Example of Using STF for Detecting C&C channels. An analysis of a Pushdo Malware

This blog post is a step by step analysis of a the traffic of a Pushdo malware variant (MD5 9926b031C7e7dcd2a35786aa78534be8) using the stf program. Its purpose is to show how easy it is to find the C&C channels if we look at the behavioral models.

Pushdo Malware

The capture we are going to analyze is called ‘CTU-Malware-Capture-Botnet-35’ in our Malware Capture Facility Project and can be downloaded from here. The capture started on 2014/01/31 and lasted for 1 day and 6 hours approximately. It was generated by infecting a 32 bits Windows Seven computer with the executable file that has the MD5 HASH 9926b031c7e7dcd2a35786aa78534be8. This binary file is related with the Trojan Pushdo or Cutwail according to its VirusTotal report report

Step by Step analysis with stf

If you downloaded the pcap file from the MCFP site you can follow these steps.

  • Load the pcap capture
stf > datasets -c /temp/CTU-Malware-Capture-Botnet-35-1/2014-01-31_capture-win7.pcap
  • Generate the biargus and binetflow files
CTU-Malware-Capture-Botnet-35-1: stf > datasets -g

You can verify that the files have been generated with the command: datasets -f.

  • Extract the connections from the traffic.
CTU-Malware-Capture-Botnet-35-1: stf > connections -g

Remember that our definition of connection is a 4-tuple where the source port is ignored. This allow us to group together all the connections going from the bot to a specific destination service.

  • Looking at the amount of connections generated
CTU-Malware-Capture-Botnet-35-1: stf > connections -l
[*] Groups of Connections Available:`
+----------------------------+------------+-------------------------------------------------------------------------------------------------------------+-----------------------+
| Id of Group of Connections | Dataset Id | Filename                                                                                                    | Amount of Connections |
+----------------------------+------------+-------------------------------------------------------------------------------------------------------------+-----------------------+
| 1                          | 1          | /opt/Malware-Project/BigDataset/Scenarios/CTU-Malware-Capture-Botnet-35-1/2014-01-31_capture-win7.binetflow | 738                   |
+----------------------------+------------+-------------------------------------------------------------------------------------------------------------+-----------------------+

It can be seen that 738 different connections were generated.

  • Quick analysis of the connections

It is useful to look at the lengths of the connections to have an idea of what type of information we have.

CTU-Malware-Capture-Botnet-35: stf > connections -C 0 -f flowamount<3
[*] Amount of connections that match the filter: 179 

This means that 179 connections have less than 3 flows. These can be important flows (like a unique connection to a web server), but are not good candidates for being a C&C channel since a C&C channel usually sends a large amount of flows.

  • Looking at the names of the connections (the 4-tuples)

Looking at the names of the connections we can recognize which ports are being used and to which IP addresses. It is common to learn which were the most common destination ports and if there were some UDP connections.

CTU-Malware-Capture-Botnet-35: stf > connections -L 0
| Connection Id | Amount of flows |
| Connection Id | Amount of flows |
0.0.0.0-10.0.2.107--arp                  | 1
00:00:00:00:00:00-00:00:00:00:00:00--llc | 1
10.0.2.107-10.0.0.1-80-tcp               | 2
10.0.2.107-10.0.2.2--arp                 | 11
10.0.2.107-10.0.2.255-137-udp            | 19
10.0.2.107-103.15.178.29-25-tcp          | 22
10.0.2.107-103.15.178.29-80-tcp          | 19
10.0.2.107-103.28.250.103-80-tcp         | 3
10.0.2.107-103.9.101.141-25-tcp          | 36
10.0.2.107-103.9.101.141-80-tcp          | 14
10.0.2.107-107.23.77.188-25-tcp          | 30
10.0.2.107-107.23.77.188-80-tcp          | 23
10.0.2.107-108.162.196.118-25-tcp        | 17
10.0.2.107-108.162.196.118-80-tcp        | 13
10.0.2.107-108.162.197.118-25-tcp        | 21
10.0.2.107-108.162.197.118-80-tcp        | 5
10.0.2.107-108.162.198.150-80-tcp        | 2
10.0.2.107-108.162.198.18-80-tcp         | 5
(...)

