research-article

AUTOPROBE: Towards Automatic Active Malicious Server Probing Using Dynamic Binary Analysis

Authors:
Zhaoyan Xu

Texas A&M University, College Station, TX, USA

Texas A&M University, College Station, TX, USA
View Profile

,
Antonio Nappa

IMDEA Software Institute & Universidad Politecnica de Madrid, Mardid, Spain

IMDEA Software Institute & Universidad Politecnica de Madrid, Mardid, Spain
View Profile

,
Robert Baykov

Texas A&M University, College Station, TX, USA

Texas A&M University, College Station, TX, USA
View Profile

,
Guangliang Yang

Texas A&M University, College Station, TX, USA

Texas A&M University, College Station, TX, USA
View Profile

,
Juan Caballero

IMDEA Software Institute, Mardid, Spain

IMDEA Software Institute, Mardid, Spain
View Profile

,
Guofei Gu

Texas A&M University, College Station, TX, USA

Texas A&M University, College Station, TX, USA
View Profile

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications SecurityNovember 2014Pages 179–190https://doi.org/10.1145/2660267.2660352

Published:03 November 2014Publication History

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

Pages 179–190

ABSTRACT

Malware continues to be one of the major threats to Internet security. In the battle against cybercriminals, accurately identifying the underlying malicious server infrastructure (e.g., C&C servers for botnet command and control) is of vital importance. Most existing passive monitoring approaches cannot keep up with the highly dynamic, ever-evolving malware server infrastructure. As an effective complementary technique, active probing has recently attracted attention due to its high accuracy, efficiency, and scalability (even to the Internet level). In this paper, we propose Autoprobe, a novel system to automatically generate effective and efficient fingerprints of remote malicious servers. Autoprobe addresses two fundamental limitations of existing active probing approaches: it supports pull-based C&C protocols, used by the majority of malware, and it generates fingerprints even in the common case when C&C servers are not alive during fingerprint generation. Using real-world malware samples we show that Autoprobe can successfully generate accurate C&C server fingerprints through novel applications of dynamic binary analysis techniques. By conducting Internet-scale active probing, we show that Autoprobe can successfully uncover hundreds of malicious servers on the Internet, many of them unknown to existing blacklists. We believe Autoprobe is a great complement to existing defenses, and can play a unique role in the battle against cybercriminals.

