
“A Multifaceted Approach to Understanding the Botnet Phenomenon”

“A Multifaceted Approach to Understanding the Botnet Phenomenon”. By: Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose & Andreas Terzis Affiliation: Computer Science Department at Johns Hopkins University Published: Internet Measurement Conference (IMC) 2006 Presented by: Andrew Mantel





Presentation Transcript


  1. “A Multifaceted Approach to Understanding the Botnet Phenomenon” By: Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose & Andreas Terzis Affiliation: Computer Science Department at Johns Hopkins University Published: Internet Measurement Conference (IMC) 2006 Presented by: Andrew Mantel Presentation date: April 9, 2009 Class: CAP6135 – Malware and Software Vulnerability Analysis (Spring 2009) Professor: Dr. Cliff Zou

  2. Outline • Goal / Motivation • Overview of botnets • Data collection • Results • Author’s conclusions • My review

  3. Goal / Motivation • Goal: • Get a better understanding of botnets • Motivation: • Botnets are dangerous • Malicious intent • Extortion of Internet businesses • E-mail spamming • Identity theft • Increase in botnet activity in recent years • Despite all this, we don’t know enough details about botnet behavior! M. A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, "A Multifaceted Approach to Understanding the Botnet Phenomenon". In IMC '06: Proceedings of the 6th ACM SIGCOMM on Internet measurement. pp. 41-52. 2006.

  4. Botnet Overview

  5. (Rajab et al, 42, Figure 1)

  6. Step 1: Exploit • Exploit a software vulnerability on the victim host • Same infection strategies as other malware • Worms • Malicious email code (Modified from: Rajab et al, 42, Figure 1)

  7. Step 2: Download bot binary • Infected host executes shellcode that fetches the bot binary from a specified location • Usually the same machine that infected it • After the download, the bot binary installs itself so that it auto-starts on reboot (Modified from: Rajab et al, 42, Figure 1)

  8. Step 3: DNS lookup • Bot needs the IP address of the IRC server • Performs a DNS lookup • Better than hard-coding the server IP: if that IP gets blacklisted or taken down, the botmaster only has to point the DNS name at a new server (Modified from: Rajab et al, 42, Figure 1)

  9. Step 4: Join IRC server • Join the server and channel specified in the bot binary • May use authentication: • Bot authenticates to the server using a password from the bot binary • Bot authenticates to the channel using a channel key from the bot binary • Botmaster authenticates to the bot population before bots accept commands (Modified from: Rajab et al, 42, Figure 1)

  10. Step 5: Execute commands • Bot parses and executes the channel topic • Topic contains the default command for all bots to execute (Modified from: Rajab et al, 42, Figure 1)

  11. (Modified from: Rajab et al, 42, Figure 1)

  12. Data Collection

  13. (Modified from: Rajab et al, 43, Figure 2)

  14. Overview of Data Collection • Three main phases: • Malware collection • Goal: Collect bot binaries • Binary analysis via gray-box testing • Goal: Analyze bot binaries • Longitudinal tracking of botnets • Goal: Use binary analysis to track real botnets

  15. Phase 1: Malware Collection (Modified from: Rajab et al, 43, Figure 2)

  16. Malware Collection • Goal: Collect bot binaries • Setup: Receive connections from a distributed darknet • Darknet = an allocated but unused portion of the IP address space • Two types of collectors: • Nepenthes • Mimics the replies of a vulnerable service to retrieve the shellcode • Passes the URL extracted from the shellcode to a download station, which retrieves the bot binary • Honeypot • Handles cases where nepenthes fails (e.g. an exploit it cannot emulate) • Windows XP running on a VM, connected by VLAN • Collects the bot binary itself

  17. Malware Collection • Gateway provides multiple functions: • Routes darknet traffic to local responders (nepenthes) and honeypots • About a 50/50 split • Firewalls the honeypot so it cannot launch outbound attacks or cross-infect other honeypots • Allows the honeypot to connect to the IRC server but blocks any further communication • Other miscellaneous functions

  18. Phase 1: Malware Collection (Modified from: Rajab et al, 43, Figure 2)

  19. Phase 2: Binary Analysis (Modified from: Rajab et al, 43, Figure 2)

  20. Phase 2: Binary Analysis • Goal: Analyze bot binaries • Setup: Windows XP with the bot binary on a VM connected to a network sink • Sink monitors all network traffic • Two steps: • Network fingerprint • IRC-related features

  21. Phase 2: Binary Analysis • Network fingerprint • fnet = {DNS, IPs, Ports, scan} • DNS = targets of any DNS requests • IPs = destination IP addresses • Ports = contacted ports • Scan = whether the bot tried to IP scan • IRC-related features • Create an IRC daemon listening on all ports specified by fnet • When the bot tries to connect to the IRC server, create the IRC fingerprint: • firc = {PASS, NICK, USER, MODE, JOIN}

  22. Phase 2: Binary Analysis • fnet and firc provide enough information to join a real botnet • However, still need the botnet “dialect” • dialect = “the syntax of the botmaster’s commands as well as the corresponding responses sent by the actual bot” (Rajab et al, 44) • To learn the dialect: • Let the bot connect to the local IRC server • Bot connects to the default channel • IRC query engine plays the role of the botmaster, generating commands • What commands to generate? • Those observed by the honeynet • Known commands of observed botnets
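The following is an added example, not code from Rajab et al. or their analysis system: it shows what slides 9, 10 and 21 describe at the byte level, building firc = {PASS, NICK, USER, MODE, JOIN} from the client half of a bot's first IRC session as a sink would record it, capturing the channel topic (the RPL_TOPIC numeric 332 that the bot treats as its default command), and generalising the observed nick into a template a tracking drone could reuse. The session bytes, nick scheme, passwords and topic are constructed for the example, and the function names are this example's own.

```python
# Added example, not code from Rajab et al.: build the IRC fingerprint
# firc = {PASS, NICK, USER, MODE, JOIN} from the client-to-server half of a
# bot's first IRC session, and record the channel topic (RPL_TOPIC, numeric
# 332) that the bot will parse as its default command.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample session: what a network sink would see when the bot
# binary connects to the local IRC daemon. Nick, passwords and topic are
# made up for the example.
SAMPLE_SESSION = (
    b"PASS s3rv3rpw\r\n"
    b"NICK [DEU|XP]-8834102\r\n"
    b"USER xzqmp 0 * :xzqmp\r\n"
    b"MODE [DEU|XP]-8834102 +ix\r\n"
    b"JOIN #chan ch4nkey\r\n"
    b":irc.example 332 [DEU|XP]-8834102 #chan :.scan.start 445 200 0\r\n"
)

FINGERPRINT_CMDS = ("PASS", "NICK", "USER", "MODE", "JOIN")


@dataclass
class IrcFingerprint:
    fields: Dict[str, str] = field(default_factory=dict)  # firc
    channel: Optional[str] = None
    channel_key: Optional[str] = None
    topic: Optional[str] = None


def parse_irc_line(line: str) -> Tuple[Optional[str], str, List[str]]:
    """Split one IRC line into (prefix, COMMAND, params) per RFC 1459 framing:
    optional ':prefix', space-separated params, and a trailing ':param'."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if trailing is not None:
        parts.append(trailing)
    return prefix, parts[0].upper(), parts[1:]


def extract_fingerprint(session: bytes) -> IrcFingerprint:
    """Walk the session once; client commands carry no prefix, server replies do."""
    fp = IrcFingerprint()
    for raw in session.split(b"\r\n"):
        if not raw:
            continue
        prefix, cmd, params = parse_irc_line(raw.decode("latin-1"))
        if prefix is None and cmd in FINGERPRINT_CMDS:
            fp.fields[cmd] = " ".join(params)
            if cmd == "JOIN":
                fp.channel = params[0]
                fp.channel_key = params[1] if len(params) > 1 else None
        elif cmd == "332" and len(params) >= 3:  # RPL_TOPIC <nick> <channel> :<topic>
            fp.topic = params[-1]
    return fp


def nick_template(nick: str) -> str:
    """Generalise the observed nick into a regex: digit runs become \\d+, so a
    tracking drone can generate fresh nicks that fit the bot's naming scheme."""
    return re.sub(r"\d+", r"\\d+", re.escape(nick))


def nick_matches(template: str, nick: str) -> bool:
    return re.fullmatch(template, nick) is not None


def drone_nick(observed_nick: str, serial: int) -> str:
    """Produce a new nick in the same scheme by swapping the first digit run."""
    return re.sub(r"\d+", str(serial), observed_nick, count=1)


if __name__ == "__main__":
    fp = extract_fingerprint(SAMPLE_SESSION)
    print("firc:", fp.fields)
    print("channel:", fp.channel, "key:", fp.channel_key)
    print("default command (topic):", fp.topic)
    print("nick template:", nick_template(fp.fields["NICK"]))
    print("drone nick:", drone_nick(fp.fields["NICK"], 42))
```

The server-side half (the query engine that replays botmaster commands to learn the dialect) is deliberately not shown; the point here is that five client lines plus the topic are enough to impersonate a member of the channel, which is why the paper treats firc as the key to longitudinal tracking.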

  23. Phase 2: Binary Analysis (Modified from: Rajab et al, 43, Figure 2)

  24. Phase 3: Longitudinal Tracking of Botnets (Modified from: Rajab et al, 43, Figure 2)

  25. Phase 3: Longitudinal Tracking of Botnets • Two mechanisms: • IRC tracking • DNS tracking • IRC tracker (drone) • Drone is given firc and the dialect template • Connects to the real IRC server and pretends to participate • Must be intelligent enough to mimic a real bot • Can run multiple drones per machine • Drone periodically disconnects from the server and changes its external IP, so it does not stand out as one permanent, fixed-address client

  26. Phase 3: Longitudinal Tracking of Botnets • DNS tracking • Exploits the fact that most bots issue DNS queries to resolve the IP address of the IRC server • Probe the caches of a large number of DNS servers (about 800,000) for the botnet domain name • Record the number of hits as the DNS footprint of the botnet • This is merely a lower bound • A server only shows a hit if some bot behind it queried the name within the record's TTL • A hit counts that DNS server once, even if many bots behind it queried the name • Still, a good relative measure
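As an added example (not code from Rajab et al.), the wire-level mechanics behind the DNS footprint: a query with the RD (recursion desired) bit clear asks a resolver to answer only from its cache, so an A record in the reply means some client of that resolver looked the name up within the record's TTL, while an empty answer is a miss. The exact probing method the paper used is not described on these slides, so treat the non-recursive query as this example's assumption. No packets are sent: the resolver replies are constructed in the block, and `cnc.example` is a placeholder name.

```python
# Added example, not code from Rajab et al.: the wire-level half of DNS cache
# probing. A query with RD=0 asks a resolver to answer only from cache, so an
# A record in the reply means some client of that resolver recently looked up
# the botnet's C&C name. Message formats follow RFC 1035; nothing is sent on
# the network, the replies below are constructed for the example.
import struct
from typing import Dict, Optional, Tuple


def encode_name(name: str) -> bytes:
    """'cnc.example' -> length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_probe(domain: str, txid: int) -> bytes:
    """Non-recursive A query: the flags word is all zero, so RD=0."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(domain) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def skip_name(buf: bytes, off: int) -> int:
    """Offset just past a name, written out in full or as a 2-byte compression pointer."""
    while True:
        ln = buf[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln


def classify_reply(reply: bytes, txid: int) -> Tuple[str, Optional[int]]:
    """('hit', remaining_ttl) when the resolver served an A record from cache,
    ('miss', None) for an empty answer, NXDOMAIN, REFUSED or a bare referral."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our probe")
    if flags & 0x000F != 0 or an == 0:
        return ("miss", None)
    off = 12
    for _ in range(qd):                       # skip the echoed question
        off = skip_name(reply, off) + 4
    off = skip_name(reply, off)               # name of the first answer RR
    rtype, _rclass, ttl, _rdlen = struct.unpack("!HHIH", reply[off:off + 10])
    if rtype != 1:
        return ("miss", None)
    # The remaining TTL is below the authoritative TTL by however long ago the
    # resolver fetched the record, so it also dates the last lookup.
    return ("hit", ttl)


def dns_footprint(replies: Dict[str, bytes], txid: int) -> int:
    """Number of probed resolvers with the name cached: a lower bound on the
    botnet, one hit per resolver no matter how many bots sit behind it, and
    only if a lookup happened within the record's TTL."""
    return sum(1 for r in replies.values() if classify_reply(r, txid)[0] == "hit")


def make_reply(txid: int, domain: str, cached: bool, ttl: int = 0,
               ip: str = "198.51.100.7") -> bytes:
    """Constructed resolver reply for the example: QR=1, RA=1, RD=0 echoed, and
    either one A record (name given as a pointer to the question at offset 12)
    or NOERROR with an empty answer section."""
    header = struct.pack("!HHHHHH", txid, 0x8080, 1, 1 if cached else 0, 0, 0)
    question = encode_name(domain) + struct.pack("!HH", 1, 1)
    answer = b""
    if cached:
        answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                  + bytes(int(o) for o in ip.split(".")))
    return header + question + answer


if __name__ == "__main__":
    txid = 0x1234
    probe = build_probe("cnc.example", txid)
    print("probe flags:", probe[2:4].hex())  # 0000: RD clear
    # Constructed replies from three resolvers; the third never saw the name.
    replies = {
        "resolver-a": make_reply(txid, "cnc.example", cached=True, ttl=1712),
        "resolver-b": make_reply(txid, "cnc.example", cached=True, ttl=43),
        "resolver-c": make_reply(txid, "cnc.example", cached=False),
    }
    for name, r in replies.items():
        print(name, classify_reply(r, txid))
    print("DNS footprint (lower bound):", dns_footprint(replies, txid))
```

Two resolvers with a cached answer give a footprint of 2 even if hundreds of bots sit behind each of them, which is the slide's point about the measure being a lower bound; against real resolvers the same probe also has to tolerate servers that refuse non-recursive queries or answer with a referral, both of which the classifier counts as misses.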

  27. Phase 3: Longitudinal Tracking of Botnets (Modified from: Rajab et al, 43, Figure 2)

  28. (Modified from: Rajab et al, 43, Figure 2)

  29. Results

  30. Botnet Traffic Share • Compared the total # of incoming SYN packets to the local darknet against those originating from known botnet spreaders • Known botnet spreader = any source observed to have delivered a bot binary • Approximately 27% of incoming SYNs came from known botnet spreaders • This is a lower-bound estimate, since only sources actually caught delivering a binary are counted

  31. Global look at botnet prevalence • Overview: • During the DNS probing experiments, tracked 65 IRC server domain names • Of the 800,000 probed servers, 85,000 (11%) showed at least one botnet activity • Let’s take a closer look at globally tracking a single botnet IRC server

  32. Global look at botnet prevalence (star is the IRC server, clouds are connections) (Rajab et al, 47, Figure 6)

  33. Botnet Spreading & Growth Patterns • Two types of spreaders: • Type I: worm-like botnets • 17.7% of observed botnets • Continuously scan certain ports following a given target selection algorithm • Type II: variable scanning botnets • The majority of observed botnets • Use different algorithms to scan • Only scan when commanded to • Different growth patterns (semi-exponential, staircase, linear)… harder to track

  34. Botnet Spreading & Growth Patterns (Cropped from: Rajab et al, 48, Figure 7)

  35. Effective Botnet Sizes • effective size = # of bots connected to the IRC server at a specific time (as opposed to the footprint, the total # of distinct bots seen) • Observed that a botnet’s effective size is much smaller than its footprint • Bots usually only stay connected for about 25 minutes • May be due to client instability as a result of infection • More likely, the botmaster tells them to leave
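To make the footprint versus effective size distinction concrete, here is an added example (not code from Rajab et al.) that computes both, plus the peak concurrent size and the session lengths, from a drone's JOIN/PART log by replaying the events in time order. The log lines and the [country|OS]-number nick scheme are constructed for the example; a bot still online when observation ends gets a session censored at that time rather than being dropped.

```python
# Added example, not code from Rajab et al.: footprint versus effective size
# computed from a drone's JOIN/PART log. The log lines are constructed for
# the example; nicks follow a made-up [country|OS]-number scheme.
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple

# Constructed drone log: ISO timestamp, event, nick. One bot ([USA|XP]-118)
# leaves and comes back; the footprint counts it once.
DRONE_LOG = """\
2006-03-01T10:00:00 JOIN [USA|XP]-118
2006-03-01T10:02:00 JOIN [DEU|XP]-207
2006-03-01T10:05:00 JOIN [FRA|2K]-331
2006-03-01T10:20:00 PART [USA|XP]-118
2006-03-01T10:26:00 JOIN [USA|XP]-118
2006-03-01T10:30:00 PART [DEU|XP]-207
2006-03-01T10:31:00 JOIN [BRA|XP]-409
2006-03-01T10:55:00 PART [FRA|2K]-331
2006-03-01T10:58:00 PART [USA|XP]-118
"""

Event = Tuple[datetime, str, str]


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        ts, ev, nick = line.split(None, 2)
        events.append((datetime.fromisoformat(ts), ev.upper(), nick))
    events.sort(key=lambda e: e[0])
    return events


def footprint(events: List[Event]) -> int:
    """Distinct bots seen over the whole observation: the botnet's footprint."""
    return len({nick for _, _, nick in events})


def effective_size(events: List[Event], at: datetime) -> int:
    """Bots connected at the instant `at`: replay joins and parts up to then."""
    online = set()
    for ts, ev, nick in events:
        if ts > at:
            break
        if ev == "JOIN":
            online.add(nick)
        elif ev == "PART":
            online.discard(nick)
    return len(online)


def peak_effective_size(events: List[Event]) -> int:
    """Largest number of bots simultaneously online, from a single sweep."""
    online, peak = set(), 0
    for _, ev, nick in events:
        if ev == "JOIN":
            online.add(nick)
            peak = max(peak, len(online))
        elif ev == "PART":
            online.discard(nick)
    return peak


def session_minutes(events: List[Event], end: datetime) -> List[float]:
    """Length of each JOIN..PART session in minutes. A bot still online at the
    end of observation gets a censored session that stops at `end`."""
    start, lengths = {}, []
    for ts, ev, nick in events:
        if ev == "JOIN":
            start[nick] = ts
        elif ev == "PART" and nick in start:
            lengths.append((ts - start.pop(nick)).total_seconds() / 60)
    for ts in start.values():
        lengths.append((end - ts).total_seconds() / 60)
    return lengths


def summarize(text: str, at_iso: str, end_iso: str) -> Dict[str, float]:
    """All four measures for one log, at one instant, with one observation end."""
    ev = parse_log(text)
    return {
        "footprint": footprint(ev),
        "effective_at": effective_size(ev, datetime.fromisoformat(at_iso)),
        "peak": peak_effective_size(ev),
        "median_session_min": median(session_minutes(ev, datetime.fromisoformat(end_iso))),
    }


if __name__ == "__main__":
    print(summarize(DRONE_LOG, "2006-03-01T10:40:00", "2006-03-01T11:00:00"))
```

On this log the footprint is 4 bots but no more than 3 are ever online at once, and the median session is under half an hour, which is the shape of the paper's observation in miniature; on a real drone log the same censoring caveat matters much more, because a drone that only watches for an hour cannot distinguish a bot that stays for days from one that leaves right after the window.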

  36. Some other results • Botnets have a long lifetime • 84% of the observed IRC servers were still up at the end of the study • Bots can disable anti-virus/firewall processes and protect themselves from being disabled • Infection frequency by OS: (Rajab et al, 50, Table 4)

  37. Author’s Conclusions • Botnets are very dangerous • Botnets are a major contributor to unwanted traffic on the Internet • By understanding botnets, we will be better able to deal with them

  38. My Review

  39. Strengths • Good overview of botnet basics • Detailed botnet analyzing architecture • Architecture attacked the problem from multiple fronts • nepenthes + honeypots • IRC tracking + DNS tracking • Graphs/tables for most data • Results supported by cross referencing data • Even more data made publicly available: <http://hinrg.cs.jhu.edu/botnets/>

  40. Weaknesses • Not many weaknesses… authors were very thorough • Architecture was completely automated, so missed out on smarter botnets • How accurate is “botnet traffic share” based only on traffic to a darknet? • One important piece of data they should have reported in the paper: average botnet fingerprint sizes

  41. Extensions/Improvements • Improve intelligence of: • nepenthes • Botmaster IRC query engine • Bot dialect template acquisition • Update data to keep track of current botnets • Monitor botnet traffic share within used IP space • Discuss ways to apply this data to prevent botnet formation

  42. References • [1] M. A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, "A Multifaceted Approach to Understanding the Botnet Phenomenon". In IMC '06: Proceedings of the 6th ACM SIGCOMM on Internet measurement. pp. 41-52. 2006.
