Digital Quorum Sensing for Self-Organizing Malware
Fioravanti, Mark Edward
INTRODUCTION: Malware authors present an interesting problem for the security community as they evolve and adapt to overcome network and host defenses. The determined adversary is a special class of malware author who may attempt to disrupt national interests. These adversaries may seek potentially novel Command and Control (C2) channels to coordinate their activities. Isolated and air-gapped networks pose an interesting challenge that these adversaries must adapt to in order to maintain persistence on those networks. In this work we propose that a determined adversary may seek to implement a digital quorum sensing system inspired by the quorum sensing systems that some bacteria use to coordinate their social behaviors.

OBJECTIVES: The primary objective of this research was to characterize a potential digital quorum sensing C2 channel that relies on subtly modifying the global packet distribution on a network.

METHODS: A proof of concept was developed and studied to determine whether a C2 channel based on quorum sensing is feasible. Based on the results of the proof of concept, a prototype was implemented and studied in a number of different networking environments in order to characterize the signal more fully. The strength of the quorum sensing signal (the independent variable) was adjusted, and a series of statistical tests determined the statistical significance of its impact on the global packet distribution.

RESULTS: Network packet captures from several different networks were analyzed with Friedman tests. When the probability of delaying a packet was approximately in the range (0.25, 0.1), the delay was statistically significant at alpha=0.05 for the global packet distribution but not for the packet counts observed from the individual hosts. Wilcoxon rank-sum tests were used to determine which portions of the data sets contained statistically significant deviations, at a significance level of 95% (alpha=0.05).

CONCLUSION: Digital quorum sensing could be used as a novel C2 channel, providing a determined adversary a unique method of coordinating activities on a network without allowing the network defender to identify the infected hosts. During the experiment it was observed that this signal is easy to disrupt by altering the time synchronization between the hosts on the network.
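The METHODS and RESULTS sections describe detecting the delay signal's effect on the global packet distribution with rank-based tests. The following is an added defender-side example, not code from the thesis or its prototype: it applies a two-sided Wilcoxon rank-sum test (normal approximation with tie correction, which is an assumption about how the test is computed here; the thesis does not state its implementation, and the Friedman test it also used is not implemented) to per-second packet-count bins from a monitored segment and flags capture windows whose distribution deviates from a baseline window at alpha=0.05. All packet counts are constructed sample data.

```python
import math
from typing import Dict, List, Sequence, Tuple

# Constructed sample data (not from the thesis): packets observed per
# one-second bin on a monitored segment. BASELINE is a reference window,
# QUIET is a later window with the same traffic profile, and DELAYED is a
# window in which a share of packets is being held back, which depresses
# the per-bin counts. Window names are hypothetical labels.
BASELINE = [48, 52, 50, 47, 53, 51, 49, 50, 46, 54,
            52, 48, 51, 49, 50, 53, 47, 52, 49, 51]
QUIET = [48, 49, 52, 47, 51, 53, 48, 50, 46, 52,
         49, 54, 51, 48, 50, 47, 53, 52, 49, 55]
DELAYED = [42, 45, 40, 44, 43, 41, 45, 39, 44, 42,
           43, 45, 40, 41, 44, 38, 43, 42, 45, 41]


def average_ranks(values: Sequence[float]) -> List[float]:
    """Rank values 1..n; tied values receive the mean of their rank positions."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j + 2) / 2.0  # positions i..j hold ranks i+1..j+1
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        i = j + 1
    return ranks


def rank_sum_test(a: Sequence[float], b: Sequence[float]) -> Tuple[float, float]:
    """Two-sided Wilcoxon rank-sum test of sample a against sample b.

    Uses the normal approximation of the rank-sum statistic W (sum of the
    ranks of a in the pooled sample) with the standard tie correction.
    Returns (z, p); z is negative when a tends to be smaller than b.
    """
    n1, n2 = len(a), len(b)
    n = n1 + n2
    pooled = list(a) + list(b)
    ranks = average_ranks(pooled)
    w = sum(ranks[:n1])
    mean = n1 * (n + 1) / 2.0
    # Tie correction: sum over tie groups of (t^3 - t)
    counts: Dict[float, int] = {}
    for v in pooled:
        counts[v] = counts.get(v, 0) + 1
    tie_term = sum(t ** 3 - t for t in counts.values())
    var = n1 * n2 / 12.0 * ((n + 1) - tie_term / (n * (n - 1)))
    if var == 0:  # every pooled value identical: no evidence of a shift
        return 0.0, 1.0
    z = (w - mean) / math.sqrt(var)
    p = math.erfc(abs(z) / math.sqrt(2))  # two-sided tail probability
    return z, p


def flag_windows(baseline: Sequence[float],
                 windows: Dict[str, Sequence[float]],
                 alpha: float = 0.05) -> Dict[str, Tuple[float, float, bool]]:
    """Compare each capture window against the baseline; flag those with p < alpha."""
    results = {}
    for name, counts in windows.items():
        z, p = rank_sum_test(counts, baseline)
        results[name] = (z, p, p < alpha)
    return results


if __name__ == "__main__":
    for name, (z, p, flagged) in flag_windows(
            BASELINE, {"quiet": QUIET, "delayed": DELAYED}).items():
        print(f"{name:8s} z={z:+.2f} p={p:.3g} {'DEVIATES' if flagged else 'ok'}")
```

Only windows whose per-bin counts shift relative to the baseline are flagged; a window with the baseline's own traffic profile stays unflagged. As the RESULTS note, this kind of test can surface a deviation in the aggregate distribution without pointing at any particular host, so it is a trigger for closer inspection rather than an attribution.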