LASTLINE WHITEPAPER. The Holy Grail: Automatically Identifying Command and Control Connections from Bot Traffic

Transcription

1 LASTLINE WHITEPAPER The Holy Grail: Automatically Identifying Command and Control Connections from Bot Traffic

2 Abstract A distinguishing characteristic of bots is their ability to establish a command and control (C&C) channel. The typical approach to build detection models for C&C traffic and to identify C&C endpoints (IP addresses and domains of C&C servers) is to execute a bot in a controlled environment and monitor its outgoing network connections. Using the bot traffic, one can then craft signatures that match C&C connections or blacklist the IP addresses or domains that the packets are sent to. Unfortunately, this process is not as easy as it seems. For example, bots often open a large number of additional connections to legitimate sites (to perform click fraud or query for the current time), and bots can deliberately produce noise bogus connections that make the analysis more difficult. Thus, before one can build a model for C&C traffic or blacklist IP addresses and domains, one first has to pick the C&C connections among all the network traffic that a bot produces. In a pioneering scientific paper presented by the researchers Gregoire Jacob, Ralf Hund, Christopher Kruegel, and Thorsten Holz at the 20th USENIX Security Symposium in San Francisco, in August 2011, the researchers presented an automated system called JACKSTRAWS that is able to identify command and control connections in network traffic. JACKSTRAWS was joint work between the University of California, Santa Barbara and the University of Bochum in Germany. Lastline is a company based in Santa Barbara, California, and some of the people who were involved in the design of JACKSTRAWS are also involved in Lastline. For a more detailed overview of the scientific prototype of JACKSTRAWS and a technical explanation of the different analysis steps in greater detail, the reader is referred to the official JACKSTRAWS publication that was presented at the USENIX Security conference in 2011: In this whitepaper, we give an executive summary of that scientific work and use excerpts from the paper. Lastline has tech transferred the concepts in JACKSTRAWS and has implemented a novel, improved production system to accurately and automatically identify C&C connections. We leverage host-based information that provides insights into which data is sent over each network connection as well as the ways in which a bot processes the information that it receives. More precisely, we associate with each network connection a behavior graph that captures the system calls that lead to this connection, as well as the system calls that operate on data that is returned. By using machine learning techniques and a training set of graphs that are associated with known C&C connections, we automatically extract and generalize graph templates that capture the core of different types of C&C activity. Later, we use these C&C templates to match against behavior graphs produced by other bots. This technique can accurately detect C&C connections, even for novel bot families that were not used for template generation.

3 Introduction Malware is a significant threat and root cause for many security problems on the Internet, such as spam, ditributed denial of service attacks, data theft, or click fraud. Arguably the most common type of malware today are bots. Compared to other types of malware, the distinguishing characteristic of bots is their ability to establish a command and control (C&C) channel that allows an attacker to remotely control and update a compromised machine. A number of bot-infected machines that are combined under the control of a single entity (called the botmaster) are referred to as a botnet. Researchers and security vendors have proposed many different host-based or networkbased techniques to detect and mitigate botnets. Host-based detectors treat bots like any other type of malware. These systems (e.g., antivirus tools) use signatures to scan programs for the presence of well-known, malicious patterns, or they monitor operating system processes for suspicious activity. Unfortunately, current tools suffer from low detection rates, and they often incur a non-negligible performance penalty on end users machines. To complement host-based techniques, researchers have explored networkbased detection approaches. Leveraging the insight that bots need to communicate with their command and control infrastructure, most network-based botnet detectors focus on identifying C&C communications. Today, most models that match command and control traffic are built manually a slow and tedious process in practice. Although some research work has led to research prototypes that generate models automatically, a main problem with existing techniques is that attackers can confuse such automated model (signature) generation systems: previous research has presented noise injection attacks in which a malware crafts additional connections with the sole purpose to thwart signature extraction techniques. A real-world example for such a behavior can be found in the Pushdo malware family, where bots, in certain versions, create junk SSL connections to more than 300 different web sites to blend in with benign traffic. Another important problem is that existing techniques do not work when the C&C traffic is encrypted. Clearly, it is not possible to extract a content signature to model encrypted traffic. However, even when the traffic is encrypted, it would be desirable to add the C&C server destinations to a blacklist or to model alternative network properties that are not content-based. For this, it is necessary to identify those encrypted malware connections that go to the C&C infrastructure and distinguish them from unrelated but possibly encrypted traffic, such as legitimate, SSL-encrypted web traffic. The root cause for these shortcomings is that existing approaches extract models directly from network traces. Moreover, they do so at a purely syntactic level. That is, model generation systems simply select elements that occur frequently in the analyzed network

