
Analysis of Malicious Traffic Using TCP Fingerprinting


DESCRIPTION

Analysis of Malicious Traffic Using TCP Fingerprinting. Waseda University, Graduate School of Fundamental Science and Engineering, Goto Laboratory, master's course year 2, 5108B034-7 木佐森幸太 (Kota Kisamori). Research background: the expanding threat of bots and the difficulty of detecting them; the increase in kernel malware, that is, malware that runs in kernel mode. Malware that can carry out all of its operations in kernel mode is called full-kernel malware (FKM). FKM implements its own network driver, separate from the TCP/IP implementation of the existing OS (cf. Srizbi.trojan). - PowerPoint PPT Presentation


(FKM) FKM OS TCP/IP cf. Srizbi.trojan

CPU OS
2 TCP

OS

3 Passive TCP fingerprinting TCP/IP RFC OS

fingerprinting OS active OS nmap passive OS

p0f Passive fingerprinting
4 p0f p0f SYN TTL Dont Fragment SYN TCP NOP EOL SACK
5 CCC DATAset CCC DATAset 2008 2009 222 p0f OS TTL 2143 MWS
6 MWS
60352:64:0:52:M1240,N,W2,N,N,S:.:MWS:60352_1
60352 TTL 64 Dont Fragment 0 SYN 52 TCP NOP SACK OS
7 CCC DATAset (1) MWS SYN 2009 2008 SYN MWS

8 CCC DATAset (2) IP SYN MWS

9 CCC DATAset SYN SYN (2009)

10 CCC DATAset IP IP (2009)

11 CCC DATAset MWS (2009) (1)

12 2009 16384_1 53760_4

12 CCC DATAset MWS (2009) (2)

13 60352_3 60352_6 135 139 445 1433 2967 CCC DATAset (1) A MWS 60352_6 SYN

21:26:41 A:9109 -> A:135 (scan)
21:26:41 A:9110 -> A:135 (rpc)
21:26:43 A:9197 -> A:135 (rpc)
21:26:43 A:9203 -> A:1013 ()
21:26:43 A:1028 -> A:3450 (malware )
21:26:43 A:1028 -> A:3450 (malware )

14 CCC DATAset (2) B MWS 53760_4

00:35:11 B:56101 -> B:135 (rpc)
00:35:13 B:1027 -> B:47602 (malware )
00:35:13 B:1027 -> B:47602 (malware )

CCC DATAset
2009-03-13 00:35:13, B,1027, B,47602,TCP,c925531e659206849bf7********************,PE_VIRUT.AV,C:\WINNT\system32\csrs.exe
15 CCC DATAset (3) C SYN MWS 16384_1 23 SYN Windows

00:57:09 C:6000 -> B:135 (scan)
00:57:13 C:3197 -> B:135 (rpc)
00:57:15 C:4139 -> B:135 (rpc)
16 CCC DATAset ftp http irc shell smb sql
MWS 60352_62320055800
MWS 53760_4501030700
MWS 60352_338006600
MWS 65535_712002100
MWS 60352_20001800
MWS 60352_1000600
17 MWS ftp shell

69456320216609234723DFCCC DATAsetDF0DFMWSDF1MWS+DF6MWS_GenMWSMWS+DFMWS_Gen
18 MWS (1) SYN 09/12/25 09/12/31 SYN 8.5% IP 5.5%
19
            SYN       IP
MWS       5.140%   0.007%
MWS+DF    0.904%   0.770%
MWS_Gen   2.569%   4.656%
UNKNOWN  20.180%   6.444%
OS       71.207%  90.272%
(2) MWS MWS 16384_1 SYN IP

4445135 139 2967 1433
HTTP 80 8080
HTTPS 443
SMTP 25
BitTorrent 6886 6889
20 smtp (1) TCP SYN 09/3/1 09/3/31 SYN 3% IP 4%

21
            SYN       IP
MWS       0.004%   0.004%
MWS+DF    0.794%   0.240%
MWS_Gen   2.107%   3.500%
UNKNOWN  13.398%   9.728%
OS       83.697%  87.758%
smtp (2) MWS MWS 16384_1 SYN

