Transcript Lecture24

Botnets
by
Mehedy Masud
Botnets
● Introduction
● History
● How do they spread?
● What do they do?
● Why care about them?
● Detection and Prevention
Bot
● The term 'bot' comes from 'robot'.
● In the computing paradigm, 'bot' usually refers to an automated process.
● There are good bots and bad bots.
● Examples of good bots:
– Google bot
– Game bot
● Example of bad bots:
– Malicious software that steals information
Botnet
● Network of compromised/bot-infected machines (zombies) under the control of a human attacker (botmaster)
[Figure: botnet architecture. Labels: Botmaster, IRC server, IRC channel, code server, C&C traffic, updates, attack, vulnerable machines, BotNet]
History
● In the beginning, there were only good bots.
– ex: Google bot, game bot etc.
● Later, bad people thought of creating bad bots so that they may
– Send spam and phishing emails
– Control others' PCs
– Launch attacks on servers (DDoS)
● Many malicious bots were created
– SDBot/Agobot/Phatbot etc.
● Botnets started to emerge
Timeline
● 1989: GM (by Greg, Operator) recognized as the first IRC bot. Entertained clients with games.
● W32/PrettyPark: first worm to use IRC as C&C. DDoS capable.
● GT bots: combined mIRC client, hacking scripts & tools (port scanning, DDoS).
● W32/Sdbot: first family of bots developed as a single binary, by a Russian named sd.
● W32/Agobot bot family: added modular design and significant functionality.
● RPCSS
● W32/Spybot family emerged.
● W32/Mytob: hybrid bot, major e-mail outbreak.
Year markers on the timeline: 1989, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006–present.
Cases in the news
● Axel Gembe
– Author of Agobot (aka Gaobot, Polybot)
– 21 yrs old
– Arrested in Germany in 2004 under Germany's computer sabotage law
● Jeffrey Parson
– Released a variation of the Blaster worm
– Infected 48,000 computers worldwide
– 18 yrs old
– Arrested, sentenced to 18 months & 3 yrs of supervised release
How The Botnet Grows
Recruiting New Machines
● Exploit a vulnerability to execute a short program (exploit) on the victim's machine
– Buffer overflows, email viruses, Trojans etc.
● The exploit downloads and installs the actual bot
● The bot disables firewall and A/V software
● The bot locates the IRC server, connects, joins
– Typically needs DNS to find out the server's IP address
– Authentication password often stored in the bot binary
● Botmaster issues commands
What Is It Used For
● Botnets are mainly used for only one thing
How Are They Used
● Distributed Denial of Service (DDoS) attacks
● Sending spam
● Phishing (fake websites)
● Adware (Trojan horse)
● Spyware (keylogging, information harvesting)
● Storing pirated materials
Example: SDBot
● Open-source malware
● Aliases
– McAfee: IRC-SDBot, Symantec: Backdoor.Sdbot
● Infection
– Mostly through network shares
– Tries to connect using password guessing (exploits weak passwords)
● Signs of compromise
– SDBot copies itself to the System folder. Known filenames: Aim95.exe, Syscfg32.exe etc.
– Registry entries modified
– Unexpected traffic: port 6667 or 7000
– Known IRC channels: Zxcvbnmas.i989.net etc.
Example: RBot
● First of the bot families to use encryption
● Aliases
– McAfee: W32/SDbot.worm.gen.g, Symantec: W32.Spybot.worm
● Infection
– Network shares, exploiting weak passwords
– Known software vulnerabilities in Windows (e.g. the LSASS buffer overflow vulnerability)
● Signs of compromise
– Copies itself to the System folder. Known filenames: wuamgrd.exe, or random names
– Registry entries modified
– Terminates A/V processes
– Unexpected traffic: port 113 or other open ports
Example: Agobot
● Modular functionality
– Rather than infecting a system all at once, it proceeds through three stages (3 modules)
● Infect a client with the bot & open a backdoor
● Shut down A/V tools
● Block access to A/V and security-related sites
– After successful completion of one stage, the code for the next stage is downloaded
● Advantage?
– The developer can update or modify one portion/module without having to rewrite or recompile the entire code
Example: Agobot
● Aliases
– McAfee: W32/Gaobot.worm, Symantec: W32.HLLW.Gaobot.gen
● Infection
– Network shares, password guessing
– P2P systems: Kazaa etc.
– Protocol: WASTE
● Signs of compromise
– System folder: svshost.exe, sysmgr.exe etc.
– Registry entries modified
– Terminates A/V processes
– Modifies the %System\drivers\etc\hosts file
● Symantec/McAfee live update sites are redirected to 127.0.0.1
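An added example (not from the lecture) of checking for this sign of compromise: it parses a Windows hosts file and flags entries that map a security-vendor hostname to a loopback or unspecified address. The vendor suffix list and the sample hosts text are constructed here.

```python
"""Check a Windows hosts file for security-vendor sites pinned to a sinkhole
address. Illustration for the Agobot 'hosts file' sign of compromise; the
hosts text and the vendor watchlist below are constructed, not from the slides."""
import ipaddress
import re

# Constructed watchlist of vendor domain suffixes (assumption; extend as needed).
WATCHED_SUFFIXES = ("symantec.com", "mcafee.com", "windowsupdate.com")


def _is_sinkhole(ip_text: str) -> bool:
    """True for addresses that make a lookup go nowhere (loopback, 0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text: str):
    """Yield (ip, hostname, line_no) for every mapping, ignoring comments."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower(), line_no


def find_redirected_vendor_sites(text: str, suffixes=WATCHED_SUFFIXES):
    """Return entries that pin a watched vendor hostname to a sinkhole address."""
    hits = []
    for ip, name, line_no in parse_hosts(text):
        on_watchlist = any(name == s or name.endswith("." + s) for s in suffixes)
        if on_watchlist and _is_sinkhole(ip):
            hits.append({"line": line_no, "ip": ip, "host": name})
    return hits


# Constructed sample: the first mapping is normal, the next two mimic the
# redirection the lecture describes (vendor sites pointed at 127.0.0.1 / 0.0.0.0).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com   # constructed entry
0.0.0.0         download.mcafee.com update.mcafee.com
10.0.0.5        intranet.example.internal
"""

if __name__ == "__main__":
    for hit in find_redirected_vendor_sites(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']}")
```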
Example: Agobot
● Signs of compromise (contd.)
– Theft of information: seeks and steals CD keys for popular games like "Half-Life", "NFS" etc.
– Unexpected traffic: open ports to IRC server etc.
– Scanning: Windows, SQL Server etc.
DDoS Attack
● Goal: overwhelm the victim machine and deny service to its legitimate clients
● DoS often exploits networking protocols
– Smurf: ICMP echo request to a broadcast address with the spoofed victim's address as source
– Ping of death: ICMP packets with payloads greater than 64K crash older versions of Windows
– SYN flood: "open TCP connection" requests from a spoofed address
– UDP flood: exhaust bandwidth by sending thousands of bogus UDP packets
DDoS attack
● Coordinated attack on a specified host
[Figure: attacker, master (IRC server) machines, zombie machines, victim]
Why DDoS attack?
● Extortion
– Take down systems until they pay
– Works sometimes too!
● Example: 180solutions – Aug 2005
– Botmaster used bots to distribute 180solutions adware
– 180solutions shut down the botmaster
– Botmaster threatened to take down 180solutions if not paid
– When not paid, the botmaster used DDoS
– 180solutions filed a civil lawsuit against the hackers
Botnet Detection
● Host based
● Intrusion Detection Systems (IDS)
● Anomaly Detection
● IRC Nicknames
● HoneyPot and HoneyNet
Host-based detection
● Virus scanning
● Watching for symptoms
– Modification of the Windows hosts file
– Random unexplained popups
– Machine slowness
– Antivirus not working
● Watching for suspicious network traffic
– Since IRC is not commonly used, any IRC traffic is suspicious. Sniff this IRC traffic.
– Check if the host is trying to communicate with any Command and Control (C&C) center
– Through firewall logs, denied connections
Network Intrusion Detection Systems
● Example systems: Snort and Bro
● Sniff network packets, looking for specific patterns (called signatures)
● If any pattern matches that of a malicious binary, then block that traffic and raise an alert
● These systems can efficiently detect viruses/worms having known signatures
● Can't detect any malware whose signature is unknown (i.e., zero-day attack)
Anomaly Detection
● Normal traffic has some patterns
– Bandwidth/port usage
– Byte-level characteristics (histograms)
– Protocol analysis: gather statistics about TCP/UDP source and destination addresses, start/end of flow, byte count, DNS lookups
● First learn the normal traffic pattern
● Then detect any anomaly in that pattern
● Example systems: SNMP, NetFlow
● Problems:
– Poisoning
– Stealth
IRC Nicknames
● Bots use weird nicknames
● But they have certain patterns (really!)
● If we can learn that pattern, we can detect bots & botnets
● Example nicknames:
– USA|016887436 or DE|028509327: Country | Random number (9 digits)
– RBOT|XP|48124: Bot type | Machine type | Random number
● Problem: May be defeated by changing the nickname randomly
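An added example, not from the lecture, of turning the two nickname patterns above into a detector over IRC NICK lines; the regexes generalize the slide's two examples (any 2- or 3-letter country code, any bot/machine type), and the sample log lines are constructed.

```python
"""Flag IRC NICK registrations that match the bot nickname patterns on the slide.
Patterns are generalized from the two slide examples; the IRC lines are constructed."""
import re

# Pattern 1: COUNTRY|9-digit number, e.g. USA|016887436 or DE|028509327.
COUNTRY_PATTERN = re.compile(r"^[A-Z]{2,3}\|\d{9}$")
# Pattern 2: BOTTYPE|MACHINETYPE|number, e.g. RBOT|XP|48124.
BOT_TYPE_PATTERN = re.compile(r"^[A-Z]+\|[A-Z0-9]+\|\d+$")

PATTERNS = {
    "country|random": COUNTRY_PATTERN,
    "bot|machine|random": BOT_TYPE_PATTERN,
}

# A NICK command as the client sends it ("NICK <nick>") or as the server relays
# a change (":old!user@host NICK :new").
NICK_LINE = re.compile(r"^(?::[^ ]+ )?NICK :?(?P<nick>\S+)")


def classify_nick(nick: str):
    """Return the label of the first matching bot pattern, or None."""
    for label, pattern in PATTERNS.items():
        if pattern.match(nick):
            return label
    return None


def scan_irc_log(lines):
    """Return [(nick, label)] for every NICK line whose nick looks bot-like."""
    hits = []
    for line in lines:
        m = NICK_LINE.match(line.strip())
        if not m:
            continue
        label = classify_nick(m.group("nick"))
        if label:
            hits.append((m.group("nick"), label))
    return hits


# Constructed sample IRC traffic: two human users, three bot-style nicks.
SAMPLE_LOG = [
    "NICK alice_dev",
    "NICK USA|016887436",
    ":bob!bob@example.test NICK :bobby",
    "NICK DE|028509327",
    "NICK RBOT|XP|48124",
    "PRIVMSG #chan :hello",
]

if __name__ == "__main__":
    for nick, label in scan_irc_log(SAMPLE_LOG):
        print(f"{nick:20s} matches {label}")
```

As the slide notes, a bot that randomizes its nickname defeats this check, so it is a cheap first filter rather than a reliable detector on its own.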
HoneyPot and HoneyNet
● A HoneyPot is a vulnerable machine, ready to be attacked
– Example: unpatched Windows 2000 or Windows XP
● Once attacked, the malware is caught inside
● The malware is analyzed, its activity is monitored
● When it connects to the C&C server, the server's identity is revealed
HoneyPot and HoneyNet
● Thus much information about the bot is obtained
– C&C server address, master commands
– Channel, nickname, password
● Now do the following
– Make a fake bot
– Join the same IRC channel with the same nickname/password
– Monitor who else is in the channel, thus observe the botnet
– Collect statistics: how many bots
– Collect sensitive information: who is being attacked, when etc.
HoneyPot and HoneyNet
● Finally, take down the botnet
● HoneyNet: a network of honeypots (see the 'HoneyNet Project')
● Very effective, worked in many cases
● They also pose a great security risk
– If not maintained properly, a hacker may use them to attack others
– Must be monitored cautiously
Summary
● Today we have learned
– What is a botnet
– How / why they are used
– How to detect / prevent
Questions?
BOTNET DETECTION USING DATA MINING
February 6, 2008 M. Mehedy Masud
Botnet detection
Background
● Botnet
– Network of compromised machines
– Under the control of a botmaster
● Taxonomy:
– C&C: Centralized, Distributed etc.
– Protocol: IRC, HTTP, P2P etc.
– Rallying mechanism: Hard-coded IP, Dynamic DNS etc.
IRC Botnets
● Centralized
● IRC-based
● Large
● Easy to detect
● CPF (central point of failure): IRC server
● Easy to destroy
[Figure: IRC botnet architecture, as in the earlier Botnet slide: botmaster, IRC server and channel, code server, C&C traffic, updates, attack, vulnerable machines]
P2P Botnets
● Distributed
● P2P protocol used
● Small
● Harder to detect
● No CPF
● Not easy to destroy
Botnet Research
● IRC botnet detection (many)
– Honeypot-based (Rajab et al., 2006)
– Network traffic mining (Livadas et al., 2006)
– Nickname/signature mining (Goebel & Holz, 2007)
● P2P botnet detection (few)
– P2P bot analysis (Grizzard et al., 2007)
– Some theoretical contributions (Wang et al., 2007)
– Little research toward P2P botnet detection
Weak Points – Rallying Mechanism
● Hard-coded IP
– Trojan.Peacomm (Grizzard et al., 2007)
– Nugache (Lemos, 2006)
– Initial peer list hard-coded
– Tries to contact initial peers after infection
– Can be detected by analysis
● Random IP
– Sinit (L.T.I. group, 2004)
– No initial peer list
– Probes random IPs
– Generates a lot of ICMP errors
Possible Detection Techniques
● System monitoring
– Looking for symptoms (e.g. change in "hosts" file)
– Anti-virus
– Unusual system calls
● Network traffic monitoring
– Open ports
– Connection rate
– ARP requests
– ICMP errors
Port Scanning
● Do we need to monitor all ports?
– No
● Fact 1: P2P bots must open a port to communicate
– So, monitor only open (i.e., server) ports
● Fact 2: P2P bots must use TCP or UDP to communicate
– So, monitor only TCP/UDP ports
Detecting Open Ports
● A port is open (server) if
– It accepts a new connection
– It is connected to multiple ports
● Accepting a new TCP connection
– Client: SYN
– Server: SYN, ACK
– Client: ACK ---- Connection established!
– The port accepting the SYN is an open port!!
– Monitor all ports that accept a connection
Detecting Open Ports (cont…)
● Already existing connections
◦ A connection c is a 4-tuple (host port, host IP, remote port, remote IP) = (hp, hip, rp, rip)
◦ From each packet header, obtain the connection
◦ Create a list of connections C
● If there are two connections c1, c2 ∈ C s.t. c1 ≠ c2 and c1.hp == c2.hp, then hp is an open port
● If there are two connections c1, c2 ∈ C s.t. c1 ≠ c2 and c1.rp == c2.rp, then rp is an open port
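An added example, not from the lecture, implementing both rules: rule 1 watches the SYN / SYN-ACK handshake for inbound TCP connections, and rule 2 builds the connection set C from headers and marks hp (or rp) open when two distinct connections share it. Packet records are constructed tuples standing in for parsed headers.

```python
"""Infer open (server) ports from packet headers using the two slide rules.
Packet records below are constructed; a real deployment would fill them from
a capture library."""
from collections import namedtuple

# direction is "in" (towards the monitored host) or "out" (from it).
Packet = namedtuple("Packet", "direction proto hip hp rip rp flags")


def open_ports_from_handshakes(packets):
    """Rule 1: a local port that answers an inbound SYN with SYN-ACK is open."""
    pending = set()        # 4-tuples that received a SYN, awaiting SYN-ACK
    open_ports = set()
    for p in packets:
        if p.proto != "tcp":
            continue
        key = (p.hip, p.hp, p.rip, p.rp)
        if p.direction == "in" and p.flags == "SYN":
            pending.add(key)
        elif p.direction == "out" and p.flags == "SYN-ACK" and key in pending:
            open_ports.add((p.proto, p.hp))
    return open_ports


def open_ports_from_connections(packets):
    """Rule 2: build C from headers; hp is open when two distinct connections
    share it, and likewise rp (a server port on the remote side)."""
    conns = {(p.proto, p.hip, p.hp, p.rip, p.rp)
             for p in packets if p.proto in ("tcp", "udp")}
    by_hp, by_rp = {}, {}
    for c in conns:
        by_hp.setdefault((c[0], c[2]), []).append(c)   # key: (proto, hp)
        by_rp.setdefault((c[0], c[4]), []).append(c)   # key: (proto, rp)
    local_open = {k for k, v in by_hp.items() if len(v) >= 2}
    remote_open = {k for k, v in by_rp.items() if len(v) >= 2}
    return local_open, remote_open


# Constructed trace: 10.0.0.7 listens on tcp/12474 (two clients connect) and
# udp/123 (two senders); it also opens two ordinary client connections to port 80.
SAMPLE = [
    Packet("in",  "tcp", "10.0.0.7", 12474, "198.51.100.2", 40001, "SYN"),
    Packet("out", "tcp", "10.0.0.7", 12474, "198.51.100.2", 40001, "SYN-ACK"),
    Packet("in",  "tcp", "10.0.0.7", 12474, "203.0.113.9", 51234, "SYN"),
    Packet("out", "tcp", "10.0.0.7", 12474, "203.0.113.9", 51234, "SYN-ACK"),
    Packet("out", "tcp", "10.0.0.7", 49152, "192.0.2.80", 80, "SYN"),
    Packet("out", "tcp", "10.0.0.7", 49153, "192.0.2.81", 80, "SYN"),
    Packet("in",  "udp", "10.0.0.7", 123, "198.51.100.2", 5555, ""),
    Packet("in",  "udp", "10.0.0.7", 123, "203.0.113.9", 6666, ""),
]

if __name__ == "__main__":
    print("rule 1 (TCP handshake):", open_ports_from_handshakes(SAMPLE))
    print("rule 2 (shared ports):  ", open_ports_from_connections(SAMPLE))
```

Rule 1 only sees TCP listeners; rule 2 also catches the UDP listener on 123 from the existing-connection list, which is why the slide keeps both.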
What To Monitor?
● Monitor payload / header?
● Problems with payload monitoring
– Privacy
– Unavailability
– Encryption/Obfuscation
● Information extracted from the header
– New connections (why?)
– Packet size (why?)
– Upload/download bandwidth (why?)
How to Monitor?
● Traffic patterns vary with time
● Special (distinguishing) patterns may appear for a short while
– E.g. new connections
– Sudden burst of traffic
[Fig: Trojan.Peacomm connections after infection (Grizzard et al., 2007)]
How to Monitor? (continued)
● Solution 1: Time-series analysis
– Each feature is a time series
– Sampled at a frequent interval
– Problem: feature space too large/impractical
● Solution 2: Histogram analysis
– Each feature is a histogram
– Samples are collected at a frequent interval
– Bins are filled up periodically
– Problem: size, number of bins?
Mapping to Stream Mining
● Network traffic can be thought of as a data stream
● Detecting botnet traffic inside network traffic can be mapped to a classification problem
● Botnet characteristics may change over time
● Thus, botnet traffic detection can be mapped to a concept-drifting stream data classification problem
Peer to Peer Botnets
by
Mehedy Masud
Botnets
● Introduction
● History
● Taxonomy
● Overview
● Case studies
● New technique
● Detection and Prevention
Taxonomy
Peer2Peer Bots: Overview & Case Studies
● Julian B. Grizzard
– Johns Hopkins
● Vikram Sharma, Chris Nunnery, and Brent ByungHoon Kang
– North Carolina, Chapel Hill
● David Dagon
– Georgia Institute of Technology
HotBots - 2007
Peer2Peer BotNets: History
● Napster: earliest Peer2Peer protocol
– Not completely P2P
– Shut down because it was found illegal
● Gnutella
– Completely decentralized
● Recent protocols
– Chord
– Kademlia
Botnet Goals
● All kinds of botnets have the same goals
– Information dispersion
– Information harvesting
– Information processing
● Information dispersion
– Spam, phishing, DoS etc.
– Economic benefit
● Information harvesting
– Identity data, passwords, relationship data etc.
– Direct economic benefit
● Information processing
– Cracking passwords
Case Study: Trojan.Peacomm
● Uses the Overnet P2P protocol
● Overnet implements a distributed hash table based on the Kademlia algorithm
● After infection, secondary injections are automatically downloaded from the P2P net
● This enables the hacker to arbitrarily upgrade, control, or command bots
Experimental Setup
● Trojan.Peacomm was executed within a honeypot in the UNCC HoneyNet Lab
● The honeypot was a VMware virtual machine running Windows XP
● Connections to the internet were controlled by a HoneyWall
● The PerilEyez malware analysis tool was used to detect changes in the system
● Pcap logs were kept; the specimen ran for two weeks
Initial bot
● The executable is installed
● Connects to P2P and downloads the secondary injection
● Distributed as a trojan horse email
● The PerilEyez tool is used to capture system state before and after infection (file system/open ports/services)
● It adds the system driver "wincomm32.sys" to the host
– The driver is injected into the Windows process "services.exe"
Initial bot (continued)
– This service acts as a P2P client that downloads the secondary injection
– The initial peer list is saved in %system%\wincom.ini
● Windows Firewall is disabled
● Ports opened:
– TCP 139, 12474
– UDP 123, 137 etc.
● The initial peer list is hard-coded
● This could be a central point of failure
Communication Protocol
● Protocol summary
– Overnet, implementing Kademlia
– A 128-bit numeric space is used
– Values are mapped to the numeric space with keys
– Key/value pairs are stored in the nearest peer, computed by the XOR function
– A list of nodes is kept for each bucket in the numeric space
● Steps
– Connect to Overnet
– Download secondary injection URL
– Decrypt secondary injection URL
– Download secondary injection
– Execute secondary injection
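An added example, not from the paper or the bot, of the XOR-metric routing rule the protocol summary describes: distance is a XOR b over the 128-bit space, a key is stored on the nodes nearest to it, and each known node is filed in the bucket given by the position of the highest differing bit. Node IDs and the key are constructed small values.

```python
"""XOR-metric routing as used by Overnet/Kademlia: 128-bit IDs, distance = a ^ b,
key/value pairs live on the nodes nearest the key, one bucket per leading-bit
position. Node IDs and the key below are constructed for illustration."""
ID_BITS = 128
ID_MAX = 1 << ID_BITS


def xor_distance(a: int, b: int) -> int:
    """Kademlia distance between two IDs (or an ID and a key)."""
    if not (0 <= a < ID_MAX and 0 <= b < ID_MAX):
        raise ValueError("identifiers must fit in the 128-bit space")
    return a ^ b


def bucket_index(own_id: int, other_id: int) -> int:
    """Bucket i holds nodes at distance in [2^i, 2^(i+1)); i = bit_length - 1."""
    d = xor_distance(own_id, other_id)
    if d == 0:
        raise ValueError("a node does not bucket itself")
    return d.bit_length() - 1


def nearest_nodes(key: int, node_ids, k: int = 3):
    """The k node IDs XOR-closest to key: where the key/value pair is stored."""
    return sorted(node_ids, key=lambda n: xor_distance(key, n))[:k]


def build_buckets(own_id: int, node_ids):
    """Group every other known node by its bucket index relative to own_id."""
    buckets = {}
    for n in node_ids:
        if n != own_id:
            buckets.setdefault(bucket_index(own_id, n), []).append(n)
    return buckets


# Constructed node IDs and lookup key (printed zero-padded to 128 bits).
NODES = [0x01, 0x2F, 0x30, 0x8000, 0xABCD, 0xFFFF, 1 << 100]
KEY = 0x2C

if __name__ == "__main__":
    me = 0x30
    for b, members in sorted(build_buckets(me, NODES).items()):
        print(f"bucket {b:3d}: {[f'{n:032x}' for n in members]}")
    print("store key on:", [f"{n:032x}" for n in nearest_nodes(KEY, NODES)])
```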
Secondary Injection
● Types of secondary injection
– Downloader and rootkit component
– SMTP spamming component
– Email address harvester
– Email propagation component
– DDoS tool
● All of these can be rooted from one injection
● Can periodically update itself by searching through the P2P net
● This provides the basic Command and Control functionality
Searching the Download URL
● A search key is generated in the bot using an algorithm that uses the system date and a random number (0..31)
● So the botmaster needs to publish a new URL under 32 different keys on a particular day
● It searches for this key in its initial peer list
● If it is not found in a peer, the request is forwarded to other peers
Searching the Download URL
● If a match is found, a result is returned:
● The "result" hash is used as a decryption key, paired with another key that is hardcoded in the bot
● Also, the response packet contains a single meta-tag named "id"
● The body of the tag contains the encrypted URL
Index Poisoning
● P2P networks contain indexes corresponding to each content item
● Index poisoning means adding bogus records to indexes
● For example, adding a fake IP/port corresponding to a file
● Trojan.Peacomm has index poisoning capability
● Possible motive: slowing down infection or measuring the number of bots
Network Trace Analysis
● Number of remote IPv4 addresses contacted over time for the duration of the infection
[Figure: start of infection; steep slope (initial connections); slowing down (saturation)]
Network Trace Analysis (Contd…)
● Network traces are parsed
● It is found that the bot searches for five keys.
● Key1 is the hash of its own IP
– It periodically searches key1 to find the nearest peers
● Key2 and Key4 are never found
● Key3 and Key5 are found after a small search
● Key3 is found in 6 seconds, key5 is found in 3 seconds
Network Trace Analysis (Contd…)
● This indicates that "command latency" for P2P bots is low (but higher than centralized)
● Number of unique hosts contacted directly: 4200
● Total unique IPs found in Overnet packets: 10,105
● The same search requests appeared from another machine
– Possibly infected by Trojan.Peacomm
Conclusion
● This paper describes a case study of Trojan.Peacomm – a p2p
● Describes how it propagates and contacts C&C
● Analysis of network trace presented
Detecting P2P Botnets
● Reinier Schoof & Ralph Koning
– University of Amsterdam
– Appeared in a technical report, Feb 2007
Overview
● Spreading
– File sharing over P2P network
– Uses popular filenames to entice download
● Command and Control
– Unlike IRC, bots do not wait for commands
– Botmaster joins the network as a peer
– Passes commands along its peers
● Protocols
– Phatbot uses the WASTE protocol
– Nugache and Spamthru use home-made protocols
Experiments
● Two bots are analysed in a controlled environment
– Nugache
– Sinit
● The test environment consists of
– Four computers
– Three running Windows XP
– One running FreeBSD. This runs softflowd to act as a software router connecting the three machines, collecting all netflows
Bot analysis
● Sinit
– Trojan horse
– Uses P2P to spread itself
– Tries to reach other Sinit-infected hosts by sending discovery packets to port 53 of random IPs
– Establishes a connection when it receives a discovery response packet
– The two hosts exchange lists of peers
– Connects to those peers
– Runs a web server to publish /kx.exe, which is the Sinit binary
– Random IP scan generates a lot of ICMP 3 (host unreachable)
Bot analysis (Contd…)
● Nugache
– Trojan horse
– Opens TCP port 8, connects to a hard-coded list of peers
– Exchanges peer list after connection
– Starts DDoS when commanded
– Command is encrypted/obfuscated
– Spreads over AIM
– Installs initial peer list in the Windows registry
– This list is updated dynamically
– Uses an obfuscated communication channel
Bot analysis (Contd…)
● PhatBot
– A cousin of AgoBot
– Uses the WASTE protocol
– It is an encrypted open-source P2P network
– Bot finds other peers by using cache servers on the Gnutella P2P network
– Looks for clients identified by GNUT, a Gnutella client
– Has a list of processes to kill when it runs, consisting of antivirus and competing malware
Detection
● Open ports
– A specific port/range of ports must be opened
– Monitoring those ports may enable detection
– May result in false positives (when other applications use specific ports) or
– false negatives (when normal ports are used for bot communication)
● Connection failures
– May result in a lot of ICMP 3 errors
● Peer discovery
– Static peer list may be a central point of failure
– Random scan is very inefficient
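An added example, not from the report, of the "connection failures" indicator: it counts ICMP type 3 (destination unreachable) messages returned to each host within a sliding time window and reports how many distinct destinations a host contacted. The NetFlow-like records are constructed so that 10.0.0.5 behaves like the random-IP port-53 probing described for Sinit above.

```python
"""Flag hosts that attract many ICMP type 3 replies in a short window, the
connection-failure symptom of random-IP peer discovery. Flow records are a
constructed, simplified NetFlow-like form: (seconds, src, dst, proto, field),
where field is the ICMP type for proto "icmp" and the destination port otherwise."""
from collections import defaultdict

# Constructed flows: 10.0.0.5 probes random IPs on udp/53 and gets unreachables;
# 10.0.0.9 is an ordinary client that hits one unreachable host.
FLOWS = [
    (100, "10.0.0.5", "203.0.113.1", "udp", 53),
    (100, "203.0.113.1", "10.0.0.5", "icmp", 3),
    (101, "10.0.0.5", "198.51.100.7", "udp", 53),
    (101, "198.51.100.7", "10.0.0.5", "icmp", 3),
    (102, "10.0.0.5", "192.0.2.44", "udp", 53),
    (102, "192.0.2.44", "10.0.0.5", "icmp", 3),
    (103, "10.0.0.5", "192.0.2.45", "udp", 53),
    (104, "10.0.0.9", "192.0.2.10", "tcp", 443),
    (105, "192.0.2.10", "10.0.0.9", "icmp", 3),
    (300, "10.0.0.5", "192.0.2.99", "udp", 53),
]


def unreachable_counts(flows, window, threshold):
    """Peak number of ICMP type 3 messages received per host within any
    `window` seconds; returns {host: peak} for hosts at or above threshold."""
    per_host = defaultdict(list)
    for t, _src, dst, proto, field in flows:
        if proto == "icmp" and field == 3:
            per_host[dst].append(t)
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged


def distinct_targets(flows, host):
    """Distinct destination IPs a host sent to; random scanning fans out widely."""
    return len({dst for _, src, dst, _, _ in flows if src == host})


if __name__ == "__main__":
    for host, peak in unreachable_counts(FLOWS, window=10, threshold=3).items():
        print(f"{host}: {peak} unreachables in 10 s, "
              f"{distinct_targets(FLOWS, host)} distinct targets")
```

Thresholds are site-specific: a misconfigured DNS resolver or a dead upstream can also produce a burst of unreachables, so pair this count with the fan-out figure before alerting.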
Conclusion
● P2P botnets pose a significant threat to the future internet community
● Although the current P2P protocols used by the bots are inefficient, they are likely to be made efficient
● There are some detection techniques, but none of them is very reliable