Defense - Computer Science Division

Download Report

Transcript Defense - Computer Science Division

Taxonomy of Botnet
Threats
Defense by the Wanderers
Angel Pia Jr., Wander Smelan, Koonal Bose, Scott Thompson
Botnet Debate
 Resolve that the Trend Micro white paper: Taxonomy of
Botnet Threats provided a better understanding of
botnet behavior, detection and mitigation.
What this white paper is and what it is not.
 It is not meant to be the most comprehensive, all
inclusive, most definitive resource material for botnets
and its future incarnations.
 It is a working document meant to provide an organized
and systematic approach to understanding botnets and
its behavior to confront the threat that it poses.
 And for this reason this white paper merits its intended
goal above any minor and nit-picky blemishes it may
have, if ever it has.
Outline
 Definition [Angel Pia]
 History and background [Angel Pia]
 Taxonomy of botnets
 Attacking behavior [Wander Smelan]
 Command and Control model [Wander Smelan]
 Rallying mechanisms [Koonal Bose]
 Communication Protocols [Koonal Bose]
 Evasion Techniques [Scott Thompson]
 Observable botnet activities [Scott Thompson]
 Conclusion and Q&A
Definition
 Botnets (robot networks)
 zombie computers/drones/armies
 large number of compromised computers under the control of
a botmaster
 means to conduct various attacks ranging from Distributed
Denial of Service (DDoS) to email-spamming, spreading new
malware, etc.
 harnessing immense computing power.
Source: A typical botnet created from zombies (Credit: Cisco) http://www.macworld.co.uk/business/news/index.cfm?newsid=25756
Definition
 Bot
 compromised host computer
 also refer to the code planted on such computer.
 Botmaster
 one or a few computers used by the crackers to run command
and control operations over the botnet.
 Taxonomy
 Science or technique of classification
History and background
 First bot PrettyPark worm (1999)
 retrieved log-in names, email addresses, nicknames.
 connects to a remote IRC server from which the botmaster can
remotely control a large pool of infected hosts.
 first time such command and control method was employed.
 this concept soon spread to the rest of the black hat community
and various variants of the botnet evolved through the years.
 Rise of profit-driven attacks such as DDoS, spamming,
phishing and identity theft of which botnets have
proven to be a compelling vehicle over status-seeking
and vandalism objectives.
History and background
DDoS, spamming, phishing and identity theft attacks from
botnets.
History and background
History and background
 Sophistication of attacks and now has evolved to one
which poses the highest security threat in the internet.
 In 2006, it cost $67.2B for US businesses to deal with
malware.
Taxonomy of botnets
 Attacking behavior
 means of compromising, propagating and launching attacks
from a botnet
 DDoS; scan; remote exploits; junk emails (phishing and virus
attachments); phishing websites; spyware; identity theft; etc
 Command & Control (C&C) models
 classification of botnet topologies
 centralized; distributed; P2P; etc
 Rally mechanisms
 methods of bot activation into the botnet for malware service.
 hard-coded IP; Dynamic DNS; Distributed DNS; etc
Taxonomy of botnets
 Communication protocols
 way of botnets communicating to each other and to the
botmaster or C&C server
 IRC; HTTP; IM; P2P; etc
 Observable botnet activities
 other observable techniques
 DNS queries; burst short packets; abnormal system calls; etc
 Evasion Techniques
 ways botnets evade detection
 HTTP/VOIP tunneling; IPv6 tunneling; P2P encrypted traffic; etc
Attacking Behaviors
Attacking Behaviors
Purposes and techniques:
 Infecting new hosts (propagation of botnets)
 social engineering and distribution of malicious emails
 Stealing Sensitive Information
 keylogger and Network traffic sniffers
 Sending Spam and Phishing
 botnets distribute untraceable emails
 Distributed Denial of Service (DDoS)
 large amount of synchronized requests to a particular server or
service
Command and Control (C&C)
 Used to manage large-scale attacks
 Essential for operation and support of botnets
 Weakest links of botnets
 3 types: Centralized, Peer-to-Peer (P2P) and Random
Attacking Behaviors
Profile of a botnet mastermind
 Name: Owen Thor Walker
 Aka “AKILL”
 Country: New Zealand
 Started his “A-TEAM” botnet group
when he was 16. By age 19, had
1.3mi+ computers
 Had been diagnosed with Asperger's
syndrome, a mild form of autism often
characterized by social isolation, when
he was 10
 Caused damaged of over $20mi
 Caused computer to crash, stole
private information and sold to ecriminals.
Command and Control (C&C)
Centralized C&C Model
 Most commonly used
 Simple to implement and customize
 Easiest to eliminate
 Small message latency
 Botnet network size: 1,000++
Source: http://mrcracker.com/2009/09/botnet/
Command and Control (C&C)
P2P C&C Model
 More resilient to failures
 Less common, hard to discover, and hard to defend
 Unreliable from the messaging system perspective
 Hard to launch large scale attacks
 Botnet network size: 10-50
Source: http://mrcracker.com/2009/09/botnet/
Command and Control (C&C)
Random C&C Model
 Described by Evan Cooke – but still not in use in real




