catching worms, trojan horses and pups: unsupervised ... · mobogenie.exe catching worms, trojan...

BumJunKwon,VirinchiSrinivas,AmolDeshpande,TudorDumitrașUniversityofMaryland—CollegePark

1

BEEWOLFCatchingWorms,TrojanHorsesandPUPs:UnsupervisedDetecJonofSilentDeliveryCampaigns

CatchingWorms,TrojanHorsesandPUPs:UnsupervisedDetecJonofSilentDeliveryCampaigns

Host

MalwareDeliveryCampaigns

•  Businessmodel–  ChargefeesfordeliveringmalwareorPUPs

2

•  Keymethod–  OrchestrateSilentdeliverycampaigns

Downloaders DNSDomain

Payloads


SilentDeliveryCampaigns

3

Host1

Host2

Host3

DownloadersPayloadsDNS

Domains

smart.exe

downloadmanager.exe

downloadmanager2.exe

2013-11-15ppdownload.com

2013-11-22greatarcadehits.com

2013-12-05download2desktop.com

mobogenie.exe


SilentDeliveryCampaigns

4

Host1

Host2

Host3

DownloadersPayloadsDNS

Domains

smart.exe

downloadmanager.exe

downloadmanager2.exe

2013-11-15ppdownload.com

2013-11-22greatarcadehits.com

2013-12-05download2desktop.com

mobogenie.exe

IdenJfymaliciousdomains[Antonakakis+2010]Detectmalicious

downloadersontheclientside[Kwon+2015]

Malwarefamiliesdisseminated[Invernizzi+2014]MilkPUPpayloads[Caballero+2011,Thomas+2016]

PresentaJonTitle(changeonallmasters)

LockstepBehavior

5

[Beutel+2013,Cao+2014,Jiang+2015]

DownloadersDNS

Domains

•  Notdesignedforstreamingdata

•  RequireinterpreWngeventsdefinedbymulWplefeatures

•  Requireseednodes


WeIntroduceBeewolf

6

DownloadersDNS

Domains•  ProposeanunsupervisedanddeterminisWctechnique

•  Operateonastreamofdownloadevents

•  Orthogonaltotheworkthatusemachinelearning

•  RevealtheindirectrelaWonships


UnderstandingIndirectRelaJonships

7

DirectRelaWonship

IndirectRelaWonship

•  Exposehiddendependenciesintheundergroundeconomy

•  SuggestsuitableintervenWonsfordisrupWngthemalwaredelivery


Outline

•  Systemoverview•  Lockstepanalysis–  A\ribuWon–  ObservaWons

•  EvaluaWon–  Streaming

•  Conclusion

8

•  Systemoverview


SystemOverview

•  Beewolf–  Twomodes:offline/streaming–  Input:downloadeventdata–  WhitelisWng:downloadeventsfrombenigndownloaders

9


DataSet:DownloadAcJvityinTheWild

•  DownloadacWvity–  Kwonet.al.TheDropperEffectpaper(CCS’15)–  Downloadevent:downloader,secondleveldomainname(domain),payload,severWmestamp

–  Year2013

•  Groundtruthforlabeling–  VirusTotal–  NSRL(NaWonalSohwareReferenceLibrary)–  Undergroundforums,ReasonLabsknowledgebase

10


SystemOverviewCont’

•  Beewolf–  Detectlocksteppa`erns

•  Offline:fromtheenWreinputdataset•  Streaming:fromthestreamofdata

–  Fourcorecomponents•  StarDetecWon,Galaxygraph,FPtree,LockstepDetecWon

11


Goal

12

B! c b a d!

C! c b e!

A! c b a!

D! c d e!

root!DownloadersDomains

b!

c!

d!

e!

A!

B!

C!

D!

a!

Lockstep:[c,b,a][B,C,A]

Detectnear-bicliqueswithJmeconstraints


StarDetecJon

13

a!

b!

c!

d!

B!

e!

A!

C!

D!

B! c b a d!

C! c b e!

A! c b a!

D! c d e!



GalaxyGraph

14

a!

b!

c!

d!

B!

e!

A!

C!

D!

B! c b a d!

C! c b e!

A! c b a!

D! c d e!


a!

b!

c!

d!

e!

A!

B!

C!

D!


FrequentPa`ernTree

15

B! c b a d!

C! c b e!

A! c b a!

D! c d e!

a!

d!

B!

B!

B!

B!

root!

b!

c!

DownloadersDomains

a!

b!

c!

d!

e!

A!

B!

C!

D!


