Enhanced Sinkhole System: Collecting System Details to Support Investigations

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10566)

Abstract

Adversaries use increasingly complex and sophisticated tactics, techniques and procedures to compromise single computer systems and complete IT environments. Most standard detection and prevention systems cannot provide a decent level of protection against sophisticated attacks, because adversaries are able to bypass various detection approaches. Therefore, additional solutions are needed to improve the prevention and detection of complex attacks. DNS sinkholing is one approach that can be used to redirect known malicious connections to dedicated sinkhole systems. The objective of these sinkhole systems is to interrupt the communication of the malware and to gather details about it. Because current sinkhole systems focus on the collection of network-related information, the gathered details cannot be used to support investigations in a comprehensive way or to improve detection and prevention capabilities.

In this paper, we propose a new approach for an enhanced sinkhole system that is able to collect detailed information about potentially infected systems and the corresponding malware that is executed. This system is able to gather details, such as open network connections, running processes and process memory, to provide relevant information about the malware behavior and the methods used. The approach makes use of built-in remote management capabilities and standard commands as well as functions of the operating system to gather the details. This also ensures that the footprint of the collection approach is small and therefore difficult for malware to recognize. For the evaluation of the proposed approach, we executed real-world malware and collected details from the infected system with a prototypically implemented enhanced sinkhole system. The gathered information shows that these details can be used to support investigations and to improve security solutions.
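The DNS sinkholing step described in the abstract (answering queries for known malicious names with the address of a sinkhole host, and recording which client asked, so that the host can be examined afterwards) can be shown in a few dozen lines. The following is an added example written for this page, not code from the paper or its prototype: the sinkhole address, the blocklist and the client address are constructed sample values, queries are built and parsed in raw DNS wire format so the block runs offline, and non-blocklisted queries are answered REFUSED as a stand-in for forwarding them to an upstream resolver. The hit record (client, queried name, timestamp) is the trigger an investigator would use to start collecting the host-side details the paper discusses.

```python
"""
Minimal DNS sinkhole responder (illustrative example, not the paper's prototype).

For A queries whose name is on the blocklist (exact match or any subdomain)
it answers with the sinkhole address and records a SinkholeHit for the
querying client.  Other queries are answered REFUSED here; a real deployment
would forward them upstream instead.
"""
import struct
import time
from dataclasses import dataclass

SINKHOLE_IP = "10.0.0.53"                         # constructed sinkhole address
BLOCKLIST = {"evil.example", "c2.example.net"}    # constructed sample blocklist

QTYPE_A = 1
QCLASS_IN = 1
RCODE_REFUSED = 5


@dataclass
class SinkholeHit:
    client: str   # source address of the querying host: where to investigate
    qname: str    # the malicious name it tried to resolve
    ts: float


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a standard recursive A/IN query (used here as constructed input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def is_sinkholed(qname: str) -> bool:
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in BLOCKLIST)


def handle_query(msg: bytes, client: str, hits: list, ttl: int = 60) -> bytes:
    """Answer one query; append a SinkholeHit when the name is sinkholed."""
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    question = msg[12:off + 4]
    if qtype == QTYPE_A and qclass == QCLASS_IN and is_sinkholed(qname):
        hits.append(SinkholeHit(client, qname, time.time()))
        rflags = 0x8480 | (flags & 0x0100)        # QR, AA, RA; RD copied
        header = struct.pack("!HHHHHH", txid, rflags, 1, 1, 0, 0)
        rdata = bytes(int(o) for o in SINKHOLE_IP.split("."))
        answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
        return header + question + answer
    rflags = 0x8080 | (flags & 0x0100) | RCODE_REFUSED
    return struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0) + question


def rcode(resp: bytes) -> int:
    return struct.unpack("!H", resp[2:4])[0] & 0x000F


def parse_answer_ip(resp: bytes):
    """Return the A record address in a response, or None if it has no answer."""
    if struct.unpack("!H", resp[6:8])[0] == 0:
        return None
    _, off = decode_name(resp, 12)
    off += 4                                      # skip qtype, qclass
    _, off = decode_name(resp, off)               # answer owner name (pointer)
    _, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
    return ".".join(str(b) for b in resp[off + 10:off + 10 + rdlen])


if __name__ == "__main__":
    hits = []
    resp = handle_query(build_query("www.evil.example"), "192.0.2.10", hits)
    print(parse_answer_ip(resp), hits)
```

The subdomain match matters in practice: malware frequently resolves hostnames beneath a sinkholed zone, and an exact-match blocklist would let those through. Each hit names the client that asked, which is the starting point for the host-side collection (connections, processes, memory) that the paper's enhanced sinkhole adds on top of the network view.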

Keywords

DNS sinkholing, Malware analysis, Malware behavior, Threat intelligence


Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

Hasso Plattner Institute (HPI), University of Potsdam, Potsdam, Germany
