“A Multifaceted Approach to Understanding the Botnet Phenomenon”
description
Transcript of “A Multifaceted Approach to Understanding the Botnet Phenomenon”
By: Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose & Andreas Terzis
Affiliation: Computer Science Department at Johns Hopkins University
Published: Internet Measurement Conference (IMC) 2006
Presented by: Andrew Mantel
Presentation date: April 9, 2009
Class: CAP6135 – Malware and Software Vulnerability Analysis (Spring 2009)
Professor: Dr. Cliff Zou
Goal / Motivation
Overview of botnets
Data collection
Results
Authors’ conclusions
My review
Goal:
◦ Get a better understanding of botnets
Motivation:
◦ Botnets are dangerous
◦ Malicious intent: extortion of Internet businesses, e-mail spamming, identity theft
◦ Increase in botnet activity in recent years
◦ Despite all this, we don’t know enough details about botnet behavior!
M. A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, "A Multifaceted Approach to Understanding the Botnet Phenomenon". In IMC '06: Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, pp. 41-52, 2006.
Botnet Overview
(Rajab et al, 42, Figure 1)
Exploit a software vulnerability of the victim host
Same infection strategies as other malware
◦ Worms
◦ Malicious email code
(Modified from: Rajab et al, 42, Figure 1)
Infected host executes shellcode to fetch the bot binary from a specified location
◦ Usually the same machine that infected it
After the download, the bot binary installs itself so it can auto-start on reboot
(Modified from: Rajab et al, 42, Figure 1)
Bot needs the IP address of the IRC server
Perform a DNS lookup
◦ Better than hard-coding the server IP in case the IP gets blacklisted
(Modified from: Rajab et al, 42, Figure 1)
Join the server and channel specified in the bot binary
May use authentication:
1) Bot authenticates to join the server using a password from the bot binary
2) Bot authenticates to join the channel using a password from the bot binary
3) Botmaster authenticates to the bot population to send commands
(Modified from: Rajab et al, 42, Figure 1)
Bot parses and executes channel topic
Topic contains default command for all bots to execute
(Modified from: Rajab et al, 42, Figure 1)
Data Collection
(Modified from: Rajab et al, 43, Figure 2)
Three main phases:
1) Malware collection
  Goal: Collect bot binaries
2) Binary analysis via gray-box testing
  Goal: Analyze bot binaries
3) Longitudinal tracking of botnets
  Goal: Use the binary analysis to track real botnets
(Modified from: Rajab et al, 43, Figure 2)
Goal: Collect bot binaries
Setup: Receive connections from a distributed darknet
◦ Darknet = an allocated but unused portion of the IP address space
Two types of collectors:
1) Nepenthes
  Mimics replies of a vulnerable service to retrieve the shellcode
  Passes the URL in the shellcode to a download station to retrieve the bot binary
2) Honeypot
  Implemented to handle cases where nepenthes failed
  Windows XP running on a VM connected by VLAN
  Collects the bot binary itself
Gateway provides multiple functions:
1) Route darknet traffic to local responders (nepenthes) and honeypots, about a 50/50 split
2) Firewall to stop the honeypot from launching outgoing attacks or cross-infections
3) Allow the honeypot to connect to the IRC server but not to do any further communication
4) Other miscellaneous functions
(Modified from: Rajab et al, 43, Figure 2)
Goal: Analyze bot binaries
Setup: Windows XP with the bot binary on a VM connected to a network sink
◦ Sink monitors all network traffic
Two steps:
1) Network fingerprint
2) IRC-related features
Network fingerprint
◦ fnet = {DNS, IPs, Ports, scan}
  DNS = targets of any DNS requests
  IPs = destination IP addresses
  Ports = contacted ports
  scan = whether the bot tried to IP scan
IRC-related features
◦ Create an IRC daemon listening on all ports specified by fnet
◦ When the bot tries to connect to the IRC server, create the IRC fingerprint: firc = {PASS, NICK, USER, MODE, JOIN}
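As an added illustration of the two fingerprints (this is not code from the paper or from this presentation), the following Python derives fnet from constructed network-sink records and firc from the constructed client lines a local IRC daemon would record, and also pulls the default command out of the channel topic (numeric 332) described earlier under Botnet Overview. The sink log, IRC lines, nick format, topic text and the scan threshold of 20 distinct hosts on one port are all assumptions made for the example.

```python
"""Gray-box analysis of a bot sample: derive f_net from network-sink records
and f_irc plus the channel topic from the sample's IRC session.
Added example; not code from the paper or the presentation. The sink log,
IRC lines and scan threshold below are constructed assumptions."""
from collections import defaultdict

# Constructed sink records: (dst_ip, dst_port, DNS name queried or None).
# A DNS lookup, one IRC connection, then a sweep of 40 hosts on 445/tcp.
SINK_LOG = [
    ("10.0.0.53", 53, "irc.example-botnet.test"),
    ("203.0.113.7", 6667, None),
] + [(f"198.51.100.{i}", 445, None) for i in range(1, 41)]

# Constructed client->server lines recorded by the local IRC daemon that
# listened on port 6667 (a port taken from f_net).
IRC_CLIENT_LINES = [
    "PASS s3cretjoin",
    "NICK [00|USA|123456]",
    "USER xyz 0 0 :xyz",
    "MODE [00|USA|123456] +xi",
    "JOIN #botnet chanpass",
]

# Constructed server->client lines; 332 (RPL_TOPIC) carries the topic the
# bot parses as its default command. The command text is made up.
IRC_SERVER_LINES = [
    ":irc.example-botnet.test 001 [00|USA|123456] :Welcome",
    ":irc.example-botnet.test 332 [00|USA|123456] #botnet :.scan 445 200 5 0 -r -s",
]

# Assumption: contacting this many distinct hosts on one port counts as a scan.
SCAN_THRESHOLD = 20


def network_fingerprint(log, scan_threshold=SCAN_THRESHOLD):
    """f_net = {DNS, IPs, Ports, scan} from sink records."""
    hosts_per_port = defaultdict(set)
    for ip, port, _ in log:
        hosts_per_port[port].add(ip)
    return {
        "DNS": sorted({name for _, _, name in log if name}),
        "IPs": sorted({ip for ip, _, _ in log}),
        "Ports": sorted(hosts_per_port),
        "scan": any(len(h) >= scan_threshold for h in hosts_per_port.values()),
    }


def irc_fingerprint(client_lines):
    """f_irc = {PASS, NICK, USER, MODE, JOIN}: first occurrence of each
    registration command the sample sent, parameters kept verbatim."""
    wanted = ("PASS", "NICK", "USER", "MODE", "JOIN")
    firc = {}
    for line in client_lines:
        cmd, _, params = line.strip().partition(" ")
        if cmd.upper() in wanted and cmd.upper() not in firc:
            firc[cmd.upper()] = params
    return firc


def channel_topic(server_lines):
    """(channel, topic) from the first RPL_TOPIC (numeric 332), or None."""
    for line in server_lines:
        if not line.startswith(":"):
            continue
        _prefix, _, rest = line[1:].partition(" ")
        parts = rest.split(" ", 3)          # numeric, nick, channel, :topic
        if len(parts) == 4 and parts[0] == "332":
            topic = parts[3]
            return parts[2], topic[1:] if topic.startswith(":") else topic
    return None


def drone_join_sequence(firc):
    """Registration lines a tracking drone replays to join the real server
    as a look-alike bot; servers expect PASS before NICK/USER."""
    order = ("PASS", "NICK", "USER", "MODE", "JOIN")
    return [f"{cmd} {firc[cmd]}" for cmd in order if cmd in firc]


if __name__ == "__main__":
    fnet = network_fingerprint(SINK_LOG)
    print("f_net:", fnet["DNS"], fnet["Ports"], "scan =", fnet["scan"])
    print("f_irc:", irc_fingerprint(IRC_CLIENT_LINES))
    print("default command:", channel_topic(IRC_SERVER_LINES))
```

The scan flag is the fragile part in practice: a sample that only scans when commanded (the paper's Type II behaviour, see Results) shows no sweep during a passive sandbox run, so fnet alone under-reports scanning and the dialect step is what triggers it.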
fnet and firc provide enough information to join a real botnet
However, we still need the botnet “dialect”
◦ dialect = “the syntax of the botmaster’s commands as well as the corresponding responses sent by the actual bot” (Rajab et al, 44)
To learn the dialect:
◦ Let the bot connect to a local IRC server
◦ Bot connects to the default channel
◦ IRC query engine plays the role of the botmaster, generating commands
◦ What commands to generate?
  Those observed by the honeynet
  Known commands of observed botnets
(Modified from: Rajab et al, 43, Figure 2)
Two mechanisms:
1) IRC tracking
2) DNS tracking
IRC tracker (drone)
◦ Drone is given firc and the dialect template
◦ Connects to the real IRC server and pretends to participate
◦ Must be intelligent enough to mimic a real bot
◦ Can have multiple drones per machine
  Have each drone periodically disconnect from the server
  Change the drone’s external IP
DNS tracking
◦ Exploits the fact that most bots issue DNS queries to resolve the IP address of the IRC server
◦ Probe the caches of a large number of DNS servers (800,000) for the botnet domain name
◦ Record the number of hits as the DNS footprint of the botnet
◦ This is merely a lower bound
  A bot must have queried that DNS server within the TTL time-span of the record
  A hit only shows that the server answered at least once; there could have been many lookups behind it
◦ Still, a good relative measure
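The probing step above is DNS cache snooping. The Python below is an added example, not code from the paper, of how such a probe is built and how its answer is read; it assumes the probe is an A query with the RD (recursion desired) bit cleared, so a resolver replies only from its cache, and it builds the resolver responses in-process (constructed bytes, nothing is sent) so the footprint count can be checked offline.

```python
"""DNS cache probing, the mechanism behind the paper's DNS tracking.
Added example; not code from the paper. Assumption: a probe is an A query
with the RD (recursion desired) bit cleared, so the resolver answers only
from its cache; a non-empty answer section means some client behind that
resolver looked the name up within the record's TTL. All packets here are
built in-process; nothing is sent on the network."""
import struct

HEADER = ">HHHHHH"   # id, flags, qdcount, ancount, nscount, arcount


def encode_name(qname):
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_probe(qname, txid=0x1234):
    """Non-recursive A/IN query: flags are all zero, so RD=0."""
    return (struct.pack(HEADER, txid, 0x0000, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack(">HH", 1, 1))


def _skip_name(pkt, off):
    """Advance past a (possibly compressed) name in the packet."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer, two bytes
            return off + 2
        off += 1 + length


def parse_reply(pkt):
    """Header fields plus the TTL of every answer record."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(HEADER, pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4            # qtype, qclass
    ttls = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        _rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        ttls.append(ttl)
        off += 10 + rdlen
    return {"txid": txid, "rcode": flags & 0x000F, "answers": an, "ttls": ttls}


def cache_hit(probe, reply):
    """True when the resolver answered the non-recursive probe from cache.
    REFUSED (rcode 5) from a resolver that rejects RD=0 is not a hit."""
    p, r = parse_reply(probe), parse_reply(reply)
    return r["txid"] == p["txid"] and r["rcode"] == 0 and r["answers"] > 0


def dns_footprint(qname, replies_by_resolver):
    """Number of probed resolvers holding qname: the paper's lower-bound
    footprint (one hit per resolver, however many bots sit behind it)."""
    probe = build_probe(qname)
    return sum(cache_hit(probe, r) for r in replies_by_resolver.values())


def constructed_reply(probe, cached, ttl=300, rcode=0):
    """Constructed resolver response for offline use: echoes the TXID and
    question, sets QR=1, and carries one A record if `cached`."""
    txid = struct.unpack(">H", probe[:2])[0]
    question = probe[12:]
    flags = 0x8000 | rcode
    if not cached:
        return struct.pack(HEADER, txid, flags, 1, 0, 0, 0) + question
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + bytes([192, 0, 2, 10])
    return struct.pack(HEADER, txid, flags, 1, 1, 0, 0) + question + rr


if __name__ == "__main__":
    probe = build_probe("irc.example-botnet.test")
    replies = {
        "resolver-a": constructed_reply(probe, cached=True, ttl=250),
        "resolver-b": constructed_reply(probe, cached=False),
        "resolver-c": constructed_reply(probe, cached=False, rcode=5),
        "resolver-d": constructed_reply(probe, cached=True),
    }
    print("footprint:", dns_footprint("irc.example-botnet.test", replies))
```

The remaining TTL in a hit is worth keeping: compared with the record's original TTL it bounds how long ago the last lookup happened, which is why a single probe round only sees bots that resolved the name within one TTL window, the first of the two lower-bound caveats above.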
(Modified from: Rajab et al, 43, Figure 2)
Results
Mapped the total # of incoming SYN packets to the local darknet vs. those originating from known botnet spreaders
◦ Known botnet spreader = any source observed to have delivered a bot binary
Approximately 27% of incoming SYNs came from known botnet spreaders
This is a lower-bound estimate
Overview:
◦ During the DNS probing experiments, tracked 65 IRC server domain names
◦ Of the 800,000 probed servers, 85,000 (11%) showed at least one botnet activity
Let’s take a closer look at globally tracking a single botnet IRC server
(star is the IRC server, clouds are connections)
(Rajab et al, 47, Figure 6)
Two types of spreaders:
◦ Type I: worm-like botnets
  17.7% of observed botnets
  Continuously scan certain ports following a given target selection algorithm
◦ Type II: variable-scanning botnets
  Majority botnet type
  Use different algorithms to scan
  Only scan when commanded to
  Different growth patterns (semi-exponential, staircase, linear)… harder to track
(Cropped from: Rajab et al, 48, Figure 7)
effective size = # of bots connected to the IRC server at a specific time
Observed that a botnet’s effective size is much smaller than its footprint
◦ Bots usually only stay connected for about 25 minutes
◦ May be due to client instability as a result of infection
◦ More likely, the botmaster tells them to leave
Botnets have a long lifetime
◦ 84% of the observed IRC servers were still up at the end of the study
Bots can disable anti-virus/firewall processes and protect themselves from being disabled
Infection frequency by OS:
(Rajab et al, 50, Table 4)
Authors’ Conclusions
Botnets are very dangerous
Botnets are a major contributor to unwanted traffic on the Internet
By understanding botnets, we will be better able to deal with them
My Review
Good overview of botnet basics
Detailed botnet analyzing architecture
Architecture attacked the problem from multiple fronts
◦ nepenthes + honeypots
◦ IRC tracking + DNS tracking
Graphs/tables for most data
Results supported by cross-referencing data
Even more data made publicly available:
<http://hinrg.cs.jhu.edu/botnets/>
Not many weaknesses… authors were very thorough
Architecture was completely automated, so it missed out on smarter botnets
How accurate is “botnet traffic share” based only on traffic to a darknet?
One important piece of data they should have reported in the paper: average botnet fingerprint sizes
Improve intelligence of:
◦ nepenthes
◦ Botmaster IRC query engine
◦ Bot dialect template acquisition
Update data to keep track of current botnets
Monitor botnet traffic share within used IP space
Discuss ways to apply this data to prevent botnet formation
[1] M. A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, "A Multifaceted Approach to Understanding the Botnet Phenomenon". In IMC '06: Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, pp. 41-52, 2006.