How to train observe your bot! Affan Syed Associate Professor, Systems and Networking (SysNet) Lab, National University of Computer & Emerging Sciences, Islamabad, Pakistan 1 What happens at the SysNet …. Should not stay at SysNet! Broad spectrum of systems research Funded by & Computer Science Electrical Engineering *e-Energy SDN for ISP networks Sigcomm CCR Botnets DSN, *S&P, *CCS Underwater WUWNet networks Energy harvesting and transference Smart-home & Smart-Grid IPSN Distributed Systems *= poster or demo 2 What is a Bot/Zombie without connectivity? "Zombie / Botnet network" by Sophos Presseinfo http://www.youthedesigner.com/wpcontent/uploads/2011/10/Zombie-Photo-01.jpg http://howto-get-rid-of.com/wp-content/uploads/2014/03/troian-virusworm.jpg Credit: Dreamworks “Shrek 2” Network activity is the defining feature of a botnet 3 Motivation: Boot-strapping Botnet Research Credit: www.sparkfun.com Credit: http://ok.gov/osbi/Forensic_Laboratory/Forensic_Services/Latent_Prints How can hobbyist/researchers easily observe live bot behavior where it manifests its true color? 4 Industrial solutions and disclosures Proprietary and expensive Limited release of bot behavior as blogs or papers (IP reasons?) Need a non-textual, technical, report for *our fav* bot! Other academic tools? Deployment and testbed details? High deployment cost and management/operational overhead Need a system with low deployment overhead and cost! Online services? Lets look at some online systems • Anubis • Comodo • Malwr (cuckoosandbox) Limited and sketchy network details; Also can’t change the execution environment Need to trigger all responses of a bot! 7 Goals of our work  Faithfully capture all network behavior  Do so at low-cost and operational overhead  Extensibility for evolving botnet landscape Key contributions  Operational contexts  Implementation of a system to – effects these contexts – low-cost, and low- operational overhead • to bootstrap effective academic research Generating a faithful fingerprint OPERATIONAL CONTEXTS & BOTS 10 Operational contexts*: In-the-wild  Network Configuration – Public vs Private  Machine Type Public VM’s – VM vs Bare-metal  User Activity Bare-metal Private – No activity vs Specific visits *Operational Context = Environmental conditions that can impact a bot’s network fingerprint Operational contexts: Under Observation  Observation Duration (time consideration) – Boot-strapping phase vs Quiescent  Containment Policy (ethical consideration) – Conservative vs liberal (or ethical vs useful!) Faithful Network Fingerprint: Operational Contexts Attack C&C Context difference Metadata Anti Analysis Stepping stone Network connections Ports opened Information stealing Banking Social media Sample Fingerprint Generating faithful fingerprints, varying operational contexts TITAN ARCHITECTURE 15 Titan: Design decisions GOALS DECISIONS  Faithful fingerprints Multiple execution for intra-context feature extractions  Ease of management Semi-automated containment  Low-cost design and deployment Few and low-end machines for testbed Serial fingerprint generation  Provides flexibility to extend its capabilities Modularity built into its design Open Sourced and community involvement Web Frontend  Binary submission  Operational context selection –execution machine –network configuration –user activity  Configuration forwarding to system manager System Manager and Execution Network      Chooses the machine to infect Converts configurations into commands Starts and Stops the experiment Facilitates in automation of containment Setup of host machines Containment and Logging Modules  Semi-automation of traffic filtering rules  Implement containment policy  Log containment decisions and user traffic Fingerprint Generation Engine  XML fingerprint schema  Performs various operations on collected logs  Provides to the user for display Titan Architecture: Workflow Multiple iterations for a single operational context; Operational contexts to execute selected by user! 3 2 1 Selecting context 1010 0110 9 Forwarding configuration Representation of Results Web Front End Configuration of system & network Containing and forwarding traffic 4 System Manager Containment Module 6 Generation of 8 fingerprints Resetting the 