SlideShare a Scribd company logo

An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections

Marcus Botacin
Marcus Botacin

My presentation at the Brazilian Security Symposium (SBSeg) about the blocking of HTTP and DNS traffic generated from malware execution.

Technology
1 of 19
Download to read offline
Introduction Experiments & Results Concluding Remarks An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections Marcus Botacin1, Paulo L´ıcio de Geus2, Andr´e Gr´egio1 1Federal University of Paran´a (UFPR) – {mfbotacin, gregio}@inf.ufpr.br 2University of Campinas (Unicamp) – paulo@lasca.ic.unicamp.br SBSEG 2020 An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 1 / 19 SBSeg’20
Introduction Experiments & Results Concluding Remarks Agenda 1 Introduction 2 Experiments & Results 3 Concluding Remarks An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 2 / 19 SBSeg’20
Introduction Experiments & Results Concluding Remarks Agenda 1 Introduction 2 Experiments & Results 3 Concluding Remarks An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 3 / 19 SBSeg’20
Introduction Experiments & Results Concluding Remarks Malware Blocking Approaches Endpoint Level Pro: Does not cause significant side-effects. Con: Needs to be applied to every infected host. Network Level Pro: Affects all infected hosts. Con: False positives at large scale. An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 4 / 19 SBSeg’20
Introduction Experiments & Results Concluding Remarks Previously... Figure: SBSeg 2015. Previous Work. An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 5 / 19 SBSeg’20
Introduction Experiments & Results Concluding Remarks Network Discoveries Figure: Previous Work. Most used protocols. An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 6 / 19 SBSeg’20
Introduction Experiments & Results Concluding Remarks Later... Figure: Continuous Monitoring. Most contacted hosts. An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 7 / 19 SBSeg’20
Introduction Experiments & Results Concluding Remarks Now? Let’s take a closer look on network. An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 8 / 19 SBSeg’20
Introduction Experiments & Results Concluding Remarks Agenda 1 Introduction 2 Experiments & Results 3 Concluding Remarks An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 9 / 19 SBSeg’20
Introduction Experiments & Results Concluding Remarks Experiments Datasets Brazil: 20K Windows samples from a CSIRT. World: 11K Windows samples from MalShare. Methodology Analysis: Daily execution on a sandbox for 30 days. Filtering: Only HTTP and DNS. An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 10 / 19 SBSeg’20
Introduction Experiments & Results Concluding Remarks Network Metric 1 Content Sinkhole This metric evaluates whether the malicious payloads down- loaded by given samples are re- moved from the hosting servers after some time or keep infect- ing users. This is particularly important in cases where AV solutions fail to detect a given threat and payload removal is the only defense available to protect users. 0% 5% 10% 15% 20% 25% 30% 35% World BR Payload Sinkhole % Samples % Content An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 11 / 19 SBSeg’20
Introduction Experiments & Results Concluding Remarks Network Metric 2 Content Survival Time This metric evaluates how long the domains contacted by the mal- ware samples remain active be- fore being taken down. This met- ric helps evaluating whether re- moval procedures occur in reason- able time. Early removals are de- sired because AV solutions might take some time to develop signa- tures to new threats, thus network hosting providers might help reduc- ing the attack opportunity window. 0 20 40 60 80 100 0 5 10 15 20 25 30 SinkholedSamples(%) Days Sinkholed−affected samples over time WW Samples BR Samples An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 12 / 19 SBSeg’20
Introduction Experiments & Results Concluding Remarks Network Metric 3 Sinkhole Method This metric evaluates how content hosts and/or providers act to remove malicious payloads. The removal method indicates which security scope is affected/involved. 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% 55% 60% 202 203 204 400 403 404 405 406 410 447 500 502 503 522 477 522 999 Cookie Conn Page Server Domains(%) Error Codes Sinkhole Methods World BR An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 13 / 19 SBSeg’20
Introduction Experiments & Results Concluding Remarks Network Metric 4 DNS Takeover This metric evaluates how many DNS records stop be- ing resolved by the DNS re- quests performed by the mal- ware samples within the evalu- ated period. This metric eval- uates whether network admin- istrators are blocking identified malicious traffic or not. 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% World BR DNS Sinkhole % Samples % Queries An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 14 / 19 SBSeg’20
Introduction Experiments & Results Concluding Remarks Network Metric 5 DNS/IP Rotation This metric evaluates how many distinct IP addresses are resolved to the same DNS queries. This metric evaluates whether attackers rotate domains to make removal harder. Characterization 1 Content Deliver Networks (CDNs): Query to: load.s3.amazonaws.com resolves to 54.231.AA.BBB and 52.216.CC.DD. 2 Dynamic IP services: Query to: iutf.dyndns.org resolves to 216.146.EE.FF and 91.198.GG.HH. 3 Registered Domains: Query to: xlscgpqghsxopwceausfyif.ru resolves to 198.105.II.JJ and 104.239.KKK.L. An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 15 / 19 SBSeg’20
Introduction Experiments & Results Concluding Remarks Network Metric 6 DNS Takeover Time This metric evaluates for how long a given DNS query keeps being resolved until blocking. It impacts the attack opportunity of early-launched threats. 0 20 40 60 80 100 0 2 4 6 8 10 12 14 16 18 SinkholedQueries(%) Days Sinkholed DNS along time WW Samples BR Samples An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 16 / 19 SBSeg’20
Introduction Experiments & Results Concluding Remarks Agenda 1 Introduction 2 Experiments & Results 3 Concluding Remarks An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 17 / 19 SBSeg’20
Introduction Experiments & Results Concluding Remarks Discussion Many payloads stored in the Cloud How to inspect privacy servers with privacy guarantees? DNS is the most effective way to block malware payloads How to automatically block suspicious queries? Malicious domains must be reported Few providers have an easy mechanism to report abuse. The context matters The Brazilian scenario is different and our security solutions should be too. An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 18 / 19 SBSeg’20
Introduction Experiments & Results Concluding Remarks Questions & Comments. Contact mfbotacin@inf.ufpr.br twitter.com/MarcusBotacin secret.inf.ufpr.br An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 19 / 19 SBSeg’20

