research-article

AUTOPROBE: Towards Automatic Active Malicious Server Probing Using Dynamic Binary Analysis

Authors:

Guangliang Yang,

Juan Caballero,

Guofei GuAuthors Info & Claims

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

Pages 179 - 190

https://doi.org/10.1145/2660267.2660352

Published: 03 November 2014 Publication History

Abstract

Malware continues to be one of the major threats to Internet security. In the battle against cybercriminals, accurately identifying the underlying malicious server infrastructure (e.g., C&C servers for botnet command and control) is of vital importance. Most existing passive monitoring approaches cannot keep up with the highly dynamic, ever-evolving malware server infrastructure. As an effective complementary technique, active probing has recently attracted attention due to its high accuracy, efficiency, and scalability (even to the Internet level). In this paper, we propose Autoprobe, a novel system to automatically generate effective and efficient fingerprints of remote malicious servers. Autoprobe addresses two fundamental limitations of existing active probing approaches: it supports pull-based C&C protocols, used by the majority of malware, and it generates fingerprints even in the common case when C&C servers are not alive during fingerprint generation. Using real-world malware samples we show that Autoprobe can successfully generate accurate C&C server fingerprints through novel applications of dynamic binary analysis techniques. By conducting Internet-scale active probing, we show that Autoprobe can successfully uncover hundreds of malicious servers on the Internet, many of them unknown to existing blacklists. We believe Autoprobe is a great complement to existing defenses, and can play a unique role in the battle against cybercriminals.

References

[1]

Dirtjumper. http://www.infonomics-society.org/IJICR/DirtJumper.

[2]

Alexa Top Domains. http://www.alexa.com/.

[3]

Ofir Arkin. A remote active os fingerprinting tool using icmp. ;login: The USENIX Magazine, 27(2), November 2008.

[4]

Bamital Malware. https://now-static.norton.com/now/en/pu/images/Promotions/2013/Bamital/bamital.html.

[5]

Juan Caballero, Noah M. Johnson, Stephen McCamant, and Dawn Song. Binary code extraction and interface identification for security applications. In Network and Distributed System Security Symposium, San Diego, CA, February 2010.

[6]

Juan Caballero, Pongsin Poosankam, Christian Kreibich, and Dawn Song. Dispatcher: Enabling active botnet infiltration using automatic protocol reverse-engineering. In ACM Conference on Computer and Communications Security, Chicago, IL, November 2009.

Digital Library

[7]

Juan Caballero, Shobha Venkataraman, Pongsin Poosankam, Min G. Kang, Dawn Song, and Avrim Blum. fig: Automatic fingerprint generation. In Network and Distributed System Security Symposium, San Diego, CA, February 2007.

[8]

Juan Caballero, Heng Yin, Zhenkai Liang, and Dawn Song. Polyglot: Automatic extraction of protocol message format using dynamic binary analysis. In ACM Conference on Computer and Communications Security, Alexandria, VA, October 2007.

Digital Library

[9]

Paolo Milani Comparetti, Gilbert Wondracek, Christopher Kruegel, and Engin Kirda. Prospex: Protocol specification extraction. In IEEE Symposium on Security and Privacy, Oakland, CA, May 2009.

Digital Library

[10]

Weidong Cui, Jayanthkumar Kannan, and Helen J. Wang. Discoverer: Automatic protocol description generation from network traces. In USENIX Security Symposium, Boston, MA, August 2007.

Digital Library

[11]

David Dagon, Chris Lee, Wenke Lee, and Niels Provos. Corrupted dns resolution paths: The rise of a malicious resolution authority. In Network and Distributed System Security Symposium, San Diego, CA, February 2008.

[12]

Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. Zmap: Fast internet-wide scanning and its security applications. In Usenix Security Symposium, August 2013.

Digital Library

[13]

Nicolas Falliere. Sality: Story of a peer-to-peer viral network. Technical report, 2011.

