Investigating Survivability of Configuration Management Tools in Unreliable and Hostile Networks

A configuration management system (CMS) can control large networks of computers. A modern CMS is idempotent and describes infrastructure as code, so that it uses a description of the desired state of a system to automatically correct any deviations from a defined goal. As this requires both complete control of the slave systems and unquestioned ability to provide new instructions to slaves, the CMS is highly valuable target for attackers. Criminal malware networks already survive in hostile, heterogeneous networks, and therefore, the concepts from those systems could be applied to benign enterprise CMSs. We describe one such concept, the hidden master architecture, and compare its survivability to existing systems using attack trees

On the Reverse Engineering of the Citadel Botnet

Citadel is an advanced information-stealing malware which targets financial information. This malware poses a real threat against the confidentiality and integrity of personal and business data. A joint operation was recently conducted by the FBI and the Microsoft Digital Crimes Unit in order to take down Citadel command-and-control servers. The operation caused some disruption in the botnet but has not stopped it completely. Due to the complex structure and advanced anti-reverse engineering techniques, the Citadel malware analysis process is both challenging and time-consuming. This allows cyber criminals to carry on with their attacks while the analysis is still in progress. In this paper, we present the results of the Citadel reverse engineering and provide additional insight into the functionality, inner workings, and open source components of the malware. In order to accelerate the reverse engineering process, we propose a clone-based analysis methodology. Citadel is an offspring of a previously analyzed malware called Zeus; thus, using the former as a reference, we can measure and quantify the similarities and differences of the new variant. Two types of code analysis techniques are provided in the methodology, namely assembly to source code matching and binary clone detection. The methodology can help reduce the number of functions requiring manual analysis. The analysis results prove that the approach is promising in Citadel malware analysis. Furthermore, the same approach is applicable to similar malware analysis scenarios.Comment: 10 pages, 17 figures. This is an updated / edited version of a paper appeared in FPS 201

Machine learning based botnet identification traffic

The continued growth of the Internet has resulted in the increasing sophistication of toolkit and methods to conduct computer attacks and intrusions that are easy to use and publicly available to download, such as Zeus botnet toolkit. Botnets are responsible for many cyber-attacks, such as spam, distributed denial-of-service (DDoS), identity theft, and phishing. Most of existence botnet toolkits release updates for new features, development and support. This presents challenges in the detection and prevention of bots. Current botnet detection approaches mostly ineffective as botnets change their Command and Control (C&C) server structures, centralized (e.g., IRC, HTTP), distributed (e.g., P2P), and encryption deterrent. In this paper, based on real world data sets we present our preliminary research on predicting the new bots before they launch their attack. We propose a rich set of features of network traffic using Classification of Network Information Flow Analysis (CONIFA) framework to capture regularities in C&C communication channels and malicious traffic. We present a case study of applying the approach to a popular botnet toolkit, Zeus. The experimental evaluation suggest that it is possible to detect effectively botnets during the botnet C&C communication generated from new updated Zeus botnet toolkit by building the classifier using machine learning from an earlier version and before they launch their attacks using traffic behaviors. Also, show that there is similarity in C&C structures various Botnet toolkit versions and that the network characteristics of botnet C&C traffic is different from legitimate network traffic. Such methods could reduce many different resources needed to identify C&C communication channels and malicious traffic

Machine learning based botnet identification traffic

The continued growth of the Internet has resulted in the increasing sophistication of toolkit and methods to conduct computer attacks and intrusions that are easy to use and publicly available to download, such as Zeus botnet toolkit. Botnets are responsible for many cyber-attacks, such as spam, distributed denial-of-service (DDoS), identity theft, and phishing. Most of existence botnet toolkits release updates for new features, development and support. This presents challenges in the detection and prevention of bots. Current botnet detection approaches mostly ineffective as botnets change their Command and Control (C&C) server structures, centralized (e.g., IRC, HTTP), distributed (e.g., P2P), and encryption deterrent. In this paper, based on real world data sets we present our preliminary research on predicting the new bots before they launch their attack. We propose a rich set of features of network traffic using Classification of Network Information Flow Analysis (CONIFA) framework to capture regularities in C&C communication channels and malicious traffic. We present a case study of applying the approach to a popular botnet toolkit, Zeus. The experimental evaluation suggest that it is possible to detect effectively botnets during the botnet C&C communication generated from new updated Zeus botnet toolkit by building the classifier using machine learning from an earlier version and before they launch their attacks using traffic behaviors. Also, show that there is similarity in C&C structures various Botnet toolkit versions and that the network characteristics of botnet C&C traffic is different from legitimate network traffic. Such methods could reduce many different resources needed to identify C&C communication channels and malicious traffic

Behavioral Analysis Of Malicious Code Through Network Traffic And System Call Monitoring