Recommended

Rapid dna -_disruptive new technology for criminal justice_rbj
Rapid dna -_disruptive new technology for criminal justice_rbjRapid dna -_disruptive new technology for criminal justice_rbj
Rapid dna -_disruptive new technology for criminal justice_rbj
rbjamieson
 
GIAB Technical Germline Benchmark roadmap discussion
GIAB Technical Germline Benchmark roadmap discussionGIAB Technical Germline Benchmark roadmap discussion
GIAB Technical Germline Benchmark roadmap discussion
GenomeInABottle
 
A mixed abstraction level simulation model of large scale internet worm infes...
A mixed abstraction level simulation model of large scale internet worm infes...A mixed abstraction level simulation model of large scale internet worm infes...
A mixed abstraction level simulation model of large scale internet worm infes...
UltraUploader
 
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Marcus Botacin
 
Machine Learning Techniques Used for the Detection and Analysis of Modern Typ...
Machine Learning Techniques Used for the Detection and Analysis of Modern Typ...Machine Learning Techniques Used for the Detection and Analysis of Modern Typ...
Machine Learning Techniques Used for the Detection and Analysis of Modern Typ...
IRJET Journal
 
On the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesOn the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software Repositories
Marcus Botacin
 
How do we detect malware? A step-by-step guide
How do we detect malware? A step-by-step guideHow do we detect malware? A step-by-step guide
How do we detect malware? A step-by-step guide
Marcus Botacin
 
Limiting self propagating malware based
Limiting self propagating malware basedLimiting self propagating malware based
Limiting self propagating malware based
IJNSA Journal
 

Recommended

Rapid dna -_disruptive new technology for criminal justice_rbj
Rapid dna -_disruptive new technology for criminal justice_rbjRapid dna -_disruptive new technology for criminal justice_rbj
Rapid dna -_disruptive new technology for criminal justice_rbj
rbjamieson
 
GIAB Technical Germline Benchmark roadmap discussion
GIAB Technical Germline Benchmark roadmap discussionGIAB Technical Germline Benchmark roadmap discussion
GIAB Technical Germline Benchmark roadmap discussion
GenomeInABottle
 
A mixed abstraction level simulation model of large scale internet worm infes...
A mixed abstraction level simulation model of large scale internet worm infes...A mixed abstraction level simulation model of large scale internet worm infes...
A mixed abstraction level simulation model of large scale internet worm infes...
UltraUploader
 
