On the Reverse Engineering of the Citadel Botnet

Citadel is an advanced information-stealing malware which targets financial information. This malware poses a real threat against the confidentiality and integrity of personal and business data. A joint operation was recently conducted by the FBI and the Microsoft Digital Crimes Unit in order to take down Citadel command-and-control servers. The operation caused some disruption in the botnet but has not stopped it completely. Due to the complex structure and advanced anti-reverse engineering techniques, the Citadel malware analysis process is both challenging and time-consuming. This allows cyber criminals to carry on with their attacks while the analysis is still in progress. In this paper, we present the results of the Citadel reverse engineering and provide additional insight into the functionality, inner workings, and open source components of the malware. In order to accelerate the reverse engineering process, we propose a clone-based analysis methodology. Citadel is an offspring of a previously analyzed malware called Zeus; thus, using the former as a reference, we can measure and quantify the similarities and differences of the new variant. Two types of code analysis techniques are provided in the methodology, namely assembly to source code matching and binary clone detection. The methodology can help reduce the number of functions requiring manual analysis. The analysis results prove that the approach is promising in Citadel malware analysis. Furthermore, the same approach is applicable to similar malware analysis scenarios.Comment: 10 pages, 17 figures. This is an updated / edited version of a paper appeared in FPS 201

DDoS-Capable IoT Malwares: comparative analysis and Mirai Investigation

The Internet of Things (IoT) revolution has not only carried the astonishing promise to interconnect a whole generation of traditionally “dumb” devices, but also brought to the Internet the menace of billions of badly protected and easily hackable objects. Not surprisingly, this sudden flooding of fresh and insecure devices fueled older threats, such as Distributed Denial of Service (DDoS) attacks. In this paper, we first propose an updated and comprehensive taxonomy of DDoS attacks, together with a number of examples on how this classification maps to real-world attacks. Then, we outline the current situation of DDoS-enabled malwares in IoT networks, highlighting how recent data support our concerns about the growing in popularity of these malwares. Finally, we give a detailed analysis of the general framework and the operating principles of Mirai, the most disruptive DDoS-capable IoT malware seen so far

Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences

In this survey, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. We then investigate the mechanics of malware command and control (C2) establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. We then switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices.Comment: Work commissioned by CPNI, available at c2report.org. 38 pages. Listing abstract compressed from version appearing in repor

Peer-to-Peer Botnets: Analysis and Detection

Attacks such as spamming, distributed denial of service and phishing have become commonplace on the Internet. In the past, attackers would use high bandwidth Internet connection servers to accomplish their tasks. Since desktop users today have high-speed Internet connections, attackers infect users’ desktops and harness their computing power to perform malicious activities over the Internet. As attackers develop new methods to attack from distributed locations as well as avoid being detected, there is a need to develop efficient methods to detect and mitigate this epidemic of infection of hosts on the network. In this project, we aim to analyze the peer-to-peer botnet binary known as Trojan.Peacomm and its variants. Reverse engineering techniques have been used to disassemble the binary and to identify the techniques that the botnet binary uses to spread itself and to make its detection difficult by current scanners. In the process, we establish a framework and methods for malware analysis, which could be used to analyze other bot binaries and malware. Based on our findings we discuss a few techniques to detect and shut down botnets and demonstrated an attack scenario used to disrupt their activity

Botnet detection from drive-by downloads

The advancement in Information Technology has brought about an advancement in the development and deployment of malware. Bot Malware have brought about immense compromise in computer security. Various ways for the deployment of such bots have been devised by attackers and they are becoming stealthier and more evasive by the day. Detecting such bots has proven to be difficult even though there are various detection techniques. In this work, a packet capturing and analysis technique for detecting host-based bots on their characteristics and behavior is proposed. The system captures network traffic first, to establish normal traffic, then already captured botnet traffic was used to test the system. The system filters out HTTP packets and analyses these packets to further filter out botnet traffic from normal internet traffic. The system was able to detect malicious packets with a False Positive Rate of 0.2 and accuracy of 99.91%