
Botnets

by Mehedy Masud. Botnets. Introduction, History, How do they spread? What do they do? Why care about them? Detection and Prevention. Bot. The term 'bot' comes from 'robot'. In computing, 'bot' usually refers to an automated process. There are good bots and bad bots.


Presentation Transcript


  1. Botnets • by Mehedy Masud

  2. Botnets • Introduction • History • How do they spread? • What do they do? • Why care about them? • Detection and Prevention

  3. Bot • The term 'bot' comes from 'robot'. • In computing, 'bot' usually refers to an automated process. • There are good bots and bad bots. • Examples of good bots: • Google bot • Game bot • Example of bad bots: • Malicious software that steals information

  4. Botnet • [Diagram: botmaster, IRC server with IRC channel, code server, C&C traffic, updates, attack on vulnerable machines, botnet] • Network of compromised/bot-infected machines (zombies) under the control of a human attacker (botmaster)

  5. History • In the beginning, there were only good bots. • ex: Google bot, game bot etc. • Later, bad people thought of creating bad bots so that they could • Send spam and phishing emails • Control others' PCs • Launch attacks on servers (DDoS) • Many malicious bots were created • SDBot/Agobot/Phatbot etc. • Botnets started to emerge

  6. TimeLine • [Figure: timeline with axis 1989, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, Present] • GM (by Greg, Operator) recognized as first IRC bot; entertained clients with games • W32/PrettyPark: 1st worm to use IRC as C&C; DDoS capable • GT bots combined mIRC client, hacking scripts & tools (port scanning, DDoS) • W32/Sdbot: first family of bots developed as a single binary; Russian named sd • W32/Agobot bot family added modular design and significant functionality • W32/Spybot family emerged • RPCSS • W32/Mytob hybrid bot, major e-mail outbreak

  7. Cases in the news • Axel Gembe • Author of Agobot (aka Gaobot, Polybot) • 21 yrs old • Arrested in Germany in 2004 under Germany's computer sabotage law • Jeffry Parson • Released a variation of the Blaster worm • Infected 48,000 computers worldwide • 18 yrs old • Arrested, sentenced to 18 months & 3 yrs of supervised release

  8. How The Botnet Grows

  9. How The Botnet Grows

  10. How The Botnet Grows

  11. How The Botnet Grows

  12. Recruiting New Machines • Exploit a vulnerability to execute a short program (exploits) on victim’s machine • Buffer overflows, email viruses, Trojans etc. • Exploit downloads and installs actual bot • Bot disables firewall and A/V software • Bot locates IRC server, connects, joins • Typically need DNS to find out server’s IP address • Authentication password often stored in bot binary • Botmaster issues commands

  13. Recruiting New Machines

  14. What Is It Used For • Botnets are mainly used for only one thing

  15. How Are They Used • Distributed Denial of Service (DDoS) attacks • Sending spam • Phishing (fake websites) • Adware (Trojan horse) • Spyware (keylogging, information harvesting) • Storing pirated materials

  16. Example: SDBot • Open-source malware • Aliases • McAfee: IRC-SDBot, Symantec: Backdoor.Sdbot • Infection • Mostly through network shares • Tries to connect using password guessing (exploits weak passwords) • Signs of Compromise • SDBot copies itself to the System folder - Known filenames: Aim95.exe, Syscfg32.exe etc. • Registry entries modified • Unexpected traffic: port 6667 or 7000 • Known IRC channels: Zxcvbnmas.i989.net etc.

  17. Example: RBot • First of the bot families to use encryption • Aliases • McAfee: W32/SDbot.worm.gen.g, Symantec: W32.Spybot.worm • Infection • Network shares, exploiting weak passwords • Known s/w vulnerabilities in Windows (e.g.: LSASS buffer overflow vulnerability) • Signs of Compromise • Copies itself to the System folder - Known filenames: wuamgrd.exe, or random names • Registry entries modified • Terminates A/V processes • Unexpected traffic: 113 or other open ports

  18. Example : Agobot • Modular Functionality • Rather than infecting a system at once, it proceeds through three stages (3 modules) • infect a client with the bot & open backdoor • shut down A/V tools • block access to A/V and security related sites • After successful completion of one stage, the code for the next stage is downloaded • Advantage? • developer can update or modify one portion/module without having to rewrite or recompile entire code

  19. Example: Agobot • Aliases • McAfee: W32/Gaobot.worm, Symantec: W32.HLLW.Gaobot.gen • Infection • Network shares, password guessing • P2P systems: Kazaa etc. • Protocol: WASTE • Signs of Compromise • System folder: svshost.exe, sysmgr.exe etc. • Registry entries modified • Terminates A/V processes • Modifies the %System%\drivers\etc\hosts file • Symantec/McAfee live update sites are redirected to 127.0.0.1

  20. Example : Agobot • Signs of Compromise (contd..) • Theft of information: seek and steal CD keys for popular games like “Half-Life”, “NFS” etc.. • Unexpected Traffic: open ports to IRC server etc.. • Scanning: Windows, SQL server etc..

  21. DDoS Attack • Goal: overwhelm the victim machine and deny service to its legitimate clients • DoS often exploits networking protocols • Smurf: ICMP echo request to a broadcast address with the spoofed victim's address as source • Ping of death: ICMP packets with payloads greater than 64K crash older versions of Windows • SYN flood: "open TCP connection" requests from a spoofed address • UDP flood: exhaust bandwidth by sending thousands of bogus UDP packets

  22. DDoS attack • Coordinated attack on a specified host • [Diagram: attacker → master (IRC server) machines → zombie machines → victim]

  23. Why DDoS attack? • Extortion • Take down systems until they pay • Works sometimes too! • Example: 180 Solutions – Aug 2005 • Botmaster used bots to distribute 180solutions adware • 180solutions shut the botmaster down • Botmaster threatened to take down 180solutions if not paid • When not paid, the botmaster used DDoS • 180Solutions filed a civil lawsuit against the hackers

  24. Botnet Detection • Host Based • Intrusion Detection Systems (IDS) • Anomaly Detection • IRC Nicknames • HoneyPot and HoneyNet

  25. Host-based detection • Virus scanning • Watching for symptoms • Modification of the Windows hosts file • Random unexplained popups • Machine slowness • Antivirus not working • Watching for suspicious network traffic • Since IRC is not commonly used, any IRC traffic is suspicious. Sniff this IRC traffic • Check if the host is trying to communicate with any Command and Control (C&C) center • Through firewall logs, denied connections
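Slides 19 and 25 both name the hosts file as a symptom: Agobot points the Symantec and McAfee update sites at 127.0.0.1 so A/V cannot update. The following Python is an added example (not from the slides) that parses a hosts file and flags watched vendor hostnames mapped to a loopback or unspecified address; the vendor suffix list and the sample hosts text are constructed assumptions.

```python
import ipaddress

# Assumed watchlist of security-vendor domains (illustrative, not complete).
WATCHED_DOMAINS = ("symantec.com", "symantecliveupdate.com", "mcafee.com")


def is_watched(hostname):
    """True if hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()            # one IP, one or more hostnames
        for name in names:
            yield ip, name.lower()


def redirected_entries(text):
    """Return (hostname, ip) for watched hostnames pinned to 127.0.0.0/8, ::1 or 0.0.0.0."""
    hits = []
    for ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:               # malformed line, not a valid address
            continue
        if addr.is_loopback or addr.is_unspecified:
            hits.append((name, ip))
    return hits


# Constructed sample hosts file showing the Agobot-style redirection.
SAMPLE_HOSTS = """\
# constructed sample, not a real system file
127.0.0.1       localhost
127.0.0.1       liveupdate.symantecliveupdate.com
127.0.0.1       update.symantec.com  www.symantec.com
0.0.0.0         download.mcafee.com
203.0.113.7     intranet.example
"""

if __name__ == "__main__":
    for name, ip in redirected_entries(SAMPLE_HOSTS):
        print(f"suspicious: {name} -> {ip}")
```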

  26. Network Intrusion Detection Systems • Example systems: Snort and Bro • Sniff network packets and look for specific patterns (called signatures) • If any pattern matches that of a malicious binary, then block that traffic and raise an alert • These systems can efficiently detect viruses/worms having known signatures • Can't detect any malware whose signature is unknown (i.e., zero-day attack)

  27. Anomaly Detection • Normal traffic has some patterns • Bandwidth/Port usage • Byte-level characteristics (histograms) • Protocol analysis – gather statistics about • TCP/UDP src, dest address • Start/end of flow, Byte count • DNS lookup • First learn normal traffic pattern • Then detect any anomaly in that pattern • Example systems: SNMP, NetFlow • Problems: • Poisoning • Stealth

  28. IRC Nicknames • Bots use weird nicknames • But they have certain pattern (really!) • If we can learn that pattern, we can detect bots & botnets • Example nicknames: • USA|016887436 or DE|028509327 • Country | Random number (9 digit) • RBOT|XP|48124 • Bot type | Machine Type | Random number • Problem: May be defeated by changing the nickname randomly
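As an added example (not part of the slides), the two nickname shapes from slide 28 expressed as patterns and run over a constructed capture of IRC NICK commands; the regular expressions, the capture lines and the assumption of plain, unencrypted IRC are all mine.

```python
import re

# Slide 28 patterns:  "USA|016887436" = country | 9-digit number
#                     "RBOT|XP|48124"  = bot type | machine type | number
COUNTRY_RANDOM = re.compile(r"^[A-Z]{2,3}\|\d{9}$")
BOT_MACHINE_RANDOM = re.compile(r"^[A-Z]+\|[A-Z0-9]+\|\d+$")

# IRC NICK command as sent by a client ("NICK name") or relayed by the
# server (":old!user@host NICK :new"). Assumes cleartext IRC.
NICK_CMD = re.compile(r"^(?::\S+\s+)?NICK\s+:?(?P<nick>\S+)$")


def classify_nick(nick):
    """Return the name of the bot naming pattern a nickname matches, or None."""
    if COUNTRY_RANDOM.match(nick):
        return "country|random9"
    if BOT_MACHINE_RANDOM.match(nick):
        return "bottype|machine|random"
    return None


def flag_bot_nicks(irc_lines):
    """Return (nick, pattern) for every NICK command whose nickname fits a bot pattern."""
    hits = []
    for line in irc_lines:
        m = NICK_CMD.match(line.strip())
        if not m:
            continue
        nick = m.group("nick")
        pattern = classify_nick(nick)
        if pattern:
            hits.append((nick, pattern))
    return hits


# Constructed sample of sniffed IRC lines (client and server directions).
SAMPLE_LINES = [
    "NICK USA|016887436",
    "USER a 0 * :a",
    ":DE|028509327!bot@10.0.0.7 NICK :DE|028509327",
    "NICK RBOT|XP|48124",
    "NICK alice_dev",
    "PRIVMSG #chan :hello",
]

if __name__ == "__main__":
    for nick, pat in flag_bot_nicks(SAMPLE_LINES):
        print(f"{nick:20s} matches {pat}")
```

As the slide notes, this is defeated by random nicknames, so it is a cheap first-pass indicator rather than a standalone detector.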

  29. HoneyPot and HoneyNet • A HoneyPot is a vulnerable machine, ready to be attacked • Example: unpatched Windows 2000 or Windows XP • Once attacked, the malware is caught inside • The malware is analyzed and its activity is monitored • When it connects to the C&C server, the server's identity is revealed

  30. HoneyPot and HoneyNet • Thus much information about the bot is obtained • C&C server address, master commands • Channel, nickname, password • Now do the following • Make a fake bot • Join the same IRC channel with the same nickname/password • Monitor who else is in the channel, thus observing the botnet • Collect statistics – how many bots • Collect sensitive information – who is being attacked, when, etc.

  31. HoneyPot and HoneyNet • Finally, take down the botnet • HoneyNet: a network of honeypots (see the 'HoneyNet Project') • Very effective, worked in many cases • They also pose a great security risk • If not maintained properly, hackers may use them to attack others • Must be monitored cautiously

  32. Summary • Today we have learned • What a botnet is • How / why they are used • How to detect / prevent them

  33. Questions ?

  34. Botnet detection using data mining • M. Mehedy Masud

  35. Background • Botnet • Network of compromised machines • Under the control of a botmaster • Taxonomy: • C&C: Centralized, Distributed etc. • Protocol: IRC, HTTP, P2P etc. • Rallying mechanism: Hard-coded IP, Dynamic DNS etc.

  36. IRC Botnets • [Diagram: botmaster, IRC server with IRC channel, code server, C&C traffic, updates, attack on vulnerable machines, botnet] • Centralized • IRC-based • Large • Easy to detect • CPF – IRC Server • Easy to destroy

  37. P2P Botnets • Distributed • P2P protocol used • Small • Harder to detect • No CPF • Not easy to destroy

  38. Botnet Research • IRC botnet detection (many) • Honeypot-based (Rajab et al., 2006) • Network traffic mining (Livadas et al., 2006) • Nickname/signature mining (Goebel & Holz, 2007) • P2P botnet detection (few) • P2P bot analysis (Grizzard et al., 2007) • Some theoretical contributions (Wang et al., 2007) • Little research towards P2P botnet detection

  39. Weak Points – Rallying Mechanism • Hard-coded IP • Trojan.Peacomm (Grizzard et al., 2007) • Nugache (Lemos, 2006) • Initial peer list hard-coded • Tries to contact initial peers after infection • Can be detected by analysis • Random IP • Sinit (L.T.I. group, 2004) • No initial peer list • Probes random IPs • Generates a lot of ICMP errors

  40. Possible Detection Techniques • System monitoring • Looking for symptoms (e.g. change in "hosts" file) • Anti-virus • Unusual system calls • Network traffic monitoring • Open ports • Connection rate • ARP requests • ICMP errors

  41. Port Scanning • Do we need to monitor all ports? • No • Fact 1: P2P bots must open a port to communicate • So, monitor only open (i.e., server) ports • Fact 2: P2P bots must use TCP or UDP to communicate • So, monitor only TCP/UDP ports

  42. Detecting Open Ports • A port is open (server) if • It accepts a new connection • It is connected to multiple ports • Accepting a new TCP connection • Client: SYN • Server: SYN, ACK • Client: ACK ---- Connection established! • The port accepting the SYN is an open port!! • Monitor all ports that accept a connection

  43. Detecting Open Ports (cont…) • Already existing connections • From each packet header, obtain the connection • A connection c is a 4-tuple (hp, hip, rp, rip) = (host port, host IP, remote port, remote IP) • Create a list of connections C • If there are two connections c1, c2 ∈ C s.t. c1 ≠ c2 and c1.hp == c2.hp, then hp is an open port • If there are two connections c1, c2 ∈ C s.t. c1 ≠ c2 and c1.rp == c2.rp, then rp is an open port
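The two open-port rules of slides 42 and 43 (a host port that answers a SYN with SYN-ACK, and a port shared by two distinct 4-tuple connections) as an added Python example that is not from the slides; the monitored host address, the packet-tuple layout and the sample packets are constructed assumptions.

```python
from collections import Counter

HOST_IP = "192.0.2.10"   # assumed address of the monitored machine

# Each packet header is (src_ip, src_port, dst_ip, dst_port, flags).


def open_ports_from_handshakes(packets):
    """Slide 42: a host port that replies SYN-ACK to an incoming SYN is listening."""
    pending = set()        # (remote_ip, remote_port, host_port) that sent us a SYN
    listening = set()
    for src_ip, src_port, dst_ip, dst_port, flags in packets:
        if dst_ip == HOST_IP and flags == "SYN":
            pending.add((src_ip, src_port, dst_port))
        elif src_ip == HOST_IP and flags == "SYN-ACK" \
                and (dst_ip, dst_port, src_port) in pending:
            listening.add(src_port)
    return listening


def open_ports_from_connections(packets):
    """Slide 43: build 4-tuples (hp, hip, rp, rip); a port used by two distinct
    connections is open. Returns (open host ports, open remote ports)."""
    conns = set()
    for src_ip, src_port, dst_ip, dst_port, _flags in packets:
        if src_ip == HOST_IP:
            conns.add((src_port, src_ip, dst_port, dst_ip))
        elif dst_ip == HOST_IP:
            conns.add((dst_port, dst_ip, src_port, src_ip))
    hp_count = Counter(c[0] for c in conns)
    rp_count = Counter(c[2] for c in conns)
    host_open = {hp for hp, n in hp_count.items() if n >= 2}
    remote_open = {rp for rp, n in rp_count.items() if n >= 2}
    return host_open, remote_open


# Constructed packet headers: a handshake on host port 4444, two inbound
# connections to host port 5555, and two outbound connections to remote port 80.
SAMPLE_PACKETS = [
    ("198.51.100.5", 40001, HOST_IP, 4444, "SYN"),
    (HOST_IP, 4444, "198.51.100.5", 40001, "SYN-ACK"),
    ("198.51.100.5", 40001, HOST_IP, 4444, "ACK"),
    ("203.0.113.1", 50010, HOST_IP, 5555, "ACK"),
    ("203.0.113.2", 50011, HOST_IP, 5555, "ACK"),
    (HOST_IP, 51000, "203.0.113.9", 80, "ACK"),
    (HOST_IP, 51001, "203.0.113.9", 80, "ACK"),
    ("203.0.113.9", 80, HOST_IP, 51001, "ACK"),
]
```

Only the host-side open ports are worth monitoring for a local P2P bot; the remote-port rule mostly surfaces well-known services the host is a client of (port 80 here).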

  44. What To Monitor? • Monitor payload / header? • Problems with payload monitoring • Privacy • Unavailability • Encryption/Obfuscation • Information extracted from header • New connections (why?) • Packet size (why?) • Upload/Download bandwidth (why?)

  45. How to Monitor? • Traffic patterns vary with time • Special (distinguishing) patterns may appear for a short while • E.g. new connections • Sudden burst of traffic • Fig: Trojan.Peacomm connections after infection (Grizzard et al., 2007)

  46. How to Monitor? (continued) • Solution 1: Time-series analysis • Each feature is a time series • Sampled at a frequent interval • Problem: feature space too large/impractical • Solution 2: Histogram analysis • Each feature is a histogram • Samples are collected at a frequent interval • Bins are filled up periodically • Problem: size, number of bins?

  47. Mapping to Stream Mining • Network traffic can be thought of as stream data • Detecting botnet traffic inside network traffic can be mapped to a classification problem • Botnet characteristics may change over time • Thus, botnet traffic detection can be mapped to a: • Concept-drifting stream data classification problem

  48. Peer to Peer Botnets • by Mehedy Masud

  49. Botnets • Introduction • History • Taxonomy • Overview • Case studies • New technique • Detection and Prevention

  50. Taxonomy
