Botnet Analytics Blog

Jorge Mieres, our friend from Malware Intelligence group has published a new paper on Phoenix exploits. There has been a raise in the Zeus exploit toolkits and a great involvement of the underground from various countries around the world. It would be best for us to not name any specific country, as there are many unknown factors in any research we do. In this paper, Jorge has gone into the myth of a criminal business using Phoenix exploit toolkit as the main focus.

Introduction

“Criminal alternatives grow very fast in an ecosystem where day to day business opportunities are conceived through fraudulent processes. In this sense, the demand for resources for the cyber criminal isn’t expected and is constantly growing. Generally I find new crimeware looking to get a place and a good acceptance in the virtual streets of the world underground, trying to reflect a balance on the cost/benefit of the “product” promoted, that allows criminals to enter the market as quickly as possible. Similarly, crimeware already accepted in the well-known circuit and updated looking to optimize their “quality of service”. Phoenix Exploit’s Kit, despite its minimalist state compared to others in its style, is one of the most active malicious crimeware today. This paper presents a series of data on criminal activities and fraud carried out using Phoenix Exploit’s Kit as channel management, how often the cycle of criminal business on this crimeware and what are the exploits found in its different versions.”

To read more, check out:

English version
http://www.malwareint.com/docs/pek-analysis-en.pdf

Spanish version
http://www.malwareint.com/docs/pek-analysis-es.pdf

and if you could not reach the above link, you might want to check out the local version HERE. Thank you for choosing Botnet Analytics and thanks to Jorge Mieres for all his contribution to the security community.

EF

NOTE: This website is not created to list new stuff alone. This is a knowledge sharing portal. Hence, we would have old but ACTIVE/WORKING links and papers too. Kindly, do not comment or email about the same. Thank you.

Botnet Judo: Fighting Spam with Itself

Author(s):

Andreas Pitsillidis,    Kirill Levchenko, Geoffrey M. Voelker,    Vern Paxson,

Christian Kreibich,    Chris Kanich,  Nicholas Weaver,    Stefan Savage

Abstract
We have traditionally viewed spam from the receiver’s point of view: mail servers assaulted by a barrage of spam from which we must pick out a handful of legitimate mes- sages. In this paper we describe a system for better filtering spam by exploiting the vantage point of the spammer. By instantiating and monitoring botnet hosts in a controlled environment, we are able to monitor new spam as it is cre- ated, and consequently infer the underlying template used to generate polymorphic e-mail messages. We demonstrate this approach on mail traces from a range of modern bot- nets and show that we can automatically filter such spam precisely and with virtually no false positives.

Comments from Botnet Analytics:

This is a really nice paper for the academia. Since, there are 1000′s of papers out there and since you have very less time to search and then gather the info, we have been trying to comment on Research papers every once in a while. This is one such good paper that definitely deserve to be listed here. The paper is available at the following link (legality not tested):

http://cseweb.ucsd.edu/~voelker/pubs/judo-ndss10.pdf

Hoping that you like this! Let us know if you have any questions. We would be releasing botnet analytics tools pretty soon(date unknown).

Thank you for following us!

EF

This is another paper that we found when going through other stuff “BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic”, which can be found here:

http://www.cs.purdue.edu/homes/bertino/426Fall2009/17_botsniffer_detecting_botnet.pdf

Abstract from the paper:

Botnets are now recognized as one of the most serious security threats. In contrast to previous malware, botnets have the characteristic of a command and control (C&C) channel. Botnets also often use existing common protocols, e.g., IRC, HTTP, and in protocol-conforming manners. This makes the detection of botnet C&C a challenging problem. In this paper, we propose an approach that uses network-based anomaly detection to identify botnet C&C channels in a local area network without any prior knowl- edge of signatures or C&C server addresses. This detection approach can identify both the C&C servers and infected hosts in the network. Our approach is based on the observation that, because of the pre-programmed activities related to C&C, bots within the same botnet will likely demonstrate spatial-temporal correlation and similarity. For example, they engage in coordinated communication, propagation, and attack and fraudulent activities. Our prototype system, BotSniffer, can capture this spatial-temporal correlation in network traffic and utilize statistical algorithms to detect botnets with theoretical bounds on the false positive and false negative rates. We evaluated BotSniffer using many real-world network traces. The results show that BotSniffer can detect real-world botnets with high accuracy and has a very low false positive rate.

The following are the authors for this paper:

Guofei Gu, Junjie Zhang, and Wenke Lee
School of Computer Science, College of Computing
Georgia Institute of Technology
Atlanta, GA 30332
{guofei, jjzhang, wenke}@cc.gatech.edu

Thank you for choosing botnet analytics!

This is a great paper that we came across last week, when we were trying to understand the botnet phenomenon for implementing across the multi-stage botnet analysis tool that is in the process of development.

