Botnet Milking: Malware Freshly Served From the Source
Getting new malware is essential for fine-tuning detection systems. But, given the huge volume of malware collected from users and 3rd party sources, finding the newest malware samples can be like finding the proverbial needle in the haystack. Avira researchers have developed an automated botnet-tracking system with disguised clients to get communications and malware straight from botnets’ Command & Control servers. By systematically milking the bots, the Avira team has the cream of the crop: a selection of nearly 100% pure and fresh malware.
It all starts with the basic malware defense process: Cybercriminals try to infect Avira users, malware is automatically uploaded to our cloud before it can be executed, and these files are subsequently handled by a simple blacklist, cloud-protected generic detection rules, and a continuously retrained artificial intelligence system. But then, some of the data goes into the botnet tracking system, and this is where things get really interesting.
1. SORTING MALWARE AT THE DUMP
The fun starts at the “Autodump”, Avira’s automated system for stripping away layers of tricks and obfuscation. It executes the malware in a specially controlled virtual machine, lets the malware unpack itself, and takes memory dumps at certain events. During this process, we conceal information about our analysis system from the cybercriminals, preventing them from fingerprinting our machines or creating new evasive techniques. At the end, we scan all dumps with Yara signatures to identify the interesting dumps and the malware family.
2. EXTRACTING BOTNET DETAILS
Armed with potentially useful data from the Autodump, samples go through the Extractor, where we get the operational details. We target specific botnet families and primarily look for information on communicating with their malware servers. Here is an incomplete list of what we look for; the specifics depend heavily on the botnet:
- C&C URLs,
- communication encryption keys,
- protocol version,
- campaign ID,
- user-agent-string, and
- size of configuration data.
In the past, it was fairly easy to extract C&C data. Over time, this process has become more complicated, and manual adaptations to our extractor are needed. On the positive side, we now always get a complete list of command & control server URLs, and we get the encryption keys.
3. PLACING BOTCHECKER AGENTS IN THE FIELD
Botchecker is our modular botnet infiltration system for monitoring botnets’ C&C servers. It includes a network of software clients and a central server that automatically collects all the malware intelligence, distributes a list of C&Cs to our client agents, and collects the returned data.
We focus on active monitoring, where clients act like an infected computer and connect to C&C servers just like a real victim machine, forging requests in the form the C&C expects. Finally, our clients send the gathered information, including the newly downloaded malware samples, to the Botchecker server, where it is used to update security for our users. This data includes:
- fresh malware samples,
- new C&C servers,
- download URLs,
- emails to be spammed, web injects, ATS scripts, and
- lists of received commands.
Our monitoring agents are, of course, observation only and do not perform any harmful actions even when commanded by the bot master.
4. HIDDEN IN PLAIN VIEW
To shield our identity, we use a modular framework as we work with the botnet protocols. When cybercriminals know that an AV company is monitoring the botnet, they may simply blacklist them, change the protocol, or switch to another C&C. We can use a SOCKS proxy or Tor as a gateway for requests sent to the C&C, but with Tor there are drawbacks such as speed, difficulties in quickly getting a new IP, and the potential for cybercriminals to blacklist all Tor exit nodes. When talking to an HTTP botnet, we send requests just as the botnet expects them, while avoiding any header and value artifacts.
5. UNLOADING THE GAMARUE PAYLOAD
The Gamarue / Andromeda botnet is a good example of the benefits of running our network of fake botnet clients. Although it is cumbersome to get a PE file of the real payload for analysis, the bot is widespread and provides a lot of interesting downloads.
From the end of 2014, Andromeda has used a JSON protocol to communicate with the C&Cs. After decrypting the response from the C&C, the resulting JSON object contains a list of commands for the victim which can include:
- ID 1: Download file to disk and execute via CreateProcess
- ID 2: Download file to disk and registry and load via LoadLibrary and call exported function “aStart”
- ID 3: Download file and update self
- ID 6: Delete all plugins from the registry
- ID 9: Uninstall self
The first three commands are the most interesting to us as they provide us with fresh download URLs and malware samples as well as new Gamarue samples containing new C&Cs.
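As an added example (not Avira's code), here is how an observation-only agent could triage a decrypted command list using the command IDs above, recording destructive commands without acting on them and flagging ID 3 payloads for re-extraction. The JSON layout (`commands`, `id`, `url`), the function names and the sample URLs are constructed for illustration and are not the real Andromeda wire format.

```python
import json
from urllib.parse import urlsplit

# Command IDs and their meaning, as listed in the article.
COMMANDS = {1: "download_execute", 2: "download_load_plugin",
            3: "download_update_self", 6: "delete_plugins", 9: "uninstall_self"}
FETCH_IDS = {1, 2, 3}   # the three commands that carry a download URL

def defang(url):
    """Rewrite a URL so it is not clickable in reports."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def triage(decrypted_json):
    """Sort a decrypted command list into an intel record; nothing is run."""
    rec = {"fetch": [], "reextract": [], "log_only": [], "unknown": [], "rejected": []}
    seen = set()
    for cmd in json.loads(decrypted_json).get("commands", []):
        cid, url = cmd.get("id"), str(cmd.get("url") or "")
        name = COMMANDS.get(cid)
        if name is None:
            rec["unknown"].append(cid)        # possible protocol change, needs an analyst
        elif cid not in FETCH_IDS:
            rec["log_only"].append(name)      # recorded only, never acted on
        elif urlsplit(url).scheme not in ("http", "https") or not urlsplit(url).hostname:
            rec["rejected"].append(url)       # malformed or unexpected scheme
        elif url not in seen:                 # drop repeats of the same URL
            seen.add(url)
            rec["fetch"].append((name, defang(url)))
            if cid == 3:                      # self-updates may contain new C&Cs
                rec["reextract"].append(defang(url))
    return rec

# Constructed sample standing in for a decrypted response (hypothetical schema).
SAMPLE = json.dumps({"commands": [
    {"id": 1, "url": "http://dl.example.test/a.exe"},
    {"id": 3, "url": "http://upd.example.test/new.bin"},
    {"id": 1, "url": "http://dl.example.test/a.exe"},
    {"id": 6},
    {"id": 42, "url": "http://x.example.test/"},
    {"id": 2, "url": "ftp://bad"},
]})

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```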
6. AVIRA BOTCHECKER AGENTS PRODUCE RESULTS
We have been running this version of the Botchecker framework for nine months now and have identified over 4,000 C&C servers and confirmed over 4,000 malicious URLs. In the Gamarue botnets alone, we have identified the use of 125 different malware families. Although maintaining this system is more work than a pure sandbox system and is limited to specific botnet families, it has several advantages:
- We can extract the complete list of C&Cs even if they are not seen during one execution of the malware.
- We get a deep understanding of the communication protocol.
- We get the decryption keys used for the communication.
- We also get malware downloads which are neither downloaded nor stored as PE files.
- We can prove that a C&C really speaks a botnet protocol even if no additional malware is downloaded.
- We can process C&C communication much faster with far fewer resources.
Using Botchecker, we’ve been one of the first in the security research community to get some previously unknown malware samples. In the future, we have plans to implement more botnet protocols and improve support for data files like configurations and webinjects. We also want to provide more information for botnet takedown operations.