Tracking down malware hosts identified by OpenDNS

I've always been a fan of OpenDNS. Even before they switched to being a  security outfit, I used them for content filtering in the office and at home. If you're not familiar with their offering I'd recommend visiting their website and taking a look for yourself.

OpenDNS.com

Earlier this year, a colleague overseas got in touch to let me know he'd put OpenDNS in at a few office locations based in other countries. The good news was that change had been seamless and that OpenDNS had instantly started to spot malicious DNS requests originating from both sites. The bad news was that he had no way or idea of working out which desktops or servers were making the bad requests as he had almost no visibility on those networks and no body on site able to help. 

OpenDNS Dashboard

Activity Summary

Having your public DNS alert you to malicious requests originating from an office or country is a bit like having a smoke alarm on the 40th floor. Sure, it lets you know you have a fire, but it can't tell you what floor its on, how bad the fire is, where it started or whether or not its spreading. For us, the 'identity' as defined by OpenDNS was the country.

These sites were remote, isolated and with little to no logging or monitoring in place. After various discussions the only logs we could lay our hands on were the gateway firewall logs. Not much use you might think in trying to find the infected hosts as they don't contain the DNS query contents.

After spending a bit of time observing, reviewing and testing how OpenDNS worked I found a way to identify the infected hosts from the sites firewall logs alone, not through looking at the DNS requests but through looking at the responses OpenDNS serves for malicious requests. I'm sharing it here because the scenario is common enough that this may come in use to someonelse, someday.

When OpenDNS receives a DNS request attempting to resolve a 'bad domain' it responds to the lookup request rather than ignoring it:

Manual lookup against OpenDNS Vs. Google DNS
OpenDNS does this in order to present the user with a holding page which matches the type of threat category OpenDNS classify that particular domain under:

OpenDNS malware holding page

Now, although the malware in question is unlikely to render such a warning page to the user, it will still probably go off and attempt to connect to the recently resolved domain to do whatever unspeakable evil it was programmed to do. This means that, although you might not have visibility to differentiate between good and bad DNS requests, you will probably have visibility of which of your desktops or servers are trying to connect to the OpenDNS holding IP addresses by looking at your firewall logs for any connection attempts to 67.215.66.149. This isn't OpenDNS' only 'repsonse' IP address, not by a long way, but you can always perform a manual lookup against OpenDNS of any domains they flag as evil using nslookup or similar (see above) and then search for connections to that 'response' IP in your logs.

So for me, with a bit of grep and awking through the logs I was able to work out which of my workstations were in trouble:
Firewall log review, OpenDNS block page dsts
Also, whilst I was there I was able to check which systems were still using other DNS services and then request that they be changed:
Firewall log review, other DNS dsts

Popular posts from this blog

PCI-DSS: Your CDE may be getting bigger

Image
In December, the PCI Security Standards Council released guidance around scoping and network segmentation for card data environment (CDE) assets. In their own words: “Many organizations struggle to understand where PCI DSS controls are required and which systems need to be protected. This document provides guidance to help organizations identify the systems that, at a minimum, need to be included in scope for PCI DSS. Additionally, the document provides guidance on how segmentation can be used to help reduce the number of systems that require PCI DSS controls.” The guidance goes on to visualise a scoping process, considering each category of system in turn: I believe it’s worth highlighting the ‘broadness’ of the “Connected to OR Security Impacting Systems” . These are cases where the: System component is on a different network (or subnet or VLAN), but can connect to or access the CDE (e.g., via internal network connectivity). System component can connect
Read more

Splunk Security Cheat Sheet

Image
Apart from being a source of all too frequent and embarrassing typos, Splunk is a big data platform which allows you to interrogate data and present results is a variety of contexts and visualisations. I've been using it for a little over 12 months, self teaching or Googleing as I go, predominantly to sift through the terabytes of logs from various applications and appliances that get generated in my 9-5 every day.  You can use Splunk to build dashboards which are typically better than the ones that come with the product ( full size )  I've started to pull together all the searches, notes and bits of code into a sort of security cheat sheet which I thought would be a good thing to share as well as providing some real world examples of how you might use Splunk in a security context.  Cheat Sheet I'm actively working back through my notes and adding to this all the time so it might be a good thing to reference via the URL or re-visit from time to time. I'll t
Read more

Developing Leeds Scene

Image
Conscious that it's been some time since I wrote a post so I thought I'd write a little something about the developing Leeds 'scene' since co-founding DC151 and helping (albeit a little) with BSides Leeds.  DC151 (Every 2nd Wednesday) I'd complained for years that Leeds had no regular social gathering for people like us so when Mark C  announced BSides Leeds and everyone looked this way I picked up the phone and start texting. After some hurried planning I agreed a format and charter with Matt  and we committed to a date for the first gathering, October 11th. We gave ourselves around two months to sort everything, including finding a venue.  So far we've now held four gatherings and I couldn't be happier with how it's worked out. We've had to learn as we go and tweak the format along the way.  We've had some great talks and we continue to receive  support and attract interest beyond LS1.  If you're interested in com
Read more