Transcript Defense - Northwestern Networks Group

Botlab
Presented by Aaron Ballew
Context
• Prior Work
– Analyze incoming spam
• Characterizes aggregate behavior
– Reverse engineer a few bots
• Not timely or scalable, due to all the clever ways
bad guys use to obfuscate their bots
– Botlab analyzes incoming spam, but also
compares it to outgoing spam generated by
captive bots
Botlab
• Real-time monitoring
• Consumes incoming spam to get the latest & greatest “binaries”
• Uses captive bots to send outgoing spam as ground-truth
• Correlate the two to determine which botnets are most active at the
moment, among other things
– Network fingerprint [protocol, ip, dns addy, port] based on current
behavior, rather than reverse engineering. Things change too fast to
reverse engineer everything.
• To be safe, the captive bots are sandboxed
– Still have to let a little traffic out to reach C&C (bad guy) servers
– That traffic is run through an anonymizer first, so the bad guys
don’t know they’re being monitored.
Results
• Better spam filtering
– Created a Firefox plugin that blocked 40,000
malicious links, while two traditional blacklist
techniques missed them all.
– Similar result with Google mail
• Found that 6 botnets generate 79% of the spam
hitting UW
• Estimated the size of the spam lists at 4 major
botnets
Botlab Conclusion
• Determines what botnets are doing what
• Adapts to changes in botnets’ behavior
• Produces info on the fly
• Causes no harm