Earlier in August, a few of us from Security Research at OpenDNS left our hoodies behind in San Francisco to endure the 100+ degree blazing heat of Las Vegas, NV to attend BSides Las Vegas, and BlackHat USA. We look forward to this week every year to have the opportunity to share our research and network with the security community. We were able to attend many awesome talks and had the privilege of presenting as well.
Here are some insights from our Research team.
INSIGHTS FROM ANDREA SCARFO
Andrea was particularly pleased to deliver her very first speaking engagement at a conference. At BSides Las Vegas, she presented “An Evolving Era of Botnet Empires”.
The talk highlighted the history of botnets, their evolving characteristics, and botnet detection methods using DNS traffic.
Of all of the amazing talks at BSides, here are a few highlights from the talks that Andrea was able to attend:
- Ryan Chapman gave a really enjoyable interactive talk titled “Exposing Neutrino EK: All the Naughty Bits”. Ryan made a point of highlighting that exploit kits are part of a business: malware authors pay the exploit-kit authors to distribute their malware, someone gets paid to run the campaign that spreads the exploit kits and redirects the traffic, and there is money to be made in setting up the infrastructure that makes all of this happen, for example the redirects and the landing pages. He then gave a really cool live demonstration of reverse engineering the second-stage .swf file used by the Neutrino Exploit Kit with FlashDevelop.
- Vineetha Paruchuri delivered “QUESTIONING 42: Where is the “Engineering” in the Social Engineering of Namespace Compromises?”, a very lively and frank discussion of how frustratingly easy it is to social engineer your way into control of someone’s digital life, or of a domain. Some of the examples required only pure social engineering, while others combined social engineering with workflow and protocol vulnerabilities or exploits. Companies that continue to value profit over customer privacy make it incredibly easy to social engineer your way into someone’s personal account. The fact that OSINT is used to verify ownership of very important and private accounts is still mind boggling. Vineetha likened the human interactions involved in these social engineering cases to a client/server session, and suggested that putting some actual “engineering” into the social engineering problem could lead to a solution. One major take-away: 2FA all the things.
INSIGHTS FROM THOMAS MATTHEW AND DHIA MAHJOUB
Dhia and Thomas gave a talk at Blackhat 2016 with Mykhailo Sakaly from Intel471. In their talk titled “Towards a Holistic Approach in Building Intelligence to Fight Crimeware”, they proposed an integrated approach to fight crimeware that combines both network-centric and actor-centric perspectives.
Bulletproof hosting (BPH) providers represent a fundamental enabling technology to all sorts of cybercrime campaigns and they lend themselves to being explored from both perspectives.
Cybercrime offerings
In the first part of the talk, the speakers described the different classes of cybercrime offerings: products, services and goods. Products include malware (e.g. RATs, banking trojans), DDoS or brute-forcing tools and exploits and vulnerabilities. Services include bulletproof hosting, DDoS services, ransomware-as-a-service, exploit kits, cash out and exchangers. Goods represent commodities that are quickly consumable such as credit card and database dumps and PII.
Bqhost is an example of a bulletproof hosting provider with a public web site.
Intelligence sources for crimeware investigation
Next, they described the data sources and processes used to construct the network and actor centric views. The network view uses data such as DNS, IP, BGP, Whois, SSL, malware samples, etc. The actor-centric view is built through access to closed underground forums and marketplaces, direct communication with criminal actors, and the purchasing of services to verify claimed features and map out infrastructures.
crdclub.ws is a free registration credit card dump shop hosted on BPH.
Bulletproof hosting classification taxonomy
The speakers then proposed a BPH classification taxonomy. From the actor view, these hosters can be ranked in 3 tiers depending on their reputation, technical complexity and involvement in high-profile cyber-criminal campaigns. From the network view, we identified key technical features that, when combined, are distinctive of rogue hosting infrastructures. Some of the features are:
- Leaf ASN (also known as a stub ASN in networking terminology): an ASN with upstream but no downstream peers.
- Business registration in offshore jurisdictions (e.g. Anguilla, Belize, Dominica, Seychelles, UAE, etc.).
- Hosting that is botnet-based or dedicated-server based.
- Anonymous payment methods, e.g. bitcoin, Perfect Money.
Dataflow.su is a bulletproof hosting provider operating leaf AS203624, with business registration in Belize and IP space in Ukraine, Russia.
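To make the network-view features concrete, here is an added example (not code from the talk or from OpenDNS) that derives the leaf-ASN property from AS-relationship data in the CAIDA serial-1 format and counts how many of the listed features a hoster record matches. The AS numbers, relationships and hoster record are constructed for illustration; the hosting-model feature (botnet-based vs. dedicated) is descriptive and is not scored here.

```python
from collections import defaultdict

# Constructed AS-relationship lines in CAIDA serial-1 format:
# "provider|customer|-1" for transit, "as1|as2|0" for peering.
# These ASNs are reserved/private examples, not the ones named in the talk.
SAMPLE_REL = """\
# constructed sample, not real BGP data
64500|64510|-1
64501|64510|-1
64510|64520|-1
64500|64530|-1
64500|64501|0
"""

# Offshore jurisdictions listed in the talk (ISO country codes).
OFFSHORE = {"AI", "BZ", "DM", "SC", "AE"}   # Anguilla, Belize, Dominica, Seychelles, UAE
# Anonymous payment methods listed in the talk.
ANON_PAY = {"bitcoin", "perfect money"}


def parse_relationships(text):
    """Return (upstream, downstream) maps: asn -> set of provider / customer ASNs."""
    upstream, downstream = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        a, b, rel = line.split("|")
        if rel == "-1":                 # a provides transit to b
            upstream[b].add(a)
            downstream[a].add(b)
    return upstream, downstream


def is_leaf_asn(asn, upstream, downstream):
    """Leaf (stub) ASN: at least one upstream provider and no downstream customers."""
    return bool(upstream.get(asn)) and not downstream.get(asn)


def bph_feature_hits(hoster, upstream, downstream):
    """List which of the talk's network-view features a hoster record matches."""
    hits = []
    if is_leaf_asn(hoster["asn"], upstream, downstream):
        hits.append("leaf_asn")
    if hoster["registration_country"] in OFFSHORE:
        hits.append("offshore_registration")
    if any(p.lower() in ANON_PAY for p in hoster["payment_methods"]):
        hits.append("anonymous_payment")
    return hits
```

A hoster matching all three scored features is a candidate for closer review, not a verdict; the actor-view tiering from the talk is what turns the network signal into a classification.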
Bulletproof hosting use cases
In the second part of the talk, Dhia and Mykhailo gave a detailed overview of various examples of BPH that are both botnet based (ZBot fast flux proxy network) and dedicated (Althost, Abdallah, Maxided, Dataflow.su, XServer, Offshore Racks) with the majority operating from Ukraine and Russia. They also talked about the evolution of these services over the past few years.
Offshoreracks.com is an anonymous offshore hosting provider located in Panama and hosting phishing, stolen credit card shops, pharma, etc.
Using SSL data at scale to track malware infrastructures
Finally, the talk discussed the methods used to identify bulletproof hosting providers with SSL scan data as a key source. SSL data constitutes a valuable fingerprint for identifying similar hosting ranges, so we talked about how to build a database to store SSL data consisting of x509 certificates and SSL hashes. These two pieces of information can be used to identify a particular hoster, either by searching the common-name records in the x509 certificates or by scanning IP ranges for particular SSL hashes. Thomas described the database involved and the various engineering challenges we faced in making the system scalable. One notable problem was designing tables that were optimized for large scans; by tweaking our rowkey structure we were able to solve the issue. By combining SSL data with IP monitoring techniques, security researchers are better able to identify bulletproof hosters and to predict new IP ranges to which hosters might move their services.
Stay tuned for the release of the video of the talk.