This domain name will self-destruct tomorrow

An overview of the Dorothy IP reputation system

This domain name will self-destruct tomorrow

Frank Denis

OpenDNS Security Labs

frank@opendns.com

@jedisct1

OpenDNS

• Open DNS resolvers: 208.67.220.220 & 208.67.222.222

• Can be used to block malware, botnets, phishing.

• Security Graph: DNSDB + reputation systems

</marketing>

Reputation

trust level

IP reputation: just one of the many features used for classification

price(IP) > price(domain) > price(subdomain)

l7099.com q8940.com s5416.com u1105.com v9054.com w1130.com w9148.com x1132.com y1149.com z0338.com z2837.com a0257.com f0390.com h9169.com t7149.com

penispaldevice.com beautifulwebcamsgirls.com

Ransomware

Malvertising

count(items known to be malicious) / (count(full set) + C)

Co-occurrence relation between queries

Useful to extend existing lists

What if we didn’t label anything before?

DGA pattern

dwayoq.gkxvxvtoq.biz 06vjbb.eiclpilgp.biz 0vq1ol.egivdjpyb.biz 33qd6r.trdtffxya.biz 3h31h3.ohtnaoani.biz 4trmrj.trdtffxya.biz 5vdckg.ohtnaoani.biz 8i7ugu.eiclpilgp.biz b0tse7.eiclpilgp.biz bcx5nd.mrelvrobu.biz dckc3d.trdtffxya.biz dlvmsz.eiclpilgp.biz duf2jj.ohtnaoani.biz htzcni.eiclpilgp.biz hwsotz.ojdomjbri.biz jf2mkk.aaefpbrwf.biz mqihxp.xyevppjpw.biz nfq70m.huiabgkfh.biz ow6vt1.ojdomjbri.biz q1kfvx.eiclpilgp.biz qbjp6w.aaefpbrwf.biz u49zqt.hslrnwqtr.biz v9lpyh.mrelvrobu.biz wn2xci.mpnlnwnbd.biz x71goh.ohtnaoani.biz ygig8u.trdtffxya.biz 01lt9k.ljabojeag.biz 05w2p4.xjlwqsshk.biz 0c7d7i.ljabojeag.biz 0l3grl.qeqfofqil.biz 0lkvfq.wcjlbyikh.biz 0ln3gs.bucbbqswa.biz 0tg47r.bucbbqswa.biz 163em8.kpoisetkp.biz 1n2rw9.ljabojeag.biz 1njh89.kpoisetkp.biz 1r9a3p.bucbbqswa.biz 23b8fw.xjlwqsshk.biz 2684sc.jpitlicla.biz 2y4hdx.qeqfofqil.biz 34uzo7.jhbleynam.biz 36vgh9.pwrueetru.biz

Not always malicious

Blackhat SEO CDNs

Mobile sites

Fast flux pattern

californiyaslososemk.com

8,855 unique IPs, 564 ASNs, 45 countries over a 5-month period

But a lot of malicious IPs are not part of a fast-flux infrastructure.

Example: DGA-based C&Cs

Another IP reputation system: Dorothy

Because there is no place like 127.0.0.1

Constantly moving to new subdomains, new domains, new IPs makes malware more resistant to takedown.

Subdomain rotation is free.

Domain rotation happens at regular intervals or shortly after a domain has been flagged by some security products.

IP rotation happens as well, but is usually slower than domain rotation.

Hosting a C&C on a compromised host would be a terrible idea.

price(IP) > price(domain) > price(subdomain)

t-6 t-5 t-4 t-3 t-2 t-1 t

N1 X

N2 X

N3 X

N4 X

N5 X X

N6 X

N7 X

N8 X X

N9 X

X : Ni resolves to this IP and real client queries were observed for this (name, IP, time window) tuple

t-6 t-5 t-4 t-3 t-2 t-1 t

N1 X X X X X X X

N2 X X X X X X

N3 X X X X X X

N4 X X X X X X X

N5 X X X X X

N6 X X X X X X

N7 X X X X X X

N8 X X X

N9 X X X X

X : Ni resolves to this IP and real client queries were observed for this (name, IP, time window) tuple

IP              Names   Median lifetime (days)   Median client IPs/name/day
92.48.122.132   19993   1.0                      1.0
208.73.211.247  15964   1.0                      10.0
198.27.90.196     244   1.0                      1.0
193.169.86.247  19069   1.0                      1.0
100.2.24.243      135   3.65                     10953.0

A lot of names on a single IP is not necessarily bad.

A lot of names only active for a very short period of time on a single IP looks pretty bad.

count(domains) × (max_lifetime - median_lifetime(domains))

IP               Score
88.208.18.34     -99.99994344508787
66.6.40.14       -99.99991902141797
66.6.40.41       -99.99991881331263
66.6.40.38       -99.99991849346496
66.6.40.40       -99.99991847539887
66.6.40.58       -99.99991843314294
66.6.40.55       -99.99991764598933
92.48.122.132    -99.9999137065818
107.20.206.69    -99.99990925954143
198.52.243.229   -99.99990697303538
181.41.202.249   -99.99990279989224
208.93.0.128     -99.99990129681458
109.123.127.228  -99.99989610061355
208.73.211.247   -99.99989518133837
10.0.15.201      -99.99989386815456
208.73.211.249   -99.99989356270828
208.73.211.230   -99.9998933650058
208.73.211.246   -99.99989335858926
168.63.160.30    -99.99989324720488
75.98.17.61      -99.99988611752897
62.149.128.160   -99.9998744487991
62.149.128.151   -99.99987442160271
62.149.128.154   -99.99987441006259
62.149.128.157   -99.99987419281405

88.208.18.34   -99.99994344508787   DGAs

66.6.40.14     -99.99991902141797   Tumblr

92.48.122.132  -99.9999137065818    Caphaw banking trojan

Immediately followed by:

• Parked domains

• More Caphaw

• Livejournal subdomains

• Malicious redirection service

• Nuclear Exploit kit

• Microsoft CDN (msedge.net)

• Browlock ransomware

• Sinkhole

• Fast flux (Rogue pharmacies)

t-6 t-5 t-4 t-3 t-2 t-1 t

N1 X

N2 X

N3 X

N4 X

N5 X X

N6 X

N7 X

N8 X X

N9 X

X : Ni resolves to this IP and real client queries were observed for this (name, IP, time window) tuple

X:

• Ni resolves to this IP

• number of real client queries > (median(number of queries per day) / 4) for this (name, IP, time window) tuple

92.48.122.132  -79.552485207211

Active Cryptolocker domains
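The activity grid, the per-IP statistics (name count, median lifetime, median client IPs per name per day), the count(domains) × (max_lifetime - median_lifetime) score and the refined "median / 4" rule for what counts as an X, worked through in code. This is an added Python example, not OpenDNS code and not the Dorothy implementation. The observation tuples are constructed sample data; the 7-day window, taking the "median number of queries per day" over each name's own days, and measuring lifetime as the span from a name's first to last active day on the IP are assumptions; and the function returns the raw product rather than the scaled negative values shown on the slides, whose scaling the deck does not give.

```python
"""Toy Dorothy-style IP stability score (added example; assumptions marked)."""
from collections import defaultdict
from statistics import median

# Assumed length of the observation window in days (max_lifetime in the slide's formula).
WINDOW_DAYS = 7

# Constructed sample observations, not real passive-DNS data:
# (name, ip, day, real_client_queries, distinct_client_ips)
OBSERVATIONS = [
    # 10.0.0.1: six throw-away names, each resolving to the IP for a single day
    *[(f"n{i}.churn.example", "10.0.0.1", i, 40, 1) for i in range(1, 7)],
    # 10.0.0.2: a busy, stable host; three names stay on it for the whole window
    *[(f"cdn{i}.stable.example", "10.0.0.2", d, 5000, 1200)
      for i in range(3) for d in range(1, WINDOW_DAYS + 1)],
    # 10.0.0.3: one name that is busy for four days and then dwindles to a trickle
    *[("app.tail.example", "10.0.0.3", d, q, c)
      for d, (q, c) in enumerate([(100, 30)] * 4 + [(2, 1)] * 3, start=1)],
]


def active_tuples(observations, apply_threshold=True):
    """Return the (name, ip, day) tuples that count as an 'X' in the slide's grid.

    Base rule: the name resolved to the IP and real client queries were seen.
    Refined rule: the tuple only counts when its query count exceeds
    median(daily query counts) / 4; the median is taken over that name's
    own days in the window (assumption).
    """
    daily = defaultdict(list)
    for name, _ip, _day, queries, _clients in observations:
        daily[name].append(queries)
    threshold = {name: median(q) / 4 for name, q in daily.items()}
    active = set()
    for name, ip, day, queries, _clients in observations:
        if queries <= 0:
            continue
        if apply_threshold and queries <= threshold[name]:
            continue
        active.add((name, ip, day))
    return active


def ip_profile(observations, apply_threshold=True):
    """Per-IP summary matching the per-IP slides: name count, median lifetime
    (first to last active day, inclusive; assumption) and median client IPs
    per (name, day)."""
    active = active_tuples(observations, apply_threshold)
    days = defaultdict(set)   # (name, ip) -> active days
    clients = {}              # (name, ip, day) -> distinct client IPs
    for name, ip, day, _queries, client_ips in observations:
        if (name, ip, day) in active:
            days[(name, ip)].add(day)
            clients[(name, ip, day)] = client_ips
    by_ip = defaultdict(list)
    for (name, ip), active_days in days.items():
        by_ip[ip].append((name, active_days))
    profile = {}
    for ip, names in by_ip.items():
        lifetimes = [max(d) - min(d) + 1 for _name, d in names]
        per_day = [clients[(name, ip, day)] for name, d in names for day in d]
        profile[ip] = {
            "names": len(names),
            "median_lifetime": median(lifetimes),
            "median_clients_per_name_day": median(per_day),
        }
    return profile


def dorothy_score(profile, max_lifetime=WINDOW_DAYS):
    """count(domains) x (max_lifetime - median_lifetime(domains)), as on the slide.

    Larger means more names that lived only briefly on the IP. The deck shows
    a scaled, negative version of this quantity; the scaling is not given, so
    the raw product is returned here.
    """
    return {ip: p["names"] * (max_lifetime - p["median_lifetime"])
            for ip, p in profile.items()}


if __name__ == "__main__":
    for ip, p in ip_profile(OBSERVATIONS).items():
        print(ip, p)
    print(dorothy_score(ip_profile(OBSERVATIONS)))
```

With the sample data, the IP hosting six one-day names scores 6 × (7 - 1) = 36, the stable host with three names live all week scores 0, and the tail-off name shows what the refined X rule changes: its trickle days fall under median/4 and are dropped, so its lifetime shrinks from 7 to 4 days and the IP scores 3 instead of 0. As on the slides, the score only reflects how stable an IP's names are; a CDN or a hosting provider with many long-lived names scores low even with a huge name count.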

Dorothy

• A simple IP reputation model, reflecting the stability of an IP address.

• Not a replacement for your current models, but another feature worth considering to help researchers to spot C&Cs, hosts serving exploit kits and massive spam campaigns.

Thanks!

• This is slide #42

• OpenDNS: http://opendns.com

• Umbrella Security Labs: http://labs.umbrella.com

• frank@opendns.com

• Github/Twitter/Flickr: @jedisct1