Remember that the list of connections is shown with the less program. From this example listing we can see that there are a lot of connections to port 80 (we suppose web connections) and 25/TCP (we suppose SMTP). By looking at the listing we may also select which of them can be deleted before generating the models. Deleting connections is useful to save space in the database.

  • Generating the models

Lets generate the models and see how many we have.

CTU-Malware-Capture-Botnet-35-1: stf > models -g
CTU-Malware-Capture-Botnet-35-1: stf > models -l
[*] Groups of Models
+-------------------+------------------+------------+---------------------------------+
| Group of Model Id | Amount of Models | Dataset Id | Dataset Name                    |
+-------------------+------------------+------------+---------------------------------+
| 1-1               | 738              | 1          | CTU-Malware-Capture-Botnet-35-1 |
+-------------------+------------------+------------+---------------------------------+

We ended up with 738 models, which is perfect since we had 738 connections.

  • Exploring the Behavioral Models Generated

This is the most important step, since we visualize the behavioral models. Notice that to save space in the blog post we are showing only the connections that have more than 3 flows, but it can be done with all the connections.

CTU-Malware-Capture-Botnet-35-1: stf > models -L 1-1 -f statelength>3

The full list of models is shown using less. In the following example listing you can see some of the models:

 Note | Model Id | State |
[   ] | 0.0.0.0-10.0.2.107--arp                   | 2
[   ] | 00:00:00:00:00:00-00:00:00:00:00:00--llc  | 1
[   ] | 10.0.2.107-10.0.0.1-80-tcp                | 22
[   ] | 10.0.2.107-10.0.2.2--arp                  | 660z0i0I0i0i0i0i0i0i
[   ] | 10.0.2.107-10.0.2.255-137-udp             | 990I0E0v0000z0z0I0z0I0I0i00z00I0z0z0I0I0z
[   ] | 10.0.2.107-103.15.178.29-25-tcp           | 8800H0y0000yY*00YY+0Y0y00y0yy*y*H*y*Y*y*00yY*y*y+
[   ] | 10.0.2.107-103.15.178.29-80-tcp           | 88,y,Y+0000000Y000yY*0yY*000Y0yy*0000Y0yy*y*0Zz*I*
[   ] | 10.0.2.107-103.28.250.103-80-tcp          | 88000000000000h
[   ] | 10.0.2.107-103.9.101.141-25-tcp           | 88+H,Y*y*00YY*0yy*y*0y000yY*0YY,0Yy*y*y*Y+Y*H*0yy*0y0h00yY*y*Y+y,Y*y*y*y*00Y
[   ] | 10.0.2.107-103.9.101.141-80-tcp           | 88,Y.00Y0y0000y00yY*000Y00y00H0000yY*0000Y
[   ] | 10.0.2.107-107.23.77.188-25-tcp           | 88+Y*00Y00Hy*0y0000y0y0yy*y*0yy*y*y*y*0Y0HY,y+H+Y*Y+y*Y+0Y00yy*y*
[   ] | 10.0.2.107-107.23.77.188-80-tcp           | 99,00Z000IZ*000000000Z0Zz*0z00zz*0zZ.Z*z*z+0ZZ*z*I*z*0zZ*
[   ] | 10.0.2.107-108.162.196.118-25-tcp         | 88*00y0yY*y*00YY,0Y00y0H00000y0yY+y,Y*00Y
[   ] | 10.0.2.107-108.162.196.118-80-tcp         | 99*0IZ+000000000000ZZ*0z0I0000z0000iZ*z*z*
[   ] | 10.0.2.107-108.162.197.118-25-tcp         | 88,0000Y000y000hy*Y,H,y+y+Y,y,Y*y*00000000YY*y*y*00yy*0y
[   ] | 10.0.2.107-108.162.197.118-80-tcp         | 9900z00000000zZ*
