
April 10, 2011 Salzburg, Austria - WOMBAT project

HARMUR consumes URL feeds (Norton SafeWeb feeds, malicious domain lists, Phishtank) to discover all the hostnames resolving to the same IP address as that of the tracked URL, therefore extracting a rather complete list of all the domains hosted on the same web server. Each of the domains discovered by the URL feeds is analyzed periodically by a set of analysis modules aiming at retrieving information on: 1) DNS associations; 2) domain registration (WHOIS) records; 3) web server status; and 4) the security status of the domain. In the following sections we briefly describe the information collected by each module; the interested reader can find in Figure 4 (in the Appendix) a more detailed view of the relationships among the different information entities composing the HARMUR dataset.

3.2 DNS associations

For each domain name, HARMUR collects as much information as possible on its association to physical resources, namely its authoritative nameservers and the addresses of the servers associated to the hostnames known to belong to the domain. DNS information is retrieved by directly contacting the authoritative nameserver for each domain, avoiding the artifacts normally generated by DNS caching. When looking at the DNS records for each tracked domain, HARMUR stores historical information on the association of a domain to its authoritative nameserver(s) (NS records), as well as the association of each hostname to host IP addresses (A records).

3.3 Domain registration

On top of the basic DNS information, HARMUR leverages the WHOIS protocol to retrieve registration information for each domain name. This includes the date on which a given domain was registered, as well as the names of the registrar and registrant. It should be noted that WHOIS information is very difficult to extract in practice.
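To illustrate the problem, a minimal sketch of registrar-specific WHOIS parsing follows. The two sample records and their field names are hypothetical, invented here purely to show the kind of format divergence between registrars; this is not HARMUR code.

```python
import re
from datetime import datetime

# Hypothetical examples of two registrar output styles; real WHOIS
# records diverge even more widely, since RFC 3912 mandates no
# machine-readable format.
SAMPLE_A = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Creation Date: 2003-08-14
Registrant Name: John Doe
"""

SAMPLE_B = """\
domain:     example.net
created:    14.08.2003
registrar:  Another Registrar GmbH
holder:     Jane Roe
"""

def parse_whois(text):
    """Try registrar-specific parsers in turn; return None if unsupported."""
    # Style A: "Key: Value" pairs with long, capitalized field names.
    m = re.search(r"^Creation Date:\s*(\S+)", text, re.M)
    if m:
        return {
            "created": datetime.strptime(m.group(1), "%Y-%m-%d").date(),
            "registrar": re.search(r"^Registrar:\s*(.+)$", text, re.M).group(1),
            "registrant": re.search(r"^Registrant Name:\s*(.+)$", text, re.M).group(1),
        }
    # Style B: lower-case keys, dotted European-style dates.
    m = re.search(r"^created:\s*(\S+)", text, re.M)
    if m:
        return {
            "created": datetime.strptime(m.group(1), "%d.%m.%Y").date(),
            "registrar": re.search(r"^registrar:\s*(.+)$", text, re.M).group(1),
            "registrant": re.search(r"^holder:\s*(.+)$", text, re.M).group(1),
        }
    return None  # unsupported registrar: the record stays incomplete
```

Every unsupported registrar requires a new parser of this kind, which is why coverage is necessarily partial.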
RFC 3912, the WHOIS protocol specification, clearly states that the protocol delivers its content in a human-readable format. In the context of automated retrieval and dissection of WHOIS information, this is a non-negligible problem: every registrar uses a different notation and syntax to represent the registration records it manages. HARMUR implements parsers for the most common registrars, but WHOIS information remains incomplete for domains that belong to unsupported ones.

Figure 1: HARMUR architecture (security feeds: Google Safe Browsing, Norton SafeWeb; DNS, WHOIS, and server analysis modules).

3.4 Web server status

HARMUR extracts a variety of information on each web server known to host content associated to an analyzed domain.

Location. HARMUR takes advantage of the Maxmind geolocation database to collect information on the geographical location of the servers hosting the tracked content.

Autonomous system. In parallel to the physical location of the servers, HARMUR maps each server to the Autonomous System (AS) it belongs to. As shown by FIRE [19], online criminals have often been masquerading behind disreputable Internet Service Providers known to pay little or no attention to the type of activity carried out by their customers. Collection of AS information in HARMUR is possible thanks to Team Cymru's IP-to-ASN mapping project. To disambiguate cases in which the service provides an ambiguous answer (sometimes multiple AS numbers are returned), HARMUR cross-checks Team Cymru's information with that provided by the Route Views project.

Server availability and version. HARMUR was designed to scale to an extremely large number of domains, and is therefore, by design, incapable of performing expensive analyses on the tracked domains. Still, very valuable information can be retrieved from web servers through simple HTTP interactions. HARMUR probes each server with an HTTP HEAD request for the root page of the hosted site. By parsing the answer, HARMUR collects information on the availability of the server, but also on the server configuration as advertised in the HTTP headers. This information can be valuable for the discovery of popular configurations that may be indicative of "deployment campaigns", in which the very same setup is replicated on a large number of servers.

3.5 Security state

HARMUR currently offers analysis modules for the collection of security data from two information sources commonly used by web browsers to block users from visiting malicious domains: Google Safe Browsing (integrated in popular browsers such as Chrome, Safari and Firefox) and Norton Safeweb, part of the Norton Antivirus security suite. The information generated by these two analysis modules determines the current color of a domain. The two feeds have very different characteristics: Google Safe Browsing is designed as a simple blacklist, and provides no distinction between unknown and safe domains. This peculiarity is handled within HARMUR by assigning only two colors: red for blacklisted websites, and gray for all the others. Norton Safeweb instead provides a more detailed report that associates a domain with a color, as well as with a list of URLs and associated threat categories.

4. USE CASES

This paper has described at length the characteristics of the HARMUR framework and of the associated dataset. The current HARMUR prototype is written entirely in Python and has been running for more than two years on a quad-core Xeon 2.66 GHz CPU with 8 GB of RAM.
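The lightweight HEAD-based probing and header grouping described in Section 3.4 can be sketched as follows. This is a minimal illustration, not the HARMUR implementation; the header values and domain names are invented, and `probe` is a hypothetical helper shown only to make the HEAD interaction concrete.

```python
import http.client
from collections import defaultdict

def probe(host, timeout=5):
    """Issue a HEAD request for the root page; return status and headers.

    Network-dependent: shown for illustration, not exercised below.
    """
    conn = http.client.HTTPConnection(host, timeout=timeout)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    return resp.status, dict(resp.getheaders())

def fingerprint(headers):
    """Reduce the advertised HTTP headers to a configuration fingerprint."""
    return tuple(headers.get(k, "-") for k in ("Server", "X-Powered-By"))

def find_campaigns(observations, min_size=2):
    """Group domains whose servers advertise the very same setup.

    Identical fingerprints across many unrelated domains may hint at
    a "deployment campaign" replicating one setup on many servers.
    """
    groups = defaultdict(list)
    for domain, headers in observations.items():
        groups[fingerprint(headers)].append(domain)
    return {fp: doms for fp, doms in groups.items() if len(doms) >= min_size}

# Illustrative data: three servers sharing one suspiciously identical setup.
obs = {
    "a.example": {"Server": "Apache/2.2.3 (CentOS)", "X-Powered-By": "PHP/5.1.6"},
    "b.example": {"Server": "Apache/2.2.3 (CentOS)", "X-Powered-By": "PHP/5.1.6"},
    "c.example": {"Server": "Apache/2.2.3 (CentOS)", "X-Powered-By": "PHP/5.1.6"},
    "d.example": {"Server": "nginx/1.0.4"},
}
campaigns = find_campaigns(obs)
```

A HEAD request returns only status line and headers, never a body, which is what keeps this probe cheap enough to run across millions of domains.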
HARMUR is currently tracking 91,561 red domains, 106,303 orange domains, 643,308 black domains, and more than 2 million domains whose security state is either benign or unknown (gray). The analysis of these domains over a period of two years has led to the identification of 1.2M web servers witnessed as active by HARMUR at least once throughout its activity, and has associated 5M distinct URLs with at least one threat. This considerable amount of data has been continuously tracked by the analysis modules, which were configured to reconsider the state of domains associated with "interesting" colors on a weekly basis. Looking at the last year of operation, each analysis module has been able to process an average of 16k domains per day, although this number could easily be increased through implementation refinements and better parallelization of the code. While a large-scale analysis of the dataset content is left for future work, important lessons have been learned through the analysis of specific cases that underline the importance and the potential of the collected data.

Table 1: Security evolution for a specific domain.

    2009-08-07 12:28:14   red
    ...
    2009-09-04 23:50:33   red
    2009-09-21 10:03:02   gray
    ...
    2009-12-05 03:53:31   gray
    2009-12-13 09:07:03   red
    2009-12-24 20:49:19   gray
    ...
    2010-03-22 18:24:46   gray
    2010-04-07 03:04:39   red
    ...
    2010-04-14 19:18:19   red
    2010-04-18 06:11:49   gray
    ...

Figure 2: Rogue site dynamics (all IP addresses have been anonymized).

Infection history. Table 1 shows the evolution over time of a specific domain. This domain, hosted in the United Kingdom, is currently ranked as benign in all security information feeds. However, its past shows us a different scenario.
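Histories like the one in Table 1 lend themselves to simple risk heuristics. The sketch below is a hypothetical illustration, not HARMUR code: it counts maximal runs of consecutive "red" observations in a domain's color timeline and flags currently-clean domains with a dirty past.

```python
def red_episodes(timeline):
    """Count maximal runs of consecutive 'red' observations.

    timeline: list of (timestamp, color) tuples in chronological order.
    """
    episodes, in_red = 0, False
    for _ts, color in timeline:
        if color == "red" and not in_red:
            episodes += 1
        in_red = (color == "red")
    return episodes

def risky_past(timeline):
    """A currently non-red domain that was red before is riskier than
    one with a clean history (cf. the discussion of Table 1)."""
    return bool(timeline) and timeline[-1][1] != "red" and red_episodes(timeline) > 0

# Condensed version of the Table 1 timeline (timestamps abbreviated).
history = [
    ("2009-08-07", "red"), ("2009-09-04", "red"),
    ("2009-09-21", "gray"), ("2009-12-05", "gray"),
    ("2009-12-13", "red"), ("2009-12-24", "gray"),
    ("2010-04-07", "red"), ("2010-04-14", "red"),
    ("2010-04-18", "gray"),
]
```

On this timeline the heuristic finds three distinct red episodes, matching the three blacklisting events visible in Table 1.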
Looking at the Google Safe Browsing information, we can see that the domain has been flagged as malicious three times since August 2009. Looking more in depth at the information provided by Norton Safeweb, we discover that this domain had been infected multiple times with an exploit toolkit widely used as part of the Mebroot/Torpig campaign [18], in which websites with weak administrator passwords were modified by attackers to serve as landing pages for the malware infection. While currently benign, we can infer from the domain's history that the likelihood of this domain being malicious in the future is higher than that of a domain with a "clean past". The dynamics of the hosting infrastructure can also give us important hints on the structure and the modus operandi of a specific malicious campaign.

Malware campaigns. The HARMUR data collection mechanism aims at generating information on the evolution of the tracked domains. All the features previously described are therefore repeatedly extracted throughout the lifetime of a malicious domain. For instance, Figure 2 shows an example of "domain movement". The boxes in the graph represent sets of IP addresses associated with a domain at a given point in time, and the edges connecting the boxes represent the transition of a domain to a new set of addresses. In Figure 2 we can see how four distinct domains, all associated with the distribution of rogue security software and

D06 (D3.1) Infrastructure Design - WOMBAT project