The Detection of 8 Type Malware Botnet using Hybrid Malware Analysis in Executable File Windows Operating Systems
G.B. Satrya, N.D.W. Cahyani, and R.F. Andreta
Forensics and Security Laboratory, Telkom School of Computing, Telkom University, Bandung, Indonesia.
Outline
i. Introduction
ii. Related Works
iii. Malware Analysis Overview
iv. Proposed Scheme
v. Implementation & Analysis
vi. Conclusion
Introduction
▪ Internet → Cybercrime
▪ Cybercrime → botnet
▪ Windows OS: executable file (.exe) → malware / botnet
▪ Botnet Detection → Malware Analysis
Related Works
Based on Feily's study, the creation of a botnet consists of 5 stages:
i. Initial infection
ii. Secondary injection
iii. Connection
iv. Malicious command and control
v. Updates and maintenance
Botnet Overview
J. Park. Acquiring Digital Evidence from Botnet Attacks: Procedures and Methods. PhD thesis, AUT University, 2011.
Malware Analysis Overview
▪ Malware → backdoor, botnet, downloader, launcher, rootkit, scareware, spam, virus/worm
▪ Malware Analysis
  Static Malware Analysis: file fingerprinting by hashing, extraction of hard-coded strings, disassembly, extraction of linked libraries and functions, and debugging
  Dynamic Malware Analysis: viewing process details, file system activity monitoring, registry activity monitoring, and network traffic monitoring
[14] M. Sikorski and A. Honig. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. No Starch Press, 1st edition, March 2012.
[15] C. Valli. The Malware Analysis Body of Knowledge (MABOK). 2008.
Network Topology (in Laboratory)
Flowchart of Hybrid Analysis
Botnet Samples

No  Botnet Name   Download & Execute  Visit Website  Key logger  Flood Attack  Update  Uninstall
1   Herpestnet    √                   √              x           x             √       √
2   Ann Loader    √                   x              x           x             x       x
3   mbot          √                   √              x           x             x       x
4   Vertexnet     √                   √              √           √             √       √
5   Athena        √                   x              x           √             √       √
6   Elite Loader  √                   x              x           x             √       x
7   Gbot          √                   x              x           √             √       x
8   Cythosia      √                   x              x           √             √       √
Data Characteristics of Botnet

No  Criteria                                                                  Information  Risk Level
1   URL contained in the embedded strings                                     Yes          3
2   There is a botnet command in the embedded strings                         Yes          4
3   There is an Autorun registry key in the embedded strings                  Yes          2
4   Has a verified signature                                                  No           3
5   Command line shown when it is executed                                    No           1
6   Does file duplication in the system                                       Yes          5
7   Adds itself to the system Registry Autorun                                Yes          5
8   Network traffic visibly communicates with a web via URL gateway (HTTP)    Yes          3
9   Receives a command from a server, and then performs the functionality     Yes          5
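The following is an added worked example, not code from the paper or its authors, that ties the static-analysis steps of the Malware Analysis Overview (hashing, string extraction) to the nine criteria and risk levels of the Data Characteristics table. It scores a sample by summing the deck's risk levels for each criterion observed. Criteria 1–3 are derived from embedded strings with regular expressions; criteria 4–9 need a sandbox run and are passed in as observations. The criterion key names, the command keyword list, the sample bytes and the sandbox observations are all my own constructions; only the weights come from the table.

```python
import hashlib
import re

# Risk level per criterion, copied from the deck's "Data Characteristics of Botnet"
# table (rows 1-9). The key names are this example's own, not identifiers from the paper.
RISK_WEIGHTS = {
    "url_in_strings": 3,                 # 1: URL contained in the embedded strings
    "botnet_command_in_strings": 4,      # 2: botnet command in the embedded strings
    "autorun_registry_in_strings": 2,    # 3: Autorun registry key in the embedded strings
    "no_verified_signature": 3,          # 4: "has a verified signature" = No scores 3
    "command_line_on_execution": 1,      # 5: command line shown when executed
    "file_duplication": 5,               # 6: duplicates itself in the file system
    "registry_autorun_added": 5,         # 7: adds an Autorun entry to the registry
    "http_gateway_traffic": 3,           # 8: talks to a web gateway over HTTP
    "receives_commands_from_server": 5,  # 9: receives a command from a server and acts on it
}
MAX_RISK = sum(RISK_WEIGHTS.values())  # 31 when every criterion is observed

# Runs of at least 4 printable ASCII bytes, the usual "strings" heuristic.
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./?=&%-]*)?", re.IGNORECASE)
AUTORUN_RE = re.compile(r"Software\\Microsoft\\Windows\\CurrentVersion\\Run", re.IGNORECASE)
# Keywords for the functionalities listed in the deck's "Botnet Samples" table (assumed spellings).
COMMAND_KEYWORDS = ("download", "execute", "visit", "keylog", "flood", "update", "uninstall")


def fingerprint(data: bytes) -> dict:
    """File fingerprinting by hashing (first static-analysis step in the deck)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes) -> list:
    """Extraction of hard-coded ASCII strings (second static-analysis step)."""
    return [m.group().decode("ascii") for m in PRINTABLE_RE.finditer(data)]


def static_indicators(data: bytes) -> dict:
    """Evaluate criteria 1-3 of the table from the embedded strings alone."""
    strings = extract_strings(data)
    lowered = [s.lower() for s in strings]
    return {
        "url_in_strings": any(URL_RE.search(s) for s in strings),
        "botnet_command_in_strings": any(kw in s for s in lowered for kw in COMMAND_KEYWORDS),
        "autorun_registry_in_strings": any(AUTORUN_RE.search(s) for s in strings),
    }


def risk_score(indicators: dict) -> int:
    """Sum the table's risk levels for every criterion observed as True."""
    unknown = set(indicators) - set(RISK_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    return sum(RISK_WEIGHTS[k] for k, hit in indicators.items() if hit)


def hybrid_report(data: bytes, dynamic: dict) -> dict:
    """Combine static indicators with sandbox observations (criteria 4-9) into one report."""
    indicators = {**static_indicators(data), **dynamic}
    return {
        "hashes": fingerprint(data),
        "indicators": indicators,
        "risk": risk_score(indicators),
        "max_risk": MAX_RISK,
    }


# Constructed stand-in for an executable: an MZ header followed by the kind of strings the
# deck's static criteria look for. The hostname uses the reserved .invalid placeholder TLD.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"http://c2.example.invalid/gate.php\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"!download http://c2.example.invalid/payload.exe\x00"
    + b"\x00" * 8
)

# Constructed sandbox observations for criteria 4-9, as a dynamic-analysis run would report them.
SAMPLE_DYNAMIC = {
    "no_verified_signature": True,
    "command_line_on_execution": False,
    "file_duplication": True,
    "registry_autorun_added": True,
    "http_gateway_traffic": True,
    "receives_commands_from_server": True,
}

if __name__ == "__main__":
    report = hybrid_report(SAMPLE, SAMPLE_DYNAMIC)
    print("sha256:", report["hashes"]["sha256"])
    for name, hit in report["indicators"].items():
        print(f"  {name:30s} {'yes' if hit else 'no':3s} (+{RISK_WEIGHTS[name] if hit else 0})")
    print(f"risk level: {report['risk']} / {report['max_risk']}")
```

For the constructed sample the three static criteria all fire (9 points) and the five positive sandbox observations add 21, giving 30 of a possible 31. The deck does not state the threshold that separates botnet from non-botnet on its "Risk Level" slide, so the script reports the score against the maximum rather than making that decision.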
Risk Level [botnet VS non-botnet]
Conclusion
▪ Using the risk-level recommendation produced by the results of hybrid malware analysis, characteristic data of botnets can be generated.
▪ By looking at the libraries linked by a botnet sample, the functionalities it contains can be detected.
▪ Testing the scheme to detect other types of malware in addition to botnets.
▪ Using a 64-bit Windows operating system as the infected system.
Thank You