subdomains,!no!other!sites!hosted!
!
!
!

54. Malicious!subIallocated!ranges!

55. Malicious!subIallocated!ranges!
• Some!OVH!subIallocated!ranges!used!in!JanIFeb!2014!
192.95.50.208!I!192.95.50.215!
198.50.183.68!I!198.50.183.71!
192.95.42.112!I!192.95.42.127!
192.95.6.112!I!192.95.6.127!
192.95.10.208!I!192.95.10.223!
192.95.7.224!I!192.95.7.239!
192.95.43.160!I!192.95.43.175!
192.95.43.176!I!192.95.43.191!
198.50.131.0!I!198.50.131.15!

56. Malicious!subIallocated!ranges!
• Feb!7th,!bad!actors!moved!to!a!Ukrainian!hosAng!
provider!hbp://www.besthosAng.ua/!
• 31.41.221.143!2014I02I14!2014I02I14!0!
• 31.41.221.142!2014I02I12!2014I02I14!2!
• 31.41.221.130!2014I02I12!2014I02I14!2!
• 31.41.221.140!2014I02I12!2014I02I12!0!
• 31.41.221.139!2014I02I12!2014I02I12!0!
• 31.41.221.138!2014I02I11!2014I02I12!1!
• 31.41.221.137!2014I02I10!2014I02I11!1!
• 31.41.221.136!2014I02I10!2014I02I11!1!
• 31.41.221.135!2014I02I10!2014I02I10!0!
• 31.41.221.134!2014I02I09!2014I02I19!10!
• 31.41.221.132!2014I02I08!2014I02I09!1!
• 31.41.221.131!2014I02I07!2014I02I08!1!

57. Malicious!subIallocated!ranges!
• Feb!14th,!bad!actors!moved!to!a!Russian!hosAng!
provider!hbp://pinspb.ru/!
• 5.101.173.10!2014I02I21!2014I02I22!1!
• 5.101.173.9!2014I02I19!2014I02I21!2!
• 5.101.173.8!2014I02I19!2014I02I19!0!
• 5.101.173.7!2014I02I18!2014I02I19!1!
• 5.101.173.6!2014I02I18!2014I02I18!0!
• 5.101.173.5!2014I02I17!2014I02I18!1!
• 5.101.173.4!2014I02I17!2014I02I17!0!
• 5.101.173.3!2014I02I16!2014I02I17!1!
• 5.101.173.2!2014I02I15!2014I02I16!1!
• 5.101.173.1!2014I02I14!2014I02I15!1!

58. Malicious!subIallocated!ranges!
• Feb!22nd,!bad!actors!moved!back!to!OVH!
!
!
• Notable!fact:!They!change!MO,!IPs!have!been!
allocated!and!used!in!the!past!for!other!content!I>!
evasion!technique!or!resource!recycling!
• But!during!all!this!Ame,!bad!actors!sAll!kept!the!
name!server!infrastructure!on!OVH!on!ranges!
reserved!by!same!customers!

59. Malicious!subIallocated!ranges!
• 198.50.143.73$2013G11G25$2014G02G24$91$
• 198.50.143.69$2013G11G25$2014G02G24$91$
• 198.50.143.68$2013G11G25$2014G02G24$91$
• 198.50.143.67$2013G11G26$2014G02G24$90$
• 198.50.143.65$2013G11G24$2014G02G23$91$
• 198.50.143.66$2013G11G25$2014G02G23$90$
• 198.50.143.64!2013I11I24!2014I01I25!62!
• 198.50.143.75!2013I12I03!2013I12I10!7!
• 198.50.143.79!2013I11I25!2013I12I10!15!
• 198.50.143.78!2013I11I25!2013I12I10!15!
• 198.50.143.74!2013I11I25!2013I12I10!15!
• 198.50.143.72!2013I11I25!2013I12I10!15!
• 198.50.143.71!2013I11I25!2013I12I10!15!
• 198.50.143.76!2013I11I25!2013I12I09!14!
• 198.50.143.70!2013I11I26!2013I12I09!13!
• 198.50.143.77!2013I11I26!2013I12I05!9!