4 traffic. Unfortunately, they lack understanding of the purpose of different network connections. As a result, such systems often generate models that match irrelevant, non- C&C traffic, and they incorrectly consider decoy connections. Moreover, in the case of encrypted traffic, no frequent element can be found at all. To solve the aforementioned technical problems, the researchers behind JACKSTRAWS use a unique approach to detect the network connections that a malware program uses for command and control, and to distinguish these connections from other, unrelated traffic. This allows them to immediately consider the destination hosts/domains for inclusion in a blacklist, even when the corresponding connections are encrypted. Moreover, they can feed signature generation systems with only C&C traffic, discarding irrelevant connections and making it much more difficult for the attacker to inject noise. At Lastline, we use the same approach. The JACKSTRAWS researchers leverage the key observation that one can use host-based information to learn more about the semantics of network connections. More precisely, they use a high-definition analysis technique to monitor the execution of a malware process indepth while it communicates over the network. This allows them to determine, for each request, which data is sent over the network and where this data comes from. Moreover, they can determine how the program uses data that it receives over the network. Using this information, the researchers can build models that capture the host-based activity associated with individual network connections. The models are behavior graphs, where the nodes are system calls and the edges represent data flows between system calls. Note that industrial solutions that only monitor the execution of malware on a system call level cannot automatically determine the dependencies between the system calls. Hence, such alternative analysis approaches are blind to how a malware program uses the data that it receives over the network. In JACKSTRAWS, the researchers use machine-learning to build graph-based models that characterize malicious C&C connections (e.g., connections that download binary updates that the malware later executes, or connections in which the malware uploads stolen data to a C&C server). More precisely, starting from labeled sets of graphs that are related to both known C&C connections and other, irrelevant malware traffic, they identify those subgraphs that are most characteristic of C&C communication. In the next step, they abstract from these specific subgraphs and produce generalized graph templates. Each graph template captures the core characteristics of a different type or implementation of C&C communication. These graph templates can be used to recognize C&C connections of bots that have not been analyzed previously. Moreover, their templates possess explanatory capabilities and can help analysts to understand how a particular bot utilizes its C&C channel (e.g., for binary updates, configuration files, or information leakage).

5 System Overview Similar to JACKSTRAWS, the Lastline system monitors the execution of a malware program in Lastline s cloud-based high-resolution malware analysis environment. The goal is to identify those network connections that are used for C&C communication. To this end, the system records the activities (in this case, system calls) on the host that are related to data that is sent over and received through each network connection. These activities are modeled as behavior graphs, which are graphs that capture system call invocations and data flows between system calls. In the setting, one graph is associated with each connection. As the next step, all behavior graphs that are created during the execution of a malware sample are matched against templates that represent different types of C&C communication. When a graph matches a template sufficiently closely, the corresponding connection is reported as C&C channel. In the following paragraphs, we first discuss behavior graphs. We then provide an overview of the necessary steps to generate the C&C templates. Behavior graphs. A behavior graph G is a graph where nodes represent system calls. A directed edge e is introduced from node x to node y when the system call associated with y uses as argument some output that is produced by system call x. That is, an edge represents a data dependency between system calls x and y. Behavior graphs have been introduced in previous work as a suitable mechanism to model the host-based activity of (malware) programs. The reason is that system calls capture the interactions of a program with its environment (e.g., the operating system or the network), and data flows represent a natural dependence and ordered relationship between two system calls where the output of one call is directly used as the input to the other one. Figure 1 from the publication by Jacob et al. shows an example of a behavior graph. This graph captures the host-based activity of a bot that reads the Windows serial number (ID) from the registry and sends it to its command and control server. Frequently, bots collect a wealth of information about the infected, local system, and they send this information to their C&C servers. The graph shows the system calls that are invoked to open and read the Windows ID key from the registry. Then, the key is sent over a network connection (that was previously opened with connect). An answer is finally received from the server (recv node). While behavior graphs are not novel per se, the JACKSTRAWS team used them in a different context to solve a novel problem. In previous work, behavior graphs were used to distinguish between malicious and benign program executions. In JACKSTRAWS, the researchers link behavior graphs to network traffic and combine these two views. That is,

6 they use these graphs to identify command and control communication amidst all connections that are produced by a malware sample. C&C templates. As mentioned previously, the behavior graphs that are produced by the dynamic malware analysis system are matched against a set of C&C templates. C&C templates share many similarities with behavior graphs. In particular, nodes n carry information about system call names and arguments encoded as labels l n, and edges e represent data dependencies where the type of flow is encoded as labels l e. The main difference to behavior graphs is that the nodes of templates are divided into two classes; core and optional nodes. Core nodes capture the necessary parts of a malicious activity, while optional nodes are only sometimes present. To match a C&C template against a behavior graph G, the researchers define a similarity function δ. This function takes as input the behavior graph G and a C&C template T and produces a score that indicates how well G matches the template. All core nodes of a template must at least be present in G in order to declare a match.

