Dive into the evolution of bot families and variants through statistical analysis & future trend identification in the malware landscape. Discover the challenges and innovations shaping bot technology today.
Bot Feature & Technology Trends
Robert Lyda, Principal Engineer
robert.lyda@sparta.com
Topics
• Background
• Bot Families & Variants
• Bot Feature Trends
• Research Challenges
• Summary
• Questions & Answers
Motivation
Identify malware with “interesting” technology, including bots, within a large malware collection
• Approach:
  • Characterize malware attributes and capabilities
  • Identify malware features
  • Look for statistical outliers
  • Perform in-depth analysis of the interesting samples
  • Use standard static and dynamic analysis and reverse engineering techniques
  • Identify current (and future) technology trends
• Approach to identifying future trends:
  • Extrapolate current trends
  • Look for precursors in “non-wild” samples
• Funded work performed jointly with McDonald Bradley, Inc.
Data Sources and Analysis Methods
• Analyzed bot samples for 2005
• Source: McAfee collection – 3,491 samples (wild and non-wild)
  • Each variant is treated as a sample
  • Selected samples with prefix ‘Bot’ or ‘Tob’
• Caveats:
  • Not all collections are the same
  • Selection criteria do not identify all bots
• Rely on McAfee determination of:
  • Family and variant designation
  • Discovery date – year and month
Data Sources and Analysis Methods
• Applied static tools to perform analysis
  • Static unpacking tool
  • PEiD – packer identification
  • Malware String Analysis Tool (MSAT)
    • Applies string heuristic rules
• Methodology used to generate statistics
  • Unpack samples – twice
  • Extract string data
  • Statically analyze strings to identify features
  • Store processed data in a relational database
  • Use SQL to query for statistics
Emergence of Bots (timeline slide; year axis ran 1993, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006/present)
• GT bots combined mIRC client, hacking scripts & tools
• EggDrop discovered, recognized as the first IRC bot
• W32/Agobot bot family added modular design and significant functionality
• W32/Mytob hybrid bot, major e-mail outbreak
• RPCSS
• W32/PrettyPark – 1st worm to use IRC as C&C
• W32/Spybot family emerged
• W32/Sdbot – first family of bots developed as a single binary
Bot Families & Variants
• Genealogy of bot implementations
  • Most bots derived from a common code base
  • Six families comprise the majority of 2005 variants
• Variants result from:
  • Increase in capabilities
  • Publishing & sharing code
  • Modular plug-ins
  • Packing
• Distinction between bot families is blurred
  • Hybridization of bots and non-bots
  • Harder to make family determination
Bot Families & Variants
• W32/Gaobot (a.k.a. Agobot)
  • Related families: Phatbot, Forbot, Polybot, XtremBot
  • Modular code written in C++
  • Appears to be a re-write of W32/Sdbot
  • Source code is available under the GPL
  • Primary capabilities:
    • IRC C&C
    • Sniff network traffic
    • Rootkit hiding
    • Anti-reverse engineering techniques
  • Phatbot variant used WASTE (P2P protocol)
Bot Families & Variants
• W32/SpyBot
  • Related families: SDBot, Rbot, URBot, URXBot
  • Poorly written in C
  • Available under the GPL
  • Primary capabilities: similar to the Agobot family
  • Spread by P2P networks & backdoors left by other malware programs
Bot Families & Variants
• W32/Mytob
  • Discovered Feb/March 2005
  • Bot hybrid: combines mass mailing with IRC C&C
  • Primary capabilities:
    • Uses social engineering & spoofed e-mail addresses
    • Carries its own SMTP client
    • C&C capabilities similar to Spybot
• W32/Polybot
  • Derived from the W32/Gaobot code base
  • Named for its use of polymorphism: morphs its code on each infection
Bot Families & Variants
• W32/PoeBot (a.k.a. W32/Linkbot)
  • Worm / bot hybrid
  • Primary capabilities:
    • Infects machines through open shares
    • Installs a backdoor
    • Waits for commands via IRC
Bot Families & Variants
• Other bot types and families
  • Perl bots – written as Perl scripts
  • VB bots – written in Microsoft Visual Basic
  • DNSX bots – Dataspy Network X bot, written in C++ and extendable via plugins
  • Q8 bots – a very small UNIX/Linux-based bot consisting of 926 lines of C code
  • Kaiten – a bot written for the UNIX and Linux platforms
Bot Packing Analysis
• Packing technology has a significant impact on detection
• Packing contributes to bot variant creation
  • % of bot variants resulting from packing is unknown
• 2005 bot packing stats:
  • 46 distinct packing technologies identified
  • Top 12 packers used make up 83% of packed samples
  • 2,747 samples had packing technology
  • 79% of samples packed
  • 524 had no identifiable packing, but were possibly packed
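As an added example (not the deck's MSAT tool or its data), here is a small Python version of the statistics pipeline from the methodology slide, producing the kind of packing and feature numbers shown on the packing slide: extract strings from already-unpacked sample bytes, apply string heuristic rules, store the results in SQLite, and query with SQL. The sample bytes, packer labels and rule set are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample set (not from the deck): (name, bytes of an already
# unpacked sample, packer reported by a PEiD-like lookup, or None if none).
SAMPLES = [
    ("bot_a", b"\x00PRIVMSG\x00JOIN #ch\x00NICK\x00.ddos.syn\x00", "UPX"),
    ("bot_b", b"\x00USER\x00\\\\%s\\ipc$\x00\\\\%s\\admin$\x00", "UPX"),
    ("bot_c", b"\x00kernel32.dll\x00HELO\x00MAIL FROM:\x00RCPT TO:\x00", "ASPack"),
    ("bot_d", b"\x00PRIVMSG\x00ntoskrnl.exe\x00ZwQuerySystemInformation\x00", None),
]

# Illustrative string heuristic rules (assumed, MSAT-style): feature -> regex.
RULES = {
    "irc_cnc": re.compile(r"^(PRIVMSG|JOIN|NICK|USER)$"),
    "smtp_client": re.compile(r"^(HELO|MAIL FROM:|RCPT TO:)$"),
    "share_spread": re.compile(r"\\\\%s\\(ipc|admin|c)\$", re.I),
    "ddos": re.compile(r"^\.ddos\."),
}

def extract_strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, like the strings tool."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def classify(strings):
    """A feature is present when any extracted string matches its rule."""
    return {f: any(rx.search(s) for s in strings) for f, rx in RULES.items()}

def build_db(samples):
    """Store per-sample packer and features in SQLite so stats are SQL queries."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sample(name TEXT, packer TEXT)")
    db.execute("CREATE TABLE feature(name TEXT, feature TEXT)")
    for name, data, packer in samples:
        db.execute("INSERT INTO sample VALUES (?, ?)", (name, packer))
        for feat, present in classify(extract_strings(data)).items():
            if present:
                db.execute("INSERT INTO feature VALUES (?, ?)", (name, feat))
    return db

def packing_stats(db):
    """Percent of samples with an identified packer, and packers by frequency."""
    total, packed = db.execute("SELECT COUNT(*), COUNT(packer) FROM sample").fetchone()
    top = db.execute("SELECT packer, COUNT(*) FROM sample WHERE packer IS NOT NULL "
                     "GROUP BY packer ORDER BY 2 DESC").fetchall()
    return round(100 * packed / total), top

def feature_counts(db):
    """How many samples exhibit each feature (the per-feature trend numbers)."""
    return dict(db.execute("SELECT feature, COUNT(*) FROM feature GROUP BY feature"))
```

Samples whose packer lookup returns nothing land in the same bucket the deck calls "no identifiable packing, but possibly packed", which is why the percentage is a lower bound.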
Research Challenges
• General challenges
  • Scaling the static analysis / reverse engineering process
  • Efficiently unpacking large numbers of samples
• Limitations of string extraction
  • Lack of context
  • Junk strings
  • Obfuscated strings
• Lack of tools
  • Need more automated tools
  • Need tools with better analysis capabilities
• Acquiring malware collections
  • Difficult to obtain a complete corpus
  • Most collectors protect their collections
Summary
• Presented a flavor of 2005 bot trends
• Analysis of trends is at a preliminary stage
• Many different ways to statically analyze bot trends and patterns
• Need to address several challenges:
  • Processing a large corpus of samples efficiently
  • Acquiring or building better tools
  • Determining the best features and feature combinations to trend
  • Acquiring new malware collections
• We are open to collaboration!
References
• J. Canavan, “The Evolution of Malicious IRC Bots,” Virus Bulletin Conference 2005. http://www.symantec.com/avcenter/reference/the.evolution.of.malicious.irc.bots.pdf
• “Know Your Enemy: Tracking Botnets,” The Honeynet Project & Research Alliance. http://www.honeynet.org/papers
• McAfee, Inc., Virus Information Library. http://vil.nai.com/default.aspx
• N. Ianelli, A. Hackworth, “Bots as a Vehicle for Online Crime,” CERT/CC. www.cert.org/archive/pdf/Botnets.pdf
• E. Cooke, F. Jahanian, D. McPherson, “The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets,” USENIX SRUTI ’05. www.usenix.org/events/sruti05/tech/talks/cooke.pdf
• Sophos, Inc., “W32/POEBot.” http://www.sophos.com/virusinfo/analyses/w32poebota.html