monitoring command and control channels with ccspy
play

Monitoring Command-and-Control Channels with ccSpy Final - PowerPoint PPT Presentation

Oct 24, 2022 •433 likes •1.02k views

Monitoring Command-and-Control Channels with ccSpy Final Presentation Oliver Gasser Interdisciplinary Project Advisor: Lothar Braun Chair for Network Architectures and Services Faculty of Computer Science Technische Universit at M

  1. Monitoring Command-and-Control Channels with ccSpy Final Presentation Oliver Gasser Interdisciplinary Project Advisor: Lothar Braun Chair for Network Architectures and Services Faculty of Computer Science Technische Universit¨ at M¨ unchen March 22, 2013 Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 1

  2. Outline 1 Motivation Previous Work 2 Goals 3 4 Design and Implementation Evaluation 5 Summary 6 Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 2

  3. Outline 1 Motivation Previous Work 2 Goals 3 4 Design and Implementation Evaluation 5 Summary 6 Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 3

  4. Motivation Acquire knowledge about botnets in the wild Observe Learn Short-term: Take a closer look at active Command-and-Control channels Clients C&C servers Long-term: Identify botnet traffic Develop strategies Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 4

  5. Motivation Acquire knowledge about botnets in the wild Observe Learn Short-term: Take a closer look at active Command-and-Control channels Clients C&C servers Long-term: Identify botnet traffic Develop strategies Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 4

  6. Motivation Acquire knowledge about botnets in the wild Observe Learn Short-term: Take a closer look at active Command-and-Control channels Clients C&C servers Long-term: Identify botnet traffic Develop strategies Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 4

  7. Outline 1 Motivation Previous Work 2 Goals 3 4 Design and Implementation Evaluation 5 Summary 6 Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 5

  8. Previous Work Malware analysis Active botnet monitoring Passive botnet detection Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 6

  9. Previous Work Malware analysis Active botnet monitoring Passive botnet detection Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 6

  10. Previous Work Malware analysis Active botnet monitoring Passive botnet detection Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 6

  11. Malware Analysis CWSandbox file1.txt file2.txt www.evilsite.com/spam.exe bot.exe www.google.com/ Virtual Machine Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 7

  12. CWSandbox report < analysis f i l e =” c: \ bot . exe ” . . . > . . . < connection t ra ns p o rt pro t o c ol =”TCP” remoteaddr=” 173.194.69.113 ” remoteport=” 80 ” protocol=”HTTP” . . . > < http data > < http cmd method=”GET” u r l =”www. google .com/ ” h t t p v e rs i o n =”HTTP/1.1 ” > < header data > < header > Host: www. google .com < / header > . . . < / header data > < / http cmd > < / http data > < / connection > . . . < / analysis > Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 8

  13. ccSpy Botnet C&C Server A ccSpy Client 1 ccSpy Server Botnet C&C Server B ccSpy Client 2 ccSpy Developed by Philipp Lowack, TUM Distributed botnet monitoring tool Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 9

  14. ccSpy Botnet C&C Server A ccSpy Client 1 ccSpy Server Botnet C&C Server B ccSpy Client 2 ccSpy Server Assigns botnets servers to ccSpy clients Stores monitoring results Communication with clients protected by TLS Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 10

  15. ccSpy Botnet C&C Server A ccSpy Client 1 ccSpy Server Botnet C&C Server B ccSpy Client 2 ccSpy Client Receives botnet configurations from ccSpy server Monitors botnet’s command and control channel Sends results back to ccSpy server Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 11

  16. Outline 1 Motivation Previous Work 2 Goals 3 4 Design and Implementation Evaluation 5 Summary 6 Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 12

  17. Goals Automated workflow for botnet monitoring Download malware reports from CWSandbox Parse reports and create config for ccSpy Monitor C&C channels using ccSpy Evaluation of malware reports Currently active C&C servers Usability for Intrusion Detection Systems Focus: HTTP botnets Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 13

  18. Goals Automated workflow for botnet monitoring Download malware reports from CWSandbox Parse reports and create config for ccSpy Monitor C&C channels using ccSpy Evaluation of malware reports Currently active C&C servers Usability for Intrusion Detection Systems Focus: HTTP botnets Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 13

  19. Goals Automated workflow for botnet monitoring Download malware reports from CWSandbox Parse reports and create config for ccSpy Monitor C&C channels using ccSpy Evaluation of malware reports Currently active C&C servers Usability for Intrusion Detection Systems Focus: HTTP botnets Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 13

