THE RIPPLE EFFECT CONTAINING CRYPTOLOCKER & VISUALIZING KNOWLEDGE BayThreat 2013 Ping Yan & Thibault Reuille

Baythreat Cryptolocker Presentation

Jan 14, 2015


OpenDNS

OpenDNS Security Labs Team members Ping Yan and Thibault Reuille presented this talk at BayThreat 2013.
Transcript
Page 1: Baythreat Cryptolocker Presentation

THE RIPPLE EFFECT CONTAINING CRYPTOLOCKER

& VISUALIZING KNOWLEDGE

BayThreat 2013

Ping Yan & Thibault Reuille

Page 2: Baythreat Cryptolocker Presentation

PING

Chinese

University of Arizona Graduate School

Data Mining, Machine Learning

Info Sec

Page 3: Baythreat Cryptolocker Presentation

THIBAULT

Parisian, moved to Cali in 2010

Security and Visualization?

Knowledge base visualization

Page 4: Baythreat Cryptolocker Presentation

AGENDA

Introduction

OpenDNS Security Graph

Cryptolocker

Impact

Conclusion

Page 5: Baythreat Cryptolocker Presentation
Page 6: Baythreat Cryptolocker Presentation
Page 7: Baythreat Cryptolocker Presentation
Page 8: Baythreat Cryptolocker Presentation

DEMO

craigslist.com neighborhood

Page 9: Baythreat Cryptolocker Presentation

KNOWLEDGE

Let's step back

Periodic jobs insert metrics / entities / relationships into the graph model
~ 35 000 000 names per day
~ 62 000 000 related domains per day
~ 21 000 spiking domains per day

Higher level of abstraction: Graph = Set of nodes + Set of edges
Semantic graph applied to DNS problems

Exploration and classification
Dig into the knowledge base to discover malicious clusters
Use our indicators to perform machine learning
Knowledge-based threat detection
Ontology: model of the model
Pattern detection: identification of hidden rules
Prediction = Anticipation

Page 10: Baythreat Cryptolocker Presentation

3D ENGINE

What did you just see?

From data to 3D space
Nodes are 3D vertices
Edges are 3D lines
Security Graph attributes interpreted as color / size / width / activity

Force-directed physics engine
Inspired by the electrical forces model (attraction / repulsion defined by edges)
Molecular structure
Dynamic and auto-adapting layout

Visual scripts
Python scripts to highlight features of the model

Page 11: Baythreat Cryptolocker Presentation

WHY?

Shape
Algorithms populate our knowledge graph
Creation is understood, output is complex
Layout defined by model structure
Closer to the "natural shape" of the data
Take advantage of the GPU to untangle information

Evolution
Security Graph is dynamic, constantly changing
Monitoring evolution over time

Investigation
Humans are better at processing shapes than numbers
Solid tool to build hypotheses / heuristics

Detection
Semantic-based threat detection
Action applied to a graph pattern
Multi-agent algorithms
Decentralize / parallelize pattern detection

Page 12: Baythreat Cryptolocker Presentation

SCENARIO

Domain (Yellow) - IP (purple) graph of spiking domains

Page 13: Baythreat Cryptolocker Presentation

SCENARIO

Mining information from seeds

Page 14: Baythreat Cryptolocker Presentation

SCENARIO

What do we already know ?

Page 15: Baythreat Cryptolocker Presentation

SCENARIO

Classification

Page 16: Baythreat Cryptolocker Presentation

SCENARIO

Investigation

Page 17: Baythreat Cryptolocker Presentation

The process of searching for the new and the unknown ... starting from the seed intelligence

Page 18: Baythreat Cryptolocker Presentation
Page 19: Baythreat Cryptolocker Presentation

1. Infection
2. Retrieve encryption key from CnC
3. Encrypt data files
4. Collect money

IP CnC fails quickly; DGA kicks in

Page 20: Baythreat Cryptolocker Presentation
Page 21: Baythreat Cryptolocker Presentation
Page 22: Baythreat Cryptolocker Presentation

The DGA algorithm wasn't revealed until several weeks later, and was only shared within closed security communities. It hasn't changed since.

Page 23: Baythreat Cryptolocker Presentation

CO-OCCURRENCES

Page 24: Baythreat Cryptolocker Presentation

ALGORITHM

Page 25: Baythreat Cryptolocker Presentation

DEMO

Interactive expanding in 3D from a Cryptolocker domain

Use GIF if internet doesn't work (put GIF in slides)

+

Show CL domain level 4 dataset

Page 26: Baythreat Cryptolocker Presentation

[Bar chart: Cryptolocker DNS Requests Acquired per Day, 20-Oct to 30-Oct; daily totals range from 7.3M to 28.7M. The slide also lists a sample of Cryptolocker DGA domains.]


Page 27: Baythreat Cryptolocker Presentation

DOMAINS RESOLVED DAILY TO SEVERAL IP ADDRESSES THAT ROTATE IN AND OUT

[Chart: day-by-day timeline, 2-Oct to 30-Oct, of Cryptolocker domains resolving to a pool of 18 IP addresses that rotate in and out]

25 Unique Domains Over 9 Days Resolved to 81.177.170.166

On 11-Oct, 39 Domains Resolved (and not sinkholed)

[Bar chart: number of domains resolving per day over the same period, peaking at 39 on 11-Oct]
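Added example (not the speakers' or OpenDNS's code) showing, on a toy scale, the two graph steps the slides describe: expanding a domain/IP graph from a known-bad seed (slides 13-17 and 25, the "level 4" dataset) and flagging an IP that many distinct domains resolve to over several days (slide 27). The passive-DNS records, domain names and addresses are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed passive-DNS sample: (date, domain, ip). "seed-bad.example" is
# assumed to be the known-bad seed; all names and addresses are made up.
RECORDS = [
    ("2013-10-03", "seed-bad.example", "198.51.100.7"),
    ("2013-10-03", "qwertyuiop.example", "198.51.100.7"),
    ("2013-10-04", "asdfghjkl.example", "198.51.100.7"),
    ("2013-10-04", "asdfghjkl.example", "203.0.113.9"),
    ("2013-10-05", "zxcvbnm.example", "203.0.113.9"),
    ("2013-10-05", "news.example", "192.0.2.44"),  # unrelated, benign
    ("2013-10-06", "mail.example", "192.0.2.44"),
]

def build_graph(records):
    """Bipartite graph: domain nodes connect to the IPs they resolved to."""
    adj = defaultdict(set)
    for _, domain, ip in records:
        adj[("domain", domain)].add(("ip", ip))
        adj[("ip", ip)].add(("domain", domain))
    return adj

def expand(adj, seed_domain, max_depth=4):
    """Breadth-first expansion from a seed domain, up to max_depth hops
    (the talk's "level 4" dataset); returns reachable domains and IPs."""
    start = ("domain", seed_domain)
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    domains = sorted(n for kind, n in seen if kind == "domain")
    ips = sorted(n for kind, n in seen if kind == "ip")
    return domains, ips

def shared_ips(records, min_domains=2):
    """IPs that several distinct domains resolved to, with the number of
    domains and of distinct days (the slide-27 pattern: one IP, many names)."""
    per_ip = defaultdict(lambda: (set(), set()))
    for date, domain, ip in records:
        per_ip[ip][0].add(domain)
        per_ip[ip][1].add(date)
    return {ip: (len(d), len(days)) for ip, (d, days) in per_ip.items()
            if len(d) >= min_domains}

if __name__ == "__main__":
    graph = build_graph(RECORDS)
    print(expand(graph, "seed-bad.example"))
    print(shared_ips(RECORDS, min_domains=3))
```

On real passive-DNS volumes the same expansion is what pulls in benign shared-hosting IPs, so a depth limit and a threshold on distinct domains per IP are what keep the cluster meaningful.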

Page 28: Baythreat Cryptolocker Presentation
Page 29: Baythreat Cryptolocker Presentation

IP WORLD MAP

Cryptolocker client IP addresses over 3 days.

Page 30: Baythreat Cryptolocker Presentation

IP INFECTION MAPS

World

Cryptolocker

Page 31: Baythreat Cryptolocker Presentation

CONCLUSION

Run 3D Cryptolocker

(LIVE DEMO)

(MV) http://vimeo.com/79840833