Zombie networks: An investigation into the use of anti-forensic ...

More documents

Recommendations

Info

M801 Final Dissertation P6354752 Botnet name: MD5 Hash: Date: Anti-Forensic Present? Difficulty VM detection Debugger detection Program packing Program compression Program mutation (polymorphic) Program encryption C&C encryption Communicates using P2P design Uses fast flux DNS Use of covert network channel techniques Rootkit enabled Hidden processes Hidden files Hides network activity Hides registry activity Other 4.6 Summary Table 4 : Experiment result summary form (Yes/No/Not seen) (1 = easy, 5 = hard) This chapter has described the environment used to analyse the malware. The forensic process has been discussed. The two main steps in this process, static and dynamic analysis, have also been discussed, together with the tools that will be used to perform the analysis. The outcomes of each of the forensic experiments will be presented in a narrative fashion and summarised in a form. The next chapter discusses the results of these experiments using this approach. Jeremy Annis Page 57 1-Mar-09
M801 Final Dissertation P6354752 Chapter 5 - Results 5.1 Introduction The previous chapter discussed the analysis environment and the forensic process used in the case studies. The tools used in the experiments are also described. This chapter describes the research results. Forensic analysis was undertaken for the Srizbi, Storm and Bobax botnets. Bobax is presented in this chapter as a detailed case study, describing the results of the experiments in a narrative manner. To keep the analysis in context, analytic commentary is presented using italics, in close proximity to each result. After each section, a summary of the analysis is supplied. The chapter concludes with an overall analysis of the results. More detail on the Storm and Srizbi case studies can be found in Appendices C and D respectively. 5.2 Case Study – The Bobax botnet MD5: 38aa0d55a2931b6f9143fa4621089735 Offensive Computing upload date: 6 th June 2008 Analysis Date: 20 th October 2008 5.3 Introduction The Bobax botnet was first seen in 2004 2 and was noted to use HTTP for P2P communications with its C&C servers. It uses Dynamic DNS (DDNS, a mechanism of flexibly changing the IP address assigned to a domain name) with its own pseudo-random DNS name generation algorithm to address possible C&C servers or peers. The botnet is used to generate large quantities of spam. Interestingly, Bobax has been linked with Storm and Kraken, more recent P2P botnets. It has been postulated that the Storm botnet was bootstrapped from the Bobax infection. It is also thought that the code base of Storm and Bobax is sufficiently similar that they are probably managed by the same organisation (Royal, 2008). The sample being tested had recently been submitted to Offensive Computing on 6 th June 2008. 2 http://www.symantec.com/security_response/writeup.jsp?docid=2004-051912-4449-99 Jeremy Annis Page 58 1-Mar-09
Page 1 and 2:
ISSN 1744-1986 T e c h n i c a l R
Page 3 and 4:
M801 Final Dissertation P6354752 Pr
Page 5 and 6:
M801 Final Dissertation P6354752 3.
Page 7 and 8: M801 Final Dissertation P6354752 Li
Page 9 and 10: M801 Final Dissertation P6354752 Li
Page 11 and 12: M801 Final Dissertation P6354752 Ch
Page 13 and 14: M801 Final Dissertation P6354752 1.
Page 15 and 16: M801 Final Dissertation P6354752 So
Page 17 and 18: M801 Final Dissertation P6354752 -
Page 19 and 20: M801 Final Dissertation P6354752 In
Page 25 and 26: M801 Final Dissertation P6354752 ph
Page 27 and 28: M801 2.5.1 Life-cycle: Initial ial
Page 29 and 30: M801 Jeremy Annis - Perform DDoS at
Page 31 and 32: M801 Final Dissertation P6354752 by
Page 33 and 34: M801 Final Dissertation P6354752 ty
Page 35 and 36: M801 Final Dissertation P6354752 It
Page 37 and 38: M801 Final Dissertation P6354752 or
Page 39 and 40: M801 Final Dissertation P6354752 Fi
Page 43 and 44: M801 Final Dissertation P6354752 3.
Page 45 and 46: M801 Final Dissertation P6354752 th
Page 49 and 50: M801 behaviour Determining packer d
Page 51 and 52: M801 Final Dissertation P6354752 in
Page 53 and 54: M801 Figure 17 illustrates the the
Page 55 and 56: M801 Final Dissertation P6354752 Fi
Page 57: M801 Final Dissertation P6354752 Fi
Page 61 and 62: M801 Final Dissertation P6354752 me
Page 63 and 64: M801 Final Dissertation P6354752 At
Page 65 and 66: M801 Final Dissertation P6354752 ip
Page 67 and 68: M801 Final Dissertation P6354752 en
Page 69 and 70: M801 Final Dissertation P6354752 Th
Page 71 and 72: M801 Final Dissertation P6354752 It
Page 73 and 74: M801 There was no no indication of
Page 75 and 76: M801 Final Dissertation P6354752 Fr
Page 79 and 80: M801 Final Dissertation P6354752 ne
Page 81 and 82: M801 Final Dissertation P6354752 Th
Page 83 and 84: M801 Final Dissertation P6354752 Re
Page 85 and 86: M801 Final Dissertation P6354752 IR
Page 87 and 88: M801 Final Dissertation P6354752 Wa
Page 89 and 90: M801 Final Dissertation P6354752 Ap
Page 93 and 94: M801 Final Dissertation P6354752 00
Page 97 and 98: M801 Final Dissertation P6354752 Dy
show all

Zombie networks: An investigation into the use of anti-forensic ...

Create successful ePaper yourself

Delete template?

Save as template?