world botnets
Model: Bot waits (listens) for incoming connection.
Easy implementation
Highly resilient to discovery and destruction.
Scalability limitations make it difficult to coordinate
large attacks.
Rallying Mechanisms
Rallying Mechanisms
 Hard-coded IP address
 Dynamic Domain Name Server
 Distributed DNS service
Rallying Mechanisms
Hard-coded IP address
 The bot includes hard-coded C&C server IP address in its
binary.
 Easy to defend against if ip addresses is detected
 channel is blocked
 botnet is deactivated
Rallying Mechanisms
Dynamic DNS
 Hard-coded domain names, assigned by dynamical DNS
providers
 If C&C Server is deactivated, botmaster can resume
control by assigning a new IP address to corresponding
DNS entry
 Makes it harder to detect
Rallying Mechanisms
Distributed DNS service
 Botnets run their own distributed DNS service
 Many are run at high port numbers in order to
avoid detection by security devices
 Hardest to identify and destroy
Communication Protocols
 Botnets communicate with each other and their
Botmasters following well defined network protocols
 Importance of discovering communication has 2 main
advantages
 understanding Botnets origin, and possible software tools used
 helps security groups decode conversations between bots and
between bots and their master
 Main Communication Protocols being used
 IRC (Internet Relay Chat)
 HTTP (Hypertext Transfer – www)
 P2P (Peer to Peer)
 IM (Instant Messaging)
Communication Protocols
IRC Protocol
 IRC based Botnets are most frequently used
 IRC is mainly designed for group communication but can
also handle private messages between two people
 Botnet C&C Server runs an IRC service that is no
different from a standard IRC server
 Inbound vs Outbound IRC traffic
 inbound usually indicates local host is being recruited by Botnet
 outbound usually indicates local host has been compromised
and is being used as a C&C server of a Botnet
 Firewalls can be configured to block IRC traffic
 IRC botnets have scripts that parse messages and will
execute malicious functions accordingly
Communication Protocols
IRC Protocol
 Botnet C&C Server running IRC service
Botmaster
IRC Server
Communication Protocols
IRC Protocol
 Once detected can easily be blocked
Botnet user
Communication Protocols
HTTP and Other Protocols
 2 main advantages of using HTTP Protocol
 Blends with normal Internet traffic
 Abnormal ports are normally blocked at firewall, HTTP allows
botnet to communicate back with the C&C Server
 HTTP is harder to detect but not impossible since
response header fields and page payload would be
different from normal HTTP traffic.
 P2P and IM are more recent protocols being used by
Botnets
 Still relatively small number compared to HTTP and IRC
Communication Protocols
 P2P Protocol
 Distributed control
Communication Protocols
 P2P Protocol
 Distributed control
 Even if one is detected it is hard to disable
Evasion and Detection Techniques
Detection and Evasion Techniques
Detection Techniques
 Antivirus & Intrusion Detection
Systems (IDS)
 These antivirus systems are based
on virus signature.
 Anomaly-based detection
systems
 Monitor communication traffic
Detection and Evasion Techniques
Evasion Techniques
 From Signature-based Detection
 Executable Packers
 Rootkits
 Protocol evasion techniques
 From Anomaly-based detection systems
 New / modified communication protocols: IRC, HTTP, VoIP
 Utilize secure channels to hide communications
 Alternative channels: ICMP or IPv6 tunneling
 Potentially use SKYPE or IM
Detection and Evasion Techniques
Effective Detection Alternative
 Combination of Techniques:
 Detect connections to C&C centers
 Monitor for Communication Traffic
 Monitor for Anomalous Behavior
Detection and Evasion Techniques
Combating Botnets focusing on Detectable Behavior
 Global Correlation
Behavior
 Network-based
Behavior
 Host-Based Behavior
Detection and Evasion Techniques
Network-based Behaviors
 Observable Communications:
 Monitor IRC & HTTP traffic to servers that don't require these
protocols
 IRC traffic that is not “human readable”
 DNS queries (lookups for C&C controllers)
 Frequency changes in IP for DNS lookups
 Long idle periods followed by very rapid responses
 Very bursty traffic patterns
 Attack Traffic:
 Denial of Service: TCP SYN packets (invalid source)
 Internal system sending emails (Phishing)
Detection and Evasion Techniques
Host-based Behaviors
 Detectable activity on an
infected host:
 Disabled Anti-virus
 Large numbers of updates to
system registry
 Specific system/library call
sequences
Detection and Evasion Techniques
Global Correlated Behaviors
 Common across different Botnet implementations:
 Detect DNS changes for
C&C host
 Large numbers of DNS
queries
Conclusion
Conclusion
 Botnets are a dangerous evolution in the malware
world
 They are being used to damage systems, steal
information and comprise systems
 They are hard to detect and eliminate
 The taxonomy approach allowed us an organized and
systematic means to understanding the nature of
botnets and their behaviors. This will allow us to
mitigate the threat with corrective measures.
Q&A
Conclusion