April 10, 2011 Salzburg, Austria - WOMBAT project

[Figure 4. Statistics of AV detected sessions and distribution of AV alerts. (a) Statistics of AV detected sessions; (b) Distribution of AV alerts.]

[Figure 5. Statistics of shellcode detected sessions and distribution of shellcodes. (a) Statistics of shellcode detected sessions; (b) Distribution of shellcodes.]

Finally, we examined the total number of each IDS alert; Figure 3(b) shows the distribution of IDS alerts. From Figure 3(b), we can see that the top 3 IDS alerts (i.e., MSSQL StackOverflow, SMB Large Return Field and Too Many SYNs for a TCP Connection) account for about 60% of all IDS alerts. In our further investigation, we observed that the first two IDS alerts aim to exploit very old vulnerabilities (i.e., CAN-2002-0649 [9] and CAN-2005-1206 [10]) of MSSQL and Windows SMB, respectively, and that they are still popular in 2011. However, it is unnatural to assume that attackers really tried to exploit these vulnerabilities, because in most cases the attempts will fail owing to the age of the vulnerabilities. Therefore, it could be said that attackers intentionally triggered these old IDS alerts before attacking their real targets in order to trick IDS operators: if IDS operators observe a large number of these old IDS alerts caused by a certain host, they will regard all of its IDS alerts as the usual false positives, and consequently fail to recognize a real attack hidden in the stack of usual false positives. This attack scenario was also introduced in [11].

3.3 Statistical Analysis of AV Detected Sessions

In this section, we describe the analysis results of honeypot data according to AV alerts. Figure 4 shows statistical information on AV detected sessions and the distribution of AV alerts. Figure 4(a) shows the number of sessions detected by Clam AntiVirus software (blue lines), the number of unique AV alerts on each day (brown lines) and the accumulated number of unique AV alerts (red lines).

In our investigation, we observed that among all 43,043,255 attack sessions, 165,717 sessions triggered AV alerts, and the average number of AV detected sessions per day was 166. Also, there were 5.5 unique AV alerts per day on average, and the total number of unique AV alerts was 832. From Figure 4(a), we can see that the number of AV detected sessions in the green area (i.e., from Sep. 4th 2008 to Oct. 4th 2008) is far larger than on the other days. Through our examination, we discovered that a large number of Trojan and phishing attacks happened during this period. Specifically, the 5 different types of malware shown in Table 5 were detected by Clam AV, and most AV alerts related to them were concentrated in this period alone. We also counted the total number of each AV alert, and Figure 4(b) shows the distribution of AV alerts. From Figure 4(b), we can see that the top 10 AV alerts account for about 50% of all AV alerts. In addition, it is easily seen that most AV alerts are related to Trojans, worms, phishing and email. The reason why there are many email related AV alerts is that we deployed a mail server for generating normal traffic data as well as several honeypots for collecting spam emails.

[Figure 6. Statistics of source IP addresses and destination ports, and distribution of destination ports. (a) Statistics of source IP addresses and destination ports; (b) Distribution of destination ports.]

3.4 Statistical Analysis of Shellcode Detected Sessions

Figure 5 shows statistical information on shellcode detected sessions and the distribution of shellcodes. Figure 5(a) shows the number of sessions detected by Ashula (blue lines), the number of unique shellcodes on each day (brown lines) and the accumulated number of unique shellcodes (red lines). In our investigation, we observed that among all 43,043,255 attack sessions, 2,818,133 sessions contained shellcodes, and the average number of shellcode detected sessions per day was 2,835. Also, there were 9 unique shellcodes per day on average, and the total number of unique shellcodes was 231. From Figure 5(a), we can see that the accumulated number of unique shellcodes increases rapidly from Oct. 29th 2008 to Nov. 21st 2008 (①). This means that many new shellcodes suddenly emerged during this period. As a result of our investigation, we discovered that this was caused by a famous malware, the Win32/Conficker worm (also known as Kido and Downadup), which aimed to exploit a new vulnerability of Windows OSes, i.e., MS08-067 [12]. In fact, the new vulnerability was first published on Oct. 23rd 2008, and in our honeypots we observed the first attack containing a shellcode for exploiting the vulnerability on Oct. 29th 2008. Since that first observation, we observed 27 new types of shellcodes associated with the Win32/Conficker worm up to Nov. 21st 2008. On Nov. 21st, the first version of the worm got into the wild. In addition, it is easily seen that the number of shellcode detected sessions increases dramatically from Aug. 4th 2009 (②). This is because we deployed a part of our honeypots such that they can communicate with the Win32/Conficker worm. In other words, we could obtain high quality shellcodes, which are sent by attackers only after session establishment. Finally, we counted the total number of each shellcode, and Figure 5(b) shows the distribution of shellcodes. From Figure 5(b), we can see that shellcode ID 58 accounts for about 88% of all shellcodes. Actually, this shellcode is used for exploiting the vulnerability of MS02-039 [13] or CAN-2002-0649 [9], and its malware name is MS-SQL Slammer [14].

3.5 Statistical Analysis of Source IP Addresses and Destination Ports

In this section, we present the analysis results of attack data according to source IP addresses and destination ports. Figure 6 shows statistical information on source IP addresses and destination ports, and the distribution of destination ports. Figure 6(a) shows the number of unique source IP addresses (blue lines) and unique destination ports (brown lines) on each day, and the accumulated number of unique source IP addresses (red lines) and unique destination ports (purple lines). In our investigation, we observed that the total numbers of unique source IP addresses and unique destination ports were 4,420,971 and 61,942, respectively. Also, the average numbers of unique source IP addresses and unique destination ports per day were 5,851 and 557, respectively. From Figure 6(a), we can see that the number of unique destination ports is tremendously large on Mar. 10th 2009 (①). In our investigation, we identified that an attacker compromised a single honeypot (Solaris) through ssh and carried out UDP flooding attacks¹. In fact, the number of

¹ All the attacks were blocked by our IDS and L3 filtering.

[Figure 7. Trend of the most popular destination ports.]
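The three series plotted in Figures 4(a), 5(a) and 6(a) (detected sessions per day, unique alerts or addresses per day, and the running total of unique values), the top-N share reported for Figures 3(b) and 4(b), and the per-host view that the Section 3.2 discussion of stale IDS alerts calls for can all be computed from one table of session records. The following is an added example written for this page; it is not the WOMBAT project's code. The Session record format, the alert labels used as sample values and the handful of session records are constructed for illustration, and the 20% "rare within host" threshold is an arbitrary assumption.

```python
"""Daily honeypot alert statistics of the kind plotted in Figures 4(a)-6(a),
the top-N share used for the distribution plots, and a per-host ranking that
does not write off a noisy host's alerts wholesale.

Added example; not the WOMBAT project's code. The record format and every
session record below are constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Session:
    day: date             # day the session was observed
    src: str              # source IP address (constructed, documentation ranges)
    dport: int            # destination port
    alert: Optional[str]  # alert label raised for the session, None if none


# Constructed sample: one host repeats two stale signatures and raises a single
# different alert in between; the other hosts are ordinary background traffic.
SESSIONS = [
    Session(date(2011, 3, 1), "192.0.2.10", 1434, "MSSQL StackOverflow"),
    Session(date(2011, 3, 1), "192.0.2.10", 445, "SMB Large Return Field"),
    Session(date(2011, 3, 1), "192.0.2.10", 1434, "MSSQL StackOverflow"),
    Session(date(2011, 3, 1), "192.0.2.10", 8080, "HTTP Directory Traversal"),
    Session(date(2011, 3, 1), "192.0.2.10", 445, "SMB Large Return Field"),
    Session(date(2011, 3, 1), "198.51.100.7", 80, None),
    Session(date(2011, 3, 2), "198.51.100.7", 22, "Too Many SYNs for a TCP Connection"),
    Session(date(2011, 3, 2), "192.0.2.10", 1434, "MSSQL StackOverflow"),
    Session(date(2011, 3, 2), "203.0.113.5", 25, None),
    Session(date(2011, 3, 3), "203.0.113.5", 445, "SMB Large Return Field"),
]


def daily_alert_statistics(sessions):
    """Return {day: (detected_sessions, unique_alerts, cumulative_unique)}.

    The three series of Figure 4(a)/5(a): sessions that raised an alert (blue),
    distinct alert labels that day (brown), running total of distinct labels (red).
    """
    per_day = defaultdict(list)
    for s in sessions:
        if s.alert is not None:
            per_day[s.day].append(s.alert)
    seen, out = set(), {}
    for day in sorted(per_day):
        alerts = per_day[day]
        seen.update(alerts)
        out[day] = (len(alerts), len(set(alerts)), len(seen))
    return out


def daily_unique_series(sessions, key):
    """Return {day: (unique_that_day, cumulative_unique)} for any field.

    With key=lambda s: s.src or key=lambda s: s.dport this gives the unique
    source IP / destination port series of Figure 6(a); all sessions count,
    alerted or not.
    """
    per_day = defaultdict(set)
    for s in sessions:
        per_day[s.day].add(key(s))
    seen, out = set(), {}
    for day in sorted(per_day):
        seen |= per_day[day]
        out[day] = (len(per_day[day]), len(seen))
    return out


def top_n_share(sessions, n):
    """Fraction of all alerts contributed by the n most frequent labels
    (the paper's "top 3 IDS alerts ~60%", "top 10 AV alerts ~50%" figures)."""
    counts = Counter(s.alert for s in sessions if s.alert is not None)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(c for _, c in counts.most_common(n)) / total


def rare_alerts_per_host(sessions, max_share=0.2):
    """Alert labels that are rare *within* each host's own alert stream.

    An operator who sees one host flood a stale signature may dismiss every
    alert from that host; ranking each host's alerts by share instead surfaces
    the odd one out. max_share is an assumed threshold, not from the paper.
    """
    by_host = defaultdict(Counter)
    for s in sessions:
        if s.alert is not None:
            by_host[s.src][s.alert] += 1
    rare = {}
    for host, counts in by_host.items():
        total = sum(counts.values())
        odd = sorted(a for a, c in counts.items() if c / total <= max_share)
        if odd and len(counts) > 1:   # a host with a single label has no "odd one out"
            rare[host] = odd
    return rare


if __name__ == "__main__":
    for day, row in daily_alert_statistics(SESSIONS).items():
        print(day, "detected/unique/cumulative:", row)
    print("unique src per day:", daily_unique_series(SESSIONS, lambda s: s.src))
    print("unique dport per day:", daily_unique_series(SESSIONS, lambda s: s.dport))
    print("top-3 share:", top_n_share(SESSIONS, 3))
    print("rare per host:", rare_alerts_per_host(SESSIONS))
```

On real data the same functions would be fed one record per honeypot session; the cumulative series is what makes a burst of genuinely new signatures (such as the Oct.-Nov. 2008 rise in Figure 5(a)) stand out from a burst of repeated ones, which only moves the per-day count.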
