Catching Malware En Masse: DNS and IP Style

Presented at DEF CON 22 (2014), Aug. 10, 2014, noon (60 minutes)

The Internet is constantly growing, providing a myriad of new services both legitimate and malicious. Criminals take advantage of the scalable, distributed, and rather easily accessible naming, hosting and routing infrastructures of the Internet. As a result, the battle against malware is raging on multiple fronts: the endpoint, the network perimeter, and the application layer. The need for innovative measures to gain ground against the enemy has never been greater. In this talk, we will present a novel and effective multi-pronged strategy to catch malware at the DNS and IP level, as well as our unique 3D visualization engine. We will describe the detection systems we built, and share several successful war stories about hunting down malware domains and associated rogue IP space.

At the DNS level, we will describe original methods for tracking botnets, both fast flux and DGA-based. We use a combination of fast, light-weight graph clustering and DNS traffic analysis techniques and threat intelligence feeds to rapidly detect botnet domain families, identify new live CnC domains and IPs, and mitigate them.

At the IP level, classical reputation methods assign “maliciousness” scores to IPs, BGP prefixes, or ASNs by merely counting domains and IPs. Our system takes an unconventional approach that combines two opposite, yet complementary views and leads to more effective predictive detections. (1) On one hand, we abstract away from the ASN view. We build the AS graph and investigate its topology to uncover hotspots of malicious or suspicious activities and then scan our DNS database for new domains hosted on these malicious IP ranges. To confirm certain common patterns in the AS graph and isolate suspicious address space, we will demonstrate novel forensics and investigative methods based on the monitoring of BGP prefix announcements. (2) On the other hand, we drill down to a granularity finer than the BGP prefix. For this, we zero in on re-assigned IP ranges reserved by bad customers within large prefixes to host Exploit kit domains, browlock, and other attack types. We will present various techniques we devised to efficiently discover suspicious smaller ranges and sweep en masse for candidate suspicious IPs. Our system provides actionable intelligence and preemptively detects and blocks malicious IP infrastructures prior to, or immediately after some of them are used to wage malware campaigns, therefore decisively closing the detection gap. During this presentation, we will publicly share some of the tools we built to gather this predictive intelligence.

The discussion of these detection engines and “war stories” wouldn’t be complete without a visualization engine that adequately displays the use cases and offers a graph navigation and investigation tool. Therefore, in this presentation, we will present and publicly release for the first time our own 3D visualization engine, demonstrating the full process which transforms raw data into stunning 3D visuals. We will also present different techniques used to build and render large graph datasets: Force Directed algorithms accelerated on the GPU using OpenCL, 3D rendering and navigation using OpenGL ES, and GLSL Shaders. Finally, we will present a few scripts and methods used to explore our large networks. Every concept is intended to detect and highlight precise features and will be presented with its corresponding visual representation related to malware detection use cases.
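The sub-prefix drill-down described above, as an added illustration in Python that is not code from the talk or from OpenDNS: it counts confirmed-bad domains per /24 inside constructed passive-DNS records, flags blocks that cross a threshold, then sweeps the same records for not-yet-flagged domains hosted in those blocks. The record format, the threshold and every domain and address are assumptions constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS style records: (domain, resolved IPv4). RFC 5737 addresses, not real indicators.
RECORDS = [
    ("bad-ek-one.example", "203.0.113.10"),
    ("bad-ek-two.example", "203.0.113.44"),
    ("fresh-domain-a.example", "203.0.113.77"),   # same /24 as two flagged hosts
    ("fresh-domain-b.example", "203.0.113.200"),
    ("unrelated.example", "203.0.114.5"),        # neighbouring /24, nothing flagged
    ("known-bad-lone.example", "198.51.100.9"),  # only one flagged host in its /24
    ("innocent.example", "198.51.100.50"),
]

# Constructed stand-in for a threat-intelligence feed of confirmed-bad domains.
BAD_DOMAINS = {"bad-ek-one.example", "bad-ek-two.example", "known-bad-lone.example"}


def suspicious_subranges(records, bad_domains, prefix_len=24, min_bad=2):
    """Return the /prefix_len blocks hosting at least min_bad confirmed-bad domains.

    Scoring small blocks instead of whole BGP prefixes or ASNs lets a single
    reassigned customer range inside a large, mostly clean prefix stand out.
    """
    bad_per_block = defaultdict(set)
    for domain, ip in records:
        if domain in bad_domains:
            block = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            bad_per_block[block].add(domain)
    return {blk for blk, doms in bad_per_block.items() if len(doms) >= min_bad}


def candidate_domains(records, subranges, bad_domains):
    """Sweep the records for not-yet-flagged domains hosted inside a suspicious block.

    The result is a review queue (domain -> block), not a verdict: a shared
    hoster can put legitimate sites next to bad ones.
    """
    found = {}
    for domain, ip in records:
        if domain in bad_domains:
            continue
        addr = ipaddress.ip_address(ip)
        for blk in subranges:
            if addr in blk:
                found[domain] = str(blk)
    return found


if __name__ == "__main__":
    blocks = suspicious_subranges(RECORDS, BAD_DOMAINS)
    print(sorted(map(str, blocks)), candidate_domains(RECORDS, blocks, BAD_DOMAINS))
```

Lowering `min_bad` to 1 trades precision for recall: the lone-bad-host /24 is then flagged too, and its clean neighbour lands in the review queue.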


Presenters:

  • Andree Toonk - Manager of Network Engineering, OpenDNS
    Andree Toonk is the manager of network engineering at OpenDNS. At OpenDNS, Andree is responsible for the OpenDNS global network architecture, development, implementation and operations of the OpenDNS infrastructure, managing all aspects: transit, peering, anycast, DDoS mitigation, facilities, routing, switching, firewalls, etc. Andree is the founder and lead developer of BGPMon.net, where he specializes in BGP routing and BGP security incidents such as routing hijacks and large-scale outages. Andree received his M.Sc. degree in System and Network Engineering from the University of Amsterdam. He has presented about network security at network engineering conferences around the world such as NANOG, TERENA and CANHEIT. Twitter: @atoonk
  • Thibault Reuille - Security Researcher, OpenDNS Inc
    Thibault Reuille is a Security Researcher at OpenDNS Inc. His research is mainly focused on big data visualization. At a very young age, Thibault fell in love with the demo scene and everything related to computer-generated art. He started to teach himself 3D graphics and went to EPITA school in Paris, France. He later joined the LSE, the computer security laboratory, for a total period of 4 years, where he spent a lot of time breaking everything he could. He built a solid knowledge of reverse engineering, pen-testing, secure programming, exploit writing and many other (in)security related techniques. After obtaining his master's degree in 2010, Thibault decided to move to California and accepted a position at Nvidia Corporation. This is where he had the chance to refine his 3D graphics knowledge and to dig deep inside the GPU mechanisms and the OpenGL API. He stayed at this position for 4 years. Finally, Thibault found a new job at OpenDNS Inc. as a Security Researcher and has been working there since June 2013. He is developing a 3D engine capable of rendering large amounts of data and extracting intelligent patterns from it using advanced graph theory. He believes the combination of visualization, distributed computing and machine learning is the key to taking computer intelligence to the next level. Thibault has given several presentations at world-renowned conferences, such as CanSecWest Vancouver (March 14, 2014), BSides SF (February 23, 2014) and BayThreat 4 (December 6, 2013). You can consult some of his work here: http://labs.umbrella.com/author/thibault/ and some of his artsy work here: http://thibaultreuille.tumblr.com/ Twitter: @ThibaultReuille
  • Dhia Mahjoub - Senior Security Researcher, OpenDNS
    Dhia Mahjoub works on research and development problems involving DNS, security, big data analysis, and networks. He focuses on building fast predictive threat detection systems based on the monitoring and analysis of traffic and hosting infrastructures. Dhia holds a PhD in Computer Science from Southern Methodist University, Dallas, with a specialty in graph theory applied to Wireless Sensor Networks. He has a background in Computer Networks with experience in writing sniffers and port scanners, among other things. Dhia presented his research at BSides NOLA, APWG eCrime, BSides Raleigh, BotConf, BSides San Francisco, ISOI 13 and SOURCE Boston, and will be talking at the upcoming BSides NOLA and VirusBulletin. He is also a member of the non-profit security research group MalwareMustDie, helping track botnets and other malicious sources on the Internet. Twitter: @DhiaLite