Zombie networks: An investigation into the use of anti-forensic ...

More documents

Recommendations

Info

M801 Final Dissertation P6354752 Abstract The rise in the popularity of the digital marketplace has driven a rise in online crime, manifesting itself in many ways, including: the spread of virus software, websites that “phish” for personal information such as bank account details, malicious software that is capable of logging keystrokes, the theft of information through “ransomware”, the sending of spam emails to solicit purchase of non-existent goods and so on. This exploitation is often carried out by criminal communities with access to large networks of distributed computers, commonly referred to as “botnets”. Law enforcement agencies regularly employ computer forensic techniques against these botnets and the criminal communities that control them. This battleground has become more sophisticated over time and the software that powers a botnet now regularly deploys a growing library of anti-forensic techniques to make analysis harder. This research examines what anti-forensic techniques are in use by botnets throughout the botnet life-cycle. A number of botnets were analysed in a “safe” environment through a series of controlled experiments, using both static code analysis and dynamic execution of the malware. Throughout each experiment, the different types of anti-forensic techniques in use were recorded, and an attempt was made to identify the point in the botnet life-cycle when they were used. The experiments showed that a wide variety of anti-forensic techniques are indeed in use by botnets, offering considerable challenge to the forensic investigator. A catalogue of these techniques was produced with an indication of the difficulty each technique might present to the analyst. Program packing (obfuscating the executable code of the botnet) proved to be the most common anti-forensic technique in use; it also presented the greatest difficulty to the forensic analysis process. Many of the other anti-forensic techniques in use by the sample botnets were observed throughout the entire botnet life-cycle, suggesting that when protecting a botnet from forensic analysis, the author is not concerned with what stage of the life-cycle the botnet is in. A correlation was also observed between the quantity and overall difficulty level of the anti- forensic techniques in use, and the criminal success it has “in the wild”. Jeremy Annis Page ix 1-Mar-09
M801 Final Dissertation P6354752 Chapter 1 - Introduction 1.1 Background One of the most severe threats to the Internet today is an individual’s ability to control thousands of compromised computer systems in a distributed way (Rajab et al., 2006). These networks of computer systems, commonly referred to as “botnets” can be used to create chaos on the Internet, from further increasing their size by spreading like an infection, to performing network attacks, collecting usernames and passwords, credit card information and other personal information. The US Federal Bureau of Investigation state that “… because of their widely distributed capabilities, botnets are a growing threat to the national security, the national information infrastructure, and the economy” (FBI, 2007). 1.2 Botnets To understand botnets it is necessary to be clear about the terminology surrounding them. One starting point is the definition of malware which is a general term that is used to cover worms, viruses, rootkits, Trojan horses and other forms of malicious software (Szor, 2005). A computer virus is software that commonly infects computer executables that, when run attempts to spread and infect other similar files. A formal definition is, “a program that can infect other programs by modifying them to include a possibly evolved copy of itself” (Cohen, 1987). Worms differ from viruses by having the characteristic of propagation from computer to computer, primarily replicating over a network (Szor, 2005). The Trojan horse is a simple kind of malicious computer program. Trojans masquerade as “normal” computer programs that, when executed by a user, perform malicious activities. Rootkits take their name from the username “root”, the most powerful user on a UNIX based computer (The Microsoft Windows equivalent being the Administrator). A useful definition is, “a set of programs and code that allows a permanent or consistent undetectable presence on a computer” (Hoglund and Butler, 2005). This “undetectable” presence on a computer supports two main activities, command and control of the computer and eavesdropping on the users of the computer. Jeremy Annis Page 10 1-Mar-09
Page 1 and 2: ISSN 1744-1986 T e c h n i c a l R
Page 3 and 4: M801 Final Dissertation P6354752 Pr
Page 5 and 6: M801 Final Dissertation P6354752 3.
Page 7 and 8: M801 Final Dissertation P6354752 Li
Page 9: M801 Final Dissertation P6354752 Li
Page 15 and 16: M801 Final Dissertation P6354752 So
Page 17 and 18: M801 Final Dissertation P6354752 -
Page 19 and 20: M801 Final Dissertation P6354752 In
Page 21 and 22: M801 Final Dissertation P6354752 Ch
Page 25 and 26: M801 Final Dissertation P6354752 ph
Page 27 and 28: M801 2.5.1 Life-cycle: Initial ial
Page 29 and 30: M801 Jeremy Annis - Perform DDoS at
Page 31 and 32: M801 Final Dissertation P6354752 by
Page 33 and 34: M801 Final Dissertation P6354752 ty
Page 35 and 36: M801 Final Dissertation P6354752 It
Page 37 and 38: M801 Final Dissertation P6354752 or
Page 39 and 40: M801 Final Dissertation P6354752 Fi
Page 45 and 46: M801 Final Dissertation P6354752 th
Page 49 and 50: M801 behaviour Determining packer d
Page 51 and 52: M801 Final Dissertation P6354752 in
Page 53 and 54: M801 Figure 17 illustrates the the
Page 61 and 62:
M801 Final Dissertation P6354752 me
Page 63 and 64:
M801 Final Dissertation P6354752 At
Page 65 and 66:
M801 Final Dissertation P6354752 ip
Page 67 and 68:
M801 Final Dissertation P6354752 en
Page 69 and 70:
M801 Final Dissertation P6354752 Th
Page 71 and 72:
M801 Final Dissertation P6354752 It
Page 73 and 74:
M801 There was no no indication of
Page 75 and 76:
M801 Final Dissertation P6354752 Fr
Page 77 and 78:
M801 Final Dissertation P6354752 Ch
Page 79 and 80:
M801 Final Dissertation P6354752 ne
Page 81 and 82:
M801 Final Dissertation P6354752 Th
Page 83 and 84:
M801 Final Dissertation P6354752 Re
Page 85 and 86:
M801 Final Dissertation P6354752 IR
Page 87 and 88:
M801 Final Dissertation P6354752 Wa
Page 89 and 90:
M801 Final Dissertation P6354752 Ap
Page 91 and 92:
Page 93 and 94:
M801 Final Dissertation P6354752 00
Page 95 and 96:
Page 97 and 98:
M801 Final Dissertation P6354752 Dy
show all

Zombie networks: An investigation into the use of anti-forensic ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?