Botnets - The killer web applications

www.syngress.com
Using Sandbox Tools for Botnets • Chapter 10
371
427_Botnet_10.qxd 1/9/07 3:06 PM Page 371


are sent or received. By examining this data you can learn what the malware intended with these connections.
Often you can also infer the bot's host-selection strategy from the reports, especially if you find complete ranges of target IPs that are being connected to or pinged, as in this case:



How Does the Bot Protect the Local Host and Itself?
Many bots try to protect a newly infected host against further exploitation by others. Of course this is not done for charitable reasons, but for the selfish one of ensuring that nobody else can take control of the host. The protection is accomplished by fixing known security holes or by completely disabling Windows services that can be exploited. Most often this is done by removing the existing Windows shares. In the following you can see how first all existing shares are enumerated (enum_share) and then deleted (delete_share):






To hide and protect its own existence, most malware performs the following actions on a newly infected system: it searches for known antivirus and security products and stops them or modifies their configuration. When malware tries to detect such running security applications, it normally searches for the commonly known names of their corresponding services, processes, or windows. This can be done either by enumerating all existing objects and comparing each one found against an internal list, or by calling functions that open a handle to a named object, passing the known name as a parameter. In the first case you will find the corresponding enumeration actions (for services, processes, or windows) in your report. In the second case, long lists of actions with the known object names as parameters will appear in the analysis. The following example shows how malware looks for the services of antivirus software:
















You can see that the bot loops through a long list (the original output has over 50 tests) of hard-wired service names. Because most of those applications are not installed on our test system, nothing more happens than a query for each service. The last actions show what happens when such a security service is found: the malware stops and disables the Windows SharedAccess service. On Windows XP this is the "Windows Firewall/Internet Connection Sharing (ICS)" service; it provides the address translation and connection filtering behind ICS and the Windows Firewall (the Application Layer Gateway, ALG, is a separate service on which SharedAccess depends), and it runs even if neither feature is enabled. By shutting down this service the Windows Firewall becomes inactive, but other unforeseen problems could occur as well.
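The three self-protection behaviours described above (enumerating and then deleting shares, probing a hard-wired list of security-service names, and stopping and disabling SharedAccess) can be picked out of a report mechanically. The following Python script is an added example, not code from the book or from CWSandbox: it parses a constructed, line-oriented simplification of a sandbox action log (one action per line) and flags each behaviour. Only enum_share and delete_share are action names taken from the page; open_service, control_service, change_service_config and the result, control and start_type parameters are assumptions made for this example, as is the short list of security-product service names.

```python
"""Triage a sandbox action log for bot self-protection behaviour.

Added example, not code from the book or from CWSandbox.  The input is a
constructed, line-oriented simplification of a sandbox report (one action
per line, `action key="value" ...`).  Only enum_share and delete_share are
action names from the chapter; open_service, control_service and
change_service_config, and the result/control/start_type parameters, are
assumptions made for this example.
"""
import json
import re

# Constructed sample log: the bot probes for security services (most are
# absent on the test system, so the lookups fail), then stops and disables
# the firewall/ICS service, then enumerates and deletes the local shares.
SAMPLE_REPORT = """\
open_service name="navapsvc" result="not_found"
open_service name="McShield" result="not_found"
open_service name="AVP" result="not_found"
open_service name="SAVService" result="not_found"
open_service name="ekrn" result="not_found"
open_service name="wscsvc" result="ok"
open_service name="SharedAccess" result="ok"
control_service name="SharedAccess" control="stop"
change_service_config name="SharedAccess" start_type="disabled"
enum_share
delete_share name="C$"
delete_share name="ADMIN$"
delete_share name="IPC$"
"""

# Illustrative (not exhaustive) service names of security products; the
# bot's own list in the chapter has over 50 entries.
SECURITY_SERVICES = {"navapsvc", "mcshield", "avp", "savservice", "ekrn",
                     "wscsvc", "windefend"}
# Service that hosts the Windows Firewall / ICS on Windows XP.
FIREWALL_SERVICES = {"sharedaccess"}

LINE_RE = re.compile(r'^(?P<action>\w+)(?P<params>(?:\s+\w+="[^"]*")*)\s*$')
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_report(text):
    """Return a list of (action, {param: value}) tuples, one per line."""
    actions = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        actions.append((m.group("action"),
                        dict(PARAM_RE.findall(m.group("params")))))
    return actions


def find_service_probing(actions, min_lookups=5):
    """A hard-wired kill list shows up as many lookups of distinct service
    names, most of which fail because the product is not installed."""
    lookups = [(p.get("name", "").lower(), p.get("result"))
               for a, p in actions if a == "open_service"]
    names = {n for n, _ in lookups}
    failed = sum(1 for _, r in lookups if r != "ok")
    return {
        "probing": len(names) >= min_lookups and 2 * failed >= len(lookups),
        "lookups": len(lookups),
        "failed": failed,
        "known_security_services": sorted(names & SECURITY_SERVICES),
    }


def find_firewall_tampering(actions):
    """Stop or disable of the firewall/ICS service, in report order."""
    hits = []
    for a, p in actions:
        if p.get("name", "").lower() not in FIREWALL_SERVICES:
            continue
        if a == "control_service" and p.get("control") == "stop":
            hits.append("stop " + p["name"])
        elif a == "change_service_config" and p.get("start_type") == "disabled":
            hits.append("disable " + p["name"])
    return hits


def find_share_removal(actions):
    """Shares deleted after an enumeration: the enum-then-delete pattern."""
    enumerated, deleted = False, []
    for a, p in actions:
        if a == "enum_share":
            enumerated = True
        elif a == "delete_share" and enumerated:
            deleted.append(p.get("name", "?"))
    return deleted


def triage(text):
    actions = parse_report(text)
    return {
        "service_probing": find_service_probing(actions),
        "firewall_tampering": find_firewall_tampering(actions),
        "shares_deleted": find_share_removal(actions),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

The probing heuristic deliberately does not depend on the product list: a long run of distinct service lookups where most fail is suspicious on its own, and the matched known names only corroborate it. A real report would need the parser swapped for the sandbox's own format (CWSandbox emits XML), but the three checks stay the same.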
Some malware does not search for the services at all; rather, it tries to kill the corresponding processes. In our example the Windows XP command taskkill is used, for which the parameter /im imagename specifies the filename of the