Botnet Callbacks: Detection & Analysis

G5 Cyber Security

2 weeks ago

TL;DR

Botnets often use predictable patterns when checking in with their command and control (C&C) servers – these are called callbacks. This guide shows you how to spot those patterns using network traffic analysis, log investigation, and basic scripting.

1. Understanding Botnet Callbacks

Botnet callbacks are regular connections made by infected machines (bots) to the C&C server. These connections serve several purposes:

Receiving Instructions: Bots download new commands from the C&C server.
Reporting Status: Bots send information about their environment or completed tasks back to the C&C server.
Maintaining Persistence: Regular callbacks help bots stay connected and avoid detection.

These connections often follow a schedule, making them detectable.

2. Network Traffic Analysis

Capture Network Traffic: Use tools like Wireshark or tcpdump to capture network traffic on your network. For example:
```
tcpdump -i eth0 -w botnet_traffic.pcap
```
Filter for Suspicious Connections: Look for connections to unusual IP addresses or ports. Pay attention to:
Connections on non-standard ports (e.g., not 80, 443).
Frequent connections from the same internal IP address to a single external IP address.
Small packet sizes – often indicative of command and control communication.
Analyze Connection Timings: Botnet callbacks are frequently scheduled. Use Wireshark’s time-sequence graph or similar tools to visualize connection timings.
- Look for regular intervals between connections (e.g., every 5 minutes, every hour).
- Identify any patterns in the timing of connections.

3. Log Investigation

Examine Firewall Logs: Check your firewall logs for outbound connections to suspicious IP addresses or ports.
- Filter logs by source and destination IP address, port number, and protocol.
- Look for repeated connection attempts from the same internal host.
Review DNS Logs: Investigate DNS queries made by infected machines.
- Look for queries to unusual or newly registered domains.
- Identify any patterns in the timing of DNS queries.
Check System Logs (Windows Event Logs): Look for suspicious processes making network connections.
- Filter logs by event ID and process name.
- Look for unexpected or unknown processes initiating outbound connections.

4. Scripting for Pattern Detection

You can use scripting languages like Python to automate the analysis of log files.

Parse Log Files: Read and parse your firewall or DNS logs.

import re
with open('firewall.log', 'r') as f:
    for line in f:
        if 'connection' in line:
            # Extract IP addresses, ports, etc.
            print(line)

Identify Frequent Connections: Count the number of connections from each internal IP address to external destinations.

from collections import Counter
connections = []
with open('firewall.log', 'r') as f:
    for line in f:
        if 'connection' in line:
            # Extract source and destination IPs
            source_ip, dest_ip = extract_ips(line)
            connections.append((source_ip, dest_ip))

counts = Counter(connections)
for ip, count in counts.most_common(10):
    print(f'{ip}: {count}')

Detect Scheduled Callbacks: Calculate the time difference between connections from each internal IP address.

import datetime
# ... (parse log file and extract timestamps)
intervals = []
for i in range(1, len(timestamps)):
    interval = timestamps[i] - timestamps[i-1]
    intervals.append(interval.total_seconds())

5. Further Investigation

VirusTotal: Submit suspicious IP addresses and domains to VirusTotal for analysis.
Threat Intelligence Feeds: Compare identified IPs and domains against threat intelligence feeds.
Sandboxing: Analyze suspicious files in a sandbox environment to determine their behavior.