A Multifaceted Approach to Understanding the Botnet Phenomenon

Presentation Transcript

  1. A Multifaceted Approach to Understanding the Botnet Phenomenon
  Authors: Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis, Computer Science Department, Johns Hopkins University
  Presented at: Internet Measurement Conference, IMC'06, Brazil, October 2006
  Presented by: Ramanarayanan Ramani

  2. Outline
  • Working of Botnets
  • Measuring Botnets
  • Inference from Measurement
  • Strengths
  • Weaknesses
  • Suggestions

  3. Botnets
  • A botnet is a network of infected end-hosts (bots) under the command of a botmaster.
  • 3 different protocols used:
    • IRC
    • HTTP
    • P2P

  4. Botnets (contd.)
  3 Steps of Authentication
  • Bot to IRC Server
  • IRC Server to Bot
  • Botmaster to Bot (*)
  (*): Optional step

  5. Measuring Botnets
  • Three distinct phases
    • Malware collection: collect as many bot binaries as possible
    • Binary analysis via gray-box testing: extract the features of suspicious binaries
    • Longitudinal tracking: track how bots spread and their reach

  6. Measuring Botnets
  Darknet: denotes an allocated but unused portion of the IP address space.

  7. Malware Collection
  • Nepenthes is a low-interaction honeypot
  • Nepenthes mimics the replies generated by vulnerable services in order to collect the first-stage exploit
  • Modules in Nepenthes:
    • Resolve DNS asynchronously
    • Emulate vulnerabilities
    • Download files (done here by the Download Station)
    • Submit the downloaded files
    • Trigger events
    • Shellcode handler

  8. Malware Collection
  • Honeynets are also used along with Nepenthes
  • Catch exploits missed by Nepenthes
  • Unpatched Windows XP hosts are run; a clean image serves as the base copy
  • An infected honeypot is compared with the base copy to identify the botnet binary

  9. Gateway
  • Routing to different components
  • Firewall: prevents outbound attacks and self-infection by honeypots
  • Detects and analyzes outgoing traffic for infections in a honeypot
  • Only one infection in a honeypot
  • Several other functions

  10. Binary Analysis
  • Two logically distinct phases
    • Derive a network fingerprint of the binary
    • Derive IRC-specific features of the binary
  • IRC server learns the botnet "dialect" (the template)
  • Learn how to correctly mimic the bot's behavior: subject the bot to a barrage of commands

  11. IRC Tracker
  • Use the template to mimic a bot
  • Connect to the real IRC server
  • Communicate with the botmaster using the bot "dialect"
  • Drones are modified and used by the tracker to act as IRC clients, covering a lot of IP addresses

  12. DNS Tracker
  • Bots issue DNS queries to resolve the IP addresses of their IRC servers
  • Tracker uses DNS requests
  • Has 800,000 entries after reduction
  • Maintains hits to a server
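The DNS-tracker idea on this slide (reduce a list of C&C server names gathered from binary analysis, then count resolution requests per server in DNS query logs), as an added worked example in Python; it is not the paper's tool. The server names, the client IPs and the BIND-style query-log format are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed watch list of C&C host names (placeholders, not real servers), as they
# might come out of binary analysis before reduction: entries differ in case/trailing dot.
RAW_SERVER_LIST = [
    "irc.example-cnc.test.",
    "IRC.EXAMPLE-CNC.TEST",
    "bot-hub.example.test",
    "bot-hub.example.test.",
]

# Constructed query log in an assumed BIND-style format:
# "<timestamp> client <ip>#<port>: query: <name> IN <type> +"
SAMPLE_LOG = """\
12-Mar-2006 10:00:01.120 client 10.0.0.5#3241: query: irc.example-cnc.test IN A +
12-Mar-2006 10:00:02.330 client 10.0.0.7#4012: query: www.example.test IN A +
12-Mar-2006 10:00:03.010 client 10.0.0.5#3242: query: IRC.example-cnc.test. IN A +
12-Mar-2006 10:00:04.500 client 10.0.1.9#1033: query: bot-hub.example.test IN A +
12-Mar-2006 10:00:05.700 client 10.0.0.7#4013: query: bot-hub.example.test IN A +
"""

QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\w+)")

def normalize(name):
    """Canonical host name used for reduction: lower-case, no trailing dot."""
    return name.lower().rstrip(".")

def reduce_server_list(raw):
    """Collapse entries that differ only in case or a trailing dot (the 'reduction' step)."""
    return sorted({normalize(n) for n in raw})

def track_dns(log_text, servers):
    """Return {server: (hits, distinct_clients)} for watched servers seen in the log;
    one client resolving the same server twice is two hits but one client."""
    watch = set(servers)
    hits = defaultdict(int)
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line, or an unexpected format
        name = normalize(m.group("name"))
        if name in watch:
            hits[name] += 1
            clients[name].add(m.group("src"))
    return {n: (hits[n], len(clients[n])) for n in hits}
```

The distinct-client count is the quantity the slides later use as the botnet's DNS footprint; raw hits alone overcount hosts that re-resolve the server on every reconnect.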

  14. Botnet Traffic Share

  15. Botnet Traffic Share

  16. DNS Tracker Results

  17. Bot Scan Method
  • 2 types
    • Immediately start scanning the IP space looking for new victims after infection: 34 / 192
    • Scan when issued a command by the botmaster

  18. Botnet Growth - DNS

  19. Botnet Growth – IRC Tracker

  20. Botnet Online Population

  21. Botnet Online Population

  22. Botnet Software Taxonomy
  (figures: Services Launched in Victim Machine; OS of Exploited Host)

  23. Botmaster Analysis

  24. Strengths
  • All aspects of a botnet analyzed
  • No prior analysis of bots
  • Ability to model various types of bots

  25. Weaknesses
  • Only Microsoft Windows systems analyzed
  • Focus on IRC-based bots, as they are predominant

  26. Suggestions
  • Use the analysis to model new bots
  • Use the analysis to model protection methods

  27. Questions