CnCHunter: An MITM-Approach to Identify Live CnC Servers

Presented at Black Hat USA 2021, Aug. 5, 2021, 3:20 p.m. (40 minutes)

How can we identify active CnC servers? Answering this question is critical for containing and combating botnets. Finding CnC servers is not trivial: CnC servers can change locations expressly to avoid detection, use proprietary communication protocols, and often use end-to-end encryption. Most prior efforts first "learn" a malware communication protocol and then scan the Internet in search of live CnC servers. Although useful, this approach will not work with sophisticated malware that may use encryption or a communication protocol that is hard to reverse engineer.

In this session, we propose CnCHunter, a systematic tool that discovers live CnC servers efficiently. The novelty of our approach is that it uses real "activated" malware to search for live CnC servers, with CnCHunter acting as a Man-In-The-Middle. As a result, our approach overcomes the limitations of prior efforts. For example, the malware binary knows how to communicate with its server even in the presence of encryption. We randomly selected 50 IoT malware samples collected between 2017 and 2021, and found their CnC servers. CnCHunter could automatically activate 96% of the malware and dynamically find the CnC servers.

Additionally, we demonstrate the potential of our system by activating an old Gafgyt malware sample and enabling it to communicate with a live CnC server for a recent sample of the same family. This proves that an old malware binary of a family can be used to scan the Internet and find live CnC servers for that malware family.

Presenters:

  • Ali Davanian - Security Researcher, University of California Riverside
    Ali Davanian is a fourth-year PhD candidate at the University of California Riverside. Ali holds two master's degrees in Security and Privacy, from the University of Twente and the University of Trento. Ali conducts research in system and network security, and his research has been published in USENIX Security, Recent Advancements in Intrusions and Detections (RAID), the Symposium on Access Control Models and Technologies (SACMAT), and the International Conference on Security and Privacy in Communication Systems (SecureComm). Ali's research has been cited more than 50 times. Ali is also a reviewer for CCS, AsiaCCS, and the Journal of Computer Virology. He has also served as a committee member for the ACSAC conference.
  • Michalis Faloutsos - Professor, University of California Riverside
    Prof. Michalis Faloutsos has been a faculty member at the Computer Science Dept. of the University of California, Riverside, since 1999, with a brief interruption to serve as Dept. Chair of CS at U. New Mexico (2012-2015). He obtained his bachelor's degree at the National Technical University of Athens and his M.Sc. and PhD at the University of Toronto (1999). His interests include network and systems security, online social network analytics, and network measurements. With his two brothers, he co-authored the paper "On power laws of the Internet topology" (SIGCOMM'99), which received the "Test of Time" award from ACM SIGCOMM. His research has resulted in more than 21K citations, an h-index greater than 60, and an i10-index greater than 140. His work has been supported by many NSF, DHS, Army and DARPA grants with a cumulative total of more than $12M. He is the co-founder of stopthehacker.com, a web-security start-up, which received two awards from the National Science Foundation and was acquired in November 2013. In Aug 2014, he co-founded programize.com, which provides product development as a service. Between 2015 and 2019, he was the Director of Entrepreneurship, spearheading commercialization efforts on campus.
  • Ahmad Darki - Security Researcher, University of California Riverside
    Ahmad Darki is a system and network security researcher specializing in threat detection and malware analysis. He obtained his PhD in Computer Science at the University of California, Riverside (2020). During his PhD, he developed an adaptive malware analysis sandbox focused on analyzing IoT malware and simulating their C&C servers. He has published his work in Recent Advancements in Intrusions and Detections (RAID), CoNEXT, USENIX CSET, and more. In addition, he is a reviewer for IEEE TCAD, SN Applied Sciences, and MDPI journals and has been an external reviewer for ACM SenSys. After finishing his PhD, Ahmad started working as a Senior Threat Detection Engineer at Salesforce.com, researching threat models for network and cloud infrastructure, Incident Response automation, and game theory in cybersecurity.