1. Introduction
When analyzing malware we can gather a lot of information just by identifying the IP addresses and domains the sample contacts. Most malware locates its servers through DNS rather than by connecting to hard-coded IP addresses. DNS exists so that people can give a hostname and have it converted to the right IP address automatically, without remembering the numbers; a malware author has no such need, since an IP address can simply be embedded in the binary. So why do malware authors still use DNS names?
There is one very important reason: a DNS record can be changed to point at another IP address at any time. If the first server is taken down by the hosting provider or by law enforcement, the author repoints the name at a new server and the machines that are already infected keep working. A hard-coded IP address, by contrast, would have to be replaced in every sample.
2. Suspicious Domains
A domain is suspicious if it matches one or more of the following criteria, summarized from [1]:
- The domain closely resembles a legitimate domain (a typo or lookalike of a real name).
- The domain name consists of random-looking characters.
- The domain was registered or updated shortly before we discovered it.
- The domain expires within a few weeks or months (throwaway registrations are rarely renewed).
- There is no useful information about the domain's registrant (blank fields, or a privacy service in place of the owner).
- Searching for the domain in a search engine returns only suspicious results.
- The domain has been reported as hosting malicious content.
None of these alone proves anything: privacy services and fresh registrations are common for legitimate sites too. The more criteria that apply, the stronger the case.
2.1. WHOIS
The first thing to do when researching a domain is to gather information with WHOIS, a simple query protocol (TCP port 43) in front of the databases that hold the registrants of Internet resources: domain names, IP address ranges and autonomous systems. A query returns the record in human-readable form: the domain's registrant and contact details, the sponsoring registrar, the name servers, and when the domain was registered, last updated and will expire. For suspicious domains these fields are often blank, obviously fake, or hidden behind a privacy service.
There is one catch. For many TLDs, .com included, the registry runs a "thin" WHOIS that only knows the sponsoring registrar, the name servers and the dates; the registrant and contact details live in that registrar's own WHOIS database, which holds nothing about domains sponsored by competing registrars. The registry's answer therefore includes a referral (the "Whois Server: whois.godaddy.com" line below), and to see the whole record we must follow it. The whois client does this automatically for the common TLDs; otherwise we query the referred server by hand with the -h option.
Let's try to determine the information about the domain name infosecresources.com. If we use the WHOIS tool, we'll find out the information presented below:
# whois infosecresources.com
Domain Name: INFOSECRESOURCES.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS1189.DIZINC.COM
Name Server: NS1190.DIZINC.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 16-jul-2012
Creation Date: 31-aug-2008
Expiration Date: 31-aug-2014

Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: INFOSECRESOURCES.COM
Created on: 31-Aug-08
Expires on: 31-Aug-14
Last Updated on: 16-Jul-12

Registrant:
Domains By Proxy, LLC
DomainsByProxy.com
14747 N Northsight Blvd Suite 111, PMB 309
Scottsdale, Arizona 85260
United States

Administrative Contact:
Private, Registration  INFOSECRESOURCES.COM@domainsbyproxy.com
Domains By Proxy, LLC
DomainsByProxy.com
14747 N Northsight Blvd Suite 111, PMB 309
Scottsdale, Arizona 85260
United States
(480) 624-2599      Fax -- (480) 624-2598

Technical Contact:
Private, Registration  INFOSECRESOURCES.COM@domainsbyproxy.com
Domains By Proxy, LLC
DomainsByProxy.com
14747 N Northsight Blvd Suite 111, PMB 309
Scottsdale, Arizona 85260
United States
(480) 624-2599      Fax -- (480) 624-2598

Domain servers in listed order:
NS1189.DIZINC.COM
NS1190.DIZINC.COM
The first block of the output comes from the .com registry and the second from the registrar. The domain was registered through GoDaddy (the registrar) on 31 August 2008, expires on 31 August 2014 and was last updated on 16 July 2012 (about a month before this was written). The four client*Prohibited status codes are registrar locks that prevent the domain from being deleted, renewed, transferred or updated without the owner unlocking it first. The registrant, administrative and technical contacts are all the same entry: Domains By Proxy, a WHOIS privacy service, so the record tells us nothing about who actually controls the domain. That by itself is not malicious, many legitimate owners use such services, but it is exactly the "no useful registrant information" criterion from the list above.
The registry record names the registrar's WHOIS server (whois.godaddy.com) and the whois client followed that referral on its own, which is why the registrar's block appears below the registry's. When a client doesn't follow referrals, or a record points to yet another server, we ask that server directly with the -h option (-h whois.godaddy.com in this case).
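Applying the criteria from section 2 to a WHOIS record programmatically, as an added example that is not part of the original article: the script pulls the three date fields and the registrant line out of a registrar record like the one shown above, flags a domain that was registered or updated recently, expires soon or hides its registrant behind a privacy service, and checks the label itself for a lookalike of a known name (edit distance) or for a random-looking pattern. The brand list, the privacy-service markers, the thresholds, the analysis date and the second, invented record for examp1e.com are all assumptions and not taken from [1]; the first record is an abridged copy of the one above.

```python
import re
from datetime import datetime, timedelta

# Constructed samples: an abridged copy of the WHOIS record shown above, and an invented
# record for a hypothetical lookalike domain (examp1e.com is an illustration only).
INFOSEC_WHOIS = """\
Domain Name: INFOSECRESOURCES.COM
Registrar: GODADDY.COM, LLC
Updated Date: 16-jul-2012
Creation Date: 31-aug-2008
Expiration Date: 31-aug-2014
Registrant:
Domains By Proxy, LLC
DomainsByProxy.com
"""
LOOKALIKE_WHOIS = """\
Domain Name: EXAMP1E.COM
Updated Date: 08-aug-2012
Creation Date: 08-aug-2012
Expiration Date: 08-aug-2013
Registrant:
REDACTED FOR PRIVACY
"""
# Assumption: the analysis runs a few weeks after the record above was last updated.
ANALYSIS_DATE = datetime(2012, 8, 10)
# Assumptions: names worth checking for lookalikes, strings privacy services put in the
# registrant field, and starting thresholds for "recent" and "expires soon".
KNOWN_BRANDS = ("example", "paypal", "google", "infosecresources")
PRIVACY_MARKERS = ("domains by proxy", "whoisguard", "privacy", "redacted")
RECENT = timedelta(days=30)
EXPIRING_SOON = timedelta(days=180)


def levenshtein(a, b):
    """Edit distance, used to spot labels one or two characters off a real name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(label):
    """Heuristic for machine-generated labels: almost no vowels, or digits sprinkled
    between letters more than once (examp1e has a single such run and is not flagged)."""
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return True
    vowel_ratio = sum(c in "aeiouy" for c in letters) / len(letters)
    digit_runs = re.findall(r"[a-z]\d+(?=[a-z])", label)
    return vowel_ratio < 0.2 or len(digit_runs) >= 2


def parse_whois(text):
    """Pick the creation/updated/expiration dates and the registrant line out of a record."""
    record = {}
    for m in re.finditer(r"^(Creation|Updated|Expiration) Date:\s*(\S+)", text, re.M):
        record[m.group(1).lower()] = datetime.strptime(m.group(2), "%d-%b-%Y")
    reg = re.search(r"^Registrant:\s*\n(.+)$", text, re.M)
    record["registrant"] = reg.group(1).strip() if reg else ""
    return record


def assess_domain(domain, whois_text, today=ANALYSIS_DATE):
    """Return the criteria from section 2 that the domain matches, in a fixed order."""
    flags = []
    label = domain.lower().split(".")[0]
    for brand in KNOWN_BRANDS:
        if label != brand and levenshtein(label, brand) <= 2:
            flags.append(f"lookalike of {brand}")
    if looks_random(label):
        flags.append("random-looking label")
    rec = parse_whois(whois_text)
    if "creation" in rec and today - rec["creation"] < RECENT:
        flags.append("registered within the last 30 days")
    if "updated" in rec and today - rec["updated"] < RECENT:
        flags.append("updated within the last 30 days")
    if "expiration" in rec and rec["expiration"] - today < EXPIRING_SOON:
        flags.append("expires within six months")
    registrant = rec["registrant"].lower()
    if not registrant or any(m in registrant for m in PRIVACY_MARKERS):
        flags.append("no useful registrant information")
    return flags


if __name__ == "__main__":
    for name, record in (("infosecresources.com", INFOSEC_WHOIS), ("examp1e.com", LOOKALIKE_WHOIS)):
        print(name, assess_domain(name, record))
```

Note how the legitimate domain still picks up two flags (a recent update and a privacy-proxy registrant); that is why the flags should be counted and weighed rather than treated as a verdict, and why the search-engine and reputation criteria, which need external lookups, are left out here.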
WHOIS is not only for domains. When the query goes to a regional Internet registry database such as RIPE or APNIC with an IP address or prefix, the answer is made up of database objects rather than a registrar record: an inetnum object describes the allocated range and a route object describes how the prefix is announced in BGP. The attributes seen in these objects (descriptions follow the APNIC documentation) are:
- inetnum: The IP range the address falls under (the key of the inetnum object).
- route: The address prefix being routed (the key of the route object).
- descr: A short description of the object, including the organization responsible for it.
- origin: The AS number that originates the prefix. The AS number must be registered in the APNIC WHOIS database before it can be referenced in the route object.
- mnt-by: The registered mntner (maintainer) object whose credentials are required to change this object. A mntner is a database object used to authorize updates; once one is attached, only updates authenticated against it are accepted.
- changed: The email address of whoever last updated the object and the date it happened. This address shouldn't be used as a contact address.
- source: The database in which the object is registered.
Optional attributes are:
- country: Two-letter code of the country where the admin-c is located.
- holes: Address prefixes inside the route that are not reachable through it.
- member-of: The route-set objects of which this route is a member.
- inject: Which routers perform the aggregation and under what conditions.
- aggr-mtd: How the route aggregate is generated.
- aggr-bndry: The set of ASes that form the aggregation boundary.
- export-comps: The RPSL filter that matches the more specific routes that need to be exported outside the aggregation boundary.
- components: The component routes used to form the aggregate.
- remarks: General remarks about the object.
- notify: The email address to which notifications of changes to this object are sent.
- mnt-lower: A registered mntner used for hierarchical authorization of more specific objects; for route objects it applies only when no mnt-routes attribute is present.
- mnt-routes: A registered mntner used to control the creation of route objects more specific than this one.
We can search the WHOIS database by the use of primary keys, lookup key and inverse keys:
- Primary Key: distinguishes an object from all other objects in the database. Primary keys are: route, origin.
- Lookup Key: Attribute can be queried in the database to return the object. Lookup key is: route.
- Inverse Key: Attribute that can be used in an inverse query with the -i flag. Inverse keys are: origin, member-of, notify, mnt-lower, mnt-routes, mnt-by. This lets us search by these attributes rather than only by address. For example, the query below returns every prefix that has a route object with the given AS as its origin:
# whois -h whois.ripe.net -i origin -T route <AS> | grep -w "route:" | awk '{print $NF}' | sort -n
(sort -n only orders the prefixes by their first octet; sort -V, where available, orders them properly.) To run it we need the AS number. An autonomous system is a set of IP prefixes operated under one routing policy by one network, typically an ISP or hosting provider, and its ASN uniquely identifies it in BGP. Note that whois.ripe.net only holds route objects registered in the RIPE database, so for a network in another region the query should go to that region's RIR (whois.apnic.net, for example) or to one of the aggregated lookup services used below. First we need to find out the IP address of infosecresources.com:
# nslookup infosecresources.com
Server:         10.1.1.1
Address:        10.1.1.1#53

Non-authoritative answer:
Name:   infosecresources.com
Address: 66.7.209.205
The IP address is 66.7.209.205. We can use the IP address to get the information about the ASN number to which the IP belongs.
# whois -h whois.cymru.com 66.7.209.205
AS      | IP               | AS Name
33182   | 66.7.209.205     | DIMENOC - HostDime.com, Inc.
Team Cymru's IP-to-ASN service reports that 66.7.209.205 is announced by AS33182. Another service that answers the same question is asn.shadowserver.org; its 'origin' query looks like this:
# whois -h asn.shadowserver.org 'origin 66.7.209.205'
33182 | 66.7.192.0/19 | DIMENOC | US | HOSTDIME.COM | HOSTDIME.COM INC.
We again get ASN 33182, which confirms the first answer. The fields are the ASN, the announced prefix (66.7.192.0/19), the AS name (DIMENOC), the country code (US), the operator's domain (HOSTDIME.COM) and its organization name (HOSTDIME.COM INC.). So the address is part of a /19 announced by HostDime, a US hosting company. When a malicious host turns up in a block like this it is usually a customer's server (or a compromised one) at that provider rather than attacker-owned infrastructure, which matters because it tells us who should receive the abuse report.
Now we can run another query to list all the prefixes that AS33182 announces:
# whois -h asn.shadowserver.org 'prefix 33182'
8.10.120.0/24
37.46.120.0/24
64.37.48.0/20
64.72.112.0/20
66.7.192.0/19
67.23.224.0/20
67.23.240.0/20
69.80.224.0/20
72.29.64.0/19
103.13.242.0/24
109.73.162.0/24
109.73.163.0/24
109.73.165.0/24
109.73.167.0/24
109.73.168.0/24
109.73.169.0/24
109.73.170.0/24
109.73.171.0/24
109.73.172.0/24
129.75.64.0/24
129.75.88.0/21
129.134.64.0/19
184.171.240.0/20
198.136.48.0/20
199.166.30.0/23
199.168.184.0/21
201.163.118.0/24
The output shows that HostDime announces 27 ranges, including the 66.7.192.0/19 block we found above; any of them could host further infrastructure belonging to the same operator. If we want to know through which upstream networks the prefix is reached, we can ask for its peers:
# whois -h asn.shadowserver.org 'peer 66.7.209.205 verbose'
33182 | 66.7.192.0/19 | DIMENOC | US | HOSTDIME.COM | HOSTDIME.COM INC.
3356 LEVEL3 Level 3 Communications
3549 GBLX Global Crossing Ltd.
AS3356 (Level 3) and AS3549 (Global Crossing) are the transit providers that carry HostDime's announcement to the rest of the Internet. That is worth knowing when a takedown request to the hosting provider goes unanswered and the next network up has to be contacted instead.
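As an added example that is not part of the original article, here is how the answers from these services can be handled programmatically rather than read by eye: parsing the pipe-delimited replies of whois.cymru.com and asn.shadowserver.org, extracting route: lines from RIPE route objects the way the grep/awk pipeline above does, finding the announced prefix that contains an address, cross-checking the 'origin' and 'prefix' answers against each other, and building the bulk query that Team Cymru accepts over a single connection. The replies are embedded as constructed samples (the page's own results for 66.7.209.205, plus route objects that use documentation prefixes and the documentation ASN 64496), so the script runs offline.

```python
import ipaddress

# Constructed samples, embedded so the example runs offline. The first three are the
# answers shown above for 66.7.209.205; the RIPE route objects are invented and use
# documentation prefixes (192.0.2.0/24, 198.51.100.0/24) and a documentation ASN.
CYMRU_REPLY = """\
AS      | IP               | AS Name
33182   | 66.7.209.205     | DIMENOC - HostDime.com, Inc.
"""
SHADOWSERVER_ORIGIN = "33182 | 66.7.192.0/19 | DIMENOC | US | HOSTDIME.COM | HOSTDIME.COM INC.\n"
SHADOWSERVER_PREFIXES = """\
8.10.120.0/24
64.37.48.0/20
66.7.192.0/19
67.23.224.0/20
72.29.64.0/19
"""
RIPE_ROUTE_OBJECTS = """\
route:          198.51.100.0/24
descr:          constructed route object
origin:         AS64496
source:         RIPE

route:          192.0.2.0/24
descr:          constructed route object
origin:         AS64496
source:         RIPE
"""

CYMRU_FIELDS = ("asn", "ip", "as_name")
ORIGIN_FIELDS = ("asn", "prefix", "as_name", "cc", "domain", "isp")


def parse_pipe_table(text, fields):
    """Parse the 'a | b | c' lines both services return. Header and blank lines are
    skipped because their first column is not a number."""
    rows = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) == len(fields) and cols[0].isdigit():
            rows.append(dict(zip(fields, cols)))
    return rows


def asn_for_ip(ip, reply=CYMRU_REPLY):
    """(ASN, AS name) for ip from a Team Cymru reply, or None if ip is not in it."""
    for row in parse_pipe_table(reply, CYMRU_FIELDS):
        if row["ip"] == ip:
            return int(row["asn"]), row["as_name"]
    return None


def parse_prefixes(text):
    """The 'prefix <asn>' answer is one CIDR per line."""
    return [ipaddress.ip_network(line.strip()) for line in text.splitlines() if line.strip()]


def routes_for_origin(text):
    """Same as the grep/awk pipeline on the page, but the result is sorted as networks
    instead of with sort -n, which only looks at the first octet."""
    nets = [ipaddress.ip_network(line.split(":", 1)[1].strip())
            for line in text.splitlines() if line.startswith("route:")]
    return sorted(nets)


def containing_prefix(ip, prefixes):
    """Most specific announced prefix containing ip, or None if the AS does not announce it."""
    addr = ipaddress.ip_address(ip)
    matches = [n for n in prefixes if addr in n]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


def origin_is_consistent(ip, origin_reply=SHADOWSERVER_ORIGIN, prefix_reply=SHADOWSERVER_PREFIXES):
    """Cross-check the two Shadowserver answers: the prefix named in the 'origin' reply
    must contain ip and must appear in the AS's 'prefix' list. A mismatch usually means
    a stale cache or a more specific announcement from elsewhere, either worth a look."""
    row = parse_pipe_table(origin_reply, ORIGIN_FIELDS)[0]
    announced = ipaddress.ip_network(row["prefix"])
    return ipaddress.ip_address(ip) in announced and announced in parse_prefixes(prefix_reply)


def cymru_bulk_query(ips):
    """Text to send to whois.cymru.com port 43 (e.g. via nc) to look up many IPs in one
    connection: a begin/end block, with 'verbose' requesting the extra columns."""
    return "begin\nverbose\n" + "\n".join(ips) + "\nend\n"


if __name__ == "__main__":
    print(asn_for_ip("66.7.209.205"))
    print(containing_prefix("66.7.209.205", parse_prefixes(SHADOWSERVER_PREFIXES)))
    print([str(n) for n in routes_for_origin(RIPE_ROUTE_OBJECTS)])
    print(origin_is_consistent("66.7.209.205"))
```

The consistency check is the part worth keeping in a real workflow: the two answers come from different caches, and when the prefix in the 'origin' reply does not contain the address or is missing from the 'prefix' list, the ASN attribution should not be trusted until it has been re-queried.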
2.2. NsLookup
NsLookup is a program that queries DNS servers and shows how a name is configured. It can ask for records of the following types, and for the two special query types at the end of the list:
- SOA : start of authority for the zone: its primary name server, the responsible party's mailbox, the serial number and the refresh/retry/expire timers
- A : the IPv4 address that belongs to a name
- AAAA : the IPv6 address that belongs to a name
- NS : the authoritative name servers for a domain
- MX : the mail exchangers of a domain
- CNAME : an alias for another name
- PTR : the hostname for a given IP address (reverse lookup)
- TXT : free-form text; in practice SPF policies and domain-verification tokens
- HINFO : hardware and operating system of the host (rarely published today)
- RP : the responsible person for a domain
- ANY : a query type asking for all records the server has for the name (servers may refuse it or answer with a minimal set)
- AXFR : a query type requesting a full zone transfer; it only succeeds if the server allows transfers to our address
For the full list of record types see http://www.zytrax.com/books/dns/ch8/ or Wikipedia.
Basic commands of the NsLookup program are as follows:
- [l]server dns: Direct queries to this DNS server rather than the one listed in /etc/resolv.conf.
- ls [options] domain: List the records of the target domain. This is done with a zone transfer (AXFR), so it only works against name servers that allow transfers to us; the Windows nslookup has it, BIND 9's nslookup does not (use dig with the axfr type there). Options: -a (-t CNAME, aliases), -d (-t ANY, all records), -h (-t HINFO), -s (-t WKS), -t type.
- set class=[CLASS]: Set the class for all subsequent queries. Class can be one of IN, ANY, CHAOS, HESIOD.
- set domain=domainname: Set the default domain appended to unqualified names.
- set [no]debug: Debugging information.
- set [no]d2: More debugging information.
- set [no]defname: Whether the default domain is appended to a name that does not end with a dot.
- set [no]ignoretc: Ignore packet truncation errors instead of stopping.
- set [no]msxfr: Whether to use the Microsoft fast zone transfer format (Windows nslookup).
- set [no]recurse: Whether to ask the server to resolve recursively.
- set [no]vc: Use a virtual circuit (TCP) instead of UDP.
- set [no]search: Control whether the srchlist value is used.
- set port=portnum: Change the default port 53 to portnum.
- set type=[TYPE]: Return records of the specified type for all subsequent queries. The type can be one of ANY, A, CNAME, HINFO, MINFO, MX, NS, PTR, SOA, TXT, UINFO or WKS.
- set retry=retrynum: Specify the number of retries.
- set root=rootdns: Set the server used by the root command.
- set srchlist=dom1/dom2: Set the search list. Up to six names are allowed, separated by forward slashes.
An example of using NsLookup to query the domain www.infosecresources.com is presented below:
# nslookup
> set domain=infosecresources.com
> www
Server:         10.1.1.1
Address:        10.1.1.1#53

Non-authoritative answer:
www.infosecresources.com        canonical name = infosecresources.com.
Name:   infosecresources.com
Address: 66.7.209.205
First we set the default domain to infosecresources.com and then typed www. That isn't a command: anything nslookup doesn't recognize as a command is treated as a name to look up, and because it doesn't end with a dot the default domain is appended, giving www.infosecresources.com. The answer shows that www is a CNAME for the bare domain, which in turn resolves to 66.7.209.205, the same address we found earlier.
We should also think about staying anonymous when running WHOIS, nslookup, dig and similar commands. WHOIS queries go to registry and registrar servers and DNS queries go to our recursive resolver, so neither contacts the malware's server directly; ping, traceroute and anything that opens a connection do contact it and reveal our address. DNS is not entirely safe either: the authoritative name server for the malicious domain sees the query (from our resolver's address, or from ours if we query it directly), and if the malware authors run that name server and watch its logs they can tell the domain is being looked at. To reduce the exposure, use online WHOIS and DNS lookup services so the query originates from a third party, and if that is not enough, route the work through Tor, bearing in mind that Tor carries only TCP: ping does not go through it, and DNS lookups only do when they are resolved via the Tor SOCKS proxy rather than the local resolver.
We must also check whether other domains are hosted on the same IP address; a reverse IP or passive DNS lookup shows this. A malicious site on a shared hosting IP sits next to legitimate domains, so the IP address alone is a poor indicator and blocking it would cause collateral damage. Block or investigate the domain instead.
3. Conclusion
We've seen how to extract information from domain names and IP addresses: registrar and registrant details from WHOIS, the AS and prefixes that announce an address and their upstream peers, and the DNS records behind a name. This helps us identify malware domains, and it is also a useful reference for the reconnaissance phase of a penetration test.
References:
[1] Michael Ligh, Steven Adair, Blake Hartstein, Matthew Richard. Malware Analyst's Cookbook: Tools and Techniques for Fighting Malicious Code. Wiley, 2010.