faster c c detection strategies for finding
play

faster c&c detection - strategies for finding algorithmically - PowerPoint PPT Presentation

Oct 24, 2022 •371 likes •1.38k views

. Malgorzata Debska September 22, 2015 CERT Polska faster c&c detection - strategies for finding algorithmically generated domain names Introduction - what is DGA? Malicious usage in botnets Benign DGA - false alarms in detection

  1. . Malgorzata Debska September 22, 2015 CERT Polska faster c&c detection - strategies for finding algorithmically generated domain names

  2. Introduction - what is DGA? Malicious usage in botnets Benign DGA - false alarms in detection systems Current detection techniques - classification Challenges and conclusion list of topics

  3. . introduction - what is dga?

  4. 4 algorithmically generated domain names

  5. • randomness of characters • characters set • distribution of frequency of character usage • length of generated domains • level of domain generation • utilized set of top level domains 5 diffrencies in generated domains:

  6. • randomness of characters • characters set • distribution of frequency of character usage • length of generated domains • level of domain generation • utilized set of top level domains 5 diffrencies in generated domains:

  7. • randomness of characters • characters set • distribution of frequency of character usage • length of generated domains • level of domain generation • utilized set of top level domains 5 diffrencies in generated domains:

  8. • randomness of characters • characters set • distribution of frequency of character usage • length of generated domains • level of domain generation • utilized set of top level domains 5 diffrencies in generated domains:

  9. • randomness of characters • characters set • distribution of frequency of character usage • length of generated domains • level of domain generation • utilized set of top level domains 5 diffrencies in generated domains:

  10. • randomness of characters • characters set • distribution of frequency of character usage • length of generated domains • level of domain generation • utilized set of top level domains 5 diffrencies in generated domains:

  11. dyre gameover-zeus banjori a3f6e2d182a40304a8874e994a294ec314.cc bnmtsemitismgavenuteq.com antisemitismgavenuteq.com hlrfrsensinaix.com xjsrrsensinaix.com 5bpzt0njqbkqlbwupc8vi3yt.org 1fhvdfa1hr7na1gu9vmv6r710j.biz 1yz3uuo1yg5zmf1u7goe81sy0xy9.net 1g22l018lpt4alpeypioqq24k.com cc466dc54278d8e0fe14bdd2038b927e6f.to b5191b0ad53da1f1fa66653610e7601856.ws 6 galin.eu puzej.eu qekol.eu lykef.eu safkylboxhb.com ctskthnhq.com mhrmhuxlcvkxay.com pttthldqrdt.net qeh2p2u9pd3i1.com fg4zstnd3ftwh.net jmqvlmmbred2e.com examples tinba-dga dircrypt simda

  12. 6 qekol.eu 1yz3uuo1yg5zmf1u7goe81sy0xy9.net 1g22l018lpt4alpeypioqq24k.com xjsrrsensinaix.com cc466dc54278d8e0fe14bdd2038b927e6f.to b5191b0ad53da1f1fa66653610e7601856.ws a3f6e2d182a40304a8874e994a294ec314.cc hlrfrsensinaix.com galin.eu puzej.eu lykef.eu 5bpzt0njqbkqlbwupc8vi3yt.org antisemitismgavenuteq.com safkylboxhb.com ctskthnhq.com mhrmhuxlcvkxay.com bnmtsemitismgavenuteq.com pttthldqrdt.net qeh2p2u9pd3i1.com fg4zstnd3ftwh.net jmqvlmmbred2e.com 1fhvdfa1hr7na1gu9vmv6r710j.biz examples tinba-dga dyre gameover-zeus dircrypt simda banjori

  13. . malicious usage in botnets

  14. Every second infected host try to connect with hundreds or thousands alghoritmically generated domain name • most of domains return NX response • attacker needs to have a couple of registered domains 8 c&c server’s name example

  15. Every second infected host try to connect with hundreds or thousands alghoritmically generated domain name • most of domains return NX response • attacker needs to have a couple of registered domains 8 c&c server’s name example

  16. • DNS communication • algorithm that generates domain names • shared seed between botmaster and clients • victims search C&C server by DNS query 9 dga botnet communication

  17. • DNS communication • algorithm that generates domain names • shared seed between botmaster and clients • victims search C&C server by DNS query 9 dga botnet communication

  18. • DNS communication • algorithm that generates domain names • shared seed between botmaster and clients • victims search C&C server by DNS query 9 dga botnet communication

  19. • DNS communication • algorithm that generates domain names • shared seed between botmaster and clients • victims search C&C server by DNS query 9 dga botnet communication

  20. 10 generator’s seed Is it easy to predict and sinkhole DGA domains ahead?

