1 / 27

A Multifaceted Approach to Understanding the Botnet Phenomenon

A Multifaceted Approach to Understanding the Botnet Phenomenon. Authors : Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis Computer Science Department Johns Hopkins University Presented at : Internet Measurement Conference, IMC'06, Brazil, October 2006 Presented By :

Download Presentation

A Multifaceted Approach to Understanding the Botnet Phenomenon

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. A Multifaceted Approach to Understanding the BotnetPhenomenon Authors : Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis Computer Science Department Johns Hopkins University Presented at : Internet Measurement Conference, IMC'06, Brazil, October 2006 Presented By : Ramanarayanan Ramani

  2. Outline • Working of Botnets • Measuring Botnets • Inference from Measurement • Strengths • Weaknesses • Suggestions

  3. Botnets • A botnet is a network of infected end-hosts (bots) under the command of a botmaster. • 3 Different Protocols Used: • IRC • HTTP • P2P

  4. Botnets (contd.) 3 Steps of Authentication • Bot to IRC Server • IRC Server to Bot • Botmaster to Bot (*) : Optional Step

  5. Measuring Botnets • Three Distinct Phases • Malware Collection Collect as many bot binaries as possible • Binary analysis via gray-box testing Extract the features of suspicious binaries • Longitudinal tracking Track how bots spread and its reach

  6. Measuring Botnets Darknet : Denotes an allocated but unused portion of the IP address space.

  7. Malware Collection • Nepenthes is a low interaction honeypot • Nepenthes mimics the replies generated by vulnerable services in order to collect the first stage exploit • Modules in nepenthes • Resolve DNS asynchronous • Emulate vulnerabilities • Download files – Done here by the Download Station • Submit the downloaded files • Trigger events • Shellcode handler

  8. Malware Collection • Honeynets also used along with nepenthes • Catches exploits missed by nepenthes • Unpatched Windows XP are run which is base copy • Infected honeypot compared with base to identify Botnet binary

  9. Gateway • Routing to different components • Firewall : Prevent outbound attacks & self infection by honeypots • Detect & Analyze outgoing traffic for infections in honeypot • Only 1 infection in a honeypot • Several other functions

  10. Binary Analysis • Two logically distinct phases • Derive a network fingerprint of the binary • Derive IRC-specific features of the binary • IRC Server learns Botnet “dialect” - Template • Learn how to correctly mimic bot’s behavior - Subject bot to a barrage of commands

  11. IRC Tracker • Use template to mimic bot • Connect to real IRC server • Communicate with botmaster using bot “dialect” • Drones modified and used to act as IRC Client by the tracker to Cover lot of IP addresss

  12. DNS Tracker • Bots issue DNS queries to resolve the IP addresses of their IRC servers • Tracker uses DNS requests • Has 800,000 entries after reduction • Maintain hits to a server

  13. Measuring Botnets Darknet : Denotes an allocated but unused portion of the IP address space.

  14. Botnet Traffic Share

  15. Botnet Traffic Share

  16. DNS Tracker Results

  17. Bot Scan Method • 2 Types • Immediately start scanning the IP space looking for new victims after infection : 34 / 192 • Scan when issued some command by botmaster

  18. Botnet Growth - DNS

  19. Botnet Growth – IRC Tracker

  20. Botnet Online Population

  21. Botnet Online Population

  22. Botnet Software Taxonomy Services Launched in Victim Machine OS of Exploited Host

  23. Botmaster Analysis

  24. Strengths • All aspects of a botnet analyzed • No prior analysis of bots • Ability to model various types of bots

  25. Weakness • Only Microsoft Windows systems analyzed • Focus on IRC-based bots as they are predominant

  26. Suggestions • Use the analysis to model new bots • Use the analysis to model protection methods

  27. Questions

More Related