The Anti-virus Times

Monday, June 4, 2018

Only law enforcement agencies are authorised to conduct the activities that must be undertaken to identify criminals. For example, they may be entitled by law to retrieve information from a computer belonging to an alleged perpetrator, an activity that is otherwise illegal in most countries. How then do anti-virus companies acquire information about how many devices are infected with a particular Trojan and in what countries the users of those devices are located?

Conspiracy theorists will hardly be surprised—after all, they already know who actually makes malware!

But in reality, things are much more interesting. For starters, let's say a few words about how a botnet operates. Cybercriminals need their zombie networks to be resilient. And that's quite logical: if all bots communicate with a single C&C (command and control) server, the latter can be blocked easily (that's exactly what happened during the WannaCry outbreak). Naturally, in cases like this, the threat actors lose control of their network.

Another option is to use a special domain-generation algorithm (DGA) so that if a C&C server stops responding at a certain address, the bots will switch to another one. The attackers just need to promptly register the new domain names. But this approach is not failure-proof either. Security researchers may discern how the botnet operates, get in touch with the hosting provider and seize control of the server.

Another alternative is a peer-to-peer botnet where bots communicate with each other and exchange information. They don't send queries directly to servers which complicates their discovery and neutralisation.

Interestingly, with this network topology, computers with no access to the Internet can be enrolled in a botnet too. One PC with Internet connectivity is enough—all the other hosts on the network will get infected automatically.

Actually, sinkholing is the technology used to seize control over botnets. Botnet control is intercepted in several stages. First, anti-virus analysts examine the malicious code. Then they register a domain name the bots are expected to use in order to reach their C&C server. Then the security specialists wait until the bots start using the domain to connect to the server (or multiple servers). Generally speaking, it's just like fishing.

Sinkholing violates no laws. Furthermore, the technique not only helps researchers obtain information about botnets, but also is used to disrupt their operation by transferring control to a server maintained by the researchers, and frequently law enforcement agencies or a hosting provider assist them in their investigation. And, naturally, all investigation results are brought to the attention of the police.

Botnets analysed and C&C servers hijacked. Congratulations!

Sinkholing has its limitations though: if a botnet uses multiple C&C servers, researchers may fail to seize them all. Therefore, they won't be able to control all the bots. Thus, they won’t know how big the botnet actually is since they will only know about the bots they control.

And it sometimes turns out that several teams of experts are examining the same botnet:

Researchers can also use specific features of a decentralised system to gain control over all its nodes. Because attackers want their networks to be able to resist attempts to bring them down, they must be able to update the bots and send instructions to them. Therefore, all bots can be instructed to connect to a specific host or even uninstall themselves.