
    Social Networks as Command & Control Channels for Botnets

    The weakest link in detecting botnets is typically the communication channel. What if there was a possibility to leverage existing high-volume communication channels such as social networks for the command and control traffic of a botnet? Utilizing a social network such as Twitter has many advantages over alternative methods: when done properly it is easier to hide in plain sight due to the high volume of normal chatter, the protocol and traffic are already established as a known protocol to many security systems and antivirus software, and it is highly available across the globe. Twitter is aware of the potential for people using its network for nefarious purposes, so it has developed a series of advanced protection mechanisms that need to be bypassed. The simplest solution would be to acquire an API key for access to programmatically post and fetch messages to Twitter, but that would introduce a substantial weakness to the system. In the event that the traffic was identified once, Twitter could withdraw the API key and effectively shut down the botnet. To avoid this weakness we utilized web scraping technology and the mobile web site of Twitter, which has a smaller set of protection mechanisms. The system is implemented in Python utilizing an open source library, Mechanize, to scrape the mobile web site. There were challenges encountered in successfully accessing Twitter's web site that are shown. New social networks are being built every day, and the opportunity for utilizing these types of networks for communications of botnets presents a large opportunity and ultimately an urgent need for these network owners to become aware of the potential uses of their systems.

    Detection of Unknown Malware Based on Exhaustive Evaluation of Traffic Features

    In recent years, the Internet has become indispensable in many situations such as work and daily life. Specifically, centered on the Internet, intranets, mobile networks, sensor networks, mobile phone networks and so on are interconnected in layers and reach every corner of society. On these networks, diverse services ranging from government and finance, distribution, and communication to entertainment operate and support people's lives. It is no exaggeration to say that we cannot live a single day without networks. While the spread of the Internet has improved user convenience, the damage caused by activities that abuse it is expanding. The software used in these activities is called malware, an abbreviation of malicious software. Infection with malware may result in destruction of data on the infected PC, hijacking, leakage of personal information and so on, so it is a threat to our daily lives. The number of new (unknown) malware samples appearing was 200,000 per day in 2012 (73 million per year) and 315,000 per day in 2013 (approximately 115 million per year), and it continues to increase. To counter this, anti-malware software that detects and removes malware based on patterns in code and the like is developed by security vendors. However, because the detection methods of such anti-malware software require known malware to be analyzed in advance, they cannot cope with unknown malware that appears in large quantities in a short period. Therefore, on the premise that infection by unknown malware will occur, infection detection that can detect early, from the malware's behavior alone after infection, is needed. In this research, we analyzed existing studies that perform infection detection based on payload information. As a result, we found that existing studies focus mainly on examining detection methods and have not sufficiently examined which features make it easy to distinguish normal from infected traffic. If the effectiveness of individual features can be clarified, combining multiple effective features may make it possible to distinguish normal from infected traffic more accurately. Therefore, in this research we conducted evaluation experiments using CCCDATAset and D3M2012 as infected traffic and two kinds of intranet traffic data as normal traffic. Also, since each type of malware communicates differently, we classified malware into three types (worms, Trojan horses, and file-infecting viruses). Then, for each individual payload feature, we clarified the effectiveness of detection for each malware type based on the discrimination indicators True Positive Rate (hereafter TPR) and True Negative Rate (hereafter TNR). Specifically, through a case analysis using 261 features and 14 malware samples of 3 types, we were able to show effective communication-pattern features that make it easy to distinguish normal from infected traffic: 3 for worms, 15 for Trojan horses, and 5 for viruses (20 in total). We also confirmed that, for each malware type, the payload information contains specific strings in infection activities such as "Internet connectivity check" for worms, "download of malware for performing attack communication" for Trojan horses, and "IRC connection" for file-infecting viruses, which confirmed the effectiveness of the features judged to be effective. Furthermore, using the 20 features judged to be effective, we evaluated the optimal combinations among combinations of two features and combinations of three features. As a result, for combinations of two features, 3 combinations on the boundary classifying normal traffic and infected traffic (e.g. ASCII character codes "e" + "o" ("e": 99.0% → 100%, "o": 99.0% → 100%)) and 17 combinations on the boundary classifying infected traffic that had been misdetected as normal traffic (e.g. ASCII character codes "0" + "i" ("0": 97.5% → 99.4%, "i": 98.5% → 99.4%)) had discrimination rates higher for both features than the discrimination rates of the features judged effective in Chapter 7. Also, for combinations of three features, 7 combinations on the boundary classifying infected traffic that had been misdetected as normal traffic (ASCII character codes "e" + "i" + "o" ("e": 99.0% → 99.5%, "i": 98.5% → 99.5%, "o": 97.0% → 99.5%)) had discrimination rates higher for all three features than the discrimination rates of the features judged effective in Chapter 7. We showed that using these may make it possible to distinguish normal from infected traffic more accurately. The University of Electro-Communications, 201

    Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences

    In this survey, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. We then investigate the mechanics of malware command and control (C2) establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. We then switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices. Comment: Work commissioned by CPNI, available at c2report.org. 38 pages. Listing abstract compressed from version appearing in repor

    Hijacking User Uploads to Online Persistent Data Repositories for Covert Data Exfiltration

    As malware has evolved over the years, it has gone from harmless programs that copy themselves into other executables to modern-day botnets that perform bank fraud and identity theft. Modern malware often has a need to communicate back to the author, or to other machines that are also infected. Several techniques for transmitting this data covertly have been developed over the years, which vary significantly in their level of sophistication. This research creates a new covert channel technique for stealing information from a network by piggybacking on user-generated network traffic. Specifically, steganography drop boxes and passive covert channels are merged to create a novel covert data exfiltration technique. This technique revolves around altering user-supplied data being uploaded to online repositories such as image hosting websites. It specifically targets devices that are often used to generate and upload content to the Internet, such as smartphones. The reliability of this technique is tested by creating a simulated version of Flickr as well as simulating how smartphone users interact with the service. Two different algorithms for recovering the exfiltrated data are compared. The results show a clear improvement for algorithms that are user-aware. The results continue on to compare performance for varying rates of infection of mobile devices and show that performance is proportional to the infection rate.

    Network Traffic Analysis Using Stochastic Grammars

    Network traffic analysis is widely used to infer information from Internet traffic. This is possible even if the traffic is encrypted. Previous work uses traffic characteristics, such as port numbers, packet sizes, and frequency, without looking for more subtle patterns in the network traffic. In this work, we use stochastic grammars, hidden Markov models (HMMs) and probabilistic context-free grammars (PCFGs), as pattern recognition tools for traffic analysis. HMMs are widely used for pattern recognition and detection. We use an HMM inference approach. With inferred HMMs, we use confidence intervals (CI) to detect if a data sequence matches the HMM. To compare HMMs, we define a normalized Markov metric. A statistical test is used to determine model equivalence. Our metric systematically removes the least likely events from both HMMs until the remaining models are statistically equivalent. This defines the distance between models. We extend the use of HMMs to PCFGs, which have more expressive power. We estimate PCFG production probabilities from data. A statistical test is used for detection. We present three applications of HMM and PCFG detection to network traffic analysis. First, we infer the presence of protocol tunneling through the Tor (the onion router) anonymization network. The Markov metric quantifies the similarity of network traffic HMMs in Tor to identify the protocol. It also measures communication noise in the Tor network. We use HMMs to detect centralized botnet traffic. We infer HMMs from botnet traffic data and detect botnet infections. Experimental results show that HMMs can accurately detect Zeus botnet traffic. To hide their locations better, newer botnets have P2P control structures. Hierarchical P2P botnets contain recursive and hierarchical patterns. We use PCFGs to detect P2P botnet traffic. Experimentation on real-world traffic data shows that PCFGs can accurately differentiate between P2P botnet traffic and normal Internet traffic.