Watchtowers of the Internet: Analysis of Outbound Malware Communication, Stephan Chenette, Principal Security Researcher, (@StephanChenette) & Armin Buescher, Security Researcher
With advanced malware, targeted attacks, and advanced persistent threats, it’s not IF but WHEN a persistant attacker will penetrate your network and install malware on your company’s network and desktop computers. To get the full picture of the threat landscape created by malware, our malware sandbox lab runs over 30,000 malware samples a day. Network traffic is subsequently analyzed using heuristics and machine learning techniques to statistically score any outbound communication and identify command & control, back-channel, worm-like and other types of traffic used by malware.
Our talk will focus on the setup of the lab, major malware families as well as outlier malware, and the statistics we have generated to give our audience an exposure like never before into the details of malicious outbound communication. We will provide several tips, based on our analysis to help you create a safer and more secure network.
Stephan Chenette is a principal security researcher at Websense Security Labs, specializing in research tools and next generation emerging threats. In this role, he identifies and implements exploit and malcode detection techniques.
Armin Buescher is a Security Researcher and Software Engineer experienced in strategic development of detection/prevention technologies and analysis tools. Graduated as Dipl.-Inf. (MSc) with thesis on Client Honeypot systems. Interested in academic research work and published author of security research papers.
1. Websense Security Labs
Stephan Chenette, Armin Buescher
WATCH TOWERS OF THE INTERNET
ANALYSIS OF OUTBOUND MALWARE COMMUNICATION
(c) 2012 Websense Security Labs.
2. Who we are
Stephan Chenette (Northeastern Grad.)
Security Researcher, UCSD M.S.
Vulnerabilities, Reversing, Coding
Armin Buescher
Security Researcher, M.S.
AV, Reversing, Coding
R&D and Malware/Exploit Research
3. Essentials of this Talk
• Malware Lab
• Observations of Malware
Communication
• Clustering
4. Current State of Affairs
Companies are concerned about targeted attacks
...and for good reason.
• A persistent attacker will eventually penetrate your
network
• Malware will be installed
• Most malware will eventually communicate
outbound *
(* unless the end goal of the attacker is complete destruction of data, malware will be used as the communication mechanism
back to C&C)
(c) 2012 Websense Security Labs.
5. Current State of Affairs
Most important to you as a network administrator:
• Knowledge of what machines are infected
• Prevention of important information leaving your
network
6. Value of this Presentation
Better understanding of
Outbound Malware Communication
Deep dive into threats that are
present against or on your network
11. Our Philosophy
• Don't run around trying to find a
particular bot/variant
Run Everything!
• Then figure out what it is…
• Spam Bots
• Network Worms
• File Infectors
• Etc.
(c) 2012 Websense Security Labs.
12. Malware Samples
Typically received 30-70k samples/day
For this presentation we took a small
representative daily subset totaling
~155,000
malware files to sample from
13. Malware Samples
How to Classify Samples...
DO NOT USE -- AV-Names **
• e.g. Trojan.Win32.Downloader
DO USE -- CLUSTERING
• Behavior Analysis/Network Analysis
** (AV-names are avoided as main use of classification when possible)
28. Generic Trojan Downloader?
• GEO/IP Lookup from a P0rn site
• C&C traffic uses DGA to “sign” botnet
traffic via host header
• P2P communication over port 443
• Zaccess Dropper! (Sophos/Kaspersky)
• Future versions with the same network
behavior can be profiled
29. GEO/IP lookup
• 2,744 samples in our malware set use
fling.com to look up geo-location
• 177 different AV detection variants
• …clustering might have put this in the
same grouping?
31. K = (bot id) only replies if k is present!
Returns instructions to DoS two targets
03 – DoS (Attack mode)
50 – Number of Threads
60 – Timeout (s) for the next C&C Request
DoS:
smcae.com:3306
&
http://tonus.crimea.ua
34. Results
• DirtJumper Botnet
• Request commands via HTTP (unencrypted!)
• DoS on mysql (3306), no SQL content
• DoS on http (80), GET request
35. Manual Analysis
• Good for deep-dive of a particular binary
e.g. Flashback Mac OS X malware to
find DGA
• But not good for mass analysis of large
number of samples daily
• …Clustering
51. Malware Communication
• Most Malware uses browser user-agent strings
• >17% have empty user-agent strings!
• 85% use a user-agent of a browser not
present on the system
55. User-Agent / HTTP GET
Dalvik/1.4.0 (Linux; U; Android 2.3.4;
BlueStacks-c4afa5ac-7f39-11e1-b41e-
001676aa4685 Build/GRJ22)rn
GET
/public/appsettings/updates.txt
…Essential to have a large sample set of
both benign and malicious examples
58. User-Agents
• Mozilla/6.0 (iPhone; U; CPU
iPhone OS 3_0 like Mac OS X;
en-us)
• Mozilla/1.22 (compatible; MSIE
2.0; Windows 95)
• darkness
• N0PE
• Trololo
60. Net. Clustering Features
• Basic Network communication features
• Protocols
• Timing
• Encryption
• Encoding (e.g. BASE64)
• DNS features
• Number of lookups
61. Net. Clustering Features
• HTTP features
• Number of requests
• Request method (POST/GET/…)
• MIME types (server/real)
• URL
• User-agent
• Etc.
63. DDoS malware Dirt Jumper
• Clustering w. network
behavior:
• found ~900 DJ samples
• Identified 90 unique
C&C URLs
Led to research paper “Tracking DDoS, Insights into the
business of disrupting the Web” accepted at LEET
academic conference for publication
64. Distinguishing families
• Downloaders w.
similar behavior
• Categorizing
unknown samples:
• ~85% precision
• Two families
65. Banking Trojan Zbot
• Zoom into cluster
w. network
behavior “Zbot”
• Clusters:
• Alive & kickin’
• Domain killed
• Server killed
66. Conclusion
Telemetry = System behavior + Network behavior
• Automated deep analysis of network
behavior is underrated
• Paint full picture of analyzed malware!
• AV Names don’t always represent
functionality
67. Conclusion II
• Clustering on network behavior analysis
• Identify malware communication techniques
• Obviously malicious
• Generic
• Sophisticated
• Clustering…yes! Just remember
sophisticated might just mean generic!