ABSTRACT
The academic community has long acknowledged the existence of malicious botnets, however to date, very little is known about the behavior of these distributed computing platforms. To the best of our knowledge, botnet behavior has never been methodically studied, botnet prevalence on the Internet is mostly a mystery, and the botnet life cycle has yet to be modeled. Uncertainty abounds. In this paper, we attempt to clear the fog surrounding botnets by constructing a multifaceted and distributed measurement infrastructure. Throughout a period of more than three months, we used this infrastructure to track 192 unique IRC botnets of size ranging from a few hundred to several thousand infected end-hosts. Our results show that botnets represent a major contributor to unwanted Internet traffic—27% of all malicious connection attempts observed from our distributed darknet can be directly attributed to botnetrelated spreading activity. Furthermore, we discovered evidence of botnet infections in 11% of the 800,000 DNS domains we examined, indicating a high diversity among botnet victims. Taken as a whole, these results not only highlight the prominence of botnets, but also provide deep insights that may facilitate further research to curtail this phenomenon.

We thought of sharing this with our readers. It has been really busy in researching and developing the tool that would be releasing soon. You could find the above paper at the following link:

http://www.cs.jhu.edu/~fabian/papers/botnets.pdf

Stay tuned for more update on the tools that we would be releasing soon. Thank you for choosing botnet analytics!

Botnet Hosed is a new project Botnet Analytics web portal. We are planning to work on online-based client-side botnet detection. More about the working will be releasing with the website itself. We are in collaboration with ShadowServer for this project and many other projects under Botnet Analytics. We are hoping for more collaborations to expand our visibility.

If you are a list owner and would like to share your data, we could provide services in exchange. Let us know! You could always reach us at contact.fingers @ gmail.com to know more about collaboration, volunteering and other stuff.

Thank you for choosing botnet analytics!

When looking for automating botnet analysis I found this great paper “Automating Analysis of Large-Scale Botnet Probing Events”. This paper is from ASIACCS’09 March 10-12, 2009, Sydney, NSW, Australia.  You can download it from : http://www.icir.org/vern/papers/probing-analy.ccs09.pdf

Abstract [Copied and pasted from the above link]:

Botnets dominate today’s attack landscape. In this work we investigate ways to analyze collections of malicious probing trafic inorder to understand the signifcance of large-scale “botnet probes”. In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer-using purely local observation-information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifcally targets the site, or is the site only incidentally probed as part of a larger, indiscriminant attack?
Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties such as trend, uniformity, coordination, and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that our inferences exhibit promising accuracy.

Really nice read for someone who wants to understand more about automation part of analysis of large scale botnet events. This is something towards which most of the Security Operation Centers (SOCs) are moving towards to provide a cost effective solution, instead of outsourcing the services completely. We hope that you enjoy reading the paper. Thank you for choosing Botnet Analytics!

Hello guys,

Sorry for the delay in postings. We have been working on designing, developing and deploying tools that would help you secure yourself on a daily basis. To continue with our efforts, our next tool for the release April/May 2010 is Botnet Monitor. The features of the tool, including working, architecture and user manual would be releasing soon.

Feel free to contact us at contact.fingers@gmail.com. Thank you for choosing Botnet Analytics!

We have been observing that “busting botnet-herders” is really happening these days starting with the past few incidents, although we need to think about the big picture & behind the scenes. These are the questions that arise after we see such incidents:

• Are these guys [who get arrested] the real guys behind the scene? Or are these guys Public Representatives for those botnets?
• What are the botnet-herders doing next, to prevent from being caught?
• There is an interference/intersection between underground & intelligence groups. How do the intelligence agencies deal with such issues?
• Technology wise, how are they modifying the following to stay current in evasion techniques:
  • Payloads
  • Propagation
  • Algorithm
  • Implementation
  • DDNS
  • and other stuff
• The so called “Top botnets” takes the best from each botnet and implements them. Does this make it complicated to detect & prevent it from happening?
• Antivirus Engines or Security tools can detect only on “Infection Vector” to begin with. Some AV’s quarantine them and some don’t, but later it might catch on Botnet Activity to known hostile IPs or domains. Does this mean that:
  • the users should reimage the host[industry best standards], as soon as they see traffic to possible hostile IPs?
  • the users should consider any Trojan or Backdoor activity as possible botnet command & control activity, as it could possibly lead to them?
  • the users should reimage the host for every malware triggered on the host?
• Botnet herders code their botnets to spread through the following vectors. Does this help them in expand their zombie networks really fast?
  • Phished websites
  • Malware sites
  • Hosed Webservers
  • DNS Poisoning
  • Client-side attacks
• What could the next generation botnets do?
• Is commercializing of botnets anticipated? If the answer is “Yes”, does law enforcement have any response to it.
• Do the courts all around the world realize that they should modify/work on their law to ensure that these botnet herders get punished, no matter what part of the world they are residing in. Classic example is, “Mariposa” botnet guys were arrested at Spain, even though Spain is lenient in various other aspects of infoSec.
• Will the  botnet herders mix botnets with real world issues like how phishing guys do:
  • SEO Poisoning
  • Deceptive linking
  • Pharming
  • and other techniques

Hope this helped in opening your eyes to think more into botnets & its herders. Thank you for choosing Botnet Analytics!

