Tag: DNS

How non-existent domain names can unveil DGA botnets

Date of publication: 01/10/2015, piotrb

dga_icon

Domain Generation Algorithms are used in botnets to make it harder to block connections to Command & Control servers and to make it difficult to takeover botnet infrastructure. The main objective of these algorithms is to generate a big number of different domain names which usually look random, like

<span class="text">pkjdgjwzcr.pl</span>

. Only some of them are registered by a botmaster, however compromised hosts tend to query all of them until they find a working domain. As a result bots can receive a big number of non-existent domain name responses (in short: NXDomain). In this entry we will show how such behavior can be utilized to detect DGA botnets using examples of different detection methods.
Read more

DGA botnet domains: on false alarms in detection

Date of publication: 17/04/2015, CERT Polska

dga_icon

Domain Generation Algorithms are often used in botnets to create specially crafted domain names which point to C&C servers. The main purpose of this is to make it more difficult to block connections to these servers (for example with domain blacklists) or to protect the C&C channel (and botnet itself) from a takeover. Often domains generated this way are composed of random characters, for example:

<span class="text">gdvf5yt.pl</span>

, which appear as nonsensical, but nevertheless allow the botmaster to manage their bots. While working on detection of algorithmically generated domains (we have covered cases of their usage here and here) we have found examples of domains, which are similar in weirdness of appearance to those used in botnets, but are utilized for different – legitimate – purposes. Identification of these domains is useful in elimination of large number of false alarms in DGA botnet detection systems. In this entry we will describe how such domains are used in a non-malicious way and in a future post we will look into cases which can be seen as threats.
Read more

Another year, another wave of home router hacks

Date of publication: 11/03/2015, CERT Polska

While researching incidents that are reported to us, we encountered a new campaign of attacks against Internet banking, this time utilizing hacked home routers.

This is a variant of a method we have first observed more than a year ago. The criminals take over control of a home router and change the DNS settings so that instead of ISP-provided DNS server addresses, devices obtaining DNS settings from the router use criminals’ DNS server.

The criminal DNS server works the same way as the legit one, with one exception – when a customer connects to Internet banking service, the browser is directed to criminals’ provided proxy server that intercepts the traffic between the user and the bank. The connection between the user and the proxy is downgraded from HTTPS to HTTP so the criminals can intercept banking credentials and steal funds from the bank

What is new is that connections between the proxy and the banking service are not direct, but are routed through the hacked routers, so from the point of view of the bank they are coming from typical consumer connectivity address ranges and thus raise no suspicions.

The routers are hacked by brute-forcing passwords of administrative interfaces (Telnet, SSH, WWW) reachable from the Internet.

To protect yourself from this kind of attack, disable WAN access to the router’s administration web panel.

Indicators of compromise: hacked routers distribute other than ISP-provided IP addresses as DNS addresses for devices that use DHCP network configuration. Recent examples of malicious DNS servers: 188.132.242.156 and 94.242.202.187. Please report such occurances using our incident report form.

(BT, JAU)

Large-scale DNS redirection on home routers for financial theft

Date of publication: 06/02/2014, CERT Polska

malware-mitr

In late 2013 CERT Polska received confirmed reports about modifications in e-banking websites observed on… iPhones. Users were presented with messages about alleged changes in account numbers that required confirmation with mTANs. This behavior would suggest that some Zeus-like trojan had been ported to iOS. As this would be the first confirmed case of such malware targeting the platform, and at the same time it targeted Polish e-banking users, it immediately attracted our attention. Internally we have come up with several scenarios of how it might have happened, but unfortunately were not able to gather enough first-hand data about the case to rule out any options.Read more

A quick look at a (new?) cross-platform DDoS botnet

Date of publication: 16/12/2013, CERT Polska

malware-icon

At the beginning of December we started to observe a new botnet spreading on both Linux and Windows machines. In case of the Linux operating systems, the bot was installed through an SSH dictionary attack. The attacker logged in to compromised server and simply downloaded and executed a bot file. The malware itself is relatively simple – its only functionality is to perform DDoS attacks, mainly DNS Amplification. There is also a version targeting the Windows operating system, which installs a new service in order to gain persistence. The antivirus detectability is fairly high for Windows version: 34/48, while the Linux version is detected by only a couple of antivirus solutions: 3/47.
Read more

Citadel plitfi botnet report

Date of publication: 15/04/2013, CERT Polska

At the end of February 2013 Polish Research and Academic Computer Network and CERT Polska took over 3 domains used by one of the Citadel botnets, known as “plitfi”. All the network traffic from these domains was directed to a sinkhole server controlled by CERT Polska. Today we publish a report outlining the details of the takedown and our findings.
Read more

Otwarte serwery DNS – najlepszy przyjaciel ataków DDoS

Date of publication: 28/03/2013, CERT Polska

OpenResolver

DDoS via DNS?

Ataki DoS (denial-of-service) znane są od dawna. Jedynym ich celem jest sparaliżowanie infrastruktury teleinformatycznej ofiary – a co za tym idzie uniemożliwienie świadczenia usługi w sieci. Jedną z najbardziej popularnych form tego ataku jest wersja rozproszona – DDoS (distributed denial-of-service).

Od kilku dni trwa jeden z największych znanych do tej pory ataków DDoS. Jak donoszą media (np. BBC NEWS, The New York Times) wielkość ataku dochodzi do 300 Gbps (gigabitów na sekundę!). Co ciekawe do przeprowadzenia tego ataku zostały użyte otwarte serwery DNS. W jaki sposób?

Read more

Virut botnet report

Date of publication: 21/02/2013, CERT Polska

At the end of January and the beginning of February 2013 NASK (Research and Academic Computer Network) — the .pl ccTLD Registry — and its security team CERT Polska took over 43 .pl domains used to control the Virut botnet and to spread malicious applications. As a result of this action, all traffic from infected computers to the Command and Control servers were redirected to the sinkhole server controlled by CERT Polska.
Read more

DNSChanger – sprawdź swoje ustawienia DNS!

Date of publication: 01/03/2012, CERT Polska

dnschanger

System DNS jest to usługa dostarczająca informacji na temat nazw domenowych. Jej głównym zastosowaniem jest tłumaczenie nazw domen – czytelnych i łatwych do zapamiętania przez człowieka – na adresy IP – czytelne i łatwe do interpretacji dla komputera. Dostarcza ona również różnych innych informacji, takich jak np: który serwer obsługuje pocztę dla danej domeny. Śmiało można powiedzieć, że DNS jest usługą kluczową jeżeli chodzi o działanie internetu. Bez prawidłowo działającego serwera DNS praktycznie nie byli byśmy w stanie odwiedzić żadnej strony internetowej ani wysłać żadnej wiadomości e-mail. Nasz komputer nie wiedziałby z jakim adresem IP należy się połączyć, aby wysłać zlecone przez użytkownika polecenie. Oczywiście z każdym serwisem nadal można by łączyć się podając bezpośrednio jego adres IP, ale było by to strasznie niewygodne. Istotną jest również aby informacje docierające do nas z systemu DNS były prawdziwe i pochodziły z zaufanego źródła. Nic więc dziwnego, iż pojawiło się złośliwe oprogramowanie, które atakuje ten właśnie element.

Read more

12