Exploiting Redundancy Properties of Malicious Infrastructure for Incident Detection

Exploiting Redundancy Properties of
Malicious Infrastructure
John Bambenek, Manager of Threat Systems
Fidelis Cybersecurity
PHDays 6 – Moscow, Russia

© Fidelis Cybersecurity
Intro
• Manager at Fidelis Cybersecurity of a team responsible for
automation and data mining threat information.
• Faculty at University of Illinois – Urbana-Champaign in
Computer Science.
• Participate (and run) many private groups investigating
major criminal threats on the internet.
• I generally focus only on criminal threats and avoid nation-
state/espionage.
2

Agenda
• Single Point of Failure vs Redundancy
• Redundancy techniques
• Detection
• Sinkholing
• Increased Fingerprints
• Targeted Intelligence Operations
• Surveillance
• Towards more Effective Disruption
3

Single Point of Failure vs Redundancy
• Many malware attacks rely on a single method of
communication (a single IP, DNS name, tor node, etc).
• Easy to set up and maintain, low cost of entry.
• However, only two states: up or down.
• Cannot establish a pattern on a single data point.
• Many RATs are single C2 based.
• Attackers who want to persist need something else.
4

Single C2 Examples
5
Example of static C2 config (more on barncat later)

Multi C2 example
6
Example of static C2 config (more on barncat later)

Redundancy Techniques
• Multiple IPs/Hostnames (static lists)
• Use of Fast Flux / Double Flux
• DGAs
• Tor/I2P
• Multiple Methods
• If done right, uses multiple ISPs/providers
7

Detection
• If you already know about a threat, you can protect based
on a single piece of information.
• For unknown threats, you need to have a pattern and
single data points aren’t a pattern.
• Redundancy helps us by forcing the adversary to create
fingerprints we can use to detect otherwise “unknown”
threats.
• Allows for data mining, statistical analysis, etc.
8

Goal
• Goal: Force adversary to behavior that inherently requires
them to create patterns.
• Takedowns are risky because the attacker can adapt back
into an “unknown threat”. Patterns, however, tend to persist
if you have visibility into their behavior.
9

Detection
• Double flux networks rely on a massive pool of
endpoints and nameservers so taking down a single
IP has no impact to adversary.
divewithsharks.hk. 1800 IN A 70.68.187.xxx [xxx.vf.shawcable.net]
divewithsharks.hk. 1800 IN A 76.209.81.xxx [SBIS-AS - AT&T Internet Services]
divewithsharks.hk. 1800 IN A 85.207.74.xxx [adsl-ustixxx-74-207-85.bluetone.cz]
divewithsharks.hk. 1800 IN A 90.144.43.xxx [d90-144-43-xxx.cust.tele2.fr]
divewithsharks.hk. 1800 IN A 142.165.41.xxx [142-165-41-xxx.msjw.hsdb.sasknet.sk.ca]
10

Detection – Flux networks
• Besides CDNs, very few valid DNS queries will have
multiple low TTL A records across geographies and network
boundaries (especially in residential IP space).
• Almost no one has low TTL NS records (very limited use
case).
• Can combine with domain/IP rep or alexa to increase
confidence.
11

Detection - DGAs
• Pseudorandom domain names (or hostnames) usually
many hundreds or thousands generated (potentially per
day).
• Attacker only needs to control one of the domains, if it gets
suspended they can just register another to reassert
control.
12

Detection – DGAs (tinba)
• pmlmfbehhunq.com,72.52.4.90,a.ns36.de|b.ns36.de
• pmqeelsxyddk.com,188.120.224.164,ns1.reg.ru|ns2.reg.ru
• pqtcwrrrvgvf.ru,158.58.170.148,a.dnspod.com|b.dnspod.com|c.dnspod.com
• pubejsbumwql.com,72.52.4.90,a.ns36.de|b.ns36.de
• qrwlypygphht.ru,158.58.170.148,a.dnspod.com|b.dnspod.com|c.dnspod.com
• Easy to load known DGA domains into RPZ to block at
DNS level.
13

Detection - DGAs
• Easy to find “unknown” DGAs.
• The biggest obvious network behavior of DGA enabled malware
is a large number of NXDOMAIN responses to queries.
• Most DGAs have a majority of domains unregistered)
• Looking at DNS logs for repetitive queries to NXDOMAIN or
known sinkholed IPs.
14

