Coming In May: Netting Botnets

April 29, 2015 by Ixia Blog Team

Next month, Ixia ATI is introducing the new Botnets monthly update package. This update contains strikes that emulate botnet command and control (C&C) communication behavior. If you want to know whether your security devices can effectively block C&C traffic, you will soon be able to put them to the test.

Some examples of powerful botnets, and how they impact your organization’s security, can be found here.[1] These include Zeus, Koobface, Tidserv, Conficker and others.

Package Contents

Each monthly update package contains roughly 50 botnet strikes that can be added and run through the Ixia BreakingPoint Security Engine. Metadata is also provided for each botnet, so you can explore the technical details and how those details are being classified by antivirus products.

Botnet Traffic Emulation

Each botnet strike emulates the communication between the infected machine and the C&C server in a two-arm mode, meaning that both sides are simulated by the Security Engine. This means that the majority of evasions the Security Engine supports can also be applied to the botnet traffic in order to further conceal it from the detection engine of the security device under test.

Botnets Dynamic Strike List

Each monthly update package also includes a strike list that contains only the botnet strikes published in that particular package. This can be used to easily identify and run the new content. As a naming convention, we use “Botnets <Month>-<Year>” in order to identify the strike list (e.g., “Botnets May-2015”).

Besides the strike list pertaining to each update package, there’s also a new dynamic strike list called “Botnets” containing all of the botnet strikes published to date. (This list is updated when each new botnet update package is installed.)

Capturing Botnet Communications

Now, let’s turn to the process of how we capture and emulate the botnet traffic in the first place. In order to capture botnet traffic, we run different malware samples through the Cuckoo Malware Analysis Sandbox[2] and monitor the network activity of that malware. If it initiates any traffic flows, we capture and analyze the traffic flows to see what kind of information is being transmitted, as well as the protocols involved.

If the detected traffic flows are considered dangerous and/or suspicious, we create a new botnet strike based on that particular traffic pattern. The botnet strike preserves the content, as well as the message-relative timing, that has been observed during analysis.
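
An added illustration of the capture-to-strike step described above, not Ixia's code: it turns a constructed list of captured segments into a two-arm replay script that keeps the observed payloads and the message-relative timing. The record format, the names Segment, Step, build_replay and arm_script, and the c2.example host are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass
class Segment:            # one captured packet (constructed record format)
    ts: float             # capture timestamp in seconds
    src: str              # "bot" (infected host) or "c2" (server)
    data: bytes           # application payload, empty for bare ACKs

@dataclass
class Step:               # one application message in the replay
    sender: str           # arm that transmits it
    delay: float          # seconds after the previous message finished
    payload: bytes

def build_replay(segments):
    """Coalesce same-direction segments into messages, keeping the
    observed bytes and the delay relative to the previous message."""
    steps, last_ts = [], None
    for seg in sorted(segments, key=lambda s: s.ts):
        if not seg.data:
            continue                       # no payload, nothing to replay
        if steps and steps[-1].sender == seg.src:
            steps[-1].payload += seg.data  # same message continues
        else:
            delay = 0.0 if last_ts is None else round(seg.ts - last_ts, 6)
            steps.append(Step(seg.src, delay, seg.data))
        last_ts = seg.ts
    return steps

def arm_script(steps, arm):
    """View of the replay from one arm: send own messages, expect the peer's."""
    return [("send" if s.sender == arm else "expect", s.delay, s.payload)
            for s in steps]

# Constructed sample capture (hypothetical check-in exchange, not real malware traffic)
CAPTURE = [
    Segment(10.000, "bot", b"POST /gate HTTP/1.1\r\n"),
    Segment(10.002, "bot", b"Host: c2.example\r\n\r\nid=TEST"),
    Segment(10.150, "c2", b"HTTP/1.1 200 OK\r\n\r\nnoop"),
    Segment(10.151, "bot", b""),           # bare ACK, carries no content
    Segment(70.150, "bot", b"POST /gate HTTP/1.1\r\n\r\nid=TEST"),
]

if __name__ == "__main__":
    for action, delay, payload in arm_script(build_replay(CAPTURE), "bot"):
        print(f"{action:6} after {delay:>7.3f}s  {payload[:24]!r}")
```

The 60-second gap before the second check-in survives in the replay, which is the kind of beaconing interval a device under test may key on.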

Testing Your Network Security

Having a botnet in your network is a serious issue. Having it go undetected for a long period of time is even more so, because it can spread and infect other machines in the network and lead to undesirable events (information leakage, spam, DDoS attacks, etc.). Try out our new botnets package and see how your network security would fare if it had a botnet.

The new packages will be available on StrikeCenter[3], alongside the monthly malware package updates, by the end of May 2015.

Leverage Subscription Service to Stay Ahead of Attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) program provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.

Additional Resources:

Ixia security solutions

Ixia ATI subscription