I am currently working on a few presentations that I will give in the upcoming weeks. One of them touches on correlating data, and that correlation actually yields some interesting information. To demonstrate this with some older data: in 2007 I made a screen dump from our Analysis Desktop’s Botnet database, in particular of a botnet that was new at that time. It showed that we had 3 different pieces of unique malware all connecting to the same channel (Matrizzz) of the botnet on the same C&C server.
I repeated that exercise today for the sake of the presentation, and it showed that the Matrizzz channel on this server is now accessed a few more times. But it also shows that a similar channel (matrizzzz) is present on another server. Examining the code confirmed that the two are indeed related.
Going to the data on that server, we can see that this C&C server is actually hosting two botnet channels. I could dig deeper into the second channel, but the phrase “matrix” is used in a wide variety of botnets and channels, so that would not reveal much.
If we continue with the channel we started with, it is noticeable that the channel password everywhere contains the phrase “makako123”. If we then search on that phrase, another server shows up.
And on that server there is a channel. This exercise could continue for a few more cycles, and we would reveal more and more information and more and more nodes that are interlinked. A nice graph is building up. If we did this for every botnet, we would actually see that specific servers are part of multiple botnets and that there is a big overlap.
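The pivoting described above (sample to channel, channel to server, server to password, password to the next server) can be expressed as a small graph walk over the observation records. The following is an added example, not code from the original post or from the Analysis Desktop it mentions. The only values taken from the post are the channel names "Matrizzz" and "matrizzzz" and the password "makako123"; the sample ids, server names and botnet labels are constructed placeholders, and the channel-name normalisation (collapsing repeated letters so that Matrizzz and matrizzzz compare equal) is an assumed heuristic that models the "similar channel" observation.

```python
"""Pivot-based correlation of botnet C&C observations (added example).

Constructed sample data: sample ids, server names and botnet labels are
placeholders; only the channel names Matrizzz/matrizzzz and the password
makako123 come from the original post.
"""
from collections import defaultdict
import re

# One row per malware sample observed connecting to a C&C server. 'botnet' is
# the analyst's label for the family the sample was filed under; it is what we
# use at the end to show overlap between botnets.
RECORDS = [
    {"sample": "s1", "botnet": "A", "server": "cnc-1.example", "channel": "Matrizzz",  "password": "makako123"},
    {"sample": "s2", "botnet": "A", "server": "cnc-1.example", "channel": "Matrizzz",  "password": "makako123"},
    {"sample": "s3", "botnet": "A", "server": "cnc-1.example", "channel": "Matrizzz",  "password": "makako123"},
    {"sample": "s4", "botnet": "B", "server": "cnc-2.example", "channel": "matrizzzz", "password": "makako123"},
    {"sample": "s5", "botnet": "C", "server": "cnc-2.example", "channel": "#other",    "password": "pw-c"},
    {"sample": "s6", "botnet": "D", "server": "cnc-3.example", "channel": "#dchan",    "password": "makako123"},
    {"sample": "s7", "botnet": "E", "server": "cnc-9.example", "channel": "#echan",    "password": "pw-e"},
]


def normalize_channel(name):
    """Lowercase, drop a leading '#', collapse repeated letters so that
    'Matrizzz' and 'matrizzzz' both become 'matriz'. Assumed heuristic: a match
    here is a lead to verify against the code, not proof of a relation."""
    return re.sub(r"(.)\1+", r"\1", name.lower().lstrip("#"))


def pivot_keys(rec):
    """The attribute values an analyst can pivot on; each becomes a graph node."""
    return {
        "server:" + rec["server"],
        "channel:" + normalize_channel(rec["channel"]),
        "password:" + rec["password"],
    }


def build_graph(records):
    """Bipartite adjacency: sample -> pivot keys, pivot key -> samples."""
    adj = defaultdict(set)
    for rec in records:
        for key in pivot_keys(rec):
            adj[rec["sample"]].add(key)
            adj[key].add(rec["sample"])
    return adj


def expand(records, seed_sample):
    """Repeat the post's exercise: from one sample, follow every shared
    attribute to samples not seen yet, cycle by cycle. Returns one sorted list
    of newly reached sample ids per cycle, stopping when nothing new appears."""
    adj = build_graph(records)
    seen, frontier, cycles = {seed_sample}, {seed_sample}, []
    while frontier:
        new = set()
        for sample in frontier:
            for key in adj[sample]:
                new |= adj[key] - seen
        if not new:
            break
        seen |= new
        cycles.append(sorted(new))
        frontier = new
    return cycles


def shared_servers(records):
    """Servers filed under more than one botnet label: the 'specific servers
    are part of multiple botnets' observation, without any pivoting."""
    labels = defaultdict(set)
    for rec in records:
        labels[rec["server"]].add(rec["botnet"])
    return {srv: sorted(b) for srv, b in labels.items() if len(b) > 1}


def botnet_clusters(records):
    """Group botnet labels whose samples are linked by any chain of pivots;
    each inner list is one connected component of the graph."""
    by_sample = {r["sample"]: r for r in records}
    unassigned, clusters = set(by_sample), []
    while unassigned:
        seed = min(unassigned)
        members = {seed} | {s for cycle in expand(records, seed) for s in cycle}
        clusters.append(sorted({by_sample[s]["botnet"] for s in members}))
        unassigned -= members
    return sorted(clusters)


if __name__ == "__main__":
    for i, cycle in enumerate(expand(RECORDS, "s1"), 1):
        print(f"cycle {i}: reached {cycle}")
    print("servers hosting several botnets:", shared_servers(RECORDS))
    print("botnets linked by pivots:", botnet_clusters(RECORDS))
```

Starting from s1, the first cycle already reaches the other two samples on the same server, the matrizzzz sample on the second server (via the normalised channel name and the shared password) and a third server that only shares the password; the second cycle picks up the unrelated-looking channel co-hosted on the second server. Botnet E, which shares nothing, stays in its own component, which is the behaviour you want from a correlation step: it links what the evidence links and nothing more.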
And before you know it, what seems to be Chaos is actually Organized…
Funnily enough, the same graphs can be made about Who knows Whom on social networks…