(Georgia Institute of Technology, 2020-05)
Asdar, Ehsan Muzaffar
Systems infected with botnet malware often communicate with command and control (C&C) infrastructure, from which attackers can launch coordinated malicious attacks. Our research explores techniques for discovering vulnerabilities in C&C infrastructure given only knowledge of a botnet client. We introduce a method for fingerprinting popular open source networking libraries found in botnet clients. When a networking library is detected in a botnet client, we use a compatibility table to infer the range of versions of the same library that may be running on the C&C infrastructure. In cases where the library used by the client is severely outdated, we show that the library used by the C&C infrastructure may also be outdated and susceptible to unpatched security vulnerabilities. Using this technique, we find several previously undetected vulnerabilities in C&C infrastructure that could potentially be used to disrupt botnet operation.