April 10, 2011 Salzburg, Austria - WOMBAT project

ysis. In particular, we focus on W32.Downadup, which spreads very aggressively and caused a pandemic-scale outbreak in October 2008.

4.1 Study of W32.Downadup

W32.Downadup is equipped with multiple infection routes: the global network, the local network, and removable media. A computer infected by W32.Downadup scans 445/TCP on many global IP addresses in the Internet and then tries to exploit the vulnerability in the Windows Server Service (MS08-067 [18]). To avoid detection, the number of scan packets per unit time is automatically limited according to the condition of the computer. It can also infect via the Windows network and via removable media such as USB memory. W32.Downadup computes domain names with a time-seeded random domain name generator, attempts to resolve them, and then downloads an update file of itself, so that it can update itself autonomously without a fixed rendezvous point. In addition, W32.Downadup.C and later variants construct a P2P network for updating themselves. The bootstrap IP address and port number are also generated from time-seeded information, so no static rendezvous point is required. This strong infectability is what allowed W32.Downadup to cause a pandemic.

4.2 Detail of Darknet Sensors

As mentioned in Sect. 3.1, we have several sensors that monitor various types of darknet, such as /24 and /16 address blocks, and in total we monitor more than 140,000 darknet IP addresses. In the following sections, we introduce several case studies observed by four main sensors deployed in geographically distributed areas of Japan (Fig. 5). Sensor I monitors a /24 block of unused IP addresses (i.e., darknet) allocated from a /16 range of used IP addresses in which client and server computers are deployed (i.e., livenet).
The two /16 networks monitored by sensors III and IV consist of darknet areas and used areas in the same fashion as sensor I. In contrast, sensor II monitors a /16 block of darknet IP addresses that is completely unused. In terms of network address, sensors II and IV belong to the same /8 network, while the networks of sensors I and III each belong to a different /8 network.

Figure 5. Detail of Darknet Sensors (Sensor I: /24; Sensor II: /16; Sensors III and IV: /16; legend: Livenet (Used), Darknet (Unused))

4.3 Case Studies

Outbreak of W32.Downadup

Fig. 6 shows the moving average (duration: 10 days) of the number of hosts observed by each sensor from 2005 to 2011. In September 2008, we observed a rapid increase in the number of hosts that sent at least one TCP packet to our darknet sensors. The number of hosts rose to approximately eleven times that of the previous period, although it had been decreasing until then. On further analysis, we found that hosts accessing port 445/TCP (Fig. 7) dominate the hosts in Fig. 6. This port is widely used by the server service of the Windows OS family, in which critical vulnerabilities have been discovered frequently.

Figure 6. Number of Hosts on TCP (per sensor, 2005/01/01 to 2011/01/01)

Triggered by this observation, we conducted a further analysis to identify the malware that induced this phenomenon. First, as shown in Fig. 8, we profiled the scan behavior of one of the attacking hosts, illustrated by the Tiles [17]. Its scan behavior is translated into the following macro profile.
Protocol: TCP
TCP flag: SYN
Destination port: Single (445)
Source port: Multiple (2)
Destination IP address: Multiple (4 addresses)
Scan type: Network scan
Number of packets: 4 packets (4 packets/30 seconds)

This host sent two scan packets to an IP address and scanned 445/TCP of two IP addresses within 30 seconds. In our further investigation, we discovered that a tremendous number of attacking hosts had scan behavior similar to that of this host. With this profile, the Nemesys, the correlation analysis system, explored the malware samples that were captured by the honeypots around the same time as the attacks and that had scan behavior similar to that of the attackers. As a result, the Nemesys identified the emerging malware (i.e., W32.Downadup) that induced the phenomenon.

Figure 7. Number of Hosts on 445/TCP (per sensor, 2005/01/01 to 2011/01/01)

Figure 8. Scan Behavior Illustrated by Tiles (axes: time from start to end, source port number, destination port number, destination IP address)

Interestingly, the number of hosts observed by sensor II did not increase in September 2008. We assume this is because the original specimen of W32.Downadup scans only neighboring IP addresses, namely the class C (/24) block to which the infected computer belongs and the previous ten /24 blocks [19]. As mentioned above, there were no computers at all in the /16 network observed by sensor II, so this darknet was not targeted by W32.Downadup. Indeed, sensor II in Fig. 7 shows no increase at all in hosts accessing 445/TCP.

Emergence of a Variant of W32.Downadup

In March 2009, four months after the emergence of the original W32.Downadup, sensor II observed an increase in the number of hosts (Fig. 6) that scan random TCP port numbers. Most of these hosts also sent multiple UDP packets, although this is not illustrated in Fig. 6.
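The macro profile above is derived from the Tiles view by hand for one host; the following added example (not code from the nicter system or the paper) shows how the same profile can be computed for every source host from raw darknet packet records and how hosts with matching profiles are grouped, which is how a large population of identical 445/TCP scanners stands out. The packet records, address ranges and the scan-type heuristic (one destination port across several addresses is a network scan, several ports on one address is a port scan) are assumptions of the example, not details taken from the paper.

```python
"""Macro scan profiles of darknet sources.

Added example, not code from the nicter system or the paper: builds a
per-source macro profile (protocol, TCP flags, destination port, source
ports, destination addresses, scan type, packet rate) from packet records
and groups hosts with matching profiles. All records are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since start of observation
    proto: str      # "TCP" or "UDP"
    flags: str      # TCP flags, e.g. "S" for SYN ("" for UDP)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def group_by_host(packets):
    """Split packets into {source IP: [packets from that source]}."""
    by_host = defaultdict(list)
    for p in packets:
        by_host[p.src_ip].append(p)
    return dict(by_host)


def profile_host(packets, window=30.0):
    """Summarise one source host's packets into a macro profile dict."""
    if not packets:
        raise ValueError("profile_host needs at least one packet")
    dst_ports = Counter(p.dst_port for p in packets)
    dst_ips = Counter(p.dst_ip for p in packets)
    src_ports = {p.src_port for p in packets}
    flags = sorted({p.flags for p in packets if p.proto == "TCP" and p.flags})
    duration = max(p.ts for p in packets) - min(p.ts for p in packets)
    # Heuristic (assumed): one port over many addresses = network scan,
    # many ports on one address = port scan, anything else = mixed.
    if len(dst_ports) == 1 and len(dst_ips) > 1:
        scan_type = "Network scan"
    elif len(dst_ips) == 1 and len(dst_ports) > 1:
        scan_type = "Port scan"
    else:
        scan_type = "Mixed"
    if len(dst_ports) == 1:
        dst_port = f"Single ({next(iter(dst_ports))})"
    else:
        dst_port = f"Multiple ({len(dst_ports)})"
    return {
        "protocol": "/".join(sorted({p.proto for p in packets})),
        "tcp_flags": "/".join(flags) or "-",
        "dst_port": dst_port,
        "src_port": "Single" if len(src_ports) == 1 else f"Multiple ({len(src_ports)})",
        "dst_ip": "Single" if len(dst_ips) == 1 else f"Multiple ({len(dst_ips)} addresses)",
        "scan_type": scan_type,
        "packets": len(packets),
        # A burst shorter than the window is rated as if it filled one window.
        "packets_per_window": len(packets) * window / max(duration, window),
    }


def signature(profile):
    """The fields two hosts must share for their behaviour to count as the same."""
    return (profile["protocol"], profile["tcp_flags"], profile["dst_port"], profile["scan_type"])


def cluster_by_signature(packets, window=30.0):
    """Group source hosts by profile signature: {signature: [source IPs]}."""
    clusters = defaultdict(list)
    for host, pkts in group_by_host(packets).items():
        clusters[signature(profile_host(pkts, window))].append(host)
    return dict(clusters)


# Constructed sample records (documentation address ranges, not real captures).
SAMPLE_PACKETS = [
    # Host A: two SYNs to each of two addresses on 445/TCP, from two source ports
    Packet(0.0, "TCP", "S", "192.0.2.10", 1044, "198.51.100.7", 445),
    Packet(3.0, "TCP", "S", "192.0.2.10", 1044, "198.51.100.7", 445),
    Packet(12.0, "TCP", "S", "192.0.2.10", 1045, "198.51.100.9", 445),
    Packet(15.0, "TCP", "S", "192.0.2.10", 1045, "198.51.100.9", 445),
    # Host B: the same behaviour from another source; should cluster with A
    Packet(1.0, "TCP", "S", "192.0.2.11", 2001, "198.51.100.20", 445),
    Packet(4.0, "TCP", "S", "192.0.2.11", 2001, "198.51.100.20", 445),
    Packet(20.0, "TCP", "S", "192.0.2.11", 2002, "198.51.100.21", 445),
    Packet(23.0, "TCP", "S", "192.0.2.11", 2002, "198.51.100.21", 445),
    # Host C: a port scan of one address; must not join the cluster
    Packet(0.5, "TCP", "S", "203.0.113.4", 40000, "198.51.100.7", 21),
    Packet(0.6, "TCP", "S", "203.0.113.4", 40001, "198.51.100.7", 22),
    Packet(0.7, "TCP", "S", "203.0.113.4", 40002, "198.51.100.7", 80),
    Packet(0.8, "TCP", "S", "203.0.113.4", 40003, "198.51.100.7", 139),
]

if __name__ == "__main__":
    for sig, hosts in cluster_by_signature(SAMPLE_PACKETS).items():
        print(sig, "->", hosts)
```

The signature deliberately excludes the source-port and destination-address counts: those vary with how much of the scan happens to land on a given darknet block, whereas protocol, flags, target port and scan type are what the attacking hosts in this case study have in common.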
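The explanation above for why sensor II saw nothing rests on the original W32.Downadup scanning only its own /24 and the ten /24 blocks before it. The following added example (not code from the paper) models that targeting rule and checks which sensors such a scan can land on, using a constructed sensor layout that mirrors the paper's description (a /24 darknet inside a used /16, a fully unused /16, and a darknet /24 in a used /16 sharing a /8 with the unused one). The prefixes, the infected addresses and the sensor names used in the dictionary are assumptions of the example.

```python
"""Which darknet sensors can a locally scanning worm reach?

Added example, not code from the paper. Models the local-scan rule the
paper attributes to the original W32.Downadup (own /24 plus the previous
ten /24 blocks) against a constructed sensor layout.
"""
import ipaddress


def local_scan_targets(infected_ip, previous_blocks=10):
    """Return the /24 networks scanned: the host's own block, then the ten below it."""
    own = ipaddress.ip_network(f"{infected_ip}/24", strict=False)
    targets = [own]
    base = int(own.network_address)
    for i in range(1, previous_blocks + 1):
        addr = base - i * 256
        if addr < 0:            # nothing exists below 0.0.0.0/24
            break
        targets.append(ipaddress.ip_network(f"{ipaddress.ip_address(addr)}/24"))
    return targets


# Constructed sensor layout: sensor name -> monitored darknet blocks.
SENSORS = {
    "I": [ipaddress.ip_network("10.1.77.0/24")],     # /24 darknet inside the used 10.1.0.0/16
    "II": [ipaddress.ip_network("172.20.0.0/16")],   # fully unused /16, no hosts inside
    "IV": [ipaddress.ip_network("172.21.5.0/24")],   # /24 darknet inside the used 172.21.0.0/16
}

# Constructed infected hosts: all in used space, none inside sensor II's /16.
INFECTED_HOSTS = ["10.1.78.33", "172.21.12.9", "172.21.40.7"]


def sensors_hit(infected_ips, sensors=SENSORS):
    """Map each sensor name to the infected hosts whose local scan overlaps it."""
    hits = {name: [] for name in sensors}
    for ip in infected_ips:
        targets = local_scan_targets(ip)
        for name, nets in sensors.items():
            if any(net.overlaps(t) for net in nets for t in targets) and ip not in hits[name]:
                hits[name].append(ip)
    return hits


if __name__ == "__main__":
    for name, hosts in sensors_hit(INFECTED_HOSTS).items():
        print(f"sensor {name}: {'hit by ' + ', '.join(hosts) if hosts else 'not reached'}")
```

The model also shows the limit of the argument: an infected host in the first ten /24 blocks of the /16 immediately above a fully unused /16 would still reach that darknet's top /24 blocks, so the conclusion that a pure darknet is invisible to a local-only scanner depends on the neighboring address space being free of infected hosts as well.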
According to the further analysis by the Nemesys, this event was attributed to the emergence of a variant of W32.Downadup (i.e., W32.Downadup.C), which uses various port numbers for the rendezvous of P2P connections with other infected hosts. These two cases indicate that we can observe different types of events depending on the characteristics of the darknet, namely a pure darknet such as sensor II or a darknet neighboring a livenet such as the other sensors.

Attacks from Botnets

The diversity of the IP address ranges of the observed darknets is an important factor in global trend analysis. As mentioned in Sect. 4.2, the nicter monitors several darknet segments that belong to different /8 networks. Fig. 9 depicts a typical event in which each sensor shows different characteristics according to its network address. In February 2010, we observed a short-term spike in the number of hosts scanning 139/TCP. Since their scanning behavior was identical and their activities were observed almost simultaneously, we determined that this event was induced by a botnet. Interestingly, this event was observed only by sensors II and IV, which belong to the same /8 network. From this, we can assume that the bots were controlled to scan the specific /8 network that sensors II and IV were monitoring. Indeed, most of the source IP addresses of the attacking hosts seen by sensor II were the same as those seen by sensor IV.

Figure 9. Attacks from Botnets to 139/TCP observed in 2010 (number of hosts per sensor, 01/31 to 03/28)

A Global Trend

If all sensors observe scans with the same characteristics, we can assume that the event is a global trend, as mentioned in [20]. In September 2010, we found a rapid increase in scan packets to 5060/UDP observed by all sensors, as shown in Fig. 10.
We can assume that this attack arose all over the world; indeed, from this time, the
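The two preceding cases use the same decision rule in opposite directions: a spike seen only by the sensors that share a /8 points to a botnet aimed at that /8, while a spike seen by every sensor is a global trend. The following added example (not code from the paper) applies that rule to constructed daily host counts for four sensors, flagging spike days against a median baseline and labelling each event, and adds the source-overlap check used above to tie sensors II and IV together. It goes slightly beyond the text by also labelling a spike at a single sensor as "local". The sensor-to-/8 mapping, the counts and the source addresses are all constructed.

```python
"""Cross-sensor event classification: global trend vs. targeted /8.

Added example, not code from the paper. Flags spike days per sensor,
labels event days as 'global', 'targeted /8' or 'local', and measures
source overlap between two sensors. All data below is constructed.
"""
from statistics import median

# Constructed: the /8 each sensor's address range belongs to (II and IV share one).
SENSOR_SLASH8 = {"I": 10, "II": 172, "III": 192, "IV": 172}

# Constructed daily host counts, 12 days per sensor: day 7 spikes only at II
# and IV (139/TCP-style botnet), days 10-11 spike everywhere (5060/UDP-style).
DAILY_HOSTS = {
    "I":   [20, 22, 19, 21, 20, 23, 21,  20, 22, 21,  90,  88],
    "II":  [ 5,  6,  5,  4,  6,  5,  5,  60,  6,  5,  40,  42],
    "III": [15, 14, 16, 15, 15, 14, 16,  15, 14, 15,  70,  66],
    "IV":  [30, 31, 29, 30, 32, 30, 31, 150, 30, 31, 120, 118],
}

# Constructed source addresses seen on day 7 by the two spiking sensors.
DAY7_SOURCES = {
    "II": {"198.51.100.11", "198.51.100.12", "198.51.100.13", "198.51.100.14", "198.51.100.15"},
    "IV": {"198.51.100.11", "198.51.100.12", "198.51.100.13", "198.51.100.14",
           "198.51.100.80", "198.51.100.81"},
}


def detect_spikes(series, baseline=5, factor=3.0):
    """Days whose count exceeds factor x the median of the previous `baseline` days.

    The median rather than the mean is used so that an earlier spike still
    inside the baseline window does not mask a later one.
    """
    spikes = set()
    for t in range(baseline, len(series)):
        if series[t] > factor * median(series[t - baseline:t]):
            spikes.add(t)
    return spikes


def classify_events(counts, slash8, baseline=5, factor=3.0):
    """Return {day: (label, sorted names of sensors that spiked on that day)}."""
    spikes = {s: detect_spikes(v, baseline, factor) for s, v in counts.items()}
    events = {}
    for day in sorted(set().union(*spikes.values())):
        hit = sorted(s for s, days in spikes.items() if day in days)
        if len(hit) == len(counts):
            label = "global"                      # every sensor saw it
        elif len(hit) > 1 and len({slash8[s] for s in hit}) == 1:
            label = "targeted /8"                 # only sensors sharing one /8
        else:
            label = "local"
        events[day] = (label, hit)
    return events


def source_overlap(sources_a, sources_b):
    """Fraction of sensor A's sources that sensor B also saw (0.0 if A saw none)."""
    a, b = set(sources_a), set(sources_b)
    return len(a & b) / len(a) if a else 0.0


if __name__ == "__main__":
    for day, (label, sensors) in classify_events(DAILY_HOSTS, SENSOR_SLASH8).items():
        print(f"day {day}: {label} ({', '.join(sensors)})")
    print("II sources also seen at IV:", source_overlap(DAY7_SOURCES["II"], DAY7_SOURCES["IV"]))
```

A high source overlap between the two /8-sharing sensors is what separates "one botnet told to sweep this /8" from two unrelated local events that happen to coincide; a spike at every sensor with low pairwise overlap is the expected shape of a global trend driven by many independent infections.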
