Taxonomy of Botnet
Defense by the Wanderers
Angel Pia Jr., Wander Smelan, Koonal Bose, Scott Thompson

Botnet Debate

 Resolved: that the Trend Micro white paper Taxonomy of
  Botnet Threats provided a better understanding of
  botnet behavior, detection and mitigation.

What this white paper is and what it is not
 It is not meant to be the most comprehensive, all-
  inclusive, most definitive resource material for botnets
  and their future incarnations.

 It is a working document meant to provide an organized
  and systematic approach to understanding botnets and
  their behavior in order to confront the threat they pose.

 For this reason the white paper's intended goal outweighs
  any minor and nit-picky blemishes it may have, if it has
  any at all.
 Definition [Angel Pia]

 History and background [Angel Pia]

 Taxonomy of botnets
    Attacking behavior [Wander Smelan]
    Command and Control model [Wander Smelan]
    Rallying mechanisms [Koonal Bose]
    Communication Protocols [Koonal Bose]
    Evasion Techniques [Scott Thompson]
    Observable botnet activities [Scott Thompson]

 Conclusion and Q&A
 Botnets (robot networks)
    zombie computers/drones/armies
    large number of compromised computers under the control of
     a botmaster
    means to conduct various attacks ranging from Distributed
     Denial of Service (DDoS) to email-spamming, spreading new
     malware, etc.
    harnessing immense computing power.

   Source: A typical botnet created from zombies (Credit: Cisco)
 Bot
    compromised host computer
    also refers to the code planted on such a computer.

 Botmaster
    one or a few computers used by the crackers to run command
     and control operations over the botnet.

 Taxonomy
    Science or technique of classification

History and background
 First bot: PrettyPark worm (1999)
    retrieved log-in names, email addresses and nicknames.
    connected to a remote IRC server from which the botmaster could
     remotely control a large pool of infected hosts.
    the first time such a command and control method was employed.
    this concept soon spread to the rest of the black hat
     community, and many variants of the botnet evolved through
     the years.

 Rise of profit-driven attacks such as DDoS, spamming,
  phishing and identity theft, for which botnets have
  proven to be a compelling vehicle, over status-seeking
  and vandalism objectives.

History and background
 Attacks have grown in sophistication, and botnets have
  now evolved into what poses the highest security threat
  on the Internet.

 In 2006, it cost $67.2B for US businesses to deal with

Taxonomy of botnets
 Attacking behavior
    means of compromising, propagating and launching attacks
     from a botnet
    DDoS; scanning; remote exploits; junk emails (phishing and virus
     attachments); phishing websites; spyware; identity theft; etc.

 Command & Control (C&C) models
   classification of botnet topologies
   centralized; distributed; P2P; etc.

 Rallying mechanisms
   methods by which bots are activated into the botnet for malware service
   hard-coded IP; Dynamic DNS; Distributed DNS; etc.

Taxonomy of botnets
 Communication protocols
   ways in which bots communicate with each other and with the
    botmaster or C&C server
   IRC; HTTP; IM; P2P; etc.

 Observable botnet activities
   other observable signs of botnet activity
   DNS queries; bursts of short packets; abnormal system calls; etc.

 Evasion techniques
   ways botnets evade detection
   HTTP/VoIP tunneling; IPv6 tunneling; P2P encrypted traffic; etc.

Attacking Behaviors
Purposes and techniques:

 Infecting new hosts (propagation of the botnet)
    social engineering and distribution of malicious emails
 Stealing sensitive information
    keyloggers and network traffic sniffers
 Sending spam and phishing
    botnets distribute untraceable emails
 Distributed Denial of Service (DDoS)
    a large number of synchronized requests to a particular server or

Command and Control (C&C)
 Used to manage large-scale attacks

 Essential for the operation and support of botnets

 The weakest link of a botnet

 3 types: Centralized, Peer-to-Peer (P2P) and Random

Profile of a botnet mastermind
 Name: Owen Thor Walker

 Aka “AKILL”

 Country: New Zealand

 Started his “A-TEAM” botnet group when he was 16. By age 19,
  had 1.3 million+ computers

 Had been diagnosed with Asperger's syndrome, a mild form of
  autism often characterized by social isolation, when he was 10

 Caused damage of over $20 million

 Caused computers to crash, stole private information and sold
  it to e-
Command and Control (C&C)
Centralized C&C Model

 Most commonly used
 Simple to implement and customize
 Easiest to eliminate
 Small message latency
 Botnet network size: 1,000++

Command and Control (C&C)
P2P C&C Model
 More resilient to failures
 Less common, hard to discover, and hard to defend
 Unreliable from the messaging system perspective
 Hard to launch large scale attacks
 Botnet network size: 10-50


Command and Control (C&C)
Random C&C Model
 Described by Evan Cooke – but still not in use in
    real-world botnets
   Model: the bot waits (listens) for incoming connections.
   Easy to implement
   Highly resilient to discovery and destruction.
   Scalability limitations make it difficult to coordinate
    large attacks.
Rallying Mechanisms
 Hard-coded IP address

 Dynamic Domain Name Server

 Distributed DNS service

Rallying Mechanisms
Hard-coded IP address

 The bot includes a hard-coded C&C server IP address in its

 Easy to defend against if the IP address is detected:
    the channel is blocked
    the botnet is deactivated

Rallying Mechanisms
Dynamic DNS

 Hard-coded domain names, assigned through dynamic DNS

 If the C&C server is deactivated, the botmaster can resume
  control by assigning a new IP address to the corresponding
  DNS entry

 Makes the C&C server harder to detect

Rallying Mechanisms
Distributed DNS service

 Botnets run their own distributed DNS service

 Many are run on high port numbers in order to
  avoid detection by security devices

 Hardest to identify and destroy
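The re-pointing that the Dynamic DNS rallying mechanism relies on is also what a defender can look for in passive DNS data. The Python below is an added example, not part of the white paper or of this presentation; the DNS records, domain names, addresses and detection thresholds are all constructed for illustration.

```python
from collections import defaultdict

# Constructed passive-DNS observations: (time_s, queried name, answer IP, TTL_s).
# Names and addresses are made up for this example (RFC 5737 test ranges).
DNS_LOG = [
    (0,    "cdn.example-static.net",    "198.51.100.10", 3600),
    (3600, "cdn.example-static.net",    "198.51.100.10", 3600),
    (7200, "cdn.example-static.net",    "198.51.100.10", 3600),
    (0,    "update.rally-test.invalid", "203.0.113.5",   300),
    (300,  "update.rally-test.invalid", "203.0.113.77",  300),
    (600,  "update.rally-test.invalid", "192.0.2.200",   300),
    (900,  "update.rally-test.invalid", "192.0.2.201",   300),
    (1200, "update.rally-test.invalid", "203.0.113.5",   300),
]


def profile_domains(log):
    """Per name: answers seen, distinct IPs, consecutive IP changes, mean TTL.
    A name whose A record is re-pointed again and again behind a short TTL is
    what a botmaster does to regain control after a C&C host is taken down."""
    by_name = defaultdict(list)
    for _ts, name, ip, ttl in sorted(log):  # time order is kept within a name
        by_name[name].append((ip, ttl))
    profiles = {}
    for name, rows in by_name.items():
        ips = [ip for ip, _ in rows]
        profiles[name] = {
            "answers": len(rows),
            "distinct_ips": len(set(ips)),
            "ip_changes": sum(1 for a, b in zip(ips, ips[1:]) if a != b),
            "avg_ttl": sum(ttl for _, ttl in rows) / len(rows),
        }
    return profiles


def flag_rally_domains(profiles, min_changes=3, max_avg_ttl=600):
    """Names that both re-point often and advertise a short TTL.
    Thresholds are assumptions for this example. CDNs and load balancers also
    rotate addresses, so a hit is a lead to correlate with the traffic that
    follows the lookup, not a verdict on its own."""
    return sorted(
        name for name, p in profiles.items()
        if p["ip_changes"] >= min_changes and p["avg_ttl"] <= max_avg_ttl
    )


if __name__ == "__main__":
    print(flag_rally_domains(profile_domains(DNS_LOG)))  # ['update.rally-test.invalid']
```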

Communication Protocols
 Botnets communicate with each other and with their
  botmasters following well-defined network protocols
 Discovering the communication protocol is important for 2 main reasons:
   understanding a botnet's origin and the software tools possibly used
   helping security groups decode conversations between bots and
    between bots and their master
 Main communication protocols being used
   IRC (Internet Relay Chat)
   HTTP (Hypertext Transfer Protocol – www)
   P2P (Peer to Peer)
   IM (Instant Messaging)

IRC Protocol
 IRC-based botnets are the most frequently used
 IRC is mainly designed for group communication but can
  also handle private messages between two people
 The botnet C&C server runs an IRC service that is no
  different from a standard IRC server
 Inbound vs outbound IRC traffic
    inbound usually indicates the local host is being recruited by a botnet
    outbound usually indicates the local host has been compromised
     and is being used as a C&C server of a botnet
 Firewalls can be configured to block IRC traffic
 IRC botnets have scripts that parse messages and will
  execute malicious functions accordingly

IRC Protocol
 [Diagram: botnet C&C server running an IRC service (IRC server) and a botnet user]

 Once detected, it can easily be blocked

HTTP and Other Protocols
 2 main advantages of using the HTTP protocol
    Blends in with normal Internet traffic
    Abnormal ports are normally blocked at the firewall; HTTP allows
     the botnet to communicate back with the C&C server

 HTTP is harder to detect but not impossible, since the
  response header fields and page payload would be
  different from normal HTTP traffic.

 P2P and IM are more recent protocols being used by
    Still a relatively small number compared to HTTP and IRC
 P2P Protocol
    Distributed control
    Even if one is detected it is hard to disable

Evasion and Detection Techniques
Detection Techniques

 Antivirus & Intrusion Detection Systems (IDS)
    These systems are based on virus signatures.

 Anomaly-based detection
    Monitors communication traffic

Evasion Techniques

 From signature-based detection
    Executable packers
    Rootkits
    Protocol evasion techniques

 From anomaly-based detection systems
    New / modified communication protocols: IRC, HTTP, VoIP
    Use of secure channels to hide communications
    Alternative channels: ICMP or IPv6 tunneling
    Potential use of Skype or IM
Effective Detection Alternative

 Combination of Techniques:
    Detect connections to C&C centers
    Monitor for Communication Traffic
    Monitor for Anomalous Behavior

Combating Botnets by Focusing on Detectable Behavior

 Global correlation

 Network-based behavior

 Host-based behavior

Network-based Behaviors

 Observable communications:
   Monitor IRC & HTTP traffic to servers that don't require these
   IRC traffic that is not “human readable”
   DNS queries (lookups for C&C controllers)
   Frequent changes in the IP returned by DNS lookups
   Long idle periods followed by very rapid responses
   Very bursty traffic patterns

 Attack traffic:
    Denial of Service: TCP SYN packets (invalid source)
    Internal systems sending emails (phishing)
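The “not human readable” IRC bullet above can be made into a concrete check over reassembled IRC lines. The Python below is an added example, not from the white paper or the slides; the IRC lines, nicks, channels, server name and the 0.5 readability threshold are all constructed assumptions.

```python
import re

# Constructed IRC lines as they might be reassembled from a TCP stream; nicks,
# channels, server name and payloads are all made up for this example.
SAMPLE_LINES = [
    ":alice!u@host PRIVMSG #linux :anyone know why my cron job runs twice?",
    ":bob!u@host PRIVMSG #linux :check /etc/cron.d, it is probably listed there too",
    ":op!u@host TOPIC #xq9 :c2F3ZHhfNzc6OjI1LjE0OjEw|0x4f3a|a8c1e220f7b44d1",
    ":z1!u@host PRIVMSG #xq9 :Zmxvb2R8MTk4LjUxLjEwMC45fDgw|k3|9f2a7c11",
    "PING :irc.example-chat.net",
]
# optional ":prefix ", then a command word or 3-digit numeric reply, then params
IRC_RE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+|\d{3})(?P<params>.*)$")
# a token a human types: letters/apostrophes, optionally ending in punctuation
WORD_RE = re.compile(r"[A-Za-z']{1,15}[.,!?;:]*")


def parse_irc(line):
    """Return (COMMAND, first target, trailing text) for one IRC line, or None."""
    m = IRC_RE.match(line.strip())
    if not m:
        return None
    middle, _, trailing = m.group("params").partition(" :")
    target = middle.split()[0] if middle.split() else ""
    return m.group("cmd").upper(), target, trailing


def readability(text):
    """Fraction of whitespace-separated tokens that look like typed words.
    Chat is mostly short alphabetic tokens; a bot channel carries encoded
    blobs, hex and field separators that collapse into a few long tokens."""
    tokens = text.split()
    if not tokens:
        return 1.0
    return sum(1 for t in tokens if WORD_RE.fullmatch(t)) / len(tokens)


def flag_unreadable_irc(lines, threshold=0.5):
    """List (command, target, score) for message-bearing lines whose payload
    does not read like human text. The threshold is an assumption; tune it
    against the legitimate IRC traffic on the network being monitored."""
    hits = []
    for line in lines:
        parsed = parse_irc(line)
        if parsed is None or parsed[0] not in ("PRIVMSG", "NOTICE", "TOPIC"):
            continue
        cmd, target, trailing = parsed
        score = readability(trailing)
        if score < threshold:
            hits.append((cmd, target, round(score, 2)))
    return hits
```

Running `flag_unreadable_irc(SAMPLE_LINES)` flags only the two #xq9 lines; the #linux chat and the PING pass.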

Host-based Behaviors

 Detectable activity on an infected host:

    Disabled anti-virus
    Large numbers of updates to the system registry
    Specific system/library calls

Global Correlated Behaviors
 Common across different botnet implementations:

    Detect DNS changes for the C&C host
    Large numbers of DNS

Conclusion
 Botnets are a dangerous evolution in the malware

 They are being used to damage systems, steal
  information and compromise systems

 They are hard to detect and eliminate

 The taxonomy approach gave us an organized and
  systematic means of understanding the nature of
  botnets and their behaviors. This will allow us to
  mitigate the threat with corrective measures.
