Heuristics for Detecting Botnet Coordinated Attacks


IPSJ Journal Vol. 51, No. 9, pp. 1600–1609 (Sep. 2010)

Heuristics for Detecting Botnet Coordinated Attacks

Kazuya Kuwabara (1), Hiroaki Kikuchi (1), Masato Terada (2) and Masashi Fujiwara (2)

(1) Graduate School of Engineering, Tokai University
(2) Hitachi Ltd.

Abstract. This paper studies the analysis of the CCC DATAset 2009, consisting of connection data observed by 94 decoy computers, called honeypots, in order to clarify the behaviour of malware downloads and port-scans. Based on the analysis, it is found that several malicious servers often coordinate to attack a single target host by sending some kinds of malware. This behaviour, observed particularly in botnets, is defined as a coordinated attack. The paper proposes heuristic techniques for the detection of coordinated attacks and reports the accuracy of the proposed heuristics.

1. Introduction

[Japanese body text not preserved in extraction. Surviving terms: MW (malware), DL (download), IRC, DNS, WORM_SWTYMLAI.CD (WO3), DoS, SMTP, s4; a five-item numbered list whose items were lost; citations 1)–8).]

Footnote: IRC = Internet Relay Chat.

(c) 2010 Information Processing Society of Japan

Related work cited: BotHunter 9), BotSniffer 10). Footnote: C&C = Command and Control.

2. Dataset

2.1 [Japanese text not preserved.] Surviving facts: the CCC DATAset 2009 consists of connection data from 94 honeypots captured with tcpdump/libpcap 11); honeypot OS: Windows 2000 and Windows XP; the data is divided into time slots (slot ID 0, ..., 145 per Table 3); 200 MW downloads are counted in total (Table 4). The footnote on this page mentions Windows XP and NTP.

Table 1  List of MWs observed for two days.
(Headers as printed: MW, abbreviation, UH, DL, protocol; the remaining Japanese headers were lost, and rows with fewer values contain blank cells whose position cannot be recovered.)

MW                 Abbr.  Values as printed   Protocol
PE_VIRUT.AV        PE1    8   91   18         TCP
PE_BOBAX.AK        PE2    1   4    4          TCP
PE_VIRUT.AT        PE3    1   1               TCP
BKDR_POEBOT.GN     BK1    1   30              TCP
BKDR_MYBOT.AH      BK2    1   1    6          UDP
BKDR_RBOT.ASA      BK3    4   5               UDP
TROJ_AGENT.ARWZ    TR1    1   6               TCP
TROJ_BUZUS.AGB     TR2    1   24              TCP
WORM_ALLAPLE.IK    WO1    1   1               TCP
WORM_POEBOT.AX     WO2    1   1               TCP
WORM_SWTYMLAI.CD   WO3    1   27              TCP
WORM_AUTORUN.CZU   WO4    1   3               TCP
WORM_IRCBOT.CHZ    WO5    1   1               TCP
UNKNOWN            UK     1   5               TCP

Table 2  Attack patterns for each single MW.
(Headers as printed: MW, s4, r2, DoS, SMTP; the sixth column header was lost.)

MW                 s4   r2   DoS  SMTP  (header lost)
PE_VIRUT.AV        18   1    0    0     91
PE_BOBAX.AK        4    0    3    3     4
BKDR_POEBOT.GN     6    0    0    0     30
WORM_SWTYMLAI.CD   24   1    3    3     27
TROJ_BUZUS.AGB     24   1    0    0     24

Table 3  List of characteristics used to classify.

slot        ID (0, ..., 145)
P_I, P_O    [pkt]
MZ          string "MZ"
PE          string "PE"
DOS         string "!This program cannot be run in DOS mode."
win         string "windows Program"
N, J        IRC commands NICK, JOIN
ip1         "#las6 * ipscan s.s.s.s dcom2 -s"
ip2         "#last * ipscan s.s.s.s dcom2 -s"
ST          (s2, s3, s4, r3)
DL
MW

2.2 [Japanese text not preserved.] The characteristics P_I, P_O and the strings of Table 3 are extracted with Network Grep 12); s4 and r3 are scan types; MW names follow 11); UNKNOWN MW is present in the CCC DATAset 2009.

