The building of a botnet army
In the summer of 2007, the online consumer service organization received an ominous notice from a consumer. It appeared that the person had received an email from what they thought was the consumer service organization that contained a link to its site. The email was a fake designed to lure recipients to a location in order to trigger a malware download onto their PC. The intent of the malware, identified as the Storm Worm, was to turn the recipient's machine into a zombie or robot to serve a global botnet.
Botnets are used by perpetrators to conduct various malicious activities, such as launching denial of service attacks against specific organizations. They do this by using a global network of zombies to flood Internet connections with spam and ultimately prevent connectivity to legitimate sites. In this particular case, the downloaded malware caused infected PCs to send out spam emails containing the location of the malware download in order for it to propagate to even more unsuspecting users.
Upon making some initial inquiries, the company unearthed 10 emails that referenced their brand and included unique IP addresses that were distributing the malware. BD-BrandProtect was then engaged to investigate the matter further. In doing so, they quickly found that they had uncovered the tip of a huge iceberg. Within two hours, BD-BrandProtect logged hundreds of similar types of emails from unique IP addresses of infected systems. These infected systems were acting as a download source for the Storm Worm, and it appeared that the infection was rapidly expanding to thousands of machines by the hour.
Drawing the bees to the honey
Catching malware perpetrators is a highly complex exercise that requires a vast network of connections and creative thinking. To put the scope of this job in perspective, this Storm Worm attack generated 20 times more instances than a large-scale phishing attack at a financial institution. This meant the volume of malicious emails generated easily reached the hundreds of thousands within a matter of days.

To begin, BD-BrandProtect used a “honeypot” strategy. This is a comprehensive trap that is used to detect attempts to spoof an organization’s brand. In simple terms a honeypot is a mailbox that is made to appear to be part of a network, but is isolated and monitored. The mailbox collects spam messages, which are then parsed based on client keyword matches. The main purpose is to attract malicious or unauthorized activities and provide a means to trace the sources of attacks. The BD-BrandProtect Honeypot allowed the team to track the thousands of IP addresses hosting the malware in question.
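The honeypot workflow described above, reduced to its core steps, as an added example (not BD-BrandProtect's own tooling): messages collected by the isolated mailbox are filtered on the client's brand keywords, the sending IP is read from the Received header the honeypot's own mail server added, and the download URLs each infected host advertised are recorded against that IP. The sample messages, hostnames and keyword list are constructed for the example.

```python
import email
import re
from email import policy

# Constructed sample messages as a honeypot mailbox might collect them (not real data).
SAMPLES = [
    "Received: from pc1.isp-a.invalid (pc1.isp-a.invalid [198.51.100.23])\r\n"
    "\tby honeypot.example.org with SMTP; Tue, 17 Jul 2007 10:11:12 -0400\r\n"
    "From: support@example-brand.invalid\r\n"
    "Subject: Example Brand account notice\r\n"
    "\r\n"
    "Open http://198.51.100.23/notice.exe to read it.\r\n",
    "Received: from pc2.isp-b.invalid (pc2.isp-b.invalid [203.0.113.7])\r\n"
    "\tby honeypot.example.org with SMTP; Tue, 17 Jul 2007 10:15:00 -0400\r\n"
    "From: news@example-brand.invalid\r\n"
    "Subject: Example Brand login\r\n"
    "\r\n"
    "See http://203.0.113.7/ for details.\r\n",
    "Received: from pc3.isp-c.invalid (pc3.isp-c.invalid [192.0.2.9])\r\n"
    "\tby honeypot.example.org with SMTP; Tue, 17 Jul 2007 10:20:00 -0400\r\n"
    "From: deals@other.invalid\r\n"
    "Subject: Cheap watches\r\n"
    "\r\n"
    "http://192.0.2.9/shop\r\n",
]

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL = re.compile(r"https?://[^\s<>\"']+")

def origin_ip(msg):
    """IP from the topmost Received header, i.e. the one the honeypot's own MTA
    prepended. Earlier hops can be forged by the sender and are not trusted."""
    received = msg.get_all("Received") or []
    m = RECEIVED_IP.search(received[0]) if received else None
    return m.group(1) if m else None

def collect_sources(raw_messages, keywords):
    """Map each sending IP to the download URLs it advertised, keeping only
    messages whose subject or body mentions one of the client's brand keywords."""
    sources = {}
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        body = msg.get_body(preferencelist=("plain",))
        text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
        if not any(k.lower() in text for k in keywords):
            continue  # unrelated spam: not this client's brand
        ip = origin_ip(msg)
        if ip is not None:
            sources.setdefault(ip, set()).update(URL.findall(text))
    return sources

if __name__ == "__main__":
    for ip, urls in sorted(collect_sources(SAMPLES, ["Example Brand"]).items()):
        print(ip, sorted(urls))
```

The resulting IP-to-URL map is what gets grouped by responsible ISP for the notification step.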
BD-BrandProtect then used the information to begin mitigation procedures. Once the infected addresses were identified, BD-BrandProtect began contacting the ISPs worldwide who were responsible for the IP addresses. The ISPs in turn had to determine the specific machine that was using the address at the time, temporarily suspend the machine from the network, notify the individual, and request the owner clean the system.
This was no small task. Since there were hundreds of ISPs involved, BD-BrandProtect mobilized their Incident Response Analysts and engaged the services of dedicated Internet Response Teams around the world, to help coordinate the mitigation efforts in their specific geographic regions.
At the same time, BD-BrandProtect applied reverse engineering procedures to the malware in a lab environment. This allowed the research team to identify the domains that were being used to coordinate the attack. A total of 13 different domains were identified, all of which were registered through a single registrar in Estonia, which was identified as having suspect motives. This made contacting the registrar a questionable option, as they could potentially alert the perpetrators to BD-BrandProtect's actions.
BD-BrandProtect puts malware in its place
The proliferation of malware is a cause for increasing concern for businesses and consumers. While many instances of malware are little more than a nuisance for users, others can have a much more insidious impact on a company's online credibility. For one online consumer services site that had many thousands of visitors a day, a malware invasion known as Storm Worm turned thousands of personal computers into an army of zombies known as a botnet. With the help of BD-BrandProtect, the perpetrators were traced, infected users identified and notified, and the botnet threat was mitigated.