SlideShare a Scribd company logo

Hitbkl 2012

F _
F _
1 of 55
Download to read offline
Messing up with Kids playground: Eradicating easy targets Yarochkin Fyodor @fygrave Vladimir Kropotov @vbkropotov Presented at HITBKL 2012
agenda Introduction (cybecrime 2012 – russian style :) Detecting malicious network infrastructure Getting one-step-ahead Conclusions
DCCrime-2012: Brief Introduction ● Bots and Botnets – still popular :) ● Monetization schemes vary. ● DbD is one of the most common attack vectors – We also have email – We also have stupid users downloading sh*t – Mobile is lucrative target (all your money are there)
DCCrime-2012: Introduction “Traffic” - is still an important component in the process :)
Main “components” to deal with ● Callback nodes (aka C&C) ● Traffic: – Compromised machines/or manipulated content – Banner networks – SEO (doorways)
What's new this year? ● Automated detection gets difficult. (anti- sandboxing, anti-crawler tricks) function() { var url = 'http://yyzola.gpbbsdhmjm.shacknet.nu/g/'; … document.onmousemove = function() { … ● In some cases of idiocy, human interaction is a must.. ● Mobile phone as the most common means of funds transfer
Mobile scams ● Fake apps are still big ● Android apps avail :)
So really, how easy it is to get pwned In Russia? :)
● So the focus of this research: – Identifying “bad kids” playground – mapping infrastructure, identifying potential targets, attempting to fix the problems, before “things hit hard”
Detecting malicious network infrastructure
DNS: (did u see this morning passive DNS talk? ;-)) With a spike of generative domain botnets, this seems like interesting research project DGAs produce very specific pattern in DNS traffic
Is this the only method to call back? Nop..
Alternatives... 13
Domain generative bots ● C&C is not hardcoded to maintain flexibility in cases when C&C is taken down. ● Some sort of algorithm is used to generate domain names ● Domains are tested for validity. IP address is obtained. ● Sometimes obfuscation involved. (for example: manipulations applied to resolved IP address)
How it looks on the wire
C&C/generative domains and pattern mining ● Generative-domain name based domains generate very specific voluminous DNS traffic ● Our research is primarily focused on picking up these patterns. Example Carberp (details provided by Vladimir Kropotov)
Carberp ● Bot Infection: Drive-By-HTTP ● Payload and intermediate malware domains: normal, recent registration dates or DynDNS ● Distributed via: Many many compromised web-sites, top score > 100 compromised resources detected during 1 week. ● C&C domains usually generated, but some special cases below ;-). ● C&C and Malware domains located on the same AS (from bot point of view). Easy to detect. ● Typical bot activity: Mass HTTP Post
Size Payload Referrer URL Domain 9414 javascript www.*****press.ru /g/18418362672595167.js beatshine.is- saved.org 45443 html www.*****press.ru /index.php? activatedreplacing. 28d9000e56c2a63080ff89c is-very-evil.org 6f5357591 4135 application/x //images/r/785cee8be7f1da activatedreplacing. -jar 9a9d60820cbf8b1840.jar is-very-evil.org 155529 application/e /server_privileges.php? activatedreplacing. xecutable 91370f5f009a815950578cb is-very-evil.org 539f28b58=3
Size Payload Referrer URL Domain 997 html Infected site /1/s.html 3645455029 4923 javascript 3645455029 /js/deployJava.js Java.com 18046 application/x /1/exp.jar 3645455029 -jar 138352 application/e /file1.dat 3645455029 xecutable
Detection: related works From Throw-Away Traffic to Bots: Detecting Rise of DGA-Based Malware (Manos Antonakakis, Roberto Redisci et al) (2012) L. Bilge, E. Kirda, C. Kruegel, and M. Balduzzi. EXPOSURE: Finding malicious domains using passive dns analysis. In Proceedings of NDSS, 2011 etc..
What we do differently: ● “lazy” WHOIS lookups, team cymru IP to ASN lookups ● Our own passive DNS index ● Sandbox farm (mainly to detect compromised websites automagically and study behavior)
Dealing with false positives: filtering ● Generated sequences: n-gram analysis ● WHOIS cross-ref (if available) ● Ips belong to Malicious ASN ● Public domain lists (alexa top 100k) works well as whitelist
Cat and mouse game ● Of course all of this is easy to evade. Once you know the method. But security is always about 'cat-n-mouse' game ;-)
Architecture ● What we are building ;)
Are we using signatures? Yes and No.. ● We don't have signatures for C&C domains.. ● But we maintain patterns for suspicious whois data (registration date, registrar, email, ..) ● Historical DNS and AS association (bad IP) ● Generic patterns for generative domains (high, similarly distributed pattern of failed lookups within the same zone)
