Monitoring Command-and-Control Channels with ccSpy Final - - PowerPoint PPT Presentation

SLIDE 1

Monitoring Command-and-Control Channels with ccSpy

Final Presentation
Oliver Gasser

Interdisciplinary Project
Advisor: Lothar Braun
Chair for Network Architectures and Services
Faculty of Computer Science
Technische Universität München

March 22, 2013

Oliver Gasser (TU München) Monitoring C&C Channels with ccSpy 1

SLIDE 2

Outline

1 Motivation
2 Previous Work
3 Goals
4 Design and Implementation
5 Evaluation
6 Summary

SLIDE 4

Motivation

Acquire knowledge about botnets in the wild
  Observe
  Learn
Short-term: Take a closer look at active Command-and-Control channels
  Clients
  C&C servers
Long-term: Identify botnet traffic
  Develop strategies

SLIDE 8

Previous Work

Malware analysis
Active botnet monitoring
Passive botnet detection

SLIDE 11

Malware Analysis

Figure: CWSandbox runs bot.exe inside a virtual machine and records the files it touches (file1.txt, file2.txt) and the URLs it contacts (www.evilsite.com/spam.exe, www.google.com/)

SLIDE 12

CWSandbox report

    <analysis file="c:\bot.exe" ...>
      ...
      <connection transportprotocol="TCP" remoteaddr="173.194.69.113" remoteport="80" protocol="HTTP" ...>
        <http_data>
          <http_cmd method="GET" url="www.google.com/" httpversion="HTTP/1.1">
            <header_data>
              <header>Host: www.google.com</header>
              ...
            </header_data>
          </http_cmd>
        </http_data>
      </connection>
      ...
    </analysis>

SLIDE 13

ccSpy

Figure: ccSpy Server with ccSpy Client 1 and ccSpy Client 2; the clients monitor Botnet C&C Server A and Botnet C&C Server B

ccSpy
  Developed by Philipp Lowack, TUM
  Distributed botnet monitoring tool

SLIDE 14

ccSpy

ccSpy Server
  Assigns botnet servers to ccSpy clients
  Stores monitoring results
  Communication with clients protected by TLS

SLIDE 15

ccSpy

ccSpy Client
  Receives botnet configurations from ccSpy server
  Monitors botnet's command and control channel
  Sends results back to ccSpy server

SLIDE 17

Goals

Automated workflow for botnet monitoring
  Download malware reports from CWSandbox
  Parse reports and create config for ccSpy
  Monitor C&C channels using ccSpy
Evaluation of malware reports
  Currently active C&C servers
  Usability for Intrusion Detection Systems
Focus: HTTP botnets

SLIDE 21

Monitoring HTTP Botnets

Figure: ccSpy Server, ccSpy Client 1, ccSpy Client 2, Botnet C&C Server A, Botnet C&C Server B

SLIDE 22

Monitoring HTTP Botnets

Figure: the same setup with IRC Botnet C&C Server A and IRC Botnet C&C Server B, each monitored through an IRC module

Modules for monitoring different C&C channels

SLIDE 23

Monitoring HTTP Botnets

Figure: an HTTP Botnet C&C Server C is added and monitored through a new HTTP module

New: Develop module to monitor HTTP C&C channels

SLIDE 24

ccSpy HTTP module

ccSpy modules
  Modules for different C&C channel communication types
  IRC already implemented
  HTTP module was implemented during this project
HTTP module
  HTTP fundamentally different from IRC
  HTTP retains no state, client needs to be active
  Complete redesign of module layout necessary

SLIDE 27

Automated Workflow

Figure: CWSandbox malware reports feed a "Generate ccSpy config" step whose output goes to the ccSpy Server; the clients' IRC and HTTP modules then monitor IRC Botnet C&C Servers A and B and HTTP Botnet C&C Server C

Generate ccSpy config from CWSandbox reports

SLIDE 28

Automated Workflow

1 Retrieve malware reports from CWSandbox
2 Parse reports to locate HTTP traffic
3 Generate ccSpy configuration and start ccSpy HTTP module
4 Analyze results obtained from potential C&C servers

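Steps 2 and 3 of the workflow above, carried through as an added example; this is not ccSpy's own code and is not part of the original slides. It parses a constructed CWSandbox-style report laid out like the excerpt on slide 12 (analysis > connection > http_data > http_cmd > header_data > header), keeps only the HTTP connections, and writes a configuration for an HTTP monitoring module. The JSON config layout, the poll_interval_s field, and the non-Google hosts, addresses and ports in the sample report are assumptions; ccSpy's real configuration format is not shown on the slides.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample report laid out like the CWSandbox excerpt on slide 12.
# www.google.com is the benign contact the slide itself shows; the other host,
# addresses and ports are made up (example.invalid is a reserved TLD).
SAMPLE_REPORT = """<analysis file="c:\\bot.exe">
  <connection transportprotocol="TCP" remoteaddr="173.194.69.113" remoteport="80" protocol="HTTP">
    <http_data>
      <http_cmd method="GET" url="www.google.com/" httpversion="HTTP/1.1">
        <header_data>
          <header>Host: www.google.com</header>
          <header>User-Agent: Mozilla/4.0 (compatible)</header>
        </header_data>
      </http_cmd>
    </http_data>
  </connection>
  <connection transportprotocol="TCP" remoteaddr="198.51.100.23" remoteport="8080" protocol="HTTP">
    <http_data>
      <http_cmd method="POST" url="c2.example.invalid/update.php" httpversion="HTTP/1.1">
        <header_data>
          <header>Host: c2.example.invalid</header>
        </header_data>
      </http_cmd>
    </http_data>
  </connection>
  <connection transportprotocol="TCP" remoteaddr="198.51.100.23" remoteport="6667" protocol="IRC"/>
</analysis>
"""


def extract_http_requests(report_xml):
    """Step 2: walk a CWSandbox-style report and return one record per HTTP request."""
    root = ET.fromstring(report_xml)
    requests = []
    for conn in root.iter("connection"):
        if conn.get("protocol") != "HTTP":
            continue  # IRC and other channels are handled by other ccSpy modules
        for cmd in conn.iter("http_cmd"):
            headers = {}
            for hdr in cmd.iter("header"):
                name, _, value = (hdr.text or "").partition(":")
                headers[name.strip().lower()] = value.strip()
            requests.append({
                "remoteaddr": conn.get("remoteaddr"),
                "remoteport": int(conn.get("remoteport", "80")),
                "method": cmd.get("method"),
                "url": cmd.get("url"),
                "host": headers.get("host"),
            })
    return requests


def build_ccspy_config(requests, poll_interval_s=300):
    """Step 3: group the requests by server into a hypothetical HTTP-module config.

    HTTP keeps no state between requests (slide 24), so the monitoring client has
    to replay each request itself; the config therefore records the exact method,
    path and Host header of every request the sample made, once per server.
    """
    servers = {}
    for req in requests:
        key = (req["remoteaddr"], req["remoteport"])
        entry = servers.setdefault(key, {"address": key[0], "port": key[1], "requests": []})
        # the report stores "host/path" in the url attribute; the module needs only the path
        _, _, path = req["url"].partition("/")
        replay = {"method": req["method"], "path": "/" + path, "host": req["host"]}
        if replay not in entry["requests"]:
            entry["requests"].append(replay)
    return {"module": "http", "poll_interval_s": poll_interval_s, "servers": list(servers.values())}


def generate_config_json(report_xml):
    """Steps 2 and 3 end to end: report XML in, JSON config text out."""
    return json.dumps(build_ccspy_config(extract_http_requests(report_xml)), indent=2)


if __name__ == "__main__":
    print(generate_config_json(SAMPLE_REPORT))
```

The IRC connection in the sample is dropped because the HTTP module only replays HTTP requests; the benign Google request survives, which is exactly the pre-filtering problem slide 50 comes back to.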

SLIDE 32

Preliminary Results

Tests showed that very few reports contained HTTP traffic
Most of the servers were already offline (> 95 %)
Consequences
  Not usable for finding active C&C servers
  Reason: Servers go offline
  Timeliness of data

SLIDE 35

Alternative Workflow

Different use of malware reports
  Assumption: Reports contain malware's behavior
Ideas
  Monitoring of live traffic for botnet channel communication
  Look for behavior in online passive monitoring
Approach: Use malware reports to generate Snort rules
  Monitor traffic on 10 Gbps MWN link

SLIDE 40

Automated Workflow: Snort

Figure: CWSandbox malware reports are downloaded and turned into HTTP Snort rules, which Snort then uses to monitor traffic

Download reports
Generate HTTP Snort rules
Monitor

SLIDE 42

Monitoring Results

Monitoring 10 Gbps MWN link for HTTP C&C channels
Snort
  Snort ran for 3 days and 6 hours
  Sampling: 20 kB of each connection
  14.8 billion packets were processed (> 50 k packets per second)
  About 790 million TCP sessions
HTTP Traffic
  5.4 billion packets containing HTTP traffic
  300 million GETs, 26 million POSTs
Rules created by extracting URLs from malware reports
  2.4 million alerts were triggered, 0.7 % of all GETs and POSTs

SLIDE 45

HTTP Botnet Traffic Analysis

Most common IP addresses

IP address       Domain            Occurrences
141.84.149.211   uni-muenchen.de       174,142
173.194.69.94    1e100.net             130,642
129.187.164.90   uni-muenchen.de        96,319
173.194.69.139   1e100.net              61,129
173.194.69.132   1e100.net              59,828
173.194.69.100   1e100.net              58,477
173.194.69.101   1e100.net              58,251
173.194.69.113   1e100.net              57,938
173.194.69.102   1e100.net              57,937
173.194.69.138   1e100.net              57,528

Total: 115 k distinct IP addresses

SLIDE 46

HTTP Botnet Traffic Analysis

Most common URLs

URL                                   Meaning                        Occurrences
/favicon.ico                          Favicon                          1,320,234
/generate_204                         HTTP Code 204: No Content          292,292
/ga.js                                Google Analytics JavaScript        214,919
/style.css                            Style sheet                        119,922
/index.php                            Index                              114,457
/index.html                           Index                              110,511
/pki/crl/products/CodeSignPCA2.crl    Microsoft's CRL                     55,724
/pki/crl/products/CodeSignPCA.crl     Microsoft's CRL                     20,524
/update/idx/master.idx                AntiVir Update                      18,030
/inputtools/images/tia.png            Google's Keyboard Icon              15,744

Total: 186 distinct URLs

SLIDE 47

Possible Botnet Traffic

/logo.gif: Disguised config file

    <Error>
      <Code>NoSuchBucket</Code>
      <Message>The specified bucket does not exist</Message>
      <BucketName>logo.gif</BucketName>
      <RequestId>D4394C0A37CD808F</RequestId>
      <HostId>nfPPXyYUhOKNPMVrzslQ35aNierX17TBcfuNOaMD9k5jP+/iMPq1pH81g3OqwNt9</HostId>
    </Error>

/api/ping: Online check
  Answer: {"pong":true}

/update.php: Additional domains and time

    <response>
      <t dt:dt="int">1363944457</t>
      <srv>amonisto.org, amonitiser.com, hamonetizer.com</srv>
      <del-comp/>
      <add-comp>
        <name>updater</name>
      </add-comp>
      <upd-comp/>
      <present-comp/>
    </response>

SLIDE 50

Results

Many benign matches
Reasons
  No distinction between system traffic, online checks, ... and botnet control traffic
Automation is difficult
Important
  High-quality malware reports
  Pre-filter results

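The "Generate HTTP Snort rules" step of slide 40 combined with the "Pre-filter results" point of slide 50, as an added example that is neither the project's code nor part of the slides. It takes (host, method, path) triples of the kind the report parser yields, drops the requests that the MWN measurement on slide 46 showed to be benign (favicons, analytics, CRL downloads, Google's connectivity check) plus an assumed host allowlist, and emits one Snort rule per remaining request using the standard http_method/http_uri/http_header content modifiers. The allowlist contents, the sid range, the rule message and the example.invalid hosts are assumptions.

```python
# Paths that the MWN measurement on slide 46 showed to be overwhelmingly benign.
BENIGN_PATHS = {
    "/", "/favicon.ico", "/generate_204", "/ga.js", "/style.css",
    "/index.php", "/index.html",
    "/pki/crl/products/CodeSignPCA2.crl", "/pki/crl/products/CodeSignPCA.crl",
}
# Assumed allowlist of infrastructure that sandboxed samples contact without it
# being C&C; slide 45 only shows google/1e100.net and the university's own hosts.
BENIGN_HOST_SUFFIXES = ("google.com", "1e100.net", "microsoft.com", "uni-muenchen.de")

# Constructed (host, method, path) triples as a batch of CWSandbox reports would
# yield them; the example.invalid hosts are made up, the paths mirror slides 46/47.
SAMPLE_RECORDS = [
    ("www.google.com", "GET", "/"),
    ("www.google.com", "GET", "/generate_204"),
    ("c2.example.invalid", "POST", "/update.php"),
    ("static.example.invalid", "GET", "/favicon.ico"),
    ("c2.example.invalid", "GET", "/api/ping"),
    ("c2.example.invalid", "POST", "/update.php"),   # same request seen in a second report
    ("cdn.example.invalid", "GET", "/logo.gif"),
]


def is_benign(host, path):
    """Pre-filter: system traffic and online checks never become rules."""
    if path in BENIGN_PATHS:
        return True
    return any(host == s or host.endswith("." + s) for s in BENIGN_HOST_SUFFIXES)


def escape_content(text):
    """Escape the characters Snort treats specially inside a content:"..." match."""
    return (text.replace("\\", "\\\\").replace('"', '\\"')
                .replace(";", "\\;").replace("|", "\\|"))


def snort_rule(host, method, path, sid):
    """Build one Snort 2.x rule that fires on an outbound request replaying the report."""
    msg = f"Possible HTTP C&C from sandbox report: {method} {host}{path}"
    return ("alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ("
            f'msg:"{escape_content(msg)}"; flow:to_server,established; '
            f'content:"{method}"; http_method; '
            f'content:"{escape_content(path)}"; http_uri; '
            f'content:"Host|3a| {escape_content(host)}"; http_header; nocase; '
            f"classtype:trojan-activity; sid:{sid}; rev:1;)")


def generate_rules(records, start_sid=1000001):
    """Filter, deduplicate and number the records, returning the rule text lines."""
    rules, seen = [], set()
    sid = start_sid
    for host, method, path in records:
        if is_benign(host, path) or (host, method, path) in seen:
            continue
        seen.add((host, method, path))
        rules.append(snort_rule(host, method, path, sid))
        sid += 1
    return rules


if __name__ == "__main__":
    for rule in generate_rules(SAMPLE_RECORDS):
        print(rule)
```

Matching the Host header as well as the URI is what keeps a generic path such as /update.php or /logo.gif from firing on every site that happens to use it; slide 50 attributes the many benign matches to rules that made no such distinction, and the allowlist is the pre-filter that slide asks for.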

SLIDE 54

Summary & Future Work

Summary
  Developed HTTP module for ccSpy
  Monitoring showed most of the servers unreachable
  Adapted to monitoring live traffic with Snort
  Automated workflow from CWSandbox reports to Snort rules
  Benign traffic in malware reports
Future work
  Malware reports from SASER project
  More recent and accurate reports from RUB

SLIDE 56

The End...

Thank you for your attention