Transcript Botnets



Collection of connected programs
communicating with similar programs to
perform tasks
Legal
 IRC bots to moderate/administer channels
 Origin of term botnet

Illegal
 Bots usually added through infections
 Communicate through standard network
protocols

Named after malware that created the
botnet
 Multiple botnets can be created by same malware
▪ Controlled by different entities

“Bot master” can control the entire group of computers remotely through a Command and Control (C&C) system

Botnets used for various purposes
 Distributed Denial of Service attacks (DDoS)
 SMTP mail relays for spam
 Click fraud
▪ Simulating false clicks on advertisements to earn money
 Theft of information
▪ Application serial numbers
▪ Login information
▪ Financial information
▪ Personal information
 Bitcoin mining

Three main connection models
 Centralized
 P2P-based
 Unstructured


Centralized model: a central point (server) forwards messages to the bots
Advantages
 Simple to implement
 Customizable

Disadvantages
 Easier to detect and destroy; the server is a single point of failure

Most botnets use this model


P2P-based model: mainly used to avoid the problems of the centralized model
Does not use a server as a central location
 Instead the bots are connected to each other

Advantages
 Very hard to destroy
 Commands can be injected at any point
 Hard for researchers to find all bots

Disadvantages
 Harder to implement and design

Unstructured model: bots do not actively contact other bots or the botmaster
 Each bot only listens for incoming connections

Botmaster randomly scans the Internet for bots
 When a bot is found, the botmaster sends it encrypted commands

Botnets use well-defined communication protocols
 Helps the C&C traffic blend in with normal traffic

Protocol examples
 IRC
▪ Historically the most common
▪ Used for one-to-many or one-on-one communication
 HTTP
▪ Difficult to detect
▪ Allowed through most security devices by default
 P2P
▪ More advanced communication
▪ Not always allowed on the network

Two main detection methods
 Signature-based
▪ Relies on knowing the connection methods (protocol, ports, message formats) in advance
▪ Cannot detect new, unseen threats
 Anomaly-based
▪ Relies on deviations from baseline traffic
▪ High false-positive rates
▪ Not useful where baseline traffic cannot be established


Malware writers constantly looking for new
ways to avoid detection
Recent botnets employ new methods to
avoid detection
 Fast flux
 Domain flux



Fast flux: use a set of IP addresses that all correspond to one domain name
Use short TTLs (Time To Live) and large IP pools
Can be grouped into two categories
 Single flux
 Double flux


Single flux: the domain resolves to different IPs in different time windows
A user accesses the same domain twice
 First time, the DNS query returns 11.11.11.11
 The TTL on that answer expires
 The user performs another DNS query for the domain
 The DNS server now returns 22.22.22.22


Double flux: more sophisticated counter-detection
Repeated changes of both the flux agents and the domain's registration in DNS
 The authoritative DNS servers (NS records) are part of the fluxing too

Provides extra redundancy: taking down one name server does not stop the flux
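Single and double flux as they look from the resolver side, as an added example that is not part of the original slides. A history of lookups is reduced to the features a detector would want (lowest TTL, how many answers are new on each lookup, how many networks the addresses span, whether the NS set changes) and classified. The lookup records use reserved example addresses and `.test` names and are constructed; the thresholds are assumptions for illustration.

```python
"""Fast-flux heuristics computed from a history of DNS lookups.

Added example, not code from the original slides. The lookup history is
constructed (reserved example addresses and .test names), and the thresholds
are assumptions chosen for illustration; real deployments tune them on
measured traffic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Lookup:
    t: int           # seconds since the start of observation
    name: str        # queried domain
    rtype: str       # "A" or "NS"
    ttl: int         # TTL returned with the answer
    answers: tuple   # IP addresses for A, name-server hosts for NS


# Constructed history: a legitimate round-robin host and a double-fluxing one.
OBSERVATIONS = [
    # example-cdn.test: several IPs, but long TTL, one network, stable NS
    Lookup(0,    "example-cdn.test", "A",  3600,  ("203.0.113.10", "203.0.113.11")),
    Lookup(3600, "example-cdn.test", "A",  3600,  ("203.0.113.11", "203.0.113.12")),
    Lookup(7200, "example-cdn.test", "A",  3600,  ("203.0.113.10", "203.0.113.12")),
    Lookup(0,    "example-cdn.test", "NS", 86400, ("ns1.example-cdn.test",)),
    # flux.test: 3-minute TTL, fresh IPs on every lookup spread over many
    # networks (single flux), and the authoritative NS changes too (double flux)
    Lookup(0,   "flux.test", "A",  180, ("198.51.100.7", "192.0.2.33")),
    Lookup(180, "flux.test", "A",  180, ("203.0.113.200", "198.18.4.4")),
    Lookup(360, "flux.test", "A",  180, ("192.0.2.99", "198.19.7.1")),
    Lookup(0,   "flux.test", "NS", 300, ("ns.a.flux.test",)),
    Lookup(300, "flux.test", "NS", 300, ("ns.b.flux.test",)),
]


def _prefix16(ip: str) -> str:
    """Coarse stand-in for an AS lookup: the /16 the address falls in."""
    return ".".join(ip.split(".")[:2])


def churn(a_obs) -> float:
    """Fraction of answers, after the first lookup, that were never seen before.
    Round-robin reshuffles a fixed pool (low churn); flux hands out new
    agents each time (churn near 1)."""
    seen, new, total = set(), 0, 0
    for i, o in enumerate(sorted(a_obs, key=lambda o: o.t)):
        if i > 0:
            new += sum(1 for ip in o.answers if ip not in seen)
            total += len(o.answers)
        seen.update(o.answers)
    return new / total if total else 0.0


def features(name: str, observations=OBSERVATIONS) -> dict:
    a_obs = [o for o in observations if o.name == name and o.rtype == "A"]
    ns_obs = [o for o in observations if o.name == name and o.rtype == "NS"]
    if not a_obs:
        return {}
    ips = {ip for o in a_obs for ip in o.answers}
    ns_hosts = {h for o in ns_obs for h in o.answers}
    return {
        "lookups": len(a_obs),
        "unique_ips": len(ips),
        "unique_prefixes": len({_prefix16(ip) for ip in ips}),
        "min_a_ttl": min(o.ttl for o in a_obs),
        "churn": churn(a_obs),
        "ns_changes": max(len(ns_hosts) - 1, 0),
    }


def classify(name: str, observations=OBSERVATIONS,
             ttl_max=600, churn_min=0.5, prefixes_min=3) -> str:
    """'stable', 'single-flux' or 'double-flux'. A short TTL alone is not
    enough (CDNs use short TTLs too); require high churn AND network
    diversity, and call it double flux only when the NS set changes as well."""
    f = features(name, observations)
    if not f:
        return "unknown"
    single = (f["min_a_ttl"] <= ttl_max and f["churn"] >= churn_min
              and f["unique_prefixes"] >= prefixes_min)
    if single and f["ns_changes"] > 0:
        return "double-flux"
    return "single-flux" if single else "stable"


if __name__ == "__main__":
    for n in ("example-cdn.test", "flux.test"):
        print(n, classify(n), features(n))
```

The /16 prefix is only a placeholder for the AS diversity a real detector would get from a routing table; the point of the check is that a hosting provider's round-robin lives in one network while flux agents are infected machines on many different ISPs.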

A critical step in detecting a fast-flux network is to distinguish a fast-fluxing attack network (FFAN) from a fast-fluxing service network (FFSN)
 All agents in an FFSN should be up 24/7
 Agents within an FFAN have unpredictable alive times
▪ The botmaster does not have physical control over the bots (infected home machines get switched off)

Two metrics developed to distinguish these
 Average Online Rate(AOR)
 Minimum Available Rate(MAR)


A detector that uses AOR and MAR to track FFANs and FFSNs
Broken up into four components
 Dig tool
▪ Gathers DNS information and adds newly seen IP addresses to the database
 Agents monitor
▪ Sends HTTP requests to each agent and records the response (or lack of one)
 IP lifespan records database
▪ Stores the service status of each IP over time
 Detector
▪ Judges between FFAN and FFSN using AOR and MAR
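The four-component pipeline and the AOR/MAR decision, as an added example that is not code from the slides. The slides name the two metrics but do not give formulas, so the definitions used here are assumptions (AOR: mean over agents of the fraction of probe rounds the agent answered; MAR: the worst single round's fraction of answering agents). The dig results, probe outcomes and decision thresholds are constructed.

```python
"""Telling a fast-flux attack network (FFAN) from a fast-flux service network
(FFSN) with the AOR and MAR metrics, in the four-part layout the slides
describe (dig tool -> agents monitor -> lifespan database -> detector).

Added example, not code from the slides. The slides name the metrics without
giving formulas; the definitions used here are assumptions:
  AOR = mean over agents of (rounds the agent answered / rounds probed)
  MAR = minimum over probe rounds of (agents that answered / agents probed)
The dig results, probe outcomes and decision thresholds are constructed.
"""
from collections import defaultdict


def dig_tool(db: dict, name: str, resolved_ips) -> None:
    """Add every newly seen agent IP for `name` to the lifespan database."""
    for ip in resolved_ips:
        db[name].setdefault(ip, [])


def agents_monitor(db: dict, name: str, probe) -> None:
    """One probe round: 'HTTP-request' every known agent and record 1/0.
    probe(ip) stands in for the HTTP request and returns True on a response."""
    for ip, history in db[name].items():
        history.append(1 if probe(ip) else 0)


def aor(records: dict) -> float:
    rates = [sum(h) / len(h) for h in records.values() if h]
    return sum(rates) / len(rates)


def mar(records: dict) -> float:
    rounds = min(len(h) for h in records.values())
    per_round = [sum(h[i] for h in records.values()) / len(records)
                 for i in range(rounds)]
    return min(per_round)


def detector(records: dict, aor_min=0.9, mar_min=0.75) -> str:
    """FFSN agents are servers expected up 24/7, so both rates stay high.
    FFAN agents are infected home machines the botmaster cannot keep online,
    so the average uptime AND the worst-round availability both drop."""
    return "FFSN" if aor(records) >= aor_min and mar(records) >= mar_min else "FFAN"


# Constructed outcomes for six hourly probe rounds, keyed by agent IP.
UP_SCHEDULE = {
    # service network: five provider-hosted servers, one transient miss
    "203.0.113.1": [1, 1, 1, 1, 1, 1],
    "203.0.113.2": [1, 1, 1, 1, 1, 1],
    "203.0.113.3": [1, 1, 1, 0, 1, 1],
    "203.0.113.4": [1, 1, 1, 1, 1, 1],
    "203.0.113.5": [1, 1, 1, 1, 1, 1],
    # attack network: five home PCs switched on and off at their owners' whim
    "198.51.100.11": [1, 1, 0, 0, 1, 0],
    "198.51.100.12": [0, 1, 1, 0, 0, 0],
    "198.51.100.13": [1, 0, 0, 1, 1, 1],
    "198.51.100.14": [0, 0, 1, 1, 0, 0],
    "198.51.100.15": [1, 1, 1, 0, 0, 1],
}
SERVICE_IPS = [ip for ip in UP_SCHEDULE if ip.startswith("203.")]
ATTACK_IPS = [ip for ip in UP_SCHEDULE if ip.startswith("198.")]


def run_monitoring(rounds: int = 6) -> dict:
    """Drive the pipeline over the constructed schedule; return the database."""
    db = defaultdict(dict)
    dig_tool(db, "service.test", SERVICE_IPS)
    dig_tool(db, "attack.test", ATTACK_IPS)
    for r in range(rounds):
        probe = lambda ip, r=r: bool(UP_SCHEDULE[ip][r])
        agents_monitor(db, "service.test", probe)
        agents_monitor(db, "attack.test", probe)
    return db


def verdicts() -> dict:
    """name -> (AOR, MAR, verdict) for every domain in the database."""
    db = run_monitoring()
    return {name: (round(aor(recs), 3), round(mar(recs), 3), detector(recs))
            for name, recs in db.items()}


if __name__ == "__main__":
    for name, (a, m, v) in verdicts().items():
        print(f"{name}: AOR={a} MAR={m} -> {v}")
```

MAR is the metric that catches the case AOR misses: a botnet whose agents are individually up half the time can still, in some rounds, have almost nobody answering, and a service network that drops one server for one round keeps its worst round near 1.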


Domain flux was created to avoid the single point of failure that remains in fast flux: the one domain name, which can be blacklisted
Uses a set of domain names that are constantly, and automatically, generated
 Only a few of the generated names are ever registered and resolve to an IP address


Bots and the C&C server both run the same domain name generation algorithm (DGA)
Bots try to contact the C&C server using the generated domain names in turn
 If no answer is received from one name, the bot moves on to the next


Torpig was a botnet that used domain flux
 Eventually taken over by researchers, who registered the generated domains before the botmaster did
First it calculated domain names from the current week and year
 “weekyear.com” or “weekyear.net”


If those fail, it moves on to calculating the daily domain
If all other methods fail, a Torpig bot will try to connect to a hard-coded domain from its configuration files
Reverse-engineering the domain generation algorithm is not always possible
 Only a few of the generated domains will resolve to IP addresses, so a bot produces a burst of failed lookups
 One detection method is therefore to watch DNS query failures (NXDOMAIN responses)

 A small percentage of failures will be user error or poor configuration
 The larger part, especially many different names failing from one host in a short time, will be from malicious activity

With enough data one should be able to find
patterns in DNS query errors
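The domain-flux rendezvous described above (weekly names, then daily names, then the hard-coded fallback), the defender's pre-registration list, and the NXDOMAIN-based detection, in one added example serving both passages. This is not the slides' or Torpig's own code: the generator is a hypothetical DGA that mirrors only the search order the slides describe, and its hashing, label length, TLDs and the fallback name are assumptions. The resolver log lines are constructed.

```python
"""Domain flux: bot-side rendezvous, defender-side pre-registration list,
and detection from DNS query failures.

Added example; not the slides' or Torpig's own code. The generator is a
hypothetical DGA that only mirrors the search order the slides describe
(weekly names, then daily names, then a hard-coded fallback); the hashing,
label length, TLDs and the fallback name are assumptions. The resolver log
lines are constructed.
"""
import hashlib
from collections import defaultdict
from datetime import date, timedelta

TLDS = ("com", "net")
FALLBACK = "fallback-c2.example"   # hypothetical hard-coded domain from the bot's config
SAMPLE_DAY = date(2009, 3, 2)      # a Monday, used by the demo below


def days_after(day: date, n: int) -> date:
    return day + timedelta(days=n)


def _label(seed: str, length: int = 10) -> str:
    """Deterministic pseudo-random label derived from a seed string."""
    digest = hashlib.sha256(seed.encode()).digest()
    return "".join(chr(ord("a") + b % 26) for b in digest[:length])


def weekly_domains(day: date) -> list:
    """Names that depend only on ISO week and year, so they are the same all week."""
    year, week, _ = day.isocalendar()
    return [f"{_label(f'week{week}year{year}')}.{tld}" for tld in TLDS]


def daily_domains(day: date) -> list:
    """Names that change every day."""
    return [f"{_label(day.isoformat())}.{tld}" for tld in TLDS]


def candidate_domains(day: date) -> list:
    """Bot-side search order: weekly names, then daily names, then the fallback."""
    return weekly_domains(day) + daily_domains(day) + [FALLBACK]


def rendezvous(day: date, resolve):
    """Try each candidate until one resolves; resolve(name) returns an IP or None.
    Returns (name, ip, names_tried); name and ip are None if nothing answered."""
    tried = []
    for name in candidate_domains(day):
        tried.append(name)
        ip = resolve(name)
        if ip:
            return name, ip, tried
    return None, None, tried


def defender_precompute(start: date, weeks: int) -> list:
    """Defender side: once the algorithm is known, list every name the bots
    will try in the next `weeks` weeks so they can be registered or sinkholed
    before the attacker registers them."""
    names = set()
    for offset in range(weeks * 7):
        day = days_after(start, offset)
        names.update(weekly_domains(day) + daily_domains(day))
    return sorted(names)


def build_log(day: date) -> list:
    """Constructed resolver log, one 'client qname rcode' per line. 10.0.0.5 is
    a user who mistypes a name; 10.0.0.9 is a bot whose generated names are all
    unregistered, so only the hard-coded fallback answers."""
    lines = [
        "10.0.0.5 www.example.com NOERROR",
        "10.0.0.5 wwww.example.com NXDOMAIN",
        "10.0.0.5 wwww.example.com NXDOMAIN",
        "10.0.0.5 mail.example.com NOERROR",
    ]
    registered = {FALLBACK: "192.0.2.44"}
    _, _, tried = rendezvous(day, registered.get)
    for name in tried:
        lines.append(f"10.0.0.9 {name} {'NOERROR' if name in registered else 'NXDOMAIN'}")
    return lines


def flag_dga_clients(lines, min_distinct=3, min_fail_ratio=0.5) -> set:
    """Flag clients whose failed lookups are both numerous and spread over many
    DIFFERENT names. A typo is usually repeated for the same name; a DGA bot
    burns through a fresh name per attempt. Thresholds are assumptions."""
    total, failures, failed_names = defaultdict(int), defaultdict(int), defaultdict(set)
    for line in lines:
        client, qname, rcode = line.split()
        total[client] += 1
        if rcode == "NXDOMAIN":
            failures[client] += 1
            failed_names[client].add(qname.lower())
    return {c for c in total
            if len(failed_names[c]) >= min_distinct
            and failures[c] / total[c] >= min_fail_ratio}


if __name__ == "__main__":
    print("bot search order:", candidate_domains(SAMPLE_DAY))
    print("names to pre-register for 2 weeks:", len(defender_precompute(SAMPLE_DAY, 2)))
    print("flagged clients:", flag_dga_clients(build_log(SAMPLE_DAY)))
```

The detector deliberately counts distinct failing names rather than raw failures: the typing user fails twice on one name and is not flagged, while the bot fails on four different names before its fallback answers. Without the algorithm, this failure pattern is all a defender sees; with it, `defender_precompute` gives the list of names to register ahead of the attacker, which is the takeover technique the slides attribute to the Torpig researchers.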

Fast flux networks are mitigated by blacklisting the domain name associated with the flux
 Contact the registrar to have the domain suspended
 ISP blocks requests for the domain in its DNS resolvers
 ISP monitors DNS queries to the domain to identify infected hosts

Domain flux is harder to mitigate
 In order to register domain names before the attackers, one must know the algorithm (and any seed it uses)
 Automated techniques to block DNS queries are not always accurate
 Registrars used by attackers usually do not respond to abuse reports

BredoLab
 Created May, 2009
 30,000,000 bots

Mariposa
 Created 2008
 12,000,000 bots

Zeus
 Steals banking credentials for all major banks
 3,600,000 bots in the US alone
 Customizable (sold as a toolkit)