A walk through automated detection ● In this example we will show how automated detection works step by step. We will show redis queries in form of interactive session:
Detection starting point: rcode: 3 (Non-existing domains) 12 10 8 Column 1 6 Column 2 Column 3 4 2 0 Row 1 Row 2 Row 3 Row 4
Rcode:2 domains Detection: rcode:2 (server failure) (failed servers)
Sample analysis (step by step) ● Start looking for a failed pattern and cluster id:
Sample analysis (two) ● Get the cluster ID: (eu_11_14) Clustering is based on domain similarity. Currently used characteristics: - f(zone, pattern (length, depth)) - additional characteristics (building up): natural language domain vs. generated string (occurrence of two-character sequences - n-grams) - domain registration parameters (obtained via WHOIS [ problematic! ] ) - cross-reference with existing malicious IP and AS reputation database (incrementally built by us)
Sample analysis ● Get other members of the cluster
Sample analysis ● Find common members (notice avatarmaker.eu could be a false positive, easily filtered out through common denominator filering (IP, WHOIS information)
Sample analysis ● So we have C&C IP 66.175.210.173 ● we can continue mining to see if we get any other domain names:
Sample analysis ● Look! We just met an old friend!!
Sample analysis ● Palevo:
Mapping C&C (easily automated) ● http://cihunemyror.eu/login.php ● http://foxivusozuc.eu/login.php ● http://ryqecolijet.eu/login.php ● http://xuqohyxeqak.eu/login.php ● http://foqaqehacew.eu/login.php ● http://jecijyjudew.eu/login.php ● http://voworemoziv.eu/login.php ● http://mamixikusah.eu/login.php ● http://qebahilojam.eu/login.php ● http://foqaqehacew.eu/search.php ● http://foqaqehacew.eu/search.php ● http://foqaqehacew.eu/LMvg9Ng1d.php
Sample analysis ● Finding more relevant domains:
Automation
Zoom in...
Performance ● On single machine (32Gb RAM) we run up to 2000 pkt/sec without significant performance loss ● Average load:
Other Interesting numbers ● Packets per day: ~130M filtered. ● Mal. Domains/day: ~30k DNS queries (varies) ● Avg. 30-50 req/minute for single domain ●
Uses of the data ● Obvious: blacklists ● Botnet take overs (costs 11USD or less ;) ● Sinkholing
Detection ● (demos, lets look at some videos :)
What could be more flux than fastflux? ;-) ● WHOIS fastflux … HOW?! Domain ID:D166393631-LROR Domain Name:FOOTBALL-SECURITY- WETRLSGPIEO.ORG Created On:21-Aug-2012 01:23:52 UTC Last Updated On:21-Aug-2012 01:23:53 UTC Expiration Date:21-Aug-2013 01:23:52 UTC Sponsoring Registrar:Click Registrar, Inc. d/b/a publicdomainregistry.com (R1935-LROR) Status:CLIENT TRANSFER PROHIBITED Status:TRANSFER PROHIBITED Status:ADDPERIOD Registrant ID:PP-SP-001 Registrant Name:Domain Admin Registrant Organization:PrivacyProtect.org Registrant Street1:ID#10760, PO Box 16 Registrant Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
Moving ahead: Finding easy targets before they do :)
In short, it is all about quick ways of finding idiots having no clue of what they are doing with wordpress, oscommerce, openx, [put yer fave] And forcing them to update before they get owned ;) And hmm.. doing it country-wide
disclaimer Just another “small data” project we play with. Around 4 machines solr cluster. Largely inspired by “Fruit: why so low?” by Adam MetlStorm (hack.lu 2011)
Scanning internet is not new.. but pretty much realistic
Architecture ● Network port discovery (agents) ● Banner collection (agents) ● Backend Store: SOLR ● Collectibles: services and ports, OS fingerprints, ● ASN/OWNER/netblock/Country, geographical location/App data
Architecture(2) ● Roughly something like that
Approach ● Scan slow (avoid abuse reports) ● Index time ● Passive “mapper” (simple sniffer + browser fingerprinting at the moment) ● Larger range of ports (account port numbers, which are actively being scanned from firewall log analysis, honeypot machines etc) ● For web apps – (wafp fingerprinting) + index banner (noisy, cause of most of the abuse complaints)
How you use this shit...
Features ● Scriptable via restful API (think of solr) (cuz UI is for sissies ;-)) ● Query by any combination of: – software version/banner regex (solr/lucene style) – geospatial search (via geohash) – ASN or regex on ASN owner – Country code
Uses CERT team: automated notifications of idiots running old wordpress within particular range, geographic location or organization is a one liner script
Questions @fygrave @vbkropotov

