How I learned to stop worrying and love malware DGAs....
The growth of malware families using algorithms to generate domains in 2014 has been somewhat substantial. For instance, P2P Gameover Zeus, Post-Tovar Zeus and Cryptolocker all used DGAs. The idea is that code generates domains (usually, but not always) by taking the data and running it through some magic math to come up with a list of many domains per day. This lets the attacker avoid static lists of callback domains in their code and gives them additional flexibility, making takedowns a little more difficult. Instead of getting one domain suspended, now you have to get thousands suspended. And if you think the "good guys" are on to you, you can change your encryption seed and get a new list of domains.
That said, it's also a double-edged sword. If you can get the algorithm, you can proactively block an entire family in one fell swoop. Take, for instance, Hesperbot. Garage4Hackers has a nice write-up on how they reverse engineered the DGA and provide a helpful script at the end.
This particular DGA doesn't generate many domains, but it provides a good example. From the word go, you can simply dump the list of domains into RPZ or another DNS blocking technology. That's nice, but what if you wanted to do some threat intelligence ninjutsu instead?
You can take that list of domains, attempt to resolve them and then dump the active IPs and domains into a feed. Now you have data you can pivot off of, throw into CIF, or make available as OSINT to get mad love from your peers.
Currently I track 11 families this way and process about 200,000 domains every 10 minutes to generate feeds (my New Year's goal is to increase that tenfold). That brings an interesting scalability problem to the fore... how to look up that many hosts in parallel instead of serially. For that I use two Linux commands: parallel (self-explanatory) and adns-tools. Adns-tools is a suite that allows for asynchronous DNS lookups across many hostnames. As long as you have a friendly DNS resolver that doesn't mind your unmitigated, complete assault on its sensibilities, you're good to go.
Doing this allows patterns to emerge pretty quickly... usually it is the same IP addresses involved, typically they have a dedicated domain that does authoritative DNS for all the DGA-ized domains, and you can assess the nationality of the actors by which holidays they take off from registering domains. :)
All for the price of learning a little bit of Python, you can set up a homebrew malware surveillance system.
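Here is the block-then-feed pipeline from the paragraphs above as an added example in Python; it is not the diary's code nor the Garage4Hackers script. It emits an RPZ zone for a DGA domain list, resolves the list concurrently (threads standing in for parallel + adnshost), keeps only live domain/IP pairs, and pivots the feed by IP. The sample domains and the offline resolver are constructed stand-ins; pass socket.gethostbyname_ex to query real DNS.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed sample domains; a real family's generated list goes here.
SAMPLE_DOMAINS = ["kqzvtrbxmwya.com", "plwdoxcntybq.net", "rgjhuxyzbvma.org"]
# Constructed answers (RFC 5737 range) so this runs offline; pass
# socket.gethostbyname_ex as the resolver to query real DNS instead.
FAKE_DNS = {
    "kqzvtrbxmwya.com": ["198.51.100.7", "198.51.100.9", "198.51.100.7"],
    "plwdoxcntybq.net": ["198.51.100.7"],
}

def fake_resolver(name):
    """Same return shape as socket.gethostbyname_ex: (name, aliases, ips)."""
    if name not in FAKE_DNS:
        raise socket.gaierror("NXDOMAIN")  # what most DGA names return
    return name, [], FAKE_DNS[name]

def rpz_zone(domains, zone="dga.rpz.local", serial=2014123001):
    """BIND RPZ zone text: each domain and its subdomains CNAME to '.',
    so the resolver answers NXDOMAIN for them."""
    lines = ["$TTL 300",
             f"@ IN SOA {zone}. hostmaster.{zone}. {serial} 3600 900 604800 300",
             "@ IN NS localhost."]
    for d in sorted({d.rstrip(".").lower() for d in domains}):
        lines += [f"{d} CNAME .", f"*.{d} CNAME ."]
    return "\n".join(lines) + "\n"

def build_feed(domains, resolver=socket.gethostbyname_ex, workers=50):
    """Resolve concurrently (threads stand in for parallel + adnshost);
    keep (domain, ip) rows for live domains only, duplicate A records collapsed."""
    def one(domain):
        try:
            _, _, ips = resolver(domain)
        except OSError:  # gaierror/herror: the usual NXDOMAIN outcome
            return domain, []
        return domain, sorted(set(ips))
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return [(d, ip) for d, ips in pool.map(one, domains) for ip in ips]

def pivot_by_ip(rows):
    """Group the feed by IP: a few hosts behind many domains is the pattern."""
    by_ip = {}
    for d, ip in rows:
        by_ip.setdefault(ip, set()).add(d)
    return {ip: sorted(ds) for ip, ds in by_ip.items()}

if __name__ == "__main__":  # offline demo with the constructed resolver
    rows = build_feed(SAMPLE_DOMAINS, resolver=fake_resolver)
    print(rpz_zone(SAMPLE_DOMAINS), *(f"{d},{ip}" for d, ip in rows), pivot_by_ip(rows), sep="\n")
```

The feed rows are plain `domain,ip` pairs, ready to drop into CIF or publish; the RPZ text loads as a response-policy zone in BIND.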
--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting
What do you think will be the top cybersecurity story of 2015?
I was asked by a reporter a few days ago what I thought the top cybersecurity story of 2015 will be. 2014 saw some big stories: Target (and the myriad PoS breaches), Heartbleed/Shellshock/et al., Sony...
Will it be the year people finally get serious about cybersecurity, or will the status quo prevail? Leave your thoughts in the comment section below and I will follow up next week.
--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting