Why Botnet Takedowns Never Work, Unless It’s a SmackDown! - Brian Foster, CTO Damballa

Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!


Description

Why Botnet Takedowns Never Work, Unless It’s a SmackDown! If organizations are truly working to limit Internet abuse and protect end users, we need to take a more thoughtful approach to botnet takedowns, or once again bots will rear their ugly heads. There are three main causes of ineffective takedowns: the organizations performing botnet takedowns do so in a haphazard manner; the organizations do not account for secondary communication methods, such as peer-to-peer or domain generation algorithms (DGAs), that may be used by the malware; and the takedowns do not result in the arrest of the malware actor. So what does a successful botnet takedown actually look like? In his presentation on Botnet SmackDowns, Brian Foster, CTO of Damballa, will share with attendees how to effectively take down botnets for good. The only way botnet takedowns will have a lasting impact on end user safety is if security researchers use a comprehensive and systematic process that renders the botnet inoperable.


Page 1: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!

Why Botnet Takedowns Never Work, Unless It’s a SmackDown!

-Brian Foster, CTO Damballa


Page 2

The Old Security Stack

Prevention | Detection | Response | Forensics
ATTACK | INFECTION | DAMAGE
INFECTION RISK | BUSINESS RISK

Firewall
IDS/IPS
Web Security
Email Security
Sandboxing
Host AV/IPS/FW

Resource intensive, inefficient manual investigation efforts.
“Is this alert real or a false positive?”

ALERT & LOGS
SOC
SIEM (Single Pane of Glass)

Page 3

The New Security Stack

Prevention | Detection | Response | Forensics
ATTACK | INFECTION | DAMAGE
INFECTION RISK | BUSINESS RISK

NGFW
Endpoint Containment
Sandboxing
Email Gateway

ALERT & LOGS
SOC
SIEM (Single Pane of Glass)

LEGACY: Host AV/IPS/FW

Damballa fills the security gap between failed prevention and your incident response.

Page 4

Productizing Research

Page 5

Predictive Security Analytics Platform
Case Analyzer Platform

Connection
Query
• Indicators of Compromise
• Threat Actors / Intent

File
Request
• Zero Day Files
• Suspicious HTTP Content

Domain Fluxing
Automation
Execution
Peer-To-Peer
• Automated Malicious Activity
• Observed Evasion Tactics

Data Transferred, PCAPs, Communication Success, Malicious File Availability, Sequence of Events, Importance of Endpoint, Malware Family, Intent, Severity, AV Coverage

Damage Potential
• Observed Activity
• Device Properties
• Threat Sophistication
• Threat Intent

9 Risk Profilers: Prioritized Risk of Confirmed Infections
8 Detection Engines: Rapid Discovery & Validation of Infections

Page 6

Network Data


Page 7

Network Data


Numbers: 30 Billion per day; 8 Trillion per year.
DNS Records. Sources: ISPs, Telcos, Enterprises.

Page 8

Network Data

Numbers: 100 Thousand per day; 36.5 Million per year.
Malware samples. Sources: Enterprises; industry sharing/feeds.

Page 9

Supervised Learning

Plot axes: Y-axis – total malware samples looking up the domain; X-axis – total blacklisted domains on BGP prefix.

Page 10


Page 11


Page 12

Unsupervised Learning

Plot axes: Y-axis – n-grams; X-axis – entropy.
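As an added illustration of the two axes on this slide (not code from the deck or from Damballa), the following Python computes character entropy and a bigram score for a set of constructed hostname labels and groups them with plain 2-means, so no labelled data is used. The labels, which imitate the generated-looking hostnames shown earlier in the deck, and the benign reference vocabulary are both made up for the example.

```python
import math
from collections import Counter

# Constructed sample labels (not data from the deck): the first five mimic the
# algorithmically generated hostnames on the "Network Data" slide, the rest are
# ordinary dictionary-style labels.
LABELS = ["qrl89y666z", "p5ctnvqyd3", "5opskttv3y", "0zd2bwqqyu", "zkycgbn8es",
          "google", "facebook", "wikipedia", "microsoft", "youtube"]

# Constructed vocabulary standing in for a corpus of known-benign labels.
REFERENCE = ["good", "blog", "single", "people", "web", "face", "book", "wiki",
             "encyclopedia", "dip", "micro", "across", "software", "soft", "you",
             "tube", "outer"]

def bigrams(s):
    return [s[i:i + 2] for i in range(len(s) - 1)]

KNOWN = {b for w in REFERENCE for b in bigrams(w)}

def shannon_entropy(s):
    """Character entropy in bits; a random label approaches log2(len(s))."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def ngram_score(s):
    """Fraction of the label's bigrams seen in the benign vocabulary."""
    bg = bigrams(s)
    return sum(b in KNOWN for b in bg) / len(bg)

def features(s):
    return (shannon_entropy(s), ngram_score(s))  # (X-axis, Y-axis) of the slide

def cluster_labels(labels=LABELS, max_iter=20):
    """2-means on (entropy, n-gram score): unsupervised, no labelled data."""
    pts = {s: features(s) for s in labels}
    # seed the two centroids with the most distant pair of points
    a, b = max(((x, y) for x in labels for y in labels if x < y),
               key=lambda p: math.dist(pts[p[0]], pts[p[1]]))
    cent = [pts[a], pts[b]]
    assign = {}
    for _ in range(max_iter):
        new = {s: min((0, 1), key=lambda k: math.dist(pts[s], cent[k])) for s in labels}
        if new == assign:
            break
        assign = new
        for k in (0, 1):
            members = [pts[s] for s in labels if assign[s] == k]
            if members:
                cent[k] = tuple(sum(v) / len(members) for v in zip(*members))
    return assign
```

With these inputs the five generated-looking labels land in one cluster (high entropy, almost no known bigrams) and the dictionary labels in the other.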

Page 13


Page 14

Domain Name Reputation

• message-tvit.com – 172.16.32.193
• artizondigital.com – 10.10.9.1
• ubibar.ubi.com – 192.168.7.4
• www.benjaminsparkmemorialchapel.ca – 172.16.1.45
• player-update.info – 10.1.3.156
• king-orbit.com – 192.168.24.19

Page 15

Domain Name Reputation

• message-tvit.com – .08
• artizondigital.com – .87
• ubibar.ubi.com – .93
• www.benjaminsparkmemorialchapel.ca – .78
• player-update.info – .05
• king-orbit.com – .12

Page 16

Notos

Page 17

Zone Based Clusters


2nd Level Clustering Split Due to Zone Properties

[A]: ns6.b0e.ru 218.75.144.6


[B]: e752.p.akamaiedge.net 72.247.179.52


Page 18

RZA - Motivation

• Takedowns are: ad-hoc, of arguable success, performed without oversight
• System goal: add rhyme/reason to takedowns
– evaluate previous takedown attempts, and
– recommend and inform on/for future takedowns

Page 19

RZA - Datasets

• Large passive DNS (pDNS) database
– pDNS stores historic assignments between IPs and domains
– ~3 years of visibility
• Implements RHDN/RHIP operations
• Source: major NA ISP, other customers
• Data also in Hadoop for large-scale processing
• Malware MD5 <-> domain name mapping

Page 20

RZA - Overview

Inputs: Domains, pDNS, Malware DB, MD5s

RZA pipeline:
1. Infrastructure Enumeration -> Enumerated Domains
2. Domain Reputation -> Low Reputation Domains
3. Domain & MD5 Association -> Malware-related Domains
4. Malware Interrogation -> Interrogated Domains
5a. Postmortem Report
5b. Takedown Recommendation

Domain sets (Malware Backup Plan):
Dm: malware-related domains
De: enumerated domains
Dr: low reputation domains
Ds: seed domains
Di: malware interrogation domains

Page 21

RZA – Malware Interrogation

• Manipulate fundamental protocol packets to convince malware its primary network asset is unavailable
– DNS and TCP
– Easy to add additional protocols
• If malware is presented with unavailable infrastructure, it:
– Retries hardcoded IPs/domains,
– Tries to reach a finite set of IPs/domains, or
– Tries to reach an infinite set of IPs/domains (DGA/P2P)

Page 22

Page 23

Page 24

Page 25

Page 26

Page 27

RZA – Malware Interrogation

• Game malware to present primary infrastructure failure
• DNS/TCP packet manipulation (NXDomain/TCP RST)
• Automatically determine backup behaviors

Diagram: VM1/G1, VM2/G2, ..., VMn/Gn, VM0/Gnull, Host, Internet

Page 28

RZA – Malware Interrogation

• Simple heuristics to determine malware behavior
• Fake domain-level and IP-level takedowns
– Forge all non-white DNS responses -> NXDomain (whitelist: Alexa top 10K)
– Forge all non-white TCP connections -> TCP reset (whitelist: IPs derived from Alexa top 10K)
• Five analysis scenarios:
– Vanilla run
– DNS whitelist for time t
– DNS whitelist for time 2t
– IP whitelist for time t
– IP whitelist for time 2t

Page 29

RZA – Takedown Recommendation

Flow: Enumerate Infrastructure (Input: {Ds}) -> Interrogate Malware (Input: {De U Di}) -> Classify Malware Behavior

Outcomes: No Behavioral Changes; Finite Domains/IPs; DGA; P2P

Actions:
– 1.) Revoke D
– 1.) Reverse engineer DGA 2.) TLD cooperation 3.) Revoke D
– 1.) Counter P2P 2.) Revoke D
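An added example (not RZA's code) of the classification step above: it takes constructed interrogation traces for the five scenarios on the previous slide and applies a simple heuristic, which is my assumption rather than the deck's exact rule, to label the backup behaviour and look up the matching action list. Mapping both "No Behavioral Changes" and "Finite Domains/IPs" to "Revoke D" is my reading of the flowchart; hostnames use the reserved .invalid TLD and peers come from the 192.0.2.0/24 documentation range.

```python
# Constructed interrogation traces (not data from the deck). For each of the
# five scenarios on the previous slide, the distinct DNS names and TCP peers a
# sample tried; names use the reserved .invalid TLD, peers come from 192.0.2.0/24.
def run(dns=(), tcp=()):
    return {"dns": set(dns), "tcp": set(tcp)}

def gen(prefix, n):  # stand-in for algorithmically generated backup names
    return {f"{prefix}{i:03d}.sample.invalid" for i in range(n)}

def peers(n):  # stand-in for peers learned from a P2P overlay
    return {f"192.0.2.{i}" for i in range(1, n + 1)}

PRIMARY = run({"c2.sample.invalid"}, {"192.0.2.10"})
TRACES = {
    "hardcoded": {"vanilla": PRIMARY, "dns_t": run({"c2.sample.invalid"}),
                  "dns_2t": run({"c2.sample.invalid"}),
                  "ip_t": run(tcp={"192.0.2.10"}), "ip_2t": run(tcp={"192.0.2.10"})},
    "finite": {"vanilla": PRIMARY, "dns_t": run(gen("bak", 3)), "dns_2t": run(gen("bak", 3)),
               "ip_t": run(tcp={"192.0.2.10"}), "ip_2t": run(tcp={"192.0.2.10"})},
    "dga": {"vanilla": PRIMARY, "dns_t": run(gen("dga", 20)), "dns_2t": run(gen("dga", 40)),
            "ip_t": run(tcp={"192.0.2.10"}), "ip_2t": run(tcp={"192.0.2.10"})},
    "p2p": {"vanilla": PRIMARY, "dns_t": run({"c2.sample.invalid"}),
            "dns_2t": run({"c2.sample.invalid"}),
            "ip_t": run(tcp=peers(15)), "ip_2t": run(tcp=peers(30))},
}

# Decision leaves of the "Takedown Recommendation" slide; mapping the first two
# outcomes to "Revoke D" is my reading of the flowchart, not stated on the slide.
RECOMMENDATION = {
    "NO_CHANGE": ["Revoke D"],
    "FINITE": ["Revoke D"],
    "DGA": ["Reverse engineer DGA", "TLD cooperation", "Revoke D"],
    "P2P": ["Counter P2P", "Revoke D"],
}

def classify(trace, min_new=10, growth=1.5):
    """Heuristic (my assumption, not RZA's exact rule): count infrastructure the
    sample reached for only once its primary was faked away; a set that keeps
    growing between t and 2t is treated as unbounded (DGA over DNS, P2P over IP)."""
    base_dns, base_tcp = trace["vanilla"]["dns"], trace["vanilla"]["tcp"]
    new_dns = [len(trace[s]["dns"] - base_dns) for s in ("dns_t", "dns_2t")]
    new_tcp = [len(trace[s]["tcp"] - base_tcp) for s in ("ip_t", "ip_2t")]
    if new_dns[1] >= min_new and new_dns[1] >= growth * new_dns[0]:
        return "DGA"
    if new_tcp[1] >= min_new and new_tcp[1] >= growth * new_tcp[0]:
        return "P2P"
    if max(new_dns + new_tcp) == 0:
        return "NO_CHANGE"
    return "FINITE"

def recommend(trace):
    return RECOMMENDATION[classify(trace)]
```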

Page 30

Target Which Sets?

Dm: malware-related domains
De: enumerated domains
Dr: low reputation domains
Ds: seed domains
Di: malware interrogation domains

Page 31

RZA – Studies

• Postmortem study: analysis of Kelihos, ZeuS, and 3322.org/Nitol takedowns
– Use lookup volume to show activity to infrastructure
• Takedown study: analysis of 45 active botnet C&Cs
– Can we take them down?

Page 32

Postmortem: Kelihos

Page 33

Postmortem: Zeus

Page 34

Postmortem: 3322.org/Nitol

Page 35

RZA – Takedown Study

• Of the 45 botnets:
– 2 had DGA-based backup mechanism
– 1 had P2P-based backup mechanism
– 42 susceptible to DNS-only takedown

Page 36

Policy Discussion

• Current drawbacks to takedowns
– Ad-hoc
– Little oversight
– Arguable success
• All point to need for central authority
– ICANN’s UDRP/URS as example frameworks
• Criteria for takedown
• More eyes = more successes
• Test with new TLDs (much like w/ URS)

Page 37

Thank you

[email protected]
(310) 514-7485