Botnet Introduction

tarala

Presentation Transcript


  1. Botnet Introduction • Definition • History • How Botnet works • Botnet uses • Botnet Taxonomy

  2. Definition: Bots • Definition: autonomous programs automatically performing tasks, absent a real user. • Benign bots • countless examples at http://www.botknowledge.com/ • Gray-area bots • Blogbots, e.g., wikipedia, xanga • Other examples: xdcc, fserve bots for IRC • Malicious bots • Key characteristics: process forking, with network and file access, and propagation potential. • Other attributes: Can be replicating, Able to run “third party” code

  3. Definition: Botnets • Definition: networks of autonomous programs capable of acting on instructions. • Again, gray areas: FServe bot farms, spider farms, etc. • Today, just a narrow definition: • organized network of malicious bot clients

  4. Definition: Botnets (Cont’d) • “A Botnet is a collection of computers, connected to the internet, that interact to accomplish some distributed task.” • Typically refers to botnets used for illegal purposes. • Controlled by one person or a group of people (a.k.a. the botmaster) • Under a command and control structure (C&C) • Other attributes: • Could be self-spreading

  5. Comparison of Malware • Viruses: require the spreading of an infected host file • Worms: standalone software, file-transport • Trojans: tricked into loading and executing on systems • Bots: automate tasks and provide services

  6. C&C channel • Means of receiving and sending commands and information between the botmaster and the zombies. • Typical protocols • IRC • HTTP • Overnet (Kademlia) • Protocols imply (to an extent) a botnet’s communication topology. • The topology provides trade-offs in terms of bandwidth, effectiveness, stealth, and so forth.

  7. History • In the beginning, there were only good bots. • ex: Google bot, game bots, etc. • Later, bad people thought of creating bad bots so that they could • Send spam and phishing emails • Control other people’s PCs • Launch attacks against servers (DDoS) • Many malicious bots were created • SDBot/Agobot/Phatbot etc. • Botnets started to emerge • Bots started to become payloads for worms, and are big business!

  8. http://en.wikipedia.org/wiki/Botnet

  9. Botnet Propagation

  13. Why Botnets? • No “single” point of failure • Hard to backtrack, attribute and take down • Capacity reasons (vast numbers) • Computing power and network bandwidth • Distribution across the whole network • Complicated jurisdictional issues • Launch malicious (criminal) activities

  14. Botnet Uses • “Real” money-making business behind them • Organized crime has moved to the internet • Criminal business activities • Distributed Denial of Service (DDoS) attacks • Sending spam • Phishing (fake websites) • Adware (Trojan horse) • Spyware (keylogging, information harvesting) • Click fraud • Storing pirated materials

  15. Botnet Taxonomy • A botnet has to have a Command and Control server (C&C) • Topologies • Star, Multiserver, Hierarchical, Random • Communication channel • IRC, HTTP, IM, P2P, Email • Rallying mechanisms • IP address, Dynamic DNS, Distributed DNS • Evasion techniques • Fast flux, Domain flux, Reverse proxies

  16. Botnet Detection • Host Based • Intrusion Detection Systems (IDS) • Anomaly Detection • IRC Nicknames • HoneyPot and HoneyNet

  17. Economics of Spam

  18. Overview • Spam is used for creating revenue by marketing products • How spam advertised sites work • Statistics of revenue from a case study • Purchasing Behavior • Revenue Estimation

  19. How Spam Works • Spam is part of a larger value chain with three distinct stages: • Advertising • Click support • Realization

  20. How Spam Works • Advertising • Email, Blog spam, Twitter spam, search engine optimization, sponsored advertising • Click Support • Redirection Sites, Domains, Name servers, Web Servers, Stores and Affiliate programs • Realization • Payment services, Fulfillment

  21. How Spam Works (diagram of the value chain; components shown: Botnet, spam advertising, users, DNS Server, Domain Registrar, Web Proxy/Server, Affiliate, Merchant, User’s Bank, Merchant’s Bank)

  22. Data Collection Methods • Methods for data collection • Collecting Spam-Advertised URLs, Crawler data, DNS Crawler, Web Crawler • Content clustering and tagging • Category tagging, Program tagging, Purchasing, Operational Protocol, Legal and ethical concerns

  23. Data Analysis Analyzing the degree to which affiliate programs share infrastructure, considering both the click support and phases of the spam value chain.

  24. Purchasing Behavior • Factors considered to find the pattern in purchasing behavior: • Basket inference • Product Popularity • Customer Distribution

  25. Purchasing Behavior Among various countries

  26. Revenue Estimation • Combining the results of data collection, the estimate was done based on average price per order • range from $2M/day for one spam botnet • Russian spammers earned 3.7 billion rubles (roughly $125 million) in 2009 • Consistency of results

  27. Revenue Estimation

  28. Revenue in Pharmaceuticals

  29. References • C. Kanich, N. Weaver, D. McCoy, T. Halvorson, C. Kreibich, K. Levchenko, V. Paxson, G. Voelker and S. Savage, "Show Me the Money: Characterizing Spam-advertised Revenue", Proceedings of the USENIX Security Symposium, 2011. • Stefan Savage and Geoffrey M. Voelker, "No Plan Survives Contact: Experience with Cybercrime Measurement", Proceedings of the Workshop on Cyber Security Experimentation and Test (CSET), August 2011. • Geoffrey M. Voelker, Stefan Savage et al., "Click Trajectories: End-to-End Analysis of the Spam Value Chain", Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2011, pages 431–446. • Marti Motoyama, Damon McCoy, Kirill Levchenko, Stefan Savage and Geoffrey M. Voelker, "Dirty Jobs: The Role of Freelance Labor in Web Service Abuse", Proceedings of the USENIX Security Symposium, San Francisco, CA, August 2011.

  30. Detecting Botnets: A Cyber Arms Race

  31. Outline • Examine current techniques used to detect and defeat Botnets. • Explore what Botnets might do to avoid these techniques. • Look at Kopis, a high-level DNS traffic monitor that detects malware domains by analyzing DNS query patterns.

  32. Towards Systematic Evaluation of the Evadability of Bot/Botnet Detection Methods • Elizabeth Stinson, John Mitchell

  33. Syntax Detection • Use the contents of network traffic to identify whether the traffic was generated by a Bot. • Example: • Rishi

  34. Example - Rishi • Sample IRC nicknames: RedBlueUSA|2775728384, RBOT|XP|1248525, FooBarFrank, [03|DE|125252] • Things to check for: country prefix, common prefixes, strings of numbers, operating system • Regex: ^\[[0-9]{1,2}\|[A-Z]{2,3}\|[0-9]{4,}\]$
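As an added illustration of the Rishi-style checks on this slide (example code, not Rishi's own implementation), a small scorer that applies the slide's regex plus the four heuristics to constructed nicknames; the token lists and weights are assumptions made for this example.

```python
import re

# Constructed sample nicknames: the shapes shown on the slide plus a human-looking one.
SAMPLE_NICKS = ["[03|DE|125252]", "RBOT|XP|1248525", "RedBlueUSA|2775728384", "FooBarFrank", "alice_93"]

# The slide's regex: [nn|CC|digits], the nick scheme of one bot family.
SLIDE_REGEX = re.compile(r"^\[[0-9]{1,2}\|[A-Z]{2,3}\|[0-9]{4,}\]$")

# Token lists and weights are assumptions for this example, not Rishi's real configuration.
COUNTRY_CODES = {"DE", "US", "USA", "UK", "FR", "RU"}
COMMON_PREFIXES = ("RBOT", "SDBOT", "AGOBOT", "PHATBOT")
OS_TOKENS = {"XP", "WIN", "W2K", "2K3", "VISTA"}

def score_nick(nick):
    """Suspicion score for an IRC nickname; higher means more bot-like."""
    if SLIDE_REGEX.match(nick):
        return 10  # exact structural match is the strongest signal
    tokens = [t for t in re.split(r"[|\[\]_\-]+", nick) if t]
    first = tokens[0] if tokens else ""
    score = 0
    if nick.upper().startswith(COMMON_PREFIXES):
        score += 3  # known bot-family prefix
    if any(t.upper() in OS_TOKENS for t in tokens):
        score += 2  # operating-system marker
    if re.search(r"[0-9]{4,}", nick):
        score += 2  # long digit string (random id, PID, uptime)
    tail = re.search(r"[A-Z]{2,3}$", first)
    if any(t in COUNTRY_CODES for t in tokens) or (tail and tail.group(0) in COUNTRY_CODES):
        score += 1  # country code as its own token or glued to the first word
    return score

def flag_nicks(nicks, threshold=3):
    """Return (nick, score) pairs for nicknames scoring at or above the threshold."""
    return [(n, score_nick(n)) for n in nicks if score_nick(n) >= threshold]

if __name__ == "__main__":
    for nick, s in flag_nicks(SAMPLE_NICKS):
        print(f"{nick:>25}  score={s}")
```

The threshold is deliberately low so that partial matches surface for analyst review; in a real deployment the weights would be tuned against the channel's legitimate nick population.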

  35. Evading Syntax Detection • Encryption

  36. Traffic Analysis Detection • Detect botnets by looking for traffic that looks like it is from a botnet. • Looks at characteristics of traffic, not content. • Connection duration • Packet size • Packet rate • Example: • Strayer - Applies a pipeline of traffic analysis, resulting in a set of traffic that looks the most bot-like.

  37. Example - Strayer • Pipeline stages: Filters → Classifier → Timing Correlator → Topological Analysis

  38. Hiding from Traffic Analysis • Perturbing Flows - Modify Botnet communications to disguise traffic. • Padding messages with junk • Stripe commands across packets • Modify connection duration and timing.

  39. Timing Detection • Uses timing information to correlate and/or identify bot traffic. • Example: • Strayer

  40. Disguising Timings • Delays can be built into different actions, spacing out the various botnet traffic so it is more difficult to correlate and group.

  41. Tainted Command Detection • Remote control commands from the Bot controller demonstrate a flow of information • Example: • Botswat

  42. Example - Botswat (diagram; components shown: Host, Bot, OS, Controller)

  43. Sanitizing Tainted Commands • Bot can launder commands before attempting to execute them.

  44. Detecting Malware Domains at the Upper DNS Hierarchy Manos Antonakakis, Roberto Perdisci, Wenke Lee, Nikolaos Vasiloglou II, and David Dagon

  45. Kopis • Kopis is a system that provides the ability to detect new malware domains as they appear, at some of the highest levels in the DNS hierarchy.

  46. DNS Refresher/Intro (diagram of a User resolving www.cs.umn.edu; components shown: Root, Top Level Domains, accessed through name servers)

  47. Kopis – Training Mode • In its training mode, Kopis makes use of a set of known domain names and their features called its knowledge base (KB). • Kopis is trained on the knowledge base, to try to make it capable of predicting whether a domain name is legitimate or malicious.

  48. DNS Request Features • Kopis gathers a number of features of DNS requests while active. • These features include: • Epoch • IP of query initiator • Queried domain • Set of resolved to IP addresses

  49. Derived Features • Kopis then calculates a number of features based on these stored results. • These features include: • Requester Diversity • Requester Profile • Resolved-IPs Reputation
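As an added example covering slides 48 and 49 (example code, not the Kopis system's own implementation), the per-request features are aggregated per domain into the three derived feature groups over constructed request records; the bad-prefix list, the large-resolver list and the threshold rule are assumptions standing in for the paper's reputation data and its classifier trained on the knowledge base.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Constructed request records as Kopis would log them at an upper-level name server:
# (epoch, requester IP, queried domain, resolved IP). RFC 5737 documentation addresses only.
SAMPLE_REQUESTS = [
    (1, "198.51.100.5", "good-example.test", "203.0.113.10"),
    (2, "198.51.100.5", "good-example.test", "203.0.113.10"),
    (3, "198.51.100.9", "good-example.test", "203.0.113.10"),
    (1, "192.0.2.1", "bad-example.test", "203.0.113.200"),
    (1, "192.0.2.130", "bad-example.test", "203.0.113.201"),
    (2, "198.51.100.7", "bad-example.test", "203.0.113.202"),
    (3, "203.0.113.50", "bad-example.test", "203.0.113.203"),
]
# Assumed side data standing in for the paper's reputation and resolver-population knowledge.
BAD_PREFIXES = [ip_network("203.0.113.192/26")]
LARGE_RESOLVERS = {"198.51.100.5", "198.51.100.9"}

def derive_features(requests):
    """Per-domain features in the spirit of Kopis: requester diversity, requester profile,
    resolved-IP reputation."""
    by_domain = defaultdict(list)
    for epoch, requester, domain, resolved in requests:
        by_domain[domain].append((epoch, requester, resolved))
    feats = {}
    for domain, rows in by_domain.items():
        requesters = {r for _, r, _ in rows}
        resolved = {ip for _, _, ip in rows}
        # Requester diversity: distinct requesters and distinct /24 networks asking for the domain.
        nets24 = {ip_network(r + "/24", strict=False) for r in requesters}
        # Requester profile: share of queries from large recursive resolvers (popular legitimate
        # domains are mostly asked about by such resolvers; fresh malware domains are not).
        large_share = sum(1 for _, r, _ in rows if r in LARGE_RESOLVERS) / len(rows)
        # Resolved-IP reputation: fraction of answers pointing into prefixes with a bad history.
        bad = sum(1 for ip in resolved if any(ip_address(ip) in p for p in BAD_PREFIXES))
        feats[domain] = {
            "n_requesters": len(requesters),
            "n_nets24": len(nets24),
            "epochs_active": len({e for e, _, _ in rows}),
            "large_resolver_share": round(large_share, 2),
            "bad_resolved_frac": round(bad / len(resolved), 2),
        }
    return feats

def is_suspicious(f):
    """Assumed threshold rule standing in for Kopis's classifier trained on the knowledge base."""
    return f["bad_resolved_frac"] >= 0.5 or (f["large_resolver_share"] < 0.25 and f["n_nets24"] >= 3)

if __name__ == "__main__":
    for d, f in derive_features(SAMPLE_REQUESTS).items():
        print(d, "suspicious" if is_suspicious(f) else "benign", f)
```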