  21. Figure 1: Ramnit All domains generated alghoritmically are dependent on specified seed • date (CryptoLocker, Conficker, GameOverZeus) • currently trending Twitter hashtag (Torpig) • seed hardcoded in infected file (Tinba) • ... Seeds are globally consistent - victims use the same one at the same time 11 generator’s seed

  22. Figure 1: Ramnit All domains generated alghoritmically are dependent on specified seed • date (CryptoLocker, Conficker, GameOverZeus) • currently trending Twitter hashtag (Torpig) • seed hardcoded in infected file (Tinba) • ... Seeds are globally consistent - victims use the same one at the same time 11 generator’s seed

  23. Figure 1: Ramnit All domains generated alghoritmically are dependent on specified seed • date (CryptoLocker, Conficker, GameOverZeus) • currently trending Twitter hashtag (Torpig) • seed hardcoded in infected file (Tinba) • ... Seeds are globally consistent - victims use the same one at the same time 11 generator’s seed

  24. Figure 1: Ramnit All domains generated alghoritmically are dependent on specified seed • date (CryptoLocker, Conficker, GameOverZeus) • currently trending Twitter hashtag (Torpig) • seed hardcoded in infected file (Tinba) • ... Seeds are globally consistent - victims use the same one at the same time 11 generator’s seed

  25. Figure 1: Ramnit All domains generated alghoritmically are dependent on specified seed • date (CryptoLocker, Conficker, GameOverZeus) • currently trending Twitter hashtag (Torpig) • seed hardcoded in infected file (Tinba) • ... Seeds are globally consistent - victims use the same one at the same time 11 generator’s seed

  26. Figure 1: Ramnit All domains generated alghoritmically are dependent on specified seed • date (CryptoLocker, Conficker, GameOverZeus) • currently trending Twitter hashtag (Torpig) • seed hardcoded in infected file (Tinba) • ... Seeds are globally consistent - victims use the same one at the same time 11 generator’s seed

  27. All domains generated alghoritmically are dependent on specified seed • date (CryptoLocker, Conficker, GameOverZeus) • currently trending Twitter hashtag (Torpig) • seed hardcoded in infected file (Tinba) • ... Seeds are globally consistent - victims use the same one at the same time 11 generator’s seed Figure 1: Ramnit

  28. All domains generated alghoritmically are dependent on specified seed • date (CryptoLocker, Conficker, GameOverZeus) • currently trending Twitter hashtag (Torpig) • seed hardcoded in infected file (Tinba) • ... Seeds are globally consistent - victims use the same one at the same time 11 generator’s seed Figure 1: Ramnit

  29. 12 • Cryptolocker AND MORE ... • Ramdo • Necrus • Flashback • Gozi • DirCrypt • Qakbot • BankPatch • Gozi • Emotet • Rovnix • Pykspa • Dyre • Shiotob • Necurs • Murofet • Bobax • Conficker • Ramnit • Pykpsa • Emotet • Pushdo • Matsu • Banjori • GameoverZeus is it a serious problem? what malware use dga?

  30. • domain name contains random alphanumeric characters and words from dictionary • names are builds from english syllables 13 different techinques but still dga

  31. • domain name contains random alphanumeric characters and words from dictionary • names are builds from english syllables 13 different techinques but still dga

  32. . benign dga - false alarms in detection systems

  33. 0.0.0.0.1.0.0.4e.135jg5e1pd7s4735ftrqweufm5.avqs.mcafee.com 0.0.0.0.1.0.0.4e.13cfus2drmdq3j8cafidezr8l6.avqs.mcafee.com 0.0.0.0.1.0.0.4e.13kqas3qjj46ttkdhastkrdsv6.avqs.mcafee.com 0.0.0.0.1.0.0.4e.13pq3hfpunqn1d51pmvbdkk5s6.avqs.mcafee.com 0.0.0.0.1.0.0.4e.13qh71bf782qb54uzz9uhdz4mq.avqs.mcafee.com This higher level domain contains basic information about the file, its hash, version of the McAfee system and information about the execution environment 1 DNS Noise: Measuring the Pervasiveness of Disposable Domains in Modern DNS Traffic, Yizheng Chen et al. 15 requests of av tools Example 1

