The tool, ECHO, turns malware against itself by exploiting its built-in update mechanisms and preventing botnets from rebuilding. ECHO is 75% effective at removing botnets. Removing malware used to take days or weeks to fix, but can now be resolved in a few minutes. Once a security team realizes their system is compromised, they can now deploy ECHO, which works fast enough to prevent the botnet from taking down an entire network.

“Understanding the behavior of the malware is usually very hard with little reward for the engineer, so we’ve made an automatic solution,” said Runze Zhang, a Ph.D. student in the School of Cybersecurity and Privacy (SCP) and the School of Electrical and Computer Engineering. 

The researchers presented the paper, “Hitchhiking Vaccine: Enhancing Botnet Remediation With Remote Code Deployment Reuse,” at February’s Network and Distributed System Security  (NDSS) Symposium. ECHO’s open-source code is available online.

Botnet Backstory

Botnets have been a problem since the 1980s and have grown in potency recently. In 2019, for example, a vicious malware called Retadup compromised Windows systems throughout Latin America. A Czech cybersecurity company, Avast, partnered with the French government to take down this bot. They reverse-engineered the malware, effectively creating a “vaccine” for it in the process. As effective as that solution was, it wasn’t easily replicable.

Brendan Saltaformaggio saw an opportunity, though. 

“This is a really good approach, but it was extremely labor-intensive,” said Saltaformaggio, an associate professor in SCP. “So, my group got together and realized we have the research to make this a scientific, systematic, reproducible technique, rather than a one-off, human-driven, miserable effort.”

Botnet Breakdown

ECHO eradicates malware in three stages. First, it determines how the malware deploys its malicious code. Then, ECHO identifies the capabilities of this deployment mechanism and discovers how they can be repurposed for remediation. Next, it builds a remediation code that leverages these same mechanisms to disable the malware. That code is then tested and eventually pushed out to the system. The team tested ECHO on 702 Android malware samples and successfully stopped malware in 523 of them. 

They hope ECHO’s success will halt attackers in their tracks. 

“A way we approach problems in our lab is to find the tradeoff between the attackers’ effort versus our effort to fight them,” Saltaformaggio said. “We can never achieve a perfect solution, but we can raise the bar high enough for an attacker that it wouldn't be worth it for them to use malware this way.”

With tools like ECHO, botnets can be removed before they cause economic and operational damage. Malware is ever-evolving, but Saltaformaggio and his team are improving their methods along with it. The next malware attack is imminent — but so is the solution. 

Funding from the Office of Naval Research, the Defense Advanced Research Projects Agency, and the National Science Foundation.