Stealthy malware traffic - Not as innocent as it looks

Malware is constantly evolving. Although existing countermeasures succeed at detecting malware, counter-countermeasures keep emerging in response. This study presents a counter-countermeasure that evades network-based detection by camouflaging malicious traffic as an innocuous protocol. The approach has two steps: traffic format transformation and side-channel massage (SCM). Format-transforming encryption (FTE) rewrites the protocol syntax so that it mimics another, innocuous protocol, while SCM obscures the traffic side-channels (such as packet size and timing) that remain after the syntax is changed. The approach is illustrated by transforming Zeus botnet (Zbot) command and control (C&C) traffic into smart grid Phasor Measurement Unit (PMU) data. The experimental results show that Wireshark identifies the transformed traffic as the synchrophasor protocol and that the transformed traffic defeats current side-channel analysis. Moreover, a real smart grid Phasor Data Concentrator (PDC) accepts the false PMU data.
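The two steps above, as an added worked example that is not the paper's code: opaque C&C ciphertext is placed in the measurement fields of well-formed IEEE C37.118 data frames (format transformation), and every frame is emitted at the same size and at a fixed reporting rate with random filler when no real data is pending (side-channel massage); the receiver validates SYNC, FRAMESIZE and the CRC-CCITT CHK field as a PDC would before unwrapping. The PMU IDCODE 7734, the 30 fps rate, the 1 us TIME_BASE, the layout of four 16-bit integer phasors plus integer FREQ/DFREQ, the 16-bit length prefix used to delimit a message, and the sample record are all assumptions made for this illustration; the abstract does not give the paper's own field mapping. A real PDC also compares each data frame against the CFG-2 configuration frame it was sent, which this example does not generate, so the configuration frame would have to declare exactly this layout.

```python
# Added example (not the paper's code): wrap opaque C&C ciphertext in IEEE C37.118
# synchrophasor data frames whose size and timing match a fixed-rate PMU stream,
# then validate and unwrap them as a PDC would. All constants are assumptions.
import os
import struct

SYNC_DATA_FRAME = 0xAA01    # 0xAA, then frame type 0 (data frame), version 1
IDCODE = 7734               # constructed PMU identifier (assumption)
TIME_BASE = 1_000_000       # FRACSEC resolution (1 us), as the PMU's config frame would declare
DATA_RATE = 30              # frames per second, a common PMU reporting rate
NUM_PHASORS = 4             # 16-bit rectangular integer phasors, 4 bytes each (assumption)
PAYLOAD_BYTES = NUM_PHASORS * 4 + 2 + 2       # PHASORS + FREQ + DFREQ fields carry the ciphertext
HEADER = struct.Struct(">HHHIIH")             # SYNC, FRAMESIZE, IDCODE, SOC, FRACSEC, STAT
FRAME_SIZE = HEADER.size + PAYLOAD_BYTES + 2  # plus the 2-byte CHK trailer


def crc_ccitt(data: bytes) -> int:
    """CRC-CCITT as used for the C37.118 CHK field: poly 0x1021, init 0xFFFF, no reflection."""
    crc = 0xFFFF
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_frame(payload: bytes, seq: int, soc: int) -> bytes:
    """One data frame whose measurement fields hold exactly PAYLOAD_BYTES of opaque data."""
    if len(payload) != PAYLOAD_BYTES:
        raise ValueError("payload must fill the measurement fields exactly")
    # Timestamps advance like a real DATA_RATE stream; FRACSEC < 2**24 leaves the
    # time-quality byte (top byte of FRACSEC) at 0, i.e. "clock locked".
    fracsec = (seq % DATA_RATE) * (TIME_BASE // DATA_RATE)
    body = HEADER.pack(SYNC_DATA_FRAME, FRAME_SIZE, IDCODE,
                       soc + seq // DATA_RATE, fracsec, 0x0000) + payload
    return body + struct.pack(">H", crc_ccitt(body))


def to_pmu_stream(ciphertext: bytes, soc: int, min_frames: int = 0):
    """Format transformation plus side-channel massage.

    Every frame is FRAME_SIZE bytes and is scheduled 1/DATA_RATE s after the previous
    one, however much ciphertext is pending; an idle channel still emits min_frames
    frames of random filler.  Returns a list of (send_offset_seconds, frame).
    """
    if len(ciphertext) > 0xFFFF:
        raise ValueError("length prefix is 16 bits; split larger messages")
    data = struct.pack(">H", len(ciphertext)) + ciphertext
    n = max(min_frames, -(-len(data) // PAYLOAD_BYTES))      # ceil division
    data += os.urandom(n * PAYLOAD_BYTES - len(data))         # filler is indistinguishable from ciphertext
    return [(i / DATA_RATE, build_frame(data[i * PAYLOAD_BYTES:(i + 1) * PAYLOAD_BYTES], i, soc))
            for i in range(n)]


def parse_frame(frame: bytes):
    """Check the frame the way a PDC does (SYNC, FRAMESIZE, CHK) and return its fields."""
    if len(frame) < HEADER.size + 2:
        raise ValueError("short frame")
    sync, size, idcode, soc, fracsec, stat = HEADER.unpack_from(frame)
    if sync != SYNC_DATA_FRAME or size != len(frame):
        raise ValueError("not a C37.118 data frame")
    (chk,) = struct.unpack(">H", frame[-2:])
    if chk != crc_ccitt(frame[:-2]):
        raise ValueError("CHK mismatch")
    return idcode, soc, fracsec, stat, frame[HEADER.size:-2]


def from_pmu_stream(frames) -> bytes:
    """Receiver side: concatenate the measurement fields and strip the filler."""
    data = b"".join(parse_frame(f)[4] for f in frames)
    (length,) = struct.unpack(">H", data[:2])
    return data[2:2 + length]


if __name__ == "__main__":
    # Constructed stand-in for an already-encrypted Zbot C&C record.
    record = b"constructed zbot C&C record " * 3
    stream = to_pmu_stream(record, soc=1_700_000_000, min_frames=10)
    print(len(stream), "frames of", FRAME_SIZE, "bytes at", DATA_RATE, "fps")
    print(from_pmu_stream([f for _, f in stream]) == record)
```

The send offsets are returned rather than slept on so the schedule can be inspected; a sender would pace transmission by them. Note what a defender is left with once size and timing are flattened: only the frame contents, which to a parser are plausible integer phasors and to a CRC check are valid, so detection has to come from context such as whether this IDCODE and source address belong on the synchrophasor network at all.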
