How to train observe your bot! Affan Syed Associate Professor,

How to train observe your bot!
Affan Syed
Associate Professor,
Systems and Networking (SysNet) Lab,
National University of Computer & Emerging Sciences,
Islamabad, Pakistan
1
What happens at the SysNet …. Should not stay at SysNet!
Broad spectrum of systems research
Funded by
&
Computer Science
Electrical Engineering
*e-Energy
SDN for ISP networks
Sigcomm CCR
Botnets
DSN, *S&P, *CCS
Underwater WUWNet
networks Energy harvesting
and transference
Smart-home &
Smart-Grid
IPSN
Distributed Systems
*= poster or demo
2
What is a Bot/Zombie without connectivity?
"Zombie / Botnet network" by
Sophos Presseinfo
http://www.youthedesigner.com/wpcontent/uploads/2011/10/Zombie-Photo-01.jpg
http://howto-get-rid-of.com/wp-content/uploads/2014/03/troian-virusworm.jpg
Credit: Dreamworks “Shrek 2”
Network activity is the defining feature of a botnet
3
Motivation: Boot-strapping Botnet Research
Credit: www.sparkfun.com
Credit: http://ok.gov/osbi/Forensic_Laboratory/Forensic_Services/Latent_Prints
How can hobbyist/researchers easily observe live bot behavior where it manifests
its true color?
4
Industrial solutions and disclosures
Proprietary and expensive
Limited release of bot behavior as
blogs or papers (IP reasons?)
Need a non-textual, technical, report for *our fav* bot!
Other academic tools?
Deployment and testbed details?
High deployment cost and management/operational overhead
Need a system with low deployment overhead and cost!
Online services?
Lets look at some online
systems
• Anubis
• Comodo
• Malwr
(cuckoosandbox)
Limited and sketchy network details;
Also can’t change the execution environment
Need to trigger all responses of a bot!
7
Goals of our work
 Faithfully capture all network behavior
 Do so at low-cost and operational overhead
 Extensibility for evolving botnet landscape
Key contributions
 Operational contexts
 Implementation of a system to
– effects these contexts
– low-cost, and low- operational overhead
• to bootstrap effective academic research
Generating a faithful fingerprint
OPERATIONAL CONTEXTS & BOTS
10
Operational contexts*: In-the-wild
 Network Configuration
– Public vs Private
 Machine Type
Public
VM’s
– VM vs Bare-metal
 User Activity
Bare-metal
Private
– No activity vs Specific visits
*Operational Context = Environmental conditions that can impact a bot’s network
fingerprint
Operational contexts: Under Observation
 Observation Duration (time consideration)
– Boot-strapping phase vs Quiescent
 Containment Policy (ethical consideration)
– Conservative vs liberal (or ethical vs useful!)
Faithful Network Fingerprint: Operational Contexts
Attack
C&C
Context difference
Metadata
Anti Analysis Stepping stone
Network
connections
Ports opened
Information
stealing
Banking Social
media
Sample Fingerprint
Generating faithful fingerprints, varying operational contexts
TITAN ARCHITECTURE
15
Titan: Design decisions
GOALS
DECISIONS
 Faithful fingerprints
Multiple execution for intra-context feature
extractions
 Ease of management
Semi-automated containment
 Low-cost design and deployment
Few and low-end machines for testbed
Serial fingerprint generation
 Provides flexibility to extend its
capabilities
Modularity built into its design
Open Sourced and community involvement
Web Frontend
 Binary submission
 Operational context selection
–execution machine
–network configuration
–user activity
 Configuration forwarding to system manager
System Manager and Execution Network





