Ph.D. Dissertation Defense - Jonathan Fuller


Event Details
  • Date/Time: Wednesday, April 20, 2022, 3:00 pm - 5:00 pm
  • Location: https://gatech.zoom.us/j/94032388095?pwd=T3pINElsVVJjY2lDZ1FoeU9aaVpmZz09
  • Fee(s): N/A

Title: The Bot Reveals Its Master: Exposing and Infiltrating Botnet Command and Control Servers via Malware Logic Reuse

Committee:

Dr. Brendan Saltaformaggio, ECE, Chair, Advisor

Dr. , Co-Advisor

Dr. Frank Li, ECE

Dr. Mustaque Ahamad, ECE

Dr. Jon Lindsay, INTA

Dr. Stephen Hamilton, US Military Academy and Army Cyber Institute

Abstract: C&C server monitoring is a fundamental enabler of botnet disruption and takedown: it takes place before any action is taken and afterwards, to gauge the success of counteraction attempts. The first step in monitoring a C&C server is locating its domain, which the bots resolve either statically or dynamically. Unfortunately, existing automatic solutions for identifying C&C domain resolution techniques and leveraging them for botnet monitoring are not scalable and are error-prone. Thus, malware proliferates, and botnets continue to damage victim systems globally. This dissertation presents C3PO and R2D2, measurement pipelines that study (1) the evolution of over-permissioned protocols in 200k malware spanning 15 years and (2) the under-explored DDR (dead drop resolver) technique in 100k malware spanning 5 years. C3PO identified 62,202 over-permissioned bots across 8,512 families, identifying infiltration vectors that allow C3PO to spoof bot-to-C&C communication. C3PO also identified 443,905 C&C monitoring capabilities, which reveal the composition and contents of the C&C server to guide monitoring post-infiltration. We deployed C3PO on two bots with live C&C servers, validating its ability to identify over-permissioned protocols, infiltrate C&C servers, and leverage C&C monitoring capabilities to achieve covert monitoring. C3PO also identified over 2,500 files containing victim information, additional malicious payloads, exploitation scripts, and stolen credentials, providing legally admissible evidence to engender counteraction attempts. Armed with C3PO, authorities can pursue disruptions and takedowns of over-permissioned protocol-based botnets. Similarly, R2D2 targets the disruption and takedown of DDR-based botnets. During its analysis of 100k malware, R2D2 revealed 10,170 DDR malware samples from 154 families. R2D2 also revealed the type of encoding used, with String Parsing and Base64 being the most common, providing authorities with a rapid means to decode C&C server domains.

I reported all of our findings to web app providers, and they confirmed them and took action against the 9,155 DDRs (90% of the DDR malware discovered). This dissertation demonstrates that malware development practices can be leveraged to enable botnet disruption and takedown.
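The abstract names the two DDR encodings R2D2 found most often, String Parsing and Base64, as the reason authorities can decode a C&C domain quickly once the dead-drop content is in hand. The following is an added example written for this page, not code from the dissertation or from the R2D2 pipeline, of the defender-side triage step that idea implies: scan a retrieved post body for Base64 tokens that decode to a hostname, and for hostnames wrapped between known marker strings. The marker pair, the sample post and the hostnames in it are constructed fixtures.

```python
"""Triage helper: recover a hostname hidden in dead-drop content.

Added example for this page, not the R2D2 authors' code. It assumes the
two encodings the abstract names (Base64 wrapping and marker-based string
parsing); marker strings and sample post below are constructed.
"""
import base64
import binascii
import re

# Candidate Base64 token: 12+ chars of the Base64 alphabet, optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
# Loose hostname check: dotted labels of letters/digits/hyphens, alphabetic TLD.
HOSTNAME = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def decode_base64_candidates(text):
    """Return hostnames recovered from Base64-looking tokens in text.

    Padding is repaired before decoding because dead-drop posts often strip
    the trailing '=' characters; tokens that are not valid Base64, that do
    not decode to ASCII, or that do not look like a hostname are skipped.
    """
    found = []
    for token in B64_TOKEN.findall(text):
        padded = token + "=" * (-len(token) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
            decoded = raw.decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if HOSTNAME.match(decoded):
            found.append(decoded.lower())
    return found


def extract_marked_candidates(text, start_marker, end_marker):
    """Return hostnames delimited by a marker pair (the string-parsing encoding)."""
    pattern = re.compile(re.escape(start_marker) + r"(.*?)" + re.escape(end_marker), re.S)
    return [m.strip().lower() for m in pattern.findall(text) if HOSTNAME.match(m.strip())]


def recover_domains(text, markers=(("##", "##"),)):
    """Run both decoders over a post body; returns hostnames in first-seen order."""
    seen = []
    for host in decode_base64_candidates(text):
        if host not in seen:
            seen.append(host)
    for start, end in markers:
        for host in extract_marked_candidates(text, start, end):
            if host not in seen:
                seen.append(host)
    return seen


# Constructed sample post: one Base64-wrapped hostname (encoded here so the
# fixture stays self-describing) and one hostname between "##" markers.
B64_HOST = "cnc-example.invalid"
MARKED_HOST = "dropzone.example"
SAMPLE_POST = (
    "Congratulations to the team on the release! Notes: "
    + base64.b64encode(B64_HOST.encode()).decode()
    + " see also ##" + MARKED_HOST + "## for details."
)

if __name__ == "__main__":
    for host in recover_domains(SAMPLE_POST):
        print("recovered candidate C&C hostname:", host)
```

The output of such a helper is a candidate list for an analyst to confirm, for example against sandbox DNS traffic, not an automatic verdict: the hostname filter is deliberately loose, so an ordinary post with an encoded address in it is flagged for review rather than silently dropped.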

Additional Information
  • In Campus Calendar: No
  • Groups: ECE Ph.D. Dissertation Defenses
  • Invited Audience: Public
  • Categories: Other/Miscellaneous
  • Keywords: Phd Defense, graduate students
Status
  • Created By: Daniela Staiculescu
  • Workflow Status: Published
  • Created On: Apr 12, 2022 - 6:32pm
  • Last Updated: Apr 12, 2022 - 6:32pm