Recommended

Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017 Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017J Hartig
 
Taming botnets
Taming botnetsTaming botnets
Taming botnetsf00d
 
MongoDB Advanced Topics
MongoDB Advanced TopicsMongoDB Advanced Topics
MongoDB Advanced TopicsCésar Rodas
 
Hacklu2012 v07
Hacklu2012 v07Hacklu2012 v07
Hacklu2012 v07F _
 
Thinking in documents
Thinking in documentsThinking in documents
Thinking in documentsCésar Rodas
 
Mezi snem a realitou. Otevřená data českého webového archivu.
Mezi snem a realitou. Otevřená data českého webového archivu.Mezi snem a realitou. Otevřená data českého webového archivu.
Mezi snem a realitou. Otevřená data českého webového archivu.Webarchive of National Library of the Czech Republic
 
DEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot webDEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot webFelipe Prado
 
MongoDB Europe 2016 - Debugging MongoDB Performance
MongoDB Europe 2016 - Debugging MongoDB PerformanceMongoDB Europe 2016 - Debugging MongoDB Performance
MongoDB Europe 2016 - Debugging MongoDB PerformanceMongoDB
 

Recommended

Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017 Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017J Hartig
 
Taming botnets
Taming botnetsTaming botnets
Taming botnetsf00d
 
MongoDB Advanced Topics
MongoDB Advanced TopicsMongoDB Advanced Topics
MongoDB Advanced TopicsCésar Rodas
 
Hacklu2012 v07
Hacklu2012 v07Hacklu2012 v07
Hacklu2012 v07F _
 
Thinking in documents
Thinking in documentsThinking in documents
Thinking in documentsCésar Rodas
 
Mezi snem a realitou. Otevřená data českého webového archivu.
Mezi snem a realitou. Otevřená data českého webového archivu.Mezi snem a realitou. Otevřená data českého webového archivu.
Mezi snem a realitou. Otevřená data českého webového archivu.Webarchive of National Library of the Czech Republic
 
DEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot webDEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot webFelipe Prado
 
MongoDB Europe 2016 - Debugging MongoDB Performance
MongoDB Europe 2016 - Debugging MongoDB PerformanceMongoDB Europe 2016 - Debugging MongoDB Performance
MongoDB Europe 2016 - Debugging MongoDB PerformanceMongoDB
 
MongoDB (Advanced)
MongoDB (Advanced)MongoDB (Advanced)
MongoDB (Advanced)TO THE NEW | Technology
 
Approach to find critical vulnerabilities
Approach to find critical vulnerabilitiesApproach to find critical vulnerabilities
Approach to find critical vulnerabilitiesAshish Kunwar
 
Google Hacking 101
Google Hacking 101Google Hacking 101
Google Hacking 101Sais Abdelkrim
 
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.SecuRing
 
MongoDB Europe 2016 - ETL for Pros – Getting Data Into MongoDB The Right Way
MongoDB Europe 2016 - ETL for Pros – Getting Data Into MongoDB The Right WayMongoDB Europe 2016 - ETL for Pros – Getting Data Into MongoDB The Right Way
MongoDB Europe 2016 - ETL for Pros – Getting Data Into MongoDB The Right WayMongoDB
 
Dns wildcards demystified
Dns wildcards demystifiedDns wildcards demystified
Dns wildcards demystifiedMen and Mice
 
Concise at NTU Graduate Institute of Linguistics
Concise at NTU Graduate Institute of Linguistics Concise at NTU Graduate Institute of Linguistics
Concise at NTU Graduate Institute of Linguistics kuanming
 
OSINT tools for security auditing with python
OSINT tools for security auditing with pythonOSINT tools for security auditing with python
OSINT tools for security auditing with pythonJose Manuel Ortega Candel
 
ElasticSearch: Найдется все... и быстро!
ElasticSearch: Найдется все... и быстро!ElasticSearch: Найдется все... и быстро!
ElasticSearch: Найдется все... и быстро!Alexander Byndyu
 
IPTC News in JSON Spring 2013
IPTC News in JSON Spring 2013IPTC News in JSON Spring 2013
IPTC News in JSON Spring 2013Stuart Myles
 
From russia final_bluehat10
From russia final_bluehat10From russia final_bluehat10
From russia final_bluehat10F _
 
0nights2011
0nights20110nights2011
0nights2011F _
 
Solving the enterprise security challenge - Derek holt
Solving the enterprise security challenge - Derek holtSolving the enterprise security challenge - Derek holt
Solving the enterprise security challenge - Derek holtRoopa Nadkarni
 