  20. Outline 1 Motivation Previous Work 2 Goals 3 4 Design and Implementation Evaluation 5 Summary 6 Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 14

  21. Monitoring HTTP Botnets Botnet C&C Server A ccSpy Client 1 ccSpy Server Botnet C&C Server B ccSpy Client 2 Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 15

  22. Monitoring HTTP Botnets IRC Botnet C&C Server A IRC module ccSpy Client 1 IRC module ccSpy Server IRC Botnet C&C Server B IRC module ccSpy Client 2 Modules for monitoring different C&C channels Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 16

  23. Monitoring HTTP Botnets IRC Botnet C&C Server A IRC module ccSpy Client 1 IRC module ccSpy Server IRC Botnet C&C Server B IRC module ccSpy Client 2 HTTP module HTTP Botnet C&C Server C New New: Develop module to monitor HTTP C&C channels Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 17

  24. ccSpy HTTP module ccSpy modules Modules for different C&C channels communication types IRC already implemented HTTP module was implemented during this project HTTP module HTTP fundamentally different than IRC HTTP retains no state, client needs to be active Complete redesign of module layout necessary Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 18

  25. ccSpy HTTP module ccSpy modules Modules for different C&C channels communication types IRC already implemented HTTP module was implemented during this project HTTP module HTTP fundamentally different than IRC HTTP retains no state, client needs to be active Complete redesign of module layout necessary Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 18

  26. Automated Workflow IRC Botnet C&C Server A IRC module ccSpy Client 1 IRC module ccSpy Server IRC Botnet C&C Server B IRC module ccSpy Client 2 HTTP module HTTP Botnet C&C Server C Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 19

  27. Automated Workflow IRC Botnet C&C Server A IRC module ccSpy Client 1 IRC module ccSpy Server IRC Botnet C&C Server B IRC module ccSpy Client 2 HTTP module HTTP Botnet C&C Server C Generate ccSpy config Malware reports CWSandbox Generate ccSpy config from CWSandbox reports Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 20

  28. Automated Workflow Retrieve malware reports from CWSandbox Parse reports to locate HTTP traffic Generate ccSpy configuration and start ccSpy HTTP module Analyze results obtained from potential C&C servers Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 21

  29. Automated Workflow Retrieve malware reports from CWSandbox Parse reports to locate HTTP traffic Generate ccSpy configuration and start ccSpy HTTP module Analyze results obtained from potential C&C servers Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 21

  30. Automated Workflow Retrieve malware reports from CWSandbox Parse reports to locate HTTP traffic Generate ccSpy configuration and start ccSpy HTTP module Analyze results obtained from potential C&C servers Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 21

  31. Automated Workflow Retrieve malware reports from CWSandbox Parse reports to locate HTTP traffic Generate ccSpy configuration and start ccSpy HTTP module Analyze results obtained from potential C&C servers Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 21

  32. Preliminary Results Tests showed that very few reports contained HTTP traffic Most of the servers were already offline ( > 95 %) Consequences Not usable for finding active C&C servers Reason: Servers go offline Timeliness of data Oliver Gasser (TU M¨ unchen) Monitoring C&C Channels with ccSpy 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie Zhang, and Wenke Lee College of Computing Georgia Institute of Technology 2008-2-25 Guofei Gu NDSS08 BotSniffer: Detecting Botnet C&amp;C

379 views • 27 slides
Static Analysis of Control-Command Systems: Floating-Point and Integer Invariants Vivien

Static Analysis of Control-Command Systems: Floating-Point and Integer Invariants Vivien

Static Analysis of Control-Command Systems: Floating-Point and Integer Invariants Vivien Maisonneuve Thesis supervisors: Olivier Hermant Franois Irigoin Thesis defense Paris, February 6, 2015 Control-Command Systems A control-command

1.17k views • 83 slides
Command and Control Command and Control Warfare Demonstrator Warfare Demonstrator (C 2 WS) (C 2

Command and Control Command and Control Warfare Demonstrator Warfare Demonstrator (C 2 WS) (C 2

Command and Control Command and Control Warfare Demonstrator Warfare Demonstrator (C 2 WS) (C 2 WS) 2005-2007 2005-2007 Magdalena Hammervik Jenny Lindoff Martin Castor Lars Tydn Purpose of this presentation Purpose of this presentation

