A Darkcomet Case-Study

Total Page:16

File Type:pdf, Size:1020Kb

A Darkcomet Case-Study TOWARD AN AUTOMATED BOTNET ANALYSIS FRAMEWORK: A DARKCOMET CASE-STUDY Submitted in partial fulfilment of the requirements of the degree Master of Sciences of Rhodes University Jeremy Cecil du Bruyn Grahamstown, South Africa June 2015 Abstract This research proposes a framework for the automated analysis of malware samples, specifically botnet binaries. This framework will automate the collection, analysis, and infiltration of botnets. Due to the increased number of samples released daily, such frameworks have become a necessity for anti-malware organisations and product vendors. Some academic research has recently been concluded into their design and development. A review of current botnet analysis frameworks highlights a number of fundamental shortcomings when compared to modern analysis framework design and implementation recommendations. As such, research was conducted into the design of a modern, automated botnet analysis framework incorporating this advice. This document presents a modular, low resource botnet analysis framework which is not botnet family or variant specific. Detailed information on the roles, design criteria and implementation of the systems which make up this framework is provided. To test and prove the proposed framework's feasibility, a case-study was conducted which resulted in the collection of 83,175 DarkComet Remote Administration Tool (RAT) samples, of which 48.85% were successfully analysed and their configuration information extracted. This lead to the infiltration of 751 Command and Control servers, which provided information on 109,535 unique victim computers. The collection of the DarkComet bot binaries occurred between August of 2013 and June 2014, with Command and Control (C&C) infiltration commencing on 10 May 2014 and concluding on 6 June 2014. This research updates and expands current DarkComet analysis literature by presenting a com- prehensive breakdown of all possible configuration settings embedded within DarkComet bot binaries. A refined exploit for the previously published QUICKUP vulnerability, which prevents detection by botmasters and supports the downloading of large files, is provided. This document concludes with some of the lessons learnt during the development and implementation of the framework and provides advice for future improvements. The contribution of this research is a review of the shortcomings of current academic automated botnet analysis frameworks, considerations for the development of future frameworks, and a de- tailed description of the design and implementation of the framework developed. Additionally, the results of a case-study which leveraged the framework to analyse DarkComet RAT sam- ples is provided, along with additional design considerations gleamed through a review of the framework's performance during the case-study. Acknowledgements A number of people have been instrumental in the success of this thesis, without who this work may never have been completed. Whilst some require special mention, to those not named, my eternal thanks go out to you. To my wife Samantha, for the limitless patience, support, and encouragement shown during this extended process. And to my daughters, Taylor and Juliet, for letting daddy "do his schoolwork" when required. To my supervisor Dr. Barry Irwin, for sharing his almost boundless knowledge, undeterred guidance, and essential "nudges" when the task seemed too great to accomplish and energy levels were depleted. To my long-time friends Nicholas Arvanitis and John McKay, for finding the time to proofread and highlight technical and grammatical mistakes my subconscious had decided to ignore. Any errors that remain are mine alone. i Table of Contents List of Figures iv List of Tables vi 1 Introduction 1 1.1 Research Goal . .2 1.2 Research Methodology . .2 1.3 Document Conventions . .3 1.4 Document Structure . .3 2 Literature Review 4 2.1 Malware Analysis . .4 2.1.1 Static Analysis . .5 2.1.2 Dynamic Analysis . .5 2.2 Malware Detection . .6 2.3 Malware Use . .7 2.4 Existing Automated Botnet Analysis Framework Research . .8 2.5 Existing Botnet Framework Shortcomings . 11 2.6 Summary . 12 3 DarkComet 13 3.1 DarkComet Introduction . 14 3.2 DarkComet Capabilities . 14 3.3 DarkComet Components . 14 3.3.1 DarkComet Client and Builder . 16 3.3.2 DarkComet Server . 18 3.4 DarkComet Configuration . 19 3.5 DarkComet Communication . 20 3.6 Previous DarkComet Research . 23 3.7 DarkComet Summary . 24 4 Framework Design 25 4.1 Framework Design Considerations . 25 4.2 Framework Details . 26 4.3 Sample Collection System . 28 4.3.1 Sample Acquisition Module . 28 4.3.2 Sample Metadata Collection Module . 29 ii 4.4 Sample Analysis System . 30 4.4.1 Static Analysis Module . 31 4.4.2 Dynamic Analysis Module . 33 4.5 Infiltration System . 35 4.5.1 C&C Liveness Module . 36 4.5.2 C&C Interaction Module . 37 4.6 Message Queue . 39 4.7 Framework Design Summary . 40 5 Framework Implementation 42 5.1 Sample Collection System Implementation . 42 5.1.1 Sample Acquisition Module Implementation . 44 5.1.2 Sample Metadata Collection Module Implementation . 47 5.2 Sample Analysis System Implementation . 51 5.2.1 Static Analysis Module Implementation . 51 5.3 Infiltration System Implementation . 56 5.3.1 C&C Liveness Module Implementation . 56 5.3.2 C&C Interaction Module Implementation . 58 5.4 Datastore Implementation . 61 5.5 Framework Implementation Summary . 64 6 Case-study: Data Analysis 67 6.1 Sample Acquisition Module Analysis . 67 6.2 Sample Metadata Collection Module Analysis . 68 6.2.1 Malware Family Distribution . 68 6.2.2 File Type Distribution . 69 6.2.3 File Size Analysis . 73 6.2.4 First Seen Distribution . 78 6.2.5 Using Fuzzy Hashing to Identify DarkComet Versions . 80 6.3 Sample Analysis System Analysis . 81 6.3.1 Statically Analysed Malware Family Distribution . 81 6.3.2 Statically Analysed File Types Distribution . 83 6.3.3 Statically Analysed First Seen Distribution . 84 6.3.4 C&C Servers per Bot Binary . 85 6.3.5 C&C Hostname Analysis . 86 6.3.6 C&C TCP Port Analysis . 87 6.3.7 C&C Communication Encryption Key Analysis . 88 6.3.8 C&C Bot Configuration Analysis . 89 6.4 C&C Liveness Module Analysis . 91 6.4.1 C&C Geographic Dispersion . 92 6.5 C&C Interaction Module Analysis . 93 6.5.1 Victim Geogrpahic Distribution . 94 6.5.2 Victim Organisation Distribution . 94 6.5.3 Common C&C Ports . 95 6.5.4 Botnet Size . 95 6.5.5 Victim Operating System . 96 6.5.6 Victim Username . 96 6.6 Summary . 97 iii 7 Conclusion 99 7.1 Research Methodology . 99 7.1.1 Existing Framework Reviews . 99 7.1.2 Framework Design Considerations . 100 7.2 Case-study Results . 102 7.3 Proposed Framework Shortcomings . 103 7.4 Future Work . 104 References 104 Appendices 111 A DarkComet Builder Menus 112 B DarkComet Complete Configuration Key-Value Pairs 122 iv List of Figures 3.1 The DarkComet client/operator main interface. 16 3.2 DarkComet client main menu. 17 3.3 DarkComet builder minimalist configuration. 17 3.4 DarkComet builder "Full editor" menu. 18 3.5 DarkComet version 4 binary showing configuration information. 19 3.6 DarkComet version 5.1 binary showing encrypted configuration information. 20 4.1 Framework process flow. 27 4.2 Sample Acquisition module process flow. 29 4.3 Metadata collection module process flow. 30 4.4 Sample Analysis System analysis process flow. 31 4.5 A generic Static Analysis module process flow. 33 4.6 The Dynamic Analysis module process flow. 34 4.7 Infiltration System process flow. 36 4.8 C&C Liveness module process flow. 37 4.9 C&C Interaction module process flow. 39 4.10 Message queue process flow. 40 5.1 DarkComet configuration extraction process. 54 5.2 Case-study Static Analysis module process flow. 55 5.3 Datastore Implementation. ..
