1 / 43

Taxonomy of Botnet Threats

Taxonomy of Botnet Threats. Defense by the Wanderers Angel  Pia Jr., Wander Smelan, Koonal Bose, Scott Thompson. Botnet Debate. Resolve that the Trend Micro white paper: Taxonomy of Botnet Threats provided a better understanding of botnet behavior, detection and mitigation.

juan
Download Presentation

Taxonomy of Botnet Threats

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Taxonomy of Botnet Threats Defense by the Wanderers Angel  Pia Jr., Wander Smelan, Koonal Bose, Scott Thompson

  2. Botnet Debate • Resolve that the Trend Micro white paper: Taxonomy of Botnet Threats provided a better understanding of botnet behavior, detection and mitigation.

  3. What this white paper is and what it is not. • It is not meant to be the most comprehensive, all inclusive, most definitive resource material for botnets and its future incarnations. • It is a working document meant to provide an organized and systematic approach to understanding botnets and its behavior to confront the threat that it poses. • And for this reason this white paper merits its intended goal above any minor and nit-picky blemishes it may have, if ever it has.

  4. Outline • Definition [Angel Pia] • History and background [Angel Pia] • Taxonomy of botnets • Attacking behavior [Wander Smelan] • Command and Control model [Wander Smelan] • Rallying mechanisms [Koonal Bose] • Communication Protocols [Koonal Bose] • Evasion Techniques [Scott Thompson] • Observable botnet activities [Scott Thompson] • Conclusion and Q&A

  5. Definition • Botnets (robot networks) • zombie computers/drones/armies • large number of compromised computers under the control of a botmaster • means to conduct various attacks ranging from Distributed Denial of Service (DDoS) to email-spamming, spreading new malware, etc. • harnessing immense computing power. Source: A typical botnet created from zombies (Credit: Cisco) http://www.macworld.co.uk/business/news/index.cfm?newsid=25756

  6. Definition • Bot • compromised host computer • also refer to the code planted on such computer. • Botmaster • one or a few computers used by the crackers to run command and control operations over the botnet. • Taxonomy • Science or technique of classification

  7. History and background • First bot PrettyPark worm (1999) • retrieved log-in names, email addresses, nicknames. • connects to a remote IRC server from which the botmaster can remotely control a large pool of infected hosts. • first time such command and control method was employed. • this concept soon spread to the rest of the black hat community and various variants of the botnet evolved through the years. • Rise of profit-driven attacks such as DDoS, spamming, phishing and identity theft of which botnets have proven to be a compelling vehicle over status-seeking and vandalism objectives.

  8. History and background DDoS, spamming, phishing and identity theft attacks from botnets.

  9. History and background

  10. History and background • Sophistication of attacks and now has evolved to one which poses the highest security threat in the internet. • In 2006, it cost $67.2B for US businesses to deal with malware.

  11. Taxonomy of botnets • Attacking behavior • means of compromising, propagating and launching attacks from a botnet • DDoS; scan; remote exploits; junk emails (phishing and virus attachments); phishing websites; spyware; identity theft; etc • Command & Control (C&C) models • classification of botnet topologies • centralized; distributed; P2P; etc • Rally mechanisms • methods of bot activation into the botnet for malware service. • hard-coded IP; Dynamic DNS; Distributed DNS; etc

  12. Taxonomy of botnets • Communication protocols • way of botnets communicating to each other and to the botmaster or C&C server • IRC; HTTP; IM; P2P; etc • Observable botnet activities • other observable techniques • DNS queries; burst short packets; abnormal system calls; etc • Evasion Techniques • ways botnets evade detection • HTTP/VOIP tunneling; IPv6 tunneling; P2P encrypted traffic; etc

  13. Attacking Behaviors

  14. Attacking Behaviors Purposes and techniques: • Infecting new hosts (propagation of botnets) • social engineering and distribution of malicious emails • Stealing Sensitive Information   • keylogger and Network traffic sniffers • Sending Spam and Phishing • botnets distribute untraceable emails • Distributed Denial of Service (DDoS) • large amount of synchronized requests to a particular server or service

  15. Command and Control (C&C) • Used to manage large-scale attacks • Essential for operation and support of botnets • Weakest links of botnets • 3 types: Centralized, Peer-to-Peer (P2P) and Random

  16. Attacking Behaviors Profile of a botnet mastermind • Name: Owen Thor Walker • Aka “AKILL” • Country: New Zealand • Started his “A-TEAM” botnet group when he was 16. By age 19, had 1.3mi+ computers • Had been diagnosed with Asperger's syndrome, a mild form of autism often characterized by social isolation, when he was 10 • Caused damaged of over $20mi • Caused computer to crash, stole private information and sold to e-criminals.

