February 2014

Executive Summary

Practicalities

Start small, measure, and scale up: security controls can be applied iteratively, [...]

Introduction
We are currently in the middle of a computer security crisis: the number of attacks, their sophistication and potential impact have grown substantially in the last few years. In particular, [...], sometimes also called advanced persistent threats (APTs), have emerged as today's most challenging security [...]

[...] step in which a compromised system establishes a Command & Control channel (C2), i.e., a communication channel with the attackers through which it can receive further commands or can send any stolen data. Blocking an intrusion in the C2 step has several advantages. If no [...]

[...] based on a comprehensive review, systematization, and contextualization of the substantive work in this area, done by both the academic and commercial community. For the academic work, we focus our attention on publications appearing in top conferences and [...]

[...] of an attack where the compromised system contacts back the attackers to obtain additional attack instructions and to send them any relevant information that has been collected up to that point. To really understand C2 activity, we need to review a number of aspects that, taken together, characterise today's attacks. In particular, we will examine the factors that shape the current attack landscape [...]. We also review the actual way in which the attacks are carried out ([...]) and the reasons why C2 activity is a critical step in these attacks. Then we look at the available data on targeted attacks to quantify them and to learn [...] before reviewing notable cases of targeted attacks.

C.1 Attack Landscape

[...] with an adversary. As the adversary's motivations, drivers, or technical means change, so does the entire security landscape. We posit that changes in cyber attacks that have occurred lately [...] against them) are largely the result [...] changes to attackers' motivation is the [...] techniques and behaviours of attackers. We focus here on three main thrusts: changes in attackers' motivations, the increased targeting of attacks, and their use of evasive techniques.

Motivations

The motivations of attackers have changed substantially, transforming their activity from a reputation economy to a cash economy [37]. Long gone are the days when attacks were performed predominantly by individuals with the intent to display their technical skills and to gain "street credibility". The last ten years have seen instead the rise of criminal groups that use Internet-[...]

[...] actual attack code and a "cashier" for the monetization of stolen data. Less advanced groups can rely on the wide availability of commoditised attack tools, such as pre-packaged exploit kits [41] or phishing kits [24], which simplify considerably the steps required to launch relatively sophisticated attacks. Notably, the activity of these groups is [...] to active underground markets, where malicious code, stolen goods, tips and tricks are exchanged or sold [35]. An overview of cyber crime evidence for the UK has been recently published [76].

Traditionally, criminal groups have [...] data, such as credit card numbers and online banking account credentials, which can be easily monetized. This activity has been referred to as "cyber crime", since it replicates traditional criminal activities (such as money stealing and fraud) in the online domain. However, more recently attackers have increasingly targeted sensitive data [...] on acquiring intellectual property, such as manufacturing designs, legal contracts, etc. These attacks can often [...] and commercial espionage.

[...] term are denoted attacks that, for their scope, objectives, and cost, are likely to [...] two typical goals: the systematic and comprehensive espionage of other nations' entire economic sectors with the objective of gaining strategic advantage [13], and the sabotage of critical national infrastructure, such as power plants and transportation control systems. The impact and consequences of these attacks have led some commentators to discuss the possibility of cyber wars [18]. The most well-known example of [...] believed to be created by the United [...]

[...] Control is the increasingly targeted nature of attacks. Cyber crime activity is typically opportunistic: attackers cast a wide net and are happy with any target they can capture. More sophisticated attacks, on the contrary, take aim at [...] compromise them. This change in the mode of attacks has several important consequences. Attackers do not simply move from one potential victim to another, in search of the system that, being least defended, [...] attackers focus relentlessly on their selected target.

[...] change. In particular, the attack life-cycle includes a reconnaissance phase in which the target's security posture and the defensive tools it uses are carefully examined and analysed to identify possible weaknesses [73]. In addition, a targeted compromise attempts to establish its presence on the victim's systems for as long as possible, so [...] over time. Consequently, the life cycle commonly includes phases in which the intruder moves "laterally", i.e., gains access to additional systems, and introduces techniques to maintain the attackers' presence in the intruded system.

Actual attack artefacts, for example, malware samples or network-based attacks, tend to become unique: they [...] thus, are less likely to be reused in other attacks. This is problematic for security tools, which sometimes use the observation of the same suspicious artefact in multiple locations as an indication of maliciousness, and for security companies, which may prioritise the investigation of novel attacks and artefacts based on their prevalence. [...] to develop signatures to match these rarely-seen artefacts.
Initial compromise

This stage represents the actual intrusion, in which attackers manage to penetrate the target's network. Most frequently, the method of compromise is spear phishing. A spear phishing message may contain a malicious attachment or a link to a malicious web site [125]. Often, the content of the spear phishing message is tailored based on the information acquired during the reconnaissance stage, so that it appears credible and legitimate.

A second common method of intrusion is the strategic compromise of websites of interest to the victim (or "watering hole" attack). In these attacks, attackers place malicious code on sites that are likely to be visited by the intended target: when the target visits the compromised website, she will be exposed to one or more exploits. Watering hole attacks represent an evolution of the traditional, opportunistic drive-by-download attacks [95, 97], in which victims are attracted, [...] language, that exploits vulnerabilities in the user's browser or in the browser's plugins. If successful, the exploit downloads malware on the victim's machine, which, as a consequence, becomes fully under the control of the attacker [92, 96].

Command & Control

The Command & Control phase of the attack is the stage where adversaries leverage the compromise of a system. More precisely, compromised systems are forced to establish a communication channel back to the adversary through which they can be directly controlled. The C2 channel enables an attacker to establish a "hands-on-keyboard" presence on the infected system (via so-called remote access tools), to install additional specialised malware modules, and to perform additional malicious actions (e.g., spread to other machines or start a denial of service attack). [...] collect, and encrypt information stolen from the victim's environment. The information is then sent to the attackers, commonly through the same C2 channel that was established earlier.

[...] been a key step in opportunistic attacks as well and it has been well documented in the literature. For example, studies of the data stolen (or "dropped") by the key logger components employed in banking trojans have reported on the amount of data being transferred, its estimated value, and the modus operandi of their operators [50]. Furthermore, researchers have sinkholed or hijacked entire botnets with the goal of gaining an inside view of the data stolen from infected machines and the operations of botmasters [114]. With [...] seen in these traditional attacks, we expect targeted malware to expand [...] activity and its infrastructure.
[...] and hardware (8%), legal (7%), media (7%), telecommunications (6%), pharmaceutical (4%), other (25%). The report does not elaborate on how the [...]

Symantec

[...] company, focusing on virus protection. They publish a yearly report on the status of Internet security; the latest available data covers the year 2012 [120]. The report investigates targeted attacks on the basis of the targeted malicious [...] products. In total, the analysed dataset comprises about 55,000 attacks. The methodology used to discriminate whether a malicious email is targeted or opportunistic is intuitively presented, but there is no detailed description of the algorithm used to make this determination.

[...] observing a number of targeted attacks per day ranging from 50 to about 225. The report warns that one large attack campaign in April against a single target [...] and, thus, has been removed from the presented results: while a reasonable course of action, this observation questions the sample size and generalizability of reported data.

Also in this case, the report lists the targeted sectors: manufacturing (24%), [...] real estate (19%), other services (17%), government (12%), energy/utilities (10%), services professional (8%), aerospace (2%), retail (2%), wholesale (2%), and transportation (1%).

The report also comments on the size of the targets: 50% of the attacks targeted large organisations (those with 2,501 employees or more), 31% small and medium businesses up to 250 employees. The analysis of the malicious email dataset also provides some insight into the targets of the initial compromise: R&D personnel (27% of the attacks), sales (24%), C-level executives (17%), and shared inboxes (13%). Interestingly, the report points out a handful of [...] data (for example, R&D personnel used to be targeted in only 9% of the cases in 2011 compared with 27% of 2012): it is not clear if these changes are an artefact of the data collection and analysis process or correspond to actual changes in the tactics of attackers.

Verizon

The telecommunication company Verizon publishes a yearly report on data breaches. The last available report at the time of writing covers 2012 and contains data compiled from 19 organisations for a total of more than 47,000 security incidents [127]. The report has a more general scope than those discussed so far (it covers data breaches in general), but it does provide some useful insights on targeted attacks. The report is characterised by a careful methodology, which is explained in detail.

[...] is that 25% of the breaches they report [...] the elusive nature of attacks (targeted or not): 69% of breaches were spotted by an external party (9% customers), and 66% of the breaches took months or even years to discover. Another interesting observation is that, in most cases, the initial compromise does not require sophisticated techniques; in 68% [...] and less than 1% as "high". More worryingly, subsequent actions may be more sophisticated: 21% are high and 71% are low. Unfortunately, the report does not break down these statistics between targeted and opportunistic attacks.

Discussion

As we have anticipated, the available data is unfortunately somewhat limited and the reporting methodology used [...] described. This limits our ability to make generalizations on the basis of the data [...] However, there are several points that are worth discussing, keeping in mind our objective of designing and deploying better defences against targeted attacks.

Ability to detect

There seems to be support to the notion that attacks in general, and especially targeted ones, remain unnoticed for a long time. This indicates that organisations do not have appropriate controls, tools, and processes to identify the presence of intruders in their network. Unfortunately, we do not possess enough data to conclusively point to the precise reasons for why this occurs: in particular, it may be the result of factors ranging from cultural ones, such as the lack of appropriate awareness to [...] mentality), to technological reasons, such as the unavailability (real or perceived) of [...]

The failure to detect intrusions for months, if not years, also implies that attackers have a long time to carry out their attacks, compounding the damage [...] the same time, from a defensive point of view, it shows an imbalance between [...] two common defensive strategies [...] kill chain: defending by preventing the intrusion and defending by detecting an intruder. More precisely, detecting the initial compromise requires to catch and identify the individual event that leads to the intrusion (e.g., the receipt [...] point of time, and, lacking forensics capabilities, its detection requires that [...] tool (e.g., intrusion detection system or anti-virus tool) is capable of performing the detection. Intuitively, detecting the presence of an intruder may instead happen at any time after the intruder has established a presence in the target's network, during which time defensive tools may be updated or improved. This [...] attack and defence: while detecting the initial compromise requires that defence [...] single missed detection may lead to the compromise), to detect the intruder's [...] makes a single mistake, revealing its presence.
[...] of the intrusion are not entirely clear. There are, however, several interesting aspects in this attack. First, attackers compromised Bit9 with the primary intent of acquiring the capability required to successfully attack upstream targets protected by the company's products. These are often called "supply chain attacks" because they target one link of a chain that eventually leads to the organisation that is actually being targeted.

Manufacturing espionage

Military secrets are hardly the only ones to be sought after by attackers. In early 2013, Lastline started monitoring the network of a manufacturer active in the [...] it determined that an internal server was infected: further investigation revealed an unexpected remote connection to that server originating from China. Among other data, the server contained all the designs of the manufacturer's new collection, which had not yet been [...]

This episode shows that the data targeted by sophisticated attackers is not [...] Industrial espionage, in certain [...] governmental blessing, has targeted a large spectrum of economic sectors [73].

Malicious infrastructure agility

In mid 2013, a Lastline product was [...] Lastline detected a successful drive-by-[...] employees. The drive-by had started when the employee visited a legitimate web site that had been compromised; the web site collects information relevant [...] by-download attacks were detected shortly thereafter, originating again from web sites belonging to companies and [...]

After one of the successful drive-by-download attacks, connection attempts to a malicious domain were observed: the connections did not succeed because the destination server failed to respond. However, a day later, connections to the same domain were observed: this time, the server was responding and was actually distributing [...]

These events suggest that attackers run [...] sectors (these could be considered less targeted versions of the watering hole attacks). Furthermore, the sudden activation of malicious domains shows that the malicious infrastructure used by attackers (exploit sites and C2 domains) can vary quite rapidly, thus requiring its constant and up-to-date monitoring.

[...]

This case study was collected after the installation of a Lastline product in a University environment. Here, an administrative user received a malicious email and clicked on a link contained therein twice in a short span of time. The link caused the download of a malware program. Interestingly, the binaries downloaded as a consequence of the [...] an online service that scans submitted binaries with over 40 anti-virus tools. This episode shows that the use of evasion techniques, polymorphism in this case, is a built-in component in many attacks: all the binaries downloaded in [...] the importance of user security education: users are all too often a weak link in the security of an organisation.

C.5 A New Focus

There are several lessons that we can learn from the statistics on today's attacks and the case studies that we have presented.

One is that [...] We have seen that intrusions happen, even at security conscious organisations which possess considerable domain knowledge, expertise, and budget for security. We have also seen that there does not really appear to be a sector that is immune from attacks: modern businesses and organisations handle on a regular basis [...] to attackers. It should also be noted that the compromise may initiate outside of an organisation's perimeter (and away from the defences that the organisation has put in place), and then spread inside it as the infected device re-enters the perimeter. For example, with bring-your-own-device (BYOD) policies, organisations explicitly allow employees to bring to the workplace personally-owned and managed mobile devices, such as smartphones, and to use these devices to store privileged data and to interact with internal systems.

As a consequence, it is clear that [...]. Ideally, the detection is performed as early as possible in the life cycle of the attack, to limit the [...] stolen). Unfortunately, we have seen, in particular with the Verizon data on [...] infections go completely unnoticed for a long amount of time.

C2 detection and disruption seems [...] by focusing on the C2 phase of an attack, one accepts that a device may come under the control of attackers, may enter an organisation's network, and [...] However, the successful detection of C2 activity will preclude the attackers from performing the actual malicious, damaging activity of their actions, [...] course, C2 detection should be seen as a complementary approach to the prevention of compromise, rather than a substitution for it: completely blocking an attacker, whenever possible, is preferable to having to deal with it after the fact. With this approach in mind, we review in the next sections the techniques that attackers use to set up C2 channels, and then the approaches that have been proposed to detect and disrupt such channels.
C&C Techniques

[...] table (DHT) based p2p network. Each bot has a 128 bit DHT id, which is randomly generated. Routing is performed by [...] IDs to the destination: node a, which has a message for node d, will forward to the peer (neighbour) with the closest [...] uses a publish/subscribe style of communication. A node publishes [...] from the contents of the information. Consumers can then subscribe to the [...] to using the day and a random number between 0 and 31. The controller can [...] information using them. The information [...] form "*.mpg;size=*", where * represents a 16 bit number. The malware converts this to an IP address and port number, at which point the malware performs a direct connection to talk to the controller directly.

Social Networks

[...] that they bring to both businesses and end users are hard to ignore. In fact, Facebook, the largest social network, now has over 1.1 billion users, and is currently the second most visited website (www.alexa.com) in the world. The sheer volume of social network [...] information within a social network page for little to no cost, has made them a very attractive tool to malware creators. In this case, C2 channels are built as an overlay network over a social network, again both centralised and decentralised [...] social networks are largely based around a small number of highly well-connected central servers, it's not possible to simply [...] use of steganographic communication techniques, which we will discuss in future sections of the report.

There have already been numerous examples in the wild of malware that uses social networks (or similar sites) as part or all of the command and control system. One (possible) botnet that has been found is an unnamed piece of malware that receives its commands through tweets posted to a particular Twitter account [132]. It is unclear however if in this case this was a researcher testing a new toolkit for Twitter command and control rather than an actual botnet. An example found by Arbor Networks [85] also demonstrates a botnet using Twitter as part of its C2 channel; in this case the twitter account posts base64 encoded URLs, which represent secondary C2 servers. The same behaviour is also found on identically named Jaiku and [...] that uses a malicious application on the Google App Engine cloud hosting platform which also returns URLs to which the malware will then proceed to connect [84].

[...] malware that is using a social network as part of its command and control is Taidoor. Taidoor attacks organisations that have links to Taiwan (hence the [...] found that the malware has been [...] binaries in a Yahoo blog post [129]. The malware is initially delivered by email and performs an exploit against [...] installed. This downloader connects to a Yahoo blog post, which contains seemingly random data. The data is in fact the actual malware binary, contained between two markers and encrypted using the RC4 stream cipher, with the resulting cipher-text being base64 encoded. When decrypted, the data is [...] malware then connects directly to two C&C servers.

[...] feature of C2 channels that distinguishes them from other malicious activity is the fact that the individual malware-infested hosts communicate with each other. This lets them carry out sophisticated coordinated activities, but it can also be used as a point of [...] can be used to detect communication patterns among bots, and how such [...] between botnet performance, resilience, and stealth.

[...] is an old [...] are applicable. We will review these [...] designers have adopted techniques to hide communication patterns.

[...] is a much desired property by C2 designers. Anonymous communications technologies study the design of communication channels [...] For C2 designers, the ultimate goal is unobservable communications. The property of [...] strongest form of communication [...] capability that a third party cannot distinguish between a communicating and non-communicating entity. For instance, by appearing indistinguishable [...] substantial amount of knowledge in the public domain on the topic on which C2 designers can build upon. [...] adoption of anonymous communications technology by C2 designers.

Tor

Tor (originally TOR: The Onion Router) is a service used to provide anonymity over the internet. It is used by governments and the public alike (for example it is extremely popular with whistle-blowers), and even receives a large proportion of [...] popularity with legitimate users. Further, [...] Defence. The basic system works by [...]
[...] a target for malware coders, and there have been cases of malware that use the Tor network (and some of its extra features) to aid in command and control. To become a part of the Tor network, one simply has to install a simple piece of software. The machine can then act as a relay node for others, and make use of the Tor network.

One of the more advanced features of Tor is the ability to set up Hidden [...] behind a proxy, keeping the actual identity of the server hidden from those who access it. Hidden services work by setting up "Rendezvous" points. A rendezvous point is a node on the Tor network, which is used as the entry [...] the rendezvous point and the server is routed in the normal Tor fashion, providing anonymity. A rendezvous point is accessed using an ".onion" link.

While few examples of actual bots have [...] their C&C channel, there is growing evidence that this is occurring on a large [...] 2013 the Tor network experienced a large increase in the number of users [...] nodes, however, only showed a minimal [...] and control server behind a Tor hidden service. The botnet, however, shows little activity, and is believed to simply be used for installing other malware.

Case Study: Skynet

[...] machines) botnet based upon the Zeus family of malware. The interesting thing (apart from the usage of Tor) about [...] IAmA (Q&A) session on Reddit [1]. When a team of researchers [46] discovered an instance of the malware, they were able to use the information provided by the Reddit post, plus a small amount of reverse engineering, to provide an almost [...] botnet.

The malware is spread primarily through [...] mining and Bitcoin mining. When the malware is installed onto a machine, the Tor client for Windows is also installed, and a Tor hidden service is set up for the machine itself. All C&C communication [...] running locally on the machine. The hidden service is opened on port 55080.

The primary method of C&C is an IRC server hosted behind a Tor hidden service. The server runs at "uy5t7cus7dptkchs.onion" on port 16667. The controller issues commands to the malware through the IRC channel. These actions can include performing attacks and returning info on the host machines.

The malware also includes a version of the Zeus malware family. Zeus is a very common banking trojan, with a primary [...] details (for example credit card numbers and online banking passwords). Zeus provides a web-based C&C server, which the controller has hidden behind a second Tor hidden service. By accessing the control server, the researchers were [...] the current target websites.

[...] performs Bitcoin mining. The malware includes the open source "CGMiner" software used for Bitcoin mining, which connects to a number of Bitcoin mining proxy servers. Interestingly, seven IP addresses for proxy servers were found, of which two were active, but none were hidden by Tor.

Due to the use of Tor, it is almost impossible to identify the actual location (and owner) of the command and control servers. Through responses on the Reddit post, plus the botnet's concentration in central Europe (in particular the Netherlands and Germany) there is a strong chance that the operator is based in Germany.

Unobservable C2 Communications

Whereas systems such as Tor aim to provide anonymity through unlinkability (i.e. disguising who is talking to whom), unobservable communication methods aim to hide the fact that anyone is communicating altogether. Tor, and similar systems, are designed to provide low-latency communications but this [...] unobservable communication methods, which often provide a higher-latency form of communication. While this is often deemed unacceptable for the user-base of Tor like systems where usability is a factor, it is not an issue for malware coders. The most common form of providing unobservable communications is through the use of steganography.

[...] writing") is the art of writing messages in such a way that nobody, apart from the sender and receiver, suspects the existence of the message. [...] used for thousands of years, and has been reinvigorated in the digital age. The main purpose of using steganography is that it can make the communication unobservable. There are two ways in which steganography can be used by malware to hide the command and control communications. The [...] communication protocol appear as another, and secondly it can embed itself within otherwise legitimate content online, such as images.

Today most media types, including text, images and video, are capable of containing hidden data in a number of ways. In the simplest cases, this can be achieved by adding extra metadata to [...] although this is easily discovered. The alternative, and more advanced, method [...] image can store the data. This will allow a relatively large amount of data to be stored (directly corresponding to the size of the image), and to the untrained eye the image will appear to be unchanged.

[1] http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/
[...] over UDP between the ports opened for [...] bridge. [...] contain simulated headers that match [...] also uses a similar approach with HTTP by generating fake HTTP requests from clients, and fake HTTP responses from the server to transmit data (which appear as normal HTTP browsing). The HTTP requests are replays based upon previously collected traces, with header information replaced with the data to be transmitted. The same approach is used for the responses from the server, except the data is hidden within the returned [...]

[...] designed for obfuscated web browsing, decouples the upstream and downstream channels. HTTP requests are sent to the server over a low capacity channel such as email or instant messaging. The server responds to the client by mimicking UDP-based VoIP [...] based VoIP.

All three of these approaches were deemed broken by Houmansadr et al. [53], who proved that all three systems are detectable due to their lack of complete protocol emulation. All three systems do not fully emulate all aspects (for example, error handling) of the protocol that they are attempting to hide as, allowing for detection by comparing [...]

While this has debunked these three systems, there is ongoing work to make systems like these less detectable. Even though this approach has not been seen in malware yet, it is fully expected that malware will start to take this approach in the near future. At the simplest level, malware that makes use of social networks is starting to adopt this [...] details a targeted attack against a major internet hosting provider in which malware was installed on linux servers which opened a backdoor. The backdoor operated as a network monitor which [...] monitor looked for a certain sequence of [...] seen, the malware extracted encrypted and encoded data which followed. The data could be embedded in any [...] detect.

Future: Namecoin

Another further development that is beginning to appear in the wild is the use of the Namecoin service. Namecoin is related to Bitcoin, and provides a decentralised method to register and control domain names. Domains that belong to the Namecoin service use the ".bit" top-level domain. The advantage to a malicious user is that it provides the means to anonymously purchase a domain outside the control of any international body. McCardle et al [75] have found malware that is using this service in the wild, and it is expected that it will become more widespread.

D.5 Future Trends

As malware writers attempt to make their malware more resilient to take-down attempts and detection, there are a number of trends that we can expect in the near future.

First, the use of decentralised malware will increase. This will be both down to the additional redundancy provided by a decentralised network, and also the scalability provided by such systems, as it is also expected that botnets will continue to increase in size. We expect that the malware designers will start to [...]

[...] will also increase. As it is harder to avoid detection, and it is getting easier for authorities to locate malware operators, the operators will increasingly want to [...] become more widespread.

It is also expected that attackers will make use of further unusual channels for command and control in order to evade controls. A common control is to provide [...] machine is physically disconnected from any other machine, including the internet. In the perfect situation, this would be a laptop disconnected from the power supply (data can be transmitted through power cabling, a method that is used in the consumer "Powerline" network adapters). Recently, however, Hanspach and Goetz [49] have proposed a design for malware that can operate even in the face of an air gap. The proposed channel is to make use of the microphones and speakers found in most laptops in order to transmit data between machines using inaudible frequencies. Using this channel, a data rate of approximately 20 bit/s up to a range of 19.7 m can be achieved. By extending the system into a mesh network, multi-hop communication can be achieved. While 20 bit/s seems [...] transmit small amounts of data such as passwords, banking details or memory dumps.

Finally, although in the wild it is currently [...] is a high probability that techniques involving steganography will become more widespread. This will allow the malware to use legitimate services to transmit information, i.e. by hiding in plain sight. This will vastly reduce the [...] methods.
C&C Detection
Given the range of C2 design techniques, there is much interest in the design of techniques to localise C2 communication […] Detection techniques can be used to […] large scale networks to engage with malicious network activity. In recent years, a number of new techniques have been […] data in order to support correlation and […] of machine learning, semantic analysis, […]

C&C detection falls broadly into two categories: signature-based and non-signature based. In signature-based detection, the detection algorithms are designed to look for known patterns of behaviour collected from malware samples (or “signatures”). These algorithms are often good at detecting the C&C of particular malware, but not so good at detecting new malware. Host-based anti-virus systems usually fall into this category. Non-signature based algorithms instead look for anomalies compared to the norm. They are often much more adaptable to new variants of malware, but may not perform as well against known malware. Further […] traces go unrecorded, then detection systems cannot work. Current measurement techniques have addressed scalability limitations of data collection by developing measurement architectures for aggregation and sampling. However, they do so without addressing evasion resilience requirements. Also, little attention has been paid to measurement control mechanisms — tuning measurement in response to C2 evasion.

E.2 Scalable measurement

[…] feature or the sFlow feature. Alternatively, standalone measurement devices [25] […] devices or splitters (optical or electrical) […] to collectors which store the traces. Enterprise networks carrying a few tens of terabytes a day, resulting in […] currently manageable as all records can be collected. However, the growth in network speeds might change this in the future. Additionally, C2 designers can attack the measurement system to evade […] techniques can support the creation of arbitrary sub-aggregates to support detection techniques that need not be […] place. The challenge is to achieve the following requirements: 1. Fairness: yield accurate […] samples to be gathered from data […] Timeliness: provide samples in a timely manner to detection mechanisms. Fairness is an important criterion. If the fairness guarantees are weak or non-existent, then the adversary can exploit weaknesses in the sampling […] evading the monitoring system, and as a consequence detection would fail. In the rest of this section, we will […] collection that are used by the detection methods discussed later.

NetFlow

NetFlow is a network protocol for […] Developed by Cisco, NetFlow is used […] store and process!).

Honeynets/Malware Traps

Honeynets and malware traps are essentially bait and traps for malware in the wild. A honeynet is typically made up of a number of honeypot nodes, which are machines that run vulnerable (un-patched) software with the goal of becoming infected with malware. The infected machines can then be used to […] or human means. This data is one of the primary sources of signatures for signature-based detection methods. Honeynet nodes do not have to be a single machine. It is possible, through the use of virtual machines, to run large volumes of honeynet nodes on a relatively small amount of hardware. It is important to note that often the malware will be prevented from performing illegal […] the researchers control.

Honeypot techniques have been widely used by researchers. Cooke et al. [22] conducted several studies of botnet propagation and dynamics using honeypots; Barford and Yegneswaran [9] collected bot samples and carried out a detailed study on the source code […] al. [38] and Rajab et al. [99] carried out measurement studies using honeypots. Collins et al. [21] present a novel botnet detection approach based on the tendency of unclean networks to contain compromised hosts for extended periods of time and hence acting as a natural honeypot for various botnets. However, honeypot-based approaches are limited by their ability to attract botnets that depend on human action for an infection to take place, an increasingly popular aspect of the attack vector [80].

Sandboxes

A slight variant on a honeynet is a malware sandbox. In this instance, malware is directly installed on a machine and the activities analysed. […] however, is that the owner will also interact with the malware (for example, by mimicking command and control servers). This allows the researcher to gain a much bigger picture of the […] the conditions on a host machine can […] situations.

Reverse Engineering

Perhaps the most labour intensive, reverse engineering is probably the most useful tool in learning about the command and control systems of malware. Many of the examples of command and control systems discussed in the previous section were discovered through reverse engineering. To reverse engineer a piece of malware, the researcher will analyse the actual malware binary and attempt to recover the source code. This can give valuable insights into the operation of the malware, and can even give vital information such as hardcoded C&C server addresses and encryption keys. The main issue is that it can take a very long time to completely reverse engineer a piece of malware (and in some cases it may not be possible at all), and it is […] automate.

E.3 […]

In signature-based detection methods, malware C&C is detected by looking for known patterns of behaviour, or […] for known malware samples, and […] various sources. The main sources are honeynets and sandboxes. Malware is run in controlled conditions, and its activity logged. What is logged depends on the detection algorithm being used, but almost every aspect of the malware’s behaviour can be included in a signature. […] signatures upon the payload data of packets, while others can cover entire […]. It is also not the case that one piece of malware will be represented by a single signature, and vice versa. It is often the case that a single malware sample will generate multiple signatures as […] and control activity. Conversely, a signature may represent multiple pieces of malware that exhibit very similar behaviour.

Communication Detection

As we have seen, many malware variants have very particular protocols when it comes to communication. These are […] the behaviour of the communications. This makes signature based detection methods very good for detecting known […] pieces of malware may also be based upon a common component, meaning that a single signature can be used to detect multiple pieces of similar malware. One possibility for this kind of detection is to produce signatures based upon the contents of packets. It is often the case that packets of data involved in the C&C of malware will be almost identical across multiple hosts. Even though some malware families use encryption in their communications, that encryption is usually a simple, lightweight algorithm (as the encryption is often for obscurity rather than security), so there are […] For example, in the work of Rieck et al. [103], in which n-gram based signatures are generated for the payloads of malware that is run under controlled […] with this method the system can achieve detection rates of close to 95%, with a false positive rate of close to zero when running on a network gateway.

Encryption can make the detection of […] especially if the system uses widespread protocols such as HTTP. One approach is then to attempt to decrypt all packets and then perform signature detection on the decrypted contents, as is done by Rossow et al. [104]. They take advantage of the fact that in many cases the encryption used is very simple, and often the key for encryption is hardcoded into the malware binary. The keys are fetched by reverse engineering, and then the payloads can be decrypted,
and signature-based detection applied. The obvious downside to this method is that it requires the labour intensive reverse engineering step.

[…] proposed a system for large-scale automatic signature generation. The system uses network traces collected from sandboxes and produces signatures for groups of similar malware, covering numerous protocols. This system is able to identify numerous malware examples with a high rate, and experiences a low false positive rate […] generated. The signatures are designed to be exported to intrusion detection […] detection.

Spam Detection

There have also been attempts at performing spam detection based upon the method that the spam email was sent, which is quite often through […] mail clients, including malware, introduce […] protocol. They use this to produce “dialects”, which are signatures for each mail client that can represent these variations. Dialects are collected for known sources of spam, including malware, and also for legitimate mail services. It is then a simple case of matching incoming emails to a dialect to make the decision of whether the email is spam. In a further piece of work from the same […] to their content, and then measures the source and destination IP addresses to match clusters to known botnets. This allows for both the enumeration of known botnets and the discovery of new ones. It is of course the case that many spam campaigns could originate from the same botnet, so clusters that share source IPs are linked to the same botnet. It is also observed that a particular botnet will often target a particular set of destinations, such as one particular country, which is used to add precision.

Server Detection

[…] system for identifying malicious domains by creating network traces from known malware samples to create signatures, that can then be compared with network […] based upon the domain names, but also the full HTTP requests associated with them. How this system is unique, however, is that the signatures are tailored to the network that they will be used on based upon the background […] useful at reducing the level of false positives by exploiting the fact that […] browsing behaviour (for example a car manufacturer is unlikely to visit the same websites as a hospital).

E.4 Non-Signature Based

The main disadvantage of using a signature based detection method is that these detection systems are […] new, or updated, malware. Every time a new piece of malware is discovered, or an existing piece updates itself, the signatures have to be recreated. If the new variant is not discovered, then it is unlikely to be detected by these systems. This is where non-signature based detection comes in. In these systems, the algorithms look for behaviour that is not expected, rather than looking for particular known behaviour, or looking for […] use of signatures.

Server Detection: DNS

There has been a large amount of work that attempts to provide a detection mechanism that can identify domains […] large amount of malware that makes use of a centralised command and control structure. One proposed detection method is to make use of the reputation of domain names to decide if they are related to malicious activities [6]. In this system (Notos), domains are clustered in two ways. First, they are clustered according to the IP addresses […] are clustered according to similarities in the syntactic structure of the domain names themselves. These clusters […] based upon a collection of whitelists and blacklists: domains in a cluster that contains blacklisted domains are likely to be malicious themselves. This system […] achieve a true positive rate of 96% and a low false positive rate. In a further piece of work from the same authors as Notos, the idea is vastly expanded to […] hierarchy. In this new system (Kopis) [7], […] at the domains’ IP and name, looks at […] They leverage the fact that malware-related domains are likely to have an inconsistent, varied pool of requesting hosts, compared to a legitimate domain which will be much more consistent. They also look at the locations of the requesters: requesters inside large networks are given higher weighting as a large network is more likely to contain infected machines. When tested, this system was actually able to identify a new botnet based in China, which was later removed from the internet.

[…] malware controllers that we have not yet […] will often query these blacklists for IPs under their control to test their own […] networks [101]. The behaviour of a […] on behalf of the controller will perform lots of queries, but will not be queried itself, while a legitimate service will […] receive incoming queries. This behaviour is relatively easy to detect by simply looking for queries that exhibit this behaviour. Paxson et al. [89] attempt to provide a detection mechanism that leverages the amount of information transmitted […]
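As an added example (not code from the report or from the cited papers), the n-gram payload signature idea of Rieck et al. [103] and the decrypt-then-match step of Rossow et al. [104] from the signature-based detection passages above, worked through in Python on constructed HTTP-style beacons; the family name, payloads, benign traffic and the XOR key are all assumptions made here.

```python
"""Added example, not from the report: n-gram payload signatures in the
spirit of Rieck et al. [103], plus the decrypt-then-match step used by
Rossow et al. [104] for lightweight hardcoded-key encryption. Every
payload, family name and key below is constructed for illustration."""

N = 4  # byte n-gram length (an assumption for this example)

# Constructed C2 beacons of one hypothetical family observed in a sandbox.
FAMILY_A = [
    b"GET /gate.php?id=0001&cmd=poll HTTP/1.1\r\nHost: c2-a.example\r\n\r\n",
    b"GET /gate.php?id=0002&cmd=poll HTTP/1.1\r\nHost: c2-a.example\r\n\r\n",
    b"GET /gate.php?id=00a7&cmd=exec HTTP/1.1\r\nHost: c2-a.example\r\n\r\n",
]
# Constructed benign gateway traffic used to prune common n-grams.
BENIGN = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    b"GET /news/today.php?id=42 HTTP/1.1\r\nHost: news.example.org\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: shop.example.org\r\n\r\n",
]


def ngrams(payload: bytes, n: int = N) -> set:
    """All byte n-grams of a payload."""
    return {payload[i:i + n] for i in range(len(payload) - n + 1)}


def build_signature(family, benign, n=N):
    """N-grams present in every family sample but absent from benign
    traffic; pruning against benign data keeps gateway false positives low."""
    shared = set.intersection(*(ngrams(p, n) for p in family))
    seen_benign = set().union(*(ngrams(p, n) for p in benign))
    return frozenset(shared - seen_benign)


def match_score(payload, signature, n=N):
    """Fraction of the signature's n-grams found in the payload."""
    if not signature:
        return 0.0
    return len(ngrams(payload, n) & signature) / len(signature)


def classify(payload, signatures, threshold=0.5):
    """Best-matching family name, or None if no family reaches the threshold."""
    best, best_score = None, 0.0
    for family, sig in signatures.items():
        score = match_score(payload, sig)
        if score > best_score:
            best, best_score = family, score
    return best if best_score >= threshold else None


def xor_decrypt(data: bytes, key: int) -> bytes:
    """Single-byte XOR, standing in for the lightweight ciphers whose
    hardcoded keys are recovered by reverse engineering."""
    return bytes(b ^ key for b in data)


SIGNATURES = {"famA": build_signature(FAMILY_A, BENIGN)}
# Constructed traffic seen later on the gateway: a new bot id, a benign
# request that happens to share the word "gate", and an encrypted beacon.
NEW_A = b"GET /gate.php?id=0ff3&cmd=poll HTTP/1.1\r\nHost: c2-a.example\r\n\r\n"
BENIGN_NEW = b"GET /gate/keeper.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
KEY = 0x5A  # constructed hardcoded key
ENCRYPTED = xor_decrypt(NEW_A, KEY)  # XOR is symmetric, so this encrypts
```

The encrypted beacon matches nothing until it is decrypted with the recovered key, which is the step that makes the Rossow et al. approach depend on prior reverse engineering.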
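As a second added example (not the Notos or Kopis implementations), the two DNS reputation ideas just described: clustering domains that resolve to shared IP addresses and propagating blacklist hits through a cluster, and scoring a domain by the diversity of its requesters weighted by requester network size; the log records, domain names, blacklist and network sizes are constructed placeholders.

```python
"""Added example, not from the report: two simplified domain-reputation
heuristics in the spirit of the Notos [6] and Kopis [7] ideas described
above. Every record, domain, blacklist entry and network size below is a
constructed placeholder, not real data."""
import math
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed passive-DNS style records: "requester qname answer_ip".
LOG = """\
10.1.0.5     update.vendor.example  198.51.100.10
10.1.0.7     update.vendor.example  198.51.100.10
10.2.0.9     update.vendor.example  198.51.100.10
10.1.0.5     cdn.vendor.example     198.51.100.11
10.1.0.5     x7k2.badhost.example   203.0.113.5
10.3.0.2     q9ff.rentme.example    203.0.113.5
172.16.4.8   q9ff.rentme.example    203.0.113.5
192.168.9.1  q9ff.rentme.example    203.0.113.6
10.1.0.6     q9ff.rentme.example    203.0.113.6
"""
BLACKLIST = {"x7k2.badhost.example"}  # constructed
# Constructed requester networks with approximate host counts; requesters
# from large networks get more weight, as in the Kopis description above.
NETWORKS = {
    ip_network("10.0.0.0/8"): 60000,
    ip_network("172.16.0.0/12"): 4000,
    ip_network("192.168.0.0/16"): 50,
}


def parse(log: str):
    """Yield (requester, qname, answer_ip) tuples from the constructed log."""
    for line in log.splitlines():
        if line.strip():
            requester, qname, answer = line.split()
            yield requester, qname, answer


def ip_clusters(records):
    """Notos-style clustering by shared resolved IP: domains that ever
    resolve to a common address end up in one cluster (union-find)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    by_ip = defaultdict(set)
    for _, qname, answer in records:
        by_ip[answer].add(qname)
    for names in by_ip.values():
        first = next(iter(names))
        for other in names:
            parent[find(other)] = find(first)
    clusters = defaultdict(set)
    for name in list(parent):
        clusters[find(name)].add(name)
    return list(clusters.values())


def blacklist_tainted(records, blacklist):
    """Domains that share a resolution cluster with a blacklisted domain."""
    tainted = set()
    for cluster in ip_clusters(records):
        if cluster & blacklist:
            tainted |= cluster
    return tainted


def network_of(ip):
    addr = ip_address(ip)
    return next((net for net in NETWORKS if addr in net), None)


def requester_diversity(records, qname):
    """Kopis-style score: sum of log10(network size) over the distinct
    requester networks that queried qname, so a varied pool of requesters
    drawn from large networks scores high."""
    nets = {network_of(r) for r, q, _ in records if q == qname}
    return sum(math.log10(NETWORKS[n]) for n in nets if n is not None)


def suspicious_domains(log=LOG, blacklist=BLACKLIST, threshold=8.0):
    """Union of the two heuristics; threshold is a constructed cut-off."""
    records = list(parse(log))
    flagged = blacklist_tainted(records, blacklist)
    for qname in {q for _, q, _ in records}:
        if requester_diversity(records, qname) >= threshold:
            flagged.add(qname)
    return sorted(flagged)
```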
[…] based on the observation that an attacker will increase the number of connected graph components due to a sudden growth of edges between unlikely neighbouring nodes. While it depends on being able to accurately model valid network growth, this is a powerful approach because it avoids depending on protocol semantics or packet statistics. However, this work only makes minimal use of spatial relationship information. Additionally, the need for historical record keeping makes it challenging in scenarios where the network is already infected when it seeks […] while our scheme can be used to detect pre-existing botnets as well. Illiofotou et al. [56,57] also exploit dynamicity of […] in order to detect P2P networks. It uses static (spatial) and dynamic (temporal) metrics centred on node and edge level metrics in addition to the largest-connected-component-size as a graph level metric. Our scheme however […] for expanders) and uses the full extent of spatial relationships to discover P2P graphs including the joint degree distribution and the joint-joint degree distribution and so on.

Of the many botnet detection and mitigation techniques mentioned above, most are rather […] and only apply […] botnets such as IRC/HTTP/FTP botnets, although studies [42] indicate that the centralised model is giving way to the P2P model. Of the techniques that do address P2P botnets, detection is […] of certain types of botnets, reverse engineering botnet protocols and so on, which limits the applicability of these techniques. Generic schemes such as BotMiner [43] and TAMD [135] using behaviour based clustering are better […] information which can have legal and privacy implications. It is also important to think about possible defences that botmasters can apply, the cost of these […] Nicol [87, 107] describe schemes to mask the statistical characteristics of […] victim of such schemes will only require minimal alterations to existing botnet […] against detection schemes that depend on packet level statistics including BotMiner and TAMD.

E.5 Host Detection

An initial defence against botnets is to prevent systems from being infected […] systems, and vulnerability patches help, but completely preventing infection is […] encryption [136] and polymorphism [123] among other obfuscation techniques [123] to thwart static analysis based approaches used by anti-virus software. In response, dynamic analysis (see Vasudevan et al. [126] and references therein) overcomes obfuscations that prevent static analysis. Malware authors have countered this by employing trigger based behaviour such as bot command inputs and logic bombs which exploit analyzer limitations of only observing a single execution path. These limitations are overcome by analyzing multiple execution paths [14, 78], but bots may in turn counter this using schemes relying on the principles of secure triggers [39, 109]. In order to remain invisible to detection, bots can also use a variety of VM (Virtual Machine) based techniques for extra stealth, such as installing virtual machines underneath the existing operating system [65] to prevent access from software running on the target system and being able to identify a virtual analysis environment including VMs and honeypots [36]. Graph analysis techniques have also been used in host-based approaches. BLINC [62] is […] of analyzing the “IP social-network” of a machine. Graph analysis has also been applied to automated malware […] graphs [54].

One of the areas that is most important to organisations is to identify hosts that are infected with malware so appropriate actions can be taken. It is important to note here that we are only interested in host detection through the command and control actions of the malware, NOT the actual infection of the malware itself through binary detection (as is covered by anti-virus software).
[…] deal with the detection of C2 activity […] is necessary to avoid or minimise the damages of an attack or ongoing infection. Finally, […] should […] also be taken into account in the context of C2 activity as a way to test the […] used within an organisation. In particular, such security exercises should test whether attempts to set up C2 channels, using both known and new techniques or variations on existing techniques, would be detected by the other controls employed by the organisation.

F.4 Discussion

Limitations

Our review of the Critical Controls shows that while they do include sensible advice on defending against C2 activity, they also have some limitations that […] the most part, these limitations seem a consequence of the general nature of the 20 Critical Controls, which are not […] First, controls are often extremely […] may be easy for a reader to focus on the defensive mechanisms rather than on the results that they provide.

Generalization of controls for C2 detection and disruption

From our discussion of C2 techniques and defences, it is evident that most approaches to the detection of C2 […] and applying some form of detection […] include activities that lead organisations toward this approach to security; here, we will generalise and comment on these recommendations:

Monitor all inbound and outbound […] attacks that may lead to an infection, for example, drive-by-download or spear phishing attacks. Outbound […] for indications that a C2 channel has […] Command & Control check-in, etc.)

Monitor network activity to identify connection attempts to known-bad end points, i.e., IPs and domains that are known to be […] of compromise. Both assumptions may need to be re-evaluated from time to time: we have seen that attackers are devising new methods […] a network may change as new services and devices are introduced. […] for this recommendation is that it may be easier to collect such data, rather than setting up a full network monitoring system. As we have seen from our literature review, several approaches have been devised to […] inputs.

Architect the network in such a way […] and the activation of responses to attacks. For example, by having a […] passes through, an organisation can simplify the full collection of […] example, network segmentation can help keep separated (e.g., networks hosting front-facing
servers vs. those hosting internal services). In addition, the use of rate limiting techniques may slow down […] data and increase the window of time in which a detection can occur.

Risks

There are several factors that may limit […] are always looking for ways to “remain under the radar” and avoid detection. […] content analysis techniques, they may use encrypted communication protocols, […] a network. To thwart controls that call […] of known malicious entities, attackers refrain from re-using artefacts (such as actual attack vectors, servers, and domain names) in multiple attacks. To work around anomaly detection approaches, attackers may make their […]

Practical matters

We will conclude our review of security controls with a discussion of some non-technical issues that may face an adopter of the controls. For example, potentially higher than normal false […] apply a control in its entirety. In addition, implementing a control may require changes to or collaboration from a multitude of departments or groups inside the organisation. For example, […] that the security group interacts with the networking group. It would be helpful to have some guidance on addressing such issues, perhaps in the form of case studies.

An approach that we have seen applied successfully to the introduction of new controls for C2 activity could be summarised as “start small, measure, and scale up”. An organisation does not need to apply a control throughout its entire infrastructure (…): for example, it could choose to initially protect a subset of users, such as a high-risk group, or a group that is tolerant to initial experimentation with […] performance requirements and still a good potential of leading to the detection of C2 channel activity. After the initial, limited implementation of a control, […] (…). If successful, the control could be extended to larger portions of the organisation (…).
Bibliography

[2] […] Compatibility is Not Transparency: VMM Detection Myths and Realities. In […], 2007.
[3] […] networks.
[4] […]. In […], 2012.
[5] […], 2011.
[…], 2010.
[12] […] detection. In […].
[13] J. Brenner. […]. The Penguin Press HC, 2011.
[14] […] Yin. Automatically identifying trigger-based behavior in malware. In […].
[15] http://www.leginfo.ca.gov/pub/01-02/bill/asm/ab_0651-0700/ab_700_bill_20020929_chaptered.pdf.
[16] […]. In […], Dec. 2002.
[17] http://www.cisco.com/
[18] R. Clarke. […]. Ecco, 2010.
[19] http://computer-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain, 2009.
[21] […] addresses. In […].
[23] […], 2013.
[25] […] Gigascope: a stream database for network applications. In […].
[27] http://[…], 2011.
[28] http://blog.cj2s.de/archives/28-Feederbot-a-bot-using-DNS-as-carrier-for-its-CC.html, 2011.
[29] R. Dingledine. Many more Tor users in the past week? https://lists.torproject.org/pipermail/tor-talk/2013-August/029582.html, 2013.
[30] […] generation onion router. In […], Aug. 2004.
[31] […] Dynamic Malware Analysis Techniques and Tools. […], 44(2), 2012.
[32] M. Felegyhazi, C. Kreibich, and V. Paxson. On the Potential of Proactive Domain Blacklisting. 2010.
[36] […] van Doorn. Towards sound detection of virtual machines. In […], 2008.
[37] […] the Nature and Causes of the Wealth of Internet Miscreants. In Proc. of the […].
[39] […] Foundations and applications for secure triggers. ACM Trans. Inf. […]
[42] […] Peer-to-peer botnets: Overview and case study. In Hot[…], Apr. 2007.
[…] Correlation. In […], 2007.
[45] […]
[46] […] https://community.rapid7.com/community/infosec/blog/2012/12/06/skynet-a-tor-powered-botnet-straight-from-reddit, 2012.
[47] […]
[48] […]. In […], 2009.
[…]), 2008.
[53] […] is dead: Observing unobservable network communications. In […], 2013.
[54] […] indexing using function-call graphs. In Proceedings of the 16th ACM […]
[58] […] Web Pages. In […], 2012.
[61] […] Association.
[63] […] detection and characterization. In […], Apr. 2007.
[65] […]
[67] […], February 13 2013.
[68] […] Blacklists. […], 35(1), 2012.
[70] […] analysis of structured peer-to-peer systems: Routing distances and fault resilience. In […], Aug. 2003.
[76] […], 2012.
[79] http://www.symantec.com/connect/blogs/morto-worm-sets-dns-record, 2011.
[80] […] malware surveillance of the Tibetan movement. Technical Report UCAM-CL-TR-746, University of Cambridge, March 2009.
[81] […]
[82] […] BotGrep: Finding P2P bots with structured graph analysis. In […]
[83] […] designs compromised by Chinese cyberspies. […], May 27 2013.
[86] […] New C&C Domains in Live Networks with Adaptive Control Protocol Templates. In […], 2013.
[87] […]
[89] […] Network Traces. In […], 2010.
[91] N. Perlroth. Hackers in China Attacked The Times for Last 4 Months. […], January 30 2013.
[…], 2008.
[93] […] 10-01, 2007.
[94] […]
[98] […] Emulators. In […], 2007.
[100] […] blacklists keep up with bots? In […], 2006.
[…] (RAID), 2013.
[103] […]
[…], 2010.
[…], 2013.
[106] […] Iran. […], 1 June 2012.
[107] […]
[108] https://www.schneier.com/blog/archives/2013/03/security_awaren_1.html, 2013.
[109] […] analysis using conditional code obfuscation. In […], 2008.
[110] […] Zhang. An empirical analysis of phishing blacklists. In […], 2009.
[111] […] Awareness to Combat the Advanced Persistent Threat. In Proc. […], 2009.
[112] […] behavior. In […], 2008.
[113] […] Locating Neighborhoods of Malware on the Web. 2010.
[114] […] Kemmerer, C. Kruegel, and G. Vigna. Your Botnet is my Botnet: Analysis of a Botnet Takeover. In […], 2009.
[115] […] Through the iFrame. In […], 2011.
[116] […], 32(6), Dec. 2007.
[117] […] detection based on network behavior. In […], 2008.
[118] […], 2012.
[119] […], 2011.
[120] […]
[121] […] protocol. http://www.symantec.com/connect/blogs/linux-back-door-uses-covert-communication-protocol, 2013.
[122] […] Times Cyber Attack. http://www.symantec.com/connect/blogs/symantec-statement-regarding-new-york-times-cyber-attack, 2013.
[123] […]. Addison-Wesley Professional, 2005.
[124] […], 2011.
[125] […] Favored APT Attack Bait. Technical report, Trend Micro Incorporated, 2012.
[127] […] Technical report, Verizon, 2013.
[128] […] taidoor-3.html, 2013.
[130] […]
[131] […]
[133] […] Command and Control. […], 10(3), 2013.
[135] […] detection. In DIMVA ’08: Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability […] Verlag.
[138] […] Botgraph: Large scale spamming botnet detection. In […], 2009.