1. Characteristic of Malware Site and its Blocking Countermeasure
APRICOT 2017
Yasuyuki Tanaka, CISSP
Institute of Information Security (IISEC)
NTT Communications Corporation
3. Drive-by-download infection chain
[Figure: infection chain. Attacker's resources (Malware Owner, Exploit Pack Developer) and legitimate services (Compromised Site, Affiliate Advertising) reach the Victims through the HIY model, the Exploit-as-a-Service model, the Pay-Per-Install model and the Malvertising model.]
4. How to infect?
■ Drive-by-download consists of three factors.
• Landing site, Exploit site, Malware download site
[Figure: steps ①-④ from the Victim PC through a Landing site and an Exploit site to the Malware download site; several Landing sites redirect to one Exploit site.]
5. Characteristics of each site
Landing site
■ exists in a legitimate service
■ redirects to the exploit site
■ short-lived
Exploit site
■ made of a web attack toolkit
■ referrer from the Landing site
■ short-lived
Malware download site
■ repeatedly runs and stops
■ changes malware
■ long-lived
In this paper we focus on the Malware download site.
6. OCN malware block service
■ In Feb. 2016, NTT Communications started offering users of the Internet service provider OCN a free malware blocker service, the first ISP in Japan to offer such a service.
[Figure: the User's legitimate traffic passes; evil traffic from Malware to the Attacker's C&C server (personal information, credit card numbers, etc.) is blocked at the DNS server based on an FQDN blacklist.]
7. FQDN Block vs URL Block

block method                 | FQDN block           | URL block
intelligence to use          | FQDN blacklist       | URL blacklist
apply device example         | DNS, /etc/hosts      | L7 firewall
pros                         | lightweight, simple  | detailed operation
cons                         | over blocking        | complexity, high cost
8. Over blocking problem

URL                              | label          | FQDN block result
http://www.aaa.com/111/222.php   | benign site    | OVER BLOCKED
http://www.aaa.com/aaa/z.php     | malicious site | blocked
http://www.aaa.com/111/a.js      | malicious site | blocked
http://www.aaa.com/111/222.exe   | benign site    | OVER BLOCKED
http://www.aaa.com/yyy/zzz       | benign site    | OVER BLOCKED

Blocking the FQDN www.aaa.com stops the two malicious URLs but also blocks the three benign URLs on the same host.
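How the over-blocking on this slide arises, worked through as an added example (not code from the slides or from the OCN service): an FQDN blacklist and a URL blacklist are both derived from the two malicious URLs and applied to the five sample URLs. The URLs and their labels are the ones on the slide; the function names and the exact-match URL comparison are this example's assumptions (a production URL blacklist would normalise URLs before matching).

```python
"""Added example (not from the slides): FQDN-level vs URL-level blocking
applied to the sample URLs of slide 8, showing where over-blocking occurs."""
from urllib.parse import urlsplit

# Constructed from slide 8: (URL, is_malicious) as labelled on the slide.
SAMPLE_URLS = [
    ("http://www.aaa.com/111/222.php", False),
    ("http://www.aaa.com/aaa/z.php", True),
    ("http://www.aaa.com/111/a.js", True),
    ("http://www.aaa.com/111/222.exe", False),
    ("http://www.aaa.com/yyy/zzz", False),
]


def fqdn_of(url: str) -> str:
    """Host part of a URL, lower-cased: the only key a DNS-based blocker sees."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in URL: {url!r}")
    return host.lower()


def build_blacklists(labelled):
    """Derive both blacklists from the malicious URLs (assumed exact-match lists)."""
    url_blacklist = {url for url, malicious in labelled if malicious}
    fqdn_blacklist = {fqdn_of(url) for url in url_blacklist}
    return url_blacklist, fqdn_blacklist


def blocked_by_fqdn(url: str, fqdn_blacklist) -> bool:
    """Decision of a DNS / hosts-file blocker: the whole host is blocked."""
    return fqdn_of(url) in fqdn_blacklist


def blocked_by_url(url: str, url_blacklist) -> bool:
    """Decision of an L7 firewall with a URL blacklist: only the exact URL."""
    return url in url_blacklist


def evaluate(labelled):
    """For each method list the malicious URLs blocked and the benign URLs over-blocked."""
    url_blacklist, fqdn_blacklist = build_blacklists(labelled)
    report = {m: {"blocked_malicious": [], "over_blocked": []} for m in ("fqdn", "url")}
    for url, malicious in labelled:
        decisions = {
            "fqdn": blocked_by_fqdn(url, fqdn_blacklist),
            "url": blocked_by_url(url, url_blacklist),
        }
        for method, hit in decisions.items():
            if not hit:
                continue
            key = "blocked_malicious" if malicious else "over_blocked"
            report[method][key].append(url)
    return report


if __name__ == "__main__":
    for method, result in evaluate(SAMPLE_URLS).items():
        print(f"{method:>4} block: {len(result['blocked_malicious'])} malicious blocked, "
              f"{len(result['over_blocked'])} benign over-blocked")
        for url in result["over_blocked"]:
            print("        OVER BLOCKED:", url)
```

Both methods block the two malicious URLs; only the FQDN method also blocks the three benign ones, which is the trade-off summarised in the pros/cons row of slide 7.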
10. Check Malware download URL status
[Figure: a High Interaction Web crawler checks many Malware Download Sites every day; the site status is recorded as Active or Stop, and each downloaded file is scanned with multiple anti-virus products and recorded as Benign or Malicious.]
■ In order to decide appropriate methods or periods for blacklisting malware download sites, we check the status of malware download sites every day.
■ Total number of URLs: 43,034.
■ Observation period: 1.5 years.
11. Status record
■ status table
• we recorded the status of each URL every day.
• short stop spans (url1), long stop spans (url2, url4).

DAY   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
url1  ✔ ✔ ✔ X ✔ ✔ X ✔ X ✔  ✔  ✔  X  X  ✔  ✔  ✔  ✔  ✔  ✔
url2  X ✔ X X X ✔ X X X X  X  X  X  ✔  X  X  ✔  X  X  X
url3  ✔ ✔ ✔ X ✔ ✔ X X ✔ ✔  ✔  X  X  X  ✔  X  X  ✔  X  ✔
url4  X X ✔ ✔ ✔ X ✔ ✔ ✔ ✔  X  X  X  X  X  X  ✔  ✔  X  ✔
✔ active, X stop
12. Malware hash record
■ We found certain characteristics.
■ malware hash table
• we recorded which file was downloaded each day.
• unchanged (url1, url2)
• every-time changed (url3)
• changed occasionally (url4)

DAY   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
url1  A A A - A A - A - A  A  A  -  -  A  A  A  A  A  A
url2  - B - - - B - - - -  -  -  -  B  -  -  B  -  -  -
url3  C D F - G H - - I J  K  -  -  -  L  -  -  M  -  N
url4  - - O O O - P O O O  -  -  -  -  -  -  O  O  -  R
Capital letter: malware's hash; - : stopped, no download (days as in the status table of slide 11)
14. Category 2 "every-time changed"
■ hxxp://download.veterants.info/index.html?e=tnfd9&clsb=1&publisher=11206&prv=TinyWallet&sfx=1&hid=1697702973140619696910&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&ne=1&prs=4&
[Chart: number of malware (distinct sha1 hash values) over time; the hash changes every time.]
15. Category 3 "changed occasionally"
■ hxxp://proxy.piratenpartij.nl/web.icm.cn/vote/install_flash_player_active_x.exe
[Chart: number of malware over time; most of the time the same hash value, a different hash value sometimes.]
16. Analytical purpose and procedure
■ In order to decide appropriate methods or periods for blacklisting malware download sites.
■ We defined three categories focusing on the variation of malware.
■ We divided the URLs by this definition.
• UNC: unchanged
• ETC: every-time changed
• COC: changed occasionally
■ Total number of URLs: 43,034.
■ Observation period: 1.5 years.
17. Analytical purpose and procedure
■ We analyzed features in the three categories UNC, ETC, and COC.
• lifetime, revived activity, IP address resource, malware variation, etc.
■ We considered the operation and resources of attackers and discussed how to mitigate these categories.
18. Lifetime and Active days definition
■ Lifetime
• the period between the first and the last observation day.
• here, we consider the first and the last only.
■ Active days
• the number of active days.
[Figure: within our 1.5-year observation period, URL A is active on 4 days spread over 20 days (Lifetime: 20, Active days: 4); URL B is active on 7 days spread over 40 days (Lifetime: 40, Active days: 7).]
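The status and hash records of slides 11 and 12, the lifetime and active-days definitions above, and the UNC/ETC/COC categories of slide 16, worked through in code as an added example (not code from the slides or from the authors' measurement system). The four 20-day records are constructed from the two tables. Because the slides state no formal thresholds, the following are assumptions made here: lifetime is counted inclusively from the first to the last active day, a "revive" is any stop-to-active transition after the first active day, ETC means every consecutive pair of downloads had a different hash, UNC means a single hash was ever served, and COC is everything in between.

```python
"""Added example (not from the slides): derive lifetime, active days, revives
and malware variation from a daily observation record and classify each URL
as UNC / ETC / COC (definitions and thresholds are this example's assumptions)."""
from dataclasses import dataclass

# Constructed from slides 11 and 12: one character per day, '.' = stopped,
# a capital letter = hash of the file downloaded that day (letters as on slide 12).
RECORDS = {
    "url1": "AAA.AA.A.AAA..AAAAAA",
    "url2": ".B...B.......B..B...",
    "url3": "CDF.GH..IJK...L..M.N",
    "url4": "..OOO.POOO......OO.R",
}


@dataclass
class Features:
    lifetime: int         # days from first to last active day, inclusive (assumption)
    active_days: int      # number of days the file was downloadable
    revives: int          # stop -> active transitions after the first active day
    distinct_hashes: int  # number of different files served over the period
    change_ratio: float   # fraction of consecutive downloads whose hash differed
    category: str         # "UNC", "ETC", "COC" or "NEVER_ACTIVE"


def analyze(record: str) -> Features:
    """Compute the slide 17/18 features for one URL's daily record."""
    active_idx = [i for i, c in enumerate(record) if c != "."]
    if not active_idx:
        # Edge case: a URL that was never seen active has no lifetime at all.
        return Features(0, 0, 0, 0, 0.0, "NEVER_ACTIVE")

    first, last = active_idx[0], active_idx[-1]
    lifetime = last - first + 1
    active_days = len(active_idx)
    # A revive is an active day immediately preceded by a stopped day;
    # the first active day is the initial appearance, not a revive.
    revives = sum(1 for i in active_idx[1:] if record[i - 1] == ".")

    hashes = [record[i] for i in active_idx]
    distinct = len(set(hashes))
    pairs = list(zip(hashes, hashes[1:]))
    changes = sum(1 for a, b in pairs if a != b)
    # One active day gives no consecutive pair: treat as no change observed.
    ratio = changes / len(pairs) if pairs else 0.0

    if distinct == 1:
        category = "UNC"          # unchanged
    elif ratio == 1.0:
        category = "ETC"          # every-time changed
    else:
        category = "COC"          # changed occasionally
    return Features(lifetime, active_days, revives, distinct, round(ratio, 3), category)


def classify_all(records):
    """Map each URL name to its Features."""
    return {name: analyze(rec) for name, rec in records.items()}


if __name__ == "__main__":
    for name, feats in classify_all(RECORDS).items():
        print(name, feats)
```

On the constructed records the classifier reproduces the slide 12 grouping: url1 and url2 are UNC, url3 is ETC, url4 is COC. Lifetime and active days differ noticeably for url2 (lifetime 16, active 4), which is the distinction slide 18 draws between the two measures.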
24. Characteristics and countermeasure

Characteristics | UNC          | ETC             | COC
Lifetime        | Longevity    | Short-lived     | Longevity
Revive          | NA           | NA              | many times
IP resource     | Substantial  | Fewer           | Substantial
IP variation    | Fewer        | Substantial     | Substantial
Activity        | NA           | Sparse          | Intensive
Malware         | Known        | Known           | Unknown
URL             | NA           | Long query part | NA
Countermeasure  | Blacklisting | TBD             | Blacklisting
26. Suggestion - What should operators do?
■ Full extermination of malicious sites is the most important.
■ When operators receive abuse reports, they should take concrete action until the malicious site disappears completely.
■ But according to [1], about 60% (12/19) of reports were not handled properly by ISPs.
• case 1: no reply.
• case 2: unable to locate an abuse@domain in WHOIS.
• case 3: good case! the site was immediately disconnected.
• case 4: forwarded to the customer by the ISP, but the server was still alive.

[1] Antonio Nappa, M. Zubair Rafique, Juan Caballero. The MALICIA dataset: identification and analysis of drive-by download operations. <https://lirias.kuleuven.be/bitstream/123456789/464045/1/malicia_dataset.pdf>
27. Suggestion - What should ISPs do?
■ Today's increasing Internet use has become plagued by malicious activity such as the exploit-as-a-service model.
■ It's important to consider IP or FQDN block services such as the "malware block service" of NTTcom OCN.
■ IP and FQDN blocking have an over-blocking problem, so in addition to IP and FQDN blocking it is desirable to use URL blocking.
28. Suggestion - What should ISPs do?
[Figure: as on slide 6, the User's legitimate traffic passes while evil traffic from Malware to the Attacker's C&C server (personal information, credit card numbers, etc.) is blocked by the DNS server based on an FQDN blacklist and, in addition, by an L7 FW based on a URL blacklist.]
This is a simple image and only my opinion.
29. Discussion - FQDN, IP, and URL blocking
■ Our survey shows that URL blacklisting is effective for some malicious sites.
• UNC and COC; COC in particular provides unknown malware.
■ URL blacklisting on ISPs?
• high operation cost? do you think it is a realistic way?
■ How about FQDN blacklisting on ISPs?
• how about domain, IP address, AS?
• is a combination important?