Driving in the Cloud: An Analysis of Drive-by Download Operations and Abuse Reporting

Size: px

Start display at page:

Download "Driving in the Cloud: An Analysis of Drive-by Download Operations and Abuse Reporting"

Stuart Stewart
8 years ago
Views:

1 Driving in the Cloud: An Analysis of Drive-by Download Operations and Abuse Reporting A.Nappa, M.Z.Rafique, J.Caballero IMDEA Software Institute Madrid, Spain July 18, 2013

2 Drive-by-downloads 1 Visit to a malicious page Exploit 2 Malware 3 2 / 32

3 Drive-by-downloads 1 Visit to a malicious page Exploit 2 Malware 3 3 / 32

4 Drive-by-Downloads Ecosystem Victims Traffic Sources Exploit Pack Developer Exploit Servers Malware Owners Redirection EaaS Exploit Pack Developer HIY PPI Affiliate 4 / 32

5 Drive-by Downloads Operations Operation A drive-by download operation is a group of exploit servers managed by the same entity. 5 / 32

6 Drive-by Downloads Operations Operation A drive-by download operation is a group of exploit servers managed by the same entity. 5 / 32

7 Reporting REPORTER Find Abuse Mailbox NO Found? YES Abuser Report and Monitor? ISP/Hoster 6 / 32

8 Dataset Malicia Dataset We have collected 11,000 malware from 500 servers over a period of 11 months. We are making this dataset available to the community 7 / 32

9 Contributions We propose a technique to identify drive-by operations by grouping exploit servers based on their configuration and the malware they distribute. We report on aspects of drive-by operations such as the number of servers they use, their hosting infrastructure, their lifetime, and the malware families they distribute. We analyze the abuse reporting procedure by sending reports on exploit servers. We build a dataset with the collected malware, their classification, and associated metadata. We make this dataset available to other researchers. 8 / 32

10 Table of Contents Introduction Approach Analysis Related Work Conclusion 9 / 32

Operations Summaries Features 5 Reporting URL, Landing Page, Landing IP, SHA1, Size

11 Architecture overview MDL URL Query Feeds Proxies 1 Milking Honey Milkers Clients Malware Store Exploit Servers Execution Server Binaries 2 Execution 3 Classification 4 Clustering Operations Summaries Features 5 Reporting URL, Landing Page, Landing IP, SHA1, Size Traffic Screenshots Icons Family SHA1 File Hash BH_ID ConIP Domains ICON Abuse Report DB 10 / 32

12 Milking 11 / 32

13 Milking Milking 11 / 32

14 Milking Milking Specialized Milkers. 11 / 32

15 Milking Milking Specialized Milkers. Honeyclient. 11 / 32

16 Milking Milking Specialized Milkers. Honeyclient. Periodic Milking. 11 / 32

17 Periodic Milking 12 / 32

18 Malware Classification 13 / 32

19 Malware Classification Execution in a contained environment. 13 / 32

20 Malware Classification Execution in a contained environment. Extraction of the icon from the executable. 13 / 32

21 Malware Classification Execution in a contained environment. Extraction of the icon from the executable. (a) winwebsec (b) securityshield (c) zbot 13 / 32

22 Malware Classification (2) 14 / 32

23 Malware Classification (2) Capture of the screenshot of the execution. 14 / 32

24 Malware Classification (2) Capture of the screenshot of the execution. 14 / 32

25 Malware Classification (2) Capture of the screenshot of the execution. Capture of the network traffic. 14 / 32

26 Icons and Screenshots Classification (Number of Icons = 5698) Feature Clus. Precision Recall Time I avghash % 91.3% 1.6s I phash % 89.5% 47.5s (Number of Screenshots = 9152) Feature Clus. Precision Recall Time S avghash % 65.3% 7m32s S phash % 67.2% 11m5s 15 / 32

27 Operations Clustering The features that we chose for server clustering are: Domain. 16 / 32

28 Operations Clustering The features that we chose for server clustering are: Domain. Landing URL / 32

29 Operations Clustering The features that we chose for server clustering are: Domain. Landing URL File hash. 16 / 32

30 Operations Clustering The features that we chose for server clustering are: Domain. Landing URL File hash. Icons. 16 / 32

31 Operations Clustering The features that we chose for server clustering are: Domain. Landing URL File hash. Icons. Family. 16 / 32

