Time-zone dependency in malicious activities performed by botnet Hiroaki Kikuchi1 , Shunji Matsuo1 , Masato Terada2 , and Masashi Fujiwara2 1

2

School of Information and Telecommunication Engineering, Tokai University, 4-1-1 Kitakaname, Hiratsuka, Kangawa, 259-1292, Japan Hitachi, Ltd. Hitachi Incident Response Team (HIRT), 890 Kashimada, Kawasaki, Kanagawa, 212-8567, Japan

Abstract. A botnet controls malware downloading servers distributed in remote sites, and hence download of malware is performed in the time of the target country. In this study, we analyze the source addresses of attacking data of CCC Dataset and found the correlation between active time for downloading and the time zone in which source address belong to．We propose a simple method to predict the true local time zone of server given the time series of malware downloading events.

1

Introduction

The Botnet is a set of malicious software robots running distributed environments, under the control of botnet’s originator, called “herder” or “bot master”. The set of compromised hosts jointly perform attacks for looking for vulnerabilities in target network, including Spamming, Phishing, Key logging, Click Fraud, Identity Theft, and DDoS. According to recent report in [7], The detecting botnet traffic, however, is not easy since botnets are evolving from centralized to the distributed strategy. In order to perform analysis in botnet traffic, many attempts are made so far. Yegneswaran et. al studied the botnet control mechanisms in conjunction with the host control commands in [2]. Stayer et. al proposed the heuristics for detecting botnet based on flow characteristics such as bandwidth, duration for performing attacks, and packet timings in [3]. Gu et. al developed the system to automate detecting process for botnet control channels. Their system, named as “BotSniffer”, uses the spatial-temporal correlation and similarity in network traffic[4]. Stone-Gross et. al made “active analysis”, i.e., intercepted communication among C&C servers and took over the Torping botnet[1]. One of the difficulties in analyzing botnet comes from fact that most compromised hosts are controlled by a remote command server that may not be in the same network to that in the compromised hosts. To address the problem, we focused on the drift of frequencies of malware downloading events in time. Most compromised computers are low security and for personal use and hence these are supposed to be not always-on. The malicious activities can be regulated according to the number of active (compromised) hosts, which would vary under

a particular distribution, for instance, increasing in evening and decreasing in 4 or 5 in the AM. Hence, observing the change in frequencies may allow us to predict which time zone the server belongs. In this paper, we investigate the time dependency in the CCC (Cyber Clean Center) DATA set 2010[6], consisting of raw packet data captured more than 90 independent honeypots for two years. The CCC, the Japanese governmental organization, is observing the backbone of Japanese tier-1 providers. Honeypot is a virtual host running two guests OSs, periodically rebooted. We present a simple but accurate method to automate identification time difference given unknown traffic (time series of downloading events) based on the correlation coefficient with regard to phase shift. Interestingly, our experiment with the CCC Dataset will reveal that botnet servers are classified into two groups; J in which malicious activities were performed according to Japanese local time, and L in which servers behaved in their local time zone. The rest of the paper is organized as follows. In Section 2, we show the time dependency in botnet activities observed from the CCC dataset, and present a simple identification method which time zone the botnet was controlled. In Section 3, we consider the reason why malicious activities were synchronized with Japanese local time and have two hypothesizes. We show a couple of experiment for verification of our hypothesizes. Finally, we give the concluding remarks in Section 3.5.

2 2.1

Time Zone in Botnet Botnet Activity in Local Time

A botnet uses a million of compromised computers to perform malicious activities. Typically, the normal personal computers without care of security are compromised and are under control of the botnet. Hence, the malicious activities must depend on the hourly time usage in the computers. For instance, the usage of computers has a peek around 22, according to a survey in [5]. Hence, there can be a correlation between the malicious activities and the hourly legitimate activities. We demonstrate the correlation in Figure 1, where the malicious activities, labeled as Download, are the number of downloading events observed from 100 honeypot in CCC Dataset 2010[6] whose source of packet was in Japan. The vertical axis indicates the fraction of number of downloading events (%) in a hour indicated by the horizontal axis. In the figure, we shows the distribution, with label Utilization, of the Internet utilization according to the survey. The number of malware changes as similar as the Internet utilization; both quantities increase from morning to evening and have peek at 22 in night. The positive correlation happens because most compromised computers are considered to be turned off in the mid-night and many commands to perform downloading are ignored in the period. The correlation between the distribution of downloading events and the hourly Internet utilization allows us to predict from which country unknown

