Weekend Malware Research 2012
Le téléchargement de votre SlideShare est en cours.
×
![Q&A
questions.py:
while len(questions) > 0:
if time <= 0:
break
print answers[questions.pop()]
...](https://image.slidesharecdn.com/sourceboston2012presentationfinal-13440253576259-phpapp02-120803152752-phpapp02/75/watchtowers-of-the-internet-source-boston-2012-63-2048.jpg?cb=1670049188)
Consultez-les par la suite
Plus De Contenu Connexe
Diaporamas pour vous (20)
Les utilisateurs ont également aimé (6)
Similaire à Watchtowers of the Internet - Source Boston 2012 (20)
Plus par Stephan Chenette (8)
Watchtowers of the Internet - Source Boston 2012
- 1. Websense Security Labs Stephan Chenette, Armin Buescher WATCH TOWERS OF THE INTERNET ANALYSIS OF OUTBOUND MALWARE COMMUNICATION (c) 2012 Websense Security Labs.
- 2. Who we are Stephan Chenette (Northeastern Grad.) Security Researcher, UCSD M.S. Vulnerabilities, Reversing, Coding Armin Buescher Security Researcher, M.S. AV, Reversing, Coding R&D and Malware/Exploit Research
- 3. Essentials of this Talk • Malware Lab • Observations of Malware Communication • Clustering
- 4. Current State of Affairs Companies are concerned about targeted attacks ...and for good reason. • A persistent attacker will eventually penetrate your network • Malware will be installed • Most malware will eventually communicate outbound * (* unless the end goal of the attacker is complete destruction of data, malware will be used as the communication mechanism back to C&C) (c) 2012 Websense Security Labs.
- 5. Current State of Affairs Most important to you as a network administrator: • Knowledge of what machines are infected • Prevention of important information leaving your network
- 6. Value of this Presentation Better understanding of Outbound Malware Communication Deep dive into threats that are present against or on your network
- 7. Building a Malware Lab
- 8. Malware Lab 3 4 2 1
- 9. Malware Lab • Sandbox • VPN Services • Network Listeners • Databases • Multiple Scanner Engines • Malware…lots of it! =]
- 10. Malware Lab Output • Behavior Analysis • Network Analysis
- 11. Our Philosophy • Don't run around trying to find a particular bot/variant Run Everything! • Then figure out what it is… • Spam Bots • Network Worms • File Infectors • Etc. (c) 2012 Websense Security Labs.
- 12. Malware Samples Typically received 30-70k samples/day For this presentation we took a small representative daily subset totaling ~155,000 malware files to sample from
- 13. Malware Samples How to Classify Samples... DO NOT USE -- AV-Names ** • e.g. Trojan.Win32.Downloader DO USE -- CLUSTERING • Behavior Analysis/Network Analysis ** (AV-names are avoided as main use of classification when possible)
- 14. Malware Samples
- 15. Understanding Outbound Communication
- 16. Generic Trojan Downloader SHA-1: ab57031100a8c8c813a144b20b1ef5b9a643cec7
- 17. fling.com?...p0rn site
- 18. promos.fling/geo/txt/city.php
- 19. VPN Gateway - Canada
- 20. Botnet C&C 83.125.22.188
- 21. P2P Communication
- 22. P2P Botnet
- 23. P2P Botnet – Encryption
- 24. Generic Trojan Downloader? • GEO/IP Lookup from a P0rn site • C&C traffic uses DGA to “sign” botnet traffic via host header • P2P communication over port 443 • Zaccess Dropper! (Sophos/Kaspersky) • Future versions with the same network behavior can be profiled
- 25. GEO/IP lookup • 2,744 samples in our malware set use fling.com to look up geo-location • 177 different AV detection variants • …clustering might have put this in the same grouping?