FrequentPa`ernTree

16

a!

b!

c!

d!

e!

A!

B!

C!

D!

B! c b a d!

C! c b e!

A! c b a!

D! c d e!

B, C, A, D!

B, C, A!

B, A!

B!

C!

D!

D!

root!

e!

d!

e!

c!

b!

a!

d!

DownloadersDomains


LockstepDetecJon

17

a!

b!

c!

d!

e!

A!

B!

C!

D!

B! c b a d!

C! c b e!

A! c b a!

D! c d e!

B, C, A, D!

B, C, A!

B, A!

B!

C!

D!

D!

root!

e!

d!

e!

c!

b!

a!

d!

CompleteBiclique:[c,b][B,C,A]


AddressingLimitaJons(1)

18

b!

c!

d!

e!

A!

B!

C!

D!

B! c b a d!

C! c b e!

A! c b a!

D! c d e!

B, C, A, D!

B, C, A!

B, A!

B!

C!

D!

D!

root!

e!

d!

e!

c!

b!

a!

d!

Lockstep:[c,b,a][B,C,A]

HeurisJcfordetecJngnear-bicliquesa!


AddressingLimitaJons(2)

19

B! c b a d!

C! c b e!

A! c b a!

D! c d e!

B, C, A, D!

B, C, A!

B, A!

B!

C!

D!

D!

root!

e!

d!

e!

c!

b!

a!

d!

a!

b!

c!

d!

e!

A!

B!

C!

D!

CompleteBiclique:[c,d,e][D]

CompleteBiclique:[c,b,e][C]

SupplementaJonphase


Outline



•  Conclusion

20


LockstepAnalysis

21

•  Beewolfinofflinemode•  Timewindow∆tof3days–  ShorterthanthetypicalreacWonWmeofdomainblacklist

•  Summary–  Locksteps:67,094


LabelbyPublisher

•  IdenWfytheorganizaWon

22

•  RepresentaJvepublisher(rep-pub)–  Apublisherthataccountsmorethan50%ofthesigneddownloadersinthelockstepex)[OutBrowse,OutBrowse,MindAdLTD]

–  CannotidenWfyrep-pub:mixed

•  CategorizaWon(rep-pub)–  PUP,PPI,benign(BN),other,mixed,unknown(UK)

OutBrowse


LabelbyPublisherResult

•  IdenWfied335rep-pubs•  InvesWgatethetop50rep-pubs•  LargeporWonofthelockstepscorrespondtotheMixedcategoryfollowedbyPUP

23

Difficulttoplaceinaspecificcategory


LabelbyPayload

•  Understandthepurposeofthelockstep•  DetecWonperformanceevaluaWon•  First,labelthedownloaderbythepayloadtheydistribute–  Malwaredownloader(MD)–  PUPdownloader(PD)–  Benigndownloader(BD)–  Unknowndownloader(UD)

24


LabelbyPayloadCont’

•  Malwaredownloaderlockstep(MDL):lockstepthatincludeatleastoneMD

•  PUPdownloaderlockstep(PDL):containsPDbutnoMD•  Unknowndownloaderlockstep(UDL):nosuspiciousdownloader

•  Benigndownloaderlockstep(BDL):nosuspiciousdownloader,containBD

25

Suspicious

Benign


LabelbyPayloadResult

26

•  Highersuccessrateinlabeling(2.33%UDLs)•  MDLoccupymorethan80%ofthetotallockstepwhileBDLarelow(4.82%)


OverlapBetweenMalwareandPUPDeliveryEcosystems

27

•  Overlapofdownloaders–  Largeoverlap

•  36.7%ofthedownloadersarepresentinbothMDLsandPDLs•  Associatedwith97.8%ofallthePDLs

•  Malsignblacklist–  1,926downloaderssignedby212publishersinlocksteps–  Involvedin66.8%ofMDLsand37.2%ofPDLs

ManyPUPpublishersarelikelyinvolvedinmalwaredelivery


OverlapBetweenMalwareandPUPDeliveryEcosystemsCont’

28

•  RecentmeasurementsofcommercialPPIs(Kotzias+2016,Thomas+2016)–  DidnotfindsubstanWaloverlap

•  KeydisWncWon–  GeographicaldistribuWon

•  Hostsfrom72differentcountries

–  DifferentobservaWonperiod/malwareset–  LockstepsdetectindirectrelaWonships

•  UWlizeunsigneddownloadersformaliciouspayloads


BusinessRelaJonships

29

•  Publishersappearingtogetherinlocksteps–  UWlizethesameserversideinfrastructure

