TOWARD AN AUTOMATED BOTNET ANALYSIS FRAMEWORK: A DARKCOMET CASE-STUDY

Submitted in partial fulfilment of the requirements of the degree Master of Sciences of Rhodes University

Jeremy Cecil du Bruyn
Grahamstown, South Africa
June 2015

Abstract

This research proposes a framework for the automated analysis of malware samples, specifically botnet binaries. This framework will automate the collection, analysis, and infiltration of botnets. Due to the increased number of samples released daily, such frameworks have become a necessity for anti-malware organisations and product vendors. Some academic research into their design and development has recently been concluded. A review of current botnet analysis frameworks highlights a number of fundamental shortcomings when compared to modern analysis framework design and implementation recommendations. As such, research was conducted into the design of a modern, automated botnet analysis framework incorporating this advice.

This document presents a modular, low resource botnet analysis framework which is not botnet family or variant specific. Detailed information on the roles, design criteria and implementation of the systems which make up this framework is provided. To test and prove the proposed framework's feasibility, a case-study was conducted which resulted in the collection of 83,175 DarkComet Remote Administration Tool (RAT) samples, of which 48.85% were successfully analysed and their configuration information extracted. This led to the infiltration of 751 Command and Control servers, which provided information on 109,535 unique victim computers. The collection of the DarkComet bot binaries occurred between August of 2013 and June 2014, with Command and Control (C&C) infiltration commencing on 10 May 2014 and concluding on 6 June 2014.
This research updates and expands current DarkComet analysis literature by presenting a comprehensive breakdown of all possible configuration settings embedded within DarkComet bot binaries. A refined exploit for the previously published QUICKUP vulnerability, which prevents detection by botmasters and supports the downloading of large files, is provided. This document concludes with some of the lessons learnt during the development and implementation of the framework and provides advice for future improvements.

The contribution of this research is a review of the shortcomings of current academic automated botnet analysis frameworks, considerations for the development of future frameworks, and a detailed description of the design and implementation of the framework developed. Additionally, the results of a case-study which leveraged the framework to analyse DarkComet RAT samples are provided, along with additional design considerations gleaned through a review of the framework's performance during the case-study.

Acknowledgements

A number of people have been instrumental in the success of this thesis, without whom this work may never have been completed. Whilst some require special mention, to those not named, my eternal thanks go out to you.

To my wife Samantha, for the limitless patience, support, and encouragement shown during this extended process. And to my daughters, Taylor and Juliet, for letting daddy "do his schoolwork" when required.

To my supervisor Dr. Barry Irwin, for sharing his almost boundless knowledge, undeterred guidance, and essential "nudges" when the task seemed too great to accomplish and energy levels were depleted.

To my long-time friends Nicholas Arvanitis and John McKay, for finding the time to proofread and highlight technical and grammatical mistakes my subconscious had decided to ignore. Any errors that remain are mine alone.

Table of Contents

List of Figures iv
List of Tables vi
1 Introduction 1
1.1 Research Goal 2
1.2 Research Methodology 2
1.3 Document Conventions 3
1.4 Document Structure 3
2 Literature Review 4
2.1 Malware Analysis 4
2.1.1 Static Analysis 5
2.1.2 Dynamic Analysis 5
2.2 Malware Detection 6
2.3 Malware Use 7
2.4 Existing Automated Botnet Analysis Framework Research 8
2.5 Existing Botnet Framework Shortcomings 11
2.6 Summary 12
3 DarkComet 13
3.1 DarkComet Introduction 14
3.2 DarkComet Capabilities 14
3.3 DarkComet Components 14
3.3.1 DarkComet Client and Builder 16
3.3.2 DarkComet Server 18
3.4 DarkComet Configuration 19
3.5 DarkComet Communication 20
3.6 Previous DarkComet Research 23
3.7 DarkComet Summary 24
4 Framework Design 25
4.1 Framework Design Considerations 25
4.2 Framework Details 26
4.3 Sample Collection System 28
4.3.1 Sample Acquisition Module 28
4.3.2 Sample Metadata Collection Module 29
4.4 Sample Analysis System 30
4.4.1 Static Analysis Module 31
4.4.2 Dynamic Analysis Module 33
4.5 Infiltration System 35
4.5.1 C&C Liveness Module 36
4.5.2 C&C Interaction Module 37
4.6 Message Queue 39
4.7 Framework Design Summary 40
5 Framework Implementation 42
5.1 Sample Collection System Implementation 42
5.1.1 Sample Acquisition Module Implementation 44
5.1.2 Sample Metadata Collection Module Implementation 47
5.2 Sample Analysis System Implementation 51
5.2.1 Static Analysis Module Implementation 51
5.3 Infiltration System Implementation 56
5.3.1 C&C Liveness Module Implementation 56
5.3.2 C&C Interaction Module Implementation 58
5.4 Datastore Implementation 61
5.5 Framework Implementation Summary 64
6 Case-study: Data Analysis 67
6.1 Sample Acquisition Module Analysis 67
6.2 Sample Metadata Collection Module Analysis 68
6.2.1 Malware Family Distribution 68
6.2.2 File Type Distribution 69
6.2.3 File Size Analysis 73
6.2.4 First Seen Distribution 78
6.2.5 Using Fuzzy Hashing to Identify DarkComet Versions 80
6.3 Sample Analysis System Analysis 81
6.3.1 Statically Analysed Malware Family Distribution 81
6.3.2 Statically Analysed File Types Distribution 83
6.3.3 Statically Analysed First Seen Distribution 84
6.3.4 C&C Servers per Bot Binary 85
6.3.5 C&C Hostname Analysis 86
6.3.6 C&C TCP Port Analysis 87
6.3.7 C&C Communication Encryption Key Analysis 88
6.3.8 C&C Bot Configuration Analysis 89
6.4 C&C Liveness Module Analysis 91
6.4.1 C&C Geographic Dispersion 92
6.5 C&C Interaction Module Analysis 93
6.5.1 Victim Geographic Distribution 94
6.5.2 Victim Organisation Distribution 94
6.5.3 Common C&C Ports 95
6.5.4 Botnet Size 95
6.5.5 Victim Operating System 96
6.5.6 Victim Username 96
6.6 Summary 97
7 Conclusion 99
7.1 Research Methodology 99
7.1.1 Existing Framework Reviews 99
7.1.2 Framework Design Considerations 100
7.2 Case-study Results 102
7.3 Proposed Framework Shortcomings 103
7.4 Future Work 104
References 104
Appendices 111
A DarkComet Builder Menus 112
B DarkComet Complete Configuration Key-Value Pairs 122

List of Figures

3.1 The DarkComet client/operator main interface. 16
3.2 DarkComet client main menu. 17
3.3 DarkComet builder minimalist configuration. 17
3.4 DarkComet builder "Full editor" menu. 18
3.5 DarkComet version 4 binary showing configuration information. 19
3.6 DarkComet version 5.1 binary showing encrypted configuration information. 20
4.1 Framework process flow. 27
4.2 Sample Acquisition module process flow. 29
4.3 Metadata collection module process flow. 30
4.4 Sample Analysis System analysis process flow. 31
4.5 A generic Static Analysis module process flow. 33
4.6 The Dynamic Analysis module process flow. 34
4.7 Infiltration System process flow. 36
4.8 C&C Liveness module process flow. 37
4.9 C&C Interaction module process flow. 39
4.10 Message queue process flow. 40
5.1 DarkComet configuration extraction process. 54
5.2 Case-study Static Analysis module process flow. 55
5.3 Datastore Implementation.