
Understanding Botnets: Connection Models, Detection Methods, and Avoidance Techniques

Explore the world of botnets, from centralized to P2P-based models, communication protocols, detection methods, and strategies to avoid detection such as fast flux and domain flux. Learn about the complexities and challenges in detecting and tracking botnet activities.

shante




Presentation Transcript


  1. Botnets

  2. Botnets • A collection of connected programs (bots) that communicate with similar programs to perform tasks • Legitimate • IRC bots that moderate/administer channels • Origin of the term botnet • Malicious • Bots are usually added by infecting machines with malware • Communicate over standard network protocols

  3. Botnet • Usually named after the malware that created it • Multiple botnets can be created by the same malware • Controlled by different entities • The "bot master" controls the entire group of computers remotely through a Command and Control (C&C) system

  4. Botnet Uses • Botnets are used for various purposes • Distributed Denial of Service attacks (DDoS) • SMTP mail relays for spam • Click fraud • Simulating false clicks on advertisements to earn money • Theft of information • Application serial numbers • Login credentials • Financial information • Personal information • Bitcoin mining

  5. Botnet Connection Models • Three main connection models • Centralized • P2P-based • Unstructured

  6. Centralized • Central point(server) that forwards messages to bots • Advantages • Simple to implement • Customizable • Disadvantages • Easier to detect and destroy • Most botnets use this model

  7. P2P-based • Mainly used to avoid problems with centralized model • Does not use server as central location • Instead the bots are connected to each other • Advantages • Very hard to destroy • Commands can be injected at any point • Hard for researchers to find all bots • Disadvantages • Harder to implement and design

  8. Unstructured • Bots do not actively contact other bots or the botmaster • They only listen for incoming connections • The botmaster randomly scans the Internet for bots • When a bot is found, the botmaster sends it encrypted commands

  9. Communication • Botnets use well-defined communication protocols • Helps them blend in with normal traffic • Protocol examples • IRC • Most common • Used for one-to-many or one-on-one messaging • HTTP • Hard to detect: looks like ordinary web traffic • Allowed through most security devices by default • P2P • More advanced communication • Not always allowed on a network

  10. Detection Methods • Two main detection methods • Signature-based • Relies on known patterns of C&C traffic and connection methods • Cannot detect new (previously unseen) threats • Anomaly-based • Relies on deviations from baseline traffic • High false-positive rates • Not useful where a traffic baseline cannot be established

  11. Methods to Avoid Detection • Malware writers constantly looking for new ways to avoid detection • Recent botnets employ new methods to avoid detection • Fast flux • Domain flux

  12. Fast Flux • Use a set of IP addresses that all correspond to one domain name • Use short TTL(Time To Live) and large IP pools • Can be grouped in two categories. • Single flux • Double flux

  13. Single Flux • Domain resolves to different IP in different time ranges • User accesses same domain twice • First time DNS query returns 11.11.11.11 • TTL expires on DNS query • User performs another DNS query for domain • DNS server returns 22.22.22.22

  14. Double Flux • More sophisticated counter-detection • Repeated changes of both the flux agents and the name-server registrations in DNS • The authoritative DNS servers are themselves part of the fluxing (the NS records change as well) • Provides extra redundancy

  15. Detecting Botnets using Fast Flux • A critical step in detecting a fast flux network is to distinguish a fast fluxing attack network (FFAN) from a fast fluxing service network (FFSN) • All agents in an FFSN should be up 24/7 • Agents within an FFAN have unpredictable uptime • The botmaster does not have physical control over the bots • Two metrics were developed to distinguish these • Average Online Rate (AOR) • Minimum Available Rate (MAR)

  16. Flux Agent Monitoring System • Uses AOR and MAR to track FFANs and FFSNs • Broken up into four components • Dig tool • Gathers DNS information and adds new IP addresses to the database • Agents monitor • Sends HTTP requests to each agent and records the response • IP lifespan records database • Stores each agent's service status over time • Detector • Judges between FFAN and FFSN using AOR and MAR
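The slides name AOR and MAR but do not define them, so the following added example (not code from the presentation or from the monitoring system it describes) uses two assumed definitions: AOR is the mean, over agents, of the fraction of probe rounds in which that agent answered; MAR is the lowest fraction of probed agents that were online in any single round. The probe records, thresholds, domain names and addresses (RFC 5737 documentation ranges) are constructed for the example. The point it shows is that a service network whose agents are always up scores 1.0 on both metrics, while an attack network built from machines the botmaster does not physically control scores low on both, and that MAR in particular exposes the worst round rather than the average.

```python
from collections import defaultdict

# Constructed probe records: (domain, agent_ip, probe_round, answered).
# One HTTP request per advertised agent per monitoring round, as the
# "agents monitor" component would record them. Addresses are from the
# RFC 5737 documentation ranges; the domain names are made up.
PROBES = [
    # Service network: every agent answers in every round.
    ("static.example-ffsn.test", "192.0.2.10", 1, True),
    ("static.example-ffsn.test", "192.0.2.11", 1, True),
    ("static.example-ffsn.test", "192.0.2.12", 1, True),
    ("static.example-ffsn.test", "192.0.2.10", 2, True),
    ("static.example-ffsn.test", "192.0.2.11", 2, True),
    ("static.example-ffsn.test", "192.0.2.12", 2, True),
    ("static.example-ffsn.test", "192.0.2.10", 3, True),
    ("static.example-ffsn.test", "192.0.2.11", 3, True),
    ("static.example-ffsn.test", "192.0.2.12", 3, True),
    # Attack network: compromised home machines that come and go.
    ("flux.example-ffan.test", "198.51.100.1", 1, True),
    ("flux.example-ffan.test", "198.51.100.2", 1, True),
    ("flux.example-ffan.test", "198.51.100.3", 1, False),
    ("flux.example-ffan.test", "198.51.100.4", 1, True),
    ("flux.example-ffan.test", "198.51.100.1", 2, True),
    ("flux.example-ffan.test", "198.51.100.2", 2, False),
    ("flux.example-ffan.test", "198.51.100.3", 2, True),
    ("flux.example-ffan.test", "198.51.100.4", 2, True),
    ("flux.example-ffan.test", "198.51.100.1", 3, True),
    ("flux.example-ffan.test", "198.51.100.2", 3, False),
    ("flux.example-ffan.test", "198.51.100.3", 3, True),
    ("flux.example-ffan.test", "198.51.100.4", 3, False),
    ("flux.example-ffan.test", "198.51.100.1", 4, False),
    ("flux.example-ffan.test", "198.51.100.2", 4, True),
    ("flux.example-ffan.test", "198.51.100.3", 4, True),
    ("flux.example-ffan.test", "198.51.100.4", 4, False),
]


def aor(records):
    """Average Online Rate (assumed definition): mean over agents of the
    fraction of probes that agent answered. records = [(ip, round, up)]."""
    per_agent = defaultdict(lambda: [0, 0])  # ip -> [answered, probed]
    for ip, _rnd, up in records:
        per_agent[ip][0] += int(up)
        per_agent[ip][1] += 1
    return sum(a / n for a, n in per_agent.values()) / len(per_agent)


def mar(records):
    """Minimum Available Rate (assumed definition): the lowest fraction of
    probed agents that were online in any single probe round."""
    per_round = defaultdict(lambda: [0, 0])  # round -> [answered, probed]
    for _ip, rnd, up in records:
        per_round[rnd][0] += int(up)
        per_round[rnd][1] += 1
    return min(a / n for a, n in per_round.values())


def classify(records, aor_min=0.95, mar_min=0.90):
    """Detector step: FFSN only if both metrics clear the (assumed) thresholds."""
    a, m = aor(records), mar(records)
    label = "FFSN" if a >= aor_min and m >= mar_min else "FFAN"
    return label, round(a, 3), round(m, 3)


def by_domain(probes):
    """Group the raw probe log per fluxed domain and classify each one."""
    groups = defaultdict(list)
    for domain, ip, rnd, up in probes:
        groups[domain].append((ip, rnd, up))
    return {domain: classify(recs) for domain, recs in groups.items()}


if __name__ == "__main__":
    for domain, (label, a, m) in by_domain(PROBES).items():
        print(f"{domain:28s} AOR={a:.3f} MAR={m:.3f} -> {label}")
```

A real deployment would feed `PROBES` from the dig tool and agents monitor continuously and would probe on a schedule, since a single round of probes says nothing about uptime; the thresholds would also need tuning against known CDN-style service networks to keep false positives down.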

  17. Domain Flux • Domain flux was created to avoid a single point of failure • Uses a set of domain names that are constantly, and automatically, generated • Only a few of them resolve to an IP address at any given time • Bots and the C&C server both run the same domain name generation algorithm (DGA) • Bots try to contact the C&C server using the generated domain names • If no answer is received from one, the bot moves on to the next

  18. Domain Flux in Torpig • Torpig was a botnet that used domain flux • Eventually taken over by researchers • First calculated weekly domain names from the current week and year • "weekyear.com" or "weekyear.net" • If those fail, it moves on to calculating the daily domain • If all other methods fail, a Torpig bot tries to connect to a hard-coded domain within its configuration files
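The following added example (not the presentation's code and not Torpig's actual algorithm) shows the fallback order the two slides describe: weekly names first, then daily names, then a hard-coded domain. The label derivation (SHA-256 of a key plus the ISO week or the date, mapped to letters), the `demo-key` seed, the `rescue-c2.example` fallback name and the `.com`/`.net` pair are all assumptions for illustration. The last function shows the defender's side of slide 18: once the algorithm is known, every weekly and daily name for a coming window can be listed and registered before the attacker, which is how a takeover works.

```python
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net")
# Stands in for the hard-coded domain in the bot's configuration (assumed name).
HARDCODED_FALLBACK = ("rescue-c2.example",)


def _as_date(day):
    """Accept a date or an ISO string such as '2024-01-03'."""
    return day if isinstance(day, date) else date.fromisoformat(day)


def _label(seed: str, length: int = 10) -> str:
    """Deterministic hostname label from a seed (illustrative DGA, not Torpig's).
    Each hex nibble of the digest is mapped to a letter a..p."""
    digest = hashlib.sha256(seed.encode()).hexdigest()
    return "".join(chr(ord("a") + int(c, 16)) for c in digest[:length])


def weekly_domains(day, key: str = "demo-key"):
    """Same names for every day of one ISO week, as in 'weekyear.com'."""
    year, week, _weekday = _as_date(day).isocalendar()
    label = _label(f"{key}:{year}:w{week}")
    return [f"{label}.{tld}" for tld in TLDS]


def daily_domains(day, key: str = "demo-key"):
    """Names that change every day; tried only if the weekly ones fail."""
    label = _label(f"{key}:{_as_date(day).isoformat()}")
    return [f"{label}.{tld}" for tld in TLDS]


def candidate_domains(day, key: str = "demo-key"):
    """Full contact list in the order the bot tries it."""
    return weekly_domains(day, key) + daily_domains(day, key) + list(HARDCODED_FALLBACK)


def find_c2(day, resolve, key: str = "demo-key"):
    """Bot side: walk the candidates; `resolve(name)` returns an IP or None
    (a real bot would also validate the server's reply before trusting it).
    Returns (domain, ip) for the first name that answers, else None."""
    for domain in candidate_domains(day, key):
        ip = resolve(domain)
        if ip is not None:
            return domain, ip
    return None


def preregistration_list(start, days: int, key: str = "demo-key"):
    """Defender side: every weekly/daily name the bots will try in the
    window, in first-seen order, so they can be registered ahead of time."""
    seen = []
    for offset in range(days):
        day = _as_date(start) + timedelta(days=offset)
        for name in weekly_domains(day, key) + daily_domains(day, key):
            if name not in seen:
                seen.append(name)
    return seen


if __name__ == "__main__":
    today = "2024-01-03"
    print("contact order:", candidate_domains(today))
    # Constructed resolver: only the daily .net name is live today.
    live = {daily_domains(today)[1]: "203.0.113.7"}
    print("bot reaches:", find_c2(today, live.get))
    print("sinkhole these:", preregistration_list("2024-01-01", 7))
```

Note the asymmetry the slides point at: a bot that only receives NXDOMAIN for the weekly and daily names keeps working because of the hard-coded fallback, so registering the generated names alone does not kill the botnet, it only lets the defender sit in front of it.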

  19. Detecting Botnets using Domain Flux • Reverse-engineering the domain generation algorithm is not always possible • Only a few generated domains will resolve to IP addresses, so bots produce many failed lookups • One detection method is to watch DNS query failures (NXDOMAIN responses) • A small percentage will be user error/poor configuration • The larger part of the failures will come from malicious activity • With enough data one should be able to find patterns in the DNS query errors
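As an added example of the failure-watching approach on this slide (not code from the presentation), the block below parses a constructed resolver log, counts NXDOMAIN responses per client, and flags clients whose failures are both frequent and spread across many distinct names. The log format (timestamp, client, query name, response code), the client addresses, the names and the thresholds are all assumptions for illustration. The two non-flagged clients show the caveat the slide makes: a typo and a misconfigured host that keeps asking for the same missing name both produce NXDOMAIN, but neither looks like a bot walking a DGA list.

```python
import re
from collections import defaultdict

# Constructed resolver log (assumed format): timestamp client qname rcode.
# 10.0.0.5 is a normal user with one typo, 10.0.0.12 is a misconfigured
# host retrying one missing name, 10.0.0.9 behaves like a DGA bot.
DNS_LOG = """\
2024-03-04T10:00:01 10.0.0.5 www.example.com NOERROR
2024-03-04T10:00:02 10.0.0.5 mail.example.com NOERROR
2024-03-04T10:00:03 10.0.0.5 wwww.example.com NXDOMAIN
2024-03-04T10:00:04 10.0.0.5 cdn.example.net NOERROR
2024-03-04T10:00:05 10.0.0.5 login.example.org NOERROR
2024-03-04T10:00:06 10.0.0.12 printer.corp.local NXDOMAIN
2024-03-04T10:00:07 10.0.0.12 printer.corp.local NXDOMAIN
2024-03-04T10:00:08 10.0.0.12 intranet.example.com NOERROR
2024-03-04T10:00:09 10.0.0.9 kdjfhqpwlsmc.com NXDOMAIN
2024-03-04T10:00:10 10.0.0.9 xpqolmvbtrew.net NXDOMAIN
2024-03-04T10:00:11 10.0.0.9 zzfkqpwonvhs.com NXDOMAIN
2024-03-04T10:00:12 10.0.0.9 qqwmrlpokbfd.net NXDOMAIN
2024-03-04T10:00:13 10.0.0.9 hmvnxcbqpwoe.com NXDOMAIN
2024-03-04T10:00:14 10.0.0.9 ytrfdsawqpol.net NXDOMAIN
2024-03-04T10:00:15 10.0.0.9 bnmvcxzlkjhg.com NXDOMAIN
2024-03-04T10:00:16 10.0.0.9 plmoknijbuhv.com NOERROR
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL|REFUSED)$")


def parse_log(text):
    """Return (timestamp, client, qname, rcode) tuples; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            records.append(m.groups())
    return records


def per_client_stats(records):
    """Per client: total queries, NXDOMAIN count, and distinct names that failed.
    Distinct names matter: a DGA fails on many different names, a
    misconfiguration fails on the same name over and over."""
    acc = defaultdict(lambda: {"total": 0, "nxdomain": 0, "names": set()})
    for _ts, client, qname, rcode in records:
        s = acc[client]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
            s["names"].add(qname.lower())
    return {
        client: {"total": s["total"], "nxdomain": s["nxdomain"],
                 "distinct_failed": len(s["names"])}
        for client, s in acc.items()
    }


def flag_dga_clients(records, min_queries=5, min_ratio=0.5, min_distinct=5):
    """Flag clients whose NXDOMAIN share and spread of failing names both
    exceed the (assumed) thresholds. Returns sorted (client, ratio, distinct)."""
    flagged = []
    for client, s in per_client_stats(records).items():
        if s["total"] < min_queries:  # too little data to judge
            continue
        ratio = s["nxdomain"] / s["total"]
        if ratio >= min_ratio and s["distinct_failed"] >= min_distinct:
            flagged.append((client, round(ratio, 3), s["distinct_failed"]))
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(DNS_LOG)
    for client, s in sorted(per_client_stats(recs).items()):
        print(client, s)
    print("flagged:", flag_dga_clients(recs))
```

In practice the counts are kept per sliding time window rather than over the whole log, and the flagged clients' failed names are worth keeping: clustering them by length and character distribution across many clients is the "pattern in the DNS query errors" the slide refers to, and can reveal a shared DGA even when it has not been reverse-engineered.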

  20. Mitigation Techniques • Fast flux networks are mitigated by blacklisting the domain name associated with the flux • Contact the registrar • Have the ISP block requests for the domain in DNS • Have the ISP monitor DNS queries to the domain • Domain flux is harder to mitigate • To register the domain names before the attackers, one must know the algorithm used • Automated techniques to block DNS queries are not always accurate • Registrars used by attackers usually do not act on abuse reports

  21. Why should we care? • BredoLab • Created May 2009 • 30,000,000 bots • Mariposa • Created 2008 • 12,000,000 bots • Zeus • Stole banking credentials for all major banks • 3,600,000 bots in the US alone • Customizable

  22. Questions?
