240 likes | 436 Views
Botnets. Botnets. Collection of connected programs communicating with similar programs to perform tasks Legal IRC bots to moderate/administer channels Origin of term botnet Illegal Bots usually added through infections Communicate through standard network protocols. Botnet.
E N D
Botnets • Collection of connected programs communicating with similar programs to perform tasks • Legal • IRC bots to moderate/administer channels • Origin of term botnet • Illegal • Bots usually added through infections • Communicate through standard network protocols
Botnet • Named after malware that created the botnet • Multiple botnets can be created by same malware • Controlled by different entities • “Bot master” can control entire group of computers remotely through Command and Control(C&C) system
Botnet Uses • Botnets used for various purposes • Distributed Denial of Service Attacks(DDOS) • SMTP mail relays for spam • Click Fraud • Simulating false clicks on advertisements to earn money • Theft of information • Application serial numbers • Login information • Financial information • Personal information • Bitcoin mining
Botnet Connection Models • Three main connection models • Centralized • P2P-based • Unstructured
Centralized • Central point(server) that forwards messages to bots • Advantages • Simple to implement • Customizable • Disadvantages • Easier to detect and destroy • Most botnets use this model
P2P-based • Mainly used to avoid problems with centralized model • Does not use server as central location • Instead the bots are connected to each other • Advantages • Very hard to destroy • Commands can be injected at any point • Hard for researchers to find all bots • Disadvantages • Harder to implement and design
Unstructured • Bots will not actively contact other bots or botmaster • Only listens for incoming connections • Botmsater randomly scans internet for bots • When bot is found botmaster sends encrypted commands
Communication • Botnets use well defined communication protocols • Helps blend in with traffic • Protocol examples • IRC • Most common • Used for one-to-many or one-on-one • HTTP • Difficult to be detected • Allowed through most security devices by default • P2P • More advanced communication • Not always allowed on network
Detection Methods • Two main detection methods • Signature-based • Relies on knowing connection methods • Cannot detect new threats • Anomaly-based • Relies on anomalies from base-line traffic • High false-positive rates • Not useful in cases where base-line traffic cannot be established
Methods to Avoid Detection • Malware writers constantly looking for new ways to avoid detection • Recent botnets employ new methods to avoid detection • Fast flux • Domain flux
Fast Flux • Use a set of IP addresses that all correspond to one domain name • Use short TTL(Time To Live) and large IP pools • Can be grouped in two categories. • Single flux • Double flux
Single Flux • Domain resolves to different IP in different time ranges • User accesses same domain twice • First time DNS query returns 11.11.11.11 • TTL expires on DNS query • User performs another DNS query for domain • DNS server returns 22.22.22.22
Double Flux • More sophisticated counter-detection • Repeated changes of both flux agents and registration in DNS servers • Authoritative DNS server part of fluxing • Provides extra redundancy
Detecting Botnets using Fast Flux • Critical step in detecting fast flux network is to distinguish fast fluxing attack network(FFAN) and fast fluxing service network(FFSN) • All agents in FFSN should be up 24/7 • Agents within FFAN have unpredictable alive time • Botmaster does not have physical control over bots • Two metrics developed to distinguish these • Average Online Rate(AOR) • Minimum Available Rate(MAR)
Flux Agent Monitoring System • Uses AOR and MAR to track FFANs and FFSNs • Broken up into four components • Dig tool • Gather information and add new IP addresses to database • Agents monitor • Sends HTTP requests records response • IP lifespan records database • Stores service status • Detector • Judges between FFAN and FFSN by using AOR and MAR
Domain Flux • To avoid single point of failure domain flux was created • Uses a set of domain names that are constantly, and automatically, generated • Occasionally correspond to IP address • Bots and server both run domain name generation algorithm. • Bots try to contact C&C server by using generated domain names • If no answer is received at one, it moves on
Domain Flux in Torpig • Torpig was botnet that used domain flux • Eventually taken over by researchers • First calculated domain names by current week and current year • “weekyear.com” or “weekyear.net” • If those fail it moves on to calculated the daily domain • If all other methods fail, a Torpig bot will try to connect to a hard-coded domain within its configuration files
Detecting Botnets using Domain Flux • Reverse-engineering domain generation algorithm not always possible • Only a few domains will resolve to IP addresses • One detection method is to watch DNS query failures • Small percentage will be user error/poor configuration • Larger part of errors will be from malicious activity • With enough data one should be able to find patterns in DNS query errors
Mitigation Techniques • Fast Flux networks mitigated by blacklisting domain name associated with flux • Contact registrar • ISP block requests in DNS • ISP monitor DNS queries to domain • Domain flux is harder to mitigate • In order to register domain names before attackers one must know the algorithm used • Automated techniques to block DNS queries not always accurate • Registrars used by attackers usually do not listen to abuse reports
Why should we care? • BredoLab • Created May, 2009 • 30,000,000 bots • Mariposa • Created 2008 • 12,000,000 bots • Zeus • Banking credentials for all major banks • 3,600,000 bots in US alone • Customizable