Catching Worms, Trojan Horses and PUPs: Unsupervised Detection of Silent Delivery Campaigns
TRANSCRIPT

Slide 1: BEEWOLF
Catching Worms, Trojan Horses and PUPs: Unsupervised Detection of Silent Delivery Campaigns
Bum Jun Kwon, Virinchi Srinivas, Amol Deshpande, Tudor Dumitraș
University of Maryland, College Park

Slide 2: Malware Delivery Campaigns
• Business model – Charge fees for delivering malware or PUPs
• Key method – Orchestrate silent delivery campaigns
(Diagram: Host – Downloaders – DNS Domain – Payloads)

Slide 3: Silent Delivery Campaigns
(Diagram: Host 1, Host 2, Host 3 with Downloaders, Payloads and DNS Domains; executables smart.exe, downloadmanager.exe, downloadmanager2.exe, mobogenie.exe; domains ppdownload.com 2013-11-15, greatarcadehits.com 2013-11-22, download2desktop.com 2013-12-05)

Slide 4: Silent Delivery Campaigns
(Same diagram as slide 3, annotated with prior work:)
• Identify malicious domains [Antonakakis+2010]
• Detect malicious downloaders on the client side [Kwon+2015]
• Malware families disseminated [Invernizzi+2014]
• Milk PUP payloads [Caballero+2011, Thomas+2016]

Slide 5: Lockstep Behavior
[Beutel+2013, Cao+2014, Jiang+2015]
(Diagram: Downloaders – DNS Domains)
• Not designed for streaming data
• Require interpreting events defined by multiple features
• Require seed nodes

Slide 6: We Introduce Beewolf
(Diagram: Downloaders – DNS Domains)
• Propose an unsupervised and deterministic technique
• Operate on a stream of download events
• Orthogonal to the work that uses machine learning
• Reveal the indirect relationships

Slide 7: Understanding Indirect Relationships
(Diagram: Direct Relationship vs. Indirect Relationship)
• Expose hidden dependencies in the underground economy
• Suggest suitable interventions for disrupting the malware delivery

Slide 8: Outline
• System overview
• Lockstep analysis – Attribution – Observations
• Evaluation – Streaming
• Conclusion

Slide 9: System Overview
• Beewolf
– Two modes: offline / streaming
– Input: download event data
– Whitelisting: download events from benign downloaders

Slide 10: Data Set: Download Activity in the Wild
• Download activity
– Kwon et al., The Dropper Effect paper (CCS '15)
– Download event: downloader, second-level domain name (domain), payload, server timestamp
– Year 2013
• Ground truth for labeling
– VirusTotal
– NSRL (National Software Reference Library)
– Underground forums, Reason Labs knowledge base

Slide 11: System Overview (cont.)
• Beewolf – Detect lockstep patterns
• Offline: from the entire input data set
• Streaming: from the stream of data
– Four core components
• Star Detection, Galaxy graph, FP tree, Lockstep Detection

Slide 12: Goal
(Diagram: bipartite graph of downloaders a, b, c, d, e and domains A, B, C, D. Adjacency list, one row per domain: B: c b a d; C: c b e; A: c b a; D: c d e. FP tree grown from root.)
Lockstep: [c,b,a] [B,C,A]
Detect near-bicliques with time constraints

Slide 13: Star Detection
(Diagram: bipartite graph of downloaders a, b, c, d, e and domains A, B, C, D, with the adjacency list B: c b a d; C: c b e; A: c b a; D: c d e. Each row is one star.)

Slide 14: Galaxy Graph
(Diagram: the stars of slide 13, B: c b a d; C: c b e; A: c b a; D: c d e, merged into one bipartite graph of downloaders a, b, c, d, e and domains A, B, C, D.)

Slide 15: Frequent Pattern Tree
(Diagram: adjacency list B: c b a d; C: c b e; A: c b a; D: c d e. FP tree after inserting the first row, B; each node carries its visited list of domains:)
root
  c [B]
    b [B]
      a [B]
        d [B]

Slide 16: Frequent Pattern Tree
(Diagram: adjacency list B: c b a d; C: c b e; A: c b a; D: c d e. Completed FP tree after inserting all four rows; each node carries its visited list of domains:)
root
  c [B,C,A,D]
    b [B,C,A]
      a [B,A]
        d [B]
      e [C]
    d [D]
      e [D]

Slide 17: Lockstep Detection
(Diagram: the completed FP tree of slide 16; the path root → c → b with visited list [B,C,A] is read off as a lockstep.)
Complete Biclique: [c,b] [B,C,A]

Slide 18: Addressing Limitations (1)
(Diagram: the completed FP tree of slide 16.)
Lockstep: [c,b,a] [B,C,A]
Heuristic for detecting near-bicliques

Slide 19: Addressing Limitations (2)
(Diagram: the completed FP tree of slide 16 next to the bipartite graph.)
Complete Biclique: [c,d,e] [D]
Complete Biclique: [c,b,e] [C]
Supplementation phase

