Comment détecter des virus inconnus en utilisant des « honey pots » et d’autres technologies (David Girard & Anthony Arrott)

Detecting Unknown Malware using Network
Behavior Correlation

Correlation Technology

• A network behavior correlation technology used to detect known and unknown
malware.

• Currently implemented in an out-of-band network sensor appliance called the “Threat
Discovery Appliance” which is bundled with a series of different service packages
known collectively as “Threat Management Services”.

• Adoption of this technology in other Trend Micro products is ongoing.

Copyright 2007 - Trend Micro Inc.
Paramount Q1 2008 - 2

Correlation Technology


How Do We Analyze Network Traffic?

Assemble packets into one stream

Extract embedded files & send to scanning engines

Extract embedded URLs and perform WRS check

Scan the traffic stream for exploits and network worms

Perform single-session correlation on the traffic stream


Protocol Support

We currently support over 40 protocols using port agnostic protocol detection to accurately
identify protocols regardless of the port used

Network Services Web Traffic
DNS HTTP
DCE-RPC SSH
Telnet AIM
RDP IRC
VNC
Supported
Protocols
File Transfer Email and Messaging
FTP SMTP
TFTP POP3
SMB Gmail
Yahoo Mail
Hotmail


What We Do
• The Threat Analysis Group is a department of the Network Content Security Group and is
responsible for the operations that utilize our correlation technology.

• Over the years we have developed and improved upon several dedicated malware
replication systems, also known as “sandboxes”. These systems are responsible for executing
malware and logging all of their activities.

• Early on, we processed current malware along with a few years backlog of older samples.
Analysis of this network traffic provided us with the data used to create a majority of our early
ruleset. These rules are generic in nature and based upon the common behavior of different
malware types.

• Due to the volatile nature of malware, we determined that older samples were not worth our
time any longer and now focus solely on brand new malware, utilizing various feeds of
malware samples. Nowadays, the majority of our new rules focus on specific malware families.


What characteristics are we looking for

Downloaders

Packed / Compressed Executables

Names of downloaded files
belong to system files
svchost.exe winlogon.exe lsass.exe

File extension do not match
expected file type
JPG extension but file is actually EXE

Unique / Unknown
HTTP user-agents

7 Copyright 2007 - Trend Micro Inc.


Spyware/Grayware

Unique / Unknown
HTTP user-agents

Names of downloaded
files belong to trademarked/copyrighted
spyware applications
Gain, Media Motor, Hotbar, SpySherrif



Backdoors

Rogue services
Un-authorized SMTP, HTTP servers
Opened ports

Loopback commands shells
Loopback command shells
DOS Shell visible at the network traffic

Non standard service ports
HTTP Traffic on non HTTP port



Mass mailers
Attachments with long filenames
(space padded)

File extensions do not match
expected file type

File inside archive attachment
contains double extension

Packed files

Suspicious URLs in message body



Bots

IRC traffic
Bad NICKs, channelnames, bot commands

Non-standard service ports
Typically HTTP or IRC
Ex. IRC traffic on port 8080 (HTTP proxy)

File transfers to
blacklisted domains


Scenario

Corporate Network

Rule 8 - Packed executable
file dropped on a network
share

C$

WORM_AGOBOT,
Admin$
PE_LOOKED


Scenario

External Mail Server

Internet

Corporate Network

Internal Mail Server
WORM_NETSKY,
WORM_MYTOB,
WORM_AGOBOT


Scenario

IRC Server

Internet

Corporate Network
Rule 26 - IRC session
Rule 7 - IRC BOT established with a known
commands found bad C&C

WORM_IRCBOT.EN


Scenario

Malicious
Website

Internet

Corporate Network
Rule 88 - HTTP requests
attempted to download known
Malware-
Malware-used filenames

TROJ_DLOADER,
TROJ_AGENT


Rule Descriptions
Monitored client is receiving email with phishing link (External)
Rule ID: 72
Scenario: SMTP server receives phishing emails
Email sender domain is in list of commonly phished domains and email contains
IP address
The email will trigger rule ID 72, direction is external

Sender: customerservice@ebay.com
URL: http://70.88.210.45:81/ebay.com/index.html

Monitored Network

Rule Descriptions
Monitored client is sending out phishing email (Internal)
Rule ID: 72
Scenario: Infected host is sending phishing emails
Email sender domain is in list of commonly phished domains and email contains
IP address
The email will trigger rule ID 72, direction is internal

Sender: customerservice@ebay.com
URL: http://70.88.210.45:81/ebay.com/index.html

Monitored Network

Rule Descriptions
Hacking attempt
Rule ID: 38 & 15
Fields of interest: username (not SMB)

• This rule is triggered when a certain threshold of failed login attempts is
reached. Below are the details of these thresholds per protocol.
• For the SMB protocol, the possible attacker is the destination IP address.

