When threat hunting fails · PDF file · 2018-01-30
When threat hunting fails
Identifying malvertising domains using lexical clustering
Tucson, January 9th, 2018
2
kitty
Authors
Matt Foley David Rodriguez Dhia Mahjoub
3
Agenda
Background
Ad Network Profiling and Filtering
Lexical Clustering
Hosting space and top talkers
4
Background
5
Exploit Kits
Diagram labels (Exploit Kits vs. Malvertising delivery): Victim, Compromised Site, EK Server, Gets lander (proxy), Step 1; Malvertising: Publisher, Ad Net., Staged Site (Ad)
6
What is Malvertising
Diagram of the ad ecosystem: Visitors, Publishers, Ad Networks, Ad Exchanges, DSPs, Ad Agencies, Ad Servers
7
8
Ad Campaign Flow (Compromised Ad Net.)
User visits publisher site
Publisher site includes ad network JavaScript
Ad network fingerprints the user and sends them to the malvertisement
Examples: tech support scam, Rig Exploit Kit, fake Flash/Java update
Diagram labels: Publisher Site, Compromised Ad Net.
9
Exploit Kits
10
Tech Support Scams
11
Fake Flash and Java Updates
12
Ad Network Profiling and Filtering
13
Filtering on non-residential IP Address
14
403
Proxy Network
Rotating IPs
Choice of region
Squid Proxy
15
Filtering on non-residential IP Address
Browsing the ad network through a DigitalOcean proxy
GET → 403: the ad network returns a 403
16
Attempts with other VPS providers
17
Attempts with other VPS providers
18
19
20
Lexical Clustering
21
Attention to Details
22
Fake Flash and Java Updates
23
24
More or Less Traveled Roads
25
Consider the almighty RegeX: Keywords
Known Keywords: safe, build, click, content, free, apple
Unknown Keywords: synonyms, typos
26
Consider the almighty RegeX
grep "*.fake.*"
27
Traffic Pattern of Fake Update Sites
28
Traffic Pattern of Fake Update Sites
Look for burst in traffic
29
For one word, many
30
Shingling Fake Flash and Java Update
contentfreeandsafe4update
Trigram host name
{'con', 'ont', 'nte', 'ten', 'ent', …, 'ate'}
31
Shingling Fake Flash and Java Update
contentfreeandsafe4update
Trigram host name
{'con', 'ont', 'nte', 'ten', 'ent', …, 'ate'}
→ MinHash
→ LSH
32
Locality Sensitive Hashing: Fake Flash
3 domains with a lot of shingles in common:
contentfreeandforupdate
content4freeandsafeupdate
contentfreeandsafe4update
Shared fragments: and, con, tent, fre, saf, dat
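The shingle → MinHash → LSH chain on slides 30 to 32, worked as an added Python example (this is not code from the talk or its authors). It shingles the hostname label into trigrams, builds a MinHash signature, bands the signature so that hosts colliding in any band become candidate pairs, and then confirms every candidate with the exact Jaccard similarity of the shingle sets before merging them with union-find. The sample hostnames are the deck's own slide-32 names and the cluster_4 names from slide 36, plus one constructed benign host; the 0.4 threshold, the 64 bands of 2 rows and the crude "drop the last label" stand-in for public-suffix stripping are assumptions.

```python
import hashlib
from collections import defaultdict

# Sample input: the three slide-32 hostnames (shown without a TLD on the slide),
# the cluster_4 names from the results slide, and one constructed benign host.
SAMPLE_HOSTS = [
    "contentfreeandforupdate",
    "content4freeandsafeupdate",
    "contentfreeandsafe4update",
    "mkto-sj220048.com",
    "mkto-sj220146.com",
    "mkto-sj220162.com",
    "example.com",  # constructed; should remain a singleton
]


def registrable_label(hostname):
    """Drop the final label (an assumed, crude stand-in for public-suffix stripping)
    so that a shared TLD such as '.com' does not count as lexical similarity."""
    host = hostname.lower().rstrip(".")
    return host.rsplit(".", 1)[0] if "." in host else host


def trigrams(hostname):
    """Shingle the hostname label into its set of overlapping 3-character substrings."""
    s = registrable_label(hostname)
    return {s[i:i + 3] for i in range(len(s) - 2)}


def jaccard(a, b):
    """Exact Jaccard similarity |a ∩ b| / |a ∪ b| of two shingle sets."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def _seeded_hash(seed, shingle):
    # One 64-bit hash function per MinHash row, derived from a fixed seed.
    data = seed.to_bytes(4, "big") + shingle.encode("utf-8")
    return int.from_bytes(hashlib.sha1(data).digest()[:8], "big")


def minhash_signature(shingles, num_hashes):
    """MinHash: for each hash function keep the smallest hash over the shingle set.
    P(two signatures agree in a row) equals the Jaccard similarity of the sets."""
    if not shingles:
        return (2 ** 64 - 1,) * num_hashes
    return tuple(min(_seeded_hash(i, s) for s in shingles) for i in range(num_hashes))


def lsh_candidate_pairs(signatures, bands, rows):
    """Split each signature into `bands` bands of `rows` values; hosts whose band
    values collide in any band are proposed as candidate pairs."""
    buckets = defaultdict(set)
    for host, sig in signatures.items():
        for b in range(bands):
            buckets[(b, sig[b * rows:(b + 1) * rows])].add(host)
    pairs = set()
    for members in buckets.values():
        members = sorted(members)
        for i in range(len(members)):
            for j in range(i + 1, len(members)):
                pairs.add((members[i], members[j]))
    return pairs


def cluster_hostnames(hosts, threshold=0.4, bands=64, rows=2):
    """Cluster hostnames: LSH proposes candidates, exact Jaccard confirms them,
    union-find merges confirmed pairs. Returns a sorted list of sorted clusters."""
    shingle_sets = {h: trigrams(h) for h in hosts}
    sigs = {h: minhash_signature(shingle_sets[h], bands * rows) for h in hosts}
    parent = {h: h for h in hosts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in lsh_candidate_pairs(sigs, bands, rows):
        # LSH only proposes; a false-positive bucket collision is rejected here.
        if jaccard(shingle_sets[a], shingle_sets[b]) >= threshold:
            parent[find(a)] = find(b)

    groups = defaultdict(list)
    for h in hosts:
        groups[find(h)].append(h)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for group in cluster_hostnames(SAMPLE_HOSTS):
        print(group)
```

The bands/rows pair sets the similarity "S-curve": with 2 rows per band a pair of Jaccard 0.57 (the two slide-32 names) is proposed as a candidate in a given band with probability 0.57², so across 64 bands it is missed with probability (1 − 0.57²)^64, on the order of 1e-11, while unrelated pairs that do collide are discarded by the exact check. Raising `rows` sharpens the curve and cuts false candidates at the cost of recall on near-threshold pairs.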
33
On to production
34
Clustering Pipeline (Realtime/Batch)
goodnewcontentssafe.download → pipeline → hasher → Cluster DB → Count-min sketch → Out pipeline → Analyst Dashboard
35
Payday
36
Fake Flash and Java Update Lexical Clustering
cluster_1: goodnewcontentssafe.download, goodnewfreecontentsload.date, goodnewfreecontentall.trade, ...
cluster_2: call-mlcrosoftnw-err81711102.win, call-mlcrosoftnw-err99817109.win, call-mlcrosoftnw-err81711101.win, ...
cluster_3: artificialintelligencesweden.se, artificialintelligencechip.com, artificialintelligence.net.cm, ...
cluster_4: mkto-sj220048.com, mkto-sj220146.com, mkto-sj220162.com, ...
37
We need help
38
Simple Flask App Dashboard
39
Hosting space and top talkers
40
Where are these hosted? Any patterns?
● Take 1 week's worth of detections and their hosting space (Jan 1-7)
● Some hosters are consistently abused: AS12876 (FR), AS14618 (Amazon AWS) and more; some IPs are actively hosting thousands of domains for months
● Some hosters are highly infested with shady, toxic content (dedicated?): AS202023 (LLHOST, RO); phishing, tech support scams, fake updates, porn
41
Who is querying these domains?
● Take 1 week's worth of detections (Jan 1-7) and the user IPs
● 10 busiest hours: 20000+ user IPs querying 2000+ malvertising domains
● Some top talker clusters emerge: security-company-owned ranges querying hundreds of domains; some rogue networks querying hundreds of domains
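The count-min sketch stage of the slide-34 pipeline and the top-talker question on slide 41, as one added Python example (not the talk's own code). Detected domains are mapped to their lexical cluster, per-cluster query volume is tracked in a fixed-memory count-min sketch (which never undercounts and may overcount), and client IPs are ranked by how many distinct detected domains they queried. The log lines are constructed; the cluster membership map reuses the cluster_1, cluster_2 and cluster_4 names from slide 36; the sketch width and depth and the `min_distinct` cutoff are assumptions.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed DNS query log lines: "<timestamp> <client_ip> <qname>".
# Timestamps fall in the talk's Jan 1-7 window; client IPs are RFC 1918 placeholders.
SAMPLE_QUERIES = """
2018-01-03T10:00:01 10.0.0.5 goodnewcontentssafe.download
2018-01-03T10:00:02 10.0.0.5 goodnewfreecontentsload.date
2018-01-03T10:00:03 10.0.0.9 goodnewcontentssafe.download
2018-01-03T10:00:04 10.0.0.5 mkto-sj220048.com
2018-01-03T10:00:05 10.0.0.7 call-mlcrosoftnw-err81711102.win
2018-01-03T10:00:06 10.0.0.5 goodnewfreecontentall.trade
2018-01-03T10:00:07 10.0.0.9 example.com
2018-01-03T10:00:08 10.0.0.7 call-mlcrosoftnw-err99817109.win
""".strip().splitlines()

# Cluster membership as it would be read from the "Cluster DB"; domain and
# cluster names are taken from the talk's results slide (example.com is absent on purpose).
CLUSTER_OF = {
    "goodnewcontentssafe.download": "cluster_1",
    "goodnewfreecontentsload.date": "cluster_1",
    "goodnewfreecontentall.trade": "cluster_1",
    "call-mlcrosoftnw-err81711102.win": "cluster_2",
    "call-mlcrosoftnw-err99817109.win": "cluster_2",
    "mkto-sj220048.com": "cluster_4",
}


class CountMinSketch:
    """Fixed-memory frequency estimator: depth rows of width counters, one hash per row.
    estimate() returns the minimum over rows, so it is never below the true count."""

    def __init__(self, width=256, depth=4):
        self.width, self.depth = width, depth
        self.table = [[0] * width for _ in range(depth)]

    def _col(self, row, key):
        digest = hashlib.sha256(row.to_bytes(2, "big") + key.encode("utf-8")).digest()
        return int.from_bytes(digest[:8], "big") % self.width

    def add(self, key, count=1):
        for row in range(self.depth):
            self.table[row][self._col(row, key)] += count

    def estimate(self, key):
        return min(self.table[row][self._col(row, key)] for row in range(self.depth))


def parse(line):
    ts, client_ip, qname = line.split()
    return ts, client_ip, qname.lower().rstrip(".")


def cluster_hit_counts(lines, cluster_of, width=256, depth=4):
    """Stream queries through a count-min sketch keyed by cluster id.
    Returns (sketch, exact Counter) so the estimate can be checked against the truth."""
    sketch = CountMinSketch(width, depth)
    exact = Counter()
    for line in lines:
        _, _, qname = parse(line)
        cluster = cluster_of.get(qname)
        if cluster is None:
            continue  # not a detected malvertising domain
        sketch.add(cluster)
        exact[cluster] += 1
    return sketch, exact


def top_talkers(lines, cluster_of, min_distinct=2):
    """Client IPs that queried at least `min_distinct` distinct detected domains,
    most active first (ties broken by IP string)."""
    seen = defaultdict(set)
    for line in lines:
        _, client_ip, qname = parse(line)
        if qname in cluster_of:
            seen[client_ip].add(qname)
    ranked = [(ip, len(names)) for ip, names in seen.items() if len(names) >= min_distinct]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    sketch, exact = cluster_hit_counts(SAMPLE_QUERIES, CLUSTER_OF)
    for cluster, n in sorted(exact.items()):
        print(f"{cluster}: exact={n} estimate={sketch.estimate(cluster)}")
    print("top talkers:", top_talkers(SAMPLE_QUERIES, CLUSTER_OF))
```

In production the exact `Counter` is what the sketch replaces: with thousands of clusters and tens of thousands of querying IPs per hour, the sketch keeps memory constant and the overcount is bounded by the load on the shared counters, which is why the estimate is compared against the exact count here only to show the guarantee.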
42
Summary
43
grep "*.fake.*"
Look for burst in traffic
user IPs, hosting IPs
44
Current and Future Work
NLP on misspellings and common typos
Models to categorize clusters
Identifying malicious file hosts using belief propagation
45
Matt Foley, [email protected]
David Rodriguez, [email protected]
Dhia Mahjoub, [email protected]
Thank you
Questions?
We are hiring