"Blockchain Infrastructure Used to Host and Hide Malicious Activity" -- Chinese translation provided by Harbin Antiy Technology Group Co., Ltd. (the English original follows below)

2018-08-08



Threat Actors Turn to Blockchain Infrastructure to Host & Hide Malicious Activity

https://www.darkreading.com/vulnerabilities---threats/threat-actors-turn-to-blockchain-infrastructure-to-host-and-hide-malicious-activity/d/d-id/1331622

4/23/2018
04:05 PM

Jai Vijayan

.bit domains are increasingly being used to hide payloads, stolen data, and command and control servers, FireEye says.

In a troubling trend for enterprises and law enforcement, threat actors are ramping up their use of blockchain domains to hide malicious activity and improve their ability to withstand takedown efforts.

Security vendor FireEye says it has observed a recent uptick in interest in cryptocurrency infrastructure in the cyber underground. Over the last year, there has been a big surge in the number of threat actors that have begun incorporating support for blockchain domains in their malware tools.

Many different malware families, including well-known ones such as Necurs, GandCrab, Emotet, SmokeLoader, and Corebot, have been reconfigured to use blockchain domains for command-and-control infrastructure, according to FireEye.

Searches using keywords such as Namecoin, blockchain, and .bit have also increased sharply in frequency since at least 2016, which suggests heightened criminal interest in the use of blockchain infrastructure to hide payloads, stolen data, and command and control servers.

The main advantage for threat actors in using blockchain domains is that the domains they register answer to no central authority, such as the Internet Corporation for Assigned Names and Numbers (ICANN) or a third-party registrar, says Randi Eitzman, senior analyst at FireEye.

"In traditional ICANN-controlled domains, if a domain is known to be hosting malicious content, then law enforcement agencies could contact the central authority and request that the domain be taken down," Eitzman says.

Because blockchain top-level domains such as .bit are not centrally managed, and the name-to-record mappings that stand in for DNS lookup tables are replicated across every node of a peer-to-peer network, there is no single party that can be compelled to remove an entry, and takedown efforts become much more difficult. "When an individual registers a .bit, or another blockchain-based domain, they are able to do so in just a few steps online, and the process costs mere pennies."
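How a Namecoin-compatible resolver turns a .bit query into an answer, as an added example that is not part of the article and is not FireEye's or the Namecoin project's code. It models a simplified reading of Namecoin's domain-name value format (the name for example.bit is stored under the key `d/example`, and its value is a JSON object carrying `ip`, `ns` and `map` fields) over constructed chain data; a real resolver reads those records from a Namecoin node. The `standard_resolver` function stands in for a conventional recursive resolver, which receives no delegation for .bit from the ICANN root and therefore answers NXDOMAIN whatever the chain holds.

```python
"""Minimal model of a Namecoin-compatible resolver answering .bit queries.

Added example (not from the article, FireEye or the Namecoin project). The
chain data below is constructed; the record layout follows a simplified
reading of Namecoin's domain-name value format, in which example.bit is
stored under the key "d/example" and its value is a JSON object with the
fields "ip" (A records), "ns" (delegation) and "map" (subdomains).
"""
import json

# Constructed stand-in for the name -> value table that every Namecoin node
# holds a full copy of. There is no registrar that can be asked to pull these.
CHAIN = {
    "d/example": json.dumps({
        "ip": "203.0.113.10",                      # A record for example.bit
        "map": {"panel": {"ip": "203.0.113.11"}},  # A record for panel.example.bit
    }),
    "d/delegated": json.dumps({"ns": ["ns1.example.net"]}),  # delegated.bit -> NS
}


class NotInChain(LookupError):
    """The name has no usable record in the chain (the resolver answers NXDOMAIN)."""


def split_bit_name(fqdn):
    """'panel.example.bit.' -> ('example', ['panel']): the Namecoin name and the
    subdomain labels to its left, lower-cased, trailing dot removed."""
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) < 2 or labels[-1] != "bit":
        raise ValueError(f"not a .bit name: {fqdn}")
    return labels[-2], labels[:-2]


def resolve_bit(fqdn, chain=CHAIN):
    """Return ('A', [addresses]) or ('NS', [nameservers]) for a .bit name."""
    name, subs = split_bit_name(fqdn)
    raw = chain.get(f"d/{name}")
    if raw is None:
        raise NotInChain(fqdn)
    record = json.loads(raw)
    # Descend through nested "map" entries, rightmost subdomain label first.
    for label in reversed(subs):
        record = record.get("map", {}).get(label)
        if record is None:
            raise NotInChain(fqdn)
    if "ns" in record:  # the owner delegated this name to conventional nameservers
        return ("NS", list(record["ns"]))
    ips = record.get("ip", [])
    ips = [ips] if isinstance(ips, str) else list(ips)
    if not ips:
        raise NotInChain(fqdn)
    return ("A", ips)


def standard_resolver(fqdn):
    """A conventional recursive resolver: .bit is not delegated from the ICANN
    root, so every .bit name is NXDOMAIN regardless of what the chain says."""
    return "NXDOMAIN" if fqdn.rstrip(".").lower().endswith(".bit") else "NOERROR"


if __name__ == "__main__":
    for q in ("example.bit", "panel.example.bit", "delegated.bit"):
        print(q, "standard:", standard_resolver(q), "namecoin:", resolve_bit(q))
```

The contrast between the two functions is the whole takedown problem in miniature: the record a malware sample needs exists only in the replicated chain data, so a defender who controls the default resolver sees nothing but NXDOMAIN, while any host pointed at a Namecoin-aware resolver gets the address.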

Domain registration is not associated with an individual's name or address but with a cryptographic identity, the key that controls the name record on the blockchain. "This essentially creates the same anonymous system as Bitcoin for Internet infrastructure, in which users are only known through their cryptographic identity."

Criminal interest in cryptocurrency-related topics is not new. As FireEye notes, threat actors have been exploring the possibility of leveraging the unique properties of blockchain technology to support malicious operations since at least 2009.

One example is malicious actors' interest in Namecoin, a Bitcoin code-based cryptocurrency that allows pretty much anyone to register and manage domain names with the .bit extension. Any individual can use Namecoin to register a .bit domain without having to directly associate their identity or address with it.

Namecoin describes itself as enabling a decentralized domain name system where domain ownership can remain completely anonymous, and domains themselves can therefore be hard to shut down without causing collateral damage.

Domains registered with Namecoin cannot be resolved through standard DNS. So criminals have increasingly configured their malware to query their own, privately managed Namecoin-compatible name servers in order to reach their .bit domains, or to query Namecoin-compatible servers offered through underground services. In many cases, malware authors hard-code the addresses of these blockchain-compatible DNS servers in the sample.

"Because the DNS lookup table is decentralized on a blockchain, commonly used and default DNS servers — like ones run by Google and various ISPs are unable to resolve the domain," Eitzman explains.
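A triage pass over DNS logs for the two artefacts the paragraphs above describe (a .bit query, which a standard resolver can only answer with NXDOMAIN, and DNS traffic to a hard-coded resolver outside the enterprise's own), as an added example that is not from the article or from FireEye. The log format is a constructed, simplified one, the addresses in it are constructed, and 10.0.0.53 is assumed to be the sanctioned corporate resolver.

```python
"""Triage of DNS query logs for .bit command-and-control resolution.

Added example (not from the article or FireEye). The log format is a
constructed, simplified one: timestamp, client, resolver, query name, rcode.
Two things are looked for: queries for blockchain TLDs, which a standard
resolver can only answer NXDOMAIN, and DNS traffic to resolvers outside the
sanctioned set, which is how a hard-coded Namecoin-compatible server shows up.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

BLOCKCHAIN_TLDS = frozenset({"bit"})  # Namecoin's TLD; add other blockchain TLDs as needed

# Assumed: the enterprise's own recursive resolvers, the only ones clients may use.
SANCTIONED_RESOLVERS = frozenset({ipaddress.ip_address("10.0.0.53")})

# Constructed sample. 203.0.113.5 (a documentation-range address) stands in
# for a Namecoin-compatible resolver hard-coded in a malware sample.
SAMPLE_LOG = """\
2018-04-23T14:01:02Z 10.1.1.20 10.0.0.53 login.example.com NOERROR
2018-04-23T14:01:05Z 10.1.1.21 10.0.0.53 panel.example.bit NXDOMAIN
2018-04-23T14:01:09Z 10.1.1.21 203.0.113.5 panel.example.bit NOERROR
2018-04-23T14:01:11Z 10.1.1.22 203.0.113.5 www.example.org NOERROR
"""


@dataclass(frozen=True)
class DnsEvent:
    ts: str
    client: ipaddress.IPv4Address | ipaddress.IPv6Address
    resolver: ipaddress.IPv4Address | ipaddress.IPv6Address
    qname: str
    rcode: str


@dataclass(frozen=True)
class Finding:
    severity: str
    client: str
    qname: str
    reason: str


def parse_log(text: str) -> list[DnsEvent]:
    """Parse the constructed whitespace-separated format; names are normalised."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, resolver, qname, rcode = line.split()
        events.append(DnsEvent(ts, ipaddress.ip_address(client),
                               ipaddress.ip_address(resolver),
                               qname.rstrip(".").lower(), rcode))
    return events


def is_blockchain_domain(qname: str) -> bool:
    return qname.rstrip(".").lower().rsplit(".", 1)[-1] in BLOCKCHAIN_TLDS


def triage(events, sanctioned=SANCTIONED_RESOLVERS) -> list[Finding]:
    findings = []
    for e in events:
        blockchain = is_blockchain_domain(e.qname)
        off_resolver = e.resolver not in sanctioned
        if blockchain and off_resolver and e.rcode == "NOERROR":
            # A .bit name actually answered: the client reached a blockchain-aware
            # resolver, which is the behaviour the article describes for infected hosts.
            findings.append(Finding("high", str(e.client), e.qname,
                                    "blockchain domain resolved via unsanctioned resolver"))
        elif blockchain:
            # The corporate resolver cannot answer .bit; the NXDOMAIN is expected and
            # the attempt itself is the indicator (often the first thing the malware tries).
            findings.append(Finding("medium", str(e.client), e.qname,
                                    "blockchain domain queried on standard resolver"))
        elif off_resolver:
            findings.append(Finding("low", str(e.client), e.qname,
                                    "DNS to unsanctioned resolver"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.client} {f.qname}: {f.reason}")
```

The ordering of the checks matters: a .bit name that comes back NOERROR from an off-list resolver is the strongest signal and is reported before the weaker ones, and the NXDOMAIN on the corporate resolver is kept as a finding rather than filtered as noise, because it is the one trace a default resolver will ever record of this traffic. Egress filtering of port 53 to anything but the sanctioned resolvers turns the low-severity class into a blocked connection instead of a log line.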

Providers of so-called bulletproof hosting services have begun jumping into the fray as well. One example, according to FireEye, is Group 4, which recently has added support that allows malicious actors to query .bit-compatible servers.

FireEye expects that threat actors will continue to use Tor, domain generation algorithms, and so-called fast-flux techniques to hide malicious activity. But, increasingly, expect them to start using blockchain infrastructure as well.

"The same perks that continue to draw cybercriminals to using cryptocurrencies as a method of payment apply here," says Kimberly Goody, senior analyst at FireEye.

Blockchain domains are decentralized and more resistant to takedowns, and they provide comparative anonymity. "Due to these factors and the increasing number of malware developers supporting .bit, we can expect to see these domains continue to gain popularity amongst threat actors," says Goody.