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Marcus Botacin
 
Machine Learning Techniques Used for the Detection and Analysis of Modern Typ...
Machine Learning Techniques Used for the Detection and Analysis of Modern Typ...Machine Learning Techniques Used for the Detection and Analysis of Modern Typ...
Machine Learning Techniques Used for the Detection and Analysis of Modern Typ...
IRJET Journal
 
On the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesOn the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software Repositories
Marcus Botacin
 
How do we detect malware? A step-by-step guide
How do we detect malware? A step-by-step guideHow do we detect malware? A step-by-step guide
How do we detect malware? A step-by-step guide
Marcus Botacin
 
Limiting self propagating malware based
Limiting self propagating malware basedLimiting self propagating malware based
Limiting self propagating malware based
IJNSA Journal
 
A taxonomy of botnet detection approaches
A taxonomy of botnet detection approachesA taxonomy of botnet detection approaches
A taxonomy of botnet detection approaches
Fabrizio Farinacci
 
Detecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking DataDetecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking Data
James Sirota
 
lab3cdga.ziplab3code.c#include stdio.h#include std.docx
lab3cdga.ziplab3code.c#include stdio.h#include std.docxlab3cdga.ziplab3code.c#include stdio.h#include std.docx
lab3cdga.ziplab3code.c#include stdio.h#include std.docx
smile790243
 
Cisco 2015 Midyear Security Report Slide Deck
Cisco 2015 Midyear Security Report Slide DeckCisco 2015 Midyear Security Report Slide Deck
Cisco 2015 Midyear Security Report Slide Deck
Cisco Security
 
Network Measurement and Monitori - Assigment 1, Group3, "Classification"
Network Measurement and Monitori - Assigment 1, Group3, "Classification"Network Measurement and Monitori - Assigment 1, Group3, "Classification"
Network Measurement and Monitori - Assigment 1, Group3, "Classification"
Valentin Thirion
 
A new way to prevent Botnet Attack
A new way to prevent Botnet AttackA new way to prevent Botnet Attack
A new way to prevent Botnet Attack
yennhi2812
 
QBD for Downstream Virus Filtration
QBD for Downstream Virus Filtration QBD for Downstream Virus Filtration
QBD for Downstream Virus Filtration
Merck Life Sciences
 
QBD for Downstream Virus Filtration
QBD for Downstream Virus FiltrationQBD for Downstream Virus Filtration
QBD for Downstream Virus Filtration
MilliporeSigma
 
An Empirical Study of Adoption of Software Testing in Open Source Projects
An Empirical Study of Adoption of Software Testing in Open Source ProjectsAn Empirical Study of Adoption of Software Testing in Open Source Projects
An Empirical Study of Adoption of Software Testing in Open Source Projects
Pavneet Singh Kochhar
 
Network Security: Experiment of Network Health Analysis At An ISP
Network Security: Experiment of Network Health Analysis At An ISPNetwork Security: Experiment of Network Health Analysis At An ISP
Network Security: Experiment of Network Health Analysis At An ISP
CSCJournals
 
The Kyoto Protocol ( Kp )
The Kyoto Protocol ( Kp )The Kyoto Protocol ( Kp )
The Kyoto Protocol ( Kp )
Tara Hardin
 
Detect Threats Faster
Detect Threats FasterDetect Threats Faster
Detect Threats Faster
Force 3
 
Limiting Self-Propagating Malware Based on Connection Failure Behavior
Limiting Self-Propagating Malware Based on Connection Failure Behavior Limiting Self-Propagating Malware Based on Connection Failure Behavior
Limiting Self-Propagating Malware Based on Connection Failure Behavior
csandit
 
Remedying Web Hijacking: Notification
Remedying Web Hijacking: NotificationRemedying Web Hijacking: Notification
Remedying Web Hijacking: Notification
Andrey Apuhtin
 
Webmasterbreach
WebmasterbreachWebmasterbreach
Webmasterbreach
Édgar Medina
 
Website fingerprinting on TOR
Website fingerprinting on TORWebsite fingerprinting on TOR
Website fingerprinting on TOR
E Hacking
 
Advanced Threat Protection
Advanced Threat ProtectionAdvanced Threat Protection
Advanced Threat Protection
Lan & Wan Solutions
 