[   ] | 10.0.2.107-108.162.198.150-80-tcp         | 99*
[   ] | 10.0.2.107-108.162.198.18-80-tcp          | 91Z.000000000000RZ.
[   ] | 10.0.2.107-108.162.199.150-80-tcp         | 9
[   ] | 10.0.2.107-108.162.199.72-80-tcp          | 91Z,
[   ] | 10.0.2.107-108.166.119.110-25-tcp         | 88*000y0y000y0y0Hy*H*y*Y*0yy*0yy*0yY*H*00YY*s*Y,H,Y+Y,Y+Y,0Y0y0Hy*0y
[   ] | 10.0.2.107-108.166.119.110-80-tcp         | 9900yY,y,y,Z*z*y*0Zz*i*I*i*00z000z0yZ,Z*0zz*z*z*z*
[   ] | 10.0.2.107-108.174.151.250-25-tcp         | 88,y,y,y+y+000Y00000yY*00yZ,0Yy*00Y000HY*y*0y0Hy*0yy*Y+Y*
[   ] | 10.0.2.107-108.174.151.250-80-tcp         | 89000000000zZ*z*0000Z0zz*z*00Y00i
[   ] | 10.0.2.107-109.108.149.103-25-tcp         | 880000y00000yY*Y,Y.Y+y+y+y+H+0Yy*y*0yy*00YY*00Y0y00sY.Y,Y,Y.Y,y+Y*y*y*H*H*y*y*Y+0Yy*y*
[   ] | 10.0.2.107-109.108.149.103-80-tcp         | 99+Z*z*0000000000ZZ+000ZZ*00ZZ*z*0Z00z0zz*0z0zZ*z*Z+0Zz*I*
[   ] | 10.0.2.107-109.228.4.193-25-tcp           | 88*H*0YY*0Y000000yY*y*y*0yY*00Y0y00yy*0y00yY+y*y*y*y*y*Y+0Y0H
[   ] | 10.0.2.107-109.228.4.193-80-tcp           | 99z*0z0Iz*i*000Z0zZ.W*00ZZ*00ZZ+Z*I*z*z*0z0Iz*00Zz*z*z*z*z+Z*i*
[   ] | 10.0.2.107-109.234.111.40-80-tcp          | 99000000000000i
[   ] | 10.0.2.107-109.234.111.54-25-tcp          | 88.Y.Y*Y*Y*00yy*00yy*y*000YY.Y*y*H*0y0y00yY*Y+0Yy*0y0HY*y+0YY*00YY*
[   ] | 10.0.2.107-109.234.111.54-80-tcp          | 99,0Z0iz*I*00zz*0z00I00I00I0zz*z*z*i*00wZ,Z*Z*z+Z*0z
[   ] | 10.0.2.107-109.74.245.101-25-tcp          | 88,y+00YY*y*0y0H0H0000yY,Y*0y0yY*00Y0y0y00HY+y*y*y+y*y*y+0Yy*y*H*y*
[   ] | 10.0.2.107-109.74.245.101-80-tcp          | 8800yy*00000YY,Y*y*0yY*y*0Y00000yY*H*y*Y,Y*H*0yy*0y
[   ] | 10.0.2.107-110.45.146.64-25-tcp           | 88,y.0YY*y+Y*Y+000YY*0y0000yY*y*y*y*000Yy*y*000YY*0Yy*Y,y,Y*0YY+Y*00y
[   ] | 10.0.2.107-110.45.146.64-80-tcp           | 88,0000Y0000H000y0y0yY*000YY*y*000Y0yY,Y*y*0y00yY*
[   ] | 10.0.2.107-116.0.19.79-25-tcp             | 88,Y+Y*y*y*y+y*0yy*0yy*0y0yY*y*0Y0hy*00y00y00000000y0Y0y
[   ] | 10.0.2.107-116.0.19.79-80-tcp             | 88*H*Y+y*0000Y00yy*0y000y0yY*y*000Y000HY*0yy*y*H*00y
[   ] | 10.0.2.107-116.251.204.148-25-tcp         | 88,Y*H*0yY+000Y0yY+y*000Yy*Y+Y*y*Y+Y*h*000000YY*00y0yy*H*Y+0YY*Y+0Y
[   ] | 10.0.2.107-116.251.204.148-80-tcp         | 99,z,00000000000ZZ.Z,0ZZ*0Z0I0000z0zZ*z*z*0zz*
[   ] | 10.0.2.107-116.251.204.207-80-tcp         | 99
[   ] | 10.0.2.107-117.104.150.233-25-tcp         | 22.Y,y,y,Y*Y+Y*y*y*0000000YY*0y0hY.y,Y+y*y*y*00Yy*0H0H0yY*000Y0yY,Y*Y+y*y*0y0yy*0y
[   ] | 10.0.2.107-117.104.150.233-80-tcp         | 88Y*00YY*y*y*0000YY*0yy*0y0H0y0HY+000YY*y*Y+0Y
[   ] | 10.0.2.107-118.67.90.160-25-tcp           | 5
[   ] | 10.0.2.107-118.67.90.160-443-tcp          | 55.v.e.e.E.v.e.E.v.E.E.v.v.e.v.v.e.e.e.e.v.v.e.v.v.v.v.v.e.v.v.v.e.e.e.e.e.e.v.E.E.E.v.v.v.e.v.v.e.v.v.v.v.e.e.e.e.e.e.v.E.v.v.v.e.e.v.E.e.v.e.v.v.e.e.e.V.V.e.e.e.e.v.E.v.v.v.e.V.V.e.e.E.E.e.e.e.e.v.e.v.e.e.e.e.e.e.e.e.E.e.e.v.e.v.e.e.v.v.e.e.e.e.e.e.e.e.e.e.e.e.e.e.e.e.e.e.e.e.v.v.E.E.E.e.e.e.e.e.v
(...)