Performance Management With Rational Insight - Karthi D
Performance Management With Rational Insight - Karthi DPerformance Management With Rational Insight - Karthi D
Performance Management With Rational Insight - Karthi DRoopa Nadkarni
 
Honeycon2014: Mining IoCs from Honeypot data feeds
Honeycon2014: Mining IoCs from Honeypot data feedsHoneycon2014: Mining IoCs from Honeypot data feeds
Honeycon2014: Mining IoCs from Honeypot data feedsF _
 
Wrangle 2016: Staying Hippocratic with High Stakes Data
Wrangle 2016: Staying Hippocratic with High Stakes DataWrangle 2016: Staying Hippocratic with High Stakes Data
Wrangle 2016: Staying Hippocratic with High Stakes DataWrangleConf
 
Wrangle 2016: Malware Tracking at Scale
Wrangle 2016: Malware Tracking at ScaleWrangle 2016: Malware Tracking at Scale
Wrangle 2016: Malware Tracking at ScaleWrangleConf
 
whats wrong with modern security tools and other blurps
whats wrong with modern security tools and other blurpswhats wrong with modern security tools and other blurps
whats wrong with modern security tools and other blurpsF _
 
Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis
Life Cycle And Detection Of Bot Infections Through Network Traffic AnalysisLife Cycle And Detection Of Bot Infections Through Network Traffic Analysis
Life Cycle And Detection Of Bot Infections Through Network Traffic AnalysisPositive Hack Days
 
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Rod Soto
 
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"Jishnu Pradeep
 
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!EC-Council
 

More Related Content

What's hot

Approach to find critical vulnerabilities
Approach to find critical vulnerabilitiesApproach to find critical vulnerabilities
Approach to find critical vulnerabilitiesAshish Kunwar
 
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.SecuRing
 
MongoDB Europe 2016 - ETL for Pros – Getting Data Into MongoDB The Right Way
MongoDB Europe 2016 - ETL for Pros – Getting Data Into MongoDB The Right WayMongoDB Europe 2016 - ETL for Pros – Getting Data Into MongoDB The Right Way
MongoDB Europe 2016 - ETL for Pros – Getting Data Into MongoDB The Right WayMongoDB
 
Dns wildcards demystified
Dns wildcards demystifiedDns wildcards demystified
Dns wildcards demystifiedMen and Mice
 
Concise at NTU Graduate Institute of Linguistics
Concise at NTU Graduate Institute of Linguistics Concise at NTU Graduate Institute of Linguistics
Concise at NTU Graduate Institute of Linguistics kuanming
 
OSINT tools for security auditing with python
OSINT tools for security auditing with pythonOSINT tools for security auditing with python
OSINT tools for security auditing with pythonJose Manuel Ortega Candel
 
ElasticSearch: Найдется все... и быстро!
ElasticSearch: Найдется все... и быстро!ElasticSearch: Найдется все... и быстро!
ElasticSearch: Найдется все... и быстро!Alexander Byndyu
 
IPTC News in JSON Spring 2013
IPTC News in JSON Spring 2013IPTC News in JSON Spring 2013
IPTC News in JSON Spring 2013Stuart Myles
 

What's hot (10)

MongoDB (Advanced)
MongoDB (Advanced)MongoDB (Advanced)
MongoDB (Advanced)
 
Approach to find critical vulnerabilities
Approach to find critical vulnerabilitiesApproach to find critical vulnerabilities
Approach to find critical vulnerabilities
 
Google Hacking 101
Google Hacking 101Google Hacking 101
Google Hacking 101
 
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
 
MongoDB Europe 2016 - ETL for Pros – Getting Data Into MongoDB The Right Way
MongoDB Europe 2016 - ETL for Pros – Getting Data Into MongoDB The Right WayMongoDB Europe 2016 - ETL for Pros – Getting Data Into MongoDB The Right Way
MongoDB Europe 2016 - ETL for Pros – Getting Data Into MongoDB The Right Way
 
Dns wildcards demystified
Dns wildcards demystifiedDns wildcards demystified
Dns wildcards demystified
 
Concise at NTU Graduate Institute of Linguistics
Concise at NTU Graduate Institute of Linguistics Concise at NTU Graduate Institute of Linguistics
Concise at NTU Graduate Institute of Linguistics
 
OSINT tools for security auditing with python
OSINT tools for security auditing with pythonOSINT tools for security auditing with python
OSINT tools for security auditing with python
 
ElasticSearch: Найдется все... и быстро!
ElasticSearch: Найдется все... и быстро!ElasticSearch: Найдется все... и быстро!
ElasticSearch: Найдется все... и быстро!
 
