Bot-network detection
NAIST: Mitsuaki Akiyama, Takanori Kawamoto, Teruaki Yokoyama

Uploaded by nicholas-shaw, posted 27-Mar-2015, category: Documents

TRANSCRIPT

Page 1

Bot-network detection

NAIST: Mitsuaki Akiyama, Takanori Kawamoto, Teruaki Yokoyama

Page 2

What is the bot-net (1)

A platform for malicious activities:
- Attempting logins
- Sending DDoS traffic
- Submitting spam messages

A threat both to the Internet and to the AI3 network:
- Necessary to avoid becoming a stepping-stone for attacks
- Necessary to reduce wasted bandwidth

Page 3

What is the bot-net (2)

Bot-net characteristics:
- Consists of many victim hosts and few (usually only one) master host(s) or user(s)
- A command system is constructed among them
- Victims are controlled by orders from the master
- Victims sometimes try to infect other hosts

Page 4

Our project: traffic monitoring and analysis

The AI3 network may work well as a sensor for bot-networks:
- Extensive address space
- A backbone, but one on which traffic capture is easy

Constructing a traffic-monitoring mechanism:
- Dump the whole traffic of the AI3 network
- Mine anomalies from the traffic

Today: a report on the current situation and interim results

Page 5

Model of bot-network

Three components: command system, attacks, infection.

1st target (current):
- To find the command system

2nd target (future):
- To find attack behavior
- To find infection behavior

Page 6

Our strategy

Target: bot-nets on IRC
- Easy to differentiate (TCP port 6667)
- Well-known bot-net implementations use it
- The signature is well known

The bot-net on IRC is the better subject for practical experiments:
- To confirm that its command system can be found
- To obtain the bot-net as a host crowd
- To analyze the behavior of the crowd

Page 7

Experiment: data

Target: bot-net on IRC
Measurement point: PC router at SFC
Date: 10 Aug 2004
Amount: 24 hours, 30 GB
Analyzed as stored data (offline analysis)

Page 8

Experiment: detection

Practical detection, aimed at finding the command system:
- Watch IRC traffic (TCP port 6667)
- Obtain pairs of (IRC nick, channel)
- Find the channels that keep a lot of users

[Figure: an IRC server hosting channel A and channel B, with bot-net clients joined to a channel]

Page 9

Results

Channels: 394
Users: 1741
Commands: 83481

[Figure: conceptual channel-user graph]

Channels which have many users (50-100 users):
- the command system of a bot-net???

Page 10

Confirmation: messages

Found bots: WORM_SDBOT.BR, WORM_RBOT.GE, WORM_RBOT.ZQ, WORM_SDBOT.VQ

Examples of suspicious channels and their messages:

Channel #g3n1u5
  :CSendFile(0x007E29C0h): Transfer to 167.205.38.93 finished.

Channel ####splox####
  :[TFTP]: File transfer started to IP: 203.159.46.120 (C:\WINDOWS\System32\WinGamed.exe).

Channel ##rektp
  :[FTP]: File transfer complete to IP: 167.205.12.195 (C:\WINDOWS\System32\serm32.exe).

Channel #admin
  :[FTP]: File transfer complete to IP: 167.205.65.86 (C:\WINDOWS\System32\xpcd.exe).

Channel #!ftpscan
  :lsass: exploited (167.205.37.57)
  :[lsass]: Exploiting IP: 167.205.106.17.

Channel     Hosts   Address space
#g3n1u5     108     167.205.0.0 - 167.205.255.255
##rektp     16      167.205.0.0 - 167.205.255.255
#!ftpscan   13      167.205.0.0 - 167.205.255.255
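The detection procedure of slide 8 (count the users per IRC channel and keep the populous ones) and the confirmation step of slide 10 (look in those channels for bot status reports and summarise the address space they report on), worked as an added Python example. This is not the NAIST project's code: the IRC lines, nicks, channel names and IP addresses (TEST-NET ranges) are constructed, the 50-user threshold follows slide 9, and the report patterns are modelled on the message shapes quoted on slide 10. It goes a step beyond the slide by also reading the server's NAMES reply (IRC numeric 353, RPL_NAMREPLY), which a passive sensor needs because it only sees JOINs from clients on its own side of the link.

```python
"""Offline IRC bot-net C&C finder after slides 8 and 10. Added example, not the
NAIST project's code; nicks, channels and IP addresses are constructed."""
import re
from collections import defaultdict
from ipaddress import ip_network

# Bot status reports, modelled on slide 10: "[lsass]: Exploiting IP: ...",
# "lsass: exploited (...)", "[TFTP]: File transfer ...", "CSendFile(0x...): ...".
BOT_REPORT = re.compile(r"^(?:\[\w+\]:|\w+: exploited|CSendFile\([^)]*\):)")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_irc(line):
    """Split one IRC line into (nick or None, COMMAND, [params..., trailing])."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    cmd, args = params[0].upper(), params[1:]
    if sep:
        args.append(trailing)
    nick = prefix.split("!", 1)[0] if prefix else None
    return nick, cmd, args


def channel_populations(lines):
    """Slide 8: peak membership per channel. JOIN/PART/QUIT cover clients the
    sensor sees directly; RPL_NAMREPLY (353) reveals the rest of the channel."""
    members, peak = defaultdict(set), defaultdict(int)
    for raw in lines:
        nick, cmd, args = parse_irc(raw.rstrip("\r\n"))
        if cmd == "JOIN" and args:
            for chan in args[0].lower().split(","):
                members[chan].add(nick)
                peak[chan] = max(peak[chan], len(members[chan]))
        elif cmd == "PART" and args:
            for chan in args[0].lower().split(","):
                members[chan].discard(nick)
        elif cmd == "QUIT":
            for nicks in members.values():
                nicks.discard(nick)
        elif cmd == "353" and len(args) >= 2:
            chan = args[-2].lower()
            members[chan].update(n.lstrip("@+%~&") for n in args[-1].split())
            peak[chan] = max(peak[chan], len(members[chan]))
    return dict(peak)


def candidate_channels(peak, threshold=50):
    """Slide 9: channels that keep many users (50-100 in the SFC data)."""
    return {chan: n for chan, n in peak.items() if n >= threshold}


def confirm_by_messages(lines, candidates):
    """Slide 10: in candidate channels, count the hosts that post bot reports
    and collect the /16 blocks of the IPs they report, like the slide's table."""
    found = {c: {"hosts": set(), "reports": 0, "nets": set()} for c in candidates}
    for raw in lines:
        nick, cmd, args = parse_irc(raw.rstrip("\r\n"))
        if cmd != "PRIVMSG" or len(args) < 2:
            continue
        chan, text = args[0].lower(), args[1]
        if chan not in found or not BOT_REPORT.match(text):
            continue
        found[chan]["hosts"].add(nick)
        found[chan]["reports"] += 1
        for ip in IPV4.findall(text):
            found[chan]["nets"].add(str(ip_network(f"{ip}/16", strict=False)))
    return {c: {"reporting_hosts": len(e["hosts"]), "reports": e["reports"],
                "target_nets": sorted(e["nets"])} for c, e in found.items()}


def build_sample_stream():
    """Constructed server-to-client lines as reassembled from TCP port 6667."""
    local = [f"bot{i:03d}" for i in range(12)]       # bots inside the sensor's net
    remote = [f"bot{i:03d}" for i in range(12, 70)]  # seen only in the NAMES reply
    lines = [f":{b}!x@192.0.2.{i + 1} JOIN :#cc-one" for i, b in enumerate(local)]
    lines.append(":irc.example.test 353 bot000 = #cc-one :"
                 + " ".join(["@master"] + local + remote))
    lines += [f":{h}!u@host JOIN :#chat" for h in ("alice", "bob", "carol")]
    lines += [
        ":master!m@h PRIVMSG #cc-one :.scan lsass 198.51.100.0/24",  # constructed order
        ":bot003!x@h PRIVMSG #cc-one :[lsass]: Exploiting IP: 198.51.100.17.",
        ":bot003!x@h PRIVMSG #cc-one :lsass: exploited (198.51.100.17)",
        ":bot007!x@h PRIVMSG #cc-one :[TFTP]: File transfer started to IP: "
        "198.51.100.40 (C:\\WINDOWS\\System32\\x.exe).",
        ":bot009!x@h PRIVMSG #cc-one :CSendFile(0x007E29C0h): Transfer to 203.0.113.9 finished.",
        ":alice!u@host PRIVMSG #chat :hi bob, 198.51.100.1 is the gateway",
    ]
    return lines


if __name__ == "__main__":
    stream = build_sample_stream()
    candidates = candidate_channels(channel_populations(stream))
    for chan, users in candidates.items():
        print(chan, users, confirm_by_messages(stream, candidates)[chan])
```

Run directly, it prints the one channel that crosses the threshold (71 users in the constructed stream) with 3 reporting hosts, 4 reports and the two /16 blocks they reported on; #chat, with 3 users, never reaches the confirmation step. Two caveats the slides themselves point toward: the TCP/6667 filter and these message patterns are specific to the cleartext IRC bots of 2004, so a command channel on another port, or using the encrypted or p2p-like command systems slide 12 anticipates, would be invisible to this code; and a passive sensor at the network edge only observes JOINs from its own side of the link, which is why the NAMES reply is read, since without it a channel of 70 bots with 12 local members would be counted as 12 and fall under the threshold.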

Page 11

Knowledge

Confirmed our assumption:
- The command system can be found
- The bot-net has a characteristic communication pattern
- The host crowd was found

Now planning the next step...

Page 12

Plans for the future

To obtain statistical data from the host crowd:
- To make their activities and behaviors clear
- To find the universality of bot behavior

To estimate the computational requirements of stateful analysis:
- Memory and calculation requirements per amount of bandwidth

To apply the method to real-time traffic:
- To confirm that the universality holds
- To watch bot-net trends over time (fixed-point observation)

To plan possible countermeasures against bot-networks:
- Against improvements to their command systems: use of encryption, p2p-like structures, ...