The letters in the behavioral models may help us detect many types of malware (and normal) connections. The chain of letters assigned to each connection represent its behavior in time. According to the table of letters assignment that you can see here, each connection can be understood in reference to its behavior. A quick way of finding the most promising C&C channels is to look for the periodic letters (a-iA-I) in the behavioral model.

Detecting the C&C Chanel

In the previous listing it can be seen that the last connection 10.0.2.107-118.67.90.160-443-tcp shows the periodic letters e and E (you may need to scroll right to see all of them). The symbol ‘.’ between the letters indicates that the time difference between the flows is less than 5 seconds, which is very short for a C&C channel.

  • Traffic Inspection of the Candidate C&C channels

Once that we detected a candidate C&C channel we can verify our findings using the following command:

CTU-Malware-Capture-Botnet-35-1: stf > connections -F 10.0.2.110-118.67.90.160-80-tcp

 State: "5" TD: -1.0 T2: False T1: False        1970/01/02 01:07:58.642328,1.554076,tcp,10.0.2.107,   ->,118.67.90.160,443,FSPA_FSA,0,0,9,530,310,s[32]=............P.............O.....,,
 State: "5." TD: -1.0 T2: 0:00:01.554323 T1: False      1970/01/02 01:08:00.196651,0.558844,tcp,10.0.2.107,   ->,118.67.90.160,443,FSPA_FSA,0,0,9,530,310,s[32]=............P.............O.....,,
 State: "v." TD: 2.780537 T2: 0:00:00.559001 T1: 0:00:01.554323 1970/01/02 01:08:00.755652,0.57453,tcp,10.0.2.107,   ->,118.67.90.160,443,FSPA_FSA,0,0,9,530,310,s[32]=............P.............O.....,,
 State: "e." TD: 1.028084 T2: 0:00:00.574700 T1: 0:00:00.559001 1970/01/02 01:08:01.330352,0.552947,tcp,10.0.2.107,   ->,118.67.90.160,443,FSPA_FSA,0,0,9,530,310,s[32]=............P.............O.....,,
 State: "e." TD: 1.039013 T2: 0:00:00.553121 T1: 0:00:00.574700 1970/01/02 01:08:01.883473,0.596455,tcp,10.0.2.107,   ->,118.67.90.160,443,FSPA_FSA,0,0,9,530,310,s[32]=............P.............O.....,,
 State: "E." TD: 1.07867 T2: 0:00:00.596635 T1: 0:00:00.553121  1970/01/02 01:08:02.480108,1.590512,tcp,10.0.2.107,   ->,118.67.90.160,443,FSPA_FSA,0,0,9,530,310,s[32]=............P.............O.....,,
 State: "v." TD: 2.666309 T2: 0:00:01.590813 T1: 0:00:00.596635 1970/01/02 01:08:04.070921,1.565302,tcp,10.0.2.107,   ->,118.67.90.160,443,FSPA_FSA,0,0,9,530,310,s[32]=............P.............O.....,,
 State: "e." TD: 1.016337 T2: 0:00:01.565242 T1: 0:00:01.590813 1970/01/02 01:08:05.636163,1.448992,tcp,10.0.2.107,   ->,118.67.90.160,443,FSPA_FSA,0,0,9,530,310,s[32]=............P.............O.....,,
 State: "E." TD: 1.080091 T2: 0:00:01.449176 T1: 0:00:01.565242 1970/01/02 01:08:07.085339,0.575346,tcp,10.0.2.107,   ->,118.67.90.160,443,FSPA_FSA,0,0,9,530,310,s[32]=............P.............O.....,,