IPTC News in JSON Spring 2013
IPTC News in JSON Spring 2013IPTC News in JSON Spring 2013
IPTC News in JSON Spring 2013
 

Viewers also liked

From russia final_bluehat10
From russia final_bluehat10From russia final_bluehat10
From russia final_bluehat10F _
 
0nights2011
0nights20110nights2011
0nights2011F _
 
Solving the enterprise security challenge - Derek holt
Solving the enterprise security challenge - Derek holtSolving the enterprise security challenge - Derek holt
Solving the enterprise security challenge - Derek holtRoopa Nadkarni
 
Performance Management With Rational Insight - Karthi D
Performance Management With Rational Insight - Karthi DPerformance Management With Rational Insight - Karthi D
Performance Management With Rational Insight - Karthi DRoopa Nadkarni
 
Honeycon2014: Mining IoCs from Honeypot data feeds
Honeycon2014: Mining IoCs from Honeypot data feedsHoneycon2014: Mining IoCs from Honeypot data feeds
Honeycon2014: Mining IoCs from Honeypot data feedsF _
 
Wrangle 2016: Staying Hippocratic with High Stakes Data
Wrangle 2016: Staying Hippocratic with High Stakes DataWrangle 2016: Staying Hippocratic with High Stakes Data
Wrangle 2016: Staying Hippocratic with High Stakes DataWrangleConf
 
Wrangle 2016: Malware Tracking at Scale
Wrangle 2016: Malware Tracking at ScaleWrangle 2016: Malware Tracking at Scale
Wrangle 2016: Malware Tracking at ScaleWrangleConf
 
whats wrong with modern security tools and other blurps
whats wrong with modern security tools and other blurpswhats wrong with modern security tools and other blurps
whats wrong with modern security tools and other blurpsF _
 

Viewers also liked (8)

From russia final_bluehat10
From russia final_bluehat10From russia final_bluehat10
From russia final_bluehat10
 
0nights2011
0nights20110nights2011
0nights2011
 
Solving the enterprise security challenge - Derek holt
Solving the enterprise security challenge - Derek holtSolving the enterprise security challenge - Derek holt
Solving the enterprise security challenge - Derek holt
 
Performance Management With Rational Insight - Karthi D
Performance Management With Rational Insight - Karthi DPerformance Management With Rational Insight - Karthi D
Performance Management With Rational Insight - Karthi D
 
Honeycon2014: Mining IoCs from Honeypot data feeds
Honeycon2014: Mining IoCs from Honeypot data feedsHoneycon2014: Mining IoCs from Honeypot data feeds
Honeycon2014: Mining IoCs from Honeypot data feeds
 
Wrangle 2016: Staying Hippocratic with High Stakes Data
Wrangle 2016: Staying Hippocratic with High Stakes DataWrangle 2016: Staying Hippocratic with High Stakes Data
Wrangle 2016: Staying Hippocratic with High Stakes Data
 
Wrangle 2016: Malware Tracking at Scale
Wrangle 2016: Malware Tracking at ScaleWrangle 2016: Malware Tracking at Scale
Wrangle 2016: Malware Tracking at Scale
 
whats wrong with modern security tools and other blurps
whats wrong with modern security tools and other blurpswhats wrong with modern security tools and other blurps
whats wrong with modern security tools and other blurps
 

Similar to Hitbkl 2012

Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis
Life Cycle And Detection Of Bot Infections Through Network Traffic AnalysisLife Cycle And Detection Of Bot Infections Through Network Traffic Analysis
Life Cycle And Detection Of Bot Infections Through Network Traffic AnalysisPositive Hack Days
 
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Rod Soto
 
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"Jishnu Pradeep
 
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!EC-Council
 
Yarochkin, kropotov, chetvertakov tracking surreptitious malware distributi...
Yarochkin, kropotov, chetvertakov tracking surreptitious malware distributi...Yarochkin, kropotov, chetvertakov tracking surreptitious malware distributi...
Yarochkin, kropotov, chetvertakov tracking surreptitious malware distributi...DefconRussia
 
Phd III - defending enterprise
Phd III - defending enterprise Phd III - defending enterprise
Phd III - defending enterprise F _
 
An EyeWitness View into your Network
An EyeWitness View into your NetworkAn EyeWitness View into your Network
An EyeWitness View into your NetworkCTruncer
 
HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!F _
 
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleGuardicore
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Andrew Case
 
Travelling to the far side of Andromeda
Travelling to the far side of AndromedaTravelling to the far side of Andromeda
Travelling to the far side of AndromedaJose Miguel Esparza
 
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...Demi Ben-Ari
 
Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...
Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...
Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...Codemotion
 
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemyPROIDEA
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
 
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017Demi Ben-Ari
 
Pen Testing Development
Pen Testing DevelopmentPen Testing Development
Pen Testing DevelopmentCTruncer
 
