3. First Goal (1)
To create an automated method of detecting
unusual connections and/or anomalies with
netflows, thereby finding compromised hosts
4. Top Down Method Works Well With IDS
[Figure: total traffic, N=100, with a P2P BitTorrent transfer marked as "Deviation"]
5. Netflow Anomaly Detection
Top Down Strategy
Analyzing the total traffic down to individual hosts
by detecting behavioral deviations.
Been there and done that with netflows (2008).
The problem:
Even though a malicious traffic event is usually
an anomaly, an anomaly is not always a malicious
event
6. New Goal (2)
With an automated method, finding the
correlating netflows of incidents regardless of
source of information (IDS, Switch, AV, User,
Admin, Netflows)
12. Pros and Cons With This Method
Pro: It is automatic and indeed sometimes
successful
Con: It may take a long time to run
Again:
Not all anomalies are malicious.
The potential problem is when the individual host is
generating harmless but very diverse unusual traffic.
Both pro and con:
It is possible to automatically sort the connections
based on how usual/unusual they are
14. A Real Example (Switch)
[SWITCH-CERT #22814x ]
Most likely compromised system
[129.132.208.10x]
[Botnet]
Based on received information about a
'malicious IRC command master at
183.203.15.205'
2013-08-14 17:40:08.070
15. ./analyzerdynamic2.sh 129.132.208.10x 20130814 1800
Enter Comment. End it with ^D
Subject: [SWITCH-CERT #228144] Most likely compromised system [129.132.208.10x ...]
[Botnet]
Done. Comment stored in -rw-r--r-- 1 hall nsg 93 Aug 22 18:05 comment
DEBUG: starthour:201308141700 endhour:201308141800 startday:201308131800
port:-1
First DYNAMIC STAGE *************************************
nfdump -M /nfsen -R nfcapd.201308141700:nfcapd.201308141800 '( host 129.132.208.10x )' \
  | grep ^2013 | awk '{ print $7 }' | sed 's/:/ /g' | awk '{ print $1 }' \
  | grep -v "129.132.208.10x:" | sort -u > ./analyzer_129.132.208.10x.outp
Debug dnumber:41
Second DYNAMIC STAGE *************************************
107.21.234.205
112 107.21.234.205 (40)
108.160.162.53
1938 108.160.162.53 (39)
108.160.163.46
229 108.160.163.46 (38)
12.130.131.80
120 12.130.131.80 (37)
...
19. The Concept in a Nutshell
1. Find all connections around the investigated
IP over a 60 minute period
2. Take those connections and rate how usual
(or unusual) these are in the general
population over a 24hr period
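The two stages above, as an added Python example that is not part of the slides or of the analyzerdynamic2.sh script: it re-implements the logic of the nfdump pipeline over constructed nfdump-style flow lines (documentation-range addresses, with 192.0.2.0/24 standing in for the campus network) instead of calling nfdump, and it goes slightly beyond the slide by taking the peer from either direction of a flow and sorting the result so that the least common peers come first. The investigated host, the time of interest and all flow records are assumptions made up for the example.

```python
"""Two-stage rating of one host's connections, modelled on the nfdump pipeline
in the slides.  Added example on constructed data; it is not analyzerdynamic2.sh."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical investigated host and time of interest (same shape as
# "./analyzerdynamic2.sh <ip> 20130814 1800" in the slides).
INVESTIGATED = "192.0.2.10"
TIME_OF_INTEREST = datetime(2013, 8, 14, 18, 0)

# Constructed flow records in nfdump's default line layout:
# "<date> <time> <duration> <proto> <src ip:port> -> <dst ip:port> <packets> <bytes> <flows>"
# 192.0.2.0/24 plays the campus network, 198.51.100.0/24 and 203.0.113.0/24 the Internet.
SAMPLE_FLOWS = """\
2013-08-13 19:10:01.000 0.3 TCP 192.0.2.11:40001 -> 198.51.100.5:443 10 4000 1
2013-08-13 22:30:05.000 0.2 TCP 192.0.2.12:40002 -> 198.51.100.5:443 8 3000 1
2013-08-14 09:15:00.000 0.5 TCP 192.0.2.13:40003 -> 198.51.100.5:443 12 5000 1
2013-08-14 10:02:00.000 0.1 UDP 192.0.2.14:5353 -> 198.51.100.7:53 2 200 1
2013-08-14 12:44:00.000 0.4 TCP 192.0.2.15:40004 -> 198.51.100.5:443 9 3500 1
2013-08-14 16:30:00.000 0.2 TCP 192.0.2.10:51100 -> 198.51.100.9:80 4 800 1
2013-08-14 17:05:12.000 0.4 TCP 192.0.2.10:51234 -> 198.51.100.5:443 5 320 1
2013-08-14 17:22:40.000 30.0 TCP 192.0.2.10:51300 -> 203.0.113.9:6667 40 2100 1
2013-08-14 17:40:08.000 0.1 UDP 192.0.2.10:5353 -> 198.51.100.7:53 2 200 1
2013-08-14 17:41:00.000 0.2 TCP 203.0.113.9:6667 -> 192.0.2.10:51300 3 180 1
2013-08-14 18:30:00.000 0.2 TCP 192.0.2.10:51400 -> 198.51.100.11:80 4 800 1
"""


def parse_flow(line):
    """Return (timestamp, src_ip, dst_ip) for one nfdump line.
    IPv4 only: the port is split off at the last ':'."""
    f = line.split()
    ts = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S.%f")
    return ts, f[4].rsplit(":", 1)[0], f[6].rsplit(":", 1)[0]


def peers_of_host(flows, host, t_end, minutes=60):
    """Stage 1: every address the host exchanged flows with in the `minutes`
    before t_end.  Unlike the slide's awk pipeline, which keeps only the
    destination field, both directions of a flow are considered."""
    t_start = t_end - timedelta(minutes=minutes)
    peers = set()
    for ts, src, dst in flows:
        if t_start <= ts <= t_end:
            if src == host:
                peers.add(dst)
            elif dst == host:
                peers.add(src)
    return peers


def rate_peers(flows, peers, host, t_end, hours=24):
    """Stage 2: for each peer, count the distinct *other* hosts that talked to
    it in the `hours` before t_end.  Returns (count, peer, rank) tuples with the
    least common peers first; a peer nobody else contacted scores 0."""
    t_start = t_end - timedelta(hours=hours)
    talkers = defaultdict(set)  # peer -> hosts (other than `host`) seen with it
    for ts, src, dst in flows:
        if not (t_start <= ts <= t_end):
            continue
        if dst in peers and src != host:
            talkers[dst].add(src)
        if src in peers and dst != host:
            talkers[src].add(dst)
    ranked = sorted(peers, key=lambda p: (len(talkers[p]), p))
    return [(len(talkers[p]), p, i + 1) for i, p in enumerate(ranked)]


def analyze(flow_text, host, t_end):
    """Run both stages over nfdump-style text and return the rated peer list."""
    flows = [parse_flow(l) for l in flow_text.splitlines() if l.strip()]
    return rate_peers(flows, peers_of_host(flows, host, t_end), host, t_end)


if __name__ == "__main__":
    # Same "<count> <peer> (<n>)" shape as the second stage output in the slides.
    for count, peer, rank in analyze(SAMPLE_FLOWS, INVESTIGATED, TIME_OF_INTEREST):
        print(f"{count:>5} {peer} ({rank})")
```

On the constructed data the IRC-port peer 203.0.113.9 that no other campus host talked to in 24 hours comes out first with a count of 0, the DNS server second, and the HTTPS server that four other hosts used last; the flows at 16:30 and 18:30 fall outside the 60-minute window and do not contribute peers, which is the same window check the script's starthour/endhour debug line expresses.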
20. Find All Connections Around the Investigated
IP Over a 60 Minute Period
[Figure: the investigated IP at the ETH network, its connections to the Internet, and the time point of interest for the investigated IP]
21. Take Those Connections and Rate How Usual
(or Unusual) These are in the General
Population Over a 24hr Period
[Figure: the same connections seen from the ETH network towards the Internet]
22. Another Real Example (IDS)
IDS Event with destination google:
EVENT:
ET TROJAN Zeus Bot Get to Google checking Internet connectivity
Date: 08/24-13:13:01.713666
SOURCE: 129.132.211.21x:50086
DEST: 173.194.112.210:80
23. ./analyzerdynamic2.sh 129.132.211.21x 20130824 1320
Enter Comment. End it with ^D
EVENT: ET TROJAN Zeus Bot Get to Google checking Internet connectivity
DATE: 08/24-13:13:01.713666 SOURCE: 129.132.211.21x:50086 DEST: 173.194.112.210:80
Done. Comment stored in -rw-r--r-- 1 hall nsg 124 Aug 28 15:41 comment
DEBUG: starthour:201308241220 endhour:201308241320 startday:201308231320
port:-1
First DYNAMIC STAGE *************************************
nfdump -M /nfsen -R nfcapd.201308241220:nfcapd.201308241320 '( host 129.132.211.215 )' \
  | grep ^2013 | awk '{ print $7 }' | sed 's/:/ /g' | awk '{ print $1 }' \
  | grep -v "129.132.211.21x:" | sort -u > ./analyzer_129.132.211.21x.outp
Debug dnumber:90
Second DYNAMIC STAGE *************************************
108.160.162.111
133 108.160.162.111 (89)
108.160.162.99
118 108.160.162.99 (88)
111.111.111.111
19 111.111.111.111 (87)
12.161.242.20
...
26. Black List SBL Reference
http://www.spamhaus.org/sbl/query/SBL193024
Ref: SBL193024
140.116.72.75/32 is listed on the Spamhaus Block List - SBL
140.116.72.75/32 is listed on the Spamhaus Botnet C&C List - BGPCC
2013-08-26 15:56:50 GMT | edu.tw
Citadel botnet controller @140.116.72.75
Update Aug 26, 2013
Problem still exists, Citadel botnet controller located here:
http://dashuxmaecrme.com/wel/file.php
http://dashuxmaecrme.com/wel/qwrt.php
http://frontrunnings.com/fdet/file.php
http://joyrideengend.net/wel/file.php
http://spottingculde.com/wel/file.php
http://eenyellowredpf.su/wel/file.php
http://stabilitymess.net/wel/file.php
http://systemlevelge.com/wel/file.php
…
27. Possible To-dos
• Include (dest) port in the analysis
• Automatically track compromised IPs
• Automatically analyse compromised IPs
• Automatically build and update C&C lists
• Automatic correlation check between C&C clusters and malware