Did you know that your smart home devices can be soldiers in an army of malicious robots called botnets? Smart devices range from refrigerators that allow you to look inside them remotely to baby monitors that allow you to control your baby from wherever you are at home.
To criminals, these, along with wireless printers, clad health monitors, and countless other Internet-connected home and office devices look like a huge army of obedient robots waiting to make their dark offer.
But a new tool created by computer scientists at UC Riverside hits the Achilles heel of a botnet by tricking it into being discovered.
For context, a botnet operates in a hierarchy. It consists of a command and control server, or CnC. The server acts as a general, issuing commands for soldier robots. A CnC server can create a botnet by infecting and controlling thousands of Internet of Things or IoT devices. The army of infected robots will later be used for malicious purposes: launching a denial of service attack to remove critical servers or launching massive unsolicited email campaigns to commit identity theft or infect even more devices .
IoT botnets can do serious damage. In 2016, IoT botnets shut down major service providers such as Github, Twitter, Reddit, Airbnb and Netflix. CnCs control bots and are crucial to the existence of bots. Therefore, they are also the Achilles heel of IoT botnets. By removing a CnC server, the botnet will be down. But first, a potential botnet user must discover the CnC server address, which is not easy.
Detecting IoT botnets can be extremely difficult. Companies put a lot of effort into securing computers against intrusion, but security for IoT devices often comes as a later thought, if at all. And while a laptop may eventually show signs of compromise, a clogged toothbrush or refrigerator can avoid detection. In fact, according to a threat report published by SonicWall, the number of IoT attacks rose to a record 56.9 million between 2019 and 2020, a 66% increase. Given the growing use of IoT devices, the worst is yet to come.
The UC Riverside tool, called CnCHunter, could be a turning point in the battle against IoT botnets.
“Our tool offers a new capability: we can get real malware to detect its CnC server. We selected 100 IoT malware samples collected between 2017 and 2021 and were able to find their CnC servers with 92% accuracy, said Ali Davanian, a doctoral student at Marlan College of Engineering and Rosemary Bourns and the first author of a submitted work. at this year’s Blackhat USA security conference, the leading corporate conference on computer security.
“CnC servers can change locations to avoid detection, use covert communication protocols, and often use end-to-end encryption,” said co-author Ahmad Darki, who recently completed his doctorate at UCR. “Most approaches wait passively and try to identify the action of the botnet in traffic. We go looking for them wherever they hide. ”
Additionally, most previous attempts initially “learned” a malware communication protocol, then scanned the Internet in search of direct CnC servers. Although useful, this approach will not work with sophisticated malware that may use encryption or a communication protocol that is difficult to recover.
In contrast, CnCHunter uses real, enabled malware to search for direct CnC servers, similar to what malware would do. It acts as an intermediary and knows how to communicate with its server even in the presence of encryption. CnCHunter contacts a suspicious Internet server using real malware and monitors how the malware communicates with it.
If the dialogue between the suspect and the malware is meaningful in botnet language, the Internet server is a CnC.
“We have a more aggressive approach where we try to detect botnets proactively and by cheating twice malware, first by activating malware in a secure environment and then by eavesdropping and redirecting the traffic where we want to cheat the botnet to ‘engaged with us.’ said senior author, UCR computer science professor Michalis Faloutsos.
The authors demonstrated the potential of their system at the BlackHat conference in Las Vegas last August by activating a sample of a 4-year-old malware known as Gafgyt and enabling it to communicate with a live CnC server for a final sample. of the same malware family. They have also used CnCHunter to find a recent CnC server used by Mirai, a malware used to build botnets that appeared in 2016 and continues to wreak havoc on computer networks.
The authors are currently working on an automated system that can constantly find IoT malware CnC servers.
CnC Hunter is the first open source tool to find CnCs of IoT malware. The code is available for download here. The work detailing the work, “CnChHunter: A MITM Approach to Identifying Direct CnC Servers,” is available here. The authors have also discussed their work in an episode of the podcast The Hacker Mind.
Head photo: Franck on Unsplash