Multifaceted Approach to Understanding the Botnet Phenomenon
Christos P. Margiolas, University of Crete
A brief presentation for the paper: Multifaceted Approach to Understanding the Botnet Phenomenon

Basic concepts
● A botnet is a set of connected end hosts (bots) which are infected by malicious software and controlled by the botmaster (attacker).
● A honeynet is a network of vulnerable end hosts (honeypots).
● The shellcode is a small binary or script which is used to download the real bot binaries.
● Nepenthes is special software which mimics known vulnerabilities in order to collect shellcode.
● PlanetLab is a group of computers available as a testbed for computer networking and distributed systems research.
● UnrealIRC mimics the operations of an IRC server.

Efforts
● The construction and evaluation of a multifaceted infrastructure for capturing and tracking botnets.
● The infrastructure is a distributed system which collects as many bots as possible and tracks the botnets with an IRC tracker (internal behaviour) and a DNS prober (footprint).
● Structural and behavioural analysis based on the data collected by the multifaceted infrastructure. They present results for 192 botnets.

Bot characteristics
● One host (the botmaster) controls and checks every infected host over a Command and Control (C&C) channel.
● This channel is implemented over well-known Internet protocols such as HTTP and IRC (or P2P protocols). IRC is the most popular because it supports a large number of clients, different network topologies and an extensible protocol design.

Typical botnet communication

Botnet security choices
● Bot authentication to the server with a PASS protocol message (supported by IRC).
● Bot authentication to the channel with the password defined by the botmaster (supported by IRC).
● Botmaster authentication to the bots (supported by the bot creator).
● Every botnet can use any combination of them.
● After the join, the bot parses and executes the default package message.
● In some cases the bot can see every exchanged message; it depends on the channel modes.

The measurement consists of:
● Malware collection
● Binary analysis
● Tracking with the IRC tracker and the DNS prober

Collection Infrastructure
● Darknet based on the local network and 14 PlanetLab nodes, with IP address space covering 10 different /8 prefixes.
● Nepenthes.
● Honeynet with Windows XP images running on virtual machines and VLANs.

Binary Analysis – gray box method
● Use of a private network.
● Network fingerprint: looking for IPs, ports and DNS requests.
● IRC fingerprint: looking for PASS, NICK format, USER names and auto-joined channels. This stage also creates a dialect template with the help of UnrealIRC.
● Special tactics for managing botmaster authentication.

Tracking
● IRC tracking based on the dialect template of the binary analysis and the network and IRC fingerprints. It applies a filter on the dialect template to avoid 'bad' replies. It offers special handling for the stateful nature of the bots.
● DNS probing on a cleaned list of DNS servers. The results are a lower bound of the footprint, because not every DNS server is checked and a cache hit gives no information about the number of requests.

Infrastructure Architecture

Contribution to the unwanted traffic
● About 27% of the unwanted transfers is generated by botnet activities.
● They present the number of SYN packets over time in comparison with the SYN packets generated only by the botnets.
● The peaks are aligned, and in those periods the botnets usually generate 90% of the cumulative traffic.

The two bot groups
● The worm-like bots. These bots attack specific ports continuously with a single algorithm. Many times they try to connect to a hardcoded list of unreachable servers. The result is a botnet without a master.
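The IRC fingerprint of the binary-analysis stage (PASS, NICK format, USER line, auto-joined channels and keys) as an added example, not code from the paper or the presentation: it extracts the fingerprint from a constructed client-side session and reuses it as a detection matcher for later sessions. The sample values and the digit-run generalisation of the nick are assumptions made for illustration.

```python
import re

# Constructed sample of the client-side IRC messages a bot emits while it is
# run inside the private analysis network (made-up values, not a real capture).
SAMPLE_SESSION = """PASS s3cr3tpw
NICK [USA|XP]-83125
USER xp 0 0 :xp
JOIN #bots chankey
MODE [USA|XP]-83125 +xi
"""

def nick_template(nick):
    """Generalise a bot nick into a regex by turning runs of digits into a
    digit class and keeping everything else literal (the 'NICK format')."""
    parts = re.split(r"\d+", nick)
    return "^" + r"\d+".join(re.escape(p) for p in parts) + "$"

def extract_fingerprint(session):
    """Collect the IRC fingerprint: server PASS, nick pattern, USER line
    and auto-joined channels with their keys."""
    fp = {"pass": None, "nick_re": None, "user": None, "channels": {}}
    for line in session.splitlines():
        cmd, _, rest = line.partition(" ")
        if cmd == "PASS":
            fp["pass"] = rest
        elif cmd == "NICK":
            fp["nick_re"] = nick_template(rest)
        elif cmd == "USER":
            fp["user"] = rest
        elif cmd == "JOIN":
            chan, _, key = rest.partition(" ")
            fp["channels"][chan] = key or None
    return fp

def matches_fingerprint(fp, line):
    """Detection side: does a client line seen on another host fit this
    fingerprint? Used to recognise further infections of the same family."""
    cmd, _, rest = line.partition(" ")
    if cmd == "PASS":
        return rest == fp["pass"]
    if cmd == "NICK":
        return fp["nick_re"] is not None and re.match(fp["nick_re"], rest) is not None
    if cmd == "JOIN":
        chan, _, key = rest.partition(" ")
        return chan in fp["channels"] and fp["channels"][chan] == (key or None)
    return False

if __name__ == "__main__":
    print(extract_fingerprint(SAMPLE_SESSION))
```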
● The current approach: the bot supports a number of scanning algorithms and scans only after the botmaster's command or if the channel's message requests it. Their behaviour can be rescheduled on the fly and they support modification options. They usually scan /8 or /16 IP prefixes.

Growth Patterns (based on the IRC tracker and DNS prober)
● The semi-exponential model: the bots apply permanent scanning on randomly selected ports. The attack method is permanent: the same port, attacked always.
● The pattern of botnets with an intermittent activity profile. In this category we have bot designs that are almost stable when the IRC server is down, but when it comes back up the botnet starts expanding again.
● Time-scoped botnets. In this case the botnet is active for attacking and spreading for a specific time period. This kind of botnet targets specific IP prefixes.

Bot IRC structure
● All the bots connect to a single IRC server. This approach is good only for a small infected network, because an effective vulnerability attack can easily exhaust the server's client capacity. Unexpected similarities between different bots, such as naming conventions, channel names and operator IDs, point to the same botmaster/creator.
● Multiple servers form an IRC network (IRC server farm). The bridging can be done in different ways, but the principal idea is identical: the servers share the load. To check whether a botnet uses multiple servers, they either read the status message of the connected servers or check for equality between the local user count and the total connected user count.
● A group of bots has the feature to download updated binaries of themselves, a feature which is mainly used for migration to other servers.

Common bot thread services
● The AV/FW killer, found in 50% of the bots, deactivates anti-virus and firewall processes.
● The Identd server (40%) is a TCP-based server used to identify the user over the connection.
● The registry monitor (38%) monitors the registry and informs if someone tries to disable or limit the bot.
● The system security monitor (40%) uses known vulnerability issues and, with calls to a secure() function, manages to deactivate system services.

● Every binary uses from 3 to 29 vulnerabilities; the average number is 15.
● The modular design of the bots, in conjunction with the variations and combinations of exploits, gives the same results.
● To test the protection level of the end systems, they tried to classify each of the 192 bots with ClamAV and Norton AntiVirus: the first classified 137 and the second 179.

Effective Size
The footprint of a botnet is usually much larger than the number of bots connected to the IRC server (the effective size). This is not unexpected, because the networking infrastructure of the IRC server(s) is too poor to serve thousands of connected bots, so a bot connects to the IRC network only periodically. This has no impact on relatively permanent commands (e.g. the channel's status), but it is significant for instant, on-the-fly instructions, because only the bots connected at that moment execute them.
The difference between the footprint and the lifetime of botnets is important because the life of a bot is much longer than the time it stays connected to the IRC server. A bot usually stays joined to a channel for an average of 25 minutes (90% stay less than 50 minutes), but it exists as a host in the infected network for about 47 days. Also, death (stop of execution), which can be caused by a number of reasons such as patching, system shutdown and network failure, can destabilise the difference between footprint and effective size.
The client who stays connected the longest to the C&C channel is the botmaster, for two reasons: giving new commands and keeping the operator privileges.
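The footprint versus effective-size distinction above, as an added example that is not part of the presentation or the paper: from a constructed IRC-tracker log of JOIN/QUIT events it computes the footprint (distinct hosts seen), the effective size at an instant, the peak effective size, and the per-session time joined. The log format and bot names are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed tracker log (not real data): ISO timestamp, event, bot id.
LOG = """2006-03-01T10:00:00 JOIN bot-a
2006-03-01T10:05:00 JOIN bot-b
2006-03-01T10:20:00 QUIT bot-a
2006-03-01T10:30:00 JOIN bot-c
2006-03-01T10:45:00 QUIT bot-b
2006-03-01T11:00:00 JOIN bot-a
2006-03-01T11:10:00 QUIT bot-c
2006-03-01T11:30:00 QUIT bot-a
"""

def parse_log(text):
    """Parse the log into time-ordered (timestamp, event, bot) tuples."""
    events = []
    for line in text.splitlines():
        ts, ev, bot = line.split()
        events.append((datetime.fromisoformat(ts), ev, bot))
    return sorted(events)

def footprint(events):
    """Footprint: distinct hosts seen over the whole observation window."""
    return len({bot for _, _, bot in events})

def effective_size_at(events, when_iso):
    """Effective size: bots connected to the C&C channel at a given instant."""
    when, online = datetime.fromisoformat(when_iso), set()
    for ts, ev, bot in events:
        if ts > when:
            break
        (online.add if ev == "JOIN" else online.discard)(bot)
    return len(online)

def peak_effective_size(events):
    """Largest number of bots online at any moment in the window."""
    online, peak = set(), 0
    for _, ev, bot in events:
        (online.add if ev == "JOIN" else online.discard)(bot)
        peak = max(peak, len(online))
    return peak

def session_minutes(events):
    """Length in minutes of each JOIN..QUIT session (time a bot stays joined)."""
    start, out = {}, []
    for ts, ev, bot in events:
        if ev == "JOIN":
            start[bot] = ts
        elif bot in start:
            out.append((ts - start.pop(bot)) / timedelta(minutes=1))
    return out
```

Even in this small constructed log the footprint (3) exceeds the peak effective size (2), which is the gap the slide describes.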
A noticed paradox is that botnets which use static IP addresses directly have a longer lifetime than those which use domain names.
The paper presents some special characteristics that many botmasters share. They share information about unproductive prefixes and do not scan them, guide the bots to do only the necessary communication, investigate for fake bots in order to limit them, and seek bots with big resources. A botmaster is also able to migrate bots from one network to another; to do so, they ask the bots to download an updated version of the binary code.