Malware Activity

2008-03-13

Botnet Monitoring Frontend

BotMon

2007-08-28

Anubis Sandbox Becoming Useless

Doing mostly botnet research with the samples we obtain through the mwcollect Alliance, the most interesting thing in the Anubis sandbox reports for me was the network traces. Following the lame "run the binary in a VM, hooking all interesting APIs" approach, the Anubis sandbox has to really connect to the C&C server in order to learn channel names, keys, etc.

The big problem here is that the analysis machines behind the public online submission interface all run on static IPs, not utilizing proxies and, even worse, having a valid reverse DNS entry pointing to Anubis. In the end, this made most "advanced" herders block the Anubis sandbox, as can be seen from this exemplary report (search for "ERROR :Closing").

Time to finally finish my own sandboxing stuff... not relying on the remote connection but on static behavioural analysis with some emulation (packers, self-modifying code, ...).

2007-04-12

oxff Inc. -- Bragging Redefined

I count at least five of nine papers from HotBots referencing at least one paper I have had my hands involved in.

2006-10-14

botsnoopd - Sniffing on Botnets

botsnoopd is a project I have now been working on for quite some time. Initially, it was intended as a replacement for ShadowServer's snoop infrastructure. But since I was so slow and they put so much effort into their Perl script, it seems they want to keep it. So we are now going to use botsnoopd in the mwcollect Alliance.

We are going to have a three tier approach consisting of

to efficiently catch and collect malware, analyse it with regard to extracting botnet C&C information, and then finally sniff the bot herders' commands and store them.
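The second tier of that approach, extracting C&C information from a sample's network trace, is the same job the Anubis traces served in the post above, and the "ERROR :Closing" pattern from that post is exactly the failure mode such an extractor has to recognise. The following is an added example (not code from this blog, from botsnoopd or from Anubis) that pulls the IRC server, nick, channel, key and observed commands out of a trace and flags traces the herder cut short. The "C> "/"S> " line format and both traces are constructed for illustration; the server and hostnames are placeholders.

```python
"""Extract IRC C&C parameters from a sandbox network trace.

Added example, not code from the blog, botsnoopd or Anubis. The trace
format ("C> " for lines the sample sent, "S> " for lines the server sent)
and both traces below are constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed trace of a sample that reached its C&C and received commands.
SAMPLE_TRACE = """\
C> NICK [USA|XP]123456
C> USER abc 0 0 :abc
S> :irc.example.test 001 [USA|XP]123456 :Welcome
C> JOIN #cmd secretkey
S> :irc.example.test 332 [USA|XP]123456 #cmd :.idle
S> :herder!h@example.test PRIVMSG #cmd :.update http://example.test/new.exe
"""

# Constructed trace of a sample whose connection the herder dropped at once,
# the pattern the Anubis post describes ("ERROR :Closing").
BLOCKED_TRACE = """\
C> NICK [USA|XP]654321
C> USER abc 0 0 :abc
S> ERROR :Closing Link: [USA|XP]654321 (banned)
"""

WELCOME_RE = re.compile(r"^:(?P<server>\S+)\s+001\s")
JOIN_RE = re.compile(r"^JOIN\s+(?P<chan>[#&][^\s,]+)(?:\s+(?P<key>\S+))?")
TOPIC_RE = re.compile(r"^:(?P<server>\S+)\s+332\s+\S+\s+(?P<chan>\S+)\s+:(?P<topic>.*)$")
PRIVMSG_RE = re.compile(r"^:(?P<src>\S+)\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<msg>.*)$")
ERROR_RE = re.compile(r"^ERROR\s+:Closing")


@dataclass
class CncInfo:
    """What the analysis tier hands to the sniffing tier: where to connect,
    what to call itself, which channel and key to use, plus the commands
    seen so far. `blocked` marks a trace the herder cut short."""
    server: Optional[str] = None
    nick: Optional[str] = None
    channel: Optional[str] = None
    key: Optional[str] = None
    topic: Optional[str] = None
    commands: List[str] = field(default_factory=list)
    blocked: bool = False


def parse_trace(trace: str) -> CncInfo:
    info = CncInfo()
    for raw in trace.splitlines():
        raw = raw.strip()
        if len(raw) < 3 or raw[1:3] != "> ":
            continue  # not a protocol line in the constructed format
        direction, line = raw[0], raw[3:]
        if direction == "C":
            if line.startswith("NICK "):
                info.nick = line.split(None, 1)[1]
            m = JOIN_RE.match(line)
            if m:
                info.channel, info.key = m.group("chan"), m.group("key")
        elif direction == "S":
            if ERROR_RE.match(line):
                # Server closed the link: nothing after this is C&C traffic
                info.blocked = True
                break
            m = WELCOME_RE.match(line)
            if m:
                info.server = m.group("server")
                continue
            m = TOPIC_RE.match(line)
            if m:
                # Many IRC bots take their standing order from the channel topic
                info.server = info.server or m.group("server")
                info.topic = m.group("topic")
                info.commands.append(m.group("topic"))
                continue
            m = PRIVMSG_RE.match(line)
            if m and m.group("target") in (info.channel, info.nick):
                info.commands.append(m.group("msg"))
    return info


def analysis_complete(info: CncInfo) -> bool:
    """True when the trace yielded enough to hand on to the sniffing tier."""
    return not info.blocked and info.server is not None and info.channel is not None


if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("blocked", BLOCKED_TRACE)):
        result = parse_trace(trace)
        print(name, "complete" if analysis_complete(result) else "incomplete", result)
```

A blocked trace still yields the nick the sample chose, which is useful on its own: it shows the analysis host was identified and rejected before the join, so the sample needs a re-run from an address the herder has not seen rather than another pass through the same sandbox.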

Although it seems there were some rumors in the Virus Bulletin 2006 hallways that botsnoopd has been publicly released, that is definitely not true. People might have been referring to a presentation we gave at Blackhat: Georg Wicherski & Thorsten Holz: «Catching Malware to Detect, Track and Mitigate Botnets». botsnoopd is not finished software yet, and as new transport protocols for C&C emerge, new modules will be created (it's the same story as with nepenthes).

It is not our plan to ever publicly release it anyway, since it might be a powerful tool for bot herders as well; the current idea is to release it as open source to selected parties under an NDA.
