Watchtowers of the Internet - Source Boston 2012


Published on

Watchtowers of the Internet: Analysis of Outbound Malware Communication, Stephan Chenette, Principal Security Researcher, (@StephanChenette) & Armin Buescher, Security Researcher

With advanced malware, targeted attacks, and advanced persistent threats, it’s not IF but WHEN a persistant attacker will penetrate your network and install malware on your company’s network and desktop computers. To get the full picture of the threat landscape created by malware, our malware sandbox lab runs over 30,000 malware samples a day. Network traffic is subsequently analyzed using heuristics and machine learning techniques to statistically score any outbound communication and identify command & control, back-channel, worm-like and other types of traffic used by malware.
Our talk will focus on the setup of the lab, major malware families as well as outlier malware, and the statistics we have generated to give our audience an exposure like never before into the details of malicious outbound communication. We will provide several tips, based on our analysis to help you create a safer and more secure network.

Stephan Chenette is a principal security researcher at Websense Security Labs, specializing in research tools and next generation emerging threats. In this role, he identifies and implements exploit and malcode detection techniques.

Armin Buescher is a Security Researcher and Software Engineer experienced in strategic development of detection/prevention technologies and analysis tools. Graduated as Dipl.-Inf. (MSc) with thesis on Client Honeypot systems. Interested in academic research work and published author of security research papers.

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Watchtowers of the Internet - Source Boston 2012