Chooses the machine to infect
Converts configurations into commands
Starts and Stops the experiment
Facilitates in automation of containment
Setup of host machines
Containment and Logging Modules
 Semi-automation of traffic filtering rules
 Implement containment policy
 Log containment decisions and user traffic
Fingerprint Generation Engine
 XML fingerprint schema
 Performs various operations on collected logs
 Provides to the user for display
Titan Architecture: Workflow
Multiple iterations for a single operational context;
Operational contexts to execute selected by user!
3
2
1
Selecting context
1010
0110
9
Forwarding
configuration
Representation of
Results
Web
Front
End
Configuration of system
& network
Containing and forwarding
traffic
4
System
Manager
Containment
Module
6
Generation of
8
fingerprints
Resetting the
7a
Network
Fingerprint Generation
Engine
10
Selecting rule set (optional)
Logging
traffic
Logging
5
Logging
decisions
Internet
7b
Updating rule
set
Data Traffic
Control &
Management Traffic
How we achieve low-cost, and reduce deployment complexity
IMPLEMENTATION
22
Titan Implementation
 Minimum of 2 desktop-class machines
– Three, now, with support for bare-metal execution
– Can increase machines (virtual and physical) to generate LAN connectivity and
scanning observation (TBD)
 Connected via a L2 switch
Now: Bare Metal Machine bootup and multiple 23OS
System Manager and Execution Platform
 Execution Platform: XEN hypervisor
– Clones VM from a base VM
 System manager: Python & shell scripts
– responsible for creating operational context
24
Recreating Operational contexts
 User emulation  AutoIt Scripts
 Network context  using two-stage NAT
– Fool bot into thinking it has a public IP
Public IP
Private IP
208.x.x.x
10.1.x.x
AutoIt scripts
Public IP
208.x.x.x
Containment Module
 Pox controller with Open vSwitch on the Gateway
 All traffic also passes through attack sensors
–
–
–
–
–
–
exe_detect
DoS_detect
netscan_detect
spam_detect
inject_detect
info_detect
Possible throughput hit; but who cares!
 All traffic is malicious
– More reliable attack sensors
Now: custom sensors can be added
organically to the containment module
26
Containment Methodology: First Iteration
 Allow only TCP handshakes
―Fools bot into thinking it has access but CnC not responding in the
“right” way
―Detect CnC contact mechanisms
Containment Module
C&C 1
Network Traffic
TCP sensor
Attack sensor
Bot infected machine
C&C 2
Drop attack traffic,
add to blacklist
Containment Methodology: Second Iteration
 C&C communication allowed
 Only TCP handshake for new traffic
C&C 1
Containment Module
TCP sensor
TCP handshake
Network Traffic
Other m/c
Attack sensor
Bot Infected machine
C&C 2
Drop attack traffic, add
to blacklist
Containment Methodology: Third Iteration
 Observer bot behavior for long interval
 Detect any network attacks launched
C&C 1
Containment Module
TCP sensor
Connection Establishment
Network Traffic
Other m/c
Attack sensor
Bot Infected machine
C&C 2
Drop attack traffic, add
to blacklist
Advanced users: go for 4th and beyond
If attack sensor are inaccurate, malicious traffic might leak!
Titan Implementation: Fingerprint Generation
 Process raw traffic to generate context-specific features
― attack features from logs
― C&C features from bro, nmap, google safe browsing api, MaxMind GeoIP db,
Python Requests library
 Looks at differences between fingerprints to extract the context-specific
behavior.
EVALUATION
32
Validating Effective Fingerprint Generation
 Deployed a zeus botnet infrastructure
-- our zeus bot reports network configuration
-- performed experiment in both Public & Private setting
Private Context
Public Context
Fingerprint
Cryptolocker : Then
 Fingerprint of CryptoLocker
--analyzed a binary of the CryptoLocker botnet
We detected a DGA feature
Cryptolocker: Now
Ans: DGA updated to avoid detection --exactly the information we wanted to
observe ourself!
So what happened?
Conclusion
 A tool the can recreate operational contexts that impact a bot’s
network behavior
 Is open sourced and extensible
– Some of the attack and CnC feature are raw and need update
 Lots of --- and continuous --- update need to keep the tool
relevant
– Invite people to consider hosting this and carrying the idea forward!
– The project funding (and any funneling) ends in Aug!
Acknowledgements




Osama Haq
Waqar Ahmed
Mujtaba Ahmed
Ashad
37
For more information and source code visit
http://sysnet.org.pk/w/Titan
Contact person: [email protected]
Live demo at: titan.bot.nu:8888
Questions
38
42
Fingerprint: A Taxonomy
C&C
Attack
Context difference
Metadata
Single Experiment features
Intra-context features
Command & Control Features
Attack
Context
difference
Type
HTTP
IRC
Metadata
C&C
IP
Location
Connection frequency
UR
L
Redirection
Safe browsing status
Service
Port
Evasion
Volume
IP flux
Domain flux
Attack Features
C&C
Context
difference
DoS
Metadata
Scan
Attack
Spam
Info steal
SQL Inject
Exe transfer
Experiment Metadata
Attack
C&C
Context
difference
Metadata
Binary MD5
Experiment
Info
Bot Family
Network Start time Duration
connections