C3PO: Large-Scale Study Of Covert Monitoring of C&C Servers via Over-Permissioned Protocol Infiltration

Current techniques for monitoring botnets ahead of disruption or takedown are likely either to gather inaccurate data about the botnet or to be detected by C&C orchestrators. Seeking a covert and scalable solution, we look to an evolving pattern in modern malware that integrates standardized over-permissioned protocols, thereby exposing privileged access to C&C servers. We implement techniques to detect and exploit these protocols from over-permissioned bots for covert C&C server monitoring. Our empirical study of 200k malware samples captured since 2006 revealed 62,202 over-permissioned bots (nearly 1 in 3) and 443,905 C&C monitoring capabilities, with a steady increase in over-permissioned protocol use over the last 15 years. Given their ubiquity, we conclude that even though over-permissioned protocols allow for C&C server infiltration, the efficiency and ease of use they provide continue to make them prevalent in the malware operational landscape. This paper presents C3PO, a pipeline that enables our study and empowers incident responders to automatically identify over-permissioned protocols, infiltration vectors to spoof bot-to-C&C communication, and C&C monitoring capabilities that guide covert monitoring post-infiltration. Our findings suggest that the over-permissioned protocol weakness provides a scalable approach to covertly monitoring C&C servers, which is a fundamental enabler of botnet disruptions and takedowns.
