Detecting APT Activity with Network Traffic Analysis
Research Paper
2012
Today’s successful targeted attacks use a combination of social engineering, malware, and backdoor activities. This research paper will discuss how advanced detection techniques can be used to identify malware command-and-control (C&C) communications related to these attacks, illustrating how even the most high-profile and successful attacks of the past few years could have been discovered.

Trend Micro™ Deep Discovery advanced threat protection solution utilizes the techniques described in this paper and many more to detect malware and attacker activities undetectable by conventional security solutions. See details in the final section.

Targeted attacks, or what have come to be known as “advanced persistent threats (APTs),” are extremely successful. However, instead of focusing on the attack methods and effects to improve network defenses, many seem more concerned with debating whether they are “advanced” or not from a technical perspective. On one hand, some believe that the threat actors behind these campaigns have mythical capabilities both in terms of operational security and the exploits and malware tools they use. In fact, they do not always use zero-day exploits and often use older exploits and simple malware. Some, on the other hand, view the threats as pure hype conjured up by marketing departments even though they cannot explain why high-value targets worldwide suffer from repeated, successful, and long-term compromises.

While initial reports had a tendency to treat the cyber-espionage networks they uncovered as an “attack” or a “singular set of events,” it is becoming increasingly clear that most targeted attacks are in fact part of ongoing campaigns. They are consistent espionage campaigns—a series of failed and successful attempts to compromise a target over time—that aim to establish persistent, covert presence in a target network so that information can be extracted as needed. Careful monitoring and investigation can help security researchers learn from the mistakes attackers make, allowing us to get a glimpse into malicious operations. In fact, we can track campaigns over time by relying on a combination of technical and contextual indicators. This paper focuses on using this threat intelligence to detect APT activity with network traffic analysis.
3 Some techniques for building intelligence around IP addresses (found in common ranges) and domain names (co-hosting on the same IP address, registered by the same email address) exist but those are beyond the scope of this research paper.
Detecting Remote Access Trojans
GhostNet
Nitro and RSA Breach

The Nitro attacks were documented in an October 2011 report on a series of attacks that began in July 2011 against companies in the chemical and motor sectors as well as human rights nongovernmental organizations (NGOs).10 The attacks continued through December 2011 with the attackers actually using the report documenting their activities as bait.11 The malware used in that case was PoisonIvy, a widely available RAT.12

Detection based simply on a 256-byte request will yield false positives. This can, however, be combined with protocol-aware detection. While the default port for PoisonIvy is 3460, it is most commonly seen used on ports 80, 443, and 8080 as well. This traffic can generically be detected by looking for a 256-byte outbound packet containing mostly non-ASCII data on the ports PoisonIvy attackers commonly use. This helps reduce false positives but still broadly covers PoisonIvy variants as long as they use that challenge request.
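As an added example (not from the paper and not Deep Discovery's code), the generic PoisonIvy heuristic just described as a packet filter: a 256-byte outbound payload that is mostly non-ASCII on one of the ports the paper lists, with payloads that parse as an HTTP request or a TLS record excluded first. The 50% ASCII cut-off and the sample packets are assumptions.

```python
import string

# Ports the paper lists for PoisonIvy: 3460 is the default, 80/443/8080 are
# the ones attackers most commonly use.
POISONIVY_PORTS = {3460, 80, 443, 8080}
CHALLENGE_LEN = 256       # size of the PoisonIvy challenge request
MAX_ASCII_RATIO = 0.5     # "mostly non-ASCII": assumed cut-off

PRINTABLE = set(string.printable.encode("ascii"))
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def ascii_ratio(payload: bytes) -> float:
    """Fraction of bytes that are printable ASCII (letters, digits, punctuation, whitespace)."""
    if not payload:
        return 0.0
    return sum(b in PRINTABLE for b in payload) / len(payload)


def looks_like_http(payload: bytes) -> bool:
    """True for a payload that starts like an HTTP request line."""
    return payload.startswith(HTTP_METHODS)


def looks_like_tls(payload: bytes) -> bool:
    """True for a payload that starts with a TLS record header (handshake type 0x16, version 3.x)."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def is_poisonivy_challenge(dst_port: int, payload: bytes, outbound: bool = True) -> bool:
    """The paper's generic PoisonIvy heuristic: a 256-byte outbound packet of
    mostly non-ASCII data on a port PoisonIvy attackers commonly use. Ordinary
    HTTP and TLS on 80/443 is excluded first to cut false positives."""
    if not outbound or dst_port not in POISONIVY_PORTS:
        return False
    if len(payload) != CHALLENGE_LEN:
        return False
    if looks_like_http(payload) or looks_like_tls(payload):
        return False
    return ascii_ratio(payload) < MAX_ASCII_RATIO


# Constructed sample packets (not real captures): (dst_port, payload)
SAMPLE_PACKETS = [
    (443, bytes(range(128, 256)) * 2),                                # 256 bytes, all non-ASCII
    (80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n".ljust(256, b"\x00")),  # HTTP request, padded
    (8080, b"A" * 256),                                                # 256 bytes of printable text
    (25, bytes(range(128, 256)) * 2),                                  # right shape, port not watched
]


def flag_packets(packets):
    """Return the (port, payload) pairs the heuristic flags."""
    return [p for p in packets if is_poisonivy_challenge(p[0], p[1])]
```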
Taidoor
15 A variety of IDS rules available from http://emergingthreats.net/ covers various PoisonIvy keep-alive requests, including the default admin request.
Another instance of malware that is very similar to that used in the IXESHE campaign was used in a sister campaign that produces very similar network traffic but slightly different file paths—“AES[numbers].jsp,” “CES[numbers].jsp,” and “DES[numbers].jsp.”

Figure 10: IXESHE AES network traffic

In some cases, compromised servers are hosted on target organizations’ networks after successful infiltration. This means that network defenses placed at the perimeter will not detect standard IXESHE network traffic because communication occurs internally. The attackers can communicate through an alternate means with the internal C&C server in order to avoid detection.

Figure 11: Enfal network traffic that posts the victim’s details to the C&C server

A newer version of Enfal connects in a similar way, using the path /cgi-bin/CMS_SubitAll.cgi.

Figure 12: New Enfal variant’s network traffic that posts the victim’s details to the C&C server

In addition, we uncovered samples of the original version of Enfal that operate in a nearly identical way apart from using different file paths. In effect, Enfal was simply modified to connect to different file paths on the C&C server. Instead of the traditional POST request to /cg[a-z]-bin/Owpq4.cgi, these samples access /8jwpc/odw3ux.

Enfal makes requests for files that contain any command that the attackers want the compromised computers to execute.

Figure 15: New Enfal variant’s network traffic that checks if commands have been specified
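An added example, not from the paper, that turns the IXESHE and Enfal paths quoted above into request-line signatures and runs them over constructed HTTP request lines. The Enfal command-poll pattern (two directories, then hostname and MAC address) is an assumed layout, since the paper does not show how the hostname and MAC are encoded.

```python
import re
from typing import List, Optional, Tuple

# (label, required HTTP method or None, path regex); the paths are the ones
# the paper quotes for the IXESHE sister campaign and the Enfal variants.
SIGNATURES = [
    ("IXESHE sister campaign", None, re.compile(r"^/[ACD]ES\d+\.jsp$")),
    ("Enfal, original POST", "POST", re.compile(r"^/cg[a-z]-bin/Owpq4\.cgi$")),
    ("Enfal, modified paths", None, re.compile(r"^/8jwpc/odw3ux$")),
    ("Enfal, new variant", None, re.compile(r"^/cgi-bin/CMS_SubitAll\.cgi$")),
]

# Enfal command poll: two directories, then hostname and MAC address.
# ASSUMED layout "/<dir>/<dir>/<hostname>-<12 hex digits>[.ext]"; the paper
# does not show the exact encoding, so treat this as illustrative only.
ENFAL_CMD_POLL = re.compile(r"^/[^/]+/[^/]+/[A-Za-z0-9-]+[-_.]?(?:[0-9A-Fa-f]{2}[:-]?){6}(?:\.\w+)?$")
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/\d\.\d$")


def classify_request(line: str) -> Optional[str]:
    """Return the matching family label for an HTTP request line, or None."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return None
    method, target = m.group("method"), m.group("target")
    path = target.split("?", 1)[0]          # signatures match the path only
    for label, want_method, rx in SIGNATURES:
        if (want_method is None or method == want_method) and rx.match(path):
            return label
    if ENFAL_CMD_POLL.match(path):
        return "Enfal command poll (assumed layout)"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (request line, label) for every line that hits a signature."""
    hits = []
    for line in lines:
        label = classify_request(line)
        if label:
            hits.append((line, label))
    return hits


# Constructed request lines, not taken from real traffic.
SAMPLE_REQUESTS = [
    "POST /cgi-bin/Owpq4.cgi HTTP/1.1",
    "GET /DES20120731.jsp HTTP/1.1",
    "GET /cmd/get/WORKSTATION-01-001122aabbcc HTTP/1.1",
    "GET /index.html HTTP/1.1",
]
```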
These requests can be detected because they follow a specific format that includes two directories, followed by the hostname and MAC address of the compromised computer. This consistent pattern is still detected despite modifications made to Enfal.

Deep Discovery detects these Enfal communications using the various methods previously described as well.

Sykipot

The Sykipot campaign, which has been known by many names over the years, can be traced back to 2007 and possibly even 2006.19 The campaign became better known after the discovery of a zero-day exploit (i.e., CVE-2011-2462) targeting U.S. Department of Defense (DOD) smartcards.20 While older versions of Sykipot malware communicated with a C&C server over HTTP, newer versions have been seen using HTTPS, perhaps because requests made to the C&C server consistently use the format /kys_allow_get.asp?name=getkys.kys and are, therefore, detectable.

In July 2012, new versions of the Sykipot malware were detected. These connected via HTTPS with a different URL path documented by AlienVault, GET /get.asp?nm=index.dat&hnm=[HOSTNAME]-[IP-ADDRESS]-[IDENTIFIER].22 The SSL certificate on the server, however, remained one that could be detected using an already publicly published Snort rule.

Deep Discovery specifically detects the SSL certificate Sykipot malware uses. In addition, generically detecting suspicious SSL certificates has proven quite useful at proactively detecting zero-day malware, including the recently discovered Gauss malware. Looking for default, random, or empty values in SSL certificate fields and restricting such detections to only certificates supplied by hosts outside an organization’s monitored network provides a great balance of proactive detection with manageable false positives.
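An added example (not the paper's or Deep Discovery's code) of the certificate heuristic described above: flag subject or issuer fields that are empty, carry OpenSSL's default placeholders, or look random, and alert only when the certificate came from a host outside the monitored network. The monitored ranges, the randomness test and the sample certificates are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Assumed: the organization's own address space. Certificates presented by
# hosts inside it are not alerted on, as the paper suggests.
MONITORED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("192.168.0.0/16")]
# Placeholders OpenSSL fills in when a self-signed certificate is generated
# with every prompt left at its default.
DEFAULT_VALUES = {"internet widgits pty ltd", "some-state"}


@dataclass
class CertObservation:
    server_ip: str
    subject: Dict[str, str]   # e.g. {"CN": ..., "O": ..., "C": ...}
    issuer: Dict[str, str]

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in MONITORED_NETWORKS)

def looks_random(value: str) -> bool:
    """Crude randomness test: a long alphanumeric token whose letters and
    digits interleave often (like 'k3j9x2q8w1'), which real names rarely do."""
    if len(value) < 8 or not value.isalnum():
        return False
    flips = sum(1 for a, b in zip(value, value[1:]) if a.isdigit() != b.isdigit())
    return flips >= 3

def is_suspicious_value(value: str) -> bool:
    """Empty, OpenSSL default, or random-looking field value."""
    v = value.strip()
    return not v or v.lower() in DEFAULT_VALUES or looks_random(v)

def suspicious_fields(cert: CertObservation) -> List[str]:
    """Names of subject/issuer fields that are empty, default, or random-looking."""
    hits = []
    for part, fields in (("subject", cert.subject), ("issuer", cert.issuer)):
        for key, value in fields.items():
            if is_suspicious_value(value):
                hits.append(f"{part}.{key}")
        if "CN" not in fields:          # a missing common name counts as empty
            hits.append(f"{part}.CN")
    return hits

def should_alert(cert: CertObservation) -> bool:
    """Alert only for external hosts whose certificate has a suspicious field."""
    return is_external(cert.server_ip) and bool(suspicious_fields(cert))
```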
19 http://blog.trendmicro.com/the-sykipot-campaign/
20 http://labs.alienvault.com/labs/index.php/2012/when-the-apt-owns-your-smart-cards-and-certs/
21 http://labs.alienvault.com/labs/index.php/2011/are-the-sykipots-authors-obsessed-with-next-generation-us-drones/
22 http://labs.alienvault.com/labs/index.php/2012/sykipot-is-back/
Will Adversaries Adapt?

There is a consistent need to weigh revealing enough information about APT campaigns to alert the public and allow defenders to take corrective action against giving the threat actors behind attacks an understanding of what is known about their operations and the opportunity to adapt. Information about these campaigns can be effectively used without pushing threat actors to adapt and evade detection. They have, for instance, made the following changes:

• Targeted attacks that have been using Gh0st RAT utilize modified versions wherein the “Gh0st” header has been replaced by other five-character strings such as “LURK0.” This means that IDS rules that only match the “Gh0st” header can be evaded.

Network-Based Detection Challenges

Two key factors pose challenges to network-based detection—encryption and the cloud. The use of SSL encryption evades detection based on patterns in URL parameters and HTTP headers. The use of legitimate services in the cloud, meanwhile, evades attempts to simply block access to known “bad” locations. Together, these two factors make detecting APT activity challenging.

The use of these techniques is certainly not new. Such techniques have been extensively used in typical criminal operations. In the past, Twitter, Tumblr, Google Apps, Google Groups, and Facebook have all been used as malware C&C channels.23 It is not surprising, therefore, that APT attackers have also been using such services as C&C channels.
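The Gh0st-to-LURK0 header swap in the bullet above is the reason to match a packet's structure rather than its magic string. As an added example (not from the paper), this classifier keys on the framing that public analyses of Gh0st RAT describe: a 5-byte magic, a little-endian total length, a little-endian uncompressed length, then a zlib stream. That layout is not stated in the paper and is an assumption here; the sample frames are constructed by the fixture at the end.

```python
import struct
import zlib
from typing import Optional, Tuple

HDR_LEN = 13                          # 5-byte magic + two 4-byte lengths
KNOWN_MAGICS = {b"Gh0st", b"LURK0"}   # the strings the paper mentions


def parse_frame(data: bytes) -> Optional[Tuple[bytes, int, int]]:
    """Return (magic, total_len, original_len) if `data` is framed like a
    Gh0st packet, whatever its 5-byte magic; otherwise None."""
    if len(data) < HDR_LEN + 2:
        return None
    magic = data[:5]
    if not all(0x20 <= b < 0x7F for b in magic):        # magic is printable ASCII
        return None
    total_len, original_len = struct.unpack_from("<II", data, 5)
    if total_len != len(data) or original_len == 0:
        return None
    cmf, flg = data[HDR_LEN], data[HDR_LEN + 1]
    if cmf & 0x0F != 8 or ((cmf << 8) | flg) % 31 != 0:  # zlib header sanity check
        return None
    return magic, total_len, original_len


def classify_frame(data: bytes) -> Optional[str]:
    """Label a frame as a known Gh0st-family magic, an unknown magic with
    Gh0st framing, or None when it is not Gh0st-like at all."""
    parsed = parse_frame(data)
    if parsed is None:
        return None
    magic, _, original_len = parsed
    try:
        plain = zlib.decompress(data[HDR_LEN:])
    except zlib.error:
        return None
    if len(plain) != original_len:     # length field must agree with the body
        return None
    name = magic.decode("ascii")
    if magic in KNOWN_MAGICS:
        return f"known magic {name}"
    return f"Gh0st framing with unknown magic {name}"


def sample_frame(magic: bytes, plaintext: bytes) -> bytes:
    """Constructed test fixture in the assumed layout; not captured traffic."""
    body = zlib.compress(plaintext)
    return magic + struct.pack("<II", HDR_LEN + len(body), len(plaintext)) + body
```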
The ability to detect APT activity at the network level is heavily dependent on leveraging threat intelligence. A variety of very successful ongoing campaigns can be detected at the network level because their communications remain consistent over time. Modifications made to malware’s network communications can, however, disrupt the ability to detect them. As such, the ongoing development of threat intelligence based on increased visibility and information sharing is critical to developing indicators used to detect such activity at the network level.

Trend Micro has also included more generic techniques in Deep Discovery, which have proven useful. While these indicators may generate false positives, they will still help detect previously unknown malicious activity at the network level:

• Protocol-aware detection: Many of the RATs used in targeted attacks use HTTP/HTTPS ports to communicate, often because only these ports are open at the firewall level. This means that detecting any non-HTTP traffic on port 80 or any non-HTTPS traffic on port 443 flags potentially malicious traffic for further investigation. While not conclusive, such alerts can provide direction as to where to focus investigative resources.

• Timing and size: Since malware typically “beacons” to C&C servers at given intervals, monitoring consistent intervals for Domain Name System (DNS) requests or requests to the same URL will help.28 As more APT campaigns move from HTTP to HTTPS communications, as Sykipot did, communications may still be detected by analyzing traffic based on the “volume of transferred data, timing, or packet size.”29 Such requests can then be further investigated.

As adversaries adapt, more general methods can be implemented to detect suspicious behaviors. While this may result in an increase in false positives, enterprises that are consistently targeted by APT activity may wish to explore such options. Multiple ongoing APT campaigns, however, can be consistently detected at the network level. While exploits and binaries may be modified to avoid detection, network traffic tends to remain constant. In such a case, it is possible to detect APT activity by leveraging threat intelligence in network traffic analysis.
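An added example (not from the paper or Deep Discovery) of the timing-and-size check in the last bullet: group client requests by destination, measure how regular their intervals and request sizes are, and flag the low-jitter, constant-size groups. The thresholds are assumptions and the sample flows are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float    # time of the request, seconds since epoch
    src: str     # internal client
    dst: str     # DNS name queried or URL requested
    size: int    # bytes sent by the client


def find_beacons(flows: List[Flow], min_count: int = 5,
                 max_jitter: float = 0.1, max_size_cv: float = 0.1
                 ) -> Dict[Tuple[str, str], Dict[str, float]]:
    """Return (src, dst) pairs whose requests recur at near-constant intervals
    with near-constant size. jitter and size_cv are coefficients of variation
    (standard deviation / mean), so 0.0 means perfectly regular."""
    groups: Dict[Tuple[str, str], List[Flow]] = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst)].append(f)
    findings = {}
    for key, members in groups.items():
        if len(members) < min_count:
            continue
        members.sort(key=lambda f: f.ts)
        intervals = [b.ts - a.ts for a, b in zip(members, members[1:])]
        period = mean(intervals)
        if period <= 0:
            continue
        jitter = pstdev(intervals) / period
        sizes = [f.size for f in members]
        size_cv = pstdev(sizes) / mean(sizes) if mean(sizes) else 0.0
        if jitter <= max_jitter and size_cv <= max_size_cv:
            findings[key] = {"count": len(members), "period_s": round(period, 1),
                             "jitter": round(jitter, 3), "size_cv": round(size_cv, 3)}
    return findings


# Constructed flows: one client polls a host every ~300 s with a fixed-size
# request, another browses a news site at irregular times and sizes.
SAMPLE_FLOWS = (
    [Flow(1000 + 300 * i + d, "10.0.0.5", "update.beacon.example", 512)
     for i, d in enumerate([0, 2, -1, 1, 0, 3])]
    + [Flow(t, "10.0.0.7", "news.example", s)
       for t, s in zip([1000, 1005, 1250, 1260, 1900, 3000],
                       [300, 1200, 450, 2000, 800, 150])]
)
```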
27 http://sector.ca/sessions2011.htm#Rodrigo%20Montoro
28 http://www.splunk.com/web_assets/pdfs/secure/Splunk_for_APT_Tech_Brief.pdf
29 https://anonymous-proxy-servers.net/paper/wpes11-panchenko.pdf
Trend Micro™ Deep Discovery in Focus
Deep Discovery delivers the networkwide visibility, insight, and control needed to detect and identify targeted attacks in real time. It provides in-depth analysis and actionable intelligence to immediately remediate threats and prevent further damage.

Deep Discovery’s proven approach provides the best detection with the fewest false positives by identifying malicious content, communications, and behavior across every stage of the attack sequence. Through detection and in-depth analysis of both advanced malware and evasive attacker behaviors, Deep Discovery provides enterprises and government organizations a new level of visibility and intelligence to combat APTs and targeted attacks across the evolving computing environment.

How Deep Discovery Works

Deep Discovery uses a three-level detection scheme to perform initial detection, simulation and correlation, and, ultimately, a final cross-correlation to discover “low-and-slow” and other evasive activities discernible only over an extended period of time. Specialized detection and correlation engines provide the most accurate and up-to-date protection aided by global threat intelligence from the Trend Micro™ Smart Protection Network™ infrastructure and our dedicated threat researchers. The result is a high detection rate, low false positives, and in-depth incident reporting information designed to speed up the containment of an attack.

• Advanced Threat Scan Engine
  • Combines traditional antivirus file scanning with new aggressive heuristic scanning techniques to detect both known and unknown malware and document exploits
• Trend Micro Smart Protection Network
  • A global threat intelligence and reputation service that correlates 16+ billion URL, email, and file queries daily
• Virtual Analyzer
  • A virtualized threat sandbox analysis system that uses customer-specific configurations to detect and analyze malware

As a result, Deep Discovery is able to detect malicious content and identify suspect communications.
©2012 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company
names may be trademarks or registered trademarks of their owners.