Detection of Botnet Command and Control Traffic in Enterprise Networks

PDF, 16 pages, 1020 KB

Detection of Botnet Command and Control Traffic in Enterprise Networks, by Pieter Burghouwt

Dissertation for obtaining the degree of doctor at Delft University of Technology, by authority of the Rector Magnificus prof. ir. K. C. A. M. Luyben, chairman of the Board for Doctorates, to be defended publicly on 2 February 2015 at 10:00 by Pieter BURGHOUWT, ingenieur Elektrotechniek (engineering degree in Electrical Engineering), born in Voorburg, the Netherlands.

This dissertation has been approved by the promotor: Prof. dr. H. J. Sips

Composition of the doctoral committee:
Rector Magnificus, chairman
Prof. dr. ir. H.J. Sips, Delft University of Technology, promotor
Dr. M.E.M. Spruit, The Hague University of Applied Sciences
Prof. dr. K.G. Langendoen, Delft University of Technology
Prof. dr. ir. J. van den Berg, Delft University of Technology
Prof. dr. ir. H.J. Bos, VU University of Amsterdam
Prof. dr. S. Etalle, Technical University of Eindhoven
Dr. ir. J. Henseler, Amsterdam University of Applied Sciences
Prof. dr. ir. D.H.J. Epema, Delft University of Technology

Dr. M.E.W. Spruijt has, as supervisor, contributed substantially to the preparation of this dissertation.

Keywords: botnets, network intrusion detection, command and control traffic, cybersecurity
Printed by: Ipskamp Drukkers B.V.
Copyright © 2015 by Pieter Burghouwt
Cover design: Odine Burghouwt
ISBN 978-94-6186-414-7
An electronic version of this dissertation is available at http://repository.tudelft.nl/.

This thesis is dedicated to my wife Carmen and my children for their love and patience. Pieter Burghouwt

ACKNOWLEDGMENTS

This thesis is the result of hard work over the last years. To combine PhD research with my work as a lecturer, a husband and a father was often challenging. Nevertheless, with great satisfaction I can look back at a phase of my life in which I was a student again. I enjoyed all aspects of it: from satisfying my curiosity in the research, to presenting my work at conferences in other countries. This work would not have been possible without the support of many people. I express my grateful thanks to all of them.

First my thanks go to my supervisors Henk Sips and Marcel Spruit for their continuous and high quality support during my PhD studies. By their coaching and constructive feedback they enabled me to conduct the research and develop my research skills.

I thank the PhD committee for their review and their provision of high quality feedback that improved my thesis.

I also thank my employer The Hague University of Applied Sciences who offered me the unique opportunity to conduct my PhD research. My special thanks go to: Gert de Ruiter, Ineke van der Meulen, and other members of the board who enabled and patiently supported my study, to Jan Dirk Schagen who encouraged me to start the PhD research, and to all my colleagues who had to work harder because of my limited availability for teaching.

Finally but most importantly I thank my wife Carmen and my children for their patience, moral support, and their faith in me. My mental and sometimes physical absence must have been difficult for them but they never complained. I could not have completed my research without the support of all these wonderful people!

Pieter Burghouwt
Delft, January 2015

CONTENTS

1 Introduction 1
1.1 Research Background 1
1.1.1 Schematic Overview of a Botnet 1
1.1.2 Defining Botnets and Bots 2
1.1.3 The Evolution of Botnets 3
1.1.4 Botnet Countermeasures 5
1.2 The Enterprise Network 6
1.3 Problem Statement 7
1.4 Research Objectives and Subsequent Research Activities 8
1.4.1 Contributions 9
1.5 Thesis Outline 10
2 Countering Botnets by the Detection of C&C Traffic in Enterprise Networks 13
2.1 Network Intrusion Detection 14
2.1.1 Feature Extraction 14
2.1.2 Knowledge 15
2.2 Evaluation of Intrusion Detection Methods 19
2.2.1 Detection Performance 19
2.2.2 Other Evaluation Criteria 21
2.3 Classification of Botnet Countermeasures 24
2.3.1 Existing Classifications 24
2.3.2 Taxonomy versus Ontology-based Faceted Classification 26
2.3.3 A Faceted Ontology-based Classification of Botnet Countermeasures 27
2.3.4 Motivation of the Facets "counters" and "is-implemented-in" 29
2.3.5 Motivation of the Facet "intervenes by" 30
2.3.6 Refinement of Reactive Measures 32
2.3.7 Evaluation of the Ontology-based Classification 33
2.4 An Overview of Existing Network-based C&C Detection 35
2.4.1 Classification of Existing Misuse-based Detection 37
2.4.2 Examples of Anomaly-based Detection 38
2.5 Network-based C&C Detection in an Enterprise Network 40
2.5.1 Enterprise-specific Characteristics 40
2.5.2 Selection of Classes in the Detection Ontology 41
2.5.3 New Detection Approaches 42
3 Detection of Botnet Communication by Monitoring User Activity 45
3.1 Introduction 46
3.2 Related Work 47
3.3 Detection Principle 48
3.3.1 Detection of Botnet Traffic to Twitter.com 49
3.3.2 Empirical Estimation of Optimal Time Windows 51
3.3.3 Theoretical Performance of the Detector 51
3.3.4 Experimental Evaluation of the Detection Algorithm 54
3.4 Special Cases of Twitter Traffic 55
3.4.1 Automatic Legal Traffic 55
3.4.2 Evasion by User-Synchronized Botnet Traffic 56
3.5 Conclusions 57
4 Detection of C&C Traffic by Causal Analysis of Traffic Flows 59
4.1 Introduction 60
4.2 Related Work 62
4.3 Causal Analysis of Flows and Anomaly Detection 63
4.3.1 The Direct Cause of a Flow 63
4.3.2 Optimal Selection of the Direct Cause 64
4.3.3 Detection Performance 65
4.4 CITRIC: Practical Implementation of TFC Graph Construction and Detection 66
4.4.1 Implementation Issues and Solutions 67
4.5 Experimental Evaluation 67
4.5.1 Empirical Determination of the Optimal Window Sizes 68
4.5.2 TFC Detection of Real C&C Traffic 71
4.5.3 Visualization of the TFC Graphs 71
4.6 Evasion and Related Improvements of TFC Detection 73
4.6.1 Solutions against Piggybacking 73
4.7 Conclusions 74
5 Detection of C&C Traffic by Identification of Untrusted Destinations 75
5.1 Introduction 76
5.2 UDI Detection Approach 76
5.2.1 Logical Destination Identifiers 78
5.2.2 Forward Reference Extraction 79
5.2.3 The UDI Detection Algorithm 79
5.2.4 Detection Errors 80
5.3 Detector Implementation 81
5.3.1 Partial ldi-matching 82
5.3.2 Name-Based Criteria 82
5.4 Experimental Evaluation 82
5.4.1 Controlled Environment 83
5.4.2 Evaluation of False Positives and Stage Contribution 84
5.4.3 Evaluation of True Positives 85
5.5 Evasion of UDI Detection and Solutions 86
5.6 Related Work 88
5.6.1 Work Related with Flow Analysis in Consecutive Stages 88
5.6.2 Work Related with Logical Destination Referencing 88
5.6.3 Work Related with Human Input Evaluation 89
5.7 Conclusions 89
6 Detection of Botnet Command and Control Channels by Anomalous Degrees of DNS Domains 91
6.1 Introduction 92
6.2 Related Work 92
6.3 Detection by Domain Degree 93
6.3.1 Distribution of the Domain Degree 93
6.3.2 Detection Process 95
6.3.3 Detection Evasion 96
6.4 Experimental Evaluation 98
6.4.1 Measurement and Comparison of the Degree Distribution 99
6.4.2 The Effect of Filtering Popular Domains 100
6.5 Conclusions 103
7 Concluding Remarks 105
7.1 Research Objectives, Subsequent Research Activities, and Results 106
7.2 Future Work 110
7.2.1 Short Term Work 110
7.2.2 Long Term Work 111
References 113
A Appendix: CITRIC 125
A.1 An Overview of CITRIC 125
A.2 The Most Important Objects of CITRIC 126
A.3 The Storage of Flows, DNS Records and Events 127
A.4 Searching in the HTTP Payload 128
A.5 Settings and Logs 130
Summary 133
Samenvatting (Summary in Dutch) 135
Curriculum Vitæ 137
List
Recommended publications
  • Biuletyn 2016 1.Pdf
    Cover keywords: training, research, report, notification, DBI.pl, CERT.pl, initiatives, .pl domain, security, honeypot, seminar, biometrics, experts, conferences, dyżurnet.pl, digitization, science, BIPSE.

    Table of contents. CONFERENCES: 5 Together we create a better Internet; 7 A global challenge: a safe Internet for children and young people; 8 SECURE 2015: cyber police versus cybercriminals. EVENTS: 10 Science Picnic; 10 Science Festival; 10 CyberPol: training for the Police; 11 Expert seminar; 11 Scientific conference "Teenagers and the Internet"; 11 Success of Polish biometrics. REPORTS: 12 CERT Polska annual report for 2014; 13 Dyżurnet.pl report; 15 Record third quarter in the .pl domain registry. RESEARCH: 17 Teenagers and the Internet. PROJECTS: 21 Malware versus the refrigerator; 22 Secure authentication in the modern world; 24 Digitization, digitalization, or accessibility.... SECURITY: 28 Cybercriminals impersonate Poczta Polska; 29 Dorkbot no longer threatens us. INTERVIEW WITH ...: 30 A senior for culture.

    No. 1/2016. Editors: Anna Maj, Monika Gajewska-Pol. Cover design, typesetting and print preparation: Anna Nykiel. Address: ul. Wąwozowa 18, 02-796 Warszawa, tel. (22) 38 08 200, e-mail: [email protected]. The editors reserve the right to abridge and edit the texts received.

    Dear Readers, I have the pleasure of inviting you to read the latest issue of the "NASK Bulletin". In it we present our achievements and the most important events of the past year, and we describe interesting and important projects and the newest scientific solutions we have developed. NASK is a research institute that carries out numerous scientific and commercial projects, in particular ... aimed at protecting the youngest Internet users from threats. Within the Safer Internet project run by NASK operates the Dyżurnet.pl team, which receives reports of dangerous online content that threatens children and young people using the network. During its ten years of activity the team has analysed nearly 45 thousand reports.
  • Cyberaanval op Nederland: Citadel-malwareonderzoek "Pobelka" botnet (Cyberattack on the Netherlands: Citadel malware investigation of the "Pobelka" botnet)
    Cyberattack on the Netherlands, Citadel malware investigation of the "Pobelka" botnet. Contents: Introduction 3; Telegraaf.nl 3; Pobelka 4; Targeted 4; The Netherlands 5; Java exploits 5; Cyber incidents ...
  • Miscellaneous: Malware Cont'd & Start on Bitcoin
    Miscellaneous: Malware cont'd & start on Bitcoin. CS 161: Computer Security, Prof. Raluca Ada Popa, April 19, 2018. Credit: some slides are adapted from previous offerings of this course.

    Viruses vs. Worms
    • Virus: propagates by infecting other programs; usually inserted into host code (not a standalone program)
    • Worm: propagates automatically by copying itself to target systems; a standalone program

    Another type of virus: rootkits
    • A rootkit is a "stealthy" program designed to give an attacker access to a machine while actively hiding its presence
    • Q: How can it hide itself?
      - Create a hidden directory: /dev/.liB, /usr/src/.poop and similar; often use invisible characters in the directory name
      - Install hacked binaries for system programs such as netstat, ps, ls, du, login
    • Q: Why does it become hard to detect the attacker's process?
    • A: The attacker's processes, files or network connections cannot be detected by running the standard UNIX commands!

    Sony BMG copy protection rootkit scandal (2005)
    • Sony BMG published CDs that apparently had copy protection (for DRM).
    • They essentially installed a rootkit which limited the user's access to the CD.
    • It hid processes whose names started with $sys$ so that a user could not disable them.
    • A software engineer discovered the rootkit; it turned into a big scandal because it made computers more vulnerable to malware.
    • Q: Why? A: Malware would choose names starting with $sys$ so that it is hidden from antivirus programs.
    • Sony BMG pushed a patch, but that one introduced yet another vulnerability, so they recalled the CDs in the end.

    Detecting Rootkits
  • Threat Landscape Report
    Quarterly Threat Landscape Report, Q3 2020. NUSPIRE.COM. This report is sourced from 90 billion traffic logs ingested from Nuspire client sites and associated with thousands of devices around the globe.

    Contents: Introduction 4; Summary of Findings 6; Methodology and Overview 7; Quarter in Review 8; Malware 9; Botnets 15; Exploits 20; The New Normal 28; Conclusion and Recommendations 31; About Nuspire 33.

    Introduction. In Q2 2020, Nuspire observed the increasing lengths threat actors were going to in order to capitalize on the pandemic and resulting crisis. New attack vectors were created, including VPN usage, home network security issues, personal device usage for business purposes and auditability of network traffic. In Q3 2020, we've observed threat actors become even more ruthless, shifting focus from home networks to overburdened public entities including the education sector and the Election Assistance Commission (EAC). Many school districts were forced into 100% virtual or hybrid learning models by the pandemic. Attackers have waged ransomware attacks at learning institutions who not only have the financial resources to pay ransoms but feel a sense of urgency to do so in order to avoid disruptions during the school year. Meanwhile, the U.S. Elections have provided lures for phishers to attack. Nuspire witnessed Q3 attempts to guide victims to fake voter registration pages to harvest information while spoofing the Election Assistance Commission (EAC). Like these examples, cybercriminals taking advantage of prominent media themes are expected. We anticipate our Q4 2020 Threat Report to find campaigns leveraging more of the United States Presidential election as well.
  • A Systematic Empirical Analysis of Unwanted Software Abuse, Prevalence, Distribution, and Economics
    Universidad Politécnica de Madrid, Escuela Técnica Superior de Ingenieros Informáticos, Departamento de Lenguajes y Sistemas Informáticos e Ingeniería de Software. A Systematic Empirical Analysis of Unwanted Software Abuse, Prevalence, Distribution, and Economics. Ph.D. thesis, submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Software, Systems and Computing. Author: Platon Pantelis Kotzias. Advisor: Dr. Juan Caballero. April 2019. Copyright © 2019 by Platon Pantelis Kotzias.

    Committee. Chair: Marc Dasier, Professor and Department Head, EURECOM, France. Secretary: Dario Fiore, Assistant Research Professor, IMDEA Software Institute, Spain. Members: Narseo Vallina-Rodriguez, Assistant Research Professor, IMDEA Networks Institute, Spain; Juan Tapiador, Associate Professor, Universidad Carlos III, Spain; Igor Santos, Associate Research Professor, Universidad de Deusto, Spain.

    Abstract of the Dissertation. Potentially unwanted programs (PUP) are a category of undesirable software that, while not outright malicious, can pose significant risks to users' security and privacy. There exist indications that PUP prominence has quickly increased over the last years, but the prevalence of PUP on both consumer and enterprise hosts remains unknown. Moreover, many important aspects of PUP such as distribution vectors, code signing abuse, and economics also remain unknown. In this thesis, we empirically and systematically analyze in both breadth and depth PUP abuse, prevalence, distribution, and economics. We make the following four contributions. First, we perform a systematic study on the abuse of Windows Authenticode code signing by PUP and malware.
  • Use of Botnets for Mining Cryptocurrencies
    Use of Botnets for Mining Cryptocurrencies. December 2020. Renita Murimi, Associate Professor of Cybersecurity, University of Dallas.

    In this talk: history of botnet-inspired threats; operational mechanisms of botnets; an in-depth look at significant botnets that have attacked cryptocurrencies; countermeasures; implications for the future.

    Slides: Market capitalization; Energy Consumption Index comparison; Footprints.

    Rising popularity: distributed nature of currency generation; anonymity; low barrier to entry; browser-based mining software.

    Botnet core: Command and Control (C&C) architectures are the backbone of botnet operations. Aided by the IRC protocol, the C&C server sends commands to malware-infected machines, which are then capable of launching DDoS attacks, data manipulation, and malware propagation. IRC is a text-based protocol that allows clients in various topology configurations to connect to a server. Botnets can also use the HTTP protocol for C&C communication.

    Push and pull frameworks: two frameworks for C&C communications.
    • Push: bots wait for commands from the C&C server, i.e., the server pushes the commands to the bots in real time. IRC-based bots fall into the push category.
    • Pull: servers store commands in a file; bots check back at later times to retrieve and execute the commands, i.e., the bots pull the commands from a file stored on the C&C server. Most HTTP-based bots fall into this category of botnets that do not adhere to real-time botmaster control.

    The appeal of botnets for cryptomining: the distributed nature of both botnets and cryptocurrency mining; anonymity in cryptocurrency (each node is identified only by its IP address, in contrast to fiat currencies); botnets were initially used for spam. In 2019 ransomware from phishing emails increased 109% over 2017.
  • Coordinating Across Chaos: the Practice of Transnational Internet Security Collaboration
    Coordinating Across Chaos: The Practice of Transnational Internet Security Collaboration. A dissertation presented to the Academic Faculty by Tarun Chaudhary, in partial fulfillment of the requirements for the degree International Affairs, Science, and Technology in the Sam Nunn School of International Affairs, Georgia Institute of Technology, May 2019. Copyright © 2019 by Tarun Chaudhary.

    Approved by: Dr. Adam N. Stulberg, School of International Affairs, Georgia Institute of Technology; Dr. Peter K. Brecke, School of International Affairs, Georgia Institute of Technology; Dr. Michael D. Salomone, School of International Affairs, Georgia Institute of Technology; Dr. Milton L. Mueller, School of Public Policy, Georgia Institute of Technology; Dr. Jennifer Jordan, School of International Affairs, Georgia Institute of Technology. Date approved: March 11, 2019.

    Acknowledgements. I was once told that writing a dissertation is a lonely experience. This is only partially true. The experience of researching and writing this work has been supported and encouraged by a small army of individuals I am forever grateful toward. My wife Jamie, who has been a truly patient soul and encouraging beyond measure while also being my intellectual sounding board, always helping guide me to deeper insight. I have benefited from an abundance of truly wonderful teachers over the course of my academic life. Dr. Michael Salomone, who steered me toward the world of international security studies since I was an undergraduate; I am thankful for his wisdom and the tremendous amount of support he has given me over the past two decades. The rest of my committee has been equally as encouraging and provided me with countless insights as this work has been gestating and evolving.
  • Defending Against Cybercrime: Advances in the Detection of Malicious Servers and the Analysis of Client-Side Vulnerabilities
    Universidad Politécnica de Madrid, Escuela Técnica Superior de Ingenieros Informáticos, Departamento de Lenguajes y Sistemas Informáticos e Ingeniería de Software. Defending Against Cybercrime: Advances in the Detection of Malicious Servers and the Analysis of Client-Side Vulnerabilities. Ph.D. thesis, submitted in partial fulfillment of the requirements for the degree of Doctor en Informática. Author: Antonio Nappa. Advisor: Dr. Juan Caballero. February 2016. Copyright © February 2016 by Antonio Nappa.

    Jury: Somesh Jha, Professor of Computer Sciences, University of Wisconsin-Madison; Lorenzo Cavallaro, Senior Lecturer of Computer Sciences, Royal Holloway University of London; Juan Manuel Estévez Tapiador, Profesor Titular de Universidad, Universidad Carlos III de Madrid; Victor A. Villagrá, Profesor Titular de Universidad, Universidad Politécnica de Madrid; Boris Köpf, Assistant Research Professor, IMDEA Software Institute; Carmela Troncoso, Researcher, IMDEA Software Institute; Manuel Carro, Profesor Titular de Universidad, Universidad Politécnica de Madrid.

    Summary of the thesis. This thesis focuses on the analysis of two complementary aspects of cybercrime (that is, crime perpetrated over the network to make money). These two aspects are the infected machines used to obtain financial gain from crime through different actions (such as click fraud, DDoS, spam) and the server infrastructure used to manage these machines (for example, C&C servers, exploit servers, monetization servers, redirectors). The first part investigates the exposure of victim computers to threats.
  • Malware Primer Malware Primer
    Malware Primer. Table of contents: Introduction 2; Chapter 1: A Brief History of Malware, Its Evolution and Impact 3; Chapter 2: Malware Types and Classifications 8; Chapter 3: How Malware Works, Malicious Strategies and Tactics 11; Chapter 4: Polymorphic Malware, Real Life Transformers 14; Chapter 5: Keyloggers and Other Password Snatching Malware 16; Chapter 6: Account and Identity Theft Malware 19.

    Introduction. In The Art of War, Sun Tzu wrote, "If you know the enemy and know yourself, you need not fear the result of a hundred battles." This certainly applies to cyberwarfare. This primer will help you get to know cybercriminals by providing you with a solid foundation in one of their principal weapons: malware. Our objective here is to provide a baseline of knowledge about the different types of malware, what malware is capable of, and how it's distributed, because effectively protecting your network, users, data, and company from malware-based attacks requires an understanding of the various ways that the enemy is coming at you. Keep in mind, however, that we're only able here
  • Slide Credit: Vitaly Shmatikov
    Malware: Botnets, Viruses, and Worms. Damon McCoy. Slide credit: Vitaly Shmatikov.

    Malware
    • Malicious code often masquerades as good software or attaches itself to good software
    • Some malicious programs need host programs: Trojan horses (malicious code hidden in a useful program), logic bombs, backdoors
    • Others can exist and propagate independently: worms, automated viruses
    • Many infection vectors and propagation methods
    • Modern malware often combines trojan, rootkit, and worm functionality

    PUP
    • Potentially unwanted programs: software the user agreed to install, or that was installed along with another wanted program, but that is unwanted, such as spyware or adware

    Viruses vs. Worms
    • Virus: propagates by infecting other programs; usually inserted into host code (not a standalone program)
    • Worm: propagates automatically by copying itself to target systems; a standalone program

    "Reflections on Trusting Trust"
    • Ken Thompson's 1983 Turing Award lecture
      1. Added a backdoor-opening Trojan to the login program
      2. Anyone looking at the source code would see this, so changed the compiler to add the backdoor at compile time
      3. Anyone looking at the compiler source code would see this, so changed the compiler to recognize when it's compiling a new compiler and to insert the Trojan into it
    • "The moral is obvious. You can't trust code you did not totally create yourself. (Especially code from companies that employ people like me.)"

    Viruses
    • A virus propagates by infecting other programs
    • Automatically creates copies of itself, but to propagate, a human
  • Threat Landscape Report
    Quarterly Threat Landscape Report, Q4 2020 and 2020 Year in Review. NUSPIRE.COM. This report is sourced from 90 billion traffic logs ingested from Nuspire client sites and associated with thousands of devices around the globe.

    Contents: Introduction 4; Summary of Findings 6; Methodology and Overview 7; Malware 9; Botnets 16; Exploits 23; Targeted Ransomware Campaign 30; Conclusion and Recommendations 34.

    Introduction. In Q4 2020, we came to the end of what proved to be a volatile year that shifted the threat landscape and changed the way organizations perform business operations. COVID-19 taught us that regardless of what is happening around us, some security tools are not optional, specifically incident response testing and endpoint protection. The supply-chain attack against SolarWinds in Q4 incited organizations to evaluate if they were affected, while government organizations moved swiftly to isolate and patch critical national infrastructure. "The volume of sophisticated attacks seen throughout 2020 highlight the criticality of business intelligence and cybersecurity detection and response to improving organizational cyber readiness," said Craig Robinson, Program Director, Security Services at IDC. "Nuspire's latest report puts into perspective the changing nature of cyberattacks. Security leaders must be ready for unexpected situations, consistently revisiting and revamping their cybersecurity strategies." In this report, Nuspire summarizes Q4 and 2020 activity. A Q4 timeline of significant events sets the stage for sections on malware, botnets and exploits. Highlights of each section include: activity statistics; the top five variants; need-to-know information about high-priority threats; expert recommendations to detect and mitigate attacks. The report closes with a spotlight on a key industry, with close attention to Q4 and the 2020 year in review, with recommendations and 2021 predictions.
  • Scalable Encryption Fingerprinting in Dynamic Malware Traces
    KALI: Scalable Encryption Fingerprinting in Dynamic Malware Traces. Lorenzo De Carli (Colorado State University), Ruben Torres (Symantec), Gaspar Modelo-Howard (Symantec), Alok Tongaonkar (RedLock Inc.), Somesh Jha (University of Wisconsin, Madison).

    Abstract. Binary analysis of malware to determine uses of encryption is an important primitive with many critical applications, such as reverse-engineering of malware network communications and decryption of files encrypted by ransomware. The state of the art for encryption fingerprinting in dynamic execution traces, the ALIGOT algorithm, while effective in identifying a range of known ciphers, suffers from significant scalability limitations: in certain cases, even analyzing traces of a few thousand machine instructions may require prohibitive time/space. In this work, we propose KALI, an enhanced algorithm based on ALIGOT which significantly reduces time/space complexity and increases scalability. Moreover, we propose a technique to focalize the analysis on encryption used for specific purposes, further improving efficiency. Results show that KALI achieves orders of magnitude reduction in execution time and memory utilization ...

    ... based on dynamic analysis of malware execution traces, which allows it to sidestep hurdles that are traditionally deployed against static binary analysis, such as obfuscation and packing. Also, it works in a largely automated fashion, only requiring access to a malware machine-level instruction trace, and can extract encryption keys and cleartexts. Internally, ALIGOT is based on the insight that loops are recurring structures in cipher implementations, and therefore searches execution traces for chains of dynamic loops. Once such chains have been identified, each candidate chain is validated by comparing its inputs and outputs against those of known ciphers. At the end of the process, each candidate is either discarded or successfully matched to a known cipher.
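The CS 161 slides listed above describe how a user-mode rootkit hides by replacing `ps`, `ls` and friends and by using dot-directories or invisible characters in names, and end on "Detecting Rootkits". The following is an added example, not code from the course: a cross-view check that compares what a (possibly trojaned) `ps` reports with what the kernel exposes under /proc, plus a name filter for the hiding tricks the slides list. The `ps` output and the /proc and /dev listings are constructed here; on a live host they would come from running `ps -e` and `os.listdir`. It only catches binary replacement: a kernel-level rootkit lies to /proc readers too.

```python
"""Cross-view detection of a user-mode rootkit that trojans ps/ls.

Added example (not from the CS 161 slides). Inputs are constructed;
nothing is executed on the host.
"""
import re

# Constructed sample of `ps -e` output as a trojaned ps would print it:
# the attacker's PID 4242 has been filtered out.
PS_OUTPUT = """\
  PID TTY          TIME CMD
    1 ?        00:00:03 init
  812 ?        00:00:00 sshd
 1337 pts/0    00:00:00 bash
"""

# Constructed /proc listing as the kernel would return it
# (os.listdir('/proc') on a live box). Numeric names are processes.
PROC_ENTRIES = ["1", "812", "1337", "4242", "cpuinfo", "net", "self", "uptime"]

# Constructed /dev listing with a dot-directory (the slides' /dev/.liB),
# a name padded with a trailing space, and a name made of terminal
# control characters.
DEV_ENTRIES = ["null", "zero", "tty", ".liB", "shm ", "\x1b[2K"]


def pids_from_ps(ps_text):
    """Parse the PID column of ps output into a set of ints."""
    pids = set()
    for line in ps_text.splitlines()[1:]:        # skip the header row
        m = re.match(r"\s*(\d+)\s", line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def pids_from_proc(entries):
    """Every all-digit entry under /proc is a process directory."""
    return {int(e) for e in entries if e.isdigit()}


def hidden_pids(ps_text, proc_entries):
    """Processes the kernel knows about but ps does not report."""
    return sorted(pids_from_proc(proc_entries) - pids_from_ps(ps_text))


def suspicious_names(entries):
    """Names using the hiding tricks from the slides: a leading dot in a
    system directory, whitespace padding, or non-printable characters."""
    return [n for n in entries
            if n.startswith(".") or n != n.strip() or not n.isprintable()]


if __name__ == "__main__":
    print("hidden pids:", hidden_pids(PS_OUTPUT, PROC_ENTRIES))
    print("suspicious /dev names:", suspicious_names(DEV_ENTRIES))
```

The same idea extends to `netstat` versus /proc/net/tcp and to `ls` versus a raw `os.scandir`: every view that goes through a replaceable binary is compared against one that does not.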
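The "push and pull frameworks" slide in the Murimi talk listed above notes that pull-model (mostly HTTP) bots check back with the C&C server at later times to fetch commands. That polling is what a network detector can look for, which is also the setting of the Burghouwt thesis this page is about. The following is an added example, not code from the talk or the thesis: it groups flow records by (source host, destination) and flags pairs whose inter-arrival gaps are unusually regular. The flow log, the host and destination names, and the thresholds are all constructed assumptions.

```python
"""Periodic-beacon detection over flow records (added example).

Pull-model bots poll their C&C at a fixed interval, so the gaps between
successive flows from one internal host to one destination have a much
lower spread than user-driven traffic. A (src, dst) pair is flagged when
it has enough flows and the coefficient of variation (CV) of its gaps is
below a threshold. All records below are constructed.
"""
import statistics
from collections import defaultdict


def constructed_flows():
    """Constructed flow log as (timestamp_s, src_ip, dst_host) tuples."""
    flows = []
    # Pull-model bot: polls every 300 s with a few seconds of jitter.
    for i, jitter in enumerate([0, 2, -1, 1, -2, 0, 1, -1, 2, 0]):
        flows.append((1000 + 300 * i + jitter, "10.0.0.7", "cdn-update.example"))
    # The same host browsing a news site at irregular, user-driven times.
    for t in (1010, 1025, 1300, 1305, 1900, 2600, 2601, 2650, 3900, 4100):
        flows.append((t, "10.0.0.7", "news.example"))
    # Too few flows to judge; must not be flagged.
    flows += [(1500, "10.0.0.9", "mail.example"), (1800, "10.0.0.9", "mail.example")]
    return sorted(flows)


def beacon_candidates(flows, min_flows=8, max_cv=0.05):
    """Return [((src, dst), mean_gap_s, cv)] for pairs that look like polling."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    found = []
    for pair, times in by_pair.items():
        if len(times) < min_flows:            # not enough evidence yet
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:                     # duplicate timestamps only
            continue
        cv = statistics.pstdev(gaps) / mean_gap   # spread relative to period
        if cv <= max_cv:
            found.append((pair, round(mean_gap, 1), round(cv, 4)))
    return found


if __name__ == "__main__":
    for pair, period, cv in beacon_candidates(constructed_flows()):
        print(f"{pair[0]} -> {pair[1]}: period {period}s, cv {cv}")
```

A bot that sleeps a random, widely varying time between polls raises the CV above the threshold and evades this check; that is the reason the thesis above correlates traffic with user activity and flow causality instead of relying on timing alone.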
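The KALI abstract listed above explains that ALIGOT locates chains of loops in an execution trace and then validates each candidate chain by comparing its inputs and outputs against those of known ciphers. The following is an added example of that validation step only, not KALI or ALIGOT code: given the byte buffers a candidate loop chain read and wrote (constructed here, with the real trace-to-buffer extraction assumed done elsewhere), it replays every ordering of the input buffers through a small registry of reference ciphers and reports which one, if any, reproduces the output. The reference set here is RC4 and a repeating-key XOR; a real tool would carry many more.

```python
"""Validate a loop-chain candidate against reference ciphers.

Added example (not KALI/ALIGOT code). The candidate's input and output
buffers are constructed; which input is the key is unknown to the
analyst, hence the permutation search.
"""
from itertools import permutations


def rc4(key: bytes, data: bytes) -> bytes:
    """Reference RC4: key scheduling followed by the keystream generator."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_repeat(key: bytes, data: bytes) -> bytes:
    """Reference repeating-key XOR, common in cheap C&C obfuscation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


REFERENCE_CIPHERS = {"rc4": rc4, "xor": xor_repeat}


def match_candidate(inputs, output):
    """Return (cipher_name, key, plaintext) for the first reference cipher
    that maps some ordering of the candidate's input buffers to its output,
    or None if the candidate is discarded."""
    for name, fn in REFERENCE_CIPHERS.items():
        for key, data in permutations(inputs, 2):
            if not key or len(data) != len(output):   # cheap pre-filter
                continue
            if fn(key, data) == output:
                return name, key, data
    return None


# Constructed candidate: buffers observed flowing into and out of a loop
# chain. The output is the published RC4 test vector for key "Key" and
# plaintext "Plaintext".
CANDIDATE_INPUTS = [b"Plaintext", b"Key"]
CANDIDATE_OUTPUT = bytes.fromhex("bbf316e8d940af0ad3")

# Constructed non-cipher candidate (e.g. a checksum loop) that no reference
# reproduces and should therefore be discarded.
NOISE_INPUTS = [b"\x01\x02\x03\x04", b"abcd"]
NOISE_OUTPUT = b"\x00\x00\x00\x00"


if __name__ == "__main__":
    print(match_candidate(CANDIDATE_INPUTS, CANDIDATE_OUTPUT))
    print(match_candidate(NOISE_INPUTS, NOISE_OUTPUT))
```

Because the reference cipher is re-run on the recovered buffers, a match yields the key and cleartext directly, which is what the abstract means by extracting encryption keys and cleartexts from a trace. The cost that KALI targets lies upstream of this step, in how many loop chains become candidates in the first place.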