Botnets (lecture slides transcript)
Dr. Neminath Hubballi
IIT Indore © Neminath Hubballi
Introduction
- Bot: a program performing an automated task. A bot in itself is not bad.
- A botnet is a collection of computers which are connected and work under the instruction of a master in order to accomplish something.
- Typically botnets are used for committing computer crimes.
- A botnet is controlled by a person or a group of people, usually with monetary interests:
  - Advertisement companies
  - Spam sending companies: outsource the work to bots
Motivation
- A report from Damballa, 2010: the number of infections increased at the rate of 8% per week.
- Almost every newly created botnet overtakes the previous largest one.
- Financial profits: user credential stealing, click fraud
- Political interests
- Illegal activities include: DDoS attacks, spamming, traffic sniffing, spreading malware, port scanning, key loggers, etc.
Components of a Botnet Infrastructure
- Command and Control (C&C) infrastructure
  - Centralized: client-server model
  - Distributed: works more autonomously; also called peer-to-peer botnets
- The C&C infrastructure is crucial: it has to maintain stable connectivity
  - Robustness, stability, reaction time, communication protocol
Centralized Control
Multiple communication channels with the master.
Courtesy: Botnets: Detection, Measurement, Disinfection & Defense, European Network and Information Security Agency
Decentralized Control
Each bot propagates commands to the others.
Courtesy: Botnets: Detection, Measurement, Disinfection & Defense, European Network and Information Security Agency
Botnets Types
There are 2 types of botnets:
- Operate through IRC
- Operate through a web server
- Operate as a peer-to-peer network
Internet Relay Chat (IRC) based
- Uses a push model of communication: the master pushes commands for execution to the bots.
- All bots receive commands through IRC PRIVMSG, understand the instruction, execute the command and send back the results.
- In order to issue commands, the botmaster first authenticates herself with a username and password.
- Advantages: open source; easy to modify; two-way communication; real-time connectivity; public and private mode interaction.
- Disadvantages: single point of failure; easily detectable.
Communication Over IRC
Sequence of events:
1. Master authenticates
2. Master queries info about the botnet (version number)
3. Master queries system information
4. Master issues an instruction to scan other potentially vulnerable machines
5. Bot replies with the scan results
Courtesy: BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic
HTTP based
- This type of botnet uses HTTP as the communication medium.
- Uses a pull model of interaction: bots periodically poll the master, requesting new commands to be issued.
- Bots connect to the master through an HTTP POST method (normally used for form submissions).
- Advantage of using HTTP: it becomes difficult to detect, since port 80 is open in all firewalls.
- Normally encryption is used to avoid detection and eavesdropping.
Role of DNS in Botnet
- DNS has an important role to play in botnet networks: it allows changes to be made to the botnet infrastructure transparently.
- Fast flux networks:
  - Create a domain evil.com; the authoritative DNS server for evil.com is owned by the attacker.
  - The attacker has multiple infected machines in her possession.
  - The RR (resource record) mapping is changed at a very high frequency, so each time a client connects it reaches a different infected (bot) machine.
  - All of these bot machines act as a proxy to the bot server.
  - This increases the resiliency of the botnet infrastructure.
Fast Flux Network
Courtesy: Botnets: Detection, Measurement, Disinfection & Defense, European Network and Information Security Agency
Who Suffers from Botnet
Three entities:
- Victim: suffers directly
- ISP: has to carry a lot of malicious traffic
- Third party: effect of the malware
Defense:
- Victim: corporates have to protect their IT assets
- ISP: detect malicious traffic
- Third party: keep the machine clean
Threat Characterization
Botnet size and origin:
- Footprint: number of infected machines; indicates the scaling factor
- Live population: how many of the infected machines are currently able to interact using the C&C infrastructure
- Spam throughput: received spam emails per unit of time
- Freshness of IP addresses in spam emails: a fresh one is better
- Bandwidth usable for DDoS attacks
- Harvested personal data: more data approximately leads to more financial gain
Botnet Detection
There are two types of detection mechanisms:
- Passive techniques: activity can be tracked without interfering with the environment (no disturbance)
- Active techniques: blocking malicious domains and identifying infected machines
Source of Data for Passive Detection
Packet analysis:
- Shell code detection
- Protocol field, combination of some fields, etc.
Drawbacks:
- Full packet inspection is difficult; scaling is a factor
- Only known patterns are detected
- If the attack code is split across multiple packets or streams, it is far more difficult to detect
Source of Data for Passive Detection
Flow record analysis:
- A flow is a summary of what transpired in a communication. Typical attributes are:
  - Source and destination address
  - Related port numbers
  - Protocol used inside the packets
  - Duration of the session
  - Cumulative size and number of transmitted packets
- Drawbacks: the payload is ignored; all sessions have to be tracked (switches and routers do it for you)
Courtesy: BotGrep
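The pull-model polling described in the HTTP section leaves a signature in exactly the flow attributes listed above: a bot on a timer produces flows to the same host and port at almost constant intervals, while human traffic is bursty. The following is an added example, not code from the lecture or from BotGrep; the flow records and the thresholds (minimum flow count, maximum coefficient of variation) are constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed flow records, not captured traffic: (src, dst, dst_port, start_s, bytes).
# 10.0.0.5 polls its server every ~300 s; 10.0.0.7 is ordinary bursty browsing.
FLOWS = [
    ("10.0.0.5", "203.0.113.9", 80, 0.0, 420),
    ("10.0.0.5", "203.0.113.9", 80, 300.4, 418),
    ("10.0.0.5", "203.0.113.9", 80, 600.1, 421),
    ("10.0.0.5", "203.0.113.9", 80, 899.8, 419),
    ("10.0.0.5", "203.0.113.9", 80, 1200.2, 420),
    ("10.0.0.5", "203.0.113.9", 80, 1500.0, 417),
    ("10.0.0.7", "198.51.100.20", 443, 12.0, 5310),
    ("10.0.0.7", "198.51.100.20", 443, 95.0, 20480),
    ("10.0.0.7", "198.51.100.20", 443, 97.5, 1200),
    ("10.0.0.7", "198.51.100.20", 443, 640.0, 88000),
    ("10.0.0.7", "198.51.100.20", 443, 641.3, 3400),
    ("10.0.0.7", "198.51.100.20", 443, 2000.0, 900),
]

def polling_candidates(flows, min_flows=5, max_cv=0.1):
    """Return (src, dst, port, mean_gap_s) for host pairs whose flow start times
    are almost evenly spaced. Regularity is measured as the coefficient of
    variation (stdev / mean) of the inter-flow gaps; a bot polling on a timer
    has a CV near zero, human traffic does not."""
    starts_by_pair = defaultdict(list)
    for src, dst, port, start, _size in flows:
        starts_by_pair[(src, dst, port)].append(start)
    hits = []
    for key, starts in starts_by_pair.items():
        if len(starts) < min_flows:        # too few flows to judge regularity
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        if cv <= max_cv:
            hits.append((*key, round(mean_gap, 1)))
    return hits

if __name__ == "__main__":
    for src, dst, port, gap in polling_candidates(FLOWS):
        print(f"{src} -> {dst}:{port} polls every {gap} s")
```

Note that the check uses only the flow summary (addresses, port, start time), so it works on encrypted HTTP as well; a bot that randomizes its polling interval will need a looser threshold.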
Source of Data for Passive Detection
Use of DNS data:
- Identify fast flux networks: collect DNS queries and responses and do an offline analysis.
- Identify "typo squatting" domain names in the data, e.g. Goggle.com.
- Malicious domain names can be blocked by domain registrars (currently not happening).
- If a domain is identified as malicious, in all likelihood the queries to that domain are from infected machines; this helps to track down even those machines.
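The offline analysis of collected DNS responses can be made concrete for the two cases named here and in the fast flux section: a fast flux name rotates through many A records in different networks at a short TTL, and a typo-squatting name sits at a small edit distance from a legitimate one. This is an added example, not the lecture's own code; the passive-DNS log, the brand list and the thresholds (minimum distinct IPs, maximum TTL, maximum edit distance) are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed passive-DNS log (not real data): "time_s domain a_record ttl".
# evil.example answers with a new IP in a new /24 on every query at a low TTL;
# static.example keeps one IP at a day-long TTL.
DNS_LOG = """\
0 evil.example 203.0.113.10 120
200 evil.example 198.51.100.7 120
400 evil.example 192.0.2.55 120
600 evil.example 203.0.113.88 120
800 evil.example 198.51.100.91 120
0 static.example 192.0.2.1 86400
500 static.example 192.0.2.1 86400
"""

def parse_log(text):
    records = defaultdict(list)
    for line in text.splitlines():
        t, name, ip, ttl = line.split()
        records[name.lower()].append((int(t), ip, int(ttl)))
    return records

def fast_flux_candidates(records, min_ips=4, max_ttl=300):
    """Flag names that rotate through many A records at a short TTL.
    Returns (name, distinct_ips, distinct_/24s, mean_ttl)."""
    hits = []
    for name, rows in records.items():
        ips = {ip for _, ip, _ in rows}
        nets = {ip.rsplit(".", 1)[0] for ip in ips}   # crude /24 diversity
        avg_ttl = mean(ttl for _, _, ttl in rows)
        if len(ips) >= min_ips and avg_ttl <= max_ttl:
            hits.append((name, len(ips), len(nets), avg_ttl))
    return hits

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike (typo-squatting) names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_candidates(names, brands, max_dist=1):
    return [(n, b) for n in names for b in brands
            if n != b and edit_distance(n, b) <= max_dist]
```

Once a name is flagged, the same log gives the client addresses that queried it, which is the "track down the infected machines" step of the slide.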
Source of Data for Passive Detection
Use of spam email analysis:
- Botnets often run spam campaigns; all spam emails will have similarity in contents, pattern, length of mail, and source IP address used (often they reuse the IP addresses).
Antivirus software feedback:
- Collect information from many sensors.
Active Countermeasures
Sinkholing: changing the records of a malicious domain to point to a good node.
Courtesy: Botnets: Detection, Measurement, Disinfection & Defense, European Network and Information Security Agency
Active Countermeasures
Identifying infected machines through DNS cache snooping:
- This helps identify whether any machines in the local network are part of a malicious domain.
- Issue a query to a DNS server for a domain which is suspicious and verify the TTL value.
- If any other machine has already visited that domain, it is likely that the TTL value has decreased w.r.t. the default TTL value given by the authoritative name server.
- Another variation is to send the query with the RD (recursion desired) flag off.
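Both variations above come down to two things: building a query whose RD bit is clear, so the resolver answers only from its cache, and reading the TTL out of the answer to compare against the authoritative TTL. This is an added example, not the lecture's code; the helper names, the domain bad.example, the address 203.0.113.5 and the authoritative TTL of 3600 s are constructed assumptions, and the resolver replies are built locally so the block runs offline.

```python
import struct

def encode_name(qname):
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qname, txid=0x1234, rd=False):
    """A-record query. With rd=False (RD bit clear) a resolver answers only
    from its cache and does not go out to fetch the name on our behalf."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # A, IN

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:            # compression pointer, 2 bytes
            return off + 2
        off += 1 + n

def answer_ttls(resp):
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(resp, off) + 4  # QTYPE + QCLASS
    ttls = []
    for _ in range(ancount):
        off = skip_name(resp, off)
        _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        ttls.append(ttl)
        off += 10 + rdlen
    return ttls

def seconds_since_cached(resp, authoritative_ttl):
    """None if the resolver had no cached answer; otherwise how long ago some
    client must have asked for the name (authoritative TTL minus remaining TTL)."""
    ttls = answer_ttls(resp)
    return None if not ttls else authoritative_ttl - min(ttls)

# Constructed resolver replies (not captured traffic) to exercise the check.
def build_response(qname, ip=None, ttl=0, txid=0x1234):
    flags = 0x8080                      # QR=1, RD=0 echoed, RA=1, NOERROR
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 if ip else 0, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    if ip:
        rdata = bytes(int(o) for o in ip.split("."))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return msg
```

In practice the bytes from build_query would be sent over UDP to the local resolver on port 53 and the reply fed to seconds_since_cached; a remaining TTL well below the authoritative value means some machine behind that resolver already looked the domain up.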
Active Countermeasures
Courtesy: Botnets: Detection, Measurement, Disinfection & Defense, European Network and Information Security Agency