Botnet Buster Finds IoT Command and Control Centers

Did you know that your home smart devices could be soldiers in a malicious robot army called a botnet? Smart devices range from refrigerators that let you peer inside them remotely to baby monitors that let you check on your baby from wherever you are in the house.

To criminals, these, along with wireless printers, wearable health monitors, and countless other internet-connected household and office devices, look like a vast army of docile robots waiting to do their dark bidding.

But a new tool created by computer scientists at UC Riverside strikes at a botnet’s Achilles’ heel by tricking it into revealing itself.

A botnet starts with a command and control, or CnC, server. The server acts like a general, issuing orders to soldier robots. A CnC server can create a botnet by infecting and controlling thousands of Internet of Things, or IoT, devices. The army of infected bots will later be used for malicious purposes: mounting a denial of service attack to take critical servers down or launching massive email spam campaigns to commit identity theft or infect even more devices.

Discovering IoT botnets can be maddeningly difficult.

The UC Riverside tool, called CnCHunter, could be a turning point in the battle against IoT botnets.

“Our tool provides a novel capability: we can get real malware to reveal its CnC server. We selected 100 IoT malware samples collected between 2017 and 2021 and were able to find their CnC servers with a 92% precision,” said Ali Davanian, a doctoral student in the Marlan and Rosemary Bourns College of Engineering and first author of a paper presented at this year’s Blackhat USA security conference, the leading corporate conference in computer security.

“CnC servers can change locations to avoid detection, use secret communication protocols, and often use end-to-end encryption,” said co-author Ahmad Darki, who recently completed his doctorate at UCR.

“Most approaches wait passively and try to identify botnet action in the traffic. We go seek them out wherever they are hiding.”

In addition, most prior efforts first “learn” a malware communication protocol, then scan the Internet in search of live CnC servers. Although useful, this approach will not work with sophisticated malware that may use encryption or a communication protocol that is hard to reverse engineer.

In contrast, CnCHunter uses real, activated malware to look for live CnC servers, much as the malware itself would. It acts as a middleman, relying on the malware itself, which already knows how to communicate with its server even in the presence of encryption. CnCHunter contacts a suspicious internet server using the real malware and observes how the malware communicates with it.

If the dialogue between the suspect server and the malware is meaningful in the botnet language, the internet server is a CnC.

“We take a more aggressive approach where we try to detect botnets proactively and by fooling malware twice, first by activating the malware in a safe environment, and then intercepting and redirecting the traffic where we want to trick the botnet to engage with us,” said senior author, UCR computer science professor Michalis Faloutsos.

The authors demonstrated the potential of their system at the BlackHat conference in Las Vegas this past August by activating a sample of a 4-year-old, well-known malware called Gafgyt and enabling it to communicate with a live CnC server used by a recent sample of the same malware family.

They have also used CnCHunter to locate a recent CnC server used by Mirai, a malware used to build botnets that appeared in 2016 and continues to wreak havoc on computer networks.

The University of California, Riverside is a doctoral research university, a living laboratory for groundbreaking exploration of issues critical to Inland Southern California, the state and communities around the world. Reflecting California’s diverse culture, UCR’s enrollment is more than 26,000 students.

Source: www.ucr.edu