
Domain Name Seizures Prominent in Dismantling the ZeuS botnet

On 19 March 2012 Microsoft, FS-ISAC, and NACHA filed a Complaint with the US District Court, Eastern District of New York, against thirty-nine John Doe defendants who allegedly participated in a criminal enterprise, the ZeuS botnet.

Microsoft alleges that ZeuS botnets have infected an estimated 13 million PCs and have been used to steal over $100M during the past five years. The official Microsoft blog post provides a summary of Operation b71, which involved seizures by US Marshals of command and control servers in Scranton, PA and Lombard, IL, sinkholing of traffic for subsequent analysis, and the seizure of Harmful Domains and IP addresses used to manage and operate the criminal botnet infrastructure.

[Photo: Swat_2, by ElDave]

Gary Warner and Brian Krebs have again posted excellent analyses of the ZeuS botnet takedown.  Rather than duplicate their efforts,  I’ll instead highlight what I thought to be aspects of the ZeuS Complaint that went beyond actions from earlier takedowns (see Coreflood). I’ll then focus on the seizure of Harmful Domains and comment on the value of providing complete and accurate DNS, Whois, and registry information in legal orders. 

The Complaint and the xTRO 

Microsoft, FS-ISAC, and NACHA identify the 39 John Doe Defendants by their fictitious names: the user IDs of email addresses of the defendants found in Whois records for the thousands of domains enumerated in the Complaint. The claims for relief include the usual suspects Microsoft has included in prior complaints against Rustock, Coreflood or Kelihos: computer fraud or abuse, spam, electronic communications privacy violations, trademark or Lanham Act violations, trespass, unjust enrichment...

New among the claims for relief is the allegation that the 39 defendants acted in concert and conspiracy and thus violated the RICO (Racketeer Influenced and Corrupt Organizations) Act.

John Does 1-3 are alleged to have organized the racketeering enterprise and John Does 4-39 to have contributed various skills to the enterprise: botnet, exploit, and web software development, mule recruiting, botnet and hosting administration, domain and IP registrations.  Botnet customers and "cash out" operators who sold credit card and credentials obtained via infected PCs were also listed.

The Complaint thus alleges that certain defendants conspired as a group to construct the botnet, others used (“leased”) it to commit criminal acts, and still others turned stolen properties into cash.

The Temporary Restraining Order is ex parte because the fraudulently composed Whois records are the only identification available to the plaintiffs. The Court accepted the plaintiffs' claims that harms cited in the Complaint will continue unless the defendants are restrained, and ordered simultaneous actions at hosting companies (Continuum Data Center LLC and Burstnet Technologies, Inc.) 'to disable and seize servers and associated stored data' at hosting centers and to monitor and collect traffic for analysis.

[Photo: Walloffaces, by xfordy]

John Doe Defendants

The Court also ordered domain registries with US presence to assist in discovering the true identities of John Does 1-39, redirect traffic to servers at a Microsoft secured IP address and to disable Defendants' IP addresses.

It's noteworthy that the order sought to minimize collateral damage to parties that are not named as defendants but are affected by the seizure of equipment and disconnects. 

[Image: TRO-collateraldamage]

Seizing Harmful Domains

Domain names and name servers play a prominent role in the ZeuS criminal enterprise. "eCrime" name servers operated by criminals are used to resolve host names for command and control servers and for servers that host ZeuS files. In Guidance for Preparing Domain Name Orders, Seizures & Takedowns, I explain that providing complete and unambiguous information to domain name registration providers can prevent confusion or delay, and may help prevent or minimize collateral damage. The ZeuS xTRO is a good case study for why I believe this guidance paper is important.

In my thought paper, I point out that seizures typically instruct registries or registrars to modify the TLD zone file, the domain name registration record (and what is displayed by Whois), and the registry database (of domain names). In the ZeuS botnet xTRO, the Plaintiffs instruct the TLD registry operators to take the following action:

"2. For currently registered domains, the domain name registrant information and point of contact shall not be changed and associated WHOIS information shall not be changed;

"3. Domain names shall not be deleted or otherwise made available for registration by any party, but rather should remain active and redirected to IP address 199.2.137.141;

"4. Domain names shall not be transferred to any other person or registrar, pending further notice from the court.

"5. The Registries shall assume authority for name resolution of domain names to IP address 199.2.137.141 using the name servers of the Registries;

"6. Name resolution services shall not be suspended"

Instruction (2) is clear with respect to preserving registrant and point of contact information, but a consequence of saying only that "associated WHOIS information shall not be changed" is that the Whois returned today varies from domain to domain. For some domains it is exactly what was in the registration data "pre-seizure"; for others the registrant/contact information is the same as "pre-seizure" but the name server information has been changed to NS1.MICROSOFTINTERNETSAFETY.NET; and for some (try FILMV.NET) the "thin" .NET registry and the sponsoring registrar return conflicting NS data. These inconsistencies might have been prevented if specific instructions for how to handle the name server information associated with each domain name had been provided.

(3) and (4) instruct registries or registrars to set domain status codes. These are adequately clear, but to eliminate any ambiguity, the order might have specified the exact EPP Status Codes for both registrar (client) and registry (server).

(3) further instructs the registries to keep the domain names "active and redirected to IP address 199.2.137.141." Neither instructions (3) nor (5) make clear whether the Plaintiffs are asking for changes to TLD name server configuration, name service for each domain name listed in the Complaint, or hosting, so they could be interpreted to mean that the registries are supposed to modify the name server configuration information ("glue") in the TLD zone file. They could also mean that Registries should provide name resolution for the Harmful Domains (which would be well out of scope).

A DNS lookup using the dig command shows that 199.2.137.141 is associated with a name server, NS1.MICROSOFTINTERNETSAFETY.NET. In this case it was easy to deduce that the Plaintiffs' intention was that Microsoft was to act as the authority for the name servers and would provide authoritative name resolution for the domains from a name server operating at IP address 199.2.137.141. In other (future) cases, orders could more accurately say "we want TLD name servers to be configured so that the authoritative name server for all the Harmful Domains listed in the Complaint is NS1.MICROSOFTINTERNETSAFETY.NET/199.2.137.141". The Plaintiffs are then in a position to decide whether to host zone data for the Harmful Domains or to return NXDOMAIN for hosts in the Harmful Domains.

(6) instructs that "name resolution services shall not be suspended". A random sample of the names in the xTRO shows that some return non-existent domain (NXDOMAIN) and some time out without a response. So by some definition, either (6) was not executed properly by some parties subject to the order, or the instruction did not make clear whether "name resolution services" applied to the TLD, which is responsible for identifying the name server(s) associated with the Harmful Domains listed in the Complaint, or to resolution of host names associated with the Harmful Domains.
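The checks above (registrar and registry Whois agreeing on name servers, delegation pointing at the sinkhole, status codes that prevent deletion and transfer, and resolution not returning NXDOMAIN or timing out) can be turned into a small audit that an investigator runs after an order is executed. The following is an added example, not code from the original post or from any party to the case; the observations are constructed, the `.example` domain names are placeholders, and the mapping of instructions (2)-(4) onto the EPP status codes `serverUpdateProhibited`, `serverDeleteProhibited` and `serverTransferProhibited` is this example's assumption, not language from the order. Only the sinkhole name server and IP address are taken from the xTRO text quoted above.

```python
"""Post-seizure audit of domain delegation and status, as a constructed example.

For each domain the order covers, an analyst can observe from the outside:
  - the name servers the TLD registry delegates to (NS query / thin Whois),
  - the name servers the sponsoring registrar's Whois reports,
  - the EPP status codes shown in Whois,
  - whether the delegation query answered, returned NXDOMAIN, or timed out.
The checks below mirror instructions (2)-(6) discussed in the text.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

SINKHOLE_NS = "ns1.microsoftinternetsafety.net"  # quoted in the xTRO
SINKHOLE_IP = "199.2.137.141"                     # quoted in the xTRO

# Assumed (not from the order) mapping of instructions (2)-(4) to registry-side
# EPP status codes: record frozen, not deleted, not transferred.
REQUIRED_STATUS = {
    "serverUpdateProhibited",
    "serverDeleteProhibited",
    "serverTransferProhibited",
}


@dataclass
class Observation:
    domain: str
    registry_ns: Set[str]   # delegation according to the TLD registry
    registrar_ns: Set[str]  # name servers according to the registrar's Whois
    statuses: Set[str]      # EPP status codes shown in Whois
    resolution: str         # "OK", "NXDOMAIN" or "TIMEOUT" for the NS query


def normalise(names: Set[str]) -> Set[str]:
    """Lower-case and strip trailing dots so Whois and DNS spellings compare equal."""
    return {n.lower().rstrip(".") for n in names}


def audit_one(obs: Observation) -> List[str]:
    """Return findings for one domain; an empty list means consistent with the order."""
    findings: List[str] = []
    if obs.resolution == "NXDOMAIN":
        findings.append("TLD returns NXDOMAIN, contrary to instruction (6)")
    elif obs.resolution == "TIMEOUT":
        findings.append("delegation query timed out, so resolution is effectively suspended")
    registry, registrar = normalise(obs.registry_ns), normalise(obs.registrar_ns)
    if registry != registrar:
        findings.append(f"registry and registrar disagree on name servers: "
                        f"{sorted(registry)} vs {sorted(registrar)}")
    if registry and SINKHOLE_NS not in registry:
        findings.append(f"delegation does not point at {SINKHOLE_NS} ({SINKHOLE_IP})")
    missing = REQUIRED_STATUS - obs.statuses
    if missing:
        findings.append("missing EPP status codes: " + ", ".join(sorted(missing)))
    return findings


def audit(observations) -> Dict[str, List[str]]:
    """Audit every observation and key the findings by domain."""
    return {o.domain: audit_one(o) for o in observations}


# Constructed sample observations; none of this is real post-seizure data.
SAMPLE = [
    # Executed as intended: both sources show the sinkhole, statuses set.
    Observation("seized-1.example", {SINKHOLE_NS}, {SINKHOLE_NS},
                REQUIRED_STATUS | {"clientTransferProhibited"}, "OK"),
    # Registry re-delegated but registrar Whois still shows the old servers.
    Observation("seized-2.example", {SINKHOLE_NS}, {"ns1.pre-seizure.example"},
                set(REQUIRED_STATUS), "OK"),
    # Name dropped from the zone instead of being redirected.
    Observation("seized-3.example", set(), set(), {"serverDeleteProhibited"}, "NXDOMAIN"),
    # Never re-delegated, and the old servers no longer answer.
    Observation("seized-4.example", {"ns1.pre-seizure.example"}, {"ns1.pre-seizure.example"},
                set(REQUIRED_STATUS), "TIMEOUT"),
]

if __name__ == "__main__":
    for domain, findings in audit(SAMPLE).items():
        print(domain, "consistent" if not findings else "; ".join(findings))
```

In practice the `Observation` records would be filled from `dig NS` against the TLD servers and from the registry's and registrar's Whois output; the classification logic stays the same, and the list of findings per domain is what would be reported back to the court or the registry operator.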

Closing remarks

Inaccuracies and ambiguities are not uncommon in legal orders, in part because the courts or plaintiffs are unfamiliar with the DNS or domain registrations, are imprecise when using domain name-related technology, operations, and terminology, or pressed for time. Checklists like those provided in Guidance for Preparing Domain Name Orders, Seizures & Takedowns may be beneficial in minimizing omissions and inaccuracies. 

David Dittrich has written a brilliant post on the Zeus botnet civil action entitled Thoughts on the Microsoft "Operation b71". One of the points he makes dovetails nicely with what I've discussed here:

"The act of writing up a complaint, backing it up with declarations in support of the plaintiff's motions, and having a federal judge review and grant plaintiff's motions is a very clear, very thorough, and very public justification for taking bold action. This process explains of who is being harmed, how they are being harmed, what can be done to stop the harm, and why the court should grant the plaintiff's motions. If this were a federally funded research study on developing a treatment for a disease, it is this level of detail that must be provided in order to get approval from ethics review boards. If we require such justification of doctors doing risky medical research that can harm us, why should we not have to similarly justify risky actions we take to resolve infected computers? This is the kind of standard that is warranted in order to show defensible justification for taking risky and aggressive action, before such action is initiated."

A late, final word

A recent analysis of operation b71 by Michael Sandee calls attention to the easily overlooked issue that collateral damage is not limited to suspending or making legitimate domains or web sites unreachable. A criminal enterprise the size of ZeuS will no doubt be the target for numerous investigations. Absent sufficient information sharing, cooperation, coordination and trust among investigating parties, there is too much room for error or interference, and one party's success can hamper the erstwhile and equally important efforts of others. Looking ahead, providing clear instructions for domain registries or registrars can be an important part of the level of detail that Dittrich insists must be provided.  Coupling this with the kinds of reasonable efforts Sandee encourages to verify that domains listed in complaints are "harmful" when the legal orders are executed is equally important to minimize collateral damage.


A Behavioral Analysis Unit assessment of an APT unsub

The US Federal Bureau of Investigation's National Center for Analysis of Violent Crime (NCAVC) has four Behavioral Analysis Units:

  • Unit 1 deals with counterterrorism, threat assessment;
  • Unit 2 handles crimes against adults; 
  • Unit 3 investigates crimes against children; and 
  • Unit 4 manages the Violent Criminal Apprehension Program-ViCAP.

An APT Unsub Profile

If the FBI were to create an APT behavior analysis Unit (5) dedicated to assessing APT actors, and on the extraordinarily small chance that the writers of Criminal Minds were to run out of horrible, real world crimes to base scripts on, the story writers just might profile "the APT unsub" as follows:

The APT unsub is a sponsored actor. We believe his sponsor is a nation state. He has ample funding and technology at his disposal. While not necessarily the author of malicious software, we believe he has knowledge of and access to executable code that exploits common vulnerabilities. 

He combines or modifies malicious software to penetrate network defenses, compromise hosts, monitor activity or exfiltrate information. The APT unsub's activities can persist without detection for long periods of time. He targets military, commercial, government, or critical infrastructure facilities and networks. The APT unsub deliberately seeks out and collects information that can offer a military, commercial, or similarly highly valued advantage for his sponsor. 

[Photo: FBI, by PopCultureGeek]

He is patient and meticulous, willing to sift through and correlate information from surveillance conducted across many hosts over long periods of time.

The APT unsub studies targets carefully before acting. He is skilled at disguising his intent. Through social engineering initiated via electronic mail, the unsub manipulates individuals within a targeted organization or agency by instilling such fear or uncertainty that the individual acts in haste and in so doing, introduces an infection that is designed to spread across the infected individual's network. Malicious code operating on the infected computers is remotely controlled and directed by the unsub to look for information of interest to the unsub's sponsors. This is not a single attack but an occupation.

Unit 5 would next explain what the investigating parties should look for as they pursue the unsub.

[Photos: Binoculars1, Binoculars2, Binoculars3, by Christophe Verdier]

Look for unusual traffic patterns on your networks. Client computers that usually generate "request traffic" outbound may begin to generate "response traffic", typically of much larger volume and most likely encrypted. Devices on your network may receive login requests from unauthorized systems. New application traffic and executing processes associated with remote control protocols may appear in event logs on your client computers. Your client computers may begin to resolve domain names using resolvers that are unfamiliar or unauthorized. Remember: you're looking for new or different activity. Any network or host operating behavior that is "never before seen" should be carefully examined for possible malicious intent.
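Each of the four indicators in the paragraph above is a simple rule once a baseline exists: a client whose outbound bytes dwarf its inbound bytes, a login accepted from a source that is not on the administrative allow-list, a process image never seen on the host before, and a DNS query sent to a resolver other than the organization's own. The block below is an added example, not from the original post; the event layout, the allow-lists, the 5:1 outbound ratio and the sample events are all constructed for the demonstration, and the IP addresses are documentation ranges.

```python
"""Hunting rules for the "never before seen" indicators above, over constructed events.

Events are plain dicts with a "kind" of flow, dns, login or process; in a real
deployment they would come from NetFlow, resolver logs, authentication logs
and endpoint telemetry. Everything here is an assumption for the example.
"""
from collections import defaultdict
from typing import Dict, List

# Baselines the defender maintains (constructed for the example).
AUTHORIZED_RESOLVERS = {"10.0.0.53"}
AUTHORIZED_ADMIN_SOURCES = {"10.0.0.10"}
KNOWN_PROCESSES = {"outlook.exe", "chrome.exe", "winword.exe"}
# A client normally receives far more than it sends; a sent/received ratio above
# this value means the host is behaving like a server (responding, or exfiltrating).
OUTBOUND_RATIO = 5.0


def outbound_heavy(flows: List[dict]) -> List[dict]:
    """Clients whose outbound volume is out of proportion to what they receive."""
    sent: Dict[str, int] = defaultdict(int)
    recv: Dict[str, int] = defaultdict(int)
    for f in flows:
        sent[f["src"]] += f["bytes_out"]
        recv[f["src"]] += f["bytes_in"]
    return [{"host": h, "rule": "outbound-heavy",
             "detail": f"sent {sent[h]} B, received {recv[h]} B"}
            for h in sent if sent[h] > OUTBOUND_RATIO * max(recv[h], 1)]


def rogue_resolvers(dns_events: List[dict]) -> List[dict]:
    """Clients resolving names through a resolver that is not ours."""
    return [{"host": e["src"], "rule": "unauthorized-resolver", "detail": e["resolver"]}
            for e in dns_events if e["resolver"] not in AUTHORIZED_RESOLVERS]


def unauthorized_logins(logins: List[dict]) -> List[dict]:
    """Successful logins to a device from a source that is not an admin host."""
    return [{"host": e["dst"], "rule": "login-from-unauthorized-source",
             "detail": f"{e['user']} from {e['src']}"}
            for e in logins
            if e["result"] == "success" and e["src"] not in AUTHORIZED_ADMIN_SOURCES]


def never_seen_processes(procs: List[dict]) -> List[dict]:
    """Process images that are not in the known-good baseline."""
    return [{"host": e["host"], "rule": "new-process", "detail": e["image"]}
            for e in procs if e["image"].lower() not in KNOWN_PROCESSES]


def hunt(events: List[dict]) -> List[dict]:
    """Run every rule over the event stream and return the combined alerts."""
    by_kind: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_kind[e["kind"]].append(e)
    return (outbound_heavy(by_kind["flow"])
            + rogue_resolvers(by_kind["dns"])
            + unauthorized_logins(by_kind["login"])
            + never_seen_processes(by_kind["process"]))


def hosts_by_alert_count(alerts: List[dict]) -> Dict[str, int]:
    """Rank hosts by how many independent rules fired, most suspicious first."""
    counts: Dict[str, int] = defaultdict(int)
    for a in alerts:
        counts[a["host"]] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


# Constructed sample events: 10.0.1.21 behaves normally, 10.0.1.22 does not.
SAMPLE_EVENTS = [
    {"kind": "flow", "src": "10.0.1.21", "dst": "203.0.113.9", "bytes_out": 2_000, "bytes_in": 40_000},
    {"kind": "flow", "src": "10.0.1.22", "dst": "198.51.100.7", "bytes_out": 900_000, "bytes_in": 12_000},
    {"kind": "dns", "src": "10.0.1.21", "resolver": "10.0.0.53", "qname": "intranet.example"},
    {"kind": "dns", "src": "10.0.1.22", "resolver": "198.51.100.53", "qname": "update.example"},
    {"kind": "login", "src": "10.0.0.10", "dst": "10.0.1.30", "user": "admin", "result": "success"},
    {"kind": "login", "src": "10.0.1.22", "dst": "10.0.1.30", "user": "svc-backup", "result": "success"},
    {"kind": "process", "host": "10.0.1.21", "image": "outlook.exe"},
    {"kind": "process", "host": "10.0.1.22", "image": "remote-agent.exe"},
]

if __name__ == "__main__":
    alerts = hunt(SAMPLE_EVENTS)
    for host, n in hosts_by_alert_count(alerts).items():
        rules = sorted(a["rule"] for a in alerts if a["host"] == host)
        print(f"{host}: {n} rule(s) fired: {', '.join(rules)}")
```

The ranking step matters more than any single rule: each indicator on its own produces false positives (a backup client is legitimately outbound-heavy, a laptop on a hotel network uses a foreign resolver), but one host tripping several unrelated rules in the same window is the "new or different activity" the paragraph asks you to examine.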

Lastly, Unit 5 might act in the interest of public safety by attempting to inform the public.

While we are taking measures to identify and apprehend the perpetrators, we advise the public to become familiar with the APT unsub and the threat he poses. Most importantly be vigilant in monitoring for signs of this threat. We are circulating a handout that summarizes what we've discussed here. The handout recommends measures you should implement to mitigate the threat this unsub poses.

The handout would look remarkably similar to Mitigation Guidelines for Advanced Persistent Threats.