  1. 1. Websense Security Labs Stephan Chenette, Armin BuescherWATCH TOWERS OF THE INTERNET ANALYSIS OF OUTBOUND MALWARE COMMUNICATION (c) 2012 Websense Security Labs.
  2. 2. Who we areStephan Chenette (Northeastern Grad.)Security Researcher, UCSD M.S.Vulnerabilities, Reversing, CodingArmin BuescherSecurity Researcher, M.S.AV, Reversing, CodingR&D and Malware/Exploit Research
  3. 3. Essentials of this Talk• Malware Lab• Observations of Malware Communication• Clustering
  4. 4. Current State of AffairsCompanies are concerned about targeted attacks...and for good reason.• A persistent attacker will eventually penetrate your network• Malware will be installed• Most malware will eventually communicate outbound *(* unless the end goal of the attacker is complete destruction of data, malware will be used as the communication mechanismback to C&C) (c) 2012 Websense Security Labs.
  5. 5. Current State of AffairsMost important to you as a network administrator:• Knowledge of what machines are infected• Prevention of important information leaving your network
  6. 6. Value of this PresentationBetter understanding ofOutbound Malware CommunicationDeep dive into threats that arepresent against or on your network
  7. 7. Building aMalware Lab
  8. 8. Malware Lab3 4 2 1
  9. 9. Malware Lab• Sandbox• VPN Services• Network Listeners• Databases• Multiple Scanner Engines• Malware…lots of it! =]
  10. 10. Malware Lab Output• Behavior Analysis• Network Analysis
  11. 11. Our Philosophy• Dont run around trying to find a particular bot/variantRun Everything!• Then figure out what it is… • Spam Bots • Network Worms • File Infectors • Etc. (c) 2012 Websense Security Labs.
  12. 12. Malware Samples Typically received 30-70k samples/day For this presentation we took a small representative daily subset totaling ~155,000 malware files to sample from
  13. 13. Malware SamplesHow to Classify Samples...DO NOT USE -- AV-Names **• e.g. Trojan.Win32.DownloaderDO USE -- CLUSTERING• Behavior Analysis/Network Analysis** (AV-names are avoided as main use of classification when possible)
  14. 14. Malware Samples
  15. 15. UnderstandingOutboundCommunication
  16. 16. Generic Trojan Downloader SHA-1: ab57031100a8c8c813a144b20b1ef5b9a643cec7
  17. 17. site
  18. 18. promos.fling/geo/txt/city.php
  19. 19. VPN Gateway - Canada
  20. 20. Botnet C&C
  21. 21. P2P Communication
  22. 22. P2P Botnet
  23. 23. P2P Botnet – Encryption
  24. 24. Generic Trojan Downloader?• GEO/IP Lookup from a P0rn site• C&C traffic uses DGA to “sign” botnet traffic via host header• P2P communication over port 443• Zaccess Dropper! (Sophos/Kaspersky)• Future versions with the same network behavior can be profiled
  25. 25. GEO/IP lookup• 2,744 samples in our malware set use to look up geo-location• 177 different AV detection variants• …clustering might have put this in the same grouping?
  26. 26. Another Sample…
  27. 27. K = (bot id) only replies if k is present!Returns instructions to DoS two targets03 – DoS (Attack mode)50 – Number of Threads60 – Timeout (s) for the next C&C
  28. 28. DOS
  29. 29. DOS
  30. 30. Results• DirtJumper Botnet• Request commands via HTTP (unencrypted!)• DoS on mysql (3306), no SQL content• DoS on http (80), GET request
  31. 31. Manual Analysis• Good for deep-dive of a particular binary e.g. Flashback Mac OS X malware to find DGA• But not good for mass analysis of large number of samples daily• …Clustering
  32. 32. BasicsClustering
  33. 33. Clustering The process of grouping together samples that contain similar features
  34. 34. Network Communication
  35. 35. TCP Services
  36. 36. 2012: Malware is talking over HTTP >=70% HTTP vs. .46% IRC (6667)
  37. 37. Clustering onHTTP OutboundCommunication
  38. 38. Malware downloadingexecutable payloads
  39. 39. Trojan:Win32/MedfosWorm:Win32/RenocideTrojan:Win32/OpachkiWorm:Win32/Rebhip
  40. 40. Dont Rely 100% on AV Names
  41. 41. Dont Rely 100% on AV NamesRely on behavioral functionality
  42. 42. C&C Communication via HTTP
  43. 43. Malware Communication
  44. 44. Malware Communication
  45. 45. Feature: HTTP User-Agentsused by Malware
  46. 46. Malware Communication• Most Malware uses browser user-agent strings• >17% have empty user-agent strings!• 85% use a user-agent of a browser not present on the system
  47. 47. Good Apps…User-Agent
  48. 48. Good Apps…User-AgentBluestacks is an android emulatorCompletely benign…but there arecharacteristics that look like bot traffic…
  49. 49. Good Traffic
  50. 50. User-Agent / HTTP GETDalvik/1.4.0 (Linux; U; Android 2.3.4;BlueStacks-c4afa5ac-7f39-11e1-b41e-001676aa4685 Build/GRJ22)rnGET/public/appsettings/updates.txt…Essential to have a large sample set ofboth benign and malicious examples
  51. 51. Obviously Malicious…
  52. 52. URLs• /includes/MicrosoftUpdate.exe•• /infect.php• cmd=ping&botnet=fr18&userid= x1lgje2mdh51kc8z&os=V2luZG93cy BYUA==
  53. 53. User-Agents• Mozilla/6.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us)• Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)• darkness• N0PE• Trololo
  54. 54. ClusteringNetwork behaviorfeatures
  55. 55. Net. Clustering Features• Basic Network communication features • Protocols • Timing • Encryption • Encoding (e.g. BASE64)• DNS features • Number of lookups
  56. 56. Net. Clustering Features• HTTP features • Number of requests • Request method (POST/GET/…) • MIME types (server/real) • URL • User-agent • Etc.
  57. 57. Clustering examples
  58. 58. DDoS malware Dirt Jumper • Clustering w. network behavior: • found ~900 DJ samples • Identified 90 unique C&C URLsLed to research paper “Tracking DDoS, Insights into thebusiness of disrupting the Web” accepted at LEETacademic conference for publication
  59. 59. Distinguishing families • Downloaders w. similar behavior • Categorizing unknown samples: • ~85% precision • Two families
  60. 60. Banking Trojan Zbot • Zoom into cluster w. network behavior “Zbot” • Clusters: • Alive & kickin’ • Domain killed • Server killed
  61. 61. ConclusionTelemetry = System behavior + Network behavior• Automated deep analysis of network behavior is underrated • Paint full picture of analyzed malware!• AV Names don’t always represent functionality
  62. 62. Conclusion II• Clustering on network behavior analysis • Identify malware communication techniques • Obviously malicious • Generic • Sophisticated• Clustering…yes! Just remember sophisticated might just mean generic!
  63. 63. Q& len(questions) > 0: if time <= 0: break print answers[questions.pop()] (c) 2012 Websense Security Labs.
  64. 64. That’s all folks!Thanks!Stephan ChenetteTwitter: @StephanChenetteArmin BuescherTwitter: @armbues (c) 2012 Websense Security Labs.