Botnet C&C Handling with DNS Sinkhole

Jeong, Hyun Cheol hcjung@kisa.or.kr

Contents

I. Background II. Introduction of DNS Sinkhole III. How to Build up DNS Sinkhole IV. Epilogue
-1-

I. Background
Malware in Korea
Threat Level

2003.1.25 Slammer CIH (99) Worm Explosion

)

Mal. BOT
) Phishing )

Virus

Worm 2000 2002 2004 2005

Ad/Spyware

2006

Virus Enhanced Propagation

Worm Enhanced Control

Bot

-2-

I. Background
Botnet is the Cyber Army for the Attacker
Many zombies + Strong control

Botnet are used for the following purposes

Infect other computers Steal sensitive information Send spam Conduct DDoS attacks
Give me money or I will do DDoS your site

Bot C&C usually uses Dynamic DNS name

Zombie PC can connect Bot C&C through DNS query

-3-

II. Introduction of DNS Sinkhole

Before After

-4-

II. Introduction of DNS Sinkhole

Scenario
Zombie C&C DNS RR Update

Zombie C&C Resol ution

Control Syste m
Sinkhole conne ction

Internet

Sinkhole IP noti fication

Zombie PCs

ISP DNS

-5-

III. How to Build up DNS Sinkhole

1. Collecting BotNet C&C information 2. Applying DNS RR in ISPs DNS Server 3. BotNet monitoring and Response

-6-

III. How to Build up DNS Sinkhole

1. Collecting BotNet C&C information From KISA Honeynet DNS logs From KISA malware collection system From other sites dns-rr list Incidents from KrCERT/CC

-7-

III. How to Build up DNS Sinkhole

1. Collecting BotNet C&C information
From KISA Honeynet DNS logs
KISA Honeynet DNS is Located in honeynet and ho neypot PCs use it Save unique domain name in the DNS query log Automatically collect C&C domain name, IP addres s, and port We can get about 20-30 unique domain names, a nd get 1-2 new Bot C&C sever everyday
ph33r.asian-heaven.net www.pixpond.com yutunrz.1dumb.com Unity1.besley.info 64.xxx.xxx.124 85.xxx.xxx.250 143.xxx.xxx.107 220.xxx.xxx.213
-8-

2006-04-06 00:17:16 TCP 6667 2006-04-06 05:00:43 TCP 80 2006-04-06 18:58:00 TCP 80 2006-04-06 21:04:54 TCP 55166

III. How to Build up DNS Sinkhole

1. Collecting BotNet C&C information From KISA malware collection system
Collect hundreds of malware samples every day Send samples to Norman SANDBOX
We send about 200 samples everyday We can get about 10-20 Bot C&C server IPs, and get 1-2 ne w Bot C&C sever
File Name Hash Malware Name

Malware Collection System

-9-

III. How to Build up DNS Sinkhole

1. Collecting BotNet C&C information Make a DNS RR file of Bot C&C
Compare it with yesterdays file, make a new DNS RR file
[root@KNSP] head total.uniq.dns.rr.txt a11.je34ke5.net adidas.lookin.at 0x0.foolishfoe.biz a7nateam.etherdata.com afterlife.fw.nu 0x80.my-secure.name a.botdot.tk
-10-

III. How to Build up DNS Sinkhole

2. Applying DNS RR in ISPs DNS Server
Major 10 ISP/IDC are Applying our DNS RR file
DNS RR File is shared through our closed web site If the zombie PCs are querying for Bot C&C, ISPs DNS sends o ur sinkhole IP More medium/small size ISP will be Applying our DNS RR file

Over than 6,000 domain names Sinkholed since 2006

About 1,300 Active C&Cs are remained everyday

-11-

III. How to Build up DNS Sinkhole

2. Applying DNS RR in ISPs DNS Server What should do in the ISP
1. Insert following in named.conf
include "/var/named/forward_black.conf";

