Abstract
The command & control (c&c) protocols of botnets are moving away from plaintext IRC communication towards encrypted and obfuscated protocols. In general, these protocols are proprietary. Therefore, standard network monitoring tools are not able to extract the commands from the collected traffic. However, if we want to monitor these new botnets, we need to know how their protocol decryption works.
In this paper we present a novel approach in malware analysis for locating the encryption and decryption functions in botnet programs. This information can be used to extract these functions for c&c protocols.
We illustrate the applicability of our approach by a sample from the Kraken botnet. Using our approach, we were able to identify the encryption routine within minutes. We then extracted the c&c protocol encryption and decryption. Both are presented in this paper.
© 2009 IFIP International Federation for Information Processing
Cite this paper
Leder, F.S., Martini, P. (2009). NGBPA Next Generation BotNet Protocol Analysis. In: Gritzalis, D., Lopez, J. (eds) Emerging Challenges for Security, Privacy and Trust. SEC 2009. IFIP Advances in Information and Communication Technology, vol 297. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-01244-0_27
DOI: https://doi.org/10.1007/978-3-642-01244-0_27
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-01243-3
Online ISBN: 978-3-642-01244-0
eBook Packages: Computer Science (R0)