faster c c detection strategies for finding
play

faster c&c detection - strategies for finding algorithmically - PowerPoint PPT Presentation

Oct 24, 2022 •371 likes •1.38k views

. Malgorzata Debska September 22, 2015 CERT Polska faster c&c detection - strategies for finding algorithmically generated domain names Introduction - what is DGA? Malicious usage in botnets Benign DGA - false alarms in detection

  1. . Malgorzata Debska September 22, 2015 CERT Polska faster c&c detection - strategies for finding algorithmically generated domain names

  2. Introduction - what is DGA? Malicious usage in botnets Benign DGA - false alarms in detection systems Current detection techniques - classification Challenges and conclusion list of topics

  3. . introduction - what is dga?

  4. 4 algorithmically generated domain names

  5. • randomness of characters • characters set • distribution of frequency of character usage • length of generated domains • level of domain generation • utilized set of top level domains 5 diffrencies in generated domains:

  6. • randomness of characters • characters set • distribution of frequency of character usage • length of generated domains • level of domain generation • utilized set of top level domains 5 diffrencies in generated domains:

  7. • randomness of characters • characters set • distribution of frequency of character usage • length of generated domains • level of domain generation • utilized set of top level domains 5 diffrencies in generated domains:

  8. • randomness of characters • characters set • distribution of frequency of character usage • length of generated domains • level of domain generation • utilized set of top level domains 5 diffrencies in generated domains:

  9. • randomness of characters • characters set • distribution of frequency of character usage • length of generated domains • level of domain generation • utilized set of top level domains 5 diffrencies in generated domains:

  10. • randomness of characters • characters set • distribution of frequency of character usage • length of generated domains • level of domain generation • utilized set of top level domains 5 diffrencies in generated domains:

  11. dyre gameover-zeus banjori a3f6e2d182a40304a8874e994a294ec314.cc bnmtsemitismgavenuteq.com antisemitismgavenuteq.com hlrfrsensinaix.com xjsrrsensinaix.com 5bpzt0njqbkqlbwupc8vi3yt.org 1fhvdfa1hr7na1gu9vmv6r710j.biz 1yz3uuo1yg5zmf1u7goe81sy0xy9.net 1g22l018lpt4alpeypioqq24k.com cc466dc54278d8e0fe14bdd2038b927e6f.to b5191b0ad53da1f1fa66653610e7601856.ws 6 galin.eu puzej.eu qekol.eu lykef.eu safkylboxhb.com ctskthnhq.com mhrmhuxlcvkxay.com pttthldqrdt.net qeh2p2u9pd3i1.com fg4zstnd3ftwh.net jmqvlmmbred2e.com examples tinba-dga dircrypt simda

  12. 6 qekol.eu 1yz3uuo1yg5zmf1u7goe81sy0xy9.net 1g22l018lpt4alpeypioqq24k.com xjsrrsensinaix.com cc466dc54278d8e0fe14bdd2038b927e6f.to b5191b0ad53da1f1fa66653610e7601856.ws a3f6e2d182a40304a8874e994a294ec314.cc hlrfrsensinaix.com galin.eu puzej.eu lykef.eu 5bpzt0njqbkqlbwupc8vi3yt.org antisemitismgavenuteq.com safkylboxhb.com ctskthnhq.com mhrmhuxlcvkxay.com bnmtsemitismgavenuteq.com pttthldqrdt.net qeh2p2u9pd3i1.com fg4zstnd3ftwh.net jmqvlmmbred2e.com 1fhvdfa1hr7na1gu9vmv6r710j.biz examples tinba-dga dyre gameover-zeus dircrypt simda banjori

  13. . malicious usage in botnets

  14. Every second infected host try to connect with hundreds or thousands alghoritmically generated domain name • most of domains return NX response • attacker needs to have a couple of registered domains 8 c&c server’s name example

  15. Every second infected host try to connect with hundreds or thousands alghoritmically generated domain name • most of domains return NX response • attacker needs to have a couple of registered domains 8 c&c server’s name example

  16. • DNS communication • algorithm that generates domain names • shared seed between botmaster and clients • victims search C&C server by DNS query 9 dga botnet communication

  17. • DNS communication • algorithm that generates domain names • shared seed between botmaster and clients • victims search C&C server by DNS query 9 dga botnet communication

  18. • DNS communication • algorithm that generates domain names • shared seed between botmaster and clients • victims search C&C server by DNS query 9 dga botnet communication

  19. • DNS communication • algorithm that generates domain names • shared seed between botmaster and clients • victims search C&C server by DNS query 9 dga botnet communication

  20. 10 generator’s seed Is it easy to predict and sinkhole DGA domains ahead?

  21. Figure 1: Ramnit All domains generated alghoritmically are dependent on specified seed • date (CryptoLocker, Conficker, GameOverZeus) • currently trending Twitter hashtag (Torpig) • seed hardcoded in infected file (Tinba) • ... Seeds are globally consistent - victims use the same one at the same time 11 generator’s seed

  22. Figure 1: Ramnit All domains generated alghoritmically are dependent on specified seed • date (CryptoLocker, Conficker, GameOverZeus) • currently trending Twitter hashtag (Torpig) • seed hardcoded in infected file (Tinba) • ... Seeds are globally consistent - victims use the same one at the same time 11 generator’s seed

  23. Figure 1: Ramnit All domains generated alghoritmically are dependent on specified seed • date (CryptoLocker, Conficker, GameOverZeus) • currently trending Twitter hashtag (Torpig) • seed hardcoded in infected file (Tinba) • ... Seeds are globally consistent - victims use the same one at the same time 11 generator’s seed

  24. Figure 1: Ramnit All domains generated alghoritmically are dependent on specified seed • date (CryptoLocker, Conficker, GameOverZeus) • currently trending Twitter hashtag (Torpig) • seed hardcoded in infected file (Tinba) • ... Seeds are globally consistent - victims use the same one at the same time 11 generator’s seed

  25. Figure 1: Ramnit All domains generated alghoritmically are dependent on specified seed • date (CryptoLocker, Conficker, GameOverZeus) • currently trending Twitter hashtag (Torpig) • seed hardcoded in infected file (Tinba) • ... Seeds are globally consistent - victims use the same one at the same time 11 generator’s seed

  26. Figure 1: Ramnit All domains generated alghoritmically are dependent on specified seed • date (CryptoLocker, Conficker, GameOverZeus) • currently trending Twitter hashtag (Torpig) • seed hardcoded in infected file (Tinba) • ... Seeds are globally consistent - victims use the same one at the same time 11 generator’s seed

  27. All domains generated alghoritmically are dependent on specified seed • date (CryptoLocker, Conficker, GameOverZeus) • currently trending Twitter hashtag (Torpig) • seed hardcoded in infected file (Tinba) • ... Seeds are globally consistent - victims use the same one at the same time 11 generator’s seed Figure 1: Ramnit

  28. All domains generated alghoritmically are dependent on specified seed • date (CryptoLocker, Conficker, GameOverZeus) • currently trending Twitter hashtag (Torpig) • seed hardcoded in infected file (Tinba) • ... Seeds are globally consistent - victims use the same one at the same time 11 generator’s seed Figure 1: Ramnit

  29. 12 • Cryptolocker AND MORE ... • Ramdo • Necrus • Flashback • Gozi • DirCrypt • Qakbot • BankPatch • Gozi • Emotet • Rovnix • Pykspa • Dyre • Shiotob • Necurs • Murofet • Bobax • Conficker • Ramnit • Pykpsa • Emotet • Pushdo • Matsu • Banjori • GameoverZeus is it a serious problem? what malware use dga?

  30. • domain name contains random alphanumeric characters and words from dictionary • names are builds from english syllables 13 different techinques but still dga

  31. • domain name contains random alphanumeric characters and words from dictionary • names are builds from english syllables 13 different techinques but still dga

  32. . benign dga - false alarms in detection systems

  33. 0.0.0.0.1.0.0.4e.135jg5e1pd7s4735ftrqweufm5.avqs.mcafee.com 0.0.0.0.1.0.0.4e.13cfus2drmdq3j8cafidezr8l6.avqs.mcafee.com 0.0.0.0.1.0.0.4e.13kqas3qjj46ttkdhastkrdsv6.avqs.mcafee.com 0.0.0.0.1.0.0.4e.13pq3hfpunqn1d51pmvbdkk5s6.avqs.mcafee.com 0.0.0.0.1.0.0.4e.13qh71bf782qb54uzz9uhdz4mq.avqs.mcafee.com This higher level domain contains basic information about the file, its hash, version of the McAfee system and information about the execution environment 1 DNS Noise: Measuring the Pervasiveness of Disposable Domains in Modern DNS Traffic, Yizheng Chen et al. 15 requests of av tools Example 1

  34. 0.0.0.0.1.0.0.4e.135jg5e1pd7s4735ftrqweufm5.avqs.mcafee.com 0.0.0.0.1.0.0.4e.13cfus2drmdq3j8cafidezr8l6.avqs.mcafee.com 0.0.0.0.1.0.0.4e.13kqas3qjj46ttkdhastkrdsv6.avqs.mcafee.com 0.0.0.0.1.0.0.4e.13pq3hfpunqn1d51pmvbdkk5s6.avqs.mcafee.com 0.0.0.0.1.0.0.4e.13qh71bf782qb54uzz9uhdz4mq.avqs.mcafee.com This higher level domain contains basic information about the file, its hash, version of the McAfee system and information about the execution environment 1 DNS Noise: Measuring the Pervasiveness of Disposable Domains in Modern DNS Traffic, Yizheng Chen et al. 15 requests of av tools Example 1

  35. • Now, IDNs are also used for malicious purposes • IDNs always begin with ’xn–’ prefix 16 internationalized domain name

  36. • Now, IDNs are also used for malicious purposes • IDNs always begin with ’xn–’ prefix 16 internationalized domain name

Recommend

Gene Finding Strategies to find gene structures on the web Swiss Institute of Bioinformatics

Gene Finding Strategies to find gene structures on the web Swiss Institute of Bioinformatics

Gene Finding Strategies to find gene structures on the web Swiss Institute of Bioinformatics (SIB) 26-30 November 2001 Course 2001 Gene finding Introduction Gene finding is about detecting coding regions and infer gene structure Gene finding

647 views • 36 slides
Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences J.

Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences J.

Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences J. Bi, J-S. Coron, J-C. Faug` ere, P . Nguyen, G. Renault, R. Zeitoun Public Key Cryptography 2014 26-28 March, 2014 - Buenos Aires, Argentina

613 views • 36 slides
A Faster Algorithm for Finding Minimum Tucker Submatrices Guillaume Blin Romeo Rizzi St

A Faster Algorithm for Finding Minimum Tucker Submatrices Guillaume Blin Romeo Rizzi St

A Faster Algorithm for Finding Minimum Tucker Submatrices Guillaume Blin Romeo Rizzi St ephane Vialette LIGM Universit e Paris-Est Marne-la-Vall ee, France DIMI Universit degli Studi di Udine, Italy. June 2010 Consecutive ones

471 views • 26 slides
Faster Region-based Hotspot Detection Ran Chen 1 , Wei Zhong 2 , Haoyu Yang 1 , Hao Geng 1 , Xuan

Faster Region-based Hotspot Detection Ran Chen 1 , Wei Zhong 2 , Haoyu Yang 1 , Hao Geng 1 , Xuan

Faster Region-based Hotspot Detection Ran Chen 1 , Wei Zhong 2 , Haoyu Yang 1 , Hao Geng 1 , Xuan Zeng 3 , Bei Yu 1 1 The Chinese University of Hong Kong 2 Dalian University of Technology 3 Fudan University 1 / 16 Lithography Hotspot Detection

641 views • 16 slides
Class 4: Finding facts faster Class Outline 4.1 Search-by-image 4.2 Search features 4.3

Class 4: Finding facts faster Class Outline 4.1 Search-by-image 4.2 Search features 4.3

Class 4: Finding facts faster Class Outline 4.1 Search-by-image 4.2 Search features 4.3 Conversions and calculator 4.4 Left-hand panel and date range limiting 4.5 Foreign pages and "translate" * Lesson 4.1 : Search-by-image

408 views • 5 slides
Unsupervised scene adaptation for faster multi-scale pedestrian detection Speaker Federico

Unsupervised scene adaptation for faster multi-scale pedestrian detection Speaker Federico

Unsupervised scene adaptation for faster multi-scale pedestrian detection Speaker Federico Bartoli 1 Giuseppe Lisanti 1 , Svebor Karaman 1 , Andrew D. Bagdanov 2 and Alberto Del Bimbo 1 1 MICC (Media Integration and Communication Center) -

311 views • 19 slides
Yet a Faster Motion Estimation Algorithm with Directional Search Strategies Speaker: Prof. W.C.

