The primary purpose of malware analysis is to determine how a given piece of malware works, extract IOCs (Indicators of Compromise) and determine potential countermeasures. This work is almost purely technical in nature: it focuses on binary files and their properties. Results from malware analysis are crucial for organisations to allow them to defend against an outbreak or to remediate a live infiltration. They are also crucial for security software vendors, enabling them to build better detections and protective measures for their customers.
But sometimes other types of questions need answers. Is this file related to that other one? How is the C&C (Command & Control) infrastructure built, and how does the communication protocol work? How does the botnet monetize its activities: pay-per-install, spam, traffic redirection?
Answering questions like these is what malware research is all about. It allows for better understanding of the big picture behind a single malware sample, to connect the dots and to understand what’s going on.
Of course, this also helps security software, aka AV vendors design better protection. But information stemming from malware research can also be useful to law enforcement in the fight against cybercrime. How so? Let’s see, with a few examples of work done by ESET that have helped disrupt malicious operations.
Disruption campaign against Dorkbot
In 2015, ESET was invited to join Microsoft’s Coordinated Malware Eradication campaign (CME) against the Win32/Dorkbot malware family. Dorkbot was a kit, available for sale in underground forums, that infected over one million PCs spanning multiple, independent botnets. The objective of this CME campaign was to massively disrupt as many of those botnets as possible by taking down the related C&C infrastructures simultaneously.
In support of this operation, ESET malware researchers automated the process of extracting C&C information from Dorkbot binaries. We applied this process to our flow of both existing and new Dorkbot samples. We then manually sanitized the results by removing known sinkholes and clean domains/IPs to mitigate the risk of taking down legitimate resources. Microsoft merged that information with their own data to create an exhaustive list of all the active C&C nodes to target. This complete list was then relayed to law enforcement agencies all around the world, such as the Canadian Radio-television and Telecommunications Commission (CRTC), the Department of Homeland Security’s United States Computer Emergency Readiness Team (DHS/US‑CERT), Europol, the Federal Bureau of Investigation (FBI), Interpol, and the Royal Canadian Mounted Police (RCMP). On disruption day, warrants and takedown notices were executed in a coordinated maneuver.
Since then, we have seen a sharp decline in Dorkbot activity worldwide, indicating that the CME campaign succeeded.
Windigo and the Ebury botnet
ESET first published an exhaustive technical analysis of what we dubbed Operation Windigo in 2014. Briefly, Windigo was supported by a credential-stealing backdoor that infected tens of thousands of Linux servers, on which one or more additional malicious components were installed and used to monetize the botnet by, for instance, sending spam or redirecting HTTP traffic. After publication, we started collaborating with the FBI on their investigation into the cybercriminals behind Operation Windigo.
Our contribution was to share technical information stemming from our malware research, such as infected IPs, information taken from the spam messages sent by the botnet, and other relevant and publicly-available information such as domain registry information.
Equipped with that information, the FBI was able to do its part, slowly but surely. In early 2015, a Russian citizen named Maxim Senakh was identified as one of the co-conspirators behind Operation Windigo and formally indicted in the USA. Senakh was later arrested by Finnish authorities at the Russian border as he was returning to Russia from a vacation, and then extradited to the U.S. in February 2016. Senakh ended up pleading guilty to conspiracy to commit wire fraud being in violation of the Computer Fraud and Abuse Act. He was sentenced to 46 months in prison.
More details on this story are available in our blogpost: ESET research team assists FBI in Windigo case.
Why should we care?
Spending time and energy to make the life of cybercriminals harder is worth it. We believe it’s one of the best ways to help prevent cybercrime activity and to make the internet a safer place. We also think it is the Right Thing To Do.
There are various theories behind classic crime prevention and we will certainly not pretend to be criminologists. However, there is neat mapping between what we do to combat cybercrime and the theory of “situational crime prevention”, which is defined as:
“Situational crime prevention is based upon the premise that crime is often opportunistic and aims to modify contextual factors to limit the opportunities for offenders to engage in criminal behaviour.”
Situational crime prevention techniques can be grouped into various broad categories, three of which are connected to what we do.
Increasing the effort involved in offending
Executing coordinated disruption campaigns, such as the one directed against Dorkbot, forces the attackers to regroup and pivot to new strategies and techniques, such as creating new malware or changing communication protocols, clearly increasing the effort needed to maintain an ongoing criminal operation.
Reducing the rewards that come from committing a crime
(A corollary to 1.) is that disrupting malicious operations necessarily increases the cost of committing the crime, reducing the net profit proportionally.
Increasing the risk associated with offending
Providing technical information to law enforcement officers helps them steer their investigations in the proper direction and build stronger cases. More cybercriminal investigations with increased cooperation from malware researchers will lead to more arrests and convictions, hence increasing the risk to cybercriminals that they will be caught.
Some people think the reason so few cybercrimes go punished is that it is easy to perform criminal activities on the internet anonymously, without much chance of being traced. It is actually pretty much the opposite: maintaining perfect operational security (OPSEC) consistently is pretty hard. Think about all that has to be done in order to exploit a malicious operation: launch infection campaigns, monitor the status of the botnet, update the malicious components, register domain names or hosting services, monetize the operation itself, and so on. In order to perform the perfect cybercrime, each and every step must be executed perfectly, all the time. Cybercriminals are humans and humans make mistakes. All it takes is one bad day where an attacker connects to the wrong server before enabling a VPN or TOR connection and a giant arrow pointing back to him or her will be stored in a log file somewhere, waiting for somebody to find it.
Some people also give up going after cybercriminals because even when identified, cybercriminals remain out of reach. Maybe they live in a jurisdiction that has no effective laws against cybercrime, or that has no mutual extradition treaty with the countries investigating them? But there again, humans make mistakes. All it might take to be caught is for a known cybercriminal to leave his country to take some vacation time abroad.
2017 has been marked by a large number of arrests in various cybercrime operations, as outlined in Stephen Cobb’s excellent summary. As major law enforcement entities gain experience in working with private entities such as ESET to track cybercriminals, we can predict with some confidence that 2018 will bring more and more successful investigations that will contribute to making the internet a safer place for everyone. Except for cybercriminals.