Zombie networks: An investigation into the use of anti-forensic ...
M801 Final Dissertation P6354752

Abstract

The rise in the popularity of the digital marketplace has driven a rise in online crime, manifesting itself in many ways, including the spread of virus software, websites that “phish” for personal information such as bank account details, malicious software that is capable of logging keystrokes, the theft of information through “ransomware”, the sending of spam emails to solicit the purchase of non-existent goods, and so on. This exploitation is often carried out by criminal communities with access to large networks of distributed computers, commonly referred to as “botnets”. Law enforcement agencies regularly employ computer forensic techniques against these botnets and the criminal communities that control them. This battleground has become more sophisticated over time, and the software that powers a botnet now regularly deploys a growing library of anti-forensic techniques to make analysis harder.

This research examines which anti-forensic techniques are in use by botnets throughout the botnet life-cycle. A number of botnets were analysed in a “safe” environment through a series of controlled experiments, using both static code analysis and dynamic execution of the malware. Throughout each experiment, the different types of anti-forensic techniques in use were recorded, and an attempt was made to identify the point in the botnet life-cycle at which they were used.

The experiments showed that a wide variety of anti-forensic techniques are indeed in use by botnets, offering a considerable challenge to the forensic investigator. A catalogue of these techniques was produced, with an indication of the difficulty each technique might present to the analyst. Program packing (obfuscating the executable code of the botnet) proved to be the most common anti-forensic technique in use; it also presented the greatest difficulty to the forensic analysis process. Many of the other anti-forensic techniques in use by the sample botnets were observed throughout the entire botnet life-cycle, suggesting that when protecting a botnet from forensic analysis, the author is not concerned with what stage of the life-cycle the botnet is in. A correlation was also observed between the quantity and overall difficulty level of the anti-forensic techniques in use by a botnet and the criminal success it has “in the wild”.
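As an added illustration of the main finding (this code is not from the dissertation), the following Python computes per-section byte entropy, the usual first heuristic an analyst applies to decide whether a sample is packed before committing to static analysis; the section names, the 7.0-bit threshold and the sample buffers are constructed assumptions, not values from the study.

```python
import math
import random
from collections import Counter

# Packed (compressed or encrypted) code approaches 8 bits of entropy per byte,
# while ordinary machine code and strings sit well below that. The cut-off is
# a common rule of thumb, not a value taken from the dissertation.
PACKED_THRESHOLD = 7.0  # bits per byte (assumption)


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def suspicious_sections(sections: dict[str, bytes],
                        threshold: float = PACKED_THRESHOLD) -> list[str]:
    """Names of sections whose entropy meets or exceeds `threshold`.

    `sections` maps a section name to its raw bytes; a real analysis would
    fill it from a PE/ELF parser, here the bytes are supplied directly.
    """
    return [name for name, blob in sections.items()
            if shannon_entropy(blob) >= threshold]


def entropy_report(sections: dict[str, bytes]) -> dict[str, float]:
    """Per-section entropy rounded to two decimals, for the analyst's notes."""
    return {name: round(shannon_entropy(blob), 2) for name, blob in sections.items()}


# Constructed sample "sections": an unpacked binary with code-like byte
# spread and a readable string table, and a packed one whose payload is
# seeded PRNG output standing in for a compressed/encrypted body.
_rng = random.Random(2009)
SAMPLE_UNPACKED = {
    ".text": bytes(range(0, 256, 3)) * 64 + b"\x00" * 2048,
    ".rdata": b"This program cannot be run in DOS mode.\r\n" * 100,
}
SAMPLE_PACKED = {
    ".text": b"\x00" * 512,            # tiny unpacking stub, zero padded
    ".packed": _rng.randbytes(8192),   # constructed name for the payload
}

if __name__ == "__main__":
    for label, sample in (("unpacked", SAMPLE_UNPACKED), ("packed", SAMPLE_PACKED)):
        print(label, entropy_report(sample), "flagged:", suspicious_sections(sample))
```

A high-entropy section is only a prompt to unpack (or to fall back on dynamic execution, as the study did), not proof of malice: legitimate installers and media resources score just as high.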
Jeremy Annis Page ix 1-Mar-09