[14]

Guofei Gu, Vinod Yegneswaran, Phillip Porras, Jennifer Stoll, and Wenke Lee. Active botnet probing to identify obscure command and control channels. In Proceedings of 2009 Annual Computer Security Applications Conference (ACSAC'09), December 2009.

Digital Library

[15]

Guofei Gu, Junjie Zhang, and Wenke Lee. BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation. InProceedings of USENIX Security'07, 2007.

Digital Library

[16]

Nadia Heninger, Zagir Durumeric, Eric Wustrow, and J.Alex Halderman. Mining your ps and qs: Detection of widespread weak keys in network devices. In USENIX Security Symposium, 2012.

Digital Library

[17]

Noah M. Johnson, Juan Caballero, Kevin Zhijie Chen, Stephen McCamant, Pongsin Poosankam, Daniel Reynaud, and Dawn Song. Differential slicing: Identifying causal execution differences for security applications. In Proceedings of the 2011 IEEE Symposium on Security and Privacy, 2011.

Digital Library

[18]

Min Gyung Kang, Stephen McCamant, Pongsin Poosankam, and Dawn Song. DTA++: Dynamic taint analysis with targeted control-flow propagation. In Proceedings of the 18th Annual Network and Distributed System Security Symposium, San Diego, CA, February 2011.

[19]

Clemens Kolbitsch, Paolo Milani Comparetti, Christopher Kruegel, Engin Kirda, Xiaoyong Zhou, and Xiaofeng Wang. Effective and efficient malware detection at the end host. In USENIX SecuritySymposium, Montréal, Canada, August 2009.

Digital Library

[20]

Clemens Kolbitsch, Thorsten Holz, Christopher Kruegel, and Engin Kirda. Inspector gadget: Automated extraction of proprietary gadgets from malware binaries. In IEEE Symposium on Security and Privacy, Oakland, CA, May 2010.

Digital Library

[21]

Zhiqiang Lin, Xuxian Jiang, Dongyan Xu, and Xiangyu Zhang. Automatic protocol format reverse engineering through context-aware monitored execution. In Network and Distributed System Security Symposium, San Diego, CA, February 2008.

[22]

Malicia. http://malicia-project.com/. http://malicia-project.com/.

[23]

Malware domain list. http://malwaredomainlist.com/.

[24]

Andreas Moser, Christopher Kruegel, and Engin Kirda. Exploring Multiple Execution Paths for Malware Analysis. In Proceedings of IEEE Symposium on Security and Privacy, 2007.

Digital Library

[25]

Antonio Nappa, Zhaoyan Xu, M. Zubair Rafique, Juan Caballero, and Guofei Gu. Cyberprobe: Towards internet-scale active detection of malicious servers. In Network and Distributed System Security Symposium, 2014.

[26]

James Newsome and Dawn Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Network and Distributed System Security Symposium, San Diego, CA, February 2005.

[27]

Offensive Computing. http://www.offensivecomputing.net/. http://www.offensivecomputing.net/.

[28]

Jitendra Padhye and Sally Floyd. Identifying the tcp behavior of web servers. In SIGCOMM Conference, San Diego, CA, August 2001.

[29]

Niels Provos and Peter Honeyman. Scanssh - scanning the internet for ssh servers. In Technical Report CITI TR 01--13, University of Michigan, October 2001.

[30]

Ramnit Malware. http://en.wikipedia.org/wiki/Ramnit.

[31]

Konrad Rieck, Guido Schwenk, Tobias Limmer, Thorsten Holz, andPavel Laskov. Botzilla: Detecting the phoning home of malicious software. In ACM Symposium on Applied Computing, 2010.

Digital Library

[32]

Prateek Saxena, Pongsin Poosankam, Stephen McCamant, and DawnSong. Loop-extended symbolic execution on binary programs. InProceedings of the ACM/SIGSOFT International Symposium on Software Testing and Analysis (ISSTA), 2009.

Digital Library

[33]

Edward J. Schwartz, Thanassis Avgerinos, and David Brumley. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In Proceedings of IEEE Symposium on Security and Privacy, 2010.

