Transcript presentation source

Threat infrastructure: proxies,
botnets, fast-flux
Botnets
• Concept
“network of infected systems controlled by an
administrator called Botmaster”
• Centralized infrastructure
– Basic Botmaster (only one Command and Control server)
– Multi-server Botmaster (one Botmaster but many C&C
servers) Asprox botnet an example.
– Hierachical Botmaster (use Proxy servers to hide Botmaster
location) Waledac botnet an example.
Botnets (centralized)
Proxy servers
Botnets
• Command and Control communications
– Most bots do not listen on ports, because administrators
could block these ports.
– Bots will initiate communications with C&C server to
appear legitimate.
– How bots locate C&C server:
• fixed IP list (weak) and
• DNS lookup of the C&C server (reliable).
– Defense beyond anti-virus: take down the domain (s) ,
block DNS access (?!?!).
– The economics of botnets.
Botnets
• Decentralized Botnet architecture (P2P)
– No C&C server, rather uses peer-to-peer
communications to send commands
Source: Wang et al
P2P Botnet stages
• Recruiting: P2P malware such as Gnuman , WORM_PITUPI.K , and
Koobface.
• Forming the botnet:
– parasite P2P botnet: all the bots are from an existing P2P network, and it
uses this available P2P network for command and control.
– leeching P2P botnet: bot members join an existing P2P network and
depend on this P2P network for C&C communication.
– bot-only P2P botnet: builds its own network, all members are bots, such as
Storm botnet and Nugache.
• Standing by for instructions (using P2P Protocols):
– P2P file-sharing have a file index used by peers to locate the desired
content, may be centralized (e.g., Napster), distributed over part of the filesharing nodes (e.g., Gnutella), or distributed over all or a large fraction of the
nodes (e.g., Overnet).
– Design a new P2P communication protocol to be used in a bot-only P2P
Fast-flux
• Concept
“The ability to quickly move the location of a web, email, DNS or generally
any Internet or distributed service from one or more computers connected to
the Internet to a different set of computers to delay or evade detection.”
• What it does: utilizes DNS to continually update valid domain names
with A and NS records that resolve to an ever-changing set of of IP addresses
of infected computers (a botnet).
• The motherships: command and control servers that issue commands to
bots and add and remove IP addresses from DNS records. By cycling IP
addresses of infected computers in and out of DNS records, the mothership is
able to use active bots to host content and services.
• Action:
To stop the constantly rotating IP addresses in the DNS server we
need to take down the Fast-Flux domain. A domain Registrar needs to do so.
Fast-flux (single flux in action)
Fast-flux types
• Single-flux: utilizes static name servers to update DNS records,
as seen in previous image.
• Double-flux and hydra-flux:
include two or multiple
motherships managing the rotating IP numbers, services and content.
• Mothership protection: The infected computers (botnet) form
a protective barrier in front of the motherships. The only visible part of
the attack are the bots.
• Fast-Flux Domains: to be able to change DNS records the
motherships need to be located in Domains owned by the attackers.
Only their domain Registrar can remove access to the Domain, but the
Domain could easily be created in another Registrar.
•
Possible attacks: phishing campaigns,
e-mail spam campaigns, etc.
bot recruiting malware,
Fast-flux mechanics
• The mothership and DNS: To cycle bot IP addresses
and
bypass caching features, fast-flux domains use short TTL (Time to live
(TTL) values in the DNS to force clients to frequently query the name
server for a new set of A addresses.
• The bots and content: the bots act as reverse proxies by
sending requests to the mothership and relaying the malicious content
hosted by the mothership.
• Multiple motherships: use of a single DNS server and
mothership provides a single point to focus to stop the malicious
action. Double or hydra flux addresses this “flaw” by providing
multiple DNS, Domains, etc.
• References : Wikipedia, ICANN Advisory, Detection of Fast-flux,
Recently discovered, Fast-flux Primer,