Day 2 Dns Cert 4c Malicious Use

Presentation by ICANN

Page 1: Day 2   Dns Cert 4c Malicious Use

DNS Security for CERTs – Attack Scenarios & Demonstrations – Malicious Use

Chris Evans, Delta Risk, LLC

7 March 2010

Page 2: What You Will Need for the Exercises

• Your Windows Terminal Server

– From Windows, run ‘mstsc’

– From a Mac, please download the Terminal Server Client from the wiki

– Run the DNS-Bot.vbs file when instructed

– Open a command prompt and run

cscript.exe c:/users/studentX/Desktop/DNS-Bot.vbs

– Don’t forget: X is your student number

Page 3: Description – Malicious Use

• Using the DNS to propagate malware or conduct attacks: the traffic is malicious in intent, yet fully consistent with the DNS protocol, so it passes through ordinary resolvers and name servers

– BotNet Command & Control (indirect: the DNS carries the attacker’s instructions and stolen data)

– Amplification Attacks (direct: your servers are made to send the attack traffic)

• These attacks do not necessarily target DNS servers – rather, they use your servers to conduct an attack elsewhere

[Diagram: NS → Victim]

Page 4: Case Study – Conficker

• The Conficker worm appeared in late 2008, with most of the attention starting in Jan/Feb 2009.

– The worm used pseudo-randomly generated domain names spread across several top-level domains (ccTLDs included) as its command and control points.

– Each day the worm would resolve that day’s set of generated domains and contact whichever servers answered for instructions; the operator only needed to register one of them.

Page 5: Case Study – Conficker

• The Conficker Working Group (the “Conficker Cabal”) was started to coordinate response actions to the worm

– Comprised of businesses, DNS operators, Internet organizations, and security researchers

– Requested that the registries of the affected top-level domains pre-register the predicted Conficker domain names, in hopes of preempting the worm’s rendezvous with its controllers

• Conficker mutated to thwart the Working Group, generating far more domains per day and adding P2P methods alongside its DNS rendezvous

How should a ccTLD react to a request to register (at no cost) hundreds of domain names to prevent malicious activity?
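The mechanics behind the two Conficker slides, as an added example that is not part of the original deck and not Conficker’s real algorithm: a toy date-seeded domain generation algorithm (the TLD list, seed and name format are invented for the illustration), the defender-side precomputation that lets a working group hand each registry its list of names to pre-register or sinkhole, and a measurement of how quickly a static blackhole list goes stale when the names change daily.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical TLD list for the illustration; Conficker's real lists differed.
TLDS = ["com", "net", "org", "info", "biz", "ws", "cc", "ch"]


def toy_dga(day: date, count: int = 250, seed: bytes = b"toy-seed") -> list[str]:
    """Derive `count` domain names from the calendar date.

    Every infected host that runs this for the same day computes the same
    list, so the operator only has to register one of the names to reach the
    whole botnet that day. Toy construction only, not Conficker's algorithm.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 4                      # 8 to 11 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[31] % len(TLDS)]}")
    return domains


def preregistration_list(start: date, days_ahead: int, count: int = 250) -> dict[str, list[str]]:
    """Defender side: once the algorithm is reverse engineered, precompute the
    names for the coming days and group them by TLD. That grouped list is what
    a working group hands each registry to register or sinkhole ahead of the bots."""
    by_tld: dict[str, list[str]] = {}
    for d in range(days_ahead):
        for domain in toy_dga(start + timedelta(days=d), count):
            by_tld.setdefault(domain.rsplit(".", 1)[1], []).append(domain)
    return by_tld


def blackhole_coverage(blocklist: set[str], day: date, count: int = 250) -> float:
    """Fraction of a day's rendezvous names that a static blocklist still covers.
    With a daily DGA a list built yesterday covers almost nothing today, which
    is the 'you have to keep up' problem on the mitigation slide."""
    todays = toy_dga(day, count)
    return sum(1 for d in todays if d in blocklist) / len(todays)


if __name__ == "__main__":
    d0 = date(2009, 2, 1)
    print(toy_dga(d0, 5))
    plan = preregistration_list(d0, 7)
    for tld, names in sorted(plan.items()):
        print(f".{tld}: {len(names)} names to pre-register this week")
    static = set(toy_dga(d0))
    print("coverage today:", blackhole_coverage(static, d0))
    print("coverage tomorrow:", blackhole_coverage(static, d0 + timedelta(days=1)))
```

The asymmetry the slides describe falls out of the numbers: the botnet needs one registration per day, while the defenders must pre-register every generated name in every TLD, every day, for as long as the worm keeps running the same algorithm. Once the worm changes the algorithm or moves to P2P, the precomputed list is worthless, which is why the working group needed registries to act on short notice rather than on a one-time request.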

Page 6: Attack Demonstration

• The “DNS Bot” receives its instructions and sends information back to the hacker via DNS: it never talks to the rogue server directly, only to the local caching server, which resolves the bot’s queries through the normal DNS hierarchy to the attacker’s authoritative name server

[Diagram: DNS-Bot.vbs (double-click) → Caching Server → Rogue Server (NS): run command & post results]

Remember, the bot won’t do anything malicious!

Page 7: Demonstration – Attacker View

• Rogue DNS BIND zone file & web post directory

Page 8: Demonstration – Server View

Page 9: Demonstration – User View

• Please run your bot now

– Open a command prompt and run the command:

cscript.exe c:/users/studentX/Desktop/DNS-Bot.vbs

• Wireshark view

Page 10: Demonstration – User View

• If you’d like to start Wireshark…

– Double-click the Wireshark icon on the desktop

– Select Options from the Capture menu

– In “capture filter” type port 53

– Click “Start”

Page 11: Demonstration – User View

[Screenshot: encoded data sent to the DNS server]

Page 12: Demonstration – User View

• The bot will periodically request instructions over DNS from a rogue DNS server (192.168.85.5)

– Can you find the rogue DNS server with Wireshark or DNS tools?

• The bot will execute the instructions:

– Wait, Download a File, Run a Command & Post Results, Quit

– Can you “reverse engineer” the instructions?

– Can you see what is being posted? The posted data is encoded into the query names themselves, so it is visible to anyone watching port 53
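The encoding the Wireshark slides show, as an added example that is not the deck’s DNS-Bot.vbs and not its actual format: a bot-side routine that packs “post results” data into base32 query labels under a control zone, the matching decoder an attacker (or an analyst reading the capture) would use, and a detector that flags zones receiving long, high-entropy labels, which also serves the “network based (traffic & domain analysis)” item on the mitigation slide. The zone name bot.example, the payload and the sample queries are constructed for the illustration; 192.168.85.5 is the rogue server address given on the slide.

```python
import base64
import math
from collections import defaultdict

C2_ZONE = "bot.example"     # hypothetical zone name; the slides do not name it
ROGUE_NS = "192.168.85.5"   # rogue server address from the slide
MAX_LABEL = 63              # RFC 1035: a label is at most 63 octets


def encode_for_dns(payload: bytes, zone: str = C2_ZONE) -> list[str]:
    """Bot side: base32 the command output (DNS names are case-insensitive and
    only letters, digits and hyphens are safe in labels), split it into
    63-octet labels and prefix each with a sequence number so the receiving
    server can reassemble the data in order."""
    b32 = base64.b32encode(payload).decode().rstrip("=").lower()
    return [f"{i:04d}.{b32[off:off + MAX_LABEL]}.{zone}"
            for i, off in enumerate(range(0, len(b32), MAX_LABEL))]


def decode_from_queries(qnames, zone: str = C2_ZONE) -> bytes:
    """Attacker (or analyst) side: collect the data labels for the zone,
    order them by sequence number and undo the base32."""
    parts = {}
    for qname in qnames:
        if not qname.endswith("." + zone):
            continue
        labels = qname[:-len(zone) - 1].split(".")
        if len(labels) == 2 and labels[0].isdigit():
            parts[int(labels[0])] = labels[1]
    b32 = "".join(parts[k] for k in sorted(parts)).upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def suspicious_zones(queries, min_label_len=20, min_entropy=3.0, min_hits=3):
    """Detection side: group queries by their last two labels (production code
    would use a public suffix list) and flag zones that receive several
    distinct names carrying a long, high-entropy label."""
    hits = defaultdict(set)
    for client, qname, qtype in queries:
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue
        zone = ".".join(labels[-2:])
        longest = max(labels[:-2], key=len)
        if len(longest) >= min_label_len and shannon_entropy(longest) >= min_entropy:
            hits[zone].add(qname)
    return {zone: len(names) for zone, names in hits.items() if len(names) >= min_hits}


# Constructed traffic: what a port-53 capture on a student machine might hold.
# Four bot queries carrying a fake "post results" payload, mixed with ordinary lookups.
PAYLOAD = (b"host=STUDENT7 user=student7 os=Windows Server 2008 R2 ip=192.168.85.20"
           b" cmd=ipconfig /all status=ok mac=00-0c-29-4a-1b-2c")
SAMPLE_QUERIES = (
    [("192.168.85.20", name, "TXT") for name in encode_for_dns(PAYLOAD)]
    + [
        ("192.168.85.20", "www.icann.org", "A"),
        ("192.168.85.20", "wiki.icann.org", "A"),
        ("192.168.85.21", "mail.example.net", "MX"),
        ("192.168.85.21", "time.windows.com", "A"),
    ]
)

if __name__ == "__main__":
    for _, qname, _ in SAMPLE_QUERIES:
        print(qname)
    print("flagged zones:", suspicious_zones(SAMPLE_QUERIES))
    print("recovered:", decode_from_queries(q for _, q, _ in SAMPLE_QUERIES))
```

Answering the slide’s first question follows from the detector’s output rather than from the capture alone: the bot only ever talks to the caching server, so the rogue server does not appear as a packet destination on the student machine. Once a zone is flagged, `dig +short NS bot.example` (or the NS record in the caching server’s cache) names the authoritative server, which in the exercise is 192.168.85.5.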

Page 13: Impact

• DNS resources used for malicious purposes

• Possible brand or reputation loss due to apparent attacks originating from your servers

• Widespread bot proliferation

Page 14: Mitigation & Response Strategies

• Domain “blackholes” (sinkholes) – but only if the domains don’t change rapidly – you have to keep up!

• Strengthen registrant information validation

• Develop policies for determining what’s malicious

• Add detection mechanisms for malicious use

– Host based (antivirus, patching, etc.)

– Network based (traffic & domain analysis)

• Develop policies for domain takedown

• Develop cooperative agreements with other registries, CERTs, law enforcement, and security organizations to address malicious use scenarios

Page 15: Questions?