Cloud Malware Distribution: DNS will be your friend (RootedCON 2011)
Francisco J. Gómez Rodríguez (ffranz@iniqua.com):
• Computer engineering (EUI-UPM)
• Security research (Telefonica R&D)
• dig ffranz.cmdns.h4ck.me TXT

Carlos Díaz Hidalgo (charlie@tid.es):
• Telecommunications Engineer (ETSITM-UPM)
• GPEN, GCIH, OPST, ITILF and CCNA.
• Technology Specialist in Ethical Hacking (Telefonica R&D)
• dig charlie.cmdns.h4ck.me TXT
• 01 Introduction
• 02 DNS in a nutshell
• 03 Our history
     • Implementation
     • Improvement
• 04 Real world
• 05 Results
01 Malware on legitimate DNS
• Nowadays, many legitimate Web sites are
  serving malware.
  – But … the attacker must compromise the server first.
• Why couldn’t we do it differently?
  – Using legitimate DNS caches.
  – We can inject malware into caches without
    needing to compromise them.
01 Introduction

• Cloud Malware Distribution (CMD)
  – An alternative method for malware distribution
    using Cache DNS services.
• Why cloud?
  – DNS service is one of the first cloud services.
• How?
  – By using the protocol and the architecture.
01 Break point (I)

[Figure: the Torpig update cycle]
  1. GET resource
  2. Process resource
  3. GET payload
  4. Process payload
  5. Update Bot
01 Break point (II)

[Figure: the bot fetches its payload with an HTTP GET of the file megasticks.ru/au.exe]
02 Architecture

• Hierarchical naming system.
• Globally deployed, universally employed.
• DNS traffic is usually allowed, even in the most
  restrictive environments.
• Not inspected, …, as it should be.
• DNS is a key enabling technology for botnets.
02 Hierarchical Architecture (I)

[Figure: the DNS tree. Root (.) delegates me., com., es., org., …; under me. sit h4ck.me., es.me. and ur.me.; under h4ck.me. sit cmdns.h4ck.me and dom.h4ck.me.]
02 Hierarchical Architecture (II)
02 DNS caching
• DNS responses are cached:
  – The authoritative server uses the TTL value to set
    the "expiration date" for every record.
  – Other queries may reuse some parts of the lookup
    (quick response).
  – Negative caching is useful.
• Although the source is gone, information
  remains stored.
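The storage property this slide describes (a record outlives its source for as long as its TTL allows) and the operator-side cap that limits it can be made concrete with a small cache model. The block below is an added example, not code from the talk or its authors: it is a toy model of a resolver's record store, not a resolver. The name m1-0.cmdns.example.net and the 604800 s TTL are constructed inputs chosen to match the one-week TTL the survey later in the deck found most often, and the cap parameter is modelled on the max-cache-ttl option BIND exposes.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Key = Tuple[str, str]  # (owner name, record type)


@dataclass
class CachedRecord:
    rdata: str
    original_ttl: int   # TTL as published by the authoritative server
    expires_at: int     # absolute time at which the cache drops the record


class ResolverCache:
    """Toy model of a caching resolver's record store (not a real resolver).

    max_cache_ttl models the operator-side cap (BIND calls it max-cache-ttl):
    however large the TTL a zone publishes, the cache never keeps the record
    longer than the cap.
    """

    def __init__(self, max_cache_ttl: Optional[int] = None) -> None:
        self.max_cache_ttl = max_cache_ttl
        self.store: Dict[Key, CachedRecord] = {}

    @staticmethod
    def _key(name: str, rtype: str) -> Key:
        return name.lower().rstrip("."), rtype.upper()

    def insert(self, name: str, rtype: str, rdata: str, ttl: int, now: int) -> int:
        """Store an answer received at time `now`; return the TTL actually honoured."""
        effective = storage_window(ttl, self.max_cache_ttl)
        self.store[self._key(name, rtype)] = CachedRecord(rdata, ttl, now + effective)
        return effective

    def lookup(self, name: str, rtype: str, now: int) -> Optional[Tuple[str, int]]:
        """Return (rdata, remaining TTL) while cached at time `now`, else None.

        None is what sends the resolver back to the authoritative server; if
        that server is gone, the name simply stops resolving.
        """
        key = self._key(name, rtype)
        rec = self.store.get(key)
        if rec is None:
            return None
        remaining = rec.expires_at - now
        if remaining <= 0:
            del self.store[key]   # expired: the cache forgets the record
            return None
        return rec.rdata, remaining


def storage_window(ttl: int, max_cache_ttl: Optional[int] = None) -> int:
    """Seconds a single insertion stays retrievable after its source disappears."""
    return ttl if max_cache_ttl is None else min(ttl, max_cache_ttl)


if __name__ == "__main__":
    # Constructed inputs: a CNAME with a one-week TTL inserted at t=0 into an
    # uncapped cache and into one that caps cached TTLs at one hour.
    name, target = "m1-0.cmdns.example.net", "segment-data.cmdns.example.net"
    uncapped = ResolverCache()
    uncapped.insert(name, "CNAME", target, 604800, now=0)
    print("uncapped, six days later:", uncapped.lookup(name, "CNAME", now=6 * 86400))
    capped = ResolverCache(max_cache_ttl=3600)
    capped.insert(name, "CNAME", target, 604800, now=0)
    print("capped, two hours later:", capped.lookup(name, "CNAME", now=7200))
```

With no cap the record answers for the full week whether or not the authoritative server still exists; with a one-hour cap the same record is gone after 3600 s, which is the lever a resolver operator has against a cache being used as long-lived storage.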
02   Types of (I)
02   Types of (II)
02   Types of (III)
02 DNS Protocol (I)

        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
        +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
        |                      ID                       |
        +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
        |QR|   Opcode |AA|TC|RD|RA| Z|AD|CD|    RCODE   |
        +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
        |                    QDCOUNT                    |
        +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
        |                    ANCOUNT                    |
        +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
        |                    NSCOUNT                    |
        +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
        |                    ARCOUNT                    |
        +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
        |                   QUESTIONS                   |
        |                      /../                     |
        +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
        |                    ANSWERS                    |
        |                      /../                     |
        +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
        |                   AUTHORITY                   |
        |                      /../                     |
        +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
        |                   ADDITIONAL                  |
        |                      /../                     |
        +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

Size annotations on the slide: 12 bytes (the header, ID through ARCOUNT),
492 bytes (the four variable sections), 504 bytes.
02 DNS Protocol (II)

Resource Record format (example record: www.fram.fr.am)
  Name       www.fram.fr.am   255 octets
  Type       A                2 octets
  Class      IN               2 octets
  TTL        100              4 octets
  RDLength   4                2 octets
  RDATA      192.168.1.10     255 octets

Limits:
  • Labels: 63 octets or less (each dot-separated part of www.fram.fr.am is a label)
  • Names: 255 octets or less (www.fram.fr.am as a whole is a name)
  • TTL: 32-bit number
  • UDP message: 512 octets or less
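The header diagram and the RR format table above can be checked against real bytes with a small parser. The block below is an added example, not code from the talk or its authors: it decodes the 12-octet header into the flag fields drawn on the slide, walks the question and the three RR sections, follows name-compression pointers without being trapped by a loop, and enforces the 63-octet label and 255-octet name limits the slide quotes. SAMPLE_RESPONSE is a constructed answer for the slide's www.fram.fr.am example, not a captured packet.

```python
import struct
from collections import namedtuple
from typing import Dict, List, Tuple

# Limits quoted on the slides (RFC 1035, section 2.3.4)
MAX_LABEL_OCTETS, MAX_NAME_OCTETS, MAX_UDP_OCTETS, HEADER_OCTETS = 63, 255, 512, 12
ResourceRecord = namedtuple("ResourceRecord", "name rtype rclass ttl rdata")


def parse_header(msg: bytes) -> Dict[str, int]:
    """Unpack the fixed 12-octet header into the fields drawn on the slide."""
    if len(msg) < HEADER_OCTETS:
        raise ValueError("message shorter than the DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:HEADER_OCTETS])
    return {
        "id": ident, "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1, "z": (flags >> 6) & 1, "ad": (flags >> 5) & 1,
        "cd": (flags >> 4) & 1, "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def parse_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (dotted name, offset past it).

    Enforces the label and name limits and never revisits a compression
    pointer, so a crafted pointer loop raises instead of spinning.
    """
    labels: List[str] = []
    wire_len, end, visited = 0, -1, set()  # uncompressed length; offset after first pointer
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-octet compression pointer
            if offset + 1 >= len(msg) or offset in visited:
                raise ValueError("truncated or looping compression pointer")
            visited.add(offset)
            end = offset + 2 if end < 0 else end
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length > MAX_LABEL_OCTETS:
            raise ValueError(f"label of {length} octets exceeds {MAX_LABEL_OCTETS}")
        wire_len += length + 1
        if wire_len > MAX_NAME_OCTETS:
            raise ValueError(f"name exceeds {MAX_NAME_OCTETS} octets")
        offset += 1
        if length == 0:  # the root label terminates the name
            return ".".join(labels), (end if end >= 0 else offset)
        if offset + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_rr(msg: bytes, offset: int) -> Tuple[ResourceRecord, int]:
    """Decode one resource record laid out as in the RR format table."""
    name, offset = parse_name(msg, offset)
    if offset + 10 > len(msg):
        raise ValueError("truncated RR fixed fields")
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
    rdata = msg[offset + 10:offset + 10 + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("truncated RDATA")
    return ResourceRecord(name, rtype, rclass, ttl, rdata), offset + 10 + rdlen


def parse_message(msg: bytes) -> Dict[str, object]:
    """Walk header, question and the answer/authority/additional sections."""
    hdr, offset, questions = parse_header(msg), HEADER_OCTETS, []
    for _ in range(hdr["qdcount"]):
        qname, offset = parse_name(msg, offset)
        if offset + 4 > len(msg):
            raise ValueError("truncated question")
        questions.append((qname,) + struct.unpack("!HH", msg[offset:offset + 4]))
        offset += 4
    out: Dict[str, object] = {"header": hdr, "question": questions,
                              "fits_udp": len(msg) <= MAX_UDP_OCTETS}
    for section, counter in (("answer", "ancount"), ("authority", "nscount"), ("additional", "arcount")):
        rrs = []
        for _ in range(hdr[counter]):
            rr, offset = parse_rr(msg, offset)
            rrs.append(rr)
        out[section] = rrs
    return out


def name_within_limits(wire: bytes) -> bool:
    """True if a stand-alone wire-format name respects the label and name limits."""
    try:
        parse_name(wire, 0)
        return True
    except ValueError:
        return False


# Constructed sample (not a captured packet): the answer a resolver would return
# for the slide's www.fram.fr.am A 192.168.1.10 record with TTL 100.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # ID=0x1234, flags QR|RD|RA, QD=1 AN=1 NS=0 AR=0
    b"\x03www\x04fram\x02fr\x02am\x00"                   # QNAME: labels of 3, 4, 2, 2 octets, then root
    b"\x00\x01\x00\x01"                                  # QTYPE=A QCLASS=IN
    b"\xc0\x0c"                                          # NAME: compression pointer to offset 12
    b"\x00\x01\x00\x01\x00\x00\x00\x64\x00\x04"          # TYPE=A CLASS=IN TTL=100 RDLENGTH=4
    b"\xc0\xa8\x01\x0a"                                  # RDATA 192.168.1.10
)
```

Running parse_message(SAMPLE_RESPONSE) yields the header flags QR=1, RD=1, RA=1, the question (www.fram.fr.am, A, IN) and one answer RR with TTL 100 and RDATA 192.168.1.10. The pointer and length checks are the part a defender cares about: a parser that trusts the length octets or follows pointers blindly is the classic way DNS tooling gets crashed by a malformed response.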
02 DNS Protocol (III)
Types… types… types…
A, AAAA, NS, MD, MF, SOA, MB, MG, MR, NULL, WKS, PTR, HINFO, MINFO, MX, TXT,
RP, AFSDB, X25, ISDN, RT, NSAP, SIG, KEY, PX, GPOS, LOC, NXT (o), EID, NB, SRV, ATMA,
NAPTR, KS, CERT, A6, DNAME, SINK, OPT, APL, DS, SSHFP, IPSECKEY, RRSIG, NSEC, DNSKEY, DHCID, NSEC3,
NSEC3PARAM, HIP, NINFO, RKEY, TALINK, SPF, UINFO, UID, GID, TKEY, TSIG, IXFR, AXFR, MAILB, MAILA, DNSSEC
Highlighted on the slide: CNAME (avg. 200 bytes).
03 Public DNS Servers
03 Ingredients

[Figure: the ingredients of the scheme: a public name server, a public cache DNS, the malware update, and the encoding, loading and downloading steps]
03 Publish process

[Figure: the authoritative side. FreeDNS.afraid.org hosts the delegation chain root(.) → am. → fr.am. (next to es.am. and ur.am.) → cmdns.fr.am, whose NS record points at 88.34.23.12, the authoritative server of the scheme]
03 Encoding process

Segmented payload (figure: the payload passes through an en/decoder and comes out as segments):
  • Compress (gz)
  • Base32 encode
  • Split (RFC)
  • Become a RR

Resource Record example (*):
[SegmentedID]         CNAME    [base32EncodeLabel].[subdomain].[domain].[main]

m1-0.cmdns.fr.am. CNAME       WQ4TOXMQP…N5VSHVOKUEGQ.cmdns.fr.am
03 Loading process

[Figure: the uploader queries a public cache DNS for every segment name; the cache resolves cmdns.fr.am through the public name server ns1.afraid.org and stores the answers]
  1. Force upload: Uploader → Cache DNS, one query per segment (Segment1, Segment2, Segment3, …, Segmentn)
  2. Public NS resolution: Cache DNS → ns1.afraid.org asks "cmdns.fr.am?" and gets
     cmdns.fr.am NS nscmd.fr.am
     nscmd.fr.am A XX.XX.XX.XX
  3. Cache DNS stores the segments served by the malware DNS authority (nscmd.fr.am)

Segment1 -> qrjiqerkjqet.cmdns.fr.am ->
Segment2 -> ktqtr53xase.cmdns.fr.am ->
Segment3 -> gtsdmfzfzre.cmdns.fr.am ->
                   ...
Segmentn ->           1.1.1.1      ->
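From the defender's side, the encoding and loading steps above leave a recognisable trace in resolver or passive-DNS logs: one client walking a sequence of numbered names under a single zone, each answered with a CNAME whose target label is long and made only of the base32 alphabet. The block below is an added example, not code from the talk or its authors, of that detection run over a constructed response log. The log format (timestamp, client, qname, type, rdata), the zone cmdns.example.net, the segment targets and the thresholds are all constructed stand-ins and assumptions, not data from the deck.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# A label made only of the RFC 4648 base32 alphabet and too long for a
# human-chosen hostname: the shape of the encoded CNAME targets above.
BASE32_LABEL = re.compile(r"^[A-Z2-7]{32,63}$")
TRAILING_NUMBER = re.compile(r"(\d+)$")


def is_base32_label(label: str) -> bool:
    return bool(BASE32_LABEL.match(label))


def longest_consecutive_run(values) -> int:
    """Length of the longest run of consecutive integers in `values`."""
    ordered = sorted(set(values))
    best = run = 1 if ordered else 0
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def parse_line(line: str) -> Tuple[str, str, str, str, str]:
    """Split one constructed log line into (timestamp, client, qname, rtype, rdata)."""
    ts, client, qname, rtype, rdata = line.split(maxsplit=4)
    return ts, client, qname.lower().rstrip("."), rtype.upper(), rdata.rstrip(".")


def detect(lines: List[str], min_segments: int = 5) -> List[Dict[str, object]]:
    """Flag (client, zone) pairs whose traffic looks like segment retrieval.

    Two signals must coincide: the queried names carry a run of numbered
    labels under one zone, and the CNAME answers point at long base32-only
    labels. Either signal alone is common in benign traffic.
    """
    seq_ids: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    b32_hits: Dict[Tuple[str, str], int] = defaultdict(int)
    queries: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        _, client, qname, rtype, rdata = parse_line(line)
        first, _, zone = qname.partition(".")   # first label vs. the zone it hangs under
        key = (client, zone)
        queries[key] += 1
        match = TRAILING_NUMBER.search(first)
        if match:
            seq_ids[key].append(int(match.group(1)))
        # DNS names are case-insensitive, so compare the target label uppercased
        if rtype == "CNAME" and is_base32_label(rdata.split(".")[0].upper()):
            b32_hits[key] += 1
    findings = []
    for key in queries:
        run = longest_consecutive_run(seq_ids.get(key, []))
        if run >= min_segments and b32_hits[key] >= min_segments:
            findings.append({"client": key[0], "zone": key[1], "queries": queries[key],
                             "segment_run": run, "base32_targets": b32_hits[key]})
    return sorted(findings, key=lambda f: -f["base32_targets"])


BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
# Constructed stand-ins for encoded segment targets: deterministic filler, not payload data.
SEGMENT_TARGETS = ["".join(BASE32_ALPHABET[(7 * i + 3 * j) % 32] for j in range(40)) for i in range(8)]

# Constructed response log, one line per answer: timestamp client qname rtype rdata
SAMPLE_LOG = [
    "2011-03-05T18:30:00 10.1.2.3 www.example.org A 198.51.100.7",
    "2011-03-05T18:30:01 10.1.2.3 cdn-3.example.org CNAME edge.example.org",
] + [
    f"2011-03-05T18:30:{2 + i:02d} 10.1.2.3 m1-{i}.cmdns.example.net CNAME {t}.cmdns.example.net"
    for i, t in enumerate(SEGMENT_TARGETS)
] + [
    "2011-03-05T18:30:20 10.1.2.9 mail.example.org MX 10 mx.example.org",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

On the constructed log the only finding is client 10.1.2.3 against cmdns.example.net: eight queries, a numbered run of length eight and eight base32 targets; the CDN-style cdn-3.example.org name and the MX answer are not reported. Numbered hostnames are normal for pools and CDNs and long base32-like labels appear in some legitimate DNS-based services, so the detector insists on both signals under the same zone for the same client. Tuning min_segments and the label-length range to the environment, and pairing the alert with a cap on cached TTLs and a restriction on who may recurse, is what a resolver operator would take from this slide.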
03 Downloading process

[Figure: bots inside a corporate environment fetch the segments through the intranet DNS, which resolves them via the public cache DNS]
03 DNS analysis, from where?
  • sign.io (Amsterdam, Holland)
  • shellmix.com (Szczecin, Poland)
  • devio.us (Orlando, USA)
  • ADSL & 3G (Madrid, Spain)
  • Guayaquil, Ecuador
Two kinds of runs: thorough characterization and basic tests.
03 DNS cache survey
• Different locations.
   – IP anycast (DNS proxy):
      • Different locations, different results.
• Different authoritative DNS.
   – cmdns.mooo.com; cmdns.h4ck.me; cmdns.pocho.cl;
     cmdns.fr.am; cmdns.m3th.org; cmdns.t28.net; etc.
• Being patient (thorough characterization)
   – It takes time to run two hundred thousand queries per
     DNS cache and per location.
• In this study we set out to obtain the list of emitters
  behind each anycast IP.
03 Characterization (I)

[Figure: emitters found behind the anycast addresses 198.153.192.1 and 198.153.194.1; the individual emitter addresses are masked on the slide]

03 Characterization (II)

[Figure: emitters found behind 208.67.222.222 and 208.67.220.220; individual addresses masked on the slide]

03 Characterization (III)

[Figure: emitters found behind 8.8.8.8 & 8.8.4.4; individual addresses masked on the slide]

03 Characterization (IV)

[Figure: the full set of emitters found behind 8.8.8.8 & 8.8.4.4, several dozen masked addresses]
03   Preliminary results
03 Characterization (V)

[Figure: emitters behind well-known resolvers; masked addresses omitted]
  • ns2.cisco.com (64.102.255.44): emitters
  • BT MDIP Dynamic Address Pools and Infrastructure: indnsc70.bt.net (62.6.40.162), open emitter
  • ns.above.net (207.126.96.162): open emitter
  • MarkosWeb (Private World Communications): cache1.dnsresolvers.com (205.210.42.205), open emitter
03   Preliminary results
03 Theory vs. Reality
• DNS pools:
  – Load on each DNS in the pool.
  – Load on more than one DNS pool.
  – Complex retry logic.
• Limited in corporate environments.
• Malware source must disappear before the
  first download.
• Must use the client's default DNS settings.
03 Improvement
• Need another way.
• Maybe we can use third-party resources …
• … Use the cache DNS as the authoritative server.
  – Malware source can disappear.
  – Completely asynchronous communication.
  – Tracing the origin is a little more difficult.
  – Only one load process is needed.
IMPORTANT COMPANY SPECIALIZING IN MALWARE DISTRIBUTION IS HIRING

    DNS SERVERS (OPEN EMITTERS)
Requirements:
• Worldwide accessibility
• Accepting and correctly resolving recursive queries (open-resolver functionality)
• No restrictions on storing new records of any type (cache functionality)
• Experience working with high TTLs (at least 86,400 seconds)
• Ability to take on responsibility:
    • Answering non-recursive queries (+norecurse)
    • Answering with authority: marking answers as authoritative (AA bit)
      regardless of the domain asked about (whether or not the server is
      authoritative for it)
• Stability and high performance will be valued
            Interested parties, send your IP address to cmd@iniqua.com
03 Finding Nemo (I)

[Figure: nested counts]
  • 15,553,600 hosts speak the DNS protocol
  • 11,920,500 open resolvers
  • 380,700 open emitters
IPv4 addresses: 256⁴ = 4,294,967,296
IPv4 addresses routed on the Internet: 2,126,357,495
http://dns.measurement-factory.com/surveys/201010/
03 Finding Nemo (II)

[Figure: 10.9% of the name servers for .com, .net & .org are open emitters; domain counts on the slide: 90 million, 13.4 million and 8.6 million domains]
03 Free public DNS servers list
• DNS Benchmark
• namebench
• chaz6.com
03 Searching for good emitters
February 2011                  From Spain          From USA
Queried hosts                  10,406              10,406
Replying hosts                  9,077               9,094
Open resolvers                  6,941               7,028
Open emitters                   5,243 / 5,175       5,214
Accept +norecurse queries       5,075 / 5,005       5,047
TTL ≈ 604800                    3,908 / 3,905       3,905
(The last three rows carry two figures under "From Spain" on the slide.)
03 Here they are, in all their glory

[Pie chart: maximum TTL value accepted by the emitters. Categories: 0, 3600, 43200, 86400, 604800, higher. Slices: 77.98%, 20.98%, 0.46%, 0.34%, 0.24%, 0.00%; the two large slices correspond to the 604800 and 86400 categories, consistent with the survey counts above]
03 New process overview

[Figure: the loading step now targets the cache DNS anonymously ("Anónimo"); cmdns.pocho.cl is hosted at FreeDNS; the coding and downloading steps are unchanged]
04 Here and right now (I)
ns.deloitte.es (80.91.76.141)
   - recursion is enabled
   - open emitter
   - DNS cache (TTL 86400 s)
   - +norecurse (allowed)

ns2.deloitte.es (62.14.236.141)
   - recursion is enabled
   - open emitter
   - no DNS cache (TTL 1 s)!!!!

ns1.informatica64.com (80.81.106.148)
   - recursion is enabled
   - open emitter
   - DNS cache (TTL 86400 s)
   - +norecurse (allowed)

ns2.informatica64.com (80.81.106.146)
   - recursion is enabled
   - open emitter
   - DNS cache (TTL 86400 s)
   - +norecurse (allowed)
04 Here and right now (II)
• Analyzing 76 domains related to universities
  with presence in Spain (188 different name
  servers):
  – 31 Authority Servers accept recursive queries
    (open resolvers).
  – 29 of them are DNS cache & open emitters.
     • +norecurse allowed.
  – TTL value for 23 is 604,800 seconds (86,400
    seconds for the other six).
04 Here and right now (III)
• Analyzing 131 domains related to banks with
  presence in Spain (145 different name
  servers):
  – 32 Authority Servers accept recursive queries
    (open resolvers).
  – 21 of them are DNS cache & open emitters.
     • +norecurse allowed.
  – TTL value for 14 is 604.800 seconds (86.400 s for
    6 and 172.800 s for the other one).
04 PoC (I)
• Sample files (not malware):
  – nc (20,156 bytes)
  – diff (100,324 bytes)
• Domain to be used: “cmdns.pocho.cl”
• Selected servers (TTL: 604,800 s):
  – 2@7.#2%.9&.1~2
  – 1@3.#3%.2&6.1~
• From 20th Feb to 26th Feb, 2011
04 PoC (II)
File                            nc                          diff
Size                            20,156 bytes                100,324 bytes
Queries needed                  44 (2.24 queries/KB)        222 (2.27 queries/KB)
Upload time (from Spain)
  2@7.#2%.9&.1~2                33 s                        2 min 27 s
  1@3.#3%.2&6.~1                18 s                        1 min 20 s
Download time (first time)      Spain         USA           Spain           USA
  Google (8.8.8.8)              10 s          11 s          38 s            2 min 35 s
  Norton (198.153.192.1)        12 s          28 s          52 s            2 min 17 s
  OpenDNS (208.67.222.222)      25 s *        25 s *        1 min 29 s *    1 min 51 s *
  Intranet (X.X.X.X)            22 s *        -             1 min 28 s *    -
04 User DNS traffic

[Chart: queries per hour of the day (0 to 23) for Day 1 and Day 2; y-axis 0 to 300 queries]
04 Live demo (I)
Sample files                      Bytes     Queries needed   (unlabelled column on the slide)
m1: PHP-Backdoor “id”               498          2           24/43
m2: “IE-KillProgramsTab.exe”     10,240         18           40/43
m3: PHP bot “pbot.txt”           23,140         21           28/43
m4: KillAV “ep.exe”              31,604        114           19/43
m5: Zeus binary “bot.exe”       152,064        636           29/41
m6: Trojan SpyEye “seye.exe”    200,704        535           32/43
04 Live demo (II)
Domains to be used   Selected servers (open emitters)                      TTL (seconds)
cmdns.mooo.com       762f62ae2c76a38dd72b99a6ae37f30a   1@0.#1%.1&7.~      604,800
cmdns.m3th.org       0078171a2416bcee4df828cc78ae528f   2@2.#6.%4.&6       604,800
                     44e6d578b35bed74f55137ff09893585   2@2.#6.%4.&7
cmdns.h4ck.me        02ac6ee35a976289cf97a42c19e36601   8@.8#.1%6.&46      86,400
                     f630b5ddf62603ce51f3d41e827e7786   8@.8#.1%6.&48
cmdns.fr.am          ca865b43a95b8a966cb6b892efc66a3e   2@7.#5.%2.&        604,800
cmdns.t28.net        c8e4a7ccd5a5a517a1c96be336276e5c   1@5.#4%.2&8.~3     604,800
cmdns.pocho.cl       1e98caffee2952ad1fb15b195ad2b065   2@7.#2%.9. &6~     604,800
                     7b95b106ced43b91bd551b33ee1f00c8   1@3.#3%.2&6.~1
04 Live demo (III)
• All domains were loaded on 27th Feb, on air until 6th March.
  – “cmdns.h4ck.me” was reloaded yesterday at 06:30 pm.
    • TTL of:
       – “8@.8#.1%6.&46”: 86,400 seconds.
       – “8@.8#.1%6.&48”: 86,400 seconds.
    • On air until this afternoon.

• Try it: dig m1-0.cmdns.pocho.cl A
04 On air
File                            pbot.txt                          bot.exe
Size                            23,140 bytes                      152,064 bytes
Queries needed                  21 (0.93 queries/KB)              636 (4.28 queries/KB)
Upload time (from Spain)
  8@.8#.1%6.&46                 9 s                               2 min 34 s
  8@.8#.1%6.&48                 6 s                               2 min 41 s
Download time (first time)      Spain          Ecuador            Spain             Ecuador
  Google (8.8.8.8)              9 s            25 s               23 min 56 s *     25 min 14 s *
  Norton (198.153.192.1)        12 s           22 s               6 min 51 s        17 min 48 s
  OpenDNS (208.67.222.222)      9 s **         32 s **            4 min 42 s **     11 min 9 s **
  Rooted CON (?.?.?.?)          [blank]        -                  [blank]           -

Callout on the slide: "Uhmmm, rate-limiting queries!!!!!!", with the upload
progress by query count: the first 100 queries took 32 s; 200 queries 2 min 57 s;
300 queries 7 min 29 s; 400 queries 12 min 18 s; 500 queries 17 min 13 s;
600 queries 22 min 14 s.
04   The Origin of Evil
05 Results
• Public cache DNS:
  – can be used as a platform to store and distribute
    malware.
• DNS architecture:
  – is available.
• Implementation:
  – just do it.
• Survey Results:
  – can be used to define countermeasures.
05 Best Current Practice
00 References
http://code.kryo.se/iodine/
http://dns.measurement-factory.com/
http://www.chaz6.com/files/resolv.conf
http://www.grc.com/dns/benchmark.htm
http://darkwing.uoregon.edu/~joe/secprof10-dns/secprof10-dns.pdf
http://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Kaminsky.pdf
http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-kaminsky/bh-us-04-kaminsky.ppt
http://code.google.com/p/namebench/
http://www.pcworld.com/article/220024/feds_accidentally_seize_84000_innocent_domains_link_them_with_child_porn.html
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf
http://www.secdev.org/projects/scapy/
https://www.isc.org/software/bind/documentation/arm95#man.dig
http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl
http://hakin9.org/magazine/1652-mobile-malware-the-new-cyber-threat
http://www.ietf.org/rfc/rfc{1033,1034,1035,1183,2181}.txt
00 Questions?

mailto: ffranz@iniqua.com
mailto: charlie@tid.es
Thanks for your time!

(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53
(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53Amazon Web Services
 
CONFidence 2018: Detecting Phishing from pDNS (Irena Damsky)
CONFidence 2018: Detecting Phishing from pDNS (Irena Damsky)CONFidence 2018: Detecting Phishing from pDNS (Irena Damsky)
CONFidence 2018: Detecting Phishing from pDNS (Irena Damsky)PROIDEA
 
Oracle RAC and Docker: The Why and How
Oracle RAC and Docker: The Why and HowOracle RAC and Docker: The Why and How
Oracle RAC and Docker: The Why and HowSeth Miller
 
Deploying secure backup on to the Cloud
Deploying secure backup on to the CloudDeploying secure backup on to the Cloud
Deploying secure backup on to the CloudLahav Savir
 
Working with Delimited Data in Apache Drill 1.6.0
Working with Delimited Data in Apache Drill 1.6.0Working with Delimited Data in Apache Drill 1.6.0
Working with Delimited Data in Apache Drill 1.6.0Vince Gonzalez
 
hacking and crecjing
hacking and crecjinghacking and crecjing
hacking and crecjingparth jasani
 
Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)MongoDB
 

Similaire à Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS will be your friend [RootedCON 2011] (20)

Tutorial 1
Tutorial 1Tutorial 1
Tutorial 1
 
dns.workshop.hsgr
dns.workshop.hsgrdns.workshop.hsgr
dns.workshop.hsgr
 
Disk forensics
Disk forensicsDisk forensics
Disk forensics
 
Defcon
DefconDefcon
Defcon
 
Gregory engels nsd crash course - ilug10
Gregory engels   nsd crash course - ilug10Gregory engels   nsd crash course - ilug10
Gregory engels nsd crash course - ilug10
 
Leveraging DNS to Surface Attacker Activity
Leveraging DNS to Surface Attacker ActivityLeveraging DNS to Surface Attacker Activity
Leveraging DNS to Surface Attacker Activity
 
1 technical-dns-workshop-day1
1 technical-dns-workshop-day11 technical-dns-workshop-day1
1 technical-dns-workshop-day1
 
DNS Survival Guide
DNS Survival GuideDNS Survival Guide
DNS Survival Guide
 
DNS Survival Guide.
DNS Survival Guide.DNS Survival Guide.
DNS Survival Guide.
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
Ops Jumpstart: MongoDB Administration 101
Ops Jumpstart: MongoDB Administration 101Ops Jumpstart: MongoDB Administration 101
Ops Jumpstart: MongoDB Administration 101
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
 
(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53
(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53
(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53
 
CONFidence 2018: Detecting Phishing from pDNS (Irena Damsky)
CONFidence 2018: Detecting Phishing from pDNS (Irena Damsky)CONFidence 2018: Detecting Phishing from pDNS (Irena Damsky)
CONFidence 2018: Detecting Phishing from pDNS (Irena Damsky)
 
Oracle RAC and Docker: The Why and How
Oracle RAC and Docker: The Why and HowOracle RAC and Docker: The Why and How
Oracle RAC and Docker: The Why and How
 
Deploying secure backup on to the Cloud
Deploying secure backup on to the CloudDeploying secure backup on to the Cloud
Deploying secure backup on to the Cloud
 
Working with Delimited Data in Apache Drill 1.6.0
Working with Delimited Data in Apache Drill 1.6.0Working with Delimited Data in Apache Drill 1.6.0
Working with Delimited Data in Apache Drill 1.6.0
 
hacking and crecjing
hacking and crecjinghacking and crecjing
hacking and crecjing
 
Tools kali
Tools kaliTools kali
Tools kali
 
Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)
 

Plus de RootedCON

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRootedCON
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...RootedCON
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRootedCON
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_RootedCON
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...RootedCON
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...RootedCON
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...RootedCON
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRootedCON
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...RootedCON
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRootedCON
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...RootedCON
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRootedCON
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...RootedCON
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRootedCON
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRootedCON
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...RootedCON
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...RootedCON
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRootedCON
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRootedCON
 
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acinRooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acinRootedCON
 

Plus de RootedCON (20)

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amado
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molina
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
 
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acinRooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin
 

Dernier

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 

Dernier (20)

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 

Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS will be your friend [RootedCON 2011]

02 Hierarchical Architecture (I)

  Root (.)
  ├── me.
  │   ├── h4ck.me.
  │   │   ├── cmdns.h4ck.me.
  │   │   └── dom.h4ck.me.
  │   ├── es.me.
  │   └── ur.me.
  ├── com.
  ├── es.
  ├── org.
  └── ...
02 DNS caching

• DNS responses are cached:
  – The authoritative server sets the TTL value, which fixes the "expiration date" of every record.
  – Later queries can reuse parts of an earlier lookup (quick response).
  – Negative caching (remembering NXDOMAIN answers) is useful too.
• Even after the source is gone, the information remains stored until the TTL expires.
02 Types of (I) [figure only]
02 Types of (II) [figure only]
02 Types of (III) [figure only]
02 DNS Protocol (I)

    0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
  |                      ID                       |
  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
  |QR|   Opcode  |AA|TC|RD|RA| Z|AD|CD|   RCODE   |
  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
  |                    QDCOUNT                    |
  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
  |                    ANCOUNT                    |   12 bytes
  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   (header)
  |                    NSCOUNT                    |
  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
  |                    ARCOUNT                    |
  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
  |                   QUESTIONS                   |   504 bytes
  |                     /../                      |
  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
  |                    ANSWERS                    |
  |                     /../                      |   492 bytes
  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
  |                   AUTHORITY                   |
  |                     /../                      |
  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
  |                   ADDITIONAL                  |
  |                     /../                      |
  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
02 DNS Protocol (II): Resource Record format

• Labels: 63 octets or less.
• Names: 255 octets or less.
• TTL: 32-bit number.
• UDP message: 512 octets or less.

Example record:
  Field     Value            Size
  Name      www.fram.fr.am   up to 255 octets (sequence of labels)
  Type      A                2 octets
  Class     IN               2 octets
  TTL       100              4 octets
  RDLength  4                2 octets
  RDATA     192.168.1.10     RDLength octets (4 for an A record)
02 DNS Protocol (III): Types... types... types...

A, AAAA, NS, MD, MF, SOA, MB, MG, MR, NULL, WKS, PTR, HINFO, MINFO, MX, TXT,
RP, AFSDB, X25, ISDN, RT, NSAP, SIG, KEY, PX, GPOS, LOC, NXT (o), EID, NB, SRV, ATMA,
NAPTR, KS, CERT, A6, DNAME, SINK, OPT, APL, DS, SSHFP, IPSECKEY, RRSIG, NSEC, DNSKEY, DHCID, NSEC3,
NSEC3PARAM, HIP, NINFO, RKEY, TALINK, SPF, UINFO, UID, GID, TKEY, TSIG, IXFR, AXFR, MAILB, MAILA,
CNAME (callout on the slide: avg. 200 bytes), DNSSEC.
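The header layout and record format of the protocol slides above, as an added example in Python (not code from the talk): it builds the query that the dig commands on the title slide would send, builds a minimal CNAME answer the way a server would (owner name and target suffix as compression pointers into the question), and parses the header bits and every section back. Field widths and type values are RFC 1035; the owner m1-0.cmdns.fr.am is the slides' own example, while the 21-character base32 label in the answer is constructed here.

```python
"""DNS wire format (RFC 1035): build a query and a CNAME response, then parse the
12-byte header and the resource records back, following compression pointers.
Added example, not code from the talk.  The owner name m1-0.cmdns.fr.am comes
from the slides; the base32 label in the answer is constructed here."""
import struct

HEADER = struct.Struct("!HHHHHH")   # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
TYPE_A, TYPE_CNAME, CLASS_IN = 1, 5, 1
MAX_UDP_PAYLOAD = 512               # classic DNS-over-UDP limit without EDNS0


def encode_name(name):
    """Dotted name -> length-prefixed labels; enforces the 63/255 octet limits."""
    wire = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label must be 1..63 octets: %r" % label)
        wire += bytes([len(raw)]) + raw
    wire += b"\x00"                                    # root label ends the name
    if len(wire) > 255:
        raise ValueError("name exceeds 255 octets on the wire")
    return wire


def decode_name(msg, offset):
    """Read labels, following 0xC0xx compression pointers; return (name, end)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:                    # pointer to an earlier name
            if end is None:
                end = offset + 2                       # parsing resumes after pointer
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def build_query(qname, qtype, txid=0x1234):
    flags = 0x0100                                     # QR=0, opcode=0, RD=1
    return (HEADER.pack(txid, flags, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN))


def build_cname_response(query, target_labels, ttl=300):
    """Answer with one CNAME RR: owner = pointer to QNAME, target = new labels +
    pointer to the QNAME suffix (everything after its first label)."""
    txid = HEADER.unpack_from(query, 0)[0]
    qname, qend = decode_name(query, HEADER.size)
    suffix_ptr = HEADER.size + 1 + qname.index(".")    # offset of the 2nd label
    rdata = b"".join(bytes([len(l)]) + l.encode("ascii") for l in target_labels)
    rdata += struct.pack("!H", 0xC000 | suffix_ptr)
    answer = (struct.pack("!H", 0xC000 | HEADER.size)
              + struct.pack("!HHIH", TYPE_CNAME, CLASS_IN, ttl, len(rdata)) + rdata)
    flags = 0x8180                                     # QR=1, RD=1, RA=1, RCODE=0
    msg = HEADER.pack(txid, flags, 1, 1, 0, 0) + query[HEADER.size:qend + 4] + answer
    if len(msg) > MAX_UDP_PAYLOAD:
        raise ValueError("response does not fit in a 512-octet UDP payload")
    return msg


def parse_header(msg):
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(msg, 0)
    return {"id": txid, "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
            "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1,
            "ra": (flags >> 7) & 1, "ad": (flags >> 5) & 1, "cd": (flags >> 4) & 1,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def parse_message(msg):
    """Return (header, questions, records); each record is tagged with its section."""
    hdr = parse_header(msg)
    offset, questions, records = HEADER.size, [], []
    for _ in range(hdr["qdcount"]):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack_from("!HH", msg, offset)
        offset += 4
        questions.append((name, qtype, qclass))
    for section, count in (("answer", hdr["ancount"]), ("authority", hdr["nscount"]),
                           ("additional", hdr["arcount"])):
        for _ in range(count):
            name, offset = decode_name(msg, offset)
            rtype, rclass, ttl, rdlength = struct.unpack_from("!HHIH", msg, offset)
            offset += 10
            if rtype == TYPE_CNAME:
                rdata, _ = decode_name(msg, offset)    # target may be compressed too
            elif rtype == TYPE_A and rdlength == 4:
                rdata = ".".join(str(b) for b in msg[offset:offset + 4])
            else:
                rdata = msg[offset:offset + rdlength]  # raw bytes for other types
            offset += rdlength
            records.append((section, name, rtype, ttl, rdata))
    return hdr, questions, records


if __name__ == "__main__":
    q = build_query("m1-0.cmdns.fr.am.", TYPE_CNAME)
    r = build_cname_response(q, ["WQ4TOXMQPN5VSHVOKUEGQ"])   # constructed label
    print(parse_message(r))
```

The 512-octet check in build_cname_response is where the slides' size arithmetic bites: a response must carry the question plus every answer record, so the longer the data labels per record, the fewer records fit before truncation (TC) forces a TCP retry that restrictive networks may not allow.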
• 01 Introduction
• 02 DNS in a nutshell
• 03 Our history
     • Implementation
     • Improvement
• 04 Real world
• 05 Results
03 Public DNS Servers
03 Ingredients

• Public name server
• Public cache DNS
• Malware
Steps shown in the figure: encoding, loading, downloading, update.
  • 23. 03 Publish process (domain tree on the slide)
    root (.)
      am.   com.   es.
        fr.am.   es.am.   ur.am.
          cmdns.fr.am → Authoritative NS 88.34.23.12
    FreeDNS.afraid.org
  • 24. 03 Encoding process
    Segmented payload:
    • Compress (gz)
    • Base32 encode
    • Split (RFC label and name limits)
    • Become a RR
    (en/decoder payload (*))
    Resource record example:
      [SegmentID] CNAME [base32EncodedLabel].[subdomain].[domain].[main]
      m1-0.cmdns.fr.am. CNAME WQ4TOXMQP…N5VSHVOKUEGQ.cmdns.fr.am
  • 25. 03 Loading process
    Actors on the slide: Uploader, Name server (ns1.afraid.org), Cache DNS, DNS Auth. (nscmd.fr.am A XX.XX.XX.XX)
    1. Force malware upload: the uploader asks the cache DNS for cmdns.fr.am.
    2. Public NS resolution: cmdns.fr.am NS nscmd.fr.am; nscmd.fr.am A XX.XX.XX.XX.
    3. The cache DNS stores the segments:
       Segment1 -> qrjiqerkjqet.cmdns.fr.am ->
       Segment2 -> ktqtr53xase.cmdns.fr.am ->
       Segment3 -> gtsdmfzfzre.cmdns.fr.am ->
       ...
       Segmentn -> 1.1.1.1
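How a defender can spot chains like the one above in passive-DNS or resolver logs, as an added example (not code from the talk): it scores the first label of each CNAME target on length, base32 alphabet and entropy, then follows owner-to-target links to measure each chain. The three-column log format, the example.com/example.net names and the payload bytes are constructed here; only the zone name cmdns.fr.am and the chain shape (segment -> segment -> ... -> A record) come from the slides.

```python
import base64
import hashlib
import math
from collections import Counter

BASE32_ALPHABET = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")
MIN_LABEL_LEN = 40   # ordinary hostnames rarely get near the 63-octet label limit
MIN_ENTROPY = 3.0    # bits per symbol; encoded data scores well above, words well below


def shannon_entropy(s: str) -> float:
    """Empirical entropy of the character distribution, in bits per symbol."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def label_features(label: str) -> dict:
    up = label.upper()   # DNS is case-insensitive; logs may lower-case names
    return {"length": len(up),
            "base32_only": all(ch in BASE32_ALPHABET for ch in up),
            "entropy": shannon_entropy(up)}


def is_suspicious_label(label: str) -> bool:
    f = label_features(label)
    return f["length"] >= MIN_LABEL_LEN and f["base32_only"] and f["entropy"] >= MIN_ENTROPY


def parse_log(text: str) -> list:
    """Constructed log format: '<owner> <type> <rdata>' per line."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            records.append((parts[0].rstrip(".").lower(), parts[1].upper(),
                            parts[2].rstrip(".").lower()))
    return records


def analyze(text: str) -> dict:
    """Flag CNAME records whose target starts with an encoded-looking label and
    follow owner -> target links to measure each chain (the layout of slide 25)."""
    cname = {owner: target for owner, rtype, target in parse_log(text) if rtype == "CNAME"}
    flagged = [o for o, t in cname.items() if is_suspicious_label(t.split(".")[0])]
    targets = set(cname.values())
    chains = []
    for head in (o for o in cname if o not in targets):   # owners nothing points at
        node, hops, encoded_chars, seen = head, 0, 0, set()
        while node in cname and node not in seen:         # seen-set guards CNAME loops
            seen.add(node)
            first = cname[node].split(".")[0]
            if is_suspicious_label(first):
                encoded_chars += len(first)
            node, hops = cname[node], hops + 1
        if encoded_chars:
            chains.append({"head": head, "depth": hops, "terminal": node,
                           "approx_bytes": encoded_chars * 5 // 8})  # base32: 8 chars per 5 bytes
    return {"flagged": flagged, "chains": chains}


def build_sample_log() -> str:
    """Constructed records: ordinary names plus one encoded chain under cmdns.fr.am
    (zone name from the slides; the payload is deterministic pseudo-random bytes)."""
    payload = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(5))[:150]
    encoded = base64.b32encode(payload).decode()                      # 150 bytes -> 240 chars
    labels = [encoded[i:i + 60] for i in range(0, len(encoded), 60)]  # stay under 63 octets
    zone = "cmdns.fr.am"
    lines = ["www.example.com A 192.0.2.1",
             "mail.example.com CNAME mailhost.example.com",
             "shop.example.com CNAME lb-0123456789.region-1.lb.example.net"]
    owner = f"m1-0.{zone}"
    for label in labels:
        lines.append(f"{owner} CNAME {label}.{zone}")
        owner = f"{label}.{zone}"
    lines.append(f"{owner} A 1.1.1.1")   # chain terminator, as on slide 25
    return "\n".join(lines)


if __name__ == "__main__":
    for chain in analyze(build_sample_log())["chains"]:
        print(chain)
```

The three thresholds are deliberately conservative: a long load-balancer name fails the alphabet test because of hyphens and the digits 0, 1, 8 and 9, and a long but repetitive label fails the entropy test. Real deployments should tune MIN_LABEL_LEN and MIN_ENTROPY against their own baseline and treat chain depth, not a single record, as the alerting signal.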
  • 26. 03 Downloading process (diagram: a corporate environment with an intranet DNS and several bots)
  • 27. 03 DNS analysis, from where?
    • sign.io (Amsterdam, Holland)
    • shellmix.com (Szczecin, Poland)
    • devio.us (Orlando, USA)
    • ADSL & 3G access from Madrid, Spain and Guayaquil, Ecuador
    Legend on the slide: thorough characterization / basic tests
  • 28. 03 DNS cache survey
    • Different locations.
      – IP anycast (DNS proxy): different locations, different results.
    • Different authoritative DNS.
      – cmdns.mooo.com; cmdns.h4ck.me; cmdns.pocho.cl; cmdns.fr.am; cmdns.m3th.org; cmdns.t28.net; etc.
    • Being patient (thorough characterization).
      – It takes time to run two hundred thousand queries per DNS cache and per location.
    • In this study we undertook the task of obtaining the list of emitters behind each IP anycast address.
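The survey step just described, seen from the authoritative side, as an added example (not the authors' tooling): queries that arrive at your own name server are grouped by the public anycast address the probe was sent to, giving the list of back-end resolvers ("emitters") that answer on its behalf. A zone operator can use the same grouping to learn which resolver back ends actually fetch its records. The BIND-style query-log lines are constructed below with documentation-range source addresses, and the probe naming scheme (a via-<anycast address> label plus a per-query nonce) is a convention assumed here, not one from the slides.

```python
import re
from collections import defaultdict

# BIND-style query log line: "client <src>#<port>: query: <qname> IN <type> ..."
QUERY_RE = re.compile(r"client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN")

# Constructed log.  The "via-<resolver>" label records which anycast address the
# probe was sent to; the leading nonce (n001, n002, ...) keeps every query
# uncacheable so each one reaches this authoritative server.
SAMPLE_QUERYLOG = """\
20-Feb-2011 10:00:01.101 client 198.51.100.10#40001: query: n001.via-8-8-8-8.probe.example IN A -ED (203.0.113.1)
20-Feb-2011 10:00:01.205 client 198.51.100.11#40002: query: n002.via-8-8-8-8.probe.example IN A -ED (203.0.113.1)
20-Feb-2011 10:00:01.310 client 198.51.100.10#40003: query: n003.via-8-8-8-8.probe.example IN A -ED (203.0.113.1)
20-Feb-2011 10:00:02.120 client 192.0.2.40#40004: query: n004.via-208-67-222-222.probe.example IN A -ED (203.0.113.1)
20-Feb-2011 10:00:02.440 client 192.0.2.41#40005: query: n005.via-208-67-222-222.probe.example IN A -ED (203.0.113.1)
20-Feb-2011 10:00:03.000 client 192.0.2.99#40006: query: www.example.com IN A -ED (203.0.113.1)
20-Feb-2011 10:00:03.500 client 198.51.100.12#40007: query: n006.via-8-8-8-8.probe.example IN A -ED (203.0.113.1)
"""


def emitters_by_resolver(log_text: str) -> dict:
    """Map each probed anycast address to the sorted set of source addresses
    that actually delivered its queries to this server."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        tag = next((lbl for lbl in m["qname"].split(".") if lbl.startswith("via-")), None)
        if tag is None:
            continue                      # ordinary traffic, not one of our probes
        resolver = tag[len("via-"):].replace("-", ".")
        seen[resolver].add(m["src"])
    return {resolver: sorted(addrs) for resolver, addrs in seen.items()}


def summarize(log_text: str) -> dict:
    """Per anycast address: how many distinct back-end resolvers were observed."""
    return {resolver: len(addrs) for resolver, addrs in emitters_by_resolver(log_text).items()}


if __name__ == "__main__":
    for resolver, addrs in emitters_by_resolver(SAMPLE_QUERYLOG).items():
        print(resolver, "->", ", ".join(addrs))
```

Because the same anycast address fronts different back ends depending on where the probe originates (the "different locations, different results" point above), the log should be collected over probes from every vantage point before the per-resolver sets are compared.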
  • 29. 03 Characterization (I): 198.153.192.1 and 198.153.194.1 (the slide lists the emitter addresses found behind each anycast address; they are masked in the original)
  • 30. 03 Characterization (II): 208.67.222.222 and 208.67.220.220 (masked emitter address list, as above)
  • 31. 03 Characterization (III): 8.8.8.8 & 8.8.4.4 (masked emitter address list, as above)
  • 32. 03 Characterization (IV): 8.8.8.8 & 8.8.4.4 (masked emitter address list, continued)
  • 33. 03 Preliminary results
  • 34. 03 Characterization (V)
    • ns2.cisco.com (64.102.255.44): emitters (masked addresses on the slide)
    • indnsc70.bt.net (62.6.40.162), BT MDIP Dynamic Address Pools and Infrastructure: open emitter
    • ns.above.net (207.126.96.162), MarkosWeb (Private World Communications): open emitter
    • cache1.dnsresolvers.com (205.210.42.205): open emitter
  • 35. 03 Preliminary results
  • 36. 03 Theory vs. Reality
    • DNS pools:
      – Load on each DNS in the pool.
      – Load on more than one DNS pool.
      – Complex retry logic.
    • Limited in corporate environments.
    • The malware source must disappear before the first download.
    • Must use the client's default DNS settings.
  • 37. 03 Improvement
    • Need another way.
    • Maybe we can use third-party DNS resources …
    • … Use a cache DNS as the authoritative server.
      – The malware source can disappear.
      – Completely asynchronous communication.
      – Tracing the origin is a little more difficult.
      – Only one load process is needed.
  • 38. MAJOR COMPANY SPECIALISING IN MALWARE DISTRIBUTION SEEKS DNS SERVERS (OPEN EMITTERS)
    Requirements:
    • Worldwide reachability
    • Accept and correctly resolve recursive queries (open resolver functionality)
    • No restrictions on storing new records of any type (cache functionality)
    • Experience working with high TTLs (minimum 86,400 seconds)
    • Ability to take on responsibility:
      • Answering non-recursive queries (+norecurse)
      • Answering with authority: marking responses as authoritative (AA bit) regardless of the domain asked about (whether or not it has authority over it)
    • Stability and high performance will be valued
    Interested parties, send your IP address to cmd@iniqua.com
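Checking that list of criteria against name servers you operate, as an added example that is not code from the talk: it decodes the header laid out on slide 17 together with the question and answer sections (including name compression), then compares a server's answer to a normal recursive query with its answer to the same name asked again with +norecurse. No packets are sent; the responses are constructed in the script, and the name and address used in them (www.example.com, 192.0.2.10) are placeholders.

```python
import struct

# Header flag bits, counted from the least significant bit of the 16-bit flags word.
FLAG_BITS = {"QR": 15, "AA": 10, "TC": 9, "RD": 8, "RA": 7, "AD": 5, "CD": 4}


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header: id, flags, opcode, rcode and the four section counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    hdr = {"id": ident, "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
           "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}
    for name, bit in FLAG_BITS.items():
        hdr[name] = bool(flags & (1 << bit))
    return hdr


def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035, 4.1.4)
            if end is None:
                end = offset + 2
            jumps += 1
            if jumps > 32:
                raise ValueError("compression pointer loop")
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_message(msg: bytes) -> dict:
    """Header plus question and answer sections (authority/additional are not needed here)."""
    m = parse_header(msg)
    off = 12
    m["questions"], m["answers"] = [], []
    for _ in range(m["qdcount"]):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
        m["questions"].append((name, qtype, qclass))
    for _ in range(m["ancount"]):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        m["answers"].append({"name": name, "type": rtype, "ttl": ttl, "rdata": msg[off:off + rdlen]})
        off += rdlen
    return m


def classify(rd_response: bytes, norecurse_response: bytes, min_ttl: int = 86400) -> dict:
    """rd_response: answer to an RD=1 query for a name the server is not authoritative for.
    norecurse_response: the same name asked afterwards with RD=0 (dig +norecurse)."""
    rec, nr = parse_message(rd_response), parse_message(norecurse_response)
    open_resolver = rec["RA"] and rec["rcode"] == 0 and bool(rec["answers"])
    served_from_cache = nr["rcode"] == 0 and bool(nr["answers"])
    max_ttl = max((a["ttl"] for a in nr["answers"]), default=0)
    return {"open_resolver": open_resolver,
            "answers_norecurse": served_from_cache,
            "open_emitter": open_resolver and served_from_cache and nr["AA"],
            "max_ttl": max_ttl,
            "long_ttl_cache": served_from_cache and max_ttl >= min_ttl}


# --- constructed responses so the script runs stand-alone, without a network ---

def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def build_response(ident, qname, ip, ttl, *, aa, rd, ra, rcode=0) -> bytes:
    """One question and, when ip is given, one A answer whose owner is a pointer to offset 12."""
    flags = (1 << 15) | (aa << 10) | (rd << 8) | (ra << 7) | rcode
    answer = b""
    if ip is not None:
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    header = struct.pack("!HHHHHH", ident, flags, 1, 1 if ip else 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1) + answer


def demo() -> dict:
    """Three constructed servers: one that refuses, a plain open resolver, an open emitter."""
    q, ip = "www.example.com", "192.0.2.10"
    closed = (build_response(1, q, None, 0, aa=False, rd=True, ra=False, rcode=5),
              build_response(2, q, None, 0, aa=False, rd=False, ra=False, rcode=5))
    resolver = (build_response(3, q, ip, 300, aa=False, rd=True, ra=True),
                build_response(4, q, ip, 300, aa=False, rd=False, ra=True))
    emitter = (build_response(5, q, ip, 604800, aa=False, rd=True, ra=True),
               build_response(6, q, ip, 604800, aa=True, rd=False, ra=True))
    return {name: classify(*pair) for name, pair in
            (("closed", closed), ("resolver", resolver), ("emitter", emitter))}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

To audit a real server, pass classify() the raw bytes of the two responses as captured with dig or scapy (both on the references slide). The open_emitter verdict is only true when the non-recursive answer for a foreign name carries the AA bit, which is exactly the combination the survey selected for; the long_ttl_cache verdict reports whether such an entry would survive for the 86,400 seconds the criteria ask for.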
  • 39. 03 Finding Nemo (I)
    IPv4 addresses: 256⁴ = 4,294,967,296
    IPv4 addresses routed on the Internet: 2,126,357,495
    Speak the DNS protocol: 15,553,600
    Open resolvers: 11,920,500
    Open emitters: 380,700
    Source: http://dns.measurement-factory.com/surveys/201010/
  • 40. 03 Finding Nemo (II)
    Open emitters among the name servers of .com, .net & .org: 10.9%
    Domain counts shown on the slide: 90 million domains; 13.4 million domains; 8.6 million domains
  • 41. 03 Free public DNS server lists
    • DNS Benchmark
    • namebench
    • chaz6.com
  • 42. 03 Searching for good emitters (February 2011)
                                From Spain   From USA   (third column, unlabelled on the slide)
    Queried hosts                   10,406     10,406
    Replying hosts                   9,077      9,094
    Open resolvers                   6,941      7,028
    Open emitters                    5,243      5,175      5,214
    Accept +norecurse queries        5,075      5,005      5,047
    TTL ≈ 604800                     3,908      3,905      3,905
  • 43. 03 Here they are, in all their glory (maximum TTL value accepted by the open emitters)
    0: 0.24%   3600: 0.00%   43200: 0.34%   86400: 0.46%   604800: 20.98%   higher: 77.98%
  • 44. 03 New process overview (diagram labels): Loading, Cache DNS, Anonymous, cmdns.pocho.cl, FreeDNS, Coding, Downloading.
  • 45. • 01 Introduction • 02 DNS in a nutshell • 03 Our history • Implementation • Improvement • 04 Real world • 05 Results
  • 46. 04 Here and right now (I)
    ns.deloitte.es (80.91.76.141): recursion is enabled; open emitter; DNS cache (TTL 86400 s); +norecurse allowed
    ns2.deloitte.es (62.14.236.141): recursion is enabled; open emitter; no DNS cache (TTL 1 s)!!!!
    ns1.informatica64.com (80.81.106.148): recursion is enabled; open emitter; DNS cache (TTL 86400 s); +norecurse allowed
    ns2.informatica64.com (80.81.106.146): recursion is enabled; open emitter; DNS cache (TTL 86400 s); +norecurse allowed
  • 47. 04 Here and right now (II)
    • Analyzing 76 domains related to universities with a presence in Spain (188 different name servers):
      – 31 authority servers accept recursive queries (open resolvers).
      – 29 of them are DNS caches & open emitters (+norecurse allowed).
      – The TTL value for 23 of them is 604,800 seconds (86,400 seconds for the other six).
  • 48. 04 Here and right now (III)
    • Analyzing 131 domains related to banks with a presence in Spain (145 different name servers):
      – 32 authority servers accept recursive queries (open resolvers).
      – 21 of them are DNS caches & open emitters (+norecurse allowed).
      – The TTL value for 14 of them is 604,800 seconds (86,400 s for 6 and 172,800 s for the other one).
  • 49. 04 PoC (I)
    • Sample files (not malware):
      – nc (20,156 bytes)
      – diff (100,324 bytes)
    • Domain to be used: "cmdns.pocho.cl"
    • Selected servers (TTL: 604,800 s):
      – 2@7.#2%.9&.1~2
      – 1@3.#3%.2&6.1~
    • From 20th Feb to 26th Feb, 2011
  • 50. 04 PoC (II)
    File                           nc                     diff
    Size                           20,156 bytes           100,324 bytes
    Queries needed                 44 (2.24 queries/KB)   222 (2.27 queries/KB)
    Upload time (from Spain)
      2@7.#2%.9&.1~2               33 s                   2 min 27 s
      1@3.#3%.2&6.~1               18 s                   1 min 20 s
    Download time (first time)     Spain / USA            Spain / USA
      Google (8.8.8.8)             10 s / 11 s            38 s / 2 min 35 s
      Norton (198.153.192.1)       12 s / 28 s            52 s / 2 min 17 s
      OpenDNS (208.67.222.222)     25 s* / 25 s*          1 min 29 s* / 1 min 51 s*
      Intranet (X.X.X.X)           22 s* / -              1 min 28 s* / -
  • 51. 04 User DNS traffic (chart: queries per hour of day, 0–23 h; y-axis 0–300 queries; series Day 1 and Day 2)
  • 52. 04 Live demo (I)
    Sample files                        Bytes      Queries needed   (ratio, unlabelled on the slide)
    m1: PHP-Backdoor "id"               498        2                24/43
    m2: "IE-KillProgramsTab.exe"        10,240     18               40/43
    m3: PHP bot "pbot.txt"              23,140     21               28/43
    m4: KillAV "ep.exe"                 31,604     114              19/43
    m5: Zeus binary "bot.exe"           152,064    636              29/41
    m6: Trojan SpyEye "seye.exe"        200,704    535              32/43
  • 53. 04 Live demo (II)
    Domains to be used    Selected servers (open emitters)     TTL (seconds)
    cmdns.mooo.com        1@0.#1%.1&7.~, 2@2.#6.%4.&6           604,800
    cmdns.m3th.org        2@2.#6.%4.&7                          604,800
    cmdns.h4ck.me         8@.8#.1%6.&46, 8@.8#.1%6.&48          86,400
    cmdns.fr.am           2@7.#5.%2.&                           604,800
    cmdns.t28.net         1@5.#4%.2&8.~3, 2@7.#2%.9.&6~         604,800
    cmdns.pocho.cl        1@3.#3%.2&6.~1                        604,800
    Hashes shown next to the servers on the slide: 762f62ae2c76a38dd72b99a6ae37f30a, 0078171a2416bcee4df828cc78ae528f, 44e6d578b35bed74f55137ff09893585, 02ac6ee35a976289cf97a42c19e36601, f630b5ddf62603ce51f3d41e827e7786, ca865b43a95b8a966cb6b892efc66a3e, c8e4a7ccd5a5a517a1c96be336276e5c, 1e98caffee2952ad1fb15b195ad2b065, 7b95b106ced43b91bd551b33ee1f00c8
  • 54. 04 Live demo (III)
    • All domains were loaded on 27th Feb and are on air until 6th March.
      – "cmdns.h4ck.me" was reloaded yesterday at 06:30 pm.
    • TTL of:
      – "8@.8#.1%6.&46": 86,400 seconds.
      – "8@.8#.1%6.&48": 86,400 seconds.
    • On air until this afternoon.
    • Try it: dig m1-0.cmdns.pocho.cl A
  • 55. 04 On air
    File                           pbot.txt                bot.exe
    Size                           23,140 bytes            152,064 bytes
    Queries needed                 21 (0.93 queries/KB)    636 (4.28 queries/KB)
    Upload time (from Spain)
      8@.8#.1%6.&46                18 s                    2 min 34 s
      8@.8#.1%6.&48                13 s                    2 min 41 s
    Download time (first time)     Spain / Ecuador         Spain / Ecuador
      Google (8.8.8.8)             9 s / 25 s              23 min 56 s* / 25 min 14 s*
      Norton (198.153.192.1)       12 s / 22 s             6 min 51 s / 17 min 48 s
      OpenDNS (208.67.222.222)     9 s** / 32 s**          4 min 42 s** / 11 min 9 s**
      Rooted CON (?.?.?.?)         - / -
    Uhmmm, rate-limiting queries!!!!!! Upload progress for bot.exe:
      the first 100 queries: 32 s; 200 queries: 2 min 57 s; 300 queries: 7 min 29 s;
      400 queries: 12 min 9 s; 500 queries: 17 min 6 s; 600 queries: 22 min 14 s
  • 56. 04 The Origin of Evil
  • 57. • 01 Introduction • 02 DNS in a nutshell • 03 Our history • Implementation • Improvement • 04 Real world • 05 Results
  • 58. 05 Results
    • Public cache DNS: can be used as a platform to store and distribute malware.
    • DNS architecture: is available.
    • Implementation: just do it.
    • Survey results: can be used to define countermeasures.
  • 59. 05 Best Current Practice
  • 60. 00 References
    http://code.kryo.se/iodine/
    http://dns.measurement-factory.com/
    http://www.chaz6.com/files/resolv.conf
    http://www.grc.com/dns/benchmark.htm
    http://darkwing.uoregon.edu/~joe/secprof10-dns/secprof10-dns.pdf
    http://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Kaminsky.pdf
    http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-kaminsky/bh-us-04-kaminsky.ppt
    http://code.google.com/p/namebench/
    http://www.pcworld.com/article/220024/feds_accidentally_seize_84000_innocent_domains_link_them_with_child_porn.html
    http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf
    http://www.secdev.org/projects/scapy/
    https://www.isc.org/software/bind/documentation/arm95#man.dig
    http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl
    http://hakin9.org/magazine/1652-mobile-malware-the-new-cyber-threat
    http://www.ietf.org/rfc/rfc{1033,1034,1035,1183,2181}.txt
  • 61. 00 Questions? mailto: ffranz@iniqua.com mailto: charlie@tid.es