Last week’s APWG eCrime 2013 conference marked the 10th anniversary of the Anti Phishing Working Group. What better place to host this special event than our great city of San Francisco? The conference drew crowds from academia, industry, and the governing bodies of the Internet; there were presentations from RSA, PayPal, Microsoft, UC Berkeley, CMU, IID, StubHub, ICANN, and the .org, .pl, .jp, .co and .uk registries, among others. OpenDNS was at the scene with two presentations: our CTO, Dan Hubbard, presented on Monday Sep 16th on “Achieving Zen with a new Security Venn” and I presented a research case study on “Real time Monitoring of fast flux botnets using DNS” on Wednesday Sep 18th.
The Talk
In my presentation, I discussed a 7-month study of the Kelihos fast flux botnet from a DNS perspective. This involved real-time monitoring and detection of Kelihos domains using both our recursive and authoritative DNS traffic. One highlight of the talk was the monitoring methodology: it first carefully defines a profile of domains to monitor, then watches for the emergence of similar domains in real time. I also discussed the Kelihos domains’ TLD distribution, botnet country distribution, statistics on the daily lifecycle of the botnet, daily detected domains, lifetime of domains and hosting IPs, and the malware payload delivered. I also described the valuable collaboration with the research group MalwareMustDie, which is paramount for swiftly taking these domains down right after they are blocklisted in our systems to protect our customers. For more details, you can consult the slides here. Also, the final version of the submitted paper will be available soon in the conference proceedings. Below, you can also see a world map with a sample of the botnet’s infected hosts prepared by my colleague Thibault (check his recent blog).
The Conference
I attended several good talks. A recurring theme was the need to streamline the collaboration between industry, law enforcement, ICANN, registries, registrars, regional CERTs and ISPs. This is important to facilitate and speed up the takedown of malicious domains and hosting infrastructures on the one hand, and the prosecution of the criminals behind these operations on the other. Cybercrime increases in sophistication at a staggering speed and shows no sign of slowing down, so if the laws and policies don’t follow suit, then we are losing the battle.
A notable talk under this theme was “Put the F@ckers in Jail, part Deux! Direct-to-Prosecutor Referrals” by StubHub. I also found the panel discussion “ccTLD Abuse Management Protocols and Practices”, moderated by ICANN and featuring CERT/NASK Poland (.pl registry), PIR (.org registry), Japan Registry Services (.jp registry), and Nominet (.uk registry), quite insightful.
For instance, CERT/NASK described how their new team of lawyers was able to use two principles to push local law enforcement into action:
- “The general principles of civil law, where one is responsible for any harm caused by his actions or negligence.” NASK was compelled to take action against malicious domains or risk being held liable for their activities.
- “To hold claims against NASK, a domain owner would have to prove his losses, therefore criminal charges against the owner would stall the civil dispute.” The owners of malicious domains could only take legal action against NASK by demonstrating legitimate losses—which would be impossible to do until the criminal case was completed.
NASK was able to take over and sinkhole 82 domains of the Virut botnet in early 2013 and several hundred more in subsequent operations. Details are described here and information on other operations can be found here.
Protecting Our Customers: a Real Time Detection Framework of Malicious Domains
The real time monitoring/detection system I described in the talk has been used on a larger scale to detect, on a daily basis, domains involved in various malicious campaigns. For example, I tailored the system to monitor fast flux domains of different families (domains that share the same IP pool, TTL value, etc.), so in addition to the daily stream of Kelihos domains, recognizable by their TTL=0, the system has monitored other FF domains with TTL=150, 300, or 1440 that are used for other malicious purposes. For example, TTL=1440 is typical of certain spam, scam, casino, and pharmacy domains.
This more generalized real time monitoring framework detects, every day, hundreds to a few thousand domains serving various exploit kits, or used as CnCs for trojans such as Sality and Caphaw; ransomware CnCs such as CryptoLocker, Reveton, and Urausy; browser-based ransomware domains; etc.
The accuracy of such domain profiling stems from the fact that domains and IPs are often reused, recycled, rented, and borrowed among malicious campaigns and criminal organizations.
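To make the profiling idea concrete, here is a small added example (not OpenDNS’s code) of the seed-then-watch approach: a profile is built per TTL value from known-bad domains and their IP pool, then a stream of fresh answers is flagged when a domain shares a profile’s TTL and enough of its IPs, and each hit grows the pool. All domain names and addresses are constructed (RFC 5737 documentation ranges).

```python
from collections import defaultdict

# Constructed seed of known-bad (domain, ttl, resolved_ip) answers; the
# TTL=0 entries mimic Kelihos-style fast flux, TTL=1440 a pharmacy family.
KNOWN_BAD = [
    ("ff-a.example", 0, "203.0.113.10"),
    ("ff-a.example", 0, "203.0.113.11"),
    ("ff-b.example", 0, "203.0.113.11"),
    ("ff-b.example", 0, "203.0.113.12"),
    ("pharma1.example", 1440, "198.51.100.5"),
    ("pharma1.example", 1440, "198.51.100.6"),
]

# Constructed stream of fresh answers as they would appear in recursive traffic.
STREAM = [
    ("new-c.example", 0, "203.0.113.12"),
    ("new-c.example", 0, "203.0.113.13"),
    ("shop.example", 3600, "192.0.2.7"),
    ("pharma2.example", 1440, "198.51.100.6"),
    ("cdn.example", 0, "192.0.2.99"),  # TTL=0 alone is not enough to match
]

def build_profiles(seed):
    """One profile per TTL: the IP pool and the domains seen resolving into it."""
    profiles = defaultdict(lambda: {"ips": set(), "domains": set()})
    for domain, ttl, ip in seed:
        profiles[ttl]["ips"].add(ip)
        profiles[ttl]["domains"].add(domain)
    return profiles

def detect(profiles, stream, min_overlap=0.5):
    """Group the stream per (domain, ttl) and flag a domain when it shares a
    profile's TTL and at least `min_overlap` of its IPs with that pool.
    Flagged domains feed their IPs back, so the pool tracks the botnet."""
    per_domain = defaultdict(set)
    for domain, ttl, ip in stream:
        per_domain[(domain, ttl)].add(ip)
    flagged = {}
    for (domain, ttl), ips in per_domain.items():
        pool = profiles[ttl]["ips"] if ttl in profiles else set()
        if pool and len(ips & pool) / len(ips) >= min_overlap:
            flagged[domain] = ttl
            profiles[ttl]["ips"] |= ips
            profiles[ttl]["domains"].add(domain)
    return flagged

if __name__ == "__main__":
    for d, t in detect(build_profiles(KNOWN_BAD), STREAM).items():
        print(f"{d}: matches TTL={t} fast flux profile")
```

A production version would add the other signals the post lists (registration age, traffic surge, name patterns) before a domain is blocklisted.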
These detected domains are confirmed malicious as they generally combine bad IP reputation, recent registration, a surge in traffic volume, similar name patterns, and 0-day age (as they are detected in real time in our traffic). Below is an example of an exploit-kit-serving domain detected a few hours earlier by our real time system. More examples of such discovered exploit kit domains that we blocked to protect our users and then shared with the security community can be found here.
Because of OpenDNS’s worldwide visibility into recursive and authoritative DNS, our real time system constitutes an early detection layer for our customers, and should be part of a defense-in-depth approach to security, to face the barrage of increasingly sophisticated attacks.