fight fire with fire draft
TRANSCRIPT
Fight Fire with Fire: The Ultimate Active Defense
Prepared by
Nishant Agrawal
Poonam Jha
Aakruti Shah
Introduction
• Internet threats are difficult to defend against.
• Modern malware relies heavily on botnets.
• Fighting malware is asymmetric, favouring attackers.
• P2P botnets are used because they are more resilient.
• By re-engineering existing malware, defenders can build antidotes that eradicate its spreading functions.
• The antidote can also be used to monitor the on-site activity of the malware.
• Malware families such as Hlux, Sality and Zeus would be the most effective targets for this approach.
Related work
• Rossow (2013) analysed the resilience of botnets using three types of attack:
i. Enumeration: gathering information about the topology of the network
ii. Sinkholing: a mechanism to force bots towards non-existing or fake peers
iii. Partitioning: splitting the botnet into disjoint, partially unreachable sub-networks
• The analysis was conducted on the Storm, Waledac, Zeus and Sality malware families.
• Holz et al. (2008) discuss the Storm botnet, which exploits social engineering and spreads by e-mail. Storm uses the Kademlia structured P2P protocol with encrypted messages.
• Stock et al. (2009) analyse Waledac, which is more decentralised; it was re-engineered in order to infiltrate the botnet.
• Bureau (2011) discussed the Hlux (Kelihos) botnet, the successor of Waledac. It uses strong encryption routines and is based on an unstructured P2P protocol.
Continued…
• Ormerod et al. (2010) analysed the first version of the Zeus botnet, which was based on a centralised architecture.
• Andriesse and Bos (2013) analysed the newer P2P version (Gameover), which is based on an unstructured P2P protocol and uses strong cryptographic algorithms.
• Falliere (2011) analysed version 4 of the Sality downloader botnet, which uses hard-coded repository server URLs and does not verify the executables it installs.
• Frei et al. (2008) and Duebendorfer and Frei (2009) discuss early patch application for browsers.
• Tang et al. (2012) discuss mobile applications.
• Khouzani et al. (2012) analyse the importance of patching policies in stemming malware.
• Griffin et al. (2009) discuss signature-matching techniques for local malware detection.
• Coskun et al. (2010) use peer traffic for malware analysis.
Approach: flowchart (figure not reproduced in the transcript)
Approach taken by the Authors
• Two fundamental premises of this approach:
i. It is not limited to re-engineering the targeted malware: a general-purpose antidote is created, which starts with a detection phase before infiltrating the infection.
ii. It must be the defender's last resort. The decision threshold is application dependent, since it is based on the type of malware targeted.
• Preliminary phase and re-engineering: in the initial phase, active or passive methods are used to obtain the malware binary, which is then reverse engineered. Here defenders acquire a deep understanding of the malware's protocols and functionality. The next step is to re-engineer the malware by disabling components and introducing new functionality to infiltrate and sanitise.
• Spreading: here the defender has to consider how the targeted malware spreads. Two aspects are considered:
Approach taken by the Authors
i. Exploitation vector: malware spreads quickly, like an epidemic of a human virus. The antidote can use the techniques below:
  • Use the same spreading tools: the defender uses the same spreading tools for the antidote as the malware does, to improve the chance of hitting an infected host.
  • Take advantage of a vulnerability in the malware software: the defender uses it to sanitise the infected machine.
  • Take advantage of a vulnerability in the victim's host: known vulnerabilities or zero-day vulnerabilities are used by the antidote.
  • Use black-market services: the defender acts undercover and buys the downloader.
  • Enumeration and sinkholing: if the defender knows how to enumerate the botnet, it can be addressed by the antidote.
Continued…
ii. Infiltration: once a victim is detected, the antidote can infiltrate the malware by taking over the process, observing it and fixing infected files. Here the defender takes over the running malware binary on the victim's host and mimics its behaviour.
• Detection and eradication: here the general-purpose antidote is used to detect and verify a known malware family. The antidote is deployed after initial information gathering about the host; the further checks depend on the target.
• Patching and update: the antidote fixes known bugs and exploited vulnerabilities by forcing the application of updates and patches on the victim's machine to stop an epidemic. The antidote leverages silent updates and improves the resilience of the victim's host against new attacks. Infections via social engineering are difficult to sanitise; the antidote can use countermeasures such as blacklisting known bad domains and e-mail addresses.
Case study: applications of the approach
• Three resilient botnets are discussed in the case study:
1) Zeus P2P and Sality P2P: they leverage drive-by downloads, by means of browser vulnerabilities or other security flaws, to infect new machines; the malware is installed automatically when the user visits an infectious website. They also use social engineering to spread. To stop further spreading, the antidote can follow the behaviour of the on-site malware in order to remain in the malicious network and acquire information about the infected hosts.
2) Hlux: it exploits a well-known Windows vulnerability. There is a higher chance of hitting an already infected host, since the malware does not fix the issue after installing itself on the victim.
Limitations
• Requires a lot of reverse engineering, especially to gain access.
• Even though techniques exist that can detect malware, encryption is still difficult to defeat.
• Currently available techniques are not 100% accurate.
Conclusions
• Defenders need to develop more complex tools to oppose and track
down the attackers
• Active offensive security tools should be used to fight back malware
and infections
• Improvements to Sality and Zeus P2P should be used to turn a
malware binary into an antidote
Other Cases Referred
• Ability to take over the command and control functions of the Storm botnet
(which was being used to engage in illegal activities worldwide)
1. Botmaster: a person who controls and commands a botnet to carry out illegal activities
2. Bot clients: a bot is a victim computer on which the botnet program was installed through one of various malware spreading mechanisms
3. C&C communication protocols: the protocols that botnets use for communication between the botmaster and the bot clients
4. C&C servers: the coordinating servers between the botmaster and the bot clients
Botnet life cycle workflow (figure not reproduced in the transcript)
Continued…
• Initial infection: sending e-mail with malware attachments or URL links that lead to a browser exploit
• Secondary injection: initiated after the first phase completes; when the user opens the e-mail attachment, the infected computer downloads the bot binaries from remote servers and automatically installs them on the exploited machine
• Connection: the connection phase is sometimes called "rallying". Although victim machines are turned into bots through different mechanisms, in the end every new bot client must connect to the C&C server to register or to send information about the zombie machine.
Continued…
• Malicious commands: after connecting to the C&C servers, bot clients wait for commands sent by the botmaster. When they receive commands, they execute them and perform the malicious activities against the target machines.
• Maintenance and update: changing the pattern of malicious activity from periodic to random, or changing the C&C server addresses.
Botnet Architectures
Centralized botnet
• To avoid easy detection and to hide their malicious activity from firewalls, most new centralized botnets are designed to use the HTTP protocol.
• They are complex to classify and detect, since normal HTTP traffic and botnet HTTP traffic are very similar.
• This model is simple to implement, manage and control, but the C&C server is a single point of failure: if the servers are detected or destroyed, all the bot clients become useless or inefficient.
Distributed model
Continued…
• This model is designed to solve the single-point-of-failure issue of the centralized model. A peer-to-peer structure is applied in this model of botnet, which is more flexible.
• The botmaster sends commands to several bot clients, which then deliver the commands to other bots; each bot client can act as client and server at the same time, so P2P botnets are more difficult to disable, destroy and shut down.
• The disadvantage of this model is that it is difficult and complex to implement.
Other Papers Referred
1. Trends and Challenges of Botnet Architecture and Detection Techniques
-- Ritthichai Limarunothai and Mohd Amin Munlin
• They explain the botnet mechanism along with its components and its life cycle
• They also present botnet detection techniques
• Mainly there are two techniques:
1. Honeynet based
2. Intrusion Detection System (IDS) based
• The more advanced techniques fall under IDS:
• Anomaly based
One of the best techniques for detecting unknown botnet attacks compared to other techniques; it works in two steps:
Other Papers Referred
• First is the training phase, in which a normal traffic profile is created
• Second is the anomaly detection phase, in which the normal traffic profile is compared with the current traffic to find anomalies
• It identifies new botnets that were previously unknown
• Data mining based
• The anomaly technique cannot always distinguish botnet traffic from benign traffic
• Using a data-mining-based detection technique such as machine learning (ML) is an efficient approach that readily identifies botnet traffic
• Combining the anomaly-based and data-mining-based techniques would remove their weaknesses and improve their performance
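As an added illustration of the two-step anomaly approach summarised above (train a normal traffic profile, then compare current traffic against it), written for this transcript and not taken from the cited paper: the flow records, host names and the "regular beaconing to an unseen destination" heuristic are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (timestamp in seconds, source host, destination).
# Made-up sample data for illustration, not traffic from the paper or the cited study.
TRAINING_FLOWS = [
    (0, "ws1", "mail.example"), (37, "ws1", "www.example"), (95, "ws1", "mail.example"),
    (140, "ws1", "cdn.example"), (260, "ws1", "www.example"), (301, "ws2", "www.example"),
    (333, "ws2", "mail.example"), (410, "ws2", "cdn.example"), (470, "ws2", "www.example"),
]
# Current traffic: ws2 now contacts an unseen host every ~60 s (the shape of a
# rallying/polling beacon), while ws1 makes a single visit to a new, harmless site.
CURRENT_FLOWS = [
    (1000, "ws1", "www.example"), (1045, "ws1", "mail.example"), (1300, "ws1", "new.example"),
    (1000, "ws2", "203.0.113.7"), (1060, "ws2", "203.0.113.7"), (1121, "ws2", "203.0.113.7"),
    (1180, "ws2", "203.0.113.7"), (1240, "ws2", "www.example"),
]


def build_profile(flows):
    """Training phase: record which destinations each host normally talks to."""
    profile = defaultdict(set)
    for _, src, dst in flows:
        profile[src].add(dst)
    return profile


def detect_anomalies(profile, flows, min_beacons=3, max_jitter=5.0):
    """Detection phase: compare current traffic with the profile and flag hosts
    that contact an unseen destination on a regular cadence (low inter-arrival
    jitter), which is how C&C rallying and command polling tend to look."""
    unseen = defaultdict(list)
    for ts, src, dst in flows:
        if dst not in profile.get(src, set()):
            unseen[(src, dst)].append(ts)
    alerts = []
    for (src, dst), stamps in unseen.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # A one-off visit to a new site is weak evidence; require several
        # evenly spaced contacts before raising an alert.
        if len(stamps) >= min_beacons and pstdev(gaps) <= max_jitter:
            alerts.append({"host": src, "dst": dst, "period_s": round(mean(gaps), 1)})
    return alerts


if __name__ == "__main__":
    print(detect_anomalies(build_profile(TRAINING_FLOWS), CURRENT_FLOWS))
```

This shows the weakness the next bullet raises: the profile only knows what is new, not what is malicious, so a benign unseen destination polled on a timer (an update check, say) would be flagged too.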
Questionnaire
What is the problem and/or purpose of the research study?
• Due to the increasing malware epidemics on the internet (the wide spread of malicious software), the research proposes to study different malware families, to analyse and evaluate the spreading of botnets and their resilience, and to develop more intrusive approaches to disrupt them.
What significance of the problem, if any, has the investigator identified?
• The investigator feels that fighting malware is an asymmetric fight between attackers and defenders. He/she feels that defenders should fight with more active defensive techniques to reduce the threat.
Continued…
• Does the paper present a theoretical model?
• Yes. The investigator has developed a structured technique, the General-Purpose Antidote, to fight against a botnet.
• What concepts are included in the review?
• Rossow (2013) analyses the flexibility of botnets. Holz et al. (2008) study e-mails that trick the user into installing the malicious software, and present the weakness of the protocol, namely the lack of authentication, that is used to disrupt the botnet. Stock et al. (2009) analyse the newer malware: the propagation mechanism is the same, but the architecture changes in favour of a more decentralised one.
• What are the limitations discussed in the paper?
• The approach discussed by the researcher to fight malware requires a lot of re-engineering. He/she feels that detecting malware is simple, but defeating it is much more difficult. Currently available techniques do not even reach 100 percent accuracy in detection.
• What recommendations for future research are stated or implied?
• Attackers can easily develop simple and compact code to achieve their illegal aims, so defenders have to develop significantly more complex tools to oppose and track down these attackers. Moreover, attackers are improving their malicious software and architectures to be significantly more resilient to take-down attempts. For these reasons, in the future defenders will need active defence and offensive security tools to fight back against malware and infections.
• Are there other studies with similar findings?
Yes. Ritthichai Limarunothai and Mohd Amin Munlin (2015), Joseph and Shishir (2016), etc. have similar studies.
• What are the key results?
The use of active defence by defenders to moderate malware; how a botnet works, giving an idea of how to develop an efficient botnet detection system; and the behaviour of real Intel enterprise end-host background traffic contrasted with real botnet C&C channel activity.
• Are the results interpreted in the context of the problem/purpose, hypothesis and theoretical framework/literature reviewed?
Yes, the results are interpreted in the context of the problem and the theoretical framework/literature.
References
• Deibert, R., & Crete-Nishihata, M. (2011). Blurred boundaries: Probing the ethics of cyberspace research. Review of Policy Research, 28(5), 531-537.
• Danchev, D. (2009, January 16). Legal concerns stop researchers from disrupting the Storm Worm botnet. ZDNet.
• Pilli, E., Sharma, P., Tiwari, S., & Bijalwan, A. (2014). Botnet Detection Framework. International Journal of Computer Applications, 93.
• Rajab, M. A., Zarfoss, J., Monrose, F., & Terzis, A. (2006). A multifaceted approach to understanding the botnet phenomenon. Internet Measurement Conference, pp. 41-52.
• Yang, M., Ren, G., & Zhang, J. (2006). Talk about botnets. The Community Communications Conference, pp. 629-633.
• Abdullah, R. S., Abdollah, M. F., Muhamad Noh, Z. A., Mas'ud, M. Z., Selamat, S. R., & Yusof, R. (2013). Revealing the Criterion on Botnet Detection Technique. IJCSI International Journal of Computer Science, 10, 208-215.
• Limarunothai, R., & Munlin, M. (2015). Trends and Challenges of Botnet Architectures and Detection Techniques. Journal of Information Science & Technology.
• Rossow, C. (2013). Using malware analysis to evaluate botnet resilience. PhD thesis, VU Amsterdam.
• Stock, B., Goebel, J., Engelberth, M., Freiling, F. C., & Holz, T. (2009). Walowdac: analysis of a peer-to-peer botnet. EC2ND '09, IEEE, Washington, DC.