Exploiting Redundancy Properties of Malicious Infrastructure for Incident Detection


Exploiting Redundancy Properties of Malicious Infrastructure
John Bambenek, Manager of Threat Systems, Fidelis Cybersecurity

PHDays 6 – Moscow, Russia

© Fidelis Cybersecurity

Intro
• Manager at Fidelis Cybersecurity of a team responsible for automation and data mining threat information.
• Faculty at University of Illinois – Urbana-Champaign in Computer Science.
• Participate in (and run) many private groups investigating major criminal threats on the internet.
• I generally focus only on criminal threats and avoid nation-state/espionage.


Agenda
• Single Point of Failure vs Redundancy
• Redundancy techniques
• Detection
• Sinkholing
• Increased Fingerprints
• Targeted Intelligence Operations
• Surveillance
• Towards more Effective Disruption


Single Point of Failure vs Redundancy
• Many malware attacks rely on a single method of communication (a single IP, DNS name, Tor node, etc.).
• Easy to set up and maintain, low cost of entry.
• However, only two states: up or down.
• Cannot establish a pattern on a single data point.
• Many RATs are single-C2 based.
• Attackers who want to persist need something else.


Single C2 Examples
[Figure: example of a static C2 config (more on Barncat later)]

Multi C2 Example
[Figure: example of a static multi-C2 config (more on Barncat later)]

Redundancy Techniques
• Multiple IPs/hostnames (static lists)
• Use of Fast Flux / Double Flux
• DGAs
• Tor/I2P
• Multiple methods
• If done right, uses multiple ISPs/providers


Detection
• If you already know about a threat, you can protect based on a single piece of information.
• For unknown threats, you need to have a pattern, and single data points aren’t a pattern.
• Redundancy helps us by forcing the adversary to create fingerprints we can use to detect otherwise “unknown” threats.
• Allows for data mining, statistical analysis, etc.


Goal
• Goal: force the adversary into behavior that inherently requires them to create patterns.
• Takedowns are risky because the attacker can adapt back into an “unknown threat”. Patterns, however, tend to persist if you have visibility into their behavior.


Detection
• Double flux networks rely on a massive pool of endpoints and nameservers, so taking down a single IP has no impact on the adversary.

    divewithsharks.hk. 1800 IN A 70.68.187.xxx [xxx.vf.shawcable.net]
    divewithsharks.hk. 1800 IN A 76.209.81.xxx [SBIS-AS - AT&T Internet Services]
    divewithsharks.hk. 1800 IN A 85.207.74.xxx [adsl-ustixxx-74-207-85.bluetone.cz]
    divewithsharks.hk. 1800 IN A 90.144.43.xxx [d90-144-43-xxx.cust.tele2.fr]
    divewithsharks.hk. 1800 IN A 142.165.41.xxx [142-165-41-xxx.msjw.hsdb.sasknet.sk.ca]


Detection – Flux networks
• Besides CDNs, very few legitimate domains will answer with multiple low-TTL A records spread across geographies and network boundaries (especially in residential IP space).
• Almost no one uses low-TTL NS records (very limited legitimate use case), so that is an even stronger signal for double flux.
• Can combine with domain/IP reputation or Alexa rank to increase confidence.
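The heuristic the slide describes, as an added example (this is not code from the talk): parse answers in the annotated form shown on the previous slide, then flag a name whose A records all have a low TTL and spread across several unrelated networks. The example has no ASN or geolocation database, so it approximates "network" from the reverse-DNS name beside each answer (registrable suffix), from the AS description when there is no PTR, or from the address's /16 as a last resort; that approximation, the thresholds, and the CDN-style contrast set are assumptions of the example.

```python
"""Heuristic flux-network scoring over annotated DNS answers.

Added example for the flux-detection slide; not code from the talk.  It
looks for the two signals described above: several low-TTL A records for one
name, and those addresses spread across unrelated networks.
"""
import re
from dataclasses import dataclass

# Line shape of the annotated answers shown on the earlier slide:
#   <name> <ttl> IN A <ip> [<reverse-dns name or AS description>]
# The IP field accepts the masked "xxx" octets used on the slide.
_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)\s+\[(.*)\]\s*$")


@dataclass(frozen=True)
class ARecord:
    name: str
    ttl: int
    ip: str
    annotation: str  # PTR name, or an AS description when no PTR existed


def parse_line(line: str) -> ARecord:
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised record: {line!r}")
    name, ttl, ip, annotation = m.groups()
    return ARecord(name, int(ttl), ip, annotation.strip())


def network_owner(rec: ARecord) -> str:
    """Approximate the owning network of an address (assumption of this example).

    An AS description (contains spaces) is used as-is; a PTR name is reduced
    to its registrable suffix; with neither, fall back to the address's /16.
    """
    ann = rec.annotation
    if " " in ann:
        return ann
    labels = [lab for lab in ann.rstrip(".").split(".") if lab]
    if len(labels) >= 2:
        # crude handling of two-part public suffixes such as sk.ca or co.uk
        if len(labels) >= 3 and len(labels[-1]) == 2 and len(labels[-2]) <= 3:
            return ".".join(labels[-3:])
        return ".".join(labels[-2:])
    return ".".join(rec.ip.split(".")[:2]) + ".0.0/16"


def flux_score(records, max_ttl=3600, min_records=3, min_networks=3):
    """Return the observed signals and a verdict for one queried name."""
    if not records:
        return {"records": 0, "distinct_networks": 0, "low_ttl": False, "flux_like": False}
    owners = {network_owner(r) for r in records}
    low_ttl = max(r.ttl for r in records) <= max_ttl
    return {
        "records": len(records),
        "distinct_networks": len(owners),
        "low_ttl": low_ttl,
        "flux_like": low_ttl and len(records) >= min_records and len(owners) >= min_networks,
    }


def score_lines(lines):
    """Convenience wrapper: raw annotated lines in, verdict dict out."""
    return flux_score([parse_line(line) for line in lines])


# The slide's double-flux answer set, copied as shown (octets masked on the slide).
FLUX_SAMPLE = [
    "divewithsharks.hk. 1800 IN A 70.68.187.xxx [xxx.vf.shawcable.net]",
    "divewithsharks.hk. 1800 IN A 76.209.81.xxx [SBIS-AS - AT&T Internet Services]",
    "divewithsharks.hk. 1800 IN A 85.207.74.xxx [adsl-ustixxx-74-207-85.bluetone.cz]",
    "divewithsharks.hk. 1800 IN A 90.144.43.xxx [d90-144-43-xxx.cust.tele2.fr]",
    "divewithsharks.hk. 1800 IN A 142.165.41.xxx [142-165-41-xxx.msjw.hsdb.sasknet.sk.ca]",
]

# Constructed contrast: a CDN-style answer set with short TTLs whose addresses
# all sit in one provider's space, the legitimate case the slide says to exclude.
CDN_SAMPLE = [
    "static.example-shop.com. 60 IN A 203.0.113.10 [edge-10.cdn-example.net]",
    "static.example-shop.com. 60 IN A 203.0.113.11 [edge-11.cdn-example.net]",
    "static.example-shop.com. 60 IN A 203.0.113.12 [edge-12.cdn-example.net]",
    "static.example-shop.com. 60 IN A 203.0.113.13 [edge-13.cdn-example.net]",
]

if __name__ == "__main__":
    for label, sample in (("flux", FLUX_SAMPLE), ("cdn", CDN_SAMPLE)):
        print(label, score_lines(sample))
```

The CDN set has the shorter TTL of the two, yet scores as a single network, which is why TTL alone is a weak signal and the network spread is the part that matters; in production the owner lookup should come from an ASN database rather than PTR suffixes.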


Detection - DGAs
• Pseudorandom domain names (or hostnames), usually many hundreds or thousands generated (potentially per day).
• Attacker only needs to control one of the domains; if it gets suspended they can just register another to reassert control.


Detection – DGAs (tinba)

    pmlmfbehhunq.com,72.52.4.90,a.ns36.de|b.ns36.de
    pmqeelsxyddk.com,188.120.224.164,ns1.reg.ru|ns2.reg.ru
    pqtcwrrrvgvf.ru,158.58.170.148,a.dnspod.com|b.dnspod.com|c.dnspod.com
    pubejsbumwql.com,72.52.4.90,a.ns36.de|b.ns36.de
    qrwlypygphht.ru,158.58.170.148,a.dnspod.com|b.dnspod.com|c.dnspod.com

• Easy to load known DGA domains into RPZ to block at DNS level.


Detection - DGAs
• Easy to find “unknown” DGAs.
• The most obvious network behavior of DGA-enabled malware is a large number of NXDOMAIN responses to its queries (most DGAs have a majority of domains unregistered).
• Look in DNS logs for repetitive queries that return NXDOMAIN or resolve to known sinkholed IPs.


Detection - DGAs
• For non-wordlist DGAs, checking domain names for high entropy finds “random”-looking domains.
• N-gram analysis can also be used to find DGA-like domains.
  • Based on looking at sequences of characters that do not naturally occur in a given language to create a score (essentially anti-patterns).
  • e.g. “QQ” is not a naturally occurring 2-letter combination in English.
• Based on statistical comparisons of letter combinations in “natural” language and observed domain names, you can make some conclusions.


Detection - DGAs
• Can be language specific, so care needs to be taken for other languages.
• Using n-grams is not a 100% confidence prospect; other checking needs to be done.
• See “Use of n-Gram models for DGA detection” once published.
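The two DGA signals from the preceding slides, the NXDOMAIN volume check and the lexical entropy / anti-pattern scoring, combined in one added example (this is not code from the talk or its n-gram paper). It reads a DNS query log, counts NXDOMAIN answers per client, scores each failing name's second-level label by Shannon entropy and by a short list of letter pairs that essentially never occur in English, and marks a client as a DGA suspect only when both the volume and the lexical signal agree. The log line format, the thresholds and the rare-bigram list are constructed for the example; a real deployment would derive bigram statistics from a corpus and tune them per language, which is exactly the caveat raised above.

```python
"""Two DGA signals from the slides, combined (added example, not the talk's code).

1. NXDOMAIN volume per client, read from a DNS query log.
2. A lexical score for each failing name: Shannon entropy of its second-level
   label and a count of letter pairs that rarely occur in English.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed log shape: "<epoch> <client-ip> <qname> <rcode>".  The random
# looking names are the tinba-style ones from the slide plus constructed ones.
SAMPLE_LOG = """\
1462345601 10.0.0.5 www.example.com NOERROR
1462345602 10.0.0.5 pmlmfbehhunq.com NXDOMAIN
1462345603 10.0.0.5 pqtcwrrrvgvf.ru NXDOMAIN
1462345604 10.0.0.5 qrwlypygphht.ru NXDOMAIN
1462345605 10.0.0.5 xvqkzjdhwplm.com NXDOMAIN
1462345606 10.0.0.5 pubejsbumwql.com NXDOMAIN
1462345607 10.0.0.7 mail.example.org NOERROR
1462345608 10.0.0.7 exmaple.com NXDOMAIN
"""

# Letter pairs that essentially never occur inside English words.  This list
# is an assumption of the example (the slide's "QQ" is one of them).
RARE_BIGRAMS = {
    "qq", "qx", "xq", "qz", "zq", "qj", "jq", "qk", "kq", "qw", "wq", "qy",
    "yq", "jx", "xj", "zx", "xz", "jz", "zj", "vq", "vj", "jv", "fq", "pq",
    "gq", "hq", "mq", "nq", "lq", "cj", "jc", "fz", "zf", "vz", "zv", "wx",
}
ENTROPY_THRESHOLD = 3.0  # bits per character; an assumption of the example


def second_level_label(qname: str) -> str:
    """'www.example.com' -> 'example' (ignores multi-part public suffixes)."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(text: str) -> float:
    """Character-level Shannon entropy in bits; 0.0 for empty or single-symbol input."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def rare_bigram_count(label: str) -> int:
    """Number of adjacent letter pairs in the label that are on the anti-pattern list."""
    letters = re.sub(r"[^a-z]", "", label.lower())
    return sum(1 for i in range(len(letters) - 1) if letters[i:i + 2] in RARE_BIGRAMS)


def looks_random(label: str) -> bool:
    """Lexical verdict: high entropy or at least one anti-pattern letter pair."""
    return shannon_entropy(label) >= ENTROPY_THRESHOLD or rare_bigram_count(label) > 0


def analyze(log_text: str, min_nxdomain: int = 5):
    """Per client: NXDOMAIN count, how many failing names look random, and a verdict."""
    per_client = defaultdict(lambda: {"nxdomain": 0, "random_like": 0, "suspect": False})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole run
        _ts, client, qname, rcode = parts
        if rcode != "NXDOMAIN":
            continue
        stats = per_client[client]
        stats["nxdomain"] += 1
        if looks_random(second_level_label(qname)):
            stats["random_like"] += 1
    for stats in per_client.values():
        # Both signals must agree: enough failures AND at least half look random.
        stats["suspect"] = (
            stats["nxdomain"] >= min_nxdomain
            and stats["random_like"] * 2 >= stats["nxdomain"]
        )
    return dict(per_client)


if __name__ == "__main__":
    for client, stats in analyze(SAMPLE_LOG).items():
        print(client, stats)
```

Note that entropy over a label as short as a domain is noisy: a single typo'd query from 10.0.0.7 scores low here, but longer legitimate names can cross the threshold, which is why the client verdict also requires a volume of failures rather than trusting the lexical score alone.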


Sinkholing
• For DGAs, most domains are unregistered.
• If a researcher registers one (or several) of those domains, victims will beacon to them.
• Useful for telemetry data or developing signatures.
• Some adversaries have started creating sinkhole-aware malware.


Other uses of sinkholing
• If you can make victims think you are the C2, you can, to an extent, control the victim.
• May require other data (encryption keys) and mimicking the C2 protocol.
• Some (but not all) malware families have a self-destruct option to uninstall from the victim’s machine.
• This has been done in the past as part of takedowns.


Other uses of sinkholing
• You can also engage in direct control of the victim.
• A “white hat” hacker recently breached part of an exploit kit network to install Avira instead of the intended malware by replacing the binary.
  • Transient benefit.
• If you do this, please just install Flash/Adobe/Java patches instead.
  • More persistent benefit.


Important Note
• Doing any of the above without legal authority is probably criminal in almost every jurisdiction represented in this room.
• Going to jail is bad, I don’t recommend it.


Targeted Intelligence Operations
• Our biggest difficulty in prosecuting cybercrime is the difficulty in getting information between nations.
• International cooperation is often marred by unrelated foreign policy constraints, sometimes even with private sector actors.
• To make matters worse, as a consequence of the amount of data and metadata created by computers and networks, there is a huge number of tools available to hide.


Targeted Intelligence Operations
• When the adversary has only a single static C2, your options are limited:
  • Take it down
  • Get a wiretap
• If you take it down and lack other tracking ability, the attacker will just set up their operation elsewhere… and potentially break your visibility into their operations.


Targeted Intelligence Operations
• When an adversary uses redundant C2 methods, a disruption in part of their communications is not critical.
• They may not make wholesale changes.
• The key to a targeted intelligence operation is to have enough impact that the adversary does something, but not so much impact that they disappear and stop operating.


Examples
• During Cryptolocker, they often used the same Chinese registrar (DNSPOD) for their DGA registrations.
• In 2013, Chinese-American cooperation was not great.
• Objectives:
  • I wanted to build a relationship with a Chinese company to deal with obvious abuse.
  • I wanted to see how they would change if that registrar suspended a few domains.


Examples
• Results:
  • For a few days, they kept using DNSPOD.
  • For two weeks, they used a different registrar before going back to DNSPOD.
  • The cycling of registrant accounts led to some good leads available to “western” law enforcement for their investigation.
  • I opened the door to working with other Chinese companies on criminal matters.


Example #2
• I was tracking a criminal service provider who used a “shared hosting” account to manage their infrastructure.
• I paid “a premium” to get an account on the same box to see if I could use poor file system permissions to gather additional intelligence (perfectly legal).
• It didn’t work, but the attacker didn’t know that.
• The attacker was aware of who I am and that I was tracking him, so I subtly let him know I got an account on the same box.


Example #2
• The attacker very quickly moved their C2 operations using a control panel “move” function.
• This also required them to reissue binaries, causing some disruption and a poor “customer experience”.
• Most important, using the “move” function left files behind after they left. This allows for the possibility of a search warrant to obtain that data without the adversary being aware.


More Fingerprints
• The use of redundancy also comes with new fingerprints that can be used to identify adversaries.
• DGAs inherently mean WHOIS artifacts could be used to find and track specific adversaries across all their operations.


Whois Info
• Many actors will use WHOIS protection… some just use fake information.
• “David Bowers” (yingw90@yahoo.com) is common for Bedep.

    $ grep "David Bowers" *.txt | grep Registrant
    whois-bfzflqejohxmq.com.txt:Registrant Name: David Bowers
    whois-demoqmfritwektsd.com.txt:Registrant Name: David Bowers
    whois-eulletnyrxagvokz.com.txt:Registrant Name: David Bowers
    whois-lepnzsiqowk94.com.txt:Registrant Name: David Bowers
    whois-mhqfmrapcgphff4y.com.txt:Registrant Name: David Bowers
    whois-natrhkylqoxjtqt45.com.txt:Registrant Name: David Bowers


David Bowers

    bfzflqejohxmq.com,Domain used by bedep (-4 days to today),2015-08-16
    eulletnyrxagvokz.com,Domain used by bedep (-4 days to today),2015-08-16
    natrhkylqoxjtqt45.com,Domain used by bedep (-4 days to today),2015-08-16
    nrqagzfcsnneozu.com,Domain used by bedep (-4 days to today),2015-08-16

But why stop with just known DGAs? What other domains are associated with “David Bowers”?


David Bowers
• Using DomainTools.com, it’s possible to see all domains registered by a name, email, etc.
• Domains seen associated with Necurs and Angler as well.
• Can also set up registrant alerts on e-mail addresses used to register domains.


David Bowers
[Figure not reproduced]

Registrant Alert
[Figure not reproduced]

Fingerprints Example #2
• With a single static C2, the use of SSL could be a one-time cert, could use a dedicated key or specific certificate details; there is no way to know.
• If there are many redundant C2s, they may re-use some information. For malware that does certificate pinning, they HAVE to use the same cert.


Fingerprints Example #2

    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number:
                fa:21:6b:2c:8e:6c:35:f6
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=EU, ST=Oregon, L=Cincinati, O=Oracle Corporation, OU=Oracle, CN=Oracle Developer/emailAddress=admin@oracle.com


More fingerprints
• Shodan (and other tools) can search for specific SSL certs on internet-facing services.
• Possible to programmatically hunt application stores for malicious certs in applications.


Surveillance
• DNS data can change; IPs can come and go.
• Use adnstools to bulk resolve all DNS indicators on a frequent basis (this is what my DGA feeds are based on).
• C2s can start or stop listening or issuing instructions.
• These changes (and the related metadata) can prove key in an investigation.


Surveillance
• Creation of feeds and intake is still a passive tactic.
• Possible to see C2 changes and notify in near real-time to potentially take action on the data.
• This uses the Pushover application (Apple and Google stores), which has a very simple API.

New Matsnu domains registered
[Figure not reproduced]

Pushover

    curl -s \
        --form-string "token=$appkey" \
        --form-string "user=$userkey" \
        --form-string "message=$message" \
        https://api.pushover.net/1/messages.json
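The surveillance loop the last two slides describe, as an added example (not code from the talk and not the adnstools feed pipeline): re-resolve a list of DNS indicators, diff the answers against the previous run's snapshot, and push the changes through the same Pushover endpoint and `token`/`user`/`message` fields as the curl command above. The snapshot file format, the event names, the resolver injection used to run it offline, and the constructed "previous run" data are assumptions of the example; the `run_once` function is the piece you would schedule from cron.

```python
"""Re-resolve indicators, diff against the last snapshot, notify on change.

Added example for the surveillance slides; not code from the talk.
"""
import json
import os
import socket
import urllib.parse
import urllib.request

PUSHOVER_URL = "https://api.pushover.net/1/messages.json"


def resolve(indicator: str) -> set:
    """Live resolver: all A records for a name; empty set when it does not resolve."""
    try:
        return set(socket.gethostbyname_ex(indicator)[2])
    except (socket.gaierror, socket.herror, UnicodeError):
        return set()  # NXDOMAIN, SERVFAIL and bad names are all "no answer" here


def snapshot(indicators, resolver=resolve) -> dict:
    """name -> sorted address list; JSON-serialisable so it can be kept between runs."""
    return {name: sorted(resolver(name)) for name in indicators}


def diff_snapshots(old: dict, new: dict) -> list:
    """Return (name, event, addresses) for every indicator whose answers changed."""
    events = []
    for name in sorted(set(old) | set(new)):
        before, after = set(old.get(name, [])), set(new.get(name, []))
        if not before and after:
            events.append((name, "STARTED_RESOLVING", sorted(after)))
        elif before and not after:
            events.append((name, "STOPPED_RESOLVING", sorted(before)))
        elif before != after:
            events.append((name, "CHANGED", sorted(after)))
    return events


def format_message(events, limit: int = 5) -> str:
    """Compact text for a push notification, truncated to `limit` events."""
    lines = [f"{name} {event} {','.join(addrs)}" for name, event, addrs in events[:limit]]
    if len(events) > limit:
        lines.append(f"... and {len(events) - limit} more")
    return "\n".join(lines)


def notify_pushover(token: str, user: str, message: str, opener=urllib.request.urlopen):
    """POST to the Pushover messages endpoint; returns the decoded JSON reply."""
    data = urllib.parse.urlencode({"token": token, "user": user, "message": message}).encode()
    req = urllib.request.Request(PUSHOVER_URL, data=data, method="POST")
    with opener(req) as resp:
        return json.load(resp)


def run_once(indicators, state_path, resolver=resolve):
    """One surveillance pass: load last snapshot, resolve, diff, persist the new one."""
    try:
        with open(state_path) as fh:
            old = json.load(fh)
    except FileNotFoundError:
        old = {}  # first run: every live name shows up as STARTED_RESOLVING
    new = snapshot(indicators, resolver)
    with open(state_path, "w") as fh:
        json.dump(new, fh)
    return diff_snapshots(old, new)


# Constructed offline sample: the previous run's answers and a fake resolver
# standing in for the live one (addresses in 203.0.113.0/24 are invented).
OLD_SNAPSHOT = {
    "pmlmfbehhunq.com": ["72.52.4.90"],
    "pqtcwrrrvgvf.ru": ["158.58.170.148"],
    "qrwlypygphht.ru": [],
}
FAKE_ANSWERS = {
    "pmlmfbehhunq.com": {"72.52.4.90"},        # unchanged
    "pqtcwrrrvgvf.ru": {"203.0.113.5"},        # C2 moved to a new address
    "qrwlypygphht.ru": {"203.0.113.9"},        # newly registered and live
    "never-registered.example": set(),         # still NXDOMAIN: no event
}


def demo_events():
    """Diff the constructed snapshots without touching the network."""
    new = snapshot(FAKE_ANSWERS, resolver=lambda name: FAKE_ANSWERS[name])
    return diff_snapshots(OLD_SNAPSHOT, new)


if __name__ == "__main__":
    message = format_message(demo_events())
    if os.environ.get("PUSHOVER_TOKEN") and os.environ.get("PUSHOVER_USER"):
        print(notify_pushover(os.environ["PUSHOVER_TOKEN"], os.environ["PUSHOVER_USER"], message))
    else:
        print(message)
```

The diff deliberately reports a name that was dead and is now live as its own event type: for a DGA feed that is the "new domain registered" moment the Matsnu alert above illustrates, and it is usually the most time-sensitive change to act on.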


Pairing with other data
• Barncat (the malware config data from earlier) is a bulk malware config ripping engine that statically extracts config data from malware binaries.
• Includes fields like “campaign ID”, mutex, and C2 information that can be correlated.


More effective disruption
• The “good guys” need to get lucky only once to attribute the adversary. The adversary has to be lucky every time to ensure this doesn’t happen.
• The more they have to do, the harder this becomes.
• All successful prosecutions involve monitoring an adversary over the long term to find the one time they screw up and expose themselves.
• Exploiting redundancy provides the opportunity to make this happen.


Free Resources
• For my DGA feeds, go to http://osint.bambenekconsulting.com/feeds (no authentication needed).
• For static malware configs, go to https://barncat.fidelissecurity.com (email me for access at john.Bambenek@fidelissecurity.com).


Questions & Thank You!
Find more of our research at: www.threatgeek.com

John Bambenek / john.bambenek@fidelissecurity.com

Thanks to Vladimir Kropotov, Fyodor Yarochkin, Kevin Breen and Tim Leedy for their research and contributions to these efforts.
