MALPITY: Automatic Identification and Exploitation of Tarpit Vulnerabilities in Malware

Law enforcement agencies regularly take down botnets as the ultimate defense against global malware operations. By arresting malware authors, and simultaneously infiltrating or shutting down a botnet's network infrastructures (such as C2 servers), defenders stop global threats and mitigate pending infections. In this paper, we propose malware tarpits, an orthogonal defense that does not require seizing botnet infrastructures, and at the same time can also be used to slow down malware spreading and infiltrate its monetization techniques. A tarpit is a network service that causes a client to stay busy with a network operation. Our work aims to automatically identify network operations used by malware that will block the malware either forever or for a significant amount of time. We describe how to non-intrusively exploit such tarpit vulnerabilities in malware to slow down or, ideally, even stop malware. Using dynamic malware analysis, we monitor how malware interacts with the POSIX and Winsock socket APIs. From this, we infer network operations that would have blocked when provided certain network inputs. We augment this vulnerability search with an automated generation of tarpits that exploit the identified vulnerabilities. We apply our prototype MALPITY on six popular malware families and discover 12 previously-unknown tarpit vulnerabilities, revealing that all families are susceptible to our defense. We demonstrate how to, e.g., halt Pushdo's DGA-based C2 communication, hinder SalityP2P peers from receiving commands or updates, and stop Bashlite's spreading engine.

[1]  David Brumley,et al.  BYTEWEIGHT: Learning to Recognize Functions in Binary Code , 2014, USENIX Security Symposium.

[2]  Wenke Lee,et al.  Ether: malware analysis via hardware virtualization extensions , 2008, CCS.

[3]  tobias. eggendorfer Reducing spam to 20 % of its original value with a SMTP tar pit simulator , 2007 .

[4]  Vitaly Shmatikov,et al.  Inputs of Coma: Static Detection of Denial-of-Service Vulnerabilities , 2009, 2009 22nd IEEE Computer Security Foundations Symposium.

[5]  Koushik Sen,et al.  WISE: Automated test generation for worst-case complexity , 2009, 2009 IEEE 31st International Conference on Software Engineering.

[6]  Zhenkai Liang,et al.  BitScope: Automatically Dissecting Malicious Binaries , 2007 .

[7]  Gianluca Stringhini,et al.  Master of Puppets: Analyzing And Attacking A Botnet For Fun And Profit , 2015, ArXiv.

[8]  Christopher Krügel,et al.  AccessMiner: using system-centric models for malware protection , 2010, CCS '10.

[9]  Christopher Krügel,et al.  Efficient Detection of Split Personalities in Malware , 2010, NDSS.

[10]  Christopher Krügel,et al.  Effective and Efficient Malware Detection at the End Host , 2009, USENIX Security Symposium.

[11]  Herbert Bos,et al.  Prudent Practices for Designing Malware Experiments: Status Quo and Outlook , 2012, 2012 IEEE Symposium on Security and Privacy.

[12]  Stefan Savage,et al.  Manufacturing compromise: the emergence of exploit-as-a-service , 2012, CCS.

[13]  Roberto Perdisci,et al.  From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware , 2012, USENIX Security Symposium.

[14]  Adrian Perrig,et al.  Remote detection of virtual machine monitors with fuzzy benchmarking , 2008, OPSR.

[15]  Tim Hunter,et al.  Distributed Tarpitting: Impeding Spam Across Multiple Servers , 2003, LISA.

[16]  Felix C. Freiling,et al.  Toward Automated Dynamic Malware Analysis Using CWSandbox , 2007, IEEE Secur. Priv..

[17]  Vinod Yegneswaran,et al.  On the Design and Use of Internet Sinks for Network Abuse Monitoring , 2004, RAID.

[18]  Dawson R. Engler,et al.  KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[19]  Christopher Krügel,et al.  Exploring Multiple Execution Paths for Malware Analysis , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[20]  Guofei Gu,et al.  BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection , 2008, USENIX Security Symposium.

[21]  Guofei Gu,et al.  BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic , 2008, NDSS.

[22]  Zhuoqing Morley Mao,et al.  Automated Classification and Analysis of Internet Malware , 2007, RAID.

[23]  Christian Rossow,et al.  ProVeX: Detecting Botnets with Encrypted Command and Control Channels , 2013, DIMVA.

[24]  Vinod Yegneswaran,et al.  BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation , 2007, USENIX Security Symposium.

[25]  Herbert Bos,et al.  SoK: P2PWNED - Modeling and Evaluating the Resilience of Peer-to-Peer Botnets , 2013, 2013 IEEE Symposium on Security and Privacy.

[26]  Vern Paxson,et al.  Measuring Pay-per-Install: The Commoditization of Malware Distribution , 2011, USENIX Security Symposium.

[27]  Michalis Polychronakis,et al.  Spotless Sandboxes: Evading Malware Analysis Systems Using Wear-and-Tear Artifacts , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[28]  Tsutomu Matsumoto,et al.  SandPrint: Fingerprinting Malware Sandboxes to Provide Intelligence for Sandbox Evasion , 2016, RAID.

[29]  Felix C. Freiling,et al.  Walowdac - Analysis of a Peer-to-Peer Botnet , 2009, 2009 European Conference on Computer Network Defense.

[30]  James C. King,et al.  Symbolic execution and program testing , 1976, CACM.

[31]  Christopher Krügel,et al.  Limits of Static Analysis for Malware Detection , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[32]  Yi Zhou,et al.  Understanding the Mirai Botnet , 2017, USENIX Security Symposium.

[33]  Christopher Krügel,et al.  JACKSTRAWS: Picking Command and Control Connections from Bot Traffic , 2011, USENIX Security Symposium.

[34]  Johannes Bader,et al.  A Comprehensive Measurement Study of Domain Generating Malware , 2016, USENIX Security Symposium.

[35]  Christopher Krügel,et al.  Your botnet is my botnet: analysis of a botnet takeover , 2009, CCS.

[36]  Brent ByungHoon Kang,et al.  Tumbling Down the Rabbit Hole: Exploring the Idiosyncrasies of Botmaster Systems in a Multi-Tier Botnet Infrastructure , 2010, LEET.

[37]  Vitaly Chipounov,et al.  Selective Symbolic Execution , 2009 .

[38]  Giovanni Vigna,et al.  When Malware is Packin’ Heat , 2018 .