Abusing DNS to spread malware
From router to end-user
Evgeny Aseev, Senior Malware Analyst, Kaspersky Lab
CNCERT/CC 2011 Annual Conference
What is DNS?
And why can it be abused?
What is DNS?
DNS – Domain Name System
DNS translates domain names meaningful to humans into the numerical identifiers associated with networking equipment, for the purpose of locating and addressing these devices worldwide.
DNS is a "phone book" for the Internet.
Examples:
kaspersky.com -> 91.103.64.6
google.com -> 209.85.149.104
Why can DNS be abused?
• Technical side
• Open, distributed design
• Lots of nodes
• Everybody can start one
• Usage of User Datagram Protocol (UDP)
• Unreliable (no acknowledgment, retransmission or timeout at the transport layer; DNS clients have to retry on their own)
• Not ordered (if two messages are sent to the same recipient, the order in which they arrive cannot be predicted)
• Connectionless: no handshake ties a reply to the host that actually sent it, so anyone who can guess the 16-bit transaction ID and the source port can forge an answer
• Human factor
• Not well-qualified network administrators
• Network security holes
• Default hardware configurations
• etc.
• End-users themselves
• The easiest target to abuse!
How can DNS be abused?
Real-world examples
How can DNS be abused?
Instead of going into cool theoretical stuff about techniques of exploiting
DNS itself, I would rather show some real-world examples of attacks and
malicious programs related to DNS.
Abusing DNS
Simple example: overriding the user's name resolution with the 'hosts' file
This is what a normal 'hosts' file looks like (only the localhost entries)
And this is an infected example, with attacker-added entries; the resolver consults 'hosts' before it asks any DNS server, so these entries win
Abusing DNS
Simple example: changing the user's DNS settings using a relocated 'hosts' file
This is where the 'hosts' file should be located: %SystemRoot%\System32\drivers\etc
But it can be relocated (Windows reads the directory from the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters) and the copy at the new location infected
And the original 'hosts' file remains unchanged, so a check that only looks at the default path sees nothing wrong
Abusing DNS
Simple example: changing the user's DNS settings through the network registry settings
This is what the 'NameServer' value should look like (per interface, under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}): empty, or the legitimate resolver
But it can be changed manually..
And the change is picked up immediately
Abusing DNS
More advanced example: the Rorpian case
• First of all, the malware gets onto the user's PC via removable media
• Then the magic begins
• The malware configures the user's system as a DHCP server and starts listening on the local network
• If the system is already infected, it manually sets its own DNS server to Google's (8.8.8.8)
• When a DHCP request from another computer arrives, the malicious DHCP server attempts to answer before the legitimate one
• If the attempt succeeds, the other computer's DNS server is changed to the malicious one
• Which leads to..
Malware infection from any visited resource!
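The Rorpian sequence above boils down to a rogue DHCP server racing the legitimate one and handing out DNS servers (option 6) of its choosing. The following added example, not from the deck, parses DHCP OFFER/ACK packets in the RFC 2131 layout and flags answers that come from an unknown server identifier (option 54) or advertise resolvers outside an allow-list. The packets and all addresses (192.168.1.1 as the legitimate server, 192.168.1.77 as the infected PC, 203.0.113.10 as the malicious resolver) are constructed inline; on a real network the bytes would be UDP/68 payloads from a capture.

```python
"""Added example: rogue DHCP detection by parsing OFFER/ACK options."""
import struct
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie at offset 236
OPT_PAD, OPT_ROUTER, OPT_DNS = 0, 3, 6
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
MSG_OFFER, MSG_ACK = 2, 5


def parse_dhcp_options(packet: bytes) -> dict[int, bytes]:
    """Return {option_code: raw_value} from the options field."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return options


def _addresses(raw: bytes) -> list[str]:
    """Decode a run of 4-byte IPv4 addresses (options 3, 6, 54)."""
    return [str(IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - len(raw) % 4, 4)]


def classify_offer(packet: bytes, trusted_dhcp: set[str], trusted_dns: set[str]) -> dict:
    """Decide whether an OFFER/ACK comes from a rogue server or pushes rogue DNS."""
    opts = parse_dhcp_options(packet)
    msg_type = opts.get(OPT_MSG_TYPE, b"\0")[0]
    server = _addresses(opts.get(OPT_SERVER_ID, b""))
    dns = _addresses(opts.get(OPT_DNS, b""))
    if msg_type not in (MSG_OFFER, MSG_ACK):
        return {"server": server, "dns": dns, "rogue": False, "reasons": ["not an OFFER/ACK"]}
    reasons = []
    if not server or server[0] not in trusted_dhcp:
        reasons.append(f"unknown DHCP server {server}")
    bad_dns = [d for d in dns if d not in trusted_dns]
    if bad_dns:
        reasons.append(f"untrusted DNS servers {bad_dns}")
    return {"server": server, "dns": dns, "rogue": bool(reasons), "reasons": reasons}


def build_offer(server_id: str, dns_servers: list[str], client_ip: str = "192.168.1.50",
                router: str = "192.168.1.1", xid: int = 0x3903F326) -> bytes:
    """Construct a minimal BOOTREPLY/OFFER for testing (not a DHCP implementation)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                       # op=BOOTREPLY, htype=Ethernet, hlen, hops
        xid, 0, 0x8000,                   # xid, secs, flags (broadcast)
        b"\0" * 4,                        # ciaddr
        IPv4Address(client_ip).packed,    # yiaddr: address being offered
        IPv4Address(server_id).packed,    # siaddr
        b"\0" * 4,                        # giaddr
        bytes.fromhex("001122334455").ljust(16, b"\0"),  # chaddr
        b"\0" * 64, b"\0" * 128,          # sname, file
    )
    options = (
        bytes([OPT_MSG_TYPE, 1, MSG_OFFER])
        + bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
        + bytes([OPT_ROUTER, 4]) + IPv4Address(router).packed
        + bytes([OPT_DNS, 4 * len(dns_servers)])
        + b"".join(IPv4Address(d).packed for d in dns_servers)
        + bytes([OPT_END])
    )
    return header + DHCP_MAGIC + options


# Constructed packets: the real router answering, and a Rorpian-style infected
# PC (192.168.1.77) answering first and pointing clients at its resolver.
TRUSTED_DHCP = {"192.168.1.1"}
TRUSTED_DNS = {"192.168.1.1"}
LEGIT_OFFER = build_offer("192.168.1.1", ["192.168.1.1"])
ROGUE_OFFER = build_offer("192.168.1.77", ["203.0.113.10"])

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, classify_offer(pkt, TRUSTED_DHCP, TRUSTED_DNS))
```

The server identifier check matters as much as the DNS check: the malware on the infected PC could hand out the correct router and a plausible resolver and still be the wrong machine answering, which is the only signal the victim has for deciding which offer won the race.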
Abusing DNS
A higher-level threat: hacking the routers
• Main security issues
• weak default passwords and no enforced password change
• insecure default configuration
• firmware vulnerabilities and errors in service implementations
• lack of awareness
Abusing DNS
How to hack millions of routers?
Overhyped?
PAGE 12 | Kaspersky Powerpoint template – Overview | January 24 2011
Not at all.
Abusing DNS
Example: 2Wire case
Abusing DNS
Example: D-Link & Tsunami case
Malware goes even inside the router itself!
Abusing DNS
Examples: it’s only the beginning
Abusing DNS
An even higher-level threat: hacking the DNS servers
Abusing DNS
Last example: the mysterious google-analytics.com case
• Several months ago we received, through Kaspersky Security Network (KSN), tons of notifications of JavaScript Iframer malware planted in http://google-analytics.com/ga.js
• ga.js downloaded from google-analytics.com was clean
• But when we got the file from users.. it was infected!
• The first version redirected the user to the domain name quehduid.com, which wasn't even registered!
• But still, we received notifications about exploits downloaded from this domain
• We analyzed tons of malware which could be connected to this case
• Found nothing pointing to DNS poisoning/hijacking in the samples themselves
• But found an interesting geographic pattern between the versions
It seems like something is wrong with the local DNS in these countries, isn't it?
Conclusions
Conclusions
Summing it up
• DNS can be hijacked or poisoned at every layer of the network structure
• Users
• Routers
• DNS servers
• DNS was not originally designed with security in mind
• and thus has a number of security issues
• There are some technical things that can make it more secure
• Domain Name System Security Extensions (DNSSEC) - cryptographically signed responses, so a validating resolver can detect forged or altered records (it does not protect the last hop to a client that does not validate)
• OpenDNS - misspelling correction, phishing protection, content filtering, blocks bad IPs, stops bots from 'phoning home'
• Google Public DNS - basic validity checking, adding entropy to requests, removing duplicate queries, rate-limiting queries
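Why UDP makes forgery easy (the 'Technical side' bullets earlier) and what 'basic validity checking' and 'adding entropy to requests' mean in practice can be shown in one piece of code. The following is an added example, not part of the deck: it builds a query with a random transaction ID and 0x20-style case randomization of the name, then refuses any reply whose ID or question section (case included) does not echo the query. Messages are constructed inline with no network I/O, and the domain names and IP addresses in it are made up for the example.

```python
"""Added example: DNS query/response validation as a careful resolver does it."""
import secrets
import struct
from ipaddress import IPv4Address
from typing import Optional

TYPE_A, CLASS_IN = 1, 1
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080


def randomize_case(name: str) -> str:
    """DNS 0x20: lookups are case-insensitive but a real server echoes the
    QNAME unchanged, so random case is extra entropy a blind spoofer must
    guess on top of the 16-bit transaction ID and the source port."""
    return "".join(c.upper() if secrets.randbits(1) else c.lower() for c in name)


def _encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\0"


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it).
    Case is preserved so the caller can compare with what was sent."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(qname: str, txid: Optional[int] = None) -> bytes:
    if txid is None:
        txid = secrets.randbelow(1 << 16)        # unpredictable transaction ID
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + _encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(query: bytes, answers: list[str], txid: Optional[int] = None) -> bytes:
    """Constructed reply: echoes the question and answers with A records that
    point (0xC00C) at the question name. Passing txid simulates a spoofer."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid if txid is None else txid,
                         FLAG_QR | FLAG_RD | FLAG_RA, 1, len(answers), 0, 0)
    rrs = b"".join(struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, 300, 4)
                   + IPv4Address(ip).packed for ip in answers)
    return header + query[12:] + rrs


def validate_response(query: bytes, response: bytes) -> list[str]:
    """Return the A records only if the reply matches our query exactly."""
    try:
        q_id = struct.unpack("!H", query[:2])[0]
        r_id, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
        if r_id != q_id:
            raise ValueError("transaction ID mismatch")
        if not flags & FLAG_QR:
            raise ValueError("QR bit clear: not a response")
        if qdcount != 1:
            raise ValueError("unexpected question count")
        sent, q_off = _read_name(query, 12)
        got, r_off = _read_name(response, 12)
        if got != sent or response[r_off:r_off + 4] != query[q_off:q_off + 4]:
            raise ValueError("question section does not echo the query")
        r_off += 4
        ips = []
        for _ in range(ancount):
            _, r_off = _read_name(response, r_off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[r_off:r_off + 10])
            r_off += 10
            rdata = response[r_off:r_off + rdlen]
            r_off += rdlen
            if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
                ips.append(str(IPv4Address(rdata)))
        return ips
    except (IndexError, struct.error) as exc:
        raise ValueError(f"malformed response: {exc}") from exc


def accepted(query: bytes, response: bytes) -> bool:
    try:
        validate_response(query, response)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    q = build_query(randomize_case("google-analytics.com"))
    print(validate_response(q, build_response(q, ["203.0.113.5"])))
    print(accepted(q, build_response(q, ["198.51.100.9"], txid=0x1235)))
```

These checks are what a stub resolver or forwarder can do without DNSSEC: they raise the cost of blind spoofing from guessing one 16-bit value to guessing the ID, the source port and every letter's case. They do nothing against an attacker who already controls the configured resolver (the hosts-file, registry and router cases above), which is why the answer itself still needs to be verifiable, which is DNSSEC's job.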
Conclusions
Summing it up
• On the user's side, more can be done
• Again and again, strong passwords
• Harden default hardware settings
• Systematic updates of both firmware and software
• Remote management only through a VPN
• On the hardware vendors' side
• Unique default passwords per device
• Secure default settings (disable or limit remote access!)
• Emphasis on firmware security
• On the security vendors' side
• Checks for the various weak points (passwords, default settings, vulnerabilities, etc.)
• Inform the user about possible security holes
Thank You
Evgeny Aseev, Senior Malware Analyst, Kaspersky Lab
CNCERT/CC 2011 Annual Conference

Contenu connexe

Tendances

Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackKaustubh Padwad
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksNetSPI
 
From liability to asset, the role you should be playing in your security arch...
From liability to asset, the role you should be playing in your security arch...From liability to asset, the role you should be playing in your security arch...
From liability to asset, the role you should be playing in your security arch...Jisc
 
Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014chrissanders88
 
Exploiting appliances presentation v1.1-vids-removed
Exploiting appliances   presentation  v1.1-vids-removedExploiting appliances   presentation  v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removedNCC Group
 
Ddos and mitigation methods.pptx
Ddos and mitigation methods.pptxDdos and mitigation methods.pptx
Ddos and mitigation methods.pptxOzkan E
 
Datafoucs 2014 on line digital forensic investigations damir delija 2
Datafoucs 2014 on line digital forensic investigations damir delija 2Datafoucs 2014 on line digital forensic investigations damir delija 2
Datafoucs 2014 on line digital forensic investigations damir delija 2Damir Delija
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
DNS Security WebTitan Web Filter - Stop Malware
DNS Security WebTitan Web Filter - Stop Malware DNS Security WebTitan Web Filter - Stop Malware
DNS Security WebTitan Web Filter - Stop Malware Dryden Geary
 
Malware and Modern Propagation Techniques
Malware and Modern Propagation TechniquesMalware and Modern Propagation Techniques
Malware and Modern Propagation TechniquesJoseph Bugeja
 
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiComputer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiProfessor Lili Saghafi
 
Digital Immunity -The Myths and Reality
Digital Immunity -The Myths and RealityDigital Immunity -The Myths and Reality
Digital Immunity -The Myths and Realityamiable_indian
 
EnCase Enterprise Basic File Collection
EnCase Enterprise Basic File Collection EnCase Enterprise Basic File Collection
EnCase Enterprise Basic File Collection Damir Delija
 
Forensic Analysis - Empower Tech Days 2013
Forensic Analysis - Empower Tech Days 2013Forensic Analysis - Empower Tech Days 2013
Forensic Analysis - Empower Tech Days 2013Islam Azeddine Mennouchi
 
Ddos- distributed denial of service
Ddos- distributed denial of service Ddos- distributed denial of service
Ddos- distributed denial of service laxmi chandolia
 

Tendances (20)

Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
 
Session 4.1 Roy Arends
Session 4.1 Roy ArendsSession 4.1 Roy Arends
Session 4.1 Roy Arends
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary Attacks
 
From liability to asset, the role you should be playing in your security arch...
From liability to asset, the role you should be playing in your security arch...From liability to asset, the role you should be playing in your security arch...
From liability to asset, the role you should be playing in your security arch...
 
Destributed denial of service attack ppt
Destributed denial of service attack pptDestributed denial of service attack ppt
Destributed denial of service attack ppt
 
Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014
 
Exploiting appliances presentation v1.1-vids-removed
Exploiting appliances   presentation  v1.1-vids-removedExploiting appliances   presentation  v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removed
 
Denail of Service
Denail of ServiceDenail of Service
Denail of Service
 
Dos attack
Dos attackDos attack
Dos attack
 
Ddos and mitigation methods.pptx
Ddos and mitigation methods.pptxDdos and mitigation methods.pptx
Ddos and mitigation methods.pptx
 
Datafoucs 2014 on line digital forensic investigations damir delija 2
Datafoucs 2014 on line digital forensic investigations damir delija 2Datafoucs 2014 on line digital forensic investigations damir delija 2
Datafoucs 2014 on line digital forensic investigations damir delija 2
 
5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS Attack5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS Attack
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
 
DNS Security WebTitan Web Filter - Stop Malware
DNS Security WebTitan Web Filter - Stop Malware DNS Security WebTitan Web Filter - Stop Malware
DNS Security WebTitan Web Filter - Stop Malware
 
Malware and Modern Propagation Techniques
Malware and Modern Propagation TechniquesMalware and Modern Propagation Techniques
Malware and Modern Propagation Techniques
 
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiComputer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
 
Digital Immunity -The Myths and Reality
Digital Immunity -The Myths and RealityDigital Immunity -The Myths and Reality
Digital Immunity -The Myths and Reality
 
EnCase Enterprise Basic File Collection
EnCase Enterprise Basic File Collection EnCase Enterprise Basic File Collection
EnCase Enterprise Basic File Collection
 
Forensic Analysis - Empower Tech Days 2013
Forensic Analysis - Empower Tech Days 2013Forensic Analysis - Empower Tech Days 2013
Forensic Analysis - Empower Tech Days 2013
 
Ddos- distributed denial of service
Ddos- distributed denial of service Ddos- distributed denial of service
Ddos- distributed denial of service
 

En vedette

The Art of the Pitching
The Art of the PitchingThe Art of the Pitching
The Art of the Pitchinghuer1278ft
 
5 (Ridiculously) Simple Steps to Creating Your Employment Brand | CAREEREALISM
5 (Ridiculously) Simple Steps to Creating Your Employment Brand | CAREEREALISM5 (Ridiculously) Simple Steps to Creating Your Employment Brand | CAREEREALISM
5 (Ridiculously) Simple Steps to Creating Your Employment Brand | CAREEREALISMJ.T. O'Donnell
 
Pitch Deck Templates for Startups
Pitch Deck Templates for StartupsPitch Deck Templates for Startups
Pitch Deck Templates for StartupsNextView Ventures
 
Recruitment: Candidate Experience and Storytelling Lessons from Hollywood
Recruitment: Candidate Experience and Storytelling Lessons from HollywoodRecruitment: Candidate Experience and Storytelling Lessons from Hollywood
Recruitment: Candidate Experience and Storytelling Lessons from HollywoodPh.Creative
 
10 Project Proposal Writing
10 Project Proposal Writing10 Project Proposal Writing
10 Project Proposal WritingTony
 
UX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and ArchivesUX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and ArchivesNed Potter
 

En vedette (7)

The Art of the Pitching
The Art of the PitchingThe Art of the Pitching
The Art of the Pitching
 
5 (Ridiculously) Simple Steps to Creating Your Employment Brand | CAREEREALISM
5 (Ridiculously) Simple Steps to Creating Your Employment Brand | CAREEREALISM5 (Ridiculously) Simple Steps to Creating Your Employment Brand | CAREEREALISM
5 (Ridiculously) Simple Steps to Creating Your Employment Brand | CAREEREALISM
 
Pitch Deck Templates for Startups
Pitch Deck Templates for StartupsPitch Deck Templates for Startups
Pitch Deck Templates for Startups
 
Recruitment: Candidate Experience and Storytelling Lessons from Hollywood
Recruitment: Candidate Experience and Storytelling Lessons from HollywoodRecruitment: Candidate Experience and Storytelling Lessons from Hollywood
Recruitment: Candidate Experience and Storytelling Lessons from Hollywood
 
Smart city
Smart citySmart city
Smart city
 
10 Project Proposal Writing
10 Project Proposal Writing10 Project Proposal Writing
10 Project Proposal Writing
 
UX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and ArchivesUX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and Archives
 

Similaire à abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-卡巴斯基实验室资深病毒分析师 evgeny aseev

THOTCON - The War over your DNS Queries
THOTCON - The War over your DNS QueriesTHOTCON - The War over your DNS Queries
THOTCON - The War over your DNS QueriesJohn Bambenek
 
Day 2 Dns Cert 4c Malicious Use
Day 2   Dns Cert 4c Malicious UseDay 2   Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious Usevngundi
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
 
DNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and ResponseDNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and Responsepm123008
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisJason Trost
 
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...DTM Security
 
PLNOG15-DNS is the root of all evil in the network. How to become a superhero...
PLNOG15-DNS is the root of all evil in the network. How to become a superhero...PLNOG15-DNS is the root of all evil in the network. How to become a superhero...
PLNOG15-DNS is the root of all evil in the network. How to become a superhero...PROIDEA
 
NANOG 84: DNS Openness
NANOG 84: DNS OpennessNANOG 84: DNS Openness
NANOG 84: DNS OpennessAPNIC
 
DNS Security, is it enough?
DNS Security, is it enough? DNS Security, is it enough?
DNS Security, is it enough? Zscaler
 
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...EC-Council
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsAndrew Morris
 
DNS Advanced Attacks and Analysis
DNS Advanced Attacks and AnalysisDNS Advanced Attacks and Analysis
DNS Advanced Attacks and AnalysisCSCJournals
 
Types of Attack in Information and Network Security
Types of Attack in Information and Network SecurityTypes of Attack in Information and Network Security
Types of Attack in Information and Network Securitypadmeshagrekar
 
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014Leonardo Nve Egea
 
Infoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid Them
Infoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid ThemInfoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid Them
Infoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid ThemJennifer Nichols
 

Similaire à abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-卡巴斯基实验室资深病毒分析师 evgeny aseev (20)

Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache Poisoning
 
Dns firewalls null-may2020
Dns firewalls null-may2020Dns firewalls null-may2020
Dns firewalls null-may2020
 
DNS Security
DNS SecurityDNS Security
DNS Security
 
THOTCON - The War over your DNS Queries
THOTCON - The War over your DNS QueriesTHOTCON - The War over your DNS Queries
THOTCON - The War over your DNS Queries
 
Day 2 Dns Cert 4c Malicious Use
Day 2   Dns Cert 4c Malicious UseDay 2   Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious Use
 
Dmk bo2 k8_ccc
Dmk bo2 k8_cccDmk bo2 k8_ccc
Dmk bo2 k8_ccc
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
 
DNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and ResponseDNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and Response
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
 
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
 
PLNOG15-DNS is the root of all evil in the network. How to become a superhero...
PLNOG15-DNS is the root of all evil in the network. How to become a superhero...PLNOG15-DNS is the root of all evil in the network. How to become a superhero...
PLNOG15-DNS is the root of all evil in the network. How to become a superhero...
 
Botnets Attacks.pptx
Botnets Attacks.pptxBotnets Attacks.pptx
Botnets Attacks.pptx
 
NANOG 84: DNS Openness
NANOG 84: DNS OpennessNANOG 84: DNS Openness
NANOG 84: DNS Openness
 
DNS Security, is it enough?
DNS Security, is it enough? DNS Security, is it enough?
DNS Security, is it enough?
 
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
 
DNS Advanced Attacks and Analysis
DNS Advanced Attacks and AnalysisDNS Advanced Attacks and Analysis
DNS Advanced Attacks and Analysis
 
Types of Attack in Information and Network Security
Types of Attack in Information and Network SecurityTypes of Attack in Information and Network Security
Types of Attack in Information and Network Security
 
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
 
Infoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid Them
Infoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid ThemInfoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid Them
Infoblox White Paper - Top Five DNS Security Attack Risks and How to Avoid Them
 

Dernier

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 

Dernier (20)

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Abusing DNS to spread malware: from router to end user (Kaspersky Lab Senior Malware Analyst Evgeny Aseev)

  • 1. Abusing DNS to spread malware From router to end-user Evgeny Aseev, Senior Malware Analyst, Kaspersky Lab CNCERT/CC 2011 Annual Conference
  • 2. What is DNS? And why can it be abused?
  • 3. What is DNS? DNS – Domain Name System DNS translates domain names meaningful to humans into the numerical identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide DNS is a "phone book" for the Internet Examples: kaspersky.com -> 91.103.64.6 google.com -> 209.85.149.104
  • 4. Why can DNS be abused? • Technical side • Open, distributed design • Lots of nodes • Everybody can start one • Usage of User Datagram Protocol (UDP) • Unreliable (no concept of acknowledgment, retransmission or timeout) • Not ordered (if two messages are sent to the same recipient, the order in which they arrive cannot be predicted) • Human factor • Not well-qualified network administrators • Network security holes • Default hardware configurations • etc. • End-users themselves • The easiest object to abuse!
  • 5. How can DNS be abused? Real-world examples
  • 6. How can DNS be abused? Instead of going into cool theoretical stuff about techniques of exploiting DNS itself, I would rather show some real-world examples of attacks and malicious programs related to DNS.
  • 7. Abusing DNS Simple example: changing user’s DNS settings using ‘hosts’ file That’s how normal ‘hosts’ file looks like And that’s an infected example
  • 8. Abusing DNS Simple example: changing user’s DNS settings using relocated ‘hosts’ file That’s where ‘hosts’ file should be located But it can be relocated and infected And original ‘hosts’ file remains unchanged
  • 9. Abusing DNS Simple example: changing user’s DNS settings using network registry settings That’s how ‘NameServer’ option should look like But it can be manually changed.. And immediately updated
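A defender-side check for the three user-level tamperings shown on slides 7 to 9 (planted hosts-file entries, a relocated hosts file, a changed NameServer value), as an added Python example that is not part of the talk. It assumes the hosts-file text and the NameServer string are read beforehand and passed in as strings; the registry locations in the comments (the DataBasePath value and the per-interface NameServer value under the Tcpip\Parameters key) are the standard Windows ones, and the sample hosts content and the 203.0.113.x addresses are constructed.

```python
"""Added example (not from the talk): flag the user-level DNS tampering the
slides show - hosts-file overrides, a relocated hosts file, and a changed
NameServer value.  Inputs are plain strings, so the checks run anywhere."""
import ipaddress
import os
import re
import sys

# Constructed sample hosts file: the normal loopback lines plus two planted
# overrides (203.0.113.0/24 is documentation space, not a real server).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    kaspersky.com
203.0.113.10    www.google-analytics.com   # planted
"""

# Domains a workstation should never resolve through a local override.
WATCHED_DOMAINS = ("kaspersky.com", "google-analytics.com", "google.com")

# Default hosts-file directory on Windows; slide 8's "relocated" file is
# done by pointing the DataBasePath registry value somewhere else.
DEFAULT_DATABASE_PATH = r"%SystemRoot%\System32\drivers\etc"


def parse_hosts(text):
    """Yield (ip, hostname) pairs, dropping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def suspicious_hosts_entries(text, watched=WATCHED_DOMAINS):
    """Return entries that map a watched domain to a non-loopback address."""
    hits = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback:
            continue
        if any(name == d or name.endswith("." + d) for d in watched):
            hits.append((ip, name, "watched domain overridden"))
    return hits


def hosts_file_relocated(database_path):
    """True when DataBasePath points anywhere but the default directory
    (compared case-insensitively after environment-variable expansion)."""
    expand = lambda p: os.path.expandvars(p).rstrip("\\/").lower()
    return expand(database_path) != expand(DEFAULT_DATABASE_PATH)


def rogue_nameservers(value, allowed):
    """NameServer is a comma- or space-separated list of resolver IPs;
    return the ones that are not on the organisation's allow-list."""
    servers = [s for s in re.split(r"[,\s]+", value.strip()) if s]
    return [s for s in servers if s not in allowed]


def read_windows_settings():
    """Read DataBasePath and every interface's NameServer from the registry
    (Windows only; returns None on other platforms)."""
    if sys.platform != "win32":
        return None
    import winreg
    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as k:
        db_path = winreg.QueryValueEx(k, "DataBasePath")[0]
    nameservers = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + r"\Interfaces") as k:
        i = 0
        while True:
            try:
                guid = winreg.EnumKey(k, i)
            except OSError:          # no more subkeys
                break
            with winreg.OpenKey(k, guid) as ik:
                try:
                    nameservers[guid] = winreg.QueryValueEx(ik, "NameServer")[0]
                except FileNotFoundError:   # interface uses DHCP-assigned DNS
                    pass
            i += 1
    return db_path, nameservers


if __name__ == "__main__":
    for hit in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("hosts:", hit)
    print("relocated:", hosts_file_relocated(r"C:\Windows\Temp\etc"))
    print("rogue resolvers:", rogue_nameservers("8.8.8.8,203.0.113.53", {"8.8.8.8"}))
```

On a Windows host, feed the tuple from `read_windows_settings()` into `hosts_file_relocated` and `rogue_nameservers`; the allow-list is whatever resolvers the organisation actually hands out, since a per-interface NameServer value that differs from them is exactly the change slide 9 shows.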
  • 10. Abusing DNS More advanced example: Rorpian case • First of all, malware gets on user’s PC via removable media • Then, the magic begins • Malware configures user’s system as DHCP server and starts listening to the local network • If the system is already infected, manually sets the DNS server to Google’s one (8.8.8.8) • When a DHCP request from another computer arrives, malicious DHCP server attempts to answer before official one • If the attempt was successful, another computer’s DNS will be changed to malicious one • Which leads to.. Malware infection from any visited resource!
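How a network monitor can spot the rogue-DHCP behaviour described on the Rorpian slide, as an added Python example that is not part of the talk: it parses DHCPOFFER packets, flags an offer whose server identifier or pushed DNS servers are not on the authorised list, and reports a transaction that received offers from more than one server (the race the malware wins by answering first). The packets are built inline from constructed addresses in 192.0.2.0/24; a real deployment would feed captured UDP port 67/68 payloads into the same functions.

```python
"""Added example (not from the talk): inspect DHCPOFFER packets for the
rogue-server behaviour on the Rorpian slide.  Packets are constructed
in memory; nothing is sent on the network."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field
OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 6, 53, 54, 255
DHCPOFFER = b"\x02"


def build_offer(xid, yiaddr, server_id, dns_servers):
    """Build a minimal DHCPOFFER (constructed test data, not a capture)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        2, 1, 6, 0, xid, 0, 0,          # BOOTREPLY over Ethernet
                        b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed,
                        b"\0" * 4, b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    dns = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    options = (bytes([OPT_MSG_TYPE, 1]) + DHCPOFFER
               + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
               + bytes([OPT_DNS, len(dns)]) + dns
               + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + options


def parse_options(packet):
    """Return {code: value} for the TLV options after the magic cookie."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                 # pad byte, no length
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option")
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return options


def assess_offer(packet, authorized_servers, authorized_dns):
    """Findings for one OFFER: unlisted server identifier or DNS servers."""
    options = parse_options(packet)
    if options.get(OPT_MSG_TYPE) != DHCPOFFER:
        return []
    findings = []
    server = str(ipaddress.IPv4Address(options.get(OPT_SERVER_ID, b"\0\0\0\0")))
    if server not in authorized_servers:
        findings.append("offer from unlisted DHCP server " + server)
    dns_raw = options.get(OPT_DNS, b"")
    for k in range(0, len(dns_raw) - len(dns_raw) % 4, 4):   # one IPv4 per 4 bytes
        dns = str(ipaddress.IPv4Address(dns_raw[k:k + 4]))
        if dns not in authorized_dns:
            findings.append("offer pushes unlisted DNS server " + dns)
    return findings


def competing_offers(packets):
    """Transaction ids answered by more than one server: the race the
    malware relies on (answering before the official server does)."""
    servers_by_xid = {}
    for p in packets:
        options = parse_options(p)
        if options.get(OPT_MSG_TYPE) != DHCPOFFER:
            continue
        xid = struct.unpack("!I", p[4:8])[0]
        servers_by_xid.setdefault(xid, set()).add(options.get(OPT_SERVER_ID))
    return {xid: len(s) for xid, s in servers_by_xid.items() if len(s) > 1}


# Constructed scenario: the real server and a rogue host both answer xid 0x1234.
LEGIT_OFFER = build_offer(0x1234, "192.0.2.50", "192.0.2.1", ["192.0.2.1"])
ROGUE_OFFER = build_offer(0x1234, "192.0.2.50", "192.0.2.77", ["192.0.2.77"])
AUTHORIZED = {"192.0.2.1"}

if __name__ == "__main__":
    print(assess_offer(ROGUE_OFFER, AUTHORIZED, AUTHORIZED))
    print(competing_offers([LEGIT_OFFER, ROGUE_OFFER]))
```

The two checks complement each other: `assess_offer` needs an inventory of legitimate servers, while `competing_offers` needs none and still catches the Rorpian pattern, because a healthy segment never sees two server identifiers for one transaction id.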
  • 11. Abusing DNS More high-level threat: hacking the routers • Main security issues • weak default passwords or no password change enforcement • insecure default configuration • firmware vulnerabilities & services implementation errors • lack of awareness
  • 12. Abusing DNS How to hack a million routers? Overhyped? Not at all.
  • 14. Abusing DNS Example: D-Link & Tsunami case Malware goes even inside the router itself!
  • 15. Abusing DNS Examples: it’s only the beginning
  • 16. Abusing DNS Even more high-level threat: hacking the DNS servers
  • 17. Abusing DNS Last example: mysterious google-analytics.com case • Several months ago by Kaspersky Security Network (KSN) we received tons of notifications of javascript Iframer malware planted on http://google-analytics.com/ga.js • ga.js downloaded from google-analytics.com was clean • But when we got some file from users.. It was infected! • First version redirects user to domain name quehduid.com, which wasn’t even registered! • But still, we received notifications about exploits downloaded using this domain • Analyzed tons of malware which could be connected to this case • Found nothing common to DNS poisoning/hijacking • But found some interesting geographic pattern between versions It seems like something is wrong with the local DNS in these countries, isn’t it?
  • 19. Conclusions Summing it up • DNS can be hijacked/poisoned on every layer of the network organization structure • Users • Routers • DNS servers • DNS was not originally designed with security in mind • Thus it has a number of security issues • There are some technical things that can make it more secure • Domain Name System Security Extensions (DNSSEC) - cryptographically signed responses • OpenDNS - misspelling correction, phishing protection, content filtering, blocks bad IPs, stops bots from 'phoning home' • Google Public DNS - basic validity checking, adding entropy to requests, removing duplicate queries, rate-limiting queries
  • 20. Conclusions Summing it up • From the user’s side, more things can be done • Again and again, strong passwords • Hardening default hardware settings • Systematic updates of both firmware and software • Remote control through VPN • From the hardware vendors’ side • Unique default passwords for devices • Secure default settings (disable or limit remote access!) • Emphasis on firmware security • From the security vendors’ side • Miscellaneous security checks (passwords, default settings, vulnerabilities etc.) • Inform users of possible security holes
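What "adding entropy to requests" in the conclusions means in practice, as an added Python example that is not part of the talk: a resolver draws a random 16-bit transaction id and randomises the letter case of the question name (the so-called 0x20 technique), and then accepts a reply only if it carries that id and echoes the question name with exactly the case that was sent. Both the query builder and the acceptance check are written here from scratch for illustration; the replies are constructed in memory and nothing is sent on the network.

```python
"""Added example (not from the talk): transaction-id and 0x20 case
randomisation on the query side, and the matching acceptance check a
hardened resolver applies to every reply.  All packets are built in memory."""
import secrets
import struct

QTYPE_A, QCLASS_IN = 1, 1


def randomize_case(name, rng=secrets.randbits):
    """Flip each letter to upper or lower case at random.  A genuine answer
    echoes the question byte for byte, so every letter adds one bit that a
    reply not derived from the real query would have to guess, on top of
    the 16-bit transaction id."""
    return "".join(c.upper() if c.isalpha() and rng(1) else c.lower() for c in name)


def encode_name(name):
    """Wire format: length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return out + b"\0"


def decode_name(data, offset):
    """Read an uncompressed name; returns (name, offset just after it)."""
    labels = []
    while True:
        n = data[offset]
        if n == 0:
            return ".".join(labels), offset + 1
        if n & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(data[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n


def build_query(name, rng=secrets.randbits):
    """Return (txid, qname as sent, packet) for an A query with RD set.
    rng is injectable so the behaviour can be tested deterministically."""
    txid = rng(16)
    qname = randomize_case(name.rstrip("."), rng)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, qname, header + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def response_matches(txid, qname, response):
    """Accept a reply only if it is a response (QR bit), carries our
    transaction id and echoes the question with the exact case we sent."""
    if len(response) < 12:
        return False
    rid, flags, qdcount = struct.unpack("!HHH", response[:6])
    if rid != txid or not flags & 0x8000 or qdcount != 1:
        return False
    try:
        name, end = decode_name(response, 12)
        qtype, qclass = struct.unpack("!HH", response[end:end + 4])
    except (IndexError, struct.error, ValueError, UnicodeDecodeError):
        return False
    return name == qname and (qtype, qclass) == (QTYPE_A, QCLASS_IN)


def make_reply(txid, qname):
    """Constructed reply with the given id and question name: a genuine
    server echoes both exactly; anything else must be rejected."""
    return (struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN))


if __name__ == "__main__":
    txid, qname, query = build_query("kaspersky.com")
    print(qname, response_matches(txid, qname, make_reply(txid, qname)))
```

The check is the whole point: randomising the query buys nothing unless the receiving side compares the echoed question case-sensitively and drops replies whose id or name does not match, which is why `response_matches` compares `name == qname` rather than folding case.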
  • 21. Thank You Evgeny Aseev, Senior Malware Analyst, Kaspersky Lab CNCERT/CC 2011 Annual Conference