Botnet Analysis

Botnet difficulties

Botnets have existed for some time, but the landscape has dramatically changed.

Botnets now operate purely on economic or political grounds. They are traded and retraded in the same way that insurance is reinsured, with every compromised machine representing a unit of money. A large botnet will typically have dozens of individuals involved in its operation at some level, each taking on a share of the risk and receiving a share of the reward, much as in insurance.

Botnets that operate on political grounds typically perform distributed denial of service (DDoS) attacks on websites or services that they hold a political disagreement with. Although some may applaud their use, almost always the end-user suffers with damage to intermediate infrastructure.

So how do we stop them? Automated mechanisms can be put in place to recognize patterns in packet bursts, but this is only the first step of identification. In some scenarios, a good intrusion detection system (IDS) will detect a large surge in botnet activity and a ruleset can be configured to block the attack, but this usually doesn't work. Public firewall rulesets are fairly successful at blocking known attacks, but usually only several months after initial identification.

How we track botnets

It's clear that automated mechanisms alone cannot protect your network from botnets. Our manual research involves keeping up-to-date with the latest botnet trojans available from the underground market. This enables us to analyze the original source code as written by the authors, rather than a reverse-engineered version of the compiled binary.

Once a botnet trojan is released to market, several modified versions tend to be released within weeks in an attempt to steal the fame. We track these specific versions carefully, as they will often behave differently.

What we can provide

To enable hosts and corporations to defend against the latest emerging botnets, we offer ad-hoc and ongoing services:

  • Ad-hoc: Provide reverse-engineered binaries and source code of requested trojans and control panels
  • Ad-hoc: Signature and revision history of requested trojans
  • Ad-hoc: Provide IDS rules to block against latest requested threats
  • Ad-hoc: Botnet source tracing with a report on weaknesses and vulnerabilities of the botnet, how to take it down and any potential implications
  • Ongoing: Perform predictive analysis of upcoming events using a tailored pseudo-packet analysis service
  • Ongoing: Medium- and long-term reporting on botnet activity within a network

Botnet analysis: how our techniques integrate with your infrastructure

Image: how our techniques can integrate seamlessly with your existing IDS and firewall

Example service

The LOIC client DDoS tool is used to leverage a "voluntary botnet" against targets. To protect against such attacks, we can offer:

  • Analysis and reverse engineering of all versions of LOIC, HOIC, JS-LOIC, LOIC2, LOIC_Python SlamDunk and other emerging tools of similar nature
  • Surveillance and analysis of command channels used to control attacks
  • Media analysis of financial and business impact caused by attacks
  • Intrusion detection rules for covered tools
  • Modified client tools that join the botnet without participating, enabling real-time reporting of new targets

Find out more

We offer both community and commercial services. Get in touch to find out how we can help you today.