Endpoint

11/30/2018
10:30 AM
Elad Menahem
Commentary
Threat Hunting: Improving Bot Detection in Enterprise SD-WANs

How security researchers tracked down the Kuai and Bujo malware through multiple vectors, including client type, traffic frequency, and destination.

For over a year, security researchers at Cato Networks have observed a trend occurring across SD-WANs that relates to unidentified malware in the enterprise. This malware continues to persist despite the investment in antivirus (AV) and other preventative systems. Below are two examples. Let's take a closer look to better understand how to protect your network.

Case #1: Kuai
In the following example, we identify a new malicious bot that we call "Kuai." To clarify, although the term "bot" is commonly used in a way that's synonymous with malicious intent, in fact, bots are also legitimate networking elements, such as an OS updater. As someone concerned about the security of your SD-WAN, you need to distinguish between the two. We have found that malicious bots can be identified by looking at multiple vectors — in this case, the client type, the traffic frequency, and the destination.

The first sign that this is a malicious bot is the client. Our researchers use machine learning algorithms to analyze network flows across the Cato Cloud network. By studying network flows, the researchers identify whether traffic originates from a browser, a bot, or other types of clients, and then "guess" at the exact client — for example, in the case of a bot, the type of bot, such as an OS updater or a Python/Ruby client. In this case, we identify the client as a bot of type "unknown."

Next, we notice the shape of the client's traffic flow. We measure traffic frequency over time, providing multidimensional insight into a traffic flow. Periodicity and traffic patterns help determine whether the traffic is initiated by a human or a machine. As you can see by looking at the communication graph (Figure 1), the activity is consistent and uniform. Human-generated traffic tends to vary over time while machine-generated traffic tends to be almost uniformly distributed, like this graph.

Notice the destinations. The IP addresses reside in three autonomous system numbers — AS4837, AS4808, and AS134420 — all of which are based in China, an originating point of many malicious bots. The URLs are also marked by low reputation (not shown). This is different from most threat-hunting or AV systems where the URL generally would be marked "malicious" using one of the third-party feeds available on the market.

Our experience has been that such feeds often include too many false positives and fail to accurately categorize new URLs. What's more, attackers can use the services' APIs to game them. Instead, we developed a popularity model that ranks URLs by the likelihood of posing a threat. The model analyzes the millions of network flows traversing our networks, flows involving many domains and clients. The model then ranks domains; the lower the reputation, the higher the risk.

Together, the three elements of client type, destination, and traffic frequency lead to the identification of the malicious bot, Kuai. It's important to note that most AV software, even next-generation AVs relying on machine-learning models rather than file signatures, fails to identify Kuai. According to VirusTotal, a service from Alphabet's Chronicle that scans files with multiple AVs, only six out of 68 AV engines considered this file a true threat.
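As an added illustration of the three-vector check described above (not Cato Networks' code), the toy hunter below groups constructed flow records by destination and flags a destination only when the client classifier reports an unrecognised bot, the inter-arrival gaps are nearly uniform, and the domain is on a low-reputation list. The classifier labels, the reputation set, the sample timestamps and the periodicity threshold are all assumptions; bujot.com is the domain named in the article.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed: domains an (assumed) popularity model ranks as low reputation.
LOW_REPUTATION = {"bujot.com"}          # domain named in the article
KNOWN_GOOD_BOTS = {"bot:os-updater"}    # legitimate bot clients the classifier recognises


@dataclass
class Flow:
    ts: int       # seconds (constructed)
    client: str   # assumed classifier label: "browser", "bot:unknown", "bot:os-updater", ...
    dest: str     # destination domain


def periodicity(timestamps):
    """Coefficient of variation of inter-arrival gaps: ~0 for uniform machine
    beaconing, larger for bursty human traffic. None if fewer than 3 flows."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else 0.0


def hunt(flows, cv_threshold=0.15):
    """Return {dest: [reasons]} for destinations where all three vectors agree."""
    by_dest = defaultdict(list)
    for f in flows:
        by_dest[f.dest].append(f)
    verdicts = {}
    for dest, fs in by_dest.items():
        reasons = []
        clients = {f.client for f in fs}
        if any(c.startswith("bot:") and c not in KNOWN_GOOD_BOTS for c in clients):
            reasons.append("unrecognised bot client")
        cv = periodicity(f.ts for f in fs)
        if cv is not None and cv < cv_threshold:
            reasons.append(f"periodic traffic (cv={cv:.2f})")
        if dest in LOW_REPUTATION:
            reasons.append("low-reputation destination")
        if len(reasons) == 3:          # only flag when client, shape and destination all agree
            verdicts[dest] = reasons
    return verdicts


# Constructed sample: 300 s beacons to bujot.com from an unknown bot, uniform
# update checks to a vendor domain, and irregular browser visits to a news site.
SAMPLE = (
    [Flow(t, "bot:unknown", "bujot.com") for t in range(0, 3000, 300)]
    + [Flow(t, "bot:os-updater", "updates.example") for t in range(0, 3600, 600)]
    + [Flow(t, "browser", "news.example") for t in (5, 40, 41, 900, 905, 2400)]
)

if __name__ == "__main__":
    for dest, why in hunt(SAMPLE).items():
        print(dest, "->", "; ".join(why))
```

The legitimate OS updater is just as periodic as the bot but is not flagged, which is the distinction the article draws between benign and malicious bots.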

Case #2: Bujo
In our second case, we identify a new bot that originates from a Chrome extension. The Bujo bot (named after its destination domain, bujot.com) again exhibits periodic communication, this time to a parked domain. Upon investigation, we see that the domain is registered without any association to a web service. The traffic reveals that it is generated by a Chrome extension (identified by its user agent), an extension not found in the Chrome Web Store.

Further analysis of a Bujo sample reveals a fraudulent network monetizing a major search engine vendor. And once again, we see very few network-based, preventative solutions can detect Bujo. According to VirusTotal, only four of the 68 AV engines tagged Bujo as malicious.

Prevention? Detection? Response? You Need All of Them
Prevention mechanisms are designed to prevent infection attempts in real time. Yet malware is evasive and every day we witness new types of scams or techniques that manage to evade AVs. It's a cat-and-mouse game where AV vendors produce very large databases with malicious file signatures and attackers work to get around them.

All too often, though, when malware is less common or not widely distributed, AVs come late to the game. As a result, machines end up infected by threats that are detectable by observing their network communications with command-and-control servers. Even more advanced engines, relying on machine learning rather than signatures, often fail to detect these threats. Organizations simply cannot rely solely on AV to protect against Internet-borne threats.

Indicators of Compromise (IOCs)
Here are the known C&C domains used by the Bujo and Kuai bots.

Table 1: Indicators of Compromise (IOCs)

Elad Menahem is the head of security research at Cato Networks, a disruptive cloud-based enterprise platform with a mission to make networking and security simple again. Elad served in an elite tech unit in the Israel Defense Forces (IDF) Intelligence Corps, and has more than ...