Hviz: HTTP(S) Traffic Aggregation and Visualization for Network Forensics

This Web page shows visualizations of HTTP activity produced by our visualization tool Hviz (HTTP(S) traffic visualizer).

Hviz has been developed by David Gugelmann, Fabian Gasser, Bernhard Ager and Vincent Lenders. It was presented at DFRWS EU 2015 Annual Conference, Dublin, Ireland in March 2015, where it received the Best Paper Award.

On this Web page, we illustrate three sample scenarios: a challenge that was part of DFRWS 2009, Zeus malware activity and an obfuscated data upload.

For more information, check the paper or the slides of the presentation.

Remark on User Privacy

Web activity logs are sensitive data. Thus, we only visualize HTTP traces for which we can safely assume user consent. This includes traces with our own web activity crafted in a testbed, as well as traces published as part of forensic challenges.

DFRWS 2009

Hviz

(Interactive Hviz visualization of this trace; requires JavaScript to render.)

Discussion

The underlying trace file for this visualization is publicly available as part of a challenge at DFRWS 2009. (The original pcap-file named nssal-capture-1.pcap.bz2 can be downloaded here.)

In short, the DFRWS challenge was to find evidence that “inappropriate” images of the Mardi Gras carnival event in New Orleans had been published by a hacker named nssad. The suspect claims that he was not responsible for any transfer of data.

The Hviz visualization provides evidence that nssad had deliberately searched for such images on both Google and Yahoo and had visited the websites found. In this scenario, the causality of requests is easily investigated by looking at the graph visualized by Hviz.

Zeus malware

Hviz

(Interactive Hviz visualization of this trace; requires JavaScript to render.)

Discussion

This scenario shows a user browsing on BBC interleaved with Zeus malware communication. The Zeus malware family is among the most widespread trojans and specializes in stealing credentials.

We synthesize the example trace by merging a Zeus traffic sample with a short sample of a Web browsing session.

The C&C server of this Zeus sample was located at greenvalleyholidayresort.com (the domain has since been deleted). Zeus does not set fake Referer headers, i.e., it does not attempt to pretend that its communication is part of regular Web browsing. As a consequence, the bot's first request, which fetches the bot configuration, shows up as an unconnected yellow node between head requests 5 and 6. The following requests to greenvalleyholidayresort.com exfiltrate data from the infected workstation to the C&C server. Hviz highlights the corresponding uploads with red hatches, so that an analyst can spot them at a glance.

This trace additionally contains Windows Update background traffic and background traffic to Google. Requests without a Referer to various hosts under microsoft.com and google.com occur on many workstations, so the popularity filter fades out the corresponding yellow nodes.
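The three mechanisms this scenario relies on (linking requests by their Referer header, fading Referer-less requests to hosts that are common across many workstations, and marking large client-to-server transfers as uploads) can be reproduced on a plain request log. The following is an added example in Python; it is not the Hviz code. The log records, the request paths on the C&C domain, the popularity table and the byte thresholds are all constructed for illustration.

```python
"""Referer-based request linking, popularity filter and upload marking on an
HTTP request log, in the spirit of Hviz. Added example, not the Hviz code."""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass
class Request:
    ts: float                 # seconds since trace start
    method: str
    url: str
    referer: Optional[str]    # value of the Referer header, None if absent
    req_bytes: int            # bytes sent by the client (headers plus body)


@dataclass
class Node:
    url: str
    parent: Optional[str]     # URL of the referring request, None for an unconnected node
    out_bytes: int            # drives node size in a Hviz-style graph
    upload: bool              # would get red hatches in Hviz
    faded: bool               # popularity filter: common on many workstations


UPLOAD_BYTES = 4096   # assumed threshold: a POST sending at least this much is marked as an upload
MIN_HOSTS = 10        # assumed: fade Referer-less requests to hosts seen on >= 10 workstations


def build_graph(requests: List[Request], popularity: Dict[str, int],
                upload_bytes: int = UPLOAD_BYTES, min_hosts: int = MIN_HOSTS) -> Dict[str, Node]:
    """Turn each request into a node. The Referer header supplies the parent
    edge (that is what makes causality visible); `popularity` maps a host name
    to the number of workstations that issued Referer-less requests to it."""
    nodes: Dict[str, Node] = {}
    for r in requests:
        host = urlsplit(r.url).hostname
        nodes[r.url] = Node(
            url=r.url,
            parent=r.referer,
            out_bytes=r.req_bytes,
            upload=(r.method == "POST" and r.req_bytes >= upload_bytes),
            faded=(r.referer is None and popularity.get(host, 0) >= min_hosts),
        )
    return nodes


def unconnected(nodes: Dict[str, Node]) -> List[str]:
    """Referer-less nodes that survive the popularity filter: the yellow
    nodes an analyst should look at first."""
    return [n.url for n in nodes.values() if n.parent is None and not n.faded]


def children(nodes: Dict[str, Node], url: str) -> List[str]:
    """All requests whose Referer points at `url`."""
    return [n.url for n in nodes.values() if n.parent == url]


# Constructed log modelled on the scenario above: a BBC page load with two
# embedded objects, a C&C configuration fetch and a data upload without
# Referer, and Windows Update background traffic. Paths are made up.
LOG = [
    Request(0.0, "GET", "http://www.bbc.co.uk/news", None, 620),
    Request(0.3, "GET", "http://static.bbc.co.uk/news.css", "http://www.bbc.co.uk/news", 480),
    Request(0.4, "GET", "http://static.bbc.co.uk/logo.png", "http://www.bbc.co.uk/news", 470),
    Request(1.2, "GET", "http://greenvalleyholidayresort.com/cfg", None, 390),
    Request(2.5, "POST", "http://greenvalleyholidayresort.com/up", None, 18304),
    Request(3.0, "GET", "http://update.microsoft.com/check", None, 510),
]

# Constructed popularity table: how many workstations contacted each host
# without a Referer. Only the C&C domain is rare.
POPULARITY = {
    "update.microsoft.com": 42,
    "www.google.com": 40,
    "www.bbc.co.uk": 3,
    "greenvalleyholidayresort.com": 1,
}


if __name__ == "__main__":
    graph = build_graph(LOG, POPULARITY)
    for url in unconnected(graph):
        node = graph[url]
        tag = " [UPLOAD]" if node.upload else ""
        print(f"{url}: {node.out_bytes} bytes out{tag}; children: {children(graph, url)}")
```

Running the block lists three unconnected nodes: the BBC page (with its two embedded objects as children), the configuration fetch, and the upload, which is the only one marked as such. The Windows Update request is faded by the popularity table and does not appear, which mirrors why the microsoft.com and google.com nodes recede in the visualization above.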

Data upload

Hviz

(Interactive Hviz visualization of this trace; requires JavaScript to render.)

Discussion

File uploads as small as a few megabytes are clearly visible in Hviz, because Hviz scales nodes according to outgoing traffic volume.

To create a scenario that is more challenging than a plain file upload, we (i) use regular Web browsing as background noise during the data upload, and (ii) obfuscate the upload by splitting the file into small chunks and transmitting each chunk as a URL parameter in a request of its own. (We use the same background traffic as in the first example.) The splitting, the URL-safe base64 encoding and the URL encoding are implemented in JavaScript and run in the Web browser. The total upload volume is less than 2 MB. Most importantly, the splitting step keeps every individual request small, so simple detectors that trigger on HTTP POST requests or on request size do not raise an alarm.

This includes Hviz, which does not mark the node with red hatches as an upload. Still, the file upload becomes immediately apparent because node size is based on upload volume (the large yellow node connected to head request 3). Because all HTTP requests carrying the uploaded data were sent within a minute, Hviz aggregates them into a single event, rendered as one large node. To avoid this aggregation, an attacker could spread the requests over a prolonged period of time or over many different domains. Hviz would then create many smaller nodes instead; however, dozens or even hundreds of isolated events may again attract attention.
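Both sides of this scenario fit in a short script: the chunked upload over URL parameters, a per-request size detector that stays silent, and the volume aggregation that makes the upload visible anyway. The following is an added example in Python (the page's own splitter runs as JavaScript in the browser; this is not that code). The drop host, the query parameter names, the payload, the chunk size, the request interval and the detector threshold are all constructed for illustration.

```python
"""Chunked data exfiltration over URL parameters, and why aggregating outgoing
volume catches it when a per-request size check does not. Added example."""
import base64
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, quote, urlsplit

# (timestamp, url, referer, bytes sent by the client)
Record = Tuple[float, str, Optional[str], int]


def split_into_requests(host: str, referer: Optional[str], data: bytes, chunk_size: int,
                        start_ts: float, interval: float) -> List[Record]:
    """Attacker side: one GET per chunk. Each chunk is URL-safe base64 encoded
    and then percent-encoded so that it survives as a query parameter.
    The byte count only covers the request line, which is what the
    exfiltration costs on the wire apart from constant headers."""
    records: List[Record] = []
    for n, off in enumerate(range(0, len(data), chunk_size)):
        piece = base64.urlsafe_b64encode(data[off:off + chunk_size]).decode("ascii")
        url = f"http://{host}/pic?n={n}&d={quote(piece, safe='')}"   # constructed parameter names
        records.append((start_ts + n * interval, url, referer, len(url)))
    return records


def reassemble(records: List[Record]) -> bytes:
    """Forensic side: rebuild the file from the logged URLs, in chunk order."""
    pieces: Dict[int, bytes] = {}
    for _, url, _, _ in records:
        query = parse_qs(urlsplit(url).query)           # parse_qs also percent-decodes
        pieces[int(query["n"][0])] = base64.urlsafe_b64decode(query["d"][0])
    return b"".join(pieces[n] for n in sorted(pieces))


def oversized_requests(records: List[Record], max_url_len: int) -> List[str]:
    """A naive per-request detector: flags only individually large requests."""
    return [url for _, url, _, _ in records if len(url) > max_url_len]


def aggregate_by_head(records: List[Record], window: float) -> List[dict]:
    """Hviz-like aggregation: requests that share the same Referer (head
    request) and destination host, and start within `window` seconds of the
    first request in the bucket, are merged into one event whose out_bytes
    would drive the node size."""
    events: List[dict] = []
    for ts, url, referer, nbytes in sorted(records, key=lambda r: r[0]):
        host = urlsplit(url).hostname
        for ev in events:
            if ev["referer"] == referer and ev["host"] == host and ts - ev["first_ts"] <= window:
                ev["out_bytes"] += nbytes
                ev["count"] += 1
                break
        else:
            events.append({"referer": referer, "host": host, "first_ts": ts,
                           "out_bytes": nbytes, "count": 1})
    return events


# Constructed payload (10 KiB) and the page that hosts the splitting script.
SECRET = bytes(range(256)) * 40
HEAD_PAGE = "http://www.bbc.co.uk/news"
DROP_HOST = "drop.example.org"


if __name__ == "__main__":
    burst = split_into_requests(DROP_HOST, HEAD_PAGE, SECRET, 48, 100.0, 0.1)
    assert reassemble(burst) == SECRET
    print("oversized requests:", len(oversized_requests(burst, 2048)))
    for ev in aggregate_by_head(burst, 60):
        print(f"{ev['host']} via {ev['referer']}: {ev['count']} requests, {ev['out_bytes']} bytes out")
    spread = split_into_requests(DROP_HOST, HEAD_PAGE, SECRET, 48, 100.0, 30.0)
    print("events when spread 30 s apart:", len(aggregate_by_head(spread, 60)))
```

With 48-byte chunks every request is about 100 characters long, so a size detector with any realistic threshold sees nothing. Summed per head request and destination host, the same burst is a single event of roughly 21 kB sent in about twenty seconds, which is the large node in the visualization above. Spreading the requests 30 s apart breaks the burst into dozens of small events, the trade-off the discussion describes.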

(We obfuscated the host name of the testbed that we used for this trace.)

Last modified: 2015-01-06, dg