Annual Computer Security Applications Conference 2011 Technical Track Papers


Detecting Malware’s Failover C&C Strategies with SQUEEZE

Final paper: pdf, 356KB. Presentation: pdf, 1.1MB.

Matthias Neugschwandtner
Vienna University of Technology
Austria

Paolo Milani Comparetti
Vienna University of Technology
Austria

Christian Platzer
Vienna University of Technology
Austria

Abstract:
The ability to remote-control infected PCs is a fundamental component of modern malware campaigns. At the same time, the command and control (C&C) infrastructure that provides this capability is an attractive target for mitigation. In recent years, more or less successful takedown operations have been conducted against botnets employing both client-server and peer-to-peer C&C architectures. To improve their robustness against such disruptions of their illegal business, botnet operators routinely deploy redundant C&C infrastructure and implement failover C&C strategies.

In this paper, we propose techniques based on multi-path exploration [1] to discover how malware behaves when faced with the simulated take-down of some of the network endpoints it communicates with. We implement these techniques in a tool called Squeeze, and show that it allows us to detect backup C&C servers, increasing the coverage of an automatically generated C&C blacklist by 19.7%, and can trigger domain generation algorithms that malware implements for disaster-recovery.
