One threat has evolved and dominated the threats landscape like no other: botnets. Practically every day a new set of online criminals attempt to exploit users in some way or the other. The best way to stop this threat at the perimeter is to identify its communication channel and block the bot from connecting to its control server. Blocking the communication will also prevent data exfiltration and the downloading of other threats.
But that’s easier said than done. Bot masters have become so advanced and organized that they can churn out thousands of undetectable and unique malware binaries each day. That coupled with the ability to rapidly change the control-server hosting infrastructure allows them to stay active longer without being taken down. At McAfee, we deal with thousands of such samples every day.
To give you an idea of the magnitude, here are some mind-boggling statistics. Starting in January to date, we processed close to 8.5 million distinct malicious binaries in our automation system. Of those, 2 million had the ability to communicate on a control channel. Of those, 37% were already known botnets!
The pie chart shows the Top 10 bot families during this period. You can see that some bots are very old, but we still see new binaries today. Zeus and its variants continue to dominate the botnet scene. There were in all 9,000 distinct domains and IPs that the malwares used for hosting their communication channels during this period. Some of them are active today.
One of the ways of handling such a daily onslaught of malware is to use advanced automation systems that can very rapidly extract the control server information from the binaries. But running automatic analysis systems comes with its own set of challenges. To start with, the bad guys are becoming smarter and the malware they create these days have anti-sandbox techniques that simply abort execution or act benign if it detects automatic analysis systems. Most of these techniques are already known and some of these have already been discussed by my fellow researchers in previous blogs. Then there are bots that use a domain-generation algorithm to connect to a large number of domains that do not exist, so we need to identify which are active and which are not. And finally there are “noisy” malwares that generate lot of network activity. Not only do they connect to the control server but they also connect to a lot of benign sites to either check connectivity or simulate “clicks” on advertisements.
Through months of research, we have built a system that not only uses advanced techniques to extract the control information but also helps us differentiate “known bad” from new “unknown” sites. Despite these challenges, our systems continue to process thousands of malware samples daily and we see new control server sites added to our database every day. This volume tells us how well organized the bot masters are and how fast they are able to switch channels to prevent their bots from being taken down.
Our automation system is just one of the ways we collect botnet intelligence. The system has limitations but by complementing it with other tactics, we stay a step ahead of these bad guys.
The data that this system generates feeds our Global Threat Intelligence database, McAfee’s cloud-based threat intelligence service. The Advanced Malware and Botnet protection feature in the latest release of the McAfee Network Security Platform (NSP 7.5) makes use of this intelligence to offer the best network protection to our customers. You can find more information about that here.