Watching a Botnet From the Inside

When you hear about botnets such as Rustock, Mariposa or Grum being taken down, one of the tactics that’s usually involved is sinkholing. The technique, which involves pointing the infected machines to a server controlled by good guys rather than attackers, often is used as one of the last steps to take the botnet offline. But some recent work done by researchers at Damballa took a slightly different tack and used the sinkhole as a way to study a recently discovered botnet in operation, and what they found in their traffic analysis was pretty interesting.

The Damballa researchers had come across the botnet, which they have not named, in recent weeks and were looking at the way that the network used a domain-generation algorithm to come up with new command-and-control domains for infected machines to contact. Many botnets use this same method, as it gives them the ability to react quickly when one domain is taken down or blacklisted by a large number of security products. When that happens, the botmaster can simply send out an instruction for all of the bots to connect to the new domain. Or the bots can be programmed to connect to various new domains at regular intervals, based on the date or other variables.

In this case, the researchers saw that a lot of bots were trying to connect to some domains that had not been registered yet. So they did some quick statistical analysis and picked out some of the most frequently requested domains and registered the domains themselves. The Damballa researchers then pointed the domains to a sinkhole maintained by the Georgia Tech Information Security Center and sat back and watched the action.

“Our objective of purchasing the domain names and setting up the sinkhole had been to hopefully gain some insight into the type of botnet agent that had been deployed by observing the HTTP headers of the inbound connection attempts. Our expectations were completely exceeded,” Gunter Ollmann, VP of research at Damballa, said.

“Maybe it’s just poor coding by the malware authors, but not only were we able to identify the malware family, but we were flooded with tens-of-thousands of inbound C&C connections! If our statistical analysis was anywhere near correct, then this particular botnet is probably in the hundreds-of-thousands of victims worldwide (although prominently North American and European victims) – i.e. pretty damned big!”

As they watched the traffic into and out of the sinkhole server, the researchers noticed a couple of interesting phenomena. First, as soon as the domains were registered and up and running on the sinkhole, some of the organizations in which bot-infected machines were located began to block outbound connections to the sinkhole server. Because the Georgia Tech sinkhole server IP address is known in the security community, some of the IPS and other security systems began preventing their machines from connecting to it.

Second, the researchers noticed that they could identify which organizations had IP blacklist technologies deployed and how quickly they updated them.

“On the malware front, now that some of the DGA-based domain names existed, some of the victims were able to locate the “live” C&C server and made their connections to our sinkhole. Based upon those observations, it was possible to identify which organizations employ IP and/or domain blacklists and how fast they action the updates from blacklist suppliers. For some it took hours, and others it took days,” Ollmann said.
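As an added illustration (not Damballa's or Georgia Tech's code), here is a small analysis over constructed sinkhole log lines in the spirit of the steps described above: it ranks the requested DGA domains by connection count and, per source network, measures how long after the sinkhole went live connections kept arriving, the signal Ollmann used to tell which organizations apply blacklist updates in hours versus days. The log format, the IP-to-organization mapping, the timestamps and the 12-hour grace window are all assumptions.

```python
"""Toy analysis of sinkhole HTTP logs: which DGA domains draw the most
connections, and how long after go-live each network kept reaching the
sinkhole (a proxy for how fast that organisation applied a blacklist)."""
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed log lines (hypothetical format; not data from the article).
# Fields: timestamp, source IP, Host header, User-Agent.
SINKHOLE_LOG = """\
2012-02-20T10:00:05Z 203.0.113.7 fkqzlw.example.net Mozilla/4.0 (compatible; MSIE 6.0)
2012-02-20T10:00:09Z 203.0.113.22 fkqzlw.example.net Mozilla/4.0 (compatible; MSIE 6.0)
2012-02-20T13:45:00Z 203.0.113.7 fkqzlw.example.net Mozilla/4.0 (compatible; MSIE 6.0)
2012-02-21T09:10:31Z 198.51.100.4 bvtrqp.example.org Mozilla/4.0 (compatible; MSIE 6.0)
2012-02-22T16:20:02Z 198.51.100.4 fkqzlw.example.net Mozilla/4.0 (compatible; MSIE 6.0)
2012-02-23T18:00:00Z 192.0.2.9 fkqzlw.example.net Mozilla/4.0 (compatible; MSIE 6.0)
"""
# Constructed mapping of source networks to organisations (real work would use whois/ASN data).
ORG_NETS = {"OrgA": ip_network("203.0.113.0/24"), "OrgB": ip_network("198.51.100.0/24"),
            "OrgC": ip_network("192.0.2.0/24")}
SINKHOLE_LIVE = datetime(2012, 2, 20, 10, 0, 0)   # when the registered domains began resolving
OBSERVED_UNTIL = datetime(2012, 2, 23, 18, 0, 0)  # end of the capture window

def parse_log(text):
    """Parse one record per line into (time, ip, host, user_agent)."""
    records = []
    for line in text.splitlines():
        ts, ip, host, ua = line.split(" ", 3)  # User-Agent may contain spaces
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip_address(ip), host, ua))
    return records

def top_domains(records, n=3):
    """Most requested Host headers: the DGA domains worth sinkholing first."""
    return Counter(host for _, _, host, _ in records).most_common(n)

def blacklist_lag_hours(records, live_at=SINKHOLE_LIVE, until=OBSERVED_UNTIL,
                        grace=timedelta(hours=12)):
    """Hours from go-live to each organisation's last observed connection.
    None means the organisation was still connecting at the end of the window,
    i.e. no evidence that its blacklist had been updated yet."""
    last_seen = {}
    for when, ip, _, _ in records:
        org = next((name for name, net in ORG_NETS.items() if ip in net), "unknown")
        last_seen[org] = max(last_seen.get(org, when), when)
    return {org: (None if until - seen < grace else (seen - live_at).total_seconds() / 3600)
            for org, seen in last_seen.items()}
```

With the constructed data, OrgA stops connecting a few hours after go-live, OrgB after about two days, and OrgC is still connecting when the window closes.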

Ollmann did not identify which botnet was involved in the research, but said that some of the C&C traffic was “closely associated with past TDL malware variants”. TDL is a family of particularly nasty malware that includes the TDSS rootkit, also known as Alureon. The malware has been around for years, causing trouble, and has morphed several times. Ollmann said that his company will continue watching the botnet for the time being to see how it reacts.

“We’re planning on monitoring this particular botnet for a bit longer and will of course continue sharing our discoveries with the appropriate authorities (along with all the other interesting DGA-based botnets we encounter daily). It would appear to be a relatively large botnet – and I’d hope to have more interesting findings to share about the threat sometime soon,” he said.
