phdays.com, phdays.ru, Moscow, 2012, Day 2, Track 1, 15:00
Fyodor Yarochkin, Vladimir Kropotov: Life cycle and detection of bot infections through network traffic analysis

Carberp
  - checks whether a live user is present (mouse movement)
  - if a live user is detected, proceeds to infection
  - waits a random but long enough delay before contacting the C&C
  - otherwise it is possibly a sandbox analysis, so it does not proceed

Java exploits
  - jar/class files hosted on FTP
  - user: anonymous, password: the Java version, e.g. Java1_6.30@
  - the password lets the exploit loader hand out the exploit matching the installed Java version

Detection during infection
  - infection: obfuscated IP address (written as a plain number); password = Java version
  - exploitation: downloads the updates .exe
  - post-exploitation: check_system.php

What we are building
  - analyse DNS traffic (currently only DNS traffic)
  - WHOIS (including Team Cymru whois)

DNS traffic analysis
  - dictionary-based, known names
  - DNS domain detection by return codes:
      rcode 3 (non-existing domains)
      rcode 2 (failed servers)
  - all DNS packets are indexed
  - cross-correlation through the database and WHOIS queries
  - easy to automate further steps

Detection flow
  1. failed DNS lookups
  2. mine WHOIS
  3. cross-correlation
  4. identify domains with the same characteristics that are, however, pinged and resolved
  5. run those in the sandbox

Detection by visualisation
  - parallel coordinates, see Alexandre Dulaunoy, CIRCL.LU

Demo video
  - trc_herd.sh
  - a lot of domains from .ro in the honeypot
  - fun trivia: scripts/programs in the sandbox are loaded and executed, but the execution is faked and shows random output (e.g. some Spanish phrases)
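The detection flow above (failed lookups, WHOIS, cross-correlation, candidates for the sandbox) as an added worked example; this is illustrative code written for these notes, not the speakers' tooling or trc_herd.sh, and the log lines, WHOIS records, registrar names and the 7-day / 366-day thresholds are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed DNS query log (not from the talk): client, queried name, rcode
# (3 = NXDOMAIN, 2 = SERVFAIL, 0 = NOERROR), as the indexer would store it.
DNS_LOG = """\
10.0.0.5 qwe12.bad-one.ro 3
10.0.0.5 xcv98.bad-two.ro 3
10.0.0.5 zzz77.bad-three.ro 2
10.0.0.5 cnc.live-one.ro 0
10.0.0.7 www.example.com 0
"""

# Constructed WHOIS cache (not from the talk): domain -> (registrar, created, expires).
WHOIS = {
    "bad-one.ro":   ("RegA", date(2012, 5, 20), date(2013, 5, 20)),
    "bad-two.ro":   ("RegA", date(2012, 5, 21), date(2013, 5, 21)),
    "bad-three.ro": ("RegA", date(2012, 5, 19), date(2013, 5, 19)),
    "live-one.ro":  ("RegA", date(2012, 5, 22), date(2013, 5, 22)),
    "example.com":  ("RegB", date(1995, 8, 14), date(2025, 8, 13)),
}
FAILED_RCODES = {2, 3}  # the rcode 3 / rcode 2 lookups the talk keys on

def parse_dns_log(text):
    """Return (client, qname, rcode) tuples from the indexed DNS log."""
    return [(c, q, int(rc)) for c, q, rc in (l.split() for l in text.splitlines())]

def registrable(qname):
    """Naive registrable domain: last two labels (enough for the .ro/.com samples)."""
    return ".".join(qname.split(".")[-2:])

def failed_domains(rows):
    """Step 1: domains behind NXDOMAIN / SERVFAIL answers."""
    return {registrable(q) for _, q, rc in rows if rc in FAILED_RCODES}

def same_profile(dom, ref, window=timedelta(days=7), max_life=timedelta(days=366)):
    """Steps 2-3, WHOIS cross-correlation: same registrar as a failed domain,
    created within `window` of it, and a short life span (expiry <= max_life)."""
    reg_a, created_a, expires_a = WHOIS[dom]
    reg_b, created_b, _ = WHOIS[ref]
    return (reg_a == reg_b and abs(created_a - created_b) <= window
            and expires_a - created_a <= max_life)

def sandbox_candidates(rows):
    """Step 4: domains that DID resolve but match the failed domains' profile."""
    failed = {d for d in failed_domains(rows) if d in WHOIS}
    resolved = {registrable(q) for _, q, rc in rows if rc == 0}
    return sorted(d for d in resolved - failed
                  if d in WHOIS and any(same_profile(d, f) for f in failed))
```

On this sample, `sandbox_candidates` returns only live-one.ro: it resolved, but shares registrar, registration week and a one-year life span with the domains that failed to resolve.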
Specifics of Russian malware
  - loader, exploit packs
  - a lot of glue code and infrastructure to put it all together
  - a little dirty/ugly; the aim is the fastest monetisation of the target

Specifics of Chinese malware
  - some JavaScript, most probably just a single neat file
  - most probably a longer-term vision than just quick exploitation and monetisation

Recommendations
  - do not use AV, since if it is active the malware can enable AV evasion and start running on fake/strange execution paths
  - use passive monitoring and cross-correlation methods
  - default deny policy: denying short-life-span domain names would catch a lot of these domains

Questions
  Q: are there any fake C&Cs in the wild to study honeypots?
  A: haven't seen a fake C&C