 State: "v." TD: 2.517609 T2: 0:00:00.575616 T1: 0:00:01.449176 1970/01/02 01:08:07.660955,0.606261,tcp,10.0.2.107,   ->,118.67.90.160,443,FSPA_FSA,0,0,9,530,310,s[32]=............P.............O.....,,
 State: "E." TD: 1.053565 T2: 0:00:00.606449 T1: 0:00:00.575616 1970/01/02 01:08:08.267404,0.57505,tcp,10.0.2.107,   ->,118.67.90.160,443,FSPA_FSA,0,0,9,530,310,s[32]=............P.............O.....,,
 State: "E." TD: 1.054245 T2: 0:00:00.575245 T1: 0:00:00.606449 1970/01/02 01:08:08.842649,1.556427,tcp,10.0.2.107,   ->,118.67.90.160,443,FSPA_FSA,0,0,9,530,310,s[32]=............P.............O.....,,
 State: "v." TD: 2.705651 T2: 0:00:01.556412 T1: 0:00:00.575245 1970/01/02 01:08:10.399061,0.577581,tcp,10.0.2.107,   ->,118.67.90.160,443,FSPA_FSA,0,0,9,530,310,s[32]=............P.............O.....,,
 State: "v." TD: 2.69343 T2: 0:00:00.577855 T1: 0:00:01.556412  1970/01/02 01:08:10.976916,0.584412,tcp,10.0.2.107,   ->,118.67.90.160,443,FSPA_FSA,0,0,9,530,310,s[32]=............P.............O.....,,
 State: "e." TD: 1.011266 T2: 0:00:00.584365 T1: 0:00:00.577855 1970/01/02 01:08:11.561281,1.592617,tcp,10.0.2.107,   ->,118.67.90.160,443,FSPA_FSA,0,0,9,530,310,s[32]=............P.............O.....,,
 State: "v." TD: 2.725957 T2: 0:00:01.592954 T1: 0:00:00.584365 1970/01/02 01:08:13.154235,0.566184,tcp,10.0.2.107,   ->,118.67.90.160,443,FSPA_FSA,0,0,9,530,310,s[32]=............P.............O.....,,
 State: "v." TD: 2.812756 T2: 0:00:00.566332 T1: 0:00:01.592954 1970/01/02 01:08:13.720567,0.58569,tcp,10.0.2.107,   ->,118.67.90.160,443,FSPA_FSA,0,0,9,530,310,s[32]=............P.............O.....,,
 State: "e." TD: 1.034443 T2: 0:00:00.585838 T1: 0:00:00.566332 1970/01/02 01:08:14.306405,0.585682,tcp,10.0.2.107,   ->,118.67.90.160,443,FSPA_FSA,0,0,9,530,310,s[32]=............P.............O.....,,
 State: "e." TD: 1.000486 T2: 0:00:00.586123 T1: 0:00:00.585838 1970/01/02 01:08:14.892528,0.577656,tcp,10.0.2.107,   ->,118.67.90.160,443,FSPA_FSA,0,0,9,530,310,s[32]=............P.............O.....,,
 State: "e." TD: 1.014396 T2: 0:00:00.577805 T1: 0:00:00.586123 1970/01/02 01:08:15.470333,0.559662,tcp,10.0.2.107,   ->,118.67.90.160,443,FSPA_FSA,0,0,9,530,310,s[32]=............P.............O.....,,
 State: "e." TD: 1.032025 T2: 0:00:00.559875 T1: 0:00:00.577805 1970/01/02 01:08:16.030208,1.596475,tcp,10.0.2.107,   ->,118.67.90.160,443,FSPA_FSA,0,0,9,530,310,s[32]=............P.............O.....,,
 (...)

In the listing of flows and payloads it can be seen that the time between flows was approximately 0.5 seconds when periodic (T2 value), that the flows were established (FSPA_FSA state: which means that there was confirmation from the destination IP) and that the payload is not TLS and probably binary or encrypted. We conclude that this connection is a C&C channel because it is strongly periodic most of the time, it sent a large amount of flows (29,831 flows) and packets (268,463 packets), and the payload does not correspond to the normal usage of the port 443/TCP which should have been TLS.

