Zombie networks: An investigation into the use of anti-forensic techniques employed by botnets

Annis, Jeremy (2008). Zombie networks: An investigation into the use of anti-forensic techniques employed by botnets. Student dissertation for The Open University module M801 MSc in Software Development Research Dissertation.

Please note that this student dissertation is made available in the format that it was submitted for examination, thus the author has not been able to correct errors and/or departures from academic standards in areas such as referencing.

DOI: https://doi.org/10.21954/ou.ro.00016072

Abstract

The rise in the popularity of the digital marketplace has driven a rise in online crime, manifesting itself in many ways, including: the spread of virus software, websites that “phish“ for personal information such as bank account details, malicious software that is capable of logging keystrokes, the theft of information through “ransomware“, the sending of spam emails to solicit purchase of non-existent goods and so on. This exploitation is often carried out by criminal communities with access to large networks of distributed computers, commonly referred to as 'botnets'. Law enforcement agencies regularly employ computer forensic techniques against these botnets and the criminal communities that control them. This battleground has become more sophisticated over time and the software that powers a botnet now regularly deploys a growing library of anti-forensic techniques to make analysis harder. This research examines what anti-forensic techniques are in use by botnets throughout the botnet life-cycle. A number of botnets were analysed in a “safe“ environment through a series of controlled experiments, using both static code analysis and dynamic execution of the malware. Throughout each experiment, the different types of anti-forensic techniques in use were recorded, and an attempt was made to identify the point in the botnet life-cycle when they were used. The experiments showed that a wide variety of anti-forensic techniques are indeed in use by botnets, offering considerable challenge to the forensic investigator. A catalogue of these techniques was produced with an indication of the difficulty each technique might present to the analyst. Program packing (obfuscating the executable code of the botnet) proved to be the most common anti-forensic technique in use; it also presented the greatest difficulty to the forensic analysis process. Many of the other anti-forensic techniques in use by the sample botnets were observed throughout the entire botnet life-cycle, suggesting that when protecting a botnet from forensic analysis, the author is not concerned with what stage of the life-cycle the botnet is in. A correlation was also observed between the quantity and overall difficulty level of the anti-forensic techniques in use, and the criminal success it has “in the wild“.