Bum Jun Kwon, Virinchi Srinivas, Amol Deshpande, Tudor Dumitraș (University of Maryland, College Park)

Slide 1: BEEWOLF. Catching Worms, Trojan Horses and PUPs: Unsupervised Detection of Silent Delivery Campaigns

Slide 2: Malware Delivery Campaigns
• Business model – Charge fees for delivering malware or PUPs
• Key method – Orchestrate silent delivery campaigns
[Figure: host, downloaders, DNS domains and payloads]

Slide 3: Silent Delivery Campaigns
[Figure: Host 1, Host 2 and Host 3 with their downloaders, payloads and DNS domains. Executables shown: smart.exe, downloadmanager.exe, downloadmanager2.exe, mobogenie.exe. Domains with dates: ppdownload.com (2013-11-15), greatarcadehits.com (2013-11-22), download2desktop.com (2013-12-05)]

Slide 4: Silent Delivery Campaigns
[Figure: the same host, downloader, payload and domain diagram as slide 3, annotated with related work]
• Identify malicious domains [Antonakakis+2010]
• Detect malicious downloaders on the client side [Kwon+2015]
• Malware families disseminated [Invernizzi+2014]
• Milk PUP payloads [Caballero+2011, Thomas+2016]

Slide 5: Lockstep Behavior [Beutel+2013, Cao+2014, Jiang+2015]
[Figure: downloaders and DNS domains]
• Not designed for streaming data
• Require interpreting events defined by multiple features
• Require seed nodes

Slide 6: We Introduce Beewolf
[Figure: downloaders and DNS domains]
• Propose an unsupervised and deterministic technique
• Operate on a stream of download events
• Orthogonal to the work that uses machine learning
• Reveal the indirect relationships

Slide 7: Understanding Indirect Relationships
[Figure: direct relationship vs. indirect relationship]
• Expose hidden dependencies in the underground economy
• Suggest suitable interventions for disrupting the malware delivery

Slide 8: Outline
• System overview
• Lockstep analysis – Attribution – Observations
• Evaluation – Streaming
• Conclusion

Slide 9: System Overview
• Beewolf
 – Two modes: offline / streaming
 – Input: download event data
 – Whitelisting: download events from benign downloaders

Slide 10: Data Set: Download Activity in the Wild
• Download activity
 – Kwon et al., The Dropper Effect paper (CCS '15)
 – Download event: downloader, second-level domain name (domain), payload, server timestamp
 – Year 2013
• Ground truth for labeling
 – VirusTotal
 – NSRL (National Software Reference Library)
 – Underground forums, Reason Labs knowledge base

Slide 11: System Overview Cont'
• Beewolf
 – Detect lockstep patterns
  • Offline: from the entire input dataset
  • Streaming: from the stream of data
 – Four core components
  • Star Detection, Galaxy graph, FP tree, Lockstep Detection

Slide 12: Goal
[Figure: adjacency list of downloaders to domains (B: c b a d; C: c b e; A: c b a; D: c d e) and the bipartite graph of downloaders A, B, C, D and domains a, b, c, d, e]
Lockstep: [c, b, a] [B, C, A]
Detect near-bicliques with time constraints

Slide 13: Star Detection
[Figure: the same adjacency list and bipartite graph as slide 12]

Slide 14: Galaxy Graph
[Figure: the same adjacency list and bipartite graph as slide 12]

Slide 15: Frequent Pattern Tree
[Figure: adjacency list and bipartite graph; FP-tree after inserting downloader B: root → c → b → a → d, with visited list [B] at each node]

Slide 16: Frequent Pattern Tree
[Figure: completed FP-tree with visited lists: root → c [B, C, A, D] → b [B, C, A] → a [B, A] → d [B]; b → e [C]; c → d [D] → e [D]]

Slide 17: Lockstep Detection
[Figure: the completed FP-tree from slide 16]
Complete Biclique: [c, b] [B, C, A]

Slide 18: Addressing Limitations (1)
[Figure: the completed FP-tree, node a highlighted]
Lockstep: [c, b, a] [B, C, A]
Heuristic for detecting near-bicliques

Slide 19: Addressing Limitations (2)
[Figure: the completed FP-tree]
Complete Biclique: [c, d, e] [D]
Complete Biclique: [c, b, e] [C]
Supplementation phase

Slide 21: Lockstep Analysis
• Beewolf in offline mode
• Time window Δt of 3 days
 – Shorter than the typical reaction time of domain blacklists
• Summary
 – Locksteps: 67,094

Slide 22: Label by Publisher
• Identify the organization
• Representative publisher (rep-pub)
 – A publisher that accounts for more than 50% of the signed downloaders in the lockstep, e.g. [OutBrowse, OutBrowse, MindAd LTD] → OutBrowse
 – Cannot identify rep-pub: mixed
• Categorization (rep-pub)
 – PUP, PPI, benign (BN), other, mixed, unknown (UK)

Slide 23: Label by Publisher Result
• Identified 335 rep-pubs
• Investigate the top 50 rep-pubs
• A large portion of the locksteps correspond to the Mixed category, followed by PUP
Difficult to place in a specific category

Slide 24: Label by Payload
• Understand the purpose of the lockstep
• Detection performance evaluation
• First, label the downloader by the payload they distribute
 – Malware downloader (MD)
 – PUP downloader (PD)
 – Benign downloader (BD)
 – Unknown downloader (UD)

Slide 25: Label by Payload Cont'
• Malware downloader lockstep (MDL): lockstep that includes at least one MD
• PUP downloader lockstep (PDL): contains PD but no MD
• Unknown downloader lockstep (UDL): no suspicious downloader
• Benign downloader lockstep (BDL): no suspicious downloader, contains BD
[Figure labels: Suspicious, Benign]

Slide 26: Label by Payload Result
• Higher success rate in labeling (2.33% UDLs)
• MDL occupy more than 80% of the total locksteps while BDL are low (4.82%)

Slide 27: Overlap Between Malware and PUP Delivery Ecosystems
• Overlap of downloaders
 – Large overlap
  • 36.7% of the downloaders are present in both MDLs and PDLs
  • Associated with 97.8% of all the PDLs
• Malsign blacklist
 – 1,926 downloaders signed by 212 publishers in locksteps
 – Involved in 66.8% of MDLs and 37.2% of PDLs
Many PUP publishers are likely involved in malware delivery

Slide 28: Overlap Between Malware and PUP Delivery Ecosystems Cont'
• Recent measurements of commercial PPIs (Kotzias+2016, Thomas+2016)
 – Did not find substantial overlap
• Key distinction
 – Geographical distribution
  • Hosts from 72 different countries
 – Different observation period / malware set
 – Locksteps detect indirect relationships
  • Utilize unsigned downloaders for malicious payloads

Slide 29: Business Relationships
• Publishers appearing together in locksteps
 – Utilize the same server-side infrastructure
  • Reflects a relationship among the corresponding distribution networks
 – Two different publisher relationships
  • Partner: downloaders in a downloaded-by relationship
  • Neighbor: no direct download relationship
 – Organizations that use multiple code-signing certificates
 – Relationships with a common third party

Slide 30: Business Relationships Cont'
• Business relationship graph of the top 13 rep-pubs
 – Node: publisher
 – Edge: business relationship
[Figure: business relationship graph; legend: PUP, PPI, benign (BN), other]

Slide 31: Business Relationships Cont'
• Example – Outbrowse LTD
  • Advertisers or the affiliates of the Outbrowse PPI
  • Variants of the rep-pub's certificate
Expose organizations utilizing certificate polymorphism
Organizations sharing the same third-party infrastructure
[Figure: business relationship graph; legend: PUP, PPI, benign (BN), other]

Slide 33: Streaming Setup
• Batch of download events from the year 2013
 – Download events in time window Δt = 3 days per batch
 – 122 batches in total
 – Check the computation cost (time) growth

Slide 34: Streaming Performance: Serial
[Figure: chart]

Slide 35: Streaming Performance: Serial
[Figure: chart]
Slowdown: 7.7 s/batch; up to 20 min
Overhead of the supplementation phase

Slide 36: Streaming Performance: Optimal Parallelism
[Figure: chart]
Slowdown: 0.1 s/batch
Supplementation processes are independent => run in parallel

Slide 37: Outline
• System overview
• Lockstep analysis – Attribution – Observations
• Evaluation – Detection performance – Streaming
• Conclusion

Slide 38: Conclusion
• We introduce Beewolf
 – Unsupervised and deterministic system, operates on a stream of data
 – Discover indirect relationships (reflect PUP/malware overlap)
• Implication beyond malware detection
 – Beewolf can detect other kinds of coordinated actions (beaconing, C&C communication, posting in SNS)
• Data release – http://www.beewolf.org

Slide 41 (backup): The Detection Lag
• Downloaders
 – Downloading is not a sign of inherently malicious intent
 – Signed downloaders
Antivirus detection lag: average 71.6 days before discovery

Slide 42 (backup): Detection Performance
Lockstep type   Count (share of all locksteps)
MDL             54,497 (81.22%)
PDL              7,800 (11.63%)
BDL              3,231 (4.82%)
UDL              1,566 (2.33%)
False positives: fewer than 5%
True positives (suspicious locksteps) account for 92.85% of locksteps

Slide 43 (backup): Detection Lead Time
• How early can we detect suspicious downloaders or domains that are previously unknown?
 – Downloaders: detect unknown executables in lockstep before their first submission to VirusTotal
Median detection lead time of 165 days

Slide 44 (backup): Detection Lead Time Cont'
• How early can we detect suspicious downloaders or domains that are previously unknown?
 – Downloaders: detect unknown executables in lockstep before their first submission to VirusTotal
 – Domains: flag unknown domains in lockstep before they are listed on public URL blacklists
Median detection lead time of 196 days

Slide 45 (backup): Frequent Pattern Tree (1)
• Pre-setup
 – Bipartite graph of downloaders and second-level domain names (domains)
 – Get the degree for the nodes
[Figure: bipartite graph with left-hand nodes (LHN) a, b, c, d, e and right-hand nodes (RHN) A, B, C, D; node degrees a=2, b=3, c=4, d=2, e=2, A=3, B=4, C=3, D=3]

Slide 46 (backup): Frequent Pattern Tree (1)
• Adjacency list
 – Sorted in degree-descending order (first sort RHNs, then for each RHN sort its neighbor LHNs)
[Figure: the same bipartite graph with degrees; sorted adjacency list B: c b a d; C: c b e; A: c b a; D: c d e]

Slide 47 (backup): Frequent Pattern Tree (2)
• Create the root of an FP-tree
• Perform insertion (node: LHN)
 1) Not the child: insert as child
 2) Add the RHN to the visited list
[Figure: FP-tree under construction. After inserting B the path root → c → b → a → d carries visited list [B] at every node; after inserting C, node e is added under b, the visited lists of c and b become [B, C] and e gets [C]]

Slide 48 (backup): Frequent Pattern Tree (2)
• Perform insertion (node: LHN)
 1) Not the child: insert as child
 2) Add the RHN to the visited list
[Figure: completed FP-tree with visited lists: root → c [B, C, A, D] → b [B, C, A] → a [B, A] → d [B]; b → e [C]; c → d [D] → e [D]]

Slide 49 (backup): Frequent Pattern Tree (3)
[Figure: the completed FP-tree]
Lockstep: [c, b, a] [B, A]
Lockstep: [c, b] [B, C, A]

Slide 50 (backup): Outline
• Detecting silent delivery campaigns
 – Lockstep behavior
 – How to detect locksteps: Frequent pattern tree
 – Dataset
 – Lockstep attribution
• System
• Silent distribution campaigns
 – Properties of locksteps
 – Overlap between malware and PUP delivery ecosystems
 – Business relationships
• Evaluation
• Conclusion

Slide 51 (backup): Lockstep Behaviors
• Lockstep behavior
 – Downloader-domain interaction
 – Temporal pattern: access the same domain within a bounded time period Δt
 – Coordinated downloads that do not experience random delays
[Figure: downloaders MINIBAR-MASTER.EXE, BI_RUNONCE.EXE and BISEHUP35464.EXE contact bigspeedpro.com at t = [0, Δt] (2013-01-06), bispd.com at t = [3δt, Δt + 3δt] (2013-01-13) and cloudfront.net at t = [6δt, Δt + 6δt] (2013-01-24); labelled "Lockstep"]
Lockstep behavior exposes remotely controlled downloaders and reveals the domains involved in subsequent campaigns

Slide 57 (backup): How to Detect Silent Delivery Campaigns Cont'
Lockstep behavior:
• Coordinated downloads without random delays
• Downloaders and domains in near-bicliques
[Figure: downloaders and DNS domains]
Remotely controlled downloaders and the domains involved in subsequent campaigns

Slide 58 (backup): Star Detection
• Detect stars
 – Complete bipartite graph of a single domain and at least 2 downloaders
 – A star corresponds to a row of the adjacency list
• Collect all stars within time window Δt
 – For each domain, aggregate the adjacent downloaders

Slide 59 (backup): Galaxy Graph
• Bipartite graph of the set of stars
• Update the galaxy graph incrementally
 – For each star, add the central node and its adjacent nodes to the graph
 – Discard if the star is a subset of some existing star
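Star detection over Δt windows and the incremental galaxy update described in slides 58 and 59, as an added Python example (not Beewolf's code). The download events, the window start and the function names are constructed for illustration; the subset rule is checked per centre domain because, as node sets, one star can only be contained in another that shares its centre.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed download events (server timestamp, downloader, domain); not data from the paper.
EVENTS = [
    ("2013-11-15 10:00", "B", "c"), ("2013-11-15 11:00", "C", "c"),
    ("2013-11-16 09:00", "A", "c"), ("2013-11-16 12:00", "D", "c"),
    ("2013-11-15 10:05", "B", "b"), ("2013-11-15 11:05", "C", "b"),
    ("2013-11-16 09:05", "A", "b"), ("2013-11-17 08:00", "B", "a"),
    ("2013-11-17 08:30", "A", "a"), ("2013-11-16 13:00", "D", "d"),  # d: one downloader, no star
    ("2013-11-19 09:00", "D", "e"), ("2013-11-20 09:00", "C", "e"),  # falls in the next window
]

def batch_by_window(events, start, dt=timedelta(days=3)):
    """Group events into consecutive Δt windows counted from start (the slides use Δt = 3 days)."""
    t0 = datetime.strptime(start, "%Y-%m-%d %H:%M")
    batches = defaultdict(list)
    for ts, downloader, domain in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        batches[(t - t0) // dt].append((downloader, domain))
    return dict(batches)

def detect_stars(batch, min_downloaders=2):
    """A star is one domain plus the downloaders that contacted it in the window; keep stars with >= 2."""
    stars = defaultdict(set)
    for downloader, domain in batch:
        stars[domain].add(downloader)
    return {d: dls for d, dls in stars.items() if len(dls) >= min_downloaders}

def update_galaxy(galaxy, stars):
    """Incremental update: merge each star into the graph, or discard it when its downloader set
    is a subset of the star already recorded for that centre domain (the assumed subset rule)."""
    for domain, downloaders in stars.items():
        if domain in galaxy and downloaders <= galaxy[domain]:
            continue  # subset of an existing star: nothing new to add
        galaxy.setdefault(domain, set()).update(downloaders)
    return galaxy

def galaxy_from_events(events, start="2013-11-15 00:00"):
    """Run star detection per window and fold every window's stars into one galaxy graph."""
    galaxy = {}
    batches = batch_by_window(events, start)
    for window in sorted(batches):
        update_galaxy(galaxy, detect_stars(batches[window]))
    return galaxy
```

The resulting galaxy is keyed by domain; re-indexing it by downloader gives the adjacency list the FP-tree slides start from.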

Slide 60 (backup): FP Tree
• Limitations
 – Does not return near-bicliques
  • Heuristic for detecting near-bicliques
 – Misses part of complete bicliques
  • Independent supplementation phase

Slide 61 (backup): Lockstep Detection
• Traverse the FP tree from the root and collect all the locksteps
• Assign identifiers to the detected locksteps
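The FP-tree construction of slides 45 to 49 and the root-to-leaf traversal of slide 61, as an added Python example on the slides' own toy adjacency list; this is not Beewolf's code. The size thresholds `min_domains` and `min_downloaders` and the function names are assumptions (the slides only require at least two downloaders per star), and the near-biclique heuristic and supplementation phase are not implemented.

```python
from collections import defaultdict

# Constructed input copied from the slides' toy adjacency list (not Beewolf's code):
# downloader (right-hand node) -> domains it contacted (left-hand nodes) in one window.
EVENTS = {"B": ["c", "b", "a", "d"], "C": ["c", "b", "e"],
          "A": ["c", "b", "a"], "D": ["c", "d", "e"]}

class FPNode:
    def __init__(self, domain):
        self.domain = domain
        self.visited = []   # downloaders whose sorted domain list passes through this node
        self.children = {}  # domain -> FPNode

def sorted_adjacency(events):
    """Degree-descending order: first the downloaders, then each downloader's domains."""
    degree = defaultdict(int)
    for domains in events.values():
        for d in domains:
            degree[d] += 1
    downloaders = sorted(events, key=lambda dl: -len(events[dl]))  # stable: ties keep input order
    return [(dl, sorted(events[dl], key=lambda d: (-degree[d], d))) for dl in downloaders]

def build_fp_tree(adjacency):
    """Insert each sorted domain list as a path from the root, recording the downloader on every node."""
    root = FPNode(None)
    for downloader, domains in adjacency:
        node = root
        for d in domains:
            if d not in node.children:        # 1) not yet a child: insert as child
                node.children[d] = FPNode(d)
            node = node.children[d]
            node.visited.append(downloader)   # 2) add the downloader to the visited list
    return root

def collect_locksteps(root, min_domains=2, min_downloaders=2):
    """Traverse from the root: a path prefix and its visited list form a complete biclique.
    The two size thresholds are assumptions; the slides only require at least two downloaders."""
    found = []
    def walk(node, path):
        for child in node.children.values():
            prefix = path + [child.domain]
            if len(prefix) >= min_domains and len(child.visited) >= min_downloaders:
                found.append((prefix, list(child.visited)))
            walk(child, prefix)
    walk(root, [])
    return found

def detect_locksteps(events, min_domains=2, min_downloaders=2):
    tree = build_fp_tree(sorted_adjacency(events))
    return collect_locksteps(tree, min_domains, min_downloaders)
```

On the slides' input this returns exactly the two locksteps of slide 49, [c, b] [B, C, A] and [c, b, a] [B, A]; the near-biclique [c, b, a] [B, C, A] of slide 18 is not found, which is the limitation the heuristic addresses.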