Large-scale detection and measurement of malicious content [Electronic resource] / submitted by Jan Gerrit Göbel

218 pages, English, Documents, 2011



Published on 1 January 2011. Language: English. File size: 6 MB.

Large-Scale Detection and Measurement of Malicious Content

Inaugural dissertation for the attainment of the academic degree of Doctor of Natural Sciences (Doktor der Naturwissenschaften) at the Universität Mannheim

Submitted by Jan Gerrit Göbel from Cologne, Germany
Mannheim, 2011

Dean: Professor Dr. Wolfgang Effelsberg, Universität Mannheim
Referee: Dr. Felix Christoph Freiling, Universität
Co-referee: Professor Dr. Christopher Kruegel, University of California, Santa Barbara
Date of oral examination: 27 April 2011

Abstract

Many different network- and host-based security solutions have been developed in the past to counter the threat of autonomously spreading malware. Among the most common detection techniques for such attacks are network traffic analysis and so-called honeypots. In this thesis, we introduce two new malware detection sensors that make use of the above-mentioned techniques. The first sensor, called Rishi, passively monitors network traffic to automatically detect bot-infected machines. The second sensor, called Amun, follows the concept of honeypots and detects malware through the emulation of vulnerabilities in network services that are commonly exploited. Both sensors were operated for two years and collected valuable data on autonomously spreading malware on the Internet. From this data we were able to, for example, study the change in exploit behavior and derive predictions about preferred targets of today's malware.

Zusammenfassung (German abstract, translated)

In the past, many security solutions have been developed to combat autonomously spreading malicious programs. Some of these solutions operate locally on a single machine, others on networks and their traffic. Among the best-known detection techniques are the analysis of network traffic and so-called honeypots. In this thesis we present two new sensors for the detection of malicious programs that use the techniques just mentioned. The first sensor, called Rishi, listens passively on a network and, by analysing its traffic, identifies machines that are infected with a bot. The second sensor is Amun. It is a honeypot and detects malicious programs by emulating frequently exploited vulnerabilities in network services. Both sensors were operated for over two years and during that time collected valuable information about autonomously spreading malicious programs on the Internet. For example, we were able to observe changes in exploit behavior and derive statements about future attack targets.

"A spoonful of honey will catch more flies than a gallon of vinegar."
Benjamin Franklin [Hal04]

Acknowledgements
First of all, I would like to thank my advisor Prof. Dr. Freiling, who gave me the opportu-
nity to work in this exciting area of computer science and supported my research in every way.
Throughout this thesis, he always provided me with valuable feedback and I never had a question
unanswered. Thank you for this excellent guidance.
Furthermore, I would like to thank Prof. Dr. Christopher Krügel for accepting to be my co-
advisor. Although we have never really met in person, his name and work are well-known in the
context of malware detection and analysis. Thus, I am honoured that he accepted to be my co-
advisor.
I would also like to thank all members of the Network Operations Center (NOC) at RWTH
Aachen University, especially Jens Hektor, who allowed me to deploy and maintain one of the
biggest Honeynets in Germany. Without the information collected at this network during the last
years all the work presented in this thesis would not have been possible. In this context, I would
also like to thank Jens Syckor from TU Dresden, Matteo Cantoni from Italy, and Eric Chio from
China, who all thankfully provided me with their honeypot sensor data and thus enabled me to
make predictions about optimal sensor placement strategies with respect to geographically distant
sensors.
There are also many other people I would like to thank for supporting me in the development
of various aspects of my work. First of all, I would like to thank Philipp Trinius for writing some
interesting papers with me and providing me with valuable feedback and suggestions, but also for
being an uncomplicated co-worker and friend. This last statement actually holds true for all people
working at the Laboratory for Dependable Distributed Systems of Mannheim University that I met
during this time. Without the assistance of Michael Becher, Zina Benenson, Andreas Dewald,
Markus Engelberth, Christian Gorecki, Thorsten Holz, Philipp Trinius, and Carsten Willems it
would not have been so much fun. Part of this work also benefited from the valuable feedback
and enhancements of Stefan Vömel who volunteered proof-reading one of the chapters. I would
also like to thank all diploma/bachelor students and student workers, who helped over the years to
implement some parts of the work presented in this thesis. In particular, Ben Stock and Matthias
Luft helped a lot to develop and implement tools to evaluate the large amount of Honeynet data
we have collected.
Both the atmosphere and cheerfulness at the Laboratory for Dependable Distributed Systems of
the University of Mannheim, as well as the great cooperation with the Center for Computing and
Communication of RWTH Aachen University were amazing and tremendously contributed to the
outcome of this thesis. It was a pleasure working with all of you.
Finally, I have to express my gratitude to my wife and my son. Without her doing most of the
work at home I could not have spent so much time working on this thesis. But they both were also
very helpful in distracting me and helping me not to forget that there is an everyday life next to
work.

Contents

Acknowledgements
List of Figures  v
List of Tables  ix
List of Listings  xi
1 Introduction  1
    1.1 Introduction  1
    1.2 Motivation  2
    1.3 Contributions  2
        1.3.1 Malware Sensors  2
        1.3.2 Large-Scale Data Evaluation  3
    1.4 Thesis Outline  4
    1.5 List of Publications  5
2 Background  7
    2.1 Introduction  7
    2.2 Internet Relay Chat  8
    2.3 Bots and Botnets  9
    2.4 Honeypots and Honeynets  11
        2.4.1 Honeypot Definition  12
        2.4.2 Low- and High-Interaction Honeypots  12
        2.4.3 Physical and Virtual Honeypots  16
        2.4.4 Client and Server Honeypots  17
    2.5 Exploits and Shellcode  18
        2.5.1 Buffer Overflow  19
        2.5.2 Shellcode Obfuscation Techniques  21
    2.6 Summary  25
3 Related Work  27
    3.1 Introduction  27
