
Tuesday, December 8, 2009

Extracting CnC from Malware

I've been asked quite a bit about the risks and value of automatic malware analysis within the enterprise over the last few months. There are of course a lot of technologies that enterprises can purchase and deploy within their network to take in suspicious samples and classify them as benign or malicious.

Most of these technologies use a mix of signature and behavioral engines, although there's been a greater push recently to use virtual/sandboxing technologies as well (or as a replacement). I'm not convinced this is such a smart idea. The tools being used to create new families and serial variants of malware tend to be more sophisticated nowadays than what's being used to thwart them at the perimeter network. In fact, practically anyone with the ability to use Google and permission to install software on a computer can download many of the DIY malware construction kits and start generating crimeware that's guaranteed to defeat most of these commercial VM/sandboxing technologies - some will even enable the would-be cybercriminal to use exploits to break out of the sandbox.

Anyhow, I've pulled together a whitepaper discussing the use of such technologies in obtaining botnet command and control information - and the limitations of such technologies within the enterprise.

"Extracting CnC from Malware" is now available on the Damballa web site.

Thursday, June 11, 2009

Understanding Botnet Communication Topologies

Not all botnets communicate the same way. It's disappointing, but true. Yet many of the organizations I deal with struggle to understand the significance of a botnet's communication topology and the tools/services botnet operators typically use to make their botnets resilient to blocking or shutdown.

By understanding how bot agents communicate with their CnC infrastructure, security teams can better adapt and tune their existing protection systems to combat them.

This new whitepaper I wrote - "Botnet Communication Topologies" - is a plain language analysis of the CnC topologies commonly seen in the wild. It covers the topologies used today by botnet masters as well as describing the fluxing technologies typically deployed in conjunction - making them more robust to takedown and blocking.

The paper's objective is education as to the nature of the threat, and it seeks to explain the relative strengths and weaknesses of the botnet topologies - with a view to enabling organizations to make better decisions pertaining to their proposed blocking strategies.