Presented at DeepSec 2014 „Do you want to know more?“
Most honeypot systems pretend to be vulnerable or badly configured systems in order to gather information about unknown attackers and the techniques they use during their attacks. In my research, I changed this approach a little.
In my lecture I will share the results of my research on how to trap a botnet variant in order to collect valuable information directly from the bad guys. It is a kind of honeypot in which the malware is allowed to run in a dedicated and carefully separated network (network sandboxing) to do its dirty job. The infected machine can communicate with the Command and Control (C&C) servers, but all other network connections are only simulated. As a result of this "cheat", the C&C servers and the bot believe they are able to spread spam emails. In reality, all the messages and any other network actions are just emulated (they do not threaten the world), and the only result of their activity is that we obtain all the spam and all the malware variants they try to spread during their campaigns.
By observing and monitoring a working botnet you gain more knowledge and information about it. We get everything: not just the spam samples they are trying to send, but also the C&C network they are using, and you are able to collect information about other victims (typically infected sites) that the botnet uses. With this intel you can easily limit the damage done by the botnet, and you could help others in the world if you share the information with them. ☺
In most cases a spam message contains a link to somewhere, but these links usually do not point to the destination address directly but to a legitimate and (!) infected site, to make detection harder and the reaction slower. The spammers also use URL-shortener services to hide the real destination of the link. By analysing the spam messages (extracting the link and following it to its destination) we can disclose the final destination, and thus easily collect all the victim server URLs and all the malicious short links. With this information we can alert the victims and block the malicious addresses as well.
During the presentation we also walk through a quick guide on how to set up a trap like this, and which free tools can be used to handle the problems of network sandboxing and network service emulation.
I will also share the statistical results of using this trap, which provide real-life information about spam botnets and their activities. As a sneak peek: only (!) one spam bot can spread almost 800K messages a week, and each of them is a little bit different; but if we had all the spam messages and all the new malware variants at the same minute as they start to spread, I think we would be in a good position. This is the purpose of this research.
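To make two of the steps above concrete (the emulated mail service that lets the bot "send", and the extraction of links from the captured spam), here is an added example that is not part of the talk or of the speaker's tooling: a minimal SMTP sink state machine plus a URL extractor. The class and function names, the hostname sink.example and the session fed to it are constructed for illustration.

```python
import re
# Constructed example (not the talk's own tooling): an SMTP sink that plays
# the emulated mail server in the sandboxed network, plus link extraction.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

class SmtpSink:
    # Accepts every message and stores it, never delivers it: the bot thinks the spam went out.
    def __init__(self, hostname="sink.example"):
        self.hostname = hostname
        self.messages = []  # (sender, recipients, raw body) per message
        self._reset()
    def _reset(self):
        self.sender, self.rcpts, self.data_lines = "", [], None
    def greeting(self):  # banner sent when the bot connects
        return f"220 {self.hostname} ESMTP ready"
    def feed(self, line):
        # Process one client line; return the reply, or None while inside DATA.
        line = line.rstrip("\r\n")
        if self.data_lines is not None:           # receiving the body
            if line == ".":                        # end of message
                body = "\n".join(self.data_lines)
                self.messages.append((self.sender, list(self.rcpts), body))
                self._reset()
                return "250 OK queued (never delivered)"
            # undo RFC 5321 dot-stuffing before storing the line
            self.data_lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname}"
        if verb == "MAIL":                         # MAIL FROM:<addr>
            self.sender = arg.partition(":")[2].strip()
            return "250 OK"
        if verb == "RCPT":                         # RCPT TO:<addr>
            self.rcpts.append(arg.partition(":")[2].strip())
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Bad sequence: RCPT required first"
            self.data_lines = []
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "250 OK"  # accept anything else so the bot keeps sending

def extract_urls(body):
    # Links the spam points to: URL shorteners and infected legitimate sites.
    return sorted(set(URL_RE.findall(body)))
```

Wrapping SmtpSink in a socket server (one instance per connection, greeting() on connect, feed() per received line) and steering the sandbox's outbound port 25 traffic to it is the part the network emulation has to supply.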
Educational value of the topic:
The audience will see:
- how a typical spam bot works
- how the bad guys spread spam (advertising) messages, as well as malicious files, through the botnet
- how they spread the malware to keep the network alive and growing
- how often a new polymorphic version is released, and how often a really new one
- what the relation is between spam and infected sites
- I will demonstrate how to set up a trap and which free tools can be used in this project
- I will share the collected and summarized statistical data about the bot's activities with the audience (the current dataset was generated in 10 days, but the trap is still working and available, so it is still growing)
Technical level of the topic:
It is likely that every IT security professional (technical experts and managers alike) will understand what I am speaking about. The logic of the trapping concept is quite simple, and playing with virtual machines is nowadays quite ordinary. Network sandboxing is also easy to understand.
- SophosLab, Senior Threat Researcher
Attila Marosi has worked in the information security field since he started working. As a lieutenant on active duty he worked for almost a decade on special information security tasks within the Special Service for National Security. After that he was transferred to the newly established GovCERT-Hungary, which is an additional national level in the internationally known system of CERT offices. Now he works for SophosLab as a Senior Threat Researcher.
He holds several international certificates such as CEH, ECSA, OSCP and OSCE. In his free time he also gives lectures and does some teaching at different levels, at the top of which are courses for white hat hackers. He has presented at many security conferences including Hacker Halted, DeepSEC, AusCERT, Troopers, and Ethical Hacking.