dynamic profiles for malware communication
play

Dynamic profiles for malware communication Joao Marques, Mick Cox - PowerPoint PPT Presentation

Oct 10, 2023 •222 likes •625 views

Dynamic profiles for malware communication Joao Marques, Mick Cox MSc System & Network Engineering University of Amsterdam Monday 6 February, 2017 Outline Introduction Part I - Intrusion Detection Part II: Botnets & Advanced

  1. Dynamic profiles for malware communication Joao Marques, Mick Cox MSc System & Network Engineering University of Amsterdam Monday 6 February, 2017

  2. Outline Introduction Part I - Intrusion Detection Part II: Botnets & Advanced Persistent Threats Part III: Research Outline Part IV: Intelligent Malware Part V: Possible Countermeasures Discussion, Conclusion & Future Work Joao Marques & Mick Cox Dynamic profiles for malware communication (Research Project) MSc System & Network Engineering, University of Amsterdam 2

  3. Introduction Joao Marques & Mick Cox Dynamic profiles for malware communication (Research Project) MSc System & Network Engineering, University of Amsterdam 2

  4. Some context Hosting organization Organization: • Company: Deloitte Amsterdam • Department: Cyber Risk Services • Unit: Red team Supervisor: • Cedric van Bockhaven (OS3 alumnus) Notable other: • Joey Dreijer (OS3 alumnus) Joao Marques & Mick Cox Dynamic profiles for malware communication (Research Project) MSc System & Network Engineering, University of Amsterdam 3

  5. Research Question The goal Is it possible to construct a dynamic network profile between a Command & Control server and the beacon, which is undetectable by state-of-the-art detection frameworks? Joao Marques & Mick Cox Dynamic profiles for malware communication (Research Project) MSc System & Network Engineering, University of Amsterdam 4

  6. Intrusion Detection A brief taxonomy Joao Marques & Mick Cox Dynamic profiles for malware communication (Research Project) MSc System & Network Engineering, University of Amsterdam 5

  7. Intrusion Detection Definition Intrusion Detection & Prevention Systems in short: • Collect data from the network or host • Validated by a detection engine • Reports if it suspects an intrusion • Acts (isolates, shuts down) if it supports prevention Figure 1: Simplified Snort 2 Architecture Joao Marques & Mick Cox Dynamic profiles for malware communication (Research Project) MSc System & Network Engineering, University of Amsterdam 6

  8. Intrusion Detection Network, DNS and Host-based Host Based IDS (HIDS) Network Based IDS (NIDS) • Data collection from host • Data collection from network systems (system metrics, usage) (packets) • Agent on the host to validation • Sensors in the network to engine validation engine • Few sensors can capture all • Every agent needs agent to traffic cover the network • Open source systems include • Open source systems include Snort, Suricata and Bro OSSEC, Tripwire Others proposed types include DNS based, Storage based, Wireless, Hybrid, and more. Joao Marques & Mick Cox Dynamic profiles for malware communication (Research Project) MSc System & Network Engineering, University of Amsterdam 7

  9. Intrusion Detection Methods Signature based IDS Anomaly based IDS • Based on predefined rules • Based on training set (normal (malicious usage) behavior) • Mostly pattern matching • Mostly machine learning • Generally unable to detect • Detects deviations from normal 0-days behavior (anomalies) • High true positive and false • High false positives and true negative negative Signature or anomaly based detection exists across the location (Host/Network) Joao Marques & Mick Cox Dynamic profiles for malware communication (Research Project) MSc System & Network Engineering, University of Amsterdam 8

  10. Intrusion Detection Validation engine Rule Header • Rule Actions (Alert, log, pass, activate, dynamic . . . ) • Protocols (TCP, UDP, ICMP, . . . ) • IP address / Port and direction • Activate and dynamic rules Rule Options • General (msg, classification, . . . ) • Payload (content, length, depth, distance , . . . ) • Non Payload (fragoffset, ttl, flags, . . . ) • Post-Detection (logto, react, replace, . . . ) Dynamic modules and preprocessors Joao Marques & Mick Cox Dynamic profiles for malware communication (Research Project) MSc System & Network Engineering, University of Amsterdam 9

  11. Intrusion Detection Example rule An example for matching content: alert tcp any any -> any 139 (content:"|5c 00|P|00|I|00|P|00|E|00 5c|";) Joao Marques & Mick Cox Dynamic profiles for malware communication (Research Project) MSc System & Network Engineering, University of Amsterdam 10

  12. Botnets & Advanced Persistent Threats A brief taxonomy Joao Marques & Mick Cox Dynamic profiles for malware communication (Research Project) MSc System & Network Engineering, University of Amsterdam 11

