Detecting Malicious SSL Certificates Using Bro

Post on 08-Feb-2017



Detecting Malicious SSL Certificates Using Bro
Andrew Beard
Ajit Thyagarajan


Motivation
• SSL traffic is increasing and so is malicious usage!
• Content visibility of SSL traffic is becoming increasingly harder
• BSides Charm talk – Using Bro IDS to Detect X509 Anomalies by Will Glodek

Direct application of cert feeds
• Well known SSL cert blacklist, SSLBL by abuse.ch
• Identifies certificates via hash (SHA1)
• Averages about 10 new entries per week
• Relatively high efficacy

David Bianco's Pyramid of Pain
• Reflects the pain you cause to an adversary when you detect on a given indicator type
• A certificate hash is a hash-value indicator, the bottom of the pyramid: generating new certificates (even signed ones) causes little pain

Using cert feeds and Bro to greater effect
• Use the feeds as a starting point to gather and label data
• Analyze metadata from known bad certificates as a training set
• Treat certificates collected from other (non-certificate) feeds as maybes
• Try to find patterns in the metadata that match as many known bad and maybes as possible, then verify against known (or at least heavily biased) good traffic

Why Bro?
• Content awareness
• Ability to apply patterns to live network traffic
• Symmetry on the front and the back end: the same certificate parsing used to build the data sets can apply the resulting patterns on the wire

I don't have a supercomputer
• I have a 7 year old Dell workstation my wife's IT department was throwing out
• Nothing here would be remotely considered HPC

Generating training sets
• Visit every potentially malicious site you can possibly find
• OSINT feeds are great for this
• Don't have a lot of context (if any)
• Look for certificates that match our known bad ones
• "Everything else" creates a data set that isn't totally trustworthy; use it for testing

Collection flow: Feed Data (All) -> Fetch Script -> In Cert Feed? -> Yes: Known Bad / No: Maybe Bad

Problems with generating data sets
• Expect a low response rate
• Sites get taken down, don't listen on HTTPS port 443, don't serve anything out, unregistered DGA domains, etc.
• Less than 1 in 5000 respond (with no guarantee those responses are actually bad)
• The number that match on the SSLBL is even worse, and that's biased
• Based entirely on what's already labeled as bad

x509.log Fields
ts, id, version, serial, subject, issuer, not_valid_before, not_valid_after, key_alg, sig_alg, key_type, key_length, exponent, curve, san.dns, san.uri, san.email, san.ip, basic_constraints.ca, basic_constraints.path_len

Subjects and Issuers
• CN=nycards2016.com,OU=PositiveSSL,OU=Domain Control Validated
• emailAddress=ha@163.com,CN=gjf,OU=comba,O=comba,L=guangzhou,ST=china,C=CN
• CN=A_LifeSize_System,C=US,ST=Texas,L=Austin,emailAddress=hostmaster@lifesize.com,OU=IT,O=LifeSize Communications\, Inc.
• CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
• OU=Test,O=Peersec Networks,L=Bellevue,ST=WA,C=US,CN=MatrixSSL Sample Server CA

Splitting the Attributes
• Subject and Issuer are the string representations of multiple Attribute Value Assertions (AVAs)
• Hard to compare them as big strings, but a lot more commonality once you split them up
• Not hard to parse out each attribute using something like Splunk or Kibana, but it makes matching on those fields harder later
• Split the fields into a new Bro log based on x509.log (x509_extended.log)

Many attributes, but we're just using a subset
C                 Country
CN                Common Name (Site identifier)
L                 Locality (City)
O                 Organization
OU                Organizational Unit
ST                State (or Province)
emailAddress
unstructuredName
serialNumber

x509_extended

    type Info: record {
        fuid: string &log;
        sha1: string &log;
        subject_c: string &log &optional;
        subject_cn: string &log &optional;
        subject_l: string &log &optional;
        subject_o: string &log &optional;
        subject_ou: string &log &optional;
        subject_st: string &log &optional;
        subject_email: string &log &optional;
        subject_unstruct: string &log &optional;
        subject_serial: string &log &optional;
        issuer_c: string &log &optional;
        …
    };
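As an added example (not code from the talk or from the atomicmole/brocon2016 scripts), here is a Python prototype of the split that x509_extended performs. It takes the subject and issuer strings as Bro writes them to x509.log (OpenSSL RFC 2253 style, where a comma inside a value is escaped as \, and an unprintable byte as \XX) and produces the subject_*/issuer_* columns named in the record above. Joining repeated attributes with '|' and splitting '+'-separated multi-valued RDNs are this example's choices, not the talk's; the sample DNs are the ones from the Subjects and Issuers slide.

```python
from typing import Dict, List

# Attribute types kept by the x509_extended record above, mapped to the
# column suffix (subject_<suffix> / issuer_<suffix>). Other types
# (DC, street, ...) are dropped, as the talk's subset does.
KEEP = {
    "C": "c", "CN": "cn", "L": "l", "O": "o", "OU": "ou", "ST": "st",
    "emailAddress": "email", "unstructuredName": "unstruct",
    "serialNumber": "serial",
}
HEX = set("0123456789abcdefABCDEF")


def split_avas(dn: str) -> List[str]:
    """Split a DN string as Bro prints it (OpenSSL's RFC 2253 style).

    Unescaped ',' separates RDNs and unescaped '+' separates the values of
    a multi-valued RDN. A backslash escapes the next character, so
    'O=LifeSize Communications\\, Inc.' stays one AVA; '\\XX' is a hex escape
    for a byte OpenSSL chose not to print (decoded here one byte at a time).
    """
    avas: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and all(h in HEX for h in nxt):
                buf.append(chr(int(nxt, 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch in ",+":
            avas.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    avas.append("".join(buf))
    return [a for a in avas if a]


def parse_dn(dn: str, prefix: str) -> Dict[str, str]:
    """Turn one DN into x509_extended-style columns, e.g. subject_cn.

    Repeated types (two OU= values are common, see the PositiveSSL
    example) are joined with '|' so the second is not silently lost.
    """
    cols: Dict[str, str] = {}
    for ava in split_avas(dn):
        typ, eq, val = ava.partition("=")
        if not eq:
            continue  # not type=value; skip rather than fail on odd input
        suffix = KEEP.get(typ.strip())
        if suffix is None:
            continue
        key = f"{prefix}_{suffix}"
        cols[key] = f"{cols[key]}|{val}" if key in cols else val
    return cols


def extend_record(fuid: str, sha1: str, subject: str, issuer: str) -> Dict[str, str]:
    """Build one x509_extended row from the x509.log subject/issuer strings."""
    row = {"fuid": fuid, "sha1": sha1}
    row.update(parse_dn(subject, "subject"))
    row.update(parse_dn(issuer, "issuer"))
    return row


if __name__ == "__main__":
    # Subject strings from the "Subjects and Issuers" slide above.
    for dn in [
        "CN=nycards2016.com,OU=PositiveSSL,OU=Domain Control Validated",
        "emailAddress=ha@163.com,CN=gjf,OU=comba,O=comba,L=guangzhou,ST=china,C=CN",
        "CN=A_LifeSize_System,C=US,ST=Texas,L=Austin,emailAddress=hostmaster@lifesize.com,"
        "OU=IT,O=LifeSize Communications\\, Inc.",
    ]:
        print(parse_dn(dn, "subject"))
```

The escape handling is the part a naive split(",") gets wrong: the LifeSize subject would otherwise yield a bogus "Inc." AVA and a truncated O value, and any later match on subject_o would miss it.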

Need a prototyping system
• Wanted to gather data, then test patterns on the same data sets over and over
• Could do this with Bro directly, but you don't really need to reprocess the packets and sessions over and over again
• Process traffic into Bro logs, evaluate via Splunk or SQL
• May want to apply new certificate feeds to existing logs outside of Bro

Analysis
• Look at data in $VISUALIZATION (whatever visualization tool you have)
• Clustering -> Pattern Synthesis
• Check for hits in the bad table
• Check for hits in the unknown table
• Confirm against a known good set

Examples

Default Values
C    ST          O                          emailAddress
AU   Some-State  Internet Widgits Pty Ltd   -
AU   Some-State  Internet Widgits Pty Ltd   chmod 0600 /etc/nginx/ssl/server.key
AU   Some-State  Internet Widgits Pty Ltd   -

openssl Command Defaults

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:
    Email Address []:

Is it actionable?
• Not definitively, but there is a very strong correlation with sites that were hosting malware or control nodes
• Gozi, Gootkit, Shifu, others have all been identified running from servers with "Internet Widgits Pty Ltd" certificates
• Non-malicious matches are mostly default server pages and sites under development
• A user visiting such a site outside the network could be considered anomalous
• Default Company Ltd, Default City, also used by some OpenSSL distributions

Copypasta
sha1                                       O    L            ST
1147947433f261bcd2cd8f508461e01898c3960b   Dis  Springfield  Denial
f2a61975cb541e6a62ed8ca5214020108d922a14   Dis  Springfield  Denial
368e6beb6f8d2f6049831fe25dd397287823c5e6   Dis  Springfield  Denial
a9650a4522140d42e5ca4529da54805625eebe64   Dis  Springfield  Denial
• 4 cert feed matches in our original sample set
• SSLBL lists all four as TorrentLocker C2 servers
• 14 others were found with the same ST, L, and O fields (and other fields not present)
• 5 of those have shown up in the SSLBL feed since
• So far ALL TorrentLocker C2 servers seem to use the same pattern

Where did it come from?

"Random" Values
C   CN                        L                         O                         ST
CN  TJMauph2wkefdglVFzqmyEvM  3KLyyRWQF0IRfH91yu5frdLX  rfUvM2rqVg1P8IpFP2mJbEjD  ST
CN  RJHeFQ9nCz69k5RNTTLmVCIf  gBEUDkp44OE7ihODZD4VbdDv  oLsGPV9bx43NaNg1ZjOqIGfJ  ST
CN  Hcoc6tfYqmEXPnDtwJ39vBFg  N9El3p9XpqOBDcqUQxKCbw5V  OJ2vl3Vz2Tn0skdsUsLUMwFz  ST
CN  X5WBo9o5AqvtVGGAVyBiNgwO  wHMhVyFMNPcbdG84Q8gKcijH  8V3jDPLZIGdNoOmKQ42ZmhlE  ST
CN  rQ9YqiO7S1pgULTmD3nNahn7  OBfmruLgjF88LKyg0fVHqRzU  zs3L7avZO3gDESogMpf4HBxj  ST
• Fixed C and ST values, and exactly 24 characters in the CN, L, and O fields
• Over 27 matches for the same pattern in the "maybe" set
• All C2 nodes from the same malware family
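Added example, not code from the talk: the three patterns from the Default Values, Copypasta and "Random" Values slides applied to an x509_extended.log the way the prototyping slide suggests, i.e. outside Bro, over the logs. The log excerpt is constructed for this example (Bro ASCII log layout, placeholder fuid/sha1 values); the pattern names are mine, and treating the 24-character CN/L/O fields as alphanumeric is an assumption, since the slide only states the length.

```python
import re
from typing import Dict, List

# Constructed x509_extended.log excerpt in Bro's ASCII log format; fuid and
# sha1 values are placeholders, not certificates from the talk's data set.
# The subject values reproduce the three patterns discussed above.
FIELDS = ["fuid", "sha1", "subject_c", "subject_cn", "subject_l",
          "subject_o", "subject_ou", "subject_st", "subject_email"]
ROWS = [
    ["Fa1", "fake-sha1-01", "AU", "-", "-", "Internet Widgits Pty Ltd", "-", "Some-State", "-"],
    ["Fa2", "fake-sha1-02", "AU", "-", "-", "Internet Widgits Pty Ltd", "-", "Some-State",
     "chmod 0600 /etc/nginx/ssl/server.key"],
    ["Fa3", "fake-sha1-03", "-", "-", "Springfield", "Dis", "-", "Denial", "-"],
    ["Fa4", "fake-sha1-04", "CN", "TJMauph2wkefdglVFzqmyEvM", "3KLyyRWQF0IRfH91yu5frdLX",
     "rfUvM2rqVg1P8IpFP2mJbEjD", "-", "ST", "-"],
    # 23-character CN: same shape, must NOT match the 24-character rule
    ["Fa5", "fake-sha1-05", "CN", "TJMauph2wkefdglVFzqmyEv", "3KLyyRWQF0IRfH91yu5frdLX",
     "rfUvM2rqVg1P8IpFP2mJbEjD", "-", "ST", "-"],
    ["Fa6", "fake-sha1-06", "US", "www.example.com", "Austin", "Example Corp", "-", "Texas", "-"],
    # openssl defaults left for C/ST but a real O: not the default-subject pattern
    ["Fa7", "fake-sha1-07", "AU", "-", "-", "Acme Pty Ltd", "-", "Some-State", "-"],
]
SAMPLE_LOG = "\n".join(
    ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
     "#unset_field\t-", "#path\tx509_extended",
     "#fields\t" + "\t".join(FIELDS),
     "#types\t" + "\t".join(["string"] * len(FIELDS))]
    + ["\t".join(r) for r in ROWS]
    + ["#close\t2016-09-01-00-00-00"]) + "\n"

RANDOM24 = re.compile(r"^[A-Za-z0-9]{24}$")


def read_bro_log(text: str) -> List[Dict[str, str]]:
    """Parse Bro ASCII log text into dicts keyed by the #fields header.

    Unset fields ('-') become '' so the pattern code can compare plainly;
    a data line whose column count disagrees with #fields is an error.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        values = line.split("\t")
        if not fields or len(values) != len(fields):
            raise ValueError(f"malformed log line: {line!r}")
        records.append({k: "" if v == "-" else v for k, v in zip(fields, values)})
    return records


def classify(rec: Dict[str, str]) -> List[str]:
    """Names of every subject-metadata pattern this certificate matches."""
    c, cn, l, o, st = (rec.get(k, "") for k in
                       ("subject_c", "subject_cn", "subject_l", "subject_o", "subject_st"))
    hits: List[str] = []
    # 1. Untouched `openssl req` defaults, plus the Default Company Ltd /
    #    Default City defaults some distributions ship. Not malicious by
    #    itself (default server pages, sites under development), but the
    #    talk found Gozi, Gootkit and Shifu behind it.
    if (c, st, o) == ("AU", "Some-State", "Internet Widgits Pty Ltd") or \
            (l, o) == ("Default City", "Default Company Ltd"):
        hits.append("openssl_default_subject")
    # 2. Copy-pasted fixed O/L/ST seen on every TorrentLocker C2 cert in the sample.
    if (o, l, st) == ("Dis", "Springfield", "Denial"):
        hits.append("torrentlocker_copypasta")
    # 3. Fixed C and ST with exactly 24 characters in CN, L and O. Alphanumeric
    #    is an assumption; the slide only states the length.
    if c == "CN" and st == "ST" and all(RANDOM24.match(v) for v in (cn, l, o)):
        hits.append("fixed_c_st_random24")
    return hits


def scan(text: str) -> Dict[str, List[str]]:
    """sha1 -> matched patterns, for every record in the log that hits."""
    out: Dict[str, List[str]] = {}
    for rec in read_bro_log(text):
        hits = classify(rec)
        if hits:
            out[rec["sha1"]] = hits
    return out


if __name__ == "__main__":
    for sha1, hits in scan(SAMPLE_LOG).items():
        print(sha1, ",".join(hits))
```

Running it reports hits for the first four rows only; the 23-character row and the row with only C and ST at their defaults fall through. That is the point of matching on split fields: each pattern is a conjunction of several attribute values, so one default value on its own (C=AU) is not a hit, which keeps the false-positive rate on the "known good" set down. Moving a pattern onto the wire means turning the same conjunction into a condition in the Bro script that raises the notice.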

Applying Patterns to Bro
• Wrote a collection of Bro scripts that load the x509_extended module
• Hooks into an event after subject and issuer subfields have been parsed out
• Logs to notice.log

Triangle of Pain, Revisited

Recap
• Bro makes it easy to extract certificate metadata
• Using OSINT and Bro you can easily collect large sets of data on bad and suspect certificates
• Patterns in the certificate metadata can yield higher-value information than the feeds alone
• Hard to definitively say something is malicious with no context, but you can get to a high level of confidence
• Since Bro can operate at line speed, it can be used to match those patterns against live traffic

Future
• Better ways of applying patterns in Bro (less hardcoding into scripts)
• Certificate analysis has potential for uncovering a lot more patterns
• Better automatic clustering
• BSides DC talk focusing on clustering and analysis (Oct 22, '16)
• Continuing to enhance our collection of good/bad certs
• Looking for collaborators - let us know if you are interested

Thanks to:
• Abuse.ch
• John Bambenek and Bambenek Consulting
• AlienVault and numerous OTX contributors
• Ravi Pandey from University of Maryland

Questions?
Andrew Beard: andrew@atomicmole.com
Ajit Thyagarajan: ajit@atomicmole.com
Atomic Mole GitHub: https://github.com/atomicmole/brocon2016