Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

CyberProbe: Towards Internet-Scale Active Detection of Malicious Server

819 views

Published on

Juan Caballero. Assistant Research Professor. IMDEA Software Institute.

Curso de Verano "Innovación Disruptiva en tecnologías de seguridad". Campus Vicálvaro de la URJC.

Summer Course "Disruptive innovation in security technologies". URJC's Vicálvaro Campus.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

CyberProbe: Towards Internet-Scale Active Detection of Malicious Server

  1. 1. CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers Antonio Nappa, M. Zubair Rafique, Juan Caballero Zhaoyan Xu, Guofei Gu
  2. 2. Research Interests Malware Analysis & Defense Software Security Vulnerabilities & Exploits Network Security IDS Forensics Memory Program Binary Analysis
  3. 3. Cyberattacks Cybercriminals Hacktivists Governments
  4. 4. Cybercrime & Targeted Attacks
  5. 5. Malicious Servers • Malicious Server Types – Exploit servers  Malware distribution – C&C servers  Control malware – Payment servers  Monetization – Redirectors  Anonymity – … • Some operations use P2P – Server-like functionality
  6. 6. Operations & Server Types Can we find the servers of an operation? How many servers in each operation? Where are the servers hosted?
  7. 7. Malicious Servers in the Cloud • Malicious servers moving to the Cloud – 60% of Exploit Servers [Nappa13] • VPS hosting predominantly abused • Replace dead servers with new ones • Servers don’t live forever – Exploit server median lifetime = 16 hours • Many servers needed!
  8. 8. Dynamic Server Infrastructures
  9. 9. • Honeypots • Spamtraps • IDS • Limitations – Limited View – Slow Server Detection Techniques • Run malware samples • Honeyclient farms – Google Safebrowsing – Microsoft Forefront • Limitations – Limited view – Specific to one server type – Expensive Passive Active
  10. 10. Active Probing
  11. 11. • General – Any server type and P2P bots • Scalable  Internet-scale • Fast  Internet in a few hours • Easy to deploy • Cheap Active Probing: Benefits
  12. 12. • Active probing approach for detecting malicious servers • Adversarial fingerprint generation technique • Implement approach into CyberProbe • Use CyberProbe to find malicious servers – 151 servers in 24 localized/Internet-wide scans – 75% servers unknown to public databases – 7000+ P2P supernodes • Identifies provider locality property Contributions
  13. 13. Outline Evaluation Intro Approach Adversarial Fingerprint Generation Scanning
  14. 14. CyberProbe in a nutshell Adversarial Fingerprint Generation Malicious Traffic Benign Traffic Fingerprints Seed Servers Scanning Port Target Ranges Malicious Servers Fingerprint # Malicious Servers Detected > # Seed Servers
  15. 15. • Fingerprint server family – Operation + server type – Possibly multiple fingerprints for same server family • A fingerprint comprises: – A probe construction function – A classification function = Snort signature Fingerprints Clickpayz1 Probe: GET /td?aid=e9xmkgg5h6&said=26427 Signature: content: “302”; http_stat_code; content: “rnrnLoading…”
  16. 16. Adversarial Fingerprint Generation • Fingerprint generation requires interacting with remote seed servers – Collect requests and responses • Remote servers controlled by attacker • Make fingerprinting inconspicuous – Minimize traffic – Use inconspicuous probes Replay traffic!
  17. 17. AFG: Architecture REPLAY CLUSTERINGRRP EXTRACTION F P SIGNATURE GENERATION Benign Traffic Seed Servers F P F P F P Fingerprints Malicious Traffic
  18. 18. AFG: Malicious Traffic RRP EXTRACTIONFP FP RRPs
  19. 19. • Replay requests to servers in traces – VPN: anonymity, IP diversity • Remove benign responses – Errors, no response – Check against random resource AFG: Replay GET /td?aid=e9xmkgg5h6&said=26427 GET /asdfg.html Similar? 200 OK 200 OK evil.com 78.1.2.3 Replayer Sinkholed Parked
  20. 20. • Cluster RRPs by request similarity – HTTP: method, path, parameters – Non-HTTP: packet size, content • Probe construction function – Identify TARGET, SET fields AFG: Clustering CLUSTERING F PF P Replayed RRPs RRP Clusters F P Probe construction function