Note that the number of flows can be obtained from within this less listing in stf by writing ! to go to command mode and then the command:

cat % |wc -l

And the total number of packets can be obtained with the command:

!cat %|awk -F, ‘{SUM=SUM+$11}END{print SUM}’

If more evidence is needed, according to VirusTotal this IP address was used for the domain shinobe.org, which in turn is related with the malware hash 6aa0315c5166604a989c1fc92c92317c3e1e13c49bcfaf1d4caabd3c8a1edfd5.


Although this may be enough to detect a candidate C&C channel, it is a good idea to analyze the content of the rest of the connections in the capture until we get comfortable with the behavioral model.

Let’s analyze some of the other connections:

Behavior of 10.0.2.107-10.0.2.2—arp: 660z0i0I0i0i0i0i0i0i

This behavior is periodic because of the letters i and also we know that the flows were large and with a long duration. This is because the ARP packets are grouped in flows. The behavior also tells us that between flows there was more than 1 hour of waiting. This is not a C&C connection because it uses the ARP protocol.

Behavior of 10.0.2.107-103.15.178.29-25-tcp 8800H0y0000yY00YY+0Y0y00y0yyyHyYy00yYy*y+

This behavior does not have periodic letters and has a lot of timeouts (remember that each 0 corresponds to 1 hour of timeout). So it is not a C&C channel.

Behavior 10.0.2.107-109.234.111.54-80-tcp | 99,0Z0izI00zz0z00I00I00I0zzzzi00wZ,ZZz+Z0z

