Botnet Introduction • Definition • History • How Botnet works • Botnet uses • Botnet Taxonomy
Definition: Bots • Definition: autonomous programs automatically performing tasks, absent a real user. • Benign bots • countless examples at http://www.botknowledge.com/ • Gray-area bots • Blogbots, e.g., wikipedia, xanga • Other examples: xdcc, fserve bots for IRC • Malicious bots • Key characteristics: process forking, with network and file access, and propagation potential. • Other attributes: Can be replicating, Able to run “third party” code
Definition: Botnets • Definition: networks of autonomous programs capable of acting on instructions. • Again, gray areas: FServe bot farms, spider farms, etc. • Today, just a narrow definition: • organized network of malicious bot clients
Definition: Botnets (Cont’d) • “A Botnet is a collection of computers, connected to the internet, that interact to accomplish some distributed task.” • Typically refers to botnets used for illegal purposes. • Controlled by one person or a group of people (a.k.a. the botmaster) • Under a command and control (C&C) structure • Other attributes: • Could be self-spreading
Comparison of Malware • Viruses: require the spreading of an infected host file • Worms: standalone software, self-transporting over the network • Trojans: users are tricked into loading and executing them on their systems • Bots: automate tasks and provide services
C&C channel • Means of receiving and sending commands and information between the botmaster and the zombies. • Typical protocols • IRC • HTTP • Overnet (Kademlia) • The protocol implies (to an extent) a botnet’s communication topology. • The topology provides trade-offs in terms of bandwidth, effectiveness, stealth, and so forth.
History • In the beginning, there were only good bots. • ex: Google bot, game bots, etc. • Later, bad people thought of creating bad bots so that they could • Send spam and phishing emails • Control other people’s PCs • Launch attacks against servers (DDoS) • Many malicious bots were created • SDBot/Agobot/Phatbot etc. • Botnets started to emerge • Bots started to become payloads for worms, and are big business!
Why Botnets? • No “single” point of failure • Hard to backtrack, attribute and take down • Capacity reasons (vast numbers) • Computing power and network bandwidth • Distribution across the whole network • Complicated jurisdictional issues • Launch malicious (criminal) activities
Botnet Uses • “Real” money-making business behind it • Organized crime moved to the internet • Criminal business activities • Distributed Denial of Service (DDoS) attacks • Sending spam • Phishing (fake websites) • Adware (Trojan horse) • Spyware (keylogging, information harvesting) • Click fraud • Storing pirated materials
Botnet Taxonomy • A botnet has to have a command and control (C&C) server • Topologies • Star, Multiserver, Hierarchical, Random • Communication channel • IRC, HTTP, IM, P2P, Email • Rallying mechanisms • IP address, Dynamic DNS, Distributed DNS • Evasion techniques • Fast flux, Domain flux, Reverse proxies
Botnet Detection • Host-based • Intrusion Detection Systems (IDS) • Anomaly detection • IRC nicknames • Honeypots and honeynets
Overview • Spam is used for creating revenue by marketing products • How spam advertised sites work • Statistics of revenue from a case study • Purchasing Behavior • Revenue Estimation
How Spam Works • Spam is part of a larger value chain with three distinct stages: • Advertising • Click support • Realization
How Spam Works • Advertising • Email, Blog spam, Twitter spam, search engine optimization, sponsored advertising • Click Support • Redirection Sites, Domains, Name servers, Web Servers, Stores and Affiliate programs • Realization • Payment services, Fulfillment
How Spam Works (diagram of the value chain; components shown: botnet spam advertising, users, web proxy/server, DNS server, domain registrar, affiliate, merchant, merchant’s bank, user’s bank)
Data Collection Methods • Methods for data collection • Collecting Spam-Advertised URLs, Crawler data, DNS Crawler, Web Crawler • Content clustering and tagging • Category tagging, Program tagging, Purchasing, Operational Protocol, Legal and ethical concerns
Data Analysis • Analyzing the degree to which affiliate programs share infrastructure, considering the click support phase as well as the other phases of the spam value chain.
Purchasing Behavior • Factors considered to find patterns in purchasing behavior: • Basket inference • Product popularity • Customer distribution
Purchasing Behavior • Among various countries
Revenue Estimation • Combining the data-collection results, revenue was estimated from the average price per order • Ranges from $2M/day for one spam botnet • Russian spammers earned 3.7 billion rubles (roughly $125 million) in 2009 • Consistency of results
References • C. Kanich, N. Weaver, D. McCoy, T. Halvorson, C. Kreibich, K. Levchenko, V. Paxson, G. Voelker and S. Savage, “Show Me the Money: Characterizing Spam-advertised Revenue”, Proceedings of the USENIX Security Symposium, 2011. • S. Savage and G. M. Voelker, “No Plan Survives Contact: Experience with Cybercrime Measurement”, Proceedings of the Workshop on Cyber Security Experimentation and Test (CSET), August 2011. • G. M. Voelker, S. Savage et al., “Click Trajectories: End-to-End Analysis of the Spam Value Chain”, Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2011, pages 431–446. • M. Motoyama, D. McCoy, K. Levchenko, S. Savage and G. M. Voelker, “Dirty Jobs: The Role of Freelance Labor in Web Service Abuse”, Proceedings of the USENIX Security Symposium, San Francisco, CA, August 2011.
Outline • Examine current techniques used to detect and defeat Botnets. • Explore what Botnets might do to avoid these techniques. • Look at Kopis, a high-level DNS traffic monitor that detects malware domains by analyzing DNS query patterns.
Towards Systematic Evaluation of the Evadability of Bot/Botnet Detection Methods (Elizabeth Stinson, John Mitchell)
Syntax Detection • Use the contents of network traffic to identify whether the traffic was generated by a Bot. • Example: • Rishi
Example - Rishi • Sample bot nicknames: RedBlueUSA|2775728384, RBOT|XP|1248525, FooBarFrank[03|DE|125252] • Things to check for: • Country prefix • Common prefixes • Strings of numbers • Operating system • Regex: ^\[[0-9]{1,2}\|[A-Z]{2,3}\|[0-9]{4,}\]$
Evading Syntax Detection • Encryption
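As an added example (not Rishi’s own code), a Python scorer in the spirit of the checks listed on the Rishi slide, run over a constructed IRC join log; only the regex comes from the slide, while the feature weights, word lists and cut-off are assumptions made for illustration:

```python
import re
# Added example (not Rishi's own code): a Rishi-style scorer for IRC nicknames.
# Weights, word lists and the threshold below are assumptions for illustration.
TEMPLATE_RE = re.compile(r"^\[[0-9]{1,2}\|[A-Z]{2,3}\|[0-9]{4,}\]$")  # regex from the slide
DIGITS_RE = re.compile(r"[0-9]{4,}")                      # strings of numbers
SEP_RE = re.compile(r"[\[\]|\-_]+")                       # field separators in bot nicks
JOIN_RE = re.compile(r"^:([^!\s]+)!\S+ JOIN ")            # ":nick!user@host JOIN #chan"
COUNTRY_CODES = {"US", "USA", "DE", "UK", "FR", "BR", "CN"}  # constructed list
OS_TAGS = {"XP", "2K", "NT", "WIN", "VISTA", "2000"}         # constructed list
BOT_PREFIXES = ("RBOT", "SDBOT", "AGOBOT")                    # constructed list
THRESHOLD = 4                                                 # assumed cut-off

def score_nickname(nick: str) -> int:
    """Return a suspicion score; higher means more bot-like."""
    score = 0
    if TEMPLATE_RE.match(nick):
        score += 4                                # exact known template
    parts = [p for p in SEP_RE.split(nick.upper()) if p]
    long_codes = tuple(c for c in COUNTRY_CODES if len(c) == 3)
    if any(p in COUNTRY_CODES or p.endswith(long_codes) for p in parts):
        score += 2                                # country prefix / field
    if any(p in OS_TAGS for p in parts):
        score += 2                                # operating-system tag
    if DIGITS_RE.search(nick):
        score += 2                                # long run of digits
    if nick.upper().startswith(BOT_PREFIXES):
        score += 3                                # common bot-family prefix
    return score

def is_bot_nick(nick: str, threshold: int = THRESHOLD) -> bool:
    return score_nickname(nick) >= threshold

def flag_joins(log_lines):
    """Return [(nick, score)] for JOIN lines whose nickname scores as bot-like."""
    flagged = []
    for line in log_lines:
        m = JOIN_RE.match(line)
        if m and is_bot_nick(m.group(1)):
            flagged.append((m.group(1), score_nickname(m.group(1))))
    return flagged

# Constructed IRC server log excerpt; the three bot-style nicks come from the slide.
SAMPLE_LOG = [
    ":[03|DE|125252]!x@10.0.0.5 JOIN #ch",
    ":RBOT|XP|1248525!y@10.0.0.9 JOIN #ch",
    ":RedBlueUSA|2775728384!z@10.0.0.2 JOIN #ch",
    ":alice_92!alice@192.0.2.7 JOIN #ch",
    ":FooBarFrank!fbf@192.0.2.8 PRIVMSG #ch :hello",
]
```

The scorer only sees nicknames in the clear, which is exactly why the next slide's evasion (encrypting the channel) defeats it.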
Traffic Analysis Detection • Detect botnets by looking for traffic that looks like it is from a botnet. • Looks at characteristics of traffic, not content. • Connection duration • Packet size • Packet rate • Example: • Strayer - Applies a pipeline of traffic analysis, resulting in a set of traffic that looks the most bot-like.
Example - Strayer (pipeline): Filters → Classifier → Timing Correlator → Topological Analysis
Hiding from Traffic Analysis • Perturbing flows - modify botnet communications to disguise traffic. • Padding messages with junk • Striping commands across packets • Modifying connection duration and timing.
Timing Detection • Uses timing information to correlate and/or identify bot traffic. • Example: • Strayer
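An added example, not Strayer’s code, of the filter, timing-correlator and topological stages described on the Traffic Analysis Detection and Timing Detection slides, run over constructed packet records; the record layout (flow_id, dst_ip, timestamp_s, bytes) and all thresholds are assumptions:

```python
from collections import defaultdict
from statistics import mean
# Added example (not Strayer's code): a small Strayer-style pipeline over packet
# records (flow_id, dst_ip, timestamp_s, bytes). All thresholds are assumptions.
MAX_MEAN_BYTES, MIN_DURATION_S, GAP_TOLERANCE = 200, 300, 0.15

def flow_features(packets):
    """Per flow: duration, mean packet size, packet rate, mean inter-packet gap."""
    by_flow = defaultdict(list)
    for fid, dst, ts, size in packets:
        by_flow[(fid, dst)].append((ts, size))
    feats = {}
    for key, pkts in by_flow.items():
        times = sorted(t for t, _ in pkts)
        duration = times[-1] - times[0]
        gaps = [b - a for a, b in zip(times, times[1:])]
        feats[key] = {"duration": duration, "mean_size": mean([s for _, s in pkts]),
                      "rate": len(pkts) / duration if duration else 0.0,
                      "mean_gap": mean(gaps) if gaps else 0.0}
    return feats

def filter_stage(feats):
    """Stage 1: drop flows that cannot be IRC-style C&C (big packets or short-lived)."""
    return {k: f for k, f in feats.items()
            if f["mean_size"] <= MAX_MEAN_BYTES and f["duration"] >= MIN_DURATION_S}

def timing_correlator(feats):
    """Stage 2: cluster surviving flows whose mean inter-packet gaps are alike."""
    groups = []
    for key, f in sorted(feats.items(), key=lambda kv: kv[1]["mean_gap"]):
        for g in groups:
            ref = feats[g[0]]["mean_gap"]
            if abs(f["mean_gap"] - ref) <= GAP_TOLERANCE * ref:
                g.append(key)
                break
        else:
            groups.append([key])
    return [g for g in groups if len(g) > 1]

def topological_stage(groups):
    """Stage 3: keep correlated groups that share one destination (candidate C&C)."""
    return [(g[0][1], sorted(k[0] for k in g)) for g in groups if len({k[1] for k in g}) == 1]

# Constructed packets: h1-h3 beacon to 198.51.100.7 about every 60 s; h4 is a short bulk download; h5 is long but irregular.
SAMPLE = ([("h1", "198.51.100.7", 60 * i, 80) for i in range(10)]
          + [("h2", "198.51.100.7", 60 * i + 3, 90) for i in range(10)]
          + [("h3", "198.51.100.7", 62 * i, 70) for i in range(10)]
          + [("h4", "203.0.113.9", 0.2 * i, 1400) for i in range(20)]
          + [("h5", "203.0.113.5", t, 120) for t in (0, 5, 300, 301, 900)])
```

GAP_TOLERANCE is the knob the timing-evasion slide attacks: jittered beacons widen the gap spread, so a detector has to trade a looser tolerance against more false groupings.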
Disguising Timings • Delays can be built into different actions, spacing out the various botnet traffic so it is more difficult to correlate and group.
Tainted Command Detection • Remote control commands from the bot controller demonstrate a flow of information • Example: • BotSwat
Example - BotSwat (diagram: Controller, Bot, Host OS)
Sanitizing Tainted Commands • Bot can launder commands before attempting to execute them.
Detecting Malware Domains at the Upper DNS Hierarchy (Manos Antonakakis, Roberto Perdisci, Wenke Lee, Nikolaos Vasiloglou II, and David Dagon)
Kopis • Kopis is a system that provides the ability to detect new malware domains as they appear, at some of the highest levels in the DNS hierarchy.
DNS Refresher/Intro (diagram: User, Root, Top Level Domains (accessed through name servers), example lookup of www.cs.umn.edu)
Kopis – Training Mode • In its training mode, Kopis makes use of a set of known domain names and their features, called its knowledge base (KB). • Kopis is trained on the knowledge base so that it can predict whether a domain name is legitimate or malicious.
DNS Request Features • Kopis gathers a number of features of DNS requests while in operation. • These features include: • Epoch • IP of query initiator • Queried domain • Set of resolved IP addresses
Derived Features • Kopis then calculates a number of features based on these stored results. • These features include: • Requester Diversity • Requester Profile • Resolved-IPs Reputation
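An added example (not the Kopis implementation) that derives the three feature groups above from a constructed log of the request features listed on the previous slide; the /16 and /24 prefixes stand in for the BGP prefixes Kopis uses, the requester weighting by distinct domains queried is a stand-in for Kopis’ resolver profiling, and the blacklist is constructed:

```python
import ipaddress
from collections import defaultdict
# Added example (not the Kopis code): computing Kopis-style per-domain features
# from a constructed log of queries seen at an upper-level (TLD) name server.
# Records are (epoch, requester_ip, queried_domain, resolved_ips). /16 and /24
# prefixes stand in for BGP prefixes, and KNOWN_BAD is a constructed blacklist.
def _prefix(ip, length):
    return str(ipaddress.ip_network(f"{ip}/{length}", strict=False))

def requester_diversity(records, domain):
    """Distinct requester IPs, /24s and /16s that asked for the domain."""
    ips = {r for _, r, d, _ in records if d == domain}
    return {"ips": len(ips),
            "slash24": len({_prefix(ip, 24) for ip in ips}),
            "slash16": len({_prefix(ip, 16) for ip in ips})}

def requester_profile(records, domain):
    """Weight each requester by how many distinct domains it queries overall (a proxy
    for the population behind a recursive resolver); sum over the domain's requesters."""
    seen = defaultdict(set)
    for _, req, d, _ in records:
        seen[req].add(d)
    return sum(len(seen[req]) for req in {r for _, r, d, _ in records if d == domain})

def resolved_ip_reputation(records, domain, known_bad):
    """Share of the domain's resolved IPs that fall in known-bad /24 networks."""
    bad24 = {_prefix(ip, 24) for ip in known_bad}
    resolved = {ip for _, _, d, ips in records if d == domain for ip in ips}
    return len({ip for ip in resolved if _prefix(ip, 24) in bad24}) / len(resolved) if resolved else 0.0

def features(records, domain, known_bad):
    div = requester_diversity(records, domain)
    return {**div, "profile": requester_profile(records, domain),
            "bad_ip_share": resolved_ip_reputation(records, domain, known_bad)}

# Constructed query log (documentation addresses only) and constructed blacklist.
RECORDS = [
    (1000, "192.0.2.10", "bank-example.com", ("198.51.100.5",)),
    (1001, "192.0.2.11", "bank-example.com", ("198.51.100.5",)),
    (1002, "203.0.113.7", "bank-example.com", ("198.51.100.5",)),
    (1003, "192.0.2.10", "news-example.org", ("198.51.100.20",)),
    (1004, "203.0.113.7", "shop-example.net", ("198.51.100.30",)),
    (1005, "192.0.2.10", "malw-example.biz", ("203.0.113.200", "203.0.113.201")),
    (1006, "192.0.2.77", "malw-example.biz", ("203.0.113.200",)),
    (1007, "198.51.100.99", "malw-example.biz", ("203.0.113.202",)),
    (1008, "203.0.113.250", "malw-example.biz", ("203.0.113.202",)),
]
KNOWN_BAD = ["203.0.113.200"]
```

In training mode these vectors, labelled from the KB, are what a classifier would be fit on; here the constructed malware domain stands out by its wider requester spread and fully blacklisted resolved IPs.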