Recommended publications
  • Pest Control: Taming the Rats
    RESEARCH pest control: taming the rats Authors Remote Administration Tools (RATs) allow a Shawn Denbow remote attacker to control and access the Twitter: @sdenbow_ system. In this paper, we present our analysis of Email: [email protected] their protocols, explain how to decrypt their Jesse Hertz traffic, as well as present vulnerabilities we have Twitter: @hectohertz found. Email: [email protected] Introduction As 2012 Matasano summer interns, we were tasked with running a research project with a couple criteria: • It should be something we are both interested in. • We should be able to present our research for the company at the end of our internship. However, on completion, we decided that it would be best if we made our findings public. With John Villamil, our advisor, we decided that given our interest in low-level analysis, we should analyze Remote Administration Tools (RATs). RATs have recently seen media attention due to their use by oppressive governments in spying on activists and other “dissidents”. We felt this to be a perfect project. Remote Administration Tools are pieces of software which, once installed on a victim’s computer allow a remote user to control and access the system. RATs can be used legitimately by system administrators, or they can be used maliciously. There are a variety of methods by which they are installed on a computer: Various social engineering tactics can be employed to get a user to open the executable, they can be bundled with other pieces of software, they can be installed as the payload of a virus or worm, or they can be installed after an attacker gains access to a system through an exploit.
    [Show full text]
  • Adwind a Cross Platform
    ADWIND A CROSSPLATFORM RAT REPORT ON THE INVESTIGATION INTO THE MALWAREASASERVICE PLATFORM AND ITS TARGETED ATTACKS Vitaly Kamluk, Alexander Gostev February 2016 V. 3.0 #TheSAS2016 #Adwind CONTENTS Executive summary ..................................................................................................... 4 The history of Adwind ................................................................................................ 5 Frutas RAT ................................................................................................................. 5 The Adwind RAT ..................................................................................................... 11 UNRECOM ................................................................................................................ 17 AlienSpy ..................................................................................................................... 24 The latest reincarnation of the malware ............................................................. 28 JSocket.org: malware-as-a-service ................................................................. 28 Registration .............................................................................................................. 29 Online malware shop ........................................................................................... 30 YouTube channel .................................................................................................... 32 Profitability ..............................................................................................................
    [Show full text]
  • Growth and Commoditization of Remote Access Trojans
    30 September - 2 October, 2020 / vblocalhost.com GROWTH AND COMMODITIZATION OF REMOTE ACCESS TROJANS Veronica Valeros & Sebastian García Czech Technical University in Prague, Czech Republic [email protected] [email protected] www.virusbulletin.com GROWTH AND COMMODITIZATION OF REMOTE ACCESS TROJANS VALEROS & GARCÍA ABSTRACT Remote access trojans (RATs) are an intrinsic part of traditional cybercriminal activities, and they have also become a standard tool in advanced espionage attacks and scams. There have been significant changes in the cybercrime world in terms of organization, attacks and tools in the last three decades, however, the overly specialized research on RATs has led to a seeming lack of understanding of how RATs in particular have evolved as a phenomenon. The lack of generalist research hinders the understanding and development of new techniques and methods to better detect them. This work presents the first results of a long-term research project looking at remote access trojans. Through an extensive methodological process of collection of families of RATs, we are able to present an analysis of the growth of RATs in the last 30 years. Through a closer analysis of 11 selected RATs, we discuss how they have become a commodity in the last decade. Finally, through the collected information we attempt to characterize RATs, their victims, attacks and operators. Preliminary results of our ongoing research have shown that the number of RATs has increased drastically in the past ten years and that nowadays RATs have become standardized commodity products that are not very different from each other. INTRODUCTION Remote access software is a type of computer program that allows an individual to have full remote control of the device on which the software is installed.
    [Show full text]
  • Rat Software Download
    Rat software download click here to download Remote Administration Tools The function of RAT (Remote Administration Tool) is considered that programs that allow certain types. Download | Chrome remote. 2. TeamViewer. Teramviewer remote VNC is a program free software based on a client-server structure. Also called software Remote ​Best Remote Administration · ​Chrome remote · ​TeamViewer · ​CrossLoop. While desktop sharing and remote administration have many legal uses, “RAT” software is usually associated with unauthorized or malicious activity. of it's undetectable by many of the anti-viruses, but it surely was not a secure RAT possibly now they've improved their product in stability. Download jspy. Free trial of our award-winning software. WhatsUp® Gold - Start A Free Day Trial Icon. If you are like the rest of our user community, your IT team is busy. With pressure to deliver on- time projects, you don't have a lot of time to spend making your management tools work. You need network monitoring tools that work for. DarkComet RAT All Versions · With 7 comments · DarkComet RAT. In this post you can download all the good versions of DarkComet RAT these are original files downloaded from the DarkComet website before it was taken down. DarkCometRAT · DarkCometRAT53 · DarkCometRATF. Trojan - RAT Program free download - trojan rat programı indir - http://dosya. You will find downloads, sources, of a variety of products, coded by our team. You may also use the Search to find an specific program. Binders | Packers | Joiners | Crypters - Contains 2 downloads. View this product section Binders, file joiners, packers, crypters and related. Bots | IRC - Contains 1 downloads.
