Combating Malware is a herculean task, one would admit. There are many things that go into it , decryption of the logic used, identification of the IP addresses, domain-names, and signatures. Majority of the antiviruses depend on these methods to block the malware. Many of the researchers go to the extent of tracking the domains and the IP addresses used and then try to bring down these domains / IP addresses.
There are a few things which one needs to be aware of :
1: Botnets use CnC servers which are hosted on various IP addresses and a domain-name is used to communicate with these CnC servers.
2: Fake-AV / BHEK and many other exploit kits use numerous preregistered domains and quite a lot of IP addresses to assist them in the nefarious activities.
The reason for using multiple IP addresses and multiple domains is:
1: When domains are blocked by AVs , new domains are used which will point to the same IP address
2: When IP addresses are blocked / cleaned , then the domains are made to point to newer IP addresses
3: When both of them ie. IP address and the Domain-names are blocked, new domains and IP addresses are procured and the cycle of infection goes on.
4: Most of the time, CnC servers are hosted on servers / IP addresses belonging to these bad-actors, they rarely use a hacked server to serve malware. Mostly, hacked servers are used to host the obfuscated JS with a redirection or an IFrame pointing to a rogue Domain Name. When it comes to infections sent via email, then the probability of finding the rogue Domain Name / NS is very high.
5: The infrastructure which belongs to these bad-actors is
a: Domain Names
b: IP addresses / VPS – virtual private server
For past few days, I have been closely observing this activity, which ultimately resulted in the take-down of quite a few domains.
Requisite tools: nslookup / dig, whois and a few web-services like the ones provided by webboar.com / dailychanges.com / domaintools.com and the Google Search.
To begin with, we pick up the offending domain from any of the globally available malware lists and process it as follows:
> dig domain-name ANY
extract the Name-Server and the A Record details
> whois domain-name
Extract the Creation date, Registrant email-id and Registrant ID
Conduct dig and whois on the domain-name of the name-server and extract the Name-Server , Creation Date, Registrant email-id and Registrant ID.
Find all the domains based on the search criteria mentioned below, using any / all of the web-based services which have been mentioned above:
B: Registrant ID
C: Registrant Email-ID
D: IP address of the offending Domain-Name
The domain-names procured from the third-run will now have to be processed and comparisons have to be drawn.
Before I move ahead, a brief explanation about the various data-fields which have been extracted.
1: Name-Server – this is the base of all DNS queries. Every domain-name which has to serve content , has to have a name-server. Name-Server tells the client about the exact location i.e. the IP address from where the content will be served or processed.
a: In order to send email, the mail server needs to know the SMTP server responsible for processing mails pertaining the specific domain-name.
b: for browsing a web-site, the browser needs to know the IP address of the web-server.
All this information is stored and served by the Name-server. Bad-Actors, prefer to host their own DNS infrastructure / servers , as it is easy for them to update the NS records and manage the entire malware campaign.
We will be using the basic fundamentals of DNS and the MO used by Bad-Actors to investigate malware-domains.
2: Domain Name – Bad-Actors, use Domain-name for multiple purposes, as far as we are concerned, we are more interested in the Registrant-ID, which is provided by the registrar. Registrant-ID differs from registrar to registrar, hence exercise caution.
3: Registrant-ID – When a domain is being registered, registrar provides a unique id to identify the creator of the domain. This id differs from registrar to registrar. However, it has been observed that Bad-Actors, often use “Bulk Registration” to register a few dozen domains, which are later-on used for spreading / deploying malware.
4: Registrant email id – The email ID is a per-requisite for successfully registering a domain-name, as login details, payment details and other registrar related transactions are conducted. It has been observed that Bad-Actors, during “bulk registrations”, will choose different registrars however will use the same email-id for registrations.
5: Domain Creation Date – This field can be extracted using the whois service. Almost all the domains which belong to the rogue DNS/NS schema, will be very young domains ie. 2 days or 3 days old and sometimes 3-4 months old. Bad-Actors, will immediately start the campaign, once the domains have been registered and attached to a name-server. They normally wait for 2 days after the domain has been registered in order to allow the domain records to propagate.
6: IP address – Without an IP-Address, a malware domain will cease to exist. Bad-Actors use globally distributed servers alongwith the IP addresses and distribute the registered domain and the name-servers to these servers. It is a known fact that cleaning of IP address is the hardest of all tasks and due to this reason, an IP address will be used in multiple campaigns. Only the domains and the name-server domains are changed quite often.
Sometimes during investigation, you may come across non-responsive domains, as the servers hosting these domains are down.
1: In case, you observe a name-server related activity, and all the evidence points to particular registrars, contact them via the abuse section.
2: In case, you observe a country-tld, then contact the CERT of that particular country. As there many be different registrars involved in registering these domains, however, CERT of that particular country are responsible for all the domains belonging to their country-tld.
3: Google Search and other online resources will provide you with bulk of domains, Name-servers or IP addresses. However, CERTs or Registrars have a better access to the above mentioned information. If it takes a researcher 3-4 hours to come up with the list, CERTs/registrars can pull it up in no time.
The CERT List:
The Anti-Abuse Policy of a few registrars:
Came across the Evil-NS/Rogue-DNS schema during one of the week-end crusades of #MalwareMustDie and hence this blog-post was required to teach each and everyone interested in fighting malware. Over a period of time, this method of detection has been perfected and I can assure you that it is possible to identify all the domains associated with a malware campaign within 24 hours of its initial infection.
Secondly, most of the newer infections have a very short duration 6-7 days hence it is imperative for us to look into various resources/directions to combat / detect malware. Relying on URL / Domain DB can be a costly affair.
Since this blog-post speaks about finding patterns, an analyzer utility will just do the trick and very soon, I will be releasing an analyzer utility for a select few.
The next blog post will contain some live examples and CERTs/Registrars response.