
Enhanced Sinkhole System: Collecting System Details to Support Investigations

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 10566)

Abstract

Adversaries use increasingly complex and sophisticated tactics, techniques and procedures to compromise single computer systems and complete IT environments. Most standard detection and prevention systems cannot provide a decent level of protection against sophisticated attacks, because adversaries are able to bypass various detection approaches. Therefore, additional solutions are needed to improve the prevention and detection of complex attacks. DNS sinkholing is one approach that can be used to redirect known malicious connections to dedicated sinkhole systems. The objective of these sinkhole systems is to interrupt the communication of the malware and to gather details about it. Because current sinkhole systems focus on the collection of network-related information, the gathered details cannot be used to support investigations in a comprehensive way or to improve detection and prevention capabilities.

In this paper, we propose a new approach for an enhanced sinkhole system that is able to collect detailed information about potentially infected systems and the corresponding malware that is executed. This system is able to gather details, such as open network connections, running processes and process memory, to provide relevant information about the malware's behavior and the methods it uses. The approach makes use of built-in remote management capabilities and standard commands as well as functions of the operating system to gather the details. This also ensures that the footprint of the collection approach is small and therefore difficult for malware to recognize. For the evaluation of the proposed approach, we executed real-world malware and collected details from the infected system with a prototype implementation of the enhanced sinkhole system. The gathered information shows that these details can be used to support investigations and to improve security solutions.
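The sinkhole side of the workflow the abstract describes has three parts: a DNS policy that answers known-bad names with the sinkhole address, a record of which internal host connected to the sinkhole for which name, and a decision about which host to pull system details from first. The following Python is an added example written for this page; it is not the paper's prototype, and the blocklist, the RFC 5737 sinkhole address, the RPZ zone name and the sinkhole log format are all constructed assumptions.

```python
"""Sinkhole-side helpers: render the DNS Response Policy Zone that redirects
blocked names to the sinkhole, group sinkhole-observed connections by internal
host, and rank hosts for detail collection. Added example; not the paper's code."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed values: RFC 5737 documentation address and an invented blocklist.
SINKHOLE_IP = "192.0.2.10"
BLOCKED_DOMAINS = ["evil.example", "c2.badcorp.example"]

# Constructed sinkhole log lines; the paper does not show its own log format.
SAMPLE_LOG = """\
2017-01-10T10:00:01Z src=10.0.0.5:49152 dst=192.0.2.10:443 name=evil.example bytes=517
2017-01-10T10:00:07Z src=10.0.0.5:49153 dst=192.0.2.10:80 name=c2.badcorp.example bytes=1200
2017-01-10T10:00:09Z src=10.0.0.9:51000 dst=192.0.2.10:443 name=evil.example bytes=0
this line is garbage and must be skipped
"""


def build_rpz_zone(domains, sinkhole_ip, origin="rpz.local"):
    """Render a minimal RPZ whose rules answer each blocked name (and its
    subdomains) with the sinkhole address instead of the real one."""
    ipaddress.ip_address(sinkhole_ip)  # fail early on a malformed address
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        "@ IN SOA ns.rpz.local. hostmaster.rpz.local. 1 3600 600 86400 300",
        "@ IN NS ns.rpz.local.",
    ]
    for name in domains:
        # RPZ owner names are relative to the zone origin; a "*." rule is
        # needed in addition to the bare name to catch subdomains.
        lines.append(f"{name} IN A {sinkhole_ip}")
        lines.append(f"*.{name} IN A {sinkhole_ip}")
    return "\n".join(lines) + "\n"


LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) name=(?P<name>\S+)"
    r"(?: bytes=(?P<bytes>\d+))?$"
)


@dataclass
class HostRecord:
    """Everything the sinkhole learned about one internal source host."""
    ip: str
    connections: list = field(default_factory=list)

    @property
    def names(self):
        return sorted({c["name"] for c in self.connections})

    @property
    def ports(self):
        # Source ports seen at the sinkhole; on the host these are the local
        # ports of the open connections, which is how the connection snapshot
        # is later matched to the process that owns it.
        return sorted({c["sport"] for c in self.connections})

    @property
    def bytes_sent(self):
        return sum(c["bytes"] for c in self.connections)


def parse_sinkhole_log(text):
    """Group sinkhole-observed connections by internal source host.
    Unparseable lines are skipped rather than aborting the whole batch."""
    hosts = {}
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = hosts.setdefault(m["src"], HostRecord(m["src"]))
        rec.connections.append({
            "ts": m["ts"], "sport": int(m["sport"]), "dport": int(m["dport"]),
            "name": m["name"], "bytes": int(m["bytes"] or 0),
        })
    return hosts


def triage_order(hosts):
    """Collect first from hosts that contacted more sinkholed names and sent
    more data; a bare connection with no payload ranks lowest."""
    return [h.ip for h in sorted(hosts.values(),
                                 key=lambda h: (len(h.names), h.bytes_sent),
                                 reverse=True)]


if __name__ == "__main__":
    print(build_rpz_zone(BLOCKED_DOMAINS, SINKHOLE_IP))
    hosts = parse_sinkhole_log(SAMPLE_LOG)
    for ip in triage_order(hosts):
        print(ip, hosts[ip].names, hosts[ip].ports, hosts[ip].bytes_sent)
```

The source ports kept in each `HostRecord` are the detail that turns a network observation into a system-level one: when the enhanced sinkhole later snapshots open connections on the host, the entry whose local port matches is the one whose owning process is worth listing and capturing, which is the order of volatility the abstract's "open network connections, running processes and process memory" implies.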



Corresponding author

Correspondence to Martin Ussath.


Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Ussath, M., Cheng, F., Meinel, C. (2017). Enhanced Sinkhole System: Collecting System Details to Support Investigations. In: Bouzefrane, S., Banerjee, S., Sailhan, F., Boumerdassi, S., Renault, E. (eds) Mobile, Secure, and Programmable Networking. MSPN 2017. Lecture Notes in Computer Science, vol 10566. Springer, Cham. https://doi.org/10.1007/978-3-319-67807-8_2


  • DOI: https://doi.org/10.1007/978-3-319-67807-8_2


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-67806-1

  • Online ISBN: 978-3-319-67807-8

  • eBook Packages: Computer Science (R0)
