427 Botnet fm qxd

■
The DLL installs API hooks for all important functions of the
Windows API.
■
If a new process is started by the malware or if an existing one is
infected, this process is also monitored.
■
After a customizable time, all monitored processes are terminated.
■
A high-level summarized analysis report is created of all the mon-
itored actions.
■
The network traffic is examined, important Web protocols
(HTTP, FTP, IRC, and so on) are recognized, and all relevant pro-
tocol data (username, password, and the like) is reported.
Automated Analysis Suite (AAS) is a tool for automatic collection
and analysis of malware:
■
AAS uses a database to store malware samples and the corre-
sponding created analysis reports.
■
AAS integrates the honeypot tool 
Nepenthes
for automatic mal-
ware collection.
■
Additionally, malware can be submitted via a PHP-based Web
interface.
■
AAS embeds CWSandbox for automatic analysis.
Examining a Sample Analysis Report
The CWSandbox analysis report of Backdoor.IRCBot.S
(BitDefender), BackDoor.Generic4.VT (AVG), and
Backdoor.Win32.IRCBot.yc (Kaspersky) is presented.
This binary is a simple bot application that shows most of the
common actions performed by this malware class:
■
The initial file copies itself into the Windows Directory and starts
this copy.
■
The copy first deletes the initial malware file.
■
Then a mutex is created to prevent multiple parallel instances.
■
An autostart registry key is created.
www.syngress.com
388

Download 6,98 Mb.

Do'stlaringiz bilan baham: