Monitoring Command-and-Control Channels with ccSpy (Final Presentation)


  1. Monitoring Command-and-Control Channels with ccSpy
     Final Presentation
     Oliver Gasser
     Interdisciplinary Project
     Advisor: Lothar Braun
     Chair for Network Architectures and Services, Faculty of Computer Science, Technische Universität München
     March 22, 2013
     Oliver Gasser (TU München) Monitoring C&C Channels with ccSpy 1

  2. Outline
     1 Motivation
     2 Previous Work
     3 Goals
     4 Design and Implementation
     5 Evaluation
     6 Summary

  4. Motivation
     Acquire knowledge about botnets in the wild: observe, learn
     - Short-term: take a closer look at active Command-and-Control channels (clients and C&C servers)
     - Long-term: identify botnet traffic, develop strategies


  8. Previous Work
     - Malware analysis
     - Active botnet monitoring
     - Passive botnet detection

  11. Malware Analysis
     [Diagram: CWSandbox executes bot.exe inside a virtual machine and records its behaviour; labels: file1.txt, file2.txt, www.evilsite.com/spam.exe, www.google.com/]

  12. CWSandbox report

     <analysis file="c:\bot.exe" ...>
       ...
       <connection transportprotocol="TCP" remoteaddr="173.194.69.113" remoteport="80" protocol="HTTP" ...>
         <http_data>
           <http_cmd method="GET" url="www.google.com/" httpversion="HTTP/1.1">
             <header_data>
               <header>Host: www.google.com</header>
               ...
             </header_data>
           </http_cmd>
         </http_data>
       </connection>
       ...
     </analysis>

  13. ccSpy
     [Diagram: ccSpy Server in the middle; ccSpy Client 1 monitors Botnet C&C Server A, ccSpy Client 2 monitors Botnet C&C Server B]
     - Developed by Philipp Lowack, TUM
     - Distributed botnet monitoring tool

  14. ccSpy Server
     - Assigns botnet servers to ccSpy clients
     - Stores monitoring results
     - Communication with clients protected by TLS

  15. ccSpy Client
     - Receives botnet configurations from ccSpy server
     - Monitors the botnet's command and control channel
     - Sends results back to ccSpy server


  17. Goals
     Automated workflow for botnet monitoring
     - Download malware reports from CWSandbox
     - Parse reports and create config for ccSpy
     - Monitor C&C channels using ccSpy
     Evaluation of malware reports
     - Currently active C&C servers
     - Usability for Intrusion Detection Systems
     Focus: HTTP botnets


  21. Monitoring HTTP Botnets
     [Diagram: ccSpy Server; ccSpy Client 1 with IRC module monitoring IRC Botnet C&C Server A; ccSpy Client 2 with IRC module monitoring IRC Botnet C&C Server B; a new HTTP module monitoring HTTP Botnet C&C Server C]
     - Modules for monitoring different C&C channels
     - New: develop a module to monitor HTTP C&C channels

  24. ccSpy HTTP module
     ccSpy modules
     - Modules for different C&C channel communication types
     - IRC already implemented
     - HTTP module was implemented during this project
     HTTP module
     - HTTP is fundamentally different from IRC
     - HTTP retains no state: the server pushes nothing on its own, so the monitoring client has to actively issue requests
     - Complete redesign of the module layout was necessary

  26. Automated Workflow
     [Diagram: CWSandbox malware reports -> generate ccSpy config -> ccSpy Server -> ccSpy Clients with IRC and HTTP modules -> Botnet C&C Servers A, B (IRC) and C (HTTP)]
     - Generate ccSpy config from CWSandbox reports

  28. Automated Workflow
     - Retrieve malware reports from CWSandbox
     - Parse reports to locate HTTP traffic
     - Generate ccSpy configuration and start ccSpy HTTP module
     - Analyze results obtained from potential C&C servers
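The parse and config-generation steps of the workflow above, as an added example that is not ccSpy or project code. The report layout follows the fragment on the "CWSandbox report" slide; the underscore element names (http_data, http_cmd, header_data), the benign-host allowlist, the output config layout and the sample report (documentation addresses, made-up headers) are assumptions, since ccSpy's real config format is not shown on the slides.

```python
"""Turn CWSandbox analysis reports into targets for an HTTP C&C monitor."""
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample report.  The first connection mirrors the slide (the sample
# fetched www.google.com, most likely a connectivity check); the second uses an
# RFC 5737 documentation address standing in for a C&C gate; the third is a
# non-HTTP connection the HTTP module must ignore.
SAMPLE_REPORT = """<?xml version="1.0"?>
<analysis file="c:\\bot.exe">
  <connection transportprotocol="TCP" remoteaddr="173.194.69.113" remoteport="80" protocol="HTTP">
    <http_data>
      <http_cmd method="GET" url="www.google.com/" httpversion="HTTP/1.1">
        <header_data>
          <header>Host: www.google.com</header>
          <header>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)</header>
        </header_data>
      </http_cmd>
    </http_data>
  </connection>
  <connection transportprotocol="TCP" remoteaddr="192.0.2.10" remoteport="8080" protocol="HTTP">
    <http_data>
      <http_cmd method="POST" url="192.0.2.10:8080/gate.php" httpversion="HTTP/1.0">
        <header_data>
          <header>Host: 192.0.2.10:8080</header>
          <header>Content-Type: application/x-www-form-urlencoded</header>
        </header_data>
      </http_cmd>
    </http_data>
  </connection>
  <connection transportprotocol="TCP" remoteaddr="198.51.100.5" remoteport="6667" protocol="IRC"/>
</analysis>
"""

# Hosts a sandboxed sample commonly contacts that are not C&C (assumption;
# build this list from your own sandbox baseline).
BENIGN_HOSTS = {"www.google.com", "www.microsoft.com"}


@dataclass
class HttpTarget:
    sample: str
    remoteaddr: str
    remoteport: int
    method: str
    url: str          # host[:port]/path exactly as CWSandbox records it
    headers: dict


def parse_report(xml_text: str) -> list:
    """Return one HttpTarget per HTTP request found in the report."""
    root = ET.fromstring(xml_text)
    sample = root.get("file", "")
    targets = []
    for conn in root.iter("connection"):
        if conn.get("protocol") != "HTTP":
            continue  # IRC and raw TCP connections belong to other modules
        for cmd in conn.iter("http_cmd"):
            headers = {}
            for hdr in cmd.iter("header"):
                name, _, value = (hdr.text or "").partition(":")
                if name.strip():
                    headers[name.strip()] = value.strip()
            targets.append(HttpTarget(
                sample=sample,
                remoteaddr=conn.get("remoteaddr"),
                remoteport=int(conn.get("remoteport")),
                method=cmd.get("method"),
                url=cmd.get("url"),
                headers=headers,
            ))
    return targets


def host_of(target: HttpTarget) -> str:
    """Host name without port, preferring the Host header over the URL."""
    host = next((v for k, v in target.headers.items() if k.lower() == "host"), None)
    host = host or target.url.split("/", 1)[0]
    return host.split(":", 1)[0].lower()


def is_benign(target: HttpTarget) -> bool:
    return host_of(target) in BENIGN_HOSTS


def build_config(targets, poll_interval_s: int = 300) -> dict:
    """Config for the HTTP monitoring module (layout is an assumption)."""
    return {
        "module": "http",
        "poll_interval_seconds": poll_interval_s,
        "targets": [vars(t) for t in targets if not is_benign(t)],
    }


if __name__ == "__main__":
    print(json.dumps(build_config(parse_report(SAMPLE_REPORT)), indent=2))
```

The allowlist matters in practice: the slide's own example report shows the sample talking to www.google.com, and without filtering such connectivity checks every report would yield Google as a "C&C server". Matching on the Host header rather than the resolved IP keeps the filter stable when a CDN address changes.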

  32. Preliminary Results
     - Tests showed that very few reports contained HTTP traffic
     - Most of the servers were already offline (>95 %)
     Consequences
     - Not usable for finding active C&C servers
     - Reason: servers go offline before the reports are used; timeliness of the data is decisive
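The polling behaviour the HTTP module slide requires (the client has to ask, the server never pushes) together with the offline bookkeeping behind the ">95 % offline" result above, as an added example that is not ccSpy code. The target fields mirror what a CWSandbox report yields; the state record, the new/unchanged/offline verdicts, the 90 % offline threshold and the constructed targets are assumptions.

```python
"""Active polling of HTTP C&C servers with offline bookkeeping."""
import hashlib
import http.client
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Target:
    remoteaddr: str
    remoteport: int
    method: str
    url: str                      # host[:port]/path as recorded by the sandbox
    headers: Dict[str, str]


@dataclass
class TargetState:
    polls: int = 0
    failures: int = 0
    last_digest: Optional[str] = None
    # (timestamp, HTTP status or None, sha256 of body or None)
    observations: List[Tuple[float, Optional[int], Optional[str]]] = field(default_factory=list)


def request_path(url: str) -> str:
    """'host/gate.php?x=1' -> '/gate.php?x=1'; a bare host -> '/'."""
    _, sep, rest = url.partition("/")
    return "/" + rest if sep else "/"


def http_fetch(target: Target, timeout: float = 10.0) -> Tuple[int, bytes]:
    """Replay the recorded request with the stdlib client.  Raises OSError
    (connection refused, timeout, resolution failure) when unreachable."""
    conn = http.client.HTTPConnection(target.remoteaddr, target.remoteport, timeout=timeout)
    try:
        conn.request(target.method, request_path(target.url), headers=target.headers)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


Fetcher = Callable[[Target], Tuple[int, bytes]]


def poll_once(target: Target, state: TargetState, fetch: Fetcher = http_fetch,
              now: Callable[[], float] = time.time) -> str:
    """One round for one target.  Returns 'offline', 'new' (body differs from
    the previous poll, i.e. a possible new command) or 'unchanged'."""
    state.polls += 1
    try:
        status, body = fetch(target)
    except (OSError, http.client.HTTPException):
        state.failures += 1
        state.observations.append((now(), None, None))
        return "offline"
    digest = hashlib.sha256(body).hexdigest()
    state.observations.append((now(), status, digest))
    verdict = "new" if digest != state.last_digest else "unchanged"
    state.last_digest = digest
    return verdict


OFFLINE_THRESHOLD = 0.9   # assumption: failing >= 90 % of polls counts as offline


def is_offline(state: TargetState, threshold: float = OFFLINE_THRESHOLD) -> bool:
    return state.polls > 0 and state.failures / state.polls >= threshold


def run_monitor(targets: Dict[str, Target], rounds: int, interval_s: float,
                fetch: Fetcher = http_fetch, sleep: Callable[[float], None] = time.sleep):
    """Poll every target `rounds` times.  Returns the per-target states and a
    list of (round, name, verdict) events, the data a client would report."""
    states = {name: TargetState() for name in targets}
    events = []
    for rnd in range(rounds):
        for name, target in targets.items():
            events.append((rnd, name, poll_once(target, states[name], fetch)))
        if rnd + 1 < rounds:
            sleep(interval_s)
    return states, events


def offline_fraction(states: Dict[str, TargetState]) -> float:
    """Share of monitored servers judged offline (the deck reports >95 %)."""
    return sum(is_offline(s) for s in states.values()) / max(len(states), 1)
```

Two practical points follow from the results slide. The remoteaddr in a report is only as fresh as the report, so a monitor that cares about timeliness should re-resolve the Host header instead of trusting the recorded IP; and because the verdict rests on repeated failures rather than a single refused connection, a server that is merely rate limiting or briefly down is not written off after one poll.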
