Integrated Honeypot Based Malware Collection and Analysis, pdf

CODEDRAGON Security/Reverse


Integrated Honeypot Based Malware Collection and Analysis


Contents

Abstract  v
Zusammenfassung  vii
Acknowledgements  xi

1 Introduction  1
  1.1 Initial Situation  2
  1.2 Task and Contribution of this Thesis  2
  1.3 Outline  3

2 Background  5
  2.1 Introduction  5
  2.2 Attacker Model  5
    2.2.1 Attack Classes  5
    2.2.2 Attacker Types  8
    2.2.3 Malware-specific Aspects  9
  2.3 Malware  10
    2.3.1 Definition  10
    2.3.2 Types and Terminology  11
    2.3.3 Evolution  14
    2.3.4 Life-Cycle  16
  2.4 Botnets  19
    2.4.1 Centralized C&C Server  19
    2.4.2 P2P based C&C Server  19
    2.4.3 Fast-Flux Service Networks  20
  2.5 Summary  20

3 Malware Collection using Honeypots  23
  3.1 Introduction  23
  3.2 Honeypot Concept  23
  3.3 Honeypot Technology  24
  3.4 Classification of Existing Approaches  26
    3.4.1 Low Interaction Server Honeypots  28
    3.4.2 High Interaction Server Honeypots  36
    3.4.3 Low Interaction Client Honeypots  38
    3.4.4 High Interaction Client Honeypots  40
    3.4.5 Honeypot Taxonomy  42
    3.4.6 Honeynets  44
  3.5 Summary  45

4 Malware Analysis  47
  4.1 Introduction  47
  4.2 The Malware Analysis Problem  47
  4.3 Static Malware Analysis  48
  4.4 Dynamic Malware Analysis  49
    4.4.1 Techniques  50
    4.4.2 Tools  53
    4.4.3 Implications and Limitations  58
  4.5 Summary  59

5 A Holistic Approach for Integrated Malware Collection and Analysis  61
  5.1 Introduction  61
  5.2 Problem Statement  61
  5.3 Overall Approach  63
    5.3.1 Goals  63
    5.3.2 Basic Concept  64
    5.3.3 Added Value  64
    5.3.4 Components  65
  5.4 General Design  65
    5.4.1 Setup  66
    5.4.2 Part 1: Fetching malware  68
    5.4.3 Part 2: Malware analysis  69
    5.4.4 Part 3: Service Provisioning  71
  5.5 Summary  75

6 Proof of Concept Implementation  77
  6.1 Introduction  77
  6.2 ScriptGen  78
    6.2.1 Basic Idea  78
    6.2.2 Modules  78
    6.2.3 Discussion  81
  6.3 Implementation and Validation  82
    6.3.1 Setup  82
    6.3.2 Generation of C&C Traffic  83
    6.3.3 Traffic Dissection and FSM Generation  84
    6.3.4 FSM Traversal and Script Building  85
    6.3.5 Results  89
  6.4 Summary  90

7 Summary  95
  7.1 Conclusion  95
  7.2 Outlook and Future Work  96

Bibliography  97


Download

http://www.martinbrunner.net/doc/MasterThesis-MartinBrunner.pdf

or

MasterThesis-MartinBrunner.pdf