Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet: Analysis of Outbound Malware Communication, Stephan Chenette, Principal Security Researcher, (@StephanChenette) & Armin Buescher, Security Researcher With advanced malware, targeted attacks, and advanced persistent threats, it’s not IF but WHEN a persistant attacker will penetrate your network and install malware on your company’s network and desktop computers. To get the full picture of the threat landscape created by malware, our malware sandbox lab runs over 30,000 malware samples a day. Network traffic is subsequently analyzed using heuristics and machine learning techniques to statistically score any outbound communication and identify command & control, back-channel, worm-like and other types of traffic used by malware. Our talk will focus on the setup of the lab, major malware families as well as outlier malware, and the statistics we have generated to give our audience an exposure like never before into the details of malicious outbound communication. We will provide several tips, based on our analysis to help you create a safer and more secure network. Stephan Chenette is a principal security researcher at Websense Security Labs, specializing in research tools and next generation emerging threats. In this role, he identifies and implements exploit and malcode detection techniques. Armin Buescher is a Security Researcher and Software Engineer experienced in strategic development of detection/prevention technologies and analysis tools. Graduated as Dipl.-Inf. (MSc) with thesis on Client Honeypot systems. Interested in academic research work and published author of security research papers.
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
Similaire à Watchtowers of the Internet - Source Boston 2012
Similaire à Watchtowers of the Internet - Source Boston 2012 (20)
Plus de Stephan Chenette
Plus de Stephan Chenette (8)
Watchtowers of the Internet - Source Boston 2012
- 1. Websense Security Labs Stephan Chenette, Armin Buescher WATCH TOWERS OF THE INTERNET ANALYSIS OF OUTBOUND MALWARE COMMUNICATION (c) 2012 Websense Security Labs.
- 2. Who we are Stephan Chenette (Northeastern Grad.) Security Researcher, UCSD M.S. Vulnerabilities, Reversing, Coding Armin Buescher Security Researcher, M.S. AV, Reversing, Coding R&D and Malware/Exploit Research
- 3. Essentials of this Talk • Malware Lab • Observations of Malware Communication • Clustering
- 4. Current State of Affairs Companies are concerned about targeted attacks ...and for good reason. • A persistent attacker will eventually penetrate your network • Malware will be installed • Most malware will eventually communicate outbound * (* unless the end goal of the attacker is complete destruction of data, malware will be used as the communication mechanism back to C&C) (c) 2012 Websense Security Labs.
- 5. Current State of Affairs Most important to you as a network administrator: • Knowledge of what machines are infected • Prevention of important information leaving your network
- 6. Value of this Presentation Better understanding of Outbound Malware Communication Deep dive into threats that are present against or on your network
- 8. Malware Lab 3 4 2 1
- 9. Malware Lab • Sandbox • VPN Services • Network Listeners • Databases • Multiple Scanner Engines • Malware…lots of it! =]
- 10. Malware Lab Output • Behavior Analysis • Network Analysis
- 11. Our Philosophy • Don't run around trying to find a particular bot/variant Run Everything! • Then figure out what it is… • Spam Bots • Network Worms • File Infectors • Etc. (c) 2012 Websense Security Labs.
- 12. Malware Samples Typically received 30-70k samples/day For this presentation we took a small representative daily subset totaling ~155,000 malware files to sample from
- 13. Malware Samples How to Classify Samples... DO NOT USE -- AV-Names ** • e.g. Trojan.Win32.Downloader DO USE -- CLUSTERING • Behavior Analysis/Network Analysis ** (AV-names are avoided as main use of classification when possible)
- 15. Malware Samples
- 18. Generic Trojan Downloader SHA-1: ab57031100a8c8c813a144b20b1ef5b9a643cec7
- 22. VPN Gateway - Canada
- 26. P2P Botnet
- 27. P2P Botnet – Encryption
- 28. Generic Trojan Downloader? • GEO/IP Lookup from a P0rn site • C&C traffic uses DGA to “sign” botnet traffic via host header • P2P communication over port 443 • Zaccess Dropper! (Sophos/Kaspersky) • Future versions with the same network behavior can be profiled
- 29. GEO/IP lookup • 2,744 samples in our malware set use fling.com to look up geo-location • 177 different AV detection variants • …clustering might have put this in the same grouping?