60. Malicious!subIallocated!ranges!
• hbp://labs.umbrella.com/2014/02/14/whenIipsIgoInuclear/!
• hbp://pastebin.com/SX5R69vY!
• hbp://pastebin.com/KuxpNJwV!

61. Abused!TLDs!
• Nuclear!has!been!abusing!various!TLDs,!ccTLDs!(Feb!2014)!
• .pw!for!a!while!
• Take!down!campaign!with!MalwareMustDie!
• Moved!to!.ru!and!.in.net!
• Then!back!to!.pw!

62. $
Use$Case$5:$
Predic<ng$malicious$domains$IP$
infrastructure$
$

63. Malicious!subIallocated!ranges!(Feb!2014)!
• For!Nuclear,!In!addiAon!to!subIallocated!ranges!
reserved!by!same!actors!(for!OVH!case)!
• The!live!IPs!all!have!same!server!setup!(fingerprint):!
• 31.41.221.131!to!31.41.221.143!
22/tcp$$open$$ssh$$$$$OpenSSH$5.5p1$Debian$6+squeeze4$(protocol$2.0)$
80/tcp$$open$$h[p$$$$nginx$web$server$0.7.67$
111/tcp$open$$rpcbind$
• 5.101.173.1!to!5.101.173.10!
22/tcp$$open$$ssh$$$$$OpenSSH$6.0p1$Debian$4$(protocol$2.0)$
80/tcp$$open$$h[p$$$$nginx$web$server$1.2.1$
111/tcp$open$$rpcbind$

64. Malicious!subIallocated!ranges!(Feb!2014)!
• 198.50.143.64!to!198.50.143.79!
22/tcp$$open$$$$$ssh$$$$$$$$$$OpenSSH$5.5p1$Debian$6+squeeze4$(protocol$2.0)$
80/tcp$$open$$$$$h[p$$$$$$$$$nginx$web$server$0.7.67$
445/tcp$filtered$microsoqGds!
• In!some!cases,!IPs!are!brought!online!in!small!chunks!
• The!name!server!IPs!also!have!the!same!fingerprint!
• CombinaAon!of!these!different!indicators!has!made!
predicAons!100%!accurate!for!the!past!months.!Bad!actors!
change!their!MO,!but!this!approach!works!on!other!abacks!
• I>!We!block/monitor!IPs!before!they!start$hos<ng$domains!

65. Conclusion!
• PredicAve!threat!detecAon!based!on:!
• Monitoring!of!DNS!traffic!(recursive!and!authoritaAve)!
!and!!
• hosAng!infrastructure!
• Shut!down!the!bad!actors!infrastructure!at!the!hosAng!
provider;!reseller!level!or!lowest!common!upstream!
ancestor!(with!bad!reputaAon!and!repeated!offenses)!

66. References!
• Discovering!Fast!Flux!domains!using!Machine!Learning!
!Presented!at!BSides$New$Orleans$2013$
• Real!Ame!monitoring!of!Kelihos!Fast!Flux!botnet!
!Presented!at!APWG$eCrime$2013$
• Fast!detecAon!of!malicious!domains!using!DNS!
!Presented!at!BSides$Raleigh$2013$
• The!power!of!the!team!work!–!Management!of!DissecAng!Kelihos!Fast!
Flux!Botnet!“Unleashed”!!
!Presented!at!BotConf$2013$
!

67. Contact!Info!
• Contact!me!at!dhia@opendns.com!if!you!are!
interested!in:!
• Asking!quesAons!
• CollaboraAng!
• Twiber!@DhiaLite!
• Blogs!hbp://labs.umbrella.com/author/dhia/!

68. Thank!you!
!
(Q!&!A)!