We have developed a set of techniques to detect malicious SSL certificates using data collected by Bro. Our analysis framework consists of Bro for collecting the data and a variety of tools such as Splunk and AWS ML for data analysis. We show how we used Bro for collecting the attributes we needed for SSL certificates from both good and bad sources. Bro is a very effective and simple tool for analyzing and extracting data from network traffic. Next, the extracted data was loaded into Splunk and we ran a series of Machine Learning algorithms to identify those attributes that correlated with malicious activity. The algorithms we used also allowed for categorization of certificates used in the delivery and control of malware. Our analysis showed that there were a number of patterns that emerged that allowed for classification of high-jacked devices, self-signed certificates, etc. We will present the results of our analysis which show which attributes are the most relevant for detecting malicious SSL certificates and as well the performance of the ML algorithms. Finally, we show how well the training has worked in detecting new malicious sources. All of the source code will be made available on github.

1. Detecting Malicious SSL
Certificates Using Bro
Andrew Beard
Ajit Thyagarajan

2. Motivation
• SSL traffic is increasing and so is malicious usage!

3. Motivation
• SSL traffic is increasing and so is malicious usage!
• Content visibility of SSL traffic is becoming increasingly harder

4. Motivation
• SSL traffic is increasing and so is malicious usage!
• Content visibility of SSL traffic is becoming increasingly harder
• BSides Charm talk – Using Bro IDS to Detect X509 Anomalies by Will
Glodek

5. Direct application of cert feeds
• Well known SSL cert blacklist, SSLBL by abuse.ch
• Identifies certificates via hash (SHA1)
• Averages about 10 new entries per week
• Relatively high efficacy

6. David Bianco’s Pyramid Triangle of Pain
• Reflects the pain you
cause to an adversary
• Generating new
certificates (even signed
ones) causes little pain

7. Using cert feeds and Bro to greater effect
• Use the feeds as a starting point to gather and label data
• Analyze metadata from known bad certificates as a training set
• Treat other certs resulting from other feeds as maybes
• Try to find patterns in the metadata we can use to match as many
known bad and maybes as possible, verify against known (or at least,
heavily biased) good traffic

8. Why Bro?
• Content awareness
• Ability to apply patterns to live network traffic
• Symmetry on the front and the back end

9. I don’t have a supercomputer
• I have a 7 year old Dell workstation
my wife’s IT department was
throwing out
• Nothing here would be remotely
considered HPC

10. Generating training sets
• Visit every potentially malicious site you can possibly find
• OSINT feeds are great for this
• Don’t have a lot of context (if any)
• Look for certificates that match our known bad ones
• “Everything else” creates a data set that isn’t totally trustworthy, use
for testing

11. Feed
Data
(All)
Fetch
Script
In
Cert
Feed?
Known
Bad
Maybe
Bad
Yes
No

12. Problems with generating data sets
• Expect a low response rate
• Sites get taken down, not HTTPS port 443, don’t serve anything out,
unregistered DGAs, etc
• Less than 1 in 5000 respond (with no guarantee those responses are
actually bad)
• Number that match on the SSLBL is even worse, and that’s biased
• Based entirely on what’s already labeled as bad

13. x509.log Fields
• ts
• id
• version
• serial
• subject
• issuer
• not_valid_before
• not_valid_after
• key_alg
• sig_alg
• key_type
• key_length
• exponent
• curve
• san.dns
• san.uri
• san.email
• san.ip
• basic_constraints.ca
• basic_constraints.path_len

14. Subjects and Issuers
• CN=nycards2016.com,OU=PositiveSSL,OU=Domain Control
Validated
• emailAddress=ha@163.com,CN=gjf,OU=comba,O=comba,L=guang
zhou,ST=china,C=CN
• CN=A_LifeSize_System,C=US,ST=Texas,L=Austin,emailAddres
s=hostmaster@lifesize.com,OU=IT,O=LifeSize
Communications, Inc.
• CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec
Trust Network,O=Symantec Corporation,C=US
• OU=Test,O=Peersec
Networks,L=Bellevue,ST=WA,C=US,CN=MatrixSSL Sample
Server CA

15. Splitting the Attributes
• Subject and Issuer are the string representations of multiple Attribute
Value Assertions (AVAs)
• Hard to compare them as big strings, but a lot more commonality
once you split them up
• Not hard to parse out each attribute using something like Splunk or
Kiabana, but it makes matching on those fields harder later
• Split the fields into a new Bro log based on x509.log
(x509_extended.log)

16. Many attributes, but we’re just using a subset
• C Country
• CN Common Name (Site identifier)
• L Locality (City)
• O Organization
• OU Organizational Unit
• ST State (or Province)
• emailAddress
• unstructuredName
• serialNumber

