Botnet Analytics Blog

Blogging the Science of Botnet Analysis

Welcome Vicky!

Hello Guys,

We wish to welcome a new member to the Botnet Analytics team. Vicky has been a Security Analyst for the past few years, with expertise in botnet Command & Control communication; he is good at detecting and decoding that communication. He will be a Senior Analyst at Botnet Analytics, with the major role of researching and blogging at our KaffeNews web portal. Please welcome Vicky!

Thank you for choosing Botnet Analytics.

- EvilFingers

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic

This is another paper that we found while going through other material, “BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic”, which can be found here:

http://www.cs.purdue.edu/homes/bertino/426Fall2009/17_botsniffer_detecting_botnet.pdf

Abstract from the paper:

Botnets are now recognized as one of the most serious security threats. In contrast to previous malware, botnets have the characteristic of a command and control (C&C) channel. Botnets also often use existing common protocols, e.g., IRC, HTTP, and in protocol-conforming manners. This makes the detection of botnet C&C a challenging problem. In this paper, we propose an approach that uses network-based anomaly detection to identify botnet C&C channels in a local area network without any prior knowledge of signatures or C&C server addresses. This detection approach can identify both the C&C servers and infected hosts in the network. Our approach is based on the observation that, because of the pre-programmed activities related to C&C, bots within the same botnet will likely demonstrate spatial-temporal correlation and similarity. For example, they engage in coordinated communication, propagation, and attack and fraudulent activities. Our prototype system, BotSniffer, can capture this spatial-temporal correlation in network traffic and utilize statistical algorithms to detect botnets with theoretical bounds on the false positive and false negative rates. We evaluated BotSniffer using many real-world network traces. The results show that BotSniffer can detect real-world botnets with high accuracy and has a very low false positive rate.

The following are the authors for this paper:

Guofei Gu, Junjie Zhang, and Wenke Lee
School of Computer Science, College of Computing
Georgia Institute of Technology
Atlanta, GA 30332
{guofei, jjzhang, wenke}@cc.gatech.edu
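As an added illustration of the spatial-temporal correlation idea in the abstract above (this is not BotSniffer's own code or algorithm; the hosts, addresses and flow records are constructed), the following toy detector flags a remote server when several local hosts talk to it inside the same time windows and send messages of similar size:

```python
"""Toy spatial-temporal correlation detector over constructed flow records.
A remote server is flagged as a suspected C&C channel when several local hosts
talk to it inside the same time windows (crowd density) and send messages of
similar size (homogeneity). Illustration only, not BotSniffer's algorithm."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flows: (seconds, local_host, remote_host, remote_port, bytes_sent)
FLOWS = [
    # four local hosts answering the same IRC server at nearly the same moment, twice
    (5,   "10.0.0.11", "203.0.113.7", 6667, 190),
    (8,   "10.0.0.12", "203.0.113.7", 6667, 202),
    (12,  "10.0.0.13", "203.0.113.7", 6667, 195),
    (15,  "10.0.0.14", "203.0.113.7", 6667, 188),
    (305, "10.0.0.11", "203.0.113.7", 6667, 210),
    (307, "10.0.0.12", "203.0.113.7", 6667, 198),
    (311, "10.0.0.13", "203.0.113.7", 6667, 205),
    (318, "10.0.0.14", "203.0.113.7", 6667, 192),
    # ordinary web browsing: uncorrelated times, widely varying sizes
    (10,  "10.0.0.11", "198.51.100.20", 80, 512),
    (95,  "10.0.0.12", "198.51.100.20", 80, 4096),
    (200, "10.0.0.21", "198.51.100.20", 80, 1300),
    (400, "10.0.0.22", "198.51.100.20", 80, 2800),
    (500, "10.0.0.11", "198.51.100.20", 80, 960),
    (650, "10.0.0.12", "198.51.100.20", 80, 7200),
    # a single host talking to a lone server: too few clients to correlate
    (30,  "10.0.0.30", "192.0.2.9", 443, 300),
]

def group_by_server(flows):
    """Map each (remote_host, port) to its list of (time, local_host, bytes)."""
    servers = defaultdict(list)
    for t, src, dst, port, nbytes in flows:
        servers[(dst, port)].append((t, src, nbytes))
    return servers

def window_stats(events, window):
    """Per window: (start, fraction of the server's clients that were active,
    relative spread stdev/mean of their message sizes)."""
    clients = {src for _, src, _ in events}
    buckets = defaultdict(list)
    for t, src, nbytes in events:
        buckets[(t // window) * window].append((src, nbytes))
    stats = []
    for start, items in sorted(buckets.items()):
        active = {src for src, _ in items}
        sizes = [n for _, n in items]
        spread = pstdev(sizes) / mean(sizes) if len(sizes) > 1 else 1.0
        stats.append((start, len(active) / len(clients), spread))
    return stats

def suspected_cc(flows, window=60, min_clients=3, density=0.5,
                 max_spread=0.2, min_windows=2):
    """Return {server: correlated_window_count} for servers whose clients were
    active together with homogeneous sizes in at least min_windows windows."""
    hits = {}
    for server, events in group_by_server(flows).items():
        if len({src for _, src, _ in events}) < min_clients:
            continue  # one or two clients cannot form a "crowd"
        correlated = [s for s, d, sp in window_stats(events, window)
                      if d >= density and sp <= max_spread]
        if len(correlated) >= min_windows:
            hits[server] = len(correlated)
    return hits
```

With the constructed flows, `suspected_cc(FLOWS)` returns only the IRC server (`('203.0.113.7', 6667)`, correlated in 2 windows); the web server's clients are never active together and their sizes vary, so it is not flagged.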

Thank you for choosing botnet analytics!

A Multifaceted Approach to Understanding the Botnet Phenomenon

This is a great paper that we came across last week, while trying to understand the botnet phenomenon for the multi-stage botnet analysis tool that is currently under development.

ABSTRACT
The academic community has long acknowledged the existence of malicious botnets, however to date, very little is known about the behavior of these distributed computing platforms. To the best of our knowledge, botnet behavior has never been methodically studied, botnet prevalence on the Internet is mostly a mystery, and the botnet life cycle has yet to be modeled. Uncertainty abounds. In this paper, we attempt to clear the fog surrounding botnets by constructing a multifaceted and distributed measurement infrastructure. Throughout a period of more than three months, we used this infrastructure to track 192 unique IRC botnets of size ranging from a few hundred to several thousand infected end-hosts. Our results show that botnets represent a major contributor to unwanted Internet traffic—27% of all malicious connection attempts observed from our distributed darknet can be directly attributed to botnet-related spreading activity. Furthermore, we discovered evidence of botnet infections in 11% of the 800,000 DNS domains we examined, indicating a high diversity among botnet victims. Taken as a whole, these results not only highlight the prominence of botnets, but also provide deep insights that may facilitate further research to curtail this phenomenon.

We thought of sharing this with our readers. We have been really busy researching and developing the tool, which will be released soon. You can find the above paper at the following link:

http://www.cs.jhu.edu/~fabian/papers/botnets.pdf

Stay tuned for more updates on the tools that we will be releasing soon. Thank you for choosing botnet analytics!

Botnet Hosed – Coming Soon!

Botnet Hosed is a new project on the Botnet Analytics web portal. We are planning to work on online, client-side botnet detection. More about how it works will be released together with the website itself. We are collaborating with ShadowServer on this project and on many other projects under Botnet Analytics. We are hoping for more collaborations to expand our visibility.

If you are a list owner and would like to share your data, we could provide services in exchange. Let us know! You could always reach us at contact.fingers @ gmail.com to know more about collaboration, volunteering and other stuff.

Thank you for choosing botnet analytics!

Automating Analysis of Large-Scale Botnet Probing Events

When looking into automating botnet analysis, I found this great paper, “Automating Analysis of Large-Scale Botnet Probing Events”. This paper is from ASIACCS’09, March 10-12, 2009, Sydney, NSW, Australia. You can download it from: http://www.icir.org/vern/papers/probing-analy.ccs09.pdf

Abstract [Copied and pasted from the above link]:

Botnets dominate today’s attack landscape. In this work we investigate ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale “botnet probes”. In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer, using purely local observation, information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminate attack?
Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties such as trend, uniformity, coordination, and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that our inferences exhibit promising accuracy.

A really nice read for anyone who wants to understand more about the automation part of analysing large-scale botnet events. This is something most Security Operation Centers (SOCs) are moving towards, to provide a cost-effective solution instead of outsourcing the services completely. We hope that you enjoy reading the paper. Thank you for choosing Botnet Analytics!

Botnet Monitor

Hello guys,

Sorry for the delay in postings. We have been working on designing, developing and deploying tools that would help you secure yourself on a daily basis. To continue with our efforts, our next tool, scheduled for release in April/May 2010, is Botnet Monitor. The features of the tool, including how it works, its architecture and the user manual, will be released soon.

Feel free to contact us at contact.fingers@gmail.com. Thank you for choosing Botnet Analytics!

Busting Botnet-Herders – Behind the Scenes

We have been observing that “busting botnet-herders” is really happening these days, judging by the past few incidents, although we need to think about the big picture and what goes on behind the scenes. These are the questions that arise after we see such incidents:

  • Are these guys [who get arrested] the real guys behind the scenes? Or are they public representatives for those botnets?
  • What are the botnet-herders doing next, to avoid being caught?
  • There is an interference/intersection between underground & intelligence groups. How do the intelligence agencies deal with such issues?
  • Technology-wise, how are they modifying the following to stay current in evasion techniques:
    • Payloads
    • Propagation
    • Algorithm
    • Implementation
    • DDNS
    • and other stuff
  • The so-called “Top botnets” take the best from each botnet and implement it. Does this make it more complicated to detect & prevent?
  • Antivirus engines or security tools can, to begin with, detect only the “infection vector”. Some AVs quarantine it and some don’t, but later they might catch on to botnet activity towards known hostile IPs or domains. Does this mean that:
    • the users should reimage the host [industry best standard], as soon as they see traffic to possible hostile IPs?
    • the users should consider any Trojan or backdoor activity as possible botnet command & control activity, as it could lead to them?
    • the users should reimage the host for every malware triggered on the host?
  • Botnet herders code their botnets to spread through the following vectors. Does this help them expand their zombie networks really fast?
    • Phished websites
    • Malware sites
    • Hosed web servers
    • DNS poisoning
    • Client-side attacks
  • What could the next-generation botnets do?
  • Is commercializing of botnets anticipated? If the answer is “Yes”, does law enforcement have any response to it?
  • Do the courts all around the world realize that they should modify/work on their laws to ensure that these botnet herders get punished, no matter what part of the world they reside in? A classic example: the “Mariposa” botnet guys were arrested in Spain, even though Spain is lenient in various other aspects of infosec.
  • Will the botnet herders mix botnets with real-world tricks, like the phishing guys do:
    • SEO poisoning
    • Deceptive linking
    • Pharming
    • and other techniques

Hope this helped in opening your eyes to think more about botnets & their herders. Thank you for choosing Botnet Analytics!

Commercializing Botnets

The past few years have seen a big boom in the botnet world. Botnet herders [a.k.a. the creators of botnets] are commercializing botnets by showing how much more powerful their botnets are than existing ones. Some of them are good at one thing, while others are good at other stuff. Some of these are listed below:

• Infection Vector
• Propagation
• Payload
• Acquiring Zombies
• DDNS
• Simple Lifecycle
• Easy to communicate
• and more

Some of the famous botnets & botnet apps have been commercialized in recent days, although law enforcement is trying to bring such entities down. One of the most famous is the “Mariposa” botnet. Defense Intelligence was solely working on researching Mariposa and creating sinkholes to prevent users from communicating with the zombie network or from being hosed. Once a user is infected with the infection vector of a botnet, such as a Trojan, the user is taken to specific IPs or domains that then push out the malicious code that makes the host part of the zombie network. This is where sinkholes help: they keep users from reaching the real IP that holds the malicious code, and they help such security organizations detect the victims of the attack.
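As an added example of the sinkhole mechanism described above (not code from Defense Intelligence or any organization mentioned here; the sinkholed domains, addresses and resolver log lines are constructed), the following resolver-side logic answers queries for sinkholed domains with the sinkhole address and builds the victim list from the query log:

```python
"""Resolver-side sinkhole: answer queries for known-bad domains with the
sinkhole address and record which internal hosts asked (the victims).
Illustration only; domains, addresses and log lines are constructed."""
from collections import defaultdict

SINKHOLE_IP = "192.0.2.1"  # constructed: address of the defenders' sinkhole server
# constructed: domains taken over by the defenders (any subdomain also matches)
SINKHOLED = {"bad-example.test", "update-example.test"}

# constructed resolver query log, one "unix_time client qname" per line
QUERY_LOG = """\
1268668800 10.0.0.11 www.example.org
1268668803 10.0.0.12 cc1.bad-example.test
1268668810 10.0.0.11 cc1.bad-example.test
1268668815 10.0.0.13 mail.example.org
1268668820 10.0.0.12 update-example.test
1268668830 10.0.0.14 notbad-example.test
"""

def sinkholed_parent(qname, sinkholed=SINKHOLED):
    """Return the sinkholed domain that qname equals or sits under, else None.
    Matching is label-wise, so 'notbad-example.test' does not match."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in sinkholed:
            return candidate
    return None

def resolve(qname, upstream):
    """Hand back the sinkhole address for sinkholed names; otherwise ask upstream."""
    return SINKHOLE_IP if sinkholed_parent(qname) else upstream(qname)

def victims_from_log(log):
    """Map each client that queried a sinkholed name to first/last seen,
    query count and the sinkholed domains it asked for."""
    report = defaultdict(lambda: {"first": None, "last": None,
                                  "count": 0, "domains": set()})
    for line in log.strip().splitlines():
        ts, client, qname = line.split()
        parent = sinkholed_parent(qname)
        if parent is None:
            continue  # legitimate query, not a victim indicator
        entry = report[client]
        if entry["first"] is None:
            entry["first"] = int(ts)
        entry["last"] = int(ts)
        entry["count"] += 1
        entry["domains"].add(parent)
    return dict(report)
```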

I am not sure, but the following site looks like a commercialized version of Mariposa to me:

They call their product “Butterfly Flooder” and here is the list of features that they have proposed:

Features
Features (client):
• Direct code injection into remote process (part of module system) for automatic Windows Firewall bypass
• Module system (in-file & on-fly module loading mechanism)
• UDP flood with random data and packets sizes, configurable strength of flood
• Strong TCP flood, working with max power on all WINNT systems with configurable strength of flood
• USB spreader with on-fly autorun.inf content
• Downloader that downloads files via ButterFly Network Protocol (no need for third party HTTP or FTP servers)
• MSN spreader (hooking send and WSARecv functions) – completely version independent message replacer
• Visit module (client visit website; hidden or with default browser)
• External downloader – can download via HTTP, HTTPS and FTP protocols, extended options (user agent, additional request headers, target folder and filename, execute, melt and update options, single download option)
• NEW: Reverse Proxy Simple module with receiver (turn every client into proxy server instantly!)
• Post Data Grabber for Internet Explorer 6, 7 and 8 (catches all data sent by POST method, including HTTPS)
• Connect Hook for Internet Explorer, Firefox, Opera and Chrome (all versions)
• Adware Simple (advertise your website on clients while they browse world wide web)
• Cookie Stuffer for Internet Explorer and Mozilla Firefox
• NEW: Slowloris Flooder (great flooder for stress testing HTTP Web servers)
Features (protocol):
• Based on UDP
• Own application layer protocol
• Own acks, reliability control
• Support for transferring large data blocks
• Download modules over protocol
• Download third party software over protocol (also update)
• Configurable max upload per second for each peer
Features (server):
• Multithreaded design with variable number of threads selection for maximized performance
• Ability to configure frames per second to fine tune server’s CPU usage / latency ratio
• Ability to configure server’s overall max upload
• GEOIP client localization (accurate country info on clients)
• Automated modules distribution to clients without needed modules
Features (master):
• Multiple server connect instances possible
• Debug console
• Console on/off for each instance
• Client dump window
• On-join commands
• Timer commands
• One-time commands
• Various conditions for commands, can be used together (check screenshots)
• Console style commanding, from where any command can be issued (for “PROs”)

Are the Mariposa guys really arrested, or are those the ones who just do the front-end job [as in, communicate with the bots/zombies]? Is “http://bfsystems.net” part of the Mariposa network, or rather their commercialized version of Mariposa?

Whois data for BFSYSTEMS.NET:

 Whois Server Version 2.0
 Domain names in the .com and .net domains can now be registered
 with many different competing registrars. Go to http://www.internic.net
 for detailed information.
    Domain Name: BFSYSTEMS.NET
    Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
    Whois Server: whois.PublicDomainRegistry.com
    Referral URL: http://www.PublicDomainRegistry.com
    Name Server: NS11.LOVINGHOSTING.COM
    Name Server: NS12.LOVINGHOSTING.COM
    Status: ok
    Updated Date: 07-mar-2010
    Creation Date: 31-oct-2009
    Expiration Date: 31-oct-2011
 >>> Last update of whois database: Mon  15 Mar 2010 16: 23: 41 UTC <<<

67.43.3.69 falls in the IP range of DailyDNS:

 network: Class-Name: network
 network: ID: NETBLK-SPARKDAILYDN.67.43.3.69/32
 network: Auth-Area: 67.43.0.0/20
 network: Network-Name: SPARKDAILYDN-67.43.3.69
 network: IP-Network: 67.43.3.69/32
 network: IP-Network-Block: 67.43.3.69-67.43.3.69
 network: Organization;I: SPARKDAILYDN
 network: Org-Name: spark.dailydns.com
 network: Street-Address: po box 211
 network: City: wilbur
 network: State: wa
 network: Postal-Code: 99185
 network: Country-Code: US
 network: Tech-Contact;I: thecrazedking@aol.com
 network: Abuse: abuse@sourcedns.com

Domains Per Host indicates 1000’s of hosts on the same IP [67.43.3.69].

• Is Mariposa still up & running, and do we still see traffic to newer Mariposa-compromised hosts? The answer is “YES”.
• Has the arrest of those 3 guys changed anything relating to the working of Mariposa? The answer is “Not really!”.
• What are the various justifications for the current situation?
  • Could be that the botnets are modularized and sold to many places.
  • Open-source botnets make it harder for the security community.
  • The “Your Botnet is My Botnet” concept of Torpig makes it harder.
  • Metamorphic & polymorphic code makes research against botnets harder.
  • Competition in the botnet community: “Mine is better & bigger than yours”.
  • Commercializing botnets to the underground community helps them knock off more systems.
• Why would they do it open-source when they can commercialize it? Botnet modules can be taken by someone else and improvised to their situation or their creativity when the modules are open source. Someone always sees what someone else doesn’t. The botnet community is using this mentality to make their botnets stronger, bigger and more difficult to detect and prevent.

We are not sure about Butterfly networks or who is behind it, but their website & content look too spooky not to mention on this blog. If you guys from Butterfly networks feel that this isn’t true, kindly shoot us an email at contact.fingers@gmail.com and we will retract the post. Also, give a possible explanation as to how commercializing your UDP flood services would help anyone. Pentesters should also know their testing limits. Botnets getting sold to pentesters is not going to help them test whether their customers are protected against botnets. It might in fact compromise their customers & make them part of the zombie networks.

Hoping that this post was helpful in opening your eyes. Thank you for choosing Botnet Analytics!

Your Botnet is My Botnet: Analysis of a Botnet Takeover

The paper describes how one botnet can control the hosts hosed by another botnet. This is a really nice paper from the following authors:

Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski,
Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna
Department of Computer Science, University of California, Santa Barbara
{bstone,marco,sullivan,rgilbert,msz,kemm,chris,vigna}@cs.ucsb.edu

It is a really good read for anyone trying to understand the internals of the Torpig botnet.

Abstract:

Botnets, networks of malware-infected machines that are controlled by an adversary, are the root cause of a large number of security problems on the Internet. A particularly sophisticated and insidious type of bot is Torpig, a malware program that is designed to harvest sensitive information (such as bank account and credit card data) from its victims. In this paper, we report on our efforts to take control of the Torpig botnet and study its operations for a period of ten days. During this time, we observed more than 180 thousand infections and recorded almost 70 GB of data that the bots collected. While botnets have been “hijacked” and studied previously, the Torpig botnet exhibits certain properties that make the analysis of the data particularly interesting. First, it is possible (with reasonable accuracy) to identify unique bot infections and relate that number to the more than 1.2 million IP addresses that contacted our command and control server. Second, the Torpig botnet is large, targets a variety of applications, and gathers a rich and diverse set of data from the infected victims. This data provides a new understanding of the type and amount of personal information that is stolen by botnets.

You can read the paper here: http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf

We hope that you enjoy the paper, because we definitely did. Thank you for choosing our blog!

Botnet Monitor

When looking for botnet monitors, we found the following, which sounded really interesting:

Infiltrator

Infiltrator v0.1

— Posted by zeroq @ 17:19 – 15 Nov, 2007

For those of you interested in little helpful tools, I uploaded my infiltrator script for quick and dirty botnet monitoring. There is no documentation available right now, but usually a question mark in front of a command gives some hints (e.g. ? show all).

Have fun: infiltrator.tar.gz

Source: http://zeroq.kulando.de/post/2007/11/15/infiltrator_v01#comments

Rishi Botnet Detection

Rishi is botnet detection software, capable of detecting hosts infected with IRC-based bots by passively monitoring network traffic. A web interface provides additional information on found incidents.

Source: http://sourceforge.net/projects/rishi/

Both tools listed above were created by Jan Goebel. Just thought of sharing them with our users. Thank you for choosing our blog!