Università degli Studi di Milano, Facoltà di Scienze Matematiche, Fisiche e Naturali, Dipartimento di Informatica e Comunicazione
FluXOR: Detecting and Monitoring Fast-flux Service Networks
Emanuele Passerini, Roberto Paleari, Lorenzo Martignoni, Danilo Bruschi
DIMVA 2008
E. Passerini, R. Paleari, L. Martignoni, D. Bruschi, FluXOR, 1 / 12, DIMVA 2008
Botnets
What is a botnet? A network of infected machines (bots) used simultaneously to achieve the same purpose. Different purposes: spam, DDoS, phishing, scam, massive SQL injection, ...
Fast-flux service networks: a new (~2007) technique to maximize botnets' availability. Simple idea: add an additional indirection layer (i.e., a proxy) between the victims and the controlling elements.
Fast-flux botnets: Architecture
[Figure (animated diagram): Victim, Non-authoritative name server, Authoritative name server ns1.ktthe.com for tje.mooffx.com.cn, Agents 1-6, Mother-ship. The builds show the victim's query "A? tje.mooffx.com.cn" going to the non-authoritative name server and on to the authoritative one; the answer returns the agents' addresses ("A 212.23.46.91", "A 137.243.0.8", ...); the victim's "GET /ind..." request is then drawn from the victim to an agent and from the agent to the mother-ship, and "Malware" is drawn back along the same path.]
Fast-flux botnets: Characteristics
[Figure: the same architecture diagram (Mother-ship, Agents 1-6, Authoritative and Non-authoritative name servers, Victim).]
Off-line, disinfected, and faulty bots (or agents) are immediately replaced by others. Warezov/Storm networks have millions of agents! Storm: ~1 billion spam messages during a six-week attack.
The identity of the core components of the architecture (e.g., the mother-ship) is hidden from the victims.
Multiple FQDNs can be associated with the same fast-flux service network: it is not enough to shut down one malicious FQDN!
Real impact: the average lifetime of a scam site becomes months instead of days! The only way to shut down a scam site is to clean all the agents.
Our contribution
Observation: a fast-flux service network has multiple distinguishing features, but taken singularly they are not enough to distinguish between benign and malicious hostnames.
Idea: FluXOR. Monitor the suspicious hostname for a short period of time to collect the distinguishing features, behaving like a recidivist victim that keeps resolving and contacting the name. Combine the features to distinguish between benign and malicious domains. Monitor the malicious domains to enumerate all the infected agents.
Features of fast-flux service networks
Features: domain age; domain registrar; availability of the network (number of DNS records of type "A", TTL of the DNS resource records); heterogeneity of the agents (number of networks, number of autonomous systems, number of resolved qualified domain names (QDNs), number of assigned network names, number of organisations).
Example values (the slide builds give values for the first five features only):

| Domain               | Domain age (days) | Registrar        | # of "A" records | TTL (s)  | # of networks |
| Benign               |                   |                  |                  |          |               |
| avast.com            | 539               | NetworkSolutions | 12               | 3600     | 5             |
| adriaticobishkek.com | 65                | Melbourne IT     | 21               | 1200     | 1             |
| google.com           | 542               | MarkMonitor      | 3                | 300      | 2             |
| mean                 | 493.27            | N/A              | 2.86             | 4592.53  | 1.27          |
| std. dev.            | 289.27            | N/A              | 3.89             | 7668.74  | 0.65          |
| Malicious            |                   |                  |                  |          |               |
| eveningher.com       | 18                | PayCenter        | 127              | 300      | 83            |
| factvillage.com      | 2                 | PayCenter        | 117              | 300      | 81            |
| doacasino.com        | 2                 | NameCheap        | 33               | 180      | 19            |
| mean                 | 4.85              | N/A              | 98.13            | 261.49   | 63.75         |
| std. dev.            | 4.9               | N/A              | 37.27            | 59.64    | 23.91         |
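As an added example that is not code from the FluXOR paper or its authors, the following Python walks through the approach of the two slides above: re-resolve a hostname repeatedly like a recidivist victim, accumulate the availability and heterogeneity features (number of "A" records, TTL, number of networks, number of autonomous systems) from the union of all answers, keep the union itself as the enumerated agent list, and combine the features with a simple threshold vote. The DNS snapshots, the prefix-to-ASN table, the /24 granularity used for "networks", the thresholds and the "three indicators" decision rule are all constructed assumptions; the slides do not give FluXOR's actual data sources or decision rule. The point of the two constructed hosts is the observation on the contribution slide: a CDN-backed benign host trips the "many A records" indicator on its own, and a flux host is only separated when the features are combined.

```python
"""Added example: accumulate fast-flux features from repeated DNS answers
(assumption-based illustration, not FluXOR's own implementation)."""
from ipaddress import ip_address, ip_network

# Constructed prefix -> ASN table standing in for whois/BGP data (assumption).
PREFIX_TO_ASN = {
    "198.51.100.0/24": 64500, "203.0.113.0/24": 64501,
    "10.1.0.0/24": 64510, "10.2.0.0/24": 64511, "10.3.0.0/24": 64512,
    "10.4.0.0/24": 64512, "10.5.0.0/24": 64513, "10.6.0.0/24": 64514,
}

# Assumed per-feature indicators; the real thresholds are not on the slides.
THRESHOLDS = {
    "a_records": lambda v: v >= 10,          # many addresses behind one name
    "ttl": lambda v: v <= 300,               # short TTL forces frequent re-resolution
    "networks": lambda v: v >= 5,            # agents scattered over many /24s
    "autonomous_systems": lambda v: v >= 3,  # ... and over many ASes
}
MIN_INDICATORS = 3  # assumed vote: this many indicators => fast-flux


def lookup_asn(ip):
    """Return the ASN of the first constructed prefix containing ip, else None."""
    addr = ip_address(ip)
    for prefix, asn in PREFIX_TO_ASN.items():
        if addr in ip_network(prefix):
            return asn
    return None


def accumulate(observations):
    """Merge repeated A-query snapshots of one hostname into feature counts.

    observations: list of (ttl, [ip, ...]) pairs, one per resolution; the
    union of all answers is the set of agents seen during monitoring."""
    records, ttls = set(), []
    for ttl, ips in observations:
        ttls.append(ttl)
        records.update(ips)
    # "network" is approximated by the /24 containing the address (assumption).
    networks = {ip_network(f"{ip}/24", strict=False) for ip in records}
    asns = {lookup_asn(ip) for ip in records} - {None}
    return {
        "a_records": len(records),
        "ttl": min(ttls),
        "networks": len(networks),
        "autonomous_systems": len(asns),
        "agents": sorted(records, key=ip_address),
    }


def classify(features):
    """Combine the single indicators: each fires on its own threshold, and the
    hostname is flagged only when enough of them fire together."""
    fired = [name for name, test in THRESHOLDS.items() if test(features[name])]
    verdict = "fast-flux" if len(fired) >= MIN_INDICATORS else "benign"
    return {"fired": fired, "verdict": verdict}


# Constructed snapshots (not real resolutions): a CDN-backed benign host that
# answers many addresses from two networks with a long TTL, and a flux host
# whose short-TTL answers rotate through agents in six /24s and five ASes.
CDN_OBSERVATIONS = [
    (3600, ["198.51.100.10", "198.51.100.11", "198.51.100.12",
            "198.51.100.13", "198.51.100.14", "198.51.100.15"]),
    (3600, ["203.0.113.10", "203.0.113.11", "203.0.113.12",
            "203.0.113.13", "203.0.113.14", "203.0.113.15"]),
]
FLUX_OBSERVATIONS = [
    (300, ["10.1.0.5", "10.2.0.9", "10.3.0.7", "10.4.0.2"]),
    (300, ["10.2.0.9", "10.5.0.3", "10.6.0.8", "10.1.0.77"]),
    (180, ["10.3.0.7", "10.5.0.44", "10.6.0.8", "10.4.0.2",
           "10.2.0.55", "10.3.0.99"]),
]

if __name__ == "__main__":
    for name, obs in (("cdn-host.example", CDN_OBSERVATIONS),
                      ("flux-host.example", FLUX_OBSERVATIONS)):
        feats = accumulate(obs)
        print(name, {k: v for k, v in feats.items() if k != "agents"},
              classify(feats), "agents:", len(feats["agents"]))
```

Run stand-alone, the CDN host fires only the "a_records" indicator and stays benign, while the flux host fires all four, is flagged, and its "agents" list holds the ten addresses collected over the three resolutions, which is the enumeration step of the contribution slide.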