Starting development of the Kay Bot

Kleissner & Associates is happy to announce the first research bot known to us. We will use this research/educational bot to assist our entire sinkhole and virus infection detection system. Essentially it comes down to using some of the same techniques as the criminals (e.g. fast flux), but for a better reason, with a different objective and a different realization (especially with regard to the legal aspect).

With our current system we have run into a couple of (current) limitations: can we scan the entire IPv4 and IPv6 address space “safely” from our datacenters? Safely in the sense of the impact on our servers (and IPs, domains) and on other customers at the datacenter. The other reasons are time and simple infrastructural considerations.

Our ZeroAccess 2 crawler, for example, always has roughly 1 million IPs loaded (= unique infections over the past 30 hours), and it tries to contact all 1 million within 10 minutes. In the ZeroAccess 1 and 2 botnets there are a lot of disconnected peers; finding them would require scanning the IPv4 address space all the time, contacting each IP, knocking at the door and asking “hello, ZeroAccess infection here?”. There are simple limitations here, such as the maximum port limit (64k by design, and then there is the maximum user port value in the Windows registry). Even when raised, 50,000 connections at once are not a lot, considering that some machines might keep the TCP connection open for multiple seconds or longer.

Blacklisting of sinkhole and analysis systems is another relevant topic here. For example, Sinowal was successfully blacklisting the IP addresses of various sinkholes (including our own). Setting up a new server with a new IP is the traditional cat-and-mouse game (they will just add the new IP to the blacklist and prevent you from doing your job). The solution is proxying the relevant communication through one of many peers, each of which just acts as a proxy/relay to the (real) sinkhole server.

The solution: Kay Bot

The solution to the above problems is something for which we might receive some criticism from pseudo white-hats (we kindly refer anyone to Group-IB first). A simple bot, the Kay bot, will help us find virus infections on the internet.

These are the first tasks that we want to use the new Kay Bot for:

  • Scanning the IPv4 and IPv6 space for infections: in the beginning ZeroAccess 1, 2 and Conficker C (all p2p)
  • Acting as an HTTP proxy for Sinowal, being part of a fast flux system

Essentially you can think of the Kay bot as nothing other than one of our servers. Or as SETI@home, just looking for virus infections out there instead of aliens.

Malware AG? Staying on the legal side

There are a couple of serious legal considerations in such a project. First of all, most countries have laws against malware; in Europe they are based on the “Convention on Cybercrime” from 2001. Among the key actions that are illegal by law are (unwanted) data manipulation, theft of passwords and data in general, and also bypassing security obstacles such as logins.

Our policy for the Kay Bot will include:

  • Not to touch (read or modify) any existing files
  • Not to harm the system in any way
  • No excessive data download/upload or CPU usage
  • Not hiding the presence of Kay Bot
  • Making the Kay Bot easily removable (just deleting the file in explorer will be enough)
  • Signing the executable with the Kleissner & Associates Authenticode key
  • Providing an uninstallation program
  • Providing terms of use for the program

Furthermore it has to be pointed out that installations of the Kay Bot have to come from a legal source (for example voluntary installations, comparable to SETI). The intention is to fight computer crime, not to support it (even indirectly).

Open Source

We will keep the source code closed for now. Companies, universities or researchers interested in this project are welcome to drop us a note.