50 Downloads Utilization 45 40 35

activity

30 25 20 15 10 5 0 0

1

2

3

4

5

6

7

8

9

10 11 12 13 14 15 16 17 18 19 20 21 22 23 hour

Fig. 1. Daily Internet utilization[5] and the number of events of downloading per hour observed in CCC Dataset 2010

activities are performed. This provides useful information for tracing botmaster that controls the compromised computers in abroad. 2.2

Local Time Analysis

In order to verify the dependency of frequencies of downloading events on country where malware was sent out, we investigate the geometric information of source addresses of downloading events in the CCC Dataset, from May 2009 to April 2010. To identify the country that given IP address belongs, we use GeoLite City[8], a commercial GeoIP service. The frequency of downloading events in countries, however, varies too much to compare the influence of time zone. Hence, we normalize the activities as follows. Definition 21 Let di (t) be a frequency of malware downloading per a hour at time t in country i. By Di and diPdenote a total and an average frequency in 23 country i, respectively, i.e., Di = i=0 di (t), and di = Di /24. The Normalized frequency at time t in country i is d0i (t) =

di (t) . Di

(1)

Surprisingly, our analysis clarifies that countries from which malware have been sent are sharply classified into two groups; 1. group J are countries where downloading malware were performed according to Japanese time zone. Instances include Canada, U.S.A and India.

0.08 Canda India Serbia Ukraina United States Japan

0.07

Number of Donwloads di(t)

0.06

0.05

0.04

0.03

0.02

0.01 0

1

2

3

4

5

6

7

8

9

10 11 12 13 14 15 16 17 18 19 20 21 22 23 hour t

Fig. 2. Hourly normalized frequency of downloading in group J (countries within same time zone to Japan) Table 1. Statistics on number of downloading events in countries Group J

L

Country i total unique IPs # of Downloads time difference Canada 256 293693 15 U.S.A. 1145 127052 16 Ukraine 180 51560 7 Serbia 7 4948 8 India 1212 4806 3 Brazil 345 353 12 Italy 433 445 8 New Zealand 282 1314 -3 Porland 338 347 8 Rumania 537 580 7

2. group L are countries where performance of downloading are synchronized in the local time that the packets were sent from. For example, downloads from source addresses in Brazil, Italy, and New Zealand were made frequently in the according local time. Table 1 shows the statistics of frequencies of malware downloading events in two categories. Figures 2 and 3 show the normalized frequencies of malwaredownloading events in groups J and L, respectively. The downloading behavior from countries in group J looks very similar that of Japan, with the minimum and maximum peeks at 5 and 22 o’clock. Although the time difference between Japan and U.S.A is 16 hours, the downloading from U.S. are very close to Japan for some reason. We will study the reason in shortly. On the other hand, the countries in group L have totally distinct behaviors from the distribution in Japan. The uneven distributions may come from the time differences to Japan. To take consideration of time differences, we show the

0.1 Brazil Italy New Zealand Poland Romania Japan

0.09

Number of Downloads di(t)

0.08 0.07 0.06 0.05 0.04 0.03 0.02 0.01 0 0

1

2

3

4

5

6

7

8

9

10 11 12 13 14 15 16 17 18 19 20 21 22 23 hour t

Fig. 3. Hourly normalized frequency of downloading in group L (countries in time zones other than Japan)

modified normalized frequency d0i (t − p) with time shift p hours at local time t in country i in Figure 4. Obviously, the compromised computers in group L perform malicious activities (downloading) according to their local time zones. 2.3

Identifying Phase Shift of Activities

Frequencies of malicious activities are time series with local time dependency. If a compromised computer is controlled by a foreign site in significant time difference, the activities would depend on the remote time zone rather than the local time zone. Regarding frequency as wave, we formalize the difference with phase shift p. Hence, we attempt to figure out the phase shift given unknown time serise of malicious activities. Let Si,j be a correlation coefficient between country i and j in frequency of malware-downloading events, defined as P23 t=0 (di (t) − di )(dj (t) − dj ) qP Si,j = qP . (2) 23 23 2 2 (d (t) − d ) (d (t) − d ) i i j j t=0 t=0 Table 2 shows the correlation coefficient of malware-downloading frequencies between countries and Japan. All countries in group J have high positive correlation (close to 1.0) to frequencies from Japan, while there is not clear correlation between group L and Japan. For instance, Poland has no correlation (S = 0.008) and Brazil has a negative correlation to Japan. To identify the time difference given time series of malware-downloading events, we evaluate the correlation coefficients as a function of phase shift p for 0, . . . , 23, that is, P23 t=0 (di (t − p) − di )(dj (t − p) − dj ) qP . (3) Si,j (p) = qP 23 23 2 2 (d (t − p) − d ) (d (t − p) − d ) i i j j t=0 t=0

