Transcript Botnets

Botnets
Dr. Neminath Hubballi
IIT Indore © Neminath Hubballi
Introduction
 Bot: a program performing automated tasks
 A bot itself is not bad
 A botnet is a collection of computers which are connected and work under the instruction of a master in order to accomplish something
 Typically botnets are used for committing computer crimes
 A botnet is controlled by a person or a group of people
 Usually has monetary interests
 Advertisement companies
 Spam sending companies: outsource the work to bots
Motivation
 A report from Damballa, 2010: the number of infections increased at the rate of 8% per week
 Almost every newly created botnet overtakes the previous largest
 Financial profits
 User credential stealing
 Click fraud
 Political interests
 Illegal activities include:
 DDoS attacks
 Spamming
 Traffic sniffing
 Spreading malware
 Port scanning
 Key loggers, etc.
Components of a Botnet
Infrastructure
 Command and Control Infrastructure
 Centralized
 Client-server model
 Distributed
 Works more autonomously
 Also called peer-to-peer botnets
 Crucial
 Has to maintain stable connectivity
 Robust
 Stable
 Reaction time
 Communication protocol
Centralized Control
 Multiple communication channels with the master
Courtesy: Botnets: Detection, Measurement, Disinfection & Defense, European Network and Information Security Agency
Decentralized Control
 Each bot will propagate commands to others
Courtesy: Botnets: Detection, Measurement, Disinfection & Defense, European Network and Information Security Agency
Botnets Types
 There are 2 types of botnets
 Operate through IRC
 Operate through a web server
 Operate as a Peer-to-Peer network
Internet Relay Chat (IRC) based
 Uses a push model of communication
 Master pushes commands for execution to the bots
 All bots receive commands through IRC PRIVMSG, understand the instruction, execute the command and send back results
 In order to issue commands, the botmaster first authenticates herself with a username and password
 Advantages
 Open source
 Easy to modify
 Two-way communication
 Real-time connectivity
 Public and private mode interaction
 Disadvantages
 Single point of failure
 Easily detectable
Communication Over IRC
 Sequence of Events
 Master authenticates
 Master queries information about the botnet (version number)
 Master queries system information
 Master issues an instruction to scan other potentially vulnerable machines
 Bot replies with scan results
Courtesy: BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic
HTTP based
 This type of botnet uses HTTP as the communication medium
 Uses a pull model of interaction
 Bots periodically poll the master, requesting new commands to be issued
 Bots connect to the master through an HTTP POST method
 Usually used for form submissions
 Advantage of using HTTP
 It becomes difficult to detect
 Port 80 is open in all firewalls
 Normally encryption is used to avoid detection and eavesdropping
Role of DNS in Botnet
 DNS has an important role to play in botnet networks
 It allows changes to be made to the botnet infrastructure transparently
 Fast Flux Networks
 Create a domain evil.com
 The authoritative DNS server for the domain evil.com is owned by the attacker
 The attacker has multiple infected machines in her possession
 The RR mapping is changed at a very high frequency
 Each time, the client connects to a different infected machine or bot machine
 All of these machines or bots act as a proxy to the bot server
 Increases the resiliency of the botnet infrastructure
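A detection-side illustration of the fast-flux behaviour described above, written for this transcript as an added example (it is not the lecture's own code). It scores a domain on the two properties a defender can observe from successive DNS answers: a very short TTL and an A-record set that keeps changing across a large, spread-out pool of hosts. The answers in SAMPLE and the thresholds are constructed assumptions, not measured values.

```python
# Fast-flux heuristic over successive DNS answers for a domain, as an added example (not
# the lecture's own code). It checks the two properties described above: very short TTLs
# and an A-record set that keeps changing across a large, spread-out pool of hosts.
# Sample answers and thresholds are constructed/assumed, not measured values.
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

@dataclass
class Answer:
    ts: int           # seconds since observation start
    domain: str
    ttl: int          # TTL carried by the A records
    ips: tuple        # A records returned in this answer

# Constructed log: the suspicious domain rotates through many hosts in several networks
# with a 30 s TTL; the CDN-style domain also has a low TTL but reuses a small stable pool.
SAMPLE = [
    Answer(0,   "evil.example", 30, ("203.0.113.5", "198.51.100.7", "192.0.2.9")),
    Answer(60,  "evil.example", 30, ("198.51.100.40", "203.0.113.77", "192.0.2.120")),
    Answer(120, "evil.example", 30, ("192.0.2.200", "198.51.100.99", "203.0.113.150")),
    Answer(0,   "cdn.example",  60, ("198.51.100.10", "198.51.100.11")),
    Answer(60,  "cdn.example",  60, ("198.51.100.11", "198.51.100.10")),
    Answer(120, "cdn.example",  60, ("198.51.100.10", "198.51.100.11")),
]

def flux_score(answers, ttl_max=300, min_unique=8, min_networks=3, min_churn=0.5):
    """Return {domain: (flagged, unique_ips, unique_24s, min_ttl, churn)}; churn is the
    share of A records in each later answer that were never seen for the domain before."""
    by_domain = defaultdict(list)
    for a in answers:
        by_domain[a.domain].append(a)
    result = {}
    for domain, items in by_domain.items():
        items.sort(key=lambda a: a.ts)
        seen, nets, new, total = set(), set(), 0, 0
        for i, a in enumerate(items):
            for ip in a.ips:
                if i > 0:                      # first answer only seeds the pool
                    total += 1
                    new += ip not in seen
                seen.add(ip)
                nets.add(str(ipaddress.ip_network(f"{ip}/24", strict=False)))
        churn = new / total if total else 0.0
        min_ttl = min(a.ttl for a in items)
        flagged = (min_ttl <= ttl_max and len(seen) >= min_unique
                   and len(nets) >= min_networks and churn >= min_churn)
        result[domain] = (flagged, len(seen), len(nets), min_ttl, churn)
    return result
```

A low TTL alone is not evidence (CDNs use it too); the pool size, network spread and churn are what separate the rotating fast-flux domain from the stable one.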
Fast Flux Network
Courtesy: Botnets: Detection, Measurement, Disinfection & Defense, European Network and Information Security Agency
Who Suffers from Botnet
 Three entities
 Victim – suffers directly
 ISP – has to carry a lot of malicious traffic
 Third party – suffers the effects of the malware
 Defense
 Victim – corporations have to protect their IT assets
 ISP – detect malicious traffic
 Third party – keep the machine clean
Threat Characterization
 Botnet Size and Origin
 Footprint – the number of infected machines indicates the scaling factor
 Live Population – how many of the infected machines are currently able to interact using the C&C infrastructure
 Spam throughput: received spam emails per unit of time
 Freshness of IP addresses in spam emails – fresh ones are better
 Bandwidth usable for DDoS attacks
 Harvested personal data – more data roughly leads to more financial gain
Botnet Detection
 There are two types of detection mechanisms
 Passive techniques
 Activity can be tracked without interfering with the environment
 No disturbance
 Active techniques
 Blocking malicious domains and identifying infected machines
Source of Data for Passive Detection
 Packet analysis
 Shell code detection
 Protocol field
 Combination of some fields, etc.
 Drawbacks
 Full packet inspection is difficult
 Scaling is a factor
 Only known patterns are detected
 If the attack code is split across multiple packets or streams, it is far more difficult to detect
Source of Data for Passive Detection
 Flow Record Analysis
 A flow is a summary of what transpired in a communication
 Typical attributes are:
 Source and destination address
 Related port numbers
 Protocol used inside the packets
 Duration of the session
 Cumulative size
 Number of transmitted packets
 Drawbacks
 Payload is ignored
 Have to keep track of all sessions
 Switches and routers do it for you
Courtesy: BotGrep
Source of Data for Passive Detection
 Use of DNS Data
 Identify Fast Flux Networks
 Collect DNS queries and responses and do an offline analysis
 Identify “typo squatting” domain names in the data
 Ex. Goggle.com
 Malicious domain names can be blocked by domain registrars
 Currently not happening
 If a domain is identified as a malicious domain
 In all likelihood the queries to that domain are from infected machines
 It helps to track down even those machines
Source of Data for Passive Detection
 Use of spam email analysis
 Botnets often run spam campaigns
 All spam emails will have similarity
 In contents
 Pattern
 Length of mail
 Source IP address used (often they reuse the IP addresses)
 Antivirus software feedback
 Collect information from many sensors
Active Countermeasures
 Sinkholing – changing the records of a malicious domain to point to a good node
Courtesy: Botnets: Detection, Measurement, Disinfection & Defense, European Network and Information Security Agency
Active Countermeasures
 Identifying infected machines through DNS Cache Snooping
 This will help identify whether any machines in the local network are part of a malicious domain
 Issue a query to a DNS server for a domain which is suspicious
 Verify the TTL value
 If any other machine has already visited that domain, it is likely that the TTL value has decreased w.r.t. the default TTL value given by the authoritative name server
 Another variation is to issue the query with the RD (recursion desired) flag off
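The cache-snooping check above, worked through at the packet level as an added example (not the lecture's code): the query is built with the RD bit cleared so the local resolver answers only from its cache, and the TTL in the reply is compared with the authoritative TTL to decide whether some host behind the resolver already looked the name up. The resolver reply is constructed offline here; the domain, TTLs and IP addresses are made-up sample values.

```python
# DNS cache snooping, as an added example (not the lecture's own code). A query with the
# RD bit cleared asks the resolver only for what it already holds; an A record whose TTL
# is below the authoritative TTL means some host behind the resolver looked it up earlier.
# Packets are constructed offline; names, TTLs and IPs are made-up sample values.
import struct
def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, txid=0x1234, recursion_desired=False):
    flags = 0x0100 if recursion_desired else 0x0000           # RD is bit 8 of the flags
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # one question, no RRs
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(msg, off):
    """Advance past a name, handling the 0xC0 compression pointer used in answers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += length + 1

def answer_ttls(msg):
    """Return the TTLs of the A records in the answer section of a reply."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                         # skip QTYPE and QCLASS
    ttls = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 1:
            ttls.append(ttl)
    return ttls

def build_response(query, records):
    """Constructed resolver reply: echoes the question, then (ttl, ip) A records."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8080, 1, len(records), 0, 0)  # QR=1, RA=1
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                   + bytes(int(o) for o in ip.split(".")) for ttl, ip in records)
    return header + query[12:] + rrs

def snoop_verdict(response, authoritative_ttl):
    """'not-cached': empty answer; 'cached': TTL counting down; 'fresh': full TTL."""
    ttls = answer_ttls(response)
    if not ttls:
        return "not-cached"
    return "cached" if max(ttls) < authoritative_ttl else "fresh"
```

Against a live resolver the query bytes would be sent over UDP port 53 and the reply fed to snoop_verdict together with the TTL obtained directly from the authoritative server; a resolver that ignores RD=0 and recurses anyway returns the full TTL, which is why the "fresh" case is kept distinct from "cached".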
Active Countermeasures
Courtesy: Botnets: Detection, Measurement, Disinfection & Defense, European Network and Information Security Agency