A New Look at Fast Flux Proxy Networks
@DhiaLite @unixfreaxjp
December 5th, 2014
Outline
• Introduction
• Crimeware ecosystem
• Fast flux networks
• Detection methods
• Zeus CnC domains
• Zbot CnCs usage by various malware
• Abused TLDs and registrars
• Bots distribution
• Infected client IPs distribution
• Zbot domains and malware samples
• Kelihos update
• CnC domains and proxy network IPs
OpenDNS' Network Map (figure: DNS traffic flows from stub clients to recursive name servers to authoritative name servers: root, tld, domain.tld)
Crimeware Ecosystem
Fast Flux Networks
• DNS-based redundancy/evasion technique
• Fast flux domain resolves to many IPs, many ASNs, many CCs, relatively low TTL
• Fast flux domain resolves to 1 IP with TTL=0
• Ex: Trojan CnCs, spam, scam, pharmacy, dating domains
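The two fast flux shapes listed above (many IPs/ASNs/CCs with a low TTL, or a single IP with TTL=0 that changes between lookups) can be scored from resolution history. The example below is added here and is not code from the talk; the stream records, thresholds and the ASN/CC values are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of authoritative DNS stream entries (not from the deck):
# (domain, ip, asn, cc, ttl). Each tuple is one observed answer over time.
STREAM_SAMPLE = [
    ("ff-example.test", "198.51.100.10", 64501, "UA", 150),
    ("ff-example.test", "198.51.100.20", 64502, "RU", 150),
    ("ff-example.test", "203.0.113.5",   64503, "KZ", 150),
    ("ff-example.test", "203.0.113.77",  64504, "TR", 150),
    ("single-ff.test",  "192.0.2.9",     64505, "US", 0),     # one IP per answer,
    ("single-ff.test",  "192.0.2.10",    64506, "JP", 0),     # TTL=0, IP rotates
    ("cdn-like.test",   "192.0.2.50",    64510, "US", 300),   # low TTL, one ASN
    ("cdn-like.test",   "192.0.2.51",    64510, "US", 300),
    ("static.test",     "192.0.2.100",   64511, "US", 86400),
]

@dataclass
class DomainProfile:
    ips: set = field(default_factory=set)
    asns: set = field(default_factory=set)
    ccs: set = field(default_factory=set)
    ttls: set = field(default_factory=set)

def build_profiles(stream):
    """Aggregate every answer seen for a domain into one profile."""
    profiles = defaultdict(DomainProfile)
    for domain, ip, asn, cc, ttl in stream:
        p = profiles[domain]
        p.ips.add(ip); p.asns.add(asn); p.ccs.add(cc); p.ttls.add(ttl)
    return profiles

def classify(profile, min_ips=3, min_asns=3, max_ttl=300):
    """Return 'fast-flux', 'single-ip-flux' or 'normal' (thresholds are assumptions)."""
    low_ttl = min(profile.ttls) <= max_ttl
    if low_ttl and len(profile.ips) >= min_ips and len(profile.asns) >= min_asns:
        return "fast-flux"            # many IPs across many ASNs, short TTL
    if min(profile.ttls) == 0 and len(profile.ips) > 1:
        return "single-ip-flux"       # Kelihos-style: TTL=0, one IP per answer
    return "normal"

def classify_stream(stream):
    return {d: classify(p) for d, p in build_profiles(stream).items()}
```

The ASN diversity check is what keeps a low-TTL CDN-style domain out of the fast-flux bucket.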
Authoritative DNS Stream
Fields: ASN, Domain, 2LD, IP, NS_IP, Timestamp, TTL, type
• 100s – 1000s entries/sec (from subset of resolvers)
• Need to implement own filters, detection heuristics
• Faster than DNSDB on Hadoop
Detection with DNS stream
• Seed of known Zbot CnCs
• Harvest IPs and add them to pool of Zbot IPs
• Extract domains with IP or NS_IP in Zbot IP pool with TTL=150
• Add new Zbot CnCs to seed

Zbot CnCs detection method
(1) Initial list of zbot fast flux domains
(2) Get IP, TTL via direct lookup into DNSDB
(3) Extract IPs s.t. TTL=150
(4) Get domains from IPs via inverse lookup
(5) Add domains from (4) to list (1)
(6) Extract IPs s.t. TTL=150
(7) Add IPs from (6) to list of zbot proxy network IPs
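The seed-expansion loop above (harvest IPs and NS_IPs at TTL=150, pull in every domain served from the pool, repeat) written out over an in-memory copy of the stream; this is an added example, not the talk's own code, and the records, domain names and IPs are constructed. The DNSDB lookups of steps (2) and (4) are replaced by scans of the local record list.

```python
ZBOT_TTL = 150  # TTL the deck reports for zbot CnC and name server domains

# Constructed authoritative DNS stream records (not from the deck):
# (domain, ip, ns_ip, ttl)
DNS_RECORDS = [
    ("seed-cnc.test",    "198.51.100.1",  "198.51.100.50", 150),
    ("seed-cnc.test",    "198.51.100.2",  "198.51.100.51", 150),
    ("other-cnc.test",   "198.51.100.2",  "203.0.113.9",   150),   # shares an A IP with the seed
    ("ns-flux.test",     "203.0.113.40",  "198.51.100.50", 150),   # shares an NS_IP with the seed
    ("third-hop.test",   "203.0.113.40",  "203.0.113.41",  150),   # reachable only via ns-flux
    ("shared-host.test", "198.51.100.2",  "192.0.2.5",     3600),  # same IP, wrong TTL: ignored
    ("benign.test",      "192.0.2.1",     "192.0.2.2",     300),
]

def harvest_ips(domains, stream, ttl):
    """Step (3)/(6): IPs and NS_IPs served for known domains at the zbot TTL."""
    pool = set()
    for d, ip, ns_ip, t in stream:
        if d in domains and t == ttl:
            pool.add(ip)
            pool.add(ns_ip)
    return pool

def domains_from_pool(pool, stream, ttl):
    """Step (4): domains whose A or NS IP sits in the pool at the zbot TTL."""
    return {d for d, ip, ns_ip, t in stream
            if t == ttl and (ip in pool or ns_ip in pool)}

def expand(seed_domains, stream, ttl=ZBOT_TTL, max_rounds=10):
    """Iterate steps (2)-(7) until no new CnC domain is found.

    Returns (cnc_domains, proxy_network_ips)."""
    domains = set(seed_domains)
    pool = set()
    for _ in range(max_rounds):
        pool |= harvest_ips(domains, stream, ttl)
        new = domains_from_pool(pool, stream, ttl) - domains
        if not new:
            break
        domains |= new          # step (5): feed new CnCs back into the seed list
    return domains, pool
```

The TTL filter is what stops a legitimately shared hosting IP (shared-host.test) from dragging unrelated domains into the CnC list.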
Fast Flux Proxy Networks (ex: Zbot) (figure: CnCs and targets; Kelihos TTL = 0, Zbot TTL = 150)
Zeus Crimeware (1/2) (figure labels: Zeus builder, configuration file, web injects, binary file)
Zeus Crimeware (2/2) (figure label: control panel)
Zeus Timeline (figure)
Zeus CnCs (figure labels: compromised sites, bulletproof hosting, fast flux botnet)
Zeus CnC URLs (figure labels: configuration files, binary files, drop zones)
Domain-IP over time visualization (figure)
• We have graph data with detection methods
• We create the graph with SemanticNet
• Load in Graphiti and apply force directed layout
• Build event timeline
• Visualize over time
Malware using the CnC domains (figure labels)
• Zeus: config URLs, binary URLs, drop zone URLs
• Citadel
• KINS & Ice IX
• Asprox Zemot/Rerdom
• Phishing
• Ursnif
• Madness Pro
• Pony panel
• newGOZ
• Tiny Banker
(chart series: Zeus urls, Citadel urls, KINS & Ice IX urls, Phishing)
Asprox/Zemot/Rerdom
• Asprox payload from malicious email attachment
• Phone to Asprox CnC
• Get Asprox update, Zemot payload with embedded Zemot domains
• Serves Rovnix bootkit, Rerdom -> click fraud activity
• Threat Report: Behind a Malware Lifecycle and Infection Chain, Linking Asprox, Zemot, Rovix and Rerdom Malware Families, by Damballa
Asprox (1)
Asprox (2)
ET rules for Zemot/Asprox
• ET TROJAN Win32/Zemot Checkin
• ET TROJAN Win32/Zemot URI Struct
• ETPRO TROJAN Win32/Zemot User-Agent
• ET TROJAN Win32/Zemot Requesting PE
• ET TROJAN Win32/Zemot Config Download
• ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon
• ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement
• ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon
Madness Pro
• Madness Pro (DDoS bot) phoning home to netom.in: GET /1/?uid=17428742&ver=1.14&mk=bb3b62&os=WinXP&rs=adm&c=1&rq=0
• Several OS versions occur in the os= parameter: os=S2000, os=Win07, os=Win_V, os=WinXP, os=Win08
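A proxy-log check for the beacon shape shown above, keyed on the fixed parameter set and the OS values the deck lists. This is an added example, not code from the talk; the log lines are constructed, and treating any "/N/" path (not only "/1/") as the beacon path is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines (not from the deck): "host method path".
# The first line reproduces the beacon format quoted in the slide.
SAMPLE_REQUESTS = [
    "netom.in GET /1/?uid=17428742&ver=1.14&mk=bb3b62&os=WinXP&rs=adm&c=1&rq=0",
    "example.test GET /1/?uid=5&ver=1.14&mk=aa11&os=Win07&rs=usr&c=1&rq=0",
    "example.test GET /index.php?uid=17&page=1",                       # unrelated
    "example.test GET /1/?uid=9&ver=1.14&mk=c0ffee&os=Linux&rs=adm&c=1&rq=0",  # os not in set
]

REQUIRED_PARAMS = {"uid", "ver", "mk", "os", "rs", "c", "rq"}
KNOWN_OS = {"S2000", "Win07", "Win_V", "WinXP", "Win08"}   # values seen in the deck
BEACON_PATH = re.compile(r"/\d+/")                          # "/1/" style path (assumption)

def is_madness_beacon(line):
    """True when a log line matches the Madness Pro check-in structure."""
    host, method, path = line.split(" ", 2)
    if method != "GET":
        return False
    url = urlsplit(path)
    if not BEACON_PATH.fullmatch(url.path):
        return False
    params = parse_qs(url.query)
    if set(params) != REQUIRED_PARAMS:      # exact parameter set, no extras
        return False
    return params["uid"][0].isdigit() and params["os"][0] in KNOWN_OS

def flag_beacons(lines):
    """Hosts contacted by requests that look like Madness Pro beacons."""
    return [line.split(" ", 1)[0] for line in lines if is_madness_beacon(line)]
```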
New GameOver Zeus (newGOZ)
• Operation Tovar: takedown of oldGOZ
• newGOZ emerged in July 2014
• Abandoned P2P and resorted initially to hosting CnCs on the zbot fast flux proxy network
• 230+ IPs from the proxy network used for newGOZ
• http://garwarner.blogspot.com/2014/07/new-gameover-zeus-variant-uses-fastflux.html
• http://labs.opendns.com/2014/07/11/gameover-zeus-switches-p2p-dga/
• http://labs.opendns.com/2014/09/18/zeus-gameover/
TinyBanker (Tinba)
• Tinba was born months after the ZeuS source code leak in 2011
• The group started using the Blackhole EK for delivery and in 2014 moved to Angler EK and Rig EK, adding 64-bit code
• Analysis of Tinba's source code in early 2012 showed that many functions/modules are copied line by line from the leaked Zeus code
• The group running the Tinba campaign was based in Russia and had no connection with the ZeuS group
TinyBanker (Tinba)
• Ties to suspicious web hosting, pornography, a possible money mule network including exploit kits, ZeuS CnC servers, fake AV, SpyEye C&C, fraud pages
• TrendMicro report: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf
TinyBanker (Tinba)
• 44 Tinba DGA domains hosted on the zbot FF proxy network
• 7 live domains
• 900+ IPs from the proxy network hosting Tinba CnCs
• 470 live IPs hosting Tinba CnCs
• Taking a sample of 70 fingerprinted IPs, 75% are running Windows
Proxy IPs hosting Tinba CnCs (figure)
TinyBanker (Tinba) SHA1
Misc
• Downloading binaries and configs:
  azg.su, GET /coivze7aip/modules/bot.exe
  tundra-tennes.com, GET /infodata/soft32.dll
  tundra-tennes.com, GET /info-data/soft32.dll
  bee-pass.com, GET /info/soft32.dll
  quarante-ml.com, GET /nivoslider/jquery/
  quarante-ml.com, GET /nivoslider98.45/ajax/
  quarante-ml.com, GET /nivoslider98.45/jquery/
  tundra-tennes.com, GET /nivoslider/ajax/
Pony Panel (marmedladkos.com)
Pony Panel
• Pony 1.9 leaked on Trojan Forge in late 2012
• Info stealer
• Win32/Fareit
• Payload delivered via: drive-by/exploit kit, attachment in spam emails
Pony Panel
• p/Panel.zip: controlling PHP scripts
• includes/design/images/modules/*: images for each Zeus plugin supported/tracked
• includes/password_modules.php: contains an array with all software it tries to steal credentials for
• includes/database.php: contains the DB schema and accessors
• Character set cp1251 used everywhere
• MySQL storage engine is MyISAM
• config.php: date_default_timezone_set('Europe/Moscow')
Pony Panel: Google search of distinctive key terms (figure)
Top Abused TLDs (chart; sample of 2180+ zbot CnC domains)
Top Abused registrars (chart; a sample of 1230 CnC domains)
Zbot proxy IPs geo distribution
• Sample of 18,000+ recent IPs from the zbot proxy network
• 691 ASNs
• 71 countries (Ukraine, Russia, Kazakhstan, Turkey, US, etc.)
• 7600+ currently live ones
Zbot CnCs clients geo distribution
• 2+ million DNS lookups to CnCs over 24 hours
• 10000+ unique client IPs
• 151 countries
CnC domains vs nameservers
• CnC domains resolve to 12 IPs with TTL=150
• Name server domains resolve to 6 IPs with TTL=150
• 610 domains used as name servers
• 11750 IPs hosting name servers
• Double flux: both CnC domains and their name servers flux IPs from the proxy network
CnC domains and related samples
• Sample of 337 zbot CnC domains
• 208 different samples (SHA256s that communicated with the CnCs)
• Top recorded sample names: Trojan[Spy]/Win32.Zbot, TrojanDownloader:Win32/Upatre
• Upatre is used as a downloader for Zeus GameOver
• Sent as attachment in spam emails delivered by the Cutwail botnet
Kelihos update (Dec 2014)
• 23 recorded domains at the moment, 22 live ones
• Still fast flux with a single IP, TTL=0
• 2600+ hosting IPs
• 221 ASNs
• 44 countries (Ukraine, US, Japan, Eastern bloc)
• 370+ live IPs
• Taking a sample of 71 fingerprinted IPs, 50% are running Windows
Kelihos bots top ASNs
• KSNET-AS Kyivstar PJSC, UA
• VOLIA-AS Kyivski Telekomunikatsiyni Merezhi LLC, UA
• CHARTER-NET-HKY-NC - Charter Communications, US
• CONTENT DELIVERY NETWORK LTD, UA
• PRIVATE JOINT STOCK COMPANY "DATAGROUP", UA
• Time Warner Cable Internet LLC, US
• MTSBY-AS Mobile TeleSystems JLLC, BY
• BHN-TAMPA - BRIGHT HOUSE NETWORKS, LLC, US
• Moldtelecom SA, MD
• Lanet Network Ltd., UA
• Freenet Ltd., UA
• Saimanet Telecomunications, KG
Kelihos bots geo distribution (figure)
Kelihos clients geo distribution
• Clients looking up the 23 recorded domains at the moment
• 7100+ DNS lookups over 24 hours
• 278 unique client IPs
• 45 countries
Conclusion
• The zbot fast flux proxy network is very versatile
• Multi-purpose based on clients' needs
• CnCs for Zeus, Citadel, Ice IX, KINS, Asprox, Madness Pro, Tiny Banker, phishing, Pony panel
• Serves all types of Zeus URLs: config, binary and drop zones
• .ru, .su, .com most abused TLDs
• Bots concentrated in Russia, Ukraine
• Targeted victims concentrated in the US
• Kelihos is still alive despite last year's dissection and disclosure
• What more can we do?
Acknowledgements
• Hendrik Adrian
• Friend from MalwareMustDie group
• Friends from BitDefender
• Friend from XTO
References
• Distributed Malware Proxy Networks, B. Porter, N. Summerlin, BotConf 2013
• http://labs.opendns.com/2013/12/18/operation-kelihos-presented-botconf-2013/
• http://blog.malwaremustdie.org/2013/12/short-talk-in-botconf-2013-kelihos.html
• https://zeustracker.abuse.ch/
• http://www.malware-traffic-analysis.net/
• http://techhelplist.com/index.php/tech-tutorials/41-misc/465-asprox-botnet-advertising-fraud-general-overview-1
• VirusTotal