Characteristic of Malware Site and its Blocking Countermeasure
Apricot 2017
Yasuyuki Tanaka, CISSP
Institute of Information Security (IISEC) / NTT Communications Corporation
1
Todayʼs contents
1. Internet malicious activity and blocking trend
2. Our analytical results
3. Suggestion and discussion
2
Drive-by-download infection chain
3
[Figure: the drive-by-download infection chain. Labels: Compromised Site, Affiliate, Advertising, Attackerʼs Resources, Legitimate Service, HIY model, Malware Owner, Exploit Pack Developer, Exploit as a Service model, Pay Per Install model, Malvertising model, Victims.]
How to infect?
• Drive-by-download consists of three factors: landing site, exploit site, and malware download site.
4
[Figure: several landing sites, one exploit site and one malware download site, with the redirection steps ①, ②, ③ and ④ that end at the victim PC.]
Characteristics of each site
5

| Site | Characteristics |
|---|---|
| Landing site | exists in a legitimate service; redirects to the exploit site; short-lived |
| Exploit site | made with a web attack toolkit; referrer is the landing site; short-lived |
| Malware download site | repeatedly runs and stops; changes malware; long-lived |

In this paper we focused on the malware download site.
OCN malware block service
• In Feb. 2016, NTT Communications started offering users of the internet service provider OCN a free malware blocker service, the first ISP in Japan to offer such a service.
6
[Figure: the userʼs legitimate traffic passes, while evil traffic (malware contacting the attackerʼs C&C server and leaking personal information, credit card numbers, etc.) is blocked by a DNS server based on an FQDN blacklist.]
FQDN Block vs URL Block
7

| block method | FQDN block | URL block |
|---|---|---|
| intelligence to use | FQDN blacklist | URL blacklist |
| apply device example | DNS, /etc/hosts | L7 firewall |
| pros | lightweight, simple | detailed operation |
| cons | over blocking | complexity, high cost |
Over blocking problem
8
[Figure: five URLs under the same host, http://www.aaa.com/111/222.php, http://www.aaa.com/aaa/z.php, http://www.aaa.com/111/a.js, http://www.aaa.com/111/222.exe and http://www.aaa.com/yyy/zzz, of which two are malicious sites and three are benign sites. An FQDN block of www.aaa.com blocks all five, so the three benign URLs are OVER BLOCKED.]
Todayʼs contents
1. Internet malicious activity and blocking trend
2. Our analytical results
3. Suggestion and discussion
9
Check malware download URL status
10
[Figure: every day, a high-interaction web crawler checks many malware download sites and records each site's status as Active or Stop; the downloaded file is scanned with multiple anti-virus products and labelled Malicious or Benign.]
• In order to decide appropriate methods or periods for blacklisting malware download sites, we check the status of malware download sites every day.
• Total number of URLs: 43,034.
• Observation period: 1.5 years.
Status record
• Status table: we recorded the status of each URL every day.
• Short stop spans (url1), long stop spans (url2, url4).
11

| DAY | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| url1 | ✔ | ✔ | ✔ | X | ✔ | ✔ | X | ✔ | X | ✔ | ✔ | ✔ | X | X | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| url2 | X | ✔ | X | X | X | ✔ | X | X | X | X | X | X | X | ✔ | X | X | ✔ | X | X | X |
| url3 | ✔ | ✔ | ✔ | X | ✔ | ✔ | X | X | ✔ | ✔ | ✔ | X | X | X | ✔ | X | X | ✔ | X | ✔ |
| url4 | X | X | ✔ | ✔ | ✔ | X | ✔ | ✔ | ✔ | ✔ | X | X | X | X | X | X | ✔ | ✔ | X | ✔ |

✔ active, X stop
Malware hash record
12
• We found certain characteristics.
• Malware hash table: we recorded which files were downloaded.
• Unchanged (url1, url2), every-time changed (url3), changed occasionally (url4).

| URL | hash of the file downloaded on each active day, in order |
|---|---|
| url1 | A A A A A A A A A A A A A A A |
| url2 | B B B B |
| url3 | C D F G H I J K L M N |
| url4 | O O O P O O O O O R |

Capital letters: malwareʼs hash (each letter is one hash value).
Category 1 "unchanged"
• hxxp://www.xunlei333.com/xl_28413.exe
13
[Figure: number of malware over time; only one SHA-1 hash value is observed during the whole period.]
Category 2 "every-time changed"
• hxxp://download.veterants.info/index.html?e=tnfd9&clsb=1&publisher=11206&prv=TinyWallet&sfx=1&hid=16977029731406196910&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&ne=1&prs=4&
14
[Figure: number of malware over time; the SHA-1 hash value changes every time.]
Category 3 "changed occasionally"
• hxxp://proxy.piratenpartij.nl/web.icm.cn/vote/install_flash_player_active_x.exe
15
[Figure: number of malware over time; most of the time the same hash value, with a different hash value sometimes.]
• In order to decide appropriate methods or periods for blacklisting malware download sites, we defined three categories focusing on the variation of malware.
• We divided the URLs according to this definition:
  • UNC: unchanged
  • ETC: every-time changed
  • COC: changed occasionally
• Total number of URLs: 43,034.
• Observation period: 1.5 years.
16
Analytical purpose and procedure
• We analyzed features in the three categories UNC, ETC, and COC: lifetime, revived activity, IP address resource, malware variation, etc.
• We considered the operation and resources of attackers and discussed how to mitigate these categories.
17
Analytical purpose and procedure
Lifetime and Active days definition
• Lifetime: the period between the first and last observation day (here we consider the first and last day only).
• Active days: the number of active days.
18
[Figure: within our 1.5-year observation period, URL A has a lifetime of 20 days with 4 active days; URL B has a lifetime of 40 days with 7 active days.]
Stop5, Stop10 definition
• The number of continuous stopped statuses:
  • Stop5: over 5 days
  • Stop10: over 10 days
20
[Figure: within our 1.5-year observation period, URL A has stopped spans of 6 and 13 days (Stop5: 2, Stop10: 1); URL B has stopped spans of 7, 12 and 11 days (Stop5: 3, Stop10: 2).]
24
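The status record, the malware hash record and the lifetime, active-days and Stop5/Stop10 definitions above can all be computed from the daily status table. The following Python is an added example, not the authorsʼ analysis code; it embeds the four sample URLs from the slides as constructed data and assumes that lifetime runs from the first to the last active day inclusive, that only stopped runs between two active days count, and that "over N days" means N days or more.

```python
# Added example (not the slide authors' code): lifetime, active days,
# Stop5/Stop10 and UNC/ETC/COC classification computed from the sample
# status and hash tables on the slides (constructed data, days 1..20).
# Status string: "1" = active (✔), "0" = stopped (X).
STATUS = {
    "url1": "11101101011100111111",
    "url2": "01000100000001001000",
    "url3": "11101100111000100101",
    "url4": "00111011110000001101",
}
# One letter per active day in order; each letter is one SHA-1 value.
HASHES = {"url1": "AAAAAAAAAAAAAAA", "url2": "BBBB",
          "url3": "CDFGHIJKLMN", "url4": "OOOPOOOOOR"}

def lifetime(status):
    # Days from first to last active observation, inclusive (assumed
    # reading of "period of first and last observation day").
    active = [d for d, s in enumerate(status, start=1) if s == "1"]
    return active[-1] - active[0] + 1 if active else 0

def active_days(status):
    return status.count("1")

def stop_runs(status):
    # Lengths of continuous stopped runs between two active days; stops
    # before the first or after the last active day lie outside the
    # lifetime and are ignored (assumption).
    return [len(run) for run in status.strip("0").split("1") if run]

def stop_count(status, threshold):
    # StopN: stopped runs of at least `threshold` days ("over N days"
    # read as N or more; assumption).
    return sum(1 for run in stop_runs(status) if run >= threshold)

def category(hashes):
    # UNC: one hash only; ETC: a new hash on every download; COC: otherwise.
    distinct = len(set(hashes))
    if distinct <= 1:
        return "UNC"
    return "ETC" if distinct == len(hashes) else "COC"

def summarize(url):
    st = STATUS[url]
    return {"lifetime": lifetime(st), "active_days": active_days(st),
            "stop5": stop_count(st, 5), "stop10": stop_count(st, 10),
            "category": category(HASHES[url])}

if __name__ == "__main__":
    for url in STATUS:
        print(url, summarize(url))
```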
Characteristics and countermeasure

| Characteristics | UNC | ETC | COC |
|---|---|---|---|
| Lifetime | Longevity | Short-lived | Longevity |
| Revive | NA | NA | many times |
| IP resource | Substantial | Fewer | Substantial |
| IP variation | Fewer | Substantial | Substantial |
| Activity | NA | Sparse | Intensive |
| Malware | Known | Known | Unknown |
| URL | NA | Long query part | NA |
| Countermeasure | Blacklisting | TBD | Blacklisting |
Todayʼs contents
1. Internet malicious activity and blocking trend
2. Our analytical results
3. Suggestion and discussion
25
Suggestion - What should operators do?
• Full extermination of malicious sites is the most important thing.
• When operators receive abuse reports, they should take concrete action until the malicious site disappears fully.
• But according to [1], about 60% (12/19) of reports were not handled properly by ISPs.
  • case 1: no reply.
  • case 2: unable to locate an abuse@domain in WHOIS.
  • case 3: good case! The site was immediately disconnected.
  • case 4: forwarded to the customer by the ISP, but the server was still alive.
26
[1] Antonio Nappa, M. Zubair Rafique, Juan Caballero. The MALICIA dataset: identification and analysis of drive-by download operations. <https://lirias.kuleuven.be/bitstream/123456789/464045/1/malicia_dataset.pdf>
Suggestion - What should ISPs do?
• Todayʼs increasing Internet use has become plagued by malicious activity such as the exploit-as-a-service model.
• Itʼs important to consider an IP or FQDN block service such as the "malware block service" of NTTcom OCN.
• IP or FQDN blocking has the over blocking problem, so in addition to IP and FQDN blocking it is desirable to use URL blocking.
27
28
Suggestion - What should ISPs do?
[Figure: the userʼs legitimate traffic passes, while evil traffic (malware contacting the attackerʼs C&C server and leaking personal information, credit card numbers, etc.) is blocked by a DNS server based on an FQDN blacklist and an L7 firewall based on a URL blacklist.]
This is a simple image and only my opinion.
Discussion - FQDN, IP, and URL blocking
• Our survey shows that URL blacklisting is effective for some malicious sites: UNC and COC, and especially COC, which provides unknown malware.
• URL blacklisting on an ISP? High operation cost? Do you think it is a realistic way?
• How about FQDN blacklisting on an ISP? How about domain, IP address, AS? Is a combination important?
29