3. Heuristics

3.1 [Japanese text not preserved.] Of the 145 slots, 58 are concerned. Rules 1–5 describe the coordinated download pattern, Rules 6–8 the MW behaviour, and Rules 9 and 10 further features.

3.2 [Japanese text not preserved.] Surviving terms: DL servers S_1, S_2, S_3 for the three MWs; times t_0, t_2, t_4; Rule 1 (PE, TROJ and WORM downloads); C&C server S_0 via IRC with NICK and JOIN (Rule 2).

Table 4  Characteristic values for slot (snipped).
(Headers as printed: slot, P_I, P_O, MZ, PE, DOS, N, J, ip1, ip2, ST(s4), MW. Rows are given as printed because the column boundaries for blank cells were lost.)

0    276    17,774   9  13  3  1  1        1  1  1  PE1 TR2 WO3  1
1    61     352      0  4   0  0
2    7,488  178,491  10 16  3  1  ip2  1  1  1  WO1 PE1 TR2 WO3  1
3    350    240,148  12 10  4  1  ip2  1  1  1  PE1 TR2 WO3 PE1  1
4    2      55       0  0   0  0
5    5      59       0  0   0  0
14   354    135,725  9  10  3  1  ip1  3  1  1  BK1 TR2 WO3  2
55   822    179,581  21 16  7  1  ip1  2  1  1  BK1 WO3 TR2 BK1  4
46   379    791      0  0   0  1  BK2
83   571    74,286   15 15  5  1        1  1  PE1 2 TR2 WO3  1
139  450    96,211   13 18  3  1  ip2  1  1  1  PE2 WO4 WO3  3
140  691    101,877  21 24  5  1  ip2  1  1  1  PE2 WO4 WO3  3
total  44,452   3,038,276  691   966   219   60    33    28    58   200
ave    306.57   20,953.63  4.77  6.66  1.51  0.41  0.23  0.19  0.4  1.38

Table 5  List of rules for feature of coordinated attacks.
(The Japanese rule descriptions were lost; only the keywords of each rule survive.)

Rule 1   PE_VIRUT.AV, WORM_SWTYMLAI.CD, TROJ_BUZUS.AGB
Rule 2   WORM_SWTYMLAI.CD, TROJ_BUZUS.AGB, JOIN
Rule 3   WORM_SWTYMLAI.CD, TROJ_BUZUS.AGB, DL
Rule 4   PE_VIRUT.AV
Rule 5   WORM_SWTYMLAI.CD, TROJ_BUZUS.AGB, port 80
Rule 6   PE_VIRUT.AV, DL
Rule 7   IRC JOIN
Rule 8   256
Rule 9   MZ, PE, TCP
Rule 10  UDP, win, TFTP, IRC JOIN

ΔT_1 = t_2 − t_1
ΔT_2 = t_4 − t_2

[Japanese text not preserved.] Surviving terms: the DL server IP of PE_VIRUT.AV versus the DL server IPs of WORM_SWTYMLAI.CD and TROJ_BUZUS.AGB (Rule 3); PE_VIRUT.AV (Rule 4); TROJ_BUZUS.AGB and WORM_SWTYMLAI.CD on port 80 (Rule 5); 58 slots; Table 7.

Table 7  All patterns of coordinated attacks and statistics.
(Headers as printed: ID, ΔT_1; the other headers were lost. The slot lists and counts are as printed; the two ΔT_1 values per pattern are reproduced without their lost labels.)

ID  MW            Slots                                                n   ΔT_1 values       Scan / port
1   PE1 TR2 WO3   0 2 3 16 29 30 50 60 63 69 70 71 83 94 100 130 132  17  127.24  158.75    s4 135
2   BK1 TR2 WO3   14 55 56 124 125 126                                 6   176.4   147.36    s4 135
3   PE2 WO4 WO3   139 140 141                                          3   253.25  176.25    s4, DoS, SMTP 135
4   WO1           (as printed: 2 1 r3 139 445 6 1)

Table 6  Connections of coordinated attack pattern #1.
(Headers as printed: srcip, dstport, MW; the first two column headers were lost and are given here as slot and time.)