This behavior is strange. There are some timeouts and non-periodic letters, but from time to time there are some weak-periodic letters (I). This usually means that the connection is not periodic, in fact the behavior seem to be erratic, and that the periodicity letters are due to chance. If we visualize the flows in this connection we see:

```
 State: "9" TD: -1.0 T2: False T1: False        1970/01/01 01:06:43.682692,14.542476,tcp,10.0.2.107,   ->,109.234.111.54,80,SRPA_FSPA,0,0,10,1366,806,s[470]=POST / HTTP/1.1..Accept: */*..Accept-Language: en-us..Content-Type: application/octet-stream..Content-Length: 21
7..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)..Host: milonga.pl..Connection: Keep-Alive..Cache-Control: no-cache.....w.W...[A..`c.Id.pth)+.me..q..>v...z.!.~!F..C.6.e.`.............!Sq.Pw.......Y$..}h.....{.c..m........0...X.....G...\C%..3...W..
.{$..:O.K*..*i...rN....t.O:.nr|..[).....3n......T..!.k.&.&.3{.1...6a$/;.x>@.g4E&"]J.vlOa,d[340]=HTTP/1.1 200 OK..Server: nginx..Date: Thu 30 Jan 2014 11:07:08 GMT..Content-Type: text/html..Content-Length: 98..Connection: keep-alive..Last-Modified: Tue 28 Jan 2014 22:01
:18 GMT..ETag: "4bc2af3-62-4f10ef6bb149a"..Accept-Ranges: bytes....<meta http-equiv="refresh" content="0;url=https://www.facebook.com/groups/62518246394/?fref=ts" />,
 State: "9," TD: -1.0 T2: 0:00:21.755774 T1: False      1970/01/01 01:07:05.438466,13.181123,tcp,10.0.2.107,   ->,109.234.111.54,80,SRPA_FSPA,0,0,10,1172,612,s[276]=POST / HTTP/1.1..Accept: */*..Accept-Language: en-us..Content-Type: application/octet-stream..Content-Length: 24..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)..Host: milonga.pl..Connection: Keep-Alive..Cache-Control: no-cache........f+..8....Ym!..h0...?,d[340]=HTTP/1.1 200 OK..Server: nginx..Date: Thu 30 Jan 2014 11:07:28 GMT..Content-Type: text/html..Content-Length: 98..Connection: keep-alive..Last-Modified: Tue 28 Jan 2014 22:01:18 GMT..ETag: "4bc2af3-62-4f10ef6bb149a"..Accept-Ranges: bytes....<meta http-equiv="refresh" content="0;url=https://www.facebook.com/groups/62518246394/?fref=ts" />,
 State: "0Z" TD: 299.732244 T2: 1:48:40.906952 T1: 0:00:21.755774       1970/01/01 02:55:46.345418,114.178856,tcp,10.0.2.107,   ->,109.234.111.54,80,SRPA_FSPA,0,0,10,1200,640,s[308]=POST / HTTP/1.1..Accept: */*..Accept-Language: en-us..Content-Type: application/octet-stream..Content-Length: 56..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)..Host: milonga.pl..Connection: Keep-Alive..Cache-Control: no-cache....|.....Vc6....J.JT.......K..}.A[.8..RG.*.....g....YL#..].,d[340]=HTTP/1.1 200 OK..Server: nginx..Date: Thu 30 Jan 2014 12:56:09 GMT..Content-Type: text/html..Content-Length: 98..Connection: keep-alive..Last-Modified: Tue 28 Jan 2014 22:01:18 GMT..ETag: "4bc2af3-62-4f10ef6bb149a"..Accept-Ranges: bytes....<meta http-equiv="refresh" content="0;url=https://www.facebook.com/groups/62518246394/?fref=ts" />,
 State: "0i" TD: 1.005434 T2: 1:48:05.666513 T1: 1:48:40.906952 1970/01/01 04:43:52.011931,125.358582,tcp,10.0.2.107,   ->,109.234.111.54,80,SRPA_FSPA,0,0,10,1343,783,s[451]=POST / HTTP/1.1..Accept: */*..Accept-Language: en-us..Content-Type: application/octet-stream..Content-Length: 198..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)..Host: milonga.pl..Connection: Keep-Alive..Cache-Control: no-cache....j..6<K..1C7......B.k...-........[c|. .tC..e..+....k.cC.KPI..pl..ak.....m>..7.E......W~]l..])....|.#....bX..E.A... b.|.+.J..w...:Zg..SX@...@...VW...._..H.....i.^..5.7i]....D..S\..*H.....~...:r<.U...,d[340]=HTTP/1.1 200 OK..Server: nginx..Date: Thu 30 Jan 2014 14:44:15 GMT..Content-Type: text/html..Content-Length: 98..Connection: keep-alive..Last-Modified: Tue 28 Jan 2014 22:01:18 GMT..ETag: "4bc2af3-62-4f10ef6bb149a"..Accept-Ranges: bytes....<meta http-equiv="refresh" content="0;url=https://www.facebook.com/groups/62518246394/?fref=ts" />,
 State: "z*" TD: 1.952569 T2: 0:55:21.606436 T1: 1:48:05.666513 1970/01/01 05:39:13.618367,132.294556,tcp,10.0.2.107,   ->,109.234.111.54,80,SRPA_FSPA,0,0,10,1385,825,s[480]=POST / HTTP/1.1..Accept: */*..Accept-Language: en-us..Content-Type: application/octet-stream..Content-Length: 240..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)..Host: milonga.pl..Connection: Keep-Alive..Cache-Control: no-cache....dfv..'..Vodwv.tR!9.N.......pj....W.....B `_#b.a`.!D.kG!.3....4.#...n....R.y...R.%.l.-..$...........1.z...S.Xc2.Q..|.N.g?$.....Y;.}.`.[F..7ld....Y....z.C<.....19..9W.xs.YRV....h.......C..o....b..J}.k(4.K..%(U??.h.6.+yI..3...*w,d[340]=HTTP/1.1 200 OK..Server: nginx..Date: Thu 30 Jan 2014 15:39:37 GMT..Content-Type: text/html..Content-Length: 98..Connection: keep-alive..Last-Modified: Tue 28 Jan 2014 22:01:18 GMT..ETag: "4bc2af3-62-4f10ef6bb149a"..Accept-Ranges: bytes....<meta http-equiv="refresh" content="0;url=https://www.facebook.com/groups/62518246394/?fref=ts" />,
