Botnet Research Survey
Zhaosheng Zhu et al., July 28 - August 01, 2008
Speaker: Hom-Jay Hom
Date: 2009/10/20

Outline
• Introduction
• Understanding Botnet
• Detecting and Tracking Botnet
• Defenses Against Botnet
• Conclusion and Possible Future Work
Introduction (1/2)
• Botnet is a term for a collection of software robots, or bots.
• They run on groups of zombie computers controlled remotely by attackers.
• A typical bot is created and maintained in four phases.

Introduction (2/2)
1. Initial Infection:
  • via a vulnerability, web pages, email, or USB autorun
2. Secondary Injection:
  • infected hosts download and run the bot code
  • the download can be via FTP, HTTP, or P2P
3. Malicious Activities:
  • the bot communicates with its controller (spam, DDoS)
  • over IRC, HTTP, DNS-based, or P2P protocols
4. Maintenance and Upgrade:
  • the bot is continuously upgraded
Understanding Botnet
• Most current research focuses on understanding botnets. It falls mainly into three areas:
• Bot Anatomy:
  • analysis focuses mainly on the bot's network-level behaviour
  • uses binary analysis tools
• Wide-area Measurement Study:
  • tracks botnets to reveal different aspects
  • such as botnet size and traffic generated
• Botnet Modeling and Future Botnet Prediction

Bot Anatomy: IRC Bot
• The source code of four bots was analyzed.
• Agobot, SDBot, SpyBot and GT bot (IRC-based bots)
• Only Agobot is a fully-developed bot.
• Agobot provides the following five features.

Agobot's five features
• Exploits:
  • exploits OS vulnerabilities and back doors
• Delivery:
  • a shell on the remote host downloads the encoded bot binary
• Deception:
  • if it detects VMware it stops running
• Function:
  • steals system information and monitors local network traffic
• Recruiting:
  • the botmaster recruits new bots through horizontal and vertical scanning
HTTP Bot
• An HTTP-based spam bot module was analyzed.
• The command and control (C&C) is HTTP-based.
• The communication channel is encrypted.
• The IDA Pro tool is used to analyze the binary and find the encryption key.

P2P-based
• The author claims that centralized control of botnets offers a single point of failure for the botnet.
• Hence more stable architectures, such as a P2P-based architecture, are adopted.

Fast-flux Networks (1/2)
• Fast-flux networks are increasingly used by botnets.
• Phishing websites are valuable assets, so their IP addresses are hidden.
• A user first connects to a compromised computer, which serves as a proxy.
• The proxy forwards the user's requests to the real server and the server's response back to the user.

Fast-flux Networks (2/2)
• A new type of technique called fast-flux service networks.
• Round-robin IP addresses.
• Very short Time-To-Live (TTL) on the DNS records.
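The two properties the slides name, round-robin IP addresses and very short TTLs, are visible to a defender in the DNS answers a resolver returns over time. The following is an added example (not from the survey or its authors) that aggregates a sequence of answers per name and flags names whose answers rotate through many addresses in many /24 prefixes with short TTLs. The thresholds and the answer records are constructed for illustration; addresses come from reserved documentation and benchmark ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (queried name, TTL in seconds, A records in that response).
# "shop.example" answers are stable; "login-verify.example" rotates addresses
# across unrelated /24s with short TTLs, the pattern the slides describe.
SAMPLE_ANSWERS = [
    ("shop.example", 3600, ["198.51.100.10", "198.51.100.11"]),
    ("shop.example", 3600, ["198.51.100.10", "198.51.100.11"]),
    ("shop.example", 3600, ["198.51.100.11", "198.51.100.10"]),
    ("login-verify.example", 180, ["203.0.113.5", "192.0.2.77", "198.18.4.9"]),
    ("login-verify.example", 180, ["192.0.2.130", "198.18.60.2", "203.0.113.200"]),
    ("login-verify.example", 120, ["198.19.7.7", "192.0.2.9", "203.0.113.41"]),
]


def summarize(answers):
    """Aggregate per name: distinct IPs, distinct /24 prefixes, minimum TTL, responses seen."""
    ips = defaultdict(set)
    prefixes = defaultdict(set)
    min_ttl = {}
    responses = defaultdict(int)
    for name, ttl, addrs in answers:
        responses[name] += 1
        min_ttl[name] = min(ttl, min_ttl.get(name, ttl))
        for a in addrs:
            ips[name].add(a)
            # Collapse each address to its /24 so rotation across networks counts more
            # than a handful of neighbouring addresses in one block.
            prefixes[name].add(str(ipaddress.ip_network(f"{a}/24", strict=False)))
    return {
        name: {
            "ips": len(ips[name]),
            "prefixes": len(prefixes[name]),
            "min_ttl": min_ttl[name],
            "responses": responses[name],
        }
        for name in responses
    }


def is_fast_flux(stats, min_ips=5, min_prefixes=3, max_ttl=300):
    """Heuristic (assumed thresholds): many addresses, many prefixes, short TTL."""
    return (
        stats["ips"] >= min_ips
        and stats["prefixes"] >= min_prefixes
        and stats["min_ttl"] <= max_ttl
    )


def classify(answers, **thresholds):
    """Map each queried name to True if its answer history looks fast-fluxed."""
    return {name: is_fast_flux(st, **thresholds) for name, st in summarize(answers).items()}


if __name__ == "__main__":
    for name, st in summarize(SAMPLE_ANSWERS).items():
        print(name, st, "fast-flux" if is_fast_flux(st) else "stable")
```

Content delivery networks also answer with short TTLs and many addresses, so a score like this is a triage signal rather than a verdict; in practice it is combined with the prefix or AS diversity of the answers and with the observation that the rotated hosts sit in residential address space, which the survey's own question "who do they serve?" points at.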
Wide-area Measurement Study
• A honeynet-based botnet detection system, as well as some findings on botnets across the Internet.
• The system is composed of three modules:
• Malware collection:
  • nepenthes and unpatched Windows XP in a virtualized environment
• Graybox testing:
  • learn the botnet "dialect"
• Botnet tracking:
  • an IRC tracker lurks in the IRC channel and records commands

Botnet Modeling and Future Botnet Prediction
• It creates a diurnal propagation model based on the fact that computers that are offline are not infectious.
• We still have no idea how close these models are to the botnets in the real world.
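To make the diurnal idea concrete, here is an added example (not the model from the surveyed paper, and not the survey's code) that simulates logistic-style propagation where only hosts that are online can scan and only hosts that are online can be infected. The online-fraction curve, contact rate and population size are all assumed values chosen for illustration.

```python
import math

N = 100_000        # hosts in the population (constructed)
BETA = 0.3         # contacts per online infected host per hour landing on a random host (assumed)


def diurnal_online_fraction(hour):
    """Assumed shape: 10% of hosts online around midnight, 100% around noon."""
    return 0.55 + 0.45 * math.sin(math.pi * ((hour % 24) - 6) / 12)


def simulate(hours, online_fraction, n=N, beta=BETA, initial_infected=10.0):
    """Deterministic hourly simulation; returns the infected count after each hour.

    Because offline machines are neither infectious nor reachable, both the
    scanning population and the exposed population are scaled by the online fraction.
    """
    infected = initial_infected
    history = []
    for h in range(hours):
        a = online_fraction(h)
        susceptible = n - infected
        new = beta * (a * infected) * (a * susceptible) / n
        infected = min(float(n), infected + new)
        history.append(infected)
    return history


def hours_to_reach(history, fraction, n=N):
    """First hour at which the infected count reaches the given fraction of n, else None."""
    for h, inf in enumerate(history):
        if inf >= fraction * n:
            return h
    return None


def compare(hours=24 * 14):
    """Time to infect half the population under three online-fraction assumptions."""
    return {
        "always_online": hours_to_reach(simulate(hours, lambda h: 1.0), 0.5),
        "diurnal": hours_to_reach(simulate(hours, diurnal_online_fraction), 0.5),
        "half_online": hours_to_reach(simulate(hours, lambda h: 0.5), 0.5),
    }


if __name__ == "__main__":
    print(compare())
```

Running it shows the point of the model: the same contact rate spreads noticeably slower once the diurnal curve is applied, and the hour of day at which the outbreak starts changes the early trajectory. As the slide notes, how close any such model is to a real botnet remains an open question, so the numbers only illustrate the mechanism.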
Detecting and Tracking Botnet
• Honeynet-based:
• First, there are several tools available to collect malware, but no tool for tracking the botnet.
• Secondly, the tracking tool needs to understand the botnet's "jargon" in order to be accepted by the botmaster.
• Moreover, the increasing use of anti-analysis techniques by the blackhat circle makes the development of such a tool even more challenging.

Traffic monitoring
• Identify botmasters based on the transport layer.
• The core idea is based on the attack and control chain of the botnet.
• The major steps are listed as follows:
  • Identify bots based on their attack activities.
  • Analyze the flows of these bots to find candidate controller connections.
  • Analyze the candidate controller connections to locate the botmaster.
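The three steps above form a chain that can be run over flow records. The following is an added example, not code from the survey or the work it summarizes, that walks the chain over constructed flow data: scanning behaviour marks bots, long-lived destinations shared by several bots become candidate controllers, and non-bot hosts holding sessions to a candidate controller become candidate botmasters. Flow fields, thresholds and addresses are assumptions made for the demonstration.

```python
from collections import defaultdict

# Constructed flow records: (src, dst, dst_port, packets, duration_seconds).
# Two bots sweep port 445 across 60 hosts each with one-packet flows, then hold
# hour-long sessions to the same IRC-port destination; one ordinary host browses;
# one host talks to that destination but never scans.
FLOWS = (
    [("10.0.0.11", f"10.1.{i}.{j}", 445, 1, 0) for i in range(3) for j in range(1, 21)]
    + [("10.0.0.11", "203.0.113.10", 6667, 400, 3600)]
    + [("10.0.0.12", f"10.2.{i}.{j}", 445, 1, 0) for i in range(3) for j in range(1, 21)]
    + [("10.0.0.12", "203.0.113.10", 6667, 380, 3500)]
    + [("10.0.0.50", "198.51.100.20", 443, 60, 30),
       ("10.0.0.50", "198.51.100.21", 443, 40, 12)]
    + [("192.0.2.200", "203.0.113.10", 6667, 900, 7200)]
)


def find_bots(flows, scan_threshold=20, max_packets=2):
    """Step 1: hosts whose tiny flows fan out to many distinct destinations on one port."""
    targets = defaultdict(set)
    for src, dst, dport, pkts, _dur in flows:
        if pkts <= max_packets:
            targets[(src, dport)].add(dst)
    return {src for (src, _port), dsts in targets.items() if len(dsts) >= scan_threshold}


def candidate_controllers(flows, bots, min_bots=2, min_duration=600):
    """Step 2: long-lived (dst, port) endpoints that several identified bots share."""
    peers = defaultdict(set)
    for src, dst, dport, _pkts, dur in flows:
        if src in bots and dur >= min_duration:
            peers[(dst, dport)].add(src)
    return {endpoint for endpoint, srcs in peers.items() if len(srcs) >= min_bots}


def candidate_botmasters(flows, bots, controllers):
    """Step 3: non-bot hosts that hold sessions to a candidate controller."""
    return {
        src
        for src, dst, dport, _pkts, _dur in flows
        if (dst, dport) in controllers and src not in bots
    }


def attack_and_control_chain(flows):
    """Run the three steps in order and return each stage's result."""
    bots = find_bots(flows)
    controllers = candidate_controllers(flows, bots)
    masters = candidate_botmasters(flows, bots, controllers)
    return {"bots": bots, "controllers": controllers, "botmasters": masters}


if __name__ == "__main__":
    for stage, hosts in attack_and_control_chain(FLOWS).items():
        print(stage, sorted(hosts))
```

The last step only names the host on the far side of the controller connection; an operator who reaches the controller through stepping stones or proxies shows up as the nearest hop, so in practice step 3 yields a lead for further investigation rather than an identity.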
Defenses Against Botnet
• Enterprise Solutions:
• Trend Micro provides a Botnet Identification Service.
• It provides customers a real-time list of botnet C&C / botmaster addresses.

Conclusion and Possible Future Work
• HTTP/P2P Botnet:
  • The existing works are anatomies of some samples.
• Fast-flux Network:
  • Whom do they serve?
  • What is the structure of the network?
  • Is it the same as a typical IRC botnet or not?
  • Is their botmaster also fast-fluxed?
  • Binary analysis of its code will be extremely helpful.