
 

VOLUME 27

   ISSUE 27

23 October  2013

Article of the Month

Passive DNS monitoring: Identifying Phishing sites, Botnets and other hosted illegitimate activities via Port 53 calls using Big Data Analysis

  What is DNS…?


DNS, as many of us know, is the service that maps a human-friendly host name to a valid IP address. It is a hierarchical, distributed database providing this service, commonly known as "resolving", in which one or more servers are responsible for a given name space. According to Dell SecureWorks, this component, essential to the very existence of the Internet, has been a common target for malicious activity since the early 1990s.

 

 

Common exploitations of DNS

The most common exploitation of DNS is "Fast-Flux": a single fully qualified domain name is associated with a large and rapidly changing set of IP addresses. The technique is most commonly employed for hosting phishing sites and bot-net command and control (C&C) servers. According to research at the University of Luxembourg, the architecture is considered highly resilient. This resilience is achieved by combining round-robin DNS over many registered addresses with manipulation of caching (very short TTLs, so resolvers discard each answer almost immediately), which defeats almost all common IP-address-oriented access control and defence mechanisms such as firewall rules.
Another common DNS exploitation is the improved version of Fast-Flux known as "Double Flux". This method removes the single point of failure present in Fast-Flux by also rotating the Name Server (NS) entries of the zone dynamically, rather than keeping a static NS record set as in Fast-Flux.
It should be kept in mind that a Content Distribution Network (CDN) uses the same network architecture (many addresses behind one name with short TTLs), so CDN-backed names must be separated from flux networks by careful, phased analysis rather than by these features alone.



Figure 1: Fast-Flux Network

1. DNS query (to Recursive DNS server)
2. DNS query (forwarded to Root DNS server)
3. Root server’s DNS response (to Recursive server)
4. DNS query (forwarded to Authoritative server)
5. DNS response (to Recursive server)
6. DNS resolved response (to User’s machine)
7. HTTP GET request intended to request.domain.com at 147.36.245.156
8. Command & Control Sending content and commands
9. Serving malicious content

 

Figure 2: Double Flux Network

1. DNS query (to Recursive DNS server)
2. DNS query (forwarded to Root DNS server)
3. Root server’s DNS response (to Recursive server)
4. DNS query (forwarded to Authoritative server)
5. DNS response (to Recursive server)
6. DNS resolved response (to User’s machine)
7. HTTP GET request intended to request.domain.com at 147.36.245.156
8. Command & Control Sending content and commands
9. Redirected request and response (Command & Control)
10. Serving malicious content by a "Bot"

The Passive DNS Monitoring Architecture...

This is rather simple in theory. The whole network comprises three major components.
1. Passive DNS sensor
2. Centralized data storage
3. End user tools and Interface

Figure 3: Passive DNS Monitoring Network Layout

The DNS sensor is a simple packet capture that filters out DNS-related traffic. It is placed between the local recursive server (caching server) and the upstream DNS servers, where it listens to DNS replies, extracts the records of interest and feeds them into the centralized data storage. Placing the sensor above the cache matters: replies seen there carry the TTL as published by the authoritative server and each upstream answer is observed once, whereas replies seen between clients and the resolver carry TTLs already decremented by the cache.
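As an added example (not code from the original article or from Sri Lanka CERT|CC), the following Python does what such a sensor has to do with each captured reply: parse the DNS wire format, resolve name-compression pointers, and emit one row per resource record for the central store, keeping only A, AAAA, NS and CNAME records. The reply it parses is constructed inline rather than captured; the names and the addresses in it are invented for the example (147.36.245.156 is the placeholder address used in the figures above).

```python
import socket
import struct

# Record types the sensor keeps; everything else is discarded at capture time.
TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_AAAA = 1, 2, 5, 28
KEEP_TYPES = {TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_AAAA}


def encode_name(name):
    """Encode a dotted name in DNS label format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(pkt, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = pkt[offset]
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035, 4.1.4)
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", pkt[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 32:                   # malformed or looping pointers: bail out
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(pkt[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_reply(pkt):
    """Return every resource record (answer, authority, additional) of a DNS reply."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:                  # QR bit clear: this is a query, not a reply
        return []
    offset = 12
    for _ in range(qd):                     # skip the question section
        _, offset = read_name(pkt, offset)
        offset += 4                         # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, offset = read_name(pkt, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[offset:offset + 10])
        offset += 10
        if rtype == TYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(pkt[offset:offset + 4])
        elif rtype == TYPE_AAAA and rdlen == 16:
            rdata = socket.inet_ntop(socket.AF_INET6, pkt[offset:offset + 16])
        elif rtype in (TYPE_NS, TYPE_CNAME):
            rdata, _ = read_name(pkt, offset)   # rdata may itself use compression
        else:
            rdata = pkt[offset:offset + rdlen].hex()
        offset += rdlen
        records.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return records


def sensor_rows(pkt):
    """What the sensor forwards to central storage: only the record types we keep."""
    return [r for r in parse_reply(pkt) if r["type"] in KEEP_TYPES]


def build_sample_reply():
    """Constructed reply (not a real capture): two A answers with a 60 s TTL plus
    one NS record in the authority section. Names and addresses are invented."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 1, 0)
    question = encode_name("request.domain.com") + struct.pack("!HH", TYPE_A, 1)
    answers = b""
    for ip in ("147.36.245.156", "198.51.100.7"):
        # 0xC00C is a pointer to offset 12, i.e. the question name
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 60, 4) + socket.inet_aton(ip)
    ns_rdata = encode_name("ns1.domain.com")
    authority = (encode_name("domain.com")
                 + struct.pack("!HHIH", TYPE_NS, 1, 60, len(ns_rdata)) + ns_rdata)
    return header + question + answers + authority


if __name__ == "__main__":
    for row in sensor_rows(build_sample_reply()):
        print(row)
```

The pointer-hop limit in read_name is there because a sensor sits on untrusted traffic: a crafted reply whose compression pointers form a loop would otherwise spin the parser forever.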
Once the data is in storage, the data-mining phase can begin, using the centralized database and the end-user tools. Using entropy-based indexing of IP addresses scattered over different subnets of the Internet, all IP addresses associated with the same domain name can be grouped; this is a specialized application of the data-mining technique of clustering. Using different weighting schemes based on the relevance of the selected IP addresses to a given domain name, the illegitimate IP addresses can be identified: they show a distinct separation from the normal IP addresses that are legitimately associated with that domain name.
Another characteristic to be monitored is the relatively short TTL (Time-to-Live) value of the "A records". A very short TTL is a useful indicator of a possible fast-flux network in operation.
The total count of requests during the observation period is an important variable that may give clues to possible phishing activity. The total count of authoritative servers for a particular domain is another parameter that can be used to refine the results: a high count of authoritative name servers is a possible indication of a double-flux network in operation.
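The following Python is an added example, not the article's own tooling, of the mining step described in this section and of the CDN caveat raised earlier: it aggregates passive-DNS rows (name, record type, rdata, TTL) per domain, computes the features the text names (how the addresses scatter across subnets, measured as normalised entropy over /16 prefixes; the minimum A-record TTL; the number of authoritative name servers; the request count), and assigns a verdict. The thresholds in classify() and the choice of /16 as the "subnet" are assumptions chosen for the example, not values from the article, and the sample rows are constructed, using documentation and private address ranges purely for their prefixes.

```python
import math
from collections import defaultdict


def prefix16(ip):
    """Coarse network key: the first two octets (a /16), our proxy for 'different subnet'."""
    a, b, _, _ = ip.split(".")
    return f"{a}.{b}"


def entropy_bits(counts):
    total = sum(counts)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def domain_features(records):
    """Aggregate passive-DNS rows (name, type, rdata, ttl) into per-domain features."""
    acc = defaultdict(lambda: {"ips": set(), "ns": set(), "ttls": [], "queries": 0})
    for r in records:
        d = acc[r["name"]]
        d["queries"] += 1
        if r["type"] == "A":
            d["ips"].add(r["rdata"])
            d["ttls"].append(r["ttl"])
        elif r["type"] == "NS":
            d["ns"].add(r["rdata"])
    feats = {}
    for name, d in acc.items():
        per_prefix = defaultdict(int)
        for ip in d["ips"]:
            per_prefix[prefix16(ip)] += 1
        n = len(d["ips"])
        # Normalised entropy: 1.0 when every address sits in a different /16,
        # 0.0 when they all share one. This is the 'scattered over subnets' signal
        # that separates a flux network from a CDN with many addresses in few networks.
        spread = entropy_bits(per_prefix.values()) / math.log2(n) if n > 1 else 0.0
        feats[name] = {
            "ip_count": n,
            "prefix_entropy": round(spread, 3),
            "min_ttl": min(d["ttls"]) if d["ttls"] else None,
            "ns_count": len(d["ns"]),
            "queries": d["queries"],
        }
    return feats


def classify(f, ttl_max=300, ip_min=5, entropy_min=0.8, ns_min=5):
    """Assumed thresholds for the example; tune them against your own baseline."""
    short_ttl = f["min_ttl"] is not None and f["min_ttl"] <= ttl_max
    scattered = f["ip_count"] >= ip_min and f["prefix_entropy"] >= entropy_min
    if short_ttl and scattered and f["ns_count"] >= ns_min:
        return "double-flux"      # A records and NS records both rotate
    if short_ttl and scattered:
        return "fast-flux"
    if short_ttl and f["ip_count"] >= ip_min:
        return "cdn-like"         # many addresses, short TTL, but clustered in few networks
    return "normal"


def _row(name, rtype, rdata, ttl):
    return {"name": name, "type": rtype, "rdata": rdata, "ttl": ttl}


# Constructed sample rows (not real passive-DNS data); the names are invented.
SAMPLE_ROWS = (
    [_row("legit.example", "A", ip, 3600) for ip in ("203.0.113.10", "203.0.113.11")] * 3
    + [_row("cdn.example", "A", f"198.51.100.{i}", 60) for i in range(1, 5)]
    + [_row("cdn.example", "A", f"192.0.2.{i}", 60) for i in range(1, 5)]
    + [_row("flux.example", "A", f"10.{i}.1.1", 120) for i in range(1, 9)]
    + [_row("dflux.example", "A", f"10.{i}.5.5", 120) for i in range(1, 9)]
    + [_row("dflux.example", "NS", f"ns{i}.dflux.example", 120) for i in range(1, 7)]
)


def report(records=SAMPLE_ROWS):
    """Map each domain to (verdict, features)."""
    return {name: (classify(f), f) for name, f in domain_features(records).items()}


if __name__ == "__main__":
    for name, (verdict, f) in report().items():
        print(f"{name:16} {verdict:12} {f}")
```

Note what separates cdn.example from flux.example in the output: both have eight addresses and a 60-120 second TTL, so TTL and address count alone would flag the CDN too; only the prefix entropy (0.333 against 1.0) tells them apart, which is the phased analysis the text asks for.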

 

W.M. Milinda Wickramasinghe

Milinda is an undergraduate of the University of Colombo School of Computing, following the Bachelor of Information and Communication Technology (BICT) degree. He is currently working as an Intern Information Security Engineer at Sri Lanka CERT|CC.

 

References

1. http://www.secureworks.com/resources/articles/other_articles/dns-cache-poisoning/
2. http://en.wikipedia.org/wiki/Round-robin_scheduling
3. http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6212019

Around the World

  THREE NEW ATTACKS USING IE ZERO DAY EXPLOITS
  

“... Attackers are continuing to pile on a critical Internet Explorer zero-day that remains unpatched two weeks after it was reported.
During the last two weeks, it appears that at least three separate targeted attack campaigns have been using the same bug previously used by Operation Deputy Dog, a campaign that wound up compromising Japanese media outlets and tech systems in the middle of September ...”

  Connections between personality types and phishing
  

'.... Phishing scams are some of the most effective online swindles, hooking both savvy and naive computer users.

New insights from researchers at the Polytechnic Institute of New York University (NYU-Poly) point to two factors that may boost the likelihood that a computer user will fall prey: being female and having a neurotic personality.
...'

Could the EU cyber security directive cost companies billions?

   
  

'.... Many of the world’s largest enterprises are not prepared for the new European Union Directive on cyber security, which states that organizations that do not have suitable IT security in place to protect their digital assets will face extremely heavy fiscal penalties. The directive, which was adopted in July this year, will require that organizations circulate early warnings of cyber risks and incidents, and that actual security incidents are reported to cyber security authorities. Organizations that suffer a breach because they do not have sufficient IT security in place to protect their digital assets face fines of up to two percent of their annual global turnover.
......'

Apple's Siri is helping users bypass iOS security

  

'.... Siri was designed to be an effective personal assistant, but since the release of iOS 7, the artificial intelligence is bringing the bad with the good. Apple released iOS 7.0.2 to address the first big passcode-bypass in its weeks-old iOS 7 mobile software, but it didn't take techies long to circumvent the passcode security feature in the latest version of the platform. The workaround only grants access to the phone app, but from there people can use the phone to dial anywhere they wish, listen to saved voicemails, view and change contact information, access photos, use Twitter, login to email and shoot out texts ...'

50 Security issues fixed with the release of Chrome 30

".... The list of vulnerabilities reported by external researchers includes ten high-impact and six medium-impact flaws. The high-impact issues refer to use-after-free vulnerabilities in inline-block rendering, in PPAPI, in XML document parsing, in DOM, in resource loader, in the Windows color chooser dialog, and in template element. A memory corruption in V8 and an address bar spoofing bug related to the “204 No Content” status code also fall into this category ....”

Month in Brief
Facebook Incidents Reported to Sri Lanka CERT|CC in September 2013

[Chart: incidents by category (Fake + Harassment, Hacked, Abuse, Other) and by gender (Female, Male)]

Statistics - Sri Lanka CERT|CC

Alerts

The FBI busted Silk Road, but not the 'dark web' behind it

'.... Silk Road, the underground website where dealers sold illegal drugs, was supposed to be safe. The site was nestled deep in the dark web, accessible only through the anonymizing network Tor. All transactions were done in the anonymizing virtual currency Bitcoin. Its owner-operator, Dread Pirate Roberts, was said to be a criminal mastermind and technical wunderkind who never left a trail. It was all very hackerish and clandestine. And yet, today the FBI shut down the site and arrested Dread Pirate Roberts. "This is supposed to be some invisible black market bazaar. We made it visible," an FBI spokesperson told Forbes after the bust. "No one is beyond the reach of the FBI. We will find you." ...'

GnuPG 2.0.22 fixes security problem

'.... version.
What's new:
• Fixed possible infinite recursion in the compressed packet parser. [CVE-2013-4402]
• Improved support for some card readers.
• Prepared building with the forthcoming Libgcrypt 1.6.
• Protect against rogue keyservers sending secret keys.
Special crafted input data may be used to cause a denial of service against GPG (GnuPG's OpenPGP part) and some other OpenPGP implementations. All systems using GPG to process incoming data are affected. ....’

Door control systems: An Examination of lines of Attack

'.... Over recent years many businesses have, in the interest of security, turned to the use of computerised door control systems. These systems, which usually require the entrant to possess some sort of token or swipe card which is authenticated against a central database, are intended to ensure that nobody can enter a business' premises (or restricted sections of those premises) without the proper authorisation.
.......'

Security issue in Ruby on Rails could expose cookies

 
 

'...... Versions 2.0 to 4.0 of the popular open source Web framework Ruby on Rails are vulnerable to a Web security issue involving cookies that could make it much easier for someone to log in to an app as another user.
According to security researcher G.S. McNamara, Ruby on Rails’ de facto session storing mechanism, CookieStore, stores the entire session hash in the cookie. By doing this session cookies are kept valid for life because there isn’t an entry in a sessions database table the Rails app can use to delete it when logging out.
.......'

How the NSA Attacks Tor/Firefox Users With QUANTUM and FOXACID

 

 

'..... The online anonymity network Tor is a high-priority target for the National Security Agency. The work of attacking Tor is done by the NSA's application vulnerabilities branch, which is part of the systems intelligence directorate, or SID. The majority of NSA employees work in SID, which is tasked with collecting data from communications systems around the world........'

 
Notice Board
Training and Awareness Programmes - October 2013

Date                                   | Event                                                                                                                         | Venue
14th Oct - 5th Nov                     | Web design and development training for Academic staff of Zonal and Provincial ICT Centers                                    | National Institute of Business Management
28th Oct - 16th Nov                    | Animation and graphic design training for Academic staff of Zonal and Provincial ICT Centers                                  | National Institute of Business Management
28th Oct, 29th Oct; 07th Nov, 08th Nov | Awareness program on SMS gateway and "e-Thaksalawa Learning Management System" for Zonal and Provincial educational officials | Computer Laboratory, ICT Branch, Ministry of Education

Brought to you by: