The hunter becomes the hunted – analyzing network traffic to track down botnets
2023-04-29 | 17:30 – 18:00
Since their first signs of existence in the early 2000s, botnets have been a subject of interest for information security researchers. Considering the technological advancements in the latest releases of the most common botnets, it can be said that their impact on the cyber landscape is not only technical, but also financial and sociological. Nowadays, botnets are a real game-changer in the underground economy, providing criminals with the infrastructure they need to perpetrate a wide array of crimes: spam, clickjacking, carding and denial-of-service attacks are some well-known examples.
There are several methods to study botnets – some of them stem from classical malware analysis techniques, like reverse engineering and behavioral analysis, while others are closer to computer and network forensic science. Since botnets are usually operated for significant financial incentives, open-source investigation techniques (a.k.a. ‘good old detective work’) are also a way to gather interesting intelligence on botnets and their handlers.
Botnets have a very specific characteristic that makes them unique: they are social malware. Just as social animals must interact with each other in order to survive, bots belonging to the same botnet must communicate, either with each other or with a central command and control (C&C) point, in order to run. Bots can hide, but they must run. This has major consequences for their resilience, and also for how complicated it is to create and maintain one. Remember that bots can hide, but they must run; no matter how complex or advanced, they will eventually have to reach out to their peers. Botnets’ communication channels and protocols, as well as their C&C infrastructures, will be our main focus throughout the presentation.
I will present my point of view on how network traffic and botnets’ communication protocols can be analyzed to understand how they operate and to establish proper strategies for identification, containment, and countermeasures against botnet attacks. I’ll start by giving a brief overview of the evolution of botnets’ network architecture throughout history, which has usually closely followed the habits of corporate and personal computer users. With the significant financial motives behind them, botnets are becoming increasingly complex; different botnets use different C&C topologies – centralized, decentralized, multi-server, hierarchical, peer-to-peer, fluxing… We’ll take a look at these architectures and see what kind of information we can extract when analyzing their communications, and which countermeasures are best for each case. I will also introduce Malcom, a malware communications analysis tool that I created to obtain real-time visualizations of a given malware’s network communications. Malcom allows us to determine – in a flash – what kind of topology is in use, and to track any changes as they are being made by the botmasters.
Actionable intelligence is great to have when dealing with botnets. But knowing where to strike, which servers to take down, or which addresses to avoid is not enough if that information is not fresh. We’ll see how Malcom can be used to track and correlate malicious elements in botnets, and how that information can be used to build a profile of the botherders or malware family, by using Whois, emails, URLs, or AS information. Sharing that kind of information with other entities dealing with this kind of threat (such as CERTs) is a crucial step in the fight against malware. We’ll also see how Malcom can allow such information to be shared in a safe and anonymous way, so as to make incident response as swift as possible.