“A Multifaceted Approach to Understanding the Botnet Phenomenon”

By: Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose & Andreas Terzis
Affiliation: Computer Science Department at Johns Hopkins University
Published: Internet Measurement Conference (IMC) 2006
Presented by: Andrew Mantel
Presentation date: April 9, 2009
Class: CAP6135 – Malware and Software Vulnerability Analysis (Spring 2009)
Professor: Dr. Cliff Zou


Transcript of “A Multifaceted Approach to Understanding the Botnet Phenomenon”

Page 1: “A Multifaceted Approach to Understanding the Botnet Phenomenon”

By: Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose & Andreas Terzis

Affiliation: Computer Science Department at Johns Hopkins University

Published: Internet Measurement Conference (IMC) 2006

Presented by: Andrew Mantel
Presentation date: April 9, 2009

Class: CAP6135 – Malware and Software Vulnerability Analysis (Spring 2009)
Professor: Dr. Cliff Zou

Page 2

Goal / Motivation
Overview of botnets
Data collection
Results
Author’s conclusions
My review

Page 3

Goal:
◦ Get a better understanding of botnets

Motivation:
◦ Botnets are dangerous
◦ Malicious intent
   Extortion of Internet businesses
   E-mail spamming
   Identity theft
◦ Increase in botnet activity in recent years
◦ Despite all this, we don’t know enough details about botnet behavior!

M. A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, "A Multifaceted Approach to Understanding the Botnet Phenomenon". In IMC '06: Proceedings of the 6th ACM SIGCOMM on Internet measurement. pp. 41-52. 2006.

Page 4

Botnet Overview

Page 5

(Rajab et al, 42, Figure 1)

Page 6

Exploit software vulnerability of victim host

Same infection strategies as other malware
◦ Worms
◦ Malicious email code


(Modified from: Rajab et al, 42, Figure 1)

Page 7

Infected host executes shellcode to fetch bot binary from specified location
◦ Usually the same machine that infected it

After the download, the bot binary installs itself so it can auto start on reboot


(Modified from: Rajab et al, 42, Figure 1)

Page 8

Bot needs IP address of IRC server

Perform DNS lookup
◦ Better than hard-coding the server IP in case the IP gets blacklisted


(Modified from: Rajab et al, 42, Figure 1)

Page 9

Join server and channel specified in bot binary

May use authentication:
1) Bot authenticates to join server using password from bot binary
2) Bot authenticates to join channel using password from bot binary
3) Botmaster authenticates to bot population to send command


(Modified from: Rajab et al, 42, Figure 1)

Page 10

Bot parses and executes channel topic

Topic contains default command for all bots to execute


(Modified from: Rajab et al, 42, Figure 1)

Page 11

(Modified from: Rajab et al, 42, Figure 1)

Page 12

Data Collection

Page 13

(Modified from: Rajab et al, 43, Figure 2)

Page 14

Three main phases:
1) Malware collection
   Goal: Collect bot binaries
2) Binary analysis via gray-box testing
   Goal: Analyze bot binaries
3) Longitudinal tracking of botnets
   Goal: Use binary analysis to track real botnets


Page 15


(Modified from: Rajab et al, 43, Figure 2)

Page 16

Goal: Collect bot binaries
Setup: Receive connections from distributed darknet
◦ Darknet = an allocated but unused portion of the IP address space

Two types of collectors:
1) Nepenthes
   Mimics replies of a vulnerable service to retrieve the shellcode
   Pass URL in shellcode to download station to retrieve the bot binary
2) Honeypot
   Implemented to handle cases where nepenthes failed
   Windows XP running on VM connected by VLAN
   Collects the bot binary itself


Page 17

Gateway provides multiple functions:
1) Route darknet traffic to local responders (nepenthes) and honeypots
   About a 50/50 split
2) Firewall to stop honeypot from outgoing attack or cross infections
3) Allow honeypot to connect to IRC server but not do any further communication
4) Other miscellaneous functions


Page 18


(Modified from: Rajab et al, 43, Figure 2)

Page 19


(Modified from: Rajab et al, 43, Figure 2)

Page 20

Goal: Analyze bot binaries
Setup: Windows XP with bot binary on VM connected to a network sink
◦ Sink monitors all network traffic

Two steps:
1) Network fingerprint
2) IRC-related features


Page 21

Network fingerprint
◦ fnet = {DNS, IPs, Ports, scan}
   DNS = targets of any DNS requests
   IPs = destination IP addresses
   Ports = contacted ports
   Scan = whether the bot tried to IP scan

IRC-related features
◦ Create IRC daemon to listen to all ports specified by fnet
◦ When bot tries to connect to IRC server, create IRC fingerprint: firc = {PASS, NICK, USER, MODE, JOIN}

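The two fingerprints on this slide are easy to misread as abstract sets, so here is an added example (not code from the paper or the authors' gray-box testing harness) that derives fnet from constructed network-sink records and firc from a constructed transcript of what the local IRC daemon received. The record format, the "dns:" note convention, the scan heuristic (SYNs to at least eight distinct hosts on one port) and the nick-templating rule are all assumptions of this example.

```python
"""Build the network fingerprint f_net and the IRC fingerprint f_irc for one
sandboxed bot run, from the records the network sink and the local IRC daemon
collected. Added example; the record formats and all values are constructed."""
import re
from collections import defaultdict

# f_irc keeps the first instance of each of these client commands.
IRC_COMMANDS = ("PASS", "NICK", "USER", "MODE", "JOIN")

# Constructed sink records: (proto, dst_ip, dst_port, note). The "dns:<name>"
# note is this example's convention for a DNS query the sink saw.
SINK_LOG = [
    ("udp", "192.0.2.53", 53, "dns:irc.example.invalid"),
    ("tcp", "198.51.100.7", 6667, "syn"),
    ("tcp", "198.51.100.7", 6667, "data"),
] + [("tcp", f"203.0.113.{i}", 445, "syn") for i in range(1, 11)]

# Constructed transcript of what the local IRC daemon received from the bot.
IRC_SESSION = [
    "PASS s3cret",
    "NICK [00|USA|123456]",
    "USER xyz 0 0 :xyz",
    "MODE [00|USA|123456] +xi",
    "JOIN #chan k3y",
    "PRIVMSG #chan :hello",  # not part of f_irc
]


def network_fingerprint(sink_log, scan_threshold=8):
    """Return f_net = {DNS, IPs, Ports, scan}. 'scan' is a heuristic assumed
    here: SYNs to at least scan_threshold distinct hosts on one port."""
    dns, ips, ports = set(), set(), set()
    syn_targets = defaultdict(set)  # port -> distinct destination hosts
    for proto, dst_ip, dst_port, note in sink_log:
        ips.add(dst_ip)
        ports.add(dst_port)
        if note.startswith("dns:"):
            dns.add(note[len("dns:"):])
        elif proto == "tcp" and note == "syn":
            syn_targets[dst_port].add(dst_ip)
    scan = any(len(hosts) >= scan_threshold for hosts in syn_targets.values())
    return {"DNS": dns, "IPs": ips, "Ports": ports, "scan": scan}


def irc_fingerprint(session_lines):
    """Return f_irc: the arguments of the first PASS/NICK/USER/MODE/JOIN seen."""
    firc = {}
    for line in session_lines:
        cmd, _, args = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd in IRC_COMMANDS and cmd not in firc:
            firc[cmd] = args
    return firc


def nick_template(nick):
    """Generalise a captured nick into a template a tracking drone could reuse:
    digit runs become a placeholder (this templating rule is an assumption)."""
    return re.sub(r"\d+", "<rand>", nick)


def listen_ports(fnet):
    """Ports the local IRC daemon should listen on: every port f_net recorded."""
    return sorted(fnet["Ports"])


if __name__ == "__main__":
    fnet = network_fingerprint(SINK_LOG)
    firc = irc_fingerprint(IRC_SESSION)
    print("f_net:", fnet)
    print("IRC daemon listen ports:", listen_ports(fnet))
    print("f_irc:", firc)
    print("nick template:", nick_template(firc["NICK"]))
```

The scan flag is what makes the sink more than a connection logger: a burst of SYNs to one port across many hosts is the signature of a spreading bot, and the threshold is the knob an analyst tunes against false positives from ordinary multi-host protocols.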

Page 22

fnet and firc provide enough information to join a real botnet
However, still need botnet “dialect”
◦ dialect = “the syntax of the botmaster’s commands as well as the corresponding responses sent by the actual bot” (Rajab et al, 44)

To learn dialect:
◦ Let bot connect to local IRC server
◦ Bot connects to default channel
◦ IRC query engine plays the role of the botmaster, generating commands
◦ What commands to generate?
   Those observed by honeynet
   Known commands of observed botnets


Page 23


(Modified from: Rajab et al, 43, Figure 2)

Page 24

(Modified from: Rajab et al, 43, Figure 2)

Page 25

Two mechanisms:
1) IRC tracking
2) DNS tracking

IRC tracker (drone)
◦ Drone is given firc and template
◦ Connects to real IRC server and pretends to participate
◦ Must be intelligent enough to mimic a real bot
◦ Can have multiple drones per machine
   Have drone periodically disconnect from server
   Change drone external IP


Page 26

DNS tracking
◦ Exploits the fact that most bots issue DNS queries to resolve IP address of IRC server
◦ Probe caches of large number of DNS servers (800,000) for botnet domain name
◦ Record number of hits as the DNS footprint of the botnet
◦ This is merely a lower bound
   Bot must have DNS queried within TTL time-span of DNS server
   Only indicates a single hit to that DNS server, but could have been many hits
◦ Still, a good relative measure

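The cache probe on this slide works because a query with the recursion-desired (RD) bit cleared is answered only from what the resolver already holds. The following added example (not the authors' DNS tracker) builds such a probe in DNS wire format, classifies a reply as cached, not cached or refused, reads the remaining TTL from a cached answer, and totals the hits into the footprint. The C&C name, the resolver addresses and every reply are constructed inline; nothing is sent on the network.

```python
"""DNS cache probing as the paper's DNS tracker uses it: ask a resolver for the
botnet's IRC server name with recursion disabled (RD=0), so the resolver only
answers if the name is already in its cache. Added example, not the authors'
tool; the name, resolver list and responses are constructed."""
import struct

TXID = 0x1234  # constructed transaction id
QNAME = "irc.example.invalid"  # constructed botnet C&C name


def build_probe(qname, txid=TXID):
    """Wire-format A query with the RD bit cleared (flags word is all zero)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes
            return off + 2
        off += 1 + length


def classify_response(resp, txid=TXID):
    """Decide whether the resolver served the name from cache.
    Returns {'status': 'cached'|'not_cached'|'refused', 'ttl': remaining TTL or None}."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    if rcode != 0:
        return {"status": "refused", "ttl": None}  # REFUSED/SERVFAIL: no information
    if ancount == 0:
        return {"status": "not_cached", "ttl": None}
    off = 12
    for _ in range(qdcount):  # skip the question section
        off = _skip_name(resp, off) + 4
    off = _skip_name(resp, off)  # first answer RR: name, then type/class/ttl/rdlength
    _, _, ttl, _ = struct.unpack("!HHIH", resp[off:off + 10])
    return {"status": "cached", "ttl": ttl}


def dns_footprint(responses, txid=TXID):
    """Count resolvers whose cache held the name: the DNS footprint. A lower
    bound, since one cache hit may stand for many bots and expired entries are missed."""
    hits, status_by_resolver = 0, {}
    for resolver, resp in responses:
        status = classify_response(resp, txid)["status"]
        status_by_resolver[resolver] = status
        hits += status == "cached"
    return hits, status_by_resolver


def constructed_response(query, cached, ttl=1800, rcode=0):
    """Fabricate a resolver reply to the given query (QR=1, RA=1, RD echoed as 0)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    answer = b""
    if cached:  # name pointer to offset 12, A record, remaining TTL, 4-byte rdata
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes([198, 51, 100, 7])
    header = struct.pack("!HHHHHH", txid, 0x8080 | rcode, 1, 1 if cached else 0, 0, 0)
    return header + question + answer


# Constructed probe results from three resolvers (RFC 5737 documentation addresses).
PROBE = build_probe(QNAME)
RESPONSES = [
    ("192.0.2.1", constructed_response(PROBE, cached=True, ttl=1800)),
    ("192.0.2.2", constructed_response(PROBE, cached=False)),
    ("192.0.2.3", constructed_response(PROBE, cached=False, rcode=5)),  # REFUSED
]

if __name__ == "__main__":
    hits, detail = dns_footprint(RESPONSES)
    print(f"footprint of {QNAME}: {hits} of {len(RESPONSES)} resolvers", detail)
```

The remaining TTL is the detail the slide's "within TTL time-span" caveat hinges on: a cached entry is visible only until it expires, so a probe that lands after expiry counts as a miss even if a bot queried the name earlier. The third, refused reply is the case a resolver operator sees from the other side; a resolver that declines non-recursive queries from outside its network contributes nothing to this kind of footprint.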

Page 27

(Modified from: Rajab et al, 43, Figure 2)

Page 28

(Modified from: Rajab et al, 43, Figure 2)

Page 29

Results

Page 30

Mapped total # of incoming SYN packets to local darknet vs. those originating from known botnet spreaders
◦ Known botnet spreader = any source observed to have delivered a bot binary
Approximately 27% of incoming SYNs came from known botnet spreaders
This is a lower-bound estimate


Page 31

Overview:
◦ During DNS probing experiments, tracked 65 IRC server domain names
◦ Of the 800,000 probed servers, 85,000 (11%) had at least one botnet activity
Let’s take a closer look at globally tracking a single botnet IRC server


Page 32

(star is the IRC server, clouds are connections)


(Rajab et al, 47, Figure 6)

Page 33

Two types of spreaders:
◦ Type I: worm-like botnets
   17.7% of observed botnets
   Continuously scan certain ports following a given target selection algorithm
◦ Type II: variable scanning botnet
   Majority botnet type
   Use different algorithms to scan
   Only scan when commanded to
   Different growth patterns (semi-exponential, staircase, linear)… harder to track


Page 34

(Cropped from: Rajab et al, 48, Figure 7)


Page 35

Effective size = # of bots connected to the IRC server at a specific time

Observed that a botnet’s effective size is much smaller than its footprint
◦ Bots usually only stay connected for about 25 minutes
◦ May be due to client instability as a result of infection
◦ More likely, botmaster tells them to leave

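Footprint and effective size come from the same drone log, so the gap between them is best seen by computing both from one set of join/quit events. The added example below (not code from the paper) does that over a constructed channel log: footprint is the number of distinct bots seen over the whole period, effective size is the number connected at an instant, and the per-session durations give the short dwell times this slide describes. The log format and the nicks are assumptions of this example.

```python
"""Footprint versus effective size of a tracked botnet, computed from the join
and quit events an IRC tracking drone would log for the channel. Added example,
not code from the paper; the event log below is constructed."""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed drone log: (timestamp, event, bot nick).
EVENTS = [
    ("2006-03-01 10:00", "JOIN", "bot-a"),
    ("2006-03-01 10:05", "JOIN", "bot-b"),
    ("2006-03-01 10:15", "JOIN", "bot-c"),
    ("2006-03-01 10:20", "QUIT", "bot-a"),
    ("2006-03-01 10:35", "QUIT", "bot-b"),
    ("2006-03-01 11:00", "QUIT", "bot-c"),
    ("2006-03-01 11:10", "JOIN", "bot-a"),  # the same bot reconnects
    ("2006-03-01 11:40", "QUIT", "bot-a"),
]


def _parsed(events):
    """Events as (datetime, event, nick), in time order."""
    return sorted((datetime.strptime(ts, FMT), ev, nick) for ts, ev, nick in events)


def footprint(events):
    """Footprint: distinct bots seen over the whole observation period."""
    return len({nick for _, _, nick in events})


def effective_size(events, at):
    """Effective size: bots connected at instant `at` (a string in FMT)."""
    when = datetime.strptime(at, FMT)
    connected = set()
    for ts, ev, nick in _parsed(events):
        if ts > when:
            break
        (connected.add if ev == "JOIN" else connected.discard)(nick)
    return len(connected)


def peak_effective_size(events):
    """Largest number of bots connected at once."""
    connected, peak = set(), 0
    for _, ev, nick in _parsed(events):
        (connected.add if ev == "JOIN" else connected.discard)(nick)
        peak = max(peak, len(connected))
    return peak


def session_minutes(events):
    """Per-session connection lengths in minutes, plus the number of sessions
    still open when the log ends (those are censored and not counted)."""
    open_since, durations = {}, []
    for ts, ev, nick in _parsed(events):
        if ev == "JOIN":
            open_since[nick] = ts
        elif nick in open_since:
            durations.append((ts - open_since.pop(nick)).total_seconds() / 60)
    return durations, len(open_since)


def mean_session_minutes(events):
    """Average dwell time of a bot on the server, over completed sessions."""
    durations, _ = session_minutes(events)
    return sum(durations) / len(durations) if durations else 0.0


if __name__ == "__main__":
    print("footprint:", footprint(EVENTS))
    print("effective size at 10:17:", effective_size(EVENTS, "2006-03-01 10:17"))
    print("peak effective size:", peak_effective_size(EVENTS))
    print("mean session (min):", mean_session_minutes(EVENTS))
```

Two details matter when applying this to a real drone log: a bot that reconnects under the same nick must count once in the footprint but as two sessions, and a session still open when the drone disconnects has no known length, so it is reported separately rather than silently shortened.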

Page 36

Botnets have a long lifetime
◦ 84% of the observed IRC servers were still up at the end of their study
Bots can disable anti-virus/firewall processes and protect themselves from being disabled
Infection frequency by OS:


(Rajab et al, 50, Table 4)

Page 37

Botnets are very dangerous
Botnets are a major contributor to unwanted traffic on the Internet
By understanding botnets, we will be better able to deal with them


Page 38

My Review

Page 39

Good overview of botnet basics
Detailed botnet analyzing architecture
Architecture attacked the problem from multiple fronts
◦ nepenthes + honeypots
◦ IRC tracking + DNS tracking
Graphs/tables for most data
Results supported by cross referencing data
Even more data made publicly available:
<http://hinrg.cs.jhu.edu/botnets/>

Page 40

Not many weaknesses… authors were very thorough

Architecture was completely automated, so missed out on smarter botnets

How accurate is “botnet traffic share” based only on traffic to a darknet?

One important piece of data they should have reported in the paper: average botnet fingerprint sizes

Page 41

Improve intelligence of:
◦ nepenthes
◦ Botmaster IRC query engine
◦ Bot dialect template acquisition

Update data to keep track of current botnets

Monitor botnet traffic share within used IP space

Discuss ways to apply this data to prevent botnet formation

Page 42

[1] M. A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, "A Multifaceted Approach to Understanding the Botnet Phenomenon". In IMC '06: Proceedings of the 6th ACM SIGCOMM on Internet measurement. pp. 41-52. 2006.