Characteristic of Malware Site and its Blocking Countermeasure
1 like290 views
This document analyzes characteristics of malware download sites and suggests countermeasures. It analyzed over 43,000 URLs over 1.5 years and categorized them as: 1) Unchanged (UNC) - Sites that distribute the same malware hash. 10% of UNC sites were active over 500 days. 2) Every-time changed (ETC) - Sites that change the malware hash with each download. ETC sites had shorter lifespans than UNC. 3) Changed occasionally (COC) - Sites that sometimes change the malware hash. 10% of COC sites revived over 15 times. COC sites had more IP addresses and variation than other categories. The document suggests blacklisting
![Suggestion - What should operators do ?
n Fully extermination of malicious site is the
most important.
n When operators received abuse reports, they
should perform concrete action until
malicious site disappear fully.
n but according to [1], about 60%(12/19)
reports were not handled properly by ISPs.
• case1: no reply.
• case2: enable to locate an abuse@domain in
WHOIS.
• case3: good case ! immediately disconnected
site.
• case4: forwarded to customer by ISP, but the
server was still alive.
26
[1] Antonio Nappa, M. Zubair Rafique, Juan Caballero. The MALICIA dataset: identification and analysis of drive-by
download operations <https://lirias.kuleuven.be/bitstream/123456789/464045/1/malicia_dataset.pdf>](https://image.slidesharecdn.com/apricot2017r121488291147-170307002703/85/Characteristic-of-Malware-Site-and-its-Blocking-Countermeasure-26-320.jpg)
Characteristic of Malware Site and its Blocking Countermeasure
- 1. Characteristic of Malware Site and its Blocking Countermeasure Apricot 2017 Yasuyuki Tanaka, CISSP Institute of Information Security (IISEC) NTT Communications Corporation 1
- 2. Todayʼs contents 1.Internet malicious activity and blocking trend 2.Our analytical results 3.Suggestion and discussion 2
- 3. Drive-by-download infection chain 3 Compromised Site Affiliate Advertising Attackerʼs ResourcesLegitimate Service HIY model Malware Owner Exploit Pack Developer Exploit as a Service model Pay Per Install model Malvertising model Victims
- 4. How to infect ? n Drive-by-download consists of three factors. • Landing site, Exploit site, Malware download site 4 Landing site Exploit site Malware download site Exploit site Landing site Landing site Landing site ① ② ③ ④ Victim PC
- 5. Characteristics of each site n existing in legitimate service n redirect to exploit site n short-lived n made of web attack toolkit n referrer from Landing site n short-lived n repeat run and stop n change malware n long-lived 5 Landing site Exploit site Malware download site In this paper we focused on Malware download Site.
- 6. OCN malware block service n In Feb. 2016, NTT communications started offering users of the internet service provider OCN a free malware blocker service, the first ISP in Japan to offer such a service. 6 Personal information, Credit card number, etc. Legitimate traffic Evil traffic DNS server Block ! User Attacker C&C Server DNS server based on FQDN blacklist Malware
- 7. FQDN Block vs URL Block 7 block method FQDN block URL block intelligence to use FQDN blacklist URL blacklist apply device example DNS, /etc/hosts L7 firewall pros lightweight simple detailed operation cons over blocking complexity high cost
- 8. Over blocking problem 8 http://www.aaa.com/111/222.php benign site http://www.aaa.com/aaa/z.php http://www.aaa.com/111/a.js http://www.aaa.com/111/222.exe http://www.aaa.com/yyy/zzz malicious site malicious site benign site benign site OVER BLOCKED OVER BLOCKED OVER BLOCKED
- 9. Todayʼs contents 1.Internet malicious activity and blocking trend 2.Our analytical results 3.Suggestion and discussion 9
- 10. Check Malware download URL status Malware Download Site Status Benign High Interaction Web crawler 10 Malicious Multi Anti-Virus software Active Stop every day check many Malware Download Site download file n In order to decide appropriate methods or period for blacklisting malware download site. n We check malware download site status everyday. n Total number of URLs : 43,034. n Observation Period : 1.5 years
- 11. Status record n status table • we recorded status of each URLs every day. • short stop span(url1), long stop span(url2,4). 11 DAY 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 url1 ✔ ✔ ✔ X ✔ ✔ X ✔ X ✔ ✔ ✔ X X ✔ ✔ ✔ ✔ ✔ ✔ url2 X ✔ X X X ✔ X X X X X X X ✔ X X ✔ X X X url3 ✔ ✔ ✔ X ✔ ✔ X X ✔ ✔ ✔ X X X ✔ X X ✔ X ✔ url4 X X ✔ ✔ ✔ X ✔ ✔ ✔ ✔ X X X X X X ✔ ✔ X ✔ ✔ active X stop