References

Dirtjumper. http://www.infonomics-society.org/IJICR/DirtJumper.Google Scholar
Alexa Top Domains. http://www.alexa.com/.Google Scholar
Ofir Arkin. A remote active os fingerprinting tool using icmp. ;login: The USENIX Magazine, 27(2), November 2008.Google Scholar
Bamital Malware. https://now-static.norton.com/now/en/pu/images/Promotions/2013/Bamital/bamital.html.Google Scholar
Juan Caballero, Noah M. Johnson, Stephen McCamant, and Dawn Song. Binary code extraction and interface identification for security applications. In Network and Distributed System Security Symposium, San Diego, CA, February 2010.Google Scholar
Juan Caballero, Pongsin Poosankam, Christian Kreibich, and Dawn Song. Dispatcher: Enabling active botnet infiltration using automatic protocol reverse-engineering. In ACM Conference on Computer and Communications Security, Chicago, IL, November 2009. Google ScholarDigital Library
Juan Caballero, Shobha Venkataraman, Pongsin Poosankam, Min G. Kang, Dawn Song, and Avrim Blum. fig: Automatic fingerprint generation. In Network and Distributed System Security Symposium, San Diego, CA, February 2007.Google Scholar
Juan Caballero, Heng Yin, Zhenkai Liang, and Dawn Song. Polyglot: Automatic extraction of protocol message format using dynamic binary analysis. In ACM Conference on Computer and Communications Security, Alexandria, VA, October 2007. Google ScholarDigital Library
Paolo Milani Comparetti, Gilbert Wondracek, Christopher Kruegel, and Engin Kirda. Prospex: Protocol specification extraction. In IEEE Symposium on Security and Privacy, Oakland, CA, May 2009. Google ScholarDigital Library
Weidong Cui, Jayanthkumar Kannan, and Helen J. Wang. Discoverer: Automatic protocol description generation from network traces. In USENIX Security Symposium, Boston, MA, August 2007. Google ScholarDigital Library
David Dagon, Chris Lee, Wenke Lee, and Niels Provos. Corrupted dns resolution paths: The rise of a malicious resolution authority. In Network and Distributed System Security Symposium, San Diego, CA, February 2008.Google Scholar
Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. Zmap: Fast internet-wide scanning and its security applications. In Usenix Security Symposium, August 2013. Google ScholarDigital Library
Nicolas Falliere. Sality: Story of a peer-to-peer viral network. Technical report, 2011.Google Scholar
Guofei Gu, Vinod Yegneswaran, Phillip Porras, Jennifer Stoll, and Wenke Lee. Active botnet probing to identify obscure command and control channels. In Proceedings of 2009 Annual Computer Security Applications Conference (ACSAC'09), December 2009. Google ScholarDigital Library
Guofei Gu, Junjie Zhang, and Wenke Lee. BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation. InProceedings of USENIX Security'07, 2007. Google ScholarDigital Library
Nadia Heninger, Zagir Durumeric, Eric Wustrow, and J.Alex Halderman. Mining your ps and qs: Detection of widespread weak keys in network devices. In USENIX Security Symposium, 2012. Google ScholarDigital Library
Noah M. Johnson, Juan Caballero, Kevin Zhijie Chen, Stephen McCamant, Pongsin Poosankam, Daniel Reynaud, and Dawn Song. Differential slicing: Identifying causal execution differences for security applications. In Proceedings of the 2011 IEEE Symposium on Security and Privacy, 2011. Google ScholarDigital Library
Min Gyung Kang, Stephen McCamant, Pongsin Poosankam, and Dawn Song. DTA++: Dynamic taint analysis with targeted control-flow propagation. In Proceedings of the 18th Annual Network and Distributed System Security Symposium, San Diego, CA, February 2011.Google Scholar
Clemens Kolbitsch, Paolo Milani Comparetti, Christopher Kruegel, Engin Kirda, Xiaoyong Zhou, and Xiaofeng Wang. Effective and efficient malware detection at the end host. In USENIX SecuritySymposium, Montréal, Canada, August 2009. Google ScholarDigital Library
Clemens Kolbitsch, Thorsten Holz, Christopher Kruegel, and Engin Kirda. Inspector gadget: Automated extraction of proprietary gadgets from malware binaries. In IEEE Symposium on Security and Privacy, Oakland, CA, May 2010. Google ScholarDigital Library
Zhiqiang Lin, Xuxian Jiang, Dongyan Xu, and Xiangyu Zhang. Automatic protocol format reverse engineering through context-aware monitored execution. In Network and Distributed System Security Symposium, San Diego, CA, February 2008.Google Scholar
Malicia. http://malicia-project.com/. http://malicia-project.com/.Google Scholar
Malware domain list. http://malwaredomainlist.com/.Google Scholar
Andreas Moser, Christopher Kruegel, and Engin Kirda. Exploring Multiple Execution Paths for Malware Analysis. In Proceedings of IEEE Symposium on Security and Privacy, 2007. Google ScholarDigital Library
Antonio Nappa, Zhaoyan Xu, M. Zubair Rafique, Juan Caballero, and Guofei Gu. Cyberprobe: Towards internet-scale active detection of malicious servers. In Network and Distributed System Security Symposium, 2014.Google ScholarCross Ref
James Newsome and Dawn Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Network and Distributed System Security Symposium, San Diego, CA, February 2005.Google Scholar
Offensive Computing. http://www.offensivecomputing.net/. http://www.offensivecomputing.net/.Google Scholar
Jitendra Padhye and Sally Floyd. Identifying the tcp behavior of web servers. In SIGCOMM Conference, San Diego, CA, August 2001.Google Scholar
Niels Provos and Peter Honeyman. Scanssh - scanning the internet for ssh servers. In Technical Report CITI TR 01--13, University of Michigan, October 2001.Google Scholar
Ramnit Malware. http://en.wikipedia.org/wiki/Ramnit.Google Scholar
Konrad Rieck, Guido Schwenk, Tobias Limmer, Thorsten Holz, andPavel Laskov. Botzilla: Detecting the phoning home of malicious software. In ACM Symposium on Applied Computing, 2010. Google ScholarDigital Library
Prateek Saxena, Pongsin Poosankam, Stephen McCamant, and DawnSong. Loop-extended symbolic execution on binary programs. InProceedings of the ACM/SIGSOFT International Symposium on Software Testing and Analysis (ISSTA), 2009. Google ScholarDigital Library
Edward J. Schwartz, Thanassis Avgerinos, and David Brumley. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In Proceedings of IEEE Symposium on Security and Privacy, 2010. Google ScholarDigital Library
Taidoor Malware. Xpaj.b malware. http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf.Google Scholar
Urlquery. http://urlquery.net/.Google Scholar
Virustotal. http://www.virustotal.com/.Google Scholar
Tielei Wang, Tao Wei, Guofei Gu, and Wei Zou. Taintscope: A checksum-aware directed fuzzing tool for automatic software vulnerability detection. In Proc. of IEEE S&P'10, 2010. Google ScholarDigital Library
Jeffrey Wilhelm and Tzi cker Chiueh. A forced sampled execution approach to kernel rootkit identification. In Proceedings of the 10th international conference on Recent advances in intrusion detection, 2007. Google ScholarDigital Library
Gilbert Wondracek, Paolo Milani Comparetti, Christopher Kruegel, and Engin Kirda. Automatic network protocol analysis. InProceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS), 2008.Google Scholar
James Wyke. The zeroaccess botnet: Mining and fraud for massive financial gain, September 2012. http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/zeroaccess-botnet.asp:x.Google Scholar
Zhaoyan Xu, Lingfeng Chen, Guofei Gu, and Christopher Kruegel. Peerpress: Utilizing enemies' p2p strength against them. In ACM Conference on Computer and Communications Security, Raleigh, NC, October 2012. Google ScholarDigital Library

