Watchtowers of the Internet - Source Boston 2012
Transcript of Watchtowers of the Internet - Source Boston 2012
Page 1
WATCH TOWERS OF THE INTERNET
Websense Security Labs
Stephan Chenette, Armin Buescher
(c) 2012 Websense Security Labs.
ANALYSIS OF OUTBOUND MALWARE COMMUNICATION
Page 2
Who we are
Stephan Chenette (Northeastern Grad.)
Security Researcher, UCSD M.S.
Vulnerabilities, Reversing, Coding
Armin Buescher
Security Researcher, M.S.
AV, Reversing, Coding
R&D and Malware/Exploit Research
Page 3
Essentials of this Talk
• Malware Lab
• Observations of Malware Communication
• Clustering
Page 4
Current State of Affairs
Companies are concerned about targeted attacks
...and for good reason.
• A persistent attacker will eventually penetrate your network
• Malware will be installed
• Most malware will eventually communicate outbound *
* (unless the end goal of the attacker is complete destruction of data, malware will be used as the communication mechanism back to C&C)
Page 5
Current State of Affairs
Most important to you as a network administrator:
• Knowledge of what machines are infected
• Prevention of important information leaving your network
Page 6
Value of this Presentation
Better understanding of Outbound Malware Communication
Deep dive into threats that are present against or on your network
Page 7
Building a Malware Lab
Page 8
Malware Lab (diagram with components numbered 1-4)
Page 9
Malware Lab
• Sandbox
• VPN Services
• Network Listeners
• Databases
• Multiple Scanner Engines
• Malware…lots of it! =]
Page 10
Malware Lab Output
• Behavior Analysis
• Network Analysis
Page 11
Our Philosophy
• Don't run around trying to find a particular bot/variant
Run Everything!
• Then figure out what it is…
• Spam Bots
• Network Worms
• File Infectors
• Etc.
Page 12
Malware Samples
Typically received 30-70k samples/day
For this presentation we took a small representative daily subset totaling ~155,000 malware files to sample from
Page 13
Malware Samples
How to Classify Samples...
DO NOT USE -- AV-Names **
• e.g. Trojan.Win32.Downloader
DO USE -- CLUSTERING
• Behavior Analysis/Network Analysis
** (AV-names are avoided as the main basis for classification when possible)
Page 14 (image only)
Page 15
Malware Samples
Page 16
Understanding Outbound Communication
Page 17 (image only)
Page 18
Generic Trojan Downloader SHA-1: ab57031100a8c8c813a144b20b1ef5b9a643cec7
Page 19 (image only)
Page 20
fling.com?...p0rn site
Page 21
promos.fling/geo/txt/city.php
Page 22
VPN Gateway - Canada
Page 23 (image only)
Page 24
Botnet C&C 83.125.22.188
Page 25
P2P Communication
Page 26
P2P Botnet
Page 27
P2P Botnet – Encryption
Page 28
Generic Trojan Downloader?
• GEO/IP Lookup from a P0rn site
• C&C traffic uses DGA to “sign” botnet traffic via host header
• P2P communication over port 443
• Zaccess Dropper! (Sophos/Kaspersky)
• Future versions with the same network behavior can be profiled
Page 29
GEO/IP lookup
• 2,744 samples in our malware set use fling.com to look up geo-location
• 177 different AV detection variants
• …clustering might have put this in the same grouping?
Page 30
Another Sample…
Page 31
k = (bot id): the C&C only replies if k is present!
Returns instructions to DoS two targets
03 – DoS (Attack mode)
50 – Number of Threads
60 – Timeout (s) for the next C&C Request
DoS:
smcae.com:3306
&
http://tonus.crimea.ua
Page 32
DOS
Page 33
DOS
Page 34
Results
• DirtJumper Botnet
• Request commands via HTTP (unencrypted!)
• DoS on mysql (3306), no SQL content
• DoS on http (80), GET request
Page 35
Manual Analysis
• Good for deep-dive of a particular binary, e.g. Flashback Mac OS X malware to find DGA
• But not good for mass analysis of large number of samples daily
• …Clustering
Page 36
Clustering Basics
Page 37
Clustering
The process of grouping together samples that contain similar features
Page 38
Network Communication
Page 39
TCP Services
Page 40
2012: Malware is talking over HTTP
>=70% HTTP
vs.
0.46% IRC (6667)
Page 41
Clustering on HTTP Outbound Communication
Page 42
Malware downloading executable payloads
Page 43 (image only)
Page 44
Trojan:Win32/Medfos
Worm:Win32/Renocide
Trojan:Win32/Opachki
Worm:Win32/Rebhip
Page 45
Don't Rely 100% on AV Names
Page 46
Don't Rely 100% on AV Names
Rely on behavioral functionality
Page 47
C&C Communication via HTTP
Page 48
Malware Communication
Page 49
Malware Communication
Page 50
Feature: HTTP User-Agents used by Malware
Page 51
Malware Communication
• Most Malware uses browser user-agent strings
• >17% have empty user-agent strings!
• 85% use a user-agent of a browser not present on the system
Page 52
Good Apps…User-Agent
Page 53
Good Apps…User-Agent
BlueStacks is an Android emulator
Completely benign…but there are characteristics that look like bot traffic…
Page 54
Good Traffic
Page 55
User-Agent / HTTP GET
Dalvik/1.4.0 (Linux; U; Android 2.3.4; BlueStacks-c4afa5ac-7f39-11e1-b41e-001676aa4685 Build/GRJ22)\r\n
GET /public/appsettings/updates.txt
…Essential to have a large sample set of both benign and malicious examples
Page 56
Obviously Malicious…
Page 57
URLs
• www.csa.uem.br/administrator/includes/MicrosoftUpdate.exe
• s1c0gv3v0x.h1.ru/Trojan.rar
• ospianistas.com.br/aviso/infect.php
• svpembtywvrc.eu/gate.php?cmd=ping&botnet=fr18&userid=x1lgje2mdh51kc8z&os=V2luZG93cyBYUA==
Page 58
User-Agents
• Mozilla/6.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us)
• Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
• darkness
• N0PE
• Trololo
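The user-agent and URL observations on pages 51-58 (empty user-agents, user-agents of browsers not installed on the host, strings that are not browsers at all, executable downloads, bot-style query strings) can be turned into a triage rule set. The following is an added example written for this transcript, not code from the talk or from Websense Security Labs. It assumes a proxy log reduced to (client host, User-Agent, URL) tuples and a hypothetical per-host inventory of installed browsers (for instance from an endpoint agent; the deck does not say how it obtained that information), and it carries the deck's benign BlueStacks client as an allow-list entry. The log lines are constructed: the user-agent strings and the malicious URLs are the ones shown on the slides, the client host names and example.com requests are made up. The base64 query value on the gate.php URL decodes to the string Windows XP, which the example surfaces as the deck's "encoding" feature.

```python
"""Triage outbound HTTP requests by User-Agent and URL features: empty UAs,
UAs for browsers not installed on the host, non-browser UA strings,
executable downloads, bot-style query strings and base64-encoded query
values. Added example; not code from the talk."""
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed proxy log: (client host, User-Agent header, requested URL).
# UA strings and malicious URLs are the ones shown on the slides; the client
# host names and the example.com requests are made up.
SAMPLE_LOG = [
    ("ws-01", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
     "http://www.example.com/index.html"),
    ("ws-01", "",
     "http://svpembtywvrc.eu/gate.php?cmd=ping&botnet=fr18&userid=x1lgje2mdh51kc8z&os=V2luZG93cyBYUA=="),
    ("ws-02", "Dalvik/1.4.0 (Linux; U; Android 2.3.4; BlueStacks-c4afa5ac-7f39-11e1-b41e-001676aa4685 Build/GRJ22)",
     "http://updates.example.com/public/appsettings/updates.txt"),
    ("ws-03", "darkness",
     "http://www.csa.uem.br/administrator/includes/MicrosoftUpdate.exe"),
    ("ws-03", "Mozilla/6.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us)",
     "http://ospianistas.com.br/aviso/infect.php"),
    ("ws-02", "Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)",
     "http://s1c0gv3v0x.h1.ru/Trojan.rar"),
    ("ws-01", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/20.0 Safari/537.36",
     "http://www.example.com/"),
]

# Hypothetical per-host browser inventory (assumed to come from an endpoint
# agent; the deck does not describe its source).
INSTALLED = {"ws-01": {"msie"}, "ws-02": {"msie", "chrome"}, "ws-03": {"msie"}}

# Allow-list of known-benign non-browser clients. The deck's point is that a
# large benign corpus is needed to build this; here it holds a single entry.
BENIGN_NONBROWSER = [re.compile(r"^Dalvik/[\d.]+ \(Linux; U; Android [^)]*BlueStacks-")]


def browser_family(ua):
    """Map a UA string to a browser family; None if it is not a browser UA."""
    if not ua:
        return None
    if "MSIE" in ua or "Trident/" in ua:
        return "msie"
    if "Chrome/" in ua:
        return "chrome"
    if "Firefox/" in ua:
        return "firefox"
    if "Safari/" in ua:
        return "safari"
    if ua.startswith("Mozilla/"):
        return "mozilla-unknown"   # Mozilla prefix but no recognisable engine
    return None


def base64_query_values(url):
    """Return {param: decoded} for query values that are valid base64 and
    decode to printable ASCII (the deck lists encoding as a feature)."""
    found = {}
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw and all(32 <= b < 127 for b in raw):
            found[key] = raw.decode("ascii")
    return found


def score_request(host, ua, url):
    """Return (score, reasons) for one request; score 0 means nothing odd."""
    reasons = []
    if ua == "":
        reasons.append("empty user-agent")
    elif any(p.match(ua) for p in BENIGN_NONBROWSER):
        return 0, ["allow-listed non-browser client"]
    else:
        fam = browser_family(ua)
        if fam is None:
            reasons.append("non-browser user-agent")
        elif fam == "mozilla-unknown":
            reasons.append("Mozilla-style UA matching no known browser")
        elif fam not in INSTALLED.get(host, set()):
            reasons.append(f"browser {fam} not installed on {host}")
        m = re.search(r"MSIE (\d+)", ua)
        if m and int(m.group(1)) < 6:
            reasons.append("implausibly old browser version")
    if re.search(r"\.(exe|rar)(\?|$)", url, re.I):
        reasons.append("executable/archive download")
    if re.search(r"[?&](cmd|botnet|userid)=", url):
        reasons.append("bot-style query parameters")
    for key, decoded in base64_query_values(url).items():
        reasons.append(f"base64 query value {key} -> {decoded!r}")
    return len(reasons), reasons


def triage(log):
    """Score every request and return the flagged ones, worst first."""
    rows = [(host, url, *score_request(host, ua, url)) for host, ua, url in log]
    return sorted((r for r in rows if r[2] > 0), key=lambda r: -r[2])


if __name__ == "__main__":
    for host, url, score, reasons in triage(SAMPLE_LOG):
        print(f"{score} {host} {url}\n    " + "; ".join(reasons))
```

On the constructed log, five of the seven requests are flagged; the two clean ones are the installed-browser request and the allow-listed BlueStacks update check, which is exactly the case the deck uses to argue that a benign corpus is as necessary as a malicious one.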
Page 59
Clustering Network behavior features
Page 60
Net. Clustering Features
• Basic Network communication features
  • Protocols
  • Timing
  • Encryption
  • Encoding (e.g. BASE64)
• DNS features
  • Number of lookups
Page 61
Net. Clustering Features
• HTTP features
  • Number of requests
  • Request method (POST/GET/…)
  • MIME types (server/real)
  • URL
  • User-agent
  • Etc.
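The feature lists on pages 60-61 become useful once each sample's captured traffic is reduced to a set of feature tokens that can be compared. The following is an added example, not code from the talk or from Websense Security Labs: it turns a per-sample network summary into tokens for the deck's features (protocols and ports, DNS lookup count, HTTP request count and method, server-declared versus real MIME type, URL shape, user-agent class, base64-looking query values), measures overlap between samples with Jaccard similarity and groups them with single-linkage clustering, then reports the features shared by every member of a group as that group's network profile. The six samples and their summaries are constructed to mimic the three behaviours discussed in the deck; the sample IDs are placeholders, hosts ending in .invalid and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are made up, the index.php?k= command-poll URL is hypothetical, and promos.fling.com is assumed for the host the deck shows truncated.

```python
"""Cluster malware samples by network-behavior features. Added example;
not code from the talk. Pure standard library."""
import re
from itertools import combinations
from urllib.parse import parse_qsl, urlsplit


def _flood(target, port, n):
    """n identical connections, used to build the DoS-style summaries."""
    return [(target, port)] * n


# Constructed network summaries for six hypothetical samples (IDs are
# placeholders, not hashes). Each HTTP entry is (method, url, user-agent,
# server-declared content type, real body type). .invalid hosts and the
# documentation-range IPs are made up; promos.fling.com is assumed.
SAMPLES = {
    "sample-1": {  # Zaccess-like: geo lookup on fling.com, then raw P2P on 443
        "dns": ["promos.fling.com", "a1b2c3.invalid"],
        "http": [("GET", "http://promos.fling.com/geo/txt/city.php",
                  "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)", "text/plain", "text")],
        "tcp": [("83.125.22.188", 443), ("203.0.113.7", 443), ("198.51.100.9", 443)],
    },
    "sample-2": {
        "dns": ["promos.fling.com", "z9y8x7.invalid", "q4w5e6.invalid"],
        "http": [("GET", "http://promos.fling.com/geo/txt/city.php",
                  "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)", "text/plain", "text")],
        "tcp": [("203.0.113.21", 443), ("198.51.100.44", 443)],
    },
    "sample-3": {  # DirtJumper-like: plaintext command poll (hypothetical URL), then floods
        "dns": ["cc-one.invalid"],
        "http": [("POST", "http://cc-one.invalid/index.php?k=1a2b3c4d", "", "text/html", "text")],
        "tcp": _flood("smcae.com", 3306, 50) + _flood("tonus.crimea.ua", 80, 50),
    },
    "sample-4": {
        "dns": ["cc-two.invalid"],
        "http": [("POST", "http://cc-two.invalid/index.php?k=99ff00aa",
                  "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", "text/html", "text")],
        "tcp": _flood("192.0.2.10", 3306, 50) + _flood("192.0.2.11", 80, 50),
    },
    "sample-5": {  # downloader: fetches a PE that the server labels as HTML
        "dns": ["www.csa.uem.br"],
        "http": [("GET", "http://www.csa.uem.br/administrator/includes/MicrosoftUpdate.exe",
                  "Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)", "text/html", "MZ")],
        "tcp": [],
    },
    "sample-6": {
        "dns": ["s1c0gv3v0x.h1.ru"],
        "http": [("GET", "http://s1c0gv3v0x.h1.ru/Trojan.rar",
                  "Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)", "text/html", "MZ")],
        "tcp": [],
    },
}


def bucket(n):
    """Coarse count bucket so near-equal counts still match."""
    return "0" if n == 0 else "1" if n == 1 else "2-9" if n < 10 else "10+"


def url_shape(url):
    """Path with digit runs and hex blobs collapsed plus sorted query keys, so
    per-bot IDs in a URL do not split one family into many clusters."""
    parts = urlsplit(url)
    path = re.sub(r"[0-9a-f]{6,}|\d+", "#", parts.path, flags=re.I)
    keys = sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    return path + ("?" + "&".join(keys) if keys else "")


def ua_class(ua):
    if not ua:
        return "empty"
    return "browser" if re.search(r"MSIE|Firefox/|Chrome/|Safari/", ua) else "nonbrowser"


def features(s):
    """Turn one sample's network summary into a set of feature tokens."""
    f = {"dns:" + bucket(len(s["dns"])), "http:" + bucket(len(s["http"])),
         "tcp_conns:" + bucket(len(s["tcp"]))}
    for method, url, ua, declared, real in s["http"]:
        f.add("method:" + method)
        f.add("ua:" + ua_class(ua))
        f.add("url:" + url_shape(url))
        if real == "MZ" and not declared.startswith("application/"):
            f.add("mime_mismatch:exe_as_" + declared)   # server type vs real type
        # rough encoding heuristic: a long base64-alphabet query value
        if any(re.fullmatch(r"[A-Za-z0-9+/]{12,}={0,2}", v)
               for _, v in parse_qsl(urlsplit(url).query)):
            f.add("b64_query")
    ports = {port for _, port in s["tcp"]}
    f.update(f"tcp:{p}" for p in ports)
    if 443 in ports and not any(u.startswith("https://") for _, u, *_ in s["http"]):
        f.add("raw_443")   # 443 without any HTTPS request: P2P-style traffic
    return f


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


def cluster(samples, threshold=0.5):
    """Single-linkage clustering: samples whose feature sets overlap by at
    least `threshold` (Jaccard) end up in the same group."""
    feats = {k: features(v) for k, v in samples.items()}
    parent = {k: k for k in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(samples, 2):
        if jaccard(feats[a], feats[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for k in samples:
        groups.setdefault(find(k), []).append(k)
    return sorted(sorted(g) for g in groups.values())


def shared_features(samples, group):
    """Features common to every member: the cluster's network profile, which
    is what lets later versions with the same behavior be matched."""
    return set.intersection(*(features(samples[k]) for k in group))


if __name__ == "__main__":
    for group in cluster(SAMPLES):
        print(group, sorted(shared_features(SAMPLES, group)))
```

With the default threshold the six summaries fall into three groups of two, and the shared-feature profile of each group (for instance raw port 443 without HTTPS, or an executable served as text/html) is the kind of behavioural signature the deck says survives across versions where an AV name does not.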
Page 62
Clustering examples
Page 63
DDoS malware Dirt Jumper
• Clustering w. network behavior:
  • found ~900 DJ samples
  • Identified 90 unique C&C URLs
Led to the research paper “Tracking DDoS, Insights into the business of disrupting the Web”, accepted for publication at the LEET academic conference
Page 64
Distinguishing families
• Downloaders w. similar behavior
• Categorizing unknown samples:
  • ~85% precision
  • Two families
Page 65
Banking Trojan Zbot
• Zoom into cluster w. network behavior “Zbot”
• Clusters:
  • Alive & kickin’
  • Domain killed
  • Server killed
Page 66
Conclusion
Telemetry = System behavior + Network behavior
• Automated deep analysis of network behavior is underrated
• Paint full picture of analyzed malware!
• AV Names don’t always represent functionality
Page 67
Conclusion II
• Clustering on network behavior analysis
• Identify malware communication techniques
  • Obviously malicious
  • Generic
  • Sophisticated
• Clustering…yes! Just remember sophisticated might just mean generic!
Page 68
Q & A
questions.py:
    while len(questions) > 0:
        if time <= 0:
            break
        print(answers[questions.pop()])
Page 69
That’s all folks!
Thanks!
Stephan Chenette
Twitter: @StephanChenette
Armin Buescher
Twitter: @armbues