 State: "I*" TD: 1.249533 T2: 0:44:18.279165 T1: 0:55:21.606436 1970/01/01 06:23:31.897532,138.258835,tcp,10.0.2.107,   ->,109.234.111.54,80,SRPA_FSPA,0,0,10,1151,591,s[259]=POST / HTTP/1.1..Accept: */*..Accept-Language: en-us..Content-Type: application/octet-stream..Content-Length: 8..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)..Host: milonga.pl..Connection: Keep-Alive..Cache-Control: no-cache....l..-..'.,d[340]=HTTP/1.1 200 OK..Server: nginx..Date: Thu 30 Jan 2014 16:23:56 GMT..Content-Type: text/html..Content-Length: 98..Connection: keep-alive..Last-Modified: Tue 28 Jan 2014 22:01:18 GMT..ETag: "4bc2af3-62-4f10ef6bb149a"..Accept-Ranges: bytes....<meta http-equiv="refresh" content="0;url=https://www.facebook.com/groups/62518246394/?fref=ts" />,
 State: "00z" TD: 2.747026 T2: 2:01:42.362870 T1: 0:44:18.279165        1970/01/01 08:25:14.260402,41.069557,tcp,10.0.2.107,   ->,109.234.111.54,80,SRPA_FSPA,0,0,10,1373,813,s[480]=POST / HTTP/1.1..Accept: */*..Accept-Language: en-us..Content-Type: application/octet-stream..Content-Length: 228..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)..Host: milonga.pl..Connection: Keep-Alive..Cache-Control: no-cache....a..aO[......d..`.Q...b..JA??........v..3......B..n.D`.......JY.'..m.....~.l....o..p.7.3.oA.S.......L.Q..5.i....:....rs......].(.j.p;g!/.D.....e6"?..q.o....f....G<b..0.P.v6..@..i.y:.....[$..\d)C.sv..G......).c2.~. .r...:[k....iU,d[340]=HTTP/1.1 200 OK..Server: nginx..Date: Thu 30 Jan 2014 18:25:37 GMT..Content-Type: text/html..Content-Length: 98..Connection: keep-alive..Last-Modified: Tue 28 Jan 2014 22:01:18 GMT..ETag: "4bc2af3-62-4f10ef6bb149a"..Accept-Ranges: bytes....<meta http-equiv="refresh" content="0;url=https://www.facebook.com/groups/62518246394/?fref=ts" />,
 State: "z*" TD: 3.310497 T2: 0:36:45.820574 T1: 2:01:42.362870 1970/01/01 09:02:00.080976,113.559013,tcp,10.0.2.107,   ->,109.234.111.54,80,SRPA_FSPA,0,0,17,8865,862,s[422]=POST / HTTP/1.1..Accept: */*..Accept-Language: en-us..Content-Type: application/octet-stream..Content-Length: 169..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)..Host: milonga.pl..Connection: Keep-Alive..Cache-Control: no-cache.....y.>..*..^)...q........B.Z...R{.{..h.R....P:.D..1.W+.lm.w.!.f..P.+...Gq*.]..o<w...DW.....1l........D.........X.w..M.~..h)..%P.....f...u].'...$.).i...i3..S........i`.6..h,d[480]=HTTP/1.1 508 unused..Server: nginx..Date: Thu 30 Jan 2014 19:02:23 GMT..Content-Type: text/html..Content-Length: 7347..Connection: keep-alive..Retry-After: 14400.....<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<HTML><HEAD>.<TITLE>508 Resource Limit Is Reached</TITLE>.</HEAD><BODY>.<H1>Resource Limit Is Reached</H1>.      .      .      .      .      .      .      .      .      .      .      .      .      .      .      .      .      .      .      .      .      .      .,
(...)
```

It can be seen that the flows were connecting to the milonga.pl domain, sending binary information on POST requests and receiving a redirection inside an http-equiv HTTP header. These flows may be malicious and worth analyzing but they are definetively not part of a C&C since there is no data that is being sent to the botmaster and no orders comming back.

Conclusion

The purpose of this blog post was to show how the behavioral models used by the Stratosphere Project can help analysts identify C&C channels faster. In this 1 day and 5 hours long capture we were able to detect the C&C channels in less than some minutes. The flexibility of these models allow us to use the stf tool to analyze and find more behaviors, including normal ones. The main purpose of the behavioral models is to be used in the Stratosphere IPS tool, which will allow anyone to detect and stop malicious behaviors in the network based on these models. The Stratosphere IPS is still not ready to be used, but you can try the stf to find interesting behaviors in the network.

Download

The stf program can be downloaded from github and a deeper description can be seen in here


Written by Sebastian Garcia in Research Blog on Sun 09 March 2014. Tags: Research, Malware, C&C, stf, Detection,