530 views • 24 slides
A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and Control Through Tinder (Almost) $whoami Nathaniel Beckstead Interests Blue team Homelab Network Security Find Me github.com/becksteadn

500 views • 22 slides
To TOP or NOT to TOP www.SAS.com To TOP or NOT to TOP Using the TOP command in Linux By Len van

To TOP or NOT to TOP www.SAS.com To TOP or NOT to TOP Using the TOP command in Linux By Len van

To TOP or NOT to TOP www.SAS.com To TOP or NOT to TOP Using the TOP command in Linux By Len van den Berg SAS Grid Platform Administrator Monitoring Processes in Linux By User By CPU By Size By Command By Memory By

444 views • 41 slides
Key Human System Integration Plan Elements for Command &amp; Control Acquisition Michael B.

Key Human System Integration Plan Elements for Command &amp; Control Acquisition Michael B.

2010 Command and Control Research and Technology Symposium Key Human System Integration Plan Elements for Command &amp; Control Acquisition Michael B. Cowen, Ph.D. SPAWAR Systems Center Pacific Code 53621 53560 Hull Street San Diego, CA 92152

492 views • 13 slides
The Environment in Network Centric Operations: A Framework for Command and Control Presented to

The Environment in Network Centric Operations: A Framework for Command and Control Presented to

The Environment in Network Centric Operations: A Framework for Command and Control Presented to the 12th International Command and Control Research and Technology Symposium Paper I-156 Dr. Michael R. Hieb Sean Mackay Michael Powers Martin

332 views • 19 slides
Chapter 6 Marks and Channels Vis/Visual Analytics, Chap 6 Marks/Channels 1 CGGM Lab., CS

Chapter 6 Marks and Channels Vis/Visual Analytics, Chap 6 Marks/Channels 1 CGGM Lab., CS

Chapter 6 Marks and Channels Vis/Visual Analytics, Chap 6 Marks/Channels 1 CGGM Lab., CS Dept., NCTU Jung Hong Chuang The Big Picture Marks Basic graphical elements in an image Channels Visual channels to control the

667 views • 43 slides
Response: WCC, SDC &amp; Partners Multi-Agency Command and Control - 4 Cs - Command, Control

Response: WCC, SDC &amp; Partners Multi-Agency Command and Control - 4 Cs - Command, Control

Emergency Planning in Stratford Scrutiny Committee Michael Enderby Head of Service, CSW Resilience 6 th September 2017 04/09/2017 Civil Contingencies Act 2004 THE 7 DUTIES A single framework for civil protection in the United Kingdom to

419 views • 4 slides
Swiftwater Review Swiftwater Review There are over 470 miles of flood control channels in

Swiftwater Review Swiftwater Review There are over 470 miles of flood control channels in

Swiftwater Review Swiftwater Review There are over 470 miles of flood control channels in Los Angeles County Flood channels vary in shape and composition vertical sides sloped banks natural river Swiftwater Review Water

738 views • 35 slides
C3CEN Industry Day 2018 CAPT Michael F. Nasitka Commanding Officer Command, Control, and

C3CEN Industry Day 2018 CAPT Michael F. Nasitka Commanding Officer Command, Control, and

Command, Control, and Communications Engineering Center (C3CEN) C3CEN Industry Day 2018 CAPT Michael F. Nasitka Commanding Officer Command, Control, and Communications Engineering Center Sustaining the PresentDeveloping the Future Command,

1.18k views • 49 slides
FGAN Content 1. The Development of a Formal Grammar 2. Designing a Command and Control Grammar

FGAN Content 1. The Development of a Formal Grammar 2. Designing a Command and Control Grammar

Applying A Formal Language of Command and Control for Interoperability Between Systems Presented to the AFCEA - GMU C4I Center Symposium on Critical Issues in C4I Dr. Michael Hieb Dr. Ulrich Schade George Mason University FGAN-FKIE US

562 views • 14 slides
New Control Schemes for Bilateral Teleoperation under Asymmetric Communication Channels:

New Control Schemes for Bilateral Teleoperation under Asymmetric Communication Channels:

New Control Schemes for Bilateral Teleoperation under Asymmetric Communication Channels New Control Schemes for Bilateral Teleoperation under Asymmetric Communication Channels: Stabilization and Performance under Variable Time Delays Bo Zhang

1.67k views • 117 slides
COMMAND AND CONTROL SYSTEMS zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA CRITICAL PATH

