April 10, 2011 Salzburg, Austria - WOMBAT project

[Figure 3: Evolution of DNS information for fast-flux networks (all IP addresses have been anonymized)]

... initially hosted on different servers, have migrated at approximately the same time to a single server, which was also found to be malicious (time information is not represented for the sake of simplicity). It is important to note that these four domains were initially thought to be completely unrelated. It is only through their subsequent movement that it has been possible to link them all to a probable common root cause.

An even more apparent example of the value of the dynamic correlation made possible by the HARMUR dataset is represented in Figure 3. The domains taken into consideration here are hidden behind fast-flux networks [22] to protect the identity and availability of the associated server. The periodic movement of the DNS association among the pool of available addresses leads to long association chains, but also to intersections among domains that are likely due to the leveraging of the same pool of infected machines. Once again, apparently unrelated domains are correlated thanks to the periodic analysis of their state.

Attackers' modus operandi. The data collected by HARMUR proved to be extremely valuable in understanding the modus operandi of the attackers. For instance, by leveraging the information retrieved by the WHOIS component, we noticed that a single registrant registered 71 distinct domains on exactly the same day at ONLINENIC. The domain names were permutations of a few dictionary words associated with the name of an antivirus product, and all the hostnames known to HARMUR as belonging to these domains resolved to a single physical web server. A more in-depth analysis revealed that all these domains were ultimately used for the distribution of rogue security software [4].

5. CONCLUSION

This paper has presented HARMUR, a tool that takes into consideration the evolution of the state of malicious domains to gather insights into the dynamics of the threat landscape. Differently from traditional datasets monitoring the web for client-side threats, with HARMUR we have tried to go beyond the collection of information on the current state of a domain and to rebuild an approximate timeline of its history and its evolution over time.
While a large-scale analysis of the information contained in the dataset is left for future work, we demonstrate through examples the value of looking at the threat dynamics to gather more in-depth insights into the modus operandi of attackers, and into the identification of groups of domains likely to be associated with the same root cause or campaign.

Acknowledgments

This work has been partially supported by the European Commission through project FP7-ICT-216026-WOMBAT, funded by the 7th Framework Programme. The opinions expressed in this paper are those of the authors and do not necessarily reflect the views of the European Commission.

6. REFERENCES

[1] P. Baecher, M. Koetter, T. Holz, M. Dornseif, and F. Freiling. The Nepenthes Platform: An Efficient Approach to Collect Malware. In 9th International Symposium on Recent Advances in Intrusion Detection (RAID), September 2006.
[2] CAIDA Project. Conficker/Conflicker/Downadup as seen from the UCSD Network Telescope.
[3] M. Cova, C. Kruegel, and G. Vigna. Detection and analysis of drive-by-download attacks and malicious JavaScript code. In Proceedings of the 19th International Conference on World Wide Web, pages 281–290. ACM, 2010.
[4] M. Cova, C. Leita, O. Thonnard, A. Keromytis, and M. Dacier. An analysis of rogue AV campaigns. In Proc. of the 13th International Symposium on Intrusion Detection (RAID 2010), September 2010.
[5] S. Ford, M. Cova, C. Kruegel, and G. Vigna. Analyzing and Detecting Malicious Flash Advertisements. In Proceedings of the 25th Annual Computer Security Applications Conference, 2009.
[6] P. Kijewski, C. Overes, and R. Spoor. The HoneySpider Network – fighting client-side threats. In FIRST Annual Conference, 2008.
[7] C. Leita and M. Dacier. SGNET: a worldwide deployable framework to support the analysis of malware threat models. In 7th European Dependable Computing Conference (EDCC 2008), May 2008.
[8] K. McGrath and M. Gupta. Behind Phishing: An Examination of Phisher Modi Operandi. In Proc. of the USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2008.
[9] A. Moshchuk, T. Bragin, D. Deville, S. D. Gribble, and H. M. Levy. SpyProxy: Execution-based detection of malicious web content. In Proceedings of the 16th USENIX Security Symposium, 2007.
[10] J. Nazario. PhoneyC: A virtual client honeypot. In Proceedings of the 2nd USENIX Conference on Large-scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More, page 6. USENIX Association, 2009.
[11] H. O'Dea. The Modern Rogue — Malware With a Face. In Proc. of the Virus Bulletin Conference, 2009.
[12] V.-H. Pham, M. Dacier, G. Urvoy-Keller, and T. En-Najjary. The quest for multi-headed worms. In DIMVA 2008, 5th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, July 10-11, 2008, Paris, France, July 2008.
[13] G. Portokalidis, A. Slowinska, and H. Bos. Argos: an emulator for fingerprinting zero-day attacks. In ACM SIGOPS EuroSys, 2006.
[14] N. Provos. SpyBye, http://www.monkey.org/~provos/spybye.
[15] N. Provos, P. Mavrommatis, M. Rajab, and F. Monrose. All Your iFRAMEs Point to Us. In Proc. of the USENIX Security Symposium, 2008.
[16] N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu. The ghost in the browser: analysis of web-based malware. In First Workshop on Hot Topics in Understanding Botnets (HotBots 07). Google, Inc., 2007.
[17] C. Seifert, I. Welch, and P. Komisarczuk. HoneyC – The Low-Interaction Client Honeypot. NZCSRCS, Hamilton, 2007, http://www.mcs.vuw.ac.nz/cseifert/blog/images/seiferrt-honeyc.pdf, 2006.
[18] B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna. Your Botnet is My Botnet: Analysis of a Botnet Takeover. In Proc. of the ACM Conference on Computer and Communications Security, 2009.
[19] B. Stone-Gross, A. Moser, C. Kruegel, K. Almeroth, and E. Kirda. FIRE: FInding Rogue nEtworks. In 25th Annual Computer Security Applications Conference (ACSAC), December 2009.
[20] Symantec. The Trojan.Hydraq incident, http://www.symantec.com/connect/blogs/trojanhydraq-incident.
[21] The Honeynet Project. Home page of Capture-HPC, https://projects.honeynet.org/capture-hpc.
[22] The Honeynet Project. Know your enemy: Fast-flux service networks, http://www.honeynet.org/book/export/html/130.
[23] The MITRE Honeyclient Project Team. HoneyClient, http://www.honeyclient.org.
[24] The WOMBAT FP7 project. Second WOMBAT workshop proceedings, http://wombat-project.eu/2010/02/wombat-deliverable-d10d63-seco.html.
[25] VU Amsterdam. Shelia, http://www.cs.vu.nl/~herbertb/misc/shelia/.
[26] Y. Wang, D. Beck, X. Jiang, R. Roussev, C. Verbowski, S. Chen, and S. King. Automated web patrol with Strider HoneyMonkeys. In Proceedings of the 2006 Network and Distributed System Security Symposium, pages 35–49, 2006.
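The fast-flux correlation discussed above (domains linked through the intersections of the IP pools they resolve to over time), as an added example that is not HARMUR's own code: it takes periodic DNS observations, computes each domain's association chain, and clusters domains that have ever shared a resolved IP. The observations, domain names and IP addresses below are constructed.

```python
"""Added example (not HARMUR code): correlate domains through shared fast-flux IPs.

Each observation is (time step, domain, set of resolved IPs), as a periodic
resolver would record it. Domains that ever share a resolved IP are linked;
the transitive closure gives clusters that likely rent the same pool of
infected hosts. All domains and IPs here are constructed sample data.
"""
from collections import defaultdict

# Constructed observations: (time step, domain, IPs returned by DNS).
OBSERVATIONS = [
    (1, "alpha.example", {"192.0.2.10", "192.0.2.11", "192.0.2.12"}),
    (2, "alpha.example", {"192.0.2.11", "192.0.2.13", "198.51.100.5"}),
    (1, "beta.example", {"198.51.100.5", "198.51.100.6"}),
    (2, "beta.example", {"198.51.100.6", "198.51.100.7"}),
    (1, "gamma.example", {"203.0.113.40"}),
    (2, "gamma.example", {"203.0.113.41"}),
    (3, "delta.example", {"203.0.113.41", "203.0.113.42"}),
]


def association_chains(observations):
    """Distinct IPs each domain has been associated with across all snapshots."""
    chains = defaultdict(set)
    for _, domain, ips in observations:
        chains[domain] |= ips
    return dict(chains)


def correlate_domains(observations):
    """Cluster domains that share at least one resolved IP (union-find)."""
    parent = {}

    def find(x):  # root of x's cluster, with path halving
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}  # ip -> first domain observed resolving to it
    for _, domain, ips in observations:
        find(domain)  # register the domain even if it shares nothing yet
        for ip in ips:
            if ip in first_seen:  # same IP already used by another domain
                parent[find(domain)] = find(first_seen[ip])
            else:
                first_seen[ip] = domain
    clusters = defaultdict(set)
    for domain in parent:
        clusters[find(domain)].add(domain)
    return sorted(sorted(c) for c in clusters.values())
```

Chain length (the size of each set returned by `association_chains`) is the "long association chain" signal, and the clusters from `correlate_domains` are the cross-domain intersections the paper uses to tie apparently unrelated domains to one pool of infected machines.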
