Exploiting Redundancy Properties of Malicious Infrastructure for Incident Detection
Exploiting Redundancy Properties of Malicious Infrastructure
John Bambenek, Manager of Threat Systems, Fidelis Cybersecurity
PHDays 6 – Moscow, Russia
© Fidelis Cybersecurity
Intro
• Manager at Fidelis Cybersecurity of a team responsible for automation and data mining of threat information.
• Faculty at University of Illinois – Urbana-Champaign in Computer Science.
• Participate in (and run) many private groups investigating major criminal threats on the internet.
• I generally focus only on criminal threats and avoid nation-state/espionage.
Agenda
• Single Point of Failure vs Redundancy
• Redundancy techniques
• Detection
• Sinkholing
• Increased Fingerprints
• Targeted Intelligence Operations
• Surveillance
• Towards more Effective Disruption
Single Point of Failure vs Redundancy
• Many malware attacks rely on a single method of communication (a single IP, DNS name, Tor node, etc.).
• Easy to set up and maintain, low cost of entry.
• However, there are only two states: up or down.
• Cannot establish a pattern on a single data point.
• Many RATs are single-C2 based.
• Attackers who want to persist need something else.
Single C2 Examples
Example of static C2 config (more on barncat later)
Multi C2 example
Example of static C2 config (more on barncat later)
Redundancy Techniques
• Multiple IPs/hostnames (static lists)
• Use of fast flux / double flux
• DGAs
• Tor/I2P
• Multiple methods
• If done right, uses multiple ISPs/providers
Detection
• If you already know about a threat, you can protect based on a single piece of information.
• For unknown threats, you need to have a pattern, and single data points aren’t a pattern.
• Redundancy helps us by forcing the adversary to create fingerprints we can use to detect otherwise “unknown” threats.
• Allows for data mining, statistical analysis, etc.
Goal
• Goal: Force the adversary into behavior that inherently requires them to create patterns.
• Takedowns are risky because the attacker can adapt back into an “unknown threat”. Patterns, however, tend to persist if you have visibility into their behavior.
Detection
• Double flux networks rely on a massive pool of endpoints and nameservers, so taking down a single IP has no impact on the adversary.

  divewithsharks.hk. 1800 IN A 70.68.187.xxx   [xxx.vf.shawcable.net]
  divewithsharks.hk. 1800 IN A 76.209.81.xxx   [SBIS-AS - AT&T Internet Services]
  divewithsharks.hk. 1800 IN A 85.207.74.xxx   [adsl-ustixxx-74-207-85.bluetone.cz]
  divewithsharks.hk. 1800 IN A 90.144.43.xxx   [d90-144-43-xxx.cust.tele2.fr]
  divewithsharks.hk. 1800 IN A 142.165.41.xxx  [142-165-41-xxx.msjw.hsdb.sasknet.sk.ca]
Detection – Flux networks
• Besides CDNs, very few legitimate DNS answers will have multiple low-TTL A records across geographies and network boundaries (especially in residential IP space).
• Almost no one has low-TTL NS records (very limited use case).
• Can combine with domain/IP reputation or Alexa rank to increase confidence.
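One way to apply the two heuristics from this slide (low-TTL A records spread across networks, low-TTL NS records) to a set of DNS answers. This is an added example, not code from the talk; the record set is constructed using documentation address ranges, and distinct /16 prefixes stand in for the ASN/geography check, which would need a routing or geolocation database.

```python
"""Flux-network heuristic over DNS answer records (added example, not from the talk)."""
from collections import defaultdict
import ipaddress

# Constructed answers in zone-file style, using documentation address ranges.
# The flux pool spreads low-TTL A and NS records over several networks; the
# CDN-like name stays inside one network and the static name has a long TTL.
SAMPLE_ANSWERS = """\
shop-flux.example. 300 IN A 203.0.113.17
shop-flux.example. 300 IN A 198.51.100.9
shop-flux.example. 300 IN A 192.0.2.44
shop-flux.example. 300 IN A 203.0.113.201
shop-flux.example. 300 IN NS ns1.shop-flux.example.
shop-flux.example. 300 IN NS ns2.shop-flux.example.
cdn.example. 60 IN A 192.0.2.1
cdn.example. 60 IN A 192.0.2.2
static.example. 86400 IN A 198.51.100.20
"""

LOW_TTL = 1800  # seconds; the double-flux records on the earlier slide carried TTL 1800


def parse_answers(text):
    """Group (ttl, rdata) by (owner name, rtype) from 'name ttl IN type rdata' lines."""
    records = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN":
            continue  # skip anything that is not a one-line resource record
        name, ttl, _, rtype, rdata = parts
        records[(name.rstrip("."), rtype)].append((int(ttl), rdata))
    return records


def flux_indicators(text, low_ttl=LOW_TTL, min_networks=3):
    """Return {name: [reasons]} for names whose record sets look like a flux pool."""
    findings = defaultdict(list)
    for (name, rtype), rrs in parse_answers(text).items():
        if max(ttl for ttl, _ in rrs) > low_ttl:
            continue  # long-lived records: the low-TTL heuristic does not apply
        if rtype == "A":
            # Distinct /16 prefixes stand in for ASN/geography diversity, which
            # would need an offline routing or geolocation database (assumption).
            nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for _, ip in rrs}
            if len(nets) >= min_networks:
                findings[name].append(f"{len(rrs)} low-TTL A records across {len(nets)} /16 networks")
        elif rtype == "NS" and len(rrs) >= 2:
            # Low-TTL NS sets are rare outside flux nameserver pools (double flux).
            findings[name].append(f"{len(rrs)} low-TTL NS records")
    return dict(findings)
```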
Detection - DGAs
• Pseudorandom domain names (or hostnames), usually many hundreds or thousands generated (potentially per day).
• The attacker only needs to control one of the domains; if it gets suspended, they can just register another to reassert control.
Detection – DGAs (tinba)
  pmlmfbehhunq.com,72.52.4.90,a.ns36.de|b.ns36.de
  pmqeelsxyddk.com,188.120.224.164,ns1.reg.ru|ns2.reg.ru
  pqtcwrrrvgvf.ru,158.58.170.148,a.dnspod.com|b.dnspod.com|c.dnspod.com
  pubejsbumwql.com,72.52.4.90,a.ns36.de|b.ns36.de
  qrwlypygphht.ru,158.58.170.148,a.dnspod.com|b.dnspod.com|c.dnspod.com
• Easy to load known DGA domains into RPZ to block at DNS level.
Detection - DGAs
• Easy to find “unknown” DGAs.
• The biggest obvious network behavior of DGA-enabled malware is a large number of NXDOMAIN responses to queries (most DGAs have a majority of their domains unregistered).
• Look in DNS logs for repetitive queries returning NXDOMAIN or resolving to known sinkholed IPs.
Detection - DGAs
• For non-wordlist DGAs, checking domain names for high entropy finds “random”-looking domains.
• N-gram analysis can also be used to find DGA-like domains.
  • Based on looking at sequences of characters that do not naturally occur in a given language to create a score (essentially anti-patterns).
  • e.g. “QQ” is not a naturally occurring 2-letter combination in English.
  • Based on statistical comparisons of letter combinations in “natural” language and observed domain names, you can draw some conclusions.
Detection - DGAs
• Can be language specific, so care needs to be taken for other languages.
• Using n-grams is not a 100% confidence prospect; other checking needs to be done.
• See “Use of n-Gram models for DGA detection” once published.
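The NXDOMAIN, entropy and anti-pattern n-gram ideas from the last three slides, combined into one check over a constructed resolver log. This is added example code, not from the talk or the author's feeds: the bigram anti-pattern set is illustrative rather than corpus-derived, and the typo-domain line shows why per-label scoring alone is not enough and the client-level NXDOMAIN count is what makes the call.

```python
"""DGA hunting in resolver logs: NXDOMAIN bursts plus lexical scoring (added example)."""
import math
from collections import Counter, defaultdict

# Constructed resolver log, one "<client> <qname> <rcode>" per line. The five
# NXDOMAIN names from 10.0.0.9 are the tinba DGA domains listed on the slide above.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.9 pmlmfbehhunq.com NXDOMAIN
10.0.0.9 pmqeelsxyddk.com NXDOMAIN
10.0.0.9 pqtcwrrrvgvf.ru NXDOMAIN
10.0.0.9 pubejsbumwql.com NXDOMAIN
10.0.0.9 qrwlypygphht.ru NXDOMAIN
10.0.0.9 www.example.com NOERROR
10.0.0.7 typo-of-examle.com NXDOMAIN
"""

# Constructed anti-pattern list: letter pairs English words do not produce.
# A production model would derive n-gram frequencies from a real corpus.
RARE_BIGRAMS = {"qq", "zx", "jq", "xj", "vj", "wx", "fq", "kq", "zq", "jz", "xz", "vk"}

def shannon_entropy(label):
    """Bits per character; random labels score higher than dictionary words."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def anti_patterns(label):
    """Count adjacent pairs English never produces, e.g. 'q' not followed by 'u'."""
    return sum(1 for a, b in zip(label, label[1:])
               if (a == "q" and b != "u") or a + b in RARE_BIGRAMS)

def lexical_score(label):
    """Random-looking score: entropy plus one point per anti-pattern bigram."""
    return shannon_entropy(label) + anti_patterns(label)

def hunt_dga_clients(log_text, min_nx=3, threshold=3.0):
    """Map client -> random-looking NXDOMAIN names for clients with >= min_nx of them."""
    suspects = defaultdict(set)
    for line in log_text.splitlines():
        client, qname, rcode = line.split()
        if rcode != "NXDOMAIN":
            continue
        labels = qname.rstrip(".").split(".")
        label = labels[-2] if len(labels) > 1 else labels[0]  # registrable label (no PSL, assumption)
        if lexical_score(label) >= threshold:  # typos also pass; min_nx filters those out
            suspects[client].add(qname)
    return {c: sorted(n) for c, n in suspects.items() if len(n) >= min_nx}
```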
Sinkholing
• For DGAs, most domains are unregistered.
• If a researcher registers one (or several) of those domains, victims will beacon to them.
• Useful for telemetry data or developing signatures.
• Some adversaries have started creating sinkhole-aware malware.
Other uses of sinkholing
• If you can make victims think you are the C2, you can, to an extent, control the victim.
• May require other data (encryption keys) and mimicking the C2 protocol.
• Some (but not all) malware families have a self-destruct option to uninstall from the victim’s machine.
• This has been done in the past as part of takedowns.
Other uses of sinkholing
• You can also engage in direct control of the victim.
  • A “white hat” hacker recently breached part of an exploit kit network to install Avira instead of the intended malware by replacing the binary.
  • Transient benefit.
• If you do this, please just install Flash/Adobe/Java patches instead.
  • More persistent benefit.
Important Note
• Doing any of the above without legal authority is probably criminal in almost every jurisdiction represented in this room.
• Going to jail is bad, I don’t recommend it.
Targeted Intelligence Operations
• Our biggest difficulty in prosecuting cybercrime is the difficulty in getting information between nations.
• International cooperation is often marred by unrelated foreign policy constraints, sometimes even with private sector actors.
• To make matters worse, given the amount of data and metadata created by computers and networks, there is a huge number of tools available to hide.
Targeted Intelligence Operations
• When the adversary has only a single static C2, your options are limited:
  • Take it down
  • Get a wiretap
• If you take it down and lack other tracking ability, the attacker will just set up their operation elsewhere… and potentially break your visibility into their operations.
Targeted Intelligence Operations
• When an adversary uses redundant C2 methods, a disruption in part of their communications is not critical.
• They may not make wholesale changes.
• The key to a targeted intelligence operation is to have enough impact that the adversary does something, but not so much impact that they disappear and stop operating.
Examples
• During Cryptolocker, they often used the same Chinese registrar (DNSPOD) for their DGA registrations.
• In 2013, Chinese-American cooperation was not great.
• Objectives:
  • I wanted to build a relationship with a Chinese company to deal with obvious abuse.
  • I wanted to see how they would change if that registrar suspended a few domains.
Examples
• Results:
  • For a few days, they kept using DNSPOD.
  • For two weeks, they used a different registrar before going back to DNSPOD.
  • The cycling of registrant accounts led to some good leads available to “western” law enforcement for their investigation.
  • I opened the door to working with other Chinese companies on criminal matters.
Example #2
• I was tracking a criminal service provider who used a “shared hosting” account to manage their infrastructure.
• I paid “a premium” to get an account on the same box to see if I could use poor file system permissions to gather additional intelligence (perfectly legal).
• It didn’t work, but the attacker didn’t know that.
• The attacker was aware of who I am and that I was tracking him, so I subtly let him know I got an account on the same box.
Example #2
• The attacker very quickly moved their C2 operations using a control panel “move” function.
• This also required them to reissue binaries and caused some disruption and a poor “customer experience”.
• Most important, using the “move” function left files behind after they left. This allows for the possibility of a search warrant to obtain that data without the adversary being aware.
More Fingerprints
• The use of redundancy also comes with new fingerprints that can be used to identify adversaries.
• DGAs inherently mean WHOIS artifacts could be used to find and track specific adversaries across all their operations.
Whois Info
• Many actors will use WHOIS protection… some just use fake information.
• “David Bowers” ([email protected]) is common for Bedep.

  $ grep "David Bowers" *.txt | grep Registrant
  whois-bfzflqejohxmq.com.txt:Registrant Name: David Bowers
  whois-demoqmfritwektsd.com.txt:Registrant Name: David Bowers
  whois-eulletnyrxagvokz.com.txt:Registrant Name: David Bowers
  whois-lepnzsiqowk94.com.txt:Registrant Name: David Bowers
  whois-mhqfmrapcgphff4y.com.txt:Registrant Name: David Bowers
  whois-natrhkylqoxjtqt45.com.txt:Registrant Name: David Bowers
David Bowers
  bfzflqejohxmq.com,Domain used by bedep (-4 days to today),2015-08-16
  eulletnyrxagvokz.com,Domain used by bedep (-4 days to today),2015-08-16
  natrhkylqoxjtqt45.com,Domain used by bedep (-4 days to today),2015-08-16
  nrqagzfcsnneozu.com,Domain used by bedep (-4 days to today),2015-08-16
But why stop with just known DGAs? What other domains are associated with “David Bowers”?
David Bowers
• Using DomainTools.com, it’s possible to see all domains registered by a name, email, etc.
• Domains seen associated with Necurs and Angler as well.
• Can also set up registrant alerts on e-mail addresses used to register domains.
David Bowers
Registrant Alert
Fingerprints Example #2
• With a single static C2, the use of SSL could be a one-time cert, or could use a dedicated key or specific certificate details; there is no way to know.
• If there are many redundant C2s, they may re-use some information. For malware that does certificate pinning, they HAVE to use the same cert.
Fingerprints Example #2
  Certificate:
      Data:
          Version: 1 (0x0)
          Serial Number:
              fa:21:6b:2c:8e:6c:35:f6
      Signature Algorithm: sha1WithRSAEncryption
      Issuer: C=EU, ST=Oregon, L=Cincinati, O=Oracle Corporation, OU=Oracle, CN=Oracle Developer/[email protected]
More fingerprints
• Shodan (and other tools) can search for specific SSL certs on internet-facing services.
• Possible to programmatically hunt application stores for malicious certs in applications.
Surveillance
• DNS data can change, IPs can come and go.
• Use adnstools to bulk resolve all DNS indicators on a frequent basis (this is what my DGA feeds are based on).
• C2s can start or stop listening or issuing instructions.
• These changes (and the related metadata) can prove key in an investigation.
Surveillance
• Creation of feeds and intake is still a passive tactic.
• Possible to see C2 changes and notify in near real time to potentially take action on the data.
• This uses the Pushover application (Apple and Google stores), which has a very simple API.
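A change detector over two bulk-resolution snapshots that turns the C2 changes described above into the token/user/message fields the Pushover messages API takes. This is an added example, not the author's tooling: the snapshots are constructed (domains and the 72.52/188.120/158.58 addresses are taken from the tinba slide, 203.0.113.50 is made up), and the credentials are placeholders supplied by the caller.

```python
"""Change detection over bulk C2 resolutions, with a Pushover alert body (added example)."""

# Constructed snapshots "domain -> set of A records" from two successive bulk
# resolution runs (the talk uses adnstools for the resolving). The domains and the
# 72.52/188.120/158.58 addresses come from the tinba slide; 203.0.113.50 is made up.
PREVIOUS = {
    "pmlmfbehhunq.com": {"72.52.4.90"},
    "pmqeelsxyddk.com": {"188.120.224.164"},
    "pubejsbumwql.com": {"72.52.4.90"},
    "qrwlypygphht.ru": set(),  # did not resolve last run (unregistered or NXDOMAIN)
}
CURRENT = {
    "pmlmfbehhunq.com": {"72.52.4.90"},
    "pmqeelsxyddk.com": {"203.0.113.50"},  # moved hosting
    "pubejsbumwql.com": set(),  # stopped resolving: suspended or sinkholed
    "qrwlypygphht.ru": {"158.58.170.148"},  # newly registered and live
}


def diff_resolutions(previous, current):
    """Return (domain, kind, before, after) events for every indicator that changed."""
    events = []
    for domain in sorted(set(previous) | set(current)):
        before, after = previous.get(domain, set()), current.get(domain, set())
        if before == after:
            continue
        if not before:
            kind = "NEW"  # came alive: a fresh DGA registration worth sinkholing or blocking
        elif not after:
            kind = "DOWN"  # stopped resolving
        else:
            kind = "MOVED"  # hosting changed: new metadata for the investigation timeline
        events.append((domain, kind, sorted(before), sorted(after)))
    return events


def pushover_form(events, app_token, user_key, max_lines=5):
    """Build the token/user/message fields the Pushover messages API expects.

    These are the same three fields the curl command on the Pushover slide sends;
    the credentials here are placeholders passed in by the caller.
    """
    lines = [f"{d} {k}: {','.join(b) or '-'} -> {','.join(a) or '-'}"
             for d, k, b, a in events]
    if len(lines) > max_lines:  # push notifications are short; summarise the rest
        lines = lines[:max_lines] + [f"... {len(events) - max_lines} more changes"]
    return {"token": app_token, "user": user_key, "message": "\n".join(lines)}
```

Post the returned dict as form data (for example with urllib.request) to https://api.pushover.net/1/messages.json, which is what the curl command on the Pushover slide does.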
New Matsnu domains registered
Pushover
  # $appkey and $userkey hold the Pushover application token and user key;
  # $message is the alert text built from the detected feed changes.
  curl -s \
    --form-string "token=$appkey" \
    --form-string "user=$userkey" \
    --form-string "message=$message" \
    https://api.pushover.net/1/messages.json
Pairing with other data
• Barncat (the malware config data shown earlier) is a bulk malware config ripping engine that statically extracts config data from malware binaries.
• Includes fields like “campaign ID”, mutex, and C2 information that can be correlated.
More effective disruption
• The “good guys” need to get lucky only once to attribute the adversary. The adversary has to be lucky every time to ensure this doesn’t happen.
• The more they have to do, the harder this becomes.
• All successful prosecutions involve monitoring an adversary over the long term to find the one time they screw up and expose themselves.
• Exploiting redundancy provides the opportunity to make this happen.
Free Resources
• For my DGA feeds, go to http://osint.bambenekconsulting.com/feeds (no authentication needed)
• For static malware configs, go to https://barncat.fidelissecurity.com (email me for access at [email protected])
Questions & Thank You!
Find more of our research at: www.threatgeek.com
John Bambenek / [email protected]
Thanks to Vladimir Kropotov, Fyodor Yarochkin, Kevin Breen and Tim Leedy for their research and contributions to these efforts.