Lan & Wan
Lan & WanLan & Wan
Lan & Wan
Lan & Wan Solutions
 
Lan & Wan
Lan & WanLan & Wan
Lan & Wan
Lan & Wan Solutions
 
ATP
ATPATP
ATP
Lan & Wan Solutions
 
Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024
Marcus Botacin
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless Malware
Marcus Botacin
 

More Related Content

Similar to An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections

A taxonomy of botnet detection approaches
A taxonomy of botnet detection approachesA taxonomy of botnet detection approaches
A taxonomy of botnet detection approaches
Fabrizio Farinacci
 
lab3cdga.ziplab3code.c#include stdio.h#include std.docx
lab3cdga.ziplab3code.c#include stdio.h#include std.docxlab3cdga.ziplab3code.c#include stdio.h#include std.docx
lab3cdga.ziplab3code.c#include stdio.h#include std.docx
smile790243
 
A new way to prevent Botnet Attack
A new way to prevent Botnet AttackA new way to prevent Botnet Attack
A new way to prevent Botnet Attack
yennhi2812
 
QBD for Downstream Virus Filtration
QBD for Downstream Virus Filtration QBD for Downstream Virus Filtration
QBD for Downstream Virus Filtration
Merck Life Sciences
 
QBD for Downstream Virus Filtration
QBD for Downstream Virus FiltrationQBD for Downstream Virus Filtration
QBD for Downstream Virus Filtration
MilliporeSigma
 
Detect Threats Faster
Detect Threats FasterDetect Threats Faster
Detect Threats Faster
Force 3
 
Limiting Self-Propagating Malware Based on Connection Failure Behavior
Limiting Self-Propagating Malware Based on Connection Failure Behavior Limiting Self-Propagating Malware Based on Connection Failure Behavior
Limiting Self-Propagating Malware Based on Connection Failure Behavior
csandit
 

Similar to An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections (20)

A taxonomy of botnet detection approaches
A taxonomy of botnet detection approachesA taxonomy of botnet detection approaches
A taxonomy of botnet detection approaches
 
Detecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking DataDetecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking Data
 
lab3cdga.ziplab3code.c#include stdio.h#include std.docx
lab3cdga.ziplab3code.c#include stdio.h#include std.docxlab3cdga.ziplab3code.c#include stdio.h#include std.docx
lab3cdga.ziplab3code.c#include stdio.h#include std.docx
 
Cisco 2015 Midyear Security Report Slide Deck
Cisco 2015 Midyear Security Report Slide DeckCisco 2015 Midyear Security Report Slide Deck
Cisco 2015 Midyear Security Report Slide Deck
 
Network Measurement and Monitori - Assigment 1, Group3, "Classification"
Network Measurement and Monitori - Assigment 1, Group3, "Classification"Network Measurement and Monitori - Assigment 1, Group3, "Classification"
Network Measurement and Monitori - Assigment 1, Group3, "Classification"
 
A new way to prevent Botnet Attack
A new way to prevent Botnet AttackA new way to prevent Botnet Attack
A new way to prevent Botnet Attack
 
QBD for Downstream Virus Filtration
QBD for Downstream Virus Filtration QBD for Downstream Virus Filtration
QBD for Downstream Virus Filtration
 
QBD for Downstream Virus Filtration
QBD for Downstream Virus FiltrationQBD for Downstream Virus Filtration
QBD for Downstream Virus Filtration
 
An Empirical Study of Adoption of Software Testing in Open Source Projects
An Empirical Study of Adoption of Software Testing in Open Source ProjectsAn Empirical Study of Adoption of Software Testing in Open Source Projects
An Empirical Study of Adoption of Software Testing in Open Source Projects
 
Network Security: Experiment of Network Health Analysis At An ISP
Network Security: Experiment of Network Health Analysis At An ISPNetwork Security: Experiment of Network Health Analysis At An ISP
Network Security: Experiment of Network Health Analysis At An ISP
 
The Kyoto Protocol ( Kp )
The Kyoto Protocol ( Kp )The Kyoto Protocol ( Kp )
The Kyoto Protocol ( Kp )
 
Detect Threats Faster
Detect Threats FasterDetect Threats Faster
Detect Threats Faster
 
Limiting Self-Propagating Malware Based on Connection Failure Behavior
Limiting Self-Propagating Malware Based on Connection Failure Behavior Limiting Self-Propagating Malware Based on Connection Failure Behavior
Limiting Self-Propagating Malware Based on Connection Failure Behavior
 
