Friday, 20 February 2015

DNS Fast Flux - Analysis and Detection

Malware is an increasing problem, and it often uses DNS fast flux to talk to its boss (its command-and-control server). I wondered how to detect fast flux on a network and found the tool dns-mole. I want to find more tools and compare them to find the best one. For this I need PCAP files containing fast flux, so that detection on the same PCAP files can be compared between all the tools. I found the malware samples listed below and ran them in VirtualBox virtual machines. The samples try to connect to many addresses, and some use a slightly different way than others. I created 23 PCAP files, and each of them contains a slightly different type of DNS fast flux.

I tried the tool dns-mole, but I have problems with it. With the default configuration file it doesn't crash, but it doesn't detect anything either. With a configuration that has the correct subnet it usually crashes, and still doesn't detect anything.

Default setting:

Setting with correct subnet:

I sorted my PCAP files into these folders:
flux_netbios - the NetBIOS protocol is used instead of DNS
flux_no - no DNS Fast Flux
flux_no_othertraffic_netbiosflux - no DNS Fast Flux for the monitored computer, but other computers generate NetBIOS fast flux
flux_yes - DNS Fast Flux
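To show what a detector such as dns-mole has to do with these captures, here is an added example (my own code, not dns-mole's and not part of the original post) that parses DNS responses in wire format and applies the usual fast-flux heuristics: a name that keeps resolving to new addresses across successive lookups, those addresses spread over many different networks, and a short TTL. The thresholds (at least 5 distinct IPs, at least 3 distinct /16 networks, TTL of 300 seconds or less) and the sample responses are constructed for the example; real input would be the DNS answers extracted from the PCAP files.

```python
import struct
from collections import defaultdict

# --- Encoder: used only to construct sample DNS responses for this example ---

def encode_name(name):
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_response(qname, ttl, ips, txid=0x1234):
    """Build one DNS response with A records for qname (constructed sample data)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # type A, class IN
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        answers += bytes(int(o) for o in ip.split("."))
    return header + question + answers

# --- Parser: what a detector reads from captured DNS traffic ---

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                     # resume after the first pointer
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_response(msg):
    """Return (qname, [(ttl, ip), ...]) for the A records of one DNS response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname = ""
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                                  # skip qtype and qclass
    records = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:             # A record
            records.append((ttl, ".".join(str(b) for b in msg[off:off + 4])))
        off += rdlen
    return qname, records

# --- Heuristic scoring (thresholds are assumptions for this example) ---

def flux_score(responses, min_ips=5, min_nets=3, ttl_limit=300):
    """Per name: distinct IPs, distinct /16 networks, lowest TTL, and a verdict."""
    ips = defaultdict(set)
    min_ttl = {}
    for msg in responses:
        qname, records = parse_response(msg)
        for ttl, ip in records:
            ips[qname].add(ip)
            min_ttl[qname] = min(ttl, min_ttl.get(qname, ttl))
    report = {}
    for qname, addrs in ips.items():
        nets = {".".join(ip.split(".")[:2]) for ip in addrs}   # crude /16 spread
        verdict = (len(addrs) >= min_ips and len(nets) >= min_nets
                   and min_ttl[qname] <= ttl_limit)
        report[qname] = {"ips": len(addrs), "nets": len(nets),
                         "min_ttl": min_ttl[qname], "fast_flux": verdict}
    return report

# Constructed sample traffic: one name that fluxes across lookups, one that is stable.
SAMPLE_RESPONSES = [
    build_response("update.example-flux.test", 60, ["10.1.2.3", "10.45.6.7", "192.0.2.10"]),
    build_response("update.example-flux.test", 60, ["172.16.9.9", "10.200.1.1", "198.51.100.5"]),
    build_response("update.example-flux.test", 60, ["203.0.113.77", "10.1.2.3"]),
    build_response("www.example-stable.test", 3600, ["192.0.2.1", "192.0.2.2"]),
    build_response("www.example-stable.test", 3600, ["192.0.2.1", "192.0.2.2"]),
]

if __name__ == "__main__":
    for name, info in flux_score(SAMPLE_RESPONSES).items():
        print(name, info)
```

The same heuristics will also fire on legitimate round-robin or CDN names, which hand out many addresses with short TTLs, so the thresholds have to be tuned against captures known to contain no flux, which is exactly what the flux_no folders above are for. The example only looks at DNS; the NetBIOS name resolution in the flux_netbios captures would need a separate parser.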

I ran the following malware samples:
8a628cb112872fb1f1ab66e202aeee8a
09a6205e4f67cc6c603f011c6a63f360
442a2357a6632e8e030797938d157a15
9d228daaca4722c698e38b105332439e
7cadb02628e00bc0358cd60cb8a34348
11520b965456b2a9d19f225fdaa87026
5b175d6c95ac1ea840f3aa6da5e0c984
0d91c054464a0b0e46acbe468e5dddc2
78b7fd4da798c6976db968e9079370a4
2f7afbc38b91a73de95dd0254445ff8b
4112077560169ef1b429b0abe7f53725
382db0a5f98db32154038aa9ae7b3d44
d0b456365097cf1fe84cef436d7e362d
8bb2f937cecc5113543a0dcc5986f9cb
b0b62f450e71427002acc93e1fa7f83a
ffead3bd3b21f19b54a8567f7f4bf781
5ecb1e0d2a63b430277df20bf36d43d0
1cd7a40ded04ab143362c30864085d69
014705568277d617b2012dc352056118
1cee3af66b2cfd0b16736300cb89c368
1d18f4fa766cbcd5bd7e5d4748a0eb33
1dc5cd13d90d1e370c64c7f4138788ab
1fd60434ae978e04c7fb328aa6cb11df
2afcebdf43944620b389a129712878b6
2b2a7b89e9a68e98c39576799b2ae728
2b8c325cac6e1bbca7f08c35653e6265
2c50fa02020a7e407b693bc819f33e58
2cec0209b7659d239bc7501ffa50fab1
04bf07c50d61924b9e2424ba0310eb00
20232447393a28575e145f0befafb88e
21eb1c271253d62de2b43376b08e59b5
24a1d956a27fbbf5ee36ace0873258b4
24f2d5ec1d38d7d811aa6dbb3a23dbdf
29ad5e224a9dd5c45bde82b2c17a6cac
228b30eccf0d8f21bfdd34193d88944e
309f7109f49f7f6b348cbafb597f33cd
327a177f445d0bf450667d33f72ca9c1
345b4f1388c3a9b7387dc261252a5b53
0578c970301f33aa438bd2387a018ae1
0dfe69857a973064e7d043f8b326076b
0c564d983223d714094d1b04deeefa72
171d5af7cffb6cc0ec3d82eed42e963d
30f84a26e1834cd06be2aab4d1e71adc
20bf3cdb95a37db618a9e4eb1ac68047
0089ea1a0abceb5ad4d6f87606af8cf0
33b926257632d3aa6b52707f3519c46d
19e3b6315137f78ad0ce999d26c66ff8
18e79177f7603d8d78d6a4152258bc53
172fae740cd12656e2c729a75b2443bf
10c5f8b9d9af550dc332cc416e329594
05dcf09af3460b0c63b4d17df6c12cab
01b6d930ee1dcc83c60d18777df4f181
8abaf233ef5ab09f0f0e2396dbd6e470
41ad096cba55de9bf1c2c789a74b9c24
c03aafa57cf28b545051d2c249e24276
8c529c6d9289c41258b386fc005f9e36
e19ed3e0d7f7988a6894e8debbdd1e2e
2e5e8700b884e2ea18bff3d1d73d730c
341998897d1bb0f24d3c164c2b806cd3
002324426760b1dce66e8e3af0488bdc
1a6f75c7325ef1bce3d14f7eea5b0d74
1a9bee0b7f9e7ce4b2e91460088205f6
1a78224f234dcd00f897c22fb87445dd
1b5389905b0c0d2c41614b34da136147
1c2a7b31bd8037030d56a4edd9ba3bf5
bc1f0144fcf44b9511f7b89834b63cfb
38884379eca6cc10fd0b4a5b43a162bd
60a2216276c9cb51532427590716163a
4fbd7a565d49f7b7e14be858f5e40c21
3c3da87c2a171da05d9c4ccbc4b18496
57b226751b921c75812e5b90d8d0b7f3
af81ae6b52bfe81dceadec305e18d0c1
80615bbc4397aeb0a342ee029d65691a
76f2d06a50855ad92296db0893de776f
488a39acaf1f5862baa99a4ec6fc0a16
53424a8d491bb28d1a9feb3c0057ee38
4aed84babb1f9d5db28bfa3694d883ad
28be38044f15f81c801d48da853ff668
533c92d45008dbf0c9874473ed9f9f3c
3a92770d766f71c97a5859b43fe957b1
1642786d9422192bb509c55ea5db1413
b6f9e5a3a5b9d8a1fb8b65cc8f8b85e3
ce736197b51c392e738189a1fb5eb71c
e99d0362c51187adfc5183325840ba5a
6c86aaf45ccf59d57fa2d5beaf25b5d2
3e12d6d1005108168584a8f8f2deaf93
8186c40e1e81a6bc3ff6b19521035374
f56083e6bae9f0b091d74365459fc253
696bf4f5df8f6343764805c42478548e
a1662f435439aad1cfe6e82b1f6795d5
5b233c23f2c28db5c2302217074e1f32
a18c1cea4b60ea1adbff2b92158a1725
add0b9758becb5a9885eade03e7ed1ac
6350066a874dc217ce11c959e1940c65
304d72c867072a554b4a58f683877cd2
c42df26d82b85098f2084b3a9c3d0fe9
57b5886ad26cf13ab95e861d5bae67e8
1d178fb6d1747eec753eecac389135ee
1ccb1a50f6c60460fc71418e65f5f9a3
15309bff1ba8ff3be58383cba470c00f
b5f39fd464f931a62067639c97f9e5d3
b18cc791694878df3d58563b04cab9d3
29d820947773a5921742854fbfc54225
32aa0ee51de32e782165ea4c81cf59b1
3c4ce88012ebcde539764664df49eb14
2f7ad3ab9827fed4f533198c9ebff2fd
1a958588cd73938138d686432230f556
7411cfd748442e555a22268e7a0d2776
9add0c7671d053c415920b5fb12c6a0e
ef9e15c23d979dd4e163991fd510c2f8
ebeb1debd65c8a204c4d0a7e61011bc3
b1dacb18e0d8aa7630b3a9b132477bc9
f0c71cba0491058d9eace336954750a8
127b07aa8a2aa87223c4a55940cbfa33
68fc7b8b008e26214b6577c016680b41
bede85d2c654916ef50c0895c7d3ec6e
9983770cffe1b537f553209f8f8c3fd6
4c5728fce37bfaf20b801f6a1712816f
990490e2c3db663f7eb11589a47263bf
aa4d0f1ffa83cf5818e36a70d46634b9
0a66251168266c5ec01a189856c1b0e3
192e75d113b6795cd9ae61f9153a2052
9a685ef3d6dc9a8713a07dcdbb5e8fa8
97b7b26b8a1be152e137743bd59ec45d
82d0279dcd7baa0b69522fd721f0665e
424d5c6c263466e1ab90ae70c9d9948e
c08f0a530c10db65bcc9c44d9d59b6ff
cce435c87f4643f74345c051b173025b
55c54288fc6cf31ea93a71905387e7cd
34bbc3dff8b51b62998bda4647a99237
450c9cf96fa967dda8e5aa74177c897d
f0a6b412cf6ad5d9cf04f7aa8ff52fe7
eee96d2588da26e4edd4685949f3b2a9
eec33d2805992bef8a649742b766ccd9
b18e1aeca49d4beb380df2de6d65467f
9060a10d03f8d0cc04e203f72862ceca
3a81a1597ba8feb405bddb4fe6b2dcae
6ead5b909229a3054e6e241414c86131
d067c1a463544d87e54944cf3156c71d
5f54addd88c6fa06382a9098cb508dc8
62ba468b2be47c165684841cabe3b8e5
d0ea7ac8ad15f701234e20617bbd74f0
dfc73e136deb33be9045bb2058c2cba8
44a156580792dfdddf52aacf937a152c
fe504de82de3f7f6eb6a082c40aec809
79811cfa27f29a594936e9479bcc0453
b33e291059ad1b1386518882a48c5306
3dbf80b626cd192766c903d3b96eff4d
39f831a3d439fdfc91db48a9949d74d6
f1fe6730a6379de0b82510d0f9ac2678
1b0f1515eb0f35abf21f09d4b108031e
0ca648255ee78c224dd8c155b9ea1305
19c25892889d81d8b5876d7d1a89cad5
fab1e6c8ec5efdc4bec6623f124af6da
bb47a1126dd738e575f73ed92df6374c
6bd7c7d5817b2bbe9526e1ade68d327f
096bc5473670eb2269974ac20f16b3e7
98b4d9e8070ea68c64f315c69bff4687
fbba1bece223a88dd9e759c55ad254c5
25770fcca1f288435a4d69b2b72dab1f
b04f0395add4205fa71f6384d5134ab2
93502f5dccfb85d76a6b4ab186839520
94944003d8bb08445d69f041da6b2b05
506a423a25cbd4abc18edf1ac617edda
0d7f6b1b98cfac1e81feb2c335f78293
834fe3055fc1817b359adf10a6670f1e
3882d4d283f9cdf0bbdce1c094cad02b
4ba282fad58599339bde0f98009236cf
a629a7e0b69bd38778cb07b82d578329
6dd5812c8966be8d606fb8b219645491
47e1aeb5503308498c5957e8a89568a5
8e7338f9f99121ec79d25217be40c59c
da64f44381489e6cb62aaf824a0cc2a6
061476c1bbc20371e11f7e60f20fd9c5
56595f48c4accbf17d20f1de5e2d3012
0556c44935db01d26449f72ea93c4cb8
87b18d8c464e49328a6a9e8e9a66b8a9
d18fadbd452b6d5b6d28f0ad35f40dad
19d054603ac7341aabd12e3a1fe220ab
18ef6cd9eeb98ad018b75bcb84f07e1e
c00876709ae83d0a622a67211b1d5aec
5baef453b334b936937007c447e2034f
393927b9275505c8b6cdce7b41a32db3
a680993006f02d576d31532bfea74932
65d6cb10b38c2300ababefbca4a4878e
97d250012267f13a4f38abc6bfa928ee
d664a3f179e483c18e8d915b7229fdf8
1feb1bf77199b9567d90b44173f6cb31
a98ecffc4d353faabdc34024f14bf9d9
59d6bf8d28a6d5d8e18c7655bad493cb
0ce7e4c8df66209e4483b2edfc3a650d
966fcb9746b081a529aebdbceb571595
b66bf484ef5ca141a1392392d8763dad
636574f0f0515bcfbc2fa346373175a6
9d2907064175b76243570257e08dd63f
000961b9371c0f5cfdceea5e9de59bee
1189d7919b789e045a823619b9ee309d
51418d198416819efb08c6aadee8071f
4dd536cb1282182fb8c1ede56d308530
5d73a3e13742e279a95f5c88889af567
d645c0d06ea2b37df30e5223c66f039d
574b7fd2b63f3ececadbc0017a90a931
1a852b5dfc6b3607c1a4ebf3138513f4
c15b63080aeb52f4fdf47f32e01bc561
f7bce56372033895f4c0213037139195
c57f527352ca0817ccb636752079c1aa
c7ade7cb10f7e1cc28b9b7799dba3175
e099b7f12ce51bd608a56f887aef19dd
603c3077cb55e3dde7b7c90fbbe9eee4
e6d09260428e821fc5bb45ab85e864af
67ba20d5f901b11bcf9f0c74bf81645b
9bdc3150af4c850997f20e0470ac2487
747ac35af9b953749ed8851ae05714a7
023042cfad2a3f8fb999cbd369e26fe7
970cbe413cb89c275514f8e7c87e8cef
64cce0d2383903eab92a54d1d6a02805
b5809a056cb66d67168eb0847c05c562
16139a2c04ec5daa0c22db6989df9e3b
8c65a70c27c0aaaa4796c87b5d67502c
fb33b0d6650e1da5543acfd50f1b1e35
008c47f63d907c577159c6c250756bbd
1169c142927e7ada469cdad8c96dfec0
436b8790ffaf074b4c443b27ea49d5c5
6711990e5824b1b500ba0b17e88f33d2
a0f8ef26bf00a350f58920a950dccd37
02e063c691acb191f93c3defabd0c93a
e98650f01435fbd44f0489bdcf882b65
8361e0853e7924626162ceb17cc9f560
a00a95553f5b3e8ac19d5b3978ebe474
60341e589cfb74b2684a418ccaadecda
8b61e02097ea3e467e9f0862905c0e89
1462625fd8ac2ddb46d4185b2d2201b7
d9e3d73115c56922b2a48db282cc6ccf
7f1501a3caf11649bbbb69c690819813
a5b9b36b257ad6314b98c8aed7f93a57
863729c45b826d7f2267838b34e0bd8e
affd630e0a8ac0063c985bcf935a11de
6e787b35f4926304e0c573305cd3bfb8
dac364aa63b18d208cc64986de5fb3a6
b9e89562cf7ba9468c54464be0d51818
25d9dbb2dccdb19c6d1947155656b89e
039364bda1241885b680ff5c786c3577
2a26510f56b3feca8b2d684a77d1dcb3
29d6aff85b087713895d7ccb829635c9
a1f726190eae744d73f5f1dc41cdce72
c623dfa60516accd9ddf9df100b68799
41d4d2e97d92e23a40a49888a1f24666
56e6a9b783abdeef30dbd3f89bdbac8c
3aa92d745b03f028206ad37372dda2e2
75a7f395e2e14fd1290703459531d4cd
c9e1b9c18a3e65748b902107af36d111

Update: re-uploaded to Dropbox. Apparently, depositfiles doesn't work well. You can download them here.

I wanted to ask only my friend, but then I thought that by writing this blog other people can help me too.

1. Please, are there other DNS Fast Flux detection programs?

2. Please, why doesn't dns-mole work?


Please comment and share more fast flux detection tools. Sorry for my English, it is not my native language.


Lew Szulc