- 30. Another Sample…
- 31. K = (bot id) only replies if k is present! Returns instructions to DoS two targets 03 – DoS (Attack mode) 50 – Number of Threads 60 – Timeout (s) for the next C&C Request DoS: smcae.com:3306 & http://tonus.crimea.ua
- 32. DOS
- 33. DOS
- 34. Results • DirtJumper Botnet • Request commands via HTTP (unencrypted!) • DoS on mysql (3306), no SQL content • DoS on http (80), GET request
- 35. Manual Analysis • Good for deep-dive of a particular binary e.g. Flashback Mac OS X malware to find DGA • But not good for mass analysis of large number of samples daily • …Clustering
- 37. Clustering The process of grouping together samples that contain similar features
- 39. TCP Services
- 40. 2012: Malware is talking over HTTP >=70% HTTP vs. .46% IRC (6667)
- 45. Don't Rely 100% on AV Names
- 46. Don't Rely 100% on AV Names Rely on behavioral functionality
- 47. C&C Communication via HTTP
- 50. Feature: HTTP User-Agents used by Malware
- 51. Malware Communication • Most Malware uses browser user-agent strings • >17% have empty user-agent strings! • 85% use a user-agent of a browser not present on the system
- 53. Good Apps…User-Agent Bluestacks is an android emulator Completely benign…but there are characteristics that look like bot traffic…
- 54. Good Traffic
- 55. User-Agent / HTTP GET Dalvik/1.4.0 (Linux; U; Android 2.3.4; BlueStacks-c4afa5ac-7f39-11e1-b41e- 001676aa4685 Build/GRJ22)rn GET /public/appsettings/updates.txt …Essential to have a large sample set of both benign and malicious examples
- 57. URLs • www.csa.uem.br/administrator /includes/MicrosoftUpdate.exe • s1c0gv3v0x.h1.ru/Trojan.rar • ospianistas.com.br/aviso /infect.php • svpembtywvrc.eu/gate.php? cmd=ping&botnet=fr18&userid= x1lgje2mdh51kc8z&os=V2luZG93cy BYUA==
- 58. User-Agents • Mozilla/6.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) • Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) • darkness • N0PE • Trololo
- 60. Net. Clustering Features • Basic Network communication features • Protocols • Timing • Encryption • Encoding (e.g. BASE64) • DNS features • Number of lookups
- 61. Net. Clustering Features • HTTP features • Number of requests • Request method (POST/GET/…) • MIME types (server/real) • URL • User-agent • Etc.
- 63. DDoS malware Dirt Jumper • Clustering w. network behavior: • found ~900 DJ samples • Identified 90 unique C&C URLs Led to research paper “Tracking DDoS, Insights into the business of disrupting the Web” accepted at LEET academic conference for publication
- 64. Distinguishing families • Downloaders w. similar behavior • Categorizing unknown samples: • ~85% precision • Two families
- 65. Banking Trojan Zbot • Zoom into cluster w. network behavior “Zbot” • Clusters: • Alive & kickin’ • Domain killed • Server killed
- 66. Conclusion Telemetry = System behavior + Network behavior • Automated deep analysis of network behavior is underrated • Paint full picture of analyzed malware! • AV Names don’t always represent functionality
- 67. Conclusion II • Clustering on network behavior analysis • Identify malware communication techniques • Obviously malicious • Generic • Sophisticated • Clustering…yes! Just remember sophisticated might just mean generic!
- 68. Q&A questions.py: while len(questions) > 0: if time <= 0: break print answers[questions.pop()] (c) 2012 Websense Security Labs.
- 69. That’s all folks! Thanks! Stephan Chenette Twitter: @StephanChenette Armin Buescher Twitter: @armbues (c) 2012 Websense Security Labs.