Defense - Computer Science Division
Taxonomy of Botnet
Threats
Defense by the Wanderers
Angel Pia Jr., Wander Smelan, Koonal Bose, Scott Thompson
Botnet Debate
Resolve that the Trend Micro white paper: Taxonomy of
Botnet Threats provided a better understanding of
botnet behavior, detection and mitigation.
What this white paper is and what it is not.
It is not meant to be the most comprehensive, all-inclusive or
definitive resource on botnets and their future incarnations.
It is a working document meant to provide an organized and
systematic approach to understanding botnets and their behavior,
in order to confront the threat they pose.
For this reason the white paper achieves its intended goal,
notwithstanding any minor blemishes it may have.
Outline
Definition [Angel Pia]
History and background [Angel Pia]
Taxonomy of botnets
Attacking behavior [Wander Smelan]
Command and Control model [Wander Smelan]
Rallying mechanisms [Koonal Bose]
Communication Protocols [Koonal Bose]
Evasion Techniques [Scott Thompson]
Observable botnet activities [Scott Thompson]
Conclusion and Q&A
Definition
Botnets (robot networks)
zombie computers/drones/armies
large number of compromised computers under the control of
a botmaster
means to conduct various attacks ranging from Distributed
Denial of Service (DDoS) to email-spamming, spreading new
malware, etc.
harnessing immense computing power.
Source: A typical botnet created from zombies (Credit: Cisco) http://www.macworld.co.uk/business/news/index.cfm?newsid=25756
Definition
Bot
compromised host computer
also refers to the code planted on such a computer.
Botmaster
one or a few computers used by the crackers to run command
and control operations over the botnet.
Taxonomy
Science or technique of classification
History and background
First bot PrettyPark worm (1999)
retrieved log-in names, email addresses, nicknames.
connects to a remote IRC server from which the botmaster can
remotely control a large pool of infected hosts.
first time such a command and control method was employed.
this concept soon spread to the rest of the black hat community
and many variants of the botnet evolved through the years.
Rise of profit-driven attacks such as DDoS, spamming,
phishing and identity theft, for which botnets have
proven to be a compelling vehicle, displacing status-seeking
and vandalism as objectives.
History and background
DDoS, spamming, phishing and identity theft attacks from
botnets.
History and background
Attacks have grown in sophistication, and botnets have evolved
into what now poses the highest security threat on the Internet.
In 2006, it cost $67.2B for US businesses to deal with
malware.
Taxonomy of botnets
Attacking behavior
means of compromising, propagating and launching attacks
from a botnet
DDoS; scan; remote exploits; junk emails (phishing and virus
attachments); phishing websites; spyware; identity theft; etc
Command & Control (C&C) models
classification of botnet topologies
centralized; distributed; P2P; etc
Rally mechanisms
methods of bot activation into the botnet for malware service.
hard-coded IP; Dynamic DNS; Distributed DNS; etc
Taxonomy of botnets
Communication protocols
way of botnets communicating to each other and to the
botmaster or C&C server
IRC; HTTP; IM; P2P; etc
Observable botnet activities
other observable techniques
DNS queries; burst short packets; abnormal system calls; etc
Evasion Techniques
ways botnets evade detection
HTTP/VOIP tunneling; IPv6 tunneling; P2P encrypted traffic; etc
Attacking Behaviors
Purposes and techniques:
Infecting new hosts (propagation of botnets)
social engineering and distribution of malicious emails
Stealing Sensitive Information
keyloggers and network traffic sniffers
Sending Spam and Phishing
botnets distribute untraceable emails
Distributed Denial of Service (DDoS)
large amount of synchronized requests to a particular server or
service
Command and Control (C&C)
Used to manage large-scale attacks
Essential for operation and support of botnets
Weakest links of botnets
3 types: Centralized, Peer-to-Peer (P2P) and Random
Attacking Behaviors
Profile of a botnet mastermind
Name: Owen Thor Walker
Aka “AKILL”
Country: New Zealand
Started his “A-TEAM” botnet group
when he was 16. By age 19, he had
1.3 million+ computers
Had been diagnosed with Asperger's
syndrome, a mild form of autism often
characterized by social isolation, when
he was 10
Caused damage of over $20 million
Caused computers to crash, stole
private information and sold it to e-criminals.
Command and Control (C&C)
Centralized C&C Model
Most commonly used
Simple to implement and customize
Easiest to eliminate
Small message latency
Botnet network size: 1,000++
Source: http://mrcracker.com/2009/09/botnet/
Command and Control (C&C)
P2P C&C Model
More resilient to failures
Less common, hard to discover, and hard to defend
Unreliable from the messaging system perspective
Hard to launch large scale attacks
Botnet network size: 10-50
Source: http://mrcracker.com/2009/09/botnet/
Command and Control (C&C)
Random C&C Model
Described by Evan Cooke, but still not in use in real-world
botnets
Model: Bot waits (listens) for incoming connection.
Easy implementation
Highly resilient to discovery and destruction.
Scalability limitations make it difficult to coordinate
large attacks.
Rallying Mechanisms
Hard-coded IP address
Dynamic Domain Name Server
Distributed DNS service
Rallying Mechanisms
Hard-coded IP address
The bot includes hard-coded C&C server IP address in its
binary.
Easy to defend against: once the IP address is detected,
the channel is blocked and
the botnet is deactivated
Rallying Mechanisms
Dynamic DNS
Hard-coded domain names, assigned by dynamic DNS
providers
If C&C Server is deactivated, botmaster can resume
control by assigning a new IP address to corresponding
DNS entry
Makes it harder to detect
Rallying Mechanisms
Distributed DNS service
Botnets run their own distributed DNS service
Many are run at high port numbers in order to
avoid detection by security devices
Hardest to identify and destroy
Communication Protocols
Botnets communicate with each other and their
Botmasters following well defined network protocols
Discovering the communication protocol has 2 main
advantages
understanding the botnet's origin and the software tools possibly used
helping security groups decode conversations between bots and
between bots and their master
Main Communication Protocols being used
IRC (Internet Relay Chat)
HTTP (Hypertext Transfer Protocol, www)
P2P (Peer to Peer)
IM (Instant Messaging)
Communication Protocols
IRC Protocol
IRC-based botnets are the most frequently used
IRC is mainly designed for group communication but can
also handle private messages between two people
Botnet C&C Server runs an IRC service that is no
different from a standard IRC server
Inbound vs Outbound IRC traffic
inbound usually indicates local host is being recruited by Botnet
outbound usually indicates local host has been compromised
and is being used as a C&C server of a Botnet
Firewalls can be configured to block IRC traffic
IRC botnets have scripts that parse messages and will
execute malicious functions accordingly
Communication Protocols
IRC Protocol
[Diagram: Botmaster, IRC Server (the botnet C&C server running the IRC service), botnet users; once detected, the server can easily be blocked]
Communication Protocols
HTTP and Other Protocols
2 main advantages of using HTTP Protocol
Blends with normal Internet traffic
Non-standard ports are normally blocked at the firewall, while HTTP
allows the botnet to communicate back with the C&C server
HTTP is harder to detect but not impossible since
response header fields and page payload would be
different from normal HTTP traffic.
P2P and IM are more recent protocols being used by
Botnets
Still relatively small in number compared to HTTP and IRC
Communication Protocols
P2P Protocol
Distributed control
Even if one peer is detected, the botnet is hard to disable
Evasion and Detection Techniques
Detection and Evasion Techniques
Detection Techniques
Antivirus & Intrusion Detection Systems (IDS)
These systems are based on virus signatures.
Anomaly-based detection systems
Monitor communication traffic
Detection and Evasion Techniques
Evasion Techniques
From Signature-based Detection
Executable Packers
Rootkits
Protocol evasion techniques
From Anomaly-based detection systems
New / modified communication protocols: IRC, HTTP, VoIP
Utilize secure channels to hide communications
Alternative channels: ICMP or IPv6 tunneling
Potentially use SKYPE or IM
Detection and Evasion Techniques
Effective Detection Alternative
Combination of Techniques:
Detect connections to C&C centers
Monitor for Communication Traffic
Monitor for Anomalous Behavior
Detection and Evasion Techniques
Combating Botnets focusing on Detectable Behavior
Global Correlated Behavior
Network-based Behavior
Host-based Behavior
Detection and Evasion Techniques
Network-based Behaviors
Observable Communications:
Monitor IRC & HTTP traffic to servers that don't require these
protocols
IRC traffic that is not “human readable”
DNS queries (lookups for C&C controllers)
Frequency changes in IP for DNS lookups
Long idle periods followed by very rapid responses
Very bursty traffic patterns
Attack Traffic:
Denial of Service: TCP SYN packets (invalid source)
Internal system sending emails (Phishing)
Detection and Evasion Techniques
Host-based Behaviors
Detectable activity on an infected host:
Disabled Anti-virus
Large numbers of updates to the system registry
Specific system/library call sequences
Detection and Evasion Techniques
Global Correlated Behaviors
Common across different Botnet implementations:
Detect DNS changes for the C&C host
Large numbers of DNS queries
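To show how the network-based and globally correlated observables above turn into detection logic, here is an added example (not part of the slides or the Trend Micro paper): a small Python detector that flags a queried name whose answer IP keeps changing (the dynamic DNS rallying pattern), a host issuing many DNS queries, and IRC text that is not human-readable. The log format, the thresholds and the sample lines are assumptions constructed for this illustration.

```python
"""Detector sketch for three observables the slides list: a C&C domain whose
resolved IP keeps changing (dynamic-DNS rallying), a host issuing many DNS
queries, and IRC messages that are not human-readable. The log format,
thresholds and sample lines are constructed for this illustration."""
import string
from collections import defaultdict

# Constructed log lines (not a real capture):
#   "<ts> dns <src> <qname> <answer_ip>"  or  "<ts> irc <src> <raw irc text>"
SAMPLE_LOG = [
    "1 dns 10.0.0.5 cnc.example.test 203.0.113.10",
    "2 dns 10.0.0.5 cnc.example.test 203.0.113.11",
    "3 dns 10.0.0.5 cnc.example.test 198.51.100.7",
    "4 dns 10.0.0.5 cnc.example.test 192.0.2.99",
    "5 dns 10.0.0.9 www.example.test 198.51.100.1",
    "6 irc 10.0.0.9 PRIVMSG #chat :hello everyone, how are you today?",
    "7 irc 10.0.0.5 PRIVMSG #x :.#!@@$$%%^^&&**(){}[]<>~~``||",
]

# Characters a human chat message is mostly made of (assumption).
READABLE = set(string.ascii_letters + string.digits + " .,?!':#")

def irc_readable(text, min_ratio=0.7):
    """True when at least min_ratio of the characters look like chat text."""
    if not text:
        return True
    return sum(c in READABLE for c in text) / len(text) >= min_ratio

def analyze(lines, max_queries=3, max_ips=2):
    """Return alert strings; thresholds are illustrative and need tuning per network."""
    queries = defaultdict(int)   # src host -> number of DNS queries
    answers = defaultdict(set)   # qname -> distinct answer IPs observed
    alerts = []
    for line in lines:
        ts, kind, src, rest = line.split(" ", 3)
        if kind == "dns":
            qname, ip = rest.split(" ", 1)
            queries[src] += 1
            answers[qname].add(ip)
        elif kind == "irc" and not irc_readable(rest.split(":", 1)[-1]):
            alerts.append(f"irc-unreadable src={src} ts={ts}")
    for src, n in queries.items():
        if n > max_queries:                 # large number of DNS queries
            alerts.append(f"dns-volume src={src} queries={n}")
    for qname, ips in answers.items():
        if len(ips) > max_ips:              # C&C host IP changing behind DNS
            alerts.append(f"dns-ip-change qname={qname} ips={len(ips)}")
    return alerts
```

Running `analyze(SAMPLE_LOG)` yields one alert per observable; in practice the counters would be kept per time window rather than over the whole log.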
Conclusion
Botnets are a dangerous evolution in the malware
world
They are being used to damage systems, steal
information and compromise systems
They are hard to detect and eliminate
The taxonomy approach allowed us an organized and
systematic means to understanding the nature of
botnets and their behaviors. This will allow us to
mitigate the threat with corrective measures.
Q&A