Cisco Umbrella

Enterprise network security

Spotlight

Fast Predictive Detection of Malware domains: A New System presented at BSides Raleigh 2013

By Dhia Mahjoub

Threat prediction systems are now critically important to face the ever-growing breadth and complexity of online attacks. Three weeks ago, I attended BSides Raleigh and presented a fast predictive detection system for malware domains that leverages network reputation and our passive DNS database. This new system has helped mitigate several threats over the past few months, such as Fast flux botnet domains, Cryptolocker CnCs, Exploit kit domains, and other ransomware domains.

Attending the conference

It was great to be a part of BSides Raleigh and spend some time in the city. All of the talks were very informative, and everyone showed a high level of knowledge and intellectual curiosity, which contributed to the success of the conference. Another memorable thing about the event was the very cool T-Shirt design:

bsidestshirt

Before I describe my presentation, let me go over some of the other great talks. In the opening session, Advanced Evasion Techniques—Pwning the Next Generation Security Products, David Kennedy described elaborate techniques to evade current enterprise security products. He discussed how to:

  • Profile a target organization “without sending a single packet to them” (using social networks, Project Sonar shared data, search engines, etc).
  • Find out what defensive capabilities they have in place.
  • Get an attack around their preventive measures (e.g. next generation firewalls, web application firewalls, application allowing, IDS, vulnerability assessment tools, SIEM, AV, egress filtering, etc.).

Dave kept his presentation interesting with fascinating live demos of the tools he uses:

  • Torpedo (a tool that he wrote but has not released yet) used with Burp to profile Web Application Firewalls.
  • Recon-ng used with jigsaw.com, for organization reconnaissance and info gathering (there is a tool for enumerating information about a company’s employees also called jigsaw).
  • The harvester: another info gathering tool (part of Backtrack) used for instance to elicit email naming schemes of target organizations.
  • The Social Engineer Toolkit (SET).

Set-Box_2

Dave also discussed how to craft targeted emails that trigger emotional responses in their recipients in order to penetrate the organization via social engineering. He described how to clone a site to harvest username/passwords and how to obfuscate and sign the attached payloads using a throw-away certificate to abuse trust and get the victim to run the payload.

In Malware Automation, Chris Elisan discussed the current state of malware, and described the tools an attacker can use to automatically build an army of armored malware. This arsenal consists of:

  • DiY kits (ex: SpyEye, Zeus); kits that can generate an infinite number of malware samples.
  • Armoring tools (that use time and date to generate a nearly infinite number of samples).
    • Packers (e.g. UPX).
    • Crypters (e.g. PFE CX, or online services such as indetectables.net).
    • Joiners/binders.
  • AV-scanners for quality assurance purposes (on-premise, or in the cloud).

Chris demo’ed the Zeus Crimeware kit and the Saw crypter and showed how they can generate new unique malware samples en masse, and on the fly.

In Bending and Twisting Networks, Paul Coggin went over various advanced strategies and techniques to attack/penetrate network infrastructures, monitor, and exfiltrate data flows. These methods exploit protocols, device features, and network trust relationships (e.g. SNMP, IP routing policies, GRE tunnels, ERSPAN, DLSw, L2TP, Lawful intercept feature, OSPF, BGP, etc). Paul also discussed several approaches to mitigate these attack vectors.

My presentation

When it was my turn, I discussed a predictive fast detection system of malware domains that I built leveraging network reputation and our DNS database (DNSDB). The slides of the talk are available here.

bsides-raleigh-talk-front-slide

This system consists of two components:

  • An IP reputation component that carefully builds a watchlist of high risk IPs to monitor, and
  • A detection component that performs inverse lookups against the DNSDB to instantly detect new malicious domains that resolve to the IPs in the watchlist.

Both components run on a constant basis. Furthermore, in the background, the DNSDB is also constantly fed with the authoritative traffic coming from our resolvers. This traffic is first cleaned and deduplicated, then added to the indexed DNSDB.

Over the past months, this system has been monitoring and detecting several threats such as:

  • Domains serving various Exploit kits: BlackHole, Neutrino, NuclearPack, Angler, Magnitude, Styx, etc.
  • CnC domains for trojans such as Sality, Caphaw.
  • CnC domains for ransomware such as CryptoLocker, Reveton, Urausy.
  • Domains serving browser-based ransomware (browlock).

Early detection of initial Cryptolocker CnC domains

cryptolocker

Cryptolocker, the now infamous ransomware, emerged in early September of this year. The very first two CnCs spotted in the wild (xeogrhxquuubt,com and qaaepodedahnslq,org) were picked up by our detection system as soon as they hit our traffic and a few hours before they were published in the security community. We think that this ensured the initial low infection rate for Umbrella users. We further used other models to track down Cryptolocker DGA CnCs and mitigate the threat for our customers.

Predicting the emergence of Exploit kit and malware domains

The detection system also regularly helps predict patterns of how malicious domains use the network infrastructure.

One example was NuclearPack domains that were initially spotted on 142.4.194.0 on Oct 28th [details here]. We predicted that the Exploit kit domains would soon shift to the next IPs, and that was confirmed the next day [details here].

We also used the system to spot a malware campaign in its early stage: we discovered on Nov 1st that an initial range of 55 IPs in the range 62.122.73.200-254 were all loaded with rogue software payloads, and only 8 IPs were hosting live domains at the moment of discovery. We predicted that new domains would emerge on the remaining IPs [details here]. This has been confirmed, and currently there are 22 IPs hosting domains and serving the malware payloads. The campaign is still ongoing—we predict the full range of 55 IPs to be used for domain hosting and malware serving.

Conclusion

Security is a complex endeavor, and the various talks at BSides Raleigh showed once more that different layers and strategies must be deployed to protect valuable assets of the individual and enterprise alike. The human element is also important, as a lot of current attacks combine social engineering with technical exploitation.

This new predictive detection system for malware domains is an early detection layer in a defense-in-depth approach to security. It’s now a key part of the arsenal of models we use to detect malicious domains at the earliest stage so we can protect our customers from the avalanche of online threats.