7a Network Fingerprint Generation Engine 10 Selecting rule set (optional) Logging traffic Logging 5 Logging decisions Internet 7b Updating rule set Data Traffic Control & Management Traffic How we achieve low-cost, and reduce deployment complexity IMPLEMENTATION 22 Titan Implementation  Minimum of 2 desktop-class machines – Three, now, with support for bare-metal execution – Can increase machines (virtual and physical) to generate LAN connectivity and scanning observation (TBD)  Connected via a L2 switch Now: Bare Metal Machine bootup and multiple 23OS System Manager and Execution Platform  Execution Platform: XEN hypervisor – Clones VM from a base VM  System manager: Python & shell scripts – responsible for creating operational context 24 Recreating Operational contexts  User emulation  AutoIt Scripts  Network context  using two-stage NAT – Fool bot into thinking it has a public IP Public IP Private IP 208.x.x.x 10.1.x.x AutoIt scripts Public IP 208.x.x.x Containment Module  Pox controller with Open vSwitch on the Gateway  All traffic also passes through attack sensors – – – – – – exe_detect DoS_detect netscan_detect spam_detect inject_detect info_detect Possible throughput hit; but who cares!  All traffic is malicious – More reliable attack sensors Now: custom sensors can be added organically to the containment module 26 Containment Methodology: First Iteration  Allow only TCP handshakes ―Fools bot into thinking it has access but CnC not responding in the “right” way ―Detect CnC contact mechanisms Containment Module C&C 1 Network Traffic TCP sensor Attack sensor Bot infected machine C&C 2 Drop attack traffic, add to blacklist Containment Methodology: Second Iteration  C&C communication allowed  Only TCP handshake for new traffic C&C 1 Containment Module TCP sensor TCP handshake Network Traffic Other m/c Attack sensor Bot Infected machine C&C 2 Drop attack traffic, add to blacklist Containment Methodology: Third Iteration  Observer bot behavior for long interval  Detect any network attacks launched C&C 1 Containment Module TCP sensor Connection Establishment Network Traffic Other m/c Attack sensor Bot Infected machine C&C 2 Drop attack traffic, add to blacklist Advanced users: go for 4th and beyond If attack sensor are inaccurate, malicious traffic might leak! Titan Implementation: Fingerprint Generation  Process raw traffic to generate context-specific features ― attack features from logs ― C&C features from bro, nmap, google safe browsing api, MaxMind GeoIP db, Python Requests library  Looks at differences between fingerprints to extract the context-specific behavior. EVALUATION 32 Validating Effective Fingerprint Generation  Deployed a zeus botnet infrastructure -- our zeus bot reports network configuration -- performed experiment in both Public & Private setting Private Context Public Context Fingerprint Cryptolocker : Then  Fingerprint of CryptoLocker --analyzed a binary of the CryptoLocker botnet We detected a DGA feature Cryptolocker: Now Ans: DGA updated to avoid detection --exactly the information we wanted to observe ourself! So what happened? Conclusion  A tool the can recreate operational contexts that impact a bot’s network behavior  Is open sourced and extensible – Some of the attack and CnC feature are raw and need update  Lots of --- and continuous --- update need to keep the tool relevant – Invite people to consider hosting this and carrying the idea forward! – The project funding (and any funneling) ends in Aug! Acknowledgements     Osama Haq Waqar Ahmed Mujtaba Ahmed Ashad 37 For more information and source code visit http://sysnet.org.pk/w/Titan Contact person: [email protected] Live demo at: titan.bot.nu:8888 Questions 38 42 Fingerprint: A Taxonomy C&C Attack Context difference Metadata Single Experiment features Intra-context features Command & Control Features Attack Context difference Type HTTP IRC Metadata C&C IP Location Connection frequency UR L Redirection Safe browsing status Service Port Evasion Volume IP flux Domain flux Attack Features C&C Context difference DoS Metadata Scan Attack Spam Info steal SQL Inject Exe transfer Experiment Metadata Attack C&C Context difference Metadata Binary MD5 Experiment Info Bot Family Network Start time Duration connections