Slide 20: Outline
• System overview
• Lockstep analysis – Attribution – Observations
• Evaluation – Streaming
• Conclusion

Slide 21: Lockstep Analysis
• Beewolf in offline mode
• Time window ∆t of 3 days – Shorter than the typical reaction time of domain blacklists
• Summary – Locksteps: 67,094

Slide 22: Label by Publisher
• Identify the organization
• Representative publisher (rep-pub) – A publisher that accounts for more than 50% of the signed downloaders in the lockstep; e.g. [OutBrowse, OutBrowse, MindAd LTD] gives the rep-pub OutBrowse
– Cannot identify rep-pub: mixed
• Categorization (rep-pub) – PUP, PPI, benign (BN), other, mixed, unknown (UK)

Slide 23: Label by Publisher Result
• Identified 335 rep-pubs
• Investigate the top 50 rep-pubs
• A large portion of the locksteps correspond to the Mixed category, followed by PUP
Difficult to place in a specific category

Slide 24: Label by Payload
• Understand the purpose of the lockstep
• Detection performance evaluation
• First, label the downloaders by the payloads they distribute
– Malware downloader (MD)
– PUP downloader (PD)
– Benign downloader (BD)
– Unknown downloader (UD)

Slide 25: Label by Payload (cont.)
• Malware downloader lockstep (MDL): lockstep that includes at least one MD
• PUP downloader lockstep (PDL): contains a PD but no MD
• Unknown downloader lockstep (UDL): no suspicious downloader
• Benign downloader lockstep (BDL): no suspicious downloader, contains a BD
(The slide groups MDL and PDL as Suspicious, UDL and BDL as Benign.)

Slide 26: Label by Payload Result
• Higher success rate in labeling (2.33% UDLs)
• MDLs occupy more than 80% of the total locksteps, while BDLs are low (4.82%)

Slide 27: Overlap Between Malware and PUP Delivery Ecosystems
• Overlap of downloaders – Large overlap
• 36.7% of the downloaders are present in both MDLs and PDLs
• Associated with 97.8% of all the PDLs
• Malsign blacklist – 1,926 downloaders signed by 212 publishers in locksteps – Involved in 66.8% of MDLs and 37.2% of PDLs
Many PUP publishers are likely involved in malware delivery

Slide 28: Overlap Between Malware and PUP Delivery Ecosystems (cont.)
• Recent measurements of commercial PPIs (Kotzias+2016, Thomas+2016) – Did not find substantial overlap
• Key distinction
– Geographical distribution
• Hosts from 72 different countries
– Different observation period / malware set
– Locksteps detect indirect relationships
• Utilize unsigned downloaders for malicious payloads

Slide 29: Business Relationships
• Publishers appearing together in locksteps – Utilize the same server-side infrastructure
• Reflects a relationship among the corresponding distribution networks
– Two different publisher relationships
• Partner: downloaders in a downloaded-by relationship
• Neighbor: no direct download relationship
– Organizations that use multiple code-signing certificates
– Relationships with a common third party

Slide 30: Business Relationships (cont.)
• Business relationship graph of the top 13 rep-pubs – Node: publisher – Edge: business relationship
(Graph legend: PUP, PPI, benign (BN), other)

Slide 31: Business Relationships (cont.)
• Example – Outbrowse LTD
• Advertisers or the affiliates of the Outbrowse PPI
• Variants of the rep-pub's certificate
Expose organizations utilizing certificate polymorphism
Organizations sharing the same third-party infrastructure
(Graph legend: PUP, PPI, benign (BN), other)

Slide 32: Outline
• System overview
• Lockstep analysis – Attribution – Observations
• Evaluation – Streaming
• Conclusion

Slide 33: Streaming Setup
• Batches of download events from the year 2013
– Download events in time window Δt = 3 days per batch
– 122 batches in total
– Check the computation cost (time) growth

Slides 34 and 35: Streaming Performance: Serial
(Chart: computation time per batch)
Slowdown: 7.7 s/batch; up to 20 min
Overhead of the supplementation phase

Slide 36: Streaming Performance: Optimal Parallelism
(Chart: computation time per batch)
Slowdown: 0.1 s/batch
Supplementation processes are independent => Run in parallel

Slide 37: Outline
• System overview
• Lockstep analysis – Attribution – Observations
• Evaluation – Detection performance – Streaming
• Conclusion

Slide 38: Conclusion
• We introduce Beewolf
– Unsupervised and deterministic system, operates on a stream of data
– Discovers indirect relationships (reflecting the PUP/malware overlap)
• Implication beyond malware detection – Beewolf can detect other kinds of coordinated actions (beaconing, C&C communication, posting in SNS)
• Data release – http://www.beewolf.org

Slide 41: The Detection Lag
• Downloaders – Downloading is not a sign of inherently malicious intent – Signed downloaders
Antivirus Detection Lag: average 71.6 days before discovery

