Botconf Author Listing

Piotr Białczak

Last known affiliation: CERT Polska/NASK/Warsaw University of Technology

Date: 2019-12-04
Tracking botnets with Long Term Sandboxing
Piotr Białczak 🗣 | Adrian Korczak 🗣

Abstract

Sandbox systems have become an efficient way to analyze malware behavior. They can provide information about malware in a quick and automatic manner. However, their analysis time is usually limited to only a couple of minutes, thus preventing observation of malware behavior in the long run and noticing interesting changes. To resolve these issues, we have created a Long Term Sandboxing system (LTS), which provides means for prolonged automatic analysis of malware behavior. In our presentation we will show how we use it to track botnets, both their infrastructure and operations. Our system has been augmented with network traffic and system resource analyses, providing means for network protocol investigation, including DNS, HTTP(S) and SMTP.

Date: 2018-12-07
Leaving no Stone Unturned – in Search of HTTP Malware Distinctive Features
Piotr Białczak 🗣

Abstract

When we analyze malware C&C network traffic we often see that it contains the HTTP protocol. Sometimes the messages are obfuscated and sometimes sent as plain text. They can be intentionally crafted to look as if sent by a web browser. But in many cases they are sent using standard libraries and tools. Intuition suggests that there should be some distinct features which can help to distinguish between malware and benign applications sending HTTP requests. In our presentation we want to present the results of our analysis in search of such features.
Analyzed features include headers’ appearance (misspellings, unusual names), header values, general payload analysis (entropy, character analysis etc.) and header sequence order. In our search we have analyzed more than 35 000 pcap files from CERT Polska’s sandbox environment and the Malware Capture Facility Project. They include network traffic of about 190 malware families, split into common categories like bankers, ransomware, downloaders, spambots etc. To identify distinct features, we have compared the results against browser traffic to Alexa’s top 500 popular domains worldwide. The outcome was surprising even for us.

The presentation won’t be academic. We want to share the main conclusions which can help you when dealing with malware HTTP traffic. To provide even more operational knowledge, we want to compare the results with traffic generated by popular Windows HTTP libraries and tools. We will also present particularly interesting examples of HTTP anomalies, both in malware and benign traffic.
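The feature classes named in the abstract above (misspelled or unusual header names, header casing, header sequence order, payload entropy) can be pulled out of a raw HTTP request with a few dozen lines of code. The following is an added example written for this listing, not code from the authors or from CERT Polska's analysis pipeline; the list of "known" browser headers and the two sample requests are constructed assumptions, and the canonical-casing rule is a heuristic, not a standard.

```python
import math
from collections import Counter

# Assumed set of header names commonly seen in browser traffic. A real
# analysis would derive this list from a benign corpus, as the abstract
# describes; this short set is only for illustration.
KNOWN_HEADERS = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "connection", "content-length", "content-type", "referer", "cookie",
    "cache-control", "pragma", "upgrade-insecure-requests", "origin",
}

# Constructed sample requests (not real captures). The first mimics a
# browser; the second shows the kinds of anomalies the abstract mentions:
# a misspelled header, lowercase casing, Host not first, high-entropy body.
BROWSER_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: text/html\r\n"
    b"Accept-Language: en-US\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

ODD_REQUEST = (
    b"POST /gate.php HTTP/1.1\r\n"
    b"Accept-Encodig: gzip\r\n"
    b"user-agent: Mozilla/4.0\r\n"
    b"Host: example.org\r\n"
    b"X-Sessid: 1\r\n"
    b"Content-Length: 16\r\n"
    b"\r\n"
    + bytes(range(16))  # 16 distinct byte values -> 4.0 bits/byte entropy
)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def canonical_case(name: str) -> str:
    """Heuristic 'Title-Case-Per-Part' spelling, e.g. 'user-agent' -> 'User-Agent'."""
    return "-".join(p[:1].upper() + p[1:].lower() for p in name.split("-"))


def extract_features(raw: bytes) -> dict:
    """Parse one raw HTTP request and return the distinguishing features."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0].split(" ")
    method = request_line[0] if request_line else ""

    names_raw = []
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate malformed lines instead of aborting
        name, _ = line.split(":", 1)
        names_raw.append(name.strip())

    order = [n.lower() for n in names_raw]
    return {
        "method": method,
        "header_order": order,
        "unknown_headers": [n for n in order if n not in KNOWN_HEADERS],
        "casing_anomalies": [n.lower() for n in names_raw
                             if n != canonical_case(n)],
        "host_first": bool(order) and order[0] == "host",
        "body_len": len(body),
        "body_entropy": shannon_entropy(body),
    }


if __name__ == "__main__":
    for label, req in (("browser", BROWSER_REQUEST), ("odd", ODD_REQUEST)):
        print(label, extract_features(req))
```

The same function can be run over requests reassembled from pcap files; the interesting output is not any single flag but how the distribution of unknown names, casing anomalies and header order differs between a malware corpus and a benign browser corpus, which is exactly the comparison the abstract describes.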
