Thanks to Rapid7's funding and technical support via the Magnificent 7 program we will be able to work on a framework for botnet command and control monitoring for the next year. The motivation behind this project is the fact that botnet analysis is often neglected due to the lack of proper open source tools. But this is about to change. Both developers have previously built their own, very specialized and case-specific solutions, and in this project we are going to combine them and build on top of our experience.
Botnet monitoring is a process of actively joining a botnet infrastructure in order to learn about its inner workings for research and analysis purposes. One clear distinction between a real bot and a monitoring bot is that the monitoring bot does not perform any harmful actions when instructed to by the bot herder.
If the monitoring bot can collect information, we will be able to understand what is going on inside the botnet and also find weaknesses and design flaws in the botnet protocol. This information can then be used for botnet takedown.
In Buttinsky, we will introduce some fresh ideas. One of the more exciting features of this project is the ability to mimic bot behaviour in order to provoke more interaction from the bot herder. A simple example would be collecting the instructions and responses seen on the control channel and generating a communication dictionary of the commands the bot herder uses.
Another interesting feature is support for receiving control channel parameters from malware analysis systems (MAS) such as Cuckoo Sandbox and starting the monitoring tool in an automated fashion. The design will be highly modular, where each layer of the framework stack can be customized using plugins. It will be especially interesting to see how the community will use the framework to monitor new botnet C&C protocols, adapt it on the fly to the data collected in a channel, and customize the behaviour emulation.
In the end we want to provide a platform that helps create automated threat assessments of the monitored botnets.
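To make the two features above concrete, here is an added Python sketch (not Buttinsky's code, and not Cuckoo's real report format) of how the pieces fit together: a monitor is spawned from a MAS report, a protocol plugin is looked up in a registry, and the plugin feeds every observed control-channel line into a communication dictionary that records which commands the herder sends, what shape their arguments have, and how real bots replied. The report structure, the IRC command prefix and the log lines are all constructed for the example; the monitor only records what it sees and never carries out a command.

```python
import json
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed, simplified analysis-system report (assumption: NOT Cuckoo's real
# report schema, only the fields a monitor needs in order to be spawned).
SAMPLE_MAS_REPORT = json.dumps({
    "sample": "sha256:PLACEHOLDER",
    "network": {"protocol": "irc", "server": "c2.example.invalid",
                "port": 6667, "channel": "#ctrl"},
})

# Constructed control-channel transcript, as the monitor would log it (IRC style).
SAMPLE_CHANNEL_LOG = """\
:herder!h@h PRIVMSG #ctrl :.login s3cr3t
:bot-001!b@b PRIVMSG #ctrl :[login] ok
:herder!h@h PRIVMSG #ctrl :.update http://c2.example.invalid/u.bin
:bot-001!b@b PRIVMSG #ctrl :[update] downloading
:herder!h@h PRIVMSG #ctrl :.ddos 192.0.2.10 80 60
:bot-001!b@b PRIVMSG #ctrl :[ddos] started
:bot-002!b@b PRIVMSG #ctrl :[ddos] started
:herder!h@h PRIVMSG #ctrl :.update http://c2.example.invalid/u2.bin
:irc.example.invalid NOTICE #ctrl :keepalive
"""


@dataclass(frozen=True)
class MonitorParams:
    protocol: str
    server: str
    port: int
    channel: str


def params_from_report(report_json: str) -> MonitorParams:
    """Pull the control-channel parameters a monitor needs out of a MAS report."""
    net = json.loads(report_json)["network"]
    return MonitorParams(net["protocol"], net["server"], int(net["port"]), net["channel"])


def arg_shape(arg: str) -> str:
    """Reduce an argument to its type so the same command with different
    targets or values collapses into one dictionary entry."""
    if re.match(r"^https?://", arg):
        return "<url>"
    if re.match(r"^\d{1,3}(\.\d{1,3}){3}$", arg):
        return "<ip>"
    if arg.isdigit():
        return "<n>"
    return "<str>"


class CommandDictionary:
    """Herder commands, their argument shapes and the bot replies that followed
    each command, learned purely from observed traffic."""

    def __init__(self):
        self.count = Counter()
        self.arg_shapes = defaultdict(Counter)
        self.responses = defaultdict(Counter)
        self._current = None  # command the next responses are attributed to

    def observe_command(self, verb, args):
        self.count[verb] += 1
        self.arg_shapes[verb][" ".join([verb] + [arg_shape(a) for a in args])] += 1
        self._current = verb

    def observe_response(self, text):
        if self._current is not None:
            self.responses[self._current][text] += 1

    def summary(self):
        return {verb: {"count": n,
                       "arg_shapes": dict(self.arg_shapes[verb]),
                       "responses": dict(self.responses[verb])}
                for verb, n in self.count.items()}


PLUGINS = {}  # protocol name -> plugin class


def plugin(protocol):
    def register(cls):
        PLUGINS[protocol] = cls
        return cls
    return register


IRC_PRIVMSG = re.compile(r"^:(?P<nick>[^!\s]+)!\S+ PRIVMSG (?P<target>\S+) :(?P<text>.*)$")


@plugin("irc")
class IrcMonitorPlugin:
    """Protocol plugin for IRC channel traffic: records what the herder says and
    how real bots answer; it does not execute anything."""
    COMMAND_PREFIX = "."  # assumption for the constructed botnet

    def __init__(self, params, dictionary):
        self.params = params
        self.dictionary = dictionary

    def handle_line(self, line):
        m = IRC_PRIVMSG.match(line.rstrip("\r\n"))
        if not m or m.group("target") != self.params.channel:
            return None  # server notices, private messages etc. are ignored
        text = m.group("text")
        if text.startswith(self.COMMAND_PREFIX):
            parts = text[len(self.COMMAND_PREFIX):].split()
            if not parts:
                return None
            self.dictionary.observe_command(parts[0], parts[1:])
            return ("command", parts[0])
        self.dictionary.observe_response(text)
        return ("response", text)


def spawn_monitor(report_json, dictionary=None):
    """Look up the plugin for the protocol named in the MAS report."""
    params = params_from_report(report_json)
    try:
        cls = PLUGINS[params.protocol]
    except KeyError:
        raise ValueError(f"no plugin for protocol {params.protocol!r}") from None
    return cls(params, dictionary if dictionary is not None else CommandDictionary())


def build_dictionary(report_json, channel_log):
    monitor = spawn_monitor(report_json)
    for line in channel_log.splitlines():
        monitor.handle_line(line)
    return monitor.dictionary


if __name__ == "__main__":
    print(json.dumps(build_dictionary(SAMPLE_MAS_REPORT, SAMPLE_CHANNEL_LOG).summary(), indent=2))
```

The argument-shape normalisation is what turns a log into a dictionary rather than a list: `.update` with two different URLs becomes one entry seen twice, and the replies attributed to each verb show what a convincing bot would have to say back. A second protocol only needs another class registered under its name; the dictionary and the spawning logic stay the same.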
The project is divided into two phases over a one year period. Main targets for each phase are listed below.
Phase I - First release
- Receive bot parameters from a MAS (malware analysis system) for spawning new botnet monitors.
- Plugins for some well-known IRC, HTTP and P2P botnet protocols.
- Process collected information (e.g., intercepted update files) in a MAS.
- Bot behaviour mimicking using the collected data and machine learning.
Phase II - Final release in M7 program
- Support for distributed botnet monitoring.
- Gathering of auxiliary information to enrich the data collected by the monitors.
- Attach analysis tools to logged botnet data to provide input for automated threat assessment of botnets (e.g. number of attacks, targets and collected botnet metrics).
After each phase we are going to publish our results from some monitored botnets and describe the features in more detail, so stay tuned for updates and releases!