Rule ID 38 Rule ID 15
Protocol (threshold trigger) (threshold trigger)
FTP =4x =20x
POP3 =4x =20x
*Cisco Telnet =3x =6x
**SMB =12x =18x


Rule Descriptions
Hacking attempt
Rule ID: 38 & 15
Scenario: Infected Host brute force attacks other hosts within monitored network
There are a high number of failed login attempts on each attacked host
The attacks will trigger rule IDs 38 & 15, direction is internal for both

15 failed SMB logins

21 failed SMB logins

Monitored Network

Rule Descriptions
Monitored client is downloading a suspicious file.
Rule ID: 66
Scenario: Host downloads an executable file from web site
Web server reports content type as image/gif
This event will trigger rule ID 66, direction is external

HTTP Response reports
content type as: image/gif
But file is actually executable

Monitored Network


Rule Descriptions
Monitored client is using a protocol on a non-standard port.
Rule ID: 33
Fields of interest: nickname, channelname
• The Internet Relay Chat (IRC) protocol typically uses a port in the
range of 6665-6669. It is common for malicious IRC bots to use non-
standard ports for their communication.
• This rule is triggered when an incoming or outgoing connection is
detected using the IRC protocol on a port outside of this range. There
is still a chance this is legitimate IRC traffic, but more likely it is a “bot”
communication.


Rule Descriptions
Monitored client has a malware that is communicating to an external
party.
Rule ID: 33
Scenario: Infected host is communicating with an IRC C&C server using the IRC
protocol, but using port 8080 instead of one of the standard ports in the range
of 6665-6669.
This communication will trigger rule ID 33, direction is internal but could just as
well be external if the response was captured instead.

Port: 8080

Monitored Network

Relevance Rules
How It Works (Zeus)

Create a profile based Relevance Pattern! differences
Group the packet captures of the same family
Create the on similarities and


Relevance Rules
Possible Relevance Rule for Hupigon

MD5: 5e3831266f8d68bc3713c35963a39f75

MD5: fbdc7c613fb23527929c18eb55fad5f0

GET /*.txt HTTP/1.0rnUser-Agent: *rnHost: *rnPragma: no-cachern
MD5: 5e5c3e7cbc5ca7ecb48964494519068d
Note: * wildcard for any

MD5: 46fd78ea03e2e8a6a07196f791fbb03c


Relevance Rules
• With the power and flexibility of the scripting language we use to create rules,
we are able to perform calculations and bitwise operations in order to validate
custom malware protocols such as the one used by the Palevo
(Mariposa/Butterfly) bot.


Rule Correlation
• We are limited to correlating only the data within a single
session, and in a single direction. For example, we can
correlate the data within an HTTP request or an HTTP
response, but not between the two.
• To address this issue, further correlation is performed in a
separate process on these initial events generated.
• With this approach, any type of correlation is possible, and the
results are quite powerful. Reports are delivered that can
pinpoint confirmed malware infections so the customer does not
have to analyze logs and make his own determinations.


Our Threat Assessment Results
Despite having the most current industry standard security
technology…
• 100% of companies had active malware
• 72% of companies had one or more IRC bots
• 56% of companies had information stealing malware
• 50% of companies had 4 or more IRC bots
• 80% of companies had malware web downloads
• 42% of companies had a network worm (1)

• $6M = average total cost of a major data breach in 2008 (2)

1 Based on 130 assessments worldwide at company’s averaging over 7,484
employees and included representatives from the manufacturing, government,
education, financial services, retail, and healthcare industries.
2 Ponemon Institute

27

Detection Samples
Virut propagating via brute force login attempts and open shares


Detection Samples
IRC bot communicating with its C&C server


Detection Samples
Bot sending spam


Detection Samples
Drive-by download and downloaders


Detection Samples
Stuxnet!!


Comment détecter des virus inconnus en utilisant des « honey pots » et d’autres technologies (David Girard & Anthony Arrott)

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (13)

En vedette

En vedette (20)

Similaire à Comment détecter des virus inconnus en utilisant des « honey pots » et d’autres technologies (David Girard & Anthony Arrott)

Similaire à Comment détecter des virus inconnus en utilisant des « honey pots » et d’autres technologies (David Girard & Anthony Arrott) (20)

Plus de Hackfest Communication

Plus de Hackfest Communication (14)

Dernier

Dernier (20)

Comment détecter des virus inconnus en utilisant des « honey pots » et d’autres technologies (David Girard & Anthony Arrott)