Malware Mitigation and Remediation Strategies

In today’s Internet-connected environment, there is no doubt that the web is the main attack vector for cybercriminals, and the huge number of new threats appearing every day suggests this situation is not going to change anytime soon. Many of the most malicious attacks start as an apparently innocuous spam message containing a few badly spelled words and a single URL. Such messages often fool classical spam engines, which probably simply look for keywords. All it takes is one distracted or curious click of the mouse and the site is visited: a web attack is launched or a malicious payload is downloaded, probably providing remote access to the user’s computer, and maybe to the internal network. Through the Internet, criminals control networks of such compromised computers, called botnets, and use them to commit a multitude of frauds and thefts. Furthermore, botnets provide bandwidth, which is used to launch distributed denial-of-service (DDoS) attacks and to send unsolicited email (spam), as well as IP address diversity, which makes IP address-based blocking strategies ineffective. The spam emails sent during those attacks are themselves attack vectors, used to deceive people into entering login credentials (phishing), installing malicious software (malware), or sharing bank account information (scams). And so the cycle repeats: email-related threats create new botnet hordes, which are able to launch a flood of spam to drown our mailboxes.

Recently, botnets have become more resistant to discovery and counter-measures through the adoption of particular techniques, one of which is named fast-flux. This dissertation presents FluXOR, the system we developed to detect and monitor fast-flux service networks. FluXOR’s monitoring and detection strategies rely entirely on the analysis of a set of features observable from the point of view of a victim of the scams perpetrated through the botnets. The
