Botnets PowerPoint Presentation
Presentation Transcript

  1. Botnets • by Mehedy Masud

  2. Botnets • Introduction • History • How do they spread? • What do they do? • Why care about them? • Detection and Prevention

  3. Bot • The term 'bot' comes from 'robot'. • In computing, 'bot' usually refers to an automated process. • There are good bots and bad bots. • Examples of good bots: • Google bot • Game bot • Example of bad bots: • Malicious software that steals information

  4. Botnet • Network of compromised/bot-infected machines (zombies) under the control of a human attacker (botmaster) • [Diagram: botmaster → IRC server / IRC channel → bots (C&C traffic); code server supplies updates; bots attack vulnerable machines]

  5. History • In the beginning, there were only good bots • e.g. Google bot, game bots etc. • Later, bad people thought of creating bad bots so that they could • Send spam and phishing emails • Control other people's PCs • Launch attacks on servers (DDoS) • Many malicious bots were created • SDBot/Agobot/Phatbot etc. • Botnets started to emerge

  6. Timeline (1989 – 2006/present) • GM (by Greg, Operator) recognized as the first IRC bot; entertained clients with games (1989) • W32/PrettyPark: first worm to use IRC as C&C, DDoS capable (1999) • GT bots: combined mIRC client, hacking scripts & tools (port scanning, DDoS) • W32/Sdbot: first family of bots developed as a single binary, by a Russian named 'sd' • W32/Agobot bot family: added modular design and significant functionality • W32/Spybot family emerged • RPCSS • W32/Mytob: hybrid bot, major e-mail outbreak

  7. Cases in the news • Axel Gembe • Author of Agobot (aka Gaobot, Polybot) • 21 yrs old • Arrested in Germany in 2004 under Germany's computer sabotage law • Jeffrey Parson • Released a variant of the Blaster worm • Infected 48,000 computers worldwide • 18 yrs old • Arrested, sentenced to 18 months in prison & 3 yrs of supervised release

  8. How The Botnet Grows (slides 8–11: diagram sequence)

  12. Recruiting New Machines • Exploit a vulnerability to execute a short program (the exploit) on the victim's machine • Buffer overflows, email viruses, Trojans etc. • The exploit downloads and installs the actual bot • Bot disables firewall and A/V software • Bot locates the IRC server, connects, joins the channel • Typically needs DNS to find out the server's IP address • Authentication password often stored in the bot binary • Botmaster issues commands


  14. What Is It Used For • Botnets are mainly used for only one thing

  15. How Are They Used • Distributed Denial of Service (DDoS) attacks • Sending spam • Phishing (fake websites) • Adware (Trojan horse) • Spyware (keylogging, information harvesting) • Storing pirated materials

  16. Example : SDBot • Open-source malware • Aliases • McAfee: IRC-SDBot, Symantec: Backdoor.Sdbot • Infection • Mostly through network shares • Tries to connect using password guessing (exploits weak passwords) • Signs of Compromise • SDBot copies itself to the System folder - known filenames: Aim95.exe, Syscfg32.exe etc. • Registry entries modified • Unexpected traffic: port 6667 or 7000 (IRC) • Known IRC channels: Zxcvbnmas.i989.net etc.

  17. Example : RBot • First of the bot families to use encryption • Aliases • McAfee: W32/SDbot.worm.gen.g, Symantec: W32.Spybot.worm • Infection • Network shares, exploiting weak passwords • Known software vulnerabilities in Windows (e.g. the LSASS buffer overflow vulnerability) • Signs of Compromise • Copies itself to the System folder - known filenames: wuamgrd.exe, or random names • Registry entries modified • Terminates A/V processes • Unexpected traffic: port 113 (ident) or other open ports

  18. Example : Agobot • Modular functionality • Rather than infecting a system all at once, it proceeds through three stages (3 modules) • Infect a client with the bot & open a backdoor • Shut down A/V tools • Block access to A/V and security-related sites • After successful completion of one stage, the code for the next stage is downloaded • Advantage? • The developer can update or modify one portion/module without having to rewrite or recompile the entire code

  19. Example : Agobot • Aliases • McAfee: W32/Gaobot.worm, Symantec: W32.HLLW.Gaobot.gen • Infection • Network shares, password guessing • P2P systems: Kazaa etc. • Protocol: WASTE • Signs of Compromise • System folder: svshost.exe, sysmgr.exe etc. • Registry entries modified • Terminates A/V processes • Modifies the %System%\drivers\etc\hosts file • Symantec / McAfee live update sites are redirected to 127.0.0.1

  20. Example : Agobot • Signs of Compromise (contd.) • Theft of information: seeks and steals CD keys for popular games like 'Half-Life', 'NFS' etc. • Unexpected traffic: open ports to the IRC server etc. • Scanning: Windows, SQL Server etc.

  21. DDoS Attack • Goal: overwhelm the victim machine and deny service to its legitimate clients • DoS often exploits networking protocols • Smurf: ICMP echo request to a broadcast address with the victim's spoofed address as source, so every host on the segment replies to the victim • Ping of death: ICMP packets with payloads greater than 64K crash older versions of Windows • SYN flood: 'open TCP connection' requests from spoofed addresses, leaving half-open connections that exhaust the server's connection table • UDP flood: exhaust bandwidth by sending thousands of bogus UDP packets

  22. DDoS attack • Coordinated attack on a specified host • [Diagram: Attacker → Master (IRC server) → Zombie machines → Victim]

  23. Why DDoS attack? • Extortion • Take down systems until they pay • Works sometimes too! • Example: 180solutions – Aug 2005 • Botmaster used bots to distribute 180solutions adware • 180solutions cut the botmaster off • Botmaster threatened to take down 180solutions if not paid • When not paid, the botmaster used DDoS • 180solutions filed a civil lawsuit against the hackers

  24. Botnet Detection • Host Based • Intrusion Detection Systems (IDS) • Anomaly Detection • IRC Nicknames • HoneyPot and HoneyNet

  25. Host-based detection • Virus scanning • Watching for symptoms • Modification of the Windows hosts file • Random unexplained popups • Machine slowness • Antivirus not working • Watching for suspicious network traffic • Since IRC is not commonly used in most organizations, any IRC traffic is suspicious: sniff it • Check whether the host is trying to communicate with any Command and Control (C&C) center • Through firewall logs: denied connections
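The indicators listed on slides 16–20 and 25 (hosts-file tampering that sinkholes A/V update sites, traffic to IRC ports 6667/7000, repeated denied connections in firewall logs) are simple to turn into a script. The Python below is an added example, not code from the presentation; the hosts-file contents, the firewall log layout and the vendor hostnames in the watch list are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of a Windows hosts file after bot tampering (slide 19 describes Agobot
# redirecting Symantec/McAfee live-update sites to 127.0.0.1). Hostnames are illustrative.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com   # added by the bot
127.0.0.1       update.symantec.com
0.0.0.0         download.mcafee.com
"""

# Assumed watch list: security-vendor domains that should never resolve to a sinkhole address.
WATCHED_SUFFIXES = ("symantec.com", "mcafee.com", "windowsupdate.com")
SINKHOLE_PREFIXES = ("127.", "0.0.0.0")

def hosts_file_hijacks(hosts_text, watched=WATCHED_SUFFIXES):
    """Return (hostname, ip) pairs where a watched domain is pinned to a loopback/blackhole address."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            name = name.lower()
            if name.endswith(watched) and ip.startswith(SINKHOLE_PREFIXES):
                hits.append((name, ip))
    return hits

# Constructed firewall log (pfirewall.log-like; the field order below is this example's own):
# date time action proto src_ip dst_ip src_port dst_port
SAMPLE_FW_LOG = """\
2006-03-01 10:00:01 DROP TCP 192.168.1.10 203.0.113.5 1042 6667
2006-03-01 10:00:31 DROP TCP 192.168.1.10 203.0.113.5 1043 6667
2006-03-01 10:01:01 DROP TCP 192.168.1.10 203.0.113.5 1044 6667
2006-03-01 10:01:05 ALLOW TCP 192.168.1.10 198.51.100.20 1045 80
2006-03-01 10:01:09 DROP UDP 192.168.1.10 198.51.100.53 1046 53
2006-03-01 10:02:00 DROP TCP 192.168.1.11 203.0.113.9 2001 7000
"""

IRC_PORTS = {6667, 7000}   # the ports named on the SDBot slide
FW_LINE = re.compile(r"^(\S+ \S+) (ALLOW|DROP) (TCP|UDP) (\S+) (\S+) (\d+) (\d+)$")

def parse_fw_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = FW_LINE.match(line.strip())
        if m:
            ts, action, proto, src, dst, sport, dport = m.groups()
            yield {"ts": ts, "action": action, "proto": proto, "src": src,
                   "dst": dst, "sport": int(sport), "dport": int(dport)}

def irc_port_connections(text, ports=IRC_PORTS):
    """(src, dst, dport) triples heading for IRC ports: rarely legitimate on a corporate LAN."""
    return sorted({(r["src"], r["dst"], r["dport"])
                   for r in parse_fw_log(text) if r["dport"] in ports})

def repeated_denied_destinations(text, min_attempts=3):
    """(src, dst, dport) denied at least min_attempts times: a bot retrying its C&C rendezvous."""
    counts = Counter((r["src"], r["dst"], r["dport"])
                     for r in parse_fw_log(text) if r["action"] == "DROP")
    return {key: n for key, n in counts.items() if n >= min_attempts}

if __name__ == "__main__":
    print("hosts file hijacks:", hosts_file_hijacks(SAMPLE_HOSTS))
    print("IRC-port attempts:", irc_port_connections(SAMPLE_FW_LOG))
    print("repeated denies:", repeated_denied_destinations(SAMPLE_FW_LOG))
```

The hosts-file check rests on the fact that vendor update sites have no business resolving to loopback or 0.0.0.0; the firewall check treats repeated denied attempts to one destination as the retry loop of a bot that cannot reach its C&C, which is the 'denied connections' signal slide 25 points at. Both are cheap to run on every host and neither needs packet payloads.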

  26. Network Intrusion Detection Systems • Example systems: Snort and Bro • Sniff network packets and look for specific patterns (signatures) • If a pattern matches that of a malicious binary, block that traffic and raise an alert • These systems efficiently detect viruses/worms with known signatures • They cannot detect malware whose signature is unknown (i.e., a zero-day attack)

  27. Anomaly Detection • Normal traffic has some patterns • Bandwidth/port usage • Byte-level characteristics (histograms) • Protocol analysis – gather statistics about • TCP/UDP source and destination addresses • Start/end of flow, byte count • DNS lookups • First learn the normal traffic pattern • Then detect any anomaly in that pattern • Example data sources: SNMP counters, NetFlow records • Problems: • Poisoning (the attacker shapes the 'normal' baseline while it is being learned) • Stealth (bot traffic kept low and regular enough to stay inside the baseline)

  28. IRC Nicknames • Bots use weird nicknames • But they follow certain patterns (really!) • If we can learn those patterns, we can detect bots and botnets • Example nicknames: • USA|016887436 or DE|028509327 • Country | random number (9 digits) • RBOT|XP|48124 • Bot type | machine type | random number • Problem: may be defeated by changing the nickname randomly
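Added example (not from the slides) of the nickname-pattern idea above: one regular expression for each of the two shapes quoted on slide 28, a looser fallback for variations, and a channel-level ratio so that a single odd nick does not raise an alert while a channel full of them does. The IRC lines are constructed; the patterns and labels are this example's own.

```python
import re

# Nickname shapes quoted on slide 28: "USA|016887436" (country | 9-digit random number) and
# "RBOT|XP|48124" (bot type | machine type | random number). The regexes are this example's own.
COUNTRY_NICK = re.compile(r"^[A-Z]{2,3}\|\d{9}$")
BOT_OS_NICK = re.compile(r"^[A-Z]{2,8}\|(?:XP|2K|2003|NT|98|ME)\|\d{4,6}$")
# Looser fallback: upper-case token, 1-3 short pipe-separated fields, trailing number of 4+ digits.
GENERIC_BOT_NICK = re.compile(r"^[A-Z0-9]{2,8}(?:\|[A-Za-z0-9]{1,8}){1,3}\|\d{4,}$")

def classify_nick(nick):
    """Label a bot-like nickname, or return None for an ordinary one."""
    if COUNTRY_NICK.match(nick):
        return "country|random"
    if BOT_OS_NICK.match(nick):
        return "bot|os|random"
    if GENERIC_BOT_NICK.match(nick):
        return "generic-bot-pattern"
    return None

# Constructed IRC server-to-client lines, as a sniffer would see them on TCP/6667.
SAMPLE_IRC = """\
:USA|016887436!x@10.0.0.5 JOIN :#zxcv
:DE|028509327!x@10.0.0.6 JOIN :#zxcv
:RBOT|XP|48124!x@10.0.0.7 JOIN :#zxcv
:alice!alice@10.0.0.8 JOIN :#zxcv
:alice!alice@10.0.0.8 NICK :alice_away
:RBOT|XP|48124!x@10.0.0.7 NICK :RBOT|2K|91122
:bob!bob@10.0.0.9 JOIN :#help
"""

# ":nick!user@host JOIN :#chan" or ":nick!user@host NICK :newnick"
IRC_PREFIX = re.compile(r"^:([^!\s]+)!\S+ (JOIN|NICK) :?(\S+)$")

def parse_irc(irc_text):
    """Yield (nick, command, argument) for every JOIN/NICK line; other lines are ignored."""
    for line in irc_text.splitlines():
        m = IRC_PREFIX.match(line.strip())
        if m:
            yield m.groups()

def suspicious_nicks(irc_text):
    """Map every bot-like nickname seen in JOIN or NICK messages to its pattern label."""
    flagged = {}
    for nick, cmd, arg in parse_irc(irc_text):
        candidate = arg if cmd == "NICK" else nick   # a NICK change introduces the new name
        label = classify_nick(candidate)
        if label:
            flagged[candidate] = label
    return flagged

def channel_bot_ratio(irc_text, channel):
    """Share of a channel's joiners with bot-like nicks; a channel near 1.0 is almost certainly C&C."""
    members = {nick for nick, cmd, arg in parse_irc(irc_text) if cmd == "JOIN" and arg == channel}
    if not members:
        return 0.0
    return sum(1 for n in members if classify_nick(n)) / len(members)

if __name__ == "__main__":
    print(suspicious_nicks(SAMPLE_IRC))
    print("#zxcv bot ratio:", channel_bot_ratio(SAMPLE_IRC, "#zxcv"))
```

As the slide warns, a botmaster who fully randomises nicknames defeats the per-nick regexes. The channel ratio still catches a channel in which nobody has a human-looking name, but a bot that mimics ordinary nicks slips past both checks, which is why this signal is best combined with the traffic-based ones.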

  29. HoneyPot and HoneyNet • A honeypot is a deliberately vulnerable machine, ready to be attacked • Example: unpatched Windows 2000 or Windows XP • Once attacked, the malware is contained inside the honeypot • The malware is analyzed and its activity is monitored • When it connects to the C&C server, the server's identity is revealed

  30. HoneyPot and HoneyNet • Thus much information about the bot is obtained • C&C server address, master commands • Channel, nickname, password • Now do the following • Make a fake bot • Join the same IRC channel with the same nickname scheme/password • Monitor who else is in the channel, thus observing the botnet • Collect statistics – how many bots • Collect sensitive information – who is being attacked, when, etc.

  31. HoneyPot and HoneyNet • Finally, take down the botnet • HoneyNet: a network of honeypots (see the 'Honeynet Project') • Very effective, has worked in many cases • Honeypots also pose a great security risk • If not maintained properly, an attacker may use them to attack others • Must be monitored cautiously

  32. Summary • Today we have learned • What a botnet is • How / why they are used • How to detect / prevent them

  33. Questions ?

  34. Botnet detection using data mining • by M. Mehedy Masud

  35. Background • Botnet • Network of compromised machines • Under the control of a botmaster • Taxonomy: • C&C: centralized, distributed etc. • Protocol: IRC, HTTP, P2P etc. • Rallying mechanism: hard-coded IP, dynamic DNS etc.

  36. IRC Botnets • Centralized • IRC-based • Large • Easy to detect • Central point of failure (CPF): the IRC server • Easy to destroy • [Diagram: botmaster → IRC server / IRC channel → bots (C&C traffic); code server supplies updates; bots attack vulnerable machines]

  37. P2P Botnets • Distributed • P2P protocol used • Small • Harder to detect • No central point of failure • Not easy to destroy

  38. Botnet Research • IRC botnet detection (many) • Honeypot-based (Rajab et al., 2006) • Network traffic mining (Livadas et al., 2006) • Nickname/signature mining (Goebel & Holz, 2007) • P2P botnet detection (few) • P2P bot analysis (Grizzard et al., 2007) • Some theoretical contributions (Wang et al., 2007) • Little research so far towards P2P botnet detection

  39. Weak Points – Rallying Mechanism • Hard-coded IP • Trojan.Peacomm (Grizzard et al., 2007) • Nugache (Lemos, 2006) • Initial peer list hard-coded in the binary • Tries to contact the initial peers right after infection • Can be detected by analysis • Random IP • Sinit (L.T.I. group, 2004) • No initial peer list • Probes random IPs • Generates a lot of ICMP errors (most random addresses are unreachable)

  40. Possible Detection Techniques • System monitoring • Looking for symptoms (e.g. change in the "hosts" file) • Anti-virus • Unusual system calls • Network traffic monitoring • Open ports • Connection rate • ARP requests • ICMP errors

  41. Port Scanning • Do we need to monitor all ports? • No • Fact 1: P2P bots must open a port to communicate • So, monitor only open (i.e., server) ports • Fact 2: P2P bots must use TCP or UDP to communicate • So, monitor only TCP/UDP ports

  42. Detecting Open Ports • A port is open (a server port) if • It accepts a new connection, or • It is connected to multiple remote ports • Accepting a new TCP connection • Client: SYN • Server: SYN, ACK • Client: ACK: connection established! • The port that accepts the SYN (and answers with SYN-ACK) is an open port • Monitor all ports that accept a connection

  43. Detecting Open Ports (cont…) • Already existing connections • From each packet header, obtain the connection • A connection c is a 4-tuple (host port, host IP, remote port, remote IP) = (hp, hip, rp, rip) • Create the set of connections C • If there are two connections c1, c2 ∈ C such that c1 ≠ c2 and c1.hp == c2.hp, then hp is an open port • If there are two connections c1, c2 ∈ C such that c1 ≠ c2 and c1.rp == c2.rp, then rp is an open port (on the remote side)
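Worked example of the two open-port rules on slides 42 and 43, with the TCP/UDP filter of slide 41 applied first. This is added Python, not the author's code; the packet-header trace and the monitored host address are constructed, and only header fields are used, in line with slide 44.

```python
from collections import defaultdict

# Monitored host and a constructed packet-header trace:
# (proto, src_ip, src_port, dst_ip, dst_port, tcp_flags) with flags "S", "SA", "A" or "" for non-TCP.
HOST = "10.0.0.7"
SAMPLE_PACKETS = [
    # the host as an ordinary web client: its SYN goes out, the SYN-ACK comes back
    ("TCP", HOST, 1042, "198.51.100.20", 80, "S"),
    ("TCP", "198.51.100.20", 80, HOST, 1042, "SA"),
    ("TCP", HOST, 1042, "198.51.100.20", 80, "A"),
    # two remote peers connect to the host's port 4444 and get SYN-ACKs: a listening port
    ("TCP", "203.0.113.5", 3311, HOST, 4444, "S"),
    ("TCP", HOST, 4444, "203.0.113.5", 3311, "SA"),
    ("TCP", "203.0.113.5", 3311, HOST, 4444, "A"),
    ("TCP", "203.0.113.9", 5120, HOST, 4444, "S"),
    ("TCP", HOST, 4444, "203.0.113.9", 5120, "SA"),
    # UDP has no handshake: the same local port talks to two peers (P2P-style overlay)
    ("UDP", HOST, 7871, "192.0.2.10", 7871, ""),
    ("UDP", HOST, 7871, "192.0.2.11", 7871, ""),
    # two DNS lookups: the repeated *remote* port 53 marks a remote server, not a local one
    ("UDP", HOST, 1050, "192.0.2.53", 53, ""),
    ("UDP", HOST, 1051, "192.0.2.53", 53, ""),
    ("ICMP", HOST, 0, "192.0.2.99", 0, ""),   # not TCP/UDP: ignored (slide 41, fact 2)
]

def connection_of(pkt, host=HOST):
    """Slide 43's 4-tuple (hp, hip, rp, rip), prefixed with the protocol, from the host's view."""
    proto, sip, sport, dip, dport, _flags = pkt
    if proto not in ("TCP", "UDP"):
        return None
    if sip == host:
        return (proto, sport, sip, dport, dip)
    if dip == host:
        return (proto, dport, dip, sport, sip)
    return None

def open_ports_by_handshake(packets, host=HOST):
    """Slide 42: a host port that answers an inbound SYN with SYN-ACK is an open (server) port."""
    pending, opened = set(), set()
    for proto, sip, sport, dip, dport, flags in packets:
        if proto != "TCP":
            continue
        if dip == host and flags == "S":
            pending.add((dport, sip, sport))
        elif sip == host and flags == "SA" and (sport, dip, dport) in pending:
            opened.add(("TCP", sport))
    return opened

def open_ports_by_fanout(packets, host=HOST):
    """Slide 43: over the set C of distinct connections, a local port shared by two connections
    is open; a remote port shared by two connections belongs to a remote server (e.g. DNS on 53)."""
    conns = {c for c in (connection_of(p, host) for p in packets) if c}
    by_local, by_remote = defaultdict(set), defaultdict(set)
    for proto, hp, hip, rp, rip in conns:
        by_local[(proto, hp)].add((rp, rip))
        by_remote[(proto, rp)].add((hp, rip))
    local_open = {port for port, peers in by_local.items() if len(peers) >= 2}
    remote_servers = {port for port, peers in by_remote.items() if len(peers) >= 2}
    return local_open, remote_servers

def ports_to_monitor(packets, host=HOST):
    """Slide 41: only the host's own open TCP/UDP ports need deeper monitoring."""
    local_open, _ = open_ports_by_fanout(packets, host)
    return sorted(open_ports_by_handshake(packets, host) | local_open)

if __name__ == "__main__":
    print("open by handshake:", open_ports_by_handshake(SAMPLE_PACKETS))
    print("open by fan-out, remote servers:", open_ports_by_fanout(SAMPLE_PACKETS))
    print("ports to monitor:", ports_to_monitor(SAMPLE_PACKETS))
```

The fan-out rule matters because UDP never shows a handshake: the P2P port 7871 above is only visible as a local port shared by two distinct connections. The client connection on port 1042 is never flagged, and port 53 is correctly attributed to the remote side.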

  44. What To Monitor? • Monitor payload or header? • Problems with payload monitoring • Privacy • Unavailability • Encryption/Obfuscation • Information extracted from the header • New connections (why?) • Packet size (why?) • Upload/Download bandwidth (why?)

  45. How to Monitor? • Traffic patterns vary with time • Special (distinguishing) patterns may appear only for a short while • E.g. new connections • Sudden burst of traffic • Fig: Trojan.Peacomm connections after infection (Grizzard et al., 2007)

  46. How to Monitor? (continued) • Solution 1: Time-series analysis • Each feature is a time series • Sampled at a frequent interval • Problem: feature space too large / impractical • Solution 2: Histogram analysis • Each feature is a histogram • Samples are collected at a frequent interval • Bins are filled up periodically • Problem: size and number of bins?
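Added example (not from the slides) showing the header-only features of slide 44 collected per window as on slide 46: a fixed-bin packet-size histogram plus new-connection and byte counters, flattened into the fixed-length vector a stream classifier would consume (slide 47), and the learn-then-flag rule of slide 27 applied to the burst of new connections a P2P bot produces right after infection (slide 45). Window length, bin edges and the traffic trace are constructed for the example.

```python
from bisect import bisect_left

INTERVAL = 10                        # seconds per window (assumption for this example)
SIZE_BINS = (64, 128, 512, 1500)     # upper bounds of the packet-size bins; a 5th bin takes anything larger

# Constructed header records: (t_seconds, direction "out"/"in", remote_ip, remote_port, size_bytes).
def make_sample():
    recs = []
    for t in range(0, 60, 10):       # 60 s of quiet browsing: one new web server every 10 s
        peer = f"198.51.100.{t // 10 + 1}"
        recs.append((t, "out", peer, 80, 60))
        recs.append((t + 1, "in", peer, 80, 1500))
        recs.append((t + 2, "in", peer, 80, 1500))
    for i in range(40):              # at t=60 the bot greets its hard-coded peer list (slide 39)
        recs.append((60 + i % 10, "out", f"203.0.113.{i + 1}", 7871, 48))
    return recs

def window_features(recs, interval=INTERVAL, bins=SIZE_BINS):
    """Per-window header-only features: new peers, bytes up/down, fixed-bin packet-size histogram."""
    seen, windows = set(), {}
    for t, direction, rip, rport, size in sorted(recs):
        f = windows.setdefault(t // interval,
                               {"new_conns": 0, "up": 0, "down": 0, "hist": [0] * (len(bins) + 1)})
        if (rip, rport) not in seen:         # first packet to a peer counts as a new connection
            seen.add((rip, rport))
            f["new_conns"] += 1
        f["up" if direction == "out" else "down"] += size
        f["hist"][bisect_left(bins, size)] += 1   # bin index by upper bound; >1500 lands in the last bin
    return [windows[w] for w in sorted(windows)]

def feature_vector(f):
    """Flatten one window into the fixed-length vector a stream classifier consumes (slide 47)."""
    return [f["new_conns"], f["up"], f["down"], *f["hist"]]

def burst_windows(features, baseline_windows=3, factor=3, min_conns=5):
    """Learn a new-connection baseline from the first windows, then flag windows that burst above it."""
    if len(features) <= baseline_windows:
        return []
    base = [f["new_conns"] for f in features[:baseline_windows]]
    threshold = max(factor * max(base), min_conns)
    return [i for i, f in enumerate(features) if i >= baseline_windows and f["new_conns"] > threshold]

if __name__ == "__main__":
    feats = window_features(make_sample())
    for i, f in enumerate(feats):
        print(i, feature_vector(f))
    print("burst windows:", burst_windows(feats))
```

The histogram keeps every window's vector the same length regardless of how many packets fell into it, which is what makes it usable as classifier input where a raw time series is not; the cost, as the slide notes, is choosing the bin edges, and a bot that pads its packets to web-like sizes can blur the size histogram even while the new-connection counter still gives it away.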

  47. Mapping to Stream Mining • Network traffic can be thought of as stream data • Detecting botnet traffic inside network traffic can be mapped to a classification problem • Botnet characteristics may change over time • Thus botnet traffic detection can be mapped to a concept-drifting stream data classification problem

  48. Peer to Peer Botnets • by Mehedy Masud

  49. Botnets • Introduction • History • Taxonomy • Overview • Case studies • New technique • Detection and Prevention

  50. Taxonomy