BlackHat资料us-14-Mahjoub-Catching-Malware-En-Masse-DNS-And-IP-Style-WP.pdfVIP

CATCHING MALWARE EN MASSE: DNS AND IP STYLE Dhia Mahjoub (@DhiaLite) dhia@ Thibault Reuille (@ThibaultReuille) thibault@ Andree Toonk (@atoonk) andree@ Abstract The Internet is constantly growing, providing a myriad of new services, both legitimate and malicious. Criminals take advantage of the scalable, distributed, and rather easily accessible naming, hosting and routing infrastructures of the Internet. As a result, the battle against malware is raging on multiple fronts: the endpoint, the network perimeter, and the application layer. The need for innovative measures to gain ground against the enemy has never been greater. In this paper, we present novel strategies to catch malware at the DNS and IP level, as well as our unique 3D visualization engine. We will describe the detection systems we built, and share several successful war stories about hunting down malware domains and associated rogue IP space. At the DNS level, we describe efficient methods for tracking fast flux botnets and describe a study we carried for several months of the Zeus fast flux proxy network. At the IP level, classical reputation methods assign maliciousness scores to IPs, BGP prefixes, or ASNs by merely counting domains and IPs. Our system takes an unconventional approach that combines two opposite, yet complementary views and leads to more effective predictive detections. On one hand, we abstract away from the ASN view. We build the AS graph and investigate its topology to uncover hotspots of malicious or suspicious activities and monitor our DNS traffic for new domains hosted on these malicious IP ranges. We will also describe a unique method of identifying seemingly autonomous