HTTP Header Heuristics

HTTP Header Heuristics
for Malware Detection
SANS Institute InfoSec Reading Room

Author: Tobias Lewis

link to paper

!
Presented by:

Clay Wells (Sr. Systems Programmer)

Department of Biostatistics & Epidemiology

University of Pennsylvania

View Slide

HTTP Header Heuristics for Malware Detection
Overview
Introduction
Analysis of HTTP heuristics

Recommendations

Conclusion

Resources

View Slide

Introduction
Methods for malware detection

- Signature based “known knowns”

- Heuristics, rules and patterns “unknown”

View Slide

Introduction
Basic assumptions

!
- Malware will “phone-home” (C&C)

- Malware masquerades as legitimate web trafﬁc

- Uses Hypertext Transfer Protocol, HTTP

View Slide

Introduction
HTTP

!
- Application layer protocol (client-server)

- Transfers information using headers

!
“allows the client to pass additional information about
the request, and about the client itself, to the server”!
- RFC2616!

View Slide

Introduction
HTTP request-header ﬁelds

!
- User-Agent:

- Host: *required

- Referer:

View Slide

Introduction
User-Agent

!
"User-Agent" ":" 1*( product | comment )!
!
User-Agent: CERN-LineMode/2.15 libwww/2.17b3!

View Slide

Introduction
Host

!
Host = "Host" ":" host [ ":" port ]!
!
Host: www.w3.org!

View Slide

Introduction
Referer

!
Referer = "Referer" ":" ( absoluteURI | relativeURI )!
!
https://encrypted.google.com/#q=w3c

View Slide

Overview
Introduction

Recommendations

Conclusion

Resources

View Slide

General heuristics

!
- User-Agents

- Typographic errors

- URL complexity

!
Using p0f for generic malware detection

!
- Introduction

- Demonstration

- Deployment options

- Considerations

View Slide

User-Agents

!
Proxy log example

!
!
!

View Slide

User-Agents

!
- fairly static, but..

- a large number exist with BYOD, etc

- works best when ﬁne-tuned

View Slide

User-Agents, SNORT based signatures

!
- doesn’t present User-Agent of a possible standard build

- doesn’t contain the correct OS

View Slide

Typographic errors

!
- Explicitly hardcoded header ﬁelds

MEDIANA

PROTUX

QUARIAN

View Slide

Typographic errors, MEDIANA

!
Surplus white space (ACSII 0x20)

View Slide

Typographic errors, MEDIANA

!
SNORT rule

View Slide

Typographic errors, PROTUX

!
Surplus white space in URL

View Slide

Typographic errors, QUARIAN

!
Other incorrect header ﬁelds

View Slide

URL complexity

!
- Some complexity will exist (valid Referer)

- Servers shouldn’t rely on > 255 characters

View Slide

URL complexity, IXESHE

!
Absent Referer ﬁeld

View Slide

URL complexity, TAIDOOR

!
Absent Referer ﬁeld

View Slide

URL complexity, MONGALL

!
More extreme example

View Slide

URL complexity, NETTRAVELER

!
More extreme example

View Slide


View Slide

URL complexity

!
Long & complex URLs do exist in legitimate trafﬁc

!
- Microsoft-CryptoAPI service

- Banner ads

View Slide

URL complexity

!
- Fine tune for your environment

- Use with other heuristics

View Slide

URL complexity

!
Snort rule using “urilen”

View Slide

General heuristics

!
- User-Agents

- Typographic errors

- URL complexity

!
Using p0f for generic malware detection

!
- Introduction

- Demonstration

- Deployment options

- Considerations

View Slide

p0f: Introduction

!
- Passive ﬁngerprinting tool

- Assuming malware uses TCP library of the host OS

- Uses structure of OSI model

!
TTL, Window Size, Sequence numbers

!
References a ﬁngerprint library

View Slide

p0f: Demonstration

!
- Generated trafﬁc using wget and Firefox (header plug-in)

- Conducted from a Windows 7 machine

- Used a ﬁxed User-Agent claiming to be IE6 on XP

- Captured data using Fakenet

View Slide

wget

View Slide

Firefox

modiﬁed

View Slide

NETTRAVELER

View Slide

Legitimate

trafﬁc

View Slide

p0f: Deployment options

!
- gateway devices

- part of a larger suite of network monitoring tools (using API)

View Slide

p0f: Considerations

!
- Examines at the application and transport layers

- Struggles to reliably detect the host OS

- Relies on the spoof-ability of the malware author

- Identiﬁes malicious behavior fairly well

- No tool or tool set will ever be 100% accurate!

View Slide

Overview
Introduction


Recommendations
Conclusion

Resources

View Slide

Recommendations
- Baseline your network

- Lower the noise ﬂoor where possible

- Heuristics work best when ﬁne-tuned to the environment

- Don’t rely on a single method for detection

View Slide

Overview
Introduction


Recommendations

Conclusion
Resources

View Slide

Conclusion
- Heuristics can be a useful tool in your arsenal

- Compliments signature based IDS or host based

View Slide

Resources
Link to paper

RFC2616, HTTP/1.1

http://practicalmalwareanalysis.com/fakenet/

p0f

www.snort.org

View Slide

2014-02-06: User-Agent strings!
!
Fedora release 19!
-----------------!
!
Firefox: "Mozilla/5.0 (X11; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0"!
!
Chrome: "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36"!
!
Seamonkey: "Mozilla/5.0 (X11; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0 SeaMonkey/2.23"!
!
Midori: "Mozilla/5.0 (X11; Linux) AppleWebKit/537.32 (KHTML, like Gecko) Chrome/18.0.1025.133 Safari/537.32 Midori/
0.5"!
!
!
OS X 10.9.1!
-----------!
!
Firefox: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0"!
!
Chrome: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107
Safari/537.36"!
!
Safari: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.73.11 (KHTML, like Gecko) Version/7.0.1
Safari/537.73.11"!
!
!
Windows XP!
----------!
!
Firefox: "Mozilla/5.0 (Windows NT 5.1; rv:23.0) Gecko/20100101 Firefox/23.0"!
!
IE: "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.1; .NET CLR
3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E)"!
!
Chrome: "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36"!
!
Safari: "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2"

View Slide

Thank You!
everyone

!
www.sans.org

!

View Slide

HTTP Header Heuristics

HTTP Header Heuristics

Clay Wells

More Decks by Clay Wells

Other Decks in Technology

Featured

Transcript