32 Table of Contents Introduction Approach Analysis Related Work Conclusion 17 / 32

33 MALICIA dataset Malware executables milked 45,646 Unique executables milked 10,600 Domains milked 596 Servers milked 488 ASes hosting servers 263 Countries hosting servers 57 Total Uptime days 338 Table: Summary of milking operation. 18 / 32

34 Exploit server lifetime The median lifetime of a server is 19 hours. 13% of exploit servers live only for an hour. 60% are dead before one day. 10% live more than a week. 5% more than two weeks. Server Lifetime CDF Days 19 / 32

35 Malware families 20 / 32

36 Operation Analysis Algorithm Feat. Clusters Largest Singletons Aggressive PAM Table: Clustering results. Results 2/3 of the operations use a single server 1/3 of the operations use multiple servers, replacing dead servers with fresh ones 21 / 32

37 Hosting Providers ASN URL/Name CC ES IPv4 Orig ovh FR , netrouting NL 18 22, awax RU 15 6, burst US , directspace US 10 8, di-net RU 9 244, lgi AT 8 9,479, leaseweb NL 8 337, softlayer US 8 1,214, infiumhost RU 8 9,728 Table: Top ASes by number of exploit servers (ES) milked compared with the number of IPv4 addresses they originate 22 / 32

38 Driving in the Cloud Turning to the cloud 60% of the monitored servers are Virtual Private Servers (VPS). 23 / 32

39 Driving in the Cloud Turning to the cloud 60% of the monitored servers are Virtual Private Servers (VPS). Why? 23 / 32

40 Driving in the Cloud Turning to the cloud 60% of the monitored servers are Virtual Private Servers (VPS). Why? Fast registration process 23 / 32

41 Driving in the Cloud Turning to the cloud 60% of the monitored servers are Virtual Private Servers (VPS). Why? Fast registration process Fairly anonymous subscription process 23 / 32

42 Driving in the Cloud Turning to the cloud 60% of the monitored servers are Virtual Private Servers (VPS). Why? Fast registration process Fairly anonymous subscription process Short leases available (i.e., daily billing) 23 / 32

43 Abuse Reporting Abuse Reporting We reported 19 long-lived servers 61% of the reports were not acknowledged. On average an exploit server lives 4.3 days after a report. Servers whose report produced a reply lived for 3.0 days. 24 / 32

44 Table of Contents Introduction Approach Analysis Related Work Conclusion 25 / 32

45 Related Work Drive-by Downloads Wang et al. (NDSS 2006) Provos et al. (HotBots 2007) Grier et al. (CCS 2012) Malware Classification Anderson et al. (USENIX Security 2007) Bayer et al. (NDSS Security 2009) Perdisci et al. (NSDI 2010) 26 / 32

46 Table of Contents Introduction Approach Analysis Related Work Conclusion 27 / 32

47 Conclusion We propose a technique to identify drive-by operations by grouping exploit servers based on their configuration and the malware they distribute. We report on aspects of drive-by operations such as the number of servers they use, their hosting infrastructure, their lifetime, and the malware families they distribute. We analyze the abuse reporting procedure by sending reports on exploit servers. We build a dataset with the collected malware, their classification, and associated metadata. We make this dataset available to other researchers. 28 / 32

48 MALICIA DATASET MALICIA DATASET Are you interested in our Dataset? 29 / 32

49 Questions MALICIA DATASET Are you interested in our Dataset? 30 / 32

50 Operation Analysis Phoenix Operations Using both PAM and aggressive all 21 Phoenix servers are grouped in the same cluster with no other (BlackHole) servers. All servers in this cluster distribute zbot. Winwebsec Operations We observe the winwebsec fake AV affiliate program distributed through 11 different servers, which both algorithms group into 8 clusters. 31 / 32

51 Operation Analysis (2) Winwebsec Operations We confirm that the winwebsec program manages their own exploit servers through external means. We found 108 executables were winwebsec executables for different affiliates. Zeroaccess Operations Zeroaccess is also an affiliate program. There are four cluster distributing zeroaccess: 3 of them distribute a single affiliate identifier, while the other distributes multiple affiliates. 32 / 32

Driving in the Cloud: An Analysis of Drive-by Download Operations and Abuse Reporting

Driving in the Cloud: An Analysis of Drive-by Download Operations and Abuse Reporting Antonio Nappa 12, M. Zubair Rafique 1, and Juan Caballero 1 1 IMDEA Software Institute 2 Universidad Politécnica de