    [Show full text]
  • The Gateway Trojan
    THE GATEWAY TROJAN Volume 1, Version 1 TABLE OF CONTENTS About This Report ....................................................................................................................................1 Why This Malware?..................................................................................................................................2 The Basic Questions About RATs..........................................................................................................2 Different Breeds of RATs ........................................................................................................................5 Symantec’s Haley Subcategories of RATs .........................................................................................6 Dissecting a RAT .......................................................................................................................................7 Category II: Common RATs ....................................................................................................................9 Back Orifice ...........................................................................................................................................9 Bifrost ................................................................................................................................................. 10 Blackshades ....................................................................................................................................... 11 DarkTrack .........................................................................................................................................
    [Show full text]
  • Penetration Testing, Metasploit Tutorial, Metasploit Hacking,Pentest
    Hacking Articles Raj Chandel's Blog Author Web Penetration Testing Penetration Testing Courses We Offer My Books Donate us Penetration Testing Subscribe to Blog via Email Linux Privilege Escalation using Miscongured NSF Enter your email address to Linux Privilege Escalation using Sudo Rights subscribe to this blog and receive Capture NTLM Hashes using PDF (Bad-Pdf) notications of new posts by email. Privilege Escalation in Linux using etc/passwd le Email Address Compressive Guide to File Transfer (Post Exploitation) SUBSCRIBE SNMP Lab Setup and Penetration Testing 6 Ways to Hack SNMP Password Comprehensive Guide to SSH Tunnelling 4 ways to Hack MS SQL Login Password Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD Nmap Scan with Timing Parameters Comprehensive Guide to Crunch Tool Spawn TTY Shell using Msfvenom (One Liner Payload) 6 Ways to Hack VNC Login Password 6 Ways to Hack PostgresSQL Login 5 Ways to Hack MySQL Login Password Bypass SSH Restriction by Port Relay Generating Scan Reports Using Nmap (Output Scan) Port Scanning using Metasploit with IPTables Understanding Guide to Mimikatz Understanding Guide for Nmap Timing Scan (Firewall Bypass) Understanding Guide for Nmap Ping Scan (Firewall Bypass) Manual Post Exploitation on Windows PC (Network Command) Sessions Command in Metasploit Comprehensive Guide to Nmap Port Status Categories Bind Payload using SFX archive with Trojanizer BackTrack 5 Tutorials Best of Hacking Beginner Guide to IPtables Browser Hacking Post Exploitation Using WMIC (System Command)
    [Show full text]
  • UNIVERSITY of CALIFORNIA SAN DIEGO Understanding the Remote
    UNIVERSITY OF CALIFORNIA SAN DIEGO Understanding the Remote Access Trojan malware ecosystem through the lens of the infamous DarkComet RAT A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science (Computer Engineering) by Brown Rhodes Farinholt Committee in charge: Professor Kirill Levchenko, Chair Professor Farinaz Koushanfar Professor Stefan Savage Professor Alex Snoeren Professor Geoff Voelker 2019 Copyright Brown Rhodes Farinholt, 2019 All rights reserved. The Dissertation of Brown Rhodes Farinholt is approved and it is acceptable in quality and form for publication on microfilm and electronically: Chair University of California San Diego 2019 iii DEDICATION To my parents, for raising me to chase my dreams. I owe this all to you. iv EPIGRAPH The first principle is that you must not fool yourself, and you are the easiest person to fool. Richard Feynman In writing, you must kill all your darlings. William Faulkner The truth may be puzzling. It may take some work to grapple with. It may be counterintuitive. It may contradict deeply held prejudices. It may not be consonant with what we desperately want to be true. But our preferences do not determine what’s true. We have a method, and that method helps us to reach not absolute truth, only asymptotic approaches to the truth never there, just closer and closer, always finding vast new oceans of undiscovered possibilities. Cleverly designed experiments are the key. Carl Sagan v TABLE OF CONTENTS Signature Page . iii Dedication . iv Epigraph . v Table of Contents . vi List of Figures . x List of Tables .
    [Show full text]
  • List of TCP and UDP Port Numbers - Wikipedia, Th
    List of TCP and UDP port numbers - Wikipedia, th... https://en.wikipedia.org/wiki/List_of_TCP_and_U... List of TCP and UDP port numbers From Wikipedia, the free encyclopedia This is a list of Internet socket port numbers used by protocols of the transport layer of the Internet Protocol Suite for the establishment of host-to-host connectivity. Originally, port numbers were used by the Network Control Program (NCP) in the ARPANET for which two ports were required for half-duplex transmission. Later, the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) needed only one port for full-duplex, bidirectional traffic. The even-numbered ports were not used, and this resulted in some even numbers in the well-known port number range being unassigned. The Stream Control Transmission Protocol (SCTP) and the Datagram Congestion Control Protocol (DCCP) also use port numbers. They usually use port numbers that match the services of the corresponding TCP or UDP implementation, if they exist. The Internet Assigned Numbers Authority (IANA) is responsible for maintaining the official assignments of port numbers for specific uses.[1] However, many unofficial uses of both well-known and registered port numbers occur in practice. Contents 1 Table legend 2 Well-known ports 3 Registered ports 4 Dynamic, private or ephemeral ports 5 See also 6 References 7 External links Table legend Official: Port is registered with IANA for the application.[1] Unofficial: Port is not registered with IANA for the application. Multiple use: Multiple applications are known to use this port. Well-known ports The port numbers in the range from 0 to 1023 are the well-known ports or system ports.[2] They are used by system processes that provide widely used types of network services.
    [Show full text]
  • Comodo Threat Research Labs Q1 2017 REPORT THREAT RESEARCH LABS
    Comodo Threat Research Labs Q1 2017 REPORT THREAT RESEARCH LABS Table of Contents Executive Summary ..................................................................................................3 Malware Analysis .......................................................................................................6 1 | Backdoor ...............................................................................................12 2 | Packer ...................................................................................................15 3 | Trojan.....................................................................................................18 4 | Virus ......................................................................................................21 5 | Worm .....................................................................................................24 Ransomware ...........................................................................................................27 United States Analysis ............................................................................................30 World Analysis .........................................................................................................35 1 | Africa .....................................................................................................36 2 | Asia .......................................................................................................38 3 | Europe ...................................................................................................40
    [Show full text]
  • Pobierz Raport
    Raport CERT Orange Polska za rok 2014 Raport CERT Orange Polska za rok 2014 Spis treści Raport powstał we współpracy z Integrated Solutions, 1. Dlaczego powstał raport CERT Orange Polska? 5 dostawcą nowoczesnych rozwiązań ze świata 2. Podsumowanie informacji zawartych w raporcie 7 3. CERT Orange Polska – kim jesteśmy? 9 informatyki i telekomunikacji. 4. Najgroźniejsze podatności 2014 roku na świecie 11 4.1 Okiem partnera – McAfee 11 5. Najważniejsze zagrożenia roku 2014 w sieci Orange Polska 13 5.1 Case study – atak na modemy DSL (luty 2014) 15 5.2 Case study – fałszywe faktury, ataki phishingowe (2. połowa roku) 17 6. Ataki DDoS 19 6.1 Ryzyka związane z atakami DDoS 19 6.2 Statystyki 19 6.3 Okiem partnera – Radware 23 7. Malware 25 7.1 Malware na platformy stacjonarne 27 7.2 Malware na platformy mobilne 30 7.3 Okiem partnera – FireEye 31 8. Skanowania portów i podatności 33 8.1 Skanowania portów 33 8.2 Podatności 35 9. Cyberświat 2015 oczami partnerów Orange Polska 40 10. Komercyjne usługi bezpieczeństwa Orange Polska 44 11. Załączniki 46 11.1 Załącznik 1. Analiza malware WinSpy (na komputery stacjonarne) 47 11.2 Załącznik 2. Analiza malware Emotet (na komputery stacjonarne) 55 11.3 Załącznik 3. Analiza malware NotCompatible.C (na urządzenia mobilne z systemem Android) 59 11.4 Załącznik 4. Analiza podatności Heartbleed 64 11.5 Załącznik 5. Analiza podatności Shellshock 66 11.6 Załącznik 6. Analiza podatności Poodle 71 11.7 Załącznik 7. Inne interesujące podatności 75 2 3 Raport CERT Orange Polska za rok 2014 1. Dlaczego powstał raport CERT Orange Polska? Ponad 2 miliony klientów stacjonarnych usług szerokopasmowego dostępu do internetu, przeszło 100 tysięcy alertów DDoS, kilkanaście tysięcy incydentów bezpieczeństwa w ciągu roku, niezliczone ilości przejętego i przeanalizowanego złośliwego oprogramowania, 18 lat doświadczenia w dziedzinie bezpieczeństwa IT.