0.1 Brazil Italy New Zealand Poland Romania Japan

0.09

Number of Downloads di(t)

0.08 0.07 0.06 0.05 0.04 0.03 0.02 0.01 0 0

1

2

3

4

5

6

7

8

9

10 11 12 13 14 15 16 17 18 19 20 21 22 23 hour t

Fig. 4. Modified hourly normalized frequency of downloading in group L (countries in modified local time) Table 2. Correlation Coefficient to Japan in malware-downloading frequency group J

country Si,j Canada 0.993 U.S.A 0.816 Ukraine 0.959 Serbia 0.450 India 0.785 L Brazil −0.429 Italy −0.073 New Zealand 0.058 Porland 0.008 Rumania 0.219

The change of correlation coefficients reveals the optimal phase shift p∗ as shown in Figure 5 (group J). We observe that all time series in group J show coherent waves, with shift p∗ is nearly equal to 0 or +2 hours. On the other hands, the countries in group J have distinct waves in Figure 6, where we can easily identify the optimal phase p∗ at which an average correlation coefficient is maximized, as, p∗ = argmaxSi,j (p∗ ). This simple scheme allows us to automate to identify the possible country from which malicious activities are initialized in high accuracy. Table 3 shows the identified phase shift p∗ for both groups. The difference between the identified and the true time difference, p0 − p∗ , in group L are within 2 hours and the correlation coefficients are close to 1.0. The accuracy is high enough to identify the country where the botmaster could be in.

1 Canada India Serbia Ukraine United States

0.8

0.6

correlation Si,j(p)

0.4

0.2

0

-0.2

-0.4

-0.6

-0.8 0

1

2

3

4

5

6

7

8

9

10 11 12 13 14 15 16 17 18 19 20 21 22 23 phase shift p

Fig. 5. Correlation Coefficients with regard to phase sift p, group J (Japanese timezone) 1 Brazil Italy New Zealand Poland Romania

0.8

0.6

correlation Si,j(p)

0.4

0.2

0

-0.2

-0.4

-0.6

-0.8 0

1

2

3

4

5

6

7

8

9

10 11 12 13 14 15 16 17 18 19 20 21 22 23 phase shift p

Fig. 6. Correlation Coefficients with regard to phase sift p, group L (Local timezone)

The optimal phase shift p∗ in group J are quite different to their true time zones, but the shifted correlation coefficients Si,j (t − p∗ ) are as high as that of group L. Therefore, we conclude that the malicious activities were perfumed according to Japanese local time.

3

Why malicious activities were synchronized with Japanese local time?

Let us consider the reason why downloading events sourced from group J were synchronized with Japanese local time.

Table 3. Time difference p0 and the identified phase shift p∗ , correlation coefficient between country i and Japan country time diff. to Ja.p0 identified phase p∗ p0 − p∗ Si,j (t − p0 ) Si,j (t − p∗ ) Canda 15 0 15 −0.494 0.993 U.S.A. 16 0 16 0.038 0.816 Ukraine 7 0 7 −0.57 0.959 Serbia 8 20 12 −0.771 0.789 India 3 22 5 0.19 0.809 L Brazil 12 11 1 0.809 0.847 Italy 8 6 2 0.655 0.765 New Zealand −3 19 2 0.671 0.881 Porland 8 6 2 0.677 0.831 Rumania 7 5 2 0.579 0.773

group J

A C&C server (botmaster) 1. exploit, and download command

2 . downloading request

B malware server 3 . malware download

C victim host (honey pot) Fig. 7. Malware downloading steps performed in Botnet

3.1

Procedure for malware download

Contemporary botnet makes malware being infected in target victim through a complicated steps. Figure 7 illustrates a simplified procedure in downloading malware to victim host C, which is our honey pot. At first, a command server, possibly botmaster, sends a (small) exploit code to the victim C and a command to download (large) malware. Then, the victim establishes a connection to specified destination, a malware server B, which finally sends a particular malware to the victim C. Note that hosts A and B are not always in the same country. Since the CCC observes malicious activities at Japanese backbone, victim hosts C are always in Japan, but some B are outside of Japan. From the limitation of the CCC dataset, the connections between A and C were not always observed and small captured packets are available to analyze. While, the malware downloading events, that is, all connections between B and C, have been perfectly logged.