  34. 0.0.0.0.1.0.0.4e.135jg5e1pd7s4735ftrqweufm5.avqs.mcafee.com 0.0.0.0.1.0.0.4e.13cfus2drmdq3j8cafidezr8l6.avqs.mcafee.com 0.0.0.0.1.0.0.4e.13kqas3qjj46ttkdhastkrdsv6.avqs.mcafee.com 0.0.0.0.1.0.0.4e.13pq3hfpunqn1d51pmvbdkk5s6.avqs.mcafee.com 0.0.0.0.1.0.0.4e.13qh71bf782qb54uzz9uhdz4mq.avqs.mcafee.com This higher level domain contains basic information about the file, its hash, version of the McAfee system and information about the execution environment 1 DNS Noise: Measuring the Pervasiveness of Disposable Domains in Modern DNS Traffic, Yizheng Chen et al. 15 requests of av tools Example 1

  35. • Now, IDNs are also used for malicious purposes • IDNs always begin with ’xn–’ prefix 16 internationalized domain name

  36. • Now, IDNs are also used for malicious purposes • IDNs always begin with ’xn–’ prefix 16 internationalized domain name

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Gene Finding Strategies to find gene structures on the web Swiss Institute of Bioinformatics

Gene Finding Strategies to find gene structures on the web Swiss Institute of Bioinformatics

Gene Finding Strategies to find gene structures on the web Swiss Institute of Bioinformatics (SIB) 26-30 November 2001 Course 2001 Gene finding Introduction Gene finding is about detecting coding regions and infer gene structure Gene finding

647 views • 36 slides
Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences J.

Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences J.

Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences J. Bi, J-S. Coron, J-C. Faug` ere, P . Nguyen, G. Renault, R. Zeitoun Public Key Cryptography 2014 26-28 March, 2014 - Buenos Aires, Argentina

613 views • 36 slides
A Faster Algorithm for Finding Minimum Tucker Submatrices Guillaume Blin Romeo Rizzi St

A Faster Algorithm for Finding Minimum Tucker Submatrices Guillaume Blin Romeo Rizzi St

A Faster Algorithm for Finding Minimum Tucker Submatrices Guillaume Blin Romeo Rizzi St ephane Vialette LIGM Universit e Paris-Est Marne-la-Vall ee, France DIMI Universit degli Studi di Udine, Italy. June 2010 Consecutive ones

471 views • 26 slides
Faster Region-based Hotspot Detection Ran Chen 1 , Wei Zhong 2 , Haoyu Yang 1 , Hao Geng 1 , Xuan

Faster Region-based Hotspot Detection Ran Chen 1 , Wei Zhong 2 , Haoyu Yang 1 , Hao Geng 1 , Xuan

Faster Region-based Hotspot Detection Ran Chen 1 , Wei Zhong 2 , Haoyu Yang 1 , Hao Geng 1 , Xuan Zeng 3 , Bei Yu 1 1 The Chinese University of Hong Kong 2 Dalian University of Technology 3 Fudan University 1 / 16 Lithography Hotspot Detection

641 views • 16 slides
Class 4: Finding facts faster Class Outline 4.1 Search-by-image 4.2 Search features 4.3

Class 4: Finding facts faster Class Outline 4.1 Search-by-image 4.2 Search features 4.3

Class 4: Finding facts faster Class Outline 4.1 Search-by-image 4.2 Search features 4.3 Conversions and calculator 4.4 Left-hand panel and date range limiting 4.5 Foreign pages and "translate" * Lesson 4.1 : Search-by-image

408 views • 5 slides
Unsupervised scene adaptation for faster multi-scale pedestrian detection Speaker Federico

Unsupervised scene adaptation for faster multi-scale pedestrian detection Speaker Federico

Unsupervised scene adaptation for faster multi-scale pedestrian detection Speaker Federico Bartoli 1 Giuseppe Lisanti 1 , Svebor Karaman 1 , Andrew D. Bagdanov 2 and Alberto Del Bimbo 1 1 MICC (Media Integration and Communication Center) -

311 views • 19 slides
Yet a Faster Motion Estimation Algorithm with Directional Search Strategies Speaker: Prof. W.C.

Yet a Faster Motion Estimation Algorithm with Directional Search Strategies Speaker: Prof. W.C.