Yet a Faster Motion Estimation Algorithm with Directional Search Strategies Speaker: Prof. W.C.

15 th International Conference on Digital Signal Processing (DSP2007), July 2007, Cardiff, UK. Yet a Faster Motion Estimation Algorithm with Directional Search Strategies Speaker: Prof. W.C. Siu Ying Zhang+*, Wan-Chi Siu* and Tingzhi Shen+*

348 views • 12 slides
CS7015 (Deep Learning) : Lecture 12 Object Detection: R-CNN, Fast R-CNN, Faster R-CNN, You Only

CS7015 (Deep Learning) : Lecture 12 Object Detection: R-CNN, Fast R-CNN, Faster R-CNN, You Only

CS7015 (Deep Learning) : Lecture 12 Object Detection: R-CNN, Fast R-CNN, Faster R-CNN, You Only Look Once (YOLO) Mitesh M. Khapra Department of Computer Science and Engineering Indian Institute of Technology Madras 1/47 Mitesh M. Khapra

1.17k views • 47 slides
Detection and Estimation Theory Lecture 7 Mojtaba Soltanalian- UIC msol@uic.edu

Detection and Estimation Theory Lecture 7 Mojtaba Soltanalian- UIC msol@uic.edu

Detection and Estimation Theory Lecture 7 Mojtaba Soltanalian- UIC msol@uic.edu http://msol.people.uic.edu Based on ECE 531 Slides- 2011 (Prof. Natasha Devroye) Finding MVUE- what we discussed Finding MVUE- what we discussed Finding MVUE-

763 views • 17 slides
Detection and Estimation Theory Lecture 8 Mojtaba Soltanalian- UIC msol@uic.edu

Detection and Estimation Theory Lecture 8 Mojtaba Soltanalian- UIC msol@uic.edu

Detection and Estimation Theory Lecture 8 Mojtaba Soltanalian- UIC msol@uic.edu http://msol.people.uic.edu Based on ECE 531 Slides- 2011 (Prof. Natasha Devroye) Finding MVUE- what we discussed Finding MVUE- what we discussed Finding MVUE-

380 views • 19 slides
CS6501: Deep Learning for Visual Recognition Object Detection: RCNN, Fast-RCNN, Faster-RCNN

CS6501: Deep Learning for Visual Recognition Object Detection: RCNN, Fast-RCNN, Faster-RCNN

CS6501: Deep Learning for Visual Recognition Object Detection: RCNN, Fast-RCNN, Faster-RCNN Todays Class Object Detection The RCNN Object Detector (2014) The Fast RCNN Object Detector (2015) The Faster RCNN Object Detector

747 views • 29 slides
Strategies for the Detection of Dark Matter What do we know? What have we achieved so far?

Strategies for the Detection of Dark Matter What do we know? What have we achieved so far?

Bernard Sadoulet Dept. of Physics /LBNL UC Berkeley UC Institute for Nuclear and Particle Astrophysics and Cosmology (INPAC) Strategies for the Detection of Dark Matter What do we know? What have we achieved so far? Entering interesting

341 views • 22 slides
Early Detection of Aquatic Invasive Species finding the needle in the haystack Jim Grazio,

Early Detection of Aquatic Invasive Species finding the needle in the haystack Jim Grazio,

Early Detection of Aquatic Invasive Species finding the needle in the haystack Jim Grazio, Ph.D. PA DEP- Office of the Great Lakes 19 March 2019 Presentation Outline Share current AIS monitoring research Discuss regional AIS

623 views • 24 slides
Finding Optimal Mixed Finding Optimal Mixed Strategies to Commit to in g Security Games

Finding Optimal Mixed Finding Optimal Mixed Strategies to Commit to in g Security Games

Finding Optimal Mixed Finding Optimal Mixed Strategies to Commit to in g Security Games Vincent Conitzer Departments of Computer Science and Economics Departments of Computer Science and Economics Duke University Co-authors on various

1.24k views • 74 slides
Finding Camoufmaged Needle in a Haystack? Pornographic Products Detection via Berrypicking Tree

Finding Camoufmaged Needle in a Haystack? Pornographic Products Detection via Berrypicking Tree

