ETeC 2024: Why botnet tracking is so effective

Next story
Roman Cuprik

ESET has been successfully utilizing botnet tracking for years. 

When cybersecurity vendors invest heavily into sophisticated malware replication mechanisms studying real-life malware behavior in isolated environments, one may ask what the point of malware tracking is. What do we learn by extracting data from malicious code without it running or communicating with a command and control (C&C) server?

Using the Grandoreiro banking trojan as an example, ESET senior malware researcher Jakub Souček explained the pros and cons of botnet tracking and malware replication at the ESET Technology Conference 2024, an annual ESET conference discussing the best in ESET security and research.

If you want to know more about how ESET participated in the Grandoreiro disruption, check out our other blog discussing the case at length.

ESET tracking systems

With malware tracking, researchers need to implement a dedicated program (parser) for the relevant malware family deployed on the targeted machine. With this tool, the malware is nothing more than an input to such a program.

Using a heuristic approach, code patterns, and analytical output, the parser extracts all interesting information from the malware sample without it running or communicating. It can also emulate the C&C protocol and lure even more information from the C&C server.

“At ESET, botnet tracking has proven to be an invaluable resource several times in recent years,” Souček said.

ESET researchers have utilized such tracking in cases like the Trickbot disruption, which infested over a million computing devices between 2016 and 2020, the pervasive malware family Emotet, and a large variety of infostealers and remote access trojans (RATs). 

The ESET tracking system is designed with the following objectives in mind:

  • Extraction of C&C server domains and IP addresses. These are routed toward automatic blocking. In some cases, ESET also emulates network traffic to obtain more data.
  • Extraction of payloads, both embedded and downloaded. These are great candidates for automatic detection as well.
  • The most significant benefit lies in the ability to extract any custom information researchers want, such as DGA configuration, C&Cs that may be used as backup only, mutex names, and license ID.
  • In the case of banking trojans, ESET engines also extract a list of targeted banks.

Pros and cons of botnet tracking

The benefits of malware tracking are many – full power over the malware sample, no actual compromise occurring, anti-emulation techniques don’t work, and the processing speed depends only on the complexity of the used parser.

However, tracking is not suitable for every piece of malware. Heavy code protection breaks binary patterns, frequent code changes increase maintenance requirements, and setting up such tracking may be time-consuming.

“To summarize, tracking is a great option for analyzing large stable botnets when long-term data is needed, and the samples contain information researchers wouldn’t otherwise have access to,” Souček said.

What about malware replication?

Malware replication requires a dedicated machine that is deliberately compromised to observe malware behavior, ideally establishing a connection to a C&C server and analyzing their communication. In a best-case scenario, the C&C server replies with additional payloads or plugins and a list of targets in the case of banking trojans, for example.

Setting up such an environment is relatively fast and easy, the entire process doesn’t require heavy maintenance, and the main benefit is that malicious code protection (such as virtualization or heavy obfuscation) can be ignored.

On the other hand, the malware may wait quite a long time before reaching out to a C&C server and, while waiting, both time and processing power are wasted. It may also be quite difficult to see under the custom encryption layers in network communication.  

When analyzing installed malware, evading all sandbox-detection mechanisms may be quite tricky. There is also a risk of unusual control flow, like restarting the machine, which further complicates automatic replication.

“In a nutshell, replication is great for unknown malware where we don’t really care about long-term data. It can also be extremely helpful in overcoming code protection techniques,” Souček explained.

Tracking vs. Replication: Which one is better?

When it comes to botnets, the Grandoreiro case shows the benefits of malware tracking over malware replication.

Needless to say, a reliable cybersecurity solution should use both to cover the complex threat landscape.

This heuristic and multilayered cybersecurity strategy is part of the ESET prevention-first approach, based on the idea of stopping malware before it does any harm. To achieve that, ESET developed sophisticated solutions minimizing the threat surface (i.e. all possible connection points or attack vectors that attackers can use to enter victims’ systems).  

Let’s take botnets in general as an example. ESET technology has multiple tools at its disposal to stop them at different stages, such as:

Anti-Phishing – Botnets (including Grandoreiro) often spread via phishing messages containing malicious content or links redirecting users to phishing websites. ESET Anti-Phishing blocks web pages known to distribute phishing content.

Reputation & Cache – When inspecting a file or URL, before any scanning takes place, ESET products check the local cache for known malicious or whitelisted benign objects. This improves scanning performance.

ESET DNA Detections – These perform a deep analysis of the code and extract the “genes” responsible for its behavior. ESET DNA Detections can identify specific known malware samples, new variants of a known malware family or even previously unseen or unknown malware that contains genes that indicate malicious behavior.

ESET Botnet Protection –ESET Botnet Protection detects malicious communication used by botnets and, at the same time, identifies the offending processes. Any detected malicious communication is blocked and reported to the user.

ESET LiveGrid® – Whenever a zero-day threat is seen, the file is sent to ESETcloud-based malware protection system ESET LiveGrid® where the threat is detonated and its behavior is monitored. The results of this system are provided to all endpoints globally within minutes without requiring any updates. This approach has a significant positive impact on scanning performance and deflection of zero-day threats on all protected endpoints with active ESET LiveGrid®.

Conclusion

Malware tracking has been an irreplaceable tool in the hands of ESET researchers for many years, contributing to numerous disruptions of dangerous malware. This mechanism is not a rival to malware replication; quite the contrary – both represent different approaches, which can be used separately when needed or even complement each other.

However, malware analysis is still only a small fraction of ESET multi-layered cybersecurity focusing on prevention. ESET combines multiple technologies, AI and human expertise to deliver top-notch security and threat intelligence from which ESET partners and law enforcement authorities benefit greatly.