Detection - DGAs
• For non-word list DGAs, checking domain names for high entropy finds
“random” looking domains.
• N-Gram analysis can also be used to find DGA-like domains.
• Based on looking at sequences of characters that do not naturally
occur in a given language to create a score (essentially anti-
patterns).
• i.e. “QQ” is not naturally occurring 2-letter combination in English
• Based on statistical comparisons of letter combinations in “natural”
language and observed domain names, you can make some
conclusions.
15

Detection - DGAs
• Can be language specific so care needs to be done for
other languages.
• Using n-grams is not a 100% confidence prospect, other
checking needs to be done.
• See “Use of n-Gram models for DGA detection” once
published.
16

Sinkholing
• For DGAs, most domains are unregistered.
• If researcher registers one (or several) of those domains,
victims will beacon to them.
• Useful for telemetry data or developing signatures.
• Some adversaries have started creating sinkhole-aware
malware.
17

Other uses of sinkholing
• If you can make victims thinking you are the C2, you can, to
an extent, control the victim.
• May require other data (encryption keys) and mimicking
the C2 protocol.
• Some (but not all) malware families have a self-destruct
option to uninstall on victim’s machine.
• This has been done in the past as part of takedowns.
18

Other users of sinkholing
• You can also engage in direct control of the victim.
• A “white hat” hacker, recently breached part of an exploit kit network to
install Avira instead of the intended malware by replacing the binary.
• Transient benefit.
• If you do this, please just install Flash/Adobe/Java patches instead.
• More persistent benefit
19

Important Note
• Doing any of the above without legal authority is probably
criminal in almost every jurisdiction represented in this
room.
• Going to jail is bad, I don’t recommend it.
20

Targeted Intelligence Operations
• Our biggest difficulty in prosecuting cybercrime is the
difficulty in getting information between nations.
• International cooperation is often marred by unrelated
foreign policy constraints, sometimes even with private
sector actors.
• To make matters worse, as a consequence of the amount
of data and metadata created by computers and networks,
there is a huge amount of tools available to hide.
21

• When the adversary has only a single static C2, your
options are limited:
• Take it down
• Get a wiretap
• If you take it down and lack other tracking ability, the
attacker will just set up their operation elsewhere… and
potentially break your visibility into their operations.
22

• When an adversary uses redundant C2 methods, a
disruption in part of their communications is not critical.
• They may not make wholesale changes.
• The key to a targeted intelligence operation is to have
enough impact so the adversary does something but not
enough impact where they disappear and stop operating.
23

Examples
• During Cryptolocker, they often used the same Chinese
registrar (DNSPOD) for their DGA registrations.
• In 2013, Chinese-American cooperation was not great.
• Objectives:
• I wanted to build a relationship with a Chinese company to
deal with obvious abuse.
• I wanted to see how they would change if that registrar
suspended a few domains.
24

Examples
• Results:
• For a few days, they kept using DNSPOD.
• For two weeks, they used a different register before going
back to DNSPOD.
• The cycling of registrant accounts led to some good leads
available to “western” law enforcement for their
investigation.
• I opened the door to working with other Chinese
companies on criminal matters.
25

Example #2
• I was tracking a criminal service provider who used a
“shared hosting” account to manage their infrastructure.
• I paid “a premium” to get an account on the same box to
see if I can use poor file system permissions to gather
additional intelligence (perfectly legal).
• It didn’t work but attacker didn’t know that.
• Attacker was aware of who I am and that I was tracking
him, so I subtly let him know I got an account on the same
box.
26

Example #2
• Attacker very quickly moved their C2 operations using a
control panel “move” function.
• Also required them to reissue binaries and cause some
disruption and a poor “customer experience”.
• Most important, using the “move function” left files behind
after they left. This allows for possibility of a search warrant
to obtain that data without the adversary being aware.
27

More Fingerprints
• The use of redundancy also comes with new fingerprints
that can be used to identify adversaries.
• DGAs inherently mean WHOIS artifacts could be used to
find and track specific adversaries in all their operations.
28

