
    Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences

    In this survey, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. We then investigate the mechanics of malware command and control (C2) establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. We then switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices.
    Comment: Work commissioned by CPNI, available at c2report.org. 38 pages. Listing abstract compressed from version appearing in repor

    Fast-Flux Botnet Detection Based on Traffic Response and Search Engines Credit Worthiness

    Botnets are considered the primary threat on the Internet, and there have been many research efforts to detect and mitigate them. Today, botnets use a DNS technique, fast-flux, to hide malware sites behind a constantly changing network of compromised hosts. This technique is similar to the trustworthy Round Robin DNS technique and Content Delivery Networks (CDN). In order to distinguish normal network traffic from botnet traffic, different techniques have been developed with more or less success. The aim of this paper is to improve botnet detection using an Intrusion Detection System (IDS) or router. A novel classification method for online botnet detection based on DNS traffic features that distinguish botnet from CDN-based traffic is presented. Botnet features are classified according to the possibility of their usage and implementation in an embedded system. Traffic response is analysed as a strong candidate for online detection. Its disadvantage lies in specific areas where a CDN acts as a botnet. A new feature based on search engine hits is proposed to improve false positive detection. The experimental evaluations show that the proposed classification could significantly improve botnet detection. A procedure is suggested to implement such a system as a part of an IDS.

    X-ray, optical and infrared investigation of the candidate Supergiant Fast X-ray Transient IGR J18462-0223

    We report on a broad-band X-ray study (0.5-60 keV) of the poorly known candidate Supergiant Fast X-ray Transient (SFXT) IGR J18462-0223, and on optical and near-infrared (NIR) follow-up observations of field objects. The out-of-outburst X-ray state has been investigated for the first time with archival INTEGRAL/IBIS, ASCA, Chandra and Swift/XRT observations. This allowed us to place stringent 3 sigma upper limits on the soft (0.5-10 keV) and hard (18-60 keV) X-ray emission of 2.9x10^-13 erg cm^-2 s^-1 and 8x10^-12 erg cm^-2 s^-1, respectively; the source was also detected during an intermediate soft X-ray state with flux equal to 1.6x10^-11 erg cm^-2 s^-1 (0.5-10 keV). In addition, we report on the INTEGRAL/IBIS discovery of three fast hard X-ray flares (18-60 keV) having a duration in the range 1-12 hours: the flaring behavior was also investigated in soft X-rays (3-10 keV) with archival INTEGRAL/JEM-X observations. The duty cycle (1.2%) and the dynamic ranges (> 1,380 and > 190 in the energy bands 0.5-10 keV and 18-60 keV, respectively) were measured for the first time. Archival UKIDSS JHK NIR data, together with our deep R-band imaging of the field, unveiled a single, very red object inside the intersection of the Swift/XRT and XMM-Newton error circles: this source has optical/NIR photometric properties compatible with a very heavily absorbed blue supergiant located at about 11 kpc, thus being a strong candidate counterpart for IGR J18462-0223. NIR spectroscopy is advised to confirm the association. Finally, a hint of a possible orbital period was found at about 2.13 days. If confirmed by further studies, this would make IGR J18462-0223 the SFXT with the shortest orbital period among the currently known systems.
    Comment: accepted for publication in A&A, 9 pages, 7 figures, 2 table

    Atmospheric Neutrino Physics with the MACRO detector

    We present the measurement of the flux and angular distribution of atmospheric muon neutrinos using the MACRO detector. Three different event topologies are detected in two different energy ranges: high energy neutrinos (E ~ 80 GeV) via the identification of upward throughgoing muons, and lower energy neutrinos (E ~ 4 GeV) via the upgoing stopping and partially contained downgoing muons (ID+UGS), or via the partially contained upgoing muons (IU). The measured flux is reduced with respect to the predictions. For the high energy sample, globally the flux reduction is $0.74 \pm 0.054_{stat+sys} \pm 0.12_{th}$ and varies with the zenith angle. The ratio of measured to expected events is almost constant with the zenith angle for the low energy events, and is $0.57 \pm 0.08_{stat+sys} \pm 0.14_{theor}$ for the IU sample, and $0.71 \pm 0.09_{stat+sys} \pm 0.17_{theor}$ for the (ID+UGS) sample. All the data sets are consistent within a scenario of neutrino oscillations, with maximum mixing and $\Delta m^2 \sim 10^{-3} \div 10^{-2}\ \mathrm{eV}^2$.
    Comment: 7 pages, 7 figures. Invited talk at 6th Topical Seminar on Neutrino and AstroParticle Physics, San Miniato, Italy, 17-21 May 199