Detecting dynamic DNS domains in Splunk

Name a security breach or sample of malware in the last five years and you will come across a fairly common denominator: the malware (or the method of data exfiltration) used a “Dynamic DNS” hostname to connect to the Internet [1][2][3][4][5]. But what is dynamic DNS (DDNS)? Why do malicious actors use it? And how do network defenders detect it in their network?

On a basic level, dynamic DNS allows for sub-domains to have IP addresses that can be quickly changed, often in real-time. Legitimate users take advantage of this service by using providers such as noip.com or duckdns.org to create easy to remember subdomains (such as the example “myhouse.no-ip[.]org”) and point that subdomain towards an IP address like their home router. This means the user can easily connect to their home network using a domain name instead of a hard to remember IP address. If the user’s home IP address changes, they can just update their dynamic DNS provider with the new information.

Sadly, the same reason that the service is so useful for legitimate users is why malicious actors abuse it. The actor can hardcode these subdomains (evil.duckdns[.]org) into their malware. That way if the server infrastructure that the malware communicates to is unavailable, the actor can quickly change the IP address of the subdomain (evil.duckdns[.]org) to something else. More advanced malware will even use a domain generation algorithm (DGA) to create random looking strings of characters as a subdomain (for example d0290d00xasdf.no-ip[.]org) that could be based on something like the day of the year. If the malware author has the key to the DGA (like the day of the year) they know exactly which domain the malware will be pointing to on which day. This obfuscation can make it very difficult for network defenders to “block” the malicious domain, since it might only be valid for a single day.

The use of dynamic DNS providers for malicious purposes is extremely wide spread. OpenDNS Security Labs reported that over 56% of subdomains on some DDNS providers were malicious [6]. Similarly, Cisco reported that dynamic DNS linked websites were 19% more likely to be malicious than other websites [7]. The question is not “does the threat exist?” but rather, how does a defender detect these domains or mitigate them?

One idea is to create a lookup table by using a great blog post by OpenDNS from 2015 that discusses the top 20 most malicious dynamic DNS providers. Another option is downloading all known dynamic DNS providers (provided by www.malware-domains.com [8]). This list is much more comprehensive than the “top 20”, but it may increase your false positives as it is a substantially larger list. This zip requires some modifications to turn into a lookup table, but you can find scripts on github to help you automate the process [9]. Once you have your list of dynamic DNS provider domains, create a lookup table and run it against your domains from your DNS logs or proxy requests using the Splunk App UTbox [10] (developed by my fantastically talented team mate Cédric Le Roux).

Below is an example of a query that goes against bro DNS logs. Figure 1 shows it’s output.

index=bro *
| `ut_parse(query)`
| lookup ddns dyndns_domains AS ut_domain
| search isBad=True
| stats count by ut_domain

Figure 1

But just seeing the dynamic DNS providers isn’t that useful to a network defender. In Figure 2, a query shows all the subdomains that are connected to each dynamic DNS domain.

index=bro *
| `ut_parse(query)`
| lookup ddns dyndns_domains AS ut_domain
| search isBad=True
| stats count by ut_domain
| stats VALUES(ut_subdomain) by ut_domain
| rename "VALUES"(ut_subdomain) AS subdomain

Figure 2

Once you have this information you could create dashboards, alerts, or correlation searches in Enterprise Security that trigger whenever a users machine contacts an unusual domain hosted on a dynamic DNS providers network. You could even write a search that looked for subdomains of dynamic DNS domains that had high entropy… but I’ll leave that for another blog post

[1]
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08074802/KL_report_syrian_malware.pdf

[2]
http://threatgeek.typepad.com/files/fta-1009—njrat-uncovered-1.pdf

[3]
https://www.bluecoat.com/documents/download/2c832f0f-45d2-4145-bdb7-70fc78c22b0f

[4]
https://www.mpi-sws.org/~stevens/pubs/sec14.pdf

[5]
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070901/darkhotelappendixindicators_kl.pdf

[6]
https://labs.opendns.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/

[7]
http://blogs.cisco.com/security/dynamic-detection-of-malicious-ddns

[8]
http://www.malware-domains.com/files/dynamic_dns.zip

[9]
https://github.com/sooshie/bro-scripts/tree/master/dynamic_dns

[10]
https://splunkbase.splunk.com/app/2734/