15 th International Conference on Digital Signal Processing (DSP2007), July 2007, Cardiff, UK. Yet a Faster Motion Estimation Algorithm with Directional Search Strategies Speaker: Prof. W.C. Siu Ying Zhang+*, Wan-Chi Siu* and Tingzhi Shen+*

348 views • 12 slides
CS7015 (Deep Learning) : Lecture 12 Object Detection: R-CNN, Fast R-CNN, Faster R-CNN, You Only

CS7015 (Deep Learning) : Lecture 12 Object Detection: R-CNN, Fast R-CNN, Faster R-CNN, You Only

CS7015 (Deep Learning) : Lecture 12 Object Detection: R-CNN, Fast R-CNN, Faster R-CNN, You Only Look Once (YOLO) Mitesh M. Khapra Department of Computer Science and Engineering Indian Institute of Technology Madras 1/47 Mitesh M. Khapra

1.17k views • 47 slides
Detection and Estimation Theory Lecture 7 Mojtaba Soltanalian- UIC msol@uic.edu

Detection and Estimation Theory Lecture 7 Mojtaba Soltanalian- UIC msol@uic.edu

Detection and Estimation Theory Lecture 7 Mojtaba Soltanalian- UIC msol@uic.edu http://msol.people.uic.edu Based on ECE 531 Slides- 2011 (Prof. Natasha Devroye) Finding MVUE- what we discussed Finding MVUE- what we discussed Finding MVUE-

763 views • 17 slides
Detection and Estimation Theory Lecture 8 Mojtaba Soltanalian- UIC msol@uic.edu

Detection and Estimation Theory Lecture 8 Mojtaba Soltanalian- UIC msol@uic.edu

Detection and Estimation Theory Lecture 8 Mojtaba Soltanalian- UIC msol@uic.edu http://msol.people.uic.edu Based on ECE 531 Slides- 2011 (Prof. Natasha Devroye) Finding MVUE- what we discussed Finding MVUE- what we discussed Finding MVUE-

380 views • 19 slides
CS6501: Deep Learning for Visual Recognition Object Detection: RCNN, Fast-RCNN, Faster-RCNN

CS6501: Deep Learning for Visual Recognition Object Detection: RCNN, Fast-RCNN, Faster-RCNN

CS6501: Deep Learning for Visual Recognition Object Detection: RCNN, Fast-RCNN, Faster-RCNN Todays Class Object Detection The RCNN Object Detector (2014) The Fast RCNN Object Detector (2015) The Faster RCNN Object Detector

747 views • 29 slides
Strategies for the Detection of Dark Matter What do we know? What have we achieved so far?

Strategies for the Detection of Dark Matter What do we know? What have we achieved so far?

Bernard Sadoulet Dept. of Physics /LBNL UC Berkeley UC Institute for Nuclear and Particle Astrophysics and Cosmology (INPAC) Strategies for the Detection of Dark Matter What do we know? What have we achieved so far? Entering interesting

341 views • 22 slides
Early Detection of Aquatic Invasive Species finding the needle in the haystack Jim Grazio,

Early Detection of Aquatic Invasive Species finding the needle in the haystack Jim Grazio,

Early Detection of Aquatic Invasive Species finding the needle in the haystack Jim Grazio, Ph.D. PA DEP- Office of the Great Lakes 19 March 2019 Presentation Outline Share current AIS monitoring research Discuss regional AIS

623 views • 24 slides
Finding Optimal Mixed Finding Optimal Mixed Strategies to Commit to in g Security Games

Finding Optimal Mixed Finding Optimal Mixed Strategies to Commit to in g Security Games

Finding Optimal Mixed Finding Optimal Mixed Strategies to Commit to in g Security Games Vincent Conitzer Departments of Computer Science and Economics Departments of Computer Science and Economics Duke University Co-authors on various

1.24k views • 74 slides
Finding Camoufmaged Needle in a Haystack? Pornographic Products Detection via Berrypicking Tree

Finding Camoufmaged Needle in a Haystack? Pornographic Products Detection via Berrypicking Tree

. Zhuoren Jiang 3 . . . . . . . Finding Camoufmaged Needle in a Haystack? Pornographic Products Detection via Berrypicking Tree Model Guoxiu He 1,2 Yangyang Kang 2 Zhe Gao 2 Changlong Sun 2 . Xiaozhong Liu *4,2 Wei Lu *1 Qiong Zhang 2 Luo

