A Multifaceted Approach to Understanding the Botnet Phenomenon
Authors: Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis
Publication: Internet Measurement Conference, IMC'06, Brazil, October 2006
Presenter: Richard Bares
What Is A Botnet?
• Botnet is used to define networks of infected end-hosts, called bots, that are under the control of a human operator commonly known
• Botnets, like other malware, use software vulnerabilities to infect or recruit other machines
What Makes A Botnet Different From Other Malware?
• Their defining characteristic is the use of command and control channels.
• These channels include
  • IRC (Internet Relay Chat)
  • P2P (Peer to Peer)
  • HTTP
How To Find Out More About Botnets?
• Malware collection of binary code
• Binary analysis via grey-box testing
• Longitudinal tracking of IRC botnets through IRC and DNS tracking
Malware Collection
• Use of a modified Nepenthes platform
  • Mimics replies of vulnerable services
  • Used to collect data on botnets using known exploits
• Honeypot made up of VMware
  • To collect data on botnets using unknown exploits
Binary Analysis
• Creation of a network fingerprint
  • Monitored VMware Windows XP
  • Collect IPs, DNS, ports, and scans
• Extraction of IRC-related features
  • Used UnrealIRC daemon
  • Monitored infected VMware to find IRC channel passwords
  • Learns botnet dialect and commands
Tracking of Botnets
• IRC Tracker
  • Modified IRC client that mimics an infected PC
  • Responds to C&C while collecting data
• DNS Tracker
  • Monitors major DNS servers
  • Keeps track of requests for domain names found in botnet code
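To make the DNS tracker concrete, here is an added Python example (not code from the paper or from this presentation) that runs a watchlist of C&C domain names, as would be recovered from captured bot binaries, over DNS query log lines and reports the request count and number of distinct querying hosts per watched domain as a footprint estimate. The log line format, the domain names and the client addresses are all constructed for illustration, not taken from the study.

```python
import re
from collections import defaultdict

# Constructed sample of DNS server query log lines (the format is assumed, not the paper's).
SAMPLE_LOG = """\
2006-10-01T12:00:01 client 10.0.0.5 query A irc.example-cc.test
2006-10-01T12:00:02 client 10.0.0.9 query A www.example.test
2006-10-01T12:00:03 client 10.0.0.5 query A irc.example-cc.test
2006-10-01T12:00:04 client 10.0.1.7 query A IRC.Example-CC.test.
2006-10-01T12:00:05 client 10.0.2.3 query A update.example-cc.test
2006-10-01T12:00:06 malformed line that should be skipped
"""

# Watchlist: C&C hostnames as they would be extracted from bot binaries (constructed names).
WATCHLIST = {"irc.example-cc.test", "update.example-cc.test"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<src>\d{1,3}(?:\.\d{1,3}){3}) query (?P<qtype>\w+) (?P<qname>\S+)$"
)


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot so FQDN variants match the watchlist."""
    return qname.lower().rstrip(".")


def track_dns(log_text: str, watchlist: set) -> dict:
    """Return, per watched domain, the request count and the number of distinct querying hosts."""
    stats = defaultdict(lambda: {"requests": 0, "hosts": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as a query record
        name = normalize(m.group("qname"))
        if name in watchlist:
            stats[name]["requests"] += 1
            stats[name]["hosts"].add(m.group("src"))
    # Distinct querying hosts approximate the bot population seen behind this resolver.
    return {d: {"requests": s["requests"], "hosts": len(s["hosts"])} for d, s in stats.items()}


if __name__ == "__main__":
    for domain, s in sorted(track_dns(SAMPLE_LOG, WATCHLIST).items()):
        print(f"{domain}: {s['requests']} requests from {s['hosts']} distinct hosts")
```

Counting distinct hosts rather than raw requests avoids over-counting bots that re-resolve the C&C name repeatedly, though hosts behind a shared resolver or NAT are still under-counted.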
Botnet Structure
• 318 botnets observed, 60% of those IRC
• 70% of IRC botnets connected to one server
• 30% of IRC botnets connected to multiple servers
  • IRC servers connected together
  • Allowing for a large number of bots to be controlled
Botnet Software Taxonomy
• Turns off anti-virus/firewalls
• Installs TCP identification software
• Installs system security monitor
• Installs registry monitor
• Support for multiple exploits
• Code allows for updates from the botmaster and adding new exploits to the botnet code
Contributions
• Expanded knowledge of botnets
• Formulated a way to track and estimate the growth and size of botnets
• Formulated a way to capture botnet code
• Examined common botnet code
Weaknesses
• Did not cover HTTP or P2P botnets even though both of these make up 30% of the botnets they observed
• Would need a considerable amount of research to find ways to track these botnets