Botnets are a particular problem, where bot agents may infect machines inside an organisation’s network and connect back to a botnet controller out on the Internet, to receive commands and undertake malicious activities. The focus of this coursework is to create a virtualized testbed environment to analyse a particular botnet agent and the communications to its controller, to create and test a detection system to detect its activities, and then to mitigate its use in future with some firewall based defences.
Configure a working perimeter network topology with a firewall, DMZ, and host systems as a testbed for the coursework. Secure the VMs by changing login passwords.
Analyse the operation of the running Bot agent and Botnet controller, including any network scanning by the bot, activity on the host, network connections created, and any communications between the bot and controller.
Create and test a detection system for the Botnet agent and controller using an IDS sensor.
Create a closed-perimeter firewall policy configuration that prevents future communications for this particular botnet but allows certain valid traffic, as specified in the next section.
A brief literature review towards your botnet analysis method and IDS rule development, demonstrating an understanding of the topics and using research from a variety of quality sources (cited in the text). Try to include some critical analysis - for example strengths and weaknesses, justification, and highlighting findings which inform the later work - and possibly recent examples and how they were analysed.
Botnet Analysis
Configure a working perimeter network topology with a firewall, DMZ, and host systems as a testbed for the coursework. For example, an annotated network diagram, and some basic configuration/connectivity testing shown and discussed briefly. Discuss methods informed from the research, and apply these to analyse the operation of the running Bot agent and Botnet controller, including any connections created by the bot, possible host activities on the victim, communications between the bot and controller, and any other bot behaviour. For example, screenshots and brief discussion for: botnet components running, analysis tools, outputs and interesting data, tools and outputs of cracking codes, with brief discussion.
Dynamic analysis of the bot and botnet controller could include identifying botnet network connections and traffic, filtering out unrelated traffic using appropriate tools, identifying the types of traffic generated, identifying specific botnet commands and responses, and decoding botnet traffic if necessary. Challenge: create your own bot traffic so that individual commands can be sent and analysed separately.
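The following is an added worked example, not part of the coursework brief or of any particular bot, covering both the dynamic-analysis step above (filtering unrelated traffic out of a capture and isolating the bot's connections) and the IDS-sensor task (a simple detection check). It parses a classic pcap with only the standard library, keeps TCP packets, flags hosts that open new connections to the same destination at regular intervals (beaconing), and matches a content signature. The capture, all addresses, the port 6667 and the `NICK bot-` signature are constructed for the demonstration; a real signature comes out of your own analysis of the bot's traffic.

```python
"""Beacon and signature detection over a pcap, standard library only (added example)."""
import struct
from collections import defaultdict
from statistics import mean

SYN, PSH, ACK = 0x02, 0x08, 0x10


def _ipv4(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def _tcp_frame(src, sport, dst, dport, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame; checksums are left at zero (not verified by the parser)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     _ipv4(src), _ipv4(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def _udp_frame(src, dst):
    """A DNS-sized UDP datagram, present only so the parser has something to filter out."""
    udp = struct.pack("!HHHH", 5353, 53, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     _ipv4(src), _ipv4(dst)) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_sample_pcap() -> bytes:
    """Constructed capture: a victim beaconing every 60 s to a controller, plus benign noise."""
    victim, controller, dmz_web, dns = "10.0.1.20", "203.0.113.50", "192.0.2.10", "10.0.0.2"
    frames = []  # (timestamp, frame)
    for i in range(4):  # four beacons, 60 s apart, each a new connection with one command line
        t = 1000.0 + 60 * i
        frames.append((t, _tcp_frame(victim, 40000 + i, controller, 6667, SYN)))
        frames.append((t + 0.2, _tcp_frame(victim, 40000 + i, controller, 6667, PSH | ACK,
                                            b"NICK bot-HYPOTHETICAL\r\n")))
    # unrelated traffic: irregular HTTP requests to the DMZ web server and one DNS datagram
    for j, t in enumerate([1003.0, 1017.5, 1090.0]):
        frames.append((t, _tcp_frame(victim, 50000 + j, dmz_web, 80, SYN)))
        frames.append((t + 0.1, _tcp_frame(victim, 50000 + j, dmz_web, 80, PSH | ACK,
                                            b"GET / HTTP/1.1\r\n\r\n")))
    frames.append((1005.0, _udp_frame(victim, dns)))
    frames.sort(key=lambda f: f[0])
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, Ethernet
    for t, frame in frames:
        sec, usec = int(t), int(round((t - int(t)) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def iter_tcp_packets(pcap: bytes):
    """Yield (ts, src, sport, dst, dport, flags, payload) for TCP packets; everything else is dropped."""
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        if frame[23] != 6:
            continue  # UDP/ICMP: unrelated to this TCP analysis
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        yield sec + usec / 1e6, src, sport, dst, dport, tcp[13], tcp[data_off:]


def find_beacons(pcap: bytes, min_connections=3, max_jitter=2.0):
    """Group connection starts (pure SYN) by (src, dst, dport); report those at regular intervals."""
    starts = defaultdict(list)
    for ts, src, _sport, dst, dport, flags, _payload in iter_tcp_packets(pcap):
        if flags & SYN and not flags & ACK:
            starts[(src, dst, dport)].append(ts)
    hits = {}
    for key, times in starts.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            hits[key] = round(mean(gaps), 1)  # mean beacon period in seconds
    return hits


# Constructed content signature; the equivalent of a Snort/Suricata "content" match.
SIGNATURES = {"hypothetical-irc-nick": b"NICK bot-"}


def match_signatures(pcap: bytes):
    """Return sorted (signature, src, dst, dport) tuples for payloads containing a signature."""
    hits = set()
    for _ts, src, _sport, dst, dport, _flags, payload in iter_tcp_packets(pcap):
        for name, pattern in SIGNATURES.items():
            if pattern in payload:
                hits.add((name, src, dst, dport))
    return sorted(hits)


if __name__ == "__main__":
    cap = build_sample_pcap()
    print("beacons:", find_beacons(cap))
    print("signature hits:", match_signatures(cap))
```

On the constructed capture only the 60-second connections to the controller are reported as beacons; the HTTP requests to the DMZ web server share a source and destination but their gaps are irregular, so they are filtered out, and the DNS datagram never reaches the TCP analysis. The same two functions run unchanged over a capture of the real bot saved from your testbed, and the signature table is where a rule derived from your own analysis would go.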
Static Analysis Challenge
To verify your findings from the dynamic analysis of the botnet behavior, try to reverse engineer the bot agent code and statically analyse the code.
Prototype Defenses Implementation and Testing
Create a closed-perimeter firewall configuration to prevent/highlight future communications for this particular botnet, but allow certain valid traffic (specified in the requirements spec). Again show the configuration/rules and testing using screenshot snippets with brief explanation, and any discussion on the findings/outputs.
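As an added example of testing a closed-perimeter policy before it is applied (not part of the brief and not tied to any particular firewall product), the script below holds the policy as an ordered list of rules, evaluates constructed flows against it with first-match semantics and a default deny, and renders the same rules as iptables FORWARD-chain commands. The address plan (LAN 10.0.1.0/24, DMZ 192.0.2.0/24, DNS server 10.0.0.2), the blocked port 6667 and the flows are all constructed assumptions; substitute the subnets and the controller traffic identified in your own analysis.

```python
"""Closed-perimeter policy: default deny plus explicit allows, evaluated first-match (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR; "0.0.0.0/0" means any source
    dst: str               # CIDR; "0.0.0.0/0" means any destination
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any destination port
    note: str = ""


# Constructed address plan: internal LAN, DMZ, internal DNS server, and the Internet.
LAN, DMZ, DNS_SERVER, ANY = "10.0.1.0/24", "192.0.2.0/24", "10.0.0.2/32", "0.0.0.0/0"

# Order matters: the explicit C2 deny sits first so that no later allow can shadow it,
# and anything that matches no rule falls through to the closed perimeter's default deny.
POLICY = [
    Rule("deny", LAN, ANY, "tcp", 6667, "C2 port seen in analysis (constructed value)"),
    Rule("allow", LAN, DMZ, "tcp", 80, "LAN hosts may reach the DMZ web server"),
    Rule("allow", ANY, DMZ, "tcp", 80, "Internet may reach the DMZ web server"),
    Rule("allow", LAN, DNS_SERVER, "udp", 53, "LAN hosts may use the internal DNS server"),
]


def evaluate(policy, src, dst, proto, dport):
    """First matching rule wins; with no match the closed perimeter denies. Returns (action, note)."""
    s, d = ip_address(src), ip_address(dst)
    for r in policy:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and r.proto in (proto, "any") and r.dport in (dport, None)):
            return r.action, r.note
    return "deny", "default deny"


def to_iptables(policy, chain="FORWARD"):
    """Render the policy as iptables commands for a Linux firewall routing between the zones."""
    lines = [f"iptables -P {chain} DROP"]  # the closed perimeter itself
    for r in policy:
        parts = [f"iptables -A {chain}"]
        if r.src != ANY:
            parts.append(f"-s {r.src}")
        if r.dst != ANY:
            parts.append(f"-d {r.dst}")
        if r.proto != "any":
            parts.append(f"-p {r.proto}")
            if r.dport is not None:
                parts.append(f"--dport {r.dport}")
        parts.append("-j ACCEPT" if r.action == "allow" else "-j DROP")
        lines.append(" ".join(parts))
    return lines


# Constructed test flows: (name, src, dst, proto, dport) and the expected verdict.
TEST_FLOWS = [
    ("bot to controller", "10.0.1.20", "203.0.113.50", "tcp", 6667, "deny"),
    ("LAN to DMZ web", "10.0.1.20", "192.0.2.10", "tcp", 80, "allow"),
    ("Internet to DMZ web", "198.51.100.7", "192.0.2.10", "tcp", 80, "allow"),
    ("LAN DNS lookup", "10.0.1.20", "10.0.0.2", "udp", 53, "allow"),
    ("LAN to Internet HTTPS", "10.0.1.20", "203.0.113.50", "tcp", 443, "deny"),
    ("Internet to LAN host", "198.51.100.7", "10.0.1.20", "tcp", 445, "deny"),
]


def run_policy_tests(policy=POLICY, flows=TEST_FLOWS):
    """Return {flow name: (actual verdict, expected verdict)} so mismatches are visible at a glance."""
    results = {}
    for name, src, dst, proto, dport, expected in flows:
        action, _note = evaluate(policy, src, dst, proto, dport)
        results[name] = (action, expected)
    return results


if __name__ == "__main__":
    for name, (actual, expected) in run_policy_tests().items():
        print(f"{'ok ' if actual == expected else 'BAD'} {name}: {actual} (expected {expected})")
    print("\n".join(to_iptables(POLICY)))
```

Keeping the policy as data makes the "allow certain valid traffic" requirement testable: each required flow becomes a row in the test table, the botnet traffic becomes a row that must be denied, and a rule that is reordered or loosened shows up as a mismatch before anything is loaded onto the firewall VM.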