Using Algorithms to Brute Force Algorithms...A Journey Through Time and Namespace

Using Algorithms to
Brute Force Algorithms
… a journey through time and namespace
Anthony Kasza
Bsides Chicago 2015

Audience Participation:
Answer a question, win a prize

What is an algorithm?

algorithm
noun
Word used by programmers when they do
not want to explain what they did.
[12]

Outline
Background
Malware Communications and Botnet Architectures
Analyzing Domain Generation Algorithms
Ramnit
Ramnit’s DGA
Brute Force Identification of Ramnit DGA Seeds
Results
Graphs
Applications and Improvements

Me
Anthony Kasza
Security Researcher: OpenDNS
@anthonykasza
github.com/anthonykasza

Malware Communications
Let’s pretend…
We all just compromised 10k hosts for our botnet
[10]

Let’s pretend…
What do we do now?
[10]

Let’s pretend…
What do we do now?
Have our malware phone home
[10]

Let’s pretend…
What do we do now?
Have our malware phone home
Botnets are resilient cloud based, often distributed, remote
administration systems
[10]

Name a malware

Malware Communications: IP
Open socket
Beacon to IP address
Easy to set up
Easy to take down
Client

Implant

C2

Server

Client

Implant

Client

Implant

Malware Communications: P2P
Open socket
Beacon to super node peer(s)
Very resilient
Peer consensus issues
Complex to set up
Super

node

Super

node

Super

node

Super

node

[9]

Client

Implant

Client

Implant

Client

Implant

Malware Communications: DNS
Open socket
Issue DNS query
Client

Implant

C2

Server

Client

Implant

Client

Implant

DNS

Resolver

Malware Communications: DNS
Open socket
Issue DNS query
Open socket
Beacon to IP address
Relatively easy to set up
Relatively easy to take down
Client

Implant

C2

Server

Client

Implant

Client

Implant

DNS

Resolver

Name a botnet that uses DNS

Malware Communications:
DNS Resiliency Tricks
Fast Flux – DNS A records change quickly
Double Flux – DNS A and NS records change quickly
Domain Generation Algorithms (DGA) – C2 domain
names are generated dynamically by a deterministic
function within the implant at run time.
Samples are "strings proof"

How To DGA
Client

DGA

Date
Seed

Hash/PRNG

String
TLD
set

Domain

name

Lexicon

query
connect
to
IP

NXD

A

Start

End

Example DGA Output
vfxlsatformalisticirekb[.]com
rd0ee55073a3776810962c124f02a99424[.]ws
croialotvvnfliyjmvt[.]ru
yxjsibeugmmj[.]in
osghqrdmlyhh[.]net
easebrainjobmarket[.]com

Malware Communications: DGA
-  Function that generates
domain names
-  Shared secret between
botnet implants and
operators
-  Often incorporates the date
Operator registers domain
“just in time” before the
implant generates it
[3]

Client

Implant

Registrar
Operator

DNS

Resolver

C2

Server

domain names
botnet implants and
operators
Registrar ensures the domain
is inserted into the DNS
[3]

Client

Implant

Registrar
Operator

DNS

Resolver

C2

Server

domain names
botnet implants and
operators
Implant generates and
resolves the domain
[3]

Client

Implant

Registrar
Operator

DNS

Resolver

C2

Server

domain names
botnet implants and
operators
Implant connects to C2 IPv4
[3]

Client

Implant

Registrar
Operator

DNS

Resolver

C2

Server

domain names
botnet implants and
operators
Repeat:
Operator is constantly
registering domain names
[3]

Client

Implant

Registrar
Operator

DNS

Resolver

C2

Server

Name a malware that uses a DGA

Malware that uses a DGA
Banjori
DirCrypt
Dyre
GameoverZeus
Hesperbot
Matsnu
Necurs
Pushdo
Pykspa
Qakbot
Ramnit
Shiotob
Simbda/Shiz
Symmi
TinyBanker
Bedep
Emotet
Gozi
Nymaim
Suppobox
Urlzone
VolatileCedar
Cryptolocker
Conficker
Murofet
BankPatch
Bobax
Ramdo
Flashback
Kelihos
Rovnix
Torpig
Many more…
[5]

Each DGA is Special Snowflake
Conficker.C – generated 50k names per day
Pushdo – DGA as a backup if C2 domain went down
Kelihos – DGA as a backup if P2P network went down
newGOZ DGA domains…
registered through a few common registrars
typically registered 1hr before algo would generate them
changed NS domains but reused NS IPv4s
[4]