COMMAND AND CONTROL SYSTEMS zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA CRITICAL PATH

COMMAND AND CONTROL SYSTEMS zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA CRITICAL PATH APPROACH TO BY D. J. LAMB AND P. F. O'NEILL OPERATIONAL RESEARCH AND ANALYSIS NATIONAL DEFENCE HEADQUARTERS OTTAWA, CANADA OUTLINE OF PRESENTATION

680 views • 45 slides
Lafros MaCS: an experimental Scala monitoring and control API Rob Dickens Introduction The

Lafros MaCS: an experimental Scala monitoring and control API Rob Dickens Introduction The

Lafros MaCS: an experimental Scala monitoring and control API Rob Dickens Introduction The Lafros MaCS (Monitoring and Control System) API is designed to help facilitate the local or remote, interactive and programmatic, monitoring and control

249 views • 12 slides
Between Fluffy Bunnies and Command &amp; Control Agile Adop8on

Between Fluffy Bunnies and Command &amp; Control Agile Adop8on

Between Fluffy Bunnies and Command &amp; Control Agile Adop8on in Prac8ce 5493 Benjamin Mitchell Independent Consultant @benjaminm Mixed Messages &amp;

964 views • 48 slides
Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

627 views • 15 slides
CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers a. nappa , z. xu, m.z.

CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers a. nappa , z. xu, m.z.

CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers a. nappa , z. xu, m.z. rafique, j.caballero, g.gu imdea software institute success lab, texas a&amp;m univeristy Cybercriminals use geographically distributed servers to

652 views • 24 slides
C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS Dimitrios A. Glynos

C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS Dimitrios A. Glynos

C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS Dimitrios A. Glynos dimitris at census-labs.com Census, Inc. Athens IT Security Conference (AthCon 2010) C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G

315 views • 30 slides
Understanding Linux Malware Emanuele Cozzi 1 , Mariano Graziano 2 , Yanick Fratantonio 1 , Davide

Understanding Linux Malware Emanuele Cozzi 1 , Mariano Graziano 2 , Yanick Fratantonio 1 , Davide

Understanding Linux Malware Emanuele Cozzi 1 , Mariano Graziano 2 , Yanick Fratantonio 1 , Davide Balzarotti 1 1 EURECOM 2 Cisco Systems, Inc. IEEE Symposium on Security &amp; Privacy, May 2018 Malware and operating systems Malware and operating

690 views • 57 slides
Small is Beautiful: the design of Lua Roberto Ierusalimschy PUC-Rio Language design many

Small is Beautiful: the design of Lua Roberto Ierusalimschy PUC-Rio Language design many

Small is Beautiful: the design of Lua Roberto Ierusalimschy PUC-Rio Language design many tradeoffs similar to any other design process designers seldom talk about them what a language is not good for Typical tradeoffs

724 views • 49 slides
Generalized Pattern Matching Micro-Engine Yuanwei Fang*, Raihan Rasool , Dilip Vasudevan*,

Generalized Pattern Matching Micro-Engine Yuanwei Fang*, Raihan Rasool , Dilip Vasudevan*,

Generalized Pattern Matching Micro-Engine Yuanwei Fang*, Raihan Rasool , Dilip Vasudevan*, Andrew A. Chien* Argonne National Laboratory King Faisal University University of Chicago * Big Data Applications Deep Packet

275 views • 26 slides
Discourse BSc Artificial Intelligence, Spring 2011 Raquel Fernndez Institute for Logic,

Discourse BSc Artificial Intelligence, Spring 2011 Raquel Fernndez Institute for Logic,

Discourse BSc Artificial Intelligence, Spring 2011 Raquel Fernndez Institute for Logic, Language &amp; Computation University of Amsterdam Raquel Fernndez Discourse BSc AI 2011 1 / 21 Plan for Today Discussion of HW#2 and

812 views • 21 slides
Operational Practices Internet Security [1] VU Engin Kirda engin@infosys.tuwien.ac.at

Operational Practices Internet Security [1] VU Engin Kirda engin@infosys.tuwien.ac.at

Operational Practices Internet Security [1] VU Engin Kirda engin@infosys.tuwien.ac.at Christopher Kruegel chris@auto.tuwien.ac.at Admin Issues and News Reminder: Exam on the 28th, registration required You will only be allowed to take

599 views • 40 slides

More recommend