BOTNET


Presentation Transcript


  1. BOTNET Kumar Mukherjee Mike Ladd Nazia Raoof Rajesh Radhakrishnan Bret Walker

  2. Botnet Background • network of infected hosts, under control of a human operator (botmaster) • tens of thousands of nodes • victims claimed by remote exploits

  3. Defining Characteristic • use of Command & Control (C&C) channels • used to disseminate botmaster's commands

  4. Uses of Botnets • Spam • ID theft • Piracy • DDoS • Ex. 1,000 bots w/ 128 KBit/s connections each outstrip the bandwidth of many corporate systems • Distribution of bot IP addresses makes filtering difficult

  5. Lifecycle of Botnet Infection

  6. Why IRC? • IRC designed for both point-to-point and point-to-multipoint communication • one-to-one, or one-to-group chat • flexible, open-source protocol

  7. Bot-to-IRC Communication • authenticate to IRC server via PASS message • C&C channel authentication • Botmaster authenticates to bot population to issue commands

  8. Bot-News: Kraken • 400,000+ nodes • 50+ Fortune 500 companies • 2x the size of ‘Storm’ • Used for spam (bots sending 500,000+ messages daily)

  9. Bot-News: Kraken • Designed as image file • Regular updates to binary • C&C communication via customized UDP/TCP • Able to generate new domain names if C&C is disabled

  10. Further Background • http://www.honeynet.org/papers/bots/ • http://www.wired.com/wired/archive/14.11/botnet_pr.html • http://en.wikipedia.org/wiki/Storm_botnet

  11. Methodology: Malware Collection Phase • Collection of as many bot binaries as possible • Distributed darknet used • 14 nodes access the darknet • Modified version of Nepenthes (a malware collection framework) platform: • -- Mimics the replies generated by vulnerable services in order to collect the first-stage exploit or shellcode • -- Generates the URLs that are then used to retrieve the binaries • Honeynet is used to complement Nepenthes in order to catch exploits it missed • -- Honeypots are unpatched Windows XP VMs • -- Honeypots become infected and are later compared to a clean Windows XP image • -- Infected honeypots are also allowed to sustain IRC connections until the VM gets re-imaged

  12. Methodology: Data Collection Architecture

  13. Methodology: Gateway • Darknet routing to various parts of the internal network • Cross-infection prevention among honeypots • configuring honeypots in separate VLANs • Termination of traffic across VLANs and gateways • Monitor and analyze the malware traffic for infections • Dynamic rule insertion • block further inbound attack traffic towards a honeypot that is already infected • single-malware-instance honeypots due to lack of resources • Other functions • Triggering re-imaging with clean Windows images • pre-filtering and control during downloads • local DNS to resolve queries

  14. Methodology: Defense Points • With this methodology we now have the ability to model other types of bots • Although the methodology used Windows, it can be adapted to other platforms • The methodology analyzes all aspects of bots and botnets

  15. A multifaceted approach to understanding the Botnet Phenomenon Results - I

  16. Overall traffic • 27% of total traffic is from known botnet spreaders • 73% of traffic includes traffic from unknown botnet spreaders • 60% of malicious binaries were IRC bots • Only a handful were HTTP based The authors' concerns about the spread of botnets are justifiable.

  17. Traffic directed to vulnerable ports • 76% of traffic targeted at vulnerable ports is from botnet spreaders • Malicious traffic to vulnerable ports cannot be differentiated between botnet and non-botnet traffic It would also be useful to know how much of the total traffic was directed to vulnerable ports.

  18. Peak traffic • 90% of total traffic during the peak time targets ports used by botnet spreaders • 70% of traffic during the peak time sent shell exploits similar to those sent by botnet spreaders

  19. Probed servers • 11% of probed servers had at least one botnet activity • 29% of probed .com servers had at least one cache hit • 95% of probed .cn servers had at least one cache hit.

  20. Botnet Types • Total botnets captured 192 • 34 of 192 botnets captured were type I botnets (worm-like) • 158 of them were type II

  21. Botnets and network types When the channel was set to topic: • 80% of targeted scanning was aimed at Class A networks • 89% of localized scanning was aimed at Class B networks When the channel was set to botmaster commands: • 88% of targeted scanning was aimed at Class A networks • 82% of localized scanning was aimed at Class B networks

  22. DNS & IRC tracker views Both the DNS and IRC tracker views demonstrated three types of growth pattern: • semi-exponential growth • staircase-type growth • linear growth • Semi-exponential growth exhibited random scanning activity • Staircase-type growth exhibited intermittent activity • Linear growth exhibited time-scoped activity

  23. Key Points based on results • Botnets pose serious threats to the Internet • Major contributor of unwanted traffic on the Internet • IRC is the dominant protocol used in botnet communications • Botnets have achieved a high degree of sophistication in terms of self-protection mechanisms and modular package structures

  24. Effective Botnet Sizes • Footprint size vs. effective size • Effective size is significantly smaller • At most 3,000 bots online in networks of up to 10k bots • Smaller effective sizes limit certain activities: • Timely commands • DDoS attacks • Effective botnet sizes fluctuate with time-zone changes

  25. Lifetime • Botnets have relatively long lifetimes • Even after they're shut down, they live on average for 47 days • 84% of servers were up longer than the 3-month survey • 55% of those botnets were still scanning the Internet • If taken offline, they can be brought back online quickly • Bots do not stay long on IRC channels • Average time ~25 minutes • 90% stayed less than 50 minutes • High churn rate • Botmasters spend great lengths of time managing and monitoring their botnets
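Slides 24 and 25 distinguish a botnet's footprint (every bot ever seen) from its effective size (bots online at one instant) and note the short, churning IRC sessions. The following added example, which is not from the presentation or the paper it summarizes, computes both sizes and the average stay from a constructed IRC tracker log of JOIN/PART events; the log format and nicks are assumptions.

```python
# Constructed sample of IRC tracker events (not from the slides or paper):
# "<minutes since start> <nick> <JOIN|PART>". bot-a1 leaves and rejoins,
# so it counts once in the footprint but twice in the session list.
SAMPLE_EVENTS = """\
0 bot-a1 JOIN
2 bot-b2 JOIN
5 bot-c3 JOIN
20 bot-a1 PART
31 bot-b2 PART
40 bot-d4 JOIN
45 bot-c3 PART
60 bot-d4 PART
61 bot-a1 JOIN
90 bot-a1 PART
"""


def parse_events(text):
    """Parse tracker lines into (minute, nick, action) tuples in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        minute, nick, action = line.split()
        events.append((int(minute), nick, action))
    return sorted(events, key=lambda e: e[0])


def botnet_sizes(events):
    """Return (footprint, peak_effective_size, average_stay_minutes).

    footprint           = distinct nicks ever seen on the channel
    peak_effective_size = most nicks present at any single instant
    average_stay        = mean JOIN..PART duration, the churn figure
    """
    seen, online, joined_at, stays, peak = set(), set(), {}, [], 0
    for minute, nick, action in events:
        seen.add(nick)
        if action == "JOIN":
            online.add(nick)
            joined_at[nick] = minute
            peak = max(peak, len(online))
        elif action == "PART" and nick in online:
            online.discard(nick)
            stays.append(minute - joined_at.pop(nick))
    average_stay = sum(stays) / len(stays) if stays else 0.0
    return len(seen), peak, average_stay


if __name__ == "__main__":
    footprint, effective, stay = botnet_sizes(parse_events(SAMPLE_EVENTS))
    print(f"footprint={footprint} effective={effective} avg_stay={stay:.1f} min")
```

On the constructed log the footprint is 4 bots but never more than 3 are online at once, which is the gap the slides describe.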

  26. Botnet Software Dissection • 49% disable firewall and anti-virus software • Many run inetd, which is used to identify the user of a computer • Used to verify bots joining an IRC channel • 40% execute a System Security Monitor command, securing client machines from further exploitation • Average of 15 exploits per botnet binary -- bots can infect machines in a variety of ways • Windows XP constitutes 82.6% of observed exploited hosts, with 99% of those hosts running SP1 or less

  27. Insight from an “Insider’s View” • Botmasters range in skill level • Botmasters: • Share information about networks • Tweak their bots to use the network efficiently • Prune misbehaving bots and exploit “super-bots” • Botmasters are probably leasing their bots or attacking each other • Most commands (75%) are for control, scanning and cloning; 7% are for attacking

  28. Related Work • Honeynet group was the first to do an informal study • Freiling et al. on countering certain classes of DDoS attacks • Cooke et al. on the prevalence of botnets, measured by the elapsed time before an unpatched system was infected by a botnet • Barford et al. on an in-depth analysis of bot software source code • Vrable et al. presented Potemkin, a scalable virtual honeynet system • Cui et al. presented RolePlayer—a protocol-independent lightweight responder that tries to overcome some of these limitations by reverting to a real server when the responder fails to produce the proper response • Dagon et al. provide an initial analytical model for capturing the spreading behavior of botnets

  29. Conclusion • Long presence and few formal studies • One of the most severe threats to the Internet • Our knowledge of botnet behavior is incomplete • To improve our understanding, we present a composite view • Results show that botnets are a major contributor to the overall unwanted traffic on the Internet • Botnet scanning behavior is markedly different from that seen by autonomous malware (e.g., worms) because of its manual orchestration • IRC is still the dominant protocol used for C&C communications • Its use is adapted to satisfy different botmasters’ needs • Botnet footprints are usually much larger than effective sizes • The graybox testing technique enabled us to understand the level of sophistication reached by bot software today