  13. Botnets & Advanced Persistent Threats Botnets in short: • A botnet is a network of infected computers, called bots • Bots communicate with a Command & Control server, mostly over: • Communication is common over HTTP(S), IRC or P2P systems • Communication system on the bot is called a beacon Advanced Persistent Threats in short: • Targeted attack by a determined attacker • Government or organizational funding • Often utilizing botnets Joao Marques & Mick Cox Dynamic profiles for malware communication (Research Project) MSc System & Network Engineering, University of Amsterdam 12

  14. Botnets Architecture Different architectures between C&C’s to bots exist: • Centralized: fast convergence, single point of failure • Decentralized: resilient but slow convergence • Hybrid: best of both Joao Marques & Mick Cox Dynamic profiles for malware communication (Research Project) MSc System & Network Engineering, University of Amsterdam 13

  15. Botnets The whole process In summarization: most attacks do follow the following process. 1. Malware is distributed, often over multiple channels 2. Host gets infected by exploiting a vulnerability and downloading the malware as a result - Downloads the main executable/script - Main script downloads necessary libraries 3. Reports to C&C 4. Communicates frequent keepalive to C&C 5. Execution of commands 6. Self replicates (optional) 7. Self destructs (optional) Joao Marques & Mick Cox Dynamic profiles for malware communication (Research Project) MSc System & Network Engineering, University of Amsterdam 14

  16. Botnets Detection techniques Figure 2: Botnet detection techniques Joao Marques & Mick Cox Dynamic profiles for malware communication (Research Project) MSc System & Network Engineering, University of Amsterdam 15

  17. Botnets Hiding mechanisms Some of the reported hiding mechanisms include: 1 • Multi-hopping (Usage of multiple proxies / gateways) • Network traffic encryption • Binary obfuscation • Code polymorphism • Fast flux networks (Quickly change DNS) • E-mail spoofing (for spam) 1 Survey and taxonomy of botnet res. thr. life-cycle, Rodr´ ıguez-G´ omez et al. (2013) Joao Marques & Mick Cox Dynamic profiles for malware communication (Research Project) MSc System & Network Engineering, University of Amsterdam 16

  18. Research Outline Initial plan & the pivot Joao Marques & Mick Cox Dynamic profiles for malware communication (Research Project) MSc System & Network Engineering, University of Amsterdam 17

  19. Initial plan Start with exploiting signature based detection. 1. In dept research of signatures & signature based IDS 2. Find a weakness in the Snort 3 engine 3. Does it hold up against anomaly based techniques Joao Marques & Mick Cox Dynamic profiles for malware communication (Research Project) MSc System & Network Engineering, University of Amsterdam 18

  20. Setup & Experiment VMware EXSi server at reims.studlab.os3.nl contains a virtual test environment as seen in the figure bellow: Figure 3: Test environment Joao Marques & Mick Cox Dynamic profiles for malware communication (Research Project) MSc System & Network Engineering, University of Amsterdam 19

  21. Some considerations Leading to the pivot • Signature are by definition deterministic • No existing signatures for new malwares, evasion by default • Due to modular design, shortcomings can be patched • Anomalies are by definition not normal • Normal behavior is defined by a representative data training set. • Training set context dependent & difficult to collect • If normal exists = ⇒ not normal exists, for every area. • Mostly theoretical frameworks described in literature • Mostly machine learning . . . Joao Marques & Mick Cox Dynamic profiles for malware communication (Research Project) MSc System & Network Engineering, University of Amsterdam 20

  22. Intelligent Malware A proposed framework Joao Marques & Mick Cox Dynamic profiles for malware communication (Research Project) MSc System & Network Engineering, University of Amsterdam 21

  23. Intelligent Malware The concept Malware that can make an educated guess prior to starting communication with the C&C, to avoid using anomalous methods of communication that could end up in the detection of the infection. Joao Marques & Mick Cox Dynamic profiles for malware communication (Research Project) MSc System & Network Engineering, University of Amsterdam 22

  24. Intelligent Malware The objective The objective of this degree of ”intelligence” is to: • Hide in plain sight • Frustrate signature making • Frustrate anomaly detection Joao Marques & Mick Cox Dynamic profiles for malware communication (Research Project) MSc System & Network Engineering, University of Amsterdam 23

Recommend

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web Alexei Bulazel & Blent Yener River Loop Security Rensselaer Polytechnic Institute (RPI) Introduction Automated dynamic malware analysis is

684 views • 33 slides
GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie

GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie

Introduction Malware analysis Visualization Conclusion GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie Viet Triem Tong GraMSec 2020 CIDRE team June 22th 2020 Introduction Malware analysis

530 views • 28 slides
Tien Phan Malware Manipulation 2019-08-26 2 Pokemon Fusion Con - Fusion Malicious Malware

Tien Phan Malware Manipulation 2019-08-26 2 Pokemon Fusion Con - Fusion Malicious Malware

Tien Phan Malware Manipulation 2019-08-26 2 Pokemon Fusion Con - Fusion Malicious Malware + = Softicious X Software Tien Phan Malware Manipulation 2019-08-26 3 Reverse Engineering More time consuming Dynamic Analysis

