Watchtowers of the Internet - Source Boston 2012
DESCRIPTION
Watchtowers of the Internet: Analysis of Outbound Malware Communication
Stephan Chenette, Principal Security Researcher (@StephanChenette) & Armin Buescher, Security Researcher

With advanced malware, targeted attacks, and advanced persistent threats, it’s not IF but WHEN a persistent attacker will penetrate your network and install malware on your company’s network and desktop computers. To get the full picture of the threat landscape created by malware, our malware sandbox lab runs over 30,000 malware samples a day. Network traffic is subsequently analyzed using heuristics and machine learning techniques to statistically score any outbound communication and identify command & control, back-channel, worm-like and other types of traffic used by malware. Our talk will focus on the setup of the lab, major malware families as well as outlier malware, and the statistics we have generated to give our audience an exposure like never before into the details of malicious outbound communication. We will provide several tips, based on our analysis, to help you create a safer and more secure network.

Stephan Chenette is a principal security researcher at Websense Security Labs, specializing in research tools and next generation emerging threats. In this role, he identifies and implements exploit and malcode detection techniques.

Armin Buescher is a Security Researcher and Software Engineer experienced in strategic development of detection/prevention technologies and analysis tools. He graduated as Dipl.-Inf. (MSc) with a thesis on client honeypot systems, is interested in academic research work, and is a published author of security research papers.

TRANSCRIPT
![Page 1: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/1.jpg)
WATCHTOWERS OF THE INTERNET
ANALYSIS OF OUTBOUND MALWARE COMMUNICATION
Websense Security Labs
Stephan Chenette, Armin Buescher
(c) 2012 Websense Security Labs.
![Page 2: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/2.jpg)
Who we are
Stephan Chenette (Northeastern Grad.)
Security Researcher, UCSD M.S.
Vulnerabilities, Reversing, Coding
Armin Buescher
Security Researcher, M.S.
AV, Reversing, Coding
R&D and Malware/Exploit Research
![Page 3: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/3.jpg)
Essentials of this Talk
• Malware Lab
• Observations of Malware Communication
• Clustering
![Page 4: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/4.jpg)
Current State of Affairs
Companies are concerned about targeted attacks
...and for good reason.
• A persistent attacker will eventually penetrate your network
• Malware will be installed
• Most malware will eventually communicate outbound *
(* unless the end goal of the attacker is complete destruction of data, malware will be used as the communication mechanism back to C&C)
![Page 5: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/5.jpg)
Current State of Affairs
Most important to you as a network administrator:
• Knowledge of what machines are infected
• Prevention of important information leaving your network
![Page 6: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/6.jpg)
Value of this Presentation
Better understanding of Outbound Malware Communication
Deep dive into threats that are present against or on your network
![Page 7: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/7.jpg)
Building a Malware Lab
![Page 8: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/8.jpg)
Malware Lab
![Page 9: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/9.jpg)
Malware Lab
• Sandbox
• VPN Services
• Network Listeners
• Databases
• Multiple Scanner Engines
• Malware…lots of it! =]
![Page 10: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/10.jpg)
Malware Lab Output
• Behavior Analysis
• Network Analysis
![Page 11: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/11.jpg)
Our Philosophy
• Don't run around trying to find a particular bot/variant
Run Everything!
• Then figure out what it is…
• Spam Bots
• Network Worms
• File Infectors
• Etc.
![Page 12: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/12.jpg)
Malware Samples
Typically received 30-70k samples/day
For this presentation we took a small representative daily subset totaling ~155,000 malware files to sample from
![Page 13: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/13.jpg)
Malware Samples
How to Classify Samples...
DO NOT USE -- AV names **
• e.g. Trojan.Win32.Downloader
DO USE -- CLUSTERING
• Behavior Analysis / Network Analysis
** (AV names are avoided as the primary classification key wherever possible)
![Page 14: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/14.jpg)
![Page 15: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/15.jpg)
Malware Samples
![Page 16: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/16.jpg)
Understanding Outbound Communication
![Page 17: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/17.jpg)
![Page 18: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/18.jpg)
Generic Trojan Downloader SHA-1: ab57031100a8c8c813a144b20b1ef5b9a643cec7
![Page 19: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/19.jpg)
![Page 20: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/20.jpg)
fling.com?...p0rn site
![Page 21: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/21.jpg)
promos.fling/geo/txt/city.php
![Page 22: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/22.jpg)
VPN Gateway - Canada
![Page 23: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/23.jpg)
![Page 24: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/24.jpg)
Botnet C&C 83.125.22.188
![Page 25: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/25.jpg)
P2P Communication
![Page 26: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/26.jpg)
P2P Botnet
![Page 27: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/27.jpg)
P2P Botnet – Encryption
![Page 28: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/28.jpg)
Generic Trojan Downloader?
• GEO/IP lookup from a p0rn site
• C&C traffic uses a DGA to “sign” botnet traffic via the Host header
• P2P communication over port 443
• ZAccess (ZeroAccess) dropper! (Sophos/Kaspersky)
• Future versions with the same network behavior can be profiled
![Page 29: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/29.jpg)
GEO/IP lookup
• 2,744 samples in our malware set use fling.com to look up geo-location
• 177 different AV detection variants
• …clustering might have put these in the same grouping?
![Page 30: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/30.jpg)
Another Sample…
![Page 31: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/31.jpg)
k = (bot id); the C&C only replies if k is present!
Returns instructions to DoS two targets:
03 – DoS (attack mode)
50 – number of threads
60 – timeout (s) for the next C&C request
DoS targets:
smcae.com:3306
&
http://tonus.crimea.ua
![Page 32: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/32.jpg)
DoS
![Page 33: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/33.jpg)
DoS
![Page 34: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/34.jpg)
Results
• DirtJumper Botnet
• Request commands via HTTP (unencrypted!)
• DoS on mysql (3306), no SQL content
• DoS on http (80), GET request
![Page 35: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/35.jpg)
Manual Analysis
• Good for a deep-dive of a particular binary, e.g. Flashback Mac OS X malware to find its DGA
• But not good for mass analysis of a large number of samples daily
• …Clustering
![Page 36: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/36.jpg)
Clustering Basics
![Page 37: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/37.jpg)
Clustering
The process of grouping together samples that contain similar features
![Page 38: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/38.jpg)
Network Communication
![Page 39: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/39.jpg)
TCP Services
![Page 40: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/40.jpg)
2012: Malware is talking over HTTP
>=70% HTTP
vs.
0.46% IRC (6667)
![Page 41: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/41.jpg)
Clustering on HTTP Outbound Communication
![Page 42: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/42.jpg)
Malware downloading executable payloads
![Page 43: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/43.jpg)
![Page 44: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/44.jpg)
Trojan:Win32/Medfos
Worm:Win32/Renocide
Trojan:Win32/Opachki
Worm:Win32/Rebhip
![Page 45: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/45.jpg)
Don't Rely 100% on AV Names
![Page 46: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/46.jpg)
Don't Rely 100% on AV Names
Rely on behavioral functionality
![Page 47: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/47.jpg)
C&C Communication via HTTP
![Page 48: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/48.jpg)
Malware Communication
![Page 49: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/49.jpg)
Malware Communication
![Page 50: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/50.jpg)
Feature: HTTP User-Agents used by Malware
![Page 51: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/51.jpg)
Malware Communication
• Most malware uses browser user-agent strings
• >17% have empty user-agent strings!
• 85% use a user-agent of a browser not present on the system
![Page 52: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/52.jpg)
Good Apps…User-Agent
![Page 53: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/53.jpg)
Good Apps…User-Agent
BlueStacks is an Android emulator
Completely benign…but there are characteristics that look like bot traffic…
![Page 54: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/54.jpg)
Good Traffic
![Page 55: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/55.jpg)
User-Agent / HTTP GET
Dalvik/1.4.0 (Linux; U; Android 2.3.4; BlueStacks-c4afa5ac-7f39-11e1-b41e-001676aa4685 Build/GRJ22)\r\n
GET /public/appsettings/updates.txt
…Essential to have a large sample set of both benign and malicious examples
![Page 56: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/56.jpg)
Obviously Malicious…
![Page 57: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/57.jpg)
URLs
• www.csa.uem.br/administrator/includes/MicrosoftUpdate.exe
• s1c0gv3v0x.h1.ru/Trojan.rar
• ospianistas.com.br/aviso/infect.php
• svpembtywvrc.eu/gate.php?cmd=ping&botnet=fr18&userid=x1lgje2mdh51kc8z&os=V2luZG93cyBYUA==
![Page 58: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/58.jpg)
User-Agents
• Mozilla/6.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us)
• Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
• darkness
• N0PE
• Trololo
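The User-Agent observations in the preceding slides (empty strings, a browser the host does not have, BlueStacks as a benign look-alike, and the bogus strings listed above) map directly onto triage logic over proxy logs. The block below is an added example, not code from the talk or from Websense Security Labs. The log lines, the workstation names, the hosts ending in .test and the per-host browser inventory are constructed; the slide's own domains and User-Agent strings are reused. The benign-prefix allowlist stands in for the benign corpus the speakers say is essential, and the Mozilla/4.0-or-5.0 and obsolete-platform checks are heuristics of this example, not the talk's.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines, not taken from the talk: host, method, URL, User-Agent,
# tab-separated. Domains and User-Agent strings shown in the slides are reused; the
# .test hosts and workstation names are made up.
SAMPLE_LOG = "\n".join([
    "ws-017\tGET\thttp://promos.fling/geo/txt/city.php\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "ws-017\tGET\thttp://svpembtywvrc.eu/gate.php?cmd=ping&botnet=fr18\t",
    "ws-023\tGET\thttp://s1c0gv3v0x.h1.ru/Trojan.rar\tMozilla/6.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us)",
    "ws-023\tPOST\thttp://example-cnc.test/index.php\tN0PE",
    "ws-031\tGET\thttp://update.vendor.test/public/appsettings/updates.txt\t"
    "Dalvik/1.4.0 (Linux; U; Android 2.3.4; BlueStacks-c4afa5ac-7f39-11e1-b41e-001676aa4685 Build/GRJ22)",
    "ws-031\tGET\thttp://www.example.com/\tMozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0",
    "ws-042\tGET\thttp://cdn.example.com/a.js\tMozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.162 Safari/535.19",
    "ws-042\tGET\thttp://example-dl.test/x.exe\tMozilla/1.22 (compatible; MSIE 2.0; Windows 95)",
])

# Assumed endpoint inventory: which browser families are actually installed on each host.
BROWSER_INVENTORY = {
    "ws-017": {"msie"},
    "ws-023": {"msie", "firefox"},
    "ws-031": {"msie", "chrome"},
    "ws-042": {"msie", "chrome"},
}

# Non-browser User-Agents learned from a benign corpus (BlueStacks' Dalvik updater is one).
BENIGN_UA_PREFIXES = ("Dalvik/",)

MOZILLA_TOKEN = re.compile(r"^Mozilla/(\d+)\.")
OBSOLETE = re.compile(r"MSIE [1-5]\.|Windows (95|98|ME)\b")

def ua_family(ua):
    """Coarse browser family of a User-Agent string."""
    if not ua.strip():
        return "empty"
    if "MSIE" in ua or "Trident/" in ua:
        return "msie"
    if "Firefox/" in ua:
        return "firefox"
    if "Chrome/" in ua:
        return "chrome"
    if "Safari/" in ua:
        return "safari"
    return "mozilla-other" if ua.startswith("Mozilla/") else "non-browser"

def ua_anomalies(ua, installed):
    """Reasons a User-Agent is suspicious on a host with the given installed browser families."""
    fam = ua_family(ua)
    if fam == "empty":
        return ["empty-user-agent"]            # the >17% case from the slide
    reasons = []
    m = MOZILLA_TOKEN.match(ua)
    if m and int(m.group(1)) not in (4, 5):   # real browsers send Mozilla/4.0 or Mozilla/5.0
        reasons.append("implausible-mozilla-token")
    if OBSOLETE.search(ua):
        reasons.append("obsolete-platform")
    if fam == "non-browser":
        reasons.append("non-browser-user-agent")
    elif fam == "mozilla-other":
        reasons.append("unrecognised-mozilla-browser")
    elif fam not in installed:                # claims a browser this host does not have (the 85% case)
        reasons.append("browser-not-installed:" + fam)
    return reasons

def parse_log(text):
    rows = []
    for line in text.splitlines():
        host, method, url, ua = line.split("\t", 3)
        rows.append({"host": host, "method": method, "url": url, "ua": ua})
    return rows

def triage(rows, inventory, benign_prefixes=BENIGN_UA_PREFIXES):
    """Return (host, destination, reasons) for each request whose User-Agent looks wrong."""
    findings = []
    for r in rows:
        if benign_prefixes and r["ua"].startswith(benign_prefixes):
            continue                          # known-good non-browser client, skip it
        reasons = ua_anomalies(r["ua"], inventory.get(r["host"], set()))
        if reasons:
            findings.append((r["host"], urlsplit(r["url"]).hostname, reasons))
    return findings

if __name__ == "__main__":
    for host, dest, reasons in triage(parse_log(SAMPLE_LOG), BROWSER_INVENTORY):
        print(host, dest, ", ".join(reasons))
```

With the allowlist in place the BlueStacks updater is not reported; run `triage(..., benign_prefixes=())` and it surfaces as a non-browser User-Agent, which is the false positive the slide warns about and the reason a benign sample set matters as much as the malicious one. The browser-not-installed check only works if the inventory is accurate, so it belongs with an endpoint-management feed rather than a static table.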
![Page 59: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/59.jpg)
Clustering on Network Behavior Features
![Page 60: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/60.jpg)
Net. Clustering Features
• Basic network communication features
  • Protocols
  • Timing
  • Encryption
  • Encoding (e.g. BASE64)
• DNS features
  • Number of lookups
![Page 61: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/61.jpg)
Net. Clustering Features
• HTTP features
  • Number of requests
  • Request method (POST/GET/…)
  • MIME types (server/real)
  • URL
  • User-agent
  • Etc.
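The two feature slides above list what to measure but not how the measurements become clusters. The block below is an added example, not the speakers' pipeline, showing one way to turn a sandbox network trace into the categorical features named here (request count, method, URL path and parameter names, user-agent class, base64 encoding, DNS lookup count, and server-claimed versus real MIME type) and group samples by Jaccard similarity with single-linkage. It also covers two earlier slides: the executable-payload downloads, and the gate.php URL whose os= parameter is base64. The sample traces are constructed; the hosts ending in .test, the body prefixes and the DNS counts are made up, while the URLs and User-Agents from the slides are reused. Hostnames are deliberately not a feature, so that rotating C&C domains still fall into the same cluster.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sandbox traces (not data from the talk): per sample, the DNS lookup count and each
# HTTP transaction as (method, url, user_agent, served_content_type, body_prefix). Slide URLs and
# User-Agents are reused; the .test hosts, bodies and counts are made up.
UA_IE7 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
UA_BLUESTACKS = ("Dalvik/1.4.0 (Linux; U; Android 2.3.4; "
                 "BlueStacks-c4afa5ac-7f39-11e1-b41e-001676aa4685 Build/GRJ22)")
SAMPLES = {
    "sample-a": {"dns_lookups": 1, "http": [("GET",
        "http://svpembtywvrc.eu/gate.php?cmd=ping&botnet=fr18&userid=x1lgje2mdh51kc8z&os=V2luZG93cyBYUA==",
        "", "text/html", b"<html>ok</html>")]},
    "sample-b": {"dns_lookups": 2, "http": [("GET",
        "http://example-cnc.test/gate.php?cmd=ping&botnet=de02&userid=q7r2m9&os=V2luZG93cyA3",
        "", "text/html", b"<html>ok</html>")]},
    "sample-c": {"dns_lookups": 1, "http": [("GET",
        "http://www.csa.uem.br/administrator/includes/MicrosoftUpdate.exe",
        UA_IE7, "application/octet-stream", b"MZ\x90\x00\x03\x00\x00\x00")]},
    "sample-d": {"dns_lookups": 1, "http": [("GET", "http://ospianistas.com.br/aviso/infect.php",
        UA_IE7, "text/html", b"MZ\x90\x00\x03\x00\x00\x00")]},
    "sample-e": {"dns_lookups": 1, "http": [("GET", "http://update.vendor.test/public/appsettings/updates.txt",
        UA_BLUESTACKS, "text/plain", b"version=1\n")]},
}

B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

def decode_b64_params(url):
    """{param: text} for query values that are valid base64 of printable text (the Encoding feature).
    parse_qsl turns '+' into a space, so unencoded '+' in base64 would need handling before this."""
    out = {}
    for key, val in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if len(val) % 4 or not B64_RE.match(val):
            continue
        try:
            text = base64.b64decode(val, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            out[key] = text
    return out

def real_mime(body):
    """MIME type judged from the first bytes of the body, independent of the server's Content-Type."""
    if body.startswith(b"MZ"):
        return "application/x-msdownload"
    if body.startswith(b"PK\x03\x04"):
        return "application/zip"
    if body.lstrip().startswith(b"<"):
        return "text/html"
    if body and all(32 <= b < 127 or b in (9, 10, 13) for b in body):
        return "text/plain"
    return "application/octet-stream"

def bucket(n):
    return "0" if n == 0 else "1" if n == 1 else "2-5" if n <= 5 else "many"

def extract_features(sample):
    """Categorical tokens for one sample; hostnames are left out so rotating C&C domains still cluster."""
    feats = {"requests:" + bucket(len(sample["http"])), "dns:" + bucket(sample["dns_lookups"])}
    for method, url, ua, served, body in sample["http"]:
        parts = urlsplit(url)
        real = real_mime(body)
        ua_class = "empty" if not ua else "browser" if ua.startswith("Mozilla/") else "other"
        feats |= {"method:" + method, "ua:" + ua_class, "path:" + parts.path,
                  "served:" + served, "real:" + real}
        keys = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
        if keys:
            feats.add("qkeys:" + ",".join(keys))  # parameter names outlive individual values
        if decode_b64_params(url):
            feats.add("b64-param")
        if real == "application/x-msdownload":
            feats.add("exe-download")
            if served.startswith(("text/", "image/")):
                feats.add("disguised-exe")  # executable served under a harmless Content-Type
    return feats

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0

def cluster(feature_sets, threshold=0.5):
    """Single-linkage grouping: a sample joins the first cluster holding a member it resembles."""
    clusters = []
    for sid, feats in feature_sets.items():
        for members in clusters:
            if any(jaccard(feats, feature_sets[m]) >= threshold for m in members):
                members.append(sid)
                break
        else:
            clusters.append([sid])
    return clusters

def cluster_samples(samples, threshold=0.5):
    return cluster({sid: extract_features(s) for sid, s in samples.items()}, threshold)

if __name__ == "__main__":
    print(cluster_samples(SAMPLES), decode_b64_params(SAMPLES["sample-a"]["http"][0][1]))
```

On these traces the two gate.php check-ins land in one cluster even though their domains differ, the two executable downloads land in another (the one served as text/html additionally carries the disguised-exe token), and the BlueStacks updater stays alone. The os= value of the slide's URL decodes to "Windows XP". The threshold and the single-linkage rule are the knobs to tune against a labelled benign and malicious corpus; real pipelines weight features rather than treating every token equally.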
![Page 62: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/62.jpg)
Clustering examples
![Page 63: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/63.jpg)
DDoS malware Dirt Jumper
• Clustering w. network behavior:
  • found ~900 DJ samples
  • identified 90 unique C&C URLs
Led to the research paper “Tracking DDoS, Insights into the business of disrupting the Web”, accepted for publication at the LEET academic conference
![Page 64: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/64.jpg)
Distinguishing families
• Downloaders w. similar behavior
• Categorizing unknown samples:
  • ~85% precision
  • Two families
![Page 65: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/65.jpg)
Banking Trojan Zbot
• Zoom into cluster w. network behavior “Zbot”
• Clusters:
  • Alive & kickin’
  • Domain killed
  • Server killed
![Page 66: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/66.jpg)
Conclusion
Telemetry = System behavior + Network behavior
• Automated deep analysis of network behavior is underrated
• Paint the full picture of analyzed malware!
• AV names don’t always represent functionality
![Page 67: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/67.jpg)
Conclusion II
• Clustering on network behavior analysis
• Identify malware communication techniques
  • Obviously malicious
  • Generic
  • Sophisticated
• Clustering…yes! Just remember sophisticated might just mean generic!
![Page 68: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/68.jpg)
Q & A
questions.py:
    while len(questions) > 0:
        if time <= 0:
            break
        print(answers[questions.pop()])
![Page 69: Watchtowers of the Internet - Source Boston 2012](https://reader034.vdocument.in/reader034/viewer/2022052522/554ffc05b4c905bc138b4f31/html5/thumbnails/69.jpg)
That’s all folks!
Thanks!
Stephan Chenette
Twitter: @StephanChenette
Armin Buescher
Twitter: @armbues