Botnet Analytics Blog

Blogging the Science of Botnet Analysis

BrowserDefender – by ThreatExpert Team

BrowserDefender is a web portal from the ThreatExpert team, used for website safety lookups. The following is how they describe it:

Browser Defender™ Website Safety Lookup:

Web sites are tested for what we believe are excessive pop-ups, “phishing” and other fraudulent practices, and browser exploits. Downloads are tested for viruses and bundled adware, spyware or other possibly unwanted programs.

About:

Browser Defender™ was developed by the same team of professionals who created Threat Expert, the advanced automated threat analysis system. Threat Expert is known to produce reports with the level of technical detail that matches or exceeds antivirus industry standards such as those found in online virus encyclopedias.

The following is the main page of the site:

The following is a sample report for a site:

This is a pretty good research portal for protecting yourself from visiting malware sites, even ones that have mistakenly made it to the top of the Google search results. This is how Browser Defender looks when it is installed in the browser and a search is performed:





Browser Defender is a really great tool for protecting yourself from several types of malware, especially drive-by-download malware. Thank you for choosing our blog!

Pushdo Botnet – Update

ShadowServer published an article a few hours ago on Pushdo‘s update, quoted below:

Friday, 29 January 2010

Pushdo DDoS’ing or Blending In?

Is your site on the list we have posted here or in the table at the bottom of this page? If so you might have noticed a massive uptick in SSL connections to your website over the past week or so. What do I mean by massive? I mean you are likely seeing an unexpected increase in traffic by several million hits spread out across several hundred thousand IP addresses. No you didn’t read that wrong that is millions of hits and hundreds of thousands of IP addresses. This might be a big deal if you’re used to only getting a few hundred or thousands of hits a day or you don’t have unlimited bandwidth.

What’s going on here? Well it seems the Pushdo botnet recently made changes to its code to cause infected nodes to create junk SSL connections to approximately 315 different websites. Special thanks to Joe Stewart from SecureWorks for pointing this out earlier in the week when some of us were scratching our heads. Our friends over at ZeuS tracker noticed a big uptick in port 443 traffic to their website early this week. They thought they were being DDoS’d. Technically they are being attacked, although knocking the sites offline doesn’t seem to be the goal. The bots seem to start to initiate an SSL connection and a bit of junk to the websites and then disconnect. They do not actually request any resources from the website or do anything else other than repeat the cycle periodically. They are doing this to hundreds of sites all day long. We find it hard to believe this much activity would be used to make the bots blend in with normal traffic, but at the same time it doesn’t quite look like a DDoS either.

ZeuS tracker tells us they have counted multiple hundreds of thousands of unique IPs hitting their site in just over a 24 hour period. This is a lot of bots generating a lot of traffic. Check the list below or the link above to see if you too are a lucky recipient of this traffic.

Read more on ShadowServer’s – Pushdo DDoS’ing or Blending In?

Thank you for choosing our blog!

Emerging Threats: Botnet C&C Signatures

About EmergingThreats:

Emerging Threats is an open source community project. Through the support of our community we are able to produce the fastest moving and most diverse Snort Signature set and firewall rules available. Other related projects find a home here as well. Matt Jonkman manages this project (jonkman@emergingthreats.net).

Our content is free to use by any user or organization, commercial or private. We only ask that when you detect new threats in your environment or write new rules suitable for public release that you share that intelligence with the community at large. We update these rulesets as new information surfaces (usually several times a day 7 days a week) and highly recommend you update at least twice a week to stay up to date.  Daily is your best bet.

Emerging Threats has been in operation under several names since early 2003. We were formed originally as Bleeding Snort, but had to remove Snort from our name several years later for trademark issues. We then became Bleeding Threats. That project had to be abandoned and is defunct unfortunately because of some possible license conflicts that appeared to be arising, so the entire ruleset was moved here, to Emerging Threats. In 2008 we received grant funding from the Army Research Office and the National Science Foundation to continue this project and research.

Emerging Threats exists because of the contributions of intelligence and signatures by the community. We are grateful for our grant funding from the National Science Foundation and the Army Research Office. We give great thanks to those organizations for their support!

You can download our rulesets here, view our Documentation Wiki, or browse some of the other excellent projects that have found a home here.

We exist because of the community. These are your rules!

Sample botnet C&C rules from EmergingThreats:

alert tcp $HOME_NET any -> [109.74.196.127,110.44.26.158,112.216.12.244,115.165.178.40,
119.110.82.239,12.31.165.81,12.31.165.82,122.117.146.70,122.144.2.20,122.183.243.46,122.183.243.48,
124.158.128.129,124.40.3.92,125.160.17.71,125.160.17.72,125.40.126.201,128.121.20.113,128.194.112.48,
128.39.2.28,129.125.101.62,129.128.110.46,129.128.176.166,130.237.188.200,130.237.188.216,
130.239.18.157,130.240.22.201,137.82.84.68,139.175.160.252,140.211.166.64,141.213.238.252,
145.89.150.59,145.97.193.206,147.32.127.200,149.9.1.16,150.101.96.75,151.189.0.165,158.36.131.20,
158.38.8.251,163.178.205.7,163.19.14.2,173.45.124.226,173.45.124.227,174.120.182.86,174.129.139.32,
174.129.199.66,174.129.231.136,174.129.41.143,174.132.242.67,174.133.173.90,174.133.57.54,
174.133.63.91,174.137.55.10,174.138.58.102,174.139.16.131,174.139.16.132,174.139.16.134,
174.143.170.208,174.143.208.107,174.143.240.27,174.34.135.37] any (msg:"ET DROP Known Bot C&C Server
Traffic TCP (group 1) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src,
seconds 3600, count 1; classtype:trojan-activity; sid:2404000; rev:1791;)

alert udp $HOME_NET any -> [109.74.196.127,110.44.26.158,112.216.12.244,115.165.178.40,
119.110.82.239,12.31.165.81,12.31.165.82,122.117.146.70,122.144.2.20,122.183.243.46,122.183.243.48,
124.158.128.129,124.40.3.92,125.160.17.71,125.160.17.72,125.40.126.201,128.121.20.113,128.194.112.48,
128.39.2.28,129.125.101.62,129.128.110.46,129.128.176.166,130.237.188.200,130.237.188.216,
130.239.18.157,130.240.22.201,137.82.84.68,139.175.160.252,140.211.166.64,141.213.238.252,
145.89.150.59,145.97.193.206,147.32.127.200,149.9.1.16,150.101.96.75,151.189.0.165,158.36.131.20,
158.38.8.251,163.178.205.7,163.19.14.2,173.45.124.226,173.45.124.227,174.120.182.86,174.129.139.32,
174.129.199.66,174.129.231.136,174.129.41.143,174.132.242.67,174.133.173.90,174.133.57.54,
174.133.63.91,174.137.55.10,174.138.58.102,174.139.16.131,174.139.16.132,174.139.16.134,
174.143.170.208,174.143.208.107,174.143.240.27,174.34.135.37] any (msg:"ET DROP Known Bot C&C
Server Traffic UDP (group 1) "; reference:url,www.shadowserver.org; threshold: type limit,
track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404001; rev:1791;)

alert tcp $HOME_NET any -> [174.34.155.107,174.34.174.106,174.34.174.204,174.34.187.36,
174.34.187.37,174.34.187.44,174.34.187.46,174.36.194.109,188.165.47.211,188.40.203.43,
188.72.203.210,188.72.203.211,188.72.203.212,188.72.203.217,188.72.203.218,188.72.203.219,
188.72.203.231,188.72.211.171,188.72.212.42,188.72.218.74,188.72.226.31,188.72.236.123,
189.19.68.201,190.120.228.216,190.120.238.90,190.3.183.13,192.188.242.12,192.219.30.200,
193.104.94.11,193.108.43.213,193.109.122.77,193.136.119.33,193.136.216.101,193.138.215.226,
193.138.229.18,193.163.220.3,193.188.71.66,193.19.210.1,193.200.193.4,193.218.154.34,
193.219.61.23,193.27.229.245,193.33.179.4,193.34.88.17,193.40.58.131,193.43.88.137,193.43.88.138,
193.68.150.140,193.71.199.6,193.84.182.19,193.85.232.219,194.109.129.220,194.109.129.222,
194.109.20.90,194.109.206.106,194.109.206.107,194.109.64.131,194.117.246.5,194.124.229.59,
194.126.217.2] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 2) ";
reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1;
classtype:trojan-activity; sid:2404002; rev:1791;)

According to the reference field in these signatures (reference:url,www.shadowserver.org), the listed IPs were gathered from ShadowServer.org.

In the last 2 years, there has been a huge increase in the number of botnets. This means one or more of the following possibilities:

  • Increase in the number of botnet herders.
  • Increase in the number of hosed machines/zombies.
  • Increase in the number of vulnerable systems across the world.
  • Increase in data loss, data theft and other bad stuff.
  • Bot herders are significantly improving their expertise.
  • The good side is losing gradually, or is unable to catch up with the bad side.

In all the above cases, there is a hint of darkness/bad stuff. Drastic efforts have to be made in order to bring this to an end. This could be done in the following ways:

  • Sharing research data and findings.
  • The security community should fight collectively against the bad guys.
  • Money should not be the motive, although the returns for the effort put into this are good.
  • Courts should increase the severity of punishments, to deter the bot herders.
  • All countries across the world should agree on shutting down Dynamic DNS servers that make it onto the list of botnet C&C hosts.

This should be a good start toward reversing the growth in botnet counts. The EmergingThreats botnet C&C signatures were created with the intent of blocking outgoing traffic to possible botnet command & control hosts. This post was written with the intent of increasing awareness of botnet C&C rules.

Thank you for choosing our blog!

EF

Mariposa Botnet Analysis

We noticed that there was a great report on Mariposa botnet analysis by Defence Intelligence. We have posted it on our blog to share it with our readers. Credit: Defence Intelligence

About Defence Intelligence:

Defence Intelligence is a privately held information security firm specializing in compromise prevention and detection. Based in Ottawa, Canada, the founders of Defence Intelligence are globally recognized industry experts. They have headed information security for Fortune 50 companies, consulted with hundreds of private enterprises and government agencies, and have assisted in the capture and prosecution of international computer criminals.

The Defence Intelligence team consists of highly respected information security professionals who have been at the forefront of information security for the last fifteen years. Defence Intelligence team members have appeared on CNN, ABC, BBC, NBC, CBS, CBC, and Fox and been featured in national publications such as The Wall Street Journal, USA Today, The Washington Post, The Globe and Mail, and The National Post.

Chris Davis, CEO and founder, is “…one of the best in the business when it comes to cracking supposedly secure computer networks” according to CBC Fifth Estate.

The Advisory Board is very active and plays a pivotal role in the growth and development of Defence Intelligence. These industry leaders are involved on an ongoing basis and provide us with an unmatched wealth of knowledge and experience.

The following is the blog post on the official website:

Mariposa Botnet Analysis

Mariposa was first observed in May of 2009 by Defence Intelligence as an emerging botnet. In recent months, Mariposa has shown a significant increase in beaconing traffic to its command and control servers. This is indicative of an increasingly high number of compromised computers actively participating in the Mariposa botnet.

The most dangerous capability of this botnet is that arbitrary executable programs are downloaded and executed on command. This allows the bot master to infinitely extend the functionality of the malicious software beyond what is implemented during the initial compromise. In addition, the malware can be updated on command to a new variant of the binary, effectively reducing or eliminating the detection rates of traditional host detection methods.

Commands from the botnet master may be directed at participants in a specific country, individual computers, or all computers. As a result, the observation of the live command and control channel may not include all of the activity and capabilities of Mariposa.

The command and control channel employs custom encrypted UDP datagrams to receive instructions and transmit data. A detailed analysis of the encryption and message formats used by the protocol are presented in this paper.

During empirical analysis of internal controlled compromised systems, the following DNS domain names were observed as the command and control servers:

  • lalundelau.sinip.es
  • bf2back.sinip.es
  • thejacksonfive.mobi
  • butterfly.BigMoney.biz
  • bfisback.sinip.es
  • qwertasdfg.sinip.es

Over the last two weeks of analysis, two unique malicious programs were downloaded and executed on the compromised computers. One malware update was received during this period, introducing new command and control domain names, adding a ‘confirmation of download’ message, and renaming ASCII commands.

It has also been observed that the botnet participants are receiving Google custom search engine URL fragments in a command from the bot master. This indicates a possible hijacking of Google AdSense advertisement revenue.

This paper details the result of static binary analysis, a review of the command and control protocols including a breakdown of the encryption, and empirical behaviour analysis findings.

The full Mariposa Botnet Analysis is available in PDF form at defintel.com

This is an awesome contribution by Defence Intelligence to Botnet analysis. Thank you for choosing our blog!

EF

Blended Threats – Botnet or not?

Attacks that check for multiple ways to exploit a piece of software or a system, using a series of checks for combinations of vulnerabilities, come under the scope of blended threats. The attack can be performed by automated tools, semi-automated frameworks or worm infections. Today, drive-by-download malware spreads to the various clients visiting the malicious/hosed server by checking for the browser type and version and the vulnerabilities that exist in those versions. Blended threat looks like a long-lasting term in the threat landscape: attackers will always try various ways to achieve successful exploitation while evading detection and prevention devices/software.

Since the current threat landscape defines botnets as the most critical threat, every enterprise might look at blended threats as possible botnet activity. That does not make sense, right? The botnet life-cycle involves finding an infection vector, compromising the system, setting up a network of zombies and communicating with them for data theft, DDoS, etc. A blended attack involves compromising a system or software through various means. Although this could be used as the first step of a botnet life-cycle [the "infection vector" stage], it is not fair to label a blended attack as a possible botnet just to get customers' attention. Some might think of this as a proactive measure to stop the attack at the first stage itself. This is the same in most domains where there is a very thin line of separation between the various terms. How do we widen the lines of separation in such cases? It is something to think about…

Thank you for choosing our blog!

EF

BitBlaze: Binary Analysis for Computer Security

Overview of BitBlaze [Source: Berkeley Page]:

Binary analysis is imperative for protecting COTS (common off-the-shelf) programs and analyzing and defending against the myriad of malicious code, where source code is unavailable, and the binary may even be obfuscated. Also, binary analysis provides the ground truth about program behavior since computers execute binaries (executable), not source code. However, binary analysis is challenging due to the lack of higher-level semantics. Many higher level techniques are often inadequate for analyzing even benign binaries, let alone potentially malicious binaries. Thus, we need to develop tools and techniques which work at the binary level, can be used for analyzing COTS software, as well as malicious binaries.

The BitBlaze project aims to design and develop a powerful binary analysis platform and employ the platform in order to (1) analyze and develop novel COTS protection and diagnostic mechanisms and (2) analyze, understand, and develop defenses against malicious code. The BitBlaze project also strives to open new application areas of binary analysis, which provides sound and effective solutions to applications beyond software security and malicious code defense, such as protocol reverse engineering and fingerprint generation.

The BitBlaze project consists of two central research directions: (1) the design and development of the underlying BitBlaze Binary Analysis Platform, and (2) applying the BitBlaze Binary Analysis Platform to real security problems. The two research foci drive each other: as new security problems arise, we develop new analysis techniques. Similarly, we develop new analysis techniques in order to better or more efficiently solve known problems. Below, we give an overview of the two research directions. Here is an overview paper of the BitBlaze project.

This is one of the most popular research groups for researching botnets. The BitBlaze publications page has a really good list of publications, such as the ones listed below:

They have an online analysis page, where anyone can submit samples for analysis. This site lists W32.IRCbot and W32.Spybot.Worm analysis results as sample results. BitBlaze also has tons of current projects. Check it out when you get a chance. Giuseppe Bonfa, who has been working on the Malware Analytics project for the past year, mentioned BitBlaze to EvilFingers and we thought of sharing it with our blog readers. Thank you for choosing our blog!

Anushree

MalwareURL.com – Collection of Botnet Domains

About MalwareURL [Source: MalwareURL]:

“The MalwareURL Team is a group of Internet security experts dedicated to fighting malware, Trojans and a multitude of other web-related threats. Our database is built-up using proprietary software and analytic techniques to locate, assess and monitor suspected sources of web criminality. We provide invaluable and up-to-date information to everyone from interested individuals to the world’s leading Internet security organizations.”

MalwareURL imports data from the following sites:

  • VirusTotal
  • Wepawet
  • Anubis
  • Threat Expert

MalwareURL is used by the following sites:

  • MyWOT
  • Clean-mx
  • MalwarePatrol
  • hpHosts
  • MalwareDomainList
  • Zeus Tracker

The following is a snapshot of MalwareURL.com:

MalwareURL stats:

Total domains: 38985
Total IP addresses: 9815

This site is a very good resource for botnet IPs/Domains. Thank you for choosing our blog!
- Anushree

Norton – Safe Web from Symantec

Norton Safe Web is a great website analysis tool that combines automated research with community review. Pairing the automated research with human reviewers who leave comments helps users understand what is wrong, why it is wrong, and other details. The best part about Safe Web is that it also lists malware, drive-by downloads, trojans, spyware and botnet-related data where applicable. In this way, users can also be sure they do not get into trouble by visiting malicious sites. The following is about Norton Safe Web, copied and pasted from the official site:

What is Norton Safe Web?

Everyone knows that the Internet is huge, there are many online threats like viruses, phishing, and spyware, and there’s a lot of unsavory Web sites out there—Web sites that will try to deceive you, steal your credit card numbers or passwords, or even crash your computer. By the time you visit a Web site it’s usually too late. The damage has been done, you’ve been had. So, how can you find out if a Web site is a safety risk before you visit it?

The answer is right here!

Norton Safe Web is a new reputation service from Symantec. Our servers analyze Web sites to see how they will affect you and your computer. Then, using the Norton Toolbar installed on your PC, we let you know how safe a particular Web site might be before you view it. If you need to find out more about how a Web site might behave, we provide more detailed information right here on Norton Safe Web.

How to get involved?

Signing up for an account is easy—you just need to pick a user name and a password, and enter your email address. We won’t be sharing your email address with anyone, and we send very few emails. Sign up for Norton Safe Web Account to get started! If you are already a Norton user and have a valid Norton Account, it will work here too, so you don’t have to create another account!

Write a review of a Web site

Share your stories and experiences—good or bad—about any Web site that you feel strongly about! Help others avoid the same pitfalls that you’ve gone through on some sites. Plus, let us know which sites are extraordinary and exceptional.

This is how it looks when a malicious site is observed through the Norton Safe Web analysis page: the left column shows the research [general info and the threat report] and the right column shows the community review. To understand what they are trying to say, and to be safe about a site, one must understand the site categorization. It is listed on the official site, as below:

Once you understand this, you will know that it is safe to open only the sites listed under the green “SAFE” category. Even so, a SAFE rating does not mean a site is completely safe. Drive-by-download malware or botnet installers could also arrive through advertisement banners if the advertising contractor/company lets anyone and everyone advertise without validating them through proper measures. This is why many analysts have seen a user get compromised from a highly legitimate site that carried a web ad banner sub-contracted to a company that did not validate the advertiser or the advertisement. To ensure continuous business and avoid losing customers' trust, businesses should take proper measures to validate both the advertising party and the advertisement itself, to ensure the safety of their customers.

To conclude, Norton Safe Web is a great tool for understanding the site you are about to visit. It involves some overhead to check every site before you visit it, but it is the best way to protect yourself from getting hosed. It is definitely faster and preferable compared to the time it takes to reimage your host [the industry best practice] after each visit to a possibly suspicious/malicious website. We hope this article helped you understand the seriousness of website analysis.

Thank you for choosing our blog!

EF

Generic analysis of a botnet – with simple tools

Botnet analysis is a complex process, not as simple as clicking the “Next” button. It depends on how and where the botnet is detected and how you would like to analyze it:

In system-based detection, people look for the following:

  • Behavior Analysis:
    • Files
    • Registry entries
    • Memory
    • Processes
    • Network connections
  • Code Analysis

In network-traffic-based detection, people look for the following:

  • Protocol used
  • Ports involved
  • Traffic data/content
  • Source & destination IPs
  • Criticality of the source [e.g. from a DMZ/server]
  • Time-frame of the activity

In any given scenario, the tools you choose to analyze the botnet are really important for attaining good results. For performing behavior analysis, there are some well-known tools that are known for their accuracy/results.

Filesystem Analysis:

In here, analysts generally try to get an idea of:

  • Files added
  • Files deleted
  • Files edited/updated/modified

Filemon – This is a really good tool. Process Monitor is the newer tool that combines Filemon and Regmon into one single tool. File

Tripwire – This is a really neat tool for Linux boxes.
Project Details [Source: http://sourceforge.net/projects/tripwire/]:
“Open Source Tripwire software is a security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems. The project is based on code originally contributed by Tripwire, Inc. in 2000.”

File Monitor – is a tool that could be used to perform filesystem monitoring in a Mac OS X system. According to the file monitor developer page, the following are the features included in the tool [Source: http://alphaomega.software.free.fr/filemonitor/File%20Monitor.html]:

Features:
- You can monitor several files and folders at the same time.
- You can drag and drop files and folders to add them in the monitoring window.
- You can automatically add folders inside a root folder recursively.
- You can adjust the monitoring period.
- It can automatically start monitoring at launch.
- You can open modified files when their modification is detected.
- It can automatically send a full detailed email to any recipients when a modification is detected.
- It can monitor modification dates, and/or sizes, and/or numbers of contained files (for folders).
- It can automatically continue to monitor after a modification is detected.
- It can bounce its icon when a modification is detected.
- It can speak when a modification is detected.
- It doesn’t need any installation which makes it very easy to use.
- It is available in Dutch, English, French, German, Italian, Polish, Russian, Spanish and many other languages.
Read the whole documentation for more details…

Registry Analysis:

RegMon – This is a Microsoft (Sysinternals) tool for Windows registry monitoring. It is a really great tool for analyzing registry writes, reads and modifications.
Regshot – This is another tool for Windows (95/98/NT/2000/XP) [32-bit]. It takes two snapshots of the registry, before and after you run a program of your choice, and produces a DIFF [the differences] between the two snapshots, which tells you what changes were made to the registry. The things analysts look for are RegDelete and RegWrite operations; RegRead is used by software to read an existing registry value.
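The two-snapshot DIFF idea that Regshot applies to the registry is the same one the filesystem section above describes (files added, deleted, edited/updated). The following is an added Python example, not code from Regshot, Filemon or Tripwire: it snapshots a directory tree (path, size, SHA-256), runs a constructed stand-in for the sample's activity, snapshots again and classifies the differences. All file names in the demo are constructed.

```python
"""Added example: the two-snapshot DIFF technique that Regshot applies to the
registry, here applied to a directory tree so it runs anywhere Python does.
Not code from Regshot, Filemon or Tripwire."""
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(root):
    """Map relative path -> (size, sha256) for every regular file under root."""
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                data = path.read_bytes()
            except OSError:
                continue  # vanished or unreadable between listing and read: skip
            digest = hashlib.sha256(data).hexdigest()
            snap[path.relative_to(root).as_posix()] = (len(data), digest)
    return snap

def diff_snapshots(before, after):
    """Classify paths into added, deleted and modified (size or hash changed)."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }

def demo():
    """Constructed scenario in a temp dir: snapshot, simulate a sample's
    activity (drops two files, edits a config, deletes a log), snapshot, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.ini").write_text("update=off\n")
        (root / "old.log").write_text("nothing yet\n")
        (root / "readme.txt").write_text("unchanged\n")
        before = snapshot(root)
        # --- simulated behaviour of the analysed sample (constructed) ---
        (root / "svchost_fake.exe").write_bytes(b"MZ\x90\x00constructed-sample")
        (root / "drop").mkdir()
        (root / "drop" / "payload.dll").write_bytes(b"constructed")
        (root / "config.ini").write_text("update=on\n")
        (root / "old.log").unlink()
        after = snapshot(root)
        return diff_snapshots(before, after)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Hashing every file is what makes an edit that keeps the size identical still show up under "modified"; a tool that compares only timestamps misses that, and timestamps are trivially reset.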

Process[Memory] Analysis:

Since processes run in memory, some refer to this as memory analysis. There are several tools that can do this. Although Process Monitor [mentioned in the filesystem section] can do this, we generally put Process Explorer into this category, since it lists all the processes added or removed along with the ones currently running.

Process Memory Dumper[PMD] – is a Windows based tool. “Process Memory Dumper (PMD) is an application that allows you to dump the entire memory of the chosen process. NOTE: this is NOT a PE Dumper. PMD dumps the ENTIRE memory space of the process. We believe that this tool could help in Forensics and Credentials Disclosure Research.” – Source: EvilFingers.com.

Hidden Process Detector – is a Windows based tool that would list all the hidden processes created by the botnet/malware. “Hidden Process Detector (HPD) is our first tool that would run at the user end(client-side). This tool would detect and fix any hidden processes running on the system. This is a simple rootkit detection technique used for Windows rootkits.” – Source: EvilFingers.com.

Watsup – a simple system monitoring tool that lists the processes running at a given time, along with other information. There are other tools such as ps-watcher, a Perl program for monitoring a system via ps-like commands.

“This program runs the ps command periodically and triggers commands on matches. The match patterns are Perl regular expressions which can refer to the process information via variables.

For example it can be used to ensure that a daemon is running, or is not running too many times. It can also be used to determine when a process has consumed too many resources, perhaps due to a memory leak.” - Source: http://ps-watcher.sourceforge.net/
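As an added example of the ps-watcher idea (not ps-watcher's own code, which is Perl), the following Python parses a constructed `ps`-style listing and evaluates rules of the kind the quote describes: a process that must be present, one that must not run more than once, a pattern that should never appear, and a memory ceiling. The process list and the rule names are constructed for the demo.

```python
"""Added example: ps-watcher-style checks over a ps listing.
Regular expressions match the command line; each rule can demand a
minimum/maximum number of matches or a maximum resident size."""
import re

# Constructed output of something like `ps -eo pid,ppid,rss,args`
# (RSS in kB). The perl processes under /tmp stand in for a bot.
PS_OUTPUT = """\
  PID  PPID   RSS COMMAND
    1     0  1200 /sbin/init
  412     1  3100 /usr/sbin/sshd -D
  520     1  2400 /usr/sbin/cron
  777   412 41000 /usr/bin/perl /tmp/.x/bot.pl
  778   412 41500 /usr/bin/perl /tmp/.x/bot.pl
  900     1  1500 /usr/sbin/ntpd
"""

# Constructed rule set; keys: pattern (regex on the command line) plus
# any of min / max (match count) / max_rss_kb (per matching process).
RULES = [
    {"name": "sshd present", "pattern": r"^/usr/sbin/sshd\b", "min": 1},
    {"name": "single cron", "pattern": r"^/usr/sbin/cron\b", "max": 1},
    {"name": "perl from /tmp", "pattern": r"^/usr/bin/perl /tmp/", "max": 0},
    {"name": "big perl", "pattern": r"perl", "max_rss_kb": 40000},
]

def parse_ps(text):
    """Turn the listing into dicts; the command line keeps its spaces."""
    procs = []
    for line in text.splitlines()[1:]:  # skip the header row
        pid, ppid, rss, cmd = line.split(None, 3)
        procs.append({"pid": int(pid), "ppid": int(ppid),
                      "rss": int(rss), "cmd": cmd})
    return procs

def evaluate(procs, rules):
    """Return a list of (rule name, detail) for every violated rule."""
    findings = []
    for rule in rules:
        rx = re.compile(rule["pattern"])
        matches = [p for p in procs if rx.search(p["cmd"])]
        n = len(matches)
        if "min" in rule and n < rule["min"]:
            findings.append((rule["name"], f"expected at least {rule['min']}, found {n}"))
        if "max" in rule and n > rule["max"]:
            findings.append((rule["name"], f"expected at most {rule['max']}, found {n}"))
        if "max_rss_kb" in rule:
            for p in matches:
                if p["rss"] > rule["max_rss_kb"]:
                    findings.append((rule["name"], f"pid {p['pid']} rss {p['rss']} kB"))
    return findings

if __name__ == "__main__":
    for name, detail in evaluate(parse_ps(PS_OUTPUT), RULES):
        print(f"{name}: {detail}")
```

Running this periodically (as ps-watcher does) and diffing the findings between runs is what turns a one-off listing into monitoring.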

Activity Monitor – is a Mac OS X tool for Process & Memory monitoring. According to Apple.com [Source: http://www.apple.com/macosx/what-is-macosx/apps-and-utilities.html#activity]:

“Activity Monitor displays information about all of the processes running on your Mac, including CPU, disk, memory, and network usage. You can see exactly how your computer’s resources are being used via a searchable table, helpful graphs, or even directly in the Dock icon. You can view the processes organized in different groupings, quickly search for processes, and quit processes. Activity Monitor also makes it easy to see how your memory is being used and how much memory is available, as well as disk activity and data transferred over the network.”

Network connections:

System level network connections monitoring involves command line tools such as netstat, ipconfig/ifconfig, route, etc. There are other tools that are useful in determining other kinds of data.

Portmon – is a Windows based tool from Sysinternals. According to Sysinternals:

“Portmon is a utility that monitors and displays all serial and parallel port activity on a system. It has advanced filtering and search capabilities that make it a powerful tool for exploring the way Windows works, seeing how applications use ports, or tracking down problems in system or application configurations.”

TCPView is a network utility for Windows machines. It lists all the TCP & UDP connections from the system, including the state of each connection and whether it is local or remote.

Code Analysis

Code analysis is a huge, complex domain within botnet analysis. It takes tremendous man-hours, advanced tools and extensive knowledge to work out what the bad guys are doing in a particular piece of code. Some of the well-known tools in this domain are IDA Pro, SoftICE, OllyDbg and so on. But since our aim is only to list them, we are keeping this section short for now.

Network traffic based detection

Network-based detection of botnets is done through live traffic analysis or through log analysis. Some companies perform live traffic analysis [if they have the heavy infrastructure and manpower to support it] and some do log analysis. In log analysis, the analysts correlate the logs to find inbound scans from known or suspected botnet hosts, or outbound traffic from internal hosts to known or suspected botnet hosts. In either case, it is most important to have all the pieces of the puzzle, so as to reach a well-founded conclusion rather than jumping to immediate results.
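The outbound-to-known-C&C correlation described here is exactly what the Emerging Threats "ET DROP" rules quoted earlier encode, so the following added Python example (not Emerging Threats' or Snort's code) serves both passages: it parses two of the quoted rules, shortened to a few of their destination IPs, into header fields and options, then runs a constructed connection log through them while honouring the rule's `threshold: type limit, track by_src, seconds 3600, count 1` so that a chatty infected host produces one alert per hour rather than one per connection. The internal addresses and timestamps in the log are constructed.

```python
"""Added example: parse Emerging Threats 'ET DROP' rules like the ones
quoted above and correlate a constructed outbound-connection log
against them, honouring the rule's threshold (type limit, track by_src,
seconds 3600, count 1). Not code from Emerging Threats or Snort."""
import re
from datetime import datetime, timedelta

# Two rules shortened to a handful of destination IPs taken from the
# group 1 rules quoted on the page; the real rules list many more.
ET_RULES = [
    'alert tcp $HOME_NET any -> [109.74.196.127,110.44.26.158,112.216.12.244] any '
    '(msg:"ET DROP Known Bot C&C Server Traffic TCP (group 1) "; '
    'reference:url,www.shadowserver.org; threshold: type limit, track by_src, '
    'seconds 3600, count 1; classtype:trojan-activity; sid:2404000; rev:1791;)',
    'alert udp $HOME_NET any -> [109.74.196.127,110.44.26.158] any '
    '(msg:"ET DROP Known Bot C&C Server Traffic UDP (group 1) "; '
    'reference:url,www.shadowserver.org; threshold: type limit, track by_src, '
    'seconds 3600, count 1; classtype:trojan-activity; sid:2404001; rev:1791;)',
]

RULE_RE = re.compile(
    r'^alert\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+\[([^\]]+)\]\s+(\S+)\s+\((.*)\)\s*$')

def parse_rule(text):
    """Split one rule into header fields and an options dict."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unrecognised rule syntax")
    proto, src, sport, dsts, dport, opts = m.groups()
    options = {}
    for part in opts.split(";"):
        key, _, val = part.strip().partition(":")
        if key:
            options[key.strip()] = val.strip().strip('"').strip()
    threshold = {}
    for item in options.get("threshold", "").split(","):
        k, _, v = item.strip().partition(" ")
        if k:
            threshold[k] = v.strip()
    return {
        "proto": proto, "src": src, "sport": sport, "dport": dport,
        "dst_ips": set(dsts.split(",")),
        "msg": options.get("msg", ""), "sid": int(options["sid"]),
        "threshold": threshold,
    }

# Constructed firewall/connection log: "<ISO time> <src> <dst> <proto> <dport>".
CONNECTION_LOG = [
    "2010-01-29T10:00:05 10.1.1.20 109.74.196.127 tcp 443",
    "2010-01-29T10:20:00 10.1.1.20 110.44.26.158 tcp 80",    # same src, within 1 h
    "2010-01-29T10:30:00 10.1.1.21 8.8.8.8 udp 53",          # benign DNS
    "2010-01-29T11:30:00 10.1.1.20 109.74.196.127 tcp 443",  # new window for src
    "2010-01-29T11:40:00 10.1.1.22 110.44.26.158 udp 5000",  # hits the UDP rule
]

def correlate(rules, log_lines):
    """Return (time, sid, src, dst) alerts. 'type limit' is modelled as:
    emit at most `count` alerts per (sid, src) within each `seconds` window,
    the window starting at the first matching event."""
    windows = {}  # (sid, src) -> (window_start, alerts_in_window)
    alerts = []
    for line in log_lines:
        ts, src, dst, proto, _dport = line.split()
        t = datetime.fromisoformat(ts)
        for rule in rules:
            if rule["proto"] != proto or dst not in rule["dst_ips"]:
                continue
            thr = rule["threshold"]
            span = timedelta(seconds=int(thr.get("seconds", 0)))
            limit = int(thr.get("count", 1))
            key = (rule["sid"], src)
            start, n = windows.get(key, (None, 0))
            if start is None or t - start >= span:
                start, n = t, 0
            if n < limit:
                alerts.append((ts, rule["sid"], src, dst))
                n += 1
            windows[key] = (start, n)
    return alerts

if __name__ == "__main__":
    parsed = [parse_rule(r) for r in ET_RULES]
    for alert in correlate(parsed, CONNECTION_LOG):
        print(alert)
```

The threshold is why a rule like this is usable on a busy network: without it the 10.1.1.20 host above would generate an alert for every beacon, and the sid plus source address is the right key for the analyst, who wants to know which internal host is talking to a listed C&C, not how many packets it sent.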

Protocol Usage:

To learn more about the ICMP protocol, you can always use ICMPStuff, which gives a good description of some of the Type and Code combinations of ICMP messages. TCP and UDP are the most common protocols observed in network traffic, but other protocols can be seen too. Protocol analyzers are built into packet sniffers and log analysis tools.

Ports:

People see ports in different ways, just as anything can be put to multiple uses. Ports are really important:

  • To know the direction of traffic: one can judge it by distinguishing server-side ports from client-side ports.
  • To know if a service is authorized over that specific port: if your firewall is blocking it and someone inside is trying to go over it, then something is either wrong or someone is trying something beyond what is necessary.
  • To know the application/service: it is possible to determine the application or service from the traffic logs, if the traffic is NOT crafted and is doing what it is supposed to do. In the case of crafted packets, there are other indicators that tell us the traffic is out of the ordinary.

The Evilfingers PortsDatabase was created with the intent of sharing all the possible services and malicious traffic that could flow through each port. But it only lists them and does not explain them very clearly. We have started working on a new portal for a much more detailed ports database, called PortsAnalytics. It should be released soon, once we have gathered all the information we can and associated it with real-world data, to give a clear understanding of what each port could be used for, deviation from the norm, deviation from the RFC, etc.

Traffic/Packet Data:

Traffic data is the granular level of analysis, where the analyst looks at the original packet/content that was sent over the network. Here the analyst gets the full picture of what is really going on; once all the other pieces are put together, it is easier to conclude what is happening. If a botnet has encoded its traffic with Base64, the Evilfingers Base64 tool can help in encoding or decoding the packet. The Hex2ASCII and ASCII2Hex tools convert from hex to ASCII or vice versa when packets are in those formats. %u-encoded data can be decoded using the UUDecode tool; some people call this %u decoding and some call it UUDecode. JavaScript code or any website content can be analyzed using JSunpack and Wepawet. Anubis is a great tool for analyzing botnet binaries too. VirusTotal and ThreatExpert are a couple of analysis sites where one can upload a malware/botnet sample and analyze it; one can also search already-analyzed files by MD5 sum.
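As an added example (not from the original post and not Evilfingers' tools), the following Python helpers decode the three encodings just named, Base64, hex and %u, and guess which one an opaque payload string uses. The sample strings are constructed and all encode the same text.

```python
import base64
import binascii
import re

# Constructed samples (not captured traffic): the same plaintext,
# b"GET /cmd?id=77", in the three encodings discussed above.
SAMPLE_B64 = "R0VUIC9jbWQ/aWQ9Nzc="
SAMPLE_HEX = "474554202f636d643f69643d3737"
SAMPLE_PERCENT_U = "%u4547%u2054%u632f%u646d%u693f%u3d64%u3737"

# %uXXXX (16-bit unit), %XX (one byte), or any other single character
_PCT = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|(.)", re.S)


def decode_percent_u(text):
    """Decode JavaScript-style %uXXXX / %XX escapes to raw bytes.

    unescape() turns %uXXXX into one UTF-16 code unit, which sits in memory
    little-endian, so %u4547 becomes the bytes b"GE". Literal characters
    pass through as their Latin-1 byte value.
    """
    out = bytearray()
    for unit, byte, literal in _PCT.findall(text):
        if unit:
            out += int(unit, 16).to_bytes(2, "little")
        elif byte:
            out.append(int(byte, 16))
        else:
            out += literal.encode("latin-1")
    return bytes(out)


def hex_to_ascii(text):
    """Hex2ASCII: tolerate whitespace and 0x prefixes, return raw bytes."""
    return binascii.unhexlify(re.sub(r"\s|0x", "", text))


def guess_and_decode(blob):
    """Pick the most plausible encoding of an opaque payload string.

    Order matters: a hex string is also valid Base64, so the stricter
    tests run first. Returns (encoding_name, decoded_bytes), or
    ("unknown", b"") when nothing fits.
    """
    s = blob.strip()
    if re.search(r"%(?:u[0-9a-fA-F]{4}|[0-9a-fA-F]{2})", s):
        return "percent-u", decode_percent_u(s)
    if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", s):
        return "hex", hex_to_ascii(s)
    if len(s) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        try:
            return "base64", base64.b64decode(s, validate=True)
        except binascii.Error:
            pass
    return "unknown", b""


if __name__ == "__main__":
    for sample in (SAMPLE_B64, SAMPLE_HEX, SAMPLE_PERCENT_U):
        print(sample, "->", guess_and_decode(sample))
```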

Source & Destination IPs:

There are many subnet-masking tools, IP tools and IP conversion tools that can help in analyzing IPs. Knowing the range of internal IPs is the first step. Once that is known, it is easier to tell whether traffic is internal, external or inbound: if it is external, why do we see it in our firewall, and if it is inbound, why is it coming from an IANA-reserved range of IPs? Knowing the direction of traffic is most important when it comes to determining the criticality of botnet activity. IP conversions can be done at IPStuff, SubnetCalculator can help you understand the subnet mask and the breadth of your network, and IPTools is a good site for Ping, Domain Info, IP to Country, CIDR, Traceroute, DNS Lookup, Spam DB Lookup, Whois Lookup (Domain), Reverse DNS Lookup, ISP Cached DNS, Resolve Host, Whois Lookup (IP), URL Obfuscator/De-obfuscator, Abuse Contact Lookup, Tracepath and more.

Dynamic block lists are a good place to look for SMTP-related botnets. There are some really cool online tools that maintain a history of such IPs; DNSRBL is one of them. “A DNSBL (DNS-based Blackhole List, Block List, or Blacklist; see below) is a list of IP addresses published through the Internet Domain Name Service in a particular format. DNSBLs are most often used to publish the addresses of computers or networks linked to spamming; most mail server software can be configured to reject or flag messages which have been sent from a site listed on one or more such lists.” – Source: Wikipedia. Sample implementations can be found at Spamhaus, Senderbase, Malware Domains, Project Honeypot and others. The EmergingThreats botnet command-and-control signatures include a list of IPs, among them ShadowServer‘s list of possible botnet IPs. The Honeynet Project is one of the first honeypot projects that allowed people from around the world to contribute, share and correlate possible botnet and other malware data. It is great to share such valuable information, since the public should know how to differentiate between the good and the bad. There are projects that list the details of domains based on scans or related data. Web of Trust [WOT] rates a site based on community voting, whereas Norton Safeweb, McAfee SiteAdvisor, ThreatExpert BrowserDefender and certain others work by analyzing crawled website data.

Criticality of the Source host:

In real-time analysis, it is important to ensure that the source host is not a critical system. Criticality depends on the purpose of the source host: whether it is important for running the business, whether it contains sensitive data, whether it is something the business cannot survive without, etc., such as a web server, a backend server, or other hosts in the DMZ that provide dedicated services. Tools like HIDS/HIPS [Host-based Intrusion Detection System/Host-based Intrusion Prevention System] can be used on critical servers to protect them to a certain extent from being hit, even if the malware/botnet has penetrated the firewall and the network-based intrusion detection/prevention devices. OSSEC, Samhain, Osiris, AIDE, etc. can be used as HIDS to protect critical hosts. To protect your web server you could use ModSecurity, a free [open-source] web application firewall.

Timeframe:

The time-frame is really important for understanding botnet propagation. Without it, it is hard to say whether the botnet has infected the internal host, which then initiated the traffic, or whether the internal host is merely responding to a scan performed by the botnet herder. The time-frame is also important for determining when and how exactly the compromise occurred, and for other kinds of correlation.
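Added example, not from the original post: a small Python correlation script that applies the points above (internal ranges and traffic direction, known botnet host lists, blocked outbound ports, IANA-reserved sources, and the time-frame question of who spoke first) to a few constructed firewall log lines. The internal range, the known-bad list and the log format are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed firewall log lines (not from a real device), in the format
# <ISO time> <action> <src>:<sport> -> <dst>:<dport>
SAMPLE_LOG = """\
2010-01-29T10:00:01 ACCEPT 198.51.100.4:40211 -> 10.0.5.17:445
2010-01-29T10:00:09 ACCEPT 10.0.5.17:49152 -> 203.0.113.9:443
2010-01-29T10:00:10 DROP   10.0.5.22:49201 -> 203.0.113.9:6667
2010-01-29T10:00:12 ACCEPT 240.0.0.1:1234 -> 10.0.5.17:80
2010-01-29T10:00:15 ACCEPT 10.0.5.17:49153 -> 10.0.5.30:445
"""

# Assumed internal range, and a constructed "known botnet host" list that
# stands in for a DNSBL or C&C feed (documentation ranges used as stand-ins).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
KNOWN_BAD = [ipaddress.ip_network("198.51.100.4/32"),
             ipaddress.ip_network("203.0.113.0/24")]

LINE = re.compile(r"(\S+)\s+(\w+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)")


def in_nets(ip, nets):
    return any(ip in net for net in nets)


def direction(src, dst):
    """Direction follows from which ends fall inside the internal ranges."""
    table = {(True, False): "outbound", (False, True): "inbound",
             (True, True): "internal"}
    return table.get((in_nets(src, INTERNAL), in_nets(dst, INTERNAL)), "transit")


def correlate(log_text):
    """One pass over the log; one finding per line that needs a look."""
    findings = []
    for m in LINE.finditer(log_text):
        ts, action = datetime.fromisoformat(m.group(1)), m.group(2)
        src, dst = ipaddress.ip_address(m.group(3)), ipaddress.ip_address(m.group(5))
        dport, d = int(m.group(6)), direction(src, dst)
        reasons = []
        if d == "outbound" and in_nets(dst, KNOWN_BAD):
            reasons.append("outbound to known botnet host")
        if d == "inbound" and in_nets(src, KNOWN_BAD):
            reasons.append("inbound scan from known botnet host")
        if d == "inbound" and src.is_reserved:  # IANA reserved (240.0.0.0/4)
            reasons.append("inbound from IANA reserved range")
        if d == "outbound" and action == "DROP":
            reasons.append("blocked outbound attempt on port %d" % dport)
        if reasons:
            findings.append({"time": ts, "dir": d, "src": str(src),
                             "dst": str(dst), "dport": dport, "reasons": reasons})
    return findings


def who_initiated(findings, host, window=timedelta(minutes=5)):
    """Time-frame check: an inbound event followed by outbound traffic within
    the window suggests the host is answering a scan; outbound first means
    the internal host initiated the contact."""
    mine = sorted((f for f in findings if host in (f["src"], f["dst"])),
                  key=lambda f: f["time"])
    if not mine:
        return "no activity"
    first = mine[0]
    later = [f for f in mine[1:] if f["time"] - first["time"] <= window]
    if first["dir"] == "inbound" and any(f["dir"] == "outbound" for f in later):
        return "responding to scan"
    return "host initiated" if first["dir"] == "outbound" else "scanned only"


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f["time"].time(), f["dir"], f["src"], "->", f["dst"], f["reasons"])
    print("10.0.5.17:", who_initiated(correlate(SAMPLE_LOG), "10.0.5.17"))
```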

Conclusion:

This article was written to give a generic view of botnet analysis, along with some of the simpler tools, for our users to understand. Our intent in this article was not to go deep into botnet analysis or into any of these tools. The forthcoming articles/blogs will be on how to use these tools to make the most of them in your botnet analysis. We are also planning to help you set up a botnet home lab, where you can run simple tools and analyze things from home. Keeping things simple always helps. Kindly educate yourself on what not to do and how things could affect you if done incorrectly, before you do something terribly wrong. Glad to share our stuff with you. Thank you for choosing our blog!

Anushree

JSunpack – JavaScript unpacker from Jeek.org

JSunpack is a JavaScript unpacker from iDefense, created by Blake Hartstein. The JSunpack blog lists all the latest updates and research on the tool, so its users can stay up to date on what is going on with it.

Sample post:

Friday, January 8, 2010
Jsunpack-n update 0.3.1c: Decoding and Functionality Updates
I just released a new version of jsunpack-n, this version has some great new features! First off, it handles new decoding techniques like PDF annots. What are Annots you ask? Well, it's just like getElementByID but for PDF files. This allows exploit authors to store arbitrary content within a PDF file then access that content directly from javascript using the getAnnots() function. Similarly, attackers have been using the “this.info.title” variable also! This version of jsunpack-n supports both of these new obfuscation techniques.

I also added many improvements to PDF decoding and added a few new detection rules for new exploits. You will find that I’ve also added many new sample-* files for jsunpack-n users to test with and see what jsunpack-n is capable of.

IDEA: I’ve been considering creating an svn repository to store high volumes of pcaps and malicious samples … if there is interest contact me or let me know if you would find it valuable.

Updates 2010-01-08 version 0.3.1c
1) pdf improvements
1a) handling and decoding of pdf annots (see sample-pdf-annots.file)
1b) octal-based object decoding support
1c) handling of obfuscation for this.info.title (see sample-infoTitle.pcap)
2) graphing in verbose mode now displays all nodes rather than just malicious ones, increased node limit to 60
3) bug fix for gzip python library to better handle IOError case for ‘Not a gzipped file’
Posted by jsunpack at 8:20 AM

JSunpack-n is the network version of JSunpack, which lets users run it locally. The most recent version, JSunpack-n v0.3.1c, can be downloaded from: http://jsunpack.jeek.org/jsunpack-n.tgz. The following post from the jsunpack blog explains more about jsunpack-n:

Sunday, June 7, 2009
Very Cool jsunpack-n release: JavaScript Decoding on the Network (The Future)
My favorite tools to decode JavaScript today are for security research and often have too little impact because administrators must find URLs, submit them for research, and it requires significant additional effort. There is no current way to detect threats against a real network using these tools in an automatic manner.

Until now! I started building a tool that is useful to administrators defending networks. The main difference is that it is a completely passive JavaScript decoder to perform Intrusion Detection, by processing network traffic (either an interface or pcap file), rather than URLs.

I built a basic implementation of this concept as a new version of “jsunpack-network” or (jsunpack-n). Some of the benefits of this technique are:

* Tracks streams and decodes Transfer and Content encodings of types chunked and gzip.

* Completely passive: Don’t need to worry about User-Agents, proxies, or other tricks that attackers use to prevent analysis

* Detect if an exploit is successful: the system monitors all URLs. It can determine if an exploit would fetch another URL and when the client requests that URL, the system knows that the exploit was successful.

The source code for this project is available from http://jsunpack.jeek.org/jsunpack-n.tgz. Here is an example output using the test file (included in the jsunpack-n.tgz archive):

$ ./jsunpack-n.py sample-http-exploit.pcap
DECODED JavaScript Data
exploit_watch append hxxp://hifgejig.cn/nuc/exe.php

The exploit_watch variable tracks all URLs to track if an exploit is successful and if it is, then the script prints the associated IP addresses and URLs:

print 'Exploit Successful ', tcp.addr, ' from URL ', exploit_watch[host+url]

Since this project is very new, I expect there will be a few issues and therefore you run this at your own risk. I am releasing this code as alpha/unstable, because I think that there is a lot of opportunity to improve it.

Two of the areas that are completely lacking at this point are

* signature-based detection

* pdf decoding

I am releasing a PDF decoding script with this code, available in the jsunpack-n.tgz archive called “pdf.py”; however, I haven’t integrated it with jsunpack-n yet. While this should be a simple task, I’m still testing and improving the PDF decoding, as it now only handles a few of the decoding techniques I’d like it to support.

Please leave me your comments (good or bad), to improve the project. I haven’t fully integrated jsunpack’s algorithms yet (I will soon, I promise).
Posted by jsunpack at 4:23 PM
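As an added example (not jsunpack-n's own code), the following Python sketch reproduces the exploit_watch idea from the post above: URLs found in decoded script content are recorded, and a later client request for one of them is reported as a successful exploit. The URL extraction is a plain regex standing in for jsunpack's decoder, and the HTTP events are constructed.

```python
import re
from collections import namedtuple

# One observed HTTP message: kind is "request" or "response"; body is the
# (already decoded) content of a response, empty for requests.
Event = namedtuple("Event", "client kind host path body")

# Constructed traffic, not a real capture: a landing page whose script
# points the browser at a second URL, which one client then fetches.
SAMPLE_EVENTS = [
    Event("10.0.5.17", "request", "www.example.net", "/landing.html", ""),
    Event("10.0.5.17", "response", "www.example.net", "/landing.html",
          "<script>var f=document.createElement('iframe');"
          "f.src='http://payload.example.org/nuc/exe.php';</script>"),
    Event("10.0.5.40", "request", "www.example.net", "/about.html", ""),
    Event("10.0.5.40", "response", "www.example.net", "/about.html", "<p>hi</p>"),
    Event("10.0.5.17", "request", "payload.example.org", "/nuc/exe.php", ""),
]

URL_RE = re.compile(r"https?://([^/\s'\"<>]+)(/[^\s'\"<>]*)?")


def extract_urls(decoded_script):
    """Stand-in for jsunpack's JavaScript decoder: it only pulls literal
    URLs out of script text. Returns (host, path) pairs, path defaulting to /."""
    return [(host, path or "/") for host, path in URL_RE.findall(decoded_script)]


def defang(host, path):
    """Print URLs the way the post's output does (hxxp://...)."""
    return "hxxp://%s%s" % (host, path)


class ExploitWatch:
    """exploit_watch maps host+url -> the page whose decoded code referenced it."""

    def __init__(self):
        self.watch = {}
        self.reports = []

    def see_response(self, ev):
        # Every URL produced by decoding goes on watch, keyed by host+path.
        for host, path in extract_urls(ev.body):
            self.watch.setdefault((host, path), defang(ev.host, ev.path))

    def see_request(self, ev):
        # A later request for a watched URL means the decoded code ran.
        origin = self.watch.get((ev.host, ev.path))
        if origin is None:
            return None
        msg = "Exploit Successful %s from URL %s" % (ev.client, origin)
        self.reports.append(msg)
        return msg

    def process(self, events):
        for ev in events:
            if ev.kind == "request":
                self.see_request(ev)
            else:
                self.see_response(ev)
        return self.reports


if __name__ == "__main__":
    for line in ExploitWatch().process(SAMPLE_EVENTS):
        print(line)
```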

The slides from the 2009 Shmoocon presentation of JSunpack are available here.

JSunpack also lists the 20 most recent decodings and executables, which helps users know what others are seeing. If someone is seeing something interesting, you can also see it there. An example of a successful executable is shown below:

Sections ( .text .rdata .data .ndata .rsrc )
File: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
Strings:Software\Microsoft\Windows\CurrentVersion
Strings:http://nsis.sf.net/NSIS_Error
Strings:.exe
Strings:Nullsoft Install System v2.39

Size: 163944 bytes,
MD5: ac0d49c97ca2f09cc941b07a4a0e86b1

Searching for the MD5 ac0d49c97ca2f09cc941b07a4a0e86b1 in the VirusTotal hash database gave the following result [to view the result in VirusTotal, click here]:

File d029d903058ce7c7d34d680107110e228 received on 2009.12.13 11:45:46 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.13 -
AhnLab-V3 5.0.0.2 2009.12.12 -
AntiVir 7.9.1.108 2009.12.11 DR/Click.Agent.exx
Antiy-AVL 2.0.3.7 2009.12.11 Trojan/Win32.Agent.gen
Authentium 5.2.0.5 2009.12.02 W32/Trojan2.JXSQ
Avast 4.8.1351.0 2009.12.12 Win32:Adware-gen
AVG 8.5.0.427 2009.12.13 Clicker.UHH
BitDefender 7.2 2009.12.13 Generic.Adw.Rotator.B35AD0F1
CAT-QuickHeal 10.00 2009.12.12 -
ClamAV 0.94.1 2009.12.13 Trojan.BHO-3774
Comodo 3228 2009.12.13 TrojWare.Win32.TrojanClicker.Agent.exx
DrWeb 5.0.0.12182 2009.12.13 Trojan.Click.28633
eSafe 7.0.17.0 2009.12.10 Win32.DRClick.Agent
eTrust-Vet 35.1.7171 2009.12.11 -
F-Prot 4.5.1.85 2009.12.12 W32/Trojan2.JXSQ
F-Secure 9.0.15370.0 2009.12.13 Generic.Adw.Rotator.B35AD0F1
Fortinet 4.0.14.0 2009.12.13 Adware/Agent
GData 19 2009.12.13 Generic.Adw.Rotator.B35AD0F1
Ikarus T3.1.1.74.0 2009.12.13 Virus.Win32.Agent.ABKG
Jiangmin 13.0.900 2009.12.13 Adware/Clicker.jez
K7AntiVirus 7.10.918 2009.12.11 Trojan-Clicker.Win32.Agent.exx
Kaspersky 7.0.0.125 2009.12.13 Trojan-Clicker.Win32.Agent.exx
McAfee 5830 2009.12.12 potentially unwanted program Generic PUP
McAfee+Artemis 5830 2009.12.12 potentially unwanted program Generic PUP
McAfee-GW-Edition 6.8.5 2009.12.13 Heuristic.LooksLike.Win32.Packed.C
Microsoft 1.5302 2009.12.13 Adware:Win32/AdRotator
NOD32 4683 2009.12.13 a variant of Win32/Adware.GooochiBiz
Norman 6.04.03 2009.12.12 -
nProtect 2009.1.8.0 2009.12.13 -
Panda 10.0.2.2 2009.12.13 Trj/Genetic.gen
PCTools 7.0.3.5 2009.12.12 Adware.Begin2search
Prevx 3.0 2009.12.13 High Risk Worm
Rising 22.25.06.05 2009.12.13 Trojan.Win32.Undef.quy
Sophos 4.48.0 2009.12.13 AdRotate
Sunbelt 3.2.1858.2 2009.12.13 Trojan.Win32.Generic!BT
Symantec 1.4.4.12 2009.12.13 Adware.Begin2search
TheHacker 6.5.0.2.092 2009.12.12 -
TrendMicro 9.100.0.1001 2009.12.13 -
VBA32 3.12.12.0 2009.12.12 Trojan-Clicker.Win32.Agent.glr
ViRobot 2009.12.12.2085 2009.12.12 Trojan.Win32.Clicker.163944
VirusBuster 5.0.21.0 2009.12.12 Adware.Adrotator.Gen.2
Additional information
File size: 163944 bytes
MD5   : ac0d49c97ca2f09cc941b07a4a0e86b1
SHA1  : d029d903058ce7c7d34d680107110e2289cde069
SHA256: 2336dc37474b4a15f7fb100bbd3666c93f57b4bc22561db47a2f7ce923f2423b
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3225
timedatestamp.....: 0x48A737E7 (Sat Aug 16 22:26:15 2008)
machinetype.......: 0x14C (Intel I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5976 0x5A00 6.47 335c19bb25cd1d02eec2b0a4eacb979c
.rdata 0x7000 0x1190 0x1200 5.18 db16645055619c0cc73276ff5c3adb75
.data 0x9000 0x1AF98 0x400 4.69 59710519e577598f785044e4d95261f4
.ndata 0x24000 0xD000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x31000 0x908 0xA00 3.96 36426195b15a54195dc60707ed8dd004


( 0 exports )
TrID  : File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ssdeep: 3072:zNyah0mJdnKYMh3D0FOUGXE9d6rH1nQEh9SiwxFc1xYkKblIY9OV1Uqg:zwvhQO/oqLSiYyvKGYY4qg
Prevx Info: http://info.prevx.com/aboutprogramtext.asp?PX5=8BBFD99768C3D6E0801502CEBA5295007870E5C5
PEiD  : -
packers (F-Prot): NSIS
CWSandbox: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=ac0d49c97ca2f09cc941b07a4a0e86b1
packers (Authentium): NSIS
RDS   : NSRL Reference Data Set
-

JSunpack is a huge asset for analyzing botnet IPs, malware in general, drive-by downloads and other such malicious content. It can be used as a webpage analysis tool, a link analysis tool, an online sandbox and for other research. Blake is presenting at Shmoocon 2010 once again, this time on a new topic [the following has been copied and pasted from: http://www.shmoocon.org/presentations-all.html]:

Jsunpack-network Edition Release: JavaScript Decoding and Intrusion Detection
Blake Hartstein

Attackers using web exploits are always improving their attacks to make them more effective at exploiting the victim, avoiding detection, and generally making attacks difficult for researchers to understand. While anti-virus products often try to detect malicious content by applying filters and finding hidden content, they generally do not help researchers because the only output they produce is a name indicating whether a file is malicious.

Jsunpack-n reports vulnerabilities that attackers target and full information of decodings. Jsunpack-n contains many unique improvements to last year’s 2009 introduction of jsunpack at Shmoocon, most notably these include: release of full source code, the ability to use jsunpack-n to actively monitor network traffic (interface/packet capture file), detection of malicious content using both customizable rules and built-in detection mechanisms, pdf and swf decoding modules, and tree structures and URL tracking mechanisms.

Blake Hartstein works on the Rapid Response team at iDefense, a Verisign company. At iDefense, he is responsible for analyzing and reporting on samples of unknown malicious code and other suspicious activity. Prior to iDefense, Blake was an author of intrusion detection signatures and contributed to Emerging Threats, an open source community project that promotes a diverse Snort Signature set.

This blog post was intended to explain the tool [JSunpack], which could be useful to you in the process of botnet analysis. Hope you enjoyed it!

Thank you.
EF