Fun with Macros & Other Sneaky Tricks to Avoid Detection - SANS Manchester 2020
Fun with Macros & Other Sneaky Tricks to Avoid Detection - SANS Manchester 2020Fun with Macros & Other Sneaky Tricks to Avoid Detection - SANS Manchester 2020
Fun with Macros & Other Sneaky Tricks to Avoid Detection - SANS Manchester 2020Greg Bailey
 
OSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and PractitionersOSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and PractitionersMegan DeBlois
 

Similar to Hitbkl 2012 (20)

Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis
Life Cycle And Detection Of Bot Infections Through Network Traffic AnalysisLife Cycle And Detection Of Bot Infections Through Network Traffic Analysis
Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis
 
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
 
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
 
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
 
Yarochkin, kropotov, chetvertakov tracking surreptitious malware distributi...
Yarochkin, kropotov, chetvertakov tracking surreptitious malware distributi...Yarochkin, kropotov, chetvertakov tracking surreptitious malware distributi...
Yarochkin, kropotov, chetvertakov tracking surreptitious malware distributi...
 
Phd III - defending enterprise
Phd III - defending enterprise Phd III - defending enterprise
Phd III - defending enterprise
 
An EyeWitness View into your Network
An EyeWitness View into your NetworkAn EyeWitness View into your Network
An EyeWitness View into your Network
 
HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!
 
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at Scale
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)
 
Travelling to the far side of Andromeda
Travelling to the far side of AndromedaTravelling to the far side of Andromeda
Travelling to the far side of Andromeda
 
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...
 
Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...
Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...
Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...
 
Bug bounty recon.pdf
Bug bounty recon.pdfBug bounty recon.pdf
Bug bounty recon.pdf
 
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
 
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017
 
Pen Testing Development
Pen Testing DevelopmentPen Testing Development
Pen Testing Development
 
Fun with Macros & Other Sneaky Tricks to Avoid Detection - SANS Manchester 2020
Fun with Macros & Other Sneaky Tricks to Avoid Detection - SANS Manchester 2020Fun with Macros & Other Sneaky Tricks to Avoid Detection - SANS Manchester 2020
Fun with Macros & Other Sneaky Tricks to Avoid Detection - SANS Manchester 2020
 
OSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and PractitionersOSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and Practitioners
 

More from F _

Rsa2016
Rsa2016Rsa2016
Rsa2016F _
 
Hitcon 2014: Surviving in tough Russian Environment
Hitcon 2014: Surviving in tough Russian EnvironmentHitcon 2014: Surviving in tough Russian Environment
Hitcon 2014: Surviving in tough Russian EnvironmentF _
 
Indicators of Compromise Magic: Living with compromise
Indicators of Compromise Magic: Living with compromiseIndicators of Compromise Magic: Living with compromise
Indicators of Compromise Magic: Living with compromiseF _
 
Incident Response Tactics with Compromise Indicators
Incident Response Tactics with Compromise IndicatorsIncident Response Tactics with Compromise Indicators
Incident Response Tactics with Compromise IndicatorsF _
 
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksHunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksF _
 
2011 hk fyodor-anthony_ppt
2011 hk fyodor-anthony_ppt2011 hk fyodor-anthony_ppt
2011 hk fyodor-anthony_pptF _
 

More from F _ (6)

Rsa2016
Rsa2016Rsa2016
Rsa2016
 
Hitcon 2014: Surviving in tough Russian Environment
Hitcon 2014: Surviving in tough Russian EnvironmentHitcon 2014: Surviving in tough Russian Environment
Hitcon 2014: Surviving in tough Russian Environment
 
Indicators of Compromise Magic: Living with compromise
Indicators of Compromise Magic: Living with compromiseIndicators of Compromise Magic: Living with compromise
Indicators of Compromise Magic: Living with compromise
 
Incident Response Tactics with Compromise Indicators
Incident Response Tactics with Compromise IndicatorsIncident Response Tactics with Compromise Indicators
Incident Response Tactics with Compromise Indicators
 
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksHunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
 
2011 hk fyodor-anthony_ppt
2011 hk fyodor-anthony_ppt2011 hk fyodor-anthony_ppt
2011 hk fyodor-anthony_ppt
 

