Page 1: Watchtowers of the Internet - Source Boston 2012

WATCH TOWERS OF THE INTERNET

Websense Security Labs

Stephan Chenette, Armin Buescher

(c) 2012 Websense Security Labs.

ANALYSIS OF OUTBOUND MALWARE COMMUNICATION

Page 2: Watchtowers of the Internet - Source Boston 2012

Who we are

Stephan Chenette (Northeastern Grad.)

Security Researcher, UCSD M.S.

Vulnerabilities, Reversing, Coding

Armin Buescher

Security Researcher, M.S.

AV, Reversing, Coding

R&D and Malware/Exploit Research

Page 3: Watchtowers of the Internet - Source Boston 2012

Essentials of this Talk

• Malware Lab

• Observations of Malware Communication

• Clustering

Page 4: Watchtowers of the Internet - Source Boston 2012

Current State of Affairs

Companies are concerned about targeted attacks

...and for good reason.

• A persistent attacker will eventually penetrate your network

• Malware will be installed

• Most malware will eventually communicate outbound *

* Unless the end goal of the attacker is complete destruction of data, malware will be used as the communication mechanism back to C&C.


Page 5: Watchtowers of the Internet - Source Boston 2012

Current State of Affairs

Most important to you as a network administrator:

• Knowledge of what machines are infected

• Prevention of important information leaving your network

Page 6: Watchtowers of the Internet - Source Boston 2012

Value of this Presentation

Better understanding of Outbound Malware Communication

Deep dive into threats that are present against or on your network

Page 7: Watchtowers of the Internet - Source Boston 2012

Building a Malware Lab

Page 8: Watchtowers of the Internet - Source Boston 2012

Malware Lab


Page 9: Watchtowers of the Internet - Source Boston 2012

Malware Lab

• Sandbox

• VPN Services

• Network Listeners

• Databases

• Multiple Scanner Engines

• Malware…lots of it! =]

Page 10: Watchtowers of the Internet - Source Boston 2012

Malware Lab Output

• Behavior Analysis

• Network Analysis

Page 11: Watchtowers of the Internet - Source Boston 2012

Our Philosophy

• Don't run around trying to find a particular bot/variant

Run Everything!

• Then figure out what it is…

• Spam Bots

• Network Worms

• File Infectors

• Etc.

Page 12: Watchtowers of the Internet - Source Boston 2012

Malware Samples

Typically received 30-70k samples/day

For this presentation we took a small representative daily subset totaling ~155,000 malware files to sample from

Page 13: Watchtowers of the Internet - Source Boston 2012

Malware Samples

How to Classify Samples...

DO NOT USE -- AV-Names **

• e.g. Trojan.Win32.Downloader

DO USE -- CLUSTERING

• Behavior Analysis/Network Analysis

** (AV-names are avoided as main use of classification when possible)

Page 14: Watchtowers of the Internet - Source Boston 2012
Page 15: Watchtowers of the Internet - Source Boston 2012

Malware Samples

Page 16: Watchtowers of the Internet - Source Boston 2012

Understanding Outbound Communication

Page 17: Watchtowers of the Internet - Source Boston 2012
Page 18: Watchtowers of the Internet - Source Boston 2012

Generic Trojan Downloader SHA-1: ab57031100a8c8c813a144b20b1ef5b9a643cec7

Page 19: Watchtowers of the Internet - Source Boston 2012
Page 20: Watchtowers of the Internet - Source Boston 2012

fling.com?...p0rn site

Page 21: Watchtowers of the Internet - Source Boston 2012

promos.fling/geo/txt/city.php

Page 22: Watchtowers of the Internet - Source Boston 2012

VPN Gateway - Canada

Page 23: Watchtowers of the Internet - Source Boston 2012
Page 24: Watchtowers of the Internet - Source Boston 2012

Botnet C&C 83.125.22.188

Page 25: Watchtowers of the Internet - Source Boston 2012

P2P Communication

Page 26: Watchtowers of the Internet - Source Boston 2012

P2P Botnet

Page 27: Watchtowers of the Internet - Source Boston 2012

P2P Botnet – Encryption

Page 28: Watchtowers of the Internet - Source Boston 2012

Generic Trojan Downloader?

• GEO/IP Lookup from a P0rn site

• C&C traffic uses DGA to “sign” botnet traffic via host header

• P2P communication over port 443

• Zaccess Dropper! (Sophos/Kaspersky)

• Future versions with the same network behavior can be profiled

Page 29: Watchtowers of the Internet - Source Boston 2012

GEO/IP lookup

• 2,744 samples in our malware set use fling.com to look up geo-location

• 177 different AV detection variants

• …clustering might have put this in the same grouping?

Page 30: Watchtowers of the Internet - Source Boston 2012

Another Sample…

Page 31: Watchtowers of the Internet - Source Boston 2012

K = (bot id) only replies if k is present!

Returns instructions to DoS two targets

03 – DoS (Attack mode)

50 – Number of Threads

60 – Timeout (s) for the next C&C Request

DoS: smcae.com:3306 & http://tonus.crimea.ua

Page 32: Watchtowers of the Internet - Source Boston 2012

DOS

Page 33: Watchtowers of the Internet - Source Boston 2012

DOS

Page 34: Watchtowers of the Internet - Source Boston 2012

Results

• DirtJumper Botnet

• Request commands via HTTP (unencrypted!)

• DoS on mysql (3306), no SQL content

• DoS on http (80), GET request

Page 35: Watchtowers of the Internet - Source Boston 2012

Manual Analysis

• Good for a deep dive into a particular binary, e.g. Flashback Mac OS X malware to find the DGA

• But not good for mass analysis of a large number of samples daily

• …Clustering

Page 36: Watchtowers of the Internet - Source Boston 2012

Clustering

Basics

Page 37: Watchtowers of the Internet - Source Boston 2012

Clustering

The process of grouping together samples that contain similar features

Page 38: Watchtowers of the Internet - Source Boston 2012

Network Communication

Page 39: Watchtowers of the Internet - Source Boston 2012

TCP Services

Page 40: Watchtowers of the Internet - Source Boston 2012

2012: Malware is talking over HTTP

>=70% HTTP

vs.

0.46% IRC (6667)

Page 41: Watchtowers of the Internet - Source Boston 2012

Clustering on HTTP Outbound Communication

Page 42: Watchtowers of the Internet - Source Boston 2012

Malware downloading executable payloads

Page 43: Watchtowers of the Internet - Source Boston 2012
Page 44: Watchtowers of the Internet - Source Boston 2012

Trojan:Win32/Medfos

Worm:Win32/Renocide

Trojan:Win32/Opachki

Worm:Win32/Rebhip

Page 45: Watchtowers of the Internet - Source Boston 2012

Don't Rely 100% on AV Names

Page 46: Watchtowers of the Internet - Source Boston 2012

Don't Rely 100% on AV Names

Rely on behavioral functionality

Page 47: Watchtowers of the Internet - Source Boston 2012

C&C Communication via HTTP

Page 48: Watchtowers of the Internet - Source Boston 2012

Malware Communication

Page 49: Watchtowers of the Internet - Source Boston 2012

Malware Communication

Page 50: Watchtowers of the Internet - Source Boston 2012

Feature: HTTP User-Agents used by Malware

Page 51: Watchtowers of the Internet - Source Boston 2012

Malware Communication

• Most Malware uses browser user-agent strings

• >17% have empty user-agent strings!

• 85% use a user-agent of a browser not present on the system

Page 52: Watchtowers of the Internet - Source Boston 2012

Good Apps…User-Agent

Page 53: Watchtowers of the Internet - Source Boston 2012

Good Apps…User-Agent

Bluestacks is an Android emulator.

Completely benign…but there are characteristics that look like bot traffic…

Page 54: Watchtowers of the Internet - Source Boston 2012

Good Traffic

Page 55: Watchtowers of the Internet - Source Boston 2012

User-Agent / HTTP GET

Dalvik/1.4.0 (Linux; U; Android 2.3.4; BlueStacks-c4afa5ac-7f39-11e1-b41e-001676aa4685 Build/GRJ22)\r\n

GET /public/appsettings/updates.txt

…Essential to have a large sample set of both benign and malicious examples

Page 56: Watchtowers of the Internet - Source Boston 2012

Obviously Malicious…

Page 57: Watchtowers of the Internet - Source Boston 2012

URLs

• www.csa.uem.br/administrator/includes/MicrosoftUpdate.exe

• s1c0gv3v0x.h1.ru/Trojan.rar

• ospianistas.com.br/aviso/infect.php

• svpembtywvrc.eu/gate.php?cmd=ping&botnet=fr18&userid=x1lgje2mdh51kc8z&os=V2luZG93cyBYUA==

Page 58: Watchtowers of the Internet - Source Boston 2012

User-Agents

• Mozilla/6.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us)

• Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)

• darkness

• N0PE

• Trololo

Page 59: Watchtowers of the Internet - Source Boston 2012

Clustering

Network behavior features

Page 60: Watchtowers of the Internet - Source Boston 2012

Net. Clustering Features

• Basic Network communication features

  • Protocols

  • Timing

  • Encryption

  • Encoding (e.g. BASE64)

• DNS features

  • Number of lookups

Page 61: Watchtowers of the Internet - Source Boston 2012

Net. Clustering Features

• HTTP features

  • Number of requests

  • Request method (POST/GET/…)

  • MIME types (server/real)

  • URL

  • User-agent

  • Etc.
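As an added example (not code from the talk), the user-agent observations on Page 51 and the HTTP clustering features on these two slides can be turned into a per-sample feature vector and grouped, so that requests with an empty User-Agent, a base64-encoded query value and the same parameter names land in one cluster regardless of the C&C hostname. The sample records, the .example hosts and the "IE-only sandbox" assumption are constructed here; the gate.php query string and the iPhone User-Agent are modelled on the slides' examples.

```python
import base64
import re
from collections import defaultdict
from urllib.parse import urlsplit
# Constructed sandbox records (sample id, method, URL, User-Agent). The gate.php query
# and the iPhone User-Agent echo the slides; the .example hosts are placeholders.
RUNS = [
    ("s1", "GET", "http://cnc-a.example/gate.php?cmd=ping&botnet=fr18&os=V2luZG93cyBYUA==", ""),
    ("s2", "GET", "http://cnc-b.example/gate.php?cmd=ping&botnet=fr19&os=V2luZG93cyBYUA==", ""),
    ("s3", "POST", "http://cnc-c.example/gate.php", "Mozilla/6.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us)"),
    ("s4", "GET", "http://update.example/updates.txt", "Mozilla/5.0 (Windows NT 5.1; rv:10.0) Gecko/20100101 Firefox/10.0"),
]
SANDBOX_BROWSERS = {"msie"}  # assumption: stock Windows XP analysis VM with IE only
B64 = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
def ua_family(ua):
    # Coarse browser family claimed by the header; "none" marks an empty User-Agent
    for name in ("msie", "firefox", "chrome", "safari", "opera"):
        if name in ua.lower():
            return name
    return "none" if not ua else "other"

def query_params(url):
    # Raw name/value split: parse_qs would turn '+' (a base64 character) into a space
    pairs = [p.split("=", 1) for p in urlsplit(url).query.split("&") if p]
    return {p[0]: (p[1] if len(p) == 2 else "") for p in pairs}

def has_base64_param(url):
    # True if some query value decodes to printable ASCII, e.g. the os= field above
    for value in query_params(url).values():
        try:
            if B64.match(value) and base64.b64decode(value, validate=True).isascii():
                return True
        except ValueError:
            pass
    return False

def features(method, url, ua):
    # HTTP feature vector: method, path, UA family, UA/system mismatch, encoding, parameter names
    fam = ua_family(ua)
    return (method, urlsplit(url).path, fam,
            fam not in SANDBOX_BROWSERS and fam != "none",  # claims a browser the VM lacks
            has_base64_param(url),
            tuple(sorted(query_params(url))))               # names only; values differ per bot

def cluster(runs):
    # Group samples whose requests share an identical feature vector (host is ignored)
    groups = defaultdict(list)
    for sid, method, url, ua in runs:
        groups[features(method, url, ua)].append(sid)
    return dict(groups)
```

With the constructed records, s1 and s2 fall into one cluster although they beacon to different hosts, while the benign Firefox-style update check stays apart.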

Page 62: Watchtowers of the Internet - Source Boston 2012

Clustering examples

Page 63: Watchtowers of the Internet - Source Boston 2012

DDoS malware Dirt Jumper

• Clustering w. network behavior:

  • found ~900 DJ samples

  • Identified 90 unique C&C URLs

Led to research paper “Tracking DDoS, Insights into the business of disrupting the Web” accepted at the LEET academic conference for publication

Page 64: Watchtowers of the Internet - Source Boston 2012

Distinguishing families

• Downloaders w. similar behavior

• Categorizing unknown samples:

  • ~85% precision

  • Two families

Page 65: Watchtowers of the Internet - Source Boston 2012

Banking Trojan Zbot

• Zoom into cluster w. network behavior “Zbot”

• Clusters:

  • Alive & kickin’

  • Domain killed

  • Server killed

Page 66: Watchtowers of the Internet - Source Boston 2012

Conclusion

Telemetry = System behavior + Network behavior

• Automated deep analysis of network behavior is underrated

• Paint full picture of analyzed malware!

• AV Names don’t always represent functionality

Page 67: Watchtowers of the Internet - Source Boston 2012

Conclusion II

• Clustering on network behavior analysis

  • Identify malware communication techniques

    • Obviously malicious

    • Generic

    • Sophisticated

• Clustering…yes! Just remember sophisticated might just mean generic!

Page 68: Watchtowers of the Internet - Source Boston 2012

Q & A

questions.py:

    # Answer questions until none are left or the session runs out of time
    while len(questions) > 0:
        if time <= 0:
            break
        print(answers[questions.pop()])


Page 69: Watchtowers of the Internet - Source Boston 2012

That’s all folks!

Thanks!

Stephan Chenette

Twitter: @StephanChenette

Armin Buescher

Twitter: @armbues