- 26. Another Sample…
- 27. K = (bot id) only replies if k is present! Returns instructions to DoS two targets 03 – DoS (Attack mode) 50 – Number of Threads 60 – Timeout (s) for the next C&C Request DoS: smcae.com:3306 & http://tonus.crimea.ua
- 28. DOS
- 29. DOS
- 30. Results • DirtJumper Botnet • Request commands via HTTP (unencrypted!) • DoS on mysql (3306), no SQL content • DoS on http (80), GET request
- 31. Manual Analysis • Good for deep-dive of a particular binary e.g. Flashback Mac OS X malware to find DGA • But not good for mass analysis of large number of samples daily • …Clustering
- 32. Basics Clustering
- 33. Clustering The process of grouping together samples that contain similar features
- 34. Network Communication
- 35. TCP Services
- 36. 2012: Malware is talking over HTTP >=70% HTTP vs. .46% IRC (6667)
- 37. Clustering on HTTP Outbound Communication
- 38. Malware downloading executable payloads
- 39. Trojan:Win32/Medfos Worm:Win32/Renocide Trojan:Win32/Opachki Worm:Win32/Rebhip
- 40. Don't Rely 100% on AV Names
- 41. Don't Rely 100% on AV Names Rely on behavioral functionality
- 42. C&C Communication via HTTP
- 43. Malware Communication
- 44. Malware Communication
- 45. Feature: HTTP User-Agents used by Malware
- 46. Malware Communication • Most Malware uses browser user-agent strings • >17% have empty user-agent strings! • 85% use a user-agent of a browser not present on the system
- 47. Good Apps…User-Agent
- 48. Good Apps…User-Agent Bluestacks is an android emulator Completely benign…but there are characteristics that look like bot traffic…
- 49. Good Traffic
- 50. User-Agent / HTTP GET Dalvik/1.4.0 (Linux; U; Android 2.3.4; BlueStacks-c4afa5ac-7f39-11e1-b41e- 001676aa4685 Build/GRJ22)rn GET /public/appsettings/updates.txt …Essential to have a large sample set of both benign and malicious examples
- 51. Obviously Malicious…
- 52. URLs • www.csa.uem.br/administrator /includes/MicrosoftUpdate.exe • s1c0gv3v0x.h1.ru/Trojan.rar • ospianistas.com.br/aviso /infect.php • svpembtywvrc.eu/gate.php? cmd=ping&botnet=fr18&userid= x1lgje2mdh51kc8z&os=V2luZG93cy BYUA==
- 53. User-Agents • Mozilla/6.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) • Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) • darkness • N0PE • Trololo
- 54. Clustering Network behavior features
- 55. Net. Clustering Features • Basic Network communication features • Protocols • Timing • Encryption • Encoding (e.g. BASE64) • DNS features • Number of lookups
- 56. Net. Clustering Features • HTTP features • Number of requests • Request method (POST/GET/…) • MIME types (server/real) • URL • User-agent • Etc.
- 57. Clustering examples
- 58. DDoS malware Dirt Jumper • Clustering w. network behavior: • found ~900 DJ samples • Identified 90 unique C&C URLs Led to research paper “Tracking DDoS, Insights into the business of disrupting the Web” accepted at LEET academic conference for publication
- 59. Distinguishing families • Downloaders w. similar behavior • Categorizing unknown samples: • ~85% precision • Two families
- 60. Banking Trojan Zbot • Zoom into cluster w. network behavior “Zbot” • Clusters: • Alive & kickin’ • Domain killed • Server killed
- 61. Conclusion Telemetry = System behavior + Network behavior • Automated deep analysis of network behavior is underrated • Paint full picture of analyzed malware! • AV Names don’t always represent functionality
- 62. Conclusion II • Clustering on network behavior analysis • Identify malware communication techniques • Obviously malicious • Generic • Sophisticated • Clustering…yes! Just remember sophisticated might just mean generic!
- 63. Q&A questions.py: while len(questions) > 0: if time <= 0: break print answers[questions.pop()] (c) 2012 Websense Security Labs.
- 64. That’s all folks! Thanks! Stephan Chenette Twitter: @StephanChenette Armin Buescher Twitter: @armbues (c) 2012 Websense Security Labs.
