Dispatcher: Enabling Active Botnet Infiltration using Automatic Protocol Reverse-Engineering

Automatic protocol reverse-engineering is important for many seemly applications. including the analysis and defense against botnets. Understanding the command-and-control (C&C) protocol used by a hornet is crucial for anticipating its repertoire of nefarious activity and to enable active botnet infiltration Frequently. security analysts need to rewrite messages sent and received by a bot in order to contain malicious activity and to provide the botmaster with an illusion of successful and unhampered operation To enable such rewriting, we need detailed information about the intent and structure of the messages in both directions of the communication despite the fact that we generally only have access to the implementation of one endpoint, namely the bot binary Current techniques cannot enable such rewriting In this paper, we propose techniques to extract the format of protocol messages sent by an application that implements a protocol specification. and to infer the field semantics for messages both sent and received by the application Our techniques enable applications such as rewriting the C&C messages for active hornet infiltration We implement our techniques into Dispatcher. a tool to extract the message format and field semantics of both received and sent messages. We use Dispatcher to analyze MegaD. a prevalent spam hornet employing a hitherto undocumented C&C protocol. and show that the protocol information extracted by Dispatcher can be used to rewrite the C&C messages