Presentation is loading. Please wait.

Presentation is loading. Please wait.

1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.

Published byGeorgina Bruce Modified over 8 years ago

Similar presentations

Presentation on theme: "1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do."— Presentation transcript:

1 1

2 Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do malware’s behaviors taken together provide a compelling perspective on the life cycle of web-based malware? 2

3 System Architecture  The goal of the system detect harmful URLs on the web  The brief overview of the overall system they used in their prior work machine learning techniques are used to find suspicious URLs among a large number of web pages for verification in a virtual machine  The new extended system Responders 3

4 System Architecture 4 Over system architecture o Virtual machine used o Observed features: Links to known malware distribution sites Suspicious HTML element The presence of code obfuscation. o Machine learning system Scores if the URL has a high score o Verification results used to retrain the machine learning system

5 System Architecture  They extended the system improving verification components with light-weight responders  Providing fabricated responses for protocols such as SMTP, FTP and IRC  HTTP proxy is to record all HTTP requests and scan all HTTP responses  Generic responder is to hand off connections over nonstandard ports and identify connections that use unknown protocols Responders 5

6  Network flow in the verification component 6

7 Life cycle of web-based malware o Malware’s interaction with other hosts and responders are organized into 3 categories: 1.Propagation 2.Data exfiltration 3.Remote control o They analyzed the post-infection activity and the result of these behaviors to find out the life cycle of web-based malware 7

8 Life cycle of web-based malware Data Set  In 2 months virtual machine analyzed URLs from 5,756,000 unique host names and report on unique names  At least one harmful URL in 307,000 hostnames  %49 of these websites had URLs that resulted in HTTP request initiated from process other than the web browser  %5 of the sites had URLs that activated responder session  The total number of responder sessions with transmitted data is more than 448,000  They observed that malware made network connections without transmitting data in many more cases 8

9 Life cycle of web-based malware Network characteristics  The destination ports of all outgoing connections from the virtual machine upon infection 9

10 Life cycle of web-based malware Network characteristics  They notified the number of unique hostnames for each port On these hosts at least one URL installs malware that transmitted data to that port  More than 400 different destination ports were connected This shows the diverse nature of malware’s post- infection network behavior 10

11  The exact distribution of HTTP connections destined to nonstandard ports according to the destination port number 11

12 Life cycle of web-based malware Discovery and Propagation  Malwares usually scan for other vulnerable systems either in the same lan or on the internet to propagate 12  This figure shows the network protocol distribution used by malware

13 Life cycle of web-based malware Reporting Home  To observe this activity SMTP responders are employed to capture emails  Each email captured has a subject and body 13

14 TABLE 1 Subject # Messages XP Hacked390 ProRat [...]162 Vip Passw0rds98 Log file from...82 Installation report76 Perfect Keylogger [...]47 Installation on XP succeeded12 E g y S p y KeyLogger [...]12 INFECTADO6 Mais 1: XP3 AVSXP3 C-h-e-c-k-i-n-g:XP2...:Noticia quentinha de:... XP 2  Table 1 shows that the most common email subjects SMTP Server# Messages yahoo.com436 google.com118 tvm.com.tr98 aol.com82 hotmail.com19 outblaze.com8 globo.com6 Life cycle of web-based malware Reporting Home Table 2 above shows that the common SMTP servers used by malware to send installation reports 14

15 Life cycle of web-based malware Reporting Home GET /geturl.php?version=1.1.2&fid=7493&mac=00-00-00-00-00- 00&lversion=&wversion=&day=0&name=dodolook&recent=0 HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; ) Host: loader.51edm.net:1207 Cache-Control: no-cache  The HHTP protocol is also used to report successful installations back to malware authors  The trojan example: 15

16 Life cycle of web-based malware Reporting Home  Malware also reported infections using a custom XML-like format HGZ5. 2008-01-28 12:55:30 80 _& Windows XP 5.1 XP 488 Ver1.22-0624 1 0 0.0.0.0 000...... - 25 XP English (United States) Windows XP 1024MB 2200 MHz LAN 0 - 16

17 Life cycle of web-based malware Data exfiltration  There are indications of data exfiltration in responder sessions such as browser history files and stored passwords o In their observation, they found some emails that send back stored password from a compromised machine o HTTP is also used for sending sensitive information back to data collection servers (notice the large number of POST requests on the graph on slide #11) 17

18 Life cycle of web-based malware Data exfiltration  In 2 days, one server had 4,729 files including more than 250,000 valid email addresses  They found more sensitive information in extensive logs continuously uploaded by malware Logs have victim’s IP address, DNS server, gateway, MAC address, username, URL, intercepted form and password fields of HTTP request o In 250MB logs, 500 usernames and passwords were found for over 250 web sites such as banking site, google.com, yahoo.com, etc. 18

19 Life cycle of web-based malware Joining Botnets  Botnets  They encountered 2 types of botnets in their work: 1.IRC Botnets 2.HTTP Botnets 19