Hitbkl 2012

  • 1. Messing up with Kids playground: Eradicating easy targets Yarochkin Fyodor @fygrave Vladimir Kropotov @vbkropotov Presented at HITBKL 2012
  • 2. agenda Introduction (cybecrime 2012 – russian style :) Detecting malicious network infrastructure Getting one-step-ahead Conclusions
  • 3. DCCrime-2012: Brief Introduction ● Bots and Botnets – still popular :) ● Monetization schemes vary. ● DbD is one of the most common attack vectors – We also have email – We also have stupid users downloading sh*t – Mobile is lucrative target (all your money are there)
  • 4. DCCrime-2012: Introduction “Traffic” - is still an important component in the process :)
  • 5. Main “components” to deal with ● Callback nodes (aka C&C) ● Traffic: – Compromised machines/or manipulated content – Banner networks – SEO (doorways)
  • 6. What's new this year? ● Automated detection gets difficult. (anti- sandboxing, anti-crawler tricks) function() { var url = 'http://yyzola.gpbbsdhmjm.shacknet.nu/g/'; … document.onmousemove = function() { … ● In some cases of idiocy, human interaction is a must.. ● Mobile phone as the most common means of funds transfer
  • 7. Mobile scams ● Fake apps are still big ● Android apps avail :)
  • 8. So really, how easy it is to get pwned In Russia? :)
  • 9. So the focus of this research: – Identifying “bad kids” playground – mapping infrastructure, identifying potential targets, attempting to fix the problems, before “things hit hard”
  • 10. Detecting malicious network infrastructure
  • 11. DNS: (did u see this morning passive DNS talk? ;-)) With a spike of generative domain botnets, this seems like interesting research project DGAs produce very specific pattern in DNS traffic
  • 12. Is this the only method to call back? Nop..
  • 14. Domain generative bots ● C&C is not hardcoded to maintain flexibility in cases when C&C is taken down. ● Some sort of algorithm is used to generate domain names ● Domains are tested for validity. IP address is obtained. ● Sometimes obfuscation involved. (for example: manipulations applied to resolved IP address)
  • 15. How it looks on the wire
  • 16. C&C/generative domains and pattern mining ● Generative-domain name based domains generate very specific voluminous DNS traffic ● Our research is primarily focused on picking up these patterns. Example Carberp (details provided by Vladimir Kropotov)
  • 17. Carberp ● Bot Infection: Drive-By-HTTP ● Payload and intermediate malware domains: normal, recent registration dates or DynDNS ● Distributed via: Many many compromised web-sites, top score > 100 compromised resources detected during 1 week. ● C&C domains usually generated, but some special cases below ;-). ● C&C and Malware domains located on the same AS (from bot point of view). Easy to detect. ● Typical bot activity: Mass HTTP Post
  • 18. Size Payload Referrer URL Domain 9414 javascript www.*****press.ru /g/18418362672595167.js beatshine.is- saved.org 45443 html www.*****press.ru /index.php? activatedreplacing. 28d9000e56c2a63080ff89c is-very-evil.org 6f5357591 4135 application/x //images/r/785cee8be7f1da activatedreplacing. -jar 9a9d60820cbf8b1840.jar is-very-evil.org 155529 application/e /server_privileges.php? activatedreplacing. xecutable 91370f5f009a815950578cb is-very-evil.org 539f28b58=3
  • 19. Size Payload Referrer URL Domain 997 html Infected site /1/s.html 3645455029 4923 javascript 3645455029 /js/deployJava.js Java.com 18046 application/x /1/exp.jar 3645455029 -jar 138352 application/e /file1.dat 3645455029 xecutable
  • 20. Detection: related works From Throw-Away Traffic to Bots: Detecting Rise of DGA-Based Malware (Manos Antonakakis, Roberto Redisci et al) (2012) L. Bilge, E. Kirda, C. Kruegel, and M. Balduzzi. EXPOSURE: Finding malicious domains using passive dns analysis. In Proceedings of NDSS, 2011 etc..
  • 21. What we do differently: ● “lazy” WHOIS lookups, team cymru IP to ASN lookups ● Our own passive DNS index ● Sandbox farm (mainly to detect compromised websites automagically and study behavior)
  • 22. Dealing with false positives: filtering ● Generated sequences: n-gram analysis ● WHOIS cross-ref (if available) ● Ips belong to Malicious ASN ● Public domain lists (alexa top 100k) works well as whitelist
  • 23. Cat and mouse game ● Of course all of this is easy to evade. Once you know the method. But security is always about 'cat-n-mouse' game ;-)
  • 24. Architecture ● What we are building ;)
  • 25. Are we using signatures? Yes and No.. ● We don't have signatures for C&C domains.. ● But we maintain patterns for suspicious whois data (registration date, registrar, email, ..) ● Historical DNS and AS association (bad IP) ● Generic patterns for generative domains (high, similarly distributed pattern of failed lookups within the same zone)