Remedying Web Hijacking: Notification
Remedying Web Hijacking: NotificationRemedying Web Hijacking: Notification
Remedying Web Hijacking: Notification
 
Webmasterbreach
WebmasterbreachWebmasterbreach
Webmasterbreach
 
Website fingerprinting on TOR
Website fingerprinting on TORWebsite fingerprinting on TOR
Website fingerprinting on TOR
 
Advanced Threat Protection
Advanced Threat ProtectionAdvanced Threat Protection
Advanced Threat Protection
 
Lan & Wan
Lan & WanLan & Wan
Lan & Wan
 
Lan & Wan
Lan & WanLan & Wan
Lan & Wan
 
ATP
ATPATP
ATP
 

More from Marcus Botacin

More from Marcus Botacin (20)

Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless Malware
 
GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?
 
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About Antiviruses[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
 
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change![Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
 
Hardware-accelerated security monitoring
Hardware-accelerated security monitoringHardware-accelerated security monitoring
Hardware-accelerated security monitoring
 
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários ExecutáveisExtraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
 
On the Malware Detection Problem: Challenges & Novel Approaches
On the Malware Detection Problem: Challenges & Novel ApproachesOn the Malware Detection Problem: Challenges & Novel Approaches
On the Malware Detection Problem: Challenges & Novel Approaches
 
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless Malware
 
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
 
Integridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomwareIntegridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomware
 
UMLsec
UMLsecUMLsec
UMLsec
 
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
 
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
 
Towards Malware Decompilation and Reassembly
Towards Malware Decompilation and ReassemblyTowards Malware Decompilation and Reassembly
Towards Malware Decompilation and Reassembly
 
Reverse Engineering Course
Reverse Engineering CourseReverse Engineering Course
Reverse Engineering Course
 
Malware Variants Identification in Practice
Malware Variants Identification in PracticeMalware Variants Identification in Practice
Malware Variants Identification in Practice
 
Machine Learning for Malware Detection: Beyond Accuracy Rates
Machine Learning for Malware Detection: Beyond Accuracy RatesMachine Learning for Malware Detection: Beyond Accuracy Rates
Machine Learning for Malware Detection: Beyond Accuracy Rates
 
The AV says: Your Hardware Definitions were Updated!
The AV says: Your Hardware Definitions were Updated!The AV says: Your Hardware Definitions were Updated!
The AV says: Your Hardware Definitions were Updated!
 

Recently uploaded

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 

Recently uploaded (20)

Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 

An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections

  • 1. Introduction Experiments & Results Concluding Remarks An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections Marcus Botacin1, Paulo L´ıcio de Geus2, Andr´e Gr´egio1 1Federal University of Paran´a (UFPR) – {mfbotacin, gregio}@inf.ufpr.br 2University of Campinas (Unicamp) – paulo@lasca.ic.unicamp.br SBSEG 2020 An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 1 / 19 SBSeg’20
  • 2. Introduction Experiments & Results Concluding Remarks Agenda 1 Introduction 2 Experiments & Results 3 Concluding Remarks An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 2 / 19 SBSeg’20
  • 3. Introduction Experiments & Results Concluding Remarks Agenda 1 Introduction 2 Experiments & Results 3 Concluding Remarks An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 3 / 19 SBSeg’20
  • 4. Introduction Experiments & Results Concluding Remarks Malware Blocking Approaches Endpoint Level Pro: Does not cause significant side-effects. Con: Needs to be applied to every infected host. Network Level Pro: Affects all infected hosts. Con: False positives at large scale. An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 4 / 19 SBSeg’20
  • 5. Introduction Experiments & Results Concluding Remarks Previously... Figure: SBSeg 2015. Previous Work. An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 5 / 19 SBSeg’20
  • 6. Introduction Experiments & Results Concluding Remarks Network Discoveries Figure: Previous Work. Most used protocols. An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 6 / 19 SBSeg’20
  • 7. Introduction Experiments & Results Concluding Remarks Later... Figure: Continuous Monitoring. Most contacted hosts. An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 7 / 19 SBSeg’20
  • 8. Introduction Experiments & Results Concluding Remarks Now? Let’s take a closer look on network. An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 8 / 19 SBSeg’20
  • 9. Introduction Experiments & Results Concluding Remarks Agenda 1 Introduction 2 Experiments & Results 3 Concluding Remarks An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 9 / 19 SBSeg’20
  • 10. Introduction Experiments & Results Concluding Remarks Experiments Datasets Brazil: 20K Windows samples from a CSIRT. World: 11K Windows samples from MalShare. Methodology Analysis: Daily execution on a sandbox for 30 days. Filtering: Only HTTP and DNS. An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 10 / 19 SBSeg’20
  • 11. Introduction Experiments & Results Concluding Remarks Network Metric 1 Content Sinkhole This metric evaluates whether the malicious payloads down- loaded by given samples are re- moved from the hosting servers after some time or keep infect- ing users. This is particularly important in cases where AV solutions fail to detect a given threat and payload removal is the only defense available to protect users. 0% 5% 10% 15% 20% 25% 30% 35% World BR Payload Sinkhole % Samples % Content An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 11 / 19 SBSeg’20
  • 12. Introduction Experiments & Results Concluding Remarks Network Metric 2 Content Survival Time This metric evaluates how long the domains contacted by the mal- ware samples remain active be- fore being taken down. This met- ric helps evaluating whether re- moval procedures occur in reason- able time. Early removals are de- sired because AV solutions might take some time to develop signa- tures to new threats, thus network hosting providers might help reduc- ing the attack opportunity window. 0 20 40 60 80 100 0 5 10 15 20 25 30 SinkholedSamples(%) Days Sinkholed−affected samples over time WW Samples BR Samples An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 12 / 19 SBSeg’20
  • 13. Introduction Experiments & Results Concluding Remarks Network Metric 3 Sinkhole Method This metric evaluates how content hosts and/or providers act to remove malicious payloads. The removal method indicates which security scope is affected/involved. 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% 55% 60% 202 203 204 400 403 404 405 406 410 447 500 502 503 522 477 522 999 Cookie Conn Page Server Domains(%) Error Codes Sinkhole Methods World BR An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 13 / 19 SBSeg’20
  • 14. Introduction Experiments & Results Concluding Remarks Network Metric 4 DNS Takeover This metric evaluates how many DNS records stop be- ing resolved by the DNS re- quests performed by the mal- ware samples within the evalu- ated period. This metric eval- uates whether network admin- istrators are blocking identified malicious traffic or not. 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% World BR DNS Sinkhole % Samples % Queries An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 14 / 19 SBSeg’20
  • 15. Introduction Experiments & Results Concluding Remarks Network Metric 5 DNS/IP Rotation This metric evaluates how many distinct IP addresses are resolved to the same DNS queries. This metric evaluates whether attackers rotate domains to make removal harder. Characterization 1 Content Deliver Networks (CDNs): Query to: load.s3.amazonaws.com resolves to 54.231.AA.BBB and 52.216.CC.DD. 2 Dynamic IP services: Query to: iutf.dyndns.org resolves to 216.146.EE.FF and 91.198.GG.HH. 3 Registered Domains: Query to: xlscgpqghsxopwceausfyif.ru resolves to 198.105.II.JJ and 104.239.KKK.L. An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 15 / 19 SBSeg’20
  • 16. Introduction Experiments & Results Concluding Remarks Network Metric 6 DNS Takeover Time This metric evaluates for how long a given DNS query keeps being resolved until blocking. It impacts the attack opportunity of early-launched threats. 0 20 40 60 80 100 0 2 4 6 8 10 12 14 16 18 SinkholedQueries(%) Days Sinkholed DNS along time WW Samples BR Samples An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 16 / 19 SBSeg’20
  • 17. Introduction Experiments & Results Concluding Remarks Agenda 1 Introduction 2 Experiments & Results 3 Concluding Remarks An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 17 / 19 SBSeg’20
  • 18. Introduction Experiments & Results Concluding Remarks Discussion Many payloads stored in the Cloud How to inspect privacy servers with privacy guarantees? DNS is the most effective way to block malware payloads How to automatically block suspicious queries? Malicious domains must be reported Few providers have an easy mechanism to report abuse. The context matters The Brazilian scenario is different and our security solutions should be too. An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 18 / 19 SBSeg’20
  • 19. Introduction Experiments & Results Concluding Remarks Questions & Comments. Contact mfbotacin@inf.ufpr.br twitter.com/MarcusBotacin secret.inf.ufpr.br An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections 19 / 19 SBSeg’20