HIVE: an Open Infrastructure for Malware Collection and...
Transcript of HIVE: an Open Infrastructure for Malware Collection and...
IntroductionHIVE
Conclusions
HIVE: an Open Infrastructure for MalwareCollection and Analysis
Davide Cavalca1 Emanuele Goldoni2
University of Pavia, Italy1Department of Computer Engineering and Systems Science
2Department of Electronics
1st Workshop on Open Source Softwarefor Computer and Network Forensics
2008
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
IntroductionHIVE
Conclusions
Goals
a forensics approach to Internet malware and botnetsself-spreading malware study and classificationmonitoring of attack trends and targetsbotnets behavior, structure and evolution
To achieve these goals we built an automated infrastructurefor malware collection and analysis.
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
IntroductionHIVE
Conclusions
Outline
1 IntroductionMalwareHoneypot
2 HIVEArchitectural designExperimental setupPreliminary results
3 Conclusions
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
IntroductionHIVE
Conclusions
MalwareHoneypot
Outline
1 IntroductionMalwareHoneypot
2 HIVEArchitectural designExperimental setupPreliminary results
3 Conclusions
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
IntroductionHIVE
Conclusions
MalwareHoneypot
Malware
Malware = malicious softwareunwanted software with an agenda
viruswormtrojan horsespyware..
malware spreadsautomatically, relying on software bugs to self-replicate itselfon new computer systemsmanually, employing social engineering techniques againstthe users
malware typesstrictly destructivefor profit
SPAM and phishingransom requestsbotnet construction
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
IntroductionHIVE
Conclusions
MalwareHoneypot
Botnet
distributed network of autonomous programs (bot)created spreading ad hoc malware
infected computers turn into zombie systemsstealth behavior
the attacker (botherder) remotely controls its botnetusing IRC or HTTP (centralized botnet)using peer-to-peer protocols (distributed botnet)
...and rents its services to the best offercriminal organizationsSPAM and advertisementphishingDistributed DoS attacks“data mining”
self-sustaining and reliable source of income
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
IntroductionHIVE
Conclusions
MalwareHoneypot
Honeypot
decoy computer system designed to attract external attackshuman: study attacker behaviorautomated: collect the malware binary code
no valuable data (fake data sometimes used as bait)used to study attacks dynamics and attacker’s toolssits on an otherwise unused IP space (darknet)honeynet = a network of honeypots
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
IntroductionHIVE
Conclusions
MalwareHoneypot
Honeypot: types
Low interaction honeypot
software simulation of a computer systemefficient: a single machine can simulate a large networknot so effective: attack can fail due to simulation mishapsquick and easy to deploy, low TCO
High interaction honeypot
a real vulnerable computer systemvery effective: the attacker compromises an actual systemexpensive to deploy and maintain, higher TCOlegal liability issues
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
IntroductionHIVE
Conclusions
MalwareHoneypot
State of the art
We currently have:several low-interaction honeypot implementations
but there is no standardized framework for high-interactionhoneypotsmost works on the subject tend to reinvent the wheel
a number of analysis services for malware samplesWhat we lack is an integrated framework encompassing thecollection of samples, the analysis of malware and themonitoring of detected threats.
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
IntroductionHIVE
Conclusions
Architectural designExperimental setupPreliminary results
Outline
1 IntroductionMalwareHoneypot
2 HIVEArchitectural designExperimental setupPreliminary results
3 Conclusions
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
IntroductionHIVE
Conclusions
Architectural designExperimental setupPreliminary results
HIVE
HIVE = Honeypot Infrastructure in Virtualized Environmentintegrated infrastructure for malware collection and analysisfully automatedopen architecture
easy to interact witheasy to extend with new tools
based on proven Open Source software
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
IntroductionHIVE
Conclusions
Architectural designExperimental setupPreliminary results
HIVE: architecture
three-layeredarchitecture
sensors(honeypot)gatewaydata storage andanalysis
layers are fullydecoupledextensible andscalable
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
IntroductionHIVE
Conclusions
Architectural designExperimental setupPreliminary results
HIVE: honeynet
a combination of low and high interaction systemsextensive use of virtualization techniques (VirtualBox)automated self-maintenance
malware samples collectionhoneypot systems rebuild
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
IntroductionHIVE
Conclusions
Architectural designExperimental setupPreliminary results
HIVE: database
use of a relational DBMS(PostgreSQL)
malware samplesstoragecentral repository forall acquired datadatabase views allowaggregate high-leveldata reporting
automated samples analysisstatic analysis: antivirusbehavioral analysis
CWSandboxAnubis
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
IntroductionHIVE
Conclusions
Architectural designExperimental setupPreliminary results
HIVE: monitoring facilities
Malware analysis provides information on botnetsC&C address locationbotnet login information
Computer programs disguised as zombies can then infiltrate thebotnets
zombie activity monitoringattacks issuedbotnet size and expansionattacker behavior and targets
Tools developedinfiltrator (originally by Göbel) for IRC botnetshttpmole for HTTP botnets
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
IntroductionHIVE
Conclusions
Architectural designExperimental setupPreliminary results
Experimental setup
three-systems virtual honeynetWindows XPWindows 2000 ServerNepenthes (low interaction)deployed on a single physical machine
darknet: three contiguous IPs on an unprotected commercialnetwork
perimetral defense systems can dramatically lower thehoneynet efficency
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
IntroductionHIVE
Conclusions
Architectural designExperimental setupPreliminary results
HIVE: honeynet
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
IntroductionHIVE
Conclusions
Architectural designExperimental setupPreliminary results
Results: collected malware
during a month ofoperation
we collected more than14k malware samples...with 13k unique samplesover 50 centralizedbotnets were monitored
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
IntroductionHIVE
Conclusions
Architectural designExperimental setupPreliminary results
Results: botnets monitoring
Commands detected on the IRC botnets control channels
7440
91
98
374612
193
privnoticequitjoinmodetopic
1342
17
14814
bot_scanbot_loginbot_updatedata_mining
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
IntroductionHIVE
Conclusions
Outline
1 IntroductionMalwareHoneypot
2 HIVEArchitectural designExperimental setupPreliminary results
3 Conclusions
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
IntroductionHIVE
Conclusions
Conclusions and future works
To summarizebotnets are an actual and widespread menaceHIVE has proved to be an efficient tool for malwarecollection and analysis
In the futurereporting engineHoneyWall integrationpeer-to-peer botnet study
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
IntroductionHIVE
Conclusions
Availability
The HIVE software and this presentation can be downloadedfrom
http://netlab-mn.unipv.it/hive
Future updates will be published at the same location.
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
IntroductionHIVE
Conclusions
Questions?
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
Simplified Entity-Relationship diagram
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
Botnets C&C map
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
Chart: sightings
1 2 3 4 5 6 7 8 9 10 11
0
500
1000
1500
2000
2500
3000
3500
4000
4500
Avvistamenti per settimana
http_botsirc_botsworms
Settimana
Cam
pion
i
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
Chart: malware advance
Q1 2005 Q2 2005 Q3 2005 Q4 2005 Q1 2006 Q2 2006 Q3 2006 Q4 2006 Q1 2007 Q2 2007 Q3 2007 Q4 20070
200
400
600
800
1000
1200
1400
1600
1800
Periodo
Incr
emen
to p
erce
ntua
le
Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis