What are we going to learn?
- How to track botnets
- How to make sense of the data
- How to automate it
How are we going to learn it? Through explanation of practical scenarios.
How are we going to use it? Explained through demos on how to use it.
How many of you are familiar with botnets and zombies?
How did people get to this conclusion? By analyzing the binaries. Of course, the way to get more information is to be part of the botnet and analyze its patterns and logs first hand.
If you want to know when it happens and how it happens, you have to be part of it. Analyzing click logs isn't the only way.
If you want to see the latest spam templates and where they are spamming, remember that the spam is sent from the bots in the botnet. Huge profit for sending ads that no one is interested in.
Decide to analyze afterwards, or analyze 1-by-1 on the fly. We will analyze 1-by-1 on the fly.
Yea, I know sec geeks love practical, but we cannot ignore the theoretical aspects as well. I'll explain. There were a lot of subtleties in that for loop. I'll mention a few; the interested ones can look at my paper for exact details and how I address them one by one.
1. How to start a VM? What VM did I use? I use VirtualBox. VirtualBox has the VBoxManage command line tool to control VMs; it is very powerful, and everything in the GUI can be done with it.
2. How to start monitoring tools? In our case, we only need Wireshark to capture network traffic. Start it OUTSIDE the guest (on the host) so the malware cannot tamper with kernel objects, or INSIDE the guest to get around HTTPS.
3. How to transfer the malware? In general: write a client and a server, putting the client on the guest. When the guest gets a file, it will automatically execute it. For any VM that can attach a CD/DVD, like VirtualBox, attach a .iso that autoruns the malicious binary.
4. How long should the malware execute? 1 ~ 5 min. Some malware just wait, wait, wait forever. Or it is a downloader, and it is slow to get the real malware. Depending on whether you are distributed and how much time you have (it usually runs behind the scenes), let it run for some 5 minutes. It isn't a CD, so it should do OK.
5. How about anti-debugging / anti-virtualizing malware? Out of scope, not discussed here. I provided resources and explanations of how they work on my blog: "Detecting Virtualbox".
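To make the "for loop" concrete, here is an added example (my own, not code from the talk or the paper) of one iteration of that automated sandbox run driven through VirtualBox's VBoxManage CLI: restore a clean snapshot, attach the sample as an autorun ISO, capture on the host, run for a bounded time, power off, detach. The VM name, snapshot name, host interface, IDE controller name and file paths are assumptions; tshark (Wireshark's command-line capture tool) stands in for the Wireshark GUI so the capture can be scripted. With `dry_run=True` the object only records the commands it would run, which is also how the sequence can be inspected before pointing it at a real VM.

```python
"""One iteration of an automated VirtualBox sandbox run.

Added example, not the talk's own code. Assumed: VM name "analysis-vm",
snapshot "clean", host interface "vboxnet0", IDE controller named "IDE",
and tshark used in place of the Wireshark GUI.
"""
import subprocess
import time
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SandboxRun:
    vm_name: str                 # hypothetical VirtualBox VM name
    snapshot: str                # clean snapshot restored before every sample
    host_iface: str              # host NIC carrying the guest's traffic (capture OUTSIDE the guest)
    run_seconds: int = 300       # the talk suggests 1-5 minutes; 5 minutes here
    dry_run: bool = True         # True: only record commands; False: really execute them
    executed: List[List[str]] = field(default_factory=list)

    def _run(self, argv: List[str]) -> None:
        """Run a command to completion (or just record it in dry-run mode)."""
        self.executed.append(list(argv))
        if not self.dry_run:
            subprocess.run(argv, check=True)

    def _spawn(self, argv: List[str]) -> Optional[subprocess.Popen]:
        """Start a long-running command in the background."""
        self.executed.append(list(argv))
        return None if self.dry_run else subprocess.Popen(argv)

    def analyze(self, sample_iso: str, pcap_out: str) -> List[List[str]]:
        """Restore, attach, capture, run for a bounded time, power off, detach."""
        vb = "VBoxManage"
        # 1. Clean state: every sample starts from the same snapshot.
        self._run([vb, "snapshot", self.vm_name, "restore", self.snapshot])
        # 2. Transfer: attach an ISO whose autorun launches the sample
        #    (the guest must have autorun enabled; give an absolute ISO path).
        self._run([vb, "storageattach", self.vm_name, "--storagectl", "IDE",
                   "--port", "1", "--device", "0", "--type", "dvddrive",
                   "--medium", sample_iso])
        # 3. Monitoring from the host: the capture stops itself after
        #    run_seconds + 10 s, so a wedged guest cannot leave it running forever.
        capture = self._spawn(["tshark", "-i", self.host_iface,
                               "-a", f"duration:{self.run_seconds + 10}",
                               "-w", pcap_out])
        # 4. Execute: headless boot; the bounded wait covers samples that
        #    "wait forever" or downloaders that fetch the real payload slowly.
        self._run([vb, "startvm", self.vm_name, "--type", "headless"])
        if not self.dry_run:
            time.sleep(self.run_seconds)
        # 5. Hard stop and detach so the next iteration starts clean.
        self._run([vb, "controlvm", self.vm_name, "poweroff"])
        self._run([vb, "storageattach", self.vm_name, "--storagectl", "IDE",
                   "--port", "1", "--device", "0", "--type", "dvddrive",
                   "--medium", "emptydrive"])
        if capture is not None:
            capture.wait()
        return self.executed


def plan_for(sample_iso: str, pcap_out: str) -> List[List[str]]:
    """Dry-run helper: the exact command sequence one sample would trigger."""
    run = SandboxRun(vm_name="analysis-vm", snapshot="clean", host_iface="vboxnet0")
    return run.analyze(sample_iso, pcap_out)


if __name__ == "__main__":
    for argv in plan_for("/samples/sample.iso", "/captures/sample.pcap"):
        print(" ".join(argv))
```

The snapshot restore is what makes the loop repeatable: whatever the previous sample did to the guest is discarded, so each capture can be attributed to exactly one binary. Running the capture on the host also means the sample never sees the sniffer, which is the "OUTSIDE" choice from point 2 above.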
1. What if the botnet operator sends a message to you?! They won't, unless it's a small botnet. (It's on the rise. Torpig.) Otherwise, they will only automatically ping you. Just pong them. If they send PING :113355, then you send PONG :113355.
2. Username, host, mode, password, channel, server. Does the order in which I send them matter? How about timing? For ordering, theoretically yes. But it's not that strict. The password is required first, and the nick too. Then the channel goes last. Normally, you authenticate yourself before doing anything, right? The same goes for botnet access control designs.
3. The botnet operator is sending me commands that my software and even I do not recognize. What should I do? Employ "the rule of silence". Just don't say anything stupid. The internet is a best-effort place, so connections are not expected to be realtime, and packets may be blackholed. Keep silent, and you will blend in with the real bots. Botnets now are quite smart, and if you send any command that isn't whitelisted, you immediately get an IP/NICK ban.
Commands: understand and help document unseen commands for security researchers. HTTP URLs, especially those ending in .exe or .bat, are likely to be malware binaries. Generally, other HTTP URLs could be phishing sites. Conversation logs: inexperienced operators might think it safe to talk on their botnet, revealing information. Other timing-related information: you might discover patterns or even preemptive 0-day attacks.
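The two previous slides (the PING/PONG and rule-of-silence handling, and what to pull out of the logs) share one need: splitting raw IRC lines into prefix, command and parameters. The following added example (mine, not code from the talk) does that once and then uses it twice: `reply_for` answers only PING and stays silent on everything else, and `triage_log` walks a capture and sorts URLs into likely binaries (.exe/.bat) versus other links, records bot commands not yet documented, and keeps operator chatter for review. The sample log lines, the channel and host names, the "known command" list and the convention that bot commands start with "." or "!" are all constructed for the illustration.

```python
"""Parse captured IRC C2 lines, answer only PING, and triage the rest.

Added example, not the talk's own code. SAMPLE_LOG, KNOWN_BOT_COMMANDS and
the "." / "!" command-prefix convention are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set
from urllib.parse import urlparse


@dataclass
class IrcMessage:
    prefix: Optional[str]   # "nick!user@host" or server name, if present
    command: str            # IRC verb or numeric: PING, PRIVMSG, 001, ...
    params: List[str]       # middle params plus the trailing ":..." text


def parse_irc_line(line: str) -> IrcMessage:
    """Split one RFC 1459 style line into prefix, command and params."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        raise ValueError("empty IRC line")
    params = parts[1:]
    if sep:                          # trailing parameter present (may be empty)
        params.append(trailing)
    return IrcMessage(prefix, parts[0].upper(), params)


def reply_for(msg: IrcMessage) -> Optional[str]:
    """The rule of silence: PING is answered with the same token, nothing else
    gets a reply, so an unrecognised command never triggers a noisy error."""
    if msg.command == "PING" and msg.params:
        return "PONG :" + msg.params[-1]
    return None


def registration_sequence(password: str, nick: str, user: str, channel: str) -> List[str]:
    """Ordering from the talk: password and nick first, the channel last."""
    return [f"PASS {password}", f"NICK {nick}", f"USER {user} 0 * :{user}", f"JOIN {channel}"]


URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
BINARY_EXTENSIONS = (".exe", ".bat")      # what the talk flags as likely binaries
KNOWN_BOT_COMMANDS = {".dl", ".visit"}    # constructed: commands already documented


@dataclass
class Findings:
    binary_urls: List[str] = field(default_factory=list)       # probable malware downloads
    other_urls: List[str] = field(default_factory=list)        # candidate phishing pages
    unknown_commands: Set[str] = field(default_factory=set)    # commands still to document
    chatter: List[str] = field(default_factory=list)           # operator conversation


def triage_log(lines: List[str]) -> Findings:
    """Sort channel traffic into URLs, unseen commands and plain conversation."""
    found = Findings()
    for raw in lines:
        if not raw.strip():
            continue
        msg = parse_irc_line(raw)
        if msg.command not in ("PRIVMSG", "NOTICE", "TOPIC") or not msg.params:
            continue                      # numerics, MODE, JOIN etc. carry no payload text
        text = msg.params[-1]
        for url in URL_RE.findall(text):
            is_binary = urlparse(url).path.lower().endswith(BINARY_EXTENSIONS)
            (found.binary_urls if is_binary else found.other_urls).append(url)
        words = text.split()
        first = words[0].lower() if words else ""
        if first.startswith((".", "!")):  # assumed bot-command prefix convention
            if first not in KNOWN_BOT_COMMANDS:
                found.unknown_commands.add(first)
        elif words:
            found.chatter.append(text)
    return found


SAMPLE_LOG = [  # constructed capture, not real traffic
    ":irc.example.com 001 bot123 :Welcome to the network",
    "PING :113355",
    ":op!op@example.com PRIVMSG #chan :.dl http://files.example.com/update.exe",
    ":op!op@example.com PRIVMSG #chan :.visit http://login.example.com/acct",
    ":op!op@example.com PRIVMSG #chan :.cmd7 7788 a",
    ":op!op@example.com PRIVMSG #chan :brb going to the shop",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        reply = reply_for(parse_irc_line(line))
        if reply:
            print("->", reply)
    print(triage_log(SAMPLE_LOG))
```

Everything that is not a PING is only logged, never answered; the `.cmd7` line ends up in `unknown_commands` as something to document rather than something to respond to, which is exactly how the silent observer avoids the whitelist ban described above.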
If you get malware, you can then feed this malware into the system again for analysis. It won't necessarily point to the same botnet (FireEye blog), or perhaps it carries some new interesting exploits. Now you have a feedback loop: you get malware and spy on a botnet, get malware from the botnet, and spy on yet another botnet.