Monitoring Command-and-Control Channels with ccSpy
Final Presentation

Oliver Gasser
Interdisciplinary Project
Advisor: Lothar Braun
Chair for Network Architectures and Services
Faculty of Computer Science
Technische Universität München
March 22, 2013

Oliver Gasser (TU München) Monitoring C&C Channels with ccSpy
Outline
1 Motivation
2 Previous Work
3 Goals
4 Design and Implementation
5 Evaluation
6 Summary
Motivation
- Acquire knowledge about botnets in the wild: observe and learn
- Short-term: take a closer look at active Command-and-Control channels (clients and C&C servers)
- Long-term: identify botnet traffic and develop strategies
Previous Work
- Malware analysis
- Active botnet monitoring
- Passive botnet detection
Malware Analysis
[Figure: CWSandbox executes bot.exe inside a virtual machine and records its activity: file accesses (file1.txt, file2.txt) and network requests (www.evilsite.com/spam.exe, www.google.com/)]
CWSandbox report

<analysis file="c:\bot.exe" ...>
  ...
  <connection transportprotocol="TCP" remoteaddr="173.194.69.113" remoteport="80" protocol="HTTP" ...>
    <http_data>
      <http_cmd method="GET" url="www.google.com/" httpversion="HTTP/1.1">
        <header_data>
          <header>Host: www.google.com</header>
          ...
        </header_data>
      </http_cmd>
    </http_data>
  </connection>
  ...
</analysis>
ccSpy
[Figure: a ccSpy server coordinates ccSpy Client 1, which monitors Botnet C&C Server A, and ccSpy Client 2, which monitors Botnet C&C Server B]
- Developed by Philipp Lowack, TUM
- Distributed botnet monitoring tool
ccSpy Server
- Assigns botnet servers to ccSpy clients
- Stores monitoring results
- Communication with clients protected by TLS
ccSpy Client
- Receives botnet configurations from the ccSpy server
- Monitors the botnet's command and control channel
- Sends results back to the ccSpy server
Goals
- Automated workflow for botnet monitoring
  - Download malware reports from CWSandbox
  - Parse reports and create a config for ccSpy
  - Monitor C&C channels using ccSpy
- Evaluation of malware reports
  - Currently active C&C servers
  - Usability for Intrusion Detection Systems
- Focus: HTTP botnets
Monitoring HTTP Botnets
[Figure: the ccSpy server drives IRC modules on ccSpy Client 1 and ccSpy Client 2, which monitor IRC Botnet C&C Servers A and B; a new HTTP module on ccSpy Client 2 monitors HTTP Botnet C&C Server C]
- Modules for monitoring different C&C channels
- New: develop a module to monitor HTTP C&C channels
ccSpy HTTP Module

ccSpy modules
- One module per C&C channel communication type
- IRC module already implemented
- HTTP module implemented during this project

HTTP module
- HTTP is fundamentally different from IRC
- HTTP keeps no session state, so the monitoring client has to be the active side and poll the server
- Complete redesign of the module layout was necessary
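The following is an added example, not ccSpy's own code, illustrating the design point above: an IRC module can sit on one open connection and wait for the server to push commands, whereas an HTTP module must initiate every observation itself. The monitor below polls each configured target, hashes the response body and records a result only when the body changed or the server stopped answering. The target keys (server, port, url) and the result layout are assumptions, and the fetch function is injected with a scripted stand-in for the network so the example runs offline.

```python
"""Added example (not ccSpy's own code): a polling HTTP-channel monitor.

HTTP keeps no session state, so every observation has to be a request the
monitoring client makes itself. The monitor records a result when a target's
response body changes (new command) or the target goes offline."""
import hashlib


class HttpChannelMonitor:
    def __init__(self, targets, fetch):
        # targets: list of dicts with "server", "port", "url" (assumed keys)
        # fetch: callable(target) -> bytes; a real module would issue an HTTP
        # request here, the example injects a scripted fake instead
        self.targets = targets
        self.fetch = fetch
        self.last_digest = {}  # per-target SHA-256 of the last observed body

    def poll_once(self, poll_no):
        """One polling round; returns results only for targets that changed
        or went offline, so unchanged polls do not flood the result store."""
        results = []
        for t in self.targets:
            key = (t["server"], t["port"], t["url"])
            try:
                body = self.fetch(t)
            except OSError as exc:
                # a server that went offline is itself worth recording
                results.append({"target": key, "poll": poll_no,
                                "status": "offline", "error": str(exc)})
                continue
            digest = hashlib.sha256(body).hexdigest()
            if self.last_digest.get(key) != digest:
                self.last_digest[key] = digest
                results.append({"target": key, "poll": poll_no,
                                "status": "changed", "sha256": digest,
                                "body": body})
        return results


# Constructed stand-in for the network: a scripted sequence of responses per
# target (None = connection refused), so the run is deterministic and offline.
SCRIPTED = {
    ("192.0.2.10", 80, "/update"): [b"cmd=idle", b"cmd=idle", b"cmd=update", None],
    ("192.0.2.20", 80, "/status"): [b"ok", b"ok", b"ok", b"ok"],
}


def make_scripted_fetch(script):
    cursors = {k: 0 for k in script}

    def fetch(target):
        key = (target["server"], target["port"], target["url"])
        i = cursors[key]
        cursors[key] = i + 1
        body = script[key][min(i, len(script[key]) - 1)]
        if body is None:
            raise OSError("connection refused")
        return body

    return fetch


def run_monitor(rounds):
    """Poll the scripted targets for the given number of rounds."""
    targets = [{"server": s, "port": p, "url": u} for (s, p, u) in SCRIPTED]
    mon = HttpChannelMonitor(targets, make_scripted_fetch(SCRIPTED))
    all_results = []
    for n in range(1, rounds + 1):
        all_results.extend(mon.poll_once(n))
    return all_results


if __name__ == "__main__":
    for r in run_monitor(4):
        print(r["poll"], r["target"], r["status"])
```

With the scripted responses, four rounds yield four results: both targets on the first poll (first observation), the changed command on the third, and the offline event on the fourth; the unchanged polls in between produce nothing, which is the behaviour a result store fed by many clients needs.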
Automated Workflow
[Figure: malware reports from CWSandbox are used to generate the ccSpy config, which the ccSpy server hands to the IRC and HTTP modules on the ccSpy clients]
- Generate ccSpy config from CWSandbox reports
Automated Workflow
1. Retrieve malware reports from CWSandbox
2. Parse reports to locate HTTP traffic
3. Generate ccSpy configuration and start the ccSpy HTTP module
4. Analyze results obtained from potential C&C servers
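Steps 2 and 3 of the workflow, as an added example that is not ccSpy's or CWSandbox's own code: parse a CWSandbox-style XML report, keep only the HTTP connections, drop requests to hosts a sample contacts for connectivity checks rather than C&C (the www.google.com request in the report shown earlier), and emit a configuration for the HTTP module. The element and attribute names follow the report snippet in the deck; the allowlist, the sample report and the JSON configuration format are assumptions made for this example.

```python
"""Added example (not ccSpy's or CWSandbox's own code): turn the HTTP
requests recorded in a CWSandbox-style report into a monitoring config.

Assumptions: element/attribute names as in the report snippet shown in the
deck; the ccSpy config format below (JSON list of targets) is hypothetical."""
import json
import xml.etree.ElementTree as ET

# Constructed sample report modelled on the snippet in the deck. The first
# connection is a connectivity check to a well-known site, not C&C traffic,
# which is why the extractor needs an allowlist; the IRC connection is
# ignored by the HTTP workflow.
SAMPLE_REPORT = """<analysis file="c:\\bot.exe">
  <connection transportprotocol="TCP" remoteaddr="173.194.69.113" remoteport="80" protocol="HTTP">
    <http_data>
      <http_cmd method="GET" url="www.google.com/" httpversion="HTTP/1.1">
        <header_data>
          <header>Host: www.google.com</header>
          <header>User-Agent: Mozilla/4.0</header>
        </header_data>
      </http_cmd>
    </http_data>
  </connection>
  <connection transportprotocol="TCP" remoteaddr="192.0.2.10" remoteport="80" protocol="HTTP">
    <http_data>
      <http_cmd method="POST" url="192.0.2.10/update" httpversion="HTTP/1.1">
        <header_data>
          <header>Host: 192.0.2.10</header>
          <header>Content-Type: application/x-www-form-urlencoded</header>
        </header_data>
      </http_cmd>
    </http_data>
  </connection>
  <connection transportprotocol="TCP" remoteaddr="192.0.2.10" remoteport="6667" protocol="IRC"/>
</analysis>
"""

# Hosts sandboxed samples commonly contact for reasons other than C&C
# (connectivity checks, updates); constructed list for this example.
BENIGN_HOSTS = {"www.google.com", "www.microsoft.com"}


def extract_http_requests(report_xml):
    """Return one dict per HTTP request found in the report (step 2)."""
    root = ET.fromstring(report_xml)
    requests = []
    for conn in root.iter("connection"):
        if conn.get("protocol") != "HTTP":
            continue
        for cmd in conn.iter("http_cmd"):
            headers = {}
            for hdr in cmd.iter("header"):
                # header text is "Name: value"
                name, _, value = (hdr.text or "").partition(":")
                headers[name.strip()] = value.strip()
            requests.append({
                "remoteaddr": conn.get("remoteaddr"),
                "remoteport": int(conn.get("remoteport", "80")),
                "method": cmd.get("method"),
                "url": cmd.get("url"),
                "host": headers.get("Host", ""),
                "headers": headers,
            })
    return requests


def candidate_c2_servers(requests, benign_hosts=BENIGN_HOSTS):
    """Drop requests to allowlisted hosts; the rest are monitoring candidates."""
    return [r for r in requests if r["host"] not in benign_hosts]


def build_ccspy_config(candidates):
    """Emit the (hypothetical) ccSpy HTTP-module configuration (step 3)."""
    targets = [{
        "module": "http",
        "server": c["remoteaddr"],
        "port": c["remoteport"],
        "method": c["method"],
        "url": c["url"],
        "headers": c["headers"],
    } for c in candidates]
    return json.dumps({"targets": targets}, indent=2)


if __name__ == "__main__":
    reqs = extract_http_requests(SAMPLE_REPORT)
    print(build_ccspy_config(candidate_c2_servers(reqs)))
```

The headers are carried into the configuration on purpose: an HTTP C&C server that checks the Host or User-Agent header will answer a monitoring client differently, or not at all, unless the client replays what the sample sent.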
Preliminary Results
- Tests showed that very few reports contained HTTP traffic
- Most of the servers were already offline (> 95 %)

Consequences
- Not usable for finding active C&C servers
- Reason: servers go offline; timeliness of the data matters