Spotlight

Real Time Monitoring of Kelihos Fast Flux Botnet: A Case Study for APWG eCrime 2013

By Dhia Mahjoub
Posted on September 24, 2013
Updated on August 3, 2020


Last week’s APWG eCrime 2013 conference marked the 10th anniversary of the Anti-Phishing Working Group. What better place to host this special event than our great city of San Francisco? The conference drew crowds from academia, industry, and the governing bodies of the Internet; there were presentations from RSA, PayPal, Microsoft, UC Berkeley, CMU, IID, StubHub, ICANN, and the .org, .pl, .jp, .co and .uk registries, among others. OpenDNS was at the scene with two presentations: our CTO, Dan Hubbard, presented on Monday Sep 16th on “Achieving Zen with a new Security Venn” and I presented a research case study on “Real time Monitoring of fast flux botnets using DNS” on Wednesday Sep 18th.


The Talk

In my presentation, I discussed a 7-month study of the Kelihos fast flux botnet from a DNS perspective. This involved real-time monitoring and detection of Kelihos domains using both our recursive and authoritative DNS traffic. One highlight of the talk was the monitoring methodology: it first carefully defines a profile of the domains to monitor, then watches for the emergence of similar domains in real time. I also discussed the Kelihos domains’ TLD distribution, the botnet’s country distribution, statistics on the daily lifecycle of the botnet, the number of domains detected per day, the lifetime of domains and hosting IPs, and the malware payload delivered. I also described the valuable collaboration with the research group MalwareMustDie, which is essential for taking these domains down swiftly once they are blocklisted in our systems to protect our customers. For more details, you can consult the slides here. Also, the final version of the submitted paper will be available soon in the conference proceedings. Below, you can also see a world map with a sample of the botnet’s infected hosts, prepared by my colleague Thibault (check his recent blog).

[Figure: animated world map showing a sample of the Kelihos botnet’s infected hosts]

The Conference

I attended several good talks. A recurring theme was the need to streamline collaboration between industry, law enforcement, ICANN, registries, registrars, regional CERTs and ISPs. This is important to facilitate and speed up the takedown of malicious domains and hosting infrastructure on the one hand, and the prosecution of the criminals behind these operations on the other. Cybercrime increases in sophistication at a staggering speed and shows no sign of slowing down, so if laws and policies don’t follow suit, we are losing the battle.


A notable talk under this theme was “Put the F@ckers in Jail, part Deux! Direct-to-Prosecutor Referrals” by StubHub. I also found the panel discussion “ccTLD Abuse Management Protocols and Practices” quite insightful; it was moderated by ICANN and featured CERT/NASK Poland (.pl registry), PIR (.org registry), Japan Registry Services (.jp registry), and Nominet (.uk registry).

For instance, CERT/NASK described how their new team of lawyers was able to use two principles to push local law enforcement into action:

  • “The general principles of civil law, where one is responsible for any harm caused by his actions or negligence.” NASK was compelled to take action against malicious domains or risk being held liable for their activities.
  • “To hold claims against NASK, a domain owner would have to prove his losses, therefore criminal charges against the owner would stall the civil dispute.” The owners of malicious domains could only take legal action against NASK by demonstrating legitimate losses—which would be impossible to do until the criminal case was completed.

NASK was able to take over and sinkhole 82 domains of the Virut botnet in early 2013 and several hundred more in subsequent operations. Details are described here and information on other operations can be found here.

Protecting Our Customers: a Real Time Detection Framework of Malicious Domains

The real time monitoring/detection system I described in the talk has been used on a larger scale to detect, every day, domains involved in various malicious campaigns. For example, I tailored the system to monitor fast flux domains of different families (domains that share the same IP pool, TTL value, etc.), so in addition to the daily stream of Kelihos domains, recognizable by their TTL=0, the system has monitored other FF domains with TTL=150, 300, and 1440 that are used for other malicious purposes. For example, TTL=1440 is typical of certain spam, scam, casino, and pharmacy domains.

This more generalized real time monitoring framework detects, every day, hundreds to a few thousand domains serving various exploit kits, or used as CnCs for trojans such as Sality and Caphaw; ransomware CnCs such as CryptoLocker, Reveton, and Urausy; browser-based ransomware domains; and so on.

The accuracy of such domain profiling stems from the fact that domains and IPs are often reused, recycled, rented, and borrowed among malicious campaigns and criminal organizations.

These detected domains are confirmed malicious because they generally combine bad IP reputation, recent registration, a surge in traffic volume, similar name patterns, and 0-day age (they are detected in real time in our traffic). Below is an example of an exploit kit serving domain detected a few hours earlier by our real time system. More examples of such discovered exploit kit domains, which we blocked to protect our users and then shared with the security community, can be found here.
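To make the profiling and confirmation steps above concrete, here is an added example written for this post; it is not the OpenDNS detection system and it is not the author’s code. It builds a fast flux family profile (the TTL value plus the IP pool) from a few seed domains, then streams A-record observations through it: a new domain that answers with the family’s TTL and shares at least two IPs with the pool is treated as a member, the pool grows with its IPs, and the confirmation signals from the paragraph above (bad IP reputation, recent registration, traffic surge, a name pattern shared with the seeds, and 0-day age) are scored. All domains, IPs, registration dates and reputation data are constructed stand-ins; a real deployment would pull them from live DNS traffic, WHOIS and IP reputation feeds.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed reference time for the sample stream (not a real capture).
T0 = datetime(2013, 9, 18, 12, 0, 0)


@dataclass(frozen=True)
class Observation:
    """One A-record answer as seen in recursive DNS traffic."""
    ts: datetime
    domain: str
    ttl: int
    ips: tuple


# Constructed seed domains already known to belong to two fast flux families:
# a TTL=0 family (Kelihos-style) and a TTL=1440 family (spam/pharmacy-style).
SEEDS = [
    Observation(T0, "example-seed-a.ru", 0, ("203.0.113.10", "203.0.113.11", "203.0.113.12")),
    Observation(T0, "example-seed-b.ru", 0, ("203.0.113.11", "203.0.113.13", "203.0.113.14")),
    Observation(T0, "pharma-seed.net", 1440, ("198.51.100.20", "198.51.100.21")),
]
# Constructed stand-ins for an IP reputation feed and WHOIS registration dates.
BAD_IPS = {"203.0.113.10", "203.0.113.13"}
REGISTRATION = {
    "example-seed-a.ru": T0 - timedelta(days=3),
    "fresh-candidate.ru": T0 - timedelta(days=1),
    "store.example.com": T0 - timedelta(days=4000),
}


@dataclass
class FluxProfile:
    """Profile of one fast flux family: the TTL it uses and the IP pool it rotates through."""
    name: str
    ttl: int
    ip_pool: set = field(default_factory=set)
    tlds: set = field(default_factory=set)
    min_shared_ips: int = 2

    @classmethod
    def from_seeds(cls, name, ttl, seeds, min_shared_ips=2):
        prof = cls(name, ttl, min_shared_ips=min_shared_ips)
        for obs in seeds:
            if obs.ttl == ttl:
                prof.ip_pool.update(obs.ips)
                prof.tlds.add(obs.domain.rsplit(".", 1)[-1])
        return prof


class RealTimeFluxDetector:
    def __init__(self, profiles, bad_ips, registration,
                 surge_window=timedelta(hours=1), surge_threshold=5, new_reg_days=7):
        self.profiles = profiles
        self.bad_ips = bad_ips
        self.registration = registration
        self.surge_window = surge_window
        self.surge_threshold = surge_threshold
        self.new_reg_days = new_reg_days
        self.queries = defaultdict(deque)   # per-domain query timestamps in the surge window
        self.first_seen = {}

    def _signals(self, obs, profile):
        reg = self.registration.get(obs.domain)
        return {
            "bad_ip_reputation": any(ip in self.bad_ips for ip in obs.ips),
            "recent_registration": reg is not None
                                   and obs.ts - reg <= timedelta(days=self.new_reg_days),
            "traffic_surge": len(self.queries[obs.domain]) >= self.surge_threshold,
            "name_pattern": obs.domain.rsplit(".", 1)[-1] in profile.tlds,
            "zero_day_age": obs.ts - self.first_seen[obs.domain] < timedelta(days=1),
        }

    def observe(self, obs):
        """Feed one observation; return a verdict dict when a family profile matches, else None."""
        self.first_seen.setdefault(obs.domain, obs.ts)
        q = self.queries[obs.domain]
        q.append(obs.ts)
        while q and obs.ts - q[0] > self.surge_window:
            q.popleft()
        for profile in self.profiles:
            if obs.ttl != profile.ttl:
                continue
            shared = set(obs.ips) & profile.ip_pool
            if len(shared) < profile.min_shared_ips:
                continue
            profile.ip_pool.update(obs.ips)   # the family's pool grows as members are found
            signals = self._signals(obs, profile)
            score = sum(signals.values())
            return {"domain": obs.domain, "family": profile.name,
                    "shared_ips": sorted(shared), "signals": signals,
                    "verdict": "confirmed" if score >= 3 else "candidate"}
        return None


def build_detector():
    """Detector seeded with the two constructed families above."""
    profiles = [FluxProfile.from_seeds("ttl0-family", 0, SEEDS),
                FluxProfile.from_seeds("ttl1440-family", 1440, SEEDS)]
    return RealTimeFluxDetector(profiles, BAD_IPS, REGISTRATION)


if __name__ == "__main__":
    det = build_detector()
    stream = [
        Observation(T0 + timedelta(minutes=5), "fresh-candidate.ru", 0,
                    ("203.0.113.10", "203.0.113.11", "198.51.100.7")),
        Observation(T0 + timedelta(minutes=6), "store.example.com", 300, ("192.0.2.5",)),
    ]
    for obs in stream:
        print(obs.domain, det.observe(obs))
```

The shared-IP threshold is what keeps a single recycled IP from pulling unrelated domains into a family; the confirmation score then separates a profile match that is merely a candidate from one that also carries the independent signals the paragraph lists, which is the distinction an analyst would use before blocklisting.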

[Figure: an exploit kit serving domain detected a few hours earlier by the real time system]

Because of OpenDNS’s worldwide visibility into recursive and authoritative DNS, our real time system constitutes an early detection layer for our customers, and it should be part of a defense-in-depth approach to security to face the barrage of increasingly sophisticated attacks.
