Frequent Sequential Attack Patterns of Malware in Botnets

Nur Rohman Rosyid

Jan 04, 2016
Tokai University, Kikuchi Laboratory

Outlines

1. Botnet attack

2. PrefixSpan method

3. Results and Analysis

4. Conclusion


Botnet

Honeypots

The CCC DATA set 2009 consists of the access logs of attacks on 94 honeypots over one year (May 1, 2008 to April 30, 2009).

This research observes one of those honeypots, which runs Windows XP+SP1.

Coordinated attack

[Diagram of a coordinated attack involving TROJ_QHOST.WT, BKDR_POEBOT.AHP, PE_VIRUT.AV, TSPY_ONLINEG.OPJ, TSPY_KOLABC.CH and TROJ_AGENT.AGSB]

Sequential pattern

It is difficult to find sequential patterns of attacks manually in the attack access log.

Sequence_id  Sequence
100          <PE WO TR>
101          <PE TR WO>
102          <BK PE TR TS WO>
103          <TS PE PE TR WO BK>
104          <PE WO TR WO>

Objective

Discover the frequent sequential attack patterns in the CCC DATA set 2009.

Method

The PrefixSpan data mining algorithm [1] is used to discover the frequent sub-sequences of a sequence database as patterns.

Example: given the sequence database below and a minimum support threshold of 2.

[1] J. Pei, et al., "PrefixSpan: Mining Sequential Patterns by Prefix-Projected Growth", in Proc. of the 17th Int'l Conf. on Data Engineering, pp. 215-224, 2001.

Sequence_id  Sequence
100          <PE WO TR>
101          <PE TR WO>
102          <BK PE TR TS WO>
103          <TS PE PE TR WO BK>
104          <PE WO TR WO>

Method (cont.)

Prefix-projected databases, shown for the prefix <PE> and its extensions <PE WO> and <PE TR> (<> marks an empty postfix):

Seq. database        Projected on <PE>   Projected on <PE WO>   Projected on <PE TR>
<PE WO TR>           <WO TR>             <TR>                   <>
<PE TR WO>           <TR WO>             <>                     <WO>
<BK PE TR TS WO>     <TR TS WO>          <>                     <TS WO>
<TS PE PE TR WO BK>  <PE TR WO BK>       <BK>                   <WO BK>
<PE WO TR WO>        <WO TR WO>          <TR WO>                <WO>

Length-1 sequential patterns: <PE>:5, <WO>:5, <TR>:5, <BK>:2, and <TS>:2

Sequential patterns grown from <PE>: <PE>:5, <PE WO>:5, <PE TR>:5, <PE WO TR>:2, <PE TR WO>:4


Method (cont.)

Sequential patterns with support >= 2:
  <PE WO>:5, <PE TR>:5, <PE WO TR>:2, <PE TR WO>:4
  <WO TR>:2
  <TR WO>:4
  <TS WO>:2

Pre-Processing Data

Slot   Sequence of malware
0      TROJ_SYSTEMHI.BQ
1      BKDR_AGENT.ANHZ UNKNOWN TROJ_SYSTEMHI.BQ BKDR_AGENT.ANHZ UNKNOWN
2      PE_BOBAX.AH
3      PE_BOBAX.AH UNKNOWN BKDR_AGENT.ANHZ
…      …
15323  PE_VIRUT.AV TROJ_IRCBRUTE.BW WORM_AUTORUN.CZU
15324  UNKNOWN PE_VIRUT.AV PE_VIRUT.AV WORM_AUTORUN.CZU TROJ_IRCBRUTE.BW

Sequential 2-patterns of malware attack

[Bar chart of frequency (slots) per pattern; the values below are read from the chart in its rank order, P2.1 being the most frequent]

Pattern  Frequency (slots)  Sequence
P2.1     1270               PE_VIRUT.AV PE_VIRUT.AV
P2.2     987                PE_BOBAX.AK PE_BOBAX.AK
P2.3     519                PE_VIRUT.D-1 PE_VIRUT.D-1
P2.4     492                PE_VIRUT.AV TSPY_KOLABC.CH
P2.6     385                PE_VIRUT.AV WORM_SWTYMLAI.CD
P2.13    290                TROJ_QHOST.WT WORM_HAMWEQ.AP
P2.24    211                PE_VIRUT.AV BKDR_SDBOT.BU
P2.28    190                BKDR_SCRYPT.ZHB BKDR_SDBOT.BU
P2.36    156                BKDR_SCRYPT.ZHB PE_VIRUT.AV
P2.37    153                BKDR_RBOT.CZO WORM_HAMWEQ.AP
P2.78    90                 TSPY_ONLINEG.OPJ TROJ_QHOST.WT

Sequential 3-patterns of malware attack

[Bar chart of frequency (slots) per pattern; the values below are read from the chart in its rank order, P3.1 being the most frequent]

Pattern  Frequency (slots)  Sequence
P3.1     414                PE_VIRUT.AV PE_VIRUT.AV PE_VIRUT.AV
P3.2     286                PE_BOBAX.AK PE_BOBAX.AK PE_BOBAX.AK
P3.4     168                TROJ_QHOST.WT WORM_HAMWEQ.AP BKDR_POEBOT.AHP
P3.7     134                PE_VIRUT.AV WORM_SWTYMLAI.CD TSPY_KOLABC.CH
P3.10    119                PE_VIRUT.AV TSPY_KOLABC.CH WORM_SWTYMLAI.CD
P3.21    82                 PE_VIRUT.AV BKDR_SDBOT.BU BKDR_VANBOT.HI
P3.27    74                 BKDR_SCRYPT.ZHB BKDR_SDBOT.BU BKDR_VANBOT.HI
P3.29    74                 TSPY_ONLINEG.OPJ TROJ_QHOST.WT BKDR_POEBOT.AHP
P3.30    73                 BKDR_RBOT.CZO WORM_HAMWEQ.AP TROJ_QHOST.WT
P3.37    67                 PE_VIRUT.AV TSPY_KOLABC.CH TROJ_AGENT.AGSB
P3.49    57                 BKDR_SCRYPT.ZHB PE_VIRUT.AV BKDR_SDBOT.BU

Distribution of attacks of duplicate 3-pattern

[Chart of the attack distribution over time for the duplicate 3-patterns]

Distribution of attacks of non-duplicate 3-pattern

[Chart of the attack distribution over time for the non-duplicate 3-patterns, grouped as listed below and labelled A to D, with spans of 20 days, 25 days, 26 days and 8 days annotated on the chart]

(P3.4) TROJ_QHOST.WT, WORM_HAMWEQ.AP, BKDR_POEBOT.AHP; (P3.29) TSPY_ONLINEG.OPJ, TROJ_QHOST.WT, BKDR_POEBOT.AHP; (P3.30) BKDR_RBOT.CZO, WORM_HAMWEQ.AP, TROJ_QHOST.WT

(P3.21) PE_VIRUT.AV, BKDR_SDBOT.BU, BKDR_VANBOT.HI; (P3.27) BKDR_SCRYPT.ZHB, BKDR_SDBOT.BU, BKDR_VANBOT.HI; (P3.49) BKDR_SCRYPT.ZHB, PE_VIRUT.AV, BKDR_SDBOT.BU

(P3.7) PE_VIRUT.AV, WORM_SWTYMLAI.CD, TSPY_KOLABC.CH; (P3.10) PE_VIRUT.AV, TSPY_KOLABC.CH, WORM_SWTYMLAI.CD

(P3.37) PE_VIRUT.AV, TSPY_KOLABC.CH, TROJ_AGENT.AGSB

Distribution of time interval of the 3-pattern

The time interval is the time difference between the first and last malware infections of the same sequential pattern at the honeypot.

Sequential attack pattern based on source IP address and timestamp

Pattern based on IP address

IP pattern code  IP pattern
A1               S1 S1 S1
A2               S1 S1 S2
A3               S1 S2 S1
A4               S1 S2 S2
A5               S1 S2 S3

Pattern based on timestamp

Time pattern code  Time pattern
E1                 T1 T1 T1
E2                 T1 T1 T2
E3                 T1 T2 T2
E4                 T1 T2 T3

Sequential attack pattern by source IP address and timestamp (cont.)

A4E1 : 10%    A4E4 : 90%
A5E4 : 20%    A5E5 : 80%

[Diagram of the coordinated attack involving TROJ_QHOST.WT, BKDR_POEBOT.AHP, PE_VIRUT.AV, TSPY_ONLINEG.OPJ, TSPY_KOLABC.CH and TROJ_AGENT.AGSB, annotated with the IP/time pattern shares above]

Confidence of sequential attack pattern

How strong is the n-pattern coordinated attack, given that the (n-1)-pattern, a subsequence of the n-pattern, occurs?

For n > 1 and m = (n-1):

    Conf(n-pattern) = Supp(n-pattern) / Supp(m-pattern)

where n is the length of the pattern and m is the length of the subsequence of the n-pattern.
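As an added illustration (not code from the presentation), the PrefixSpan walkthrough of the Method slides and the confidence formula above, implemented in Python over the slides' five-sequence database; the sequence database is copied from the slides, while the function names are my own.

```python
from collections import defaultdict

# Sequence database copied from the slides' PrefixSpan walkthrough
# (sequence_id -> ordered malware slots).
SEQ_DB = {
    100: ["PE", "WO", "TR"],
    101: ["PE", "TR", "WO"],
    102: ["BK", "PE", "TR", "TS", "WO"],
    103: ["TS", "PE", "PE", "TR", "WO", "BK"],
    104: ["PE", "WO", "TR", "WO"],
}

def project(projected, item):
    """Prefix-projection: the suffix after the first `item` in each postfix
    that contains it. Empty suffixes are kept: they still support the prefix."""
    return [seq[seq.index(item) + 1:] for seq in projected if item in seq]

def prefixspan(sequences, min_support):
    """Return {pattern_tuple: support} for every frequent sub-sequence.
    Each slot holds one item, so no itemset ('_') handling is needed."""
    patterns = {}

    def grow(prefix, projected):
        counts = defaultdict(int)
        for seq in projected:
            for item in set(seq):      # one sequence supports an item once
                counts[item] += 1
        for item in sorted(counts):
            if counts[item] >= min_support:
                pattern = prefix + (item,)
                patterns[pattern] = counts[item]
                grow(pattern, project(projected, item))   # depth-first growth

    grow((), [list(s) for s in sequences])
    return patterns

def confidence(patterns, pattern):
    """Conf(n-pattern) = Supp(n-pattern) / Supp((n-1)-pattern), where the
    (n-1)-pattern is the prefix of the n-pattern (the slide's formula)."""
    if len(pattern) < 2:
        raise ValueError("confidence is defined for n > 1")
    return patterns[pattern] / patterns[pattern[:-1]]

if __name__ == "__main__":
    freq = prefixspan(SEQ_DB.values(), 2)
    for pat in sorted(freq, key=lambda p: (len(p), p)):
        print("<%s>:%d" % (" ".join(pat), freq[pat]))
    print("Conf(<PE TR WO>) = %.2f" % confidence(freq, ("PE", "TR", "WO")))
```

With minimum support 2 the output is exactly the twelve patterns of the Method slides (<PE>:5 ... <PE TR WO>:4), and Conf(<PE TR WO>) = 4/5.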

Confidence of 3-pattern

[Bar chart of frequency (slots) for each 3-pattern beside its 2-pattern prefix, with the confidence annotated; the values below are read from the chart]

3-pattern  2-pattern prefix  Supp(3-pattern)  Supp(2-pattern)  Confidence
P3.4       P2.13             168              290              57.93%
P3.29      P2.78             74               90               82.22%
P3.30      P2.37             73               153              47.71%
P3.21      P2.24             82               211              38.86%
P3.27      P2.28             74               190              38.95%
P3.49      P2.36             57               156              36.54%
P3.7       P2.6              134              385              34.81%
P3.10      P2.4              119              492              24.19%
P3.37      P2.4              67               492              13.62%

Conclusion

The PrefixSpan method sufficiently discovers all sequential attack patterns.

Coordinated attacks are performed by multiple sequential attack patterns within a certain short time interval.

The sequential pattern of a coordinated attack tends to change all the time.

These results give several behaviors useful for alerting on threats of botnet attacks.
