
[ASK] Block Malware Generate Random Subdomain, Domain and TLD


Syaifudin

Jan 17, 2018, 7:41:42 AM
to bind-...@lists.isc.org
Hi all,
Is there a regex for the BIND config, or something else, to anticipate or block
malware that generates a random subdomain (2 or 3 characters) + random domain
(7 characters) + random TLD?
The BIND log is shown in the picture at this link: Malware Generate Random Subdomain,
Domain and TLD <https://pbs.twimg.com/media/DTlz0ifVoAAD6-h.jpg:large>
For now I use iptables and regex (KPCRE
<https://github.com/xnsystems/kpcre>).

thanks

--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/
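As an added example (not code from the thread, and not part of KPCRE), the following Python script applies the name shape Syaifudin describes to BIND query-log lines and shows why the shape alone is not enough. The label alphabet, the vowel-ratio heuristic and its 0.3 cut-off are my assumptions; the log lines are constructed to follow BIND's "queries" category format and are not taken from the linked picture.

```python
import re
from typing import List, Tuple

# Name shape from the question: a 2-3 character subdomain label, a 7 character
# domain label, then any TLD.  Treating labels as lowercase letters and digits
# is an assumption; the post only gives the label lengths.
DGA_SHAPE = re.compile(
    r"^(?P<sub>[a-z0-9]{2,3})\.(?P<dom>[a-z0-9]{7})\.(?P<tld>[a-z]{2,})\.?$",
    re.IGNORECASE,
)

# Parser for BIND "queries" category log lines.  It accepts the older
# "client IP#port (qname): query: ..." form and the 9.11+ form that carries
# an "@0x..." client pointer before the address.
QUERY_LINE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-f.:]+)#\d+(?: \([^)]*\))?"
    r": query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

VOWELS = set("aeiou")
MAX_VOWEL_RATIO = 0.3   # heuristic cut-off; chosen to fit the constructed sample

# Constructed sample log lines (not from the picture linked in the post).
# 192.0.2.0/24 is documentation address space.
SAMPLE_LOG = """\
17-Jan-2018 07:40:01.101 client 192.0.2.10#51234 (m23.pxrrhqd.net): query: m23.pxrrhqd.net IN A +E(0)K (192.0.2.1)
17-Jan-2018 07:40:01.205 client 192.0.2.10#51234 (www.example.com): query: www.example.com IN A +E(0)K (192.0.2.1)
17-Jan-2018 07:40:02.310 client @0x7f3c5c0a1b00 192.0.2.11#40211 (m16.nkksufo.net): query: m16.nkksufo.net IN A + (192.0.2.1)
17-Jan-2018 07:40:03.002 client 192.0.2.12#33001 (mail.google.com): query: mail.google.com IN MX -E(0) (192.0.2.1)
17-Jan-2018 07:40:03.500 client 192.0.2.10#51234 (ab.zqxkvwp.biz): query: ab.zqxkvwp.biz IN A +E(0)K (192.0.2.1)
"""


def matches_shape(qname: str) -> bool:
    """True when the name has the 2-3 / 7 / TLD label shape."""
    return DGA_SHAPE.match(qname) is not None


def vowel_ratio(label: str) -> float:
    """Fraction of vowels among the letters of a label.  Randomly generated
    labels tend to be consonant-heavy; dictionary words are not."""
    letters = [c for c in label.lower() if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in VOWELS for c in letters) / len(letters)


def looks_random(label: str) -> bool:
    return vowel_ratio(label) < MAX_VOWEL_RATIO


def flag_queries(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, qname) for every query whose name has the DGA shape
    and whose 7-character domain label also looks random.  The second test is
    what keeps www.example.com, which has the same shape, off the list."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_LINE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        shape = DGA_SHAPE.match(qname)
        if shape and looks_random(shape.group("dom")):
            hits.append((m.group("ip"), qname))
    return hits


if __name__ == "__main__":
    for ip, name in flag_queries(SAMPLE_LOG):
        print(f"{ip}\t{name}")
```

Run against the sample, the shape regex on its own also matches www.example.com, which is the reason a pure length-based iptables string match will drop legitimate traffic. The vowel-ratio cut-off is a crude stand-in for a proper randomness score; a deployment would add an allowlist of known-good second-level domains and a per-client rate threshold, and would use the flagged names to populate an RPZ QNAME list or an iptables rule set rather than blocking straight from the log.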

Tony Finch

Jan 17, 2018, 9:57:14 AM
to Syaifudin, bind-...@lists.isc.org
Syaifudin <syai...@jsn.net.id> wrote:

> Is there a regex for the BIND config, or something else, to anticipate or block
> malware that generates a random subdomain (2 or 3 characters) + random domain
> (7 characters) + random TLD?

This is a job for RPZ.

I'm currently at UKNOF39 where we have just had a couple of talks about
RPZ. One of the speakers talked about algorithmically generated malware
domains: if you know the algorithm, you can pre-generate the malicious
domains and add them to your RPZ in advance.

If they are truly random attack domains then you'll need some other
strategy.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Humber, Thames: West 6 to gale 8, occasionally severe gale 9 at first,
increasing severe gale 9 to violent storm 11 later. Rough or very rough. Rain
later. Moderate or good.

Grant Taylor

Jan 17, 2018, 10:36:59 PM
to bind-...@lists.isc.org
On 01/17/2018 07:57 AM, Tony Finch wrote:
> I'm currently at UKNOF39 where we have just had a couple of talks about
> RPZ. One of the speakers talked about algorithmically generated malware
> domains: if you know the algorithm, you can pre-generate the malicious
> domains and add them to your RPZ in advance.

Did you see or hear any talks about RPS in addition to RPZ?

> If they are truly random attack domains then you'll need some other
> strategy.

I suspect that an intelligent RPS filter could detect and possibly
prevent such communications.
--
Grant. . . .
unix || die

Daniel Stirnimann

Jan 18, 2018, 2:33:40 AM
to Tony Finch, Syaifudin, bind-...@lists.isc.org
> domains: if you know the algorithm, you can pre-generate the malicious
> domains and add them to your RPZ in advance.

RPZ by default will not stop the upstream query. You would have to use
"qname-wait-recurse yes" in addition if stopping upstream queries is
your goal.

I believe this malware DGA is discussed on this site [1]. According to
one user, the DGA is unpredictable and used as a decoy only:

"There is a large list of hardcoded domains with ports that the malware
contacts. But in addition to that, there is a DGA that generates domains
that look exactly like the hardcoded domains. The seeding of the DGA is
done with GetTickCount and therefore unpredictable."

It seems to me that some of the hardcoded domains resolve to
195.22.26[.]248 e.g. m23.pxrrhqd[.]net, m16.nkksufo[.]net. Thus, I have
the following RPZ rule in place at the moment:

32.248.26.22.195.rpz-ip CNAME .

This will of course only match some of the hardcoded domains and none of
the DGA domains. I'm not sure what you could use to prevent any of these
queries from going upstream.

Maybe "synth-from-dnssec" in BIND 9.12 is something, if the domain name
happens to hit a TLD which uses NSEC. According to the BIND 9.12
documentation [2], BIND will support NSEC3 for "synth-from-dnssec" at
some point in the future. However, as most TLDs use NSEC3 opt-out, I
guess this is not the right solution either.

Or RRL (rate-limit) with only "nxdomains-per-second". However, I have
never used RRL on recursive resolvers. I guess this is not a good idea
either.

Daniel

[1] https://github.com/360netlab/DGA/issues/36
[2] https://ftp.isc.org/isc/bind9/9.12.0rc3/doc/arm/Bv9ARM.ch09.html#relnotes_features
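As an added example (my code, not Daniel's and not ISC's), this Python script renders the kind of RPZ zone both answers point at: Tony's advice to add known or pre-generated domains as QNAME triggers, and Daniel's rpz-ip rule for the address the hardcoded domains resolve to. It encodes the IP trigger the way RPZ expects (prefix length, then the octets reversed, then rpz-ip), so Daniel's record is reproduced from the address itself. The zone origin rpz.example, the serial and the SOA/NS values are assumptions; the two domains and the address come from Daniel's post.

```python
import ipaddress
from typing import Iterable


def rpz_ip_owner(cidr: str) -> str:
    """Encode an IPv4 prefix as an RPZ IP-trigger owner name.

    RPZ writes the network as <prefixlen>.<B4>.<B3>.<B2>.<B1>.rpz-ip, that is
    the four octets in reverse order with the prefix length in front, so
    195.22.26.248/32 becomes 32.248.26.22.195.rpz-ip.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("this example encodes IPv4 prefixes only")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + ".rpz-ip"


def rpz_qname_owner(name: str) -> str:
    """QNAME trigger: the domain itself, written relative to the zone origin."""
    return name.strip().rstrip(".").lower()


def build_rpz_zone(origin: str, serial: int,
                   qname_triggers: Iterable[str],
                   ip_triggers: Iterable[str]) -> str:
    """Render a minimal RPZ zone file.  "CNAME ." is the NXDOMAIN action.

    The SOA/NS values are placeholders for a zone served only to the local
    resolver; they are assumptions, not something the thread specifies.
    """
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA ns.{origin}. hostmaster.{origin}. {serial} 3600 900 604800 300",
        f"@ IN NS ns.{origin}.",
        "ns IN A 127.0.0.1",
        "",
        "; QNAME triggers: matched on the question name (see the",
        "; qname-wait-recurse discussion above for whether the upstream query is sent)",
    ]
    for name in sorted({rpz_qname_owner(n) for n in qname_triggers}):
        lines.append(f"{name} CNAME .")
    lines.append("")
    lines.append("; IP triggers: matched against the upstream answer, so the upstream")
    lines.append("; query always happens first (Daniel's point above)")
    for cidr in ip_triggers:
        lines.append(f"{rpz_ip_owner(cidr)} CNAME .")
    return "\n".join(lines) + "\n"


def named_conf_fragment(origin: str, path: str) -> str:
    """named.conf lines that load the zone and enable it as a policy zone.
    The response-policy statement belongs inside the existing options block."""
    return "\n".join([
        f'zone "{origin}" {{ type master; file "{path}"; }};',
        f'response-policy {{ zone "{origin}"; }};',
    ])


if __name__ == "__main__":
    # Values from Daniel's post: two hardcoded domains and the address they resolve to.
    print(build_rpz_zone("rpz.example", 2018011801,
                         ["m23.pxrrhqd.net", "m16.nkksufo.net"],
                         ["195.22.26.248/32"]))
    print(named_conf_fragment("rpz.example", "/etc/bind/rpz.example.zone"))
```

The point Daniel makes carries over directly: an rpz-ip trigger can only fire once the resolver has the upstream answer in hand, so it changes what the client sees but never stops the query leaving the resolver. Only QNAME triggers can do that, and they require the domain list in advance, which is exactly what a GetTickCount-seeded DGA denies you.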

Tony Finch

Jan 18, 2018, 9:39:03 AM
to Grant Taylor, bind-...@lists.isc.org
Grant Taylor via bind-users <bind-...@lists.isc.org> wrote:
>
> Did you see or hear any talks about RPS in addition to RPZ?

I'm afraid not - I guess it's still too new.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
German Bight, Humber, Thames: North or northwest 7 to severe gale 9 backing
west 5 or 6, occasionally 4 in German Bight. Rough or very rough becoming
slight or moderate. Rain then wintry showers. Moderate or good occasionally
poor.

Syaifudin

Jan 19, 2018, 6:02:18 PM
to bind-...@lists.isc.org
Hi Daniel,

Thank you very much for your answer. I want to ask much more, but my English
is not good, so once again thank you very much.

Josh Kuo

Jan 19, 2018, 8:31:07 PM
to Syaifudin, bind-...@lists.isc.org
You might want to check out the free service offered by Quad Nine (9.9.9.9), they use RPZ in the backend to filter out known malicious domain names. I do not know if they can filter out malware-related names.


Syaifudin JW

Jan 19, 2018, 8:55:53 PM
to Josh Kuo, bind-...@lists.isc.org
As far as I know, RPZ is useful for random subdomains, so we can respond to them locally. But if the request has a random subdomain, random domain and random TLD, it is impossible to use RPZ; the DNS server will check with the root server. For now I still use iptables with regex to block that request, so the request does not reach DNS but is dropped by iptables.