The present invention relates to a system and method for investigating the effects of malicious software programs on a computer system. In some cases knowledge of those effects can directly identify computers compromised by the malicious software—for example where the effect is the sending of a message from one compromised computer to another compromised computer's address.
The invention has particular utility in relation to so-called ‘botnets’—a botnet being a network of compromised computers that can be remotely controlled by an attacker through some predefined communication channel to carry out some malicious act on other computers accessible to the compromised computers. Examples of such malicious acts include sending spam e-mail, phishing, carrying out a distributed Denial of Service attack, port scanning—i.e. seeking other computers which an attacker is able to compromise.
A computer becomes part of a botnet when it gets infected by a component of a malicious distributed program (that component often being called a software robot or “bot”), which can be remotely controlled by an attacker, mostly to instigate malicious activities on the Internet.
Studies carried out by various research groups show the presence of hundreds and thousands of such compromised computers across the Internet. The sheer presence of such a large number of bots poses a serious threat to the Internet community. There have already been a number of well-documented incidents where a large group of bots have been used to launch Distributed Denial of Service (DDOS) attacks against corporate networks. Research carried out by various bot activity-monitoring groups also indicates that in recent months there has been a shift towards using these bots and botnets for extortion.
The threat posed by bots and botnets is real and serious. As such, telecom operators and Internet service providers across the globe are looking at ways and means to clean up their network and place detective and preventive mechanisms to counter the threat posed by botnets.
Given the scale of the problem presented by malicious distributed programs such as botnets there is a need to provide a method of discovering botnets which is rapid and involves as little labour as possible.
According to a first aspect of the present invention, there is provided a method (by executing a computer program stored on a computer readable medium) of investigating the effects of malicious software on a distributed computer system comprising a plurality of interconnected computers including a test computer, said method comprising the steps of:
    a) storing a plurality of local components of respective distributed malicious programs;
    b) trialling each of said plurality of local components in turn by:
        i) running, on said test computer, an execution environment program to provide an execution environment for said local component;
        ii) running, in said execution environment, said local component; and
        iii) recording messages generated by said test computer when under control of each of said local components for transmission to one or more computers involved in the malicious distributed program of which said local component forms a part; and
    c) automatically replacing said execution environment with a clean copy thereof in between each trial.
It is to be noted that automatically here means that the test computer is programmed to replace the execution environment after each trial.
It is to be noted that the word ‘component’ is to be understood in its broad sense of ‘a part of’ rather than being given a narrower meaning sometimes used by computer programmers—namely a re-usable part of a program whose services are made available to future programmers via a predefined interface.
In some embodiments, said computer system comprises a single computer, said recording step comprising recording the system files on said test computer following the running of said malicious program.
This allows the effects of the malicious software on persistently stored files (which might be programs) to be found. Doing this provides a means of testing for the presence of the malicious software on other computers in the future.
Like other application programs, bots will normally only run in the execution environment for which they are written (as used in this specification the term execution environment means an operating system program, or a program which emulates an operating system program). Operating system programs offer a programmer a means for running programs, organising file systems, and controlling I/O devices such as network cards and printers. A problem arises in that bots will often amend the operation of the operating system or system files, thereby preventing other bots from running normally or at all.
By programming a test computer to automatically run through a list of bots, run each bot and monitor the messages it generates for other computers in the botnet, and to refresh the execution environment before running the next bot in the list, a method of automatically monitoring messages generated by bots which can run through a list of bots whilst requiring little or no user intervention is provided.
The messages generated by the test computer might contain some indication of the computer(s) to which they are intended to be sent. In that case, the messages can thus be analysed to identify one or more other computers running the malicious distributed program. In cases where the operation of the distributed malicious program is controlled via a central computer, the messages might reveal the identity of that computer.
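The trial loop of steps a) to c), the problem noted above of one bot amending the system so that the next bot misbehaves, and the aggregation of recorded messages to pick out a shared controller can be modelled in a few dozen lines. The following is an added simulation written for this page, not the patent's own program: the `Environment` class stands in for an operating system image, the three `bot_*` functions are constructed toy components (not real malware), and the addresses and host names are constructed from documentation ranges. It contrasts the refreshed-per-trial loop with a single reused environment, and ranks the destinations recorded across all trials.

```python
from __future__ import annotations

import copy
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Message:
    """One recorded message: the address the test computer tried to reach, and how."""
    dst: str
    port: int
    payload: str


@dataclass
class Environment:
    """Stand-in for an operating system image (constructed for this example):
    a table of system files and a hosts table consulted for name resolution."""
    system_files: Dict[str, str]
    hosts: Dict[str, str]
    sent: List[Message] = field(default_factory=list)

    def resolve(self, name: str) -> str:
        # Names with no hosts entry fall through unchanged.
        return self.hosts.get(name, name)

    def send(self, dst_name: str, port: int, payload: str) -> None:
        self.sent.append(Message(self.resolve(dst_name), port, payload))


Component = Callable[[Environment], None]


@dataclass
class TrialResult:
    messages: List[Message]
    error: Optional[str]


# Clean copy of the execution environment held in the program store (constructed).
CLEAN_IMAGE = Environment(system_files={"net.dll": "v1.0"}, hosts={})


def run_component(component: Component, env: Environment) -> TrialResult:
    """Step ii) and iii): run one local component in env and record what it sent."""
    before = len(env.sent)
    try:
        component(env)
        error = None
    except Exception as exc:  # a component that refuses to run is still a result
        error = str(exc)
    return TrialResult(env.sent[before:], error)


def trial_all_isolated(components: Dict[str, Component], clean_image: Environment):
    """Steps a) to c): every component gets a fresh deep copy of the clean image, and the
    copy is discarded afterwards, which is the automatic replacement between trials."""
    return {name: run_component(c, copy.deepcopy(clean_image)) for name, c in components.items()}


def trial_all_shared(components: Dict[str, Component], clean_image: Environment):
    """Contrast case: one environment reused for every trial, with no refresh."""
    env = copy.deepcopy(clean_image)
    return {name: run_component(c, env) for name, c in components.items()}


def rank_destinations(results: Dict[str, TrialResult]) -> Counter:
    """Count recorded destinations across trials; an address shared by several
    components is a candidate for the central computer controlling them."""
    return Counter(m.dst for r in results.values() for m in r.messages)


# Constructed toy components standing in for stored local components.
def bot_a(env: Environment) -> None:
    # Amends the system: replaces a system file and adds a hosts entry.
    env.system_files["net.dll"] = "patched"
    env.hosts["update.example.test"] = "203.0.113.5"
    env.send("203.0.113.5", 6667, "JOIN #channel")


def bot_b(env: Environment) -> None:
    # Refuses to run when the system file is not the version it expects.
    if env.system_files["net.dll"] != "v1.0":
        raise RuntimeError("integrity check failed")
    env.send("203.0.113.5", 6667, "JOIN #channel")


def bot_c(env: Environment) -> None:
    # Contacts a host by name, so its recorded destination depends on the hosts table.
    env.send("update.example.test", 80, "GET /cmd")


COMPONENTS: Dict[str, Component] = {"bot_a": bot_a, "bot_b": bot_b, "bot_c": bot_c}

if __name__ == "__main__":
    isolated = trial_all_isolated(COMPONENTS, CLEAN_IMAGE)
    shared = trial_all_shared(COMPONENTS, CLEAN_IMAGE)
    for name in COMPONENTS:
        print(name, "| refreshed:", isolated[name], "| reused:", shared[name])
    print("ranked destinations (refreshed):", rank_destinations(isolated).most_common())
```

With the refresh in place every component runs against the clean image, so bot_b runs and bot_c's destination is recorded as the name it actually used; with the environment reused, bot_a's changes stop bot_b running at all and make bot_c's message appear to go to bot_a's controller, which would mis-attribute that address to bot_c.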
In some embodiments, said execution environment program comprises an operating system emulation program running on top of said test computer's operating system program.
In these embodiments, a plurality of instances of operating system emulation programs can be run simultaneously (using the pseudo-parallelism offered by most modern operating system programs). However, a programmer writing a bot could quite easily have it detect when it is run in an emulated environment, and program it to function abnormally or not at all in that case.
To address this problem, in other embodiments, said test computer is a dual boot computer, said execution environment program is a first operating system program executable by said test computer, and said replacement step comprises:
    a) re-booting the computer to run a second operating system;
    b) running a refresh program on top of said second operating system program to replace said first operating system program with a clean copy thereof;
    c) configuring said boot loader program to load said first operating system program when said test computer is re-booted; and
    d) re-booting said test computer.
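Steps b) to d) of this refresh, as an added example that is not the patent's refresh program. It assumes, as labelled in the code, that the boot loader is GRUB (`grub-reboot` selects an entry for the next boot only, which requires `GRUB_DEFAULT=saved`), that the first operating system occupies a raw block device which a clean image file overwrites byte for byte, and that the script is run from the second operating system (step a) being the precondition). The image is written in chunks, flushed to stable storage and verified by hashing before the boot loader is touched; `demo()` exercises the restore and the verification against constructed regular files, with the boot-loader and reboot commands in dry-run.

```python
import hashlib
import os
import subprocess
import tempfile
from typing import Dict, List

CHUNK = 4 * 1024 * 1024  # copy and hash in 4 MiB blocks


def sha256_prefix(path: str, length: int) -> str:
    """Digest of the first `length` bytes of `path` (a device is larger than the image)."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        remaining = length
        while remaining > 0:
            block = handle.read(min(CHUNK, remaining))
            if not block:
                break
            digest.update(block)
            remaining -= len(block)
    return digest.hexdigest()


def verify_restore(image_path: str, device_path: str) -> bool:
    """True when the device starts with exactly the bytes of the clean image."""
    size = os.path.getsize(image_path)
    return sha256_prefix(image_path, size) == sha256_prefix(device_path, size)


def restore_image(image_path: str, device_path: str) -> int:
    """Step b): overwrite the first operating system with the clean copy and flush it
    to stable storage before the boot loader is pointed at it."""
    with open(image_path, "rb") as src, open(device_path, "r+b") as dst:
        dst.seek(0)
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    if not verify_restore(image_path, device_path):
        raise RuntimeError("restored device does not match the clean image")
    return os.path.getsize(image_path)


def refresh_first_os(image_path: str, device_path: str, grub_entry: str,
                     dry_run: bool = False) -> List[str]:
    """Steps b) to d). Returns the actions performed, in order, for the refresh log."""
    actions = [f"restored {restore_image(image_path, device_path)} bytes and verified"]
    # Assumption: GRUB boot loader. grub-reboot applies to the next boot only, so an
    # unattended reboot later falls back to the second operating system.
    for cmd in (["grub-reboot", grub_entry], ["systemctl", "reboot"]):
        if dry_run:
            actions.append("dry-run: " + " ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
            actions.append("ran: " + " ".join(cmd))
    return actions


def demo() -> Dict[str, object]:
    """Run the restore and verification on constructed files standing in for the clean
    image and the device; boot-loader and reboot steps are dry-run."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "clean-first-os.img")
    device = os.path.join(workdir, "fake-device")
    with open(image, "wb") as f:
        f.write(bytes((i * 7) % 256 for i in range(10_000)))  # constructed image content
    with open(device, "wb") as f:
        f.write(b"\xff" * 20_000)  # 'dirty' device, larger than the image
    actions = refresh_first_os(image, device, "first-os", dry_run=True)
    match = verify_restore(image, device)
    with open(device, "r+b") as f:  # a stray write after the restore must be detected
        f.seek(1234)
        f.write(b"\x00")
    return {"actions": actions, "match": match, "detects_tamper": not verify_restore(image, device)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Verifying the restored bytes before changing the boot loader matters in an unattended lab: if the write is incomplete the test computer must not be rebooted into a half-restored first operating system, since the next trial would then run against an environment that is neither clean nor the one the previous bot left behind.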
According to a second aspect of the present invention, there is provided a system for monitoring messages transferred between computers involved in a malicious distributed program, said system comprising:
    a test computer;
    a repository accessible to said test computer, said repository storing local components of respective malicious distributed programs executable to cause a computer to co-operate with one or more other computers in carrying out some malicious act;
    a program store accessible by said test computer, said program store storing a clean copy of an execution environment program runnable on said test computer;
    said test computer being arranged in operation to carry out the following steps for each of said local components in said repository:
        a) load and run an execution environment for said local component;
        b) run said local component in said execution environment; and
        c) refresh said execution environment program by re-loading it from said program store;
    means for monitoring messages generated by said computer whilst under the control of said local components.
It is to be understood that ‘system’ as used in this document means a physical apparatus, as opposed to a method for achieving a given end.
By having a test computer load and run an execution environment, load a bot from a bot repository, and then run that bot in that execution environment, and thereafter replace that execution environment with a clean copy from a program store before loading and running the next bot from the bot repository, whilst monitoring messages generated by said test computer, a method of monitoring messages produced by a plurality of bot programs which does not require time-consuming and expensive intervention by skilled IT personnel is provided.
In some embodiments, said execution environment comprises an operating system program, whereas in other embodiments said execution environment comprises an operating system emulator.
In preferred embodiments, said system further comprises a network to which said test computer is connected, and said monitoring means comprises a computer also connected to said network and arranged in operation to monitor traffic on said network.
This has the advantage that the monitoring of the messages is less likely to be detected by the bot and result in the bot stopping or altering its operation.