  17. Command and Control (C&C) Centralized C&C Model • Most commonly used • Simple to implement and customize • Easiest to eliminate • Small message latency • Botnet network size: 1,000++ Source: http://mrcracker.com/2009/09/botnet/

  18. Command and Control (C&C) P2P C&C Model • More resilient to failures • Less common, hard to discover, and hard to defend • Unreliable from the messaging system perspective • Hard to launch large scale attacks • Botnet network size: 10-50 Source: http://mrcracker.com/2009/09/botnet/

  19. Command and Control (C&C) Random C&C Model • Described by Evan Cooke – but still not in use in real world botnets • Model: Bot waits (listens) for incoming connection. • Easy implementation • Highly resilient to discovery and destruction. • Scalability limitations make it difficult to coordinate large attacks.

  20. Rallying Mechanisms

  21. Rallying Mechanisms • Hard-coded IP address • Dynamic Domain Name Server • Distributed DNS service

  22. Rallying Mechanisms Hard-coded IP address • The bot includes hard-coded C&C server IP address in its binary. • Easy to defend against if ip addresses is detected • channel is blocked • botnet is deactivated

  23. Rallying Mechanisms Dynamic DNS • Hard-coded domain names, assigned by dynamical DNS providers • If C&C Server is deactivated, botmaster can resume control by assigning a new IP address to corresponding DNS entry • Makes it harder to detect

  24. Rallying Mechanisms Distributed DNS service • Botnets run their own distributed DNS service • Many are run at high port numbers in order to avoid detection by security devices • Hardest to identify and destroy

  25. Communication Protocols • Botnets communicate with each other and their Botmasters following well defined network protocols • Importance of discovering communication has 2 main advantages • understanding Botnets origin, and possible software tools used • helps security groups decode conversations between bots and between bots and their master • Main Communication Protocols being used • IRC (Internet Relay Chat) • HTTP (Hypertext Transfer – www) • P2P (Peer to Peer) • IM (Instant Messaging)

  26. Communication Protocols IRC Protocol • IRC based Botnets are most frequently used • IRC is mainly designed for group communication but can also handle private messages between two people • Botnet C&C Server runs an IRC service that is no different from a standard IRC server • Inbound vs Outbound IRC traffic • inbound usually indicates local host is being recruited by Botnet • outbound usually indicates local host has been compromised and is being used as a C&C server of a Botnet • Firewalls can be configured to block IRC traffic • IRC botnets have scripts that parse messages and will execute malicious functions accordingly

  27. + Botmaster Communication Protocols IRC Protocol • Botnet C&C Server running IRC service IRC Server

  28. + Botnet user Communication Protocols IRC Protocol • Once detected can easily be blocked

  29. Communication Protocols HTTP and Other Protocols • 2 main advantages of using HTTP Protocol • Blends with normal Internet traffic • Abnormal ports are normally blocked at firewall, HTTP allows botnet to communicate back with the C&C Server • HTTP is harder to detect but not impossible since response header fields and page payload would be different from normal HTTP traffic. • P2P and IM are more recent protocols being used by Botnets • Still relatively small number compared to HTTP and IRC

  30. Communication Protocols • P2P Protocol • Distributed control

  31. Communication Protocols • P2P Protocol • Distributed control • Even if one is detected it is hard to disable

  32. Evasion and Detection Techniques

  33. Detection and Evasion Techniques Detection Techniques Antivirus & Intrusion Detection Systems (IDS) These antivirus systems are based on virus signature. Anomaly-based detection systems  Monitor communication traffic 

  34. Detection and Evasion Techniques Evasion Techniques • From Signature-based Detection • Executable Packers • Rootkits • Protocol evasion techniques • From Anomaly-based detection systems  • New / modified communication protocols: IRC, HTTP, VoIP • Utilize secure channels to hide communications • Alternative channels: ICMP or IPv6 tunneling • Potentially use SKYPE or IM

  35. Detection and Evasion Techniques Effective Detection Alternative Combination of Techniques: Detect connections to C&C centers Monitor for Communication Traffic Monitor for Anomalous Behavior

  36. Detection and Evasion Techniques Combating Botnets focusing on Detectable Behavior  • Global Correlation Behavior • Network-based Behavior • Host-Based Behavior

  37. Detection and Evasion Techniques Network-based Behaviors • Observable Communications: • Monitor IRC & HTTP traffic to servers that don't require these protocols • IRC traffic that is not “human readable” • DNS queries (lookups for C&C controllers) • Frequency changes in IP for DNS lookups • Long idle periods followed by very rapid responses • Very bursty traffic patterns • Attack Traffic: • Denial of Service: TCP SYN packets (invalid source) • Internal system sending emails (Phishing)

  38. Detection and Evasion Techniques Host-based Behaviors Detectable activity on an infected host: Disabled Anti-virus Large numbers of updates to system registry Specific system/library call sequences

  39. Detection and Evasion Techniques Global Correlated Behaviors Common across different Botnet implementations: • Detect DNS changes for C&C host • Large numbers of DNS queries

  40. Conclusion

  41. Conclusion • Botnets are a dangerous evolution in the malware world • They are being used to damage systems, steal information and comprise systems • They are hard to detect and eliminate • The taxonomy approach allowed us an organized and systematic means to understanding the nature of botnets and their behaviors. This will allow us to mitigate the threat with corrective measures.

  42. Q&A

  43. Conclusion The Wanderers

More Related