Whois Info
• Many actors will use WHOIS protection… some just use fake
information.
• “David Bowers” (yingw90@yahoo.com) is common for Bedep.
$ grep "David Bowers" *.txt | grep Registrant
whois-bfzflqejohxmq.com.txt:Registrant Name: David Bowers
whois-demoqmfritwektsd.com.txt:Registrant Name: David Bowers
whois-eulletnyrxagvokz.com.txt:Registrant Name: David Bowers
whois-lepnzsiqowk94.com.txt:Registrant Name: David Bowers
whois-mhqfmrapcgphff4y.com.txt:Registrant Name: David Bowers
whois-natrhkylqoxjtqt45.com.txt:Registrant Name: David Bowers

David Bowers
bfzflqejohxmq.com,Domain used by bedep (-4 days to today),2015-08-16
eulletnyrxagvokz.com,Domain used by bedep (-4 days to today),2015-08-
16
natrhkylqoxjtqt45.com,Domain used by bedep (-4 days to today),2015-
08-16
nrqagzfcsnneozu.com,Domain used by bedep (-4 days to today),2015-
08-16
But why stop with just known DGAs, what other domains are associated
with “David Bowers”?

David Bowers
• Using DomainTools.com, it’s possible to see all domains
registered by a name, email, etc.
• Domains seen associated with necurs and angler as well.
• Can also set up registrant alerts on e-mail addresses used
to register domains.
31

David Bowers

Registrant Alert
33

Fingerprints Example #2
• In a single static C2, the use of SSL could be a one-time
cert, could use a dedicated key or specific certificate
details, there is no way to know.
• If there are many redundant C2s, they may re-use some
information. For malware that does certificate pinning, they
HAVE to use the same cert.
34

Fingerprints Example #2
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
fa:21:6b:2c:8e:6c:35:f6
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=EU, ST=Oregon, L=Cincinati, O=Oracle Corporation,
OU=Oracle, CN=Oracle
Developer/emailAddress=admin@oracle.com
35

More fingerprints
• Shodan (and other tools) can search for specific SSL certs
on internet facing services.
• Possible to programmatically hunt application stores for
malicious certs in applications.
36

Surveillance
• DNS data can change, IPs can come and go.
• Use adnstools to bulk resolve all DNS indicators on a
frequent basis (this is what my DGA feeds is based on).
• C2s can start or stop listening or issuing instructions.
• These changes (and the related metadata) can prove key in
an investigation.
37

Surveillance
 Creation of feeds and intake is still a passive tactic.
 Possible to see C2 changes and notify in near-time to
potentially take action on the data.
 This uses the Pushover application (Apple and Google
stores) which has a very simple API.

New Matsnu domains registered

Pushover
curl -s
--form-string "token=$appkey"
--form-string "user=$userkey"
--form-string "message=$message"
https://api.pushover.net/1/messages.json
40

Pairing with other data
• Barncat (the malware config data earlier) is a bulk malware
config ripping engine to statically get config data from
malware binaries.
• Includes fields like “campaign ID”, Mutex, and C2
information that can be correlated.
41

More effective disruption
• The “good guys” need to get lucky only once to attribute the
adversary. The adversary has to be lucky every time to
ensure this doesn’t happen.
• The more they have to do, the harder this becomes.
• All successful prosecutions involve monitoring an adversary
over the long-term to find the one time they screw up and
expose themselves.
• Exploiting redundancy provides the opportunity to make this
happen.
42

Free Resources
• For my DGA feeds, go to
http://osint.bambenekconsulting.com/feeds (no
authentication needed)
• For static malware configs, go to
https://barncat.fidelissecurity.com (email me for access at
john.Bambenek@fidelissecurity.com)
43

Questions & Thank You!
Find more of our research at: www.threatgeek.com
John Bambenek / john.bambenek@fidelissecurity.com
Thanks to Vladimir Kropotov, Fyodor Yarochkin, Kevin
Breen and Tim Leedy for their research and contributions
to these efforts.

Exploiting Redundancy Properties of Malicious Infrastructure for Incident Detection

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Exploiting Redundancy Properties of Malicious Infrastructure for Incident Detection

Similar to Exploiting Redundancy Properties of Malicious Infrastructure for Incident Detection (20)

More from Positive Hack Days

More from Positive Hack Days (20)

Recently uploaded

Recently uploaded (20)

Exploiting Redundancy Properties of Malicious Infrastructure for Incident Detection