BotRaids: Botnet Remediation via Automated deceptIon and payloaD Seizure

Abstract

This research directly benefits the resiliency of the US government's cyber infrastructure by advancing the state-of-the-art in cyber forensics and botnet prevention. Cybercriminals construct massive networks of malware running on infected victim devices that connect back to command and control servers on the internet, so-called botnets. For decades, the US government with law enforcement and commercial entities have attempted to take down these globally-distributed botnets with mixed success. For example, US Cyber Command and Microsoft have worked for years to disable TrickBot and prevent the botnet from communicating with its command and control servers, but the botnet operator was able to upgrade the malware and regain control. This work proposes that botnet takedown operations must not only remediate command and control servers but also disable or remove frontend malware from infected devices, effectively eliminating the chance for a botnet revival. This research provides a more automated approach to holistic botnet clean-up: both monitoring and disabling command and control servers on the internet as well as remediating or removing the malware from victim devices. At the heart of this issue is the use of code reflection for command and control payload distribution, a popular trend in malware design that enables many botnets to survive takedowns. This research will develop BotRaids, a program-analysis-centric pipeline combining automated malware forensics techniques toward holistic remediation of frontend malware and command and control backends. First, BotRaids identifies network behaviors, potential capabilities, and code reflection routines in the malware sample. Next, BotRaids performs covert monitoring of the command and control server via protocol identification to establish an effective strategy for command and control takedown. Finally, BotRaids enables the automated generation of a customized remediation payload, by examining the malware's code reflection routines, capable of disabling the malware or alerting the infected-device user. This approach puts the botnet operators at a disadvantage because they must begin again from nothing, attempting to reinfect victim devices, greatly reducing the danger and societal costs inflicted by cyber attacks. Approved for public release.

Document Details

Document Type
DoD Grant Award
Publication Date
Dec 06, 2022
Source ID
N000142312073

Entities

People

  • Brendan Saltaformaggio

Organizations

  • Georgia Tech Research Corporation
  • Office of Naval Research
  • United States Navy

Tags

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Database Systems and Applications
  • Educational Psychology

Technology Areas

  • Cyber
  • Fully Networked C3
  • Fully Networked C3 - Command and Control