

Talks and poster presentations (with proceedings entry):

M. Neugschwandtner, P. Milani Comparetti, Ch. Platzer:
"Detecting malware's failover C&C strategies with SQUEEZE";
Talk: Annual Computer Security Applications Conference (ACSAC), Orlando, Florida; 05.12.2011 - 09.12.2011; in: "Proceedings of the 27th Annual Computer Security Applications Conference", ACM, 27 (2011), ISBN: 978-1-4503-0672-0.



Abstract (English):
The ability to remote-control infected PCs is a fundamental component of modern malware campaigns. At the same time, the command and control (C&C) infrastructure that provides this capability is an attractive target for mitigation. In recent years, more or less successful takedown operations have been conducted against botnets employing both client-server and peer-to-peer C&C architectures. To improve their robustness against such disruptions of their illegal business, botnet operators routinely deploy redundant C&C infrastructure and implement failover C&C strategies.

In this paper, we propose techniques based on multi-path exploration [1] to discover how malware behaves when faced with the simulated take-down of some of the network endpoints it communicates with. We implement these techniques in a tool called Squeeze, and show that it allows us to detect backup C&C servers, increasing the coverage of an automatically generated C&C blacklist by 19.7%, and can trigger domain generation algorithms that malware implements for disaster-recovery.

Keywords:
Malware


"Official" electronic version of the publication (according to its Digital Object Identifier - DOI)
http://dx.doi.org/10.1145/2076732.2076736

Electronic version of the publication:
http://publik.tuwien.ac.at/files/PubDat_206040.pdf


Created from the publication database of Technische Universität Wien.