making detection difficult. While Feederbot is optimised for one-way command and control, in most cases the malware will need to transmit information back to its controller. Seth Bromberger, working for the US Department of Energy, proposed a system for exfiltrating data from organisations by making use of DNS requests. In this case, the domain name that is being queried contains the data to be transmitted. The attack works as follows. The attacker sets up a domain name (evil.com) and makes sure that he has control of its authoritative nameserver (nameserver.evil.com). Say, for example, an infected host wishes to transmit the data Super Secret Stuff back to its controller. It will simply make a DNS request for evil.com, pre-pending the data to the domain (so the request will be for super.secret.stuff.evil.com). The data can be encrypted before pre-pending to prevent the contents of the data being identified. When the request reaches the attacker-controlled nameserver (nameserver.evil.com), the attacker can simply read off the data. The attacker can also send commands back to the malware in the response, either by using the method of Feederbot, or by, for example, using specific IP responses to indicate a particular task to be performed. A similar approach

allow the malware to programmatically generate domains for which it attempts to access a command and control server. It is then up to the attacker to ensure he controls the domains that will be generated.

A DGA will often be reliant on factors such as the current time or date, and the result should be consistent across multiple hosts. The malware will repeatedly run the algorithm to generate a domain and attempt to connect. The attacker can also run the algorithm in advance and register the domains when they are required, to use as a temporary command and control server.

The main benefit to an attacker of a DGA is that it allows for a large amount of redundancy in the command and control server. The controller, at any one time, is short-lived, and so if one is taken down a new one will be available in little time. For example, the Conficker malware will generate 250 domain names every three hours, based upon the current UTC date [94]. The same domains are generated every three hours (8 times per day). The malware will do a lookup on every generated domain, and will attempt to contact every domain that has an assigned IP address to download binaries.

the botmaster to it and registering the domains, effectively sinkholing the botnet).

Future: Protocol Mimicking

One area of research that has grown recently is the area of protocol mimicking. The idea is to hide certain noticeable communications by making them seem like they belong to a different protocol. The main area of focus on this so far is in obfuscating Tor traffic. In many cases it can be dangerous to use Tor, and it exhibits very noticeable communication patterns.

There are a number of systems that attempt to make Tor traffic appear as Skype traffic. As Skype is a widely used, low-latency and high-bandwidth system, it is ideal to emulate. SkypeMorph [77], for example, attempts to make Tor traffic appear as a Skype video call. Both the client and the bridge node run the Skype client on a high-numbered UDP port, and the client sends a Skype text message to the bridge containing its IP, UDP port and public key. The bridge replies with the same information. The client then starts a video call to the bridge, which it does not answer. Instead, the call is dropped and the encrypted data is sent
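The two DNS-based behaviours described earlier on this page, data carried in the query labels of a domain such as super.secret.stuff.evil.com and Conficker-style bursts of lookups for generated names that mostly do not resolve, both leave traces in resolver logs. The following is an added example (not code from the report): the log lines, the thresholds and the rule that the registered domain is the last two labels are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed resolver log (not from the report): "<ISO time> <client> <name> <rcode>".
# 10.0.0.5 models the super.secret.stuff.evil.com channel with hex payload labels;
# 10.0.0.9 models a DGA burst in which most generated names are unregistered.
SAMPLE_LOG = """\
2014-02-03T10:00:01 10.0.0.5 super.secret.stuff.evil.com NOERROR
2014-02-03T10:00:02 10.0.0.5 4d6f72652073656372657420.evil.com NOERROR
2014-02-03T10:00:03 10.0.0.5 64617461206865726521.evil.com NOERROR
2014-02-03T10:01:00 10.0.0.7 www.example.org NOERROR
2014-02-03T11:00:00 10.0.0.9 qzxkjwe.info NXDOMAIN
2014-02-03T11:00:01 10.0.0.9 pzlmqra.net NXDOMAIN
2014-02-03T11:00:02 10.0.0.9 vbtrkoe.org NXDOMAIN
2014-02-03T11:00:03 10.0.0.9 mail.example.org NOERROR
"""

def parse(log):
    """Return (timestamp, client, lower-cased name, rcode) tuples, one per line."""
    rows = []
    for line in log.splitlines():
        ts, client, name, rcode = line.split()
        rows.append((datetime.fromisoformat(ts), client, name.lower().rstrip("."), rcode))
    return rows

def exfil_suspects(rows, min_unique=3, min_bytes=20):
    """Client/base-domain pairs whose distinct subdomain prefixes carry a lot of data."""
    prefixes = defaultdict(set)
    for _, client, name, _ in rows:
        base = ".".join(name.split(".")[-2:])  # assumption: registered domain = last 2 labels
        if name != base:
            prefixes[(client, base)].add(name[: -len(base) - 1])
    hits = []
    for (client, base), ps in prefixes.items():
        carried = sum(len(p.replace(".", "")) for p in ps)  # label bytes, dots excluded
        if len(ps) >= min_unique and carried >= min_bytes:
            hits.append((client, base, len(ps), carried))
    return sorted(hits)

def dga_suspects(rows, min_nx=3):
    """Clients with >= min_nx NXDOMAIN answers for distinct names in one 3-hour slot."""
    nx = defaultdict(set)  # (client, UTC date, 3-hour slot) -> unresolved names
    for ts, client, name, rcode in rows:
        if rcode == "NXDOMAIN":
            nx[(client, ts.date(), ts.hour // 3)].add(name)
    return sorted((c, len(n)) for (c, _, _), n in nx.items() if len(n) >= min_nx)

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("possible DNS exfiltration:", exfil_suspects(rows))
    print("possible DGA activity:", dga_suspects(rows))
```

The 3-hour slot in dga_suspects mirrors Conficker's generation schedule; on real logs the thresholds need tuning against the baseline of legitimate typo and CDN lookups.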
University of Birmingham | CPNI.gov.uk PAGE 17
Command & Control: Understanding, Denying and Detecting FEBRUARY 2014
C&C Techniques
over UDP between the ports opened for Skype. Once data communication starts, Skype is exited on both the client and bridge.

A slightly different approach is taken by StegoTorus [131]. In this system, Skype is not actually used; instead, entirely new traffic is created that follows the traffic pattern from a previously collected Skype network trace. Packets contain simulated headers that match realistic Skype headers. The system also uses a similar approach with HTTP

networks is starting to adopt this behaviour by mimicking HTTP traffic. A 2013 report from Symantec [121] details a targeted attack against a major internet hosting provider in which malware was installed on Linux servers which opened a backdoor. The backdoor operated as a network monitor which scanned all traffic entering the system over SSH (and other protocols). The monitor looked for a certain sequence of characters, namely ":!;". If this flag was seen, the malware extracted encrypted

is to make use of the microphones and speakers found in most laptops in order to transmit data between machines using inaudible frequencies. Using this channel, a data rate of approximately 20 bit/s up to a range of 19.7 m can be achieved. By extending the system into a mesh network, multi-hop communication can be achieved. While 20 bit/s seems low at first, it is more than enough to transmit small amounts of data such as passwords, banking details or memory dumps.