Abstract
Adversaries use increasingly complex and sophisticated tactics, techniques and procedures to compromise single computer systems and entire IT environments. Most standard detection and prevention systems cannot provide an adequate level of protection against sophisticated attacks, because adversaries are able to bypass the various detection approaches. Therefore, additional solutions are needed to improve the prevention and detection of complex attacks. DNS sinkholing is one approach that can be used to redirect known malicious connections to dedicated sinkhole systems. The objective of these sinkhole systems is to interrupt the communication of the malware and to gather details about it. Because current sinkhole systems focus on collecting network-related information, the gathered details cannot be used to support investigations in a comprehensive way or to improve detection and prevention capabilities.
In this paper, we propose a new approach for an enhanced sinkhole system that is able to collect detailed information about potentially infected systems and the malware executing on them. This system gathers details such as open network connections, running processes and process memory, which provide relevant information about the behavior of the malware and the methods it uses. The approach relies on built-in remote management capabilities and on standard commands and functions of the operating system to gather these details. This keeps the footprint of the collection approach small and therefore difficult for malware to recognize. For the evaluation of the proposed approach, we executed real-world malware and collected details from the infected system with a prototype implementation of the enhanced sinkhole system. The gathered information shows that these details can be used to support investigations and to improve security solutions.
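The redirection step the abstract builds on is DNS sinkholing: a resolver answers queries for known malicious domains with the address of the sinkhole, so the infected host connects to the sinkhole instead of its command-and-control server, and the sinkhole learns which internal host is potentially infected. The following Python block is an added example written for this page, not code from the paper or its authors. It parses a DNS A query in wire format, checks the name against a blocklist, returns a sinkhole answer for blocked names (and `None` for everything else, meaning "forward to the normal resolver"), and records the querying client so that a collection step like the one the paper proposes has a list of hosts to examine. The blocklist, the sinkhole address (a TEST-NET-1 address) and all domain names are constructed sample values, not indicators from the paper.

```python
"""Minimal DNS sinkhole responder (added example; not the authors' implementation)."""
import socket
import struct
from typing import Optional

SINKHOLE_IP = "192.0.2.10"  # constructed placeholder (TEST-NET-1), not a real sinkhole

# Constructed blocklist of "known malicious" domains; sample values only.
BLOCKLIST = {"malicious.example", "c2.bad.example"}


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard recursive DNS A query in wire format (used to construct test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(packet: bytes, offset: int) -> tuple[str, int]:
    """Read an uncompressed QNAME starting at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def is_blocked(name: str) -> bool:
    """A name is blocked if it, or any parent domain of it, is on the blocklist."""
    parts = name.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))


def sinkhole_response(query: bytes, client_ip: str, hits: list) -> Optional[bytes]:
    """Answer a blocked A query with the sinkhole address and log the client.

    Returns None for queries that should be forwarded to the regular resolver.
    `hits` collects (client_ip, name) pairs: the hosts an enhanced sinkhole
    would subsequently collect process and connection details from.
    """
    txid, _flags, qdcount, *_ = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1:
        return None
    name, end = parse_qname(query, 12)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    if qtype != 1 or qclass != 1 or not is_blocked(name):
        return None
    hits.append((client_ip, name))
    # Header flags 0x8580: QR=1 (response), AA=1, RD=1, RA=1; one question, one answer.
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)
    question = query[12:end + 4]
    # Answer: name is a compression pointer to offset 12, type A, class IN,
    # short TTL (60 s) so the redirection can be lifted quickly, 4-byte RDATA.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(SINKHOLE_IP)
    return header + question + answer


def answered_address(response: bytes) -> str:
    """Extract the A record address from a response built by sinkhole_response."""
    return socket.inet_ntoa(response[-4:])


if __name__ == "__main__":
    seen: list = []
    for host, domain in [("10.0.0.5", "www.malicious.example"), ("10.0.0.6", "www.example.org")]:
        reply = sinkhole_response(build_query(domain), host, seen)
        print(domain, "->", answered_address(reply) if reply else "forward")
    print("hosts to collect from:", seen)
```

In a deployment, the same decision would be expressed as a response policy zone or equivalent resolver configuration rather than a hand-written responder; the point of the block is the data flow: blocked name in, sinkhole address out, and a record of the querying host that drives the collection step.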
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Ussath, M., Cheng, F., Meinel, C. (2017). Enhanced Sinkhole System: Collecting System Details to Support Investigations. In: Bouzefrane, S., Banerjee, S., Sailhan, F., Boumerdassi, S., Renault, E. (eds) Mobile, Secure, and Programmable Networking. MSPN 2017. Lecture Notes in Computer Science(), vol 10566. Springer, Cham. https://doi.org/10.1007/978-3-319-67807-8_2
DOI: https://doi.org/10.1007/978-3-319-67807-8_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-67806-1
Online ISBN: 978-3-319-67807-8