- 12. Malware hash record 12 n We found a certain characteristics. n malware hash table • we recorded which files downloaded. • unchanged (url1,2) • every-time changed (url3) • change occasionally (url4) DAY 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 url1 A A A A A A A A A A A A A A A url2 B B B B url3 C D F G H I J K L M N url4 O O O P O O O O O R big letter alphabet : malware’s hash
- 13. Category1 “unchanged” nhxxp://www.xunlei333.com/xl_28413.exe 13 only one sha1hash value number of malware time
- 14. Category2 “every-time changed” n hxxp://download.veterants.info/index.html?e=tnfd9&clsb=1&publ isher=11206&prv=TinyWallet&sfx=1&hid=169770297314061 96910&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&am p;ne=1&prs=4& 14 number of malware time every-time changed sha1hash value
- 15. Category3 “changed occasionally” n hxxp://proxy.piratenpartij.nl/web.icm.cn/vote/install_flash _player_active_x.exe 15 number of malware time most time same hash value different hash value sometimes
- 16. n In order to decide appropriate methods or period for blacklisting malware download site. n We defined three categories focusing on variation of malware. n We divided URLs on its definition. • UNC : unchanged • ETC : every-time changed • COC : changed occasionally n Total number of URLs : 43,034. n Observation Period : 1.5 years 16 Analytical purpose and procedure
- 17. nWe analyzed features in the three category UNC, ETC, and COC. • lifetime, revived activity, IP address resource, malware variation, etc. nWe considered the operation and resources of attackers and discussed how to mitigate these categories. 17 Analytical purpose and procedure
- 18. Lifetime and Active days definition n Lifetime • Period of first and last observation day. • here, we considered first and last only. n Active days • the number of active days. 18 our observation period : 1.5 year URL A Lifetime : 20 Active days : 4 URL B 40days ✔ 20days ✔ ✔✔ ✔ ✔✔✔ ✔✔ ✔ URL A Lifetime : 40 Active days : 7 URL B
- 19. Lifetime CDF 19 10% of UNC lives over 500 days Lifetime ETC < UNC, COC
- 20. Stop5, Stop10 definition nThe number of continuous stopped status • Stop5 : over 5days • Stop10 : over 10days 20 our observation priod : 1.5 year URL A 6days URL B 7days ✔ 13days 12days11days Stop5 : 2 Stop10 : 1 Stop5 : 3 Stop10 : 2 ✔✔ ✔✔ ✔✔ ✔✔✔✔✔
- 21. Stop5, Stop10 CDF 21 10% of COC revives over 15 times Revive activity ETC < UNC < COC
- 22. UniqIP CDF 22 2% of UNC used more than 180 IP
- 23. IP Entropy CDF 23 IP variation UNC < ETC < COC
- 24. 24 Characteristics UNC ETC COC Lifetime Longevity Short-lived Longevity Revive NA NA many times IP resource Substantial Fewer Substantial IP variation Fewer Substantial Substantial Activity NA Sparse Intensive Malware Known Known Unknown URL NA Long query part NA Characteristics and countermeasure Counterme- asure Blacklisting TBD Blacklisting
- 25. Todayʼs contents 1.Internet malicious activity and blocking trend 2.Our analytical results 3.Suggestion and discussion 25
- 26. Suggestion - What should operators do ? n Fully extermination of malicious site is the most important. n When operators received abuse reports, they should perform concrete action until malicious site disappear fully. n but according to [1], about 60%(12/19) reports were not handled properly by ISPs. • case1: no reply. • case2: enable to locate an abuse@domain in WHOIS. • case3: good case ! immediately disconnected site. • case4: forwarded to customer by ISP, but the server was still alive. 26 [1] Antonio Nappa, M. Zubair Rafique, Juan Caballero. The MALICIA dataset: identification and analysis of drive-by download operations <https://lirias.kuleuven.be/bitstream/123456789/464045/1/malicia_dataset.pdf>
- 27. Suggestion - What should ISPs do ? nTodayʼs increasing Internet use has become plagued by malicious activity such as exploit-as-a-service model. nItʼs import to consider IP or FQDN block service such as “malware block service” of NTTcom OCN. nIP or FQDN block have over blocking problem. So in addition to IP and FQDN block, it is desirable to use URL blocking. 27
- 28. 28 Personal information, Credit card number, etc. Legitimate traffic Evil traffic DNS server Block ! User Attacker C&C Serverbased on FQDN blacklist Suggestion - What should ISPs do ? L7 FW based on URL blacklist and Malware DNS server This is simple image. Only my opinion.
- 29. Discussion - FQDN, IP, and URL blocking nOur survey shows that URL blacklisting is effective for some malicious site. • UNC and COC, especially COC provide unknown malware. nURL blacklisting on ISP ? • high operation cost ? do you think realistic way? nHow about FQDN blacklisting on ISP ? • how about domain, IP address, AS ? • combination is important ? 29
- 30. 30 Thank you very much. Any question ?