Posts Tagged ‘fast flux’

GFIRST 2010: social malware, insider threat, fast flux botnets ….

Wednesday, September 8th, 2010

I attended the 6th Annual GFIRST National Conference organized by US-CERT. GFIRST stands for Government Forum of Incident Response and Security Teams. This year’s theme was: Building Today, Shaping Tomorrow – Ensuring an Effective Response Capability to Manage Risks in Cyberspace. The conference was well attended with some talks standing room only in a 300-person conference room. Most commercial information security vendors interested in this space were participating exhibitors in the accompanying expo. I will not be able to cover some of the really interesting presentations in this public forum due to the sensitivity of the topics, but here are a couple of tidbits for general consumption.

“Emerging Threats in 2010” by Dave Marcus, Director of Security Research and Communications, McAfee Labs was one of my favorite presentations of the conference. Dave Marcus, who blogs at Reclaim Hacking, posited that he can make anyone click on malware by mining personal information from the social media aggregated by several services. Dave uses Twitscoop to find the trending topics for messaging that the recipient will be interested in, uses Bing to figure out what OS the user is using and what the user is yapping about so that he can send targeted malware on the right platform like Android, MacOS, etc., mines pic tags using PicFog (alert: potential offensive material), uses Twittermap to deliver malware to folks attending an event, mines twitter trends using Trendistic, uses hashtags.org to track trends, uses Openbook that mines Facebook, and designs URLs by appending keywords to tinyURL. Openbook exposes the awful default privacy settings in Facebook as lots of users don’t know how to set their preferences. After listening to this presentation, I have no doubt a determined adversary can figure out anyone’s hot button to push to deliver targeted malware. So what can you do? Check the privacy settings of your social media accounts, start using URL expanders, install safe browsing plug-ins …

Dawn Cappelli and Adam Cummings of CERT gave a nice talk on insider threat, presenting their empirical analysis of the MERIT database, which covers 157 fraud, 116 sabotage, 77 theft, 120 espionage, and 44 miscellaneous cases, and the SpyDR (Spy Data Repository) espionage database, which covers 120 cases. Their findings show that sabotage is perpetrated by former employees who insert malicious code before leaving, while fraud is typically carried out by a help desk person recruited from outside. Their recommendations: enable message tracking on your mail server, use Splunk to track mail flow to competitors, foreign entities, etc., look for emails over a certain size, and do continuous logging, targeted monitoring, and real-time alerting. You can find more detailed information on this research here.

Aaron Shelmire and Ed Stoner of CERT presented their Dynamic DNS and Fast Flux analysis. They started with a malicious software catalog and augmented the malware domain list with ISC-SIE A, MX, and NS records. They define a fast flux domain as one that resolves to at least 25 different IPs on 20 ASNs. It was a good chance to validate each other’s results. For instance, Shelmire and Stoner see 1.5%–2% fast flux in malware. Our FastFluxMonitor detects fast flux in about 1.4%–4% of malware domain feeds. Their high-level findings were similar to the trends we observed in our Botnet Threat Intelligence database.

Our presentation in the Event Detection via DNS and Route Monitoring session was received well. Daniel Massey discussed how to detect network route prefix hijacking via BGP monitoring. Our presentation focused on the use of the botnet social networks in detection and mitigation. In summary, our Botnet Threat Intelligence solution provides two levels of evidence as shown in the table below. Our guilt by association score is based upon a domain’s, nameserver’s, or IP’s relationship to other malicious entities through the historical social network knowledge. In contrast, our fast flux score is based on the domain’s or nameserver’s real-time behavior. Guilt by association scores provide pre-zero day intelligence while fast flux scores provide near-real time situation assessment.

[Table: Guilt by Association (GBA) vs. Fast Flux (FF) evidence]

Kneber Botnet – less fluxy but more stealthy

Friday, February 19th, 2010

The recent news story about the Kneber botnet, based on the excellent work done by the NetWitness team and informative posts by Dancho Danchev and others, brought the ZeuS Trojan botnet into the limelight. In contrast to some misleading reports, the security community has been following this botnet, which infected more than 75,000 computer systems at nearly 2,500 companies, for quite a long time. We have been tracking ZeuS with our Fast Flux Monitor for some time as well. Given the recent interest in this botnet, we decided to analyze the reported ZeuS data using our Fast Flux Monitor database to provide some additional insight.

Most of the domain, nameserver and IP entities associated with the attacking infrastructure reported in the NetWitness Kneber report have been in our FastFluxMonitor database. What is interesting is that most of the reported Kneber domains and nameservers are not exhibiting fast flux behavior. For instance, all of the reported Kneber domains for the Trojan installers resolve to 1 to 4 IPs, which is not enough for a fast flux evasion scheme. The number of IPs the Kneber Trojan installer domains resolve to is shown in the table below.

[Table: IP counts for the reported ZeuS installer domains]

Comparing the ZeuS network graph with the various botnets in our database reveals that the ZeuS botnet has a different network graph than others like Avalanche, Conficker, Gumblar and Pushdo. The figure below shows the domain, nameserver and IP connectivity for the Avalanche botnet:

[Figure: Avalanche botnet domain/nameserver/IP network graph]

In this graph, the blue, red, and green nodes denote IPs, domains, and nameservers, respectively. Each cluster represents a set of entities where any two nodes can be linked through the domain, nameserver and IP connectivity. The Avalanche graph has one large cluster and six small clusters, making it easy to discover the various entities of this botnet. In contrast, the same graph for the ZeuS botnet shown below has one large cluster and over 200 small clusters, thus making it hard to discover the various entities of this botnet.

[Figure: ZeuS botnet domain/nameserver/IP network graph]

Referring to the data shown in the table above, the reported Kneber domains and nameservers belong to one of the small clusters on the right. These clusters consist of domains and nameservers that do not exhibit fast flux behavior. Whether the small clusters represent the discreet probe of networks by large criminal organizations, or small operator hosting set-ups that downloaded free phishing kits, the ZeuS botnet is stealthier than the others by relying on a large number of smaller clusters used for attack campaigns.

We will present our comparative analysis of the Avalanche, Conficker, Gumblar, Pushdo, and ZeuS botnets at the NATO IST-091 Symposium on “Information Assurance and Cyber Defence”, which will provide an explanation for the difference.

Operation Aurora – Searching for Stars, Finding Comets

Monday, February 1st, 2010

When the ‘Operation Aurora, AKA trojan.hydraq’ controversy surfaced, we investigated the role, if any, of fast-flux botnets in the reputed exfiltration attacks by Chinese-supported actors against 33 US technology companies. Our preliminary results using FastFluxMonitor found no direct indication of fast-flux activity associated with the reported domain names. But just as astronomers may detect comets when observing stars, we did find associations between nameservers with a fast-flux history and some of the domains and IPs involved in the attacks. In the FastFluxMonitor table below, we see that three of the reported domains used in these attacks share the same nameserver, ns1.3322.net, which is registered to the Chinese network operator CHINANET, ASN 4134, the leading ASN worldwide in terms of Conficker activity.

[FastFluxMonitor table: reported Operation Aurora domains and their nameservers]

Building on this finding, we then used FastFluxMonitor to discover more than 600 bots associated with fast-flux behavior registered to this ASN. In the FastFluxMonitor table below, we see that a few of the nameservers associated with a known-spamming IP from this ASN, 60.191.221.123, are classified as fast-flux. While the IP in question is not classified as fast-flux, its association with nameservers that are fast-flux is reason for suspicion.

[FastFluxMonitor table: nameservers associated with 60.191.221.123 and their fast-flux classification]

With guilt-by-association, domain names or IPs associated with these nameservers are suspicious, irrespective of whether the individual IPs or domains are classified as fast-flux. Cyber-defenders can apply this intelligence as a proactive measure to filter access to or from these domains, IPs, and nameservers. As exfiltration attacks are often complex attacks preceded by social engineering probes such as spear-phishing, proactive measures such as real-time filtering are essential. Perimeter and vulnerability-based defenses are necessary, but insufficient, measures against social engineering attacks.
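As an added illustration (not Milcord’s code and not FastFluxMonitor’s scoring), the following Python sketch puts the two signals discussed across these posts side by side: the fast flux threshold quoted from Shelmire and Stoner (at least 25 distinct IPs on 20 ASNs) and the guilt-by-association rule over clusters of the domain/nameserver/IP connectivity graph. Every domain name, address and ASN in it is constructed.

```python
"""Toy fast-flux and guilt-by-association scorer (added example, constructed data)."""
from collections import defaultdict

FF_MIN_IPS, FF_MIN_ASNS = 25, 20  # fast flux thresholds quoted in the GFIRST post


def fast_flux_domains(records):
    """Domains that resolved to >= 25 distinct IPs spread over >= 20 ASNs."""
    ips, asns = defaultdict(set), defaultdict(set)
    for dom, _ns, ip, asn in records:
        ips[dom].add(ip)
        asns[dom].add(asn)
    return {d for d in ips if len(ips[d]) >= FF_MIN_IPS and len(asns[d]) >= FF_MIN_ASNS}


def clusters(records):
    """Connected components of the domain/nameserver/IP graph (union-find)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for dom, ns, ip, _asn in records:
        parent[find(("domain", dom))] = find(("ns", ns))  # domain <-> nameserver edge
        parent[find(("domain", dom))] = find(("ip", ip))  # domain <-> IP edge
    groups = defaultdict(set)
    for node in list(parent):
        groups[find(node)].add(node)
    return list(groups.values())


def guilty_by_association(records, known_bad):
    """Every node sharing a cluster with a known-malicious node, the known nodes excluded."""
    return set().union(*(c for c in clusters(records) if c & known_bad)) - known_bad


def constructed_records():
    """Constructed observations (domain, nameserver, ip, asn); all names hypothetical."""
    recs = [("flux.example", "ns1.flux.example", f"198.51.100.{i + 1}", 64500 + i % 25)
            for i in range(30)]                        # 30 IPs over 25 ASNs: fluxy
    recs += [("installer.example", "ns1.shared.example", "203.0.113.10", 64600),
             ("installer.example", "ns1.shared.example", "203.0.113.11", 64600),
             ("known-bad.example", "ns1.shared.example", "203.0.113.20", 64601),
             ("clean.example", "ns1.clean.example", "203.0.113.30", 64602)]
    return recs
```

Note that `installer.example` resolves to only two IPs and is never fast flux, yet it is flagged because it shares a nameserver cluster with a known-malicious domain, which is exactly the pre-zero-day evidence the guilt-by-association score is meant to provide.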

News Scan – Cyber Security

  • “… unless Google had told us about the attack on it and other companies, we probably never would have seen it. When you think about that, it’s really scary.” – “In Digital Combat, U.S. Finds No Easy Deterrent”, NY Times, Jan 26, 2010
  • “Had this attack employed more sophisticated hosting or resolution techniques like fast flux, even the IP addresses would have been useless.” – “Finding Aurora (googlehack)”, NetWitness Blog, Jan 15, 2010

Notes from CSIIRW-09

Friday, April 24th, 2009

We attended and presented at the Cyber Security and Information Intelligence Research Workshop, April 13-15, 2009 at Oak Ridge National Labs (ORNL), www.ioc.ornl.gov/csiirw/. The audience numbered about 150 attendees, with academia and government representing the biggest segment, and a few representatives from government, systems integrators, and technology providers.

In his keynote, Dr. Doug Maughan from DHS reviewed and assessed federal cyber initiatives from 2003 to the present. While noting that the amount of activity around cyber security is encouraging, Doug challenged the cyber security research community to be “bolder and riskier in their thinking”, to do a better job of capitalizing on the increased interest, and to come together on an agreement for a “National Cyber Security R&D Agenda”. In other featured presentations, Dr. Nabil Adam from DHS and Rutgers University introduced issues and programs at the intersection of Cyber and Physical Systems Security. SCADA and Smart Grid systems were highlighted. In his “Are we on the Right Road” presentation, George Hull from Northrop Grumman confronted basic challenges. With 5.4 million unique malware samples discovered in 2007, and companies like Symantec now doing up to 300 updates per day, signature-based systems don’t and can’t work. And as systems become ever more complex, the complexity works against security and reliability. Hull suggested that cyber security is not about the endpoints or the network. Rather, the real focus needs to be defending the information. Dr. Robert Stratton from Symantec presented findings from Symantec’s Internet Security Threat Report (April 2009). Of particular interest to Milcord was the finding that “Symantec observed an average of 75,158 active bot-infected computers per day in 2008, an increase of 31 percent from the previous period.”

The panel discussions surfaced some points for pondering, including observations that, as venture capitalists seem to be moving away from cyber security as an investment area, the government needs to fill the void in R&D funding. Some questioned the effectiveness of some government cyber R&D programs like NSF, going so far as to refer to it as ‘welfare for scientists’, disconnected from real-world needs, and unlikely to produce innovation that results in deployable systems.

Milcord presented findings from its DHS-sponsored botnet research on the Behavioral Analysis of Fast Flux Service Networks. Specifically, we discussed the behavioral patterns of domains, name servers, and bots that we discovered with our FastFlux Monitor, covering the short-term, long-term, organizational, and operational behavior of botnets that use fast flux service networks. www.csiir.ornl.gov/csiirw/09/CSIIRW09-Proceedings/Slides/Caglayan-Slides.pdf

Reflections on CATCH

Friday, March 6th, 2009

I attended the Cybersecurity Applications and Technology Conference for Homeland Security (CATCH) on March 3-4, 2009 in Washington, DC. I had to leave on Sunday to escape the snowstorm but it was well worth the effort. The keynote speech American Crisis in Innovation by Pascal Levensohn was the most thought provoking presentation. (See related BusinessWeek blog.) Pascal articulated the broken ecosystem of innovation in the USA, and argued forcefully about the need for promoting effective innovation partnerships between government and university research organizations, corporations, and entrepreneurs.

Pascal quoted several statistics from Judy Estrin’s book Closing the Innovation Gap. Estrin has empirically proven that America has relied too much on incremental innovation in recent years at the expense of the open-ended scientific research that eventually leads to truly breakthrough innovation. How true! NRL funded the development of GPS in the 1970s when no one could foresee the applications it spawned today. How many American organizations are investing today in the GPSs of the future? More importantly, how many decision makers are heeding Levensohn’s alarm?

Another interesting session was the panel discussion on the second day. I was particularly impressed with the comments of DHS Cybersecurity Chief Rod Beckstrom, who called for the adoption of Web 2.0 platforms within the government and the development of a generalized model for sensorizing the Internet. I was sad to read that Rod Beckstrom resigned today. It’s a great loss for DHS.

Our presentation on Real-time Detection of Fast Flux Service Networks was received well. The presentation generated lots of questions, and considerable interest in our Fast Flux Monitor demo at the expo. Tina Williams of Unisys asked one of the more interesting questions: From the tens of thousands of IPs in your DB, what user segments (ISP, edu, enterprise…) have this problem? Is the solution policy or technology? There is no question that ISPs and universities in the USA are most seriously afflicted with the fast flux problem. The enterprise has a botnet problem with its mobile workforce. The government has started doing a better job in protecting its machines from being recruited into zombies. The solution is both technology and policy. You can’t be aware of the problem without the technology. However, you still need to train your personnel for effective remedies.

One final note. Congratulations to Dr. Doug Maughan, who runs the cybersecurity R&D at DHS using a collaborative model. At Milcord, we have participated in this program for the last three years. Open collaboration did improve our botnet defense solution with the suggestions of our colleagues in this program. Collaborative research programs in information technology are rare within the government. I wish more Program Managers adopted such a philosophy.

Milcord presents FastFlux Botnet Intelligence service at CATCH Conference

Tuesday, March 3rd, 2009

Milcord, LLC. – WALTHAM, MA – Milcord LLC presented findings from and announced the launch of a Cyber Security Intelligence Web service that detects and monitors Fast Flux botnets at the CATCH (Cybersecurity Applications and Technology Conference for Homeland Security) Conference in Washington D.C. The Web service was developed under a Phase II STTR (Small Business Innovation Research – Technology Transfer) project funded by DHS Cyber S&T. Milcord also received support from Sandia National Labs. The FastFlux Monitor service is a tool for cyber defenders in government and enterprises that detects and tracks the behavior of key components (domain names, IP addresses, domain name servers, ISPs) in fast flux botnets. The service is available for evaluation and subscription.

About Milcord: Since 2003 Milcord has been delivering knowledge management technologies and solutions for a range of applications including cyber defense, human and social modeling, geospatial intelligence, and information management. Milcord’s federal customers include Air Force Research Labs, Office of Naval Research, Army Research Labs, Army Geospatial Center, Office of Secretary of Defense, Department of Energy, and NASA. For more information see www.milcord.com.