  • 26. A walk through automated detection ● In this example we will show how automated detection works step by step. We will show redis queries in form of interactive session:
  • 27. Detection starting point: rcode: 3 (Non-existing domains) 12 10 8 Column 1 6 Column 2 Column 3 4 2 0 Row 1 Row 2 Row 3 Row 4
  • 28. Rcode:2 domains Detection: rcode:2 (server failure) (failed servers)
  • 29. Sample analysis (step by step) ● Start looking for a failed pattern and cluster id:
  • 30. Sample analysis (two) ● Get the cluster ID: (eu_11_14) Clustering is based on domain similarity. Currently used characteristics: - f(zone, pattern (length, depth)) - additional characteristics (building up): natural language domain vs. generated string (occurrence of two-character sequences - n-grams) - domain registration parameters (obtained via WHOIS [ problematic! ] ) - cross-reference with existing malicious IP and AS reputation database (incrementally built by us)
  • 31. Sample analysis ● Get other members of the cluster
  • 32. Sample analysis ● Find common members (notice avatarmaker.eu could be a false positive, easily filtered out through common denominator filering (IP, WHOIS information)
  • 33. Sample analysis ● So we have C&C IP 66.175.210.173 ● we can continue mining to see if we get any other domain names:
  • 34. Sample analysis ● Look! We just met an old friend!!
  • 36. Mapping C&C (easily automated) ● http://cihunemyror.eu/login.php ● http://foxivusozuc.eu/login.php ● http://ryqecolijet.eu/login.php ● http://xuqohyxeqak.eu/login.php ● http://foqaqehacew.eu/login.php ● http://jecijyjudew.eu/login.php ● http://voworemoziv.eu/login.php ● http://mamixikusah.eu/login.php ● http://qebahilojam.eu/login.php ● http://foqaqehacew.eu/search.php ● http://foqaqehacew.eu/search.php ● http://foqaqehacew.eu/LMvg9Ng1d.php
  • 37. Sample analysis ● Finding more relevant domains:
  • 40. Performance ● On single machine (32Gb RAM) we run up to 2000 pkt/sec without significant performance loss ● Average load:
  • 41. Other Interesting numbers ● Packets per day: ~130M filtered. ● Mal. Domains/day: ~30k DNS queries (varies) ● Avg. 30-50 req/minute for single domain ●
  • 42. Uses of the data ● Obvious: blacklists ● Botnet take overs (costs 11USD or less ;) ● Sinkholing
  • 43. Detection ● (demos, lets look at some videos :)
  • 44. What could be more flux than fastflux? ;-) ● WHOIS fastflux … HOW?! Domain ID:D166393631-LROR Domain Name:FOOTBALL-SECURITY- WETRLSGPIEO.ORG Created On:21-Aug-2012 01:23:52 UTC Last Updated On:21-Aug-2012 01:23:53 UTC Expiration Date:21-Aug-2013 01:23:52 UTC Sponsoring Registrar:Click Registrar, Inc. d/b/a publicdomainregistry.com (R1935-LROR) Status:CLIENT TRANSFER PROHIBITED Status:TRANSFER PROHIBITED Status:ADDPERIOD Registrant ID:PP-SP-001 Registrant Name:Domain Admin Registrant Organization:PrivacyProtect.org Registrant Street1:ID#10760, PO Box 16 Registrant Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
  • 45. Moving ahead: Finding easy targets before they do :)
  • 46. In short, it is all about quick ways of finding idiots having no clue of what they are doing with wordpress, oscommerce, openx, [put yer fave] And forcing them to update before they get owned ;) And hmm.. doing it country-wide
  • 47. disclaimer Just another “small data” project we play with. Around 4 machines solr cluster. Largely inspired by “Fruit: why so low?” by Adam MetlStorm (hack.lu 2011)
  • 48. Scanning internet is not new.. but pretty much realistic
  • 49. Architecture ● Network port discovery (agents) ● Banner collection (agents) ● Backend Store: SOLR ● Collectibles: services and ports, OS fingerprints, ● ASN/OWNER/netblock/Country, geographical location/App data
  • 50. Architecture(2) ● Roughly something like that
  • 51. Approach ● Scan slow (avoid abuse reports) ● Index time ● Passive “mapper” (simple sniffer + browser fingerprinting at the moment) ● Larger range of ports (account port numbers, which are actively being scanned from firewall log analysis, honeypot machines etc) ● For web apps – (wafp fingerprinting) + index banner (noisy, cause of most of the abuse complaints)
  • 52. How you use this shit...
  • 53. Features ● Scriptable via restful API (think of solr) (cuz UI is for sissies ;-)) ● Query by any combination of: – software version/banner regex (solr/lucene style) – geospatial search (via geohash) – ASN or regex on ASN owner – Country code
  • 54. Uses CERT team: automated notifications of idiots running old wordpress within particular range, geographic location or organization is a one liner script