. Zhuoren Jiang 3 . . . . . . . Finding Camoufmaged Needle in a Haystack? Pornographic Products Detection via Berrypicking Tree Model Guoxiu He 1,2 Yangyang Kang 2 Zhe Gao 2 Changlong Sun 2 . Xiaozhong Liu *4,2 Wei Lu *1 Qiong Zhang 2 Luo

489 views • 19 slides
How To Ramp Your Reps In Q4 & Start 2020 Off Right 5 killer strategies to onboard reps faster

How To Ramp Your Reps In Q4 & Start 2020 Off Right 5 killer strategies to onboard reps faster

How To Ramp Your Reps In Q4 & Start 2020 Off Right 5 killer strategies to onboard reps faster and crush your sales targets. You should be hearing my melodious voice - if not, let us know in the chat. Drop your questions in the chat

652 views • 32 slides
Finding Their Strengths: Strategies for Helping Individuals with Criminal Convictions Find and

Finding Their Strengths: Strategies for Helping Individuals with Criminal Convictions Find and

Finding Their Strengths: Strategies for Helping Individuals with Criminal Convictions Find and Sustain Employment Fort Worth Reentry in a Nutshell Over 740,905 inmates in prisons in Texas Over 7,000 prisoners reenter Tarrant County each year

315 views • 12 slides
Scholarships: Tips and Strategies for Finding and Being Competitive for Winning Them Tania

Scholarships: Tips and Strategies for Finding and Being Competitive for Winning Them Tania

Scholarships: Tips and Strategies for Finding and Being Competitive for Winning Them Tania Rachkoskie NACAC Real Deal or No Deal Are you the next American idol? Write and submit an original song with lyrics and music. Win a contest as

786 views • 42 slides
Gnocchi and Collectd for Title faster fault detection and maintenance Julien Danjou, Red Hat

Gnocchi and Collectd for Title faster fault detection and maintenance Julien Danjou, Red Hat

Gnocchi and Collectd for Title faster fault detection and maintenance Julien Danjou, Red Hat Emma Foley, Intel Whats this all about? What is Gnocchi? What is collectd? How do they work together? What can I do with this?

549 views • 16 slides
High-Performance Outlier Detection Algorithm for Finding Blob-Filaments in Plasma Lingfei Wu 1 ,

High-Performance Outlier Detection Algorithm for Finding Blob-Filaments in Plasma Lingfei Wu 1 ,

High-Performance Outlier Detection Algorithm for Finding Blob-Filaments in Plasma Lingfei Wu 1 , Kesheng Wu 2 , Alex Sim 2 , Michael Churchill 3 , Jong Y. Choi 4 , Andreas Stathopoulos 1 , CS Chang 3 , and Scott Klasky 4 1 College of William and

1.14k views • 20 slides
Finding the Signal: Strategies for achieving participant-centric trials in the face of

Finding the Signal: Strategies for achieving participant-centric trials in the face of

Finding the Signal: Strategies for achieving participant-centric trials in the face of participant-introduced validity challenges Chairs: Tim Mariano, MD, PhD, MSc Medical Director, Sage Therapeutics; Instructor, Dept. of Psychiatry,

733 views • 11 slides
Outside the Closed World: On Finding Intrusions with Anomaly Detection Robin Sommer

Outside the Closed World: On Finding Intrusions with Anomaly Detection Robin Sommer

Outside the Closed World: On Finding Intrusions with Anomaly Detection Robin Sommer International Computer Science Institute, & Lawrence Berkeley National Laboratory robin@icsi.berkeley.edu http://www.icir.org Advanced Topics in Computer

1.35k views • 99 slides
Strategies for the detection of adverse drug reactions comparison of a hospital

Strategies for the detection of adverse drug reactions comparison of a hospital

Strategies for the detection of adverse drug reactions comparison of a hospital clinical-adminstrative database and spontaneous reporting Joana Marques, Teresa Herdeiro, Ana Silva, Fernando Lopes, Alberto Freitas Northern Pharmacovigilance

330 views • 16 slides
Training R-CNNs of various velocities Slow, fast, and faster

Training R-CNNs of various velocities Slow, fast, and faster

Training R-CNNs of various velocities Slow, fast, and faster Ross Girshick Facebook AI Research (FAIR) Tools for Efficient Object Detection, ICCV 2015 Tutorial Section

641 views • 51 slides

More recommend