Characteristic of Malware Site and its Blocking Countermeasure

Apricot 2017
Yasuyuki Tanaka, CISSP
Institute of Information Security (IISEC) / NTT Communications Corporation

Todayʼs contents

1. Internet malicious activity and blocking trend
2. Our analytical results
3. Suggestion and discussion

Drive-by-download infection chain

Figure: infection chain diagram with the following elements: Compromised Site, Affiliate, Advertising, Attackerʼs Resources, Legitimate Service, HIY model, Malware Owner, Exploit Pack Developer, Exploit as a Service model, Pay Per Install model, Malvertising model, Victims.

How to infect?

Drive-by-download consists of three factors:
• Landing site, Exploit site, Malware download site

Figure: the Victim PC reaches the Landing site ①, is sent on to the Exploit site ②, and finally to the Malware download site ③.

Characteristics of each site

Landing site:
• exists in a legitimate service
• redirects to the exploit site
• short-lived

Exploit site:
• made of a web attack toolkit
• referrer from the Landing site
• short-lived

Malware download site:
• repeats run and stop
• changes malware
• long-lived

In this paper we focused on the Malware download site.

OCN malware block service

In Feb. 2016, NTT Communications started offering users of the internet service provider OCN a free malware blocker service, the first ISP in Japan to offer such a service.

Figure: a User sends legitimate traffic, and the Malware on the Userʼs machine sends evil traffic (personal information, credit card numbers, etc.) toward the Attackerʼs C&C server; the ISP DNS server, based on an FQDN blacklist, blocks the evil traffic ("Block!").

FQDN Block vs URL Block

block method          | FQDN block          | URL block
intelligence to use   | FQDN blacklist      | URL blacklist
apply device example  | DNS, /etc/hosts     | L7 firewall
pros                  | lightweight, simple | detailed operation
cons                  | over blocking       | complexity, high cost

Over blocking problem

Five URLs on one host and their true nature:
http://www.aaa.com/111/222.php   benign site     OVER BLOCKED
http://www.aaa.com/aaa/z.php     malicious site
http://www.aaa.com/111/a.js      malicious site
http://www.aaa.com/111/222.exe   benign site     OVER BLOCKED
http://www.aaa.com/yyy/zzz       benign site     OVER BLOCKED

Blocking the FQDN www.aaa.com stops the two malicious URLs, but also the three benign URLs served from the same host.
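To make the over-blocking count concrete, here is an added example (not code from the talk) that derives both an FQDN blacklist and a URL blacklist from the five labelled URLs above and applies each method to the same traffic. www.aaa.com is the slideʼs placeholder host; the 0.0.0.0 sinkhole address used for the /etc/hosts rendering is an assumption of this example.

```python
from urllib.parse import urlsplit

# Constructed sample: the five URLs of the over-blocking slide with the labels
# the slide gives them (www.aaa.com is a placeholder host, not a real site).
OBSERVED = [
    ("http://www.aaa.com/111/222.php", "benign"),
    ("http://www.aaa.com/aaa/z.php",   "malicious"),
    ("http://www.aaa.com/111/a.js",    "malicious"),
    ("http://www.aaa.com/111/222.exe", "benign"),
    ("http://www.aaa.com/yyy/zzz",     "benign"),
]


def normalize(url):
    """Canonical form for exact URL matching: lower-cased host plus the path
    and query exactly as crawled (blacklists store the URL as observed)."""
    parts = urlsplit(url)
    path = parts.path + ("?" + parts.query if parts.query else "")
    return (parts.hostname or "").lower(), path


def build_blacklists(labelled):
    """Derive both intelligence feeds from the labelled observations: the URL
    blacklist keeps (host, path) pairs; the FQDN blacklist keeps only the
    hosts, which is all a DNS-based block can see."""
    url_bl = {normalize(u) for u, label in labelled if label == "malicious"}
    fqdn_bl = {host for host, _ in url_bl}
    return fqdn_bl, url_bl


def fqdn_block(url, fqdn_bl):
    """DNS / hosts-file style decision: the whole host is blocked or not."""
    host, _ = normalize(url)
    return host in fqdn_bl


def url_block(url, url_bl):
    """L7 style decision: only the exact host+path pair is blocked."""
    return normalize(url) in url_bl


def evaluate(labelled):
    """Per method: how many malicious URLs are stopped, and which benign URLs
    are stopped as collateral (the slide's 'OVER BLOCKED')."""
    fqdn_bl, url_bl = build_blacklists(labelled)
    result = {}
    for name, decide, bl in (("FQDN block", fqdn_block, fqdn_bl),
                             ("URL block", url_block, url_bl)):
        result[name] = {
            "blocked_malicious": sum(1 for u, l in labelled
                                     if l == "malicious" and decide(u, bl)),
            "over_blocked": [u for u, l in labelled
                             if l == "benign" and decide(u, bl)],
        }
    return result


def hosts_file_entries(fqdn_bl, sink="0.0.0.0"):
    """Render the FQDN blacklist as /etc/hosts lines (one of the apply
    devices named in the FQDN-vs-URL table); the null-route sinkhole
    address is an assumption of this example."""
    return [f"{sink} {host}" for host in sorted(fqdn_bl)]


if __name__ == "__main__":
    for method, r in evaluate(OBSERVED).items():
        print(f"{method}: blocked {r['blocked_malicious']} malicious, "
              f"over blocked {len(r['over_blocked'])} benign")
    print("\n".join(hosts_file_entries(build_blacklists(OBSERVED)[0])))
```

Both methods catch the two malicious URLs; only the FQDN method also stops the three benign ones, which is the trade-off the table above summarises as "lightweight" versus "over blocking".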

Todayʼs contents

1. Internet malicious activity and blocking trend
2. Our analytical results
3. Suggestion and discussion

Check Malware download URL status

In order to decide appropriate methods or period for blacklisting malware download sites, we check the status of each malware download site every day.
• Total number of URLs: 43,034
• Observation period: 1.5 years

Figure: every day a High Interaction Web crawler visits the many Malware Download Sites and records each as Active or Stop; every downloaded file is checked with multiple anti-virus software and labelled Benign or Malicious.

Status record

Status table: we recorded the status of each URL every day. url1 shows short stop spans; url2 and url4 show long stop spans.

DAY    1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20
url1   ✔  ✔  ✔  X  ✔  ✔  X  ✔  X  ✔  ✔  ✔  X  X  ✔  ✔  ✔  ✔  ✔  ✔
url2   X  ✔  X  X  X  ✔  X  X  X  X  X  X  X  ✔  X  X  ✔  X  X  X
url3   ✔  ✔  ✔  X  ✔  ✔  X  X  ✔  ✔  ✔  X  X  X  ✔  X  X  ✔  X  ✔
url4   X  X  ✔  ✔  ✔  X  ✔  ✔  ✔  ✔  X  X  X  X  X  X  ✔  ✔  X  ✔

✔ active, X stop

Malware hash record

We found certain characteristics. Malware hash table: we recorded which file was downloaded on each active day (capital letters stand for the malwareʼs hash; "." marks a stop day with no download).
• unchanged (url1, url2)
• every-time changed (url3)
• changed occasionally (url4)

DAY    1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20
url1   A  A  A  .  A  A  .  A  .  A  A  A  .  .  A  A  A  A  A  A
url2   .  B  .  .  .  B  .  .  .  .  .  .  .  B  .  .  B  .  .  .
url3   C  D  F  .  G  H  .  .  I  J  K  .  .  .  L  .  .  M  .  N
url4   .  .  O  O  O  .  P  O  O  O  .  .  .  .  .  .  O  O  .  R

Category1 “unchanged”
• example: hxxp://www.xunlei333.com/xl_28413.exe
• Figure: number of malware over time; only one sha1 hash value is ever seen.

Category2 “every-time changed”
• example: hxxp://download.veterants.info/index.html?e=tnfd9&clsb=1&publisher=11206&prv=TinyWallet&sfx=1&hid=16977029731406196910&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&ne=1&prs=4&
• Figure: number of malware over time; the sha1 hash value changes every time.

Category3 “changed occasionally”
• example: hxxp://proxy.piratenpartij.nl/web.icm.cn/vote/install_flash_player_active_x.exe
• Figure: number of malware over time; most of the time the same hash value, with a different hash value sometimes.

In order to decide appropriate methods or period for blacklisting malware download sites, we defined three categories focusing on the variation of malware and divided the URLs by this definition:
• UNC: unchanged
• ETC: every-time changed
• COC: changed occasionally

Total number of URLs: 43,034. Observation period: 1.5 years.
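The following is an added example, not code from the talk, that re-creates the url1–url4 status and hash tables above and assigns UNC / ETC / COC automatically. The thresholds it uses (one distinct hash = UNC; a different hash on every consecutive download = ETC; anything in between = COC) are this exampleʼs reading of the category names; the talk does not state them, and a URL seen on fewer than two days can only be called "unchanged so far".

```python
from collections import Counter

# Constructed sample mirroring the two slide tables (url1..url4 are the
# slide's labels, not real sites): a 20-day status row per URL ('✔' active,
# 'X' stop) and one hash "letter" per active day, as the slide draws them.
STATUS = {
    "url1": "✔✔✔X✔✔X✔X✔✔✔XX✔✔✔✔✔✔",
    "url2": "X✔XXX✔XXXXXXX✔XX✔XXX",
    "url3": "✔✔✔X✔✔XX✔✔✔XXX✔XX✔X✔",
    "url4": "XX✔✔✔X✔✔✔✔XXXXXX✔✔X✔",
}
HASHES = {
    "url1": "AAAAAAAAAAAAAAA",
    "url2": "BBBB",
    "url3": "CDFGHIJKLMN",
    "url4": "OOOPOOOOOR",
}


def align_hashes(status, hashes):
    """Put the compact hash row back onto the day grid: one hash per active
    day (the reading of the slide assumed here), so map active positions to
    hashes and refuse rows that do not line up."""
    active_days = [day for day, s in enumerate(status, start=1) if s == "✔"]
    if len(active_days) != len(hashes):
        raise ValueError("expected exactly one hash per active day")
    return dict(zip(active_days, hashes))


def hash_change_days(status, hashes):
    """Days on which the downloaded file differed from the previous download."""
    by_day = align_hashes(status, hashes)
    days = sorted(by_day)
    return [d for prev, d in zip(days, days[1:]) if by_day[d] != by_day[prev]]


def classify(hashes):
    """Assign UNC / ETC / COC from the hash sequence over active days.
    Rule used in this example (the slide names the categories, not the
    thresholds): one distinct hash -> UNC; a different hash on every
    consecutive download -> ETC; anything in between -> COC."""
    seq = list(hashes)
    if len(set(seq)) <= 1:
        return "UNC"          # also the only claim possible for a single sighting
    changes = sum(1 for a, b in zip(seq, seq[1:]) if a != b)
    return "ETC" if changes == len(seq) - 1 else "COC"


def classify_all(status_table, hash_table):
    """Category per URL, after checking both tables agree on the active days."""
    return {name: classify(align_hashes(status_table[name], hash_table[name]).values())
            for name in status_table}


def category_counts(status_table, hash_table):
    """Population per category, the base over which a per-category CDF is drawn."""
    return dict(Counter(classify_all(status_table, hash_table).values()))


if __name__ == "__main__":
    for name, cat in classify_all(STATUS, HASHES).items():
        print(name, cat, "hash changed on days",
              hash_change_days(STATUS[name], HASHES[name]))
    print(category_counts(STATUS, HASHES))
```

On the slideʼs data this yields url1 and url2 as UNC, url3 as ETC and url4 as COC, with url4ʼs hash changing on days 7, 8 and 20 only.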

16

Analytical purpose and procedure

We analyzed features of the three categories UNC, ETC, and COC: lifetime, revived activity, IP address resources, malware variation, etc. We then considered the operation and resources of attackers and discussed how to mitigate each category.

17

Lifetime and Active days definition

• Lifetime: the period between the first and the last observation day (here we consider only the first and last day).
• Active days: the number of days the URL was active.

Example (our observation period: 1.5 years):
• URL A: active on 4 days spread over 20 days: Lifetime 20, Active days 4
• URL B: active on 7 days spread over 40 days: Lifetime 40, Active days 7

Lifetime CDF

• 10% of UNC lives over 500 days.
• Lifetime: ETC < UNC, COC

Stop5, Stop10 definition

The number of continuous stopped-status runs:
• Stop5: runs of over 5 days
• Stop10: runs of over 10 days

Example (our observation period: 1.5 years):
• URL A: stop runs of 6 days and 13 days: Stop5 = 2, Stop10 = 1
• URL B: stop runs of 7 days, 12 days and 11 days: Stop5 = 3, Stop10 = 2

Stop5, Stop10 CDF

• 10% of COC revives over 15 times.
• Revive activity: ETC < UNC < COC

UniqIP CDF

• 2% of UNC used more than 180 IP addresses.

IP Entropy CDF

• IP variation: UNC < ETC < COC
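As an added example (not the talkʼs own analysis code), the following computes lifetime, active days, Stop5 / Stop10, unique IP count and IP entropy for the url1–url4 status rows from the status table, with constructed per-day IP addresses taken from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24. Three points are assumptions, since the slides define these measures only by example: lifetime is counted inclusively, only stop runs bounded by active days on both sides count (a stop the site revived from), and "IP entropy" is taken to be Shannon entropy of the IP distribution.

```python
import math
from collections import Counter

# Constructed sample: the slide's 20-day status rows ('✔' active, 'X' stop)
# for url1..url4, plus a made-up resolved IP per active day from the
# documentation ranges (192.0.2.0/24, 198.51.100.0/24).
STATUS = {
    "url1": "✔✔✔X✔✔X✔X✔✔✔XX✔✔✔✔✔✔",
    "url2": "X✔XXX✔XXXXXXX✔XX✔XXX",
    "url3": "✔✔✔X✔✔XX✔✔✔XXX✔XX✔X✔",
    "url4": "XX✔✔✔X✔✔✔✔XXXXXX✔✔X✔",
}
IPS = {
    "url1": ["192.0.2.10"] * 15,                                   # one IP all along
    "url2": ["192.0.2.20", "192.0.2.21"] * 2,                      # two IPs alternating
    "url3": ([f"198.51.100.{n}" for n in (1, 2, 3, 4)] * 3)[:11],  # four IPs rotating
    "url4": ["192.0.2.40"] * 9 + ["192.0.2.41"],                   # one IP, one outlier
}


def active_days(status):
    """1-based day numbers on which the URL served a file."""
    return [day for day, s in enumerate(status, start=1) if s == "✔"]


def lifetime(status):
    """Days from the first to the last active observation, inclusive
    (inclusive counting is this example's choice)."""
    days = active_days(status)
    return days[-1] - days[0] + 1 if days else 0


def stop_runs(status):
    """Lengths of maximal stop runs that lie between two active days, i.e.
    stops the site later revived from. Leading and trailing stops are not
    counted because no revival is visible for them (assumption)."""
    runs, current, seen_active = [], 0, False
    for s in status:
        if s == "✔":
            if seen_active and current:
                runs.append(current)
            current, seen_active = 0, True
        else:
            current += 1
    return runs


def stop_count(status, threshold):
    """Stop5 / Stop10: number of stop runs longer than `threshold` days."""
    return sum(1 for r in stop_runs(status) if r > threshold)


def ip_entropy(ips):
    """Shannon entropy in bits of the IP distribution over active days
    (assumed meaning of the slide's 'IP entropy'); 0.0 means a single IP."""
    counts = Counter(ips)
    total = sum(counts.values())
    if not total:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def metrics(status, ips):
    """All per-URL features of the slides in one record."""
    if len(ips) != len(active_days(status)):
        raise ValueError("expected one IP observation per active day")
    return {
        "lifetime": lifetime(status),
        "active_days": len(active_days(status)),
        "stop5": stop_count(status, 5),
        "stop10": stop_count(status, 10),
        "uniq_ip": len(set(ips)),
        "ip_entropy": round(ip_entropy(ips), 3),
    }


if __name__ == "__main__":
    for name in STATUS:
        print(name, metrics(STATUS[name], IPS[name]))
```

The Stop5 / Stop10 rule reproduces the slideʼs own examples: a row with stop runs of 6 and 13 days gives Stop5 = 2, Stop10 = 1, and runs of 7, 12 and 11 days give Stop5 = 3, Stop10 = 2. url1 comes out with entropy 0.0 and url2 with exactly 1 bit, which is the ordering the IP Entropy CDF is built on.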

Characteristics and countermeasure

Characteristics  | UNC          | ETC             | COC
Lifetime         | Longevity    | Short-lived     | Longevity
Revive           | NA           | NA              | many times
IP resource      | Substantial  | Fewer           | Substantial
IP variation     | Fewer        | Substantial     | Substantial
Activity         | NA           | Sparse          | Intensive
Malware          | Known        | Known           | Unknown
URL              | NA           | Long query part | NA
Countermeasure   | Blacklisting | TBD             | Blacklisting

Todayʼs contents

1. Internet malicious activity and blocking trend
2. Our analytical results
3. Suggestion and discussion

Suggestion - What should operators do?

• Full extermination of malicious sites is the most important thing.
• When operators receive abuse reports, they should take concrete action until the malicious site has disappeared completely.
• But according to [1], about 60% (12/19) of reports were not handled properly by ISPs:
  • case1: no reply.
  • case2: unable to locate an abuse@domain address in WHOIS.
  • case3: good case! the site was immediately disconnected.
  • case4: forwarded to the customer by the ISP, but the server was still alive.

[1] Antonio Nappa, M. Zubair Rafique, Juan Caballero. The MALICIA dataset: identification and analysis of drive-by download operations. <https://lirias.kuleuven.be/bitstream/123456789/464045/1/malicia_dataset.pdf>

Suggestion - What should ISPs do?

• Todayʼs increasing Internet use has become plagued by malicious activity such as the exploit-as-a-service model.
• It is important to consider an IP or FQDN block service such as the “malware block service” of NTTcom OCN.
• IP or FQDN blocking has an over-blocking problem, so in addition to IP and FQDN blocking, it is desirable to use URL blocking.

Suggestion - What should ISPs do?

Figure: the same User / Attacker picture as on the OCN malware block service slide, now with two blocking points inside the ISP: a DNS server based on an FQDN blacklist and an L7 firewall based on a URL blacklist, together stopping the evil traffic (personal information, credit card numbers, etc.) from the Malware to the C&C server while legitimate traffic passes.

This is a simple image, only my opinion.

Discussion - FQDN, IP, and URL blocking

• Our survey shows that URL blacklisting is effective for some malicious sites: UNC and COC, and especially COC, which provides unknown malware.
• URL blacklisting on ISPs? High operation cost? Do you think it is a realistic way?
• How about FQDN blacklisting on ISPs? How about domain, IP address, AS? Is a combination important?

Thank you very much.

Any questions?