489 views • 19 slides
How To Ramp Your Reps In Q4 & Start 2020 Off Right 5 killer strategies to onboard reps faster

How To Ramp Your Reps In Q4 & Start 2020 Off Right 5 killer strategies to onboard reps faster

How To Ramp Your Reps In Q4 & Start 2020 Off Right 5 killer strategies to onboard reps faster and crush your sales targets. You should be hearing my melodious voice - if not, let us know in the chat. Drop your questions in the chat

652 views • 32 slides
MEETING OCTOBER 11, 2017 OCTOBER AGENDA Call to Order 12:00 Roll Call and Introductions,

MEETING OCTOBER 11, 2017 OCTOBER AGENDA Call to Order 12:00 Roll Call and Introductions,

EHEALTH COMMISSION MEETING OCTOBER 11, 2017 OCTOBER AGENDA Call to Order 12:00 Roll Call and Introductions, Approval of September Minutes, October Agenda and Objectives Announcements 12:05 OeHI Updates State Agency and SIM HIT Updates

408 views • 21 slides
ITCC January 11, 2017 Room 438 - ITD Agenda 1:00 Update on EA Activity Jeff Quast 1:15

ITCC January 11, 2017 Room 438 - ITD Agenda 1:00 Update on EA Activity Jeff Quast 1:15

ITCC January 11, 2017 Room 438 - ITD Agenda 1:00 Update on EA Activity Jeff Quast 1:15 Update on ITD Activity Gary Vetter 1:30 Update on Agency Activities Jeff Quast Waiver Tobacco Domain Name 1:45 Jeff Quast 2:15 Standards

481 views • 11 slides
The B e Bigges est Ob Obstacle f e for Innovating with Ne New TLDs Ds ROW#9 - June 16,

The B e Bigges est Ob Obstacle f e for Innovating with Ne New TLDs Ds ROW#9 - June 16,

Domain Name Registrar The B e Bigges est Ob Obstacle f e for Innovating with Ne New TLDs Ds ROW#9 - June 16, 2020 Thomas Barrett EnCirca President EnCirca Presentation: ROW#9 - June 2020 6/16/2020 1 Domain Name Registrar Abou out

358 views • 14 slides
I N V E S T O R P R E S E N T A T I O N / / J u l y 2 0 1 4 LEGAL DISCLAIMER This overview

I N V E S T O R P R E S E N T A T I O N / / J u l y 2 0 1 4 LEGAL DISCLAIMER This overview

I N V E S T O R P R E S E N T A T I O N / / J u l y 2 0 1 4 LEGAL DISCLAIMER This overview is furnished solely for the purpose of providing you information about Rightside Group, Ltd. (the Company). The overview is only intended for the

1k views • 50 slides
DNS Session 3: Configuration of Authoritative Nameservice TENET NSRC -2013

DNS Session 3: Configuration of Authoritative Nameservice TENET NSRC -2013

DNS Session 3: Configuration of Authoritative Nameservice TENET NSRC -2013 Recap DNS is a distributed database Resolver asks Cache for information Cache traverses the DNS delegation tree to find Authoritative

630 views • 39 slides
The .it Registry: a short overview Delegated to CNR on December 23rd, 1987 More than

The .it Registry: a short overview Delegated to CNR on December 23rd, 1987 More than

The .it Registry: a short overview Delegated to CNR on December 23rd, 1987 More than 1,860,000 domain names New synchronous registration system from September 28 th , 2009 Coexistence of the two systems until June 2011 About

626 views • 40 slides
Statewide High Speed Network networkMaryland Advisory Group Meeting March 20, 2007 Annapolis,

Statewide High Speed Network networkMaryland Advisory Group Meeting March 20, 2007 Annapolis,

Statewide High Speed Network networkMaryland Advisory Group Meeting March 20, 2007 Annapolis, Maryland MEETING AGENDA Welcome & Introductions State of the Network Status of Project Other Business 2 Welcome

781 views • 28 slides
Investor Presentation July 2018 Legal Disclosure This presentation contains forward-looking

Investor Presentation July 2018 Legal Disclosure This presentation contains forward-looking

Investor Presentation July 2018 Legal Disclosure This presentation contains forward-looking statements within the meaning of the federal securities laws, including statements regarding future financial performance, business strategy and

719 views • 39 slides

More recommend