Roadrunners_Botnet


BOTNET
Kumar Mukherjee
Mike Ladd
Nazia Raoof
Rajesh Radhakrishnan
Bret Walker
Botnet Background
• network of infected hosts, under control of a human operator (botmaster)
• tens of thousands of nodes
• victims claimed by remote exploits
Defining Characteristic
• use of Command & Control (C&C) channels
• used to disseminate botmaster's commands
Uses of Botnets
• Spam
• ID Theft
• Piracy
• DDOS
• Ex. 1000 bots w/ 128KBit/s connection > many corporate systems
• IP distribution makes filtering difficult
Lifecycle of Botnet Infection
Why IRC?
• IRC designed for both point-to-point and point-to-multipoint communication
• one-to-one, or one-to-group chat
• flexible, open-source protocol
Bot-to-IRC Communication
• authenticate to IRC server via PASS message
• C&C channel authentication
• Botmaster authenticates to bot population to issue commands
Bot-News: Kraken
• 400,000+ nodes
• 50+ Fortune 500 companies
• 2x the size of ‘Storm’
• Used for spam (bots sending 500,000+ messages daily)
Bot-News: Kraken
• Designed as image file
• Regular updates to binary
• C&C communication via customized UDP/TCP
• Able to generate new domain names if C&C is disabled
Further Background
• http://www.honeynet.org/papers/bots/
• http://www.wired.com/wired/archive/14.11/botnet_pr.html
• http://en.wikipedia.org/wiki/Storm_botnet
Methodology: Malware Collection Phase
• Collection of as many bot binaries as possible
• Distributed darknet used
• 14 nodes access the darknet
• Modified version of Nepenthes (a malware collection framework) platform:
-- Mimics the replies generated by vulnerable services in order to collect the first-stage exploit or shellcode
-- Generates the URLs from which binaries are to be retrieved
• Honeynet is used to complement Nepenthes in order to catch exploits it missed.
-- Honeypots are unpatched Windows XP VMs
-- Honeypots become infected and are compared later to a clean Windows XP image.
-- Infected honeypots are also allowed to sustain IRC connections until the VM gets reimaged
Methodology: Data Collection Architecture
Methodology: Gateway
 Darknet routing to various parts of the internal network
 Cross-infection prevention among honeypots
-- configuring honeypots in separate VLANs
 Termination of traffic across VLANs and gateways
 Monitor and analyze the malware traffic for infections
 Dynamic rule insertion
-- block further inbound attack traffic towards a honeypot that is infected
-- single malware instance per honeypot due to lack of resources
 Other functions
-- triggering re-imaging with clean Windows images
-- pre-filtering and control during downloads
-- local DNS to resolve queries
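As an added example (not code from the presentation or from the paper it summarizes), the following Python sketches the gateway behaviour described on this slide together with the IRC registration pattern from the Bot-to-IRC slide: watch honeypot traffic for an outbound IRC registration (PASS/NICK/USER/JOIN), record the C&C server, channel and topic for the tracker, then insert a rule that drops further inbound attack traffic to the infected honeypot while leaving its C&C session alive until re-imaging. The log format, the honeypot addresses in HONEYPOTS, the ports in IRC_PORTS and every line of SAMPLE_LOG are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass

# Assumptions for this example: honeypot VLAN addresses and the ports the
# gateway treats as IRC. Neither comes from the paper.
HONEYPOTS = {"10.0.1.5", "10.0.1.6"}
IRC_PORTS = {6667, 6668, 6669}
IRC_REG_CMDS = {"PASS", "NICK", "USER", "JOIN"}

# Constructed gateway log, one line per observed message:
#   <timestamp> <src_ip> <dst_ip> <dst_port> <payload>
# Honeypot 10.0.1.5 is hit from the darknet, registers with an IRC C&C server,
# joins a channel and receives the channel topic (RPL_TOPIC, numeric 332).
SAMPLE_LOG = """\
2006-05-01T10:00:01 192.0.2.44 10.0.1.5 445 SMB-EXPLOIT-STAGE1
2006-05-01T10:00:09 10.0.1.5 198.51.100.7 6667 PASS s3cret
2006-05-01T10:00:09 10.0.1.5 198.51.100.7 6667 NICK [XP]-12345
2006-05-01T10:00:10 10.0.1.5 198.51.100.7 6667 JOIN #chan key123
2006-05-01T10:00:11 198.51.100.7 10.0.1.5 6667 :c2.example 332 [XP]-12345 #chan :botmaster-command-placeholder
2006-05-01T10:00:30 192.0.2.45 10.0.1.5 445 SMB-EXPLOIT-STAGE1
2006-05-01T10:01:00 192.0.2.46 10.0.1.6 139 SMB-EXPLOIT-STAGE1
"""

@dataclass
class Event:
    ts: str        # fixed-width ISO-8601, so plain string comparison orders correctly
    src: str
    dst: str
    dport: int
    payload: str

@dataclass
class Infection:
    honeypot: str
    cc_server: str
    first_seen: str
    channel: str = ""
    topic: str = ""

TOPIC_RE = re.compile(r"^:\S+ 332 \S+ (#\S+) :(.*)$")

def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, payload = line.split(" ", 4)
        events.append(Event(ts, src, dst, int(dport), payload))
    return events

def detect_infections(events):
    """A honeypot initiating IRC registration (PASS/NICK/USER/JOIN) is the
    infection signal: a clean honeypot never opens IRC connections. Once a
    honeypot is flagged, the C&C server's replies are mined for the channel
    topic, where botmasters often park standing commands."""
    infections = {}
    for ev in events:
        if ev.src in HONEYPOTS and ev.dport in IRC_PORTS:
            cmd = ev.payload.split(" ", 1)[0].upper()
            if cmd in IRC_REG_CMDS:
                inf = infections.setdefault(ev.src, Infection(ev.src, ev.dst, ev.ts))
                if cmd == "JOIN":
                    inf.channel = ev.payload.split()[1]
        elif ev.dst in infections and ev.src == infections[ev.dst].cc_server:
            m = TOPIC_RE.match(ev.payload)
            if m:
                infections[ev.dst].channel, infections[ev.dst].topic = m.groups()
    return infections

def gateway_rules(infections):
    """Dynamic rules inserted once a honeypot is infected: drop new inbound
    attack traffic to it (one malware instance per honeypot), keep the C&C
    session alive so the bot can be observed, and schedule re-imaging."""
    rules = []
    for hp, inf in infections.items():
        rules.append({"action": "drop", "dst": hp, "since": inf.first_seen,
                      "allow_src": inf.cc_server})
        rules.append({"action": "reimage", "host": hp})
    return rules

def apply_rules(events, rules):
    """Replay the log through the drop rules; returns the events the gateway
    would still forward."""
    drops = [r for r in rules if r["action"] == "drop"]
    return [ev for ev in events
            if not any(ev.dst == r["dst"] and ev.ts >= r["since"]
                       and ev.src != r["allow_src"] for r in drops)]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect_infections(evs)
    for hp, inf in found.items():
        print(f"{hp} infected at {inf.first_seen}: C&C {inf.cc_server} "
              f"channel {inf.channel} topic {inf.topic!r}")
    print(f"{len(evs) - len(apply_rules(evs, gateway_rules(found)))} event(s) dropped")
```

Run against the constructed log, the second exploit attempt against 10.0.1.5 is dropped while the attempt against the still-clean 10.0.1.6 is forwarded; the C&C server's topic reply is allowed through so the tracker keeps seeing the channel.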
Methodology: Defense Points
 With the methodology we now have the ability to model other types of bots.
 Although the methodology utilized Windows OS, we can model it for other platforms
 The methodology analyzes all aspects of bots and botnets.
A Multifaceted Approach to Understanding the Botnet Phenomenon
Results - I
Overall traffic
27% of total traffic is from known botnet spreaders
73% of traffic includes traffic from unknown botnet spreaders
60% of malicious binaries were IRC bots
Only a handful were HTTP based
Authors' concerns about botnet spread are justifiable.
Traffic directed to vulnerable ports
76% of traffic targeted at vulnerable ports is from botnet spreaders
Malicious traffic to vulnerable ports cannot be differentiated between botnet and non-botnet traffic
It would be desirable to know how much of the total traffic was directed to vulnerable ports.
Peak traffic
90% of total traffic during the peak time targets ports used by botnet spreaders
70% of traffic during the peak time sent shell exploits similar to those sent by botnet spreaders.
Probed servers
(chart: probed servers with at least one botnet activity vs. no botnet activity)
11% of probed servers had at least one botnet activity
29% of probed .com servers had at least one cache hit
95% of probed .cn servers had at least one cache hit.
Botnet Types
Total botnets captured: 192
34 of 192 botnets captured were type I botnets (worm-like)
158 of them were type II
Botnets and Network types
When channel was set to topic
80% of targeted scanning was aimed at CLASS A networks
89% of localized scanning was aimed at CLASS B networks
When channel was set to botmaster commands
88% of targeted scanning was aimed at CLASS A networks
82% of localized scanning was aimed at CLASS B networks
DNS & IRC tracker views
Both DNS & IRC tracker views demonstrated three types of growth pattern:
 semi-exponential growth
 staircase-type growth
 linear growth
Semi-exponential growth exhibited random scanning activity
Staircase-type growth exhibited intermittent activity
Linear growth exhibited time-scoped activity
Key Points based on results
 Botnets pose serious threats to the internet
 Major contributor of unwanted traffic on the internet
 IRC is the dominant protocol used in Botnet communications
 Botnets have achieved a high degree of sophistication in terms of self-protection mechanisms and modular package structures
Effective Botnet Sizes
Footprint Size vs. Effective Size
• Effective size is significantly smaller
• At most 3,000 bots online w/ networks of up to 10k bots
Smaller effective sizes limit certain activities:
• Timely commands
• DDoS attacks
Effective botnet sizes fluctuate with timezone changes
Lifetime
Botnets have relatively long lifetimes
• Even after they’re shut down, live on average for 47 days
• 84% of servers up longer than the 3 month survey
• 55% of those botnets still scanning the Internet
• If taken offline, able to be brought back online quickly
Bots do not stay long on IRC channels
• Average time ~ 25 minutes
• 90% stayed less than 50 minutes
• High churn rate
Botmasters spend great lengths of time managing and monitoring their botnets
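The footprint/effective-size distinction and the channel dwell-time figures above come from an IRC tracker sitting in the C&C channel and logging when each bot nick joins and leaves. As an added example (not the presenters' or the paper's code), here is how those measures are computed from such a log: footprint as the set of distinct nicks over the whole window, effective size as peak concurrency, dwell time from JOIN/PART pairing, and a per-hour peak that makes the time-zone fluctuation visible. The log format and every line of TRACKER_LOG are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed IRC-tracker log (format assumed for this example): the tracker
# sits in the C&C channel and records each bot nick's JOIN and PART.
TRACKER_LOG = """\
2006-05-01T00:00:00 botA JOIN
2006-05-01T00:05:00 botB JOIN
2006-05-01T00:10:00 botC JOIN
2006-05-01T00:20:00 botA PART
2006-05-01T00:40:00 botB PART
2006-05-01T01:00:00 botA JOIN
2006-05-01T01:30:00 botC PART
2006-05-01T01:55:00 botA PART
2006-05-01T08:00:00 botD JOIN
2006-05-01T08:10:00 botE JOIN
2006-05-01T08:45:00 botD PART
2006-05-01T09:00:00 botE PART
"""

def parse_tracker(text):
    """Return (timestamp, nick, action) tuples in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, nick, action = line.split()
        events.append((datetime.fromisoformat(ts), nick, action.upper()))
    events.sort(key=lambda e: e[0])   # stable sort: same-instant lines keep log order
    return events

def footprint(events):
    """Footprint: every distinct bot seen in the channel over the whole window."""
    return {nick for _, nick, _ in events}

def effective_size(events):
    """Effective size: the peak number of bots online at the same instant."""
    online, peak = set(), 0
    for _, nick, action in events:
        (online.add if action == "JOIN" else online.discard)(nick)
        peak = max(peak, len(online))
    return peak

def sessions(events):
    """Pair each JOIN with the next PART of the same nick. A JOIN that never
    PARTs is an open session (end=None); a PART with no JOIN, which happens
    when the tracker arrived after the bot, is ignored."""
    open_since, closed = {}, []
    for ts, nick, action in events:
        if action == "JOIN":
            open_since.setdefault(nick, ts)
        elif nick in open_since:
            closed.append((nick, open_since.pop(nick), ts))
    closed.extend((nick, ts, None) for nick, ts in open_since.items())
    return closed

def dwell_stats(events, threshold_min=50):
    """Average minutes a bot stays in the channel, and the fraction of
    sessions shorter than threshold_min. Open sessions are left out."""
    mins = [(end - start).total_seconds() / 60
            for _, start, end in sessions(events) if end is not None]
    if not mins:
        return 0.0, 0.0
    return sum(mins) / len(mins), sum(d < threshold_min for d in mins) / len(mins)

def peak_by_hour(events):
    """Peak concurrent bots per clock hour, sampled at event times: the view
    in which effective size rises and falls with the bots' time zones."""
    online, peaks = set(), defaultdict(int)
    for ts, nick, action in events:
        (online.add if action == "JOIN" else online.discard)(nick)
        peaks[ts.hour] = max(peaks[ts.hour], len(online))
    return dict(peaks)

if __name__ == "__main__":
    ev = parse_tracker(TRACKER_LOG)
    avg, short = dwell_stats(ev)
    print(f"footprint={len(footprint(ev))} effective={effective_size(ev)}")
    print(f"avg dwell={avg:.1f} min, {short:.0%} of sessions under 50 min")
    print("peak per hour:", peak_by_hour(ev))
```

On the constructed log five distinct bots are seen (footprint 5) but never more than three at once (effective size 3), and the per-hour peaks show the early-hours cluster separate from the later one, which is the shape the slide describes as fluctuation with timezone changes.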
Botnet Software Dissection
49% disable firewall and anti-virus software
Many run inetd, which is used to identify the user of a computer. Used to verify bots joining an IRC channel
40% execute a System Security Monitor command, securing client machines from further exploitation
Average of 15 exploits per botnet binary -- bots can infect machines in a variety of ways
Windows XP constitutes 82.6% of observed exploited hosts, with 99% of those hosts running SP1 or less
Insight from an “Insider’s View”
Botmasters range in skill level
Botmasters:
1. Share information about networks
2. Tweak their bots to use the network efficiently
3. Prune misbehaving bots and exploit “super-bots”
Botmasters are probably leasing their bots or attacking each other
Most commands (75%) are for control, scanning and cloning. 7% are for attacking.
Related Work
 Honeynet group was the first to do an informal study
 Freiling et al. on countering certain classes of DDoS attacks
 Cooke et al. on prevalence of botnets by measuring elapsed time before an un-patched system was infected by a botnet
 Barford et al. on an in-depth analysis of bot software source code
 Vrable et al. presented Potemkin, a scalable virtual honeynet system
 Cui et al. presented RolePlayer, a protocol-independent lightweight responder that tries to overcome some of these limitations by reverting to a real server when the responder fails to produce the proper response
 Dagon et al. provide an initial analytical model for capturing the spreading behavior of botnets.
Conclusion
 Long presence and few formal studies
 One of the most severe threats to the Internet.
 Our knowledge of botnet behavior is incomplete
 To improve our understanding, we present a composite view
 Results show that botnets are a major contributor to the overall unwanted traffic on the Internet
 Botnet scanning behavior is markedly different from that seen by autonomous malware (e.g., worms) because of its manual orchestration
 IRC is still the dominant protocol used for C&C communications
 Use is adapted to satisfy different botmasters’ needs
 Botnet footprints are usually much larger
 Graybox testing technique enabled us to understand the level of sophistication reached by bot software today