The past few years has been a big boom in the botnet world. Botnet herders [a.k.a. the creators of botnet] are commercializing botnets by showing how powerful their botnets are than existing botnets. Some of them are good at one thing, while certain others are good at other stuff. Some of them have been listed below:

• Infection Vector
• Propogation
• Payload
• Acquiring Zombies
• DDNS
• Simple Lifecycle
• Easy to communicate
• and more

Some of the famous botnets & botnet apps has been commercialized in recent days, although law enforcement is trying to bring such entities down. One of the most famous one is “Mariposa” botnet. Defense Intelligence was solely working on researching Mariposa and creating sinkholes to prevent users from communicating with the Zombie network or from being hosed. Though a user would be infected with infection vector of a botnet such as a Trojan, user would be taken to specific IPs or domains that would then push out the malicious code that makes them a part of Zombie network. This is where sinkholes help in protecting users from going to the real IP that holds the malicious code, and also to help such security organizations to detect the victims of this attack.

I am not sure, but the following site looks like a commercialized version of Mariposa to me:

They call their product as “Butterfly Flooder” and here is the list of Features that they have proposed:

Domains Per Host indicates 1000′s of hosts on the same IP[67.43.3.69].

• Is Mariposa still up & Running and do we still see traffic to newer Mariposa compromised hosts? The answer is “YES”.
• Have the arrest of those 3 guys changed anything relating to the working of Mariposa? The answer is “Not Really!”.
• What are the various justifications for the current situation:
  • Could be that the botnets are modularized and sold to many places.
  • Open-source botnets make it harder for security community.
  • Your Botnet is My Botnet concept of Torpig makes it harder.
  • Metamorphic & Polymorphic code makes it harder to prevent research against botnets.
  • Competition in the botnet community: “Mine is better & bigger than yours”.
  • Commercializing Botnets to the Underground community to help them knock off more systems.
• Why would they do it open-source when they can commercialize it? Botnet modules can be taken by someone else and improvised to their situations or to their creativity, when the modules are open source. Someone always see’s what someone else doesn’t. Botnet community is using this mentality in a way to make their botnets stronger, grow bigger & difficult to detect and prevent.

We are not sure about Butterfly networks or who is behind it, but their website & content looks too Spooky to make a mention over this blog. If you guys from Butterfly networks feel that this isn’t true, kindly shoot us an email to contact.fingers@gmail.com and we will retract the post. Also, give a possible explaination as to how commercializing your UDP flood services would help anyone. Pentesters should also know their testing limits. Botnets getting sold to Pentesters is not going to help them test if their customer’s are protected against botnets. It might infact compromise their customers & make them part of the Zombie networks.

Hoping that this post was helpful in opening your eyes. Thank you for choosing Botnet Analytics!

The paper described about how one botnet can control the hosts hosed by other botnets.  This is a really nice paper from the following author’s:

Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski,
Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna
Department of Computer Science, University of California, Santa Barbara
{bstone,marco,sullivan,rgilbert,msz,kemm,chris,vigna}@cs.ucsb.edu

It is a really good for everyone who are trying to understand about internals of Torpig botnet.

Abstract:

Botnets, networks of malware-infected machines that are controlled by an adversary, are the root cause of a large number of security problems on the Internet. A particularly sophisticated and insidious type of bot is Torpig, a malware program that is designed to harvest sensitive information (such as bank account and credit card data) from its victims. In this paper, we report on our efforts to take control of the Torpig botnet and study its operations for a period of ten days. During this time, we observed more than 180 thousand infections and recorded almost 70 GB of data that the bots collected. While botnets have been “hijacked” and studied previously, the Torpig botnet exhibits certain properties that make the analysis of the data particularly interesting. First, it is possible (with reasonable accuracy) to identify unique bot infections and relate that number to the more than 1.2 million IP addresses that contacted our command and control server. Second, the Torpig botnet is large, targets a variety of applications, and gathers a rich and diverse set of data from the infected victims. This data provides a new understanding of the type and amount of personal information that is stolen by botnets.

You can read the paper from here: http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf

We hope that you enjoy the paper, because we definitely did. Thank you for choosing our blog!