Index Terms

AUTOPROBE: Towards Automatic Active Malicious Server Probing Using Dynamic Binary Analysis
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
  2. Systems security
    1. Operating systems security

Recommendations

WormTerminator: an effective containment of unknown and polymorphic fast spreading worms
ANCS '06: Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems

The fast spreading worm is becoming one of the most serious threats to today's networked information systems. A fast spreading worm could infect hundreds of thousands of hosts within a few minutes. In order to stop a fast spreading worm, we need the ...
Read More
Filtering False Positives Based on Server-Side Behaviors

Reducing the rate of false positives is of vital importance in enhancing the usefulness of signature-based network intrusion detection systems (NIDSs). To reduce the number of false positives, a network administrator must thoroughly investigate a ...
Read More
On detection of current and next-generation botnets
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security
November 2014
1592 pages
ISBN:9781450329576
DOI:10.1145/2660267
General Chair:
Gail-Joon Ahn
Arizona State University, USA
,
Program Chairs:
Moti Yung
Google -- Columbia University, USA
,
Ninghui Li
Purdue University, USA
Copyright © 2014 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 3 November 2014
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
active probing malware fingerprint generation c&c server
Qualifiers
- research-article
Conference

Acceptance Rates
CCS '14 Paper Acceptance Rate114of585submissions,19%Overall Acceptance Rate1,261of6,999submissions,18%
More
Upcoming Conference
CCS '24

Sponsor:

sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 22
  Total Citations
  View Citations
- 711
  Total Downloads
- Downloads (Last 12 months)34
- Downloads (Last 6 weeks)3
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

AUTOPROBE: Towards Automatic Active Malicious Server Probing Using Dynamic Binary Analysis

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

ABSTRACT

References

Cited By

Index Terms

Recommendations

WormTerminator: an effective containment of unknown and polymorphic fast spreading worms

Filtering False Positives Based on Server-Side Behaviors

On detection of current and next-generation botnets