This domain name will self-destruct tomorrow
Slides by frank-denis
OpenDNS
• Open DNS resolvers: 208.67.220.220 & 208.67.222.222
• Can be used to block malware, botnets, phishing.
• Security Graph: DNSDB + reputation systems
</marketing>
Reputation
trust level
IP reputation: just one of the many features used for classification
price(IP) > price(domain) > price(subdomain)
l7099.com q8940.com s5416.com u1105.com v9054.com w1130.com w9148.com x1132.com y1149.com z0338.com z2837.com a0257.com f0390.com h9169.com t7149.com
penispaldevice.com beautifulwebcamsgirls.com
Ransomware
Malvertising
count(items known to be malicious) / (count(full set) + C)
Co-occurrence relation between queries
Useful to extend existing lists
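As an added example (not code from the slides, OpenDNS or Frank Denis) of how the co-occurrence step above can extend an existing list: for every unlabeled domain, collect the other domains that the same clients queried, then score it with the smoothed proportion count(known malicious) / (count(full set) + C). The query log is constructed, the example.net/.org names are placeholders rather than the domains shown on the slides, and the choice of C = 1 as the pseudocount is an assumption.

```python
from collections import Counter, defaultdict

# Constructed sample query log (client IP, queried domain); not real traffic.
QUERY_LOG = [
    ("192.0.2.1", "bad1.example.net"), ("192.0.2.1", "bad2.example.net"), ("192.0.2.1", "cand.example.net"),
    ("192.0.2.2", "bad3.example.net"), ("192.0.2.2", "cand.example.net"), ("192.0.2.2", "news.example.org"),
    ("192.0.2.3", "news.example.org"), ("192.0.2.3", "mail.example.org"),
    ("192.0.2.4", "news.example.org"), ("192.0.2.4", "cand.example.net"), ("192.0.2.4", "bad1.example.net"),
    ("192.0.2.5", "mail.example.org"), ("192.0.2.5", "www.example.com"),
]
# The "existing list": domains already labeled malicious (placeholders).
KNOWN_MALICIOUS = {"bad1.example.net", "bad2.example.net", "bad3.example.net"}


def cooccurrence(query_log):
    """For each domain, count the other domains queried by the same clients.
    Each (client, other domain) pair counts once. Returns {domain: Counter}."""
    domains_by_client = defaultdict(set)
    for client, domain in query_log:
        domains_by_client[client].add(domain)
    cooc = defaultdict(Counter)
    for domains in domains_by_client.values():
        for d in domains:
            for other in domains:
                if other != d:
                    cooc[d][other] += 1
    return cooc


def malicious_ratio(cooc_counts, known_malicious, c=1.0):
    """Smoothed fraction of a domain's co-occurring queries that are already
    known malicious: count(known malicious) / (count(full set) + C).
    C is the constant from the slide; C = 1.0 is an assumed pseudocount."""
    total = sum(cooc_counts.values())
    bad = sum(n for d, n in cooc_counts.items() if d in known_malicious)
    return bad / (total + c)


def score_domains(query_log, known_malicious, c=1.0):
    """Score every domain that is not yet on the list."""
    cooc = cooccurrence(query_log)
    return {d: malicious_ratio(cnt, known_malicious, c)
            for d, cnt in cooc.items() if d not in known_malicious}


def extend_list(query_log, known_malicious, threshold=0.5, c=1.0):
    """Candidates to add to the list: unlabeled domains whose co-occurring
    traffic is mostly known-malicious, best candidate first."""
    scores = score_domains(query_log, known_malicious, c)
    return sorted((d for d, s in scores.items() if s >= threshold),
                  key=lambda d: -scores[d])


if __name__ == "__main__":
    for domain, score in sorted(score_domains(QUERY_LOG, KNOWN_MALICIOUS).items()):
        print(f"{domain:20s} {score:.3f}")
    print("candidates:", extend_list(QUERY_LOG, KNOWN_MALICIOUS))
```

Co-occurrence only says that a domain travels with known-bad traffic; a popular legitimate name (here news.example.org) also picks up some score from infected clients, which is why a threshold and a pseudocount are needed before anything is added to a blocklist.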
What if we didn’t label anything before?
DGA pattern
dwayoq.gkxvxvtoq.biz 06vjbb.eiclpilgp.biz 0vq1ol.egivdjpyb.biz
33qd6r.trdtffxya.biz 3h31h3.ohtnaoani.biz 4trmrj.trdtffxya.biz
5vdckg.ohtnaoani.biz 8i7ugu.eiclpilgp.biz b0tse7.eiclpilgp.biz
bcx5nd.mrelvrobu.biz dckc3d.trdtffxya.biz dlvmsz.eiclpilgp.biz
duf2jj.ohtnaoani.biz htzcni.eiclpilgp.biz hwsotz.ojdomjbri.biz
jf2mkk.aaefpbrwf.biz mqihxp.xyevppjpw.biz nfq70m.huiabgkfh.biz
ow6vt1.ojdomjbri.biz q1kfvx.eiclpilgp.biz qbjp6w.aaefpbrwf.biz
u49zqt.hslrnwqtr.biz v9lpyh.mrelvrobu.biz wn2xci.mpnlnwnbd.biz
x71goh.ohtnaoani.biz ygig8u.trdtffxya.biz 01lt9k.ljabojeag.biz
05w2p4.xjlwqsshk.biz 0c7d7i.ljabojeag.biz 0l3grl.qeqfofqil.biz
0lkvfq.wcjlbyikh.biz 0ln3gs.bucbbqswa.biz 0tg47r.bucbbqswa.biz
163em8.kpoisetkp.biz 1n2rw9.ljabojeag.biz 1njh89.kpoisetkp.biz
1r9a3p.bucbbqswa.biz 23b8fw.xjlwqsshk.biz 2684sc.jpitlicla.biz
2y4hdx.qeqfofqil.biz 34uzo7.jhbleynam.biz 36vgh9.pwrueetru.biz
Not always malicious
Blackhat SEO CDNs
Mobile sites
Fast flux pattern
californiyaslososemk.com
8,855 unique IPs, 564 ASNs, 45 countries over a 5-month period
But a lot of malicious IPs are not part of a fast-flux infrastructure.
Example: DGA-based C&Cs
Another IP reputation system: Dorothy
Because there is no place like 127.0.0.1
Constantly moving to new subdomains, new
domains, new IPs makes malware more resistant to
takedown.
Subdomain rotation is free
Domain rotation happens at regular intervals or
shortly after a domain has been flagged by
some security products.
IP rotation happens as well, but is usually slower
than domain rotation.
Hosting a C&C on a compromised host would
be a terrible idea.
price(IP) > price(domain) > price(subdomain)
An unstable IP: each name resolving to it is seen in only one or two time windows.
Time windows: t-6 t-5 t-4 t-3 t-2 t-1 t
N1 X
N2 X
N3 X
N4 X
N5 X X
N6 X
N7 X
N8 X X
N9 X
X: Ni resolves to this IP and real client queries were observed for this (name, IP, time window) tuple
A stable IP: the same names keep resolving to it across most time windows.
Time windows: t-6 t-5 t-4 t-3 t-2 t-1 t
N1 X X X X X X X
N2 X X X X X X
N3 X X X X X X
N4 X X X X X X X
N5 X X X X X
N6 X X X X X X
N7 X X X X X X
N8 X X X
N9 X X X X
X: Ni resolves to this IP and real client queries were observed for this (name, IP, time window) tuple
IP               Names   Median lifetime (days)   Median client IPs/name/day
92.48.122.132    19993   1.0                      1.0
208.73.211.247   15964   1.0                      10.0
198.27.90.196    244     1.0                      1.0
193.169.86.247   19069   1.0                      1.0
100.2.24.243     135     3.65                     10953.0
A lot of names on a single IP is not necessarily bad.
A lot of names only active for a very short period of time on a single IP looks pretty bad.
count(domains) x (max_lifetime - median_lifetime(domains))
88.208.18.34 -99.99994344508787
66.6.40.14 -99.99991902141797
66.6.40.41 -99.99991881331263
66.6.40.38 -99.99991849346496
66.6.40.40 -99.99991847539887
66.6.40.58 -99.99991843314294
66.6.40.55 -99.99991764598933
92.48.122.132 -99.9999137065818
107.20.206.69 -99.99990925954143
198.52.243.229 -99.99990697303538
181.41.202.249 -99.99990279989224
208.93.0.128 -99.99990129681458
109.123.127.228 -99.99989610061355
208.73.211.247 -99.99989518133837
10.0.15.201 -99.99989386815456
208.73.211.249 -99.99989356270828
208.73.211.230 -99.9998933650058
208.73.211.246 -99.99989335858926
168.63.160.30 -99.99989324720488
75.98.17.61 -99.99988611752897
62.149.128.160 -99.9998744487991
62.149.128.151 -99.99987442160271
62.149.128.154 -99.99987441006259
62.149.128.157 -99.99987419281405
88.208.18.34 -99.99994344508787: DGAs
66.6.40.14 -99.99991902141797: Tumblr
92.48.122.132 -99.9999137065818: Caphaw banking trojan
Immediately followed by:
• Parked domains
• More Caphaw
• Livejournal subdomains
• Malicious redirection service
• Nuclear Exploit kit
• Microsoft CDN (msedge.net)
• Browlock ransomware
• Sinkhole
• Fast flux (Rogue pharmacies)
The same unstable IP, with a stricter definition of an active (name, IP, time window) tuple:
Time windows: t-6 t-5 t-4 t-3 t-2 t-1 t
N1 X
N2 X
N3 X
N4 X
N5 X X
N6 X
N7 X
N8 X X
N9 X
X: Ni resolves to this IP and real client queries were observed for this (name, IP, time window) tuple
New definition of X:
• Ni resolves to this IP
• number of real client queries > (median(number of queries per day) / 4) for this (name, IP, time window) tuple
92.48.122.132 -79.552485207211
Active Cryptolocker domains
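A worked implementation of the stability score, added here as an example; it is not Frank Denis's or OpenDNS's code. It covers both definitions of an active tuple: the plain one (any real client query in the window) and the stricter one (queries above median(queries per day)/4). Assumptions: a name's lifetime is the number of observation windows (days) in which it resolved to the IP and was active; max_lifetime is the length of the observation period; the median used for the query threshold is taken over all (name, IP, day) tuples of the same IP; the observations are constructed; and the function returns the raw product count(domains) x (max_lifetime - median_lifetime), not the normalized values shown in the ranking above.

```python
from collections import defaultdict
from statistics import median

WINDOW_DAYS = 7  # assumed length of the observation period (t-6 .. t); used as max_lifetime


def build_observations():
    """Constructed passive-DNS style observations, not real data:
    (name, ip, day, distinct_client_ips, queries)."""
    obs = [
        # unstable IP: each name lives one or two days; two names are barely queried
        ("a1.example.biz", "203.0.113.10", 0, 1, 40),
        ("a2.example.biz", "203.0.113.10", 1, 1, 35),
        ("a3.example.biz", "203.0.113.10", 2, 2, 50),
        ("a4.example.biz", "203.0.113.10", 3, 1, 30),
        ("a4.example.biz", "203.0.113.10", 4, 1, 28),
        ("a5.example.biz", "203.0.113.10", 5, 1, 45),
        ("a6.example.biz", "203.0.113.10", 6, 1, 1),   # a single stray query
        ("a7.example.biz", "203.0.113.10", 6, 1, 2),   # scanner/sinkhole-like noise
    ]
    # stable IP: three names resolve to it every day with steady traffic (CDN-like)
    for day in range(WINDOW_DAYS):
        for name in ("www.example.com", "cdn.example.com", "static.example.com"):
            obs.append((name, "198.51.100.20", day, 120 + day, 5000))
    return obs


def active_rows(observations, ip, query_threshold=False):
    """(name, day, clients, queries) rows for one IP. With query_threshold=True a row
    only counts when its queries exceed median(queries per day) / 4; the median is
    taken over this IP's rows (an assumption about the slide's definition)."""
    rows = [(n, d, c, q) for (n, i, d, c, q) in observations if i == ip]
    if not query_threshold or not rows:
        return rows
    cutoff = median(q for (_n, _d, _c, q) in rows) / 4
    return [r for r in rows if r[3] > cutoff]


def ip_profile(observations, ip, max_lifetime=WINDOW_DAYS, query_threshold=False):
    """Per-IP statistics from the slides plus the stability score
    count(domains) * (max_lifetime - median_lifetime(domains)). Higher = less stable."""
    rows = active_rows(observations, ip, query_threshold)
    if not rows:
        return {"names": 0, "median_lifetime": 0, "median_clients_per_name_day": 0, "score": 0}
    days_per_name = defaultdict(set)
    clients = []
    for name, day, n_clients, _queries in rows:
        days_per_name[name].add(day)
        clients.append(n_clients)
    lifetimes = [len(days) for days in days_per_name.values()]  # lifetime = active days
    med_lifetime = median(lifetimes)
    return {
        "names": len(days_per_name),
        "median_lifetime": med_lifetime,
        "median_clients_per_name_day": median(clients),
        "score": len(days_per_name) * (max_lifetime - med_lifetime),
    }


def rank_ips(observations, max_lifetime=WINDOW_DAYS, query_threshold=False):
    """IPs ordered from least to most stable (highest score first)."""
    ips = sorted({i for (_n, i, _d, _c, _q) in observations})
    scored = [(ip, ip_profile(observations, ip, max_lifetime, query_threshold)["score"])
              for ip in ips]
    return sorted(scored, key=lambda t: -t[1])


if __name__ == "__main__":
    obs = build_observations()
    for threshold in (False, True):
        print("query threshold applied:", threshold)
        for ip, score in rank_ips(obs, query_threshold=threshold):
            print(" ", ip, score, ip_profile(obs, ip, query_threshold=threshold))
```

With the plain definition the throwaway IP scores 7 names x (7 - 1) = 42 while the CDN-like IP scores 0; with the query threshold the two barely-queried names drop out and the score falls to 30, the same direction as the drop from -99.9999 to -79.55 for 92.48.122.132 above: noise names are removed, but the IP still ranks as unstable because its remaining names are short-lived.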
Dorothy
• A simple IP reputation model, reflecting the stability of an IP address.
• Not a replacement for your current models, but another feature worth considering to help researchers to spot C&Cs, hosts serving exploit kits and massive spam campaigns.
Thanks!
• This is slide #42
• OpenDNS: http://opendns.com
• Umbrella Security Labs: http://labs.umbrella.com
• Github/Twitter/Flickr: @jedisct1