updated tex

2017-11-28 11:07:41 +01:00
parent fdf54ae7e0
commit 42fce4f17c
16 changed files with 208 additions and 44 deletions


@@ -0,0 +1,45 @@
\chapter{Abuse of Domain Names}
\label{cha:abuse_of_domain_names}
The \gls{dns} makes it easy to browse the internet with human readable domain names. It adds an extra layer to the TCP/IP model that allows administrators to reliably maintain services, especially for large applications which are served by many servers in different locations. Using techniques like round robin \gls{dns} enables efficient use of multiple machines, decreases access time for different users and enhances availability if single nodes in the machine cluster fail. Although this led to the described advantages it can also be used by malicious applications. In this work three major types of misuse of domain names are taken into account.
\section{Malware}
\label{sec:malware}
On May 12th 2017, British security researchers discovered a malware which was spreading massively at the time, especially in central Europe. After successful attack the WannaCry called malware encrypted users and companies files and pretended that the only solution to get back the decrypted files was to pay an amount of about \$ 300 in bitcoins. Researchers quickly discovered a request that was made by the malware to an unregistered domain. The purpose of the very long nonsensical domain name (\texttt{iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com}) was not known at the time one of the researchers (Darien Huss) registered it. Afterwards Huss registered many thousands of requests every second to this domain. After more investigations it was clear that the domain was acting as a kill switch for the \gls{ransomware} and by registering the domain, further spreading could be slowed down \fsCite{theguardiancom_wannacry}.
This case shows an example of how domains can be used by attackers to control their software. Usually domains are more often used to connect to command and control servers or to communicate with other infected machines (see Section~\ref{sec:botnets}). To infect a machine, attackers often use so called \textit{droppers} or \textit{injectors} that do not ship the malicious code in the first hand but that are little programs to download further source code or binaries that contain the harming functionality. It is much easier for malware authors to use domains for this purpose instead of hard coding the IP addresses for many reasons: If machines that serve the down-loadable content are e.g. confiscated by the police or taken down for other reasons, domains can simply be pointed to a redundant server and such minimizing slow downs in the distribution of the malware. Reliable endpoints are also used to maintain the malicious software and load additional code. As domains are comparably cheap (starting at a few cents per year compared to at least \$ 10 for a dedicated IPv4 address a year), attackers can build a pool of many domains and such compensate take downs of some domain names. This could possibly change when IPv6 is widely adopted (with IPv6 addresses being much cheaper) but according to statistics of Google, only about 20\% of worldwide users accessing google where IPv6 enabled (natively or using IPv6 to IPv4 bridges) \fsCite{googlecom_ipv6adoption}. This imposes the usage of IPv6 as the primary protocol in malware for obvious reasons.
\subsection{Countermeasures}
\label{subsec:countermeasures}
\section{Phishing}
\label{sec:phishing}
Phishing describes malicious activities where attackers try to steal private information from internet users which are mostly used to gain financial benefit from. There are various different types of phishing attacks that have been identified. Starting long before emails and the world wide web had significant popularity, criminals used social engineering on phones to trick users into handing over private personal and financial information. This method is known as vishing (Voice phishing). In the mid 90s AOL was the number one provider of Internet access and the first big target of phishing activities like it is known today. At the time, people from the warez community used phishing to get passwords for AOL accounts. By impersonating AOL employees in instant messengers as well as email conversations they could obtain free internet access or financially harm people using their credit card information. With the success of the world wide web including the movement of more financial services to the internet criminals used another approach to trick users. By registering domains that look very much like a benign service and imitating the appearance of the corresponding benign website many internet users unknowingly put their banking credentials into fake sites and suffer financial harm. Those credentials may be sold on black markets e.g. in the dark web and can worth up to 5\% of the balance for online banking credentials according to the SecureWorks Counter Threat Unit \fsCite{rp-2016-underground-hacker-marketplace-report}.
\section{Botnets}
\label{sec:botnets}
A Botnet is a network of mostly computers infected with malicious software and controlled as a group without the owners' knowledge under the remote control of a human operator called bot master or bot herder. Each infected machine is called a Bot; and similar to how robots are acting independently commanded by human operators, every node in the Botnet is performing actions as instructed by the Botmaster. Botnets are mostly used for sending spam emails and running \gls{ddos} attacks.
\subsection{Distribution}
\label{subsec:distribution}
\subsection{Architecture}
\label{subsec:architecture}
xl
\subsection{Discovery}
\label{subsec:botnets_discovery}
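Review bot: the stray `xl` on its own line between `\label{subsec:architecture}` and `\subsection{Discovery}` looks like an editor keystroke and will be typeset as the entire body of the Architecture subsection; drop it. The same hunk leaves Countermeasures, Distribution, Architecture and Discovery as headings with labels but no text, so the chapter compiles with four empty sections; add at least a placeholder sentence or comment the headings out until they are written. In the WannaCry paragraph, `Afterwards Huss registered many thousands of requests every second to this domain` should say `observed` (the domain was registered once; the requests were observed afterwards), and it is worth re-checking against the cited Guardian article who registered the domain versus who identified it as a kill switch, since the paragraph currently credits both to the same person. Smaller wording fixes in the Malware and Phishing sections: `the WannaCry called malware` -> `the malware, called WannaCry,`; `in the first hand` -> `in the first place`; `harming functionality` -> `harmful functionality`; `and such minimizing` / `and such compensate` -> `thus`; `where IPv6 enabled` -> `were IPv6 enabled`; `can worth up to 5\%` -> `can be worth up to 5\%`. The sentence `This imposes the usage of IPv6 as the primary protocol in malware` states the opposite of the argument that precedes it (low adoption rules IPv6 out as the primary protocol), so use `rules out` or `precludes` instead of `imposes`. Note also that the header announces 45 added lines but the rendered hunk ends at `\label{subsec:botnets_discovery}`, so the remaining lines could not be reviewed here.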