Digital Library

[34]

Taidoor Malware. Xpaj.b malware. http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf.

[35]

Urlquery. http://urlquery.net/.

[36]

Virustotal. http://www.virustotal.com/.

[37]

Tielei Wang, Tao Wei, Guofei Gu, and Wei Zou. Taintscope: A checksum-aware directed fuzzing tool for automatic software vulnerability detection. In Proc. of IEEE S&P'10, 2010.

Digital Library

[38]

Jeffrey Wilhelm and Tzi cker Chiueh. A forced sampled execution approach to kernel rootkit identification. In Proceedings of the 10th international conference on Recent advances in intrusion detection, 2007.

Digital Library

[39]

Gilbert Wondracek, Paolo Milani Comparetti, Christopher Kruegel, and Engin Kirda. Automatic network protocol analysis. InProceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS), 2008.

[40]

James Wyke. The zeroaccess botnet: Mining and fraud for massive financial gain, September 2012. http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/zeroaccess-botnet.asp:x.

[41]

Zhaoyan Xu, Lingfeng Chen, Guofei Gu, and Christopher Kruegel. Peerpress: Utilizing enemies' p2p strength against them. In ACM Conference on Computer and Communications Security, Raleigh, NC, October 2012.

Digital Library

Cited By

Dara NShankar PArvind PSingh V(2024)Intelligent Insight into IoT Threats: Leveraging Advanced Analytics with Honeypots for Anomaly Detection2024 IEEE 9th International Conference for Convergence in Technology (I2CT)10.1109/I2CT61223.2024.10543511(1-6)Online publication date: 5-Apr-2024
https://doi.org/10.1109/I2CT61223.2024.10543511
Yuan SLiu CShi JZhang KPu WLiu XYang L(2024)Research on Vulnerability Detection Techniques Based on Static Analysis and Program Slice2024 6th International Conference on Electronic Engineering and Informatics (EEI)10.1109/EEI63073.2024.10696068(965-969)Online publication date: 28-Jun-2024
https://doi.org/10.1109/EEI63073.2024.10696068
Meng JYang ZZhang ZGeng YDeng RCheng PChen JZhou J(2023)SePanner: Analyzing Semantics of Controller Variables in Industrial Control Systems based on Network TrafficProceedings of the 39th Annual Computer Security Applications Conference10.1145/3627106.3627179(310-323)Online publication date: 4-Dec-2023
https://dl.acm.org/doi/10.1145/3627106.3627179
Show More Cited By

Index Terms

AUTOPROBE: Towards Automatic Active Malicious Server Probing Using Dynamic Binary Analysis
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
  2. Systems security
    1. Operating systems security

Recommendations

WormTerminator: an effective containment of unknown and polymorphic fast spreading worms
ANCS '06: Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems

The fast spreading worm is becoming one of the most serious threats to today's networked information systems. A fast spreading worm could infect hundreds of thousands of hosts within a few minutes. In order to stop a fast spreading worm, we need the ...
Filtering False Positives Based on Server-Side Behaviors

Reducing the rate of false positives is of vital importance in enhancing the usefulness of signature-based network intrusion detection systems (NIDSs). To reduce the number of false positives, a network administrator must thoroughly investigate a ...
On detection of current and next-generation botnets

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

November 2014

1592 pages

ISBN:9781450329576

DOI:10.1145/2660267

General Chair:
Gail-Joon Ahn
Arizona State University, USA
,
Program Chairs:
Moti Yung
Google -- Columbia University, USA
,
Ninghui Li
Purdue University, USA

Copyright © 2014 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 November 2014

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tag

active probing malware fingerprint generation c&c server

Qualifiers

Research-article

Funding Sources

Conference

CCS'14

Sponsor:

SIGSAC

CCS'14: 2014 ACM SIGSAC Conference on Computer and Communications Security

November 3 - 7, 2014

Arizona, Scottsdale, USA

Acceptance Rates

CCS '14 Paper Acceptance Rate 114 of 585 submissions, 19%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

