SECURE 2015 Hands-on

On false alarms in detection of DGA botnet domains – part 1

17 April 2015 piotrb

Domain Generation Algorithms are often used in botnets to create specially crafted domain names which point to C&C servers. The main purpose of this is to make it more difficult to block connections to these servers (for example with domain blacklists) or to protect the C&C channel (and botnet itself) from a takeover. Often domains generated this way are composed of random characters, for example: gdvf5yt.pl, which appear as nonsensical, but nevertheless allow the botmaster to manage their bots. While working on detection of algorithmically generated domains (we have covered cases of their usage here and here) we have found examples of domains, which are similar in weirdness of appearance to those used in botnets, but are utilized for different – legitimate – purposes. Identification of these domains is useful in elimination of large number of false alarms in DGA botnet detection systems. In this entry we will describe how such domains are used in a non-malicious way and in a future post we will look into cases which can be seen as threats.

Read more

Sorry, but this post is not available in English

20 March 2015 Łukasz Siewierski

Read more

Another year, another wave of home router hacks

11 March 2015 alex

While researching incidents that are reported to us, we encountered a new campaign of attacks against Internet banking, this time utilizing hacked home routers.

This is a variant of a method we have first observed more than a year ago. The criminals take over control of a home router and change the DNS settings so that instead of ISP-provided DNS server addresses, devices obtaining DNS settings from the router use criminals’ DNS server.

The criminal DNS server works the same way as the legit one, with one exception – when a customer connects to Internet banking service, the browser is directed to criminals’ provided proxy server that intercepts the traffic between the user and the bank. The connection between the user and the proxy is downgraded from HTTPS to HTTP so the criminals can intercept banking credentials and steal funds from the bank

What is new is that connections between the proxy and the banking service are not direct, but are routed through the hacked routers, so from the point of view of the bank they are coming from typical consumer connectivity address ranges and thus raise no suspicions.

The routers are hacked by brute-forcing passwords of administrative interfaces (Telnet, SSH, WWW) reachable from the Internet.

To protect yourself from this kind of attack, disable WAN access to the router’s administration web panel.

Indicators of compromise: hacked routers distribute other than ISP-provided IP addresses as DNS addresses for devices that use DHCP network configuration. Recent examples of malicious DNS servers: 188.132.242.156 and 94.242.202.187. Please report such occurances using our incident report form.

(BT, JAU)

ENISA publishes report on actionable information

19 January 2015 pp

iBanking is back in Poland

16 January 2015 Łukasz Siewierski

CyberROAD – Invitation to participate in the project survey

31 December 2014 przemek

Server-side n6 code released as open-source

29 December 2014 pp