  21. 21. • Response parts unique to malicious traffic • Token-set signatures – Snort, Suricata • Tokenizes fields – If known protocol • Multiple sig. per cluster AFG: Signature Generation F P SIGNATURE GENERATION Benign Traffic F P SignaturesClusters
  22. 22. Outline Evaluation Intro Approach Adversarial Fingerprint Generation Scanning
  23. 23. • Localized scans – Some ranges more likely due to locality 1. Localized-reduced – BGP Route for Seed Server 2. Localized-extended – All ranges with same description 3. Internet-wide – Use BGP ranges Scan Ranges Google.com 173.194.41.231 173.194.0.0/16 Google Inc. F P F P Google Inc. 173.194.0.0/16 8.8.8.0/24 8.8.4.0/24 8.6.48.0/21 8.35.200.0/21 … Full Unreserved Allocated BGP 4.3B (100%) 3.7 B (86%) 3.7 B (86%) 2.6 B (60%)
  24. 24. • Horizontal Scanner – SYN scan  Live servers on port • AppTCP scanner – Probes live servers with fingerprint • UDP scanner – Does not require horizontal scan Scanners
  25. 25. • Scan rate – One scanner saturates 1-10 Gbps link  Distribute – Limited to ≤ 60,000 pps; ≤ 400 cps • Scan order – LCG for horizontal/UDP, shuffle for AppTCP • Whitelisting – 512 MB bit array, O(1) lookup • Output – Pcap / result for AppTCP/UDP – IP list for horizontal Scanning Properties
  26. 26. Ethical Considerations • Scan as politely as possible • Rate-limit scanners • One fingerprint at a time • Set up forward, backward DNS entries for scanners • Set up webpage in scanners explaining experiment • Remove ranges from providers that request so • Manually check fingerprints
  27. 27. Outline Evaluation Intro Approach Adversarial Fingerprint Generation Scanning
  28. 28. Fingerprint Generation Results Type Source Fam. Pcaps RRPs RRPs Replayed Seeds Finger prints Malware VirusShare 152 918 1,639 193 19 18 Malware MALICIA 9 1,059 764 602 2 2 Honeyclient MALICIA 6 1,400 42,160 9,497 5 2 Honeyclient UrlQuery 1 4 11 11 1 1 • 23 fingerprints for 13 families (1 UDP, 22 HTTP) • Families: 3 exploit kits, 10 malware • Challenges • No seed server, families with many traces, no replay
  29. 29. • 11 localized scans • 9 find previously unknown servers • 11 Internet-wide scans • 14 hours (4 scanners), 24 hours (3 scanners) • 151 servers found • 15 seeds  10x amplification HTTP Scans Summary
  30. 30. Coverage Comparison Cyberprobe VirusTotal URLQuery VxVault MDL 151 (100%) 40 (26%) 23 (15%) 1 (0.7%) 1 (0.7%) 4x coverage improvement
  31. 31. Operations Operation Fingerprints Seeds Servers # Provid. Provider Locality bestav 3 6 23 7 3.3 bh2-adobe 1 1 13 7 1.8 bh2-ngen 1 1 2 2 1.0 blackrev 1 1 2 2 1.0 clickpayz 2 2 51 6 8.5 doubleighty 1 1 18 9 2.0 kovter 2 2 9 4 2.2 ironsource 1 1 7 4 1.7 optinstaller 1 1 18 4 2.0 soft196 1 1 8 4 2.0 TOTAL 14 15 151 47 3.2(avg.)
  32. 32. • Affiliate pay-per-install – Winwebsec, Urausy, other • 29 servers – 11 C&C servers – 16 payment servers – 2 web servers for affiliates • 4 hosting providers (C&C,payment) – A: 6 payment + 5 C&C – B: 9 payment + 4 C&C – C: 2 C&C – D: 1 payment Example Operation: BestAV
  33. 33. • Blackhole2-ngen – 2 – 3 servers simultaneously since October’12 • Blackhole2-adobe – 13 servers – 3 known to VT, +2 4d later, +1 13d later • Doubleighty – 18 servers – Visit 9 with honeyclient, 7 exploited – One month later another starts exploiting Exploit Server Operations
  34. 34. P2P bots Scan Results Type Date Port Fingerprint Targets SC Rate Time Found R 03/19 UDP/ 16471 zeroaccess 40,448 1 10 1.2h 55 (0.13%) I 05/03 UDP/ 16471 zeroaccess 2,6B 4 50,000 3.6h 7,884 (0.0003%)
  35. 35. Related Work Scanning • Leonard et al. IMC ‘10 • Heninger et al. Usenix Security ’12 • Zmap Fingerprinting • FiG • PeerPress Signature Generation • Honeycomb, Autograph, EarlyBird, Polygraph, Hamsa • Botzilla, Perdisci et al., Firma
  36. 36. • Active probing approach for detecting malicious servers • Adversarial fingerprint generation technique • Implement approach into CyberProbe • Use CyberProbe to find malicious servers – 151 servers in 24 localized/Internet-wide scans – 75% servers unknown to public databases – 7000+ P2P supernodes • Identifies provider locality property Conclusion
  37. 37. MALICIA Project • Malware in Cybercrime • 5 Publications • Dataset released • Collaborators: http://malicia-project.com

×