An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections

  • Marcus Botacin UFPR
  • Paulo de Geus UNICAMP
  • André Grégio UFPR

Abstract


Although blocking samples at the endpoint level is still essential to respond to newly created threats, large-scale threat blocking is only possible at the network level. We propose investigating how such blocking procedures take place in actual scenarios, aiming to identify and bridge existing development gaps. We considered the daily analysis results of two malware datasets (representative of the Brazilian and of the worldwide scenarios) and investigated the prevalence of, and the methods leveraged for, making the downloaded HTTP payloads and the resolved DNS domains unavailable to the malware samples. We discovered that: (i) the servers contacted by all samples are sinkholed in similar ways, but Brazilian samples were affected first; (ii) cloud-stored samples are blocked in a different manner from those stored on private servers; (iii) blocking the DNS resolution of malicious domains is more efficient than blocking individual HTTP-retrieved payloads; and (iv) there are still open development gaps in network security, as most samples had no contacted domain sinkholed at any time.
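The measurement the abstract describes (re-analysing samples daily and recording whether a contacted domain stopped resolving, resolved to a sinkhole, or kept resolving while the HTTP payload disappeared) can be reduced to a small classifier over per-day observations. The script below is an added illustration of that bookkeeping and is not code from the paper; the observation fields, the address ranges treated as sinkholes (loopback, 0.0.0.0 and, standing in for a sinkhole operator, the 192.0.2.0/24 TEST-NET range) and the daily records themselves are all assumptions constructed for the example.

```python
"""Classify how a malware sample's network resources became unavailable,
from constructed daily (day, sample, domain, dns_answer, http_status) records."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Optional, Tuple

# Assumed DNS-level blocking indicators (not taken from the paper): answers in
# loopback/unspecified space, or in a range we treat as a sinkhole operator's.
# 192.0.2.0/24 (TEST-NET-1) stands in for such a range in the constructed data.
SINKHOLE_NETS = [ip_network("127.0.0.0/8"), ip_network("0.0.0.0/32"),
                 ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Observation:
    day: int                    # index of the daily re-analysis run
    sample: str                 # sample identifier
    domain: str                 # domain the sample resolved
    answer: Optional[str]       # A record returned; None for NXDOMAIN/SERVFAIL
    http_status: Optional[int]  # status of the payload fetch; None if none was made


def classify(obs: Observation) -> str:
    """'dns' if the name no longer resolves to a usable host, 'http' if it
    still resolves but the payload is gone, 'live' otherwise."""
    if obs.answer is None:
        return "dns"
    if any(ip_address(obs.answer) in net for net in SINKHOLE_NETS):
        return "dns"
    if obs.http_status is not None and obs.http_status >= 400:
        return "http"
    return "live"


def first_block(observations: Iterable[Observation]) -> Dict[Tuple[str, str], Tuple[int, str]]:
    """Earliest day each (sample, domain) pair was seen blocked, and by which method."""
    blocked: Dict[Tuple[str, str], Tuple[int, str]] = {}
    for obs in sorted(observations, key=lambda o: o.day):
        key = (obs.sample, obs.domain)
        method = classify(obs)
        if method != "live" and key not in blocked:
            blocked[key] = (obs.day, method)
    return blocked


def summarize(observations: Iterable[Observation]) -> dict:
    """Prevalence of blocking: how many samples had at least one contacted
    domain blocked at any time, which never were, and how blocks were done."""
    observations = list(observations)
    blocked = first_block(observations)
    samples_total = {o.sample for o in observations}
    samples_blocked = {sample for sample, _ in blocked}
    return {
        "samples_total": len(samples_total),
        "samples_with_block": len(samples_blocked),
        "samples_never_blocked": sorted(samples_total - samples_blocked),
        "by_method": dict(Counter(method for _, method in blocked.values())),
    }


# Constructed daily observations (not real data); 203.0.113.0/24 is TEST-NET-3.
OBSERVATIONS = [
    Observation(1, "S1", "a.example", "203.0.113.10", 200),
    Observation(2, "S1", "a.example", "192.0.2.5", None),    # answer is now a sinkhole
    Observation(1, "S2", "b.example", "203.0.113.20", 200),
    Observation(2, "S2", "b.example", "203.0.113.20", 404),  # payload removed, DNS intact
    Observation(1, "S3", "c.example", "203.0.113.30", 200),
    Observation(3, "S3", "c.example", "203.0.113.30", 200),  # never blocked
    Observation(1, "S4", "d.example", "203.0.113.40", 200),
    Observation(3, "S4", "d.example", None, None),           # NXDOMAIN
]

if __name__ == "__main__":
    for (sample, domain), (day, method) in sorted(first_block(OBSERVATIONS).items()):
        print(f"{sample} {domain}: blocked on day {day} via {method}")
    print(summarize(OBSERVATIONS))
```

Ordering the records by day before scanning is what makes "first affected" measurable; a sample whose domain is only ever classified as `live` ends up in `samples_never_blocked`, which is the population the abstract's fourth finding is about. Real sinkhole detection would need the operator ranges and NXDOMAIN/SERVFAIL distinctions of the resolvers actually used, which the example only approximates.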


Published: 2020-10-13

BOTACIN, Marcus; GEUS, Paulo de; GRÉGIO, André. An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Level to Counter In-The-Wild Malware Infections. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 20., 2020, Petrópolis. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2020. p. 188-200. DOI: https://doi.org/10.5753/sbseg.2020.19237.