2. Get forward_black.conf file from our web site (Once a day)

zone "ad.kardun.com" IN { type master; file "/var/named/forward/black/xx.com"; }; zone "aap.bla.widge.org" IN { type master; file "/var/named/forward/black/xx.com"; }; zone "a11.je34ke5.net" IN { type master; file "/var/named/forward/black/xx.com"; };

-12-

III. How to Build up DNS Sinkhole

2. Applying DNS RR in ISPs DNS Server What should do in the ISP (cont.)
3. Make zone file for xx.com
$TTL 600 @ IN SOA localhost root ( 2005090815 ; serial (d. adams) 3600 ; refresh(1H)

;; Omitted ;; Server ;; @ IN

xxx.xxx.xxx.10

4. Tell the nameserver to read in the new zone f ile (Once a day)
$ rndc reconfig
-13-

III. How to Build up DNS Sinkhole

2. Applying DNS RR in ISPs DNS Server
Role of KrCERT/CC
Collect & Update DNS RR List Upload DNS RR File (forward_black.conf)

Role of ISPs
Download DNS RR File (forward_black.conf) Reconfigure name server

Consideration
DNS RR should not be duplicated, otherwise Name S erver may cause error It takes 1~2 seconds for reconfiguring Name Server

-14-

III. How to Build up DNS Sinkhole 3.BotNet Monitoring & Response

Bot C&C Server IPs Bot Infected IP Search

Bot Infection Nation top5

Bot Use Port top5

KrCERT/CC Monitoring Room

Status of Bot connection

-15-

III. How to Build up DNS Sinkhole 3.BotNet Monitoring & Response

Manage the Botnet Sinkhole Network
Collecting & Updating Bot C&C

Alarm when malicious activity is detected at the Sinkhole network

Get C&C server IP from IDS signature JOIN and get channel n ames from captured packet If we find some malicious keywords in the packet payload, alarm it

Making BOT infected IP statistics from each ISP

Get SrcIP addresses, classify according to ISP and inform it

Making BOT infected IP statistics for each Bot C&C

-16-

III. How to Build up DNS Sinkhole 3.BotNet Monitoring & Response

Bot removing project discontinued
We already sinkholed more than 80,000 Bot s We can remove them with bots remove c ommand But after discussion several times with ISPs and a lawyer, we gave up
Because, there are some legal issues.

-17-

III. How to Build up DNS Sinkhole 3.BotNet Monitoring & Response

We Inform ISPs about their Bot C&C and Zombies
But, ISP just forwarding it to their customer Most of Bot C&C or Zombie IPs are hacked and the IPs own er didnt know how to fix it So, We provide following services to the internet users
Remote PC Checking Servi ce PC Auto Security Update P rogram Free Virus Vaccine

-18-

IV. Effect
Bot-infected computers by country
1st 2nd half 2005 1st half 2006 2nd half 2006 A 26% C 20% C 26% 2nd B 22% A 19% A 14% 3rd C 9% B 7% D 6% 4th D 4% J 6% H 6% 5th KOREA 4% D 6% G 5% 6th E 4% H 4% B 4% 7th F 3% KOREA 3% J 4% 8th G 3% G 3% L 3% 9th H 3% K 3% K 3% 10th I 2% I 2% E 2%

< Source : Symantec Internet Security Threat Report >

-19-

V. Epilogue
Need information sharing & International Co-Response
Bot C&C

Zombies are inter-AS a DNS Sinkhole nd inter-country

DNS Sinkhole

Sinkhole Server

-20-

V. Epilogue
Our sinkhole server is secure?
Bot Herder can detect Sinkhole
When Bot Herder detect his bots are Sinkholed, he distribut es new bot and makes another botnet Actually we met one Bot Herder in our Sinkhole network Some Bot herder do DDoS to our Sinkhole Server

-21-

V. Epilogue
Need more proactive response
Not enough just informing that you are infecte d
They said so what?

Provide tools and services so they can fix the mselves Fix the infected PCs
But we should consider our countrys law and rece ive the agreement from the user

-22-

Thank you !!
http://www.krcert.or.kr hcjung@kisa.or.kr

-23-