Bot-network detection
NAIST
Mitsuaki Akiyama, Takanori Kawamoto
Teruaki Yokoyama
What is the bot-net (1)
A platform for malicious activities:
Attempting logins
Sending DDoS traffic
Submitting SPAM messages
A threat to the Internet and to the AI3 network
Detection is necessary to avoid becoming a stepping-stone for attacks
and to reduce wasted bandwidth
What is the bot-net (2)
Bot-net characteristics:
Consists of many victim hosts and few (usually only one) master host(s) or user(s)
A command system is constructed among them
Victims are controlled by orders from the master
Victims sometimes try to infect other hosts
Our project:
Traffic monitoring and analysis
The AI3 network may work well as a sensor for bot-networks
Constructing a traffic monitoring mechanism
Extensive address space
A backbone link, yet easy to capture traffic on
Dump the whole traffic of the AI3 network
Mine anomalies from the traffic
Today's report
Current situation
Preliminary results
Model of Bot-network
1st target (current): to find the command system
2nd target (future): to find infection behavior
2nd target (future): to find attack behavior
[Figure: bot-network model with three components (command system, infection, attacks)]
Our strategy
Target: bot-nets on IRC
Easy to distinguish (TCP port 6667)
Well-known bot-net implementations
Their signatures are well known
IRC bot-nets are the best subject for a practical experiment:
To confirm that its command system can be found
To obtain the bot-net as a crowd of hosts
To analyze the behavior of the crowd
Experiment: Data
Target: bot-net on IRC
Measurement point: PC-router at SFC
Date: 10 Aug 2004
Amount: 24 hours, 30 GBytes
Analyzed as stored data (offline analysis)
Experiment: Detection
Practical detection:
Watching IRC traffic (TCP:6667)
Obtaining pairs of IRC nick and channel
Finding the channels which keep a lot of users
For finding the command system
[Figure: an IRC server with channel A (the botnet) and channel B (ordinary clients)]
Results
Channel#  User#  Command#
394       1741   83481
Channels which have many users (50-100 users)
- Command system of a botnet???
[Conceptual graph of channel-user relations]
Confirmation: messages
Found bots:
WORM_SDBOT.BR
WORM_RBOT.GE
WORM_RBOT.ZQ
WORM_SDBOT.VQ
Examples of suspicious channels:
Channel: #!ftpscan
Message: :lsass: exploited (167.205.37.57)
Channel: #!ftpscan
Message: :[lsass]: Exploiting IP: 167.205.106.17.
Channel: #g3n1u5
Message: :CSendFile(0x007E29C0h): Transfer to 167.205.38.93 finished.
Channel: ####splox####
Message: :[TFTP]: File transfer started to IP: 203.159.46.120 (C:\WINDOWS\System32\WinGamed.exe).
Channel: ##rektp
Message: :[FTP]: File transfer complete to IP: 167.205.12.195 (C:\WINDOWS\System32\serm32.exe).
Channel: #admin
Message: :[FTP]: File transfer complete to IP: 167.205.65.86 (C:\WINDOWS\System32\xpcd.exe).
Channel    Hosts#  Address Spaces
#g3n1u5    108     167.205.0.0 - 167.205.255.255
##rektp    16      167.205.0.0 - 167.205.255.255
#!ftpscan  13      167.205.0.0 - 167.205.255.255
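The detection procedure of the "Experiment: Detection" slide (watch TCP/6667, collect nick/channel pairs, flag crowded channels) and the confirmation step above (read the messages in the flagged channels and summarise the address space the bots report on) can be written as one small offline analysis. The following is an added example, not code from the NAIST project; the IRC lines it runs on are constructed, and the population threshold, channel names and addresses are illustrative assumptions. It parses the RFC 1459 line format and collapses the reported target addresses into /16 blocks, the granularity used in the table above.

```python
"""Channel-population heuristic for IRC bot-net command channels (added example).

Pipeline: parse IRC lines captured on TCP/6667, collect (nick, channel) pairs from
JOIN/PRIVMSG, flag crowded channels, then collapse the IPv4 targets the bots report
in those channels into /16 blocks. All sample lines are constructed, not real data.
"""
import ipaddress
import re
from collections import defaultdict

# RFC 1459 message: [":" prefix SPACE] command [params] [" :" trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?(?P<command>[A-Za-z]+|\d{3})"
    r"(?P<params>(?:\s+[^:\s]\S*)*)(?:\s+:(?P<trailing>.*))?\s*$"
)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed capture (assumption): twelve bots join "#!ftpscan" and post status
# reports in the style seen on the slide; two humans chat in "#study".
SAMPLE_IRC_LINES = [
    f":bot{i:02d}!svc@167.205.{3 * i}.{20 + i} JOIN :#!ftpscan" for i in range(12)
] + [
    ":bot03!svc@167.205.9.23 PRIVMSG #!ftpscan :[lsass]: Exploiting IP: 167.205.106.17.",
    ":bot07!svc@167.205.21.27 PRIVMSG #!ftpscan :lsass: exploited (167.205.37.57)",
    ":bot09!svc@167.205.27.29 PRIVMSG #!ftpscan :[TFTP]: File transfer started to IP: 203.159.46.120",
    ":alice!a@10.0.0.5 JOIN :#study",
    ":bob!b@10.0.0.6 JOIN :#study",
    ":alice!a@10.0.0.5 PRIVMSG #study :meet at 10.30?",
]


def parse_irc_line(line):
    """Split one raw IRC line into prefix, upper-cased command and parameter list."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    params = m.group("params").split()
    if m.group("trailing") is not None:
        params.append(m.group("trailing"))
    return {"prefix": m.group("prefix"), "command": m.group("command").upper(), "params": params}


def nick_of(prefix):
    """'nick!user@host' -> 'nick'; a server prefix (no '!') is returned unchanged."""
    return prefix.split("!", 1)[0] if prefix else None


def channel_memberships(lines):
    """Map channel -> set of nicks seen joining or speaking in it (the nick/channel pairs)."""
    members = defaultdict(set)
    for raw in lines:
        msg = parse_irc_line(raw)
        if not msg or not msg["params"]:
            continue
        target = msg["params"][0]
        if msg["command"] == "JOIN":
            for chan in target.split(","):  # JOIN accepts a comma-separated channel list
                members[chan].add(nick_of(msg["prefix"]))
        elif msg["command"] == "PRIVMSG" and target.startswith(("#", "&")):
            members[target].add(nick_of(msg["prefix"]))  # speaking in a channel implies membership
    return members


def crowded_channels(members, threshold=10):
    """Channels whose population reaches the threshold, largest first."""
    hits = [(chan, len(nicks)) for chan, nicks in members.items() if len(nicks) >= threshold]
    return sorted(hits, key=lambda cn: (-cn[1], cn[0]))


def reported_ips(lines, channel):
    """IPv4 addresses mentioned in messages posted to one channel (the bots' targets)."""
    ips = []
    for raw in lines:
        msg = parse_irc_line(raw)
        if msg and msg["command"] == "PRIVMSG" and msg["params"][:1] == [channel]:
            ips.extend(IPV4.findall(msg["params"][-1]))
    return ips


def covering_networks(ips, prefixlen=16):
    """Collapse addresses into the /16 blocks they fall in, returned as sorted strings."""
    nets = {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips}
    return [str(n) for n in sorted(nets)]


def analyse(lines, threshold=10):
    """Whole pipeline: crowded channels with user count, reported targets and address space."""
    members = channel_memberships(lines)
    findings = {}
    for chan, users in crowded_channels(members, threshold):
        ips = reported_ips(lines, chan)
        findings[chan] = {"users": users, "reported_ips": len(ips),
                          "address_space": covering_networks(ips)}
    return findings


if __name__ == "__main__":
    for chan, info in analyse(SAMPLE_IRC_LINES).items():
        print(chan, info)
```

On the constructed capture only "#!ftpscan" crosses the threshold (12 nicks), and every address its members report falls in 167.205.0.0/16 or 203.159.0.0/16, which is the kind of per-channel address-space summary the table above gives. The threshold of 10 is an assumption for the tiny sample; on a real 24-hour backbone dump the slide's 50-100 user range is the more realistic cut-off, and the whole-population count should be complemented by message-pattern matching, since a legitimate large channel will not post "Exploiting IP" style reports.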
Knowledge
Confirmed our assumption:
The command system can be found
The bot-net has a characteristic communication pattern
The host crowd is found
Now planning the next step…
Plans for future
To obtain statistical data from the host crowd
To estimate the computational requirements for stateful analysis
Memory and calculation requirements per amount of bandwidth
To apply the method to real-time traffic
To make their activities and behaviors clear
To find the universality of bot behavior
To confirm that the universality holds
To watch the bot-net trend over time
Fixed-point observation
To plan possible countermeasures against bot-networks
Against improvements of their command system
Using encryption, constructing p2p-like structures…