
Bot Feature & Technology Trends



  1. Bot Feature & Technology Trends Robert Lyda, Principal Engineer, robert.lyda@sparta.com

  2. Topics • Background • Bot Families & Variants • Bot Feature Trends • Research Challenges • Summary • Questions & Answers

  3. Background

  4. Motivation
  • Identify malware with “interesting” technology, including bots, within a large malware collection
  • Approach:
    • Characterize malware attributes and capabilities
    • Identify malware features
    • Look for statistical outliers
    • Perform in-depth analysis of the interesting samples
    • Use standard static and dynamic analysis and reverse engineering techniques
  • Identify current (and future) technology trends
  • Approach to identifying future trends:
    • Extrapolate current trends
    • Look for precursors in “non-wild” samples
  • Funded work performed jointly with McDonald Bradley, Inc.

  5. Data Sources and Analysis Methods
  • Analyzed bot samples for 2005
  • Source: McAfee collection – 3,491 samples (wild and non-wild)
    • Each variant is treated as a sample
    • Selected samples with prefix ‘Bot’ or ‘Tob’
  • Caveats:
    • Not all collections are the same
    • Selection criteria do not identify all bots
    • Rely on McAfee determination of:
      • Family and variant designation
      • Discovery date – year and month

  6. Data Sources and Analysis Methods
  • Static tools used to perform the analysis:
    • Static unpacking tool
    • PEiD – packing identification
    • Malware String Analysis Tool (MSAT)
      • Applies string heuristic rules
  • Methodology used to generate statistics:
    • Unpack samples – twice
    • Extract string data
    • Statically analyze strings to identify features
    • Store processed data in a relational database
    • Use SQL to query for statistics

  7. Emergence of Bots (timeline slide; axis runs 1993, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006 / Present)
  • GT bots – combined mIRC client, hacking scripts & tools
  • EggDrop – discovered, recognized as first IRC bot
  • W32/Agobot – bot family added modular design and significant functionality
  • W32/Mytob – hybrid bot, major e-mail outbreak
  • RPCSS
  • W32/PrettyPark – 1st worm to use IRC as C&C
  • W32/Spybot – family emerged
  • W32/Sdbot – first family of bots developed as a single binary

  8. Bot Families & Variants

  9. Bot Families & Variants
  • Genealogy of bot implementations
    • Most bots derived from a common code base
    • Six families comprise the majority of 2005 variants
  • Variants result from:
    • Increase in capabilities
    • Publishing & sharing code
    • Modular plug-ins
    • Packing
  • Distinction between bot families is blurred
    • Hybridization of bots and non-bots
    • Harder to make family determination

  10. Bot Family Prevalence

  11. Prevalence of Popular Bot Families

  12. Bot Families & Variants
  • W32/Gaobot (a.k.a. Agobot)
    • Related families: Phatbot, Forbot, Polybot, XtremBot
    • Modular code written in C++
    • Appears to be a re-write of W32/Sdbot
    • Source code is available under the GPL
    • Primary capabilities:
      • IRC C&C
      • Sniff network traffic
      • Rootkit hiding
      • Anti-reverse engineering techniques
    • Phatbot variant used WASTE (P2P protocol)

  13. Bot Families & Variants
  • W32/SpyBot
    • Related families: SDBot, Rbot, URBot, URXBot
    • Written poorly in C
    • Available under the GPL
    • Primary capabilities similar to the Agobot family
    • Spread by P2P networks & backdoors left by other malware programs

  14. Bot Families & Variants
  • W32/Mytob
    • Discovered Feb/March 2005
    • Bot hybrid: combines mass mailing with IRC C&C
    • Primary capabilities:
      • Uses social engineering & spoofed e-mail addresses
      • Carries its own SMTP client
      • C&C capabilities similar to Spybot
  • W32/Polybot
    • Derived from the W32/Gaobot code base
    • Named for its use of polymorphism: morphs its code on each infection

  15. Bot Families & Variants
  • W32/PoeBot (a.k.a. W32/Linkbot)
    • Worm / bot hybrid
    • Primary capabilities:
      • Infects machines through open shares
      • Installs a backdoor
      • Waits for commands via IRC

  16. Bot Feature Trends

  17. Bot Feature Trends

  18. Bot Feature Trends

  19. Bot Feature Trends

  20. Bot Feature Trends

  21. Bot Families & Variants
  • Other bot types and families
    • Perl bots – written as Perl scripts
    • VB bots – written in Microsoft Visual Basic
    • DNSX bots – Dataspy Network X bot, written in C++ and extendable via plugins
    • Q8 bots – a very small UNIX/Linux-based bot consisting of 926 lines of C code
    • Kaiten – a bot written for the UNIX and Linux platforms

  22. Bot Packing Analysis
  • Packing technology has a significant impact on detection
  • Packing contributes to bot variant creation
    • The share of bot variants that result from packing is unknown
  • 2005 bot packing stats:
    • 46 distinct packing technologies identified
    • Top 12 packers used make up 83% of packed samples
    • 2,747 samples had identifiable packing technology (79% of samples packed)
    • 524 had no identifiable packing, but are possibly packed
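The statistics methodology of slide 6 and the packing figures of slide 22, reduced to a runnable miniature. This is an added example, not code from the presentation or its MSAT tool: the sample records, packer names and heuristic rules are constructed for illustration. Extracted strings are matched against feature rules, the results are stored in a relational database (in-memory SQLite), and SQL queries produce feature prevalence and packer coverage numbers of the kind the deck reports.

```python
import re
import sqlite3

# Constructed records (made up for this example): name, family, packer as a
# PEiD-style identifier (None = nothing identified), extracted strings.
SAMPLES = [
    ("W32/Sdbot.x", "Sdbot", "UPX", ["PRIVMSG", "JOIN #", "NICK %s"]),
    ("W32/Gaobot.x", "Gaobot", "UPX", ["PRIVMSG", "JOIN #", "wpcap.dll"]),
    ("W32/Mytob.x", "Mytob", "FSG", ["MAIL FROM:<%s>", "RCPT TO:<%s>", "PRIVMSG"]),
    ("W32/Spybot.x", "Spybot", None, ["JOIN #", "PRIVMSG"]),
    ("W32/Poebot.x", "Poebot", "PECompact", ["PRIVMSG", "NICK %s"]),
    ("W32/Polybot.x", "Polybot", "Morphine", ["JOIN #", "wpcap.dll"]),
]
# String heuristic rules: a sample has a feature if any string matches a pattern.
RULES = {
    "irc_cnc": [r"^PRIVMSG\b", r"^JOIN #", r"^NICK\b"],
    "smtp_client": [r"^MAIL FROM", r"^RCPT TO"],
    "sniffer": [r"pcap"],
}

def identify_features(strings):
    """Feature names whose heuristic rules match any extracted string."""
    return {f for f, pats in RULES.items()
            if any(re.search(p, s, re.I) for p in pats for s in strings)}

def load(samples):
    """Store processed sample data in a relational database (in-memory SQLite)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""CREATE TABLE sample(name TEXT PRIMARY KEY, family TEXT, packer TEXT);
                         CREATE TABLE feature(sample TEXT, feature TEXT);""")
    for name, family, packer, strings in samples:
        con.execute("INSERT INTO sample VALUES (?,?,?)", (name, family, packer))
        con.executemany("INSERT INTO feature VALUES (?,?)",
                        [(name, f) for f in sorted(identify_features(strings))])
    return con

def packing_stats(con, top_n=2):
    """Slide-22 style numbers: packed ratio and share held by the top_n packers."""
    total, packed = con.execute("SELECT COUNT(*), COUNT(packer) FROM sample").fetchone()
    rows = con.execute("""SELECT packer, COUNT(*) FROM sample WHERE packer IS NOT NULL
                          GROUP BY packer ORDER BY 2 DESC, packer""").fetchall()
    top = sum(n for _, n in rows[:top_n])
    return {"total": total, "packed": packed, "distinct_packers": len(rows),
            "pct_packed": round(100 * packed / total),
            "top_share": round(100 * top / packed)}

def feature_prevalence(con):
    """Number of samples carrying each identified feature."""
    return dict(con.execute("SELECT feature, COUNT(*) FROM feature GROUP BY feature"))
```

Samples with no identifiable packer are counted as unpacked here, which is exactly the caveat the slide flags with its 524 "possibly packed" samples.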

  23. Bot Packing Analysis

  24. Bot Packing Analysis

  25. Research Challenges
  • General challenges
    • Scaling the static analysis / reverse engineering process
    • Efficiently unpacking large numbers of samples
  • Limitations of string extraction
    • Lack of context
    • Junk strings
    • Obfuscated strings
  • Lack of tools
    • Need more automated tools
    • Need tools with better analysis capabilities
  • Acquiring malware collections
    • Difficult to obtain a complete corpus
    • Most collectors protect their collections

  26. Summary
  • Presented a flavor of 2005 bot trends
  • Analysis of trends is in a preliminary stage
  • Many different ways to statically analyze bot trends and patterns
  • Need to address several challenges:
    • Processing a large corpus of samples efficiently
    • Acquiring or building better tools
    • Determining the best features and feature combinations to trend
    • Acquiring new malware collections
  • We are open to collaboration!

  27. References
  • J. Canavan, “The Evolution of Malicious IRC Bots,” Virus Bulletin Conference, 2005. http://www.symantec.com/avcenter/reference/the.evolution.of.malicious.irc.bots.pdf
  • The Honeynet Project & Research Alliance, “Know Your Enemy: Tracking Botnets.” http://www.honeynet.org/papers
  • McAfee, Inc., Virus Information Library. http://vil.nai.com/default.aspx
  • N. Ianelli, A. Hackworth, “Bots as a Vehicle for Online Crime,” CERT/CC. www.cert.org/archive/pdf/Botnets.pdf
  • E. Cooke, F. Jahanian, D. McPherson, “The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets,” USENIX SRUTI ’05. www.usenix.org/events/sruti05/tech/talks/cooke.pdf
  • Sophos, Inc., “W32/POEBot.” http://www.sophos.com/virusinfo/analyses/w32poebota.html

  28. Questions & Answers
