
Bladerunner: Adventures in Tracking Botnets



The problem of tracking botnets is not a new one, but it remains an important and fruitful research topic. ASERT has been tracking many botnets for years using an internally built tracking system, codename 'BladeRunner', whose original goal was to track DDoS attacks. The system has evolved over many years and now also tracks web-injects from banking trojans and the malware dropped by any family that supports dropping, including updates to the "installed" malware. This gives better insight into how malware families are used by botmasters, how often a malware author issues updated code to his buyers, and the more general question of what a given malware family is primarily used to do: context that is lost when a particular sample is only dynamically analyzed a handful of times. In addition to these metrics, each C2 contact attempt is recorded as a success or failure along with its network metadata. This lets us track C2 location over time, whether some locations may be 'decoys', whether malware families cluster in specific regions or netblocks, and the average uptime of C2s within each family. This presentation will give a brief overview of the system and the malware families currently monitored, and delve into the intelligence we have been able to derive from the behaviors of those families.
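As an added example (not part of the abstract and not ASERT's BladeRunner code), the sketch below shows the kind of derivation the abstract describes: folding per-attempt C2 contact records into decoy candidates, netblock clusters and average C2 uptime per family. The record layout, the family names and the sample values are constructed assumptions.

```python
from collections import Counter, defaultdict
from ipaddress import ip_network
from statistics import mean

# Constructed sample records: (family, c2_ip, hour_observed, contact_succeeded).
CONTACTS = [
    ("famA", "198.51.100.7", 0, True), ("famA", "198.51.100.7", 24, True),
    ("famA", "198.51.100.7", 48, True), ("famA", "198.51.100.9", 0, True),
    ("famA", "198.51.100.9", 24, False), ("famA", "203.0.113.5", 0, False),
    ("famA", "203.0.113.5", 24, False), ("famA", "203.0.113.5", 48, False),
    ("famB", "192.0.2.20", 0, True), ("famB", "192.0.2.21", 0, True),
    ("famB", "192.0.2.20", 72, True),
]

def c2_history(contacts):
    """Fold raw contact attempts into per-C2 counters and first/last success times."""
    hist = defaultdict(lambda: {"attempts": 0, "ok": 0, "first_ok": None, "last_ok": None})
    for family, ip, hour, ok in contacts:
        h = hist[(family, ip)]
        h["attempts"] += 1
        if ok:
            h["ok"] += 1
            h["first_ok"] = hour if h["first_ok"] is None else min(h["first_ok"], hour)
            h["last_ok"] = hour if h["last_ok"] is None else max(h["last_ok"], hour)
    return hist

def decoy_candidates(hist, min_attempts=3):
    """C2 addresses contacted repeatedly that never answered: likely decoys or dead hosts."""
    return sorted(k for k, h in hist.items() if h["attempts"] >= min_attempts and h["ok"] == 0)

def netblock_clusters(hist, prefix=24):
    """Count live C2s per /prefix netblock for each family to expose hosting clusters."""
    clusters = defaultdict(Counter)
    for (family, ip), h in hist.items():
        if h["ok"]:
            clusters[family][str(ip_network(f"{ip}/{prefix}", strict=False))] += 1
    return clusters

def avg_uptime_hours(hist):
    """Mean observed lifetime (first to last successful contact) of live C2s per family."""
    spans = defaultdict(list)
    for (family, _), h in hist.items():
        if h["ok"]:
            spans[family].append(h["last_ok"] - h["first_ok"])
    return {fam: mean(v) for fam, v in spans.items()}
```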