Dynamic DNS Abuse
Chris Baker, Senior Principal Data Analyst

    $ dig @slide.deck chris.baker

    ; <<>> DiG 9.8.3-P1 <<>> datumrich.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1337H@X0R
    ;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    chris.baker.        3600    IN  NS     ns1.dyn.com.
    chris.baker.        138547  IN  MX     cbaker@dyn.com
    chris.baker.        3600    IN  TWEET  @datumrich

    ;; Query time: 111 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Wed Aug 16 12:00:00 2016
    ;; MSG SIZE  rcvd: 99

Overview / Contents
1. Dynamic DNS Service
   • Criminal Cost Model
2. Data Available for Analysis
3. Interaction Patterns
4. Adapting Methodology
   • Jscript Infection
   • DNS Beaconing

Why Dynamic DNS?
Frank Denis (@jedisct1): "The price of an IP Address (V4 of course) is greater than the price of a domain name and the price of a domain is greater than the price of a subdomain."
The business of Dynamic DNS is providing subdomains as a service.

Investment Model
A criminal expends an account or a credit card when they create an account on our platform. The operating cost needs to be dwarfed by the profitability of their activity; otherwise, wouldn't they do something else?
[Diagram: four ddns.hostname.tld hostnames]

Overview / Summary
Creates: fj7e.is-an-actor.com
Phished person requests fj7e.is-an-actor.com
They are redirected to: http://themanicnomad.com/wordpress/wp-content/plugins/rthytrghf/index.htm

Example Page
[Slide image]

Mile High Technical Summary
Modifies: fj7e.is-an-actor.com
Change fj7e.is-an-actor.com to sinkhole
Sinkhole -> http://<Sinkhole-IP>/campaigntag-html.htm

[Funnel diagram, top to bottom:]
• Total possible audience (everyone in the spam list)
• Audience solicited
• Message reached inbox
• Message opened
• Link clicked
• Credentials submitted

Apple Accounts
We have some sample data related to Apple phishing that are interesting.
Sample set of 45 campaigns. Summary stats: users who clicked the link / visited the redirection landing page
– Min: 18
– Median: 187
– Mean: 467
– Max: 1689

Resale Value of Accounts
If we take the median price of $5.50 per account we can estimate the profitability of various rates of credential submission and resale (rows: credential submission rate; columns: the Min / Median / Mean / Max click counts above, rounded to whole accounts).

    Rate    Min       Median    Mean        Max
    90%     $88.00    $924.00   $2,310.00   $8,360.00
    70%     $71.50    $720.50   $1,798.50   $6,501.00
    50%     $49.50    $517.00   $1,287.00   $4,647.50
    30%     $27.50    $308.00   $770.00     $2,788.50

Data Trail: DDNS Host Creation
Account creation: Username, Date time, IP Address, User Agent String
Hostname creation: Datetime, Hostname, IP Address, URL
• What is the rate of hostname creation?
• How many different end points?
• How many different hostnames?

End User Data Trail: Contrast
Account Creation: Username, Date time, IP Address, User Agent
Hostname Creation: Datetime, Hostname, IP Address, URL, User Agent
• Was the account created from an IP in the same netblock as the IP the hostname is set to resolve to?
• Does the GeoIP of the address place them in the same country? Continent?
Example: Phishing
Hostnames created:
u876trtr.fuettertdasnetz.de
uy85rr.is-a-candidate.org
3yi87.is-a-geek.org
awu7o.is-a-soxfan.org
hguy5434rer.is-with-theband.com
ui783ert.from-ok.com
d3678iyhgfd.space-to-rent.com
xey6hg.is-a-socialist.com
2hmmn7.from-wv.com
a54hgh.from-ky.com
yu74er.isa-geek.net
3gtij5.ham-radio-op.net

If we strip off the domain portion:
u876trtr
uy85rr
3yi87
awu7o
hguy5434rer
ui783ert
d3678iyhgfd
xey6hg
2hmmn7
a54hgh
yu74er
3gtij5

Names and Endpoints
Let's review the data:
• User created a total of 12 domains
• User's account contains 12 domain names
• Names appear to be pseudo-randomly generated
• All created within 10 mins of purchasing the service
• All of the domains resolve to the same WordPress instance
  • WordPress instance URI contains the string "wp-content"
  • WordPress instance URI contains a pseudo-randomly generated HTML endpoint
Rate of name creation, number of persistent names, and the endpoints all point to phishing.
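The account-level checks from the two "Data Trail" slides and this example, run over constructed records (added example, not code from the deck or from Dyn). The 12 hostnames are the ones listed above; the account, its signup IP, the creation timestamps and the 203.0.113.7 landing host are assumed sample values.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Constructed sample: the deck's 12 hostnames attached to an invented account.
ACCOUNT = {"signup_ip": "198.51.100.23", "signup_at": datetime(2016, 8, 16, 12, 0)}
HOSTNAMES = ["u876trtr.fuettertdasnetz.de", "uy85rr.is-a-candidate.org",
             "3yi87.is-a-geek.org", "awu7o.is-a-soxfan.org",
             "hguy5434rer.is-with-theband.com", "ui783ert.from-ok.com",
             "d3678iyhgfd.space-to-rent.com", "xey6hg.is-a-socialist.com",
             "2hmmn7.from-wv.com", "a54hgh.from-ky.com",
             "yu74er.isa-geek.net", "3gtij5.ham-radio-op.net"]
LANDING = "http://203.0.113.7/wordpress/wp-content/plugins/rthytrghf/index.htm"
RECORDS = [{"hostname": h, "target_ip": "203.0.113.7", "url": LANDING,
            "created_at": ACCOUNT["signup_at"] + timedelta(seconds=40 * i)}
           for i, h in enumerate(HOSTNAMES)]

def label(hostname):
    """Strip the domain portion; keep the user-chosen leftmost label."""
    return hostname.split(".")[0]

def looks_random(lbl):
    """Crude pseudo-random test: letters and digits mixed in one label."""
    return any(c.isdigit() for c in lbl) and any(c.isalpha() for c in lbl)

def same_netblock(ip_a, ip_b, prefix=24):
    """Is ip_a inside the /prefix block that contains ip_b?"""
    return ip_address(ip_a) in ip_network(f"{ip_b}/{prefix}", strict=False)

def assess(account, records, window_minutes=10, min_names=5):
    """Turn one account's hostname-creation trail into the slide's signals."""
    times = [r["created_at"] for r in records]
    span = (max(times) - min(times)).total_seconds() / 60
    endpoints = {r["target_ip"] for r in records}
    paths = [urlparse(r["url"]).path for r in records]
    signals = {
        "names": len(records),
        "burst": len(records) >= min_names and span <= window_minutes,
        "random_labels": all(looks_random(label(r["hostname"])) for r in records),
        "single_endpoint": len(endpoints) == 1,
        "wp_content": all("wp-content" in p for p in paths),
        "signup_near_target": any(same_netblock(account["signup_ip"], ip) for ip in endpoints),
    }
    # A burst of random names all pointing at one wp-content URL is phishing-like.
    signals["suspicious"] = all(signals[k] for k in
                                ("burst", "random_labels", "single_endpoint", "wp_content"))
    return signals

if __name__ == "__main__":
    print(assess(ACCOUNT, RECORDS))
```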

PDF document: 2016 - Chris Baker, Dynamic DNS Abuse (2016 ISC Threat Intelligence Technology and Trends Forum)
Uploaded and shared by 张玉竹 on 2022-04-08 10:02:43.