We were honored to speak at the 10th annual Shmoocon Conference in Washington, D.C. a few weeks ago. There were several good talks during the three-day program. Just to name one or two, httpscreenshot – A Tool for Both Teams and NaCl: A New Crypto Library caught our interest.
Our presentation focused on network threat intelligence, specifically how OpenDNS approaches collecting, encoding, and correlating intelligence. We discussed active probing and passive monitoring, two techniques we use at OpenDNS to derive network intelligence and to track malicious infrastructure as it moves across the Internet. We provided concrete use cases showing how these approaches can be applied and, finally, we released an open source prototype for tracking changes in domain artifacts.
A few important takeaways:
- Threat intelligence should be automated, scalable, and accurate.
- Intelligence should be shared within the security community.
- Human validation is still crucial. Not everything can be automated or “Machine-Learned”. (ML models require good training sets reviewed by knowledgeable human analysts.)
Here are the slides from our presentation:
We define active probing as a method of determining the current state of something. Who owns a domain name right now? What IPv4 address does that domain name resolve to right now? These are questions active probing answers, and it does so in two ways: direct and indirect. Direct involves communicating with the system or artifact being investigated (port scans, banner grabs), while indirect involves asking other systems about whatever is being investigated (DNS, Whois, BGP).
We define passive monitoring as deriving the previous state of things, or patterns, from previously observed behaviours. What time of the day does that domain receive the most queries? What IPv4 addresses has that domain resolved to in the past? What other domains has that email address registered? These are questions passive monitoring is able to answer. OpenDNS uses a technique called passive DNS reconstruction to build a huge historic database we use as one method of passive monitoring.
Zbot Case Study
In this case study, we covered the Zbot fast flux proxy network, a “hosting as a service” infrastructure for malware CnCs that has been under our watch for over a year. We covered this proxy network at BlackHat, DefCon, and BotConf, and for this conference, we released new results regarding abused registrars and registrant email addresses used to register the malware domains.
Despite having been around for at least a couple of years, this malware hosting infrastructure is still alive and actively used by a variety of malware families. The latest to date is TinyBanker (Tinba), the lightweight banking trojan, which has been observed using the Zbot fast flux infrastructure to host its CnC domains since approximately November of 2014.
One of many notable facts about our studies is that we saw common patterns between the Zbot proxy network and the newGOZ infrastructure, both at the DNS and IP level. For instance, TodayNIC and Melbourne IT (two registrars from China and Australia, respectively), are among the top abused registrars for both Zbot and newGOZ CnC domains, which is quite suggestive of shared TTPs within the same or between bad actor groups.
Furthermore, the newGOZ CnC domains had been hosted for a short period of time on the Zbot proxy network when it re-emerged in July of 2014. This could have been an early testing phase or a quick bootstrap platform before newGOZ moved to more dedicated setups, as our talk shows.
GOZ Case Study
OpenDNS has been tracking the Gameover Zeus since it appeared last summer. This case study presented the analyzed data we collected about the botnet from October 7, 2014 through December 7, 2014. The data includes preferences and patterns found in registrars used, domain TTLs, IPv4 addresses and hosting providers, name server domains, registrant email addresses, and registration to resolution deltas. Researcher sinkholes were also identified and briefly discussed.
The above image shows the command and control domains in blue, the IPv4 addresses of command and control domains in purple, and the IPv4 addresses of the command and control domains’ nameservers in brown. The six disconnected graphs represent five research sinkholes and one (lower left) malicious botnet.
The above image is the center of the malicious cluster in the previous image. The level of connectivity and node names can be seen.
Finally, we released an open source project named Snapshooter. Snapshooter provides a distributed worker system for collecting information about a list of domain names. Some novel techniques Snapshooter uses include taking advantage of passive DNS to rotate between whois server IP addresses (instead of relying on DNS to round robin), as well as incorporating a mix of recursive and iterative DNS resolutions to locate original domain TTLs. Running the Snapshooter system periodically provides a means of actively probing for changes in domain information (registrant details, registrar, name servers, DNS resource records, etc.).
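To make the "tracking changes in domain artifacts" idea concrete, and to tie it to the registration-to-resolution deltas mentioned in the GOZ case study, here is an added example (not Snapshooter's own code) that diffs two constructed snapshots of one domain and computes the delta between its whois creation date and its first observed resolution. The snapshot layout, field names and all values are assumptions made up for the example.

```python
from datetime import datetime

# Constructed snapshots of one domain's artifacts, of the kind a periodic
# probing run collects (registrar, registrant email, name servers, A records,
# authoritative TTL). Every value here is made up for the example.
SNAPSHOT_T0 = {
    "domain": "example-cnc.test",
    "observed": "2014-10-07T00:00:00",     # first time a resolution was seen
    "registered": "2014-10-05T13:20:00",   # whois creation date
    "registrar": "Registrar A (placeholder)",
    "registrant_email": "reg1@example.test",
    "name_servers": {"ns1.example.test", "ns2.example.test"},
    "a_records": {"192.0.2.10", "192.0.2.11"},
    "ttl": 300,
}
SNAPSHOT_T1 = {
    **SNAPSHOT_T0,
    "observed": "2014-10-08T00:00:00",
    "registrar": "Registrar B (placeholder)",
    "name_servers": {"ns1.example.test", "ns3.example.test"},
    "a_records": {"192.0.2.11", "198.51.100.7"},
    "ttl": 150,
}

SCALAR_FIELDS = ("registrar", "registrant_email", "ttl")
SET_FIELDS = ("name_servers", "a_records")


def diff_snapshots(old, new):
    """Return the artifact changes between two snapshots of the same domain.
    Scalar fields report (old, new); set fields report what was added/removed,
    so a partial rotation of A records or name servers is visible as such."""
    assert old["domain"] == new["domain"], "snapshots must describe one domain"
    changes = {}
    for f in SCALAR_FIELDS:
        if old[f] != new[f]:
            changes[f] = (old[f], new[f])
    for f in SET_FIELDS:
        added, removed = new[f] - old[f], old[f] - new[f]
        if added or removed:
            changes[f] = {"added": sorted(added), "removed": sorted(removed)}
    return changes


def registration_to_resolution_hours(snapshot):
    """Hours between the whois creation date and the first observed resolution;
    a short delta is one of the patterns the case study looks at."""
    reg = datetime.fromisoformat(snapshot["registered"])
    seen = datetime.fromisoformat(snapshot["observed"])
    return (seen - reg).total_seconds() / 3600


if __name__ == "__main__":
    for field, change in diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(f"{field}: {change}")
    print(f"registered -> resolved: {registration_to_resolution_hours(SNAPSHOT_T0):.1f} h")
```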
Later this month, we will be sharing more of these results along with a complementary study by a fellow researcher from Cisco in a joint presentation at ISOI 14 in Los Angeles, CA.