AUTOPROBE: Towards Automatic Active Malicious Server Probing Using Dynamic Binary Analysis

Malware continues to be one of the major threats to Internet security. In the battle against cybercriminals, accurately identifying the underlying malicious server infrastructure (e.g., C&C servers for botnet command and control) is of vital importance. Most existing passive monitoring approaches cannot keep up with the highly dynamic, ever-evolving malware server infrastructure. As an effective complementary technique, active probing has recently attracted attention due to its high accuracy, efficiency, and scalability (even to the Internet level). In this paper, we propose Autoprobe, a novel system to automatically generate effective and efficient fingerprints of remote malicious servers. Autoprobe addresses two fundamental limitations of existing active probing approaches: it supports pull-based C&C protocols, used by the majority of malware, and it generates fingerprints even in the common case when C&C servers are not alive during fingerprint generation. Using real-world malware samples we show that Autoprobe can successfully generate accurate C&C server fingerprints through novel applications of dynamic binary analysis techniques. By conducting Internet-scale active probing, we show that Autoprobe can successfully uncover hundreds of malicious servers on the Internet, many of them unknown to existing blacklists. We believe Autoprobe is a great complement to existing defenses, and can play a unique role in the battle against cybercriminals.

[1]  Niels Provos,et al.  ScanSSH: Scanning the Internet for SSH Servers , 2001, LISA.

[2]  Dawn Xiaodong Song,et al.  Fig: Automatic Fingerprint Generation , 2007, NDSS.

[3]  Christopher Krügel,et al.  Exploring Multiple Execution Paths for Malware Analysis , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[4]  Konrad Rieck,et al.  Botzilla: detecting the "phoning home" of malicious software , 2010, SAC '10.

[5]  Tzi-cker Chiueh,et al.  A Forced Sampled Execution Approach to Kernel Rootkit Identification , 2007, RAID.

[6]  Helen J. Wang,et al.  Discoverer: Automatic Protocol Reverse Engineering from Network Traces , 2007, USENIX Security Symposium.

[7]  Vinod Yegneswaran,et al.  BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation , 2007, USENIX Security Symposium.

[8]  Christopher Krügel,et al.  Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries , 2010, 2010 IEEE Symposium on Security and Privacy.

[9]  Guofei Gu,et al.  CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers , 2014, NDSS.

[10]  Xuxian Jiang,et al.  Automatic Protocol Format Reverse Engineering through Context-Aware Monitored Execution , 2008, NDSS.

[11]  Christopher Krügel,et al.  Effective and Efficient Malware Detection at the End Host , 2009, USENIX Security Symposium.

[12]  Stephen McCamant,et al.  Differential Slicing: Identifying Causal Execution Differences for Security Applications , 2011, 2011 IEEE Symposium on Security and Privacy.

[13]  David Brumley,et al.  All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask) , 2010, 2010 IEEE Symposium on Security and Privacy.

[14]  Vinod Yegneswaran,et al.  Active Botnet Probing to Identify Obscure Command and Control Channels , 2009, 2009 Annual Computer Security Applications Conference.

[15]  Sally Floyd,et al.  Identifying the tcp behavior of web servers , 2000, SIGCOMM 2000.

[16]  James Newsome,et al.  Dynamic Taint Analysis for Automatic Detection, Analysis, and SignatureGeneration of Exploits on Commodity Software , 2005, NDSS.

[17]  Guofei Gu,et al.  TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection , 2010, 2010 IEEE Symposium on Security and Privacy.

[18]  Zhenkai Liang,et al.  Polyglot: automatic extraction of protocol message format using dynamic binary analysis , 2007, CCS '07.

[19]  Christopher Krügel,et al.  Prospex: Protocol Specification Extraction , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[20]  Christopher Krügel,et al.  Automatic Network Protocol Analysis , 2008, NDSS.

[21]  Stephen McCamant,et al.  DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation , 2011, NDSS.

[22]  Eric Wustrow,et al.  ZMap: Fast Internet-wide Scanning and Its Security Applications , 2013, USENIX Security Symposium.

[23]  Christopher Krügel,et al.  PeerPress: utilizing enemies' P2P strength against them , 2012, CCS.

[24]  Stephen McCamant,et al.  Binary Code Extraction and Interface Identification for Security Applications , 2009, NDSS.

[25]  Niels Provos,et al.  Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority , 2008, NDSS.

[26]  Eric Wustrow,et al.  Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices , 2012, USENIX Security Symposium.

[27]  Stephen McCamant,et al.  Loop-extended symbolic execution on binary programs , 2009, ISSTA.

[28]  Dawn Xiaodong Song,et al.  Dispatcher: enabling active botnet infiltration using automatic protocol reverse-engineering , 2009, CCS.

[29]  Ofir Arkin A Remote Active OS Fingerprinting Tool Using ICMP , 2002, login Usenix Mag..