•  ReflectsarelaWonshipamongthecorrespondingdistribuWonnetworks

–  TwodifferentpublisherrelaWonships•  Partner:downloadersindownloaded-byrelaWonship•  Neighbor:NodirectdownloadrelaWonship

–  OrganizaWonthatusemulWplecodesigningcerWficate–  RelaWonshipswithacommonthirdparty


BusinessRelaJonshipsCont’

30

•  BusinessrelaWonshipgraphoftop13rep-pubs–  Node:publisher–  Edge:businessrelaWonship

PUP,PPI,benign(BN),other


BusinessRelaJonshipsCont’

31

•  Example–  OutbrowseLTD

•  AdverWsersortheaffiliatesoftheOutbrowsePPI

•  Variantsoftherep-pub’scerWficate

ExposeorganizaJonsuJlizingcerJficatepolymorphism

OrganizaJonssharingthesamethirdpartyinfrastructure

PUP,PPI,benign(BN),other


Outline



•  Conclusion

32


StreamingSetup

33

•  BatchofDownloadeventsfromtheyear2013–  DownloadeventsinWmewindowΔt=3daysperbatch–  122batchintotal–  CheckthecomputaWoncost(Wme)growth


StreamingPerformance:Serial

34


StreamingPerformance:Serial

35

Slowdown:7.7s/batch Upto20min

OverheadofsupplementaJonphase


StreamingPerformance:OpJmalParallelism

36

Slowdown:0.1s/batch

SupplementaJonprocessesareindependent=>Runinparallel


Outline


•  EvaluaWon–  DetecWonperformance–  Streaming

•  Conclusion

37


Conclusion•  WeintroduceBeewolf–  UnsupervisedanddeterminisWcsystem,operatesonstreamofdata

–  DiscoverindirectrelaWonships(reflectPUP/malwareoverlap)

•  ImplicaWonbeyondmalwaredetecWon–  BeewolfcandetectotherkindsofcoordinatedacWons(Beaconing,C&CcommucaWon,posWnginSNS)

•  Datarelease–  h\p://www.beewolf.org

38

Thankyou!

PresentaJonTitle(changeonallmasters)

[email protected]\p://www.beewolf.org

39

CatchingWorms,TrojanHorsesandPUPs:UnsupervisedDetecJonofSilentDeliveryCampaigns 40


TheDetecJonLag

•  Downloaders–  Downloadingisnotasignofinherentlymaliciousintent–  Signeddownloaders

41

AnJvirusDetecJonLag

Average71.6daysbeforediscovery


DetecJonPerformance

42

MDL 54,497(81.22%)

PDL 7,800(11.63%)

BDL 3,231(4.82%)

UDL 1,566(2.33%)

FalseposiJvefewerthan5%

TrueposiJve(suspiciouslocksteps)accountfor92.85%oflocksteps


DetecJonLeadTime

43

•  Howearlywecandetectsuspiciousdownloadersordomainsthatarepreviouslyunknown?–  Downloaders:detectunknownexecutablesinlockstepbeforetheirfirstsubmissiontoVirusTotal

mediandetecJonleadJmeof165days


DetecJonLeadTimeCont’

44

•  Howearlywecandetectsuspiciousdownloadersordomainsthatarepreviouslyunknown?–  Downloaders:detectunknownexecutablesinlockstepbeforetheirfirstsubmissiontoVirusTotal

–  Domains:flagunknowndomainsinlockstepbeforelistedtopublicURLblacklists

mediandetecJonleadJmeof196days


FrequentPa`ernTree(1)

45

a!

b!

c!

d!

e!

A!

B!

C!

D!

2

3

4

2

2

3

4

3

3

•  Pre-setup–  Bipartitegraphofdownloadersandsecondleveldomainnames(domains)

Getthedegreeforthenodes

LHN RHN



46

a!

b!

c!

d!

e!

A!

B!

C!

D!

B! c b a d!

C! c b e!

A! c b a!

D! c d e!

2

3

4

2

2

3

4

3

3

•  Adjacencylist–  Sortedindegree-descendingorder(FirstsortRHNs,thenforeachRHNsortitsneighborLHNs)


a!

d!

C!

B, C!

B,C!

B!

B!


47

B! c b a d!

C! c b e!

A! c b a!

D! c d e!

B!

B!

B!

B!

root!

e!

b!

c!

CreatetherootofanFP-treePerforminserJon(node:LHN)1)Notthechild:insertaschild2)AddtheRHNtothevisitedlist



48

B! c b a d!

C! c b e!

