ACM Winter School NISER, Bhuvaneshwarsmishra/acmws2019/lectures/ma.pdf · 2019-12-17 · Common DNS...
ACM Winter School, NISER, Bhuvaneshwar
Speaker: Gopinath Palaniappan
16th December 2019
Part 1: Malware Analysis
Part 2: DNS & attacks using them
Part 3: Malicious domain Detection
Part 1: Malware Analysis (An Introduction)
Outline
● What is Malware?
● Why Malware?
● Harmful effects of Malware
● Spreading of Malware
● Popular types of Malware
● Popular carriers of Malware
● Stages of Malware Exploit plan
● Malware Creators
● Dimensions of Malware Detection
● Techniques for Malware Analysis & Detection
● Case Study
● Demonstration
What is Malware?
Malware = Malicious Software
● Exploit - software designed to take advantage of a flaw in a computer system, typically for malicious purposes such as installing malware, taking control, stealing data, etc.
● Payload - the part of the exploit that actually performs the intended malicious action, e.g. opening a backdoor, installing keyloggers, stealing or tampering with data, etc.
Why Malware?
● Money
● Fame/Defame
● Destruction
● Cyber warfare
● 3352 malware samples detected per minute, i.e. 434 million in Q1 2019 (Quick Heal)
Harmful effects of Malware
● Hamper availability of a service (DoS/DDoS)
● Compromise privacy (steal data)
● Undesirable results of software
● Financial or Infrastructural loss
● Prank
● Impacts: Health, Banking, Business, Politics, Social Media, etc.
Spreading of Malware
● Websites (links, compromised websites)
● Email (attachments, links)
● Physical media (storage devices)
● Software download (trojan)
● File sharing
Popular types of Malware
● Virus (infects a program)
● Worm (crawls through a network spreading infection)
● Trojan Horse (masquerades/misleads)
● Backdoor (command & control)
● Rootkit (super-user privileges)
● Adware (advertisements)
● Botnets (zombies)
● Ransomware (refuse access by encryption)
● Spyware (keylogging, online behaviour)
● Browser hijacker (crypto-miner)
Popular carriers of Malware
Stages of a Malware Exploit Plan
Malware Creators
Naive Malware Creators
❖ Self conceptualized ideas
Sophisticated Malware Creators
❖ Self conceptualized ideas
❖ Common Vulnerabilities and Exposures (CVE)
➢ Stuxnet attacks on Iran's Natanz nuclear plant - Shell flaw (CVE-2010-2772, CVE-2010-2568) in Windows
➢ WannaCry, Brambul Worm - Server Message Block (SMB) vulnerability (CVE-2017-0143/4/5/6/8)
Dimensions of Malware Detection
Techniques for Malware Analysis & Detection
Signature-based
❖ Detects only similar or re-packaged malware
Static Analysis
❖ Determine the functionalities without executing the software
Dynamic Analysis
❖ Determine the functionalities by executing the software in a restricted environment
Supplementary Techniques
❖ Machine Learning
❖ Natural Language Processing
❖ Data/Text Mining
Techniques for Malware Analysis and Detection
Case Study
● https://coednssecurity.in/pdf/An_Intrusion_using_Malware_and_DDNS.pdf
Demonstration
Online Tools
● https://www.virustotal.com/
● http://www.hybrid-analysis.com
Desktop Tools
● IDA Pro
Part 2: DNS and attacks using them
Outline
● What is DNS?
● How DNS works
● DNS Ecosystem
● Contractual relationships in DNS ecosystem
● Domain Name hierarchy
● Common DNS record types
● Popular Attacks using DNS
○ DNS Amplification Attack
○ DNS Changer
○ DNS Tunneling
What is DNS?
● The Domain Name System (DNS) is one of the vital elements of the Internet. Because of its importance, DNS has been a frequent target of attackers.
How DNS works
DNS Ecosystem
Contractual relationships in DNS Ecosystem
Domain Name hierarchy
Common DNS record types
● A record: IPv4 address. A domain or sub-domain has a single IP, while one IP can have multiple domains pointing to it.
● AAAA record: IPv6 address.
● PTR record: finds a domain name in a reverse lookup when the IP is already known.
● CNAME record: canonical name; forwards a domain or sub-domain to another domain without providing an IP address. These can be used as aliases for domains.
● MX record: mail exchange record that directs mail to an email server.
● TXT record: lets a domain administrator store text notes; commonly used to gauge the trustworthiness of a domain and to verify its ownership.
● NS record: authoritative name servers.
DNS Amplification Attack
DNS Changer
DNS Tunneling
● Tools: dns2tcp, Iodine, OzymanDNS, NSTX, psUDP, DnsCat, TUNS, DNScapy, squeeza, DeNISe, Heyoka
● Mitigation: DNS payload inspection, DNS traffic analysis, host monitoring for tunneling software
[Figure: DNS tunneling path showing the Infected machine, DNS Resolver, Firewall, Attacker's C&C server and Attacker's machine]
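The "DNS traffic analysis" mitigation named above, as an added example that is not part of the lecture: it profiles resolver query logs per registered domain and flags domains whose subdomains are long, never repeat and are fetched with payload-heavy record types. The log format (time, client, qtype, qname), the sample lines, the "last two labels" rule for the registered domain and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed resolver log lines (time, client, qtype, qname); not from the slides or a real capture.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 A www.example.com.
10:00:02 10.0.0.5 A mail.example.com.
10:00:03 10.0.0.7 TXT 3a9f1c0e7b6d4a2f9c8e1b0d7a6f5e4c.t1.exfil-demo.test.
10:00:03 10.0.0.7 TXT 8e1b0d7a6f5e4c3a9f1c0e7b6d4a2f9c.t1.exfil-demo.test.
10:00:04 10.0.0.7 NULL 7b6d4a2f9c8e1b0d7a6f5e4c3a9f1c0e.t1.exfil-demo.test.
10:00:04 10.0.0.7 TXT 5e4c3a9f1c0e7b6d4a2f9c8e1b0d7a6f.t1.exfil-demo.test.
10:00:05 10.0.0.5 AAAA www.example.com.
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)\.$")
BULKY_QTYPES = {"TXT", "NULL", "CNAME"}  # record types that carry large answers

def registered_domain(qname):
    # Demo assumption: last two labels; production code should use the Public Suffix List.
    return ".".join(qname.split(".")[-2:])

def profile_queries(log_text):
    """Per registered domain: query count, distinct subdomains, total subdomain length, bulky-type count."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "sub_len": 0, "bulky": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the analysis
        _time, _client, qtype, qname = m.groups()
        dom = registered_domain(qname)
        sub = qname[: -len(dom)].rstrip(".")
        s = stats[dom]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["sub_len"] += len(sub)
        s["bulky"] += 1 if qtype.upper() in BULKY_QTYPES else 0
    return stats

def suspicious_domains(stats, min_queries=3, min_avg_len=30, min_unique_ratio=0.8):
    """Flag domains with long, non-repeating subdomains fetched via payload-heavy record types."""
    flagged = []
    for dom, s in stats.items():
        if s["queries"] < min_queries:
            continue
        avg_len = s["sub_len"] / s["queries"]
        unique_ratio = len(s["subdomains"]) / s["queries"]
        bulky_ratio = s["bulky"] / s["queries"]
        if avg_len >= min_avg_len and unique_ratio >= min_unique_ratio and bulky_ratio >= 0.5:
            flagged.append(dom)
    return sorted(flagged)
```

Normal browsing to example.com repeats a handful of short labels over A/AAAA queries and is not flagged; the constructed exfil-demo.test traffic is.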
Part 3: Malicious domain detection
Outline
● Common uses of maliciously registered domains
● Approaches to detect malicious domains
● Datasets for research
● Demonstration
Common uses of maliciously registered domains
1. Manipulate users into visiting a webpage similar to a reputed website
2. Data exfiltration
3. Download malware
4. Redirect to other malware hosts
5. Remotely control your network resources
6. Crash infrastructure
Approaches to detect malicious domains
Blacklist
❖ Reputation based on history
Lexical Features
❖ Length
❖ Characters ratio, continuity rate
❖ Phrases
Global ranking
❖ Alexa
❖ Domcop
❖ Majestic
Registration data
❖ RDAP
❖ IPWhois
❖ DomainWhois
Web Traffic
❖ Visitors count
❖ Stay time
❖ Web referrals
Category & Content
❖ Type of website
❖ Number of pages
❖ Broken links
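The blacklist and lexical-feature approaches from this slide (length, character ratios, continuity rate, phrases), as an added example that is not part of the lecture: it computes the features for a registered domain and combines them with a reputation lookup into a verdict. The brand phrase list, the local blacklist, the continuity-rate definition and the thresholds are constructed assumptions, not values from the slides.

```python
import math
import re

# Constructed inputs: a phrase list of reputed brands and a local reputation history.
REPUTED_BRANDS = ("paypal", "microsoft", "netflix")
LOCAL_BLACKLIST = {"free-gift-cards.test"}

def lexical_features(domain):
    """Lexical features of a registered domain's second-level label."""
    sld = domain.lower().rstrip(".").split(".")[0]
    if not sld:
        raise ValueError("empty label")
    n = len(sld)
    digits = sum(c.isdigit() for c in sld)
    vowels = sum(c in "aeiou" for c in sld)
    # Continuity rate (assumed definition): longest run of one character class / length.
    runs = [len(r) for r in re.findall(r"[a-z]+|\d+|[^a-z\d]+", sld)]
    # Shannon entropy in bits; random-looking labels score high, dictionary words low.
    probs = [sld.count(c) / n for c in set(sld)]
    entropy = -sum(p * math.log2(p) for p in probs)
    return {
        "length": n,
        "digit_ratio": digits / n,
        "vowel_ratio": vowels / n,
        "continuity_rate": max(runs) / n,
        "entropy": round(entropy, 3),
        "hyphens": sld.count("-"),
        # a reputed brand embedded in a longer label suggests a lookalike domain
        "brand_phrase": next((b for b in REPUTED_BRANDS if b in sld and sld != b), None),
    }

def score_domain(domain):
    """Blacklist history first, then lexical indicators; thresholds are illustrative."""
    name = domain.lower().rstrip(".")
    if name in LOCAL_BLACKLIST:
        return "malicious (blacklisted)"
    f = lexical_features(name)
    reasons = []
    if f["brand_phrase"]:
        reasons.append(f"embeds brand '{f['brand_phrase']}'")
    if f["length"] >= 20 and f["entropy"] >= 3.5 and f["vowel_ratio"] < 0.25:
        reasons.append("long, high-entropy, vowel-poor label")
    if f["digit_ratio"] >= 0.3 or f["hyphens"] >= 2:
        reasons.append("unusual digit or hyphen density")
    return "suspicious: " + "; ".join(reasons) if reasons else "no lexical indicators"
```

Lexical scores are a triage signal, not proof: they should be combined with the registration, ranking and traffic data from the other columns before a domain is blocked.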
Datasets for research
● Spamhaus DBL
● SURBL
● IANA
● ICANN