Introduction to Botnets

Presentation Transcript


  1. Introduction to Botnets Instructors: Ali Shiravi, University of New Brunswick Natalia Stakhanova, University of South Alabama Hanli Ren, University of New Brunswick

  2. Part 1: Intro to Botnets. What are they?

  3. In the news… • July 29 2010 - Multi-Purpose Botnet Used in Major Check Counterfeiting Operation • Aug 4 2010 - Zeus v2 Botnet that owned 100,000 UK PCs taken out • Aug 12 2010 - dd_ssh Botnet attacks SSH servers • Aug 12 2010 - Zeus ‘Mumba’ Botnet Seizes Confidential Database sized 60GB • Aug 12 2010 - Zeus v3 botnet raid on UK bank accounts

  4. Introduction • Malware is currently the major source of attacks and fraudulent activities on the Internet. • Malware is used to infect computers. • A botnet is a network of zombies, i.e. compromised computers under the control of an attacker. • A bot is a program loaded on a zombie computer that provides remote control mechanisms to an attacker. (Figure: Attacker (Botmaster) controlling Zombies)

  5. Bot • Bot - a small program to remotely control a computer • Characterized by • Remote control & communication (C&C) channels to command a victim • For ex., perform a denial-of-service attack, send spam • The implemented remote commands • For ex., update the bot binary to a new version • The spreading mechanisms to propagate it further • For ex., port scanning, email

  6. http://en.wikipedia.org/wiki/Botnet

  7. C&C channel • Means of receiving and sending commands and information between the botmaster and the zombies. • Typical protocols • IRC • HTTP • Overnet (Kademlia) • Protocols imply (to an extent) a botnet’s communication topology. • The topology provides trade-offs in terms of bandwidth, effectiveness, stealth, and so forth.

  8. Botnet Infection Stages - Centralized

  9. Part 2 – How does a botnet operate?

  10. Popular Botnet Propagation Methods (Figure: Spammed Messages, Worm, Social Networking Websites, Removable Devices, Malicious Websites → Install Malware → Become Bot)

  11. Shift in the way that malware is distributed • Every 1.3 seconds a new web page is getting infected • Every month almost 2 million web pages across 210,000 websites are infected with Malware • Malware attacks have grown by 600% since 2008

  12. Spammed Messages

  13. Spammed Messages Storm Botnet

  14. Propagation Steps Step 1: Click Link Step 2: Link to malicious website Step 3: Download & Run Malware

  15. Sample subjects and attachments • Sample subjects: • A killer at 11, he's free at 21 and kill again! • British Muslims Genocide • Naked teens attack home director. • 230 dead as storm batters Europe. • Re: Your text • Radical Muslim drinking enemies's blood. • Saddam Hussein alive! • Fidel Castro dead. • FBI vs. Facebook • Sample attachments: Postcard.exe, ecard.jpg, FullVideo.exe, Full Story.exe, Video.exe, Read More.exe, FullClip.exe, GreetingPostcard.exe, MoreHere.exe, FlashPostcard.exe, GreetingCard.exe, ClickHere.exe, ReadMore.exe, FlashPostcard.exe, FullNews.exe, NflStatTracker.exe, ArcadeWorld.exe, Left-right-brain-test.gif

  16. Social Networking Websites e.g. Koobface

  17. Social Networking Websites Koobface Downloader http://us.trendmicro.com

  18. Koobface Spam Messages • A typical KOOBFACE infection starts with a spam sent through: • Facebook • Twitter • MySpace • Other social networking sites http://us.trendmicro.com

  19. Koobface Spam Messages http://us.trendmicro.com

  20. Koobface Spam Messages http://us.trendmicro.com

  21. Koobface Spam Messages http://us.trendmicro.com

  22. Koobface Malware Download Clicking the link will redirect the user to a website designed to mimic YouTube (but is actually named YuoTube), which asks the user to install an executable (.EXE) file to be able to watch the video. http://us.trendmicro.com

  23. Malicious Websites e.g. Gumblar Zeus

  24. Malicious Websites http://www.ipa.go.jp/security/english/virus/press/201001/E_PR201001.html

  25. Gumblar Compromised Website The malicious script embedded in the website. http://www.van-manen.info/weblog/2010/02/gumblar-virus-infecteert-microsoft-website/

  26. Zeus Malware Download

  27. Zeus Compromised host

  28. Part 3 – How is a botnet organized?

  29. Traditional botnet Botnet topology mainly refers to the organization of C&C channels between zombies and an attacker. (Figure: Attacker → commands & controls → Zombies (infected home computers) → attack → Victim)

  30. Topology • Based on C&C channels, there are two typical botnet topologies: • Centralized • Decentralized (P2P) • Traditional botnet metrics: • Resiliency • A botnet’s ability to cope with the loss of members (zombies) or servers • Latency • Reliability in message transmission • Enumeration • The ability to accurately estimate a botnet’s size • Difficulty for security analysis • Re-sale • The possibility to carve off sections of the botnet for lease or resale to other operators.

  31. Centralized botnet • Communication between the attacker and zombies goes via a centralized server • Classical communication method: IRC (Internet Relay Chat) (Figure: zombies connected to a centralized server)

  32. Centralized botnet topologies • Centralized topology can be represented in different shapes. • The exact organization of a botnet depends on the bot operator • nothing prevents a bot operator from coming up with a new topology. • Often seen topologies: Star, Multi-server, Hierarchical

  33. Star topology • Communication is directly between a single centralized server and ALL zombies. • When a new machine is infected, it is preconfigured to contact the server to announce its membership. • Pros: Low latency • Each zombie is issued commands directly from the server. • Cons: Low resilience • Only the server needs to be blocked to neutralize the whole botnet

  34. Example • Koobface • Old variant employed a star architecture: • Zombies connected to the C&C server directly

  35. Multi-server topology • Similar to the star topology • Instead of one server, multiple servers are used to provide instructions to zombies. Pros: • Better resilience • No single point of failure • Geographical distribution of servers • Faster communication • More resistant to legal shutdowns Cons: • Requires advance planning

  36. Hierarchical topology • Zombies are generally not aware of the server location Pros: • Ease of re-sale • A botnet operator can easily carve off sections of their botnet for lease or resale to other operators. • Hard to enumerate • Hard to evaluate the size and complexity of the botnet Cons: • High latency • makes some botnet attacks difficult.

  37. Example - Gumblar • Gumblar’s architecture is not well studied; it is fully built on zombies • Website visitors are infected with a Windows executable, which grabs FTP credentials from the victim machines. The FTP account is then used to infect every webpage on the newly reached webserver.

  38. Decentralized botnet • P2P (peer-to-peer) communication • zombies talking to each other • no central server Pros: • Very high resilience Cons: • High latency • Difficult to enumerate

  39. Hybrid topologies • High resilience • Low latency • Examples: • Hierarchical P2P • Centralized P2P (Figure: centralized tier above a peer-to-peer tier)
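The resiliency metric from slides 30 through 39 can be made concrete by simulating a takedown. The following is an added example, not code from the presentation: it builds small star, multi-server and P2P botnet graphs (constructed, 12 zombies each), removes some C&C nodes, and reports the fraction of zombies that can still receive a command from the surviving entry points.

```python
from collections import deque

def build_star(n):
    # Slide 33: every zombie talks only to the single server s0.
    return {"servers": {"s0"}, "links": {f"z{i}": {"s0"} for i in range(n)}}

def build_multi_server(n, k):
    # Slide 35: zombies are spread round-robin across k servers.
    links = {f"z{i}": {f"s{i % k}"} for i in range(n)}
    return {"servers": {f"s{j}" for j in range(k)}, "links": links}

def build_p2p(n, peers):
    # Slide 38: no server; zombie i knows the next `peers` zombies in a ring.
    links = {f"z{i}": {f"z{(i + d) % n}" for d in range(1, peers + 1)} for i in range(n)}
    return {"servers": set(), "links": links}

def controllable_fraction(net, taken_down, seeds):
    """Fraction of all zombies that a command still reaches.
    Links are treated as undirected. `seeds` are where commands enter:
    the surviving servers for centralized nets, or the peer the botmaster
    injects at for P2P. Nodes in `taken_down` are removed first."""
    zombies = set(net["links"])
    adj = {node: set() for node in zombies | net["servers"]}
    for z, nbrs in net["links"].items():
        for nb in nbrs:
            adj[z].add(nb)
            adj[nb].add(z)
    alive = set(adj) - set(taken_down)
    queue = deque(s for s in seeds if s in alive)
    reached = set(queue)
    while queue:                      # breadth-first flood of the command
        node = queue.popleft()
        for nb in adj[node]:
            if nb in alive and nb not in reached:
                reached.add(nb)
                queue.append(nb)
    return len(reached & zombies) / len(zombies)

def compare(n=12):
    star, multi, p2p = build_star(n), build_multi_server(n, 3), build_p2p(n, 2)
    return {
        "star, 1 server down": controllable_fraction(star, {"s0"}, star["servers"]),
        "multi-server, 1 of 3 down": controllable_fraction(multi, {"s0"}, multi["servers"]),
        "p2p, 2 peers down": controllable_fraction(p2p, {"z0", "z1"}, {"z2"}),
    }

if __name__ == "__main__":
    for label, frac in compare().items():
        print(f"{label}: {frac:.2f} of zombies still controllable")
```

Blocking the single star server takes the whole botnet down, losing one of three servers costs only a third of the zombies, and the P2P net loses only the peers that were removed, which is the resilience ordering the slides describe.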

  40. Storm botnet • A three-level self-organizing hierarchy: • master servers • proxy bots • transfer traffic between worker bots and master servers • worker bots • responsible for sending the spam • Once a Storm binary is downloaded, an infected host might become a worker bot (if not reachable from the Internet) or a proxy bot

  41. Detection • Complicated organization of botnets & variety of cover-up techniques make detection of botnets challenging

  42. Part 4 – How do they hide?

  43. Outline

  44. Encryption Botnet malware uses encryption techniques to avoid being detected by signature-based intrusion detection systems. (Figure: a signature matched against plaintext traffic)

  45. Snort Example Without encryption, Snort can successfully detect the attack. (Figure: packet without encryption, matching Snort rule, resulting Snort alert)

  46. Snort Example Snort cannot detect the attack in encrypted traffic. (Figure: encrypted packet, Snort rule with no match)

  47. Fast Flux IP addresses that are rotated in seconds against the same domain. For example:
  [QUESTION] Website name: www.lijg.ru
  [ANSWER] IP addresses:
  www.lijg.ru 68.124.161.76
  www.lijg.ru 69.14.27.151
  www.lijg.ru 70.251.45.186
  www.lijg.ru 71.12.89.105
  www.lijg.ru 71.235.251.99
  www.lijg.ru 75.11.10.101
  www.lijg.ru 75.75.104.133
  www.lijg.ru 97.104.40.246
  www.lijg.ru 173.16.99.131
  …
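A defender can spot the behaviour on slide 47 from passive DNS data. The following is an added example, not code from the presentation: it runs a simplified fast-flux heuristic (many unique A records across repeated lookups, addresses spread over many networks, and short TTLs) over a constructed lookup log. The first domain's addresses are the ones shown on the slide; the TTLs, timings, the benign comparison domain and the thresholds are constructed assumptions for the example.

```python
from ipaddress import ip_network

# Constructed lookup log: (seconds since start, domain, TTL, A records returned).
LOOKUPS = [
    (0,   "www.lijg.ru", 60, ["68.124.161.76", "69.14.27.151", "70.251.45.186"]),
    (60,  "www.lijg.ru", 60, ["71.12.89.105", "71.235.251.99", "75.11.10.101"]),
    (120, "www.lijg.ru", 60, ["75.75.104.133", "97.104.40.246", "173.16.99.131"]),
    # A stable site (RFC 5737 test addresses) answers the same pair every time.
    (0,   "static.example", 3600, ["192.0.2.10", "192.0.2.11"]),
    (60,  "static.example", 3600, ["192.0.2.10", "192.0.2.11"]),
    (120, "static.example", 3600, ["192.0.2.11", "192.0.2.10"]),
]

def flux_features(lookups, domain):
    """Aggregate the answers for one domain over all of its lookups."""
    ips, nets, ttls = set(), set(), []
    for _, name, ttl, answers in lookups:
        if name != domain:
            continue
        ttls.append(ttl)
        for addr in answers:
            ips.add(addr)
            # /16 is a crude stand-in for "different network/provider";
            # real tooling would map addresses to ASNs instead.
            nets.add(ip_network(f"{addr}/16", strict=False))
    if not ttls:
        raise ValueError(f"no lookups recorded for {domain}")
    return {"unique_ips": len(ips), "unique_nets": len(nets), "min_ttl": min(ttls)}

def is_fast_flux(features, min_ips=5, min_nets=3, max_ttl=300):
    """Constructed thresholds: flag only when all three signals agree."""
    return (features["unique_ips"] >= min_ips
            and features["unique_nets"] >= min_nets
            and features["min_ttl"] <= max_ttl)

def classify(lookups):
    domains = sorted({name for _, name, _, _ in lookups})
    return {d: is_fast_flux(flux_features(lookups, d)) for d in domains}

if __name__ == "__main__":
    for domain, flagged in classify(LOOKUPS).items():
        print(f"{domain}: {'fast-flux suspect' if flagged else 'stable'}",
              flux_features(LOOKUPS, domain))
```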

  48. Advantages for the attacker • Simplicity • Only one suitably powerful backend server (or mothership) host is needed to serve the master content and DNS information. • Resilience • A layer of protection from ongoing investigative response or legal action • Extends the operational lifespan of the critical backend core servers, which are hidden behind the front-end nodes