Table 4. Attacking Scenario case command server A victim host C malware server B active timezone 1 * Japan Japan Japanese time 2a Japan Japan group J 2b group J Japan group J Japanese time 2c group L Japan group J 3a Japan Japan group L 3b group J Japan group L local ime 3c group L Japan group L CCC Dataset captured packets downloading logs

3.2

Our Hypothesis

There are possible seven cases for assignments of hosts A, B, and C to countries, in Japan, groups J and L, in Table 4. From our observation in previous section, we have seen that downloading events in case 1, 2 and 3 happened according to Japanese, Japanese and local time zones, respectively. For the reason why malicious activities are synchronized with time-zone, we come up with two hypothesizes; Hypothesis 1 Command server A depends on local time zone and regulates the whole downloading activities according to time zone that A belongs. Hypothesis 2 Malware server B depends on local time zone and causes the failure of downloads even when command server A sends downloading command to victim C. We assume victim hosts C are always online because of the CCC honey pot administrative policy. If Hypothesis 1 is true, the availabilities of command servers must depend on period of time in a day and attacking scenarios 2a (A is in Japan) and 3c (A is in group L) hold. If not, Hypothesis 2 must be true and accordingly the dataset would contain many failures of TCP handshake between C and B. For this case, attacking scenarios 3a, 3b, and 3c would be possible but the reason of case 2 is hard to explain. From the observation of the CCC dataset, most downloads had been performed in a Pull style, i.e., a victim host initiates connection with SYN packets and after it sends SYN/ACK packet, the malware server begins a transfer of malware. Hence, we assume that a host that sends SYN packet is either A or C. We ignore download in Push-style because of its too small fraction. In order to verify our hypothesizes, we perform the following experiments. 3.3

Experiment

The purpose of this experiments is to identify which server A (hypothesis 1) or C (hypothesis 2) determines time zone dependency in malware-downloading frequencies.

For our purpose, we investigated the captured packets in the CCC Dataset 2010[6]. The dataset contains all packets with honeypot as either source or destination address. The followings is the method of our experiment. 1. Examine the captured data and clarify (a) the all source IP addresses for A from which SYN packets were sent out (b) the number of command hosts A and belonging countries (c) the fraction of failure of TCP handshake (no SYN/ACK packet) in group L and J, 2. Test periodically ICMP Echo (Ping) to the all command hosts A from September 1st to 3rd in 2010 and show (a) the availability in a day for each country 3.4

Experimental Results

CCC Captured Data We extract 1164 IP addresses for command servers from the captured data in CCC Dataset. Table 5 shows the top unique addresses and the corresponding countries for command servers A and malware servers B. The most frequent country is Japan and U.S.A. and Brazil follow. There are 39 addresses that failed TCP handshake, with SYN but no SYN/ACK packet found in the captured data. The part of these failure addresses are listed in Table 6. Most domains show typical consumer internet provider, e.g., ocn.ne.jp, eed.net.tw. The fact indicates that personal hosts were compromised for use by botnet. ICMP Echo test We perform PING (ICMP echo) test for 1164 command servers and show the number of online (with reply) hosts for three days in Figure 8. Four countries in group J, we show the number of online servers in Japan and U.S.A in Figure 9 and 10, respectively. Most servers are stable for all day long and hence we guess that always-on servers are in group J. Group L shows the change in numbers of online hosts, as shown in Figure 11 (Brazil) and 12 (Italy). Obviously, the frequency of malware downloading activities depends on the local time where the server belong. 3.5

Consideration

The experimental results show that the number of online servers were stable in group J, i.e., most servers B are always-on. Our honeypots C are always-on, too. Hence, the time dependency must be caused by A, that is, malware server in group J were performed by command server in Japan. According to the unstable behavior in group L, the time dependency in group L must be caused from their command server in L. Hence, we come to conclusion that 2a. A in Japan, B in group J and 3c. A in group L, B in group L After all, for either group L and J, our hypothesis 1 is verified.