slot  time     srcip          dstport  MW
0     0:02:11  124.86.A1.B1   47,556   PE_VIRUT.AV
0     0:03:48  67.215.C1.D1   80       TROJ_BUZUS.AGB
0     0:03:48  72.10.E1.F1    80       WORM_SWTYMLAI.CD
2     0:36:46  124.86.A2.B2   33,258   PE_VIRUT.AV
2     0:36:52  72.10.E1.F1    80       WORM_SWTYMLAI.CD
2     0:36:52  67.215.C1.D1   80       TROJ_BUZUS.AGB
3     0:46:56  124.86.A2.B2   33,258   PE_VIRUT.AV
3     0:48:52  67.215.C1.D1   80       TROJ_BUZUS.AGB
3     0:48:52  72.10.E1.F1    80       WORM_SWTYMLAI.CD
16    5:17:25  114.145.A3.B3  15,224   PE_VIRUT.AV
16    5:18:37  67.215.C1.D1   80       TROJ_BUZUS.AGB
16    5:18:38  72.10.E1.F1    80       WORM_SWTYMLAI.CD

Fig. 1  Time-line chart of connection in typical coordinated attacks.

Table 8  Unique DL servers for each MW.
(Surviving values: PE_VIRUT.AV 10; TROJ_BUZUS.AGB 1; WORM_SWTYMLAI.CD 1.)

[Japanese text not preserved.] Surviving terms: 58 slots, 26 DL servers; ΔT_1; 7 patterns.

3.3 [Japanese text not preserved.] Surviving terms: DL servers per MW (PE_VIRUT.AV 10, TROJ_BUZUS.AGB 1, WORM_SWTYMLAI.CD 1); the IP address of the infected PC versus the DL server IP (Rule 6); 600 [s].

Table 9  IP addresses of DL servers, honeypots and target networks.

slot     DL server       honeypot        target network
0        124.86.C1.D1    124.86.E1.F1    124.86.E1.F1+1
2        124.86.C2.D2    124.86.E2.F2    124.86.E2.F2+1
3        124.86.C2.D2    124.86.E2.F2    124.86.E2.F2+1
16       114.145.C3.D3   114.145.E3.F3   114.145.E3.F3+1
29       114.164.C4.D4   114.164.E4.F4   114.164.E4.F4+1
general  A.B.C.D         A.B.E.F         A.B.E.F+1

Fig. 3  Distribution of time difference between beginning of measure JOIN and of port-scan ΔT_2.

[Japanese text not preserved.] Surviving terms: ΔT_2 for the 26 slots with s4 after JOIN; Rule 7.

3.4 [Japanese text not preserved.] Surviving terms: MZ and PE strings in MW downloads (Rule 9).

3.5 [Japanese text not preserved.] Surviving terms: UDP, tftp, 6 MW downloads, 5 of BKDR_RBOT.ASA and 1 of BKDR_MYBOT.AH (Rule 10).

Fig. 2  Number of inbound/outbound packets per second in time slot.

[Japanese text not preserved.] Surviving terms: 256 (Rule 8); the four patterns s4, r3, JOIN with ΔT_2; X JOIN Y.

4. Evaluation

4.1 [Japanese text not preserved.] Surviving terms: Fig. 5, Fig. 4, Table 3, P_I, 85 DOS exe.

Fig. 5  Decision tree to detect arbitrary infections generated by C4.5.

Fig. 4  Decision tree classifying arbitrary infections (including coordinated attacks).

Table 10  Accuracy of decision tree to detect infection (including coordinated attack).
(Row and column labels were lost; values as printed: total slot; 58 0 58; 0 87 87; 6 0 6; 0 14 14.)

Decision tree node string: "!This program cannot be run in DOS mode." (Y / N).

[Japanese text not preserved.] Surviving facts: the CCC DATAset 2009 of October 2009 on Windows XP and Windows 2000 was classified with C4.5 13),14); the tree of Fig. 5 has a leaf (49/0) with 49 correct and 0 errors; a node Out_pkt < 338; 7 False Positives.

4.2 Heuristics score. Let x_ij = 1 if slot i satisfies Rule j (otherwise 0). The score of slot i is

S_i = Σ_{j=1}^{9} x_ij

[Japanese text not preserved.] Surviving terms: Tables 11 and 12; 66 slots; pattern PE2 WO4 WO3; 7 patterns.

