Presented at
ShmooCon 2023,
Jan. 22, 2023, noon
(60 minutes)
Current techniques to monitor botnets towards disruption or takedown are either specific to individual families, require prohibitively tedious manual investigation, likely to result in inaccurate data gathered about the botnet, or be detected by C&C orchestrators. Seeking a covert and scalable solution, we look to an evolving pattern in modern malware that integrates standardized over-permissioned protocols, exposing privileged access to C&C servers. We implement techniques to detect and exploit these protocols from over-permissioned bots toward covert C&C server monitoring. Our empirical study of 200k malware captured over 15 years revealed 62,202 over-permissioned bots (nearly 1 in 3), with a steady increase in over-permissioned protocol use. Due to their ubiquity, even though over-permissioned protocols allow for C&C server infiltration, their efficiency and easy integration continue to make them prevalent in the malware operational landscape. We present C3PO, a pipeline enabling our study and empowering incident responders to identify over-permissioned protocols and infiltration vectors to spoof bot-to-C&C communication automatically. Over-permissioned protocol weakness provides a scalable approach to covertly monitor C&C servers, which is a fundamental enabler of botnet disruptions and takedowns.
Presenters:
-
Jonathan Fuller
Jonathan Fuller is a Research Scientist at the Army Cyber Institute, United States Military Academy. His research interests lie in computer systems and software security, focusing on combining cyber forensics and binary program analysis towards detecting, monitoring, and counteracting advanced malware.