Source: netlab-mn.unipv.it/hive/ossconf_presentation.pdf
HIVE: an Open Infrastructure for Malware Collection and Analysis

Davide Cavalca (1), Emanuele Goldoni (2)
University of Pavia, Italy
(1) Department of Computer Engineering and Systems Science
(2) Department of Electronics

1st Workshop on Open Source Software for Computer and Network Forensics, 2008

Outline: Introduction, HIVE, Conclusions

Davide Cavalca, Emanuele Goldoni HIVE: an Open Infrastructure for Malware Collection and Analysis
Goals

A forensics approach to Internet malware and botnets:
- self-spreading malware study and classification
- monitoring of attack trends and targets
- botnets behavior, structure and evolution

To achieve these goals we built an automated infrastructure for malware collection and analysis.
Malware

Malware = malicious software: unwanted software with an agenda
- virus
- worm
- trojan horse
- spyware
- ...

Malware spreads:
- automatically, relying on software bugs to self-replicate on new computer systems
- manually, employing social engineering techniques against the users

Malware types:
- strictly destructive
- for profit: SPAM and phishing, ransom requests, botnet construction
Botnet

- distributed network of autonomous programs (bots), created by spreading ad hoc malware
- infected computers turn into zombie systems with stealthy behavior
- the attacker (botherder) remotely controls its botnet
  - using IRC or HTTP (centralized botnet)
  - using peer-to-peer protocols (distributed botnet)
- ...and rents its services to the highest bidder: criminal organizations, SPAM and advertisement, phishing, distributed DoS attacks, "data mining"
- a self-sustaining and reliable source of income
Honeypot

- decoy computer system designed to attract external attacks
  - human attackers: study attacker behavior
  - automated attacks: collect the malware binary code
- holds no valuable data (fake data is sometimes used as bait)
- used to study attack dynamics and the attacker's tools
- sits on an otherwise unused IP space (darknet)
- honeynet = a network of honeypots
Honeypot: types

Low interaction honeypot
- software simulation of a computer system
- efficient: a single machine can simulate a large network
- not so effective: an attack can fail due to simulation mishaps
- quick and easy to deploy, low TCO

High interaction honeypot
- a real vulnerable computer system
- very effective: the attacker compromises an actual system
- expensive to deploy and maintain, higher TCO
- legal liability issues
State of the art

We currently have:
- several low-interaction honeypot implementations
- but no standardized framework for high-interaction honeypots: most works on the subject tend to reinvent the wheel
- a number of analysis services for malware samples

What we lack is an integrated framework encompassing the collection of samples, the analysis of malware and the monitoring of detected threats.
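The honeypot slides describe the low-interaction approach (a software simulation that is cheap to run and good enough to make automated malware hand over its payload) and the state-of-the-art slide asks for sample collection and threat monitoring to live in one place. The following sketch, added here as an illustration and not taken from HIVE or the authors, shows the minimal logic behind both: a sensor that emulates a few service banners, records every connection, deduplicates captured payloads by SHA-256 so each unique sample is stored once, and aggregates the events into a trend view. The banners, port choices and the 192.0.2.x addresses used in the self-test are constructed assumptions.

```python
"""
Low-interaction honeypot sensor sketch (added example, not HIVE code):
emulate service banners, record connections, deduplicate captured payloads
by SHA-256 and summarise attack trends for monitoring.
"""
import hashlib
import socketserver
import threading
import time
from collections import Counter

# Constructed banners for the emulated services. Assumption: a low-interaction
# sensor only needs a plausible greeting to make an automated attacker talk.
BANNERS = {
    21: b"220 FTP server ready\r\n",
    25: b"220 mail ESMTP\r\n",
    2323: b"login: ",
}
MAX_CAPTURE = 64 * 1024   # bytes kept per connection
READ_TIMEOUT = 5.0        # seconds to wait for the peer before giving up


class SampleStore:
    """In-memory store of captured payloads plus one event per connection."""

    def __init__(self):
        self.samples = {}     # sha256 hex digest -> raw bytes
        self.events = []      # one dict per connection
        self._lock = threading.Lock()

    def record(self, src_ip, dst_port, payload, ts=None):
        """Log a connection; returns (digest, is_new).
        An empty payload is a bare probe (port scan): it is counted but
        creates no sample, so the digest is None."""
        digest = hashlib.sha256(payload).hexdigest() if payload else None
        with self._lock:
            is_new = bool(payload) and digest not in self.samples
            if is_new:
                self.samples[digest] = payload
            self.events.append({
                "ts": ts if ts is not None else time.time(),
                "src": src_ip,
                "port": dst_port,
                "sha256": digest,
                "size": len(payload),
                "new_sample": is_new,
            })
        return digest, is_new

    def trends(self):
        """Monitoring view: how many hits, from where, on which decoy service."""
        with self._lock:
            return {
                "connections": len(self.events),
                "probes": sum(1 for e in self.events if not e["sha256"]),
                "unique_samples": len(self.samples),
                "by_port": dict(Counter(e["port"] for e in self.events)),
                "by_src": dict(Counter(e["src"] for e in self.events)),
            }


STORE = SampleStore()


class HoneypotHandler(socketserver.BaseRequestHandler):
    """Send the fake banner, then capture whatever the peer sends."""

    def handle(self):
        port = self.server.server_address[1]
        self.request.settimeout(READ_TIMEOUT)
        chunks, total = [], 0
        try:
            self.request.sendall(BANNERS.get(port, b""))
            while total < MAX_CAPTURE:
                data = self.request.recv(4096)
                if not data:
                    break
                chunks.append(data)
                total += len(data)
        except OSError:
            pass  # timeouts and resets are routine for scanners
        STORE.record(self.client_address[0], port, b"".join(chunks))


def serve(ports=BANNERS, host="0.0.0.0"):
    """Start one threaded listener per emulated port; returns the servers."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    servers = []
    for port in ports:
        srv = socketserver.ThreadingTCPServer((host, port), HoneypotHandler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        servers.append(srv)
    return servers


if __name__ == "__main__":
    serve()
    while True:            # periodic trend dump for the monitoring side
        time.sleep(60)
        print(STORE.trends())
```

The store is the part worth keeping: hashing on ingest means a worm that hits the sensor a thousand times yields one stored sample and a thousand events, which is exactly the split between "collection" and "monitoring of attack trends" that the slides ask for. Binding port 21 or 25 needs privileges, and a real deployment would persist the store and place the sensor on otherwise unused address space as the honeypot slide describes.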