Botnet Analytics Blog

Blogging the Science of Botnet Analysis

Your Botnet is My Botnet: Analysis of a Botnet Takeover

The paper describes how one botnet can take control of hosts that are already controlled by another botnet. It is a really nice paper from the following authors:

Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski,
Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna
Department of Computer Science, University of California, Santa Barbara
{bstone,marco,sullivan,rgilbert,msz,kemm,chris,vigna}@cs.ucsb.edu

It is a really good read for anyone trying to understand the internals of the Torpig botnet.

Abstract:

Botnets, networks of malware-infected machines that are controlled by an adversary, are the root cause of a large number of security problems on the Internet. A particularly sophisticated and insidious type of bot is Torpig, a malware program that is designed to harvest sensitive information (such as bank account and credit card data) from its victims. In this paper, we report on our efforts to take control of the Torpig botnet and study its operations for a period of ten days. During this time, we observed more than 180 thousand infections and recorded almost 70 GB of data that the bots collected. While botnets have been “hijacked” and studied previously, the Torpig botnet exhibits certain properties that make the analysis of the data particularly interesting. First, it is possible (with reasonable accuracy) to identify unique bot infections and relate that number to the more than 1.2 million IP addresses that contacted our command and control server. Second, the Torpig botnet is large, targets a variety of applications, and gathers a rich and diverse set of data from the infected victims. This data provides a new understanding of the type and amount of personal information that is stolen by botnets.

You can read the paper from here: http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf

We hope that you enjoy the paper, because we definitely did. Thank you for choosing our blog!

Botnet Monitor

When looking for Botnet Monitors, we found the following that sounded really interesting:

Infiltrator

Infiltrator v0.1

— Posted by zeroq @ 17:19 – 15 Nov, 2007

For those of you interested in little helpful tools, I uploaded my infiltrator script for quick and dirty botnet monitoring. There is no documentation available right now but usually a question mark in front of a command gives some hints (e.g. ? show all).

Have fun: infiltrator.tar.gz

Source: http://zeroq.kulando.de/post/2007/11/15/infiltrator_v01#comments

Rishi Botnet Detection

Rishi is botnet detection software, capable of detecting hosts infected with IRC-based bots by passively monitoring network traffic. A web interface provides additional information on the incidents it finds.

Source: http://sourceforge.net/projects/rishi/

Both tools listed above were created by Jan Goebel. We just thought of sharing them with our users. Thank you for choosing our blog!

Kneber Zeus – Made the news

When searching for “Kneber Zeus”, the following resources were listed. They looked pretty cool, especially the Netwitness report. Check them out:

http://www.hackingtheuniverse.com/infosec/isnews/kneber-zeus

http://tech.yahoo.com/blogs/null/160728/beware-kneber-search-results-lead-to-malware/

http://www.symantec.com/connect/blogs/kneber-zeus

http://www.netwitness.com/resources/kneber.aspx

http://www.guardian.co.uk/technology/blog/2010/feb/19/kneber-zeus

http://www.pcworld.com/businesscenter/article/189772/protect_your_business_from_kneberstyle_botnets.html

http://www.sophos.com/blogs/gc/g/2010/02/19/zeus-kneber-botnet-unmasked/

Interestingly, there was one other link:

Firefox gives the following page when clicking on it:

Norton Safe Web report gives the following report:

The following is the Threat Report from Norton Safe Web [pretty comprehensive list of Roguewares]:

Drive-By Downloads (what’s this?)

Threats found: 21. Every entry in the sample is the same detection, HTTP Fake Antivirus Install Request 4, pointing at the same rogueware landing page with a different affiliate ID in the query string.

JSunpack report can be viewed here: http://jsunpack.jeek.org/dec/go?report=2832f2dd4b93ada474e9c8a5c3e69625d03a7c97

The reason for writing this blog was:

  • To aggregate the articles for Kneber Zeus at one place.
  • To ensure that no one gets deceived by the fake antivirus/rogueware link.

We hope that you enjoyed reading our blogs. Thank you for choosing our blog!

BotHunter – A Network-based Botnet Diagnosis System

Botnets are spreading at a really fast pace these days, and it is quite hard to keep up with the bad guys. This means we need solutions that are proactive rather than reactive. BotHunter is a proactive tool that helps protect networks of computers from being compromised by botnets.

You can download or visit BotHunter from its original site: http://www.bothunter.net. This is how it looks:

About BotHunter [To read more, check out the Source: About]:

Regardless of how malware enters your network (through innocent web surfing, email attachments, direct exploit, or by attaching your laptop to the wrong wireless network), once a machine within your perimeter is compromised your whole network is under threat.  BotHunter helps you quickly identify and isolate these infected machines, and helps you figure out who really owns your computers.

What is BotHunter

BotHunter is NOT an intrusion detection system, firewall, spam blocker, or antivirus tool.  These tools generally don’t work in helping you rid your network of malware infections. Rather, BotHunter takes a different approach. It is an entirely new network defense  algorithm designed to help everyone from network administrators to individual Internet-connected PC users detect whether their systems are running coordination-centric malware (such as botnets, spambots, spyware, Trojan exfiltrators, worms, adware).   It is based on an algorithm called network dialog correlation, developed under the Cyber-TA research program (http://www.cyber-ta.org), by the Computer Science Laboratory at SRI International.

BotHunter monitors the two-way communication flows between hosts within your internal network and the Internet.  It aggressively classifies data exchanges that cross your network boundary as potential dialog steps in the life cycle of an ongoing malware infection.   BotHunter employs Snort as a dialog event generation engine, and Snort is heavily modified and customized to conduct this dialog classification process.   Dialog events are then fed directly into a separate dialog correlation engine, where BotHunter maps each host’s dialog production patterns against an abstract malware infection lifecycle model.  When enough evidence is acquired to declare a host infected, BotHunter produces an infection profile to summarize all evidence it has gathered regarding the infection.  In short, BotHunter helps you rapidly identify infected machines inside your network that are clearly and helplessly under the control of external malicious hackers.

Dialog correlation attempts to produce classification events for certain network traffic exchanges that are produced and received by your computers. While not all network traffic exchanges produce a dialog event, those that do contribute to an evidence trail that may lead to a malware infection diagnosis report for the associated computer. Dialog events are fed directly into a separate dialog correlation engine, where each host’s individual dialog production pattern is mapped and scored against an abstract malware infection life cycle model. When the dialog correlation algorithm determines that a host’s dialog production pattern maps sufficiently closely to the life cycle model, the host is declared infected, and an infection profile is generated to summarize all evidence regarding the infection. See our Samples Page for examples of infection profiles produced from a wide variety of Internet malware.
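To make the dialog correlation idea concrete, here is a small added example (my own code, not BotHunter's): classified dialog events per host are mapped onto a simplified infection lifecycle, scored, and a host is declared infected once its evidence crosses a threshold and includes something the host itself initiated. The stage names, weights and threshold are assumptions for the example; BotHunter's real rule set and scoring are not reproduced.

```python
from collections import defaultdict

# Constructed dialog events "timestamp host stage" (sample data, not real BotHunter output).
# Stage names and weights are my simplification of an infection-lifecycle model;
# BotHunter's own rule set, stages and scoring are not reproduced here.
SAMPLE_EVENTS = """\
10:00:01 10.0.0.5 E1_INBOUND_SCAN
10:00:04 10.0.0.5 E2_EXPLOIT
10:00:09 10.0.0.5 E3_EGG_DOWNLOAD
10:00:20 10.0.0.5 E4_CNC_COMMS
10:00:25 10.0.0.5 E4_CNC_COMMS
10:01:00 10.0.0.7 E1_INBOUND_SCAN
10:05:00 10.0.0.9 E4_CNC_COMMS
10:05:30 10.0.0.9 E5_OUTBOUND_SCAN
"""
# Externally initiated stages (E1, E2) are weak evidence on their own: every
# Internet-facing host gets scanned. Host-initiated stages (E3-E5) weigh more.
WEIGHTS = {"E1_INBOUND_SCAN": 1, "E2_EXPLOIT": 2, "E3_EGG_DOWNLOAD": 3,
           "E4_CNC_COMMS": 3, "E5_OUTBOUND_SCAN": 3}
HOST_INITIATED = {"E3_EGG_DOWNLOAD", "E4_CNC_COMMS", "E5_OUTBOUND_SCAN"}
THRESHOLD = 5  # assumed evidence threshold for declaring a host infected

def parse_events(text):
    return [tuple(line.split()) for line in text.splitlines()]

def correlate(events):
    """Map each host's dialog events onto the lifecycle model and return
    infection profiles {host: (score, [stages in first-seen order])}."""
    seen = defaultdict(list)
    for _ts, host, stage in events:
        if stage not in seen[host]:      # repeated events add no new evidence
            seen[host].append(stage)
    profiles = {}
    for host, stages in seen.items():
        score = sum(WEIGHTS[s] for s in stages)
        # A single inbound scan/exploit attempt is not an infection; require that
        # the host itself did something (download, C&C, outbound scan).
        if score >= THRESHOLD and HOST_INITIATED & set(stages):
            profiles[host] = (score, stages)
    return profiles

def infection_report(profiles):
    """Human-readable summary of the evidence per declared host."""
    lines = []
    for host, (score, stages) in sorted(profiles.items()):
        lines.append(f"{host}: score={score} evidence={' -> '.join(stages)}")
    return "\n".join(lines)
```

Running `infection_report(correlate(parse_events(SAMPLE_EVENTS)))` lists 10.0.0.5 and 10.0.0.9 with their evidence trails, while the merely-scanned host 10.0.0.7 is not declared.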

BotHunter is funded through the Cyber-Threat Analytics research grant from the U.S. Army Research Office, and is free to all end users to help you combat malware infections.  In addition, BotHunter includes an auto-update service that allows fielded systems to receive the latest threat intelligence regarding new sources for ad and spyware management, botnet control sites, backdoor and control ports, and malware-related domain name lookups. The update service also publishes new dialog analysis rules to help BotHunter recognize emerging exploits and malware communication patterns. Modern malware defenses need to be adaptive and aware of the latest strategies used by Internet malware, and BotHunter is ready to meet this challenge.

This project is being run by SRI International, which is an independent, nonprofit research institute conducting client-sponsored research and development for government agencies, commercial businesses, foundations, and other organizations. SRI also brings its innovations to the marketplace by licensing its intellectual property and creating new ventures. [Source: SRI]

SRI collects all the malware research data, analyzes them and displays them in their Malware Threat Center, a snapshot of which is pasted below:

SRI International has been doing great research on malware, especially the famous families out there, and has been publishing great work from time to time. BotHunter’s UserGuide and GUIGuide are available online. From the ‘Coming Soon’ section of the website:

Here is a summary of what we are working on

o   BotHunter v2.0 is under development. This version will introduce an entirely new user interface experience and will support large-scale remote management. This version will take Bot hunting to a whole new level.

o  Our research team anticipates forthcoming announcements on entirely new technologies to combat malware.

Thanks for your support!

BotHunter’s Community Repository is an open list of botnet C&C IPs, with location details (city, region and country), domain/net speed/service provider, and a forensics and evidence summary of what the bot client victim performed. This is great stuff for people performing research and trying to shut down botnets out there. We hope that this blog post helped you learn more about BotHunter. Thank you for choosing our blog!

Using Failure Information Analysis to Detect Enterprise Zombies

This is a really good paper that I came across when performing some research on extracting information from failure messages. We (security folks who follow the RFCs) assume that an RST means that someone is scanning and that our system is dropping those packets by answering with an RST. What if we are wrong? What if those RST packets are generated by botnets or malware on the system and sent outbound to make you think they are DENY messages? What if the RST packets carry data or beacons? What if your firewall (packet filter or stateful) lets the packet through because it thinks it is an egress RST? What if it lets the traffic in on ingress, thinking that it is the response to a packet that went outbound?

Though you would think that this is not possible with a stateful firewall, it really depends on how the network is set up. In many enterprise networks, one firewall is used for egress traffic and another for ingress traffic. This could be to spread the load (balancing it between the inbound and outbound filtering firewalls), to ensure that each device performs only one duty (and does it well), or for many other reasons justified by the particular scenario.

In this paper, I found an interesting concept of using such failure messages inside the network to perform analysis and detect enterprise zombies in your network. Their abstract is as follows:

Abstract. We propose failure information analysis as a novel strategy for uncovering malware activity and other anomalies in enterprise network traffic. A focus of our study is detecting self-propagating malware such as worms and botnets. We begin by conducting an empirical study of transport- and application-layer failure activity using a collection of long-lived malware traces. We dissect the failure activity observed in this traffic in several dimensions, finding that their failure patterns differ significantly from those of real-world applications. Based on these observations, we describe the design of a prototype system called Netfuse to automatically detect and isolate malware-like failure patterns. The system uses an SVM-based classification engine to identify suspicious systems and clustering to aggregate failure activity of related enterprise hosts. Our evaluation using several malware traces demonstrates that the Netfuse system provides an effective means to discover suspicious application failures and infected enterprise hosts. We believe it would be a useful complement to existing defenses.
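As an added example of the failure information analysis idea (my own code, not Netfuse's), the block below extracts per-host failure features from constructed flow records (TCP RSTs, DNS NXDOMAINs, HTTP error codes), flags hosts whose failures are both frequent and spread across many destinations, and then groups flagged hosts that fail against the same destinations, which is how related infected hosts would surface together. The outcome labels, thresholds and Jaccard grouping are assumptions for the example; Netfuse uses an SVM-based classifier and its own clustering.

```python
from collections import defaultdict
# Constructed flow-outcome records "src dst proto outcome" (sample data, not real traffic).
SAMPLE_FLOWS = """\
10.0.0.5 203.0.113.10 tcp RST
10.0.0.5 203.0.113.11 tcp RST
10.0.0.5 badname1.example dns NXDOMAIN
10.0.0.5 198.51.100.7 tcp OK
10.0.0.8 203.0.113.10 tcp RST
10.0.0.8 badname1.example dns NXDOMAIN
10.0.0.8 198.51.100.9 http 404
10.0.0.20 198.51.100.7 tcp OK
10.0.0.20 198.51.100.9 http 404
"""
FAILURE_OUTCOMES = {"RST", "NXDOMAIN", "404", "503"}
# Thresholds are assumptions for this example; Netfuse uses an SVM classifier instead.
MIN_FAIL_RATIO, MIN_FAILED_DESTS, MIN_JACCARD = 0.5, 3, 0.5

def host_features(text):
    # Per host: [total flows, failed flows, set of destinations that failed]
    feats = defaultdict(lambda: [0, 0, set()])
    for line in text.splitlines():
        src, dst, _proto, outcome = line.split()
        feats[src][0] += 1
        if outcome in FAILURE_OUTCOMES:
            feats[src][1] += 1
            feats[src][2].add(dst)
    return dict(feats)

def suspicious_hosts(feats):
    # Benign clients fail occasionally against a few servers; scanners and bots
    # fail often and against many distinct destinations, so require both.
    out = {}
    for host, (total, nfail, dests) in feats.items():
        ratio = nfail / total
        if ratio >= MIN_FAIL_RATIO and len(dests) >= MIN_FAILED_DESTS:
            out[host] = round(ratio, 2)
    return out

def cluster_hosts(feats, hosts):
    # Greedy grouping of flagged hosts whose failed-destination sets overlap
    # (Jaccard similarity), i.e. hosts likely running the same malware.
    clusters = []
    for host in sorted(hosts):
        dests = feats[host][2]
        for cluster in clusters:
            ref = feats[cluster[0]][2]
            if len(dests & ref) / len(dests | ref) >= MIN_JACCARD:
                cluster.append(host)
                break
        else:
            clusters.append([host])
    return clusters
```

Note that 10.0.0.20 has a 50% failure ratio but only one failed destination, so the destination-spread criterion keeps an ordinary client with one broken link from being flagged.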

The authors of this paper are really experienced in what they do. They are:

  1. Zhaosheng Zhu – Department of Electrical and Computer Engineering, Northwestern University
  2. Vinod Yegneswaran – Computer Science Laboratory, SRI International
  3. Yan Chen – Department of Electrical and Computer Engineering, Northwestern University

To read the paper, check out Professor Yan Chen’s Publications section, or click here to go directly to the paper. We hope you enjoy it. We will definitely share what we learn, especially when we come across impressive papers like this one.

Thank you for choosing our blog!