Transcript Document

Introduction to Botnets

Instructors: Ali Shiravi (University of New Brunswick), Natalia Stakhanova (University of South Alabama), Hanli Ren (University of New Brunswick)

Part 1: Intro to Botnets

What are they?

In the news…

• July 29 2010 - Multi-Purpose Botnet Used in Major Check Counterfeiting Operation
• Aug 4 2010 - Zeus v2 Botnet that owned 100,000 UK PCs taken out
• Aug 12 2010 - dd_ssh Botnet attacks SSH servers
• Aug 12 2010 - Zeus ‘Mumba’ Botnet Seizes Confidential Database sized 60GB
• Aug 12 2010 - Zeus v3 botnet raid on UK bank accounts

Introduction

• Malware is currently the major source of attacks and fraudulent activities on the Internet. Malware is used to infect computers.
• Botnet is a network of zombies, i.e. compromised computers under the control of an attacker.
• Bot is a program loaded on a zombie computer that provides remote control mechanisms to an attacker.

(Figure: Attacker (Botmaster) controlling Zombies)

Bot

• Bot - a small program to remotely control a computer
• Characterized by
  – Remote control & communication (C&C) channels to command a victim
    • For ex., perform denial-of-service attack, send spam
  – The implemented remote commands
    • For ex., update bot binary to a new version
  – The spreading mechanisms to propagate it further
    • For ex., port scanning, email

(Figure: botnet overview; source: http://en.wikipedia.org/wiki/Botnet)

C&C channel

• Means of receiving and sending commands and information between the botmaster and the zombies.
• Typical protocols
  – IRC
  – HTTP
  – Overnet (Kademlia)
• Protocols imply (to an extent) a botnet’s communication topology.
  – The topology provides trade-offs in terms of bandwidth, effectiveness, stealth, and so forth.

Botnet Infection Stages - Centralized

(Figure: infection stages of a centralized botnet)

Part 2 – How does a botnet operate?

Popular Botnet Propagation Methods

(Figure: Spammed Messages, Social Networking Websites, Malicious Websites, Worm, Removable Devices → Install Malware → Become Bot)

Shift in the way that malware is distributed

• Every 1.3 seconds a new web page is getting infected
• Every month almost 2 million web pages across 210,000 websites are infected with malware
• Malware attacks have grown by 600% since 2008

Spammed Messages

Storm Botnet – Spammed Messages

Propagation Steps

Step 1: Click Link
Step 2: Link to malicious website
Step 3: Download & Run Malware

Sample subjects and attachments

Sample subjects:
• A killer at 11, he's free at 21 and kill again!
• British Muslims Genocide
• Naked teens attack home director.
• 230 dead as storm batters Europe.
• Re: Your text
• Radical Muslim drinking enemies's blood.
• Saddam Hussein alive!
• Fidel Castro dead.
• FBI vs. Facebook

Sample attachments:
Postcard.exe, ecard.jpg, FullVideo.exe, Full Story.exe, Video.exe, Read More.exe, FullClip.exe, GreetingPostcard.exe, MoreHere.exe, FlashPostcard.exe, GreetingCard.exe, ClickHere.exe, ReadMore.exe, FlashPostcard.exe, FullNews.exe, NflStatTracker.exe, ArcadeWorld.exe, Left-right-brain-test.gif

Social Networking Websites

e.g. Koobface

Koobface Downloader – Social Networking Websites

(Figure; source: http://us.trendmicro.com)

Koobface Spam Messages

• A typical KOOBFACE infection starts with a spam sent through:
  – Facebook
  – Twitter
  – MySpace
  – Other social networking sites

(Figure: Koobface spam message screenshots; source: http://us.trendmicro.com)

Koobface Malware Download

• Clicking the link will redirect the user to a website designed to mimic YouTube (but is actually named YuoTube), which asks the user to install an executable (.EXE) file to be able to watch the video.

(Source: http://us.trendmicro.com)

Malicious Websites

e.g. Gumblar, Zeus

(Figure; source: http://www.ipa.go.jp/security/english/virus/press/201001/E_PR201001.html)

Gumblar Compromised Website

• The malicious script embedded in the website.

(Figure; source: http://www.van-manen.info/weblog/2010/02/gumblar-virus-infecteert-microsoft-website/)

Zeus Malware Download

Zeus Compromised Host

Part 3 – How is a botnet organized?

Traditional botnet

• Botnet topology mainly refers to the organization of C&C channels between zombies and an attacker.

(Figure: Attacker → Commands & controls → Zombies; Infect → Your home computer; Attack → Victim)

Topology

• Based on C&C channels, there are two typical botnet topologies:
  – Centralized
  – Decentralized (P2P)

Traditional botnet metrics:
• Resiliency – A botnet's ability to cope with a loss of members (zombies) or servers
• Latency – Reliability in message transmission
• Enumeration – An ability to accurately estimate a botnet's size; difficulty for security analysis
• Re-sale – A possibility to carve off sections of the botnet for lease or resale to other operators.

Centralized botnet

• Communication between attacker and zombies goes via a centralized server
  – Classical communication method: IRC (Internet Relay Chat)

(Figure: Centralized server)

Centralized botnet topologies

• Centralized topology can be represented in different shapes.
• The exact organization of a botnet depends on the bot operator – nothing prevents a bot operator from coming up with a new topology.
• Often seen topologies:
  – Star
  – Multi-server
  – Hierarchical

Star topology

• Communication is directly between a single centralized server and ALL zombies.
• When a new machine is infected, it is preconfigured to contact the server to announce its membership.
• Pros: Low latency – Each zombie is issued commands directly from the server.
• Cons: Low resilience – Only the server needs to be blocked to neutralize the whole botnet

Example

• Koobface – Old variant employed star architecture:
  • Zombies connected to C&C server directly

Multi-server topology

• Similar to star topology
• Instead of one server, multiple servers are used to provide instructions to zombies.
• Pros:
  – Better resilience – No single point of failure
  – Geographical distribution of servers – Communication speed up
  – More resistant to legal shut downs
• Cons:
  – Requires advance planning

Hierarchical topology

• Zombies are generally not aware of the server location
• Pros:
  – Ease of re-sale – A botnet operator can easily carve off sections of their botnet for lease or resale to other operators.
  – Hard to enumerate – Hard to evaluate the size and complexity of the botnet
• Cons:
  – High latency – makes some botnet attacks difficult.

Example - Gumblar

• Gumblar’s architecture is not well studied; it is fully built on zombies
• Website visitors are infected with the Windows executable, which grabs FTP credentials from the victim machines. The FTP account is then used to infect every webpage on the new webserver.

Decentralized botnet

• P2P (peer-to-peer) communication
  – zombies talking to each other
  – no central server
• Pros: Very high resilience
• Cons:
  – High latency
  – Difficult for enumeration

Hybrid topologies

• High resilience
• Low latency
• Examples:
  – Hierarchical P2P
  – Centralized P2P

(Figure: Centralized / Peer-to-peer)

Storm botnet

• A three-level self-organizing hierarchy:
  – master servers
  – proxy bots
    • transfer traffic between workers and master servers.
  – worker bots
    • responsible for sending the spam
• Once a Storm binary is downloaded, an infected host might become a worker bot (if not reachable from the Internet) or a proxy bot

Detection

• The complicated organization of botnets and the variety of cover-up techniques make detection of botnets challenging

Part 4 – How do they hide?

Encryption

• Botnet malware uses encryption techniques to avoid being detected by signature-based intrusion detection systems

(Figure: IDS signature matched against packet content)

Snort Example

Without encryption, Snort can successfully detect the attack.

Packet (without encryption):
12/30-22:59:59.368544 192.168.1.92:138 -> 192.168.1.255:138
UDP TTL:64 TOS:0x0 ID:33092 IpLen:20 DgmLen:234
Len: 214
..l....F...... EEEBEGEGFJCACACACACACACACACACAAA. ABACFPFPENFDECF CEPFHFDEFFPFPACAB..SMB%..............................&.......... .........&.V.........7.\MAILSLOT\BROWSE.......METALGODS......... ......U.DAFFY.

Snort Rule:
alert udp $EXTERNAL_NET any -> 192.168.1.255 138 (msg:"SAMBA server identified on local subnet!"; content: "SMB"; content: "MAILSLOT";)

Snort Alert:
[**] [1:0:0] SAMBA server identified on local subnet! [**]
01/06 02:21:23.465726 192.168.1.92:138 -> 192.168.1.255:138
UDP TTL:64 TOS:0x0 ID:64503 IpLen:20 DgmLen:262
Len: 242

Snort cannot detect the attack from encrypted traffic.

Encrypted Packet:
12/30-22:59:59.368544 192.168.1.92:138 -> 192.168.1.255:138
UDP TTL:64 TOS:0x0 ID:33092 IpLen:20 DgmLen:234
Len:
Li5sLi4uLkYuLi4uLi4gRUVFQkVHRUdGSkNBQ0FDQUNBQ0FDQUNBQ0FDQUNBQUEuIEFCQUNG UEZQRU5GREVDRiBDRkNBQ0FDQUNBQ0FDQUNBQ0FDQUVBGSEZERUZGUEZQQUNBQi4uU01 CJS4uLi4uLi4uLi4uLg==

Snort Rule (the same rule no longer matches):
alert udp $EXTERNAL_NET any -> 192.168.1.255 138 (msg:"SAMBA server identified on local subnet!"; content: "SMB"; content: "MAILSLOT";)
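To make the point of the two slides concrete, here is an added example (not from the slides and not Snort's own code) in Python: a tiny stand-in for the rule's two content: checks, run over a constructed plaintext payload and over the same bytes base64-encoded (the form the slide's "encrypted" packet takes), followed by the decode-and-rematch step a defender can add for trivially encoded traffic. The payload bytes, SAMBA_RULE dictionary and the rule_matches/inspect helpers are all constructed for this example.

```python
import base64
import re

# Constructed sample payloads (not captured traffic): a NetBIOS browser
# announcement fragment like the one on the slide, and the same bytes
# base64-encoded, as in the slide's "encrypted" packet.
PLAIN_PAYLOAD = (b"\xffSMB%" + b"\x00" * 8
                 + b"\\MAILSLOT\\BROWSE\x00METALGODS\x00")
ENCODED_PAYLOAD = base64.b64encode(PLAIN_PAYLOAD)

# Stand-in for the slide's Snort rule: every content: pattern must occur
# in the payload, in order (real Snort has many more modifiers).
SAMBA_RULE = {
    "msg": "SAMBA server identified on local subnet!",
    "content": [b"SMB", b"MAILSLOT"],
}

def rule_matches(rule, payload):
    """True if each content: pattern is found after the previous one."""
    pos = 0
    for pattern in rule["content"]:
        idx = payload.find(pattern, pos)
        if idx < 0:
            return False
        pos = idx + len(pattern)
    return True

def looks_base64(payload):
    """Cheap heuristic: base64 alphabet only, length a multiple of 4."""
    return (len(payload) % 4 == 0
            and re.fullmatch(rb"[A-Za-z0-9+/]+=*", payload) is not None)

def inspect(rule, payload):
    """Match the rule on the raw bytes, then on a decoded copy when the
    payload looks base64-encoded. Returns the stage that matched."""
    if rule_matches(rule, payload):
        return "raw"
    if looks_base64(payload):
        try:
            decoded = base64.b64decode(payload, validate=True)
        except ValueError:
            return None
        if rule_matches(rule, decoded):
            return "decoded"
    return None
```

Real encryption (rather than encoding) leaves no such normalization step, which is why detection then has to move to traffic behaviour rather than content.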


Fast Flux

• IP addresses that are rotated in seconds against the same domain.
• For example: [QUESTION] Website name: www.lijg.ru – [ANSWER] a different IP address on each lookup.


Advantages for the attacker

• Simplicity – Only one suitably powerful backend server (or mothership) host is needed to serve the master content and DNS information.
• Resilience – A layer of protection from ongoing investigative response or legal action
• Extend the operational lifespan of the critical backend core servers that are hidden by the front-end nodes

An Example of Fast Flux

(Figure; source: http://old.honeynet.org/papers/ff/index.html)
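An added example of the defender's view of fast flux, not from the slides or the Honeynet paper: Python code that repeats lookups of a name over time and summarises how many distinct addresses and networks answer and with what TTL, then applies simple thresholds. The lookup records, the use of a /16 prefix as a stand-in for "a different network" and the threshold values are all assumptions made for this illustration.

```python
import ipaddress
from collections import namedtuple

Lookup = namedtuple("Lookup", "t domain ttl addresses")

# Constructed sample lookups, not real DNS data (documentation address ranges
# stand in for the addresses on the slide). flux.example answers with a new
# set of addresses in unrelated networks on every query; cdn.example stands
# in for a content delivery network that also uses short TTLs but keeps
# answering from one provider range.
LOOKUPS = [
    Lookup(0,    "flux.example", 300, ["192.0.2.10", "198.51.100.7", "203.0.113.44"]),
    Lookup(600,  "flux.example", 300, ["192.0.2.88", "198.51.100.9", "203.0.113.2"]),
    Lookup(1200, "flux.example", 300, ["192.0.2.5", "198.51.100.120", "203.0.113.200"]),
    Lookup(0,    "cdn.example", 60, ["203.0.113.10", "203.0.113.11"]),
    Lookup(600,  "cdn.example", 60, ["203.0.113.12", "203.0.113.10"]),
    Lookup(1200, "cdn.example", 60, ["203.0.113.11", "203.0.113.13"]),
]

def flux_features(lookups, domain):
    """Summarise how a domain's answers change across repeated lookups."""
    rows = sorted((l for l in lookups if l.domain == domain), key=lambda l: l.t)
    if not rows:
        raise ValueError(f"no lookups recorded for {domain}")
    seen, prefixes, turnover, previous = set(), set(), 0, set()
    for row in rows:
        current = set(row.addresses)
        turnover += len(current - previous)   # addresses new since last answer
        previous = current
        seen |= current
        for ip in current:
            # /16 prefix as a cheap stand-in for "a different network"; a real
            # tool would map each address to its ASN (assumption).
            prefixes.add(ipaddress.ip_network(f"{ip}/16", strict=False))
    return {"lookups": len(rows), "distinct_ips": len(seen),
            "distinct_prefixes": len(prefixes),
            "max_ttl": max(r.ttl for r in rows), "turnover": turnover}

def is_fast_flux(features, min_ips=5, min_prefixes=3, max_ttl=600):
    """Assumed thresholds (not from the slides): many distinct addresses
    spread over several networks, all served with short TTLs."""
    return (features["distinct_ips"] >= min_ips
            and features["distinct_prefixes"] >= min_prefixes
            and features["max_ttl"] <= max_ttl)
```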

Rootkit

• A rootkit is a tool that is designed to hide itself and other processes, data, and/or activity on a system
• To hide what is taking place, an attacker wants to:
  • Survive system restart
  • Hide processes
  • Hide services
  • Hide listening TCP/UDP ports
  • Hide kernel modules
  • Hide drivers

How Rootkit Works

• Overwrite the first few bytes of the target function with a jump to rootkit code
• Create a “trampoline” function that first executes the overwritten bytes from the original function, then jumps back to the original function
• When the function is called, rootkit code executes
• Rootkit code calls the trampoline, which executes the original function
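An added example of the defender's side of this, not from the slides: a prologue integrity check in Python, of the kind anti-rootkit scanners perform, that compares a function's first bytes with a trusted copy and decodes the jump that an inline hook of the sort described above leaves at the start of the function. The byte patterns, the function address and the module range are constructed for the illustration, not dumped from a real system.

```python
import struct

# Constructed x86-64 function prologues (assumed, not dumped from a real
# system). The clean copy is a normal frame setup; the hooked copy has its
# first five bytes overwritten with "jmp rel32" (opcode E9), exactly the
# kind of inline patch the slide describes.
CLEAN_PROLOGUE = bytes.fromhex("55 48 89 e5 48 83 ec 20 48 89 7d f8")
HOOKED_PROLOGUE = bytes.fromhex("e9 fb 0f 00 10 48 83 ec 20 48 89 7d f8")

# Assumed address of the function and address range of the module it lives in.
FUNC_ADDR = 0x401000
MODULE_RANGE = (0x400000, 0x500000)

def jump_target(code, addr):
    """Decode an unconditional jump at the start of `code`, if there is one,
    and return (kind, target). Handles E9 rel32 and 'mov rax, imm64; jmp rax'."""
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]          # signed rel32
        return "jmp rel32", (addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "mov rax/jmp rax", struct.unpack_from("<Q", code, 2)[0]
    return None, None

def check_prologue(baseline, current, addr, module_range):
    """Compare the live prologue with a trusted copy and, when a jump is
    found, report where it goes and whether that is outside the module."""
    result = {"modified": current != baseline, "hook": None,
              "target": None, "outside_module": False}
    kind, target = jump_target(current, addr)
    if kind is not None:
        lo, hi = module_range
        result.update(hook=kind, target=target,
                      outside_module=not (lo <= target < hi))
    return result
```

A jump out of the module from the very first instruction is the signal; the trusted copy can come from the on-disk binary, which is what most integrity scanners compare against.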

Rootkit Usage Example – Hide process

(Figure: Process list BEFORE the rootkit is launched / Process list AFTER the rootkit is launched)

Part 5 – What do botnets do?

Botnet Activities

• The least damage caused by botnets: Bandwidth Consumption
• Other things:
  • DDOS attacks
  • Spam
  • Click Fraud
  • Data Theft
  • Phishing
  • Mistrustful services

DDOS attacks

(Figure: Attacker directing zombies in Brazil, Russia, US and China against a victim, e.g. Google.com; source: http://en.wikipedia.org/wiki/Denial-of-service_attack)

Click Fraud

• Pay per Click (PPC) is an Internet advertising model used on websites in which advertisers pay their host only when an ad is clicked.
• Famous bots: ClickBot (100k), Bahama Botnet (200k)

Click Fraud - FFSearcher

(Figure; source: http://blog.trendmicro.com/click-fraud-takes-a-step-forward-with-troj_ffsearch/)

Data Theft

• Accounts for a great deal of botnet activity.
• Purpose: Harvesting user data
  – Screen captures
  – Typed data
  – Files
• Anti-Spyware software
  – Highly controversial.
  – Has resulted in Scareware.

(Source: http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf)

Data Theft - Mumba Zeus Botnet

(Figure; source: http://avg.typepad.com/files/revised-mumba-botnet-whitepaper_approved_yi_fv-2.pdf)

Phishing

• A deceptive email/website/etc. to harvest confidential information.

(Source: http://library.thinkquest.org/06aug/00446/Phishing.html)

(Figure: phishing statistics; source: http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf)

Part 6 – How difficult is it to create a botnet?

Botnet business is booming

• The primary reason for rapid botnet evolution is the underground market
• Botnet services have reached a professional level
  – Software, zombies or even botnet service can be purchased
  – Customization & professional support

(Sources: http://www.hackforums.net/showthread.php?tid=569629, http://www.hackforums.net/showthread.php?tid=507030&highlight=bot, http://www.hackforums.net/showthread.php?tid=611998, http://www.hackforums.net/showthread.php?tid=611678)

Reality

• To obtain a simple botnet or botnet services DOES NOT require
  – Great technical knowledge
  – Special hardware
• … unless you’re planning to make it your primary source of income

What is needed to create a simple botnet

1. A bot, i.e., a small program that can remotely perform certain functions
2. C&C server
3. A network of zombies

Step 1: Creating a bot

• Where to find a bot:
  – Find a script on the Internet
  – Purchase a ready-to-go bot
    • Prices vary from $5 to $1000 depending on the bot functionality
  – Write yourself

Step 2: C&C server

• C&C server is simply a powerful computer which will give you direct access to zombies, or if needed will store stolen data.
• For example, to install an IRC server
  – Dedicated computer with installed software (fairly legal)
  – Buy a domain, since it should be set up as a web server
  – Hosting – to make the server accessible from the Internet, it should be hosted by a hosting company

Step 3: Creating zombies

• Options:
  – Purchase/rent a network of zombies
  – Compromise computers yourself
    • Using software packages such as Mpack, Icepack and WebAttacker
    • Using your brains

Thank You!

Extra Slides

Social Aspects of Botnets

• Malware in general is written by some, contributed by others and used by many more.
• Incentives
  – Challenge Seeking (C:H N:L)
  – Fame Seeking (C:A N:A)
  – Revenge Seeking (C:? N:L)
  – Gain Seeking

Fight-back

• Centralized C&C
  – C&C migration
  – Random Domain Names
  – E.g. McColo takedown (http://gadgets.boingboing.net/2008/11/13/colo-shutdown-takes.html)
• Peer-to-peer
  – New protocols
  – SpamThru

Botnet Detection

• Every interaction between two entities requires the flow of information.
• This can be utilized to detect the interaction.
• The problem is that this interaction is generally obfuscated and mixed with others with similar behaviour.
• Traditionally, work in botnet detection has been categorized by either detection methodology (behavioural/signature) or C&C infrastructure.

References

• The Gumblar system, http://www.securelist.com/en/weblog?discuss=208187897&return=1
• C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, S. Savage. Spamalytics: An Empirical Analysis of Spam Marketing Conversion. 15th ACM Conference on Computer and Communications Security 2008, Alexandria, VA, USA.
• The Koobface botnet, http://us.trendmicro.com
• Malicious websites, http://www.ipa.go.jp/security/english/virus/press/201001/E_PR201001.html
• The fast flux techniques, http://old.honeynet.org/papers/ff/index.html