[11]

DGA Domain Query Periods
Dyre
Ramnit
Matsnu
Pykspa
Bedep
~1 day
N/A
~2 weeks
~3 weeks
~1 week

Generalized DGA pseudo code…
for i in domain_set_size:
domain = generate_domain(date, magic)
resolve domain
if domain resolves
contact domain
StopIteration
def generate_domain(date, magic):
domain = ''
for i in lexicon_item_count:
item = random_select(lexicon, magic)
domain = domain + item
domain = domain + random_select(tld_set, magic)
return domain

Generalized Algorithms Analyses
Domain set size
How many domains to generate
Date
Today's date
Seed
A number used to ignite a PRNG
Salt
A magic number or campaign ID
Lexicon
A set of letters, n-grams, or words
Lexicon Items Count
Number of items to use from lexicon
TLD set
All possible TLDs
MD*, SHA*, Etc
Some hash
PRNG
Random numbers
Bitwise Math
xor, shl/shr, mod, b64, ascii to
hex
Names to contact
These are often regex-able due to
properties of the transformation
function
Inputs Functions Outputs

An Algorithm Taxonomy from Inputs
Group
Lexicon
Domain

set
size

Salt/
Seed

Date
Examples

A
LeNers
Yes
Yes
Yes
Necurs,
GOZ,
Symmi,
Tinba,
Pykspa

B
LeNers
Yes
Yes
No
Ramnit,
DirCrypt,
VolaVleCedar,
Ramdo

C.i
LeNers
Yes
No
Yes
Conﬁcker,
Dyre,
Cryptolocker,
Pushdo,

Qakbot

C.ii
Words
Yes
No
Yes
Matsnu,
Rovnix

Tell me anything about Ramnit

Ramnit Malware
Worm/RAT
Emerged 2010
“Borrowed” features from Zeus source 2011
Spread via EK, social media, bundled software, etc
Uses a DGA
[7]

Ramnit DGA Pseudo Code
class RandInt: # LCG PRNG, random uint32
def __init__(self, seed):
self.seed = seed
def rand_int_modulus(self, modulus):
ix = self.seed
ix = 16807*(ix % 127773) - 2836*(ix / 127773) /
& 0xFFFFFFFF
self.seed = ix
return ix % modulus
r = RandInt(seed) # seed = ?
for i in domain_set_size: # domain_set_size = ?
seed_a = r.seed
domain_length = r.rand_int_modulus(12) + 8 # domain_length = {8,19}
seed_b = r.seed
domain = ''
for i in domain_length:
char = 'a' + r.rand_int_modulus(25) # lexicon = [a-y]
domain += char
domain += ".com” # tld_set = [“.com”]
m = seed_a*seed_b
r.seed = (m + m//(2**32)) % 2**32
yield domain
[1]

Client

DGA

Seed

uint32

LCG
PRNG

string
+
".com"

Domain

Name

Lexicon

[a-‐y]{8,19}

query
connect
to
IP

NXD

A

Unknowns
1.  Linear congruential
generator’s seed
2.  How many times this
loop occurs
Client

DGA

Seed

uint32

LCG
PRNG

string
+
".com"

Domain

Name

Lexicon

[a-‐y]{8,19}

query
connect
to
IP

NXD

A

Brute Forcing Ramnit DGA Seeds
Inputs: domain_set_size, seed, tld_set, lexicon
Outputs: names
I.  Iterate over seed space (232) and identify candidate
seeds
II.  Find and generate the seeds’ associated
domain_set_size
III.  Determine the minimum set of seeds to produce all
domains (overlap in LCG output)
[2]

Step 1: Identify Candidate Seeds
1.  Seed the Ramnit DGA with every value 0-232
2.  Generate the first domain from each seed
–  27 hours on an AWS c3.8xlarge
–  24 processes, each with its own CPU core and a portions
of the seed space
–  Resulting seed and domain tuples sorted and merged
3.  Scan OpenDNS querylogs and find which domains
received at least one query
4.  Seeds which generated domains that received
queries are candidate seeds

Which are candidate seeds?

