
Understanding Botnet Phenomenon



  1. Understanding Botnet Phenomenon MITP 458 - Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev

  2. What is a Botnet? • The term botnet is used for networks of infected end-hosts, called bots, that are under the control of a human operator commonly known as a botmaster • Command and control (C&C) channels are used to disseminate the botmaster's commands to the bots • IRC (Internet Relay Chat) was the main C&C vehicle for the botnets studied

  3. IRC Concept – RFC 1459 • IRC is an open protocol that uses TCP (figure legend: green = normal clients, blue = bots, orange = bouncers)

  4. IRC Concept – RFC 1459 • Example 1: A message between clients 1 and 2 is only seen by server A, which sends it straight to client 2. • Example 2: A message between clients 1 and 3 is seen by servers A & B, and client 3. No other clients or servers are allowed to see the message. • Example 3: A message between clients 2 and 4 is seen by servers A, B, C & D and client 4 only.
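The three examples above can be reproduced on the RFC 1459 server tree itself. The following Python is an added example, not code from the slides or the paper: it models the figure's topology (servers A to E and clients 1 to 4, with the client placements assumed from the RFC's figure) and computes which servers and clients observe a private message or a channel message. The channel case is the one that matters for C&C: every bot in the channel, and any tracking drone that has joined it, receives the same command.

```python
"""Which servers and clients see an IRC message, simulated on the spanning
tree of RFC 1459 section 1.2 (added example, not from the slides or paper)."""
from collections import deque

# Constructed topology, modelled on the example figure in RFC 1459 section 1.2:
# servers A-E form a spanning tree; each client (1-4) is attached to one server.
SERVER_LINKS = {
    "A": {"B"},
    "B": {"A", "C"},
    "C": {"B", "D", "E"},
    "D": {"C"},
    "E": {"C"},
}
CLIENT_HOME = {"1": "A", "2": "A", "3": "B", "4": "D"}


def server_path(src, dst):
    """Servers crossed from src to dst, inclusive. The network is a tree, so
    the breadth-first path is the only path and is the one the message takes."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in sorted(SERVER_LINKS[node]):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        raise ValueError(f"no route from server {src} to {dst}")
    path = []
    node = dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def who_sees(sender, receiver):
    """(servers, clients) that observe a private message sender -> receiver.
    Only the servers on the tree path and the receiver itself see it; any
    bouncer or compromised server on that path can read or alter it."""
    servers = server_path(CLIENT_HOME[sender], CLIENT_HOME[receiver])
    return servers, [receiver]


def channel_audience(sender, members):
    """(servers, clients) that see one message to a channel. This is the C&C
    case: a single botmaster command fans out along the union of the paths to
    every member, which is why a tracking drone sitting in the channel
    receives every command the real bots do."""
    servers = {CLIENT_HOME[sender]}  # the sender's own server always sees it
    others = sorted(m for m in members if m != sender)
    for m in others:
        servers.update(server_path(CLIENT_HOME[sender], CLIENT_HOME[m]))
    return sorted(servers), others
```

With the figure's placements, `who_sees("2", "4")` yields servers A, B, C and D, matching example 3, while server E, which has no client on the path, never sees the message.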

  5. How to Analyze Botnets? • Develop a scalable and robust infrastructure to capture and concurrently track multiple botnets • Must be benign: never used to infect hosts outside the testing environment • Analyze measurements of the structural and behavioral aspects of botnets • IRC tracking, plus DNS cache probing (minimal)

  6. Birth of a Bot • Bots are born from program binaries that infect a PC, delivered by: • Self-replicating worms • E-mail viruses • Shellcode (scripts)

  7. Data collection methodology • Phase 1: Malware collection • Collect as many different binaries (bots) as possible • Phase 2: Binary analysis via gray-box testing • Analyze the sophistication of each bot • Phase 3: Longitudinal tracking of IRC botnets through IRC and DNS trackers • Monitor the pervasiveness of each bot

  8. Overview of data collection (figure)

  9. Malware Collection • Unpatched Windows XP hosts are run; a clean copy serves as the base image • Nepenthes mimics the replies generated by vulnerable services in order to collect the first-stage exploit • Honeynets catch the exploits that nepenthes misses • An infected honeypot is compared with the base image to identify the botnet binary

  10. Binary Analysis via gray-box testing • Network fingerprint (DNS lookups, IPs, ports, scanning behavior) • IRC login sequence (PASS, NICK, USER, MODE, JOIN) • Learn the botnet dialect
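To make the login sequence concrete, here is an added Python example (not the paper's gray-box harness) that parses a constructed bot login, builds the fingerprint a tracker needs, and renders the same dialect back for a drone to replay. The session text, server password, nick format, channel and channel key are made up for illustration.

```python
"""Recover an IRC C&C fingerprint from a bot's login dialogue and replay it
as a tracking drone would (added example, not the paper's tracker code)."""
import re

# Constructed sample: the client->server half of a bot's first connection,
# as a gray-box run would capture it. Password, nick, channel and key are made up.
SAMPLE_SESSION = """\
PASS s3cr3tb0t
NICK [USA|XP]-482913
USER usaxp 0 0 :usaxp
MODE [USA|XP]-482913 +ix
JOIN #c0mmand k3ybot
"""


def parse_irc_line(line):
    """Split one message per RFC 1459 section 2.3.1 into (prefix, command,
    params); a trailing ':' argument becomes the last param, spaces included."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    command, params = parts[0].upper(), parts[1:]
    if sep:
        params.append(trailing)
    return prefix, command, params


def nick_pattern(nick):
    """Generalise a bot nick into a regex by replacing digit runs with \\d+,
    so one pattern matches every member of the family despite random suffixes."""
    return re.sub(r"\d+", r"\\d+", re.escape(nick))


def fingerprint(session):
    """Walk the login sequence and keep the fields a drone needs to pass as a
    bot: server password, nick template, USER arguments, user modes, channel
    and channel key."""
    fp = {"pass": None, "nick": None, "nick_pattern": None, "user": None,
          "modes": None, "channel": None, "key": None}
    for raw in session.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        _, cmd, params = parse_irc_line(raw)
        if cmd == "PASS" and params:
            fp["pass"] = params[0]
        elif cmd == "NICK" and params:
            fp["nick"] = params[0]
            fp["nick_pattern"] = nick_pattern(params[0])
        elif cmd == "USER" and params:
            fp["user"] = params
        elif cmd == "MODE" and len(params) >= 2:
            fp["modes"] = params[1]
        elif cmd == "JOIN" and params:
            fp["channel"] = params[0]
            fp["key"] = params[1] if len(params) > 1 else None
    return fp


def same_family(fp, nick):
    """True when nick fits the learned template (another bot, or our drone)."""
    return re.fullmatch(fp["nick_pattern"], nick) is not None


def drone_login(fp, suffix):
    """Render the lines a drone sends to join the same channel in the learned
    dialect, substituting its own numeric suffix for the bot's random one."""
    nick = re.sub(r"\d+$", suffix, fp["nick"])
    user = fp["user"]
    lines = []
    if fp["pass"]:
        lines.append(f"PASS {fp['pass']}")
    lines.append(f"NICK {nick}")
    lines.append("USER " + " ".join(user[:-1]) + " :" + user[-1])
    if fp["modes"]:
        lines.append(f"MODE {nick} {fp['modes']}")
    join = f"JOIN {fp['channel']}"
    if fp["key"]:
        join += f" {fp['key']}"
    lines.append(join)
    return lines
```

The same parser handles the server side of the dialogue, so a drone can feed incoming `PRIVMSG` lines from the channel through `parse_irc_line` and log the botmaster's commands without ever executing them.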

  11. Longitudinal Tracking of Botnets • The IRC tracker (also called a drone) acts as a bot: it speaks the learned dialect to join the C&C channel, then iteratively probes to find the footprint of a particular botnet, effectively acting as a spy • DNS tracking: DNS cache probing for the botnets' C&C domain names • About 800,000 name servers probed
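DNS cache probing works by asking a name server for the C&C hostname with the recursion-desired bit cleared, so the server answers only if it already holds the name in its cache. The following is an added Python example of that probe (the paper's own prober is not shown on the slides); the hostname, transaction id and the two constructed replies are made up. Caveats a practitioner should keep in mind: some resolvers recurse regardless of RD, some refuse non-recursive queries from outside their network, and a cached entry only says that some client behind that resolver looked the name up, not how many bots did.

```python
"""Non-recursive DNS cache probe for a C&C hostname (added example; the
paper's own prober is not shown on the slides)."""
import socket
import struct

TXID = 0x1234  # fixed id for the constructed examples; randomise in real use


def encode_name(qname):
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_probe(qname, txid=TXID):
    """A-record query with the RD (recursion desired) bit cleared. A resolver
    that has qname cached answers from cache; one that does not should reply
    with no answer rather than resolving it, so the probe does not itself
    plant the name in the cache or alert the C&C domain's authority."""
    flags = 0x0000  # QR=0, OPCODE=QUERY, RD=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Advance past a (possibly compressed) name; returns the next offset."""
    while True:
        ln = data[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln


def parse_reply(data, txid=TXID):
    """Interpret a reply: cached means RCODE 0 with at least one answer while
    RD was 0. min_ttl is the lowest remaining TTL in the answer section, which
    hints how recently a client behind the resolver fetched the name."""
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0xF
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    ttls = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        ttls.append(ttl)
        off += 10 + rdlen
    return {"rcode": rcode, "answers": an, "cached": rcode == 0 and an > 0,
            "min_ttl": min(ttls) if ttls else None}


def probe(server_ip, qname, timeout=2.0):
    """Send one probe over UDP and interpret the reply (needs network access).
    Treat a single positive as a hint, not proof: resolvers differ in how they
    honour RD=0."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_probe(qname), (server_ip, 53))
        data, _ = s.recvfrom(512)
    return parse_reply(data)


# Constructed reply as a resolver that holds the name would send it:
# QR=1, RD=0, RA=1, RCODE=0, one A answer (pointer to the question name),
# 300 s of TTL remaining, address 192.0.2.10.
CACHED_REPLY = (struct.pack("!HHHHHH", TXID, 0x8080, 1, 1, 0, 0)
                + encode_name("irc.example.net") + struct.pack("!HH", 1, 1)
                + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                + bytes([192, 0, 2, 10]))
# Constructed reply from the same resolver when the name is not cached.
EMPTY_REPLY = (struct.pack("!HHHHHH", TXID, 0x8080, 1, 0, 0, 0)
               + encode_name("irc.example.net") + struct.pack("!HH", 1, 1))
```

Probing a large population of open resolvers this way estimates how widely a C&C name is being resolved without ever contacting the C&C server; the remaining TTL, compared with the record's full TTL, dates the most recent lookup.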

  12. Botnet Scanning • Worm-like botnets immediately start scanning the IP space looking for new victims after infection: 34 of 192 botnets • Variable-scanning botnets scan only when issued a command by the botmaster
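The two scanning behaviours can be told apart in flow records by timing: a worm-like bot sweeps the address space within seconds of its first contact, while a command-driven bot stays quiet until the botmaster's order arrives. The following Python is an added example (not the paper's measurement code) run over constructed flow records; the thresholds, the grace period, and the use of first-seen time as a proxy for infection time are assumptions.

```python
"""Classify a host's scanning as worm-like (right after infection) or
command-driven (after a delay) from flow records (added example; the
constructed flows and thresholds are illustrative, not the paper's data)."""
from collections import defaultdict, deque

# Constructed flow records: (t_seconds, src, dst, dport).
# 10.0.0.7 contacts the C&C server and starts sweeping TCP/445 within seconds.
# 10.0.0.9 contacts the same server and sits idle for ten minutes before
# sweeping TCP/135, the way a bot waits for a scan command.
# 10.0.0.3 is an ordinary host with a couple of web connections.
FLOWS = [(0, "10.0.0.7", "198.51.100.5", 6667), (0, "10.0.0.9", "198.51.100.5", 6667)]
FLOWS += [(2 + i, "10.0.0.7", f"192.0.2.{i}", 445) for i in range(10)]
FLOWS += [(600 + i, "10.0.0.9", f"192.0.2.{50 + i}", 135) for i in range(10)]
FLOWS += [(5, "10.0.0.3", "192.0.2.99", 80), (6, "10.0.0.3", "192.0.2.98", 80)]


def first_seen(flows):
    """First time each source appears; used as a stand-in for its infection
    time (an assumption: in a honeynet the infection time is known exactly)."""
    seen = {}
    for t, src, _, _ in sorted(flows):
        seen.setdefault(src, t)
    return seen


def scan_events(flows, threshold=8, window=60):
    """Sliding-window scan detector: a source is scanning once it has touched
    `threshold` distinct destinations on one port within `window` seconds.
    Returns {src: (dport, t_detected)} for the first detection per source."""
    recent = defaultdict(deque)  # (src, dport) -> deque of (t, dst)
    events = {}
    for t, src, dst, dport in sorted(flows):
        q = recent[(src, dport)]
        q.append((t, dst))
        while q and t - q[0][0] > window:
            q.popleft()
        if src not in events and len({d for _, d in q}) >= threshold:
            events[src] = (dport, t)
    return events


def classify(flows, grace=30, **detector_args):
    """Worm-like if scanning began within `grace` seconds of the host first
    being seen, command-driven otherwise. Returns {src: (label, dport, delay)}."""
    infected = first_seen(flows)
    out = {}
    for src, (dport, t) in scan_events(flows, **detector_args).items():
        delay = t - infected[src]
        label = "worm-like" if delay <= grace else "command-driven"
        out[src] = (label, dport, delay)
    return out
```

The port-and-timing view is what makes the command-driven case visible: the idle gap before the sweep, not the sweep itself, is the signature of a bot waiting on its C&C channel.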

  13. Botnet Scanning (figure)

  14. Botnet Growth (figure)

  15. Botnet Growth (figure)

  16. Botnet Phenomenon (figure)

  17. Botnet Phenomenon • The traffic problem • 70% of the sources during peak periods sent shell exploits similar to those sent by the botnet spreaders • 90% of all the traffic during a particular peak targeted ports used by botnet spreaders • The amount of botnet-related traffic is certainly greater than 27%

  18. Botnet Statistics • 60% were IRC bots • 70% of all the bots connect to a single IRC server • 57,000 active bots per day during the first six months of 2006 (Symantec) • 4.7 million distinct computers actively used in botnets • Most botnets are managed by a single server (up to 15,000 bots) • Mocbot seized control of more than 7,700 machines within 24 hours

  19. Botnet Characteristics • Bots run on a diverse set of operating systems • Anti-virus programs can detect and remove most bots

  20. What is it that You say… You Do Here? • Log keystrokes for identity theft • Installing advertisement add-ons • Distributed denial-of-service attacks • Spamming • Sniffing traffic • Keylogging • Spreading new malware • Google AdSense abuse • Attacking IRC chat networks • Manipulating online polls/games • Mass identity theft

  21. Bot Capabilities • DDoS: flooding attacks and DDoS extortion • Scanning and exploitation • Download and installation of further binaries • Click fraud • Server services: hosting on the bot, e.g. phishing pages • Gateway and proxy functions: HTTP proxy • Spyware, keylogging, data theft and packet capture

  22. Conclusion • "The fight against botnets is a 'war' that can only be won if all parties - regulators, governments, telecoms firms, computer users and hardware and software makers - work together." • Botnets pose one of the most severe threats to the Internet • They are responsible for most of the unwanted traffic • They are the main generators of spam • Ref: http://news.bbc.co.uk/2/hi/business/6298641.stm

  23. Conclusion • Business implications • DDoS can bring e-commerce to a halt • Money wasted on spam filtering • Corporate time and money wasted

  24. Strengths of the paper • All aspects of a botnet analyzed • No comparable prior analysis of bots • Ability to model various types of bots • Ability to learn the bots' dialect and communicate with them

  25. Botnet • Questions?
