CenturyLink's Threat Research Labs blocks one-two punch of botnet

While some security measures rely on endpoints, CenturyLink's Threat Research Labs uses the company's vast network to detect and thwart malware and botnets.

The network approach was particularly effective against the Mylobot botnet, which contains a nasty surprise lurking inside. Mylobot has the ability to download other types of malware after it has infected a computer, according to Mike Benjamin, the head of Threat Research Labs.

Mylobot uses antivirus-evasion and anti-sandboxing techniques to avoid detection and analysis. It lies dormant for 14 days and then stages a second attack: it downloads and runs the Khaleesi information stealer, which proceeds to steal data from the infected computers.

"This particular malware family infects computers that run Windows," Benjamin said in an interview with FierceTelecom. "That first instance of infection was the Mylobot malware and then the secondary infection that we saw was the downloading of the Khaleesi information stealer."


Mylobot was first discovered this past June by cybersecurity company Deep Instinct. Benjamin said that Threat Research Labs did its own sleuthing to find out the extent of Mylobot's capabilities.

"So we're constantly looking through the various data sets that we have for what could be the next point of malice to try and get better visibility around it," Benjamin said. "In this particular instance we were working on our honeypot network. We deploy hosts around the internet and quite frankly encourage people to break into them. Then we collect all of the data and behaviors about those break-ins and look to see if something broke in that IP address or host. More abstractly, we look for behavior that is common."

With Mylobot, Benjamin's team found a group of hosts performing domain name system (DNS) lookups for names that were behaviorally similar to one another. CenturyLink's Threat Research Labs observed 18,000 unique IPs communicating with Mylobot command and control (C2) servers. Enterprises that monitor their DNS traffic have a detection opportunity here: an infected host can issue up to 60,000 DNS queries while attempting to locate the C2.

"We used some machine learning methodologies to discern similarity and the similarity that we found was called a domain generation algorithm, or DGA," Benjamin said. "Effectively, the program spits out some random stuff and says, 'Go see if your command and control is there,' and it can create thousands of them. So therefore the bad guys can register domains whenever they need to control their botnet.

"Our algorithm detector said, 'Hey, this all looks like it was generated by the same DGA and the hosts were doing it together so we have a group of behavior that's similar.' We dove in from there and that's how we began the journey into this."

The next step was to examine the infrastructure behind the generated domains: the IP addresses they resolved to and whether those addresses sat in the same networks. The top 10 countries where the infected IPs originated were Iraq, Iran, Argentina, Russia, Vietnam, China, India, Saudi Arabia, Chile and Egypt.

"Then we looked at the groups of hosts on the internet from our network data," Benjamin said. "So now we've flipped from DNS lookups and honeypots to the actual network data that we collect. We were able to discern that there was common connectivity amongst the infected hosts. The domains we saw looked grouped together, which proved to us there was an interconnected botnet here.

"So it was the combination of honeypot data and earlier detection, then DNS data as a grouping mechanism and then the network as proof of the interconnectedness that we were able to discern that 'Hey, there's a botnet here and it's doing something.'"
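The two grouping steps Benjamin describes, clustering hosts by DGA-like DNS lookups and then confirming shared connectivity in network flow data, can be sketched in a few dozen lines. The following is an added example written for this article, not CenturyLink's detector: the hostnames, IP addresses, log records and thresholds are all constructed for illustration, and the hand-set randomness heuristic stands in for the machine-learning similarity model the team actually used.

```python
"""
Added example (not CenturyLink's code): a toy version of the two grouping
steps described in the article. Stage 1 scores queried names for the
randomness typical of a domain generation algorithm (DGA) and clusters the
hosts that query such names in common. Stage 2 checks constructed flow
records for destination (IP, port) pairs shared by those hosts. All names,
addresses and thresholds are made up; a production detector would also use
NXDOMAIN rates, a public suffix list and a trained model.
"""
import math
from collections import Counter, defaultdict

# Constructed passive-DNS style records: (client_ip, queried_name).
DNS_LOG = [
    ("10.0.0.5", "xq7vz2k9mlp.com"),
    ("10.0.0.5", "a9d3jfq2bcl.net"),
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.9", "xq7vz2k9mlp.com"),
    ("10.0.0.9", "pz81mwq4ttx.com"),
    ("10.0.0.9", "mail.example.org"),
    ("10.0.0.7", "www.example.com"),
    ("10.0.0.7", "cdn.example.net"),
]

# Constructed flow records: (src_ip, dst_ip, dst_port).
FLOW_LOG = [
    ("10.0.0.5", "203.0.113.10", 7432),
    ("10.0.0.9", "203.0.113.10", 7432),
    ("10.0.0.7", "198.51.100.20", 443),
    ("10.0.0.5", "198.51.100.20", 443),
]


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def second_level_label(name):
    """Naive registrable label: the label left of the TLD (no suffix list)."""
    labels = name.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def is_dga_like(name, min_len=10, min_entropy=3.0, max_vowel_ratio=0.3):
    """Heuristic: long, high-entropy, vowel-poor labels look machine-made."""
    label = second_level_label(name)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def suspicious_hosts(dns_log, min_hits=2):
    """Map each client to the DGA-like names it queried, keeping clients
    with at least min_hits such names (real infections issue far more)."""
    hits = defaultdict(set)
    for client, name in dns_log:
        if is_dga_like(name):
            hits[client].add(name)
    return {h: names for h, names in hits.items() if len(names) >= min_hits}


def group_hosts_sharing_names(host_names):
    """Union-find: hosts that queried any DGA-like name in common form one
    behavioural group (the article's hosts 'doing it together')."""
    parent = {h: h for h in host_names}

    def find(h):
        while parent[h] != h:
            parent[h] = parent[parent[h]]
            h = parent[h]
        return h

    by_name = defaultdict(set)
    for host, names in host_names.items():
        for name in names:
            by_name[name].add(host)
    for hosts in by_name.values():
        first, *rest = sorted(hosts)
        for other in rest:
            parent[find(other)] = find(first)
    groups = defaultdict(list)
    for h in host_names:
        groups[find(h)].append(h)
    return sorted(sorted(g) for g in groups.values())


def common_destinations(flow_log, hosts, min_hosts=2):
    """Destinations (ip, port) that at least min_hosts of the suspicious
    hosts connected to: candidate C2 endpoints to block or investigate."""
    seen = defaultdict(set)
    for src, dst, port in flow_log:
        if src in hosts:
            seen[(dst, port)].add(src)
    return {dst: sorted(srcs) for dst, srcs in seen.items() if len(srcs) >= min_hosts}


if __name__ == "__main__":
    hosts = suspicious_hosts(DNS_LOG)
    print("DGA-like lookups per host:", {h: sorted(n) for h, n in hosts.items()})
    print("Behavioural groups:", group_hosts_sharing_names(hosts))
    print("Shared destinations:", common_destinations(FLOW_LOG, set(hosts)))
```

On the constructed data, two of the three clients query random-looking names, they share one such name, and in the flow records both connect to the same destination on the same unusual port, which is the point at which a network operator would start treating that destination as C2 infrastructure. The host that only resolves ordinary names never enters either group.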

Next, Threat Research Labs monitored how the botnet operated: the ports on which it ran its services, how long its connections lasted and other characteristics.

"Ultimately, from a host that's not associated with our company, we'll reach out and ask it a question," Benjamin said. "We'll say, 'What do you do, command and control?' We'll try to interact with it so we can understand it. In this case we were able to get it to respond to us with some encoded messages that we were able to decode and discern that there was a secondary malware payload contained in that message.

"It was sending encoded URLs like you would see in a web browser, and when we downloaded what was in the URLs, sure enough it was more malware in a secondary payload."

CenturyLink's Threat Research Labs blocked the Mylobot infrastructure on its network and notified the users of the infected devices that they needed to clean up their computers.

"Our team at CenturyLink really focuses on trying to detect malware from a network forensics perspective and not a host forensic perspective," Benjamin said. "When it sits there and lies dormant for 14 days the host has a problem detecting it, but the network still sees it. The network will still do the same DNS lookups.

"At the end of the day, from a network perspective we can still see it. With this particular type of malware, it's pretty clear that the network operators would have the strongest visibility into this malware family."

The Threat Research Labs unit was founded in 2011, and from day one the team committed to collaborating with the rest of the cybersecurity industry to the benefit of all. Benjamin said there are different types of threat detection, whether monitoring hosts, endpoints or the network, but cooperation is key to keeping up with ever-evolving malware.

"We have a different way of thinking about it and the data set we have is very unique coming from a network operator perspective into this intelligence space," Benjamin said. "Most of the other people playing in the threat intelligence space do not have the data set that we have. So we knew we were bringing something valuable and we said if we can help them, they can help us, and that gives everyone more visibility into the malicious actors."