BOTNET
Kumar Mukherjee
Mike Ladd
Nazia Raoof
Rajesh Radhakrishnan
Bret Walker
Botnet Background
• network of infected hosts, under control of a human operator (botmaster)
• tens of thousands of nodes
• victims claimed by remote exploits
Defining Characteristic
• use of Command & Control (C&C) channels
• used to disseminate the botmaster's commands
Uses of Botnets
• Spam
• ID Theft
• Piracy
• DDoS
• Ex. 1000 bots w/ 128 KBit/s connections each have more aggregate bandwidth than many corporate systems
• IP distribution of the bots makes filtering difficult
Lifecycle of Botnet Infection
(diagram only)
Why IRC?
• IRC is designed for both point-to-point and point-to-multipoint communication
• one-to-one, or one-to-group chat
• flexible, open-source protocol
Bot-to-IRC Communication
• bots authenticate to the IRC server via the PASS message
• C&C channel authentication
• the botmaster authenticates to the bot population in order to issue commands
Bot-News: Kraken
• 400,000+ nodes
• 50+ Fortune 500 companies
• 2x the size of 'Storm'
• Used for spam (bots sending 500,000+ messages daily)
Bot-News: Kraken (cont.)
• Designed as an image file
• Regular updates to the binary
• C&C communication via customized UDP/TCP
• Able to generate new domain names if C&C is disabled
Further Background
• http://www.honeynet.org/papers/bots/
• http://www.wired.com/wired/archive/14.11/botnet_pr.html
• http://en.wikipedia.org/wiki/Storm_botnet
Methodology: Malware Collection Phase
• Collection of as many bot binaries as possible
• Distributed darknet used; 14 nodes access the darknet
• Modified version of the Nepenthes (a malware collection framework) platform:
-- Mimics the replies generated by vulnerable services in order to collect the first-stage exploit or shellcode
-- Generates the URLs that are used to retrieve binaries
• A honeynet is used to complement Nepenthes in order to catch exploits it missed
-- Honeypots are unpatched Windows XP VMs
-- Honeypots become infected and are compared later to a clean Windows XP image
-- Infected honeypots are also allowed to sustain IRC connections until the VM gets reimaged
Methodology: Data Collection Architecture
(diagram only)
Methodology: Gateway
• Darknet routing to various parts of the internal network
• Cross-infection prevention among honeypots: honeypots are configured in separate VLANs; traffic across VLANs and gateways is terminated
• Monitor and analyze the malware traffic for infections
• Dynamic rule insertion: block further inbound attack traffic towards a honeypot that is already infected (each honeypot holds a single malware instance due to lack of resources)
• Other functions: triggering re-imaging with clean Windows images; pre-filtering and control during downloads; local DNS to resolve queries
Methodology: Defense Points
• With this methodology we now have the ability to model other types of bots
• Although the methodology used the Windows OS, it can be adapted to other platforms
• The methodology analyzes all aspects of bots and botnets
Results - I
A multifaceted approach to understanding the Botnet Phenomenon
Overall traffic
• 27% of total traffic is from known botnet spreaders
• 73% of traffic includes traffic from unknown botnet spreaders
• 60% of malicious binaries were IRC bots
• Only a handful were HTTP based
• The authors' concerns about the spread of botnets are justifiable
Traffic directed to vulnerable ports
• 76% of traffic targeted at vulnerable ports is from botnet spreaders
• Malicious traffic to vulnerable ports cannot be differentiated between botnet and non-botnet traffic
• It would be useful to know how much of the total traffic was directed to vulnerable ports
Peak traffic
• 90% of total traffic during peak time targets ports used by botnet spreaders
• 70% of traffic during peak time sent shell exploits similar to those sent by botnet spreaders
Probed servers
• 11% of probed servers had at least one botnet activity
• 29% of probed .com servers had at least one cache hit
• 95% of probed .cn servers had at least one cache hit
(pie chart: probed servers with at least one botnet activity vs. no botnet activity)
Botnet Types
• Total botnets captured: 192
• 34 of the 192 botnets captured were type I botnets (worm-like)
• 158 were type II
Botnets and Network types
• When commands were issued via the channel topic:
-- 80% of targeted scanning was aimed at class A networks
-- 89% of localized scanning was aimed at class B networks
• When commands were issued directly by the botmaster:
-- 88% of targeted scanning was aimed at class A networks
-- 82% of localized scanning was aimed at class B networks
DNS & IRC tracker views
• Both DNS and IRC tracker views demonstrated three types of growth pattern:
-- semi-exponential growth
-- staircase-type growth
-- linear growth
• Semi-exponential growth exhibited random scanning activity
• Staircase-type growth exhibited intermittent activity
• Linear growth exhibited time-scoped activity
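The three growth patterns above can be told apart from a tracker's cumulative footprint count alone. The following is an added example, not code from the slides or from the paper they summarize: it labels a cumulative series of distinct bots seen per time step as flat, staircase, semi-exponential or linear. The thresholds `idle_share` and `accel_ratio` and the sample series are assumptions chosen for illustration; the labels map to the slide's interpretation (intermittent activity, random scanning, time-scoped activity).

```python
"""Classify a cumulative botnet footprint series into the growth patterns
named on the slide (semi-exponential, staircase, linear).

Added example: this is not code from the slides or from the paper they
summarize. The thresholds (idle_share, accel_ratio) are assumptions chosen
for illustration; the sample series are constructed.
"""
from statistics import mean

# Constructed sample series: cumulative count of distinct bots observed at
# equal time steps, as a DNS-cache or IRC tracker view would produce.
SAMPLE_SERIES = {
    "random_scanning": [1, 2, 4, 8, 16, 32, 64, 128, 256],
    "intermittent":    [0, 0, 0, 30, 30, 30, 30, 60, 60, 60],
    "time_scoped":     [0, 10, 20, 30, 40, 50, 60, 70, 80],
    "dormant":         [5, 5, 5, 5],
}


def increments(series):
    """Per-step growth of a cumulative series; rejects series that decrease."""
    if len(series) < 3:
        raise ValueError("need at least three observations")
    inc = [later - earlier for earlier, later in zip(series, series[1:])]
    if any(x < 0 for x in inc):
        raise ValueError("a cumulative footprint series cannot decrease")
    return inc


def classify_growth(series, idle_share=0.5, accel_ratio=2.0):
    """Return 'flat', 'staircase', 'semi-exponential' or 'linear'.

    staircase:        at least idle_share of the steps add no new bots, so
                      growth comes in bursts (intermittent activity).
    semi-exponential: the mean increment in the later half of the window is
                      at least accel_ratio times that of the earlier half,
                      i.e. recruitment keeps accelerating (random scanning).
    linear:           steady increments (time-scoped activity).
    """
    inc = increments(series)
    if sum(inc) == 0:
        return "flat"
    zero_share = sum(1 for x in inc if x == 0) / len(inc)
    if zero_share >= idle_share:
        return "staircase"
    half = len(inc) // 2
    early, late = mean(inc[:half]), mean(inc[half:])
    if early > 0 and late / early >= accel_ratio:
        return "semi-exponential"
    return "linear"


def classify_all(series_by_name=SAMPLE_SERIES):
    """Label every tracked series; suitable for a periodic tracker report."""
    return {name: classify_growth(s) for name, s in series_by_name.items()}


if __name__ == "__main__":
    for name, label in classify_all().items():
        print(f"{name:18s} {label}")
```

Running the block prints one label per constructed series. The heuristic only looks at increments, so the absolute scale of the footprint does not matter; what it cannot do is distinguish a staircase whose bursts happen to be evenly spaced from slow linear growth sampled too coarsely, which is why the sampling interval should be shorter than the expected burst spacing.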
Key Points based on results
• Botnets pose serious threats to the Internet
• Major contributor of unwanted traffic on the Internet
• IRC is the dominant protocol used in botnet communications
• Botnets have achieved a high degree of sophistication in terms of self-protection mechanisms and modular package structures
Effective Botnet Sizes
• Footprint size vs. effective size: the effective size is significantly smaller; at most 3,000 bots online in networks of up to 10k bots
• Smaller effective sizes limit certain activities: timely commands; DDoS attacks
• Effective botnet sizes fluctuate with timezone changes
Lifetime
• Botnets have relatively long lifetimes
-- Even after they're shut down, they live on average for 47 days
-- 84% of servers were up longer than the 3-month survey
-- 55% of those botnets were still scanning the Internet
-- If taken offline, they can be brought back online quickly
• Bots do not stay long on IRC channels
-- Average time ~25 minutes
-- 90% stayed less than 50 minutes
-- High churn rate
• Botmasters spend great lengths of time managing and monitoring their botnets
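The footprint-versus-effective-size distinction and the short IRC dwell times on the two preceding slides are both things an IRC tracker can measure from the JOIN/PART/QUIT messages it sees in a C&C channel (the same ":nick!user@host COMMAND" message form the Bot-to-IRC Communication slide refers to). The following is an added example, not code from the slides or from the paper they summarize: it replays a constructed channel log and reports footprint size (distinct hosts ever seen), effective size (peak concurrent membership) and per-session dwell time statistics. The log lines, nicks, hosts and channel name are made up.

```python
"""Footprint size, effective size and dwell time from an IRC tracker log.

Added example: not code from the slides or the paper they summarize. It
replays a constructed channel log, such as a tracker sitting in a C&C channel
would record, and reports the quantities the two slides contrast:
  - footprint size: distinct bot hosts ever seen in the channel
  - effective size: the largest number of bots online at the same moment
  - dwell time: how long each bot session lasted before PART/QUIT
The log lines, nicks, hosts and channel name are all made up.
"""
import re
from datetime import datetime
from statistics import mean, median

# Constructed tracker log: "<ISO timestamp> <raw IRC line>". The
# ":nick!user@host COMMAND" prefix is standard IRC; the content is sample data.
SAMPLE_LOG = """\
2006-03-01T10:00:00 :bot-a1!x@10.0.0.1 JOIN #c2
2006-03-01T10:05:00 :bot-b2!x@10.0.0.2 JOIN #c2
2006-03-01T10:06:00 :bot-b2!x@10.0.0.2 PRIVMSG #c2 :status ok
2006-03-01T10:20:00 :bot-a1!x@10.0.0.1 PART #c2
2006-03-01T10:30:00 :bot-c3!x@10.0.0.3 JOIN #c2
2006-03-01T10:31:00 :bot-d4!x@10.0.0.4 JOIN #c2
2006-03-01T10:45:00 :bot-b2!x@10.0.0.2 QUIT :Ping timeout
2006-03-01T10:50:00 :bot-c3!x@10.0.0.3 PART #c2
2006-03-01T11:00:00 :bot-a1!x@10.0.0.1 JOIN #c2
2006-03-01T11:40:00 :bot-d4!x@10.0.0.4 QUIT :Connection reset by peer
2006-03-01T12:00:00 :bot-a1!x@10.0.0.1 PART #c2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) :(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+) "
    r"(?P<cmd>JOIN|PART|QUIT)(?:\s|$)"
)


def parse_events(log):
    """Yield (timestamp, nick, host, command) for each JOIN/PART/QUIT line.

    Other traffic (PRIVMSG, NOTICE, tracker chatter) is skipped.
    """
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["nick"], m["host"], m["cmd"]


def measure(log):
    """Compute footprint, effective size and per-session dwell time statistics."""
    online = {}          # nick -> (host, join time) for bots currently in the channel
    footprint = set()    # every host seen, whether or not it is online now
    effective = 0        # peak concurrent membership
    dwell_minutes = []   # one entry per completed session (a bot can rejoin)
    for ts, nick, host, cmd in parse_events(log):
        if cmd == "JOIN":
            footprint.add(host)
            online.setdefault(nick, (host, ts))   # duplicate JOIN keeps the first time
            effective = max(effective, len(online))
        else:                                      # PART or QUIT ends the session
            session = online.pop(nick, None)
            if session is not None:
                dwell_minutes.append((ts - session[1]).total_seconds() / 60)
    return {
        "footprint": len(footprint),
        "effective": effective,
        "sessions": len(dwell_minutes),
        "still_online": len(online),              # sessions with no PART/QUIT yet
        "mean_dwell_minutes": mean(dwell_minutes) if dwell_minutes else 0.0,
        "median_dwell_minutes": median(dwell_minutes) if dwell_minutes else 0.0,
        "share_under_50_minutes": (
            sum(1 for d in dwell_minutes if d < 50) / len(dwell_minutes)
            if dwell_minutes else 0.0
        ),
    }


if __name__ == "__main__":
    for key, value in measure(SAMPLE_LOG).items():
        print(f"{key:24s} {value}")
```

On the constructed log four hosts are seen in total but never more than three at once, and the five sessions average about 42 minutes, which is the footprint-versus-effective-size gap and the churn the slides describe in miniature. Footprint is keyed by host rather than nick so that a bot reconnecting under a new nick is not counted twice; sessions still open at the end of the capture are reported separately as `still_online` rather than being folded into the dwell statistics, since their length is unknown.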
Botnet Software Dissection
• 49% disable firewall and anti-virus software
• Many run identd, which is used to identify the user of a computer; used to verify bots joining an IRC channel
• 40% execute a System Security Monitor command, securing client machines from further exploitation
• Average of 15 exploits per botnet binary: bots can infect machines in a variety of ways
• Windows XP constitutes 82.6% of observed exploited hosts, with 99% of those hosts running SP1 or lower
Insight from an "Insider's View"
• Botmasters range in skill level
• Botmasters: 1. share information about networks; 2. tweak their bots to use the network efficiently; 3. prune misbehaving bots and exploit "super-bots"
• Botmasters are probably leasing their bots or attacking each other
• Most commands (75%) are for control, scanning and cloning; 7% are for attacking
Related Work
• The Honeynet group was the first to do an informal study
• Freiling et al. on countering certain classes of DDoS attacks
• Cooke et al. on the prevalence of botnets, measured by the elapsed time before an unpatched system was infected by a botnet
• Barford et al. on an in-depth analysis of bot software source code
• Vrable et al. presented Potemkin, a scalable virtual honeynet system
• Cui et al. presented RolePlayer, a protocol-independent lightweight responder that tries to overcome some of these limitations by reverting to a real server when the responder fails to produce the proper response
• Dagon et al. provide an initial analytical model for capturing the spreading behavior of botnets
Conclusion
• Long presence and few formal studies
• One of the most severe threats to the Internet; our knowledge of botnet behavior is incomplete
• To improve our understanding, we present a composite view
• Results show that botnets are a major contributor to the overall unwanted traffic on the Internet
• Botnet scanning behavior is markedly different from that seen by autonomous malware (e.g., worms) because of its manual orchestration
• IRC is still the dominant protocol used for C&C communications; its use is adapted to satisfy different botmasters' needs
• Botnet footprints are usually much larger than their effective sizes
• The graybox testing technique enabled us to understand the level of sophistication reached by bot software today