20 Life cycle of web-based malware IRC Botnets  IRC and C&C communication  IRC sessions to 90 servers were observed using 1587 different nicknames in 95 channels 20

21 Life cycle of web-based malware IRC Botnets  Some malwares use regular nicknames and channels, but some of them use artificial nicknames such as [0]USA|XP[P]152102 or Inject-2l087876 21

22 Life cycle of web-based malware HTTP Botnets  Organize large-scale spam campaigns  To participate in spam campaigns each bot repeatedly downloaded ZIP-archives with instructions using HTTP requests  Each response has a ZIP-archive with instructions on how to participate in spam campaigns 22

23 Life cycle of web-based malware HTTP Botnets  Some example instructions:  000_data22 - a list of domains and their authoritative name severs used to form the sender's email address  001_ncommall - a list of common first names used as part of the sender's email address  002_otkogo_r - a list of possible ``from'' names related to the subject of the spam campaign  003_subj_rep - a list of possible email subjects,  004_outlook - the template of the spam email,  config - a configuration file that instructs the bot how to construct emails from the data files, how many emails to sent in total, and how many connections are allowed at a given time,  message - the message body of the spam campaign,  mlist - a list of email addresses to which to send the spam,  andmxdata - a binary file containing information about the mail- exchange servers for the email addresses in mlist 23

24 Life cycle of web-based malware HTTP Botnets Top domains out of 700,000 email addresses collected from a spam- sending botnet. Email DomainFrequency yahoo.com28899 sbcglobal.net14417 yahoo.co.uk8939 shaw.ca8321 hotmail.com6985 korea.com6041 yahoo.co.jp5215 striker.ottawa.on.ca4415 web.de4276 yahoo.co.in 4200 o The most frequent domains captured in an hour didn’t entirely overlap with the larger data set 24

25 Summary and Conclusion 25

Download ppt "1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do."

Similar presentations

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Communicating Information: Web Design. It’s a big net HTTP FTP TCP/IP SMTP protocols The Internet The Internet is a network of networks… It connects millions.

Communicating Information: Web Design. It’s a big net HTTP FTP TCP/IP SMTP protocols The Internet The Internet is a network of networks… It connects millions.
Content  Overview of Computer Networks (Wireless and Wired)  IP Address, MAC Address and Workgroups  LAN Setup and Creating Workgroup  Concept on.

Content  Overview of Computer Networks (Wireless and Wired)  IP Address, MAC Address and Workgroups  LAN Setup and Creating Workgroup  Concept on.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Application Layer  We will learn about protocols by examining popular application-level protocols  HTTP  FTP  SMTP / POP3 / IMAP  Focus on client-server.

Application Layer  We will learn about protocols by examining popular application-level protocols  HTTP  FTP  SMTP / POP3 / IMAP  Focus on client-server.
The Internet Useful Definitions and Concepts About the Internet.

The Internet Useful Definitions and Concepts About the Internet.
Layer 7- Application Layer

Layer 7- Application Layer
Internet…issues Managing the Internet

Internet…issues Managing the Internet
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.

2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.
INTRODUCTION TO WEB DATABASE PROGRAMMING

INTRODUCTION TO WEB DATABASE PROGRAMMING
Computer Concepts 2014 Chapter 7 The Web and E-mail.

Computer Concepts 2014 Chapter 7 The Web and .
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel 434920317 1.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
Computer Networking From LANs to WANs: Hardware, Software, and Security Chapter 12 Electronic Mail.

Computer Networking From LANs to WANs: Hardware, Software, and Security Chapter 12 Electronic Mail.
Networking Basics TCP/IP TRANSPORT and APPLICATION LAYER Version 3.0 Cisco Regional Networking Academy.

Networking Basics TCP/IP TRANSPORT and APPLICATION LAYER Version 3.0 Cisco Regional Networking Academy.
 TCP/IP is the communication protocol for the Internet  TCP/IP defines how electronic devices should be connected to the Internet, and how data should.

 TCP/IP is the communication protocol for the Internet  TCP/IP defines how electronic devices should be connected to the Internet, and how data should.
FTP (File Transfer Protocol) & Telnet

FTP (File Transfer Protocol) & Telnet
The Internet Writer’s Handbook 2/e Introduction to World Wide Web Terms Writing for the Web.

The Internet Writer’s Handbook 2/e Introduction to World Wide Web Terms Writing for the Web.
Lesson 2 — The Internet and the World Wide Web

Lesson 2 — The Internet and the World Wide Web
The Internet in Education Objectives Introduction Overview –The World Wide Web –Web Page v. Web Site v. Portal Unique and Compelling Characteristics Navigation.

The Internet in Education Objectives Introduction Overview –The World Wide Web –Web Page v. Web Site v. Portal Unique and Compelling Characteristics Navigation.

Similar presentations

Ads by Google