7 Figure 1 (from Jacob et al): Example of behavior graph that shows information leakage. Underneath, the network log shows that the Windows ID was leaked via the GET parameter id. Template generation. Each C&C template represents a certain type of command and control activity. The researchers use the following four steps to generate C&C templates: In the first step, they run malware executables in an analysis environment, and extract the behavior graphs for their network connections. These connections can be benign or related to C&C traffic. Similarly, at Lastline, we run the samples in our high-resolution, cloud-based malware analysis environment. The system requires that some of these connections are labeled as either malicious or benign (for training). In the prototype system, the researchers apply a set of signatures to all connections to find (i) known C&C communication and (ii) traffic that is known to be unrelated to C&C. Note that they have signatures that explicitly identify benign connections as such. By matching the signatures against the network traffic, they find a set of behavior graphs that are associated with known C&C connections (called malicious graph set) and a set of behavior graphs associated with non-c&c traffic (called benign graph set). These sets serve as the basis for the subsequent steps. It is important to observe that the general approach only requires labeled connections, without considering the payload of network connections. Thus, one could use other means to generate the two graph sets. For example, one can add a graph to the malicious set if the network connection corresponding to this graph contacted a known blacklisted C&C domain. This allows to create suitable graph sets even for encrypted C&C connections. One could also manually label connections. Of course, there are also graphs for which one does not have a classification (that is, neither a C&C signature nor a benign signature has matched). These unknown graphs could be related to either malicious or benign traffic, and one does not consider them in the subsequent steps. The second step uses the malicious and the benign graph sets as inputs and performs graph mining. More precisely, graph mining techniques are used, previously presented by researchers Yan and Han, to identify subgraphs that frequently appear in the malicious graph set. These frequent subgraphs are likely to constitute the core activity linked to C&C connections. Some post-processing is then applied to compact the set of mined subgraphs. Finally, the set difference is computed between the mined, malicious subgraphs and the benign graph set. Only subgraphs that never appear by subgraph isomorphism in the benign graph set are selected. The assumption is that the selected subgraphs represent

8 some host- and network-level activity that is only characteristic of particular C&C connections, but not benign traffic. As a third step, the researchers cluster the graphs previously mined. The goal of this step is to group together graphs that correspond to a similar type of command and control activity. That is, when one has observed different instances of one particular behavior, one combines the corresponding graphs into one cluster. As an example, consider different instances of a malware family where each sample downloads data from the network via HTTP, decodes it in some way, stores the data on disk, and finally executes that file. All instances of this behavior are examples for typical bot update mechanisms (download and execute), and one wishes to group all of them into one cluster. As a result of this step, one obtains different clusters, where each cluster contains a set of graphs that correspond to a particular C&C activity. In the fourth step, the idea is to produce a single C&C template for each cluster. The goal of a template is to capture the common core of the graphs in a cluster; with the assumption that this common core represents the key activities for a particular behavior. The C&C templates are generated by iteratively computing the weighted minimal common supergraph (WMCS) between the graphs in a cluster. The nodes and edges in the supergraph that are present in all individual graphs become part of the core. The remaining ones become optional. At the end of this step, one has extracted templates that match the core of the program activities for different types of commands, taking into account optional operations that are frequently (but not always) present. This allows to match variants of C&C traffic that might be different (to a certain degree) from the exact graphs that were used to generate the C&C templates. Conclusion In this whitepaper based on the scientific paper by Jacob et al., we discussed the problem of identifying actual C&C traffic when analyzing binary samples. During a dynamic analysis run, bots do not only communicate with their C&C infrastructure, but they often open also a large number of benign network connections. We discussed the similar concepts to JACKSTRAWS that Lastline uses that can identify C&C traffic in a sound way. This is achieved by correlating network traffic with the associated host behavior. In contrast to existing analysis systems, Lastline s engine uses a PC emulator. A PC emulator is a piece of software that emulates a personal computer, including its processor, graphic card, hard disk, and other resources, with the purpose of running an unmodified operating system. It is important to differentiate emulators from virtual machines such as

9 VMware. The key difference is that a virtual machine executes most of the instructions (a statistically dominant subset) directly on the real CPU. This is in contrast to PC emulators, which simulate all instructions in software. Because all instructions are emulated in software, an emulator has complete control over the sample program. This means that an emulator-based analysis system cannot only record the system calls and the Windows API calls that a malware program executes (like a virtual machine), but also perform a much finer-grained analysis that operates on individual instructions. The ability to inspect each individual instruction that a malware binary executes provides two crucial advantages for Lastline s analysis. The first key advantage is that the system can perform dynamic data flow analysis, so called taint analysis in scientific literature. Using taint analysis, Lastline is able to label certain inputs of interest to the program and dynamically track their propagation during execution. Unlike competing analysis engines, this allows Lastline to determine logic connections between different operations that the malware performs. For example, we can determine that a certain piece of information was read from file A, encrypted, and then sent over the network to host B. Looking only at the inputs/outputs of the program (without fine-grained analysis such as in competing products), this connection cannot be made (because the data that is sent over the network is encrypted). Taint information enables us to obtain a number of novel, important features that better capture the behavior of a malware program. The high-definition malware analysis is one of the principle elements of Lastline s approach. Lastline s execution code visibility allows for the detection of dangerous malware elements not detectable with system-call only approaches. About Lastline Lastline is a technology pioneer dedicated to stopping advanced malware, zero-day attacks, drive-by downloads and sophisticated Advanced Persistent Threats. Lastline s flexible Previct platform provides high-resolution analysis and protection; the required network security foundational layer capable of providing exacting security legacy APT, IPS, AV and next generation firewalls simply cannot see. The Santa Barbara based company is dedicated to providing the most accurate malware detection and defense available to our customers.