1 understanding botnet phenomenon mitp 458 - kevin lynch, will fiedler, navin johri, sam annor, alex...
Post on 20-Dec-2015
1
Understanding Botnet Phenomenon
MITP 458 - Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev
2
What is Botnet ?
"Botnet" is the term for a network of infected end-hosts, called bots, that are under the control of a human operator commonly known as the bot master.
Command and control (C&C) channels are used to disseminate the bot master's commands to the bots.
IRC (Internet Relay Chat) is the main vehicle for these channels.
3
IRC Concept – RFC 1459
IRC is an open protocol that uses TCP
Figure legend: green – normal clients; blue – bots; orange – bouncers
4
IRC Concept – RFC 1459
Example 1: A message between clients 1 and 2 is only seen by server A, which sends it straight to client 2.
Example 2: A message between clients 1 and 3 is seen by servers A & B, and client 3. No other clients or servers are allowed to see the message.
Example 3: A message between clients 2 and 4 is seen by servers A, B, C & D and client 4 only.

    1--\
        A        D---4
    2--/ \      /
          B----C
         /      \
        3        E

Servers: A, B, C, D, E    Clients: 1, 2, 3, 4
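The three examples above all follow from one property of RFC 1459: servers form a spanning tree, so a message travels along the unique path between the sender's and the recipient's server and is visible only to the servers on that path and to the recipient. This is also why a tracker that joins a botnet's channel as a client (described later in the deck) sees the same commands the bots see. The script below is an added example, not part of the slides or of RFC 1459; the topology and client attachments are taken from the figure, everything else is constructed.

```python
# Added example (not from the slides or RFC 1459): compute which servers
# and clients observe a private message in the spanning-tree topology
# drawn in the figure. Topology and client attachments follow the figure.

from collections import deque

# Server-to-server links of the spanning tree (undirected).
SERVER_LINKS = {
    "A": {"B"},
    "B": {"A", "C"},
    "C": {"B", "D", "E"},
    "D": {"C"},
    "E": {"C"},
}

# Each client is attached to exactly one server.
CLIENT_SERVER = {"1": "A", "2": "A", "3": "B", "4": "D"}


def server_path(src_server, dst_server):
    """Breadth-first search over the server tree.

    A tree has exactly one simple path between two nodes, so BFS returns
    the unique route a message takes between the two servers."""
    if src_server == dst_server:
        return [src_server]
    parent = {src_server: None}
    queue = deque([src_server])
    while queue:
        node = queue.popleft()
        for nxt in SERVER_LINKS[node]:
            if nxt in parent:
                continue
            parent[nxt] = node
            if nxt == dst_server:
                path = [nxt]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(nxt)
    raise ValueError(f"no route from {src_server} to {dst_server}")


def message_observers(sender, recipient):
    """Return (servers, clients) that observe a private message.

    Only the servers on the path and the recipient itself see the text,
    which is the property the three examples describe."""
    servers = server_path(CLIENT_SERVER[sender], CLIENT_SERVER[recipient])
    return servers, [recipient]


if __name__ == "__main__":
    for src, dst in (("1", "2"), ("1", "3"), ("2", "4")):
        servers, clients = message_observers(src, dst)
        print(f"{src} -> {dst}: servers {servers}, clients {clients}")
```

Running it reproduces the three examples: 1 to 2 is seen by A only, 1 to 3 by A and B, and 2 to 4 by A, B, C and D. Channel messages behave the same way except that the path fans out to every server that has a member of the channel attached.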
5
How to Analyze Botnets?
Develop a scalable and robust infrastructure to capture and concurrently track multiple Botnets
Must be benign – not used to infect others outside the testing environment
Analysis of measurements of the structural and behavioral aspects of Botnets
IRC tracking, DNS Cache probing (minimal)
6
Birth of a Bot
Bots are born from program binaries that infect your PC
Self-replicating worms
E-mail viruses
Shellcode (scripts)
7
Data collection methodology
Phase 1: Malware collection – collect as many different binaries (bots) as possible
Phase 2: Binary analysis via gray-box testing – analyze the sophistication of each bot
Phase 3: Longitudinal tracking of IRC botnets through IRC and DNS trackers – monitor the pervasiveness of each bot
8
Overview data collection
Malware collection (PlanetLab testbed) – darknet IP space (/8)
Captures missed by the PlanetLab sensors are parsed separately
The shellcode and binaries collected are sent to the botware analysis engine
9
Malware Collection
Unpatched Windows XP hosts are run as the base copy; Nepenthes mimics the replies generated by
vulnerable services in order to collect the first-stage exploit
Honeynets are used to catch exploits missed by Nepenthes
The infected honeypot is compared with the base copy to identify the Botnet binary
10
Binary Analysis via graybox testing
Network fingerprint (DNS, IPs, Ports, scan)
IRC (PASS, NICK, USER, MODE, JOIN)
Learn the Botnet Dialect
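The IRC part of the fingerprint is the sequence of handshake commands a bot sends right after connecting. Parsing those commands out of a captured session, and generalising the nick format, is what lets one sample's dialect be compared with another's. The script below is an added example, not code from the paper or the slides; the sample session, the nick format and the channel name are constructed, and the RFC 1459 message grammar is the only thing taken from a real specification.

```python
# Added example (not from the paper or the slides): parse a captured
# client-to-server IRC session and extract the login "dialect" (PASS, NICK,
# USER, MODE, JOIN) listed on the gray-box testing slide.
# The session text below is constructed; nick, password, channel and key
# are invented values.

import re

# Constructed sample of what an IRC bot emits right after connecting.
SAMPLE_SESSION = """\
PASS s3cretpass
NICK [00|USA|XP|123456]
USER xyz 0 0 :xyz
MODE [00|USA|XP|123456] +xi
JOIN #chan1 chankey
"""

# RFC 1459 message: [':' prefix SPACE] command [params] [' :' trailing]
_IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<command>[A-Za-z]+|\d{3})(?P<params>.*)$"
)


def parse_irc_line(line):
    """Split one IRC message into (prefix, COMMAND, params list)."""
    m = _IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an IRC message: {line!r}")
    rest = m.group("params")
    if " :" in rest:
        # Everything after ' :' is a single trailing parameter (may contain spaces).
        head, trailing = rest.split(" :", 1)
        params = head.split()
        params.append(trailing)
    else:
        params = rest.split()
    return m.group("prefix"), m.group("command").upper(), params


def irc_login_fingerprint(session_text):
    """Collect the connection-setup commands into a fingerprint dict.

    Each handshake command is recorded once, with its parameters, in order
    of first appearance; that is enough to compare dialects between samples."""
    wanted = ("PASS", "NICK", "USER", "MODE", "JOIN")
    fingerprint = {}
    for line in session_text.splitlines():
        if not line.strip():
            continue
        _prefix, cmd, params = parse_irc_line(line)
        if cmd in wanted and cmd not in fingerprint:
            fingerprint[cmd] = params
    return fingerprint


def nick_pattern(nick):
    """Generalise a nick by collapsing digit runs to 'N', so bots that
    randomise a numeric suffix still map to one pattern."""
    return re.sub(r"\d+", "N", nick)


if __name__ == "__main__":
    fp = irc_login_fingerprint(SAMPLE_SESSION)
    for cmd, params in fp.items():
        print(cmd, params)
    print("nick pattern:", nick_pattern(fp["NICK"][0]))
```

The parser keeps the trailing parameter intact (the `:xyz` real-name field of USER), because a bot's real-name string is often a fixed value that makes a good signature on its own. Matching a live session against a stored fingerprint is then a dictionary comparison on the commands and generalised patterns rather than on raw strings.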
11
Longitudinal Tracking of Botnets
The IRC tracker (also called a drone) filters traffic and acts as a bot: it joins the IRC channel in the botnet's own dialect and iteratively probes it to find the footprint of a particular Botnet
– Uses DNS probing
– Acts as a spy inside the channel
DNS tracking – 800,000 name servers probed
12
Botnet Scanning
Worm-like – immediately start scanning the IP space looking
for new victims after infection: 34 / 192 botnets
Variable scanning Botnets – scan only when issued a command by the botmaster
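The two scanning behaviours above are distinguishable in flow data: a worm-like bot shows a burst of connections to many distinct hosts on one port shortly after it is infected, while a variable-scanning bot shows no such burst until it is commanded to scan. The script below is an added example, not code from the paper or the slides; the flow records, the infection timestamp, the window length and the fan-out threshold are all constructed or assumed values.

```python
# Added example (not from the paper or the slides): flag sources whose flow
# records show worm-like scanning (many distinct destinations on one port in
# one time window) and measure the delay from infection to the first scan.
# Flow records, infection time, window and threshold are constructed/assumed.

from collections import defaultdict

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port).
# 10.0.0.5 sweeps 30 hosts on port 445 starting 2 s after its assumed
# infection at t=60; 10.0.0.7 is an ordinary host with a few connections.
FLOWS = (
    [(62 + i, "10.0.0.5", f"198.51.100.{i + 1}", 445) for i in range(30)]
    + [
        (70, "10.0.0.7", "203.0.113.10", 443),
        (75, "10.0.0.7", "203.0.113.11", 80),
        (80, "10.0.0.7", "203.0.113.10", 443),
    ]
)

# Assumed infection times, e.g. from a honeypot alert (constructed).
INFECTION_TIMES = {"10.0.0.5": 60}


def fanout_per_window(flows, window=60):
    """Map (src, dst_port, window_index) -> set of distinct destinations."""
    seen = defaultdict(set)
    for ts, src, dst, port in flows:
        seen[(src, port, ts // window)].add(dst)
    return seen


def detect_scanners(flows, window=60, min_fanout=20):
    """Sources contacting at least min_fanout distinct hosts on one port
    inside a single window. Returns {src: (port, fanout)} keeping the
    largest burst per source."""
    result = {}
    for (src, port, _w), dsts in fanout_per_window(flows, window).items():
        if len(dsts) < min_fanout:
            continue
        if src not in result or len(dsts) > result[src][1]:
            result[src] = (port, len(dsts))
    return result


def scan_onset_delay(flows, infection_times, window=60, min_fanout=20):
    """Seconds from the recorded infection to the first flow of the scan
    burst: the 'immediately start scanning' behaviour on the slide."""
    delays = {}
    for src, (port, _n) in detect_scanners(flows, window, min_fanout).items():
        if src not in infection_times:
            continue
        t0 = infection_times[src]
        first = min(
            ts for ts, s, _d, p in flows if s == src and p == port and ts >= t0
        )
        delays[src] = first - t0
    return delays


if __name__ == "__main__":
    print("scanners:", detect_scanners(FLOWS))
    print("onset delay (s):", scan_onset_delay(FLOWS, INFECTION_TIMES))
```

The tumbling window is deliberately simple: a burst that straddles a window boundary can be split below the threshold, so a production detector would use a sliding window or per-source rate. A variable-scanning bot produces no burst until commanded, which is exactly why the paper needs the IRC tracker in addition to passive flow observation.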
13
Botnet Scanning
14
Botnet Growth
15
Botnet Growth
16
Botnet Phenomenon
17
Botnet Phenomenon
Traffic Problem
– 70% of the sources during peak periods sent shell exploits similar to those sent by the botnet spreaders
– 90% of all the traffic during a particular peak targeted ports used by botnet spreaders
– The amount of botnet-related traffic is certainly greater than 27%
18
Botnet Statistics
60% were IRC bots
– 70% of all the bots connect to a single IRC server
57,000 Active Bots per day for the first 6 months of 2006 ( Symantec )
4.7 million distinct computers being actively used in Botnets
Most Botnets are managed by a single server ( up to 15,000 bots )
Mocbot seized control of more than 7,700 machines within 24 hours
19
Botnet Characteristics
Diverse set of operating systems
Anti-virus programs can detect and fix most bots
20
What is it that You say… You Do Here?
Log keystrokes for identity theft
Installing advertisement add-ons
Distributed Denial-of-Service attacks
Spamming
Sniffing traffic
Keylogging
Spreading new malware
Google AdSense abuse
Attacking IRC chat networks
Manipulating online polls/games
Mass identity theft
21
Bot Capabilities
DDoS: flooding attacks and DDoS extortion
Scanning
Exploitation
Download and installation
Click fraud
Server services – bot hosting, e.g. phishing
Gateway and proxy functions – HTTP proxy
Spyware, keylogging, data theft and packet capture
22
Conclusion
"The fight against botnets is a 'war' that can only be won if all parties – regulators, governments, telecoms firms, computer users and hardware and software makers – work together."
Botnets pose one of the most SEVERE threats to the Internet
– Are responsible for most of the unwanted traffic
– Generators of SPAM
Ref: http://news.bbc.co.uk/2/hi/business/6298641.stm
23
Conclusion
Business Implications
– DDoS – bring e-commerce to a halt
– Wasting of money on SPAM filtering
– Wasting of corporate time and $$
24
Strengths of the paper
All aspects of a botnet analyzed
No prior analysis of bots
Ability to model various types of bots
Ability to learn bot dialect and communicate with them
25
Botnet
Questions ?