MWS SYN IP
22 WIDE Project 2006 11 2009 11

SYN 10% MWS 16384_1 MWS+DF MWS_Gen SYN 1.5%
23 MAWI MWS 16384_1 MAWI 2009 11 IP SYN

SYN 95% 6000 MWS 16384_1 SYN OS SYN

24 MWS 16384_1 SYN IP 12,058,445 166 MAWI 2009 11 2,030,839 106 OS TCP/IP

MWS SYN
25
26
27 p0f TCP
28 p0f (1) N NOP / E EOL / Wnnn nnn / Mnnn nnn / S Selective ACK / T T0 0 / ?nn p0f
29 p0f (2) E EOL / Z IP ID 0 / I IP / U 0 / X 0 / A ACK 0 / T 0 / F URG PSH / D TCP / ! TCP / .
CCC DATAset SYN SYN (2008)

30 CCC DATAset IP IP (2008)

3153760:64:1:64:M*,N,W3,N,N,T0,N,N,S:.:MWS_Gen:53760

5808:64:1:60:M*,S,T,N,W0:.:MWS_Gen:5808

60352:64:1:52:M*,N,W2,N,N,S:.:MWS_Gen:60352

65535:64:1:52:M*,N,W2,N,N,S:.:MWS_Gen:65535_1

65535:64:1:64:M*,N,W3,N,N,T0,N,N,S:.:MWS_Gen:65535_2

8192:64:1:64:M*,N,W0,N,N,T0,N,N,S:.:MWS_Gen:8192

32 MWS_Gen smtp
MWS        IP
65535_8    29009
65535_5    25208
65535_3    9004
65535_7    6406
16384_3    2503
65535_4    1607
53760_4    1602
65535_12   901

33

34 MWS SYN SYN
MWS 16384_1        12,058,445
MWS_Gen 65535_1     2,088,113
MWS_Gen 53760       1,398,351
MWS_Gen 60352       1,335,506
MWS_Gen 65535_2     1,101,716
MWS+DF 8192_1         952,104
MWS+DF 60352_6        244,401
MWS+DF 65535_13       241,613
MWS+DF 53760_4        194,928
MWS_Gen 8192          136,019
                      576,091

SYN
445     1,827,882
80        120,384
6889       48,207
21053      11,828
8080       10,566
25         10,119
6649        9,778
28582       5,822
443         4,069
6886        3,009
           36,449

35 ( (1) MWS_Gen 65535_1 SYN
445       533,677
80        378,072
6889       75,996
21053      20,479
6649       12,757
28582      10,356
443         7,436
8088        6,930
14229       6,648
25          5,000
           44,365

MWS_Gen 65535_2 SYN
445     1,322,036
1433        7,660
80          1,843
25            925
139           368
135           302
2967          134
6649           54
21053          51
6889           41
            2,092

36 ( (2) MWS_Gen 53760 SYN
445     1,322,036
1433        7,660
80          1,843
25            925
139           368
135           302
2967          134
6649           54
21053          51
6889           41
            2,092
MWS_Gen 60352

37 MWS SYN SMTP SYN
MWS_Gen 65535_1    65,108
MWS+DF 8192_1      46,206
MWS_Gen 65535_2    40,396
MWS_Gen 60352      24,131
MWS_Gen 53760      13,004
MWS_Gen 8192        3,726
MWS+DF 65535_3      1,624
MWS+DF 60352_3      1,306
MWS+DF 65535_4      1,163
MWS+DF 65535_7      1,016
                    4,126

38 MWS SYN MAWI 1

39 MWS SYN MAWI 2

40 MWS 16384_1 SYN MAWI 1

41 MWS 16384_1 SYN MAWI 2

42 MWS 16384_1 MWS SYN MAWI 1

43 MWS 16384_1 MWS SYN MAWI 2

44 MWS_Gen 4 SYN MAWI 1

45 MWS_Gen 4 SYN MAWI 2

46 MWS IP MAWI 1

47 MWS IP MAWI 2

48 MWS SYN MAWI SYN
MWS 16384_1        46,226,393
MWS_Gen 65535_2     3,977,229
MWS_Gen 53760       3,709,951
MWS_Gen 65535_1     2,844,464
MWS_Gen 8192        2,286,077
MWS+DF 8192_1       1,267,833
MWS_Gen 60352         751,435
MWS+DF 53760_4        463,724
MWS+DF 65535_12       254,946
MWS+DF 65535_7        209,522
                    1,121,401

SYN
2967    5,827,791
1433    2,968,309
135     1,460,904
3306      344,411
1521      223,939
8088      201,510
8080      196,786
445        84,127
          750,668

49 MWS 16384_1 SYN SYN
1521      521,196
1433      502,537
2967      312,409
135       275,083
445       227,608
3306       70,647
8080       36,319
3128       32,218
           52,822
MAWI 2009 11 1521 Oracle 3306 MySQL