Andrew Walenstein University of Louisiana at Lafayette
The presentation will focus on the evolutionary history of botnet trojans. Malware evolves over time. Like any software 'product', bugs are fixed, features are added, and changes are made as the operating systems evolve. Plus, like some other products, new malware projects may be based on previous ones, or may import software from other projects in the form of libraries or imported routines.
The presentation has three main sections, described in more detail below:
Part 1: Background & motivation. The background and motivation serve to ensure the audience understands the purpose of the talk. This part will briefly explain the basic problem: that malware evolves, that tracking this evolution is difficult and important, and that understanding how the malware evolves is important to knowing how to defend against it.
Part 2: Phylogenetic techniques. The phylogenetic techniques serve to introduce the material necessary to understand the primary content of the talk. This part will introduce the key ideas behind phylogenetic model construction for malware, including the basic idea of how to reconstruct derivation trees or networks. Three main methods for doing so (including one presented at VB2002) will be described, and references will be cited for those wishing to follow up on the techniques, including a link to our own free software for computing these phylogenies.
Part 3: Bot families & evolution. To keep the presentation focused and topical, it will concentrate on Agobot, since it has been used as the basis of several of the main bot families. It will also focus on the application of phylogenies, unlike previous work in the area, which has primarily been proof-of-concept. First, the question of how 'good' the phylogeny models can be is raised. Using a lattice of generated Agobot descendants, the 'goodness' of two different phylogeny extraction techniques is measured. A basic recipe is given for applying this lattice-based phylogeny evaluation method to any other malware that can be broken down into functional pieces. Second, the evolution of Agobot-related families is retraced using thousands of bot samples in addition to our generated Agobot descendants. Unlike prior proof-of-concept work, we use extracted phylogeny models to identify sub-families that are seen to be closely related, and to identify likely key evolution branch points.
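The lattice-based evaluation recipe from Part 3, worked through as an added illustration that is not the speaker's tool or data: builds are generated from every combination of functional pieces, a phylogeny is extracted with one technique, and the result is scored against the known derivation lattice. The piece names and code tokens are constructed stand-ins for real features, and the extraction technique (a minimum spanning tree over Jaccard feature distance) is an assumption, not one of the three methods the talk describes.

```python
"""Lattice-based evaluation of a malware phylogeny extraction technique (added example)."""
from itertools import combinations

# Hypothetical functional pieces of a modular bot and the code tokens
# (stand-ins for disassembly features) each piece contributes. Constructed data.
PIECES = {
    "irc":  {"connect", "privmsg", "join", "nick"},
    "ddos": {"syn", "udp", "rawsock", "flood"},
    "scan": {"portscan", "rawsock", "connect", "timeout"},
    "log":  {"hook", "keystate", "filewrite"},
}
BASE = {"main", "winsock", "registry"}  # tokens shared by every build

def build_lattice(pieces=PIECES):
    """Generate every combination of pieces. Ground-truth derivation edges
    link each build to the builds that add exactly one more piece."""
    names = sorted(pieces)
    nodes = {}
    for k in range(len(names) + 1):
        for combo in combinations(names, k):
            nodes[combo] = BASE | set().union(*(pieces[n] for n in combo))
    truth = {(p, c) for p in nodes for c in nodes
             if len(c) == len(p) + 1 and set(p) <= set(c)}
    return nodes, truth

def jaccard(a, b):
    """Jaccard distance between two feature sets (0 = identical)."""
    return 1.0 - len(a & b) / len(a | b)

def mst_phylogeny(nodes):
    """Prim's algorithm: minimum spanning tree over feature distances,
    yielding an undirected derivation network of nearest relatives."""
    keys = list(nodes)
    in_tree, edges = {keys[0]}, set()
    while len(in_tree) < len(keys):
        p, c = min(((p, c) for p in in_tree for c in keys if c not in in_tree),
                   key=lambda e: jaccard(nodes[e[0]], nodes[e[1]]))
        in_tree.add(c)
        edges.add(frozenset((p, c)))
    return edges

def evaluate():
    """Goodness measures against the lattice: precision (extracted edges that
    are true single-piece derivations) and recall (true derivations recovered).
    A spanning tree has n-1 edges, so it cannot recover a full lattice of
    derivations; that gap is exactly the trees-versus-networks question."""
    nodes, truth = build_lattice()
    edges = mst_phylogeny(nodes)
    true_pairs = {frozenset(e) for e in truth}
    hits = len(edges & true_pairs)
    return {"edges": len(edges), "truth": len(true_pairs),
            "precision": hits / len(edges), "recall": hits / len(true_pairs)}
```

With four pieces the lattice has 16 builds and 32 derivation edges; the tree returns 15 edges, all of them true derivations, but recovers fewer than half of the lattice's links.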