    [Show full text]
  • Growth and Commoditization of Remote Access Trojans
    Growth and Commoditization of Remote Access Trojans Veronica Valeros Sebastian Garcia Department of Computer Science Department of Computer Science Czech Technical University Czech Technical University Prague, Czech Republic Prague, Czech Republic [email protected] [email protected] Abstract—In the last three decades there have been significant remains to today, their use has evolved. In the last decade changes in the cybercrime world in terms of organization, type more and more RATs were used in espionage, financial of attacks, and tools. Remote Access Trojans (RAT) are an and state sponsored attacks [3]–[5]. While many of them intrinsic part of traditional cybercriminal activities but they had their source code leaked or open sourced, the market have become a standard tool in advanced espionage and scams for Fully Undetectable (FUD) RATs and special plugins attacks. The overly specialized research in our community matured. Nowadays, RATs have become a commodity. on Remote Access Trojans has resulted in a seemingly lack Despite the abundance of reports on individual RAT of general perspective and understanding on how RATs have families and attacks that use them [6], there is no previous evolved as a phenomenon. This work presents a new generalist research that looks at RATs as a whole. The growth and perspective on Remote Access Trojans, an analysis of their evolution of RATs appears to have escaped public attention growth in the last 30 years, and a discussion on how they so far. The lack of a more generalist research hinders have become a commodity in the last decade. We found that the understanding and development of new techniques and the amount of RATs increased drastically in the last ten years methods to better detect them.
    [Show full text]
  • A Comparative Evaluation of Remote Administration Tools Rupal D
    Volume 4, No. 4, March-April 2013 ISSN No. 0976-5697 International Journal of Advanced Research in Computer Science REVIEW ARTICLE Available Online at www.ijarcs.inf A Comparative Evaluation of Remote Administration Tools Rupal D. Bhatt* Dr. D.B.Choksi Anand Mercantile College of Science Department Of Computer Science Management and Computer Technology, Anand Sardar Patel University, V.V.Nagar. Anand, Gujarat, India Anand, Gujarat, India [email protected] [email protected] Abstract: Remote administration is important for improving efficiency in managing and maintaining computer systems across communication networks in a cost-effective manner. Contemporary remote access tools support versatile features for controlling remote systems through a wide range of attractive features. Many remote administration tools are found in the market and it is difficult to choose appropriate tools to meet our needs. This paper presents comparative study of selected popular remote administration tools to help users in making appropriate selection of suitable tools. The paper undergoes comparison among various categories, such as Graphical User Interface (GUI) oriented tools, Command-Line Interface (CLI) tools, Windows Management Instrumentation (WMI) tools, Web based GUI tools, Console based tools, etc. considering various popular remote access software tools. Keywords: Remote administration; Remote Access Tools (RATs); Communication Networks desktop" software to access desktop from any place in the I. INTRODUCTION world [3]. Some virtualization platforms allow a user to simultaneously run multiple virtual machines on local A remote access software tool refers to a piece of hardware, such as a laptop, using hypervisor technology. software that allows a user to control a remote system as if a The controlling computer displays a copy of the image user has a physical access to that system [1].
    [Show full text]