(Week 1-5) Lorenzo Cavallaro (ISG@RHUL) Malware and its Underground Economy
BotMiner
Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection
A botnet is characterized by
- C&C communication
- Malicious activities
Botnet structure
- Centralized
- P2P
Assumptions
Bots within the same botnet are characterized by similar malicious activities and C&C communications
Architecture
C-Plane Monitor
The C-plane monitor captures network flows and records who is talking to whom. Each flow contains:
- Time, duration
- IP, port
- Number of packets
- Bytes transferred
A-Plane Monitor
C-Plane Clustering
Responsible for:
- Reading the logs generated by the C-plane monitor
- Finding clusters of machines that share similar communication patterns
It performs basic filtering, white listing and multi-step clustering.
A-Plane Clustering
Cross-plane Correlation
The idea is to cross-check the clusters found in the two planes and look for intersections. A score s(h) is computed for each host h, and hosts whose score exceeds a threshold are reported as bots.
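The cross-plane step, as an added example (this is not the BotMiner authors' code, and the cluster data is constructed). It scores each host by how strongly the A-plane clusters it belongs to overlap with each other and with its C-plane clusters, in the spirit of the paper's s(h); the Jaccard overlap used as the cluster similarity, the uniform cluster weights, and the 0.5 threshold are assumptions of this example, not values from the paper.

```python
from itertools import combinations

# Constructed cluster output (example data, not from the paper's traces).
# C-plane: hosts with similar communication patterns (who talks to whom, how often).
C_PLANE = {
    "C1": {"h1", "h2", "h3", "h4"},
    "C2": {"h5", "h6"},
}
# A-plane: hosts that performed similar malicious activity (scanning, spamming).
A_PLANE = {
    "A_scan": {"h1", "h2", "h3"},
    "A_spam": {"h2", "h3", "h4", "h9"},
}


def overlap(x, y):
    """Cluster similarity t(X, Y): fraction of hosts common to both clusters
    (Jaccard index; an assumption, the paper defines its own measure)."""
    return len(x & y) / len(x | y)


def botnet_scores(c_plane, a_plane, weight=lambda name: 1.0):
    """Score every host that appears in at least one A-plane cluster:
       s(h) = sum over A-cluster pairs containing h of w(Ai) w(Aj) t(Ai, Aj)
            + sum over (A-cluster, C-cluster) pairs containing h of w(Ai) w(Ck) t(Ai, Ck)
    w() is an activity weight; uniform here (assumption)."""
    scores = {}
    for h in set().union(*a_plane.values()):
        a_in = [n for n, members in a_plane.items() if h in members]
        c_in = [n for n, members in c_plane.items() if h in members]
        s = 0.0
        for i, j in combinations(a_in, 2):            # two activities on the same host
            s += weight(i) * weight(j) * overlap(a_plane[i], a_plane[j])
        for i in a_in:                                 # activity + matching C&C pattern
            for k in c_in:
                s += weight(i) * weight(k) * overlap(a_plane[i], c_plane[k])
        scores[h] = s
    return scores


def flag_bots(scores, threshold=0.5):
    """Hosts above the threshold; a host seen in only one plane never scores."""
    return {h for h, s in scores.items() if s >= threshold}


def group_by_cplane(bots, c_plane):
    """Flagged hosts that share a C-plane cluster are reported as one botnet."""
    return {name: members & bots for name, members in c_plane.items() if members & bots}


if __name__ == "__main__":
    scores = botnet_scores(C_PLANE, A_PLANE)
    bots = flag_bots(scores)
    print({h: round(s, 2) for h, s in sorted(scores.items())})
    print("botnets:", group_by_cplane(bots, C_PLANE))
```

h9 is the case the slides' "cannot detect single infection" caveat refers to: it spams, but shares no C-plane cluster with anyone, so it scores 0. h5 and h6 talk like C1's hosts but show no activity and are never scored at all.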
Experiments
BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection. Gu, Guofei and Perdisci, Roberto and Zhang, Junjie and Lee, Wenke. In Proceedings of the 17th USENIX Security Symposium, 2008.
Pros
- Not bound to a particular infection life-cycle
- Correlation between communication and activity traffic
- Content payload-oblivious
Cons
- Cannot detect a single infection
- Requires the presence of noisy behavior to start the detection
Pros
- Detects a single infection
Cons
- Bound to a particular infection life-cycle
- C&C-structure dependent
- Content-based payload inspection
- Requires the presence of noisy behavior to start the detection
High-level idea
Analyze network traces of bots to highlight interesting behaviors. What is an interesting behavior?
- C&C communication
- Information theft
- Egg download
- ...
These are usually low-pace and stealthy activities, and generally difficult to infer!
Simple Observation
Network flows, not packets, describe a process's network behavior. Mining properties from heterogeneous flows can be hard, so group similar flows together: similar flows should describe a similar network behavior, and it is easier to infer cluster-level properties.
- Intra-cluster analysis to infer time-related properties
- Inter-cluster correlation analysis, when possible
  - To optimize the results of the intra-cluster analysis
  - To discover interesting behaviors in the absence of time-related properties
Resulting properties
- Network-based behavior models are automatically generated
- No payload content inspection, i.e., encryption-oblivious
- Individual infected host detection
- Not triggered by noisy behavior
- C&C-structure independent
The Framework
Figure: the framework pipeline. Malware -> Network behavior monitoring -> Flow clustering -> Cluster analysis -> Optimization -> Behavioral models. Each flow is a vector of properties, f_i = <p_1, p_2, ..., p_n>; flow clustering groups flows into clusters C_i = <f_1, f_2, ..., f_n>, with C = {C_i}; cluster analysis mines the bot's network behaviors A_1, A_2, ..., A_n from those clusters.
(x , y )2
x ,y N
a , b F
|x y | 0 (x , y ) = 1
Intra-cluster Analysis
Goal: to mine time-related characteristics among similar flows. The flows F in a cluster c are ordered by their timestamps, and the differences Δ between consecutive flows' timestamps are computed. If
(a) the Kolmogorov-Smirnov test K-S(Δ, X) holds,
then c is said to be periodic, with a periodicity that follows a sampling drawn from a known probability distribution X. In our experiments, X = U(Δ_min, Δ_max), where U(·, ·) is the uniform probability distribution defined between the min and max timestamp differences encountered.
Intra-cluster Analysis: Optimization
Performance constraint for online detection: the Kolmogorov-Smirnov test can be computationally intense. We generally observe well-defined period(s) per cluster, and often just one period is observed (e.g., Torpig bots).
Behavior Detection
Network behavior detection model generation: detection models are generated automatically as Bro NIDS policies. Detecting a bot's behavior consists in verifying
- flow-cluster membership
- the flow(s)-cluster time-related properties
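The intra-cluster analysis and the detection step above, as an added example that is not the lecture's or the technical report's code. It clusters a constructed flow log, runs a one-sample Kolmogorov-Smirnov test of the inter-flow gaps Δ against U(Δ_min, Δ_max), keeps the learned period range as the behavior model, and then checks new flows for cluster membership and for the time-related property. Assumptions: flows are clustered on (destination, port) rather than on the full feature vector; "the K-S test holds" is read as "the statistic D stays below the 5% critical value 1.36/sqrt(n)"; the model is a Python dict rather than a Bro policy; all flow data is constructed.

```python
import math
from collections import defaultdict

# Constructed flow log: (timestamp_s, src, dst, dport). Example data, not a real trace.
BEACON_DELTAS = [60, 61, 59, 60, 62, 58, 60, 61, 59, 60]   # C&C-like, near-constant gaps
BROWSING_DELTAS = [1, 2, 3, 300, 5, 1, 400, 2, 1, 3]        # bursty, user-driven gaps


def make_flows(start, src, dst, dport, deltas):
    """Turn a list of inter-flow gaps into timestamped flows."""
    t, flows = start, [(start, src, dst, dport)]
    for d in deltas:
        t += d
        flows.append((t, src, dst, dport))
    return flows


FLOWS = (make_flows(1000, "10.0.0.5", "198.51.100.7", 443, BEACON_DELTAS)
         + make_flows(1000, "10.0.0.5", "203.0.113.20", 80, BROWSING_DELTAS))


def cluster_flows(flows):
    """Flow-clustering stand-in: group by (dst, dport). The report clusters on
    flow features; this key is an assumption that keeps the example short."""
    clusters = defaultdict(list)
    for ts, src, dst, dport in flows:
        clusters[(dst, dport)].append(ts)
    return clusters


def ks_uniform(deltas, alpha_coeff=1.36):
    """One-sample Kolmogorov-Smirnov test of the gaps against X = U(min, max).
    Returns (D, D_crit, holds); D_crit is the large-sample 5% value 1.36/sqrt(n)."""
    xs = sorted(deltas)
    n = len(xs)
    lo, hi = xs[0], xs[-1]
    crit = alpha_coeff / math.sqrt(n)
    if hi == lo:                          # identical gaps: perfectly periodic
        return 0.0, crit, True
    d = 0.0
    for i, x in enumerate(xs, start=1):
        f = (x - lo) / (hi - lo)          # CDF of U(lo, hi) at x
        d = max(d, i / n - f, f - (i - 1) / n)   # gap to the empirical CDF step
    return d, crit, d <= crit


def periodicity(timestamps):
    """(delta_min, delta_max) if the cluster is periodic, else None."""
    ts = sorted(timestamps)
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    if len(deltas) < 5:                   # too few gaps to test (assumption)
        return None
    _, _, holds = ks_uniform(deltas)
    return (min(deltas), max(deltas)) if holds else None


def build_models(flows):
    """Behavior model per cluster: its period range, or None when aperiodic."""
    return {key: periodicity(ts) for key, ts in cluster_flows(flows).items()}


def detect(models, new_flows):
    """Detection = (1) flow-cluster membership and (2) the time-related property:
    consecutive flows of a host to that cluster arrive with a gap inside the
    learned [min, max]. Returns the (src, cluster) pairs that match."""
    last_seen, hits = {}, set()
    for ts, src, dst, dport in sorted(new_flows):
        key = (dst, dport)
        period = models.get(key)
        if period is None:
            continue                      # (1) unknown cluster, or aperiodic one
        prev = last_seen.get((src, key))
        if prev is not None and period[0] <= ts - prev <= period[1]:
            hits.add((src, key))          # (2) gap matches the learned period
        last_seen[(src, key)] = ts
    return hits


if __name__ == "__main__":
    models = build_models(FLOWS)
    print(models)   # the 443 cluster gets (58, 62); the web cluster gets None
    probe = make_flows(5000, "10.0.0.9", "198.51.100.7", 443, [60, 59, 61])
    print(detect(models, probe))
```

The single-period optimization from the slides shows up naturally here: once a cluster has one well-defined period, the model is just an interval, and the online check is a subtraction and a comparison per flow rather than a K-S test.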
Evaluation
Goal: to show that the models detect bots with very low false positives.

Network        Swiss ISP      Greek University
Trace          77.96 TB       835.78 TB
# Conns        541,466,576    5,259,757,228
Days           2              62
IP Space       786,420        4,096
IPs Flagged    8              6
Alerts         8              42
Alerts/Day     4.00           0.67
Evaluation
Model Generalization: how much can our detection models generalize?
Figure: Models Coverage. x-axis: training set (% of total models), from 0.3 to 0.8; y-axis: % coverage, from 0 to 1.
Training set: randomly-selected models out of 308 IRC-based models, at different percentages, i.e., from 30% to 80%.
Source: Mining the network behavior of bots. Lorenzo Cavallaro, Christopher Kruegel, and Giovanni Vigna. Technical Report 2009-12, Department of Computer Science, University of California, Santa Barbara (UCSB), 2009.
Rootkits (Hide your Malware)

Rootkits
A rootkit is a tool used to hide the presence of malware on a system from the system administrator. What to hide:
- Files
- Registry keys
- Services
Figure: user-space vs kernel-space rootkits (applications sit above the kernel boundary; a rootkit can hook at either level).
Jun 17, 2013, Week 1-5
Rootkit: hooking
Hijack the flow of execution by modifying a code pointer. Examples:
- User-space: IAT (Import Address Table)
- Kernel-space: IDT (Interrupt Descriptor Table), MSR (e.g., the SYSENTER target register), SSDT (System Service Descriptor Table)
Figure: IDT hooking. An interrupt is dispatched through the IDT to &handler_i; after hooking, the IDT entry points to &handler_m, a malicious handler.
Problems
- It is not possible to do filtering
- System calls cannot be intercepted if sysenter/syscall are used (they bypass the IDT)
- Easy to detect: if (IDT[0x2e] != KiSystemService) then ...
Figure: SSDT hooking. A system call entered via int/sysenter/syscall is dispatched through the SSDT to its handler; after hooking, the SSDT entry points to a malicious handler.
Inline hooking makes it possible to intercept the execution at multiple points, and it is more difficult to detect (there is no common hooking point). Original system call stub, before hooking:
    ...
    NtOpenFile:
        movl $0x74, %eax
        movl $0x7ffe0300, %edx
        nop
        call *%edx
        ret $0x18
    ...
After hooking, the six bytes of movl/nop have been overwritten with a push of the malicious handler's address followed by ret, which transfers control to the malicious handler before the real call ever happens:
    ...
    NtOpenFile:
        movl $0x74, %eax
        pushl $MaliciousHandler
        ret
        call *%edx
        ret $0x18
    ...
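The two detection ideas in this section, as an added example (not code from the lecture): the slides' IDT[0x2e] != KiSystemService check generalized to any pointer table (IDT, SSDT, IAT), and, for inline hooks where no common hooking point exists, a scan of a function's first bytes for planted control transfers plus a comparison against a known-good copy. The table snapshot, the address ranges, the service index 0x74 and the handler addresses are constructed assumptions; the two NtOpenFile stubs are the slide's assembly encoded as 32-bit x86 bytes.

```python
import struct

# Constructed snapshots (example data, not a real memory dump).
KERNEL_IMAGE = (0x80400000, 0x80600000)   # where legitimate handlers live (assumption)

# SSDT snapshot: service index -> handler address
SSDT_CLEAN = {0x74: 0x8056A1C0, 0x42: 0x80571F00}
MALICIOUS_HANDLER = 0xF8A01230            # inside a rogue driver (assumption)
SSDT_HOOKED = {**SSDT_CLEAN, 0x74: MALICIOUS_HANDLER}

# NtOpenFile stub from the slide, encoded:
#   mov eax, 0x74 ; mov edx, 0x7ffe0300 ; nop ; call edx ; ret 0x18
STUB_CLEAN = bytes.fromhex("B874000000" "BA0003FE7F" "90" "FFD2" "C21800")
#   mov eax, 0x74 ; push MaliciousHandler ; ret ; call edx ; ret 0x18
STUB_HOOKED = (bytes.fromhex("B874000000")
               + b"\x68" + struct.pack("<I", MALICIOUS_HANDLER) + b"\xC3"
               + bytes.fromhex("FFD2" "C21800"))


def pointer_hooks(table, valid_range):
    """Table-hook check (IDT / SSDT / IAT alike): every entry must point into the
    module that legitimately owns the handlers. Returns the offending entries."""
    lo, hi = valid_range
    return {idx: addr for idx, addr in table.items() if not lo <= addr < hi}


def inline_trampoline(code, window=16):
    """Byte-pattern heuristic for a control transfer planted near a function's
    entry: jmp rel32, jmp [mem32], or the slide's push imm32 / ret pair.
    Returns (offset, description) or None. A real scanner would disassemble."""
    for off in range(min(len(code), window)):
        w = code[off:]
        if w[:1] == b"\xE9" and len(w) >= 5:
            return off, "jmp rel32"
        if w[:2] == b"\xFF\x25" and len(w) >= 6:
            return off, "jmp [mem32]"
        if w[:1] == b"\x68" and len(w) >= 6 and w[5:6] == b"\xC3":
            target = struct.unpack("<I", w[1:5])[0]
            return off, "push imm32; ret -> 0x%08X" % target
    return None


def prologue_diff(code, known_good):
    """Cross-view check against a trusted copy (e.g. the on-disk image):
    first differing offset, or None when the bytes match."""
    for i, (a, b) in enumerate(zip(code, known_good)):
        if a != b:
            return i
    return None


if __name__ == "__main__":
    print("SSDT entries outside kernel image:", pointer_hooks(SSDT_HOOKED, KERNEL_IMAGE))
    print("trampoline in NtOpenFile:", inline_trampoline(STUB_HOOKED))
    print("first byte changed at offset:", prologue_diff(STUB_HOOKED, STUB_CLEAN))
```

The pointer check is cheap and catches IDT and SSDT hooks, but says nothing about an inline hook: SSDT_HOOKED and a clean SSDT paired with STUB_HOOKED are different cases, and only the byte-level checks see the second one. The push/ret pair is exactly six bytes, which is why the slide's stub has a nop after the five-byte movl: it gives the rootkit room to overwrite whole instructions.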
Figure: hiding a process. The EPROCESS objects for malware.exe and svchost.exe are shown as linked kernel objects (three animation steps).
Figure: hiding a kernel module. MODULE_ENTRY objects for malware.sys and pci.sys.
Before hiding:
C:\WINDOWS> drivers.exe
ModuleName    Code    Data   Bss   Paged    Init    LinkDate
...
ntfs.sys      96000   7040   0     412544   14080   Wed Aug 04 08:15:06 2004
malware.sys   3903    0      0     0        0       Sat Mar 13 02:22:32 2010
pci.sys       16000   1664   0     34176    5632    Wed Aug 04 08:07:45 2004
...
After hiding, malware.sys no longer appears in the listing:
C:\WINDOWS> drivers.exe
ModuleName    Code    Data   Bss   Paged    Init    LinkDate
...
ntfs.sys      96000   7040   0     412544   14080   Wed Aug 04 08:15:06 2004
pci.sys       16000   1664   0     34176    5632    Wed Aug 04 08:07:45 2004
...
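What the two drivers.exe listings show, as an added example that is not the lecture's code. The reading here is the standard one for EPROCESS / MODULE_ENTRY hiding: the object is spliced out of the kernel's doubly-linked list (direct kernel object manipulation), so a list walk such as drivers.exe no longer reaches it while the object itself stays allocated and running. The simulation uses a toy Entry class with flink/blink pointers and a constructed "pool" of three modules; the cross-view check compares the list walk with a scan of all allocated objects, which is how the hidden entry is recovered.

```python
class Entry:
    """Toy kernel object (stands in for EPROCESS / MODULE_ENTRY) carrying the
    LIST_ENTRY-style forward/backward links the OS uses to enumerate objects."""

    def __init__(self, name):
        self.name = name
        self.flink = None
        self.blink = None


def link(entries):
    """Build a circular doubly-linked list (like PsLoadedModuleList) and
    return its head."""
    for a, b in zip(entries, entries[1:] + entries[:1]):
        a.flink, b.blink = b, a
    return entries[0]


def unlink(e):
    """DKOM hiding: splice e out of the list. Its neighbours now point past it;
    e keeps pointing at itself so a later unlink of e does not corrupt others."""
    e.blink.flink, e.flink.blink = e.flink, e.blink
    e.flink = e.blink = e


def walk(head):
    """What drivers.exe / the task list sees: follow flink until back at head."""
    seen, cur = [], head
    while True:
        seen.append(cur.name)
        cur = cur.flink
        if cur is head:
            return seen


def pool_scan(pool):
    """Cross-view: every object found by scanning memory, list links ignored."""
    return [e.name for e in pool]


def hidden_objects(head, pool):
    """Objects present in memory but absent from the list walk."""
    return sorted(set(pool_scan(pool)) - set(walk(head)))


def demo():
    # Constructed module pool; names follow the slide's drivers.exe output.
    pool = [Entry("ntfs.sys"), Entry("malware.sys"), Entry("pci.sys")]
    head = link(pool)
    before = walk(head)                  # malware.sys is listed
    unlink(pool[1])                      # the rootkit hides its own module
    after = walk(head)                   # malware.sys is gone from the walk
    return before, after, hidden_objects(head, pool)


if __name__ == "__main__":
    before, after, hidden = demo()
    print("list walk before:", before)
    print("list walk after: ", after)
    print("hidden (pool scan minus list walk):", hidden)
```

Hiding by unlinking is the reason memory forensics tools scan for object signatures in pool memory instead of trusting the list: the list is the rootkit's view, the scan is the analyst's.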
Recommended Readings
[1] M. Antonakakis, R. Perdisci, Y. Nadji, N. Vasiloglou, S. Abu-Nimeh, W. Lee, and D. Dagon. From throw-away traffic to bots: detecting the rise of DGA-based malware. In Proceedings of the 21st USENIX Security Symposium, Security'12, pages 24-24, Berkeley, CA, USA, 2012. USENIX Association.
[2] L. Cavallaro, C. Kruegel, and G. Vigna. Mining the network behavior of bots. Technical Report 2009-12, Department of Computer Science, University of California at Santa Barbara (UCSB), CA, USA, July 2009.
[3] G. Gu, R. Perdisci, J. Zhang, and W. Lee. BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection. In Proceedings of the 17th USENIX Security Symposium, SS'08, pages 139-154, Berkeley, CA, USA, 2008. USENIX Association.
[4] R. Perdisci, W. Lee, and N. Feamster. Behavioral clustering of HTTP-based malware and signature generation using malicious network traces. In Proceedings of the 7th USENIX Conference on Networked Systems Design and Implementation, NSDI'10, pages 26-26, Berkeley, CA, USA, 2010. USENIX Association.

Suggested Readings
- M. Cova, C. Kruegel, and G. Vigna. Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code. In Proceedings of the World Wide Web Conference (WWW), 2010.
- A. Lanzi, M. I. Sharif, and W. Lee. K-Tracer: A system for extracting kernel malware behavior. In NDSS, 2009.
- E. Passerini, R. Paleari, L. Martignoni, and D. Bruschi. FluXOR: Detecting and monitoring fast-flux service networks. In Proceedings of the 5th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA'08, pages 186-206, Berlin, Heidelberg, 2008. Springer-Verlag.
- B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna. Your botnet is my botnet: analysis of a botnet takeover. In Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS'09, pages 635-647, New York, NY, USA, 2009. ACM.
- L. Bilge, E. Kirda, C. Kruegel, and M. Balduzzi. EXPOSURE: Finding malicious domains using passive DNS analysis. In NDSS, 2011.
- A. Nappa, A. Fattori, M. Balduzzi, M. Dell'Amico, and L. Cavallaro. Take a Deep Breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype. In GI SIG SIDAR Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), July 2010.
- T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling. Measurements and mitigation of peer-to-peer-based botnets: a case study on Storm Worm. In Proceedings of the 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats, LEET'08, pages 9:1-9:9, Berkeley, CA, USA, 2008. USENIX Association.