17. x509_extended
type Info: record {
fuid: string &log;
sha1: string &log;
subject_c: string &log &optional;
subject_cn: string &log &optional;
subject_l: string &log &optional;
subject_o: string &log &optional;
subject_ou: string &log &optional;
subject_st: string &log &optional;
subject_email: string &log &optional;
subject_unstruct: string &log &optional;
subject_serial: string &log &optional;
issuer_c: string &log &optional;
…
}

18. Need a prototyping system
• Wanted to gather data, then test patterns on the same data sets over
and over
• Could do this with Bro directly, but you don’t really need to reprocess
the packets and sessions over and over again
• Process traffic into Bro logs, evaluate via Splunk or SQL
• May want to apply new certificate feeds to existing logs outside of Bro

19. Analysis
• Look at data in $VISUALIZATION
• Clustering -> Pattern Synthesis
• Check for hits in the bad table
• Check for hits in the unknown table
• Confirm against a known good set

20. Examples

21. Default Values
C ST O emailAddress
AU Some-State Internet Widgits Pty Ltd -
AU Some-State Internet Widgits Pty Ltd chmod 0600 /etc/nginx/ssl/server.key
AU Some-State Internet Widgits Pty Ltd -

22. openssl Command Defaults
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

23. Is it actionable?
• Very strong correlation between sites that were hosting malware or
control nodes, though
• Gozi, Gootkit, Shifu, others have all been identified running from
servers with “Internet Widgits Pty Ltd” certificates
• Non-malicious sites mostly default server pages and sites under
development
• A user visiting a site outside the network could be considered
anomalous
• Default Company Ltd, Default City, also used by some OpenSSL
distributions

24. Copypasta
sha1 O L ST
1147947433f261bcd2cd8f508461e01898c3960b Dis Springfield Denial
f2a61975cb541e6a62ed8ca5214020108d922a14 Dis Springfield Denial
368e6beb6f8d2f6049831fe25dd397287823c5e6 Dis Springfield Denial
a9650a4522140d42e5ca4529da54805625eebe64 Dis Springfield Denial
• 4 cert feed matches in our original sample set
• SSLBL lists all four as TorrentLocker C2 servers
• 14 others were found with the same ST, L, and O fields (and other
fields not present)
• 5 of those have shown up in the SSLBL feed since
• So far ALL TorrentLocker C2 servers seem to use the same pattern

25. Where did it come from?

26. “Random” Values
C CN L O ST
CN TJMauph2wkefdglVFzqmyEvM 3KLyyRWQF0IRfH91yu5frdLX rfUvM2rqVg1P8IpFP2mJbEjD ST
CN RJHeFQ9nCz69k5RNTTLmVCIf gBEUDkp44OE7ihODZD4VbdDv oLsGPV9bx43NaNg1ZjOqIGfJ ST
CN Hcoc6tfYqmEXPnDtwJ39vBFg N9El3p9XpqOBDcqUQxKCbw5V OJ2vl3Vz2Tn0skdsUsLUMwFz ST
CN X5WBo9o5AqvtVGGAVyBiNgwO wHMhVyFMNPcbdG84Q8gKcijH 8V3jDPLZIGdNoOmKQ42ZmhlE ST
CN rQ9YqiO7S1pgULTmD3nNahn7 OBfmruLgjF88LKyg0fVHqRzU zs3L7avZO3gDESogMpf4HBxj ST
• Fixed C and ST values, and exactly 24 character in the CN, L, and O
fields
• Over 27 matches for the same pattern in the “maybe” set
• All C2 nodes from the same malware family

27. Applying Patterns to Bro
• Wrote collection of bro scripts that load the x509_extended module
• Hooks into an event after subject and issuer subfields have been
parsed out
• Logs to notice.log

28. Triangle of Pain, Revisited

29. Recap
• Bro makes it easy to extract certificate metadata
• Using OSINT and Bro you can easily collect large sets of data on bad
and suspect certificates
• Patterns in the certificate metadata can yield higher-value
information than the feeds alone
• Hard to definitively say something is malicious with no context, but
you can get to a high level of confidence
• Since Bro can operate a line speed, it can be used to match against
those patterns with live traffic

30. Future
• Better ways of applying patterns in Bro (less hardcoding into scripts)
• Certificate analysis has potential for uncovering a lot more patterns
• Better automatic clustering
• BSides DC talk focusing on clustering and analysis (Oct 22, '16)
• Continuing to enhance our collection of good/bad certs
• Looking for collaborators - let us know if you are interested...

31. Thanks to:
• Abuse.ch
• John Bambenek and Bambenek Consulting
• AlienVault and numerous OTX contributors
• Ravi Pandey from University of Maryland

32. Questions?
Andrew Beard
andrew@atomicmole.com
Ajit Thyagarajan
ajit@atomicmole.com
Atomic Mole GitHub
https://github.com/atomicmole/brocon2016