Table 5. Top unique IP addresses in each category Command server A malware server B group rank country unique IPs rank country unique IPs J 1 JP 228 1 JP 49 4 US 89 3 US 9 8 IN 34 9 UA 3 17 CA 11 13 IN 2 22 UA 9 19 CA 1 L 6 BR 51 6 RO 6 9 RO 29 10 PL 3 10 IT 28 13 BR 2 12 PL 20 19 IT 1 420 1st Day 2nd Day 3th Day 410

Number of Host

400

390

380

370

360 0

5

10

15

20

hour

Fig. 8. Distribution of numbers of online hosts that were involved in downloading malware in total

4

Conclusions

We have studied the time dependency of malicious activities performed by botnet. Our analysis of the CCC Dataset 2010 clarified that malware downloading events had happened according to the time zone where the source of packets were sent. Based on the correlation coefficient with regard to phase shift, we successfully identified the country that botnet controls their compromised computers from given unknown time series of events in high accuracy. Our additional experiments reveal that the local time dependency was caused by the server that sends command to victim hosts rather than by the servers that provide malware to the victim hosts. Our future studies include a tracking processes performed in the botnet, a distinguishing the botnet and a countermeasure to detect and avoid attacks from the botnet.

70 1st Day 2nd Day 3th Day 60

Number of Host

50

40

30

20

10

0 0

5

10

15

20

hour

Fig. 9. Distribution of numbers of online hosts in Japan that were involved in downloading malware

References 1. Brett Stone-Gross， Marco Cova， Lorenzo Cavallaro，Bob Gilbert， Martin Szydlowski， Richard Kemmerer， Chris Kruegel， and Giovanni Vigna，“Your Botnet is My Botnet: Analysis of a Botnet Takeover” in Proceedings of the ACM CCS， Chicago， IL， November 2009. 2. Barford, Paul, Yegneswaran, Vinod., “An Inside Look at Botnets”, Special Workshop on Malware Detection, Advances in Information Security, Springer Verlag, 2006. 3. W. T. Strayer, R. Walsh, C. Livadas and D. Lapsley, “Detecting Botnets with Tight Command and Control”, Advances in Information Security, Springer, pp. 195-202, 2006. 4. Guofei Gu, Junjie Zhang, and Wenke Lee, “BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic”, the 15th Annual Network and Distributed System (NDSS’08), 2008. 5. Daisuke Shibuya, “Personal Internet Usage from Survey Report”, White Paper on Internet 2010, pp. 180-193, Impress Japan, 2010 (in Japanese). 6. Hatada, et. al, “Malware Workshop and Common Data set – MWS 2010 Datasets –”, Malware Workshop (MWS2010), with IPSJ CCS 2010, 2010. 7. Fujiwara et. al, “Malware Analysis and Classifications”, IPSJ Technical Report, pp. 177-182, 2008. 8. MaxMind. GeoIP,http://www.maxmind.com/app/ip-location，2008. 9. Time Difference in the world (in Japanese) http://www.travelerscafe.jpn.org/ world time.html． 10. Shadowserver, “Botnet Charts”, http://www.shadowserver.org/wiki/pmwiki. php/Stats/BotnetCharts

40 1st Day 2nd Day 3th Day 35

Number of Host

30

25

20

15

10

5

0 0

5

10

15

20

hour

Fig. 10. Distribution of numbers of online hosts in U.S.A. that were involved in downloading malware

40 1st Day 2nd Day 3th Day 35

Number of Host

30

25

20

15

10

5

0 0

5

10

15

20

hour

Fig. 11. Distribution of numbers of online hosts in Brazil that were involved in downloading malware

1st Day 2nd Day 3th Day

14

12

Number of Host

10

8

6

4

2

0 0

5

10

15

20

hour

Fig. 12. Distribution of numbers of online hosts in Italy that were involved in downloading malware

Table 6. Source IP addresses from which SYN packet has been sent but no SYN/ACK packet (failure) time slot ID 1 3 6 7 10 11 16 27 27 29 57 58 80 89 89 89 118

IP FQDN country code country 67.43.236.xx N/A LB Lebanon 123.205.232.xx xxx.dynamic.seed.net.tw. TW Taiwan 69.64.147.xxx ash.parking.local. US U.S.A. 69.64.147.xxx ash.parking.local. US U.S.A. 122.18.181.xxx xxx.tokyo.ocn.ne.jp. JP Japan 41.97.253.xxx N/A DZ Algeria 122.18.181.xxx xxx.tokyo.ocn.ne.jp. JP Japan 189.84.197.xxx xxx.projesom.com.br. BR Brazil 5.160.60.xxx N/A ? ? 130.22.1.xx N/A US U.S.A. 124.86.121.xx xxx.kanagawa.ocn.ne.jp. JP Japan 124.86.121.xx xxx.kanagawa.ocn.ne.jp. JP Japan 218.232.43.xxx Nothing KR Korea 66.2.3.x xxx.algx.net. US U.S.A. 77.28.192.xx N/A MK Macedonia 89.106.98.xx xxx.optilinkbg.com. BG Bulgaria 39.99.169.xxx N/A US U.S.A.