555 views • 22 slides
NEEDLES IN A HAYSTACK: MINING INFORMATION FROM PUBLIC DYNAMIC SANDBOXES FOR MALWARE INTELLIGENCE

NEEDLES IN A HAYSTACK: MINING INFORMATION FROM PUBLIC DYNAMIC SANDBOXES FOR MALWARE INTELLIGENCE

NEEDLES IN A HAYSTACK: MINING INFORMATION FROM PUBLIC DYNAMIC SANDBOXES FOR MALWARE INTELLIGENCE Mariano Graziano, Davide Canali, Leyla Bilge, Andrea Lanzi and Davide Balzarotti Eurecom Symantec Research Labs Universit degli Studi di

695 views • 34 slides
Communication Principles and Practices for Dynamic NPCs Autumn Boyer, PhD Communication

Communication Principles and Practices for Dynamic NPCs Autumn Boyer, PhD Communication

NAVREF Annual Conference 2019 Hilton Palacio del Rio Hotel, San Antonio, TX 10:30-11:45am, September 17, 2019 Communication Principles and Practices for Dynamic NPCs Autumn Boyer, PhD Communication Consultant Institute for Medical Research,

219 views • 7 slides
Dynamic Binary Instrumentation-based Framework for Malware Defense Najwa Aaraj , Anand

Dynamic Binary Instrumentation-based Framework for Malware Defense Najwa Aaraj , Anand

Dynamic Binary Instrumentation-based Framework for Malware Defense Najwa Aaraj , Anand Raghunathan , and Niraj K. Jha Department of Electrical Engineering, Princeton University, Princeton, NJ 08544, USA NEC Labs America,

410 views • 25 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

570 views • 22 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
Improving Malware Classification: Bridging the Static/Dynamic Gap Authors: Blake Anderson, Curtis

Improving Malware Classification: Bridging the Static/Dynamic Gap Authors: Blake Anderson, Curtis

Improving Malware Classification: Bridging the Static/Dynamic Gap Authors: Blake Anderson, Curtis Storlie, Terran Lane Vinit Singh 18 th April 2017 CISC850 Cyber Analytics CISC850 Cyber Analytics INTRODUCTION Why is there a need for

192 views • 16 slides
Communication Principles and Practices for Dynamic NPCs NAVREF Annual Conference 2019 Autumn R.

Communication Principles and Practices for Dynamic NPCs NAVREF Annual Conference 2019 Autumn R.

Communication Principles and Practices for Dynamic NPCs NAVREF Annual Conference 2019 Autumn R. Boyer, Ph.D. autumnboyer7@gmail.com Goals For This Session u Models of communication u Outline the elements of a communication plan u Attention to

725 views • 60 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
Hiding in Plain Sight Advances in Malware Covert Communication Channels Pierre-Marc Bureau

Hiding in Plain Sight Advances in Malware Covert Communication Channels Pierre-Marc Bureau

Hiding in Plain Sight Advances in Malware Covert Communication Channels Pierre-Marc Bureau Christian Dietrich Outline 1. Covert Channels 2. Steganography a. Lurk b. Gozi c. Stegoloader 3. Inconspicuous Carrier Protocols a.

674 views • 49 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
SK Telecom 1 U U U U U U U- U - - communication - - - - - communication

SK Telecom 1 U U U U U U U- U - - communication - - - - - communication

U U U U U U U- U - - communication - - - - - communication communication communication communication communication communication communication Korea Mobile Market Trend for Convergence & Ubiquitous Communication 2004.

400 views • 16 slides
Project 2: Dynamic DNS EE122: Introduction to Communication Networks (Fall 2008) University of

Project 2: Dynamic DNS EE122: Introduction to Communication Networks (Fall 2008) University of

Project 2: Dynamic DNS EE122: Introduction to Communication Networks (Fall 2008) University of California, Berkeley Ion Stoica Ganesh Ananthanarayanan, Brighten Godfrey, Lucian Popa, David Zats project 2 part A Dynamic DNS server and

83 views • 5 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides
Detecting the behavioral relationships of malware connections (slides) Conference Paper August

Detecting the behavioral relationships of malware connections (slides) Conference Paper August

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/307638742 Detecting the behavioral relationships of malware connections (slides) Conference Paper August 2016 CITATIONS READS 0

380 views • 17 slides
Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

DeepSec IDSC Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware Adventures Agenda INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 2 1 2 3 4 Android Malware

1.01k views • 64 slides
Assemblages: Modules with Interfaces for Dynamic Linking and Communication Yu David Liu and

Assemblages: Modules with Interfaces for Dynamic Linking and Communication Yu David Liu and

Assemblages: Modules with Interfaces for Dynamic Linking and Communication Yu David Liu and Scott F. Smith The Johns Hopkins University Assemblages:Modules with InterfacesforDynamic Linking and Communication p.1 The Main Design Principle

652 views • 40 slides

More recommend