Detecting the Cyclic Behavior of Malware with graph theory. The Cerber ransomware case

InBot2016

Sebastian Garcia

sebastian.garcia@agents.fel.cvut.cz

@eldracote

Live Slides: bit.ly/Inbot16

The Machine Discussion

Is it working?
Amount of Data
Validation/Results
Time
Adversaries, Coupled System
Are humans not working?

The Network Detection Issue

IoC are the best we have.
IoC are not enough, specially for new malware. Not to mention how malware evolves.
Payloads are usually not available (crowdsource).
Flows usually are. But what can we do from them?

The Markov's Problem

Stratosphere IPS Project.
- Machine Learning to help protect NGO's network.
Model each connection as a string of letters and apply Markov Chains to model the behavior.
Works, but some connections looks exactly the same as normal ones. We can not differentiate them.

https://stratosphereips.org

The Proximity Controversy

Maybe, we are looking too closely.
TCP Behavior of Cerber Ransomware

https://mcfp.felk.cvut.cz/publicDatasets/CTU-Malware-Capture-Botnet-184-1/

The Proximity Controversy

Maybe, we are looking too closely.
UDP Behavior of Cerber Ransomware

The Cerber Internalization

Only suspicious connection, 31.184.234.0/24 range, UDP port 6892
- hi0072895
- ffc44638ecb00072870150ba
- ffc44638ecb00d
In our capture, some Adobe legit update connection:
- 104.127.48.56 80/tcp
  - 99,i,i,i,i,i,i,i,i,i,i,i,i,i,i,I,I,i,i,i,i,i,i,i,i,i,i,i,i,h,z,Z000Z,i,i,i,i,i,i

The Graph Idealization

Given that the malware connections are generated by an algorithm, they are related. We hypothesize that the relationship can be modeled.
Our model is a graph for each srcIP, where:
- Each node is the tuple DstIP, DstPort, Proto.
- The sequence of flows from one node to another in the network are the edges.

The Graph Idealization

Made by Daniel Šmolík, from the Stratosphere team
The more times an edge is found, the thicker it is.
The more times a node is repeated, the bigger it is.
The more times a node loops with it self, the color gets darker.

The Normal Behavior I

The Normal Behavior II

The Cerber Ransomware Contraption

The Simple Analytic Analysis

# of nodes.
# of edges.
# of times a node loops with itself.
# of times an edge is repeated.
The percentage of repeating edges from the total edges.

Analyzing the Behavior of a Host

Cerber Ransomware
- Nodes: 566, Edges: 702
- Autolooping nodes: 20
- Repeating edges: 590 (84%)
Normal I
- Nodes: 98, Edges: 263
- Autolooping nodes: 47
- Repeating edges: 6 (2.2%)
Normal II
- Nodes: 1072, Edges: 1881
- Autolooping nodes: 95
- Repeating edges: 4 (0.21%)

The Extreme Normality Case

Analyzing the Behavior of a Host

Extreme Normal
- Nodes: 2,499, Edges: 32,023
- Autolooping nodes: 219
- Repeating edges: 318 (0.99%)
Other Normals
- 1.1%, 1%, 0.9%, 0.9%
Other Malware
- Ctu179, Barys: 100%
- Ctu186, Normal+Cerber: 99.75%
- Ctu183, Locky: 97.95%

The Sality Case

(6.2%)

Conclusion and Thanks!

The relationships seem to be consistent.
The behavior of the malware can be modeled and used for detection.
We always need better experiments. Now working this approach with our NGOs.
Thanks Daniel Smolík for his work.

Sebastian Garcia

sebastian.garcia@agents.fel.cvut.cz

@eldracote

Detecting the Cyclic Behavior of Malware with graph theory. The Cerber ransomware case

By eldraco

Detecting the Cyclic Behavior of Malware with graph theory. The Cerber ransomware case

We still have problems to solve when it comes to detecting malware in the network. If the malware is new, there are not signatures, no IoCs, no threat information. If you have thousands of hosts you can not even analyze the payloads, or you don't have payloads and have to resort to NetFlows. In this limited context is where we developed a new idea to detect the behavioral patterns of how a computer works in the network by analyzing its communications as a cyclic graph. Our technique applies new concepts to reduce the information being analyzed while retaining and graphing the major features. We test our concept on dozens of Normal and Malware traffic, which gives significance to the work. In particular we will show a demo with the analysis of a Cerber ransomware capture. The takeaway is: the way you use your computer leaves traces in the network, and those traces can be used to detect when you are infected.

1,846

Detecting the Cyclic Behavior of Malware with graph theory. The Cerber ransomware case

Sebastian Garcia

sebastian.garcia@agents.fel.cvut.cz

@eldracote

Live Slides: bit.ly/Inbot16

The Machine Discussion

Is it working?

Amount of Data

Validation/Results

Time

Adversaries, Coupled System

Are humans not working?

The Network Detection Issue

IoC are the best we have.

IoC are not enough, specially for new malware. Not to mention how malware evolves.

Payloads are usually not available (crowdsource).

Flows usually are. But what can we do from them?

The Markov's Problem

Stratosphere IPS Project.

Machine Learning to help protect NGO's network.

Model each connection as a string of letters and apply Markov Chains to model the behavior.

Works, but some connections looks exactly the same as normal ones. We can not differentiate them.

https://stratosphereips.org

The Proximity Controversy

Maybe, we are looking too closely.

TCP Behavior of Cerber Ransomware

https://mcfp.felk.cvut.cz/publicDatasets/CTU-Malware-Capture-Botnet-184-1/

The Proximity Controversy

Maybe, we are looking too closely.

UDP Behavior of Cerber Ransomware

The Cerber Internalization

Only suspicious connection, 31.184.234.0/24 range, UDP port 6892

hi0072895

ffc44638ecb00072870150ba

ffc44638ecb00d

In our capture, some Adobe legit update connection:

104.127.48.56 80/tcp

99,i,i,i,i,i,i,i,i,i,i,i,i,i,i,I,I,i,i,i,i,i,i,i,i,i,i,i,i,h,z,Z000Z,i,i,i,i,i,i

The Graph Idealization

Given that the malware connections are generated by an algorithm, they are related. We hypothesize that the relationship can be modeled.

Our model is a graph for each srcIP, where:

Each node is the tuple DstIP, DstPort, Proto.

The sequence of flows from one node to another in the network are the edges.

The Graph Idealization

Made by Daniel Šmolík, from the Stratosphere team

The more times an edge is found, the thicker it is.

The more times a node is repeated, the bigger it is.

The more times a node loops with it self, the color gets darker.

The Normal Behavior I

The Normal Behavior II

The Cerber Ransomware Contraption

The Cerber Ransomware Contraption

The Simple Analytic Analysis

# of nodes.

# of edges.

# of times a node loops with itself.

# of times an edge is repeated.

The percentage of repeating edges from the total edges.

Analyzing the Behavior of a Host

Cerber Ransomware

Nodes: 566, Edges: 702

Autolooping nodes: 20

Repeating edges: 590 (84%)

Normal I

Nodes: 98, Edges: 263

Autolooping nodes: 47

Repeating edges: 6 (2.2%)

Normal II

Nodes: 1072, Edges: 1881

Autolooping nodes: 95

Repeating edges: 4 (0.21%)

The Extreme Normality Case

Analyzing the Behavior of a Host

Extreme Normal

Nodes: 2,499, Edges: 32,023

Autolooping nodes: 219

Repeating edges: 318 (0.99%)

Other Normals

​1.1%, 1%, 0.9%, 0.9%

Other Malware

1.1%, 1%, 0.9%, 0.9%

Ctu179, Barys: 100%