NECST laboratory, BOTNETS FUNDING ETC., @syssecproject SysSec - PowerPoint PPT presentation

PHOENIX & CERBERUS: We haz botnets! #Honeynet2014. Stefano Schiavoni, Edoardo Colombo, Federico Maggi, Lorenzo Cavallaro, Stefano Zanero. Politecnico di Milano & Royal Holloway, University of London. NECST laboratory.


  1. CERBERUS > FILTERING (overview): DNS stream → Filtering → Suspicious domains → Detection (Classifier, Time Detective) → Malicious domains / Clusters. Bootstrap: Phoenix clusters.

  2. CERBERUS > FILTERING. Insight: a malicious domain that is automatically generated will not become popular. Alexa Top 1M whitelist: we whitelist the domains that appear in the Alexa Top 1M.

  3. CERBERUS > FILTERING. Insight: a malicious domain that is automatically generated will not belong to a CDN (e.g., r4---sn-a5m7lnes.example.com). CDN whitelist: we whitelist the domains that belong to the most popular CDN networks (e.g., YouTube, Google, etc.) and advertisement services.

  4. CERBERUS > FILTERING. Insight: an attacker will register a domain under a TLD that does not require clearance. TLD whitelist: we whitelist the domains whose top-level domain requires authorization by a third-party authority before registration (e.g., .gov, .edu, .mil).

  5. CERBERUS > FILTERING. Insight: how fast is fast? 2-3 years ago: TTL < 100. Nowadays: 80 < TTL < 300 seconds. Why? To save money :-) See the BH-US 2013 talk [4]. TTL: we filter out all those domains featuring a Time To Live outside these bounds. [4] https://media.blackhat.com/us-13/US-13-Xu-New-Trends-in-FastFlux-Networks-Slides.pdf

  6. CERBERUS > FILTERING. Insight: we are looking for DGA-generated domains. Phoenix's DGA filter: we filter out the domains likely to be generated by humans.

  7. CERBERUS > FILTERING. Insight: the attacker will register the domain just a few days before the communication takes place. Whois: we query the Whois server and discard the domains that were registered more than ∆ days before the DNS query.

  8. RECAP ON FILTERING. Starting with 50,000 domains: 20,000 with TTL > 300 seconds; 19,000 not in the Alexa Top 1M list; 15,000 not in the most popular CDNs; 800 likely to be DGA generated; 700 with no previous authorization; 300 younger than ∆ days ← suspicious.
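The filter chain of slides 2-8 as an added, runnable example (this is my code, not code from the talk or from the Phoenix/Cerberus project): every observed name is whitelisted or dropped in the order the slides give it, and whatever survives is "suspicious". The Alexa, CDN and TLD lists, the vowel-ratio rule that stands in for Phoenix's linguistic DGA filter (the real filter is not described on this page), ∆ = 7 days and the sample records are all assumptions constructed for the example; only the TTL bounds come from slide 5.

```python
import re

# Constructed stand-ins for the external lists the talk relies on (assumptions,
# not the real Alexa Top 1M, CDN or TLD lists).
ALEXA_TOP = {"google.com", "wikipedia.org"}
CDN_SUFFIXES = ("example.com", "cdn.example.net")     # crude suffix match, cf. r4---sn-a5m7lnes.example.com
RESTRICTED_TLDS = {"gov", "edu", "mil"}                # registration needs third-party clearance
TTL_LOW, TTL_HIGH = 80, 300                            # 80 < TTL < 300 seconds (slide 5)


def registrable_domain(fqdn):
    """Last two labels: a crude stand-in for proper public-suffix handling."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def looks_human_generated(fqdn):
    """Assumption: stands in for Phoenix's DGA filter. A first label counts as
    human-like when its vowel ratio is word-like and it has no long consonant run."""
    label = re.sub(r"[^a-z]", "", fqdn.lower().split(".")[0])
    if not label:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiou]+", label))
    return 0.3 <= vowel_ratio <= 0.6 and longest_consonant_run < 4


def filter_domains(records, delta_days):
    """Apply the Cerberus filter chain in slide order.
    record: {"fqdn", "ttl" (seconds), "age_days" (days since Whois registration)}
    Returns {fqdn: "suspicious" | reason the name was whitelisted or dropped}."""
    verdicts = {}
    for r in records:
        fqdn = r["fqdn"].lower()
        tld = fqdn.rsplit(".", 1)[-1]
        if registrable_domain(fqdn) in ALEXA_TOP:
            verdicts[fqdn] = "whitelisted: Alexa Top 1M"
        elif fqdn.endswith(CDN_SUFFIXES):
            verdicts[fqdn] = "whitelisted: CDN/advertisement network"
        elif tld in RESTRICTED_TLDS:
            verdicts[fqdn] = "whitelisted: TLD requires clearance"
        elif not (TTL_LOW < r["ttl"] < TTL_HIGH):
            verdicts[fqdn] = "dropped: TTL outside fast-flux bounds"
        elif looks_human_generated(fqdn):
            verdicts[fqdn] = "dropped: likely human-generated"
        elif r["age_days"] > delta_days:
            verdicts[fqdn] = "dropped: registered more than delta days ago"
        else:
            verdicts[fqdn] = "suspicious"
    return verdicts


# Constructed observations; the names are made up for the example.
SAMPLE_RECORDS = [
    {"fqdn": "www.google.com", "ttl": 300, "age_days": 5000},
    {"fqdn": "r4---sn-a5m7lnes.example.com", "ttl": 100, "age_days": 3000},
    {"fqdn": "library.example.edu", "ttl": 120, "age_days": 2},
    {"fqdn": "news.example.org", "ttl": 86400, "age_days": 900},
    {"fqdn": "shopping-deals.example.org", "ttl": 120, "age_days": 2},
    {"fqdn": "qwvmzkrtpa.info", "ttl": 200, "age_days": 40},
    {"fqdn": "xkqzvbtrw.biz", "ttl": 120, "age_days": 2},
    {"fqdn": "zxqvpnr.ws", "ttl": 90, "age_days": 1},
]


def suspicious_domains(records=SAMPLE_RECORDS, delta_days=7):
    """The names that reach the end of the chain, i.e. the classifier's input."""
    return sorted(d for d, v in filter_domains(records, delta_days).items() if v == "suspicious")
```

Run as is, only the two names that are both DGA-looking and registered within the last seven days survive; the order of the checks matters for the reported reason, since a popular name with a huge TTL is reported as whitelisted, not as a TTL drop.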

  10. CLASSIFIER > CLASSIFICATION. Cluster A: 340.wap517.net, 251.wap517.net, 391.wap517.net (69.43.161.180). Cluster B: 285.ns4000wip.com, 418.ns4000wip.com, 379.ns4000wip.com (69.43.161.180). Cluster C: … Train the classifier on A, B. New domain 576.wap517.net (69.43.161.180): assign 576.wap517.net to B.

  16. CLASSIFIER > SUBSEQUENCE STRING KERNEL. Developed at Royal Holloway in 2002 by Lodhi et al. How many (non-contiguous) substrings of size k = 2? With decay factor λ, the feature vectors over the substrings c-a, a-r, c-r, a-t, c-t are
    φ(car) = (λ², λ², λ³, 0, 0)
    φ(cat) = (λ², 0, 0, λ², λ³)
  so that $\ker(car, cat) = \lambda^4$, $\ker(car, car) = \ker(cat, cat) = 2\lambda^4 + \lambda^6$ and the normalised kernel is $\ker_n(car, cat) = \frac{\lambda^4}{2\lambda^4 + \lambda^6} = \frac{1}{2 + \lambda^2} \in [0, 1]$.

  17. CLASSIFIER > SUPPORT VECTOR MACHINES. SVM: find one hyperplane, or a set of them, that has the largest distance to the nearest training data point of any class.
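An added worked example of the kernel of slide 16 and of the classification step of slides 10-17 (my code, not the authors' or the project's): it enumerates the length-k subsequences with their λ^span weights, reproduces the car/cat numbers, and uses the normalised kernel to assign a new domain to the closest of two constructed clusters. Assumptions: a nearest-mean-kernel rule stands in for the SVM, the cluster names and the *.cc-one.example / *.cc-two.example domains are constructed, and the naive enumeration is adequate for domain labels but is not the dynamic programme Lodhi et al. give for long texts.

```python
from itertools import combinations
from math import sqrt


def ssk_features(s, k=2, lam=0.5):
    """phi(s): for every length-k subsequence u of s, the sum of lam**span over the
    index tuples that spell u (span = last index - first index + 1).
    Naive enumeration: fine for domain labels, not the O(k|s||t|) recursion of Lodhi et al."""
    phi = {}
    for idx in combinations(range(len(s)), k):
        u = "".join(s[i] for i in idx)
        phi[u] = phi.get(u, 0.0) + lam ** (idx[-1] - idx[0] + 1)
    return phi


def ssk(s, t, k=2, lam=0.5):
    """Unnormalised kernel: the inner product of the two feature maps."""
    phi_s, phi_t = ssk_features(s, k, lam), ssk_features(t, k, lam)
    return sum(w * phi_t[u] for u, w in phi_s.items() if u in phi_t)


def ssk_normalized(s, t, k=2, lam=0.5):
    """ker_n(s, t) = ker(s, t) / sqrt(ker(s, s) * ker(t, t)), always in [0, 1]."""
    return ssk(s, t, k, lam) / sqrt(ssk(s, s, k, lam) * ssk(t, t, k, lam))


def ssk_distance(s, t, k=2, lam=0.5):
    """The distance the clustering and the pairwise-distance plot are built on."""
    return 1.0 - ssk_normalized(s, t, k, lam)


# Constructed clusters (assumption: the names and domains are not from the talk).
CLUSTERS = {
    "alpha": ["340.cc-one.example", "251.cc-one.example", "391.cc-one.example"],
    "beta": ["285.cc-two.example", "418.cc-two.example", "379.cc-two.example"],
}


def assign_to_cluster(domain, clusters=CLUSTERS, k=2, lam=0.5):
    """Assumption: a nearest-mean-kernel rule stands in for the talk's SVM.
    The new domain joins the cluster whose members it is most similar to on average."""
    scores = {name: sum(ssk_normalized(domain, m, k, lam) for m in members) / len(members)
              for name, members in clusters.items()}
    return max(scores, key=scores.get), scores
```

With λ = 0.5, ssk_features("car") is {"ca": 0.25, "ar": 0.25, "cr": 0.125}, ssk("car", "cat") is 0.0625 = λ⁴, ssk("car", "car") is 0.140625 = 2λ⁴ + λ⁶, and the normalised value is 1/(2 + λ²) = 0.444…, exactly as on the slide.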

  18. RESULTS > EXPERIMENTS. Results on passive DNS data from https://farsightsecurity.com/Services/SIE/

  19. RESULTS > CLASSIFIER. [Plot: classifier accuracy (y-axis, 0.88 to 0.95) against the number of training points (x-axis, 200 to 1000).]

  20. CLASSIFICATION > RESULTS. Training 1000, testing 100. Classes and sample domains: a: caaa89e...d4ca925b3e2.co.cc, f1e01ac...51b64079d86.co.cc; b: kdnvfyc.biz, wapzzwvpwq.info; c: jhhfghf7.tk, faukiijjj25.tk; d: cvq.com, epu.org. Confusion matrix (rows: true class; columns: predicted a, b, c, d): a: 100, 0, 0, 0; b: 1, 92, 6, 1; c: 3, 0, 91, 6; d: 0, 0, 2, 98. Overall accuracy ≃ 0.95.

  21. CLASSIFICATION > PAIRWISE DISTANCES. [Plot: pairwise distance (y-axis, 0 to 0.8) over the domain pairs (x-axis, 0 to 15,000).]

  22. The Time Detective discovers new botnets.

  23. TIME DETECTIVE > PASSIVE DNS TRAFFIC. Botmaster at 131.175.65.1; the bot contacts spq.org, then evq.org, then akh.org, and all of them resolve to the same address: 131.175.65.1 : { evq.org, akh.org, spq.org }. Every ∆ the bots contact the C&C server on a new domain.

  27. TIME DETECTIVE > STEPS: Passive DNS traffic → Grouping by AS → Clustering → Merging → Clusters.

  28. TIME DETECTIVE > GROUPING. We assume a lazy attacker behavior: if (s)he finds an obliging AS, (s)he will buy a few IPs in there. We group together the domains that point to IPs within the same AS.

  30. TIME DETECTIVE > CLUSTERING. DBSCAN with automatic tuning, using SSK as the distance: minPts domains per cluster; ε distance threshold. [Diagram: clusters A and B, plus noise points.]

  31. CLUSTERING > TUNING MINPTS. minPts = 7 domains per cluster, i.e. the observation period in days. Rationale: the bots will contact the C&C server at least once a day.

  32. CLUSTERING > THRESHOLD (ε). Intra-cluster distances; inter-cluster distances → 0 (minimize).

  33. TIME DETECTIVE > MERGING. What if a new cluster is actually a known botnet that migrated the C&C server somewhere else?

  34. TIME DETECTIVE > MERGING (migration). The C&C server moves from 134.54.12.1 to 134.54.12.2 and the domains (… apq.org, paq.org …) now resolve to the new address. [Cartoon: "Arrr!" / "What t' h3ck!"]

  43. TIME DETECTIVE > MERGING. Suppose you have clusters A and B, with their intra-cluster distance matrices (rows and columns indexed by the domains of each cluster):
  $$A = \begin{pmatrix} d_{1,1} & \cdots & d_{1,m} \\ \vdots & \ddots & \vdots \\ d_{m,1} & \cdots & d_{m,m} \end{pmatrix}, \qquad B = \begin{pmatrix} d_{1,1} & \cdots & d_{1,n} \\ \vdots & \ddots & \vdots \\ d_{n,1} & \cdots & d_{n,n} \end{pmatrix}$$
  and the distance matrix of the merge candidate A ∼ B, with rows dom_1 … dom_m and columns dom_1 … dom_n:
  $$A \sim B = \begin{pmatrix} d_{1,1} & d_{1,2} & \cdots & d_{1,n} \\ d_{2,1} & d_{2,2} & \cdots & d_{2,n} \\ \vdots & \vdots & \ddots & \vdots \\ d_{m,1} & d_{m,2} & \cdots & d_{m,n} \end{pmatrix}$$

  47. TIME DETECTIVE > WELCH TEST. Stats to the rescue! Welch test: do A and A ∼ B have different intra-cluster distance distributions? (The entries of the matrix A are compared with the entries of the matrix A ∼ B.)

  50. TIME DETECTIVE > EXAMPLE.
  Day 1: 388.ns768.com, 382.ns4000wip.com, 383.ns4000wip.com, 391.wap517.net.
  Day 2: 388.ns768.com, 389.ns768.com, 390.ns768.com, 379.ns4000wip.com, 382.ns4000wip.com, 383.ns4000wip.com, 384.ns4000wip.com, 391.wap517.net.
  Day 7: 388.ns768.com, 389.ns768.com, 390.ns768.com, 391.ns768.com, 392.ns768.com, 379.ns4000wip.com, 380.ns4000wip.com, 381.ns4000wip.com, 382.ns4000wip.com, 383.ns4000wip.com, 384.ns4000wip.com, 385.ns4000wip.com, 386.ns4000wip.com, 391.wap517.net.
  All of them point into AS 22489; grouping by AS, clustering and merging produce three new clusters (Cluster 1, Cluster 2, Cluster 3) out of these domains.
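The Time Detective steps of slides 27-49 (grouping by AS, DBSCAN with minPts = 7, Welch-test merging of clusters found in different ASes) as one added end-to-end example; this is my code, not the project's. Assumptions: a Jaccard distance over character bigrams replaces the SSK distance so the block has no dependencies, ε = 0.5 is fixed for that distance rather than tuned as in slide 32, |t| < 2 stands in for a proper p-value, the ASNs 64512 and 64513 are from the private-use range, and the numeric labels are constructed under the second-level domains shown in the talk's own example.

```python
from itertools import combinations
from math import copysign, sqrt


def bigrams(s):
    return {s[i:i + 2] for i in range(len(s) - 1)}


def bigram_distance(a, b):
    """Jaccard distance over character bigrams (assumption: a dependency-free
    stand-in for the SSK distance the talk uses)."""
    x, y = bigrams(a), bigrams(b)
    union = x | y
    if not union:                           # one-character names carry no bigrams
        return 0.0 if a == b else 1.0
    return 1.0 - len(x & y) / len(union)


def dbscan(items, dist, eps, min_pts):
    """Textbook DBSCAN over an arbitrary distance function. A point is core when at
    least min_pts items (itself included) lie within eps; returns (clusters, noise)."""
    n = len(items)
    nbrs = [[j for j in range(n) if dist(items[i], items[j]) <= eps] for i in range(n)]
    label = [None] * n                      # None: unvisited, -1: noise, >= 0: cluster id
    next_id = 0
    for i in range(n):
        if label[i] is not None:
            continue
        if len(nbrs[i]) < min_pts:
            label[i] = -1
            continue
        label[i] = next_id
        stack = list(nbrs[i])
        while stack:
            j = stack.pop()
            if label[j] == -1:              # border point reached from a core point
                label[j] = next_id
            if label[j] is not None:
                continue
            label[j] = next_id
            if len(nbrs[j]) >= min_pts:     # j is core as well: keep expanding
                stack.extend(nbrs[j])
        next_id += 1
    clusters = [[items[i] for i in range(n) if label[i] == c] for c in range(next_id)]
    noise = [items[i] for i in range(n) if label[i] == -1]
    return clusters, noise


def welch_t(xs, ys):
    """Welch's t statistic and the Welch-Satterthwaite degrees of freedom."""
    nx, ny = len(xs), len(ys)
    mx, my = sum(xs) / nx, sum(ys) / ny
    vx = sum((x - mx) ** 2 for x in xs) / (nx - 1)
    vy = sum((y - my) ** 2 for y in ys) / (ny - 1)
    se2 = vx / nx + vy / ny
    if se2 == 0.0:                          # both samples constant: t is 0 or infinite
        return (0.0 if mx == my else copysign(float("inf"), mx - my)), float("inf")
    df = se2 ** 2 / ((vx / nx) ** 2 / (nx - 1) + (vy / ny) ** 2 / (ny - 1))
    return (mx - my) / sqrt(se2), df


def intra_distances(cluster):
    return [bigram_distance(a, b) for a, b in combinations(cluster, 2)]


def should_merge(old, new, t_crit=2.0):
    """Slide 47's question: do `old` and `old ~ new` have different intra-cluster
    distance distributions? Assumption: |t| < 2 (about the two-sided 5% critical
    value for large df) is read as 'no difference'; a real run would use a p-value."""
    xs, ys = intra_distances(old), intra_distances(old + new)
    if len(xs) < 2 or len(ys) < 2:
        return False
    t, _ = welch_t(xs, ys)
    return abs(t) < t_crit


def time_detective(records, eps=0.5, min_pts=7):
    """records: (domain, origin AS of the IP it resolved to). Group by AS, cluster each
    group with DBSCAN, then absorb a cluster into one from another AS when the Welch
    test accepts it as the same botnet (the C&C migration case of slide 33)."""
    by_as = {}
    for domain, asn in records:
        by_as.setdefault(asn, []).append(domain)
    found, noise = [], []
    for asn, domains in by_as.items():
        clusters, nz = dbscan(domains, bigram_distance, eps, min_pts)
        found += [(asn, c) for c in clusters]
        noise += nz
    merged = []
    for asn, cluster in found:
        for m in merged:
            if asn not in m["asns"] and should_merge(m["domains"], cluster):
                m["asns"].add(asn)
                m["domains"] += cluster
                break
        else:
            merged.append({"asns": {asn}, "domains": list(cluster)})
    return merged, noise


# Constructed input (not data from the talk): two DGA families plus one stray name
# seen in AS 64512, and the first family again, on another AS, after a migration.
SAMPLE_RECORDS = (
    [(p + ".ns768.com", 64512) for p in ("11", "21", "31", "41", "12", "22", "32", "42")]
    + [(p + ".ns4000wip.com", 64512) for p in ("13", "23", "33", "43", "14", "24", "34", "44")]
    + [("391.wap517.net", 64512)]
    + [(p + ".ns768.com", 64513) for p in ("51", "61", "71", "81", "52", "62", "72", "82")]
)
```

On this input DBSCAN finds two clusters and one noise point in AS 64512 and one cluster in AS 64513; the Welch test then merges the AS 64513 cluster into the ns768.com cluster (its intra-cluster distances are drawn from the same distribution) and refuses to merge it into the ns4000wip.com cluster, so the result is two botnets, one of them spanning both ASes.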

  57. RESULTS > EXPERIMENTS. Results on passive DNS data from https://farsightsecurity.com/Services/SIE/

  58. TIME DETECTIVE > LABELING (1 WEEK). 187 domains classified as malicious and labeled. Example label 07e21, botnet: Conficker, domains: hhdboqazof.biz, poxqmrfj.biz, hcsddszzzc.ws, tnoucgrje.biz, gwizoxej.biz, jnmuoiki.biz.

  59. TIME DETECTIVE > CLUSTERING. 3,576 domains were considered suspicious by Cerberus and stored together with their IP address. Then we ran the clustering routine to discover new botnets.

  60. TIME DETECTIVE > CLUSTERING. Columns: Botnet | AS | IPs | Size.
  Jusabli | 22489 | 69.43.161.167 | 24
  Palevo | 47846 | 82.98.86.171, 82.98.86.176, 82.98.86.175 | 142
  Generic Trojan | 12306 | 82.98.86.169, 82.98.86.162, 82.98.86.178, 82.98.86.163 | 57
  Sality | 15456 | 62.116.181.25 | 26
  Jadtre* | 22489 | 69.43.161.180, 69.43.161.174 | 173
  Jadtre** | 22489 | 69.43.161.180 | 37
  Further rows whose cells the extraction scattered: Hiloti (IP 69.43.161.167), Palevo (AS 30069, IP 69.58.188.49), Palevo (AS 53665), Jadtre***; the loose values 47, 73, 40, 22489 and 199.59.243.118 belong to these rows.

  61. TIME DETECTIVE > CLUSTERING. Columns: Cluster | Sample domains | IP.
  Jadtre* | 285.ns4000wip.com, 418.ns4000wip.com, 379.ns4000wip.com | 69.43.161.174, 69.43.161.180
  Jadtre** | 340.wap517.net, 251.wap517.net, 391.wap517.net | 69.43.161.180
  Jadtre*** | 296.ns768.com, 353.ns768.com, 388.ns768.com | 69.43.161.167

  62. TIME DETECTIVE > MERGING. Cluster a (old): domains ydt.info, nhy.org, rrg.info, knw.info; IPs 82.98.86.165, 82.98.86.168, 82.98.86.167, 82.98.86.175, 82.98.86.171, 82.98.86.176. Cluster b (new): domains lxx.net, bwn.org, epu.org, cvq.com; IPs 208.87.35.107, 176.74.76.175. Both belong to the Palevo botnet.

  64. TIME DETECTIVE > RECAP. 3,576 suspicious domains collected; 47 clusters of DGA-generated domains discovered; 187 malicious domains detected and labeled; 319 new domains detected in the next 24 hours.
