The Current Methodologies for APT/Malware Traffic Detection (2013)

  • Published on
    14-Aug-2015

Transcript

  1. The Current Methodologies for APT/Malware Traffic Detection. Canaan Kao, Yu-jia Huang and Kay Kuo. canaan@totoro.cs.nthu.edu.tw
  2. Who am I? A programmer: C/C++, Win32 SDK, Linux Kernel Programming. A CEH. Anti-Botnet BoT. 2013/09/13 The Current Methodologies for APT/Malware Traffic Detection
  3. Agenda: 0. Detection Rate 1. 2. 3. 4.
  4. 0. Detection Rate: Bot/Victim, Bot/Victim
  5. 0. Detection Rate: BoT2012, RuleGen rule set vs. Snort rule set (community version) on Malware Traffic (Snort rule default action) (RuleGen)
  6. 0. Detection Rate
  7. 0. Detection Rate !!!
  8. 0. Detection Rate (2012/09)
  9. 0. Detection Rate: in the bar chart the RuleGen rule set covers 100% of the malware traffic and the Snort rule set 68%, but the Snort hits come from the rules FILE-IDENTIFY download of executable content and FILE-IDENTIFY Portable Executable binary file magic detected
  10. 0. Detection Rate: Snort rule set 16% bar
  11. 0. Detection Rate: Snort 68% Malware
  12. 0. Detection Rate
  13. 0. Detection Rate: 16% Malware; Snort MIS rules; Malware 16% vs. 68%
  14. 0. Detection Rate: Malware Packet Trace http://contagiodump.blogspot.tw/2013/04/collection-of-pcap-files-from-malware.html
  15. 0. Detection Rate
  16. 0. Detection Rate: two rule sets run over the same 75 pcaps
      Rule set                               Hit Rate       Hit/Used Rule Number
      anti-botnet.20130708                   42/75 = 56%    62
      snortrules-snapshot-2946 (SourceFire)  28/75 = 37%    60
  17. 0. Detection Rate: Snort Rule File: malware-cnc.rules; malware-cnc.rules.20130315, 657KB; malware-cnc.rules.20130613, 739KB
  18. 0. Detection Rate: 1. 2. training samples. 3.
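The detection-rate measurement behind slides 9 and 16 is easy to misread if generic rules are counted as detections. The script below is an added example (not from the slides): it parses Snort fast-alert output collected per pcap, computes Hit Rate (pcaps with at least one alert) and the number of distinct rules that fired (assumed here to be what "Hit/Used Rule Number" counts), and recomputes the rate after discarding pcaps whose only alerts come from file-type rules such as FILE-IDENTIFY, which is the slide 9 caveat behind the 68% vs. 16% figures. The alert lines, SIDs and pcap names are constructed; the prefix list beyond FILE-IDENTIFY is an assumption.

```python
"""Hit-rate bookkeeping for a rule set run against a pcap corpus (added example)."""
import re

# Snort fast-alert signature part: "[gid:sid:rev] message [**]"
ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")

# Message prefixes of rules that fire on any executable download rather than on
# a malware family. FILE-IDENTIFY is named on slide 9; the other two are
# assumptions added for illustration.
GENERIC_PREFIXES = ("FILE-IDENTIFY", "POLICY-OTHER", "INDICATOR-COMPROMISE")

# Constructed fast-alert output, one list per pcap (as if `snort -r <pcap>
# -A fast` had been run per trace). SIDs and messages are hypothetical.
ALERTS = {
    "BIN_Zeus_2012-04.pcap": [
        "09/13-10:01:02.000001  [**] [1:900001:2] MALWARE-CNC Win.Trojan.Zeus "
        "variant outbound connection [**] [Priority: 1] {TCP} "
        "10.0.0.5:49152 -> 203.0.113.9:80",
        "09/13-10:01:03.000002  [**] [1:900100:1] FILE-IDENTIFY Portable "
        "Executable binary file magic detected [**] [Priority: 3] {TCP} "
        "203.0.113.9:80 -> 10.0.0.5:49152",
    ],
    "BIN_Cutwail_2012-10.pcap": [
        "09/13-10:02:00.000001  [**] [1:900100:1] FILE-IDENTIFY Portable "
        "Executable binary file magic detected [**] [Priority: 3] {TCP} "
        "198.51.100.7:80 -> 10.0.0.6:49201",
        "09/13-10:02:00.000002  [**] [1:900101:1] FILE-IDENTIFY download of "
        "executable content [**] [Priority: 3] {TCP} "
        "198.51.100.7:80 -> 10.0.0.6:49201",
    ],
    "BIN_Tinba_2012-06.pcap": [],  # no alert at all
    "BIN_Taidoor_2012-10.pcap": [
        "09/13-10:03:10.000001  [**] [1:900002:1] MALWARE-CNC Win.Trojan.Taidoor "
        "outbound beacon [**] [Priority: 1] {TCP} 10.0.0.7:49300 -> 192.0.2.44:443",
    ],
}


def parse_alerts(lines):
    """Map (gid, sid) -> message for every rule that fired in one pcap's output."""
    fired = {}
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            fired[(int(m.group(1)), int(m.group(2)))] = m.group(4)
    return fired


def is_generic(message, prefixes=GENERIC_PREFIXES):
    """True for rules that identify a file type or policy, not a malware family."""
    return message.startswith(prefixes)


def evaluate(alerts_by_pcap, prefixes=GENERIC_PREFIXES):
    """Hit Rate with and without generic rules, plus the number of distinct rules used."""
    total = len(alerts_by_pcap)
    hit = hit_specific = 0
    used = set()
    for lines in alerts_by_pcap.values():
        fired = parse_alerts(lines)
        used.update(fired)
        if fired:
            hit += 1
        # A pcap counts as a specific hit only if some non-generic rule fired on it
        if any(not is_generic(msg, prefixes) for msg in fired.values()):
            hit_specific += 1
    return {
        "total": total,
        "hit": hit,
        "hit_rate": hit / total,
        "hit_specific": hit_specific,
        "specific_rate": hit_specific / total,
        "used_rules": len(used),
    }


if __name__ == "__main__":
    r = evaluate(ALERTS)
    print(f"Hit Rate: {r['hit']}/{r['total']} = {r['hit_rate']:.0%}")
    print(f"Hit Rate without generic rules: {r['hit_specific']}/{r['total']} = {r['specific_rate']:.0%}")
    print(f"Hit/Used Rule Number: {r['used_rules']}")
```

On the constructed data the raw Hit Rate is 3/4 but drops to 2/4 once the Cutwail trace, which only triggered FILE-IDENTIFY rules, is excluded; that gap is the quantity the deck's 68% vs. 16% comparison is really about.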
  19. 1.
  20. 1. 1. IP 2. Domain Name, DGA 3. HTTP host
  21. 1. 4. HTTP User-Agent: content:"User-Agent|3a| MyAgent"; 5. HTTP Check-in URI: uricontent:"guid="; uricontent:"ver="; uricontent:"stat="; uricontent:"ie="; uricontent:"os="; 6. HTTP cookie: content:"|0D 0A|Cookie|3a| cid="; pcre:"/^\d{4}\r$/Rm";
  22. 1. 7. HTTP URL (Safe Browsing) 8. Malware File (MD5-based/Pattern-based) AV
  23. 1. 9. Firewall VM/Cloud. 10. Flooding/SPAM Bot
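Slides 20 and 21 list the HTTP indicators (host, User-Agent, check-in URI parameters, cookie format) as Snort rule fragments. The following is an added example, not code from the slides, that applies those four checks to raw HTTP request bytes while mirroring Snort's semantics: content and uricontent are plain substring matches, and the cookie PCRE is anchored relative to the end of the preceding content match (the "R" modifier). The host name cnc.example.net is an assumed placeholder, "MyAgent" is the deck's own placeholder string, and the sample requests are constructed.

```python
"""Snort-style HTTP C&C signature checks over raw requests (added example)."""
import re

BAD_HOSTS = {b"cnc.example.net"}                 # slide 20 "HTTP host" (assumed value)
BAD_USER_AGENT = b"User-Agent: MyAgent"          # content:"User-Agent|3a| MyAgent";
CHECKIN_PARAMS = (b"guid=", b"ver=", b"stat=", b"ie=", b"os=")  # uricontent:"..." x5
COOKIE_ANCHOR = b"\r\nCookie: cid="              # content:"|0D 0A|Cookie|3a| cid=";
COOKIE_PCRE = re.compile(rb"^\d{4}\r$", re.M)    # pcre:"/^\d{4}\r$/Rm";


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, {lowercased header: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def check_request(raw: bytes) -> list:
    """Return the names of the slide 20-21 indicators that match the request."""
    hits = []
    _method, uri, headers = parse_request(raw)

    # 3. HTTP host: exact match against a list of known C&C hosts
    if headers.get(b"host", b"").lower() in BAD_HOSTS:
        hits.append("host")

    # 4. HTTP User-Agent: content match anywhere in the payload, as Snort does
    if BAD_USER_AGENT in raw:
        hits.append("user-agent")

    # 5. Check-in URI: every uricontent fragment must occur in the URI.
    #    Substring semantics, so "ver=" would also match "server=" (false-positive source).
    if all(p in uri for p in CHECKIN_PARAMS):
        hits.append("checkin-uri")

    # 6. Cookie: locate the content anchor, then apply the PCRE relative to its end
    idx = raw.find(COOKIE_ANCHOR)
    if idx != -1 and COOKIE_PCRE.match(raw[idx + len(COOKIE_ANCHOR):]):
        hits.append("cookie")
    return hits


# Constructed sample requests (not real captures).
SAMPLES = {
    "checkin": (
        b"GET /gate.php?guid=1234&ver=2&stat=1&ie=8&os=5.1 HTTP/1.1\r\n"
        b"Host: cnc.example.net\r\n"
        b"User-Agent: MyAgent\r\n"
        b"Cookie: cid=0042\r\n\r\n"
    ),
    "benign": (
        b"GET /index.html?ver=3 HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"User-Agent: Mozilla/5.0\r\n"
        b"Cookie: cid=12345\r\n\r\n"          # five digits: PCRE does not match
    ),
    "cookie_only": (
        b"GET / HTTP/1.1\r\n"
        b"Host: www.example.org\r\n"
        b"User-Agent: Mozilla/5.0\r\n"
        b"Cookie: cid=9876\r\n\r\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {check_request(raw) or 'no match'}")
```

The cookie check is the one worth studying: a Snort `pcre` with the `R` modifier starts matching where the previous `content` ended, which is why the example slices the buffer at the anchor instead of searching the whole request; searching instead would let `^\d{4}\r$` match any four-digit line anywhere in the headers.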
  24. 2. 1. C&C protocol: FTP Control Connection; DNS Query payload; HTTP Request Header; SMTP Mail Body MIME (Malware base64); SMTP MIME
  25. 2. FTP Control Connection
  26. 2. SMTP Mail Body MIME
  27. 2. 2. SSL/TLS, SSL-Proxy
  28. 2. 3. Data Leaking Detection data
  29. 2. 4. IE6
  30. 2. 5. pdf (IE 5.0.2?)
  31. 2. 6. PCRE pattern matching 7. DNS monitoring in run time: Fast-Flux, DGA (run time)
  32. APT. Mila pcap files
  33. VirusTotal
  34. 3. 1. Malware/APT 2. 3. IDS engine rule set Malware/APT 4.
  35. 4.
      1. http://contagiodump.blogspot.tw/2013/04/collection-of-pcap-files-from-malware.html
      2. http://www.snort.org/
      3. http://www.anti-botnet.edu.tw/
      4. http://www.wireshark.org/
      5. http://www.openinfosecfoundation.org/
  36. Thanks for your attention. Q&A. "As the host of heaven cannot be numbered, neither the sand of the sea measured." Jer 33:22
  37. 5 Anti-Botnet
  38. 5
  39. 5
  40. 5
  41. 5
  42. 5
  43. BoT2014? In case I don't see you, good afternoon, good evening, and good night.
  45. 2013 packet traces (the 75 pcap files used for the detection-rate test)
      1. BIN_Andromeda_85F908A5BD0ADA2D72D138E038AECC7D_2013-04.pcap
      2. BIN_ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.pcap
      3. BIN_Bitcoinminer_12E717293715939C5196E604591A97DF-2013-05-12.pcap
      4. BIN_CitadelPacked_2012-05.pcap
      5. BIN_CitadelUnpacked_2012-05.pcap
      6. BIN_Cutwail_284Fb18Fab33C93Bc69Ce392D08Fd250_2012-10.pcap
      7. BIN_Cutwail-Pushdo(1)_582DE032477E099EB1024D84C73E98C1.pcap
      8. BIN_Cutwail-Pushdo(2)_582DE032477E099EB1024D84C73E98C1.pcap
      9. BIN_Darkmegi_2012-04.pcap
      10. BIN_DarknessDDoS_v8g_F03Bc8Dcc090607F38Ffb3A36Ccacf48_2011-01.pcap
      11. BIN_dirtjumper_2011-10.pcap
      12. BIN_DNSChanger_2011-12.pcap
      13. BIN_DNSWatch_protux_4F8A44EF66384CCFAB737C8D7ADB4BB8_2012-11.pcap
      14. BIN_Drowor_worm_0f015bb8e2f93fd7076f8d178df2450d_2013-04.pcap
      15. BIN_Enfal_Lurid_0fb1b0833f723682346041d72ed112f9_2013-01.pcap
      16. BIN_GameThief_ECBA0FEB36F9EF975EE96D1694C8164C_2013-03.pcap
      17. BIN_Gh0st_variant-v2010_B1D09374006E20FA795B2E70BF566C6D_2012-08.pcap
      18. BIN_Googledocs_macadocs_2012-12.pcap
      19. BIN_Gypthoy_3EE49121300384FF3C82EB9A1F06F288.pcap
      20. BIN_Hupigon_8F90057AB244BD8B612CD09F566EAC0C.pcap
      21. BIN_Imaut_823e9bab188ad8cb30c14adc7e67066d.pcap
      22. BIN_IRCbot_c6716a417f82ccedf0f860b735ac0187_2013-04.pcap
      23. BIN_IXESHE_0F88D9B0D237B5FCDC0F985A548254F2-2013-05.pcap
      24. BIN_Kelihos_aka_Nap_0feaaa4adc31728e54b006ab9a7e6afa.pcap
  46. 2013 packet traces (continued)
      25. BIN_Kuluoz-Asprox_9F842AD20C50AD1AAB41F20B321BF84B.pcap
      26. BIN_LetsGo_yahoosb_b21ba443726385c11802a8ad731771c0_2011-07-19.pcap
      27. BIN_Likseput_E019E37F19040059AB5662563F06B609_2012-10.pcap
      28. BIN_LoadMoney_MailRu_dl_4e801b46068b31b82dac65885a58ed9e_2013-04.pcap
      29. BIN_LURK_AF4E8D4BE4481D0420CCF1C00792F484_20120-10.pcap
      30. BIN_MatsnuMBRwiping_1B2D2A4B97C7C2727D571BBF9376F54F.pcap
      31. BIN_Mediana_0AE47E3261EA0A2DBCE471B28DFFE007_2012-10.pcap
      32. BIN_Nettravler_1f26e5f9b44c28b37b6cd13283838366.pcap
      33. BIN_Nettravler_DA5832657877514306EDD211DEF61AFE_2012-10.pcap
      34. BIN_Ponyloader-Zeus_B10393BE747143F3B4622E9E5277FFCE.pcap
      35. BIN_PowerLoader_4497A231DA9BD0EEA327DDEC4B31DA12_2013-05.pcap
      36. BIN_Ramnitpcap_2012-01.pcap
      37. BIN_Reedum_0ca4f93a848cf01348336a8c6ff22daf_2013-03.pcap
      38. BIN_RssFeeder_68EE5FDA371E4AC48DAD7FCB2C94BAC7-2012-06.pcap
      39. BIN_Sanny-Daws_338D0B855421867732E05399A2D56670_2012-10.pcap
      40. BIN_SpyEye_2010-02.pcap
      41. BIN_Stabuniq_F31B797831B36A4877AA0FD173A7A4A2_2012-12.pcap
      42. BIN_Taidoor_40D79D1120638688AC7D9497CC819462_2012-10.pcap
      43. BIN_Tapaoux_60AF79FB0BD2C9F33375035609C931CB_winver_2011-08-23.pcap
      44. BIN_Tbot_23AAB9C1C462F3FDFDDD98181E963230_2012-12.pcap
      45. BIN_Tbot_2E1814CCCF0C3BB2CC32E0A0671C0891_2012-12.pcap
      46. BIN_Tbot_5375FB5E867680FFB8E72D29DB9ABBD5_2012-12.pcap
      47. BIN_Tbot_A0552D1BC1A4897141CFA56F75C04857_2012-12.pcap
      48. BIN_Tbot_FC7C3E087789824F34A9309DA2388CE5_2012-12.pcap
  47. 2013 packet traces (continued)
      49. BIN_Tinba_2012-06.pcap
      50. BIN_TrojanCookies_840BD11343D140916F45223BA05ABACB_2012_01.pcap
      51. BIN_UStealD_2b796f11f15e8c73f8f69180cf74b39d.pcap
      52. BIN_Vobfus_634AA845F5B0B519B6D8A8670B994906_2012-12.pcap
      53. BIN_Wordpress_Mutopy_Symmi_20A6EBF61243B760DD65F897236B6AD3-DeepEndR.pcap
      54. BIN_Wordpress_Mutopy_Symmi_20A6EBF61243B760DD65F897236B6AD3-ShortRun.pcap
      55. BIN_Xpaj_2012-05.pcap
      56. BIN_ZeroAccess_3169969E91F5FE5446909BBAB6E14D5D_2012-10.pcap
      57. BIN_ZeroAccess_Sirefef_29A35124ABEAD63CD8DB2BBB469CBC7A_2013-05.pcap
      58. BIN_Zeus_b1551c676a54e9127cd0e7ea283b92cc-2012-04.pcap
      59. BIN_ZeusGameover_2012-02.pcap
      60. Citadel_3D6046E1218FB525805E5D8FDC605361-2013-04.pcap
      61. EK_BIN_Blackhole_leadingto_Medfos_0512E73000BCCCE5AFD2E9329972208A_2013-04.pcap
      62. EK_Blackhole_55A60EBB5EC6079C52CEDB6CB1DC48AD.pcap
      63. EK_Blackhole_Java_CVE-2012-4681_2012-08.pcap
      64. EK_Blackholev1_2012-03.pcap
      65. EK_Blackholev1_2012-08.pcap
      66. EK_Blackholev2_2012-09.pcap
      67. EK_Smokekt150(Malwaredontneedcoffee)_2012-09.pcap
      68. HorstProxy_EFE5529D697174914938F4ABF115F762-2013-05-13.pcap
      69. Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03.pcap
      70. OSX_DocksterTrojan.pcap
  48. 2013 packet traces (continued)
      71. PassAlert_B4A1368515C6C39ACEF63A4BC368EDB2-2013-05-13.pcap
      72. PDF_CVE-2011-2462_Pdf_2011-12.pcap
      73. purplehaze.pcap
      74. RTF_Mongall_Dropper_Cve-2012-0158_C6F01A6AD70DA7A554D48BDBF7C7E065_2013-01.pcap
      75. XTremeRAT_DAEBFDED736903D234214ED4821EAF99_2013-04-13.pcap
