Driving in the Cloud: An Analysis of Drive-by Download Operations and Abuse Reporting


Driving in the Cloud: An Analysis of Drive-by Download Operations and Abuse Reporting
A. Nappa, M. Z. Rafique, J. Caballero
IMDEA Software Institute, Madrid, Spain
July 18, 2013

Drive-by downloads: (1) visit to a malicious page, (2) exploit, (3) malware. 2 / 32

Drive-by downloads ecosystem (figure). Actors: victims; traffic sources, which redirect victims to the exploit servers; the exploit pack developer; the exploit servers, either run by the malware owners themselves (host-it-yourself, HIY) or rented as exploitation-as-a-service (EaaS); the malware owners; and pay-per-install (PPI) affiliates.

Drive-by download operations. Definition: a drive-by download operation is a group of exploit servers managed by the same entity.

Reporting (figure). The reporter first tries to find an abuse mailbox for the exploit server. If one is found, the report is sent to the ISP/hoster serving the abuser and the server is monitored afterwards; if none is found, there is nobody to report to.
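The "find abuse mailbox" step above is where reports most often fail before they are even sent. The following block is an added example (not the paper's reporting tooling) of how a reporter can extract that mailbox from the text a WHOIS query for the server's IP returns. It prefers the explicit abuse fields the RIRs publish (RIPE/APNIC/AFRINIC `abuse-mailbox:`, ARIN `OrgAbuseEmail:`), then any abuse@ address in free-text remarks, and only then the RFC 2142 convention abuse@<provider domain>, which is a guess the report may bounce from. The three WHOIS records are constructed for the example (documentation IP ranges, .example domains); the field order and fallback policy are this example's assumptions.

```python
"""Finding the abuse mailbox for an exploit server's IP address.

Added example, not the paper's code. Parses WHOIS text for the abuse
contact in a fixed order of preference and reports how it was found, so the
reporter knows how much to trust the address.
"""
import re

EMAIL = r"[\w.+-]+@[\w.-]+\.\w+"
# RIR field names that carry the abuse contact, in preference order
# (RIPE/APNIC/AFRINIC use abuse-mailbox, ARIN uses OrgAbuseEmail).
ABUSE_FIELDS = ("abuse-mailbox", "OrgAbuseEmail")

# Constructed WHOIS responses (not real providers or contacts).
WHOIS_RIPE = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-VPS-NET
descr:          Example VPS hosting, daily billing
country:        NL
admin-c:        EX1234-RIPE
abuse-mailbox:  abuse@vps-hoster.example
status:         ASSIGNED PA
"""
WHOIS_ARIN = """\
NetRange:       198.51.100.0 - 198.51.100.255
OrgName:        Example Hosting LLC
OrgAbuseHandle: ABUSE1-ARIN
OrgAbuseEmail:  abuse@hosting.example
"""
WHOIS_REMARKS = """\
inetnum:        203.0.113.0 - 203.0.113.255
netname:        SHADY-NET
remarks:        abuse reports to abuse@shady.example, peering to noc@shady.example
"""
WHOIS_NONE = """\
inetnum:        203.0.113.0 - 203.0.113.255
netname:        SHADY-NET
remarks:        contact noc@shady.example
"""


def find_abuse_contact(whois_text, provider_domain=None):
    """Return (mailbox, how_found). mailbox is None when nothing usable exists.

    provider_domain is an optional domain of the hoster (e.g. taken from the
    descr/OrgName or the reverse DNS of the IP) used only for the RFC 2142
    fallback; that fallback is a guess, not a published contact.
    """
    for field in ABUSE_FIELDS:
        m = re.search(rf"^{re.escape(field)}:\s*({EMAIL})", whois_text, re.M | re.I)
        if m:
            return m.group(1).lower(), field
    # Some registries only mention the abuse address in free-text remarks.
    m = re.search(r"\b(abuse@[\w.-]+\.\w+)", whois_text, re.I)
    if m:
        return m.group(1).lower(), "abuse@ in free text"
    if provider_domain:
        return f"abuse@{provider_domain}", "RFC 2142 guess, unverified"
    return None, "not found"


if __name__ == "__main__":
    for name, text in (("RIPE", WHOIS_RIPE), ("ARIN", WHOIS_ARIN),
                       ("remarks", WHOIS_REMARKS), ("none", WHOIS_NONE)):
        print(name, find_abuse_contact(text, provider_domain="shady.example"))
```

In practice the input comes from `whois <ip>` (or from RDAP, where the RIRs now serve the same data as JSON); the record for the most specific allocation is the one to parse, since a VPS reseller's block often carries a different abuse contact than the parent allocation.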

Dataset: the MALICIA dataset. We collected about 11,000 malware samples from about 500 exploit servers over a period of 11 months (exact figures in the dataset summary table below). We are making this dataset available to the community: http://malicia-project.com

Contributions
- We propose a technique to identify drive-by operations by grouping exploit servers based on their configuration and the malware they distribute.
- We report on aspects of drive-by operations such as the number of servers they use, their hosting infrastructure, their lifetime, and the malware families they distribute.
- We analyze the abuse reporting procedure by sending reports on exploit servers.
- We build a dataset with the collected malware, their classification, and associated metadata, and make it available to other researchers.

Table of Contents: Introduction, Approach, Analysis, Related Work, Conclusion

Architecture overview (figure). The pipeline has five stages:
1. Milking: URL feeds (MDL, URL Query) are fetched through proxies by milkers and honeyclients, which pull binaries from the exploit servers into the malware store, recording the URL, landing page, landing IP, SHA1 and size of each download.
2. Execution: an execution server runs each binary and captures its network traffic, screenshots and icons.
3. Classification: each binary is assigned a malware family.
4. Clustering: per-server features (SHA1 file hash, BH_ID, ConIP, domains, icon) group exploit servers into operations, with a summary per operation.
5. Reporting: abuse reports are sent and tracked in a report database.

Milking: specialized milkers; honeyclient; periodic milking.

Periodic milking (figure).

Malware classification: execution in a contained environment; extraction of the icon from the executable. Example icons: (a) winwebsec, (b) securityshield, (c) zbot.

Malware classification (2): capture of a screenshot of the execution; capture of the network traffic.

Icons and screenshots classification

Icons (5,698 icons)
Feature     Clusters  Precision  Recall  Time
I_avghash   126       99.7%      91.3%   1.6s
I_phash     135       99.8%      89.5%   47.5s

Screenshots (9,152 screenshots)
Feature     Clusters  Precision  Recall  Time
S_avghash   60        99.1%      65.3%   7m32s
S_phash     51        98.2%      67.2%   11m5s
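The two image features in the table, the average hash (avghash) and the DCT-based perceptual hash (phash), are what lets thousands of icons and screenshots collapse into a few hundred clusters: near-identical images get hashes a few bits apart, unrelated ones differ in roughly half the bits. The block below is an added example, not the MALICIA project's code: it implements both hashes in pure Python over grayscale images given as lists of rows of 0-255 values and groups images whose hashes lie within a Hamming-distance threshold. The three 16x16 "icons", the 8x8 / 32x32 thumbnail sizes and the 10-bit threshold are this example's assumptions; a real pipeline would extract the icon from the PE resource section and decode it with an image library.

```python
"""Average hash and perceptual hash for icon/screenshot clustering.

Added example, not the paper's code. Pure Python; images are lists of rows
of integer gray levels.
"""
import math


def downscale(img, size):
    """Resample a grayscale image to size x size by block averaging.
    Each block is at least one pixel, so small images are also upsampled."""
    h, w = len(img), len(img[0])
    out = []
    for y in range(size):
        y0 = y * h // size
        y1 = max((y + 1) * h // size, y0 + 1)
        row = []
        for x in range(size):
            x0 = x * w // size
            x1 = max((x + 1) * w // size, x0 + 1)
            block = [img[yy][xx] for yy in range(y0, y1) for xx in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def avghash(img, size=8):
    """Average hash: one bit per thumbnail cell, set when the cell is
    brighter than the thumbnail's mean. Returns a size*size-bit int."""
    cells = [c for row in downscale(img, size) for c in row]
    mean = sum(cells) / len(cells)
    return sum(1 << i for i, c in enumerate(cells) if c > mean)


def dct_1d(v):
    """Unnormalised DCT-II; the scale factor does not affect hash bits."""
    n = len(v)
    return [sum(v[i] * math.cos(math.pi * (i + 0.5) * k / n) for i in range(n))
            for k in range(n)]


def phash(img, size=32, keep=8):
    """Perceptual hash: 2-D DCT of a size x size thumbnail, keep the lowest
    keep x keep frequencies, set a bit per coefficient above their median
    (the DC term is excluded from the median, as common implementations do)."""
    small = downscale(img, size)
    rows = [dct_1d(r) for r in small]
    cols = [dct_1d([rows[y][x] for y in range(size)]) for x in range(size)]
    low = [cols[x][y] for y in range(keep) for x in range(keep)]
    ref = sorted(low[1:])
    median = ref[len(ref) // 2]
    return sum(1 << i for i, c in enumerate(low) if c > median)


def hamming(a, b):
    return bin(a ^ b).count("1")


def cluster_by_hash(hashes, threshold):
    """Single-linkage grouping: two images share a cluster when their hashes
    differ in at most threshold bits, transitively (union-find)."""
    names = list(hashes)
    parent = {n: n for n in names}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]
            n = parent[n]
        return n

    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if hamming(hashes[a], hashes[b]) <= threshold:
                parent[find(a)] = find(b)
    groups = {}
    for n in names:
        groups.setdefault(find(n), []).append(n)
    return sorted(groups.values())


# Constructed 16x16 icons: a centred bright square (a fake-AV "shield"), a
# re-encoded copy of it (dimmer, one noisy corner pixel) and unrelated stripes.
def _square(level):
    return [[level if 4 <= y < 12 and 4 <= x < 12 else 0 for x in range(16)]
            for y in range(16)]


ICON_A = _square(255)
ICON_A_RECODED = _square(200)
ICON_A_RECODED[0][0] = 50
ICON_B = [[255 if y % 4 < 2 else 0 for x in range(16)] for y in range(16)]
ICONS = {"sample1": ICON_A, "sample2": ICON_A_RECODED, "sample3": ICON_B}


def icon_clusters(icons=ICONS, threshold=10, feature=avghash):
    """Cluster a {name: image} dict with the given hash feature."""
    return cluster_by_hash({n: feature(im) for n, im in icons.items()}, threshold)


if __name__ == "__main__":
    for name, im in ICONS.items():
        print(f"{name}: avghash={avghash(im):016x} phash={phash(im):016x}")
    print("avghash clusters:", icon_clusters())
    print("phash clusters:", icon_clusters(feature=phash))
```

The timing difference in the table comes from the DCT: avghash is a mean and 64 comparisons, phash a 32x32 transform per image, which is why avghash is the better default when precision is already near 99%. Note that a threshold tuned on icons does not transfer to screenshots, where the fake-AV window's text and position vary more; that is consistent with the lower screenshot recall in the table.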

Operations clustering. The features we chose for server clustering are:
- Domain.
- Landing URL, e.g. http://liordooanleg.com/index.php?tp=001e4bb7b4d7333d and http://oisdrculor.com/index.php?tp=001e4bb7b4d7333d (different domains, same configuration).
- File hash.
- Icons.
- Family.
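The two landing URLs above show why the domain alone is a poor key: the same exploit-kit configuration (identical `tp=` value) is reachable through two throwaway domains, so it is the path and query, the shared file hashes and the shared icons that tie servers into one operation. The block below is an added example, not the MALICIA project's code, of the "aggressive" grouping as a transitive closure: two servers join the same operation when they share a value of a linking feature, and clusters merge through chains of such links, which is what lets an operation that replaces dead servers with fresh ones still be seen as one. The server records and their hash/icon placeholders are constructed; leaving the family out of the linking features (it is too coarse on its own, since many unrelated operations push the same family) is this example's assumption. The PAM results in the next table are not reproduced here.

```python
"""Grouping exploit servers into operations from shared configuration.

Added example, not the paper's code. Union-find over (feature, value) pairs.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Features whose shared values link two servers; "families" is kept in the
# records for reporting but deliberately not used for linking (assumption).
LINK_FEATURES = ("domains", "landing", "hashes", "icons")

# Constructed milking records: hash and icon values are placeholders.
SERVERS = [
    {"ip": "192.0.2.10", "domains": {"liordooanleg.com"},
     "landing": {"http://liordooanleg.com/index.php?tp=001e4bb7b4d7333d"},
     "hashes": {"sha1-a1"}, "icons": {"icon-1"}, "families": {"zbot"}},
    {"ip": "192.0.2.11", "domains": {"oisdrculor.com"},
     "landing": {"http://oisdrculor.com/index.php?tp=001e4bb7b4d7333d"},
     "hashes": {"sha1-b2"}, "icons": {"icon-1"}, "families": {"zbot"}},
    {"ip": "198.51.100.5", "domains": {"qwrtzyx.example"},
     "landing": {"http://qwrtzyx.example/index.php?tp=7a1c0d9e5f3b2a11"},
     "hashes": {"sha1-b2", "sha1-c3"}, "icons": {"icon-2"}, "families": {"zbot"}},
    {"ip": "203.0.113.7", "domains": {"plmokn.example"},
     "landing": {"http://plmokn.example/index.php?tp=4e4e4e4e4e4e4e4e"},
     "hashes": {"sha1-d4"}, "icons": {"icon-3"}, "families": {"winwebsec"}},
    {"ip": "203.0.113.9", "domains": {"uhbygv.example"},
     "landing": {"http://uhbygv.example/index.php?tp=9b9b9b9b9b9b9b9b"},
     "hashes": {"sha1-e5"}, "icons": {"icon-4"}, "families": {"winwebsec"}},
]


def landing_key(url):
    """Feature value for a landing URL: path and query with the host dropped,
    so the same kit configuration behind different domains compares equal."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def feature_values(server):
    """Yield the (feature, value) pairs that can link this server to others."""
    for f in LINK_FEATURES:
        if f == "landing":
            for url in server["landing"]:
                yield f, landing_key(url)
        else:
            for v in server[f]:
                yield f, v


def aggressive_clusters(servers):
    """Transitive closure over shared feature values. Returns clusters sorted
    by size, each with its member IPs and the families they distribute."""
    parent = list(range(len(servers)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    owner = {}  # (feature, value) -> index of the first server carrying it
    for i, s in enumerate(servers):
        for fv in feature_values(s):
            if fv in owner:
                ra, rb = find(i), find(owner[fv])
                if ra != rb:
                    parent[ra] = rb
            else:
                owner[fv] = i
    members = defaultdict(list)
    for i in range(len(servers)):
        members[find(i)].append(i)
    clusters = [{"servers": [servers[i]["ip"] for i in idx],
                 "families": sorted(set().union(*(servers[i]["families"] for i in idx)))}
                for idx in members.values()]
    return sorted(clusters, key=lambda c: (-len(c["servers"]), c["servers"][0]))


def summarize(clusters):
    """The three columns of the clustering-results table."""
    return {"clusters": len(clusters),
            "largest": len(clusters[0]["servers"]),
            "singletons": sum(1 for c in clusters if len(c["servers"]) == 1)}


if __name__ == "__main__":
    ops = aggressive_clusters(SERVERS)
    for op in ops:
        print(op)
    print(summarize(ops))
```

The aggressive algorithm's weakness is visible in the code: one shared value, even a coincidental one such as a reused icon, merges two otherwise unrelated groups, which is why it yields fewer and larger clusters than PAM in the results table.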

Analysis

MALICIA dataset: summary of the milking operation

Malware executables milked   45,646
Unique executables milked    10,600
Domains milked                  596
Servers milked                  488
ASes hosting servers            263
Countries hosting servers        57
Total uptime (days)             338

Exploit server lifetime. The median lifetime of a server is 19 hours. 13% of exploit servers live only for an hour, 60% are dead before one day, 10% live more than a week, and 5% more than two weeks.
[Figure: server lifetime CDF; x-axis days (0 to 80), y-axis cumulative fraction of servers (0 to 1).]
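These lifetime figures fall out of the periodic milking: a server's lifetime is the span between its first and its last successful milk, so the milking interval bounds the resolution, and a server still answering at the end of monitoring has a lifetime that is only a lower bound. The block below is an added example, not the paper's code, that derives lifetimes from a constructed milking log and computes the same kind of summary as the slide (median, share dead within an hour or a day, share alive beyond one and two weeks) plus the empirical CDF behind the plot. The log entries, the monitoring-window end and the two-hour interval are assumptions.

```python
"""Exploit-server lifetime from periodic milking observations.

Added example, not the paper's code. Log entries are (ip, timestamp of a
successful milk); the interval is how often each server is re-milked.
"""
from datetime import datetime, timedelta
from statistics import median

# Constructed milking log (documentation addresses, invented timestamps).
MILKING_LOG = [
    ("192.0.2.10", "2013-01-01 00:00"), ("192.0.2.10", "2013-01-01 00:30"),
    ("192.0.2.11", "2013-01-02 00:00"), ("192.0.2.11", "2013-01-02 12:00"),
    ("192.0.2.11", "2013-01-02 20:00"),
    ("192.0.2.12", "2013-01-03 00:00"), ("192.0.2.12", "2013-01-12 00:00"),
    ("192.0.2.13", "2013-01-05 00:00"), ("192.0.2.13", "2013-01-05 18:00"),
    ("192.0.2.14", "2013-01-10 00:00"), ("192.0.2.14", "2013-01-30 00:00"),
    ("192.0.2.15", "2013-02-27 00:00"), ("192.0.2.15", "2013-02-28 00:00"),
]
WINDOW_END = "2013-02-28 00:00"          # last milking round (assumption)
MILKING_INTERVAL = timedelta(hours=2)    # re-milk period (assumption)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def lifetimes(log, window_end, interval):
    """Return {ip: (hours_alive, censored)}.

    censored is True when the server was still milkable within one interval
    of the window end: its true lifetime is at least the value returned.
    A server seen only once gets 0 hours although it lived up to one
    interval; the interval therefore bounds the resolution of every figure
    derived from this table.
    """
    end = parse_ts(window_end)
    first, last = {}, {}
    for ip, ts in log:
        t = parse_ts(ts)
        first[ip] = min(first.get(ip, t), t)
        last[ip] = max(last.get(ip, t), t)
    return {ip: ((last[ip] - first[ip]).total_seconds() / 3600,
                 end - last[ip] < interval) for ip in first}


def lifetime_stats(lt):
    """Summary figures of the kind reported on the slide."""
    hours = [h for h, _ in lt.values()]
    n = len(hours)
    return {
        "servers": n,
        "median_hours": median(hours),
        "dead_within_1h": sum(h <= 1 for h in hours) / n,
        "dead_within_1d": sum(h < 24 for h in hours) / n,
        "alive_over_1w": sum(h > 7 * 24 for h in hours) / n,
        "alive_over_2w": sum(h > 14 * 24 for h in hours) / n,
        "censored": sum(c for _, c in lt.values()),
    }


def lifetime_cdf(lt, days):
    """Fraction of servers whose lifetime is at most d days, for each d."""
    hours = [h for h, _ in lt.values()]
    return [sum(h <= d * 24 for h in hours) / len(hours) for d in days]


if __name__ == "__main__":
    lt = lifetimes(MILKING_LOG, WINDOW_END, MILKING_INTERVAL)
    for ip, (h, c) in sorted(lt.items()):
        print(f"{ip:14} {h:7.1f} h{'  (alive at window end)' if c else ''}")
    print(lifetime_stats(lt))
    print(list(zip((1, 7, 14, 30), lifetime_cdf(lt, (1, 7, 14, 30)))))
```

When the censored count is a sizeable fraction of the servers, the median and the "more than two weeks" share are both underestimates; report the count alongside the figures, as the uptime line in the dataset table implicitly does.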

Malware families (figure).

Operation analysis: clustering results

Algorithm    Features  Clusters  Largest  Singletons
Aggressive   5         106       87       66
PAM          5         185       31       130

Results: 2/3 of the operations use a single server; 1/3 use multiple servers, replacing dead servers with fresh ones.

Hosting providers: top ASes by number of exploit servers (ES) milked, compared with the number of IPv4 addresses each AS originates

ASN     Name         CC   ES   IPv4 originated
16276   ovh          FR   19   944,896
47869   netrouting   NL   18   22,016
28762   awax         RU   15   6,400
21788   burst        US   11   286,976
46816   directspace  US   10   8,192
12695   di-net       RU    9   244,480
6830    lgi          AT    8   9,479,936
16265   leaseweb     NL    8   337,408
36351   softlayer    US    8   1,214,976
197145  infiumhost   RU    8   9,728

Driving in the cloud: turning to the cloud. 60% of the monitored servers are Virtual Private Servers (VPS). Why?
- Fast registration process.
- Fairly anonymous subscription process.
- Short leases available (i.e., daily billing).

Abuse reporting. We reported 19 long-lived servers. 61% of the reports were not acknowledged. On average an exploit server lived 4.3 days after a report; servers whose report produced a reply lived 3.0 days.

Related Work

Related work. Drive-by downloads: Wang et al. (NDSS 2006); Provos et al. (HotBots 2007); Grier et al. (CCS 2012). Malware classification: Anderson et al. (USENIX Security 2007); Bayer et al. (NDSS 2009); Perdisci et al. (NSDI 2010).

Conclusion

Conclusion
- We propose a technique to identify drive-by operations by grouping exploit servers based on their configuration and the malware they distribute.
- We report on aspects of drive-by operations such as the number of servers they use, their hosting infrastructure, their lifetime, and the malware families they distribute.
- We analyze the abuse reporting procedure by sending reports on exploit servers.
- We build a dataset with the collected malware, their classification, and associated metadata, and make it available to other researchers.

MALICIA dataset. Are you interested in our dataset? http://malicia-project.com

Questions?

Operation analysis (backup). Phoenix operations: using both PAM and aggressive clustering, all 21 Phoenix servers are grouped in the same cluster, with no other (BlackHole) servers. All servers in this cluster distribute zbot. Winwebsec operations: we observe the winwebsec fake AV affiliate program distributed through 11 different servers, which both algorithms group into 8 clusters.

Operation analysis (2). Winwebsec operations: through external means we confirm that the winwebsec program manages its own exploit servers. Among the milked executables we found 108 winwebsec executables belonging to different affiliates. Zeroaccess operations: zeroaccess is also an affiliate program. There are four clusters distributing zeroaccess: three of them distribute a single affiliate identifier, while the fourth distributes multiple affiliates.