Breaking the Botnet Code

(Page 2 of 2)

  • Wednesday, November 11, 2009
  • By Robert Lemos

The researchers analyzed 15 messages they'd collected by monitoring a MegaD bot: seven commands sent from the control servers and eight responses from the bot. The Dispatcher tool analyzed the bot as it ran on the virtual machine and automatically detected the point at which the program had decrypted commands but had not yet encrypted its responses.
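The boundary the article describes, between a bot decrypting what it received and encrypting what it will send, is the window in which an analysis tool can read the protocol in the clear. The script below is an added illustration, not Dispatcher's code and not MegaD's cipher: it uses a constructed trace of buffer snapshots (the kind a sandbox might record for one command/response round trip), a stand-in stream cipher built from a SHA-256 keystream, and a byte-entropy heuristic with an assumed 5.5 bits/byte threshold to locate the run of plaintext buffers bracketed by ciphertext on both sides.

```python
"""Locate the plaintext window in a bot's message-processing trace.

Added illustration (not Dispatcher's implementation): uniform-looking
ciphertext has high byte entropy, while a decoded command or a reply
under construction looks like text. Scanning buffer snapshots for a
low-entropy run bracketed by high-entropy ones finds the point after
decryption and before encryption. Entropy only discriminates when a
buffer has enough bytes (roughly 64 or more), so the constructed
messages here are all around 100 bytes.
"""
import hashlib
import math
from collections import Counter

# Constructed sample traffic, not real MegaD messages or keys.
KEY = b"constructed-demo-key"
COMMAND = (b"cmd=send_template;from=promo@example.invalid;"
           b"subject=special offer;body=buy now and save on every order today;")
REPLY = (b"status=mailtest;result=fail;smtp_host=mx.example.invalid;"
         b"detail=connection refused by outbound relay;")

PLAINTEXT_MAX_ENTROPY = 5.5  # assumed cut-off in bits/byte; ASCII text sits below, keystream output above


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte over the buffer's byte histogram."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def toy_stream_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption, not MegaD's): XOR with a SHA-256 counter keystream.
    XOR is symmetric, so the same call both encrypts and decrypts."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        keystream = hashlib.sha256(key + block_no.to_bytes(4, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


def build_trace(key: bytes, command: bytes, reply: bytes):
    """Constructed trace: (event, buffer) pairs a sandbox might log for one round trip."""
    wire_in = toy_stream_cipher(key, command)
    wire_out = toy_stream_cipher(key, reply)
    return [
        ("recv", wire_in),          # ciphertext arrives from the controller
        ("decrypt_out", command),   # plaintext command after the bot's decryption routine
        ("parse", command),         # bot reads the command
        ("build_reply", reply),     # plaintext reply assembled
        ("encrypt_out", wire_out),  # reply passed through the encryption routine
        ("send", wire_out),         # ciphertext leaves on the wire
    ]


def demo_trace():
    return build_trace(KEY, COMMAND, REPLY)


def find_plaintext_window(trace, threshold=PLAINTEXT_MAX_ENTROPY):
    """Return (first, last) indices of the longest run of low-entropy buffers that is
    bracketed by high-entropy buffers on both sides, i.e. the window between the
    decryption and encryption steps. Returns None if no bracketed run exists."""
    low = [shannon_entropy(buf) < threshold for _, buf in trace]
    best = None
    i = 0
    while i < len(trace):
        if low[i] and i > 0 and not low[i - 1]:
            j = i
            while j + 1 < len(trace) and low[j + 1]:
                j += 1
            if j + 1 < len(trace) and not low[j + 1]:
                if best is None or (j - i) > (best[1] - best[0]):
                    best = (i, j)
            i = j + 1
        else:
            i += 1
    return best


if __name__ == "__main__":
    trace = demo_trace()
    window = find_plaintext_window(trace)
    for idx, (event, buf) in enumerate(trace):
        mark = "<- plaintext window" if window and window[0] <= idx <= window[1] else ""
        print(f"{idx}: {event:12s} {len(buf):4d} bytes  entropy={shannon_entropy(buf):.2f} {mark}")
```

Run as a script, the trace prints with the three plaintext snapshots (decrypt_out, parse, build_reply) marked; a real tool would record the instruction address at which the first of those buffers was written and hook there. The heuristic fails quietly on short buffers, where entropy is capped at log2(length), and on weak encodings such as a single-byte XOR, which permute byte values without changing the histogram at all; both are reasons the published tools combine entropy with other signals rather than relying on it alone.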

Network administrators can also use the Dispatcher tool to infiltrate the botnet. MegaD clients typically will check to see if they can send e-mail, so as to become a useful cog in a spamming campaign. Because the researchers block all outgoing mail traffic, however, the client would normally send a message to the controlling server saying that its mail test failed. But the researchers modified the message en route, responding instead with the code for a successful spamming test.

"Normally, it would have sent a message saying that it can't spam," UC Berkeley's Caballero says. "We [instead] actually got the spam template, so we could see what sort of spam it would send out."

Tools such as Dispatcher could expand what is currently a small number of researchers that regularly reverse engineer botnets, says Joe Stewart, senior security researcher for SecureWorks, a network security firm. "It would solve a problem that the world has--having enough people to analyze botnets," he says. "There are only so many people who can do reverse engineering on botnets. You have a cadre of enthusiasts who could use this to help them."

Stewart adds, however, that experienced researchers don't yet need such automated tools for analyzing most malware. While more complicated botnets can take weeks to reverse engineer, run-of-the-mill malware encountered by most companies and organizations is no problem at all. More than 90 percent of all botnets use easy-to-break encryption to protect their communications, making manual techniques relatively easy and fast.

"Not every (bot master) needs the MegaD-type encryption," Stewart says. "I just don't think it is worth their time, not with the effect we are having on them now, which is minimal."

Yet botnets will continue to evolve, says UC Berkeley's Song. "Botnet programs are becoming more complicated," she says. "They are using various obfuscation techniques and so on. So maybe manual analysis can work for now, but in the future, we will need better tools."


Comments

Wunderbarb, 11/12/2009

ESORICS 2009

A very similar approach has been presented by seemingly another team at ESORICS 2009. Here also, they use the analysis of data lifetime, buffer activity... The communication is available at http://www.springerlink.com/content/e12g64j4855u1l06/?p=d8f9dc0e710a4af8aa5c834d525498b0&pi=12.

The approach is also interesting to study for developers of secure code. What if the target of the analysis is not a botnet, but a normal program?