Malicious code (malware) that spreads through the Internet-such as viruses, worms and trojans-is a major threat to information security nowadays and a profitable business for criminals. There are several approaches to analyze malware by monitoring its actions while it is running in a controlled environment, which helps to identify malicious behaviors. In this article we propose a tool to analyze malware behavior in a non-intrusive and effective way, extending the analysis possibilities to cover malware samples that bypass current approaches and also fixes some issues with these approaches. © 2011 SPIE.8059The Society of Photo-Optical Instrumentation Engineers (SPIE)Balzarotti, D., Cova, M., Karlberger, C., Kruegel, C., Kirda, E., Vigna, G., Efficient detection of split personalities in malware (2010) 17th Annual Network and Distributed System Security SymposiumBayer, U., Habibi, I., Balzarotti, D., Kirda, E., Kruegel, C., A view on current malware behaviors (2009) Usenix Workshop on Large-scale Exploits and Emergent Threats (LEET)Bayer, U., Kruegel, C., Kirda, E., TTanalyze: A tool for analyzing malware (2006) Proc. 15th Ann. Conf. European Inst. for Computer Antivirus Research (EICAR), pp. 180-192Bellard, F., QEMU, a fast and portable dynamic translator (2005) Proc. of the Annual Conference on USENIX Annual Technical Conference, pp. 41-41. , USENIX AssociationBinsalleeh, H., Ormerod, T., Boukhtouta, A., Sinha, P., Youssef, A., Debbabi, M., Wang, L., On the analysis of the zeus botnet crimeware toolkit (2010) Proc. of the Eighth Annual Conference on Privacy, Security and Trust, PST'2010Blunden, B., (2009) The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, , Jones and Bartlett Publishers, Inc, 1th editionChoi, Y., Kim, I., Oh, J., Ryou, J., PE file header analysis-based packed pe file detection technique (PHAD) (2008) Proc of the International Symposium on Computer Science and Its Applications, pp. 28-31Dinaburg, A., Royal, P., Sharif, M., Lee, W., Ether: Malware analysis via hardware virtualization extensions (2008) Proc. Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS 2008), , OctoberFather, H., Hooking windows API-technics of hooking API functions on windows (2004) CodeBreakers J., 1 (2)Franklin, J., Paxson, V., Perrig, A., Savage, S., An inquiry into the nature and causes of the wealth of internet miscreants (2007) Conference on Computer and Communications Security (CCS)Garfinkel, T., Rosenblum, M., A virtual machine introspection based architecture for intrusion detection (2003) Proc. Network and Distributed Systems Security Symposium, pp. 191-206Hoglund, G., Butler, J., (2005) Rootkits: Subverting the Windows Kernel, , Addison- Wesley Professional, 1th editionHolz, T., Engelberth, M., Freiling, F., Learning more about the underground economy: A case-study of keyloggers and dropzones (2008) Reihe Informatik TR-2008-006, , University of Mannheimhttp://www.joebox.org/Kang, M.G., Poosankam, P., Yin, H., Renovo: A hidden code extractor for packed exe-cutables (2007) Proc. of the 2007 ACM Workshop on Recurring Malcode (WORM 2007)Kong, J., (2007) Designing BSD Rootkits, , No Starch Press, 1th editionLeder, F., Werner, T., Know your enemy: Containing conficker (2009) The Honeynet Project & Research AllianceMartignoni, L., Christodorescu, M., Jha, S., Omniunpack: Fast, generic, and safe unpack-ing of malware (2007) Proc. of the Annual Computer Security Applications Conference (ACSAC)http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde- d599bac8184a/pecoff_v8.docxMoser, A., Kruegel, C., Kirda, E., Limits of static analysis for malware detection (2007) ACSAC, pp. 421-430. , IEEE Computer Societyhttp://www.securelist.com/en/descriptions/old145521http://www.softpanorama.org/Malware/Malware_defense_history/ Malware_gallery/Network_worms/allaple_rahack.shtmlSong, D., Brumley, D., Yin, H., Caballero, J., Jager, I., Kang, M.G., Liang, Z., Saxena, P., BitBlaze: A new approach to computer security via binary analysis (2008) Proc. of the 4th International Conference on Information Systems SecurityWillems, G., Holz, T., Freiling, F., Toward automated dynamic malware analysis using CWSandbox (2007) IEEE Security and Privacy, 5 (2), pp. 32-39. , DOI 10.1109/MSP.2007.45Yegneswaran, V., Saidi, H., Porras, P., Eureka: A framework for enabling static analysis on malware (2008) Technical Report SRI-CSL-08-01 Computer Science Laboratory and College of Computing, , Georgia Institute of Technolog

Mitigating Botnet Attack Using Encapsulated Detection Mechanism (EDM)

Botnet as it is popularly called became fashionable in recent times owing to it embedded force on network servers. Botnet has an exponential growth of about 170, 000 within network server and client infrastructures per day. The networking environment on monthly basis battle over 5 million bots. Nigeria as a country loses above one hundred and twenty five (N125) billion naira to network fraud annually, end users such as Banks and other financial institutions battle daily the botnet threats.Comment: This paper addresses critical area of networ

HF-Blocker: Detection of Distributed Denial of Service Attacks Based On Botnets

Abstract—Today, botnets have become a serious threat to enterprise networks. By creation of network of bots, they launch several attacks, distributed denial of service attacks (DDoS) on networks is a sample of such attacks. Such attacks with the occupation of system resources, have proven to be an effective method of denying network services. Botnets that launch HTTP packet flood attacks against Web servers are one of the newest and most troublesome threats in networks. In this paper, we present a system called HF-Blocker that detects and prevents the HTTP flood attacks. The proposed system, by checking at the HTTP request in three stages, a Java-based test, check cookies and then check the user agent, detects legitimate source of communication from malicios source, such as botnets. If it is proved the source of connection to be bot, HF-Blocker blocks the request and denies it to access to resources of the web server and thereby prevent a denial of service attack. Performance analysis showed that HF-Blocker, detects and prevents the HTTP-based attacks of botnets with high probability

From ZeuS to Zitmo : trends in banking malware

In the crimeware world, financial botnets are a global threat to banking organizations. Such malware purposely performs financial fraud and steals critical information from clients' computers. A common example of banking malware is the ZeuS botnet. Recently, variants of this malware have targeted mobile platforms, as The-ZeuS-in-the-Mobile or Zitmo. With the rise in mobile systems, platform security is becoming a major concern across the mobile world, with rising incidence of compromising Android devices. In similar vein, there have been mobile botnet attacks on iPhones, Blackberry and Symbian devices. In this setting, we report on trends and developments of ZeuS and its variants