Large-scale malware experiments

  • Pages: 22 (5443 words)
  • Published: 26 March 2011

Joan Calvet, Jose M. Fernandez (École Polytechnique de Montréal, Montréal, Canada); Pierre-Marc Bureau (ESET, Montréal, Canada); Jean-Yves Marion (LORIA, Nancy, France)

One of the most popular research areas in the anti-malware industry (second only to detection) is documenting malware characteristics and understanding how it operates. Most such initiatives are based on reverse engineering of malicious binaries in order to understand a threat's features. To fully understand the challenges faced by a malware operator, however, it is sometimes necessary to reproduce a scenario in which researchers must manage thousands of infected computers in order to reach a set of objectives. In this paper, we first discuss the reasons why one would want to replicate a botnet and perform experiments while managing it. In our case, the objective was to emulate the Waledac botnet and assess the performance of a mitigation scheme against its peer-to-peer infrastructure. We then present our experimental methodology and explain the technical decisions we made in performing the experiments. Finally, we present our results, both in terms of the attacks against the Waledac botnet and the challenges we faced while building our experimental environment.

1. WHY?
There have been numerous studies on botnets in which modelling and simulation were used to evaluate both the size and the communication infrastructure of networks of zombies. On the other hand, very little work has been done to actually create a botnet in order to observe its reaction to external stimuli and, above all, to understand the challenges faced by its operator. Our goal is therefore to build a framework that makes this type of experiment feasible in a controlled environment. We think there are several good reasons to investigate this research area:
• It is a unique opportunity to learn about the problems faced by malware operators when managing thousands of infected computers.
• Running in vitro lab experiments lets us understand the various phases of a botnet operation: its creation, its growth, its updates, its defence mechanisms, etc.
• Unlike within-the-wild experiments [1], there are fewer ethical or legal issues to deal with than when performing arbitrary attacks against infected computers.
• Having an in vitro environment provides a way to conduct computer security research in a scientific way: we can reproduce experiments and test the effect of various independent variables.

We decided to use the Waledac botnet as a first experiment for the following reasons:
• Thanks to prior reverse engineering [2], we had in-depth knowledge of this threat family.
• This malware does not replicate, which limits the risk of running an experiment that might get out of control.
• There exists a set of vulnerabilities in Waledac's peer-to-peer protocol that were worth investigating. We wanted to evaluate the impact of a mitigation scheme against the botnet.

1.1 The Waledac case study
The architecture of the Waledac botnet is split into four layers (Figure 1). The first layer contains infected hosts with private IP addresses, referred to as spammers. They are essentially the 'worker' bots and make up approximately 80% of the botnet. The second layer is composed of bots with public IP addresses, which we call repeaters; their main duty is to relay command and control (C&C) traffic to the upper layer. At the third layer are the protectors, Linux servers responsible for relaying traffic to and from the last layer, which is the command and control server, also known as the 'mother ship'.

Figure 1: Waledac botnet network architecture.
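The four-layer relay structure described in 1.1, as an added modelling example (this is not code from the paper or from the authors' framework). The layer names, the private/public IP split and the roughly 80% spammer share come from the text; everything else is an assumption made for this illustration: that each spammer knows a small list of repeaters (PEER_LIST_SIZE), that every repeater can reach every protector, the number of protectors, the "first live upstream node" routing rule, and the choice of "fraction of repeaters taken down" as the independent variable whose effect on C&C reachability is measured.

```python
"""Toy model of the Waledac layering: spammer -> repeater -> protector -> mother ship.

Added example, not the paper's code. Layer names and the ~80% spammer share are
from Section 1.1; peer-list size, protector count and routing rule are assumptions.
"""
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SPAMMER_SHARE = 0.80   # Section 1.1: spammers are roughly 80% of the botnet
PEER_LIST_SIZE = 5     # assumption: number of repeaters each spammer knows


@dataclass
class Node:
    node_id: int
    layer: str                  # "spammer" | "repeater" | "protector" | "mothership"
    public_ip: bool             # spammers sit on private IPs, repeaters on public ones
    upstream: List[int] = field(default_factory=list)  # ids of next-layer nodes
    alive: bool = True


def build_botnet(n_bots: int, n_protectors: int, seed: int = 0) -> Dict[int, Node]:
    """Create all four layers. n_bots counts infected hosts (spammers + repeaters);
    the protectors and the mother ship are the operator's own infrastructure."""
    rng = random.Random(seed)
    nodes: Dict[int, Node] = {0: Node(0, "mothership", public_ip=True)}
    protector_ids = list(range(1, 1 + n_protectors))
    for pid in protector_ids:
        nodes[pid] = Node(pid, "protector", public_ip=True, upstream=[0])
    n_repeaters = round(n_bots * (1 - SPAMMER_SHARE))
    first_rep = 1 + n_protectors
    repeater_ids = list(range(first_rep, first_rep + n_repeaters))
    for rid in repeater_ids:
        # assumption: every repeater knows every protector
        nodes[rid] = Node(rid, "repeater", public_ip=True, upstream=list(protector_ids))
    first_spam = first_rep + n_repeaters
    for sid in range(first_spam, first_rep + n_bots):
        # assumption: each spammer holds a random sample of repeaters as its peer list
        peers = rng.sample(repeater_ids, min(PEER_LIST_SIZE, n_repeaters))
        nodes[sid] = Node(sid, "spammer", public_ip=False, upstream=peers)
    return nodes


def route_to_mothership(nodes: Dict[int, Node], node_id: int) -> Optional[List[int]]:
    """Walk upward, taking the first live upstream node at each layer.
    Returns the path of node ids, or None if some layer is unreachable."""
    path = [node_id]
    current = nodes[node_id]
    while current.layer != "mothership":
        live = [u for u in current.upstream if nodes[u].alive]
        if not live:
            return None
        current = nodes[live[0]]
        path.append(current.node_id)
    return path


def layer_counts(nodes: Dict[int, Node]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for n in nodes.values():
        counts[n.layer] = counts.get(n.layer, 0) + 1
    return counts


def reachability_after_takedown(nodes: Dict[int, Node], fraction: float) -> float:
    """Take down `fraction` of the repeaters (lowest ids first, so a larger fraction
    is a superset of a smaller one) and return the share of spammers that can still
    reach the mother ship. The nodes are restored before returning."""
    repeaters = sorted(n.node_id for n in nodes.values() if n.layer == "repeater")
    spammers = [n.node_id for n in nodes.values() if n.layer == "spammer"]
    k = round(fraction * len(repeaters))
    for rid in repeaters[:k]:
        nodes[rid].alive = False
    try:
        reached = sum(1 for s in spammers if route_to_mothership(nodes, s) is not None)
        return reached / len(spammers)
    finally:
        for rid in repeaters[:k]:
            nodes[rid].alive = True


if __name__ == "__main__":
    net = build_botnet(n_bots=1000, n_protectors=3, seed=42)
    print(layer_counts(net))
    for f in (0.0, 0.5, 0.8, 0.95, 1.0):
        share = reachability_after_takedown(net, f)
        print(f"{int(f * 100):3d}% of repeaters down -> {share:.0%} of spammers reach C&C")
```

Because the takedown always removes a prefix of the repeater list, the reachability curve is monotone in the fraction removed, which is what makes it usable as a controlled independent variable; a real experiment on the emulated botnet would replace the random peer lists with whatever the bots' actual peer-exchange behaviour produces.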




1.2 Communication protocols
All Waledac bots need...