Endpoint
Commentary
11/30/2018, 10:30 AM
Elad Menahem
Threat Hunting: Improving Bot Detection in Enterprise SD-WANs

How security researchers tracked down Kuai and Bujoi malware through multiple vectors including client type, traffic frequency, and destination.

For over a year, security researchers at Cato Networks have observed the same pattern across enterprise SD-WANs: unidentified malware that persists despite investment in antivirus (AV) and other preventative systems. Below are two examples. Let's take a closer look at how they were found, to better understand how to protect your network.

Case #1: Kuai
In the following example, we identify a new malicious bot that we call "Kuai." To clarify, although the term "bot" is commonly used in a way that's synonymous with malicious intent, in fact, bots are also legitimate networking elements, such as an OS updater. As someone concerned about the security of your SD-WAN, you need to distinguish between the two. We have found that malicious bots can be identified by looking at multiple vectors — in this case, the client type, the traffic frequency, and the destination.

The first sign that this is a malicious bot is the client. Our researchers use machine learning algorithms to analyze network flows across the Cato Cloud network. By studying network flows, the researchers identify whether traffic originates from a browser, a bot, or other types of clients, and then "guess" at the exact client — for example, in the case of a bot, the type of bot, such as an OS updater or a Python/Ruby client. In this case, we identify the client as a bot of type "unknown."

Next, we notice the shape of the client's traffic flow. We measure traffic frequency over time, which gives a multidimensional view of a flow. Periodicity and traffic patterns help determine whether the traffic is initiated by a human or a machine. As the communication graph (Figure 1) shows, the activity is consistent and uniform. Human-generated traffic tends to vary over time, while machine-generated traffic tends to be almost uniformly distributed, like this graph. Periodicity on its own is not conclusive, because legitimate bots such as OS updaters and monitoring agents also check in on a schedule; that is why it is weighed together with the other two vectors.

Figure 1 - Periodic communication is one indicator of bot-like C&C traffic.

Notice the destinations. The IP addresses reside in three autonomous systems (AS4837, AS4808, and AS134420), all based in China, an originating point of many malicious bots. The URLs are also marked by low reputation (not shown). This differs from most threat-hunting or AV systems, which rely on one of the third-party reputation feeds available on the market to mark a URL "malicious."

Our experience has been that such feeds often include too many false positives and fail to accurately categorize new URLs. What's more, attackers can use the services' APIs to game them. Instead, we developed a popularity model that ranks URLs by the likelihood of posing a threat. The model analyzes the millions of network flows traversing our networks, flows involving many domains and clients. The model then ranks domains; the lower the reputation, the higher the risk.

Together, the three elements of client type, traffic frequency, and destination lead to the identification of the malicious bot, Kuai. It's important to note that most AV software, even next-generation AV relying on machine-learning models rather than file signatures, fails to identify Kuai. According to VirusTotal, a service from Alphabet's Chronicle that scans files with multiple AV engines, only six out of 68 engines considered this file a true threat.

Figure 2 - VirusTotal screenshot, reveals a low detection rate of the threat
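As an added example (not Cato's code or model), the following Python script scores each (host, destination) pair on the same three vectors over constructed flow records. A heuristic User-Agent classifier stands in for the machine-learning client-type model, the coefficient of variation of inter-arrival gaps stands in for the periodicity measure, and the fraction of hosts that contact each domain stands in for the popularity model. The host names, user agents, timestamps, the example.com and updates.example.net domains, and the domain-to-ASN map are all constructed; abckantu.com and the three ASNs are the ones named in this article.

```python
"""Three-vector bot hunt over constructed flow records (added example)."""
import statistics
from collections import defaultdict

# Constructed sample user agents: a typical Chrome 70 string and a
# Windows Update Agent string.
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36")
UPDATER_UA = "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40"

# Constructed domain -> ASN map (documentation ASNs for the benign domains).
# The article places Kuai's destination IPs in AS4837, AS4808 and AS134420.
DEST_ASN = {"abckantu.com": "AS4837", "example.com": "AS64496",
            "updates.example.net": "AS64497"}
ASN_WATCHLIST = {"AS4837", "AS4808", "AS134420"}

HUMAN_GAPS = [40, 900, 130, 2400, 70, 1600, 310]   # seconds, deliberately bursty


def build_sample_flows():
    """Constructed flows as (t_seconds, src_host, user_agent, dest_domain)."""
    flows = []
    for i in range(30):
        host = f"ws-{i:02d}"
        t = 0
        for k in range(6):                       # human browsing: irregular gaps
            t += HUMAN_GAPS[(i + k) % len(HUMAN_GAPS)]
            flows.append((t, host, BROWSER_UA, "example.com"))
        for k in range(5):                       # legitimate bot: hourly update check
            flows.append((3600 * (k + 1) + i, host, UPDATER_UA, "updates.example.net"))
    for k in range(8):                           # one host beacons every ~10 min, no UA
        flows.append((600 * k + k % 3, "ws-17", "", "abckantu.com"))
    return flows


def classify_client(user_agent):
    """Heuristic stand-in for the client-type model: browser, known bot, or unknown bot."""
    ua = user_agent.lower()
    if ua.startswith("mozilla/") and any(b in ua for b in ("chrome/", "firefox/", "safari/")):
        return "browser"
    if ua.startswith("windows-update-agent"):
        return "bot:os-updater"
    if ua.startswith(("python-requests", "python-urllib", "ruby")):
        return "bot:script"
    return "bot:unknown"


def periodicity(timestamps, min_flows=4):
    """Coefficient of variation of inter-arrival gaps (0.0 = perfectly periodic),
    or None when there are too few flows to judge."""
    ts = sorted(timestamps)
    if len(ts) < min_flows:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean > 0 else None


def domain_popularity(flows):
    """Fraction of all source hosts that contacted each domain; a minimal popularity model."""
    hosts_per_domain, all_hosts = defaultdict(set), set()
    for _, host, _, dom in flows:
        hosts_per_domain[dom].add(host)
        all_hosts.add(host)
    return {d: len(h) / len(all_hosts) for d, h in hosts_per_domain.items()}


def hunt(flows, cv_threshold=0.2, popularity_threshold=0.05, min_signals=3):
    """Return {(host, domain): [reasons]} for pairs that trip at least min_signals checks."""
    pop = domain_popularity(flows)
    times, agents = defaultdict(list), {}
    for t, host, ua, dom in flows:
        times[(host, dom)].append(t)
        agents[(host, dom)] = ua
    findings = {}
    for pair, ts in times.items():
        host, dom = pair
        reasons = []
        if classify_client(agents[pair]) == "bot:unknown":
            reasons.append("client is an unidentified bot")
        cv = periodicity(ts)
        if cv is not None and cv < cv_threshold:
            reasons.append(f"periodic beaconing (cv={cv:.3f})")
        if pop[dom] < popularity_threshold:
            reasons.append(f"rare destination ({pop[dom]:.1%} of hosts)")
        if DEST_ASN.get(dom) in ASN_WATCHLIST:
            reasons.append(f"destination in watched ASN {DEST_ASN[dom]}")
        if len(reasons) >= min_signals:
            findings[pair] = reasons
    return findings


if __name__ == "__main__":
    for (host, dom), reasons in hunt(build_sample_flows()).items():
        print(f"{host} -> {dom}: {'; '.join(reasons)}")
```

Requiring several independent signals is what keeps the hourly update check out of the findings: it is perfectly periodic, but it comes from a recognised client and goes to a destination every host in the network uses. The beaconing host trips all four checks.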

Case #2: Bujo
In our second case, we identify a new bot operating from a Chrome extension. The Bujo bot (named after its destination domain, bujot.com) again exhibits periodic communication, this time to a parked domain. Upon investigation, we see that the domain is registered without any association to a web service. The traffic reveals that the requests were generated by a Chrome extension (user agent shown below), and the extension is not one found on the Chrome Web Store.

Figure 3 - Periodic bot-generated communication of Bujo.

Further analysis of a Bujo sample reveals a fraudulent network monetizing traffic through a major search engine vendor. And once again, very few preventative solutions detect Bujo: according to VirusTotal, only four of the 68 AV engines tagged the sample as malicious.

Figure 4 - Low detection rate of Bujo as reported by VirusTotal.

Prevention? Detection? Response? You Need All of Them
Prevention mechanisms are designed to prevent infection attempts in real time. Yet malware is evasive and every day we witness new types of scams or techniques that manage to evade AVs. It's a cat-and-mouse game where AV vendors produce very large databases with malicious file signatures and attackers work to get around them.

All too often, though, when malware is less common or not widely distributed, AVs come late to the game. As a result, machines end up infected by threats that are detectable only by observing their network communications with command-and-control servers. Even more advanced engines, relying on machine learning rather than signatures, often fail to detect these threats. Organizations simply cannot rely solely on AV to protect against Internet-borne threats.

Indicators of Compromise (IOCs)

Table 1: Known C&C domains used by the Kuai and Bujo bots (defanged).

Kuai:
  abckantu[.]com

Bujo:
  bujot[.]com
  nusojog[.]com
  rokuq[.]com
  focuquc[.]com
  tawuhoju[.]com
  qukusut[.]com
  sastts[.]com
  tocopada[.]com
  norugu[.]com
  pacudoh[.]com
  srchlp[.]com
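One practical use of the table above is to sweep resolver logs for hosts that have already talked to these domains. The following Python script is an added example, not part of the article: it refangs the IOCs exactly as published, matches DNS query names on label boundaries (so a subdomain such as cdn.bujot.com hits while notbujot.com does not), and reports the querying client. The BIND-style log lines, client IPs and timestamps are constructed.

```python
"""Match the article's defanged IOC domains against DNS query logs (added example)."""
import re

# IOCs from Table 1, kept defanged as published.
IOCS = {
    "Kuai": ["abckantu[.]com"],
    "Bujo": ["bujot[.]com", "nusojog[.]com", "rokuq[.]com", "focuquc[.]com",
             "tawuhoju[.]com", "qukusut[.]com", "sastts[.]com", "tocopada[.]com",
             "norugu[.]com", "pacudoh[.]com", "srchlp[.]com"],
}

# Constructed BIND-style query log lines; client IPs and timestamps are made up.
SAMPLE_LOG = """\
30-Nov-2018 10:30:01.123 client 10.1.4.17#51234: query: abckantu.com IN A
30-Nov-2018 10:30:02.456 client 10.1.4.22#51235: query: www.example.com IN A
30-Nov-2018 10:40:01.119 client 10.1.4.17#51240: query: abckantu.com IN A
30-Nov-2018 10:41:07.001 client 10.1.4.31#51301: query: cdn.bujot.com IN A
30-Nov-2018 10:42:00.750 client 10.1.4.31#51302: query: notbujot.com IN A
30-Nov-2018 10:43:15.002 client 10.1.4.31#51303: query: SRCHLP.COM. IN TXT
"""
LOG_LINE = re.compile(
    r"^\S+ \S+ client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def refang(domain):
    """Turn a defanged IOC (abckantu[.]com) into a comparable lowercase FQDN."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def build_index(iocs):
    """Map refanged IOC domain -> malware family."""
    return {refang(d): family for family, domains in iocs.items() for d in domains}


def match_domain(qname, index):
    """Return (family, ioc) if qname is an IOC or a subdomain of one, else None.
    Walking label boundaries avoids the false positive a substring check
    would raise on notbujot.com."""
    labels = refang(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in index:
            return index[candidate], candidate
    return None


def scan_log(text, index):
    """Return (client_ip, qname, family) for every query log line that hits an IOC."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        hit = match_domain(m["qname"], index)
        if hit:
            hits.append((m["ip"], m["qname"], hit[0]))
    return hits


if __name__ == "__main__":
    for ip, qname, family in scan_log(SAMPLE_LOG, build_index(IOCS)):
        print(f"{ip} queried {qname} ({family})")
```

A repeated hit from the same client at a regular interval (10.1.4.17 here) is the DNS-side view of the periodic beaconing shown in Figure 1, and is a good pivot for the flow-level analysis described above.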

Elad Menahem is the head of security research at Cato Networks, a disruptive cloud-based enterprise platform with a mission to make networking and security simple again. Elad served in an elite tech unit in the Israel Defense Forces (IDF) Intelligence Corps, and has more than ... View Full Bio