Slide 42: Detection Performance
Lockstep type   Count    Share
MDL             54,497   81.22%
PDL              7,800   11.63%
BDL              3,231    4.82%
UDL              1,566    2.33%
False positives: fewer than 5%
True positives (suspicious locksteps) account for 92.85% of locksteps

Slide 43: Detection Lead Time
• How early can we detect suspicious downloaders or domains that were previously unknown?
– Downloaders: detect unknown executables in a lockstep before their first submission to VirusTotal
Median detection lead time of 165 days

Slide 44: Detection Lead Time (cont.)
• How early can we detect suspicious downloaders or domains that were previously unknown?
– Domains: flag unknown domains in a lockstep before they are listed on public URL blacklists
Median detection lead time of 196 days

Slide 45: Frequent Pattern Tree (1)
• Pre-setup – Bipartite graph of downloaders and second-level domain names (domains)
(Diagram: downloaders a, b, c, d, e as left-hand nodes (LHN) and domains A, B, C, D as right-hand nodes (RHN))
Get the degree for the nodes: a 2, b 3, c 4, d 2, e 2; A 3, B 4, C 3, D 3

Slide 46: Frequent Pattern Tree (1)
(Diagram: the bipartite graph of slide 45 with node degrees a 2, b 3, c 4, d 2, e 2; A 3, B 4, C 3, D 3)
• Adjacency list – Sorted in degree-descending order (first sort RHNs, then for each RHN sort its neighbor LHNs):
B: c b a d
C: c b e
A: c b a
D: c d e

Slide 47: Frequent Pattern Tree (2)
Create the root of an FP-tree. Perform insertion (node: LHN): 1) not a child yet: insert as child; 2) add the RHN to the visited list.
(Diagram: adjacency list B: c b a d; C: c b e; A: c b a; D: c d e. Tree after inserting row B, every node with visited list [B]; then after inserting row C:)
root
  c [B,C]
    b [B,C]
      a [B]
        d [B]
      e [C]

Slide 48: Frequent Pattern Tree (2)
Perform insertion (node: LHN): 1) not a child yet: insert as child; 2) add the RHN to the visited list.
(Diagram: adjacency list B: c b a d; C: c b e; A: c b a; D: c d e. Tree after inserting rows B, C and A, with visited lists [B,C,A], [B,C,A], [B,A], [B], [C]; completed tree after inserting row D:)
root
  c [B,C,A,D]
    b [B,C,A]
      a [B,A]
        d [B]
      e [C]
    d [D]
      e [D]

Slide 49: Frequent Pattern Tree (3)
(Diagram: the completed FP tree of slide 48.)
Lockstep: [c,b,a] [B,A]
Lockstep: [c,b] [B,C,A]

Slide 50: Outline
• Detecting silent delivery campaigns – Lockstep behavior – How to detect locksteps: frequent pattern tree – Data set – Lockstep attribution
• System
• Silent distribution campaigns – Properties of locksteps – Overlap between malware and PUP delivery ecosystems – Business relationships
• Evaluation
• Conclusion

Slide 51: Lockstep Behaviors
• Lockstep behavior – Downloader–domain interaction – Temporal pattern: access the same domain within a bounded time period ∆t
– Coordinated downloads that do not experience random delays
(Diagram: downloaders MINIBAR-MASTER.EXE, BI_RUNONCE.EXE, BISEHUP35464.EXE; at t = [0, ∆t]: bigspeedpro.com, 2013-01-06; at t = [3δt, ∆t + 3δt]: bispd.com, 2013-01-13; at t = [6δt, ∆t + 6δt]: cloudfront.net, 2013-01-24; labelled Lockstep)
Lockstep behavior exposes remotely controlled downloaders and reveals the domains involved in subsequent campaigns

Slide 57: How to Detect Silent Delivery Campaigns (cont.)
Lockstep behavior:
• Coordinated downloads without random delays
• Downloaders–domains in near-bicliques
(Diagram: Downloaders – DNS Domains)
Remotely controlled downloaders and the domains involved in subsequent campaigns

Slide 58: Star Detection
• Detect stars – Complete bipartite graph of a single domain and at least 2 downloaders
– A star corresponds to a row of the adjacency list
• Collect all stars within the time window ∆t – For each domain, aggregate the adjacent downloaders

Slide 59: Galaxy Graph
• Bipartite graph of the set of stars
• Update the galaxy graph incrementally – For each star, add the central node and its adjacent nodes to the graph
– Discard it if the star is a subset of some existing star

Slide 60: FP Tree
• Limitations
– Does not return near-bicliques
• Heuristic for detecting near-bicliques
– Misses part of the complete bicliques
• Independent supplementation phase

Slide 61: Lockstep Detection
• Traverse the FP tree from the root and collect all the locksteps
• Assign identifiers to the detected locksteps
