Detecting the Cyclic Behavior of Malware with graph theory. The Cerber ransomware case

InBot2016

Sebastian Garcia

sebastian.garcia@agents.fel.cvut.cz

@eldracote

Live Slides: bit.ly/Inbot16

The Machine Discussion

  • Is it working?

  • Amount of Data

  • Validation/Results

  • Time

  • Adversaries, Coupled System

  • Are humans not working? 

The Network Detection Issue

  • IoC are the best we have.

  • IoC are not enough, specially for new malware. Not to mention how malware evolves.

  • Payloads are usually not available (crowdsource).

  • Flows usually are. But what can we do from them?

The Markov's Problem

  • Stratosphere IPS Project.

    • Machine Learning to help protect NGO's network.

  • Model each connection as a string of letters and apply Markov Chains to model the behavior.

  • Works, but some connections looks exactly the same as normal ones. We can not differentiate them.

https://stratosphereips.org

The Proximity Controversy

  • Maybe, we are looking too closely.

  • TCP Behavior of Cerber Ransomware

https://mcfp.felk.cvut.cz/publicDatasets/CTU-Malware-Capture-Botnet-184-1/

The Proximity Controversy

  • Maybe, we are looking too closely.

  • UDP Behavior of Cerber Ransomware

The Cerber Internalization

  • Only suspicious connection, 31.184.234.0/24 range, UDP port 6892

    • hi0072895

    • ffc44638ecb00072870150ba

    • ffc44638ecb00d

  • In our capture, some Adobe legit update connection:

    •  104.127.48.56 80/tcp

      • 99,i,i,i,i,i,i,i,i,i,i,i,i,i,i,I,I,i,i,i,i,i,i,i,i,i,i,i,i,h,z,Z000Z,i,i,i,i,i,i

The Graph Idealization

  • Given that the malware connections are generated by an algorithm, they are related. We hypothesize that the relationship can be modeled.

  • Our model is a graph for each srcIP, where:

    • Each node is the tuple DstIP, DstPort, Proto.

    • The sequence of flows from one node to another in the network are the edges.

The Graph Idealization

  • Made by Daniel Šmolík, from the Stratosphere team

  • The more times an edge is found, the thicker it is.

  • The more times a node is repeated, the bigger it is.

  • The more times a node loops with it self, the color gets darker.

The Normal Behavior I

The Normal Behavior II

The Cerber Ransomware Contraption

The Cerber Ransomware Contraption

The Simple Analytic Analysis

  • # of nodes.

  • # of edges.

  • # of times a node loops with itself.

  • # of times an edge is repeated.

  • The percentage of repeating edges from the total edges.

Analyzing the Behavior of a Host

  • Cerber Ransomware

    • Nodes: 566, Edges: 702

    • Autolooping nodes: 20

    • Repeating edges: 590 (84%)

  • Normal I

    • Nodes: 98, Edges: 263

    • Autolooping nodes: 47

    • Repeating edges: 6 (2.2%)

  • Normal II

    • Nodes: 1072, Edges: 1881

    • Autolooping nodes: 95

    • Repeating edges: 4 (0.21%)

The Extreme Normality Case

Analyzing the Behavior of a Host

  • Extreme Normal

    • Nodes: 2,499, Edges: 32,023

    • Autolooping nodes: 219

    • Repeating edges: 318 (0.99%)

  • Other Normals

    • 1.1%, 1%, 0.9%, 0.9%

  • Other Malware

    • ​Ctu179, Barys: 100%

    • Ctu186, Normal+Cerber: 99.75%

    • Ctu183, Locky: 97.95%

The Sality Case

(6.2%)

Conclusion and Thanks!

  • The relationships seem to be consistent.

  • The behavior of the malware can be modeled and used for detection.

  • We always need better experiments. Now working this approach with our NGOs.

  • Thanks Daniel Smolík for his work.

 

Sebastian Garcia

sebastian.garcia@agents.fel.cvut.cz

@eldracote