DGAs, DNS and Threat Intelligence
John Bambenek – Fidelis Cybersecurity Threat Research Team
ISC 2015 – September 30, 2015 – Beijing, China

Intro
• Sr. Threat Analyst for Fidelis Cybersecurity
• Adjunct Faculty in the CS Department at the University of Illinois at Urbana-Champaign
• Producer of open-source intel feeds
• Work with companies and LE (law enforcement) all over the world to address the growth in cybercrime

About Threat Intelligence
• Information is a set of unprocessed data that may or may not contain actionable intelligence.
• Intelligence is the art of critically examining information to draw meaningful and actionable conclusions based on observations and information.
• Involves analyzing adversary capabilities, intentions and motivations.

Malware C2 Network Types
• Static IP / Hostname Lists
• Proxied C2s
• Dynamic DNS
• Fast Flux / Double Flux Networks
• Domain Generation Algorithms
• Tor / i2p hidden services

Static lists
• Many forms of malware have a simple list of hostnames/IPs and ports that they use for C2 communications.
• A common example is Remote Access Tools (RATs).
• RATs also tend to have configuration items that can provide a wealth of other intelligence.

Static Config Extraction
• https://github.com/kevthehermit/RATDecoders
• Python scripts that will statically rip configurations out of 32 different flavors of RATs.
• Actively developed; you can see it in action at malwareconfig.com
• Disclaimer: I had nothing to do with the development of these tools; they just fit my need and Kevin Breen deserves mad props.

The next piece of the puzzle
• In order to determine which decoder to use, you need to know which malware it is.
• Yara is used for this piece, with rules from:
  • https://github.com/kevthehermit/YaraRules
  • Yara Exchange
  • In-House Rules
• Yara results are used as "authoritative" for purposes of selecting the decoder.
Malware Sources
• VirusTotal
• MSFT VIA Program
• Others I haven't had a chance to ask whether they want recognition
• RAT Traps
• In total, upwards of .25 TB a day (not all RATs)
• If you have malware you want to "trade",

Sample DarkComet config
Key: CampaignID         Value: Guest16
Key: Domains            Value: 06059600929.ddns.net:1234
Key: FTPHost            Value:
Key: FTPKeyLogs         Value:
Key: FTPPassword        Value:
Key: FTPPort            Value:
Key: FTPRoot            Value:
Key: FTPSize            Value:
Key: FTPUserName        Value:
Key: FireWallBypass     Value: 0
Key: Gencode            Value: 3yHVnheK6eDm
Key: Mutex              Value: DC_MUTEX-W45NCJ6
Key: OfflineKeylogger   Value: 1
Key: Password           Value:
Key: Version            Value: #KCMDDC51#

Sample njRat config
Key: Campaign ID        Value: 1111111111111111111
Key: Domain             Value: apolo47.ddns.net
Key: Install Dir        Value: UserProfile
Key: Install Flag       Value: False
Key: Install Name       Value: svchost.exe
Key: Network Separator  Value: |'|'|
Key: Port               Value: 1177
Key: Registry Value     Value: 5d5e3c1b562e3a75dc95740a35744ad0
Key: version            Value: 0.6.4

Processing DNS/IP Info
• The config takes an FQDN or IP in a free-form field.
• This is the only configuration item on which any processing is done.
• If it is an RFC 1918 IP, drop the config.
• If the FQDN resolves to an RFC 1918 IP, keep it.
• If it doesn't resolve, keep it.
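One way to implement the rules on the "Processing DNS/IP Info" slide, written as an added Python example (it is not code from the slides or from RATDecoders). It parses the free-form C2 field of a decoded DarkComet config, applies the drop/keep rules, and emits rows in the column layout of the sample output. The resolver is injectable so it runs offline against FAKE_DNS, a constructed lookup table; SAMPLE_CFG is constructed to mirror the DarkComet sample above, the "|" multi-entry separator and the 1604 default port are assumptions, and system_resolve can be passed in for live lookups.

```python
"""Added example (not from the slides or from RATDecoders): apply the rules
from the 'Processing DNS/IP Info' slide to the free-form C2 field of a
decoded DarkComet config and emit rows in the sample-output layout.
The resolver is injectable so the example runs offline against FAKE_DNS,
a constructed lookup table; pass system_resolve for live lookups."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_ip_literal(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def is_rfc1918(addr: str) -> bool:
    """True only for RFC 1918 space, exactly as the slide states the rule."""
    return is_ip_literal(addr) and any(ipaddress.ip_address(addr) in n for n in RFC1918)


def split_host_port(entry: str, default_port: Optional[int]) -> Tuple[str, Optional[int]]:
    """Parse 'host:port', 'host' or '[v6]:port'; a missing/invalid port -> default."""
    entry = entry.strip()
    if entry.startswith("["):                 # [ipv6-literal]:port
        host, _, rest = entry[1:].partition("]")
        port = rest.lstrip(":")
    elif entry.count(":") == 1:               # host:port or v4:port
        host, _, port = entry.partition(":")
    else:                                     # bare host, or bare IPv6 literal
        host, port = entry, ""
    return host.strip().lower(), (int(port) if port.isdigit() else default_port)


def process_c2(field: str, resolve: Callable[[str], Optional[str]],
               default_port: Optional[int] = None) -> List[Dict]:
    """Apply the slide's rules to one free-form C2 field; return the entries to keep.
    Assumption: DarkComet joins several 'host:port' entries with '|' (a single entry
    works the same). The slide drops the whole config on an RFC 1918 literal; with a
    multi-entry field this version drops just that entry.
      RFC 1918 IP literal                    -> drop
      public IP literal                      -> keep, the IP is the indicator
      FQDN (resolves, resolves private, NX)  -> keep, the hostname is the indicator
    A private resolution is not emitted as an IP: it only means the C2 is parked."""
    kept = []
    for entry in field.split("|"):
        host, port = split_host_port(entry, default_port)
        if not host:
            continue
        if is_ip_literal(host):
            if is_rfc1918(host):
                continue
            kept.append({"domain": "", "ip": host, "port": port})
            continue
        ip = resolve(host)
        kept.append({"domain": host, "ip": ip if ip and not is_rfc1918(ip) else "", "port": port})
    return kept


def darkcomet_rows(sha1: str, date: str, cfg: Dict[str, str],
                   resolve: Callable[[str], Optional[str]]) -> List[str]:
    """One CSV row per kept C2, in the column order of the 'Sample Output' slide."""
    rows = []
    # 1604 as the fallback port is an assumption (it is the port seen in the sample rows)
    for c2 in process_c2(cfg.get("Domains", ""), resolve, default_port=1604):
        fields = (sha1, date, "Dark Comet Config", cfg.get("CampaignID", ""),
                  c2["domain"], c2["ip"], c2["port"] or "",
                  cfg.get("FTPHost", ""), cfg.get("FTPUserName", ""), cfg.get("FTPPassword", ""),
                  cfg.get("Gencode", ""), cfg.get("Mutex", ""))
        rows.append(",".join(str(f) for f in fields))
    return rows


# Constructed stand-ins: a lookup table instead of live DNS, and a config that
# mirrors the DarkComet sample on the slide plus an RFC 1918 entry to be dropped.
FAKE_DNS = {"06059600929.ddns.net": "203.0.113.10", "parked.noip.me": "192.168.1.1"}


def fake_resolve(host: str) -> Optional[str]:
    return FAKE_DNS.get(host)


def system_resolve(host: str) -> Optional[str]:
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


SAMPLE_CFG = {"CampaignID": "Guest16", "Domains": "06059600929.ddns.net:1234|192.168.1.20:1604",
              "FTPHost": "", "FTPUserName": "", "FTPPassword": "",
              "Gencode": "3yHVnheK6eDm", "Mutex": "DC_MUTEX-W45NCJ6", "Version": "#KCMDDC51#"}

if __name__ == "__main__":
    for row in darkcomet_rows("0" * 40, "150213", SAMPLE_CFG, fake_resolve):
        print(row)
```

The hostname is deliberately kept even when it resolves to private space or not at all: for dynamic-DNS C2s that is the normal state between operator sessions, and the name is the durable indicator while the address is not.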
Sample Output
(Columns, inferred from the DarkComet keys above: SHA1, date as YYMMDD, config type, CampaignID, domain, IP, port, FTPHost, FTPUserName, FTPPassword, Gencode, Mutex)
0739b6a1bc018a842b87dcb95a73248d3842c5de,150213,Dark Comet Config,Guest16,lolikhebjegehackt.ddns.net,,1604,,,,o1o5GgYr8yBB,DC_MUTEX-4E844NR
0745a4278793542d15bbdbe3e1f9eb8691e8b4fb,150213,Dark Comet Config,Guest16,ayhan313.noip.me,,1604,,,,aWUZabkXJRte,DC_MUTEX-TX61KQS
07540d2b4d8bd83e9ba43b2e5d9a2578677cba20,150213,Dark Comet Config,FUDDDDD,bilalsidd43.noip.biz,204.95.99.66,1604,,,,qZYsyVu0kMpS,DC_MUTEX-8VK1Q5N
07560860bc1d58822db871492ea1aa56f120191a,150213,Dark Comet Config,Victim,cutedna.noip.biz,,1604,,,,sfAEjh4m1lQ7,DC_MUTEX-F2T2XKC
07998ff3d00d232b6f35db69ee5a549da11e96d1,150213,Dark Comet Config,test1,,192.116.50.238,90,,,,4A2xbJmSqvuc,DC_MUTEX-F54S21D
07ac914bdb5b4cda59715df8421ec1adfaa79cc7,150213,Dark Comet Config,Guest16,alkozor.ddns.net,31.132.106.94,1604,1.ekspert60.z8.ru,######60,######2012,zwd8tEC0F0tA,DC_MUTEX-W3VUKQN

What if C2 changes?
• The flexibility of DNS is that the underlying IP can be changed at any time.
• Many C2 hostnames will not resolve, or resolve to private IPs, unless actively in use.
• Persistent surveillance is needed to capture the IP during the small windows in which the name resolves.
• Need to capture IP changes too.

Domain Generation Algorithms
• Usually a complex math algorithm to create pseudo-random but predictable domain names.
• Now instead of a static list, you have a dynamic list of hundreds or thousands of dom

PDF document: 2015 - "DGAs, DNS and Threat Intelligence - John Bambenek" (44 pages; only the first 5 pages are shown above)