Automatic C&C Server Identification and Bashlite and Mirai Malware Variant Identification
Abstract
The Internet of Things comprises a large number of devices distributed around the world, and the low security standard of some of these devices has been exploited by malicious agents to build botnets. Knowledgeable network operators can reduce the impact of these botnets by blocking access to Command and Control (C&C) servers and by creating defenses against new attack and spreading mechanisms. In this article, we extend existing tools into a framework for C&C server detection and for classifying malware into groups of similar binaries. We use static and dynamic analysis in combination with heuristics to indicate C&C addresses, and graph theory to group similar binaries. In our results, the clustering algorithm concentrates binaries into a few groups, focusing network operators' efforts, while the proposed analysis and heuristics broaden the identification of C&C servers by mitigating countermeasures implemented by malware developers.
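The abstract names two building blocks: heuristic indication of C&C addresses from analysis of each sample, and graph-based grouping of similar binaries. The Python below is an added illustration of both and is not the authors' framework. It assumes, for illustration only, that static analysis yields a set of printable strings per sample, that Jaccard similarity over those string sets is the similarity measure, and that the clusters are the connected components of a similarity graph thresholded at a chosen value; the `SAMPLES` blobs, their names and the addresses (RFC 5737 documentation ranges) are constructed stand-ins for stripped IoT malware samples.

```python
import re
from collections import deque
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-ins for stripped IoT malware samples: byte blobs whose
# printable strings mimic what a static string dump of Bashlite- and
# Mirai-style binaries contains. Addresses are from RFC 5737 ranges.
SAMPLES: Dict[str, bytes] = {
    "sample_a": (b"\x7fELF\x00BUSYBOX\x00/bin/busybox\x00PING\x00PONG\x00"
                 b"198.51.100.23:6667\x00SCANNER ON\x00LOLNOGTFO\x00"),
    "sample_b": (b"\x7fELF\x00BUSYBOX\x00/bin/busybox\x00PING\x00PONG\x00"
                 b"203.0.113.9:23\x00SCANNER ON\x00LOLNOGTFO\x00"),
    "sample_c": (b"\x7fELF\x00/dev/watchdog\x00/dev/misc/watchdog\x00"
                 b"listening tun0\x00192.0.2.44:48101\x00/proc/net/tcp\x00"),
    "sample_d": (b"\x7fELF\x00/dev/watchdog\x00/dev/misc/watchdog\x00"
                 b"listening tun0\x00192.0.2.77:48101\x00/proc/net/tcp\x00"),
    # Unrelated binary: only a loopback address, which the heuristic discards.
    "sample_e": b"\x7fELF\x00hello world\x00/proc/net/tcp\x00127.0.0.1:8080\x00",
}

IPV4_PORT = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")


def extract_strings(data: bytes, min_len: int = 4) -> Set[str]:
    """Static-analysis step: printable ASCII runs, like the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return {m.decode("ascii") for m in pattern.findall(data)}


def extract_c2_candidates(strings: Set[str]) -> List[Tuple[str, Optional[int]]]:
    """Heuristic C&C indication (illustrative): IPv4 literals, with an optional
    port, found in the string table. Loopback and 0.0.0.0 are dropped as noise."""
    found = []
    for s in sorted(strings):
        for ip, port in IPV4_PORT.findall(s):
            octets = [int(o) for o in ip.split(".")]
            if any(o > 255 for o in octets) or ip == "0.0.0.0" or octets[0] == 127:
                continue
            found.append((ip, int(port) if port else None))
    return found


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Similarity of two string sets; 1.0 for two empty sets by convention."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def build_similarity_graph(samples: Dict[str, bytes], threshold: float) -> Dict[str, Set[str]]:
    """Undirected graph: an edge joins two samples whose similarity >= threshold."""
    strings = {name: extract_strings(blob) for name, blob in samples.items()}
    graph: Dict[str, Set[str]] = {name: set() for name in samples}
    for x, y in combinations(samples, 2):
        if jaccard(strings[x], strings[y]) >= threshold:
            graph[x].add(y)
            graph[y].add(x)
    return graph


def connected_components(graph: Dict[str, Set[str]]) -> List[List[str]]:
    """Breadth-first search; each component is one group of similar binaries."""
    seen: Set[str] = set()
    components = []
    for start in sorted(graph):
        if start in seen:
            continue
        component, queue = [], deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            component.append(node)
            for neighbour in graph[node]:
                if neighbour not in seen:
                    seen.add(neighbour)
                    queue.append(neighbour)
        components.append(sorted(component))
    return sorted(components)


def cluster_with_c2(samples: Dict[str, bytes], threshold: float = 0.5):
    """Group samples, then pool the C&C candidates of each group so an operator
    can review a handful of clusters instead of every binary."""
    report = []
    for members in connected_components(build_similarity_graph(samples, threshold)):
        candidates: Set[Tuple[str, Optional[int]]] = set()
        for name in members:
            candidates.update(extract_c2_candidates(extract_strings(samples[name])))
        report.append((members, sorted(candidates, key=lambda t: (t[0], t[1] or 0))))
    return report


if __name__ == "__main__":
    for members, c2 in cluster_with_c2(SAMPLES, 0.5):
        print(members, "->", c2 or "no C&C candidate")
```

With the constructed samples the two Bashlite-like and the two Mirai-like blobs each form one group at a 0.5 threshold, and the unrelated blob stays alone with no candidate, because its only address is loopback. In practice the threshold and the similarity measure are the knobs that decide how many groups an operator has to review.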
