Detecting Unknown Malware using Network Behavior Correlation
How to detect unknown viruses using “honey pots” and other technologies (David Girard & Anthony Arrott)

Detection of new variants has to happen extremely quickly, because they now appear at a rate of one every 1.5 seconds. We cannot rely solely on the submission of suspicious files by our customers or our partners. We therefore had to develop a vast network of probes (honey pots) and develop new ways of finding malware. We will discuss the various techniques and their effectiveness in the real world.

  1. Detecting Unknown Malware using Network Behavior Correlation
  2. Correlation Technology
     • A network behavior correlation technology used to detect known and unknown malware.
     • Currently implemented in an out-of-band network sensor appliance called the “Threat Discovery Appliance”, which is bundled with a series of different service packages known collectively as “Threat Management Services”.
     • Adoption of this technology in other Trend Micro products is ongoing.
     Copyright 2007 - Trend Micro Inc. Paramount Q1 2008
  3. Correlation Technology (diagram slide)
  4. How Do We Analyze Network Traffic?
     • Assemble packets into one stream
     • Extract embedded files & send to scanning engines
     • Extract embedded URLs and perform WRS check
     • Scan the traffic stream for exploits and network worms
     • Perform single-session correlation on the traffic stream
  5. Protocol Support
     We currently support over 40 protocols using port-agnostic protocol detection to accurately identify protocols regardless of the port used. Supported protocols include:
     • Network Services: DNS, DCE-RPC, Telnet, RDP, VNC
     • Web Traffic: HTTP, SSH, AIM, IRC
     • File Transfer: FTP, TFTP, SMB
     • Email and Messaging: SMTP, POP3, Gmail, Yahoo Mail, Hotmail
  6. What We Do
     • The Threat Analysis Group is a department of the Network Content Security Group and is responsible for the operations that utilize our correlation technology.
     • Over the years we have developed and improved upon several dedicated malware replication systems, also known as “sandboxes”. These systems are responsible for executing malware and logging all of their activities.
     • Early on, we processed current malware along with a few years' backlog of older samples. Analysis of this network traffic provided us with the data used to create the majority of our early ruleset. These rules are generic in nature and based upon the common behavior of different malware types.
     • Due to the volatile nature of malware, we determined that older samples were not worth our time any longer and now focus solely on brand new malware, utilizing various feeds of malware samples. Nowadays, the majority of our new rules focus on specific malware families.
  7. What characteristics are we looking for: Downloaders
     • Packed / compressed executables
     • Names of downloaded files belong to system files (svchost.exe, winlogon.exe, lsass.exe)
     • File extension does not match expected file type (JPG extension but file is actually EXE)
     • Unique / unknown HTTP user-agents
  8. What characteristics are we looking for: Spyware/Grayware
     • Unique / unknown HTTP user-agents
     • Names of downloaded files belong to trademarked/copyrighted spyware applications (Gain, Media Motor, Hotbar, SpySherrif)
  9. What characteristics are we looking for: Backdoors
     • Rogue services: unauthorized SMTP and HTTP servers, opened ports
     • Loopback command shells: DOS shell visible in the network traffic
     • Non-standard service ports: HTTP traffic on a non-HTTP port
  10. What characteristics are we looking for: Mass mailers
     • Attachments with long filenames (space padded)
     • File extensions do not match expected file type
     • File inside archive attachment contains double extension
     • Packed files
     • Suspicious URLs in message body
  11. What characteristics are we looking for: Bots
     • IRC traffic: bad NICKs, channel names, bot commands
     • Non-standard service ports, typically HTTP or IRC (e.g. IRC traffic on port 8080, the HTTP proxy port)
     • File transfers to blacklisted domains
  12. Scenario (diagram: Corporate Network). Rule 8 - Packed executable file dropped on a network share (C$, Admin$). Families: WORM_AGOBOT, PE_LOOKED
  13. Scenario (diagram: External Mail Server, Internet, Corporate Network, Internal Mail Server). Families: WORM_NETSKY, WORM_MYTOB, WORM_AGOBOT
  14. Scenario (diagram: IRC Server, Internet, Corporate Network). Rule 26 - IRC session established with a known bad C&C; Rule 7 - IRC bot commands found. Family: WORM_IRCBOT.EN
  15. Scenario (diagram: Malicious Website, Internet, Corporate Network). Rule 88 - HTTP requests attempted to download known malware-used filenames. Families: TROJ_DLOADER, TROJ_AGENT
  16. Rule Descriptions: Monitored client is receiving email with phishing link (External)
     Rule ID: 72
     Scenario: SMTP server receives phishing emails. The email sender domain is in the list of commonly phished domains and the email contains an IP address. The email will trigger rule ID 72, direction is external.
     Sender: customerservice@ebay.com
     URL: http://70.88.210.45:81/ebay.com/index.html
     (diagram: Monitored Network)
  17. Rule Descriptions: Monitored client is sending out phishing email (Internal)
     Rule ID: 72
     Scenario: Infected host is sending phishing emails. The email sender domain is in the list of commonly phished domains and the email contains an IP address. The email will trigger rule ID 72, direction is internal.
     Sender: customerservice@ebay.com
     URL: http://70.88.210.45:81/ebay.com/index.html
     (diagram: Monitored Network)
  18. Rule Descriptions: Hacking attempt
     Rule ID: 38 & 15
     Fields of interest: username (not SMB)
     • This rule is triggered when a certain threshold of failed login attempts is reached. Below are the details of these thresholds per protocol.
     • For the SMB protocol, the possible attacker is the destination IP address.

     Protocol         Rule ID 38 (threshold trigger)   Rule ID 15 (threshold trigger)
     FTP              =4x                              =20x
     POP3             =4x                              =20x
     *Cisco Telnet    =3x                              =6x
     **SMB            =12x                             =18x
  19. Rule Descriptions: Hacking attempt
     Rule ID: 38 & 15
     Scenario: Infected host brute-force attacks other hosts within the monitored network. There is a high number of failed login attempts on each attacked host. The attacks will trigger rule IDs 38 & 15, direction is internal for both.
     (diagram: Monitored Network, attacked hosts with 15 failed SMB logins and 21 failed SMB logins)
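The threshold table and the SMB direction note above can be turned into a small detector. The following Python is an added example, not code from the deck or from the Threat Discovery Appliance: the thresholds are copied from the slide, while the event format, the monitored address range (10.0.0.0/8) and the interpretation that the SMB packet being inspected is the server's failure response are assumptions.

```python
"""Added example: failed-login threshold rules (rule 38 / rule 15) over constructed events."""
import ipaddress
from collections import defaultdict

# Thresholds from the slide's table: protocol -> (rule 38 trigger, rule 15 trigger).
THRESHOLDS = {
    "FTP": (4, 20),
    "POP3": (4, 20),
    "Cisco Telnet": (3, 6),
    "SMB": (12, 18),
}

# Assumed address range of the monitored network (not stated on the slides).
MONITORED = ipaddress.ip_network("10.0.0.0/8")


def attacker_of(event):
    """The slide states that for SMB the possible attacker is the destination
    address of the observed packet; for the other protocols the source is used."""
    return event["dst"] if event["protocol"] == "SMB" else event["src"]


def direction(attacker):
    """Direction as used in the rule descriptions: internal when the attacking
    host lies inside the monitored network, otherwise external."""
    return "internal" if ipaddress.ip_address(attacker) in MONITORED else "external"


def evaluate(events):
    """Count failed logins per (attacker, protocol) and report which of the two
    rule IDs each pair has reached. Returns {(attacker, protocol): {...}}."""
    failures = defaultdict(int)
    for ev in events:
        if ev["login_failed"]:
            failures[(attacker_of(ev), ev["protocol"])] += 1

    report = {}
    for (attacker, proto), count in failures.items():
        t38, t15 = THRESHOLDS[proto]
        rules = [rid for rid, limit in ((38, t38), (15, t15)) if count >= limit]
        report[(attacker, proto)] = {
            "failed_logins": count,
            "rules": rules,
            "direction": direction(attacker),
        }
    return report


def sample_events():
    """Constructed events mirroring the slide-19 scenario: one internal host with
    15 failed SMB logins against a peer, another with 21, plus an external FTP
    client with 4 failures and one success (successes are ignored)."""
    events = []
    # Assumption: for SMB the inspected packet is the server's failure response,
    # so the attacking client is the destination address, as the slide states.
    events += [{"protocol": "SMB", "src": "10.0.0.20", "dst": "10.0.0.5", "login_failed": True}] * 15
    events += [{"protocol": "SMB", "src": "10.0.0.21", "dst": "10.0.0.6", "login_failed": True}] * 21
    events += [{"protocol": "FTP", "src": "203.0.113.9", "dst": "10.0.0.30", "login_failed": True}] * 4
    events += [{"protocol": "FTP", "src": "203.0.113.9", "dst": "10.0.0.30", "login_failed": False}]
    return events


if __name__ == "__main__":
    for key, info in evaluate(sample_events()).items():
        print(key, info)
```

With these inputs the host behind 15 SMB failures reaches only rule 38 (threshold 12), the one behind 21 failures reaches both 38 and 15 (threshold 18), and the external FTP client reaches rule 38 at exactly 4 failures, which matches how the slide describes the two rule IDs as two escalating thresholds.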
  20. Rule Descriptions: Monitored client is downloading a suspicious file.
     Rule ID: 66
     Scenario: Host downloads an executable file from a web site. The web server reports the content type as image/gif. This event will trigger rule ID 66, direction is external.
     (diagram: Monitored Network; HTTP response reports content type as image/gif, but the file is actually an executable)
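Both rule 66 (declared image/gif, actual executable) and the slide-7 downloader characteristic (JPG extension, EXE content) come down to comparing what a response claims with what its leading bytes say. The following Python is an added example, not the appliance's code: the magic-byte table, the sample responses and the finding labels are constructed for illustration.

```python
"""Added example: flag a declared Content-Type or URL extension that disagrees
with the file's magic bytes (slide 7 and rule 66)."""
import os

# Magic-byte signatures: MZ (Windows PE/DOS executable), GIF, JPEG, PNG.
MAGIC = [
    (b"MZ", "executable"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
]

# What a file with this extension is expected to be.
EXPECTED_BY_EXT = {
    ".gif": "image/gif",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".png": "image/png",
    ".exe": "executable",
}


def sniff(body: bytes) -> str:
    """Classify the payload by its leading bytes, ignoring what anyone claims it is."""
    for magic, kind in MAGIC:
        if body.startswith(magic):
            return kind
    return "unknown"


def parse_response(raw: bytes):
    """Minimal split of a raw HTTP response into a lowercase header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:            # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("ascii", "replace")
    return headers, body


def check_download(url_path: str, raw_response: bytes) -> dict:
    """Compare the declared Content-Type and the URL extension with the sniffed type.
    'rule66:content-type-mismatch' mirrors the slide's rule 66 case (declared image,
    actual executable); 'extension-mismatch' mirrors slide 7 (JPG name, EXE content)."""
    headers, body = parse_response(raw_response)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff(body)
    expected = EXPECTED_BY_EXT.get(os.path.splitext(url_path)[1].lower(), "")

    findings = []
    if actual == "executable" and declared.startswith("image/"):
        findings.append("rule66:content-type-mismatch")
    if actual == "executable" and expected.startswith("image/"):
        findings.append("extension-mismatch")
    return {"declared": declared, "actual": actual, "findings": findings}


# Constructed sample: the server says image/gif, but the body starts with an MZ header.
MALICIOUS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nContent-Length: 64\r\n\r\n"
    + b"MZ\x90\x00" + b"\x00" * 60
)
# Constructed sample: a genuine (truncated) GIF served with the right type.
BENIGN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nContent-Length: 13\r\n\r\n"
    + b"GIF89a\x01\x00\x01\x00\x00\x00\x00"
)

if __name__ == "__main__":
    print(check_download("/images/photo.jpg", MALICIOUS_RESPONSE))
    print(check_download("/images/logo.gif", BENIGN_RESPONSE))
```

The check deliberately trusts neither the header nor the file name: the body's magic bytes decide the "actual" type, and each claim is compared with it separately so that a response can carry both findings at once.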
  21. Rule Descriptions: Monitored client is using a protocol on a non-standard port.
     Rule ID: 33
     Fields of interest: nickname, channelname
     • The Internet Relay Chat (IRC) protocol typically uses a port in the range of 6665-6669. It is common for malicious IRC bots to use non-standard ports for their communication.
     • This rule is triggered when an incoming or outgoing connection is detected using the IRC protocol on a port outside of this range. There is still a chance this is legitimate IRC traffic, but more likely it is a “bot” communication.
  22. Rule Descriptions: Monitored client has malware that is communicating with an external party.
     Rule ID: 33
     Scenario: Infected host is communicating with an IRC C&C server using the IRC protocol, but on port 8080 instead of one of the standard ports in the range of 6665-6669. This communication will trigger rule ID 33, direction is internal, but could just as well be external if the response was captured instead.
     (diagram: Monitored Network, Port: 8080)
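Rule 33 only works because the sensor recognizes IRC from the payload rather than from the port (the port-agnostic detection mentioned on slide 5). The following Python is an added example, not the appliance's detection logic: it identifies IRC by counting command lines in the session payload, applies the 6665-6669 range from the slide, and extracts the nickname and channel names that the slide lists as fields of interest. The command list, the two-command minimum and the sample sessions are constructed.

```python
"""Added example: port-agnostic IRC detection plus the rule 33 non-standard-port
check, with nickname and channel extraction (the slide's fields of interest)."""
import re

IRC_STANDARD_PORTS = range(6665, 6670)   # 6665-6669 as stated on the slide

# IRC command lines, optionally prefixed with ":origin " as servers do.
IRC_LINE = re.compile(rb"^(?::\S+ )?(NICK|USER|JOIN|PRIVMSG|NOTICE|PING|PONG|MODE)\b", re.M)


def looks_like_irc(payload: bytes, min_commands: int = 2) -> bool:
    """Identify IRC from the payload alone, so the port plays no role in detection."""
    return len(IRC_LINE.findall(payload)) >= min_commands


def rule_33(session: dict):
    """Return a finding when IRC is carried on a port outside 6665-6669, else None.
    session = {"src": str, "dst": str, "dst_port": int, "payload": bytes}."""
    if not looks_like_irc(session["payload"]):
        return None                      # not IRC at all, whatever the port
    if session["dst_port"] in IRC_STANDARD_PORTS:
        return None                      # IRC on a standard port: rule 33 does not fire
    nick = re.search(rb"^NICK (\S+)", session["payload"], re.M)
    channels = re.findall(rb"^JOIN (\S+)", session["payload"], re.M)
    return {
        "rule": 33,
        "dst_port": session["dst_port"],
        "nickname": nick.group(1).decode("ascii", "replace") if nick else None,
        "channels": [c.decode("ascii", "replace") for c in channels],
    }


# Constructed sessions. The first mirrors the slide-22 scenario: IRC on port 8080.
BOT_SESSION = {
    "src": "10.0.0.7", "dst": "198.51.100.4", "dst_port": 8080,
    "payload": b"NICK [US|XP]1234\r\nUSER xp 0 0 :xp\r\nJOIN #cnc\r\n",
}
LEGIT_SESSION = {
    "src": "10.0.0.8", "dst": "198.51.100.5", "dst_port": 6667,
    "payload": b"NICK alice\r\nUSER alice 0 0 :alice\r\nJOIN #python\r\n",
}
HTTP_ON_8080 = {
    "src": "10.0.0.9", "dst": "198.51.100.6", "dst_port": 8080,
    "payload": b"GET / HTTP/1.1\r\nHost: proxy.example\r\n\r\n",
}

if __name__ == "__main__":
    for s in (BOT_SESSION, LEGIT_SESSION, HTTP_ON_8080):
        print(s["dst_port"], rule_33(s))
```

Only the first session produces a finding: the second is IRC on a standard port, and the third is ordinary HTTP on 8080, which is exactly the distinction that a port-based rule could not make.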
  23. Relevance Rules: How It Works (Zeus)
     1) Group the packet captures of the same family
     2) Create a profile based on similarities and differences
     3) Create the Relevance Pattern!
  24. Relevance Rules: Possible Relevance Rule for Hupigon
     Samples (MD5): 5e3831266f8d68bc3713c35963a39f75, fbdc7c613fb23527929c18eb55fad5f0, 5e5c3e7cbc5ca7ecb48964494519068d, 46fd78ea03e2e8a6a07196f791fbb03c
     Pattern:
       GET /*.txt HTTP/1.0\r\n
       User-Agent: *\r\n
       Host: *\r\n
       Pragma: no-cache\r\n
     Note: * wildcard for any
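The pattern on slide 24 is a request template in which `*` stands in for the parts that vary between the four samples. The following Python is an added example, not Trend Micro's rule engine: it compiles such a wildcard template into an anchored regular expression and runs it over constructed requests. Reading `*` as "any run of bytes within a single line" is an assumption; the slide only says "* wildcard for any".

```python
"""Added example: match HTTP requests against the slide's wildcard relevance
pattern for Hupigon. '*' is assumed to mean any run of bytes within one line."""
import re

# The pattern exactly as shown on the slide, with the printed "rn" read as CRLF.
HUPIGON_PATTERN = (
    b"GET /*.txt HTTP/1.0\r\n"
    b"User-Agent: *\r\n"
    b"Host: *\r\n"
    b"Pragma: no-cache\r\n"
)


def wildcard_to_regex(pattern: bytes) -> re.Pattern:
    """Translate a '*'-wildcard byte pattern into an anchored regex. Every literal
    piece is escaped; '*' becomes [^\\r\\n]* so it cannot swallow a line break and
    cross into the next header."""
    pieces = [re.escape(piece) for piece in pattern.split(b"*")]
    return re.compile(b"\\A" + b"[^\r\n]*".join(pieces))


def matches(pattern: bytes, request: bytes) -> bool:
    """True when the request starts with the pattern, headers in the given order."""
    return wildcard_to_regex(pattern).match(request) is not None


def matching_samples(pattern: bytes, requests: dict) -> list:
    """Return the names of the captured requests that fit the pattern."""
    return sorted(name for name, raw in requests.items() if matches(pattern, raw))


# Constructed captures (not real Hupigon traffic): two that fit the template,
# a browser request with a different HTTP version and path, and one with the
# same headers in a different order.
SAMPLES = {
    "sample_a": b"GET /cfg.txt HTTP/1.0\r\nUser-Agent: Mozilla/4.0\r\nHost: 192.0.2.10\r\nPragma: no-cache\r\n\r\n",
    "sample_b": b"GET /up/list.txt HTTP/1.0\r\nUser-Agent: x\r\nHost: 192.0.2.11\r\nPragma: no-cache\r\n\r\n",
    "browser": b"GET /news.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nHost: www.example\r\nPragma: no-cache\r\n\r\n",
    "reordered": b"GET /cfg.txt HTTP/1.0\r\nHost: 192.0.2.10\r\nUser-Agent: x\r\nPragma: no-cache\r\n\r\n",
}

if __name__ == "__main__":
    print(matching_samples(HUPIGON_PATTERN, SAMPLES))   # ['sample_a', 'sample_b']
```

Header order is part of the pattern here, which is what makes such a template specific to one family's client rather than to any request for a `.txt` file; the "reordered" capture shows that a sample with the same headers in a different sequence is not matched.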
  25. Relevance Rules
     • With the power and flexibility of the scripting language we use to create rules, we are able to perform calculations and bitwise operations in order to validate custom malware protocols such as the one used by the Palevo (Mariposa/Butterfly) bot.
  26. Rule Correlation
     • We are limited to correlating only the data within a single session, and in a single direction. For example, we can correlate the data within an HTTP request or an HTTP response, but not between the two.
     • To address this issue, further correlation is performed in a separate process on the initial events generated.
     • With this approach, any type of correlation is possible, and the results are quite powerful. Reports are delivered that can pinpoint confirmed malware infections, so the customer does not have to analyze logs and make his own determinations.
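Slide 26 describes a second stage that works on the events the single-session rules emit rather than on packets. The following Python is an added example, not the product's correlation process: it groups first-stage events by host and looks for ordered sequences of rule hits within a time window. The event format, the three correlation recipes and the timestamps are constructed; only the rule IDs (66, 33, 38, 15, 72) and their meanings come from the deck.

```python
"""Added example: second-stage correlation of single-session events per host."""
from collections import defaultdict

# Constructed first-stage events: (timestamp_seconds, host, rule_id, direction).
EVENTS = [
    (100, "10.0.0.7", 66, "external"),    # suspicious executable download
    (160, "10.0.0.7", 33, "internal"),    # IRC on a non-standard port shortly after
    (200, "10.0.0.8", 66, "external"),    # download only, nothing follows
    (300, "10.0.0.9", 38, "internal"),    # failed-login threshold 38 reached ...
    (320, "10.0.0.9", 15, "internal"),    # ... then threshold 15
    (9000, "10.0.0.10", 33, "internal"),  # C&C check-in
    (9100, "10.0.0.10", 72, "internal"),  # then phishing mail leaves the host
]

# Correlation recipes (constructed): an ordered sequence of (rule_id, direction)
# on one host within `window` seconds yields the named verdict.
RECIPES = [
    {"name": "downloader then bot C&C", "steps": [(66, "external"), (33, "internal")], "window": 600},
    {"name": "internal brute-force host", "steps": [(38, "internal"), (15, "internal")], "window": 600},
    {"name": "bot sending phishing mail", "steps": [(33, "internal"), (72, "internal")], "window": 600},
]


def _sequence_found(events, steps, window):
    """Return True if `steps` occur in order among a host's time-sorted events,
    all within `window` seconds of the first step."""
    for i, (ts0, rule0, dir0) in enumerate(events):
        if (rule0, dir0) != steps[0]:
            continue
        idx = 1
        if idx == len(steps):
            return True
        for ts, rule, direction in events[i + 1:]:
            if ts - ts0 > window:
                break                    # this start is too old; try a later one
            if (rule, direction) == steps[idx]:
                idx += 1
                if idx == len(steps):
                    return True
    return False


def correlate(events, recipes=RECIPES):
    """Group events by host and return {host: [verdict, ...]} for every host on
    which at least one recipe's sequence is observed. Hosts with no verdict are
    omitted, which is what lets a report point at confirmed infections only."""
    by_host = defaultdict(list)
    for ts, host, rule, direction in sorted(events):
        by_host[host].append((ts, rule, direction))

    verdicts = {}
    for host, evs in by_host.items():
        hits = [r["name"] for r in recipes if _sequence_found(evs, r["steps"], r["window"])]
        if hits:
            verdicts[host] = hits
    return verdicts


if __name__ == "__main__":
    for host, names in correlate(EVENTS).items():
        print(host, names)
```

The host that only downloaded a suspicious file (10.0.0.8) never appears in the output: a single-session event alone is a lead, and it is the cross-session sequence that the first stage cannot see which turns it into a verdict.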
  27. Our Threat Assessment Results
     Despite having the most current industry standard security technology…
     • 100% of companies had active malware
     • 72% of companies had one or more IRC bots
     • 56% of companies had information stealing malware
     • 50% of companies had 4 or more IRC bots
     • 80% of companies had malware web downloads
     • 42% of companies had a network worm (1)
     • $6M = average total cost of a major data breach in 2008 (2)
     (1) Based on 130 assessments worldwide at companies averaging over 7,484 employees, including representatives from the manufacturing, government, education, financial services, retail, and healthcare industries.
     (2) Ponemon Institute
  28. Detection Samples: Virut propagating via brute force login attempts and open shares
  29. Detection Samples: IRC bot communicating with its C&C server
  30. Detection Samples: Bot sending spam
  31. Detection Samples: Drive-by download and downloaders
  32. Detection Samples: Stuxnet!!
  33. Thank You (11/8/2010)