VisiBot - Automated Detection of IoT Botnets

_{Icon generated by https://loading.io/}

Project Information

• Level 4 Individual Project - SoCS - University of Glasgow
• Author: Daniel Arthur (2086380a)
• Supervisor: Angelos Marnerides
• License: MIT

Installation Instructions and Timelog

• Please refer to MANUAL.md for setup/installation instructions.
• Please refer to TIMELOG.md for a full time-log of activity throughout development.
• Please refer to LICENSE for MIT License information

Project Outline

VisiBot is an automated IoT botnet detection system used for real-time identification and visualisation of Internet of Things (IoT) Botnets.

VisiBot Processing System

The VisIBot Processing System automatically collects Bad Packets honeypot data and extracts, executes and analyses botnet malware payloads using the LiSa sandbox in real-time. Through combined static, dynamic, and heuristic-based analysis of malware payloads, the proposed system is capable of identifying potential (candidate) Command & Control (C2) servers and Peer-to-Peer networks for IoT Botnets. Contained in various docker images, celery tasks are created from collected Bad Packets results and are processed using a scalable number of celery workers. The task queue is maintained using redis and is designed to work with various celery workers. This ensures that even if a single worker fails, the task queue will not be halted and processing will continue.

Tools and Frameworks:

• Python - Interpreted, high-level programming language
• Celery - Python-based distributable task queueing system
• Flower - Celery Monitoring Tool
• Redis - In-memory data store used as a broker for Celery
• Docker - Platform and container service

Services

• Bad Packets - Cyber-threat Intelligence honeypot service
• VirusTotal - Anti-virus vendor aggregation
• MaxMind GeoIP2 - Locally maintained databases for IP geographic information
• IPInfo - IP address data API service

VisiBot Web Application

The VisiBot web-application is a browser-based visualisation tool that maps geo-location of identified potential bots, payload servers, peer-to-peer nodes and command-and-control servers. Written in Nuxt.js and hosted using Express.js, the main service uses Leaflet.js to cluster and annotate the geo-locations of any identified botnet activity.

VisiBot Web Application - Geo-location clustering using LeafletJS

Tools and Frameworks:

• NodeJS - JavaScript runtime
• Nuxt.js - Frontend JavaScript Framework
• Express.js - Backend Web Server for Node.js
• Mongoose - MongoDB object modelling framework for Node.js
• Leaflet.js - JavaScript library for interactive maps
• BootstrapVue - Bootstrap CSS/JS Framework vue integration

LiSa Sandbox

LiSa is a Linux Sandbox project created by Daniel Uhříček which provides automated Linux malware analysis on various CPU architectures. I have modified this project here to allow for the following additional features:

• Ability to create analysis tasks by submitting a malware URL instead of uploading a file
• Added binary unpacking for any binaries packed using the UPX packer software
• Added ability to provide external service API endpoints. POST requests are made to these endpoints when a given task fails/succeeds.

Acknowledgements

• Bad Packets provided access to distributed honeypot data through their Cyber Threat Intelligence API service
• IPInfo provided access to their Privacy Detection API
• VirusTotal provided access to an academic API with increased request limits
• LiSa is used for automated linux malware analysis
• MaxMind GeoIP2 is used for performing IP geo-location look-ups