Press Center

Malware and antivirus software

News

ETeC 2024: Why botnet tracking is so effective

Created: 2024-11-12 07:27:02

 

ESET has been successfully utilizing botnet tracking for years. 

When cybersecurity vendors invest heavily into sophisticated malware replication mechanisms studying real-life malware behavior in isolated environments, one may ask what the point of malware tracking is. What do we learn by extracting data from malicious code without it running or communicating with a command and control (C&C) server?

Using the Grandoreiro banking trojan as an example, ESET senior malware researcher Jakub Souček explained the pros and cons of botnet tracking and malware replication at the ESET Technology Conference 2024, an annual ESET conference discussing the best in ESET security and research.

If you want to know more about how ESET participated in the Grandoreiro disruption, check out our other blog discussing the case at length.

ESET tracking systems

With malware tracking, researchers need to implement a dedicated program (parser) for the relevant malware family deployed on the targeted machine. With this tool, the malware is nothing more than an input to such a program.

Using a heuristic approach, code patterns, and analytical output, the parser extracts all interesting information from the malware sample without it running or communicating. It can also emulate the C&C protocol and lure even more information from the C&C server.

“At ESET, botnet tracking has proven to be an invaluable resource several times in recent years,” Souček said.

ESET researchers have utilized such tracking in cases like the Trickbot disruption, which infested over a million computing devices between 2016 and 2020, the pervasive malware family Emotet, and a large variety of infostealers and remote access trojans (RATs). 

The ESET tracking system is designed with the following objectives in mind:

  • Extraction of C&C server domains and IP addresses. These are routed toward automatic blocking. In some cases, ESET also emulates network traffic to obtain more data.
  • Extraction of payloads, both embedded and downloaded. These are great candidates for automatic detection as well.
  • The most significant benefit lies in the ability to extract any custom information researchers want, such as DGA configuration, C&Cs that may be used as backup only, mutex names, and license ID.
  • In the case of banking trojans, ESET engines also extract a list of targeted banks.

Pros and cons of botnet tracking

The benefits of malware tracking are many – full power over the malware sample, no actual compromise occurring, anti-emulation techniques don’t work, and the processing speed depends only on the complexity of the used parser.

However, tracking is not suitable for every piece of malware. Heavy code protection breaks binary patterns, frequent code changes increase maintenance requirements, and setting up such tracking may be time-consuming.

“To summarize, tracking is a great option for analyzing large stable botnets when long-term data is needed, and the samples contain information researchers wouldn’t otherwise have access to,” Souček said.

What about malware replication?

Malware replication requires a dedicated machine that is deliberately compromised to observe malware behavior, ideally establishing a connection to a C&C server and analyzing their communication. In a best-case scenario, the C&C server replies with additional payloads or plugins and a list of targets in the case of banking trojans, for example.

Setting up such an environment is relatively fast and easy, the entire process doesn’t require heavy maintenance, and the main benefit is that malicious code protection (such as virtualization or heavy obfuscation) can be ignored.

On the other hand, the malware may wait quite a long time before reaching out to a C&C server and, while waiting, both time and processing power are wasted. It may also be quite difficult to see under the custom encryption layers in network communication.  

When analyzing installed malware, evading all sandbox-detection mechanisms may be quite tricky. There is also a risk of unusual control flow, like restarting the machine, which further complicates automatic replication.

“In a nutshell, replication is great for unknown malware where we don’t really care about long-term data. It can also be extremely helpful in overcoming code protection techniques,” Souček explained.

Tracking vs. Replication: Which one is better?

When it comes to botnets, the Grandoreiro case shows the benefits of malware tracking over malware replication.

Needless to say, a reliable cybersecurity solution should use both to cover the complex threat landscape.

This heuristic and multilayered cybersecurity strategy is part of the ESET prevention-first approach, based on the idea of stopping malware before it does any harm. To achieve that, ESET developed sophisticated solutions minimizing the threat surface (i.e. all possible connection points or attack vectors that attackers can use to enter victims’ systems).  

Let’s take botnets in general as an example. ESET technology has multiple tools at its disposal to stop them at different stages, such as:

Anti-Phishing – Botnets (including Grandoreiro) often spread via phishing messages containing malicious content or links redirecting users to phishing websites. ESET Anti-Phishing blocks web pages known to distribute phishing content.

Reputation & Cache – When inspecting a file or URL, before any scanning takes place, ESET products check the local cache for known malicious or whitelisted benign objects. This improves scanning performance.

ESET DNA Detections – These perform a deep analysis of the code and extract the “genes” responsible for its behavior. ESET DNA Detections can identify specific known malware samples, new variants of a known malware family or even previously unseen or unknown malware that contains genes that indicate malicious behavior.

ESET Botnet Protection –ESET Botnet Protection detects malicious communication used by botnets and, at the same time, identifies the offending processes. Any detected malicious communication is blocked and reported to the user.

ESET LiveGrid® – Whenever a zero-day threat is seen, the file is sent to ESETcloud-based malware protection system ESET LiveGrid® where the threat is detonated and its behavior is monitored. The results of this system are provided to all endpoints globally within minutes without requiring any updates. This approach has a significant positive impact on scanning performance and deflection of zero-day threats on all protected endpoints with active ESET LiveGrid®.

Conclusion

Malware tracking has been an irreplaceable tool in the hands of ESET researchers for many years, contributing to numerous disruptions of dangerous malware. This mechanism is not a rival to malware replication; quite the contrary – both represent different approaches, which can be used separately when needed or even complement each other.

However, malware analysis is still only a small fraction of ESET multi-layered cybersecurity focusing on prevention. ESET combines multiple technologies, AI and human expertise to deliver top-notch security and threat intelligence from which ESET partners and law enforcement authorities benefit greatly.

 




About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.

Why ESET?

ESET has over 25 years' experience of helping people to Enjoy Safer Technology. Our software is light on hardware, but hard on malware.

Our Technology

ESET’s award-winning NOD32® Antivirus technology is at the cutting edge of digital security. It’s updated daily to keep you secure.

Free Support

Enjoy your free, industry-leading customer support locally. For technical, sales and marketing enquires dial +65 6296 4268.