Candidate Seeds Example
seed1, domain1
seed2, domain1
seed3, domain1
seed4, domain1

Step 2: Find Seeds’ Domain Set Size
1.  Observe the domain’s hourly query counts for the
previous two weeks*
2.  For each candidate seed, generate the next domain
3.  Compare 2 to the seed’s composite query pattern
If they are similar:
1.  Merge the pattern into the seed’s composite query pattern
2.  Increment the seed’s domain set size
3.  Goto 1
Otherwise:
1.  Exit
* A vector with each position representing an hourly count of DNS queries

What is this seed’s domain set size?

Seeds’ Domain Set Size Example
seed1, domain1
seed1, domain2
seed1, domain3
seed1, domain4

Step 3: Minimum Seed Set for Domain Coverage
1.  For each seed and its associated domain set…
2.  Remove all domain sets that are subset of other
domain sets
3.  Minimum seed set for domain coverage remains
Seeds that remain aren’t necessarily “in the wild”
They are seeds that generate all domains “in the wild”

Which seeds would be eliminated?

Minimum Seed Set Example
seed1: domain1, domain2
seed2: domain1, domain2, domain3
seed3: domain3, domain4
seed4: domain1, domain2, domain3, domain4
seed5: domain5

Brute Forcing Algorithm Weaknesses
1.  The first domain from each seed is used to
located candidate seeds
2.  No queries on that day means seed is ignored
3.  Point in time analysis
4.  DGAs collide with legitimate domain names
-  1 million monkeys typing in 1 million address bars
will eventually browse to 4chan

Results: Seeds, Domains, Clients
29 seeds, 3924 domains
-  Seeds confirmed by Symantec’s report
I found some seeds not listed in Symantec’s report
-  Not a big deal due to overlaps in Ramnit DGA’s LCG
seeds
I found some domains not listed in Symantec’s report
-  Bigger deal if Symantec is serious about takedowns
[7]

[8]

Was anyone here involved in the
Ramnit takedown?

Results: Patterns in Domain Queries by Seed

Results: Patterns in Domain Queries
1.  Locate IPv4s that queried each domain
2.  Create a graph of seed -> domains -> client IPv4s
3.  Count connect components (I found two)
S
S
S
S
S

D
D
D
D
D
D
D
D
D

C
C
C
C
C
C

Results: Patterns in Domain Queries by IPv4
Groups

Applications and Improvements
Generalize framework for use with all DGA implementations
- Currently working with more than just Ramnit
Vigilant monitoring instead of point in time search
-  Ramdo seeds are able to be updated by the C2 server
-  even if you RE the algorithm, you don't have the seed
unique to each compromised system
Combine with other DGA detection techniques
-  co-occurrances and lexical features
[6]

Conclusion
Why should you care?
-  Many malware families are using DGAs
-  This is a new way to identify new badness
-  Know the shared secret, find all the C2 domains
-  Not all DGAs are created equal
-  Some are more difficult to track than others
-  malware authors are people too
-  3:30, “The Life and Times of an APT Malware Author”

Are there any questions?

Thanks
BsidesChicago
OpenDNS
Johannes Bader
Daniel Plohmann
John Bambenek
Thomas Mathew
Dhia Mahjoub
Steve Mckinney

References
http://johannesbader.ch/2014/12/the-dga-of-ramnit/ [1]
https://labs.opendns.com/2015/02/18/at-high-noon-algorithms-do-battle/ [2]
http://www.cc.gatech.edu/~ynadji3/docs/pubs/pleiades2012.pdf [3]
http://www.slideshare.net/OpenDNS/shmoocon-2015-presentation [4]
https://github.com/Andrewaeva/DGA [5]
http://blogs.technet.com/b/mmpc/archive/2014/04/08/msrt-april-2014-ramdo.aspx [6]
http://www.symantec.com/connect/blogs/ramnit-cybercrime-group-hit-major-law-enforcement-operation [7]
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32-ramnit-analysis.pdf [8]
http://www.malwaretech.com/2013/12/peer-to-peer-botnets-for-beginners.html [9]
http://en.wikipedia.org/wiki/Botnet [10]
http://commons.wikimedia.org/wiki/File:Snowflake-black.png [11]
Somewhere on Twitter [12]

Using Algorithms to Brute Force Algorithms...A Journey Through Time and Namespace

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (13)

Similaire à Using Algorithms to Brute Force Algorithms...A Journey Through Time and Namespace

Similaire à Using Algorithms to Brute Force Algorithms...A Journey Through Time and Namespace (20)

Plus de OpenDNS

Plus de OpenDNS (16)

Dernier

Dernier (20)

Using Algorithms to Brute Force Algorithms...A Journey Through Time and Namespace