Hey everybody, there is a goon here, a very nice guy, who decided I shouldn't talk about DNS. I think Paul would agree if you were here for the last session. So he said, hey, do a different kind of session, it's Defcon. And I said okay, how about women, girls, and their role in Defcon over the years? That sounded good, right? Okay, so I'll give about a one-minute talk about that. Gotta activate this shit. Here we go. Okay, DNS abuse infrastructure: games and tricks. But first.

Okay, so women, girls, and their changing role in Defcon over the years. So basically we had the senior horse, right, all these girls going around giving stickers and trying to get you to buy products and whatnot. We had the girl hackers. They're cool. Some of them really know their shit, some of them don't know shit, but well, they're cool. Anyway, come to Defcon, girls. Then we had the girlfriends, and we didn't have that many of those, but you know, in the past year or two, dude, did everybody get married or something? I mean seriously. When hackers get old the chicks dig them, or what? What the fuck is going on with all these chicks at Defcon? We need to keep it up.

Anyway, let's start with the actual presentation now. Go, Archangel the goon. He just invented his own nickname today. So, DNS abuse infrastructures: games and tricks. Okay, my name is Gadi, everyone. I work for an Israeli security vendor called Beyond Security, and today I'm going to talk to you about, well, games and tricks. Now, contrary to common belief, I will not be talking to you about DNS, and I'll tell you why. Well, you guys will be shocked about what I'm going to talk to you about. Any guesses? No, not girls. I don't know anything about girls. What? A rat? I'm afraid of Russians, I won't say that. Who? Oh, yes, tubes and trucks.
Yes, we'll talk about using tubes and trucks. That joke is getting old, even for me. I mean seriously. Okay, I'm going to talk to you, surprise surprise, about botnets, and I believe this is the very first time that I agreed to talk on botnets directly. But since this is about DNS anyway, it won't be about botnets directly. Okay, enough blah blah blah. Actually, do you guys know what "blyad" means in Russian? They just say "blah", but it's "blyad", and it's spelled b-l-y-a-d. No, well, depending on what level of Russian you can speak, it can be a connecting word that you say every second word. You can guess by yourself what it means. What? Right.

Okay, so we're not talking about DNS. We're talking about nets, phishing, water. Surprise. Yeah, yeah, yeah. Yes, but that's what a surprise. Let's start.

Okay, before we begin, let's talk about TTL. I actually asked Paul to invent a line for me about TTL, and this is what he came up with, because I was too stupid to come up with it on my own. But basically, the TTL is part of DNS itself. You can't do without it. That said, it works. Whatever you want to do, whatever attack you want to use, if you don't use the TTL ahead of schedule, set the settings for that ahead of schedule the way you want it to be, your attack probably won't be that successful. And it works very well both with the good guys and the bad guys, and that's basically what we're going to show.

But what we're going to start with is the use of DNS, a little bit about it anyway, for botnets and phishing. And, well, okay, I'm repeating myself again. Let's start. What kind of technologies do the bad guys have? There are, there still are, a lot of companies out there called dynamic DNS providers. What these guys basically do is provide, with an often free service, something that lets you go to their site, register, and they will give you free DNS hosting, or give you a host in case you don't own a domain. Whatever else, it's cool.
These guys give it to you for free, and if you only ever have, say, a GeoCities website, or you only have a site at home, or you don't really have the hardware, the iron, to put up your own DNS servers, these guys are doing an amazing service for the web. These guys are old news. Why do I say this? Although dynamic DNS providers in essence provide great functionality for internet users all around, whatever can be used as functional can also be abused as well, for abuse. Yes, my English is great, thank you.

So what happened was that around the year 2004, well, that's when it started, early on, but around that time, what basically happened was that, you know, it happened. And okay, I'll stop with this now, it sounds funny. Bad guys would go register with a dynamic DNS provider and say, hey look dude, I want this A record to point to this IP address, do this for me please. And they'll say sure, please register with us. They would advertise this, say, host on their malware, on their viruses, worms, whatever you want to call them, so that whenever a Trojan horse, a worm, whatever, installed itself on your computer, it would go out and connect to the command and control server for the botnet.

As you know, or you don't know, botnets are basically... a bot is basically a Trojan horse, meaning you have a computer that is completely owned, as in it is compromised. The attacker has complete control over it. That's Trojan horses, that's how all these things work. Duh. But multiply that by a million, multiply that by 10 million, these are the numbers we are talking about. And one of the ways of getting them was going after a centralized point. Going after one bot at a time is not really working. It might be just what we'll end up doing, but it's not really scalable, especially when some of the ISPs don't have the manpower or will to do that, and I'm not sure that's really their job anyway. So going after a centralized point that controls all these bots is a pretty good idea. It's pretty neat.
It doesn't work anymore, because these botnets have become extremely smart, and we'll show in a few minutes how they do it, though. If you kill the command and control server, it doesn't help you. That said, dynamic DNS is great. Why? Because I take down that IP address, I take down that command and control server, and the bot sitting on your computer, on a million computers, trying to connect to that command and control server, will not find it. That's amazing, right? Wrong. I'll go to the dynamic DNS provider, log into my account, go to the control over that particular host that the bot knows to connect to, and I'll change the IP address. Isn't that smart?

So once that dynamic DNS provider is on to me... and they get abused real bad. It really hurts them that these guys do this, because botnets basically suck, and even though they're only using the service provided by dynamic DNS providers, they're taking a lot of bandwidth. Now the dynamic DNS providers will see them, because they take a lot of bandwidth, and kill that particular account. That same day, two other accounts will be opened with that dynamic DNS provider, then other dynamic DNS providers. And these guys are heroes on the internet. Even though they are businesses, they do a lot to stop this threat. And all this is old news. Yes, they're still being abused. Yes, dynamic DNS providers are still being used for botnets. But that's not really the biggest threat out there.

That was the beginning of how DNS was abused, because before that, what you would do, you would find a command and control server, say in 1996... okay, people started working... I'm old, kind of. So people started working on this at 2004, 2003, and you find an IP address. From that you would somehow get to the A record and you'll try to find other As, because the bot itself, the Trojan horse, would store other hosts it can connect to if one went down.
It would go to the next. That said, the sample could be analyzed locally, so you'd have all these hosts and could go after everything. Much like with games, computer games, network games: when the user profile was saved locally, in any security system at all, but computer games are a good example, they could be hacked. Hacking became a lot more difficult, I wish Luigi was here, he's cool, hacking became a lot more difficult because the user information was saved on the remote server. That's what these DNS records mean, and when this could be changed very, very quickly, we had some trouble with that.

Okay, we just covered that. Multi-homing. Now, I didn't even know it's called multi-homing or multi-homing, I don't know how you guys pronounce it. Well, basically that means you have a lot of A records, or when you search for, say, blyad dot, or I-own-your-ass dot example dot com. Oh come on, that's one of the more boring names. You really have to see some of the hosts the botnet controllers are using sometimes. Hey guys, I know you're in there somewhere. Do you speak Russian, blyad? No? Okay. So an ex-girlfriend of mine, the Russian... I love Russians. A sixth of Israel is Russian, seriously. I love Russians. This is just something I have against the Russian mob.
Okay. So basically, when you would look for the record, when you look for those, you will find 10 IP addresses, 13 IP addresses, and you have to take down each and every one of these IP addresses, each and every compromised IRC server, or specially put-there IRC server, that was used as the C&C, as a command and control server, in order to get rid of the botnet. That meant you had to run after a lot more ISPs all around the world to get rid of just one point of control. That got a little bit more complicated.

And at this point in time we said, hey, you know guys, we can do this. I mean, we know we're doing something bad, because whenever you push the bad guys... and again, bad guys for me are not black hats. Bad guys for me are people who steal your mother's money, or people who steal your thesis, or people who destroy your computer, or people who steal your grandma's money. Okay, you get the point: the mob, people who do real crime online. And things were pretty nice then, because we could kill the command and control servers. We could, with one coordinated strike, bring down a botnet of 500K hosts. Okay, and that was three years ago. We had one of 250K, I believe David Dagon was involved with that back then, and David Ulevitch from EveryDNS. That's a test case they often show.

Life was good back then, but we pushed the bad guys to evolve. Just like with spam, you ignore the problem when it's small, you know, when it's not bothering you, when the cost of dealing with it is not worth it because you don't lose that much. Two or three years later, it's too late, and you enter a never-ending war that's basically reactive. And when you do something, the bad guys invent a new technology, because they have a return on investment they don't want to lose. If you get into their business,
they'll find a way to get their business back. So they will invent new technologies to do that. So that's multi-homing, and that was the good life.

Fast flux. Fast flux is something that's been around for a while. There are several people who can tell you about examples of this with worms from several years ago, which kept changing IP addresses at an alarming rate. That said, it was brought to the fore again. It was used just by a few worms three years ago, four years ago, two years ago. There is a girl, she's called April, April Lorenzen, who has done a lot of work in this area, and she deserves a lot of the credit.

Now, fast flux basically means that you'll take the A record, okay, you'll set a really low TTL, and within a day, for example, in the better cases, that IP address would be somewhere else entirely. So you would waste that day trying to take down the ten IP addresses that that botnet uses for the command and control server, not to speak of the secondary control channel, and not to speak of all the other shit that the bad guys put in there. And then it would already be somewhere else, because it's changed already. Sucks, right? What happens if it's happening every ten minutes? By the time you run after one address, one IP address that's currently hosting the IRC server, or whatever other means or mediums this botnet is using to communicate or to be controlled, it's already gone. In botnets we've been a little bit more lucky, it's not been ten minutes, but in phishing, oh yeah, definitely. Phishing has seen this kind of games a lot, and it's wearing us down.

Now I'll show some examples of fast flux with a botnet that we handled a year ago, and then more recently what happened with the sense and the group that was controlling it.
Now, what you see here, for example, is an NS record for addicted-to-drugs dot info: ns.bnmq.com. The TTL is set quite normally to 86,400. Now, as you move down, you can see other addresses that are somewhat related to the first one, other name servers. We'll get back to what is happening there later. But if you look down, and that's a bit disturbing, and I still haven't been able to explain that one by the way, you can see name servers with TTLs of 15 seconds. Dude, 15 seconds. I mean, that's a DoS by itself, right? The bots keep checking for what the fuck is the host. I can't hear you. You're probably right, you're probably very smart, but I can't hear you. Please go to the mic.

"Won't most resolvers just ignore TTLs that small?"

Probably. Okay. Like I said, I haven't been able to figure out the 15 seconds part, but you know. As you go down you can see other examples here, and what's amazing really... oh, okay, I'll explain why I skipped that here. Okay, my slides are a little bit confusing, allow me to go ahead with them and explain something else. I will get back to the examples in a second. I can't really give you live examples with botnets that are running right now and show you how we track them down using DNS tricks, because, well, my screen isn't working. But oh well, there's enough info here.

The bad guys use another type of fast flux, which is called NS fast flux. Now imagine you don't play with the A record anymore. You don't move the A record around, you move the name server around. Okay, imagine every day the name server itself just switches IP address. Imagine spam.
Okay, that you would go out there and register a domain. When you register it you put it on, say, ns3.google.com and ns4.google.com. These don't really have any traffic as far as I know, but I may be wrong. And then you change the domain to point to real name servers. You wait a little while, you send out your spam run, spam everybody and their brothers, and then go back to google.com. How do you find what was used to spam with? You look at the domain and you have no idea what was used. You see Google. Hey, what's going on here? These guys are starting to hide themselves because we got ahead of the game again. We started to think, hey, they're moving very fast, we'll have to move very fast too. So once again, whack-a-mole. That's one of the... every IP address out there changes on the spot, on the fly. Sounds good, right? Well, let's do it with name servers. But the problem with name servers is they're a little bit harder to replace than domains. A spammer can go out there and buy, say, 5K domains, throwaway domains, and move on to the next domain, and a name server is a real server. It's not that complicated, but it's a little bit more complicated than just using another domain, you know, kind of. So that's the difference between regular fast flux and name server fast flux. It's just another record, but people often confuse that.

Now let's take a look at this example, and we'll get to the examples I intended to show earlier, I was getting ahead of myself. yp-whatever-blah-blah-blah dot com. This is Randy Vaughn's kind of writing, by the way, so I have no idea what he wants from me. It's an odd duck.
There is a group called OMG, as in oh my god, I think, but I don't want to know what it means if it's not that. And I really bounced around. I don't know what cats with masking tape on their toes means. Okay. Now they used ns.xznet.cn and ns.znetdns.com. Now the A record only used a 120 TTL, and yes, that worked in most cases. Shouldn't it? You seem to know about DNS, what do you think? You asked the question, where are you? Yo, would it work? You're on the spot now, answer me now. Come on, I don't hear you, go to the microphone. No? Okay, I don't want to hear from you, go back to your seat. No, I'm serious, I'm asking a question really, and back at you. I suspect that, oh, in much kind of way. Okay, I think that... do you know the joke that Mudge uses? Because I don't want to steal it from him, so please tell me you know this joke. Okay, that the Microsoft encryption. Yeah, yeah, yeah.

"I seem to recall that most reasonable resolvers won't cache anything with less than a 60 second TTL, so 120 would probably work."

Thank you for saying that, I appreciate it. So yes, you're right again, and I didn't call you to make fun of you, I wanted that to be affirmed. Thanks. Now shut up. Shut up. I can do it in metal screaming too. Wait a second, shot. No, I won't work for now. Now, the original command and control servers were in the United States and in Europe. But, well, you know, even if the United States and Europe can't be played around with, and ISPs can be moved and the command and control servers can be jumped really quickly,
well, China is so much easier, you know, kind of. So it's moved to China now. There are quite a few C&Cs, okay, that use short TTLs and long name server TTLs, for exactly the same reason that we talked about with fast flux for A records. And, well, for example, got-robbed dot info at a TTL of 600, which is just 600 seconds, not that much. And whatever, blah blah blah. Yeah, well, again, they use dynamic DNS providers, nothing big, nothing that big, and we are done with Monday's text. Thank God.

Okay, now here's an example of a promising command and control server: gay-lame dot Hungary. Is Hungary lame? I don't know about gay, and actually I don't know Hungary, it's a beautiful country, whatever. And the IP address, and the name server was a net quest, 60. You said 60, right, as the minimum? Here you go. Gay lemon, guerrilla, gay lane Hungary and all that, whatever. Now, this is pretty interesting. The A record, godlike dot ostabil dot and you whatever, changes. These keep changing IP addresses, and what I wanted to do basically was take these IP addresses, take these hosts, take these domains, and show you how many IP addresses they have right now and what the history is. But sorry, I can't do that. Whatever, next.

Now, as you can see, all these name servers were used for these A records of the previous OMG botnet that I just showed you. Interesting name servers. Now, there is one that's really interesting, which is nameserver2.bnmq.com. What do you think about that? All these A records are now mitigated, as you can see, they've all been mapped to a non-existing IP address, 0.0.0.0, whatever. And so these are all closed now.
They don't exist. And then we see some other examples down there, as you can see, and these are all at a narrow telecom, whatever, somewhere. Whatever. University of New Mexico, sorry about that, University of New Mexico, but you guys closed it pretty quickly. The old ad, not very interesting. Right now, take a look at this. All these addresses have been used, and this is not just multi-homing. This is keeping addresses every couple of hours. It was pretty annoying. These are actually live right now if you want to check them. This is the IRC server, main dot ibreathetheweb dx dot com. Maybe we shut it down by now, got it a few days ago, could be. Still, they're alive right now. Probably the last IP address, whatever. Here's some of the bounces they had, as you can see, IP addresses again, all the time. Should have kept it, kind of. The timestamp would have helped. No long TTLs though on the A record, and then on NS records, as you can see, they're not really that weird.

Now, the good guys have a lot of... okay, let's first talk about that before I move to what the good guys are doing to combat this issue. Do you guys have questions about this? How it works, what it does, how these command and control servers and phishing servers are controlled? Everybody understood? Am I dead slow? Whoo, cool. Okay, let's move on.

Now, what can we do to track these guys, really? We can do a lot. We can use a lot of good tools, such as traceroute, reverse DNS, looking at whois and whatnot, and just seeing what the DNS answers are when we send requests. That's pretty straightforward. That said, there are a lot of other tools, such as, for example, Florian Weimer's... Weimer's, I'm sorry.
I never remember how to pronounce the last name. He is a very good guy from Germany, and he invented something called passive DNS replication. What it basically means is that you sit with a sniffer outside of the DNS box, on the same network basically, and you look at queries. You don't look at who's sending the queries. You only look at the actual responses, the actual answers, and that way you keep them all in a database. And for example, if you look for one IP address historically, you can... from their perspective again, they don't have perfect coverage, this is basically harvesting... they can see all the historic IP addresses, all the historic hosts. And on some occasions, when I look, for example, for some domain that was spammed in an email and I'm quick enough, I can see 400 or a thousand IP addresses in the history. When I look at the IP address, I can find 400 other domains, or a thousand other domains, that were used. It's pretty interesting to follow these things, and with every domain, it's never ending. You would need a huge, huge visual system to be able to visualize all these things, and maybe that won't really help us at all, because who can handle such huge pictures? Maybe Dan Kaminsky. I can't. If you have seen his presentation, visual stuff, 100 megabyte pictures.

Now, the other things we can do, for example, again, April Lorenzen really reinvented this field. You can download, basically, dot-com. You can download the zone files for dot-com, dot-net or dot-info, and a little bit of others. Some of them you need to register for, some of them do a little bit of vetting, such as, hey, what's your name?
Some of them are not that difficult to get, some are a little bit more paranoid than others. And when you download these files, these databases, every day and you look for diffs, you can find what domains have been registered since yesterday. And that has been very helpful in tracking down phishing, tracking down what new spam domains are about. If there is one spam domain that we know is a spam domain, looking for others like it, searching by a lame method such as keywords, or, for example, checking what domains are on what name servers. Yeah, that could help, right? So if, for example, we see that the bad domain is using a name server, we could potentially look historically at the data and see what other domains are using this name server. Is it a legitimate name server? Is it not a legitimate name server? So, like I said earlier, the bad guys started using Google when they spammed out. Still, it was a clear trick.

Now there are other games, not really related to botnets, that you can do with DNS. And these are not really related to botnets, to DNS itself, for example with Google. You all heard about blog spam, right? Comment spam and all the related stuff around it. So for example, Google... okay, this is a bit of a story, but let's go over the slide real quickly. You can see here five and a half billion results.
It's something like five million apparently, by some Google guy who clarified this. But five billion results for ELQZ2Q dot org, which basically was a blog spam run. They registered the domain with three of these, which means coming before the ELQZ2Q with the dot. They basically spammed a ton of blogs, a ton of comments, a ton of sites, and what they got to was making sure that whatever had that domain in it would have a really high ranking in Google. Yeah, Google did something called nofollow for the blogs to help deal with comment spam and rating poisoning and all that shit, but they still indexed the sites, so it doesn't really help us. So, for example, an unrelated system, unrelated to DNS in any way, well, in almost any way, and still the way they archived DNS entries, the way they archived sites, was abused. I'm not saying this is something against Google, this is just the way it happened. And these things keep happening, because DNS, whether by use of the infrastructure itself... as you notice, I try not to talk about the infrastructure, the root servers, the TLD servers, because they're taken care of, you've seen Paul Vixie sitting here, standing here, just an hour ago... but what can be done by the use of DNS, which is a network.
It's everywhere. Everyone is using it all the time. It's pretty cool. For example, if you want to hijack a site, right, that's not beyond reason that you will be able to do it. There are far easier ways to get users to go to a malicious web page and get installed with a lot of spyware. There are hundreds to thousands of new sites every day, each of them installing rootkits and Trojan horses with rootkit technologies to steal banking information from users, every day, legitimate sites, you can find them on Google still. You don't really need to hack a DNS server or to do some trick to do all this. If you already have a Trojan horse on the machine, go to the hosts file, put in www.google.com and point it to your own server, and you will serve spyware. Every place in the chain, whether it's the name server or the actual record on your machine, can be played with, and these games are being played daily. Spyware, malware, all this stuff has been doing it for years on the machine itself. We have a whole herd of domain hijacking, although that's less of a threat, and there are so many easier ways to get this stuff done. And here we go with Google, which just stores this information, and a domain that was just spamvertised on blogs, which is basically another way to do regular spam. It's not some other type of unoffensive spam out there. It's very disturbing, it's very huge, as you can see. It has been affected. So yes, there are a lot of games: fast flux, moving domains around, moving name servers around.

A question. Adam, I forgot your last name, I apologize, please don't kill me. Are you here? Can you tell me your last name? Never mind then.
For example, he started a blacklisting, probably greylisting, service that will tell you if a domain that is being emailed to you is less than five days old. That's very effective in fighting spam. That said, spammers would just wait a month. You know, for the first month or so they'll have higher costs, because they'll register double the domains, or a lot more domains, and start using them only after a certain period of time. But their costs would go down, and the effectiveness of the blacklisting will go down as well. Whatever we do, they always have a different way of approaching that, and if our response is playing kill-the-fire-now, instead of seeing it coming at us and trying to deal with it at the core when it's still small and when nobody cares about it, we're never going to win.

So that's basically about that, and other things that can be done, for example, blacklisting name servers. Again, ns3.google.com on your domain after you finish spamming. You finish the spam in 10 minutes, send a billion messages from a million bots, and you're done. Now we have about 10 or a little bit more minutes to hear questions about all these issues: botnets, phishing, and everything else that uses DNS. I would love to hear your questions, or not. Thanks guys.
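The passive DNS replication and fast-flux tracking the talk describes, as an added example that is not the speaker's or Beyond Security's tooling: an answer-only store (what the resolver returned, never who asked), a per-name score from TTL and the number of distinct addresses and /24s an A record has cycled through, the same score applied to a delegation's name server hosts for NS fast flux, and the "which other domains sit on this name server" pivot. All domains, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Answer:
    """One record seen in a DNS response: owner name, type, data, TTL."""
    name: str    # owner name of the record
    rtype: str   # "A" or "NS"
    rdata: str   # IPv4 address for A, name server host for NS
    ttl: int     # TTL as served in the answer


def canon(name):
    return name.lower().rstrip(".")


class PassiveDns:
    """Answer-only store, as in passive DNS replication: it keeps what the
    resolver returned and nothing about which client asked."""

    def __init__(self):
        self.records = defaultdict(list)   # (name, rtype) -> [Answer]
        self.ns_index = defaultdict(set)   # ns host -> {delegated domains}

    def add(self, ans):
        self.records[(canon(ans.name), ans.rtype)].append(ans)
        if ans.rtype == "NS":
            self.ns_index[canon(ans.rdata)].add(canon(ans.name))

    def a_history(self, name):
        """Every address this name has ever been seen resolving to."""
        return sorted({a.rdata for a in self.records[(canon(name), "A")]})

    def domains_on_ns(self, ns_host):
        """Pivot: which other domains are delegated to this name server."""
        return sorted(self.ns_index[canon(ns_host)])


def a_flux(store, name, low_ttl=600, min_ips=5, min_prefixes=3):
    """Classic fast flux on an A record: a short TTL plus many distinct
    addresses spread over several /24s (many hosts and ISPs to chase).
    The thresholds are this example's own choice, not the talk's."""
    answers = store.records[(canon(name), "A")]
    if not answers:
        return None
    ips = {a.rdata for a in answers}
    nets = {str(ipaddress.ip_network(ip + "/24", strict=False)) for ip in ips}
    min_ttl = min(a.ttl for a in answers)
    flagged = (min_ttl <= low_ttl and len(ips) >= min_ips
               and len(nets) >= min_prefixes)
    return {"ips": len(ips), "prefixes": len(nets),
            "min_ttl": min_ttl, "flagged": flagged}


def ns_flux(store, domain, **thresholds):
    """NS fast flux: the delegation can keep a normal TTL while the name
    server host's own A record cycles, so score each NS host's A history."""
    hosts = {canon(a.rdata) for a in store.records[(canon(domain), "NS")]}
    return {h: a_flux(store, h, **thresholds) for h in sorted(hosts)}


def build_sample_store():
    """Constructed observations (documentation address ranges): a fluxing
    C&C host, an ordinary multi-homed host, and a fluxing name server that
    two domains share."""
    store = PassiveDns()
    flux_ips = ["203.0.113.7", "198.51.100.21", "192.0.2.44",
                "203.0.113.99", "198.51.100.3", "192.0.2.130"]
    for ip in flux_ips:                       # C&C host, TTL 120, cycling
        store.add(Answer("cnc.flux.example", "A", ip, 120))
    for ip in ["192.0.2.10", "192.0.2.11"]:   # plain multi-homing, long TTL
        store.add(Answer("static.example", "A", ip, 86400))
    store.add(Answer("flux.example", "NS", "ns1.fluxns.example", 86400))
    store.add(Answer("other.example", "NS", "ns1.fluxns.example", 86400))
    store.add(Answer("static.example", "NS", "ns.static.example", 86400))
    for ip in flux_ips[:5]:                   # the NS host itself cycles too
        store.add(Answer("ns1.fluxns.example", "A", ip, 120))
    store.add(Answer("ns.static.example", "A", "192.0.2.53", 86400))
    return store
```

Feeding real resolver responses into `PassiveDns.add` instead of the constructed ones is the only change needed to run this over live traffic, and the 600-second TTL cutoff is deliberately above the 60-second floor mentioned in the audience exchange so the 120-second case in the talk is still caught.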