<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Umbrella Security Labs</title>
	<atom:link href="http://labs.umbrella.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://labs.umbrella.com</link>
	<description>Just another WordPress site</description>
	<lastBuildDate>Fri, 24 May 2013 17:35:46 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Big Data Driven Security with Splunk</title>
		<link>http://labs.umbrella.com/2013/05/24/big-data-driven-security-with-splunk/</link>
		<comments>http://labs.umbrella.com/2013/05/24/big-data-driven-security-with-splunk/#comments</comments>
		<pubDate>Fri, 24 May 2013 17:35:46 +0000</pubDate>
		<dc:creator>Ping</dc:creator>
				<category><![CDATA[Big Data]]></category>
		<category><![CDATA[Innovation]]></category>

		<guid isPermaLink="false">/?p=5392</guid>
		<description><![CDATA[<p>In order to deliver predictive threat protection to our customers, the Umbrella Security Labs research team has to collect and correlate data from various sources in innovative ways. We&#8217;ve shared in previous posts how our team applies proprietary algorithms to data from the OpenDNS Global Network, but we&#8217;re constantly on the hunt for  easy-to-use data platforms [...]</p><p>The post <a href="http://labs.umbrella.com/2013/05/24/big-data-driven-security-with-splunk/">Big Data Driven Security with Splunk</a> appeared first on <a href="http://labs.umbrella.com">Umbrella Security Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>In order to deliver predictive threat protection to our customers, the Umbrella Security Labs research team has to collect and correlate data from various sources in innovative ways. We&#8217;ve shared in previous posts how our team applies <a title="Umbrella Security Graph" href="/security-graph/">proprietary algorithms</a> to data from the <a title="Global Network" href="/global-network/">OpenDNS Global Network</a>, but we&#8217;re constantly on the hunt for easy-to-use data platforms that allow for real-time and interactive data visibility.</p>
<p>That&#8217;s why we wanted to share a bit about our experience with Splunk, a big data management system that provides fast machine data parsing, indexing, searching and data analysis. The GUI, dashboards and availability of security-related add-ons make for a neat out-of-the-box solution for enhanced data visibility.</p>
<p><strong>Splunk Basic Usage</strong></p>
<p>Installation of Splunk base is rather straightforward. Check out their <a href="http://docs.splunk.com/Documentation/Splunk/latest/Installation/Whatsinthismanual">official docs</a> for installation instructions. When you&#8217;re getting started, these are some of the basic ways to use Splunk: <em>add data to splunk (data input), search, delete, data aggregation, data transformation, and charting</em>. </p>
<p>If you&#8217;re using customized data, you&#8217;ll likely find input to be the trickiest part. That&#8217;s where Splunk has to figure out the correct data format and parse it properly to extract fields. Splunk tries to automatically break the raw blob of textual input into events based on default or customized event-breaking settings, and to recognize the timestamp of each event. These settings can be customized either via the Splunk GUI or via the command line interface (CLI). Edit the props.conf file to tell Splunk how to treat your data.</p>
<p>An example of extracting tab delimited fields from my input data: <a style="font-size: 13px;" href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/splunk_propsconf1.png"><img class="alignnone size-medium wp-image-5420" alt="splunk_propsconf" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/splunk_propsconf1-300x94.png" width="300" height="94" /></a></p>
<p>For data queries and other operations (aggregating, data transforming etc.), Splunk’s pipe syntax seems pretty straightforward.</p>
<p>The following query, which maps IP addresses that fit certain criteria, serves as a good example of basic query syntax. It requires the geoIP lookup app provided by MaxMind and amMap, a mapping app. Note that the named capture group and the backslashes in the rex pattern, and the escaped quotes in the zoom string, are easy to lose when copying the query from a rendered page.</p>
<pre style="padding-left: 30px;">sourcetype=mute* | rex "(?&lt;ip&gt;\d+\.\d+\.\d+\.\d+)" | search ip!=192.168* ip!=0.0.* ip!=10.* | stats count by ip | eval count_label="Event" | eval iterator="ip" | eval iterator_label="IP" | eval zoom="zoom=\"334%\" zoom_x=\"-128.58%\" zoom_y=\"-113.11%\"" | eval movie_color="#FF0000" | eval output_file="home_threat_data.xml" | eval app="amMap" | lookup geoip clientip as ip | search client_country!=^$ | mapit</pre>
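<p>To make the rex, search and stats stages of that query concrete, here is an added example (not code from the original post) that runs the same steps in plain Python over a few constructed events: extract the first dotted quad, drop non-routable sources, count by IP. The sample events and the explicit CIDR list are assumptions; the list also covers 172.16.0.0/12 and 127.0.0.0/8, which the wildcard filter in the query does not catch.</p>

```python
import ipaddress
import re
from collections import Counter

# Constructed sample events (not real data): free-form lines embedding an IPv4
# address, standing in for the sourcetype=mute* events the Splunk query runs rex on.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used only as samples.
SAMPLE_EVENTS = [
    "2013-05-20T10:01:02 blocked conn from 203.0.113.7 to honeypot",
    "2013-05-20T10:01:05 blocked conn from 198.51.100.23 to honeypot",
    "2013-05-20T10:01:09 blocked conn from 203.0.113.7 to honeypot",
    "2013-05-20T10:02:11 blocked conn from 10.1.2.3 to honeypot",     # RFC 1918
    "2013-05-20T10:02:15 blocked conn from 172.16.5.9 to honeypot",   # RFC 1918, passes the query's filter
    "2013-05-20T10:02:20 blocked conn from 127.0.0.1 to honeypot",    # loopback
    "2013-05-20T10:02:40 blocked conn from 300.1.2.3 to honeypot",    # looks like an IP, is not one
    "2013-05-20T10:03:00 heartbeat ok",                               # no IP at all
    "2013-05-20T10:03:30 blocked conn from 203.0.113.7 to honeypot",
]

# Same pattern as the rex stage of the query, with a Python-style named group.
IP_RE = re.compile(r"(?P<ip>\d+\.\d+\.\d+\.\d+)")

# CIDR-aware replacement for 'ip!=192.168* ip!=0.0.* ip!=10.*'. The last two
# networks are the ones the wildcard filter in the query leaves through.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "192.168.0.0/16", "0.0.0.0/8",
    "172.16.0.0/12", "127.0.0.0/8",
)]


def extract_ip(event: str):
    """Return the first dotted quad in the event, or None (rex leaves the field unset)."""
    m = IP_RE.search(event)
    return m.group("ip") if m else None


def is_routable(ip: str) -> bool:
    """False for anything in NON_ROUTABLE and for strings that only look like an
    address: 300.1.2.3 satisfies the rex pattern but is not an IPv4 address."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in NON_ROUTABLE)


def count_by_ip(events):
    """Equivalent of '| search <filter> | stats count by ip', returned as a list of
    (ip, count) pairs sorted by descending count, then by address."""
    counts = Counter()
    for event in events:
        ip = extract_ip(event)
        if ip is not None and is_routable(ip):
            counts[ip] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for ip, n in count_by_ip(SAMPLE_EVENTS):
        print(f"{ip:<16} {n}")
```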
<p><strong>Splunk data forwarding and receiving </strong></p>
<p>Install the <a href="http://splunk-base.splunk.com/answers/50082/how-do-i-configure-a-splunk-forwarder-on-linux">universal forwarder</a> if you have remote data. The universal forwarder gathers data from the servers where your input data resides and forwards it to your main Splunk server for indexing and searching.</p>
<pre style="padding-left: 30px;">./splunk add forward-server [splunk server:port]</pre>
<pre style="padding-left: 30px;">/opt/splunkforwarder/bin/splunk add monitor /path/to/app/logs/ -index main -sourcetype %app%</pre>
<p>At the same time, enable receiving on the main Splunk server (the indexer): in the Splunk GUI, go to Forwarding and receiving -&gt; Add new -&gt; TCP port [port].</p>
<p>To troubleshoot the deployment, check these internal logs at the receiving indexer:</p>
<pre style="padding-left: 30px;">$SPLUNK_HOME/var/log/splunk/splunkd.log</pre>
<pre style="padding-left: 30px;">$SPLUNK_HOME/var/log/splunk/license_audit.log</pre>
<p><strong>Use cases for Splunk security apps </strong></p>
<p>Splunk base has a set of charting choices. In the following example, we made a pie chart of the user agent distribution in our mobile clients data.</p>
<p><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/splunk_pie1.png"><img class="alignnone  wp-image-5432" alt="splunk_pie1" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/splunk_pie1.png" width="421" height="247" /></a></p>
<p>The Snort app has been a great tool for quick network threat monitoring and alerting. We can easily retrieve all the entries that triggered Snort, and perform in-depth investigations given the source IP addresses and contextual network data.</p>
<h5><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/splunk_snort_stats.png"><img alt="splunk_snort_stats" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/splunk_snort_stats.png" width="421" height="254" /></a><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/splunk_snort_stats_2.png"><img class="alignnone  wp-image-5398" alt="splunk_snort_stats_2" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/splunk_snort_stats_2.png" width="420" height="378" /></a> </h5>
<p>Snort and amMap make use of MaxMind&#8217;s geo-IP mapping to give us an instant global look at a threat&#8217;s scale and spreading patterns.</p>
<p> <a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/snort_map_source_ip.png"><img alt="snort_map_source_ip" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/snort_map_source_ip.png" width="421" height="258" /></a></p>
<h5>Conclusion</h5>
<p>We have yet to explore Splunk&#8217;s other interesting capabilities, such as real-time correlation and alerting, or its distributed deployment scheme (with Hadoop integration). We’ve spent lots of time with Hadoop and HBase, which are largely back-end systems. As far as our primitive use of Splunk goes, it seems to serve quite well as a front-end portal for internal search, query and reporting. Data parsing for customized data is not as intuitive. It would be great if it provided pipe-like syntax for data input as well.</p>]]></content:encoded>
			<wfw:commentRss>http://labs.umbrella.com/2013/05/24/big-data-driven-security-with-splunk/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Announcing the Security Community Forums</title>
		<link>http://labs.umbrella.com/2013/05/20/announcing-security-community-forums/</link>
		<comments>http://labs.umbrella.com/2013/05/20/announcing-security-community-forums/#comments</comments>
		<pubDate>Mon, 20 May 2013 16:47:18 +0000</pubDate>
		<dc:creator>Vinny</dc:creator>
				<category><![CDATA[Security Community]]></category>
		<category><![CDATA[Security Research]]></category>
		<category><![CDATA[Umbrella Security Graph]]></category>

		<guid isPermaLink="false">/?p=5325</guid>
		<description><![CDATA[<p>Community has always been a priority at OpenDNS, so we’re thrilled to announce that the new Umbrella Security Community Forums are now online. We created the forums so our community had a central place to discuss new threats appearing on the landscape, malware samples, security research, and the Umbrella Security Community review process. The top [...]</p><p>The post <a href="http://labs.umbrella.com/2013/05/20/announcing-security-community-forums/">Announcing the Security Community Forums</a> appeared first on <a href="http://labs.umbrella.com">Umbrella Security Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p dir="ltr"><a title="Security Community and Partners" href="/icon-list-item/security-community-and-partners/">Community</a> has always been a priority at OpenDNS, so we’re thrilled to announce that the new Umbrella Security Community Forums are now online. We created the forums so our community had a central place to discuss new threats appearing on the landscape, malware samples, security research, and the Umbrella Security Community review process.</p>
<p><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/Screen-Shot-Forums.jpg"><img class="aligncenter size-full wp-image-5327" alt="Screen Shot Forums" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/Screen-Shot-Forums.jpg" width="600" height="241" /></a></p>
<p>The top contributors of the community also get access to the <a href="http://labs.umbrella.com/security-graph/">Umbrella Security Graph</a>, OpenDNS’s proprietary research tool that provides the <a title="About Umbrella Security Labs" href="/about-us/">Umbrella Security Labs</a> research team with specific information about domains and allows us to review sites that are going to host malware, bot networks, and phishing before they actually become malicious. The data is sourced from the 50+ billion DNS requests OpenDNS receives each day from 50 million customers in more than 150 countries.</p>
<p>We’re still searching for people to join our passionate security community, so if this sounds like something you would be interested in, then we would love to have you! Join members in Australia, India, Africa, UK, Switzerland, Sweden, Canada and in various parts of the US &#8211; just let us know <a href="http://community.opendns.com/domaintagging/malware_application.php">what caught your eye</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://labs.umbrella.com/2013/05/20/announcing-security-community-forums/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Details on exploit kits, as told by the Umbrella Security Graph</title>
		<link>http://labs.umbrella.com/2013/05/17/a-quick-look-at-domains-used-for-exploit-kits/</link>
		<comments>http://labs.umbrella.com/2013/05/17/a-quick-look-at-domains-used-for-exploit-kits/#comments</comments>
		<pubDate>Fri, 17 May 2013 16:17:02 +0000</pubDate>
		<dc:creator>Dhia</dc:creator>
				<category><![CDATA[Big Data]]></category>
		<category><![CDATA[Security Research]]></category>
		<category><![CDATA[threat discovery]]></category>
		<category><![CDATA[Umbrella Security Graph]]></category>

		<guid isPermaLink="false">/?p=4877</guid>
		<description><![CDATA[<p>The Umbrella Security Labs combines our proprietary research tool the Umbrella Security Graph (Sgraph) with various investigative methods and backend predictive algorithms and classifiers to uncover new sets of suspicious and malicious domains each day. We leverage these technologies to discover domains before they are used in the wild, with the goal of ensuring that customers [...]</p><p>The post <a href="http://labs.umbrella.com/2013/05/17/a-quick-look-at-domains-used-for-exploit-kits/">Details on exploit kits, as told by the Umbrella Security Graph</a> appeared first on <a href="http://labs.umbrella.com">Umbrella Security Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p dir="ltr">The Umbrella Security Labs combines our proprietary research tool the <a title="Umbrella Security Graph" href="/security-graph/">Umbrella Security Graph</a> (Sgraph) with various investigative methods and backend predictive algorithms and classifiers to uncover new sets of suspicious and malicious domains each day. We leverage these technologies to discover domains <em>before</em> they are used in the wild, with the goal of ensuring that customers using <a href="http://www.umbrella.com">Umbrella by OpenDNS</a> receive the best protection possible. But given the lofty nature of this claim, we also seek to expose our research and findings so that it&#8217;s clear how we accomplish these goals. For example, in a previous <a href="http://labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/">post</a>, we explored the relationships between dynamic DNS domains and malware sites. In this blog, we look at sample malicious URLs to determine the most frequently used exploit kits, and discuss some of the notable features of these URLs&#8217; domains.</p>
<p dir="ltr"><strong>An Overview of Exploit Kits</strong></p>
<p dir="ltr">Exploit kits are an extremely efficient and popular way of distributing malware to gain control of people’s computers. Let&#8217;s quickly review how exploit kits work: First, a user’s traffic is redirected to a server that runs an exploit kit Web application. Then, the kit detects existing vulnerabilities in the software or operating system running on the user’s machine. The kit exploits these vulnerabilities by stealthily dropping a malware payload (directly or via further redirections) on the user’s computer. As a result, the attacker takes over the user’s machine. The ecosystem of exploit kits is quite vast, and these kits can differ technically or with regard to their business model. A good poster showing the common exploit kits of 2012 is available on the deependresearch.org <a href="http://www.deependresearch.org/2012/11/common-exploit-kits-2012-poster.html">site</a>.</p>
<p dir="ltr" style="text-align: center;"><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/1780x1200_CommonExploitPacks2012u18.jpg"><img class=" wp-image-4911 aligncenter" alt="1780x1200_CommonExploitPacks2012u18" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/1780x1200_CommonExploitPacks2012u18.jpg" width="538" height="363" /></a></p>
<p>[Exploit kits poster published on http://www.deependresearch.org/2012/11/common-exploit-kits-2012-poster.html]</p>
<p dir="ltr"><strong>An Umbrella Security Labs Exploit Kit Study</strong></p>
<p>To study how exploit kits are behaving, we take random samples of malicious URLs from our database over a period of 7 days, use Yara rules (more on the tool at the end of this post) to detect known exploit kit URLs, and report the percentage of URLs attributed to each exploit kit. We also analyze the domains of the URLs for any noticeable features.</p>
<p style="text-align: center;"><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/top-exploit-kits-sample.png"><img class=" wp-image-4879 aligncenter" alt="top-exploit-kits-sample" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/top-exploit-kits-sample.png" width="523" height="315" /></a></p>
<p dir="ltr">In the figure above, we see the top 3 most frequent exploit kits in the URL samples. As expected, Blackhole is the most prevalent followed by Red kit, then Safepack.</p>
<p dir="ltr">We then take, as an example, the URLs related to Blackhole and investigate their domains further using the <a title="Umbrella Security Graph" href="/security-graph/">Umbrella Security Graph</a> (Sgraph). For the example domain dfudont[.]ru, Sgraph shows in the figure below that it is fastflux, is hosted on an ASN with a suspicious score, has a low C-Rank, and has been assigned a low score by our classifier.</p>
<p dir="ltr" style="text-align: center;"><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/bh-ff-sgraph.png"><img class=" wp-image-4881 aligncenter" alt="bh-ff-sgraph" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/bh-ff-sgraph.png" width="584" height="838" /></a></p>
<p dir="ltr"><strong>Details on a Sample of Blackhole Domains</strong></p>
<p dir="ltr">Domains such as jindalo[.]ru, ijsiokolo[.]ru, ifikangloo[.]ru, ejjiipprr[.]ru, and dfudont[.]ru are detected as fastflux and were registered between January and April 2013. One of our <a href="http://labs.umbrella.com/2013/02/13/kelihos-in-its-third-incarnation/">predictive algorithms</a> detects fastflux domains daily. These domains are often recently registered and only then start generating DNS traffic.</p>
<p dir="ltr">The domain ehrap[.]net was registered on May 2nd and stayed dormant for 5 days. It started being DNS-active on May 7, and our fastflux detection system caught it on that day, which is also the day it began delivering malware in a <a href="http://blog.dynamoo.com/2013/05/amazoncom-spam-ehrapnet.html">fake Amazon spam campaign</a>. On May 8, we caught the domain nilokwe[.]pw as fastflux, the <a href="http://registry.pw/whois/?query=nilokwe.pw&amp;output=nice">same day it was registered</a>. On May 9, we detected the domain pinformer[.]net as fastflux. The three domains <a href="http://urlquery.net/report.php?id=2384069">ehrap[.]net</a>, <a href="http://urlquery.net/report.php?id=2393671">nilokwe[.]pw</a> and <a href="http://urlquery.net/report.php?id=2398756">pinformer[.]net</a> are all Blackhole-related domains, as urlquery reports (click on a domain name to see its urlquery report). Furthermore, as of May 8, the three domains ehrap[.]net, nilokwe[.]pw, and pinformer[.]net use the same name server(s): ns1[.]recorderbooks[.]net and ns2[.]recorderbooks[.]net. ns[1-2].recorderbooks[.]net also serve as name servers for nopfrog[.]pw. This domain was registered on <a href="http://registry.pw/whois/?query=nopfrog.pw&amp;output=nice">May 4</a>, stayed dormant, then started activity as a Blackhole domain on May 9-10 (<a href="http://urlquery.net/report.php?id=2410210">urlquery report</a>). We spotted it at the same time via its name server association with fastflux Blackhole domains.</p>
<p dir="ltr">justcollega[.]net is hosted on 37.59.215.18. This IP is hosting several other known malicious domains, and others not yet flagged as malicious. Some of the latter domains were registered in early May, e.g. ksufsdkjvbdskvsdkvsdv[.]com on May 2, justcollega[.]com on May 4, burnbug[.]net on May 5, zohoretail[.]biz on May 5, and contasesso[.]net on May 6. These domains are suspicious, which justifies blocking or quarantining them.</p>
<p dir="ltr">Several known Blackhole-related domains are hosted on the same IPs, as the figure below shows (from the studied sample). One such IP is 37.230.116.89. This IP hosts other domains, and several of those were likewise registered recently. For example, kawsedrol[.]us, kawsedrol[.]info, kawsedrol[.]biz, qertroli[.]us, qertroli[.]info, polkawsed[.]org and polkawsed[.]info were all registered on May 1st 2013. Some of these domains already have known subdomains hosting or redirecting to malware. This justifies blocking the 2LDs (second-level domains) themselves.</p>
<p dir="ltr"><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/bh-doms-clustered.png"><img class="wp-image-4883 alignnone" alt="bh-doms-clustered" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/bh-doms-clustered.png" width="696" height="320" /></a></p>
<p><strong>More Details on Yara, the Tool for Our Study</strong></p>
<p dir="ltr"><a href="https://code.google.com/p/yara-project/">Yara</a> is a malware identification and classification tool that is fast at detecting textual patterns in URL samples. One can use known regular expressions of exploit kits&#8217; URLs as rules and fire up the Yara engine to see which URLs match the rules. For example, a known string rule for detecting certain Blackhole URLs looks like:</p>
<pre>rule blackhole : exploit_kit
{
    strings:
        $a = /\.php\?.*?:[a-zA-Z0-9:]{6,}&amp;.*?&amp;/
    condition:
        $a
}</pre>
<p dir="ltr">Another rule for detecting certain Red kit URLs used for dropping malware payloads looks like:</p>
<pre>rule redkit_bin : exploit_kit
{
    strings:
        $a = /\/\d{2}\.htmls/
    condition:
        $a
}</pre>
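<p>As an added example (not code from the post or from the Yara project), the two rules above are applied with Python's re module, which accepts these patterns unchanged, to a handful of constructed URLs. The result is the per-kit percentage breakdown the study reports, plus the hostnames that would be handed to the domain investigation step. The sample URLs and their hostnames are constructed.</p>

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# The two Yara rules from the post, keyed by rule name. Yara's regex syntax for
# these patterns is the same as Python's, so the patterns are copied verbatim.
RULES = {
    "blackhole": re.compile(r"\.php\?.*?:[a-zA-Z0-9:]{6,}&.*?&"),
    "redkit_bin": re.compile(r"/\d{2}\.htmls"),
}

# Constructed sample URLs (not from the study); hostnames use the reserved
# .example TLD so that nothing here resolves.
SAMPLE_URLS = [
    "http://bh1.example/closest/lnsde5yf.php?if=1g:1n:1n:2v:1h:1f&ue=3&ss=1v:1l:1m",
    "http://bh2.example/main.php?page=0f:2a:1k:3b:1c&x=1&y=2",
    "http://rk1.example/1234/57.htmls",
    "http://bh1.example/closest/lnsde5yf.php?if=2a:2b:2c:2d&ue=3&ss=1",
    "http://benign.example/index.php?id=42",      # .php but no colon-separated token
    "http://benign.example/reports/2013.html",    # four digits, not two
]


def classify(url: str):
    """Names of every rule whose pattern occurs in the URL (a Yara rule with a
    single string and condition '$a' fires on any occurrence)."""
    return [name for name, pat in RULES.items() if pat.search(url)]


def kit_breakdown(urls):
    """Percentage of URLs per kit, as reported in the study's chart.

    A URL matching no rule is counted under 'unknown'. A URL matching several
    rules is counted once per rule, so the percentages may sum to more than 100.
    """
    counts = Counter()
    for url in urls:
        for name in classify(url) or ["unknown"]:
            counts[name] += 1
    total = len(urls)
    return {name: round(100.0 * n / total, 1) for name, n in counts.items()}


def domains_for(kit: str, urls):
    """Sorted, de-duplicated hostnames of the URLs attributed to one kit: the
    input for the next step, looking the domains up in Sgraph."""
    hosts = {urlsplit(u).hostname for u in urls if kit in classify(u)}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    for kit, pct in sorted(kit_breakdown(SAMPLE_URLS).items()):
        print(f"{kit:<12} {pct:5.1f}%")
    print("blackhole domains:", domains_for("blackhole", SAMPLE_URLS))
```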
]]></content:encoded>
			<wfw:commentRss>http://labs.umbrella.com/2013/05/17/a-quick-look-at-domains-used-for-exploit-kits/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>D3 + MV* Framework Visualization Meetup</title>
		<link>http://labs.umbrella.com/2013/05/13/d3-mv-framework-visualization-meetup/</link>
		<comments>http://labs.umbrella.com/2013/05/13/d3-mv-framework-visualization-meetup/#comments</comments>
		<pubDate>Mon, 13 May 2013 20:15:02 +0000</pubDate>
		<dc:creator>Ping</dc:creator>
				<category><![CDATA[Big Data]]></category>
		<category><![CDATA[Open Source and Tools]]></category>
		<category><![CDATA[Security Community]]></category>
		<category><![CDATA[Security Research]]></category>

		<guid isPermaLink="false">/?p=5079</guid>
		<description><![CDATA[<p>Umbrella Security Lab researchers consider visualization and design the key to data driven security intelligence. In a recent post, OpenDNS CTO Dan Hubbard shared insight on evolving security Venn and the role security visualization plays in the shift.  Below is a look at how our team handles almost any data exploration process.  We can look [...]</p><p>The post <a href="http://labs.umbrella.com/2013/05/13/d3-mv-framework-visualization-meetup/">D3 + MV* Framework Visualization Meetup</a> appeared first on <a href="http://labs.umbrella.com">Umbrella Security Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Umbrella Security Labs researchers consider visualization and design the key to data driven security intelligence. In a recent <a href="http://labs.umbrella.com/2013/04/22/evolution-of-the-security-venn/">post</a>, OpenDNS CTO Dan Hubbard shared insight on the evolving security Venn and the role security visualization plays in the shift. Below is a look at how our team handles almost any data exploration process. <a style="font-size: 13px;" href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/dataexpl.png"><img class="wp-image-5085 alignnone" alt="dataexpl" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/dataexpl.png" width="440" height="104" /></a></p>
<p>We can look at data from <a title="Breaking news: Traffic from Syria Disappears from Internet" href="/2013/05/07/breaking-news-traffic-from-syria-disappears-from-internet/">Syria&#8217;s most recent Internet blackout</a> for further evidence of how telling a graph can be. Below are DNS traffic plots we made using Mathematica. The first plot shows the hours before and after Syria went offline. The second shows when Syria came back online the next day.</p>
<p><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/syria-before1.png"><img class="wp-image-5093 alignleft" alt="syria-before" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/syria-before1.png" width="253" height="174" /></a></p>
<p><a style="font-size: 13px;" href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/syria-after1.png"><img alt="syria-after" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/syria-after1.png" width="270" height="174" /></a></p>
<p>There are tons of exciting technologies that can be used for visualizing data. D3, Angular, Ember, and Backbone.js are just a few. We use Angular and Highcharts in the <a title="Umbrella Security Graph" href="/security-graph/">Umbrella Security Graph</a>, and we&#8217;re using Maltego and amMap, ggplot2 (R), and OpenGL as well. But there are still many questions to be answered:</p>
<p><i>What are the coolest visualization examples we can draw ideas from? </i></p>
<p><i>Which of these techniques make a good stack for use out-of-the-box? </i></p>
<p><i>What does visualization mean for big data? </i></p>
<p><i>Which chart types can reveal patterns for discovery, rather than just being eye candy?  </i></p>
<p><i>What techniques allow us to interact with a graph, exploring the rich dimensions of our data? </i></p>
<p><a style="font-size: 13px;" href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/d3.png"><img class="alignleft" alt="d3" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/d3.png" width="206" height="125" /></a>To try and answer some of these questions, we invited the experts from Bay Area D3 User Group to the OpenDNS headquarters.</p>
<p>Miles McCrocklin [<a title="Miles McCrocklin" href="http://www.youtube.com/watch?v=Hd2rye9a9kk">video</a>, <a href="http://bl.ocks.org/milroc/raw/5553051/#0">slides</a>] and Chris Viau [<a title="Christoph D3" href="http://www.youtube.com/watch?v=EoAY0hArT80">video</a>, <a href="https://docs.google.com/presentation/d/1YMwsyl0r1XXMS-V1ZWXgpPApFf4ZqEbLbt_P-Vwvv1k/edit?pli=1">slides</a>] each presented a different-yet-unified focus on reusable D3 visualizations, providing a very good collection of <a href="http://bl.ocks.org/milroc/raw/5553051/#46">resources</a>. Jyri Tuulos [<a title="D3 + Backbone" href="http://www.youtube.com/watch?v=mS4EgJvy1aQ">video</a>, <a href="http://jtuulos.github.io/bayd3-may2013/">slides</a>] covered how to build object-oriented D3 charts using Views in Backbone.js, including how to structure the code, how to distribute responsibilities between the libraries, and how to extend chart classes from a single base class.</p>
<p><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/photo-19.jpg"><img class="alignnone  wp-image-5109" alt="photo (19)" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/photo-19.jpg" width="346" height="259" /></a></p>
<p><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/photo-4.jpg"><img class=" wp-image-5107 alignnone" alt="photo 4" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/photo-4.jpg" width="346" height="259" /></a></p>
<p>If all this talk of Big Data leaves you wanting to roll up your sleeves and do some data mining of your own, we&#8217;ve got a great place for you to get started. Below you&#8217;ll find the BGP data we observed during the Syrian Internet Blackout. Can&#8217;t wait to hear more about what you discover. </p>
<p>[download the data <a href="http://portal.bgpmon.net/data/bgpmon-82.137.192.0-18.txt">link1</a> <a href="http://portal.bgpmon.net/data/bgpmon-90.153.128.0-17.txt">link2</a>] [<a href="http://pastebin.com/sn4kLrFU">data description</a>] </p>
]]></content:encoded>
			<wfw:commentRss>http://labs.umbrella.com/2013/05/13/d3-mv-framework-visualization-meetup/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why real-time detection of compromised hosts has become critical</title>
		<link>http://labs.umbrella.com/2013/05/10/why-real-time-detection-of-compromised-hosts-has-become-critical/</link>
		<comments>http://labs.umbrella.com/2013/05/10/why-real-time-detection-of-compromised-hosts-has-become-critical/#comments</comments>
		<pubDate>Fri, 10 May 2013 18:19:17 +0000</pubDate>
		<dc:creator>Frank Denis</dc:creator>
				<category><![CDATA[Security Research]]></category>
		<category><![CDATA[threat discovery]]></category>
		<category><![CDATA[scam]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">/?p=4573</guid>
		<description><![CDATA[<p>A paradigm shift Newly registered domains. Pseudorandom names. Short TTLs. A myriad of IPs spread over unrelated ASNs, most of them being already well known for hosting malicious content. These are strong indicators, among others, that a domain is very likely to be malicious. Our team has been using algorithms that can automatically spot these malicious [...]</p><p>The post <a href="http://labs.umbrella.com/2013/05/10/why-real-time-detection-of-compromised-hosts-has-become-critical/">Why real-time detection of compromised hosts has become critical</a> appeared first on <a href="http://labs.umbrella.com">Umbrella Security Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<h1>A paradigm shift</h1>
<p>Newly registered domains. Pseudorandom names. Short TTLs. A myriad of IPs spread over unrelated ASNs, most of them already well known for hosting malicious content. These are strong indicators, among others, that a domain is very likely to be malicious. Our team has been using algorithms that automatically spot these malicious trends and block the domains for our customers.</p>
<p>However, the security industry is currently observing a significant paradigm shift. Spammers, scammers and malware authors are now massively abusing compromised machines in order to operate their business. Hours after the Boston Marathon bombing tragedy, a spam campaign drove recipients to a web page containing actual videos of the explosion. What site visitors didn&#8217;t know is that the page also contained a malicious iframe exploiting a recent vulnerability in Java that would download and install the Kelihos trojan.</p>
<p>Here are some of the infectors serving the malicious Java bytecode:</p>
<p>In order to evade most blacklists, the iframe in the video web page was switching to a new URL roughly every hour. Around the same time, other spam campaigns led to a similar page. Thousands of web sites were involved. We quickly set up scripts to monitor these web pages and block newly discovered domains in real time.</p>
<p>What all of these websites have in common is that they were not malicious. These were totally benign web sites, established for a long time, with a decent security track record and no distinctive network features. But in the blink of an eye they were compromised, and started infecting thousands of machines with malware. (Running software with well-known vulnerabilities didn&#8217;t help.)</p>
<p>A compromised host is a powerful weapon for malware authors. Having full control of a system makes it easy to serve different content according to the web browser, referrer, time or other criteria. The code can be updated anytime, in order to ship repacked versions or download data from different hosts.</p>
<p>Furthermore, backdoors like <a href="http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html" target="_blank">Darkleech</a> can be planted and stay under the radar for a very long time for further malicious activities.</p>
<p>For this reason, detecting compromised hosts as soon as possible has become a critical research topic for our team.</p>
<h1>Traffic spikes as an indicator of compromise</h1>
<p>Anomaly detection is a way to spot some domain names we want to take a closer look at. In particular, we are keeping track of domain names seeing a sudden increase of traffic.</p>
<p style="text-align: center;"><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/Screen-Shot-2013-05-08-at-5.10.15-PM.png"><img class="aligncenter size-full wp-image-4819" alt="Spike" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/Screen-Shot-2013-05-08-at-5.10.15-PM.png" width="550" /></a></p>
<p>There are many legitimate reasons for such a spike to happen, for example a company may be sending a newsletter.  </p>
<p>Although these checks are virtually useless as a defense against spam, many mail transfer agents perform preliminary checks on incoming email.</p>
<p>Whenever an email whose sender is <strong>example.com</strong> is received, these servers check that valid DNS MX or A records for <strong>example.com</strong> are present. They also frequently check that the related PTR records map to one of the IP addresses found. TXT queries (for SPF and DomainKey records), as well as checks against DNS-based blacklists, are also common.</p>
<p>In order to reduce false positives when detecting compromised hosts, we only keep domain names for which we saw no TXT, SPF nor MX queries around the time the spike began. </p>
<p>Another common cause for a spike of traffic is web sites dedicated to specific events.</p>
<p>We use the <a title="Umbrella Security Graph" href="/security-graph/">Umbrella Security Graph</a> to extract three features for domain names observing an abnormal increase of traffic:</p>
<ul>
<li>The popularity score, which reflects the number of distinct client IP addresses that looked up the domain name in a short time frame.</li>
<li>The requester geographic distribution. Benign web sites seeing a spike of traffic after a special event tend to fit our models better than malicious domains.</li>
<li>The c-rank, which reflects how frequently the domain name has been co-occurring with other domain names known to be malicious.</li>
</ul>
<p>These features are then used to produce and score classification candidates and updates, which are reviewed. During this review, we look for obfuscated JavaScript code, iframes, and software/modules known to have widely exploited vulnerabilities.</p>
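<p>As an added example (not Umbrella Security Labs code), the spike filter described above run over constructed DNS log lines: queries are bucketed per domain, a window far above the domain&#8217;s earlier baseline is a spike, and a spike is dropped when MX/TXT/SPF lookups for the name arrive around its start, the mail-server pattern described above. The log format, thresholds and domain names are assumptions.</p>

```python
"""Spike detection for compromised-host candidates.

Added example, not the Umbrella Security Labs code.  Assumptions (not from
the post): a log line is '<epoch> <client_ip> <qname> <qtype>'; the baseline
is the mean count of the domain's earlier windows (1 if none); a spike is a
window with at least MIN_QUERIES queries and SPIKE_FACTOR times the baseline.
"""
from collections import defaultdict

WINDOW = 60           # seconds per bucket
SPIKE_FACTOR = 10.0   # a window must carry 10x the baseline to be a spike
MIN_QUERIES = 20      # ignore tiny absolute counts
MAIL_CHECK_TYPES = {"MX", "TXT", "SPF"}  # lookups MTAs issue when vetting a sender
MAIL_GRACE = 2 * WINDOW                  # +/- seconds around the spike start


def parse_line(line):
    ts, client_ip, qname, qtype = line.split()
    return int(ts), client_ip, qname.lower().rstrip("."), qtype.upper()


def bucket_counts(records):
    """Per-domain A/AAAA query counts and distinct clients per WINDOW bucket."""
    counts = defaultdict(lambda: defaultdict(int))
    clients = defaultdict(lambda: defaultdict(set))
    for ts, ip, name, qtype in records:
        if qtype in ("A", "AAAA"):
            b = ts // WINDOW
            counts[name][b] += 1
            clients[name][b].add(ip)
    return counts, clients


def find_spikes(records):
    """Return {domain: (spike_start_epoch, queries, distinct_clients)}.

    distinct_clients is the popularity-style feature the post describes:
    how many client IPs looked the name up during the spiking window.
    """
    counts, clients = bucket_counts(records)
    spikes = {}
    for name, buckets in counts.items():
        ordered = sorted(buckets)
        for i, b in enumerate(ordered):
            n = buckets[b]
            if n < MIN_QUERIES:
                continue
            earlier = [buckets[x] for x in ordered[:i]]
            baseline = sum(earlier) / len(earlier) if earlier else 1.0
            if n >= SPIKE_FACTOR * baseline:
                spikes[name] = (b * WINDOW, n, len(clients[name][b]))
                break
    return spikes


def saw_mail_checks(records, name, spike_start):
    """True if an MX/TXT/SPF lookup for name landed within MAIL_GRACE of the spike."""
    lo, hi = spike_start - MAIL_GRACE, spike_start + MAIL_GRACE
    return any(qname == name and qtype in MAIL_CHECK_TYPES and lo <= ts <= hi
               for ts, _, qname, qtype in records)


def candidates(lines):
    """Spiking domains, minus those explained by mail servers vetting a sender."""
    records = [parse_line(line) for line in lines if line.strip()]
    spikes = find_spikes(records)
    return {name: info for name, info in spikes.items()
            if not saw_mail_checks(records, name, info[0])}


def sample_log():
    """Constructed sample traffic (not real data), aligned to WINDOW boundaries."""
    base = 1_600_000_020  # divisible by 60
    lines = []
    # shop.example: 2 lookups/min for 5 minutes, then 40 lookups from 40 clients
    for m in range(5):
        for k in range(2):
            lines.append(f"{base + m * 60 + k * 20} 10.0.{m}.{k} shop.example A")
    for k in range(40):
        lines.append(f"{base + 300 + k} 10.1.{k // 10}.{k % 10} shop.example A")
    # newsletter.example: same spike shape, but MTAs vet the sender with MX/TXT
    for m in range(5):
        lines.append(f"{base + m * 60} 10.2.0.{m} newsletter.example A")
    for k in range(40):
        lines.append(f"{base + 300 + k} 10.3.{k // 10}.{k % 10} newsletter.example A")
    lines.append(f"{base + 270} 10.4.0.1 newsletter.example MX")
    lines.append(f"{base + 310} 10.4.0.2 newsletter.example TXT")
    # quiet.example: steady low traffic, never a spike
    for m in range(6):
        lines.append(f"{base + m * 60} 10.5.0.1 quiet.example A")
    return lines


if __name__ == "__main__":
    for name, (start, n, pop) in candidates(sample_log()).items():
        print(f"{name}: spike at {start}, {n} queries from {pop} clients")
```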
<p>The post <a href="http://labs.umbrella.com/2013/05/10/why-real-time-detection-of-compromised-hosts-has-become-critical/">Why real-time detection of compromised hosts has become critical</a> appeared first on <a href="http://labs.umbrella.com">Umbrella Security Labs</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://labs.umbrella.com/2013/05/10/why-real-time-detection-of-compromised-hosts-has-become-critical/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Breaking news: Traffic from Syria Disappears from Internet</title>
		<link>http://labs.umbrella.com/2013/05/07/breaking-news-traffic-from-syria-disappears-from-internet/</link>
		<comments>http://labs.umbrella.com/2013/05/07/breaking-news-traffic-from-syria-disappears-from-internet/#comments</comments>
		<pubDate>Tue, 07 May 2013 19:38:47 +0000</pubDate>
		<dc:creator>Dan Hubbard, CTO</dc:creator>
				<category><![CDATA[Innovation]]></category>
		<category><![CDATA[Security Community]]></category>
		<category><![CDATA[Security Research]]></category>

		<guid isPermaLink="false">/?p=4741</guid>
		<description><![CDATA[<p>At around 18:45 UTC the OpenDNS resolvers saw a significant drop in traffic from Syria. On closer inspection, it seems Syria has largely disappeared from the Internet. The graph below shows DNS traffic from and to Syria. The drop in both inbound and outbound traffic from Syria is clearly visible. The small amount of outbound traffic [...]</p><p>The post <a href="http://labs.umbrella.com/2013/05/07/breaking-news-traffic-from-syria-disappears-from-internet/">Breaking news: Traffic from Syria Disappears from Internet</a> appeared first on <a href="http://labs.umbrella.com">Umbrella Security Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p dir="ltr">At around 18:45 UTC the <a title="OpenDNS" href="http://www.opendns.com">OpenDNS</a> resolvers saw a significant drop in traffic from Syria. On closer inspection, it seems Syria has largely disappeared from the Internet.</p>
<p dir="ltr">The graph below shows DNS traffic from and to Syria. The drop in both inbound and outbound traffic from Syria is clearly visible. The small amount of outbound traffic depicted by the chart indicates our DNS servers trying to reach DNS servers in Syria.</p>
<p dir="ltr" style="text-align: center;"><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/syria_offline.png"><img class="aligncenter  wp-image-4775" alt="syria_offline" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/syria_offline-1024x191.png" width="573" height="107" /></a></p>
<p dir="ltr">Currently both TLD servers for Syria, ns1.tld.sy and ns2.tld.sy, are unreachable. The remaining two nameservers, sy.cctld.authdns.ripe.net. and pch.anycast.tld.sy., are reachable since they are not within Syria.</p>
<p dir="ltr">Umbrella Security Labs, which is the threat research division of <a title="OpenDNS" href="http://www.opendns.com">OpenDNS</a>, also <a href="http://labs.umbrella.com/2012/12/04/top-10-most-failed-domains-during-syrias-internet-blackout/">reported</a> on an Internet blackout in Syria in November 2012, where we shared details of the top 10 most failed domains during the outage.</p>
<p>Expect updates from our team shortly.</p>
<p><strong>Update: 1:28 p.m. PDT</strong></p>
<p dir="ltr">There have been numerous incidents where access to and from the Internet in Syria was shut down. Shutting down Internet access to and from Syria is achieved by withdrawing the BGP routes from Syrian prefixes. The graph below shows the sudden drop in visibility for Syrian network prefixes.</p>
<p dir="ltr" style="text-align: center;"><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/umbrella-syria-bgp.png"><img class="aligncenter  wp-image-4783" alt="umbrella-syria-bgp" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/umbrella-syria-bgp-1024x324.png" width="430" height="136" /></a></p>
<p dir="ltr"><strong>How it happened:</strong></p>
<p dir="ltr">Routing on the Internet relies on the Border Gateway Protocol (BGP). BGP distributes routing information and makes sure all routers on the Internet know how to get to a certain IP address. When an IP range becomes unreachable it is withdrawn from BGP, which informs routers that the IP range is no longer reachable.</p>
<p dir="ltr">For example, one of the name servers for the DNS zone .SY is ns1.tld.sy with IP address 82.137.200.85.</p>
<p dir="ltr">Normally our routers would expect a BGP route for 82.137.192.0/18.</p>
<p dir="ltr">Currently that route has disappeared and we no longer have a way to reach the name servers for .SY that reside in Syria:</p>
<pre>andree@rtr1-re0.ams&gt; show route 82.137.192.0/18 detail

{master}</pre>
<p dir="ltr">Currently there are just three routes in the BGP routing tables for Syria, while normally it’s close to eighty. Below are the routes that are still being announced by the major Syrian telecom provider, AS29256:</p>
<pre>andree@rtr1-re0.ams&gt; show route aspath-regex ".* 29256 "

inet.0: 447128 destinations, 1696295 routes (446964 active, 5 holddown, 445714 hidden)
+ = Active Route, - = Last Active, * = Both

46.53.0.0/17       *[BGP/170] 01:41:57, MED 0, localpref 100
                     AS path: 3356 3320 29386 29256 I

78.110.96.0/20     *[BGP/170] 01:41:57, MED 0, localpref 100
                     AS path: 3356 3320 29386 29256 I

94.141.192.0/19    *[BGP/170] 01:41:57, MED 0, localpref 100
                     AS path: 3356 3320 29386 29256 I</pre>
<p dir="ltr">Effectively, the shutdown disconnects Syria from Internet communication with the rest of the world. It’s unclear whether Internet communication within Syria is still available. Although we can’t yet comment on what caused this outage, past incidents were linked to both government-ordered shutdowns and damage to the infrastructure, which included fiber cuts and power outages.</p>
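<p>As an added example (not OpenDNS tooling), the reachability check described above applied to a constructed copy of the route output in the post&#8217;s format: parse each prefix and AS path, count what remains from origin AS29256 against the normal baseline, and confirm whether 82.137.200.85 still has a covering route. The parsing regex, the baseline value and the extra documentation-range route are assumptions.</p>

```python
"""Route-visibility checks for a BGP withdrawal event.

Added example, not OpenDNS tooling.  Assumptions (not from the post): input is
Junos-style 'show route' text in the shape the post shows (a prefix line
followed by an 'AS path:' line); the normal number of routes for the origin AS
(the post says close to eighty for AS29256) is supplied by the caller.
"""
import ipaddress
import re

# matches e.g. "46.53.0.0/17       *[BGP/170] 01:41:57, MED 0, localpref 100"
PREFIX_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+[*+-]?\[BGP/\d+\]")


def parse_show_route(text):
    """Return [(ip_network, as_path_tuple)] from 'show route' output."""
    routes, current = [], None
    for line in text.splitlines():
        m = PREFIX_RE.match(line.strip())
        if m:
            current = ipaddress.ip_network(m.group(1))
            continue
        if current is not None and "AS path:" in line:
            tokens = line.split("AS path:", 1)[1].split()
            # the trailing I/E/? is the origin code, not an AS number
            routes.append((current, tuple(int(t) for t in tokens if t.isdigit())))
            current = None
    return routes


def routes_from_origin(routes, asn):
    """Prefixes whose AS path ends in asn, i.e. originated by that AS."""
    return [net for net, path in routes if path and path[-1] == asn]


def covering_route(routes, ip):
    """Longest-prefix match: the announced network covering ip, or None if withdrawn."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, _ in routes:
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def outage_report(routes, origin_asn, baseline_count, critical_ips, threshold=0.5):
    """Flag an outage when fewer than threshold*baseline routes remain for the AS,
    and list which critical hosts (e.g. a ccTLD name server) have no covering route."""
    remaining = routes_from_origin(routes, origin_asn)
    unreachable = [ip for ip in critical_ips if covering_route(routes, ip) is None]
    return {
        "routes_seen": len(remaining),
        "baseline": baseline_count,
        "alert": len(remaining) < threshold * baseline_count,
        "unreachable": unreachable,
    }


# Constructed sample in the post's format: the three AS29256 routes the post
# lists, plus one unrelated route using documentation AS numbers.
SAMPLE_SHOW_ROUTE = """\
inet.0: 447128 destinations, 1696295 routes (446964 active, 5 holddown, 445714 hidden)
+ = Active Route, - = Last Active, * = Both

46.53.0.0/17       *[BGP/170] 01:41:57, MED 0, localpref 100
                     AS path: 3356 3320 29386 29256 I

78.110.96.0/20     *[BGP/170] 01:41:57, MED 0, localpref 100
                     AS path: 3356 3320 29386 29256 I

94.141.192.0/19    *[BGP/170] 01:41:57, MED 0, localpref 100
                     AS path: 3356 3320 29386 29256 I

203.0.113.0/24     *[BGP/170] 02:10:03, MED 0, localpref 100
                     AS path: 64496 64497 I
"""

if __name__ == "__main__":
    routes = parse_show_route(SAMPLE_SHOW_ROUTE)
    # 82.137.200.85 is ns1.tld.sy; its covering /18 is absent from the sample
    print(outage_report(routes, 29256, 80, ["82.137.200.85"]))
```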
<p><strong>Update 2:</strong></p>
<p>At 14:12 UTC the <a href="http://www.opendns.com">OpenDNS</a> operations team saw traffic come back online in Syria, after 19 hours and 27 minutes of total time offline. More updates shortly. </p>
<p><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/back-online1.png"><img class="alignnone  wp-image-4811" alt="back-online" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/05/back-online1-1024x181.png" width="553" height="98" /></a></p>
<p>The post <a href="http://labs.umbrella.com/2013/05/07/breaking-news-traffic-from-syria-disappears-from-internet/">Breaking news: Traffic from Syria Disappears from Internet</a> appeared first on <a href="http://labs.umbrella.com">Umbrella Security Labs</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://labs.umbrella.com/2013/05/07/breaking-news-traffic-from-syria-disappears-from-internet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>H2O and Streamdrill Meetup</title>
		<link>http://labs.umbrella.com/2013/04/23/after-work-we-have-our-favorite-spot-to-go-to/</link>
		<comments>http://labs.umbrella.com/2013/04/23/after-work-we-have-our-favorite-spot-to-go-to/#comments</comments>
		<pubDate>Tue, 23 Apr 2013 23:28:35 +0000</pubDate>
		<dc:creator>Ping</dc:creator>
				<category><![CDATA[Big Data]]></category>
		<category><![CDATA[Security Research]]></category>

		<guid isPermaLink="false">/?p=4437</guid>
		<description><![CDATA[<p>Tech meetups are the norm in the San Francisco Bay Area. And for San Diego transplants like me, they are probably the best part of the trade-off from 80 degree weather. The Umbrella Security Labs research team tries to take advantage of the many Big Data and Data Mining meetups held right here in the [...]</p><p>The post <a href="http://labs.umbrella.com/2013/04/23/after-work-we-have-our-favorite-spot-to-go-to/">H2O and Streamdrill Meetup</a> appeared first on <a href="http://labs.umbrella.com">Umbrella Security Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Tech meetups are the norm in the San Francisco Bay Area. And for San Diego transplants like me, they are probably the best part of the trade-off from 80 degree weather. The Umbrella Security Labs research team tries to take advantage of the many Big Data and Data Mining meetups held right here in the Bay Area, as well as hosting a few right here at the OpenDNS HQ. </p>
<p>A few months ago the Umbrella Security Labs research team <a href="http://www.youtube.com/watch?v=AeITUpKD944">hosted some great speakers</a> from the SF Data Mining group at the OpenDNS HQ. <a href="http://www.meetup.com/Data-Mining">SF Data Mining</a> meet-ups are heavily attended by serious data engineers/scientists, as well as a few amateurs.  The group has been tremendously successful at bringing in big data, machine learning experts, and hosting presentations on the newest techniques, algorithms and products. </p>
<p>Last night we attended another awesome meetup featuring Mikio Braun, who talked about stream mining using streamdrill, and SriSatish Ambati who shared an open source prediction engine called H<sub>2</sub>O. The presentations were so engaging, that we wanted to share the insight here with Umbrella Security Labs blog readers.</p>
<p><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/d3.jpg"><img class=" wp-image-4459 alignleft" style="margin-left: 10px; margin-right: 10px;" alt="d3" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/d3.jpg" width="243" height="243" /></a></p>
<p><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/h2o.jpg"><img class="wp-image-4451 alignnone" alt="h2o" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/h2o.jpg" width="243" height="243" /></a></p>
<p>While Hadoop and the MapReduce framework have served us well in hosting terabytes of data, and HBase-style techniques support NoSQL data indexing and querying, they are batch-processing systems in essence. Stream processing frameworks were developed to meet real-time requirements.</p>
<p>Streamdrill provides a streaming solution for solving top-k problems. Top-k is always one of the immediate queries in most analytical systems. It answers queries like “top-x tweets”, “top-y spammers” or “top-z DNS abusers”. More importantly, it has to answer them in real-time, from a surprisingly large dataset. Mikio’s drawing below illustrates the streaming logic well.</p>
<p style="text-align: center;"><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/steam.png"><img class=" wp-image-4443 aligncenter" alt="steam" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/steam.png" width="432" height="226" /></a> (source: http://blog.mikiobraun.de)</p>
<p>One of the algorithmic practices Mikio shared is <a href="http://en.wikipedia.org/wiki/Count-Min_sketch">Count-Min Sketch</a>.</p>
<p><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/count-min.jpg"><img class=" wp-image-4449 alignleft" style="margin-left: 7px; margin-right: 7px;" alt="count-min" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/count-min.jpg" width="306" height="306" /></a></p>
<p>Umbrella Security Labs applies similar techniques in multiple places. In processing the DNS authoritative logs, coming in at 1G/min (~1.5 Tb/day), we use <a href="https://github.com/jedisct1/bloom-filter/blob/master/bloom.c">bloom filters</a> to remove duplicates, which reduces the data down to several million unique records per day.</p>
<p>DataFu’s StreamingQuantile algorithm is also used in our security graph system. A simple usage is shown below. I think that our application of Count-Min sketch in detecting traffic spikes calls for a separate blog post to discuss its technical details in full length. =)</p>
<pre>DEFINE Quantile datafu.pig.stats.StreamingQuantile('0.999');

queries_count_per_client = FOREACH (GROUP raw BY client_ip) {
  GENERATE group AS client_ip, COUNT_STAR(raw) AS n;
};

pctiles = FOREACH (GROUP queries_count_per_client ALL)
  GENERATE Quantile(queries_count_per_client.n).quantile_0 AS pctile99;

top_client_ips = FOREACH (FILTER queries_count_per_client BY n &gt; pctiles.pctile99) {
  GENERATE client_ip;
};</pre>
<p>The above code rescales a popularity score based on DNS queries: it removes entries from IPs that have sent more queries than 99.9% of other IPs.</p>
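<p>As an added example (not streamdrill&#8217;s code, nor ours), the Count-Min sketch mentioned above driving a top-k table over a constructed stream of DNS client IPs: the sketch gives a bounded-memory, never-under-counting estimate per client, and the table keeps the k clients with the largest estimates, which is the streaming form of the &#8220;top-z DNS abusers&#8221; query. The hashing scheme, table sizes and sample addresses are assumptions.</p>

```python
"""Count-Min sketch plus a top-k candidate table for 'top-z DNS abusers'.

Added example, not streamdrill or Umbrella Security Labs code.  Assumptions
(not from the post): per-row hashing uses BLAKE2b with the row number as the
salt, and the stream items are client IP strings.
"""
import hashlib


class CountMinSketch:
    """Fixed-memory frequency estimates: never under-counts, may over-count."""

    def __init__(self, width=4096, depth=4):
        self.width, self.depth = width, depth
        self.table = [[0] * width for _ in range(depth)]

    def _cell(self, row, item):
        h = hashlib.blake2b(item.encode(), digest_size=8, salt=bytes([row])).digest()
        return int.from_bytes(h, "big") % self.width

    def add(self, item, n=1):
        for row in range(self.depth):
            self.table[row][self._cell(row, item)] += n

    def estimate(self, item):
        # Every row over-counts by whatever collided there; the minimum is closest.
        return min(self.table[row][self._cell(row, item)] for row in range(self.depth))


class TopK:
    """Keep the k items with the largest sketch estimates seen so far."""

    def __init__(self, k, sketch):
        self.k, self.sketch = k, sketch
        self.candidates = {}  # item -> latest estimate

    def offer(self, item):
        self.sketch.add(item)
        est = self.sketch.estimate(item)
        if item in self.candidates or len(self.candidates) < self.k:
            self.candidates[item] = est
            return
        weakest = min(self.candidates, key=self.candidates.get)
        if est > self.candidates[weakest]:  # evict the weakest candidate
            del self.candidates[weakest]
            self.candidates[item] = est

    def top(self):
        return sorted(self.candidates.items(), key=lambda kv: (-kv[1], kv[0]))


def top_abusers(stream, k=3, width=4096, depth=4):
    """One pass over the query stream; returns [(client_ip, estimated_queries)]."""
    tracker = TopK(k, CountMinSketch(width, depth))
    for client_ip in stream:
        tracker.offer(client_ip)
    return tracker.top()


def sample_stream():
    """Constructed stream: three heavy clients interleaved with 1000 one-off clients."""
    heavy = [("198.51.100.1", 500), ("198.51.100.2", 300), ("198.51.100.3", 200)]
    stream = []
    for i in range(1000):
        stream.append(f"10.{(i >> 8) & 255}.{i & 255}.7")
        for ip, total in heavy:
            if i < total:
                stream.append(ip)
    return stream


if __name__ == "__main__":
    for ip, est in top_abusers(sample_stream()):
        print(ip, est)
```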
<p>We resonate with SriSatish Ambati&#8217;s desire to enable better predictions by making math scale. His team’s <a href="http://0xdata.github.io/h2o/">H2O project</a> is open source, so math and statistical learning on big data are free. We had a chance to try it out, and after less than 30 minutes of setup, here&#8217;s what we saw:</p>
<p style="text-align: center;"><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/Screen-Shot-2013-04-23-at-3.00.27-PM.png"><img class="wp-image-4455 aligncenter" alt="Screen Shot 2013-04-23 at 3.00.27 PM" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/Screen-Shot-2013-04-23-at-3.00.27-PM.png" width="462" height="497" /></a></p>
<p>Pretty neat! We&#8217;re looking forward to more great big data and data mining meetups in San Francisco, and even hosting some at the OpenDNS headquarters.  When the time comes, we&#8217;ll share those details on our blog.</p>
<p>The post <a href="http://labs.umbrella.com/2013/04/23/after-work-we-have-our-favorite-spot-to-go-to/">H2O and Streamdrill Meetup</a> appeared first on <a href="http://labs.umbrella.com">Umbrella Security Labs</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://labs.umbrella.com/2013/04/23/after-work-we-have-our-favorite-spot-to-go-to/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Evolution of the Security Venn</title>
		<link>http://labs.umbrella.com/2013/04/22/evolution-of-the-security-venn/</link>
		<comments>http://labs.umbrella.com/2013/04/22/evolution-of-the-security-venn/#comments</comments>
		<pubDate>Mon, 22 Apr 2013 14:02:43 +0000</pubDate>
		<dc:creator>Dan Hubbard, CTO</dc:creator>
				<category><![CDATA[Big Data]]></category>
		<category><![CDATA[Security Research]]></category>

		<guid isPermaLink="false">/?p=4157</guid>
		<description><![CDATA[<p>I have spent a lot of time recently thinking about where information security research still needs to evolve in order to get ahead of the pace of threats and technological disruptions. What’s driving me to rethink the way we approach the problem is both the pace of change and the decreases in efficacy. Security has [...]</p><p>The post <a href="http://labs.umbrella.com/2013/04/22/evolution-of-the-security-venn/">Evolution of the Security Venn</a> appeared first on <a href="http://labs.umbrella.com">Umbrella Security Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p dir="ltr">I have spent a lot of time recently thinking about where information security research still needs to evolve in order to get ahead of the pace of threats and technological disruptions. What’s driving me to rethink the way we approach the problem is both the pace of change and the decreases in efficacy. Security has always been described in the terms of balances. There are the balances of efficacy, productivity, scale, performance, and functionality. And on the research side, there has been this balance of science and art. This post takes a look at that balance and what I am calling the “Security Venn of Research”.</p>
<p><strong>The Security Analyst</strong><br /> <a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/HUBBARD_BLOG_APRIL_2013_3.001.png"><img class="alignright size-medium wp-image-4257" alt="HUBBARD_BLOG_APRIL_2013_3.001" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/HUBBARD_BLOG_APRIL_2013_3.001-300x225.png" width="300" height="225" /></a></p>
<p dir="ltr">In the early days of security research, reverse engineers spent their time receiving samples from customers (sometimes even via snail mail on floppy disks). The researcher would then perform some analysis on the code to determine its intent and behavior, and then update the protection system with some sort of signature: a hash, CRC, or some sort of byte pattern. Although there was certainly *some* science applied here, the majority of this manual work was done by a person who formed an opinion based on their research; it was heavily art-based, with little science.</p>
<p><strong>Behavior Analysis</strong><br /> <a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/HUBBARD_BLOG_APRIL_2013_3.002.png"><img class="alignleft size-medium wp-image-4263" alt="HUBBARD_BLOG_APRIL_2013_3.002" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/HUBBARD_BLOG_APRIL_2013_3.002-300x225.png" width="300" height="225" /></a></p>
<p dir="ltr">Years later the Internet was invented and malicious, self-replicating code (worms) started to become more pervasive. The volume of malware increased dramatically, and updates could now be pushed over the Internet. In addition, the research community started using behavior systems. This allowed researchers the luxury of not having to reverse engineer and analyze every sample they collected, and automation was put in place to update their protection much more frequently. This overlap created a Security Venn that was a small part science and part art.</p>
<p><strong>Automation : Automation : Automation</strong><br /> <a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/HUBBARD_BLOG_APRIL_2013_3.003.png"><img class="alignright size-medium wp-image-4265" alt="HUBBARD_BLOG_APRIL_2013_3.003" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/HUBBARD_BLOG_APRIL_2013_3.003-300x225.png" width="300" height="225" /></a></p>
<p dir="ltr">Next came the rise of the cyber-criminal, which made a dramatic impact on the volume and sophistication of attacks. At the same time researchers were building bigger automation systems, creating more collection mechanisms, and building large clusters of systems to automate analysis. Although this balanced the scale of science and art, there was still a lot of tuning, development, and manual classification being created and maintained based on short-lived problems and driven primarily by attack samples.</p>
<p><strong>Big Data meets Security</strong></p>
<p><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/HUBBARD_BLOG_APRIL_2013_3.004.png"><img class="alignleft size-medium wp-image-4267" alt="HUBBARD_BLOG_APRIL_2013_3.004" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/HUBBARD_BLOG_APRIL_2013_3.004-300x225.png" width="300" height="225" /></a></p>
<p dir="ltr">As threats continue to evolve in sophistication and increase in numbers, the reliance on attack samples has caused a continued decrease in efficacy. That said, there is a lot of room for continued innovation. We are using technologies from the big data/data mining movement in combination with machine learning and other scientific classification methods based on DNS data, traffic, and hundreds of features we collect in real time. This allows for predictive classification with very little human involvement, post-classification push, and tips the scale towards more science and less art. While reverse engineering and manual analysis have a role in advanced malware and forensics, they are certainly not equal to <a href="http://info.umbrella.com/Harnessing-Big-Data-for-Advanced-Threat-Protection-Whitepaper.html?utm_source=blog&amp;utm_medium=social&amp;utm_campaign=secven">scientific research</a>.</p>
<p><strong>Design will increase in importance</strong></p>
<p><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/HUBBARD_BLOG_APRIL_2013_3.005.png"><img class="alignright size-medium wp-image-4269" alt="HUBBARD_BLOG_APRIL_2013_3.005" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/HUBBARD_BLOG_APRIL_2013_3.005-300x225.png" width="300" height="225" /></a></p>
<p dir="ltr">Just like in other technology disciplines, information security can greatly benefit from the data visualization movement in combination with big data. The security version of data viz is sometimes referred to as “Secure-viz” or “sec-viz”. This brings back the art piece of security as the human element may be needed to analyze the data through visualization. The human brain can process graphics in a much more complex way than machines today.</p>
<p dir="ltr">Although it may be dependent on the class of attacks you are researching, it’s clear that the research community is moving towards a balance of science, art, and design as the evolution of the security venn. To learn more about how we do what we do, <a href="http://info.umbrella.com/infographic-using-big-data-for-malware-protection.html?utm_source=blog&amp;utm_medium=social&amp;utm_campaign=secven">take a look at our Infographic</a> on how the Umbrella Security Labs leverages Big Data for predictive threat research.</p>
<p>The post <a href="http://labs.umbrella.com/2013/04/22/evolution-of-the-security-venn/">Evolution of the Security Venn</a> appeared first on <a href="http://labs.umbrella.com">Umbrella Security Labs</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://labs.umbrella.com/2013/04/22/evolution-of-the-security-venn/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Meet Jared, a member of the Umbrella Labs Security Community</title>
		<link>http://labs.umbrella.com/2013/04/19/meet-jared-a-member-of-the-umbrella-labs-security-community/</link>
		<comments>http://labs.umbrella.com/2013/04/19/meet-jared-a-member-of-the-umbrella-labs-security-community/#comments</comments>
		<pubDate>Fri, 19 Apr 2013 22:27:47 +0000</pubDate>
		<dc:creator>Vinny</dc:creator>
				<category><![CDATA[Security Community]]></category>
		<category><![CDATA[Security Research]]></category>

		<guid isPermaLink="false">/?p=4217</guid>
		<description><![CDATA[<p>The Umbrella Security Labs research team is searching for smart, passionate Internet security experts to join our community. Why join the community? In the most recent Umbrella Security Labs webcast we exposed how our cutting-edge research team is using advanced Big Data mining tactics to classify and categorize websites. The Labs community members are on [...]</p><p>The post <a href="http://labs.umbrella.com/2013/04/19/meet-jared-a-member-of-the-umbrella-labs-security-community/">Meet Jared, a member of the Umbrella Labs Security Community</a> appeared first on <a href="http://labs.umbrella.com">Umbrella Security Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>The Umbrella Security Labs research team is searching for smart, passionate Internet security experts to join our community. Why join the community? In the most recent <a href="http://www.youtube.com/watch?v=wd58EISojh8">Umbrella Security Labs webcast</a> we exposed how our cutting-edge research team is using advanced Big Data mining tactics to classify and categorize websites. The Labs community members are on the front lines of predictive threat research, as they’re able to submit malicious and potentially malicious domains for community review and discussion. The community is made up of security researchers, IT technicians, and software engineers from all around the globe with strong dedication for keeping the Internet safe and secure.  For more information about how the whole process works, <a href="http://blog.opendns.com/2011/05/13/call-for-moderator-applications/">click here</a>.</p>
<p>To underline how valuable Umbrella Labs Security community members are, I want to introduce you to one of the community’s top contributors.  Meet Jared!</p>
<p><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/self_pic.jpg"><img class=" wp-image-4297 alignleft" alt="jaredperry" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/self_pic.jpg" width="192" height="266" /></a></p>
<p><b>OpenDNS: Tell us a bit about yourself.</b></p>
<p>Jared: My name is Jared Perry and I live in St. John&#8217;s on the island of Newfoundland, Canada. I mainly work in the areas of application and desktop security. I enjoy travelling and speaking about IT security topics. I also love to play the occasional real-time strategy such as Starcraft 2. </p>
<p><b>OpenDNS: What initially sparked your interest in internet security?</b></p>
<p>Jared: I have had a lot of teachers in my IT career and learning from them how to build systems initially sparked my interest in Internet security. Seeing how systems can be broken and learning from that drives my interest in IT security to grow.</p>
<p><b>OpenDNS: Have you ever been a victim of a scam or malware?</b></p>
<p>Jared: Early on I had my personal Web server compromised. It was a learning experience, and showed the necessity for multiple layers of defense when building any system. </p>
<p><b>OpenDNS: What&#8217;s the  most convincing scam that you&#8217;ve ever seen?</b></p>
<p>Jared: The AV industry :p, just kidding. I see so many scams in the run of the day and none are really that convincing if you follow some basic rules. Many are not coherent, have terrible grammar or are completely out of place. I think that the more subtle scams like Twitter/Facebook/Mobile apps that are &#8220;grey&#8221; at best and siphon off your personal information are probably the most convincing, as even the most aware users often don&#8217;t think twice about these types of apps.</p>
<p><b>OpenDNS: Besides OpenDNS, what are your favorite tools of the trade to use?</b></p>
<p>Jared: My absolute favorite tool is <a title="Burp Suite from Portswigger" href="http://www.portswigger.net/burp/" target="_blank">Burp Suite from Portswigger</a>; it&#8217;s like the Sriracha of security tools &#8211; you can use it on everything. I use it for application security testing and also as a proxy for malware communications. <a title="Thug" href="https://github.com/buffer/thug" target="_blank">Thug</a> is also a pretty cool tool that I have been using lately, as it saves me a lot of time.</p>
<p><b>OpenDNS: Do you currently have any security certificates like CISSP or GIAC from SANS?</b></p>
<p>Jared: I currently have two GIAC certifications, GIAC security essentials certification (GSEC) and GIAC Web application pen tester certification (GWAPT). <a href="http://www.giac.org/certified-professional/jared-perry/126579">http://www.giac.org/certified-professional/jared-perry/126579</a></p>
<p><b>OpenDNS: What do you most enjoy about being a member of our security community?</b></p>
<p>Jared: I enjoy contributing to malware tagging at OpenDNS because it gives data back to the community and helps end users. It&#8217;s also a reason for me to develop scripts and learn new tools to tackle malware.</p>
<p><b>OpenDNS: Can you demonstrate or explain an interesting case that you moderated?</b></p>
<p>Jared: Ransomware these days I find interesting. I can only imagine an end user dealing with being locked out of their computer by this malware, and some now even have webcam integration to scare the user even further. It&#8217;s concerning when you find semi-legit services processing payments for these criminal groups. It&#8217;s more rewarding when you send the data to services like OpenDNS to block these malware networks and report them to payment processors who hopefully freeze the accounts.</p>
<p><b>OpenDNS: What&#8217;s for lunch?</b></p>
<p>Jared: Fish and brewis! <a href="https://en.wikipedia.org/wiki/Fish_and_brewis">https://en.wikipedia.org/wiki/Fish_and_brewis</a></p>
<p>If you’re interested in joining Jared and the Umbrella Labs Security Community, just <a href="http://community.opendns.com/domaintagging/malware_application.php">apply online</a> and let us know why you’d make a great contributor to the community.</p>
<p>The post <a href="http://labs.umbrella.com/2013/04/19/meet-jared-a-member-of-the-umbrella-labs-security-community/">Meet Jared, a member of the Umbrella Labs Security Community</a> appeared first on <a href="http://labs.umbrella.com">Umbrella Security Labs</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://labs.umbrella.com/2013/04/19/meet-jared-a-member-of-the-umbrella-labs-security-community/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>On the trail of malicious dynamic DNS domains</title>
		<link>http://labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/</link>
		<comments>http://labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/#comments</comments>
		<pubDate>Mon, 15 Apr 2013 13:47:02 +0000</pubDate>
		<dc:creator>Dhia</dc:creator>
				<category><![CDATA[Security Research]]></category>
		<category><![CDATA[threat discovery]]></category>

		<guid isPermaLink="false">/?p=3819</guid>
		<description><![CDATA[<p>Dynamic DNS is a useful technology that allows a domain name to point to Internet resources hosted on changing public IP addresses. Consider an individual or small business with a dynamic IP who needs to provide consistent content or services publicly advertised to the outside world via a domain name (e.g. website, FTP server, mail [...]</p><p>The post <a href="http://labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/">On the trail of malicious dynamic DNS domains</a> appeared first on <a href="http://labs.umbrella.com">Umbrella Security Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Dynamic DNS is a useful technology that allows a domain name to point to Internet resources hosted on changing public IP addresses. Consider an individual or small business with a dynamic IP who needs to provide consistent content or services publicly advertised to the outside world via a domain name (e.g. a website, FTP server, mail server, game room, webcam monitoring, etc.). That&#8217;s where dynamic DNS helps out. Typically, these customers use the IP assigned to them by their ISP, and every time that IP changes, they notify their dynamic DNS provider to update its name servers so that the customer&#8217;s domain now points to the new IP. The notification happens through client software installed on the customer&#8217;s router or computer, or via a RESTful HTTP API. One such update service is <a href="http://dnsomatic.com/">DNSOMATIC</a> by OpenDNS.</p>
<p dir="ltr" style="text-align: center;"><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/dnsomatic_logo_2000.gif"><img class=" wp-image-3985 aligncenter" alt="dnsomatic_logo_2000" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/dnsomatic_logo_2000.gif" width="181" height="59" /></a></p>
<p dir="ltr">Unfortunately, the convenience of dynamic DNS did not go unnoticed by miscreants, who have been abusing free dynamic DNS to perform attacks such as <a href="http://threatpost.com/en_us/blogs/report-malvertising-campaign-thrives-dynamic-dns-021113">large-scale malvertising</a> and targeted <a href="http://threatpost.com/en_us/blogs/spear-phishing-campaigns-use-fake-mandiant-apt1-report-lure-022113">spear-phishing</a>, both of which led to drive-by downloads, and to run <a href="http://blog.threatstop.com/tag/dynamic-dns/">botnet C&amp;C</a>. For attackers, dynamic DNS is another agile evasion technique against IP blacklisting: it lets them deliver malicious payloads from constantly changing hosting IPs, whether infected individuals&#8217; computers or compromised public websites. To circumvent domain blacklisting, attackers can also create randomly generated, disposable subdomains under the dynamic DNS domain that point to the next hop in a redirection chain or to the final malware-hosting IP. This resembles fast flux, but by definition the two differ. With dynamic DNS, the dynamic IP is expected to fall within the ISP&#8217;s IP range (one or a few ASNs), whereas with fast flux a domain points to an ever-growing number of IPs scattered across numerous ASNs and geographic locations. Additionally, the authoritative name servers for a dynamic DNS domain belong to the dynamic DNS provider, whereas fast flux permits double flux, where the name servers themselves are made to point to constantly changing IPs of hosts located in disparate ASNs and countries. In practice, dynamic DNS domains map to a much smaller set of IPs than fast-flux domains.</p>
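<p dir="ltr">The distinction drawn above (a dynamic DNS host moves between a few IPs inside one ISP's ASN, a fast-flux host spreads over many IPs and many ASNs) can be turned into a simple passive-DNS heuristic. The following Python is an added example, not code from the original post: the resolution records are constructed, the IPs and ASNs come from documentation ranges, and the two thresholds are assumptions chosen for illustration rather than values the study used.</p>

```python
"""Tell dynamic DNS apart from fast flux by the shape of a hostname's IP history.

Added example. RECORDS is a constructed passive-DNS style sample; in practice
the tuples would come from resolver logs joined with an IP-to-ASN lookup.
MIN_FLUX_IPS and MAX_DYN_ASNS are assumed thresholds, not values from the post.
"""
from collections import defaultdict

# Constructed records: (queried hostname, resolved IP, ASN owning that IP).
RECORDS = [
    # dynamic DNS host: a home line whose ISP-assigned address changed a few times
    ("johndoe.1dumb.com", "203.0.113.10", 64500),
    ("johndoe.1dumb.com", "203.0.113.57", 64500),
    ("johndoe.1dumb.com", "203.0.113.91", 64500),
    # fast-flux host: many addresses spread over many different networks
    ("update.example.net", "198.51.100.5", 64501),
    ("update.example.net", "198.51.100.77", 64502),
    ("update.example.net", "192.0.2.14", 64503),
    ("update.example.net", "192.0.2.200", 64504),
    ("update.example.net", "203.0.113.130", 64505),
    ("update.example.net", "198.51.100.201", 64506),
    # ordinary host: a single stable address
    ("www.example.org", "192.0.2.1", 64507),
]

MIN_FLUX_IPS = 5   # assumption: this many distinct IPs before we call it flux
MAX_DYN_ASNS = 2   # assumption: dynamic DNS stays within one or a few ISP ASNs


def summarize(records):
    """Return {hostname: (distinct_ips, distinct_asns)} from resolution records."""
    ips = defaultdict(set)
    asns = defaultdict(set)
    for host, ip, asn in records:
        ips[host].add(ip)
        asns[host].add(asn)
    return {h: (len(ips[h]), len(asns[h])) for h in ips}


def classify(distinct_ips, distinct_asns):
    """Label a hostname by how many IPs and ASNs it has resolved to.

    'fast-flux'   : many IPs scattered over many ASNs
    'dynamic-dns' : several IPs, all inside one or a few ASNs (an ISP's range)
    'stable'      : a single IP
    'unclear'     : anything else (e.g. a few IPs over many ASNs, such as a CDN)
    """
    if distinct_ips >= MIN_FLUX_IPS and distinct_asns > MAX_DYN_ASNS:
        return "fast-flux"
    if distinct_ips > 1 and distinct_asns <= MAX_DYN_ASNS:
        return "dynamic-dns"
    return "stable" if distinct_ips == 1 else "unclear"


def classify_all(records):
    """Classify every hostname present in the records."""
    return {h: classify(*counts) for h, counts in summarize(records).items()}


if __name__ == "__main__":
    for host, label in sorted(classify_all(RECORDS).items()):
        print(f"{host:22s} {label}")
```

<p dir="ltr">The heuristic is deliberately coarse: a CDN-fronted site also shows several IPs in several ASNs, which is why the "unclear" bucket exists and why ASN spread, not raw IP count, is what separates the two cases.</p>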
<p dir="ltr">In this blog, we discuss the relationship between dynamic DNS domains and malware as we see it through mining our large DNS data sets. This can also give some perspective on how to address the problem of rogue dynamic DNS domains.</p>
<p dir="ltr"><strong>Dynamic DNS analysis</strong></p>
<p dir="ltr">There are plenty of dynamic DNS providers, both free and for a cost. One good list of them is available <a href="http://dnslookup.me/dynamic-dns/">here</a>. </p>
<p dir="ltr">Dynamic DNS providers let users either register their own domains (2LDs) or register subdomains (3LDs) under a predefined set of provider-owned domains (2LDs). For instance, changeIP.com has a list of 155 domains under which a user can freely register any subdomain of their choice (if it is available). For example, 1dumb.com and 2waky.com are among its pre-registered domains, so a user can register the hostnames johndoe.1dumb.com or myhomebusiness.2waky.com. changeIP also lets users register a domain under the TLDs .com, .net, .info, .org, .biz or .us, though this option requires an annual registration fee. Similar offers are available from other providers such as no-ip.com, afraid.org and Dyn.com (formerly known as DynDNS). The common practice for attackers is to abuse the free subdomains.</p>
<p dir="ltr">For this study, we want to measure how many dynamic DNS domains appear in our daily authoritative DNS traffic, what percentage of them are malicious, and which provider domains are the most frequently abused.</p>
<p dir="ltr">First, we collect a sample of known malicious dynamic DNS domains; then we compile a list of known pre-registered domains offered by a few dynamic DNS providers. In the malicious sample, the most used dynamic DNS providers are sitelutions.com, noip.com, changeip.com and dnsdynamic.org. For the general list, we select known dynamic DNS providers such as changeip.com, dnsdynamic.org, noip.com, freedns.afraid.org, dyndns.com, sitelutions.com and 3322.org. These samples are not exhaustive, as there are many more dynamic DNS providers (and more of them are abused). Some dynamic DNS providers also act as regular domain registrars, so a domain registered with a dynamic DNS provider and using its name servers is not necessarily using the dynamic DNS service. We think, however, that these samples are representative enough for the sake of the analysis.</p>
<p dir="ltr">Next, we resolve the NS records (name servers) of all domains in both samples. This list of name servers is used to filter the daily logs and identify domains using dynamic DNS. The logic is that if we already know a set of dynamic DNS domains, we can identify their name servers, and any other domain served by those same name servers is assumed to be a dynamic DNS domain. The name servers from the general list give a trend for the percentage of dynamic DNS domains in daily traffic, whereas the name servers from the malicious sample give an idea of the dynamic DNS traffic most likely to be malicious. The name servers associated with the sample of malicious dynamic DNS domains are: ns[1-3].changeip.org, ns[1-5].changeip.com, ns[1,2].dnsdynamic.org, nf[1-5].no-ip.com, and ns[1-5].sitelutions.com.</p>
<p dir="ltr">In the next step, we collect sample authoritative DNS logs from three resolvers in London, Ashburn and Singapore, which record, for every domain, its associated authoritative name server(s). For each day, we collect a sample of 1,518,782 domains on average with their name server data. We collect logs for a week, then for each day we identify the domains whose name servers fall within the list of dynamic DNS provider name servers.</p>
<p dir="ltr">Finally, we compare the identified dynamic DNS domains against our blacklist (which is constantly updated with new data), and we show the results in the figures below. For the sake of this discussion, we call sortecielo.2waky.com a hostname, subdomain or 3LD, and 2waky.com a domain or 2LD. The figures show 30,000+ dynamic DNS hostnames (3LDs) observed daily in the sample authoritative DNS traffic, corresponding to 3,000+ domains (2LDs). Over the same period, and out of the same daily sets, we identify 1,400+ malicious hostnames and 200+ associated domains every day. This gives an idea of how densely a domain is associated with its &#8220;children&#8221; subdomains.</p>
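<p dir="ltr">The pipeline just described (match each logged domain's name server against the dynamic DNS providers' name servers, group the matching hostnames under their 2LD, then check them against a blacklist and count per domain) fits in a few dozen lines of Python. The block below is an added example written for this post, not the Pig and Python code the study actually ran: the log lines and the blacklist are constructed, the log format (one "hostname nameserver" pair per line) is assumed, and the name-server patterns are the ones listed above for the malicious sample. The 2LD split is a deliberate simplification that works for the providers' plain two-label domains but would need a public suffix list for names like example.co.uk.</p>

```python
"""Identify dynamic DNS hostnames in authoritative DNS logs by name server,
then measure how many of them are blacklisted, per provider domain (2LD).

Added example, not the post's own code. SAMPLE_LOG and BLACKLIST are
constructed; the name-server patterns are those listed in the post.
"""
import re
from collections import defaultdict

# Name servers of the dynamic DNS providers seen in the malicious sample.
DYNDNS_NS_PATTERNS = [
    r"ns[1-3]\.changeip\.org",
    r"ns[1-5]\.changeip\.com",
    r"ns[12]\.dnsdynamic\.org",
    r"nf[1-5]\.no-ip\.com",
    r"ns[1-5]\.sitelutions\.com",
]
DYNDNS_NS = re.compile(r"^(?:" + "|".join(DYNDNS_NS_PATTERNS) + r")\.?$", re.I)

# Constructed authoritative log sample: "<hostname> <nameserver>" per line.
SAMPLE_LOG = """\
sortecielo.2waky.com ns1.changeip.com
spilak.hopto.org nf2.no-ip.com
1n12.hopto.org nf1.no-ip.com
myhomebusiness.2waky.com ns3.changeip.com
johndoe.1dumb.com ns2.changeip.com
camera.myftp.org nf4.no-ip.com
www.example.com ns1.example.com
mail.example.org ns2.example.org
"""

# Constructed blacklist of hostnames (the study used OpenDNS's own list).
BLACKLIST = {"sortecielo.2waky.com", "spilak.hopto.org", "1n12.hopto.org"}


def parse_log(text):
    """Yield (hostname, nameserver) pairs, lower-cased and without trailing dots."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            yield parts[0].lower().rstrip("."), parts[1].lower().rstrip(".")


def is_dyndns_ns(ns):
    """True if the name server belongs to one of the known dynamic DNS providers."""
    return DYNDNS_NS.match(ns) is not None


def domain_of(hostname):
    """2LD of a hostname, e.g. sortecielo.2waky.com -> 2waky.com (assumes two-label 2LDs)."""
    return ".".join(hostname.split(".")[-2:])


def analyze(log_text, blacklist):
    """Return {2LD: {"hosts": set of 3LDs seen, "malicious": set of blacklisted 3LDs}}."""
    stats = defaultdict(lambda: {"hosts": set(), "malicious": set()})
    for host, ns in parse_log(log_text):
        if not is_dyndns_ns(ns):
            continue                      # not served by a dynamic DNS provider
        d = domain_of(host)
        stats[d]["hosts"].add(host)
        if host in blacklist:
            stats[d]["malicious"].add(host)
    return dict(stats)


def malicious_percentage(stats, domain):
    """Share of a domain's observed hostnames that are blacklisted, in percent."""
    s = stats[domain]
    return 100.0 * len(s["malicious"]) / len(s["hosts"])


def totals(stats):
    """(dyndns 3LDs, dyndns 2LDs, malicious 3LDs, 2LDs with at least one malicious 3LD)."""
    hosts = sum(len(s["hosts"]) for s in stats.values())
    mal_hosts = sum(len(s["malicious"]) for s in stats.values())
    mal_domains = sum(1 for s in stats.values() if s["malicious"])
    return hosts, len(stats), mal_hosts, mal_domains


if __name__ == "__main__":
    st = analyze(SAMPLE_LOG, BLACKLIST)
    print("3LDs, 2LDs, malicious 3LDs, malicious 2LDs:", totals(st))
    for d in sorted(st, key=lambda d: -len(st[d]["hosts"])):
        print(f"{d:12s} {len(st[d]['hosts']):3d} hosts "
              f"{malicious_percentage(st, d):6.2f}% malicious")
```

<p dir="ltr">On the constructed sample the two example.com/example.org lines are dropped because their name servers are not in the pattern list, the remaining six hostnames fall under four 2LDs, and hopto.org comes out as 100% malicious, 2waky.com as 50%. As noted above, name-server matching also catches ordinary domains that merely use a provider's name servers without its dynamic DNS service, so the 3LD counts are an upper bound.</p>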
<p dir="ltr" style="text-align: center;"><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/dyn-dns-3lds-2lds-week.png"><img class="wp-image-3869 aligncenter" alt="dyn-dns-3lds-2lds-week" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/dyn-dns-3lds-2lds-week.png" width="451" height="294" /></a></p>
<p dir="ltr" style="text-align: center;"><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/dyn-dns-3lds-2lds-mal-week.png"><img class="wp-image-3877 aligncenter" alt="dyn-dns-3lds-2lds-mal-week" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/dyn-dns-3lds-2lds-mal-week.png" width="451" height="294" /></a></p>
<p dir="ltr"><strong>Top abused dynamic DNS domains</strong></p>
<p dir="ltr">In the following tables, we show the top 20 domains observed in daily traffic over a week, as well as the top 20 domains used for malicious purposes over the same period. The count next to each domain is the number of hostnames under that domain. For example, on the first day, disqus had 18,294 hostnames of the form subdomain.disqus.com.</p>
<p dir="ltr" style="text-align: center;"><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/top-20-dynDNS-2LDs-week.png"><img class="wp-image-3881 aligncenter" alt="top-20-dynDNS-2LDs-week" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/top-20-dynDNS-2LDs-week.png" width="587" height="183" /></a></p>
<p dir="ltr" style="text-align: center;"><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/top-20-dynDNS-mal-2LDs-week.png"><img class="wp-image-3891 aligncenter" alt="top-20-dynDNS-mal-2LDs-week" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/top-20-dynDNS-mal-2LDs-week.png" width="586" height="184" /></a></p>
<p dir="ltr">In the next table, we show side by side, for a single day, the top 20 dynamic DNS domains in general traffic and those that had malicious hostnames. We indicate in red the domains present in both the top malicious domains and the top popular domains in daily DNS traffic: no-ip.org, no-ip.biz, no-ip.info, hopto.org, dlinkddns.com, myftp.org, myvnc.com, myftp.biz, and us.to. What is noteworthy is that some of the dynamic DNS domains most popular for legitimate uses are also the ones most abused for malicious purposes. This makes blocking an entire domain tricky, since it would also cut off a lot of legitimate content, so blocking is better done per hostname (3LD). Notice that the dynamic DNS provider no-ip.com is the most used one for both legitimate and malicious intent: the domains no-ip.org, no-ip.biz, no-ip.info, hopto.org, myftp.org, myvnc.com, and myftp.biz all use no-ip name servers. The right-hand table of top malicious domains is illustrated as a graph at the end of this post.</p>
<p dir="ltr" style="text-align: center;"><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/top-20-all-traffic-top-20-mal-same-day.png"><img class="wp-image-3901 aligncenter" alt="top-20-all-traffic-top-20-mal-same-day" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/top-20-all-traffic-top-20-mal-same-day.png" width="243" height="267" /></a></p>
<p>&nbsp;</p>
<p dir="ltr">[top 20 domains in general traffic on the left, and top 20 malicious domains on the right]</p>
<p>In the next table, we show the percentage of hostnames under each domain that are malicious. For example, 56.71% of the 3LDs under hopto.org are malicious. Clearly, some domains are heavily used for malicious purposes.</p>
<p dir="ltr" style="text-align: center;"><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/percentage-mal-usage-top-20-dynDNS-2LDs.png"><img class=" wp-image-3913 aligncenter" alt="percentage-mal-usage-top-20-dynDNS-2LDs" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/percentage-mal-usage-top-20-dynDNS-2LDs.png" width="542" height="29" /></a></p>
<p dir="ltr">Below, we show an illustrative graph of the mapping of hostnames to domains, taken from the list of malicious dynamic DNS domains detected on a single day. The largest connected component, in the top left corner, is that of hopto.org, which has 245 malicious 3LDs associated with it, e.g. spilak.hopto.org, arasispodmoonf.hopto.org, 1n12.hopto.org, etc. To its right is the cluster of no-ip.org with 125 malicious 3LDs, then no-ip.info with 103 hostnames, and so on.</p>
<p dir="ltr" style="text-align: center;"><a href="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/3lds-to-2lds-mal-graph-1-day.png"><img class=" wp-image-3935 aligncenter" alt="3lds-to-2lds-mal-graph-1-day" src="https://d1l5aqlryxcb4m.cloudfront.net/wp-content/uploads/2013/04/3lds-to-2lds-mal-graph-1-day.png" width="511" height="541" /></a></p>
<p dir="ltr">We further took a sample of hostnames under hopto.org and determined that they were used to serve URLs for the Fragus, Best Pack and Incognito exploit kits, as well as Java and PDF exploits leading to fake AV trojan downloads. They were also used as C&amp;C for W32/Dorkbot-EK, Rogue:Win32/Winwebsec, Trojan-Ransom.Win32.Mbro.ysw and IRC botnets, and to serve phishing URLs. In another sample, we observe that malicious dynamic DNS domains are heavily associated with the Blackhole exploit kit, Neosploit exploits, PDF exploits and other exploits leading to the delivery of rogue antivirus, trojans, Backdoor SDBot, etc. It is worth mentioning that it is difficult to trace the registration information of dynamic DNS domains of the form subdomain.[predefined domain].tld, because whois only records the registration information of the 2LD, which belongs to the provider, not to whoever created the subdomain.</p>
<p dir="ltr">Note: The tools and platform I used for this study are our <a title="How the infrastructure behind the OpenDNS global network powers Umbrella reporting" href="/2013/03/19/the-opendns-log-analysis-infrasctructure/">Hadoop dev cluster</a>, <a title="Why we love Apache Pig" href="/2013/04/08/pig-jruby/">Apache Pig</a>, Python, and Unix shell tools (sed, awk, grep, etc).</p>
<p>The post <a href="http://labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/">On the trail of malicious dynamic DNS domains</a> appeared first on <a href="http://labs.umbrella.com">Umbrella Security Labs</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
