Taxonomy of Botnet Threats
  Defense by the Wanderers
   Angel Pia Jr., Wander Smelan, Koonal Bose, Scott Thompson
Botnet Debate


 Resolved: that the Trend Micro white paper “Taxonomy of
  Botnet Threats” provides a better understanding of
  botnet behavior, detection and mitigation.
What this white paper is and what it is not.
 It is not meant to be the most comprehensive, all-inclusive
  or definitive resource on botnets and their future
  incarnations.

 It is a working document meant to provide an organized
  and systematic approach to understanding botnets and
  their behavior, in order to confront the threat they pose.

 For this reason the white paper achieves its intended
  goal, whatever minor blemishes it may have.
Outline
 Definition [Angel Pia]


 History and background [Angel Pia]


 Taxonomy of botnets
    Attacking behavior [Wander Smelan]
    Command and Control model [Wander Smelan]
    Rallying mechanisms [Koonal Bose]
    Communication Protocols [Koonal Bose]
    Evasion Techniques [Scott Thompson]
    Observable botnet activities [Scott Thompson]


 Conclusion and Q&A
Definition
 Botnets (robot networks)
    also called zombie computers, drones or armies
    a large number of compromised computers under the control of
     a botmaster
    a means to conduct attacks ranging from Distributed Denial of
     Service (DDoS) to email spamming, spreading new malware, etc.
    harness the aggregate computing power and bandwidth of the
     compromised hosts




   Source: A typical botnet created from zombies (Credit: Cisco) http://www.macworld.co.uk/business/news/index.cfm?newsid=25756
Definition
 Bot
    a compromised host computer
    also refers to the malicious code planted on such a computer


 Botmaster
    the attacker who controls the botnet, or the one or few
     computers used to run command and control over it

 Taxonomy
    the science or technique of classification
History and background
 First bot: the PrettyPark worm (1999)
    retrieved log-in names, email addresses and nicknames
    connected to a remote IRC server from which the botmaster could
     remotely control a large pool of infected hosts
    first time this command and control method was employed
    the concept soon spread through the rest of the black-hat
     community, and many botnet variants have evolved since


 Rise of profit-driven attacks (DDoS, spamming, phishing and
  identity theft), for which botnets have proven a compelling
  vehicle, displacing status-seeking and vandalism as the
  main motive
History and background
DDoS, spamming, phishing and identity theft attacks from
botnets.
 Attacks have grown in sophistication, and botnets now rank
  among the most serious security threats on the Internet.

 In 2006, it cost US businesses $67.2B to deal with malware.
Taxonomy of botnets
 Attacking behavior
    means of compromising hosts, propagating, and launching attacks
     from a botnet
    DDoS; scanning; remote exploits; junk email (phishing and virus
     attachments); phishing websites; spyware; identity theft; etc.

 Command & Control (C&C) models
   classification of botnet topologies
   centralized; P2P; random; etc.

 Rallying mechanisms
   how a newly infected bot locates and joins its C&C server
   hard-coded IP; Dynamic DNS; distributed DNS; etc.
Taxonomy of botnets
 Communication protocols
   how bots talk to each other and to the botmaster or C&C server
   IRC; HTTP; IM; P2P; etc.

 Observable botnet activities
   network- and host-level symptoms that reveal a botnet
   DNS queries; bursts of short packets; abnormal system calls; etc.

 Evasion techniques
   ways botnets evade detection
   HTTP/VoIP tunneling; IPv6 tunneling; encrypted P2P traffic; etc.
Attacking Behaviors
Purposes and techniques:

 Infecting new hosts (propagation of the botnet)
    social engineering and distribution of malicious emails
 Stealing sensitive information
    keyloggers and network traffic sniffers
 Sending spam and phishing
    botnets distribute email that is hard to trace back to its sender
 Distributed Denial of Service (DDoS)
    a large number of synchronized requests to a particular server or
     service
Command and Control (C&C)
 Used to manage large-scale attacks

 Essential for the operation and support of a botnet

 The weakest link of a botnet: take the C&C channel away and
  the botmaster loses the bots

 3 types: Centralized, Peer-to-Peer (P2P) and Random
Attacking Behaviors
Profile of a botnet mastermind
 Name: Owen Thor Walker
 Aka “AKILL”
 Country: New Zealand
 Started his “A-TEAM” botnet group when he was 16. By age 19 it
  had compromised over 1.3 million computers.
 Had been diagnosed at age 10 with Asperger's syndrome, a mild
  form of autism often characterized by social isolation.
 Caused damage estimated at over $20 million.
 Crashed computers, stole private information and sold it to
  e-criminals.
Command and Control (C&C)
Centralized C&C Model

 Most commonly used
 Simple to implement and customize
 Easiest to eliminate: the C&C server is a single point of failure
 Small message latency
 Botnet network size: 1,000 or more bots

Source: http://mrcracker.com/2009/09/botnet/
Command and Control (C&C)
P2P C&C Model
 More resilient to failures: no single C&C server to take down
 Less common, hard to discover, and hard to defend against
 Unreliable from the messaging perspective: no guarantee that a
  command reaches every bot
 Hard to launch large-scale attacks
 Botnet network size: 10-50

Source: http://mrcracker.com/2009/09/botnet/
Command and Control (C&C)
Random C&C Model
 Described by Evan Cooke, but not yet seen in real-world
    botnets
   Model: each bot waits (listens) for an incoming connection;
    the botmaster finds bots by scanning and pushes commands to
    each one
   Easy to implement
   Highly resilient to discovery and destruction
   Scalability limitations make it difficult to coordinate
    large attacks
Rallying Mechanisms
 Hard-coded IP address

 Dynamic DNS

 Distributed DNS service
Rallying Mechanisms
Hard-coded IP address

 The bot carries the C&C server's IP address hard-coded in its
  binary.

 Easy to defend against once the IP address is identified:
    the channel is blocked (or the server taken down)
    the botnet is deactivated, since the bots have no way to find
     a replacement server
Rallying Mechanisms
Dynamic DNS

 The bot carries a hard-coded domain name, registered with a
  dynamic DNS provider, and resolves it at run time.

 If the C&C server is deactivated, the botmaster resumes
  control by pointing the DNS entry at a new IP address;
  the bots re-resolve the name and reconnect.

 Makes the botnet harder to take down: the domain, not the
  IP address, is the stable identifier.
Rallying Mechanisms
Distributed DNS service

 Botnets run their own distributed DNS service, out of reach
  of the public DNS infrastructure

 Many run on high port numbers to avoid detection by
  security devices that inspect only standard DNS traffic

 Hardest to identify and destroy
Communication Protocols
 Bots communicate with each other and with their
  botmaster following well-defined network protocols
 Identifying the protocol in use has 2 main advantages
   helps understand the botnet's origin and the software tools used
   helps security groups decode conversations between bots and
    between bots and their master
 Main communication protocols in use
   IRC (Internet Relay Chat)
   HTTP (Hypertext Transfer Protocol, i.e. web traffic)
   P2P (Peer to Peer)
   IM (Instant Messaging)
Communication Protocols
IRC Protocol
 IRC-based botnets are the most frequently seen
 IRC is designed mainly for group communication (channels) but
  also supports private messages between two users
 The botnet C&C server runs an IRC service that is no
  different from a standard IRC server
 Inbound vs outbound IRC traffic
    outbound IRC connections from a host with no business on IRC
     usually indicate it has been compromised and recruited as a bot
    inbound IRC connections to a local host usually indicate it is
     accepting IRC clients, i.e. it may be serving as a C&C server
 Firewalls can be configured to block IRC traffic (TCP 6667 and
  its neighbouring ports by default, though a bot may use any port)
 IRC bots contain scripts that parse channel messages and
  execute the corresponding malicious functions
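An added worked example (not from these slides or the Trend Micro paper) of the two IRC points above: parsing raw IRC lines in the RFC 1459 shape, and applying the kind of message-level heuristics a detector uses to separate bot C&C chatter from human conversation (the "IRC traffic that is not human readable" observable that comes up again later). The bot-verb list, the nickname pattern, the readability threshold and the log lines are all constructed assumptions of this example, not signatures from any product.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 1459 line shape: [":" prefix SPACE] command {SPACE middle} [SPACE ":" trailing]
_IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?"
    r"(?P<command>[A-Za-z]+|\d{3})"
    r"(?P<params>(?: [^:\s]\S*)*)"
    r"(?: :(?P<trailing>.*))?$"
)

# Heuristic patterns and thresholds: assumptions of this example, tune them on your own traffic.
BOT_COMMAND_RE = re.compile(r"^[.!~$][a-z][a-z0-9._-]*$", re.I)     # ".ddos.syn", "!scan"
GENERATED_NICK_RE = re.compile(r"^\[?[A-Z]{2,4}[|\-]\S*\d{4,}")      # "[USA|XP]48213"
BLOB_RE = re.compile(r"[A-Fa-f0-9]{24,}|[A-Za-z0-9+/]{32,}={0,2}")   # hex or base64 payloads
BOT_VERBS = {"ddos", "syn", "udp", "flood", "scan", "download", "update", "exec", "keylog", "spam"}
READABILITY_MIN = 0.6   # share of letters+spaces; chat between humans is normally well above this


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str]
    trailing: Optional[str]


@dataclass
class Finding:
    line: str
    nick: Optional[str]
    reasons: List[str] = field(default_factory=list)


def parse_irc_line(line: str) -> Optional[IrcMessage]:
    """Split one raw IRC line into prefix, command, middle params and trailing text."""
    m = _IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return IrcMessage(m.group("prefix"), m.group("command").upper(),
                      m.group("params").split(), m.group("trailing"))


def readability(text: str) -> float:
    """Share of characters that are letters or spaces (0.0 .. 1.0)."""
    return sum(c.isalpha() or c == " " for c in text) / len(text) if text else 0.0


def assess(line: str) -> Optional[Finding]:
    """Return a Finding if the line looks like bot C&C traffic, else None."""
    msg = parse_irc_line(line)
    if msg is None:
        return None
    nick = msg.prefix.split("!", 1)[0] if msg.prefix else None
    reasons = []
    if nick and GENERATED_NICK_RE.match(nick):
        reasons.append("generated nick")
    if msg.command in ("PRIVMSG", "NOTICE") and msg.trailing:
        text = msg.trailing
        tokens = text.split()
        if tokens and BOT_COMMAND_RE.match(tokens[0]):
            reasons.append("command-prefixed text")
        if set(re.findall(r"[a-z]+", text.lower())) & BOT_VERBS:
            reasons.append("bot verb")
        if readability(text) < READABILITY_MIN:
            reasons.append("not human readable")
        if BLOB_RE.search(text):
            reasons.append("hex/base64 blob")
    return Finding(line, nick, reasons) if reasons else None


def scan_irc_log(lines) -> List[Finding]:
    return [f for f in map(assess, lines) if f is not None]


# Constructed sample: two humans chatting, and a bot channel on the same server.
SAMPLE_IRC_LOG = [
    ":alice!alice@example.org PRIVMSG #python :anyone tried the new asyncio release?",
    ":[USA|XP]48213!x@10.0.0.12 JOIN #b0ts",
    ":master!m@c2.example PRIVMSG #b0ts :.ddos.syn 192.0.2.10 80 600",
    ":master!m@c2.example PRIVMSG #b0ts :.download http://198.51.100.7/u.exe 1",
    ":[DEU|2K]77310!y@10.0.0.31 PRIVMSG #b0ts :[SCAN]: Exploited 10.0.0.44 dcom135",
    "PING :irc.example.org",
    ":bob!bob@example.org PRIVMSG #python :works for me on 3.11",
]

if __name__ == "__main__":
    for f in scan_irc_log(SAMPLE_IRC_LOG):
        print(f"{f.nick or '-':>16}  {', '.join(f.reasons):<50}  {f.line}")
```

Run as-is and the four lines from the #b0ts channel are reported with their reasons, while the two human messages and the server PING pass. The same assess() function can be fed lines reassembled from an IRC-port flow; a single reason is a weak signal on its own, so alert on combinations or on a host accumulating several.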
Communication Protocols
IRC Protocol

 [Figure: botnet C&C server running an IRC service; the botmaster
  issues commands to the bots through the IRC server]

 [Figure: once the IRC channel is detected it can easily be blocked,
  cutting the botmaster off from the bots]
Communication Protocols
HTTP and Other Protocols
 2 main advantages of using the HTTP protocol
    Blends in with normal web traffic
    Non-standard ports are normally blocked at the firewall, while
     HTTP (port 80) is almost always allowed out, so the bot can
     reach its C&C server


 HTTP C&C is harder to detect, but not impossible: the request
  and response header fields and the page payload differ from
  normal HTTP traffic (bot traffic is machine-generated, periodic,
  and carries commands rather than pages meant for a browser).

 P2P and IM are more recent protocols adopted by botnets
    Still a relatively small number compared to HTTP and IRC
Communication Protocols
 P2P Protocol
    Distributed control: no central C&C server
    Even if one peer is detected and removed, the botnet is hard
     to disable
Detection and Evasion Techniques
Detection Techniques

 Antivirus & Intrusion Detection
  Systems (IDS)
    Signature-based: match known byte patterns of bot code
     or of known C&C traffic


 Anomaly-based detection
  systems
    Monitor communication traffic for deviations from
     normal behavior
Detection and Evasion Techniques
Evasion Techniques

 From signature-based detection
    Executable packers (compress or encrypt the binary so the
     on-disk bytes no longer match a signature)
    Rootkits
    Protocol evasion techniques


 From anomaly-based detection systems
    New / modified communication protocols: IRC, HTTP, VoIP
    Secure (encrypted) channels to hide communications
    Alternative channels: ICMP or IPv6 tunneling
    Potentially Skype or IM
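An added example (not from the slides or the paper) of the check a practitioner applies for the first evasion listed, executable packers: a packed or encrypted body has near-uniform byte statistics, so its Shannon entropy approaches 8 bits per byte, while ordinary code and strings sit well below that. The samples are constructed in the code (a SHA-256 hash chain stands in for packed data), the window size and threshold are assumptions of this example, and a real tool would run this per section after parsing the PE or ELF headers.

```python
import hashlib
import math
from collections import Counter
from typing import List


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 1024, threshold: float = 7.2) -> List[int]:
    """Offsets of fixed-size windows whose bytes look compressed or encrypted.

    Ordinary code and text sit well below 7 bits/byte; packed or encrypted sections
    approach 8. The threshold is an assumption of this example, not a published cut-off.
    """
    return [off for off in range(0, len(data) - window + 1, window)
            if shannon_entropy(data[off:off + window]) >= threshold]


def packed_ratio(data: bytes, window: int = 1024, threshold: float = 7.2) -> float:
    """Fraction of whole windows that are high-entropy; close to 1.0 suggests a packed body."""
    n = len(data) // window
    return len(high_entropy_windows(data, window, threshold)) / n if n else 0.0


def pseudo_random_bytes(n: int, seed: bytes = b"packer-demo") -> bytes:
    """Deterministic stand-in for packed data: a SHA-256 hash chain (constructed, not a real packer)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: 4 KiB of text-like bytes (a 64-byte pattern repeated), and the same
# size with a small clear-text stub followed by a high-entropy body, as a packed binary has.
UNPACKED_SAMPLE = (b"This program cannot be run in DOS mode.\r\n$PE\x00\x00 .text .rdata .bss") * 64
PACKED_SAMPLE = UNPACKED_SAMPLE[:1024] + pseudo_random_bytes(3072)

if __name__ == "__main__":
    for name, blob in (("unpacked", UNPACKED_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(f"{name:>8}: entropy {shannon_entropy(blob):.2f} bits/byte, "
              f"high-entropy windows {packed_ratio(blob):.0%}")
```

Entropy alone does not say which packer was used or whether the payload is malicious; it says a signature scan of the on-disk bytes will not find anything and the sample needs to be unpacked or run in a sandbox first.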
Detection and Evasion Techniques
Effective Detection Alternative

 Combination of techniques:
    Detect connections to C&C centers
    Monitor communication traffic
    Monitor for anomalous behavior
Detection and Evasion Techniques
Combating Botnets focusing on Detectable Behavior

 Global correlated behavior

 Network-based behavior

 Host-based behavior
Detection and Evasion Techniques
Network-based Behaviors

 Observable communications:
   IRC & HTTP traffic to or from servers that have no need for
    these protocols
   IRC traffic that is not “human readable” (command strings,
    generated nicknames, encoded payloads)
   DNS queries (lookups for C&C controllers)
   Frequent changes in the IP address returned for a DNS name
   Long idle periods followed by very rapid responses
   Very bursty traffic patterns


 Attack traffic:
    Denial of Service: floods of TCP SYN packets with spoofed or
     invalid source addresses
    Internal systems sending large volumes of email (spam / phishing)
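An added example (not part of the original slides) that runs two of the network-based checks listed above over a constructed set of flow records: SYN-only packets arriving from outside with source addresses that cannot belong to a real client (a spoofed SYN flood), and local hosts that sit idle and then burst (the "long idle periods followed by very rapid responses" pattern). The Flow record layout, the 10.0.0.0/8 site address space, the address ranges treated as unroutable and the thresholds are assumptions of this example.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    t: float      # seconds since start of capture
    src: str
    dst: str
    dport: int
    flags: str    # TCP flag letters, "S" = SYN only; "" for non-TCP


# Assumptions of this example: the monitored site is 10.0.0.0/8, and a SYN arriving
# from outside with a source in one of these ranges can never be a real client.
LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def is_invalid_source(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in UNROUTABLE)


def spoofed_syn_floods(flows: List[Flow], min_syns: int = 10) -> Dict[Tuple[str, int], int]:
    """Inbound SYN-only packets with impossible source addresses, counted per target."""
    counts: Dict[Tuple[str, int], int] = defaultdict(int)
    for f in flows:
        inbound = ipaddress.ip_address(f.src) not in LOCAL_NET
        if inbound and f.flags == "S" and is_invalid_source(f.src):
            counts[(f.dst, f.dport)] += 1
    return {k: v for k, v in counts.items() if v >= min_syns}


def idle_then_burst(flows: List[Flow], idle_s: float = 300, burst_n: int = 15,
                    window_s: float = 5) -> Dict[str, Tuple[float, int]]:
    """Local hosts that stay silent for idle_s and then emit burst_n+ packets within window_s.

    A workstation driven by a person rarely does this; a bot that sleeps until a C&C
    command arrives and then scans or floods does exactly this.
    """
    times_by_src: Dict[str, List[float]] = defaultdict(list)
    for f in flows:
        if ipaddress.ip_address(f.src) in LOCAL_NET:
            times_by_src[f.src].append(f.t)
    hits = {}
    for src, times in times_by_src.items():
        times.sort()
        for i in range(1, len(times)):
            gap = times[i] - times[i - 1]
            if gap < idle_s:
                continue
            j = i                                   # count packets in [times[i], times[i] + window_s]
            while j < len(times) and times[j] - times[i] <= window_s:
                j += 1
            if j - i >= burst_n:
                hits[src] = (gap, j - i)
                break
    return hits


def constructed_flows() -> List[Flow]:
    """Synthetic capture: a normal workstation, one bot, and a spoofed SYN flood."""
    flows = []
    for k in range(40):                                   # workstation: a request every 30 s
        flows.append(Flow(30.0 * k, "10.0.0.5", "198.51.100.5", 443, "S"))
    flows.append(Flow(0.0, "10.0.0.12", "10.0.0.1", 53, ""))          # bot: one DNS lookup,
    flows.append(Flow(12.0, "10.0.0.12", "198.51.100.9", 80, "S"))    # one C&C check-in,
    for k in range(20):                                               # silence, then a sweep
        flows.append(Flow(600.0 + 0.1 * k, "10.0.0.12", f"198.51.100.{100 + k}", 445, "S"))
    spoofed = ["0.0.0.1", "127.5.6.7", "169.254.9.9", "224.0.0.9", "240.1.2.3", "255.255.255.254"]
    for k in range(12):                                   # flood against the web server
        flows.append(Flow(100.0 + 0.001 * k, spoofed[k % len(spoofed)], "10.0.0.80", 80, "S"))
    flows.append(Flow(101.0, "198.51.100.20", "10.0.0.80", 80, "S"))  # one genuine visitor
    return flows


if __name__ == "__main__":
    flows = constructed_flows()
    print("spoofed SYN floods:", spoofed_syn_floods(flows))
    print("idle-then-burst hosts:", idle_then_burst(flows))
```

The source-address check only works at a point where direction is known (a border sensor); inside the site the same 10.0.0.0/8 addresses are legitimate. The idle-then-burst thresholds should be set from a baseline of the site's own hosts, since backup jobs and update clients can produce similar shapes at predictable times.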
Detection and Evasion Techniques
Host-based Behaviors

 Detectable activity on an infected host:
    Disabled anti-virus
    Large numbers of updates to the system registry
    Specific system/library call sequences
Detection and Evasion Techniques
Global Correlated Behaviors
 Common across different botnet implementations:
    DNS changes for the C&C host (the name is re-pointed to a
     new address)
    Large numbers of DNS queries for the same name
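An added example (not from the slides or the paper) that turns the two globally correlated DNS behaviors above, and the Dynamic DNS rallying mechanism from earlier, into resolver-log checks: names that keep being re-pointed while served with a short TTL, and clients that resolve one name over and over. The log format is a constructed six-field line, the domain names and addresses are made up for the sample, and the thresholds are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class DnsRecord(NamedTuple):
    ts: datetime
    client: str
    qname: str
    answer: str
    ttl: int


def parse_dns_log(lines: Iterable[str]) -> List[DnsRecord]:
    """Parse the constructed format '<iso-time> <client> <qname> A <answer> <ttl>', one answer per line."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6 or parts[3] != "A":
            continue
        ts, client, qname, _, answer, ttl = parts
        records.append(DnsRecord(datetime.fromisoformat(ts), client,
                                 qname.lower().rstrip("."), answer, int(ttl)))
    return records


def repointed_names(records: List[DnsRecord], min_changes: int = 3,
                    window_s: int = 3600, max_ttl: int = 300) -> Dict[str, List[str]]:
    """Names whose A answer changed min_changes+ times inside window_s, served with a short TTL.

    This is what dynamic-DNS rallying looks like from the resolver: the botmaster keeps
    moving the C&C name, and the low TTL makes the bots pick the move up quickly.
    """
    by_name: Dict[str, List[DnsRecord]] = defaultdict(list)
    for r in records:
        by_name[r.qname].append(r)
    hits = {}
    for name, rs in by_name.items():
        rs.sort(key=lambda r: r.ts)
        changes, ips, first = 0, {rs[0].answer}, rs[0].ts
        for prev, cur in zip(rs, rs[1:]):
            if (cur.ts - first).total_seconds() > window_s:
                break
            if cur.answer != prev.answer:
                changes += 1
                ips.add(cur.answer)
        if changes >= min_changes and max(r.ttl for r in rs) <= max_ttl:
            hits[name] = sorted(ips)
    return hits


def chatty_clients(records: List[DnsRecord], min_queries: int = 10,
                   window_s: int = 3600) -> Set[Tuple[str, str]]:
    """(client, name) pairs where one client resolves the same name min_queries+ times per window."""
    times: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for r in records:
        times[(r.client, r.qname)].append(r.ts)
    hits = set()
    for key, ts in times.items():
        ts.sort()
        j = 0
        for i in range(len(ts)):                      # sliding window over sorted timestamps
            while (ts[i] - ts[j]).total_seconds() > window_s:
                j += 1
            if i - j + 1 >= min_queries:
                hits.add(key)
                break
    return hits


def constructed_dns_log() -> List[str]:
    """Synthetic resolver log: ordinary lookups plus one bot re-resolving its C&C name."""
    base = datetime(2011, 10, 20, 10, 0, 0)
    lines = []
    for k in range(6):                                # six workstations, one lookup each
        t = base + timedelta(minutes=7 * k)
        lines.append(f"{t.isoformat()} 10.0.0.{5 + k} www.example.com A 93.184.216.34 3600")
    answers = ["203.0.113.5", "203.0.113.77", "198.51.100.200", "203.0.113.5"]
    for k in range(15):                               # bot asks every minute; name is re-pointed
        t = base + timedelta(minutes=k)
        lines.append(f"{t.isoformat()} 10.0.0.12 update.dyn-example.org A {answers[k // 4]} 60")
    return lines


if __name__ == "__main__":
    recs = parse_dns_log(constructed_dns_log())
    print("re-pointed C&C names:", repointed_names(recs))
    print("clients hammering one name:", chatty_clients(recs))
```

Content-delivery networks also answer with short TTLs and rotating addresses, so the re-pointing check is a lead to correlate with the client-side check (many bots resolving the same name, or one host resolving it far more often than a browser would) rather than an alert on its own.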
Conclusion
 Botnets are a dangerous evolution in the malware
  world

 They are being used to damage systems, steal
  information and compromise further systems

 They are hard to detect and eliminate

 The taxonomy approach gave us an organized and
  systematic means of understanding the nature of
  botnets and their behaviors, which in turn lets us
  mitigate the threat with targeted countermeasures.
Q&A