24
Total Citations
View Citations
723
Total Downloads

Downloads (Last 12 months)19
Downloads (Last 6 weeks)4

Reflects downloads up to 25 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Dara NShankar PArvind PSingh V(2024)Intelligent Insight into IoT Threats: Leveraging Advanced Analytics with Honeypots for Anomaly Detection2024 IEEE 9th International Conference for Convergence in Technology (I2CT)10.1109/I2CT61223.2024.10543511(1-6)Online publication date: 5-Apr-2024
https://doi.org/10.1109/I2CT61223.2024.10543511
Yuan SLiu CShi JZhang KPu WLiu XYang L(2024)Research on Vulnerability Detection Techniques Based on Static Analysis and Program Slice2024 6th International Conference on Electronic Engineering and Informatics (EEI)10.1109/EEI63073.2024.10696068(965-969)Online publication date: 28-Jun-2024
https://doi.org/10.1109/EEI63073.2024.10696068
Meng JYang ZZhang ZGeng YDeng RCheng PChen JZhou J(2023)SePanner: Analyzing Semantics of Controller Variables in Industrial Control Systems based on Network TrafficProceedings of the 39th Annual Computer Security Applications Conference10.1145/3627106.3627179(310-323)Online publication date: 4-Dec-2023
https://dl.acm.org/doi/10.1145/3627106.3627179
Wang JWang LDong FWang HMontpetit MLeivadeas AUhlig SJaved M(2023)Re-measuring the Label Dynamics of Online Anti-Malware Engines from Millions of SamplesProceedings of the 2023 ACM on Internet Measurement Conference10.1145/3618257.3624800(253-267)Online publication date: 24-Oct-2023
https://dl.acm.org/doi/10.1145/3618257.3624800
Nappa AÚbeda-Portugués APapadopoulos PVarvello MTapiador JLanzi A(2022)Scramblesuit: An effective timing side-channels framework for malware sandbox evasion1Journal of Computer Security10.3233/JCS-22000530:6(851-876)Online publication date: 23-Nov-2022
https://doi.org/10.3233/JCS-220005
Faulkenberry AAvgetidis AMa ZAlrawi OLever CKintis PMonrose FKeromytis AAntonakakis M(2022)View from Above: Exploring the Malware Ecosystem from the Upper DNS HierarchyProceedings of the 38th Annual Computer Security Applications Conference10.1145/3564625.3564646(240-250)Online publication date: 5-Dec-2022
https://dl.acm.org/doi/10.1145/3564625.3564646
Usui TOtsuki YKawakoya YIwamura MMatsuura K(2022)Script Tainting Was Doomed From The Start (By Type Conversion): Converting Script Engines into Dynamic Taint Analysis FrameworksProceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3545948.3545969(380-394)Online publication date: 26-Oct-2022
https://dl.acm.org/doi/10.1145/3545948.3545969
Bux KYousaf MJalbani ABatool K(2021)Detection of Malicious Servers for Preventing Client-Side AttacksMehran University Research Journal of Engineering and Technology10.22581/muet1982.2101.2040:1(230-240)Online publication date: 1-Jan-2021
https://doi.org/10.22581/muet1982.2101.20
Nappa APapadopoulos PVarvello MGomez DTapiador JLanzi A(2021)PoW-How: An Enduring Timing Side-Channel to Evade Online Malware SandboxesComputer Security – ESORICS 202110.1007/978-3-030-88418-5_5(86-109)Online publication date: 30-Sep-2021
https://doi.org/10.1007/978-3-030-88418-5_5
Zhu JJang-Jaccard JWatters P(2020)Multi-Loss Siamese Neural Network With Batch Normalization Layer for Malware DetectionIEEE Access10.1109/ACCESS.2020.30249918(171542-171550)Online publication date: 2020
https://doi.org/10.1109/ACCESS.2020.3024991
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents