11.24.2017

Malware Domains and Botnet Jacking

Okay, now some of you white hat "the rules make ethics" types may not like anyone discussing it, but let's do this. Domain and botnet jacking, as it pertains not only to threat actors but to blue teamers as well. In this thread we discuss how a simple script can find domains to take over, how to monitor changes in botnets, and how to identify the way people build their domain resolution pools. Protip: a lot of people just fake it. That 200-bot domain is actually more like 4 and a VPN, at best. But we're not actually messing with that yet.


We start today with this little bit of nonsense. It's a simple Python script designed to build a web page from domain resolution tracking. The page lists a number of domains and how their resolution changes over time.

import time
import dns.resolver  # dnspython (on 2.x, dns.resolver.resolve is the non-deprecated name)

lists = [
    # fill in the domains to track, one string per entry
]
filetowrite = "/var/www/html/index.html"
failedtowrite = "./faileddomains.log"
initialinfo = "<html><head><title>DomainTracking</title></head><body>Begin Run<br>Domain ip loggedtime<br>"
# start each run with a fresh page and an empty failure log
open(filetowrite, "w").write(initialinfo)
open(failedtowrite, "w").write("")
while True:
    for i in lists:
        try:
            # first A record only, plus the time it was seen
            ip = str(dns.resolver.query(i, "A")[0])
            with open(filetowrite, "a") as f:
                f.write(i + " " + ip + " " + time.strftime("%T-%x") + "<br>")
        except Exception:
            # NXDOMAIN, timeout, etc.: record the domain so it can be checked by hand
            with open(failedtowrite, "a") as f:
                f.write(str(i) + "\n")
        time.sleep(5)
    time.sleep(30)


Then we have a cron job (every 15 minutes) for the following. This grabs the information (left as curl instead of just reading the file, to show that this can be pulled from a remote repository as well, hint hint). The data is split into lines, then only the domain and resolution are kept (leaving the time out of it).

*/15 *  * * *   root    curl http://localhost/|sed s/"<br>"/"\n"/g|awk '{print $1, $2}'|grep -iv "<html\|Domain ip"|sort |uniq > /var/www/html/useful.log
Image of that page:


Being able to see how different domains vary across multiple IPs is important, as it helps us identify the range of infrastructure behind each domain or group of domains. It's a tool not just for researchers, but for bad actors as well. Having some form of automated visibility into everyone else's actions is key for most people, and you can do it with a super easy setup. Now for the next piece: seeing which of those domains is available. There are a number of ways to do this, so you're on your own to find those, but I did catch an easy way to determine their prior usage, which may change how the domain can be leveraged by you, for good or evil.


In this situation, I compared this against the malwaredomains blacklist, since it specifies why the domain was blacklisted.

You can also check VirusTotal, Hybrid Analysis, etc. for these domains. You'd be surprised how many people are still infected years later by some domains (such as free-inet-help, or abandoned No-IP domains).
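Added example, not code from the original post: it takes the "domain ip" lines that the tracker and cron pipeline above produce, groups domains by the IPs they resolve to (the "resolution pool" view), diffs two runs to surface changes, and annotates each domain with the reason from a blocklist, as in the malwaredomains comparison above. The snapshots, the `.invalid` domain names and the tab-separated blocklist layout are all constructed for the example; the blocklist format is an assumption, not the real malwaredomains.com layout.

```python
"""Added example (not from the original post): analyse 'domain ip' lines
from the tracker, group domains by shared IPs, diff two runs, and attach a
blocklist reason to each domain. All sample data is constructed."""
from collections import defaultdict

# Constructed snapshots in the useful.log format ("domain ip") from two runs.
SNAPSHOT_OLD = """\
example-c2-one.invalid 192.0.2.10
example-c2-two.invalid 192.0.2.10
example-c2-three.invalid 192.0.2.11
example-c2-two.invalid 198.51.100.5
"""

SNAPSHOT_NEW = """\
example-c2-one.invalid 192.0.2.10
example-c2-two.invalid 192.0.2.10
example-c2-three.invalid 203.0.113.7
example-c2-four.invalid 192.0.2.10
"""

# Constructed blocklist, "domain<TAB>reason" (hypothetical layout, not the
# real malwaredomains.com file format).
BLOCKLIST = """\
example-c2-one.invalid\tbotnet_c2
example-c2-three.invalid\tphishing
"""


def parse_snapshot(text):
    """Return {domain: set(ips)} from 'domain ip' lines; malformed lines are skipped."""
    pools = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        pools[parts[0]].add(parts[1])
    return dict(pools)


def shared_infrastructure(pools):
    """Invert the mapping to {ip: [domains]}, keeping only IPs used by 2+ domains."""
    by_ip = defaultdict(set)
    for domain, ips in pools.items():
        for ip in ips:
            by_ip[ip].add(domain)
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) > 1}


def diff_snapshots(old, new):
    """Per-domain changes between runs: IPs added or removed, new or vanished domains."""
    changes = {}
    for domain in sorted(set(old) | set(new)):
        before, after = old.get(domain, set()), new.get(domain, set())
        if before != after:
            changes[domain] = {"added": sorted(after - before),
                               "removed": sorted(before - after)}
    return changes


def parse_blocklist(text):
    """Return {domain: reason} from the constructed tab-separated blocklist."""
    reasons = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 2:
            reasons[parts[0].strip()] = parts[1].strip()
    return reasons


def annotate(pools, reasons):
    """Attach the blocklist reason (or 'unlisted') to every tracked domain."""
    return {d: reasons.get(d, "unlisted") for d in sorted(pools)}


if __name__ == "__main__":
    old, new = parse_snapshot(SNAPSHOT_OLD), parse_snapshot(SNAPSHOT_NEW)
    print("shared IPs:", shared_infrastructure(new))
    print("changes since last run:", diff_snapshots(old, new))
    print("blocklist reasons:", annotate(new, parse_blocklist(BLOCKLIST)))
```

Feed it the contents of two successive copies of useful.log and the `shared_infrastructure` output is what exposes the "200 domains, 4 IPs" pattern: every domain that lands on the same IP is one pool. Because the tracker records only the first A record per query, a domain that rotates through several addresses accumulates them across runs, so the diff is where a move to new hosting shows up first.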

When I say that only malware authors, criminals, or attacking governments are comfortable hijacking domains out from malware usage.

You can also generate your list of domains once a week or so from Hybrid Analysis or malwr, or really any repo that shows C2s, if you want C2 takeovers. Phishing campaigns pre-configured and ready to launch at a moment's notice are there too. This is actually a common thing in the criminal world and for some white hats. We're just catching up to par quickly by automating the dumb stuff.



Final word:

If you're going to randomize IPs between domains for fun and profit, use other malware domains and help out those actors too.

-Ferasdour
https://keybase.io/ferasdour

2am rant