A! c b a!

D! c d e!

B, C, A, D!

B, C, A!

B, A!

B!

C!

D!

D!

root!

e!

d!

e!

c!

b!

a!

d!

PerforminserJon(node:LHN)1)Notthechild:insertaschild2)AddtheRHNtothevisitedlist

C!

B,C!

B,C!

B, A!

B!



49

B, C, A, D!

B, C, A!

B, A!

B!

C!

D!

D!

root!

e!

d!

e!

c!

b!

a!

d!Lockstep: [c,b,a] [B,A]!

Lockstep: [c,b] [B,C,A]!


Outline•  DetecWngsilentdeliverycampaigns–  Lockstepbehavior–  Howtodetectlocksteps:Frequentpa\erntree–  Dataset–  Lockstepa\ribuWon

•  System•  SilentdistribuWoncampaigns–  ProperWesoflocksteps–  OverlapbetweenmalwareandPUPdeliveryecosystems–  BusinessrelaWonships

•  EvaluaWon•  Conclusion

50


LockstepBehaviors

•  Lockstepbehavior–  Downloader-Domaininteraction–  Temporalpattern:accessthesamedomainwithinaboundedtimeperiod∆t

–  Coordinateddownloadsthatdonotexperiencerandomdelays

51

MINIBAR-!MASTER.EXE!

BI_RUN!ONCE.EXE!

At t = [0, ∆t]!

bigspeedpro.com!

BISEHUP!35464.EXE!

2013-01-06!

At t = [3δt, ∆t + 3δt]!

bispd.com!2013-01-13!

At t = [6δt,∆t + 6δt]!

2013-01-24!cloudfront.net!

Lockstep

Lockstepbehaviorexposesremotelycontrolleddownloadersandrevealsthedomainsinvolvedinsubsequentcampaigns



52

a!

b!

c!

d!

e!

A!

B!

C!

D!

•  Pre-setup–  Bipartitegraphofdownloadersandsecondleveldomainnames(domains)

LHN RHN



53

a!

b!

c!

d!

e!

A!

B!

C!

D!

B! c b a d!

C! c b e!

A! c b a!

D! c d e!

2

3

4

2

2

3

4

3

3

•  Adjacencylist–  Sortedindegree-descendingorder


a!

d!

C!

B, C!

B,C!

B!

B!


54

B! c b a d!

C! c b e!

A! c b a!

D! c d e!

B!

B!

B!

B!

root!

e!

b!

c!

CreatetherootofanFP-treePerforminserJon(node:LHN)1)Notthechild:insertaschild2)AddtheRHNtothevisitedlist

VisitedListofc



55

B! c b a d!

C! c b e!

A! c b a!

D! c d e!

B, C, A, D!

B, C, A!

B, A!

B!

C!

D!

D!

root!

e!

d!

e!

c!

b!

a!

d!

PerforminserJon(node:LHN)1)Notthechild:insertaschild2)AddtheRHNtothevisitedlist



56

B, C, A, D!

B, C, A!

B, A!

B!

C!

D!

D!

root!

e!

d!

e!

c!

b!

a!

d!Lockstep: [c,b,a] [B,A]!

Lockstep: [c,b] [B,C,A]!


HowtoDetectSilentDeliveryCampaignsCont’

57

Lockstepbehavior:•  Coordinateddownloadswithoutrandomdelays

•  Downloaders-domainsinnear-bicliques

DownloadersDNS

Domains

Remotelycontrolleddownloadersandthedomainsinvolvedinsubsequentcampaigns


StarDetecJon

•  DetectStars–  CompletebiparWtegraphofasingledomainandatleast2downloaders

–  Starcorrespondstotherowoftheadjacencylist•  CollectallstarswithinWmewindow∆t–  Foreachdomain,aggregatetheadjacentdownloaders

58


GalaxyGraph

•  BiparWtegraphofsetofstars•  Updatethegalaxygraphincrementally–  Foreachstar,addthecentralnodeanditsadjacentnodestothegraph

–  DiscardifthestarisasubsetofsomeexisWngstar

59


FPTree

•  LimitaWons–  Doesnotreturnnear-bicliques•  HeurisWcfordetecWngnear-bicliques

60

–  Missespartofcompletebicliques•  IndependentsupplementaJonphase


LockstepDetecJon

•  TraversetheFPtreefromtherootandcollectallthelocksteps

•  AssignidenWfierstothedetectedlocksteps

61

catching worms, trojan horses and pups: unsupervised ... · mobogenie.exe catching worms, trojan...

Documents