Damballa researchers share some techniques for getting a better picture of botnets — and targeted attacks
By Kelly Jackson Higgins
Senior Editor, Dark Reading
Is that malware found on your client machine the sign of a targeted attack or a routine bot-herding run? How do you know for sure?
Botnet hunters from Damballa are using some traditional network monitoring techniques to determine the size and scope of botnets — information that can even help distinguish between a direct attack or a random bot recruitment.
“We are working on ways to better [calculate] the numbers of these botnets with some accuracy,” says Christopher Davis, director of threat analysis for Damballa. Davis and Damballa chief scientist and co-founder David Dagon will discuss their company’s botnet research techniques at Black Hat D.C. next week.
Damballa researchers reverse-engineer the malware that arrives on one of their customers’ client machines, then study how it communicates with its command and control (C&C) server. Using a DNS cache-inspection technique, combined with tracking the IP packet identifier (IPID) field in traffic from the C&C server, they can take more accurate counts of the number of bots and C&C servers, and of the potential scope of a particular botnet.
Damballa is putting a new spin on existing techniques. Phishers, for example, have been known to use DNS cache inspection for reconnaissance before staging an exploit against an organization. “Although these techniques have been around and known for a long time, we’ve never heard of anyone applying them to botnet research,” Davis says.
These methods are useful for bot malware that provides only limited visibility into the botnet’s inner workings, such as HTTP-based botnets. An IRC-based botnet — or even Storm, which uses peer-to-peer communications — wouldn’t require these techniques because they are more transparent and simpler to track, Davis says.
Learning the size of the botnet behind a piece of malware can provide clues as to whether it’s a targeted attack or a bot-recruiting run. “You’re never able to say 100 percent that this wasn’t a targeted attack. But generally, the bad guy isn’t likely to have a [targeted] enterprise join a 20,000-member botnet. It’s going to be a small one,” Davis says.
With DNS cache inspection, the researchers query regional DNS servers for the “bad” domain. “We can then see if this bad domain has been requested there… it wouldn’t be in the cache if no one else had asked for it,” Davis says.
So if an Atlanta-based ISP’s DNS server retains the bad guy’s domain in its cache, it’s likely that users in that area are getting infected, he says. This gets the researchers closer to learning the range of the bot population.
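The cache-inspection query Davis describes is an ordinary DNS query with the recursion-desired (RD) bit cleared: a resolver that already holds the name answers from its cache, while one that has never seen it returns no records (or refuses). The Python below is an added example, not Damballa’s tooling; it builds such a query by hand, parses the reply, and decides whether the name was cached. The replies are constructed inline so it runs offline, and the domain c2.example, the transaction ID and the address 192.0.2.10 are placeholders. The same logic lets an operator confirm that a resolver they run does not answer non-recursive queries from outside networks, which is the usual mitigation for this kind of cache exposure.

```python
import struct
from typing import Dict, List, Tuple

# Placeholder name standing in for the malware's C&C domain (constructed).
SUSPECT_DOMAIN = "c2.example"
TXID = 0x1234


def encode_name(name: str) -> bytes:
    """Wire-format a DNS name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.strip(".").split(".")) + b"\x00"


def build_cache_probe(name: str, txid: int = TXID) -> bytes:
    """A-record query with every flag clear, RD included (flags == 0x0000),
    so the resolver may only answer from what it already has cached."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def _read_name(data: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; returns (name, offset after the field)."""
    labels, end, jumped = [], off, False
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF, True
            continue
        if length == 0:
            if not jumped:
                end = off + 1
            return ".".join(labels), end
        labels.append(data[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_response(resp: bytes) -> Dict:
    """Minimal parser: header, skip the question section, collect answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(resp, off)
        off += 4                                  # QTYPE + QCLASS
    answers: List[Dict] = []
    for _ in range(an):
        name, off = _read_name(resp, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        answers.append({"name": name, "type": rtype, "ttl": ttl,
                        "rdata": resp[off:off + rdlen]})
        off += rdlen
    return {"txid": txid, "rcode": flags & 0xF, "answers": answers}


def was_cached(resp: bytes, txid: int = TXID) -> bool:
    """A non-recursive query answered with records means the resolver already
    held the name, i.e. some client behind it asked for it recently."""
    p = parse_response(resp)
    return p["txid"] == txid and p["rcode"] == 0 and len(p["answers"]) > 0


# --- Constructed replies so the example runs offline -----------------------
def constructed_reply(query: bytes, cached: bool, ttl: int = 250) -> bytes:
    """Echo the question; if `cached`, append one A record whose owner name is
    a compression pointer back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    hdr = struct.pack("!HHHHHH", txid, 0x8080, 1, 1 if cached else 0, 0, 0)  # QR|RA
    body = query[12:]
    if cached:
        body += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes([192, 0, 2, 10])
    return hdr + body


if __name__ == "__main__":
    q = build_cache_probe(SUSPECT_DOMAIN)
    for label, reply in (("hit", constructed_reply(q, True)),
                         ("miss", constructed_reply(q, False))):
        print(label, was_cached(reply), parse_response(reply)["answers"])
```

A remaining TTL on the cached record (here the constructed 250 seconds) also tells the observer roughly when the name was last fetched, which is why a resolver that serves arbitrary clients should reject non-recursive queries from them rather than answer from cache.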
Then comes the so-called IPID technique. Davis says the researchers can determine how many packets it takes for the malware’s update or download, so they can use that count to calculate roughly how many bots there are. IPID basically provides a packet counter they can refer to in each query to the C&C server. “Watching IPID, we can tell when [the C&C server] sends a command or someone downloads the malware from it,” Davis says.
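The counter Davis refers to is the 16-bit Identification field of the IP header, which older server stacks increment globally for every packet they send; the difference between the IPIDs in two replies to the researchers’ own probes therefore reveals how many packets the server sent to everyone else in between. The Python below is an added example, not Damballa’s code: it works through a constructed probe log, handles the 16-bit wraparound, flags counters that are not sequential (modern stacks randomize or zero the field, which makes the method inconclusive), and converts the packet count into a rough number of downloads given a per-download packet count, which is the calculation the article describes. The probe times, IPID values and the 48-packets-per-download figure are all constructed.

```python
from typing import List, Optional, Tuple

IPID_MODULUS = 1 << 16   # the IP Identification field is 16 bits wide

# Constructed probe log: (seconds since first probe, IPID in the server's reply).
# Each probe elicits exactly one reply, so one packet per interval is our own.
PROBE_LOG: List[Tuple[int, int]] = [
    (0, 65400), (10, 65420), (20, 65500), (30, 30), (40, 60),
]

# Constructed value: packets one download of the sample takes, the figure the
# researchers obtain by reverse-engineering the malware's update channel.
PACKETS_PER_DOWNLOAD = 48


def ipid_delta(prev: int, cur: int) -> int:
    """Packets the server sent between two observed IPIDs, modulo 2**16."""
    return (cur - prev) % IPID_MODULUS


def is_sequential(ipids: List[int], max_step: int = 5000) -> bool:
    """Heuristic: a global incrementing counter moves by small positive steps
    between closely spaced probes; randomized IPIDs jump by large amounts."""
    return all(ipid_delta(a, b) <= max_step for a, b in zip(ipids, ipids[1:]))


def other_traffic(log: List[Tuple[int, int]]) -> Optional[List[Tuple[int, int]]]:
    """Per interval: (elapsed seconds, packets sent to parties other than us).
    Returns None when the counter does not look sequential, so the caller does
    not mistake a randomized IPID for real traffic."""
    ipids = [ipid for _, ipid in log]
    if not is_sequential(ipids):
        return None
    out = []
    for (t0, id0), (t1, id1) in zip(log, log[1:]):
        out.append((t1 - t0, ipid_delta(id0, id1) - 1))   # minus our own reply
    return out


def estimate_downloads(log: List[Tuple[int, int]],
                       packets_per_download: int) -> Optional[float]:
    """Rough number of downloads served during the log, or None if inconclusive."""
    traffic = other_traffic(log)
    if traffic is None:
        return None
    return sum(p for _, p in traffic) / packets_per_download


if __name__ == "__main__":
    for secs, pkts in other_traffic(PROBE_LOG) or []:
        print(f"{pkts:4d} packets to others in {secs}s ({pkts / secs:.1f} pkt/s)")
    print("estimated downloads:", estimate_downloads(PROBE_LOG, PACKETS_PER_DOWNLOAD))
    print("randomized counter:", estimate_downloads([(0, 41234), (10, 3)], 48))
```

The download estimate is deliberately coarse: the counter mixes command traffic, retransmissions and unrelated connections, which is why the article speaks of calculating "roughly" how many bots there are.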
The downside of these methods, however, is that they’re relatively “noisy,” Davis says, which could potentially blow the researchers’ cover and prompt the bad guys to relocate their servers. So the researchers try to keep a low profile when scanning DNS servers and when sending packets to the botnet C&C servers so their presence isn’t detected, he says. The goal is to be able to better determine growth, spread, and shifts in a botnet.