Detecting Malicious SSL Certificates Using Bro

Andrew Beard, Ajit Thyagarajan

Transcript of Detecting Malicious SSL Certificates Using Bro

Page 1: Detecting Malicious SSL Certificates Using Bro

Detecting Malicious SSL Certificates Using Bro
Andrew Beard
Ajit Thyagarajan

Page 4: Detecting Malicious SSL Certificates Using Bro

Motivation
• SSL traffic is increasing and so is malicious usage!
• Content visibility of SSL traffic is becoming increasingly harder
• BSides Charm talk – Using Bro IDS to Detect X509 Anomalies by Will Glodek

Page 5: Detecting Malicious SSL Certificates Using Bro

Direct application of cert feeds
• Well known SSL cert blacklist, SSLBL by abuse.ch
• Identifies certificates via hash (SHA1)
• Averages about 10 new entries per week
• Relatively high efficacy

Page 6: Detecting Malicious SSL Certificates Using Bro

David Bianco’s Pyramid Triangle of Pain
• Reflects the pain you cause to an adversary
• Generating new certificates (even signed ones) causes little pain

Page 7: Detecting Malicious SSL Certificates Using Bro

Using cert feeds and Bro to greater effect
• Use the feeds as a starting point to gather and label data
• Analyze metadata from known bad certificates as a training set
• Treat other certs resulting from other feeds as maybes
• Try to find patterns in the metadata we can use to match as many known bad and maybes as possible, verify against known (or at least, heavily biased) good traffic

Page 8: Detecting Malicious SSL Certificates Using Bro

Why Bro?
• Content awareness
• Ability to apply patterns to live network traffic
• Symmetry on the front and the back end

Page 9: Detecting Malicious SSL Certificates Using Bro

I don’t have a supercomputer
• I have a 7 year old Dell workstation my wife’s IT department was throwing out
• Nothing here would be remotely considered HPC

Page 10: Detecting Malicious SSL Certificates Using Bro

Generating training sets
• Visit every potentially malicious site you can possibly find
  • OSINT feeds are great for this
  • Don’t have a lot of context (if any)
• Look for certificates that match our known bad ones
• “Everything else” creates a data set that isn’t totally trustworthy, use for testing

Page 11: Detecting Malicious SSL Certificates Using Bro

Flowchart: Feed Data (All) → Fetch Script → In Cert Feed? → Yes: Known Bad / No: Maybe Bad
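The fetch-and-label flow in this diagram, as an added Python example (not the presenters' fetch script from the Atomic Mole repository): each feed host is contacted on 443, the certificate it serves is hashed with SHA1 the way SSLBL identifies certificates, and the hash decides Known Bad versus Maybe Bad. The DER blobs and the one-entry feed in demo() are constructed stand-ins.

```python
import hashlib
import socket
import ssl
from typing import Dict, Iterable, Optional, Set


def cert_sha1(der: bytes) -> str:
    """SSLBL identifies certificates by the SHA1 of their DER encoding."""
    return hashlib.sha1(der).hexdigest()


def fetch_der_cert(host: str, port: int = 443, timeout: float = 5.0) -> Optional[bytes]:
    """Return the leaf certificate a host serves, or None if it does not answer.
    The talk reports under 1 in 5000 feed hosts responding, so None is the common case."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # collect the cert even when it would not validate
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
    except OSError:                 # refused, timed out, or TLS handshake failed
        return None


def label_certs(certs: Dict[str, bytes], sslbl: Set[str]) -> Dict[str, str]:
    """Known Bad if the fingerprint is on the feed, Maybe Bad otherwise."""
    return {host: ("known_bad" if cert_sha1(der) in sslbl else "maybe_bad")
            for host, der in certs.items()}


def harvest(hosts: Iterable[str], sslbl: Set[str]) -> Dict[str, str]:
    """Whole flow: fetch from every feed host, drop non-responders, label the rest."""
    certs = {}
    for host in hosts:
        der = fetch_der_cert(host)
        if der is not None:
            certs[host] = der
    return label_certs(certs, sslbl)


def demo() -> Dict[str, str]:
    # Constructed DER stand-ins and a constructed one-entry "feed"; a real run
    # calls harvest() with OSINT feed hosts and the SHA1 list from SSLBL.
    certs = {"bad.example": b"constructed-der-1", "unknown.example": b"constructed-der-2"}
    sslbl = {cert_sha1(certs["bad.example"])}
    return label_certs(certs, sslbl)
```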

Page 12: Detecting Malicious SSL Certificates Using Bro

Problems with generating data sets
• Expect a low response rate
  • Sites get taken down, not HTTPS port 443, don’t serve anything out, unregistered DGAs, etc
  • Less than 1 in 5000 respond (with no guarantee those responses are actually bad)
• Number that match on the SSLBL is even worse, and that’s biased
  • Based entirely on what’s already labeled as bad

Page 13: Detecting Malicious SSL Certificates Using Bro

x509.log Fields
• ts
• id
• version
• serial
• subject
• issuer
• not_valid_before
• not_valid_after
• key_alg
• sig_alg
• key_type
• key_length
• exponent
• curve
• san.dns
• san.uri
• san.email
• san.ip
• basic_constraints.ca
• basic_constraints.path_len

Page 14: Detecting Malicious SSL Certificates Using Bro

Subjects and Issuers
• CN=nycards2016.com,OU=PositiveSSL,OU=Domain Control Validated
• [email protected],CN=gjf,OU=comba,O=comba,L=guangzhou,ST=china,C=CN
• CN=A_LifeSize_System,C=US,ST=Texas,L=Austin,[email protected],OU=IT,O=LifeSize Communications\\, Inc.
• CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
• OU=Test,O=Peersec Networks,L=Bellevue,ST=WA,C=US,CN=MatrixSSL Sample Server CA

Page 15: Detecting Malicious SSL Certificates Using Bro

Splitting the Attributes
• Subject and Issuer are the string representations of multiple Attribute Value Assertions (AVAs)
• Hard to compare them as big strings, but a lot more commonality once you split them up
• Not hard to parse out each attribute using something like Splunk or Kibana, but it makes matching on those fields harder later
• Split the fields into a new Bro log based on x509.log (x509_extended.log)

Page 16: Detecting Malicious SSL Certificates Using Bro

Many attributes, but we’re just using a subset
• C: Country
• CN: Common Name (Site identifier)
• L: Locality (City)
• O: Organization
• OU: Organizational Unit
• ST: State (or Province)
• emailAddress
• unstructuredName
• serialNumber

Page 17: Detecting Malicious SSL Certificates Using Bro

x509_extended

type Info: record {
    fuid: string &log;
    sha1: string &log;
    subject_c: string &log &optional;
    subject_cn: string &log &optional;
    subject_l: string &log &optional;
    subject_o: string &log &optional;
    subject_ou: string &log &optional;
    subject_st: string &log &optional;
    subject_email: string &log &optional;
    subject_unstruct: string &log &optional;
    subject_serial: string &log &optional;
    issuer_c: string &log &optional;
    …
};
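Splitting subject and issuer strings into the per-attribute fields of x509_extended.log (slides 15 to 17), as an added Python example rather than the presenters' Bro module: it walks the string character by character so the escaped comma in the LifeSize example on slide 14 is not treated as a separator, keeps only the attribute subset from slide 16, and names fields as the record on this slide does. Joining a repeated type such as two OUs with ';' is this example's own choice, not something the slides specify.

```python
from typing import Dict, List, Tuple

# Attribute types kept by x509_extended (slide 16) and their field suffixes (slide 17).
ATTR_SUFFIX = {"C": "c", "CN": "cn", "L": "l", "O": "o", "OU": "ou", "ST": "st",
               "emailAddress": "email", "unstructuredName": "unstruct",
               "serialNumber": "serial"}


def split_avas(dn: str) -> List[Tuple[str, str]]:
    """Split a subject/issuer string into (type, value) AVAs.
    A backslash escapes the next character, so the slide-14 value
    'LifeSize Communications\\, Inc.' stays whole instead of being cut at the comma."""
    avas, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            avas.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    avas.append("".join(buf))
    pairs = []
    for ava in avas:
        typ, sep, val = ava.partition("=")
        if sep:                      # skip empty or malformed fragments
            pairs.append((typ.strip(), val))
    return pairs


def extend(dn: str, prefix: str) -> Dict[str, str]:
    """Build <prefix>_<suffix> fields for one DN. Attributes outside the subset are
    dropped; a repeated type (two OUs) is joined with ';' so no value is lost."""
    fields: Dict[str, str] = {}
    for typ, val in split_avas(dn):
        if typ in ATTR_SUFFIX:
            key = f"{prefix}_{ATTR_SUFFIX[typ]}"
            fields[key] = val if key not in fields else fields[key] + ";" + val
    return fields


def x509_extended(subject: str, issuer: str) -> Dict[str, str]:
    """One x509_extended.log row (minus fuid and sha1) from an x509.log subject/issuer."""
    row = extend(subject, "subject")
    row.update(extend(issuer, "issuer"))
    return row
```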

Page 18: Detecting Malicious SSL Certificates Using Bro

Need a prototyping system
• Wanted to gather data, then test patterns on the same data sets over and over
• Could do this with Bro directly, but you don’t really need to reprocess the packets and sessions over and over again
• Process traffic into Bro logs, evaluate via Splunk or SQL
• May want to apply new certificate feeds to existing logs outside of Bro

Page 19: Detecting Malicious SSL Certificates Using Bro

Analysis
• Look at data in $VISUALIZATION
• Clustering -> Pattern Synthesis
• Check for hits in the bad table
• Check for hits in the unknown table
• Confirm against a known good set

Page 20: Detecting Malicious SSL Certificates Using Bro

Examples

Page 21: Detecting Malicious SSL Certificates Using Bro

Default Values

C   ST          O                          emailAddress
AU  Some-State  Internet Widgits Pty Ltd   -
AU  Some-State  Internet Widgits Pty Ltd   chmod 0600 /etc/nginx/ssl/server.key
AU  Some-State  Internet Widgits Pty Ltd   -

Page 22: Detecting Malicious SSL Certificates Using Bro

openssl Command Defaults

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Page 23: Detecting Malicious SSL Certificates Using Bro

Is it actionable?
• Very strong correlation between sites that were hosting malware or control nodes, though
• Gozi, Gootkit, Shifu, others have all been identified running from servers with “Internet Widgits Pty Ltd” certificates
• Non-malicious sites mostly default server pages and sites under development
• A user visiting a site outside the network could be considered anomalous
• Default Company Ltd, Default City, also used by some OpenSSL distributions

Page 24: Detecting Malicious SSL Certificates Using Bro

Copypasta

sha1                                      O    L            ST
1147947433f261bcd2cd8f508461e01898c3960b  Dis  Springfield  Denial
f2a61975cb541e6a62ed8ca5214020108d922a14  Dis  Springfield  Denial
368e6beb6f8d2f6049831fe25dd397287823c5e6  Dis  Springfield  Denial
a9650a4522140d42e5ca4529da54805625eebe64  Dis  Springfield  Denial

• 4 cert feed matches in our original sample set
• SSLBL lists all four as TorrentLocker C2 servers
• 14 others were found with the same ST, L, and O fields (and other fields not present)
• 5 of those have shown up in the SSLBL feed since
• So far ALL TorrentLocker C2 servers seem to use the same pattern

Page 25: Detecting Malicious SSL Certificates Using Bro

Where did it come from?

Page 26: Detecting Malicious SSL Certificates Using Bro

“Random” Values

C   CN                        L                         O                         ST
CN  TJMauph2wkefdglVFzqmyEvM  3KLyyRWQF0IRfH91yu5frdLX  rfUvM2rqVg1P8IpFP2mJbEjD  ST
CN  RJHeFQ9nCz69k5RNTTLmVCIf  gBEUDkp44OE7ihODZD4VbdDv  oLsGPV9bx43NaNg1ZjOqIGfJ  ST
CN  Hcoc6tfYqmEXPnDtwJ39vBFg  N9El3p9XpqOBDcqUQxKCbw5V  OJ2vl3Vz2Tn0skdsUsLUMwFz  ST
CN  X5WBo9o5AqvtVGGAVyBiNgwO  wHMhVyFMNPcbdG84Q8gKcijH  8V3jDPLZIGdNoOmKQ42ZmhlE  ST
CN  rQ9YqiO7S1pgULTmD3nNahn7  OBfmruLgjF88LKyg0fVHqRzU  zs3L7avZO3gDESogMpf4HBxj  ST

• Fixed C and ST values, and exactly 24 characters in the CN, L, and O fields
• Over 27 matches for the same pattern in the “maybe” set
• All C2 nodes from the same malware family

Page 27: Detecting Malicious SSL Certificates Using Bro

Applying Patterns to Bro
• Wrote collection of bro scripts that load the x509_extended module
• Hooks into an event after subject and issuer subfields have been parsed out
• Logs to notice.log
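The three subject patterns from the Examples section (the openssl defaults, the Dis/Springfield/Denial copypasta, and the 24-character random values) applied to already-split x509_extended rows, as an added Python example of the matching that the Bro scripts hook in after subject and issuer are parsed; the notice names and the rows in demo() are constructed here, not taken from the project.

```python
import re
from typing import Callable, Dict, List, Tuple

Record = Dict[str, str]   # one x509_extended.log row: {"sha1": ..., "subject_c": ..., ...}
RANDOM24 = re.compile(r"^[A-Za-z0-9]{24}$")


def openssl_defaults(r: Record) -> bool:
    """Slides 21-23: subject left on the openssl req prompt defaults."""
    return (r.get("subject_c") == "AU" and r.get("subject_st") == "Some-State"
            and r.get("subject_o") == "Internet Widgits Pty Ltd")


def torrentlocker_copypasta(r: Record) -> bool:
    """Slide 24: the O/L/ST triple shared by the TorrentLocker C2 certificates."""
    return (r.get("subject_o") == "Dis" and r.get("subject_l") == "Springfield"
            and r.get("subject_st") == "Denial")


def random_24(r: Record) -> bool:
    """Slide 26: fixed C and ST with exactly 24 alphanumerics in CN, L and O."""
    return (r.get("subject_c") == "CN" and r.get("subject_st") == "ST"
            and all(RANDOM24.match(r.get(k, "")) for k in ("subject_cn", "subject_l", "subject_o")))


# Pattern table (notice names are assumed, not the project's); keeping rules in
# data rather than script bodies is the "less hardcoding" goal on the Future slide.
PATTERNS: List[Tuple[str, Callable[[Record], bool]]] = [
    ("X509_Extended::OpenSSL_Default_Subject", openssl_defaults),
    ("X509_Extended::TorrentLocker_Subject", torrentlocker_copypasta),
    ("X509_Extended::Random24_Subject", random_24),
]


def check(r: Record) -> List[Dict[str, str]]:
    """One notice-style entry per matching pattern, as the Bro hook would raise."""
    return [{"note": note, "sha1": r.get("sha1", ""),
             "msg": f"{note}: subject CN={r.get('subject_cn', '')}"}
            for note, pred in PATTERNS if pred(r)]


def demo() -> List[str]:
    # Constructed rows; the PLACEHOLDER hashes stand in for real SHA1 fingerprints.
    rows = [
        {"sha1": "PLACEHOLDER1", "subject_c": "AU", "subject_st": "Some-State",
         "subject_o": "Internet Widgits Pty Ltd"},
        {"sha1": "PLACEHOLDER2", "subject_o": "Dis", "subject_l": "Springfield",
         "subject_st": "Denial"},
        {"sha1": "PLACEHOLDER3", "subject_c": "CN", "subject_st": "ST",
         "subject_cn": "TJMauph2wkefdglVFzqmyEvM", "subject_l": "3KLyyRWQF0IRfH91yu5frdLX",
         "subject_o": "rfUvM2rqVg1P8IpFP2mJbEjD"},
        {"sha1": "PLACEHOLDER4", "subject_c": "US", "subject_o": "Symantec Corporation"},
    ]
    return [n["note"] for r in rows for n in check(r)]
```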

Page 28: Detecting Malicious SSL Certificates Using Bro

Triangle of Pain, Revisited

Page 29: Detecting Malicious SSL Certificates Using Bro

Recap
• Bro makes it easy to extract certificate metadata
• Using OSINT and Bro you can easily collect large sets of data on bad and suspect certificates
• Patterns in the certificate metadata can yield higher-value information than the feeds alone
• Hard to definitively say something is malicious with no context, but you can get to a high level of confidence
• Since Bro can operate at line speed, it can be used to match against those patterns with live traffic

Page 30: Detecting Malicious SSL Certificates Using Bro

Future
• Better ways of applying patterns in Bro (less hardcoding into scripts)
• Certificate analysis has potential for uncovering a lot more patterns
• Better automatic clustering
• BSides DC talk focusing on clustering and analysis (Oct 22, '16)
• Continuing to enhance our collection of good/bad certs
• Looking for collaborators - let us know if you are interested...

Page 31: Detecting Malicious SSL Certificates Using Bro

Thanks to:
• Abuse.ch
• John Bambenek and Bambenek Consulting
• AlienVault and numerous OTX contributors
• Ravi Pandey from University of Maryland

Page 32: Detecting Malicious SSL Certificates Using Bro

Questions?
Andrew [email protected]
Ajit [email protected]
Atomic Mole GitHub: https://github.com/atomicmole/brocon2016