Table 11  Relationship between heuristics score and coordinated attacks (snipped).
(Last column header was lost; it holds the coordinated-attack label as printed.)

slot   Rule 1  2  3  4  5  6  7  8  9   S_i  label
0      1  1  1  1  1  1  1  1  1        9    1
1      0  0  0  0  0  0  0  0  0        0    0
2      1  1  1  1  1  1  1  1  1        9    1
3      1  1  1  1  1  1  1  1  1        9    1
14     0  1  1  0  1  0  1  1  1        6    1
15     0  0  0  0  0  0  0  0  1        1    0
139    0  0  0  0  0  0  1  1  1        3    1
total  17 24 24 17 24 17 28 28 56       170  28

Table 12  Accuracy of heuristics to detect coordinated attacks.
(Row and column labels were lost; values as printed: 26 0 / 2 119, FP 2/28, FN 0/117; 2 0 / 1 7, FP 1/3, FN 0/7.)

Table 13  Rule frequency and ratio of satisfaction for each rule.

Rule     Frequency  Ratio of satisfaction (%)
Rule 1   17/145     17/38 (45%)
Rule 2   17/145     17/27 (89%)
Rule 3   22/145     22/27 (81%)
Rule 4   17/145     17/17 (100%)
Rule 5   17/145     17/17 (100%)
Rule 6   17/145     17/17 (100%)
Rule 7   28/145     28/28 (100%)
Rule 8   28/145     26/28 (93%)
Rule 9   55/145     55/63 (87%)
Rule 10  6/145      6/6 (100%)

[Japanese text not preserved.] Surviving facts: Rule 1 holds in 17 of 145 slots, out of 38 slots with PE_VIRUT.AV; 17 slots contain WORM and TROJ; 58 slots and 26 DL servers.

Fig. 6  Distribution of heuristics scores.

5. Conclusion

[Japanese text not preserved.] Surviving facts: analysis of the CCC DATAset 2009 with 145 slots, 58 of which contain coordinated attacks; the heuristics detect coordinated attacks with FP 2/28 (7%); UDP MW is discussed in Section 2.2.

References
(Entries 1)–8), 11), 14), 16) and 17) are Japanese; their authors and titles were not preserved.)

1) MWS2008, pp. 49–54 (2008).
2) MWS2008, pp. 25–30 (2008).
3) MWS2008, pp. 97–102 (2008).
4) MWS2008, pp. 55–59 (2008).
5) pp. 177–182 (2008).
6) MWS2008, pp. 37–42 (2008).
7) (DNS) MWS2008, pp. 13–18 (2008).
8) MWS2008, pp. 31–36 (2008).
9) Gu, G., Zhang, J. and Lee, W.: BotSniffer: Detecting Botnet Command and Control Channels, Proc. Network and Distributed System Security Symposium (NDSS 2008), Internet Society (Feb. 2008).
10) Gu, G., Porras, P., Yegneswaran, V., Fong, M. and Lee, W.: BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation, Proc. 16th USENIX Security Symposium, USENIX (2007).
11) MWS2009, pp. 1–8 (2009).
12) Network Grep. http://ngrep.sourceforge.net/ (Oct. 2009).
13) Quinlan, J.R.: C4.5: Programs for Machine Learning, Morgan Kaufmann, San Mateo, California.
14) (GUI, ID3E) Vol. w-8, No. 3, pp. 249–250 (2005).
15) tcpflow. http://www.circlemud.org/ jelson/software/tcpflow/ (Nov. 2009).
16) MWS2008, pp. 87–92 (2008).
17) (C&C) FIT2007, L-033, pp. 77–78 (2007).

(Received November 30, 2009)
(Accepted June 3, 2010)

Appendix

A.1 Identification of MW names. [Japanese text not preserved.] Surviving facts: MW names in the CCC DATAset 2009 are identified from the honeypot data with tcpflow 15); Table 14 reports the result for HTTP and UDP downloads.

Table 14  Identification of MW name.
(Column headers were lost; values as printed.)

MW (TCP)   192/194   192/192
MW (UDP)   6/6       6/6

Author biographies (Japanese; not preserved in extraction). Surviving terms: Hitachi Incident Response Team; JPCERT; CSEC; WIDE; FJPEM; ICAT; IPA; SCIS; 2010 JIP Outstanding Paper Award; IEEE; ACM.