Botnets
by Mehedy Masud

Botnets
● Introduction
● History
● How do they spread?
● What do they do?
● Why care about them?
● Detection and Prevention
Bot
● The term 'bot' comes from 'robot'.
● In the computing paradigm, 'bot' usually refers to an automated process. There are good bots and bad bots.
● Examples of good bots:
  – Google bot
  – Game bot
● Example of a bad bot:
  – Malicious software that steals information
Botnet
● Network of compromised/bot-infected machines (zombies) under the control of a human attacker (botmaster)
Fig: Botmaster controls the BotNet through an IRC server and IRC channel (C&C traffic); a code server supplies updates over the channel; the bots attack vulnerable machines
History
● In the beginning, there were only good bots.
  – ex: google bot, game bot etc.
● Later, bad people thought of creating bad bots so that they may
  – Send Spam and Phishing emails
  – Control others' PCs
  – Launch attacks on servers (DDoS)
● Many malicious bots were created
  – SDBot/Agobot/Phatbot etc.
● Botnets started to emerge
TimeLine
Years marked on the timeline: 1989, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006 to present
● GM (by Greg, Operator) recognized as first IRC bot. Entertained clients with games
● W32/PrettyPark: 1st worm to use IRC as C&C. DDoS capable
● GT bots combined mIRC client, hacking scripts & tools (port scanning, DDoS)
● W32/Sdbot: first family of bots developed as a single binary, by a Russian named sd
● W32/Spybot family emerged
● W32/Agobot bot family added modular design and significant functionality
● RPCSS
● W32/Mytob hybrid bot, major e-mail outbreak
Cases in the news
● Axel Gembe
  – Author of Agobot (aka Gaobot, Polybot)
  – 21 yrs old
  – Arrested in Germany in 2004 under Germany's computer sabotage law
● Jeffry Parson
  – Released a variation of the Blaster worm
  – Infected 48,000 computers worldwide
  – 18 yrs old
  – Arrested, sentenced to 18 months & 3 yrs of supervised release
How The Botnet Grows
Recruiting New Machines
● Exploit a vulnerability to execute a short program (exploit) on the victim's machine
  – Buffer overflows, email viruses, Trojans etc.
● Exploit downloads and installs the actual bot
● Bot disables firewall and A/V software
● Bot locates IRC server, connects, joins
  – Typically needs DNS to find out the server's IP address
  – Authentication password often stored in the bot binary
● Botmaster issues commands
What Is It Used For
● Botnets are mainly used for only one thing
How Are They Used
● Distributed Denial of Service (DDoS) attacks
● Sending Spam
● Phishing (fake websites)
● Adware (Trojan horse)
● Spyware (keylogging, information harvesting)
● Storing pirated materials
Open-source Malware Aliases Infection
– –
Example : SDBot
Mcafee: IRC-SDBot, Symantec: Backdoor.Sdbot Mostly through network shares Try to connect using password guessing (exploits weak passwords)
●
–
●
Signs of Compromise
–
– – –
SDBot copies itself to System folder - Known filenames: Aim95.exe, Syscfg32.exe etc.. Registry entries modified Unexpected traffic : port 6667 or 7000 Known IRC channels: Zxcvbnmas.i989.net etc..
Example : RBot
● First of the Bot families to use encryption
● Aliases
  – McAfee: W32/SDbot.worm.gen.g, Symantec: W32.Spybot.worm
● Infection
  – Network shares, exploiting weak passwords
  – Known s/w vulnerabilities in Windows (e.g. lsass buffer overflow vulnerability)
● Signs of Compromise
  – Copies itself to the System folder - Known filenames: wuamgrd.exe, or random names
  – Registry entries modified
  – Terminates A/V processes
  – Unexpected traffic: 113 or other open ports
Example : Agobot
● Modular Functionality
  – Rather than infecting a system at once, it proceeds through three stages (3 modules)
    ● infect a client with the bot & open a backdoor
    ● shut down A/V tools
    ● block access to A/V and security related sites
  – After successful completion of one stage, the code for the next stage is downloaded
● Advantage?
  – the developer can update or modify one portion/module without having to rewrite or recompile the entire code
Example : Agobot
● Aliases
  – McAfee: W32/Gaobot.worm, Symantec: W32.HLLW.Gaobot.gen
● Infection
  – Network shares
  – Password guessing
  – P2P systems: Kazaa etc.
  – Protocol: WASTE
● Signs of Compromise
  – System folder: svshost.exe, sysmgr.exe etc.
  – Registry entries modification
  – Terminates A/V processes
  – Modifies the %System\drivers\etc\hosts file
    – Symantec/McAfee's live update sites are redirected to 127.0.0.1
Example : Agobot
● Signs of Compromise (contd..)
  – Theft of information: seeks and steals CD keys for popular games like "Half-Life", "NFS" etc.
  – Unexpected Traffic: open ports to IRC server etc.
  – Scanning: Windows, SQL server etc.
DDoS Attack
● Goal: overwhelm the victim machine and deny service to its legitimate clients
● DoS often exploits networking protocols
  – Smurf: ICMP echo request to broadcast address with spoofed victim's address as source
  – Ping of death: ICMP packets with payloads greater than 64K crash older versions of Windows
  – SYN flood: "open TCP connection" request from a spoofed address
  – UDP flood: exhaust bandwidth by sending thousands of bogus UDP packets
DDoS attack
● Coordinated attack on a specified host
Fig: Attacker -> Master (IRC Server) machines -> Zombie machines -> Victim
Why DDoS attack?
● Extortion
  – Take down systems until they pay
  – Works sometimes too!
● Example: 180 Solutions – Aug 2005
  – Botmaster used bots to distribute 180solutions adware
  – 180solutions shut down the botmaster
  – Botmaster threatened to take down 180solutions if not paid
  – When not paid, botmaster used DDoS
  – 180Solutions filed a civil lawsuit against the hackers
Botnet Detection
● Host Based
● Intrusion Detection Systems (IDS)
● Anomaly Detection
● IRC Nicknames
● HoneyPot and HoneyNet
Host-based detection
● Virus scanning
● Watching for Symptoms
  – Modification of the Windows hosts file
  – Random unexplained popups
  – Machine slowness
  – Antivirus not working
● Watching for suspicious network traffic
  – Since IRC is not commonly used, any IRC traffic is suspicious. Sniff this IRC traffic
  – Check if the host is trying to communicate with any Command and Control (C&C) Center
  – Through firewall logs, denied connections
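One of the host symptoms listed above, modification of the hosts file (the slides later describe Agobot redirecting A/V update sites to 127.0.0.1), written as a check that a responder could run. This is an added example, not from the slides; the hosts file content and the vendor names in it are constructed.

```python
import ipaddress

# Constructed sample of a Windows hosts file after a bot has edited it:
# update hostnames have been pinned to the loopback / unspecified address.
# The vendor names are placeholders, not real domains.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1   liveupdate.av-vendor.example   # constructed vendor name
127.0.0.1   download.av-vendor.example
0.0.0.0     update.security-vendor.example
192.0.2.10  intranet.example
"""

# Names that legitimately map to loopback and must not be flagged.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines.
    A line may carry several hostnames for one address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            yield parts[0], name.lower()


def sinkholed_entries(text):
    """Return entries that pin a non-localhost name to a loopback or
    unspecified address: the pattern the slides describe for A/V update sites."""
    hits = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if (addr.is_loopback or addr.is_unspecified) and name not in BENIGN_NAMES:
            hits.append((ip, name))
    return hits
```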
Network Intrusion Detection Systems
● Example Systems: Snort and Bro
● Sniff network packets, look for specific patterns (called signatures)
● If any pattern matches that of a malicious binary, then block that traffic and raise an alert
● These systems can efficiently detect viruses/worms having known signatures
● Can't detect any malware whose signature is unknown (i.e., zero day attack)
Anomaly Detection
● Normal traffic has some patterns
  – Bandwidth/Port usage
  – Byte-level characteristics (histograms)
  – Protocol analysis – gather statistics about
    – TCP/UDP src, dest address
    – Start/end of flow, byte count
    – DNS lookup
● First learn the normal traffic pattern
● Then detect any anomaly in that pattern
● Example systems: SNMP, NetFlow
● Problems:
  – Poisoning
  – Stealth
IRC Nicknames
● Bots use weird nicknames
● But they have certain patterns (really!)
● If we can learn that pattern, we can detect bots & botnets
● Example nicknames:
  – USA|016887436 or DE|028509327: Country | Random number (9 digits)
  – RBOT|XP|48124: Bot type | Machine Type | Random number
● Problem: May be defeated by changing the nickname randomly
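The nickname heuristic above, as an added example (not code from the slides): two patterns for the naming schemes the slide lists are matched against a constructed channel roster, and the share of the roster that looks bot-generated is reported. The regular expressions and the roster are assumptions.

```python
import re

# Constructed roster of nicks seen in one IRC channel: both naming schemes
# from the slide mixed with ordinary human nicks and near-misses.
SAMPLE_NICKS = [
    "USA|016887436", "DE|028509327", "RBOT|XP|48124", "SDBOT|2K|9021",
    "alice", "bob_42",
    "UK|12345",        # country prefix but only 5 digits
    "DE|x28509327",    # non-digit inside the number
]

# Scheme 1 on the slide: Country | Random number (9 digits)
COUNTRY_NUMBER = re.compile(r"^[A-Z]{2,3}\|\d{9}$")
# Scheme 2 on the slide: Bot type | Machine type | Random number
BOT_OS_NUMBER = re.compile(r"^[A-Z]+BOT\|[A-Z0-9]+\|\d+$")


def classify_nick(nick):
    """Return the name of the scheme a nick matches, or None for an ordinary nick."""
    if COUNTRY_NUMBER.match(nick):
        return "country|number"
    if BOT_OS_NUMBER.match(nick):
        return "bottype|machine|number"
    return None


def flag_bot_nicks(nicks):
    """Map each suspicious nick to the scheme it matched."""
    flagged = {}
    for nick in nicks:
        scheme = classify_nick(nick)
        if scheme is not None:
            flagged[nick] = scheme
    return flagged


def bot_share(nicks):
    """Fraction of the roster matching a bot scheme; a channel where this is
    high is a candidate C&C channel (threshold is up to the analyst)."""
    return len(flag_bot_nicks(nicks)) / len(nicks) if nicks else 0.0
```

As the slide notes, a bot that randomizes its nickname defeats these patterns, so the share is a triage signal rather than proof.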
HoneyPot and HoneyNet
● A HoneyPot is a vulnerable machine, ready to be attacked
  – Example: unpatched Windows 2000 or Windows XP
● Once attacked, the malware is caught inside
● The malware is analyzed, its activity is monitored
● When it connects to the C&C server, the server's identity is revealed
● Thus much information about the bot is obtained
  – C&C server address, master commands
  – Channel, Nickname, Password
● Now do the following
  – Make a fake bot join the same IRC channel with the same nickname/password
  – Monitor who else is in the channel, thus observe the botnet
  – Collect statistics – how many bots
  – Collect sensitive information – who is being attacked, when etc.
● Finally, take down the botnet
● HoneyNet: a network of honeypots (see the 'HoneyNet Project')
● Very effective, worked in many cases
● They also pose a great security risk
  – If not maintained properly, a hacker may use them to attack others
  – Must be monitored cautiously
Summary
● Today we have learned
  – What a botnet is
  – How / why they are used
  – How to detect / prevent
Questions?
BOTNET DETECTION USING DATA MINING
February 6, 2008 M. Mehedy Masud
Botnet detection

Background
● Botnet
  – Network of compromised machines
  – Under the control of a botmaster
● Taxonomy:
  – C&C: Centralized, Distributed etc.
  – Protocol: IRC, HTTP, P2P etc.
  – Rallying mechanism: Hard-coded IP, Dynamic DNS etc.
IRC Botnets
● Centralized
● IRC-based
● Large
● Easy to detect
● CPF (central point of failure) – IRC Server
● Easy to destroy
Fig: Botmaster controls the BotNet through an IRC server and IRC channel (C&C traffic); a code server supplies updates over the channel; the bots attack vulnerable machines
P2P Botnets
● Distributed
● P2P protocol used
● Small
● Harder to detect
● No CPF
● Not easy to destroy
Botnet Research
● IRC botnet detection (many)
  – Honeypot-based (Rajab et al., 2006)
  – Network traffic mining (Livadas et al., 2006)
  – Nickname/signature mining (Goebel & Holz, 2007)
● P2P botnet detection (few)
  – P2P bot analysis (Grizzard et al., 2007)
  – Some theoretical contributions (Wang et al., 2007)
  – Little research towards P2P botnet detection
Weak Points – Rallying Mechanism
● Hard coded IP
  – Trojan.Peacomm (Grizzard et al., 2007)
  – Nugache (Lemos, 2006)
  – Initial peer list hard coded
  – Tries to contact initial peers after infection
  – Can be detected by analysis
● Random IP
  – Sinit (L.T.I. group, 2004)
  – No initial peer list
  – Probes random IPs
  – Generates a lot of ICMP errors
Possible Detection Techniques
●
System monitoring
– – –
Looking for symptoms (e.g. change in “hosts” file) Anti-virus Unusual system calls Open ports Connection rate Arp requests ICMP errors
●
Network traffic monitoring
– – – –
February 6, 2008 M. Mehedy Masud
4
Botnet detection
Port Scanning
● Do we need to monitor all ports?
  – No
● Fact 1: P2P bots must open a port to communicate
  – So, monitor only open (i.e., server) ports
● Fact 2: P2P bots must use TCP or UDP to communicate
  – So, monitor only TCP/UDP ports
Detecting Open Ports
● A port is open (server) if
  – It accepts a new connection
  – It is connected to multiple ports
● Accepting a new TCP Connection
  – Client: SYN
  – Server: SYN, ACK
  – Client: ACK ---- Connection Established!
  – The port accepting the SYN is an open port!!
  – Monitor all ports that accept a connection
Detecting Open Ports (cont…)
● Already existing connections
  ◦ From each packet header, obtain the connection (Host port, Host ip, Remote port, Remote ip)
  ◦ A connection c is a 4-tuple (hp, hip, rp, rip)
  ◦ Create a list of connections C
  ◦ If there are two connections c1, c2 ∈ C s.t. c1 ≠ c2 and c1.hp == c2.hp, then hp is an open port
  ◦ If there are two connections c1, c2 ∈ C s.t. c1 ≠ c2 and c1.rp == c2.rp, then rp is an open port
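The two open-port rules from these slides (the SYN / SYN-ACK / ACK handshake rule and the 4-tuple rule) implemented over a constructed packet-header trace. This is an added example, not the author's code; the monitored host address, the trace and the flag encoding ("S", "SA", "A") are assumptions.

```python
from collections import defaultdict

# Constructed packet headers seen at one monitored host:
# (src_ip, src_port, dst_ip, dst_port, tcp_flags) with "S" = SYN, "SA" = SYN+ACK, "A" = ACK.
HOST = "10.0.0.5"
PACKETS = [
    # a remote client completes a handshake to our port 12474 -> open port
    ("198.51.100.7", 40001, HOST, 12474, "S"),
    (HOST, 12474, "198.51.100.7", 40001, "SA"),
    ("198.51.100.7", 40001, HOST, 12474, "A"),
    # our host opens two client connections to one remote web server
    (HOST, 51000, "203.0.113.9", 80, "S"),
    ("203.0.113.9", 80, HOST, 51000, "SA"),
    (HOST, 51000, "203.0.113.9", 80, "A"),
    (HOST, 51001, "203.0.113.9", 80, "S"),
    ("203.0.113.9", 80, HOST, 51001, "SA"),
    (HOST, 51001, "203.0.113.9", 80, "A"),
    # a SYN to our port 139 that is never answered -> not an open port
    ("192.0.2.20", 3333, HOST, 139, "S"),
    # an already established flow from a second remote peer to port 12474
    ("192.0.2.21", 4444, HOST, 12474, "A"),
]


def open_ports_by_handshake(packets, host):
    """Rule 1: a host port that answers a SYN with SYN+ACK and then sees the
    client's ACK has accepted a connection, so it is open."""
    pending, synacked, opened = set(), set(), set()
    for src, sport, dst, dport, flags in packets:
        if dst == host and flags == "S":
            pending.add((src, sport, dport))
        elif src == host and flags == "SA" and (dst, dport, sport) in pending:
            synacked.add((dst, dport, sport))
        elif dst == host and flags == "A" and (src, sport, dport) in synacked:
            opened.add(dport)
    return opened


def connections(packets, host):
    """Build the set C of 4-tuples (hp, hip, rp, rip) from the packet headers."""
    conns = set()
    for src, sport, dst, dport, _ in packets:
        if src == host:
            conns.add((sport, src, dport, dst))
        elif dst == host:
            conns.add((dport, dst, sport, src))
    return conns


def open_ports_by_fanout(conns):
    """Rule 2: a port shared by two distinct connections is a server port.
    Returns (open host ports, open remote ports)."""
    local, remote = defaultdict(int), defaultdict(int)
    for hp, _, rp, _ in conns:
        local[hp] += 1
        remote[rp] += 1
    return ({p for p, n in local.items() if n > 1},
            {p for p, n in remote.items() if n > 1})
```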
What To Monitor?
● Monitor Payload / Header?
● Problems with payload monitoring
  – Privacy
  – Unavailability
  – Encryption/Obfuscation
● Information extracted from the Header
  – New connections (why?)
  – Packet size (why?)
  – Upload/Download bandwidth (why?)
How to Monitor?
● Traffic patterns vary with time
● Special (distinguishing) patterns may appear for a short while
  – E.g. new connections
  – Sudden burst of traffic
Fig: Trojan.Peacomm connections after infection (Grizzard, et al., 2007)
How to Monitor? (continued)
● Solution 1: Time-series analysis
  – Each feature is a time series
  – Sampled at a frequent interval
  – Problem: feature space too large/impractical
● Solution 2: Histogram analysis
  – Each feature is a histogram
  – Samples are collected at a frequent interval
  – Bins are filled up periodically
  – Problem: size, number of bins?
Mapping to Stream Mining
● Network traffic can be thought of as stream data
● Detecting botnet traffic inside network traffic can be mapped to a classification problem
● Botnet characteristics may change over time
● Thus, botnet traffic detection can be mapped to:
  – a concept-drifting stream data classification problem
Peer to Peer Botnets
by Mehedy Masud

Botnets
● Introduction
● History
● Taxonomy
● Overview
● Case studies
● New technique
● Detection and Prevention
Taxonomy
Peer2Peer Bots: Overview & Case Studies
● Julian B. Grizzard
  – Johns Hopkins
● Vikram Sharma, Chris Nunnery, and Brent ByungHoon Kang
  – North Carolina, Chapel Hill
● David Dagon
  – Georgia Institute of Technology
● HotBots - 2007
Peer2Peer BotNets: History
● Napster: earliest Peer2Peer protocol
  – Not completely P2P
  – Shut down because found illegal
● Gnutella
  – Completely decentralized
● Recent Protocols
  – Chord
  – Kademlia
Botnet Goals
● All kinds of botnets have the same goals
  – Information dispersion
  – Information harvesting
  – Information processing
● Information dispersion
  – Spam, phishing, DoS etc.
  – Economic benefit
● Information harvesting
  – Identity data, passwords, relationship data etc.
  – Direct economic benefit
● Information processing
  – Cracking passwords
Case Study: Trojan.Peacomm
● Uses the Overnet P2P protocol
● Overnet implements a distributed hash table based on the Kademlia algorithm
● After infection, secondary injections are automatically downloaded from the P2P net
● This enables the hacker to arbitrarily upgrade, control, or command bots
Experimental Setup
● Trojan.Peacomm was executed within a honeypot in the UNCC HoneyNet Lab
● The honeypot was running a VMware virtual machine running Windows XP
● Connections to the internet were controlled by a HoneyWall
● The PerilEyez malware analysis tool was used to detect changes in the system
● Pcap logs were kept; the specimen ran for two weeks
Initial bot
● Distributed as a trojan horse email
● The executable is installed
● Connects to P2P and downloads the secondary injection
● The PerilEyez tool is used to capture system state before and after infection (file system/open ports/services)
● It adds the system driver "wincomm32.sys" to the host
  – The driver is injected into the Windows process "services.exe"
Initial bot (continued)
  – This service acts as a P2P client that downloads the secondary injection
  – Initial peer list saved in %system%\wincom.ini
● Windows Firewall is disabled
● Ports opened:
  – TCP 139, 12474
  – UDP 123, 137 etc.
● Initial Peer List is hard-coded
● This could be a central point of failure
Communication Protocol
● Protocol Summary
  – Overnet, implementing Kademlia
  – A 128-bit numeric space is used
  – Values are mapped into the numeric space with keys
  – Key/value pairs are stored in the nearest peer, with nearness computed by the XOR function
  – A list of nodes is kept for each bucket in the numeric space
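The XOR metric, bucket structure and "nearest peer" placement summarized above, worked in Python. This is an added illustration of the Kademlia idea the slide describes, not Overnet's or the bot's code; the peer network is constructed, and MD5 is used only as a convenient way to produce deterministic 128-bit sample identifiers (it is not a claim about how Overnet derives IDs).

```python
import hashlib

ID_BITS = 128  # the 128-bit numeric space from the slide


def node_id(label):
    """Constructed 128-bit identifier for a peer or a key: MD5 of a label, as an int.
    Any 128-bit value would do; the hash just gives stable sample IDs."""
    return int.from_bytes(hashlib.md5(label.encode()).digest(), "big")


def xor_distance(a, b):
    """Kademlia metric: the distance between two IDs is their bitwise XOR."""
    return a ^ b


def bucket_index(own_id, other_id):
    """Bucket i holds nodes at distance in [2^i, 2^(i+1)), i.e. i is the
    position of the highest bit in which the two IDs differ. None if equal."""
    d = xor_distance(own_id, other_id)
    return d.bit_length() - 1 if d else None


def closest_nodes(key, node_ids, k=3):
    """The k node IDs XOR-closest to a key: a key/value pair is stored on
    these nodes, and a lookup is forwarded towards them."""
    return sorted(node_ids, key=lambda n: xor_distance(n, key))[:k]


# Constructed sample network: six peers and one published key (a value,
# e.g. a download URL, would be hashed into the same 128-bit space).
PEERS = {lbl: node_id(lbl) for lbl in ["peerA", "peerB", "peerC", "peerD", "peerE", "peerF"]}
KEY = node_id("sample-key")


def store_targets(key=KEY, peers=PEERS, k=3):
    """Labels of the k peers responsible for storing the key's value."""
    by_id = {v: lbl for lbl, v in peers.items()}
    return [by_id[n] for n in closest_nodes(key, list(peers.values()), k)]
```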
Secondary Injection
● Steps
  – Connect to Overnet
  – Download secondary injection URL
  – Decrypt secondary injection URL
  – Download secondary injection
  – Execute secondary injection
● Types of secondary injection
  – Downloader and rootkit component
  – SMTP spamming component
  – Email address harvester
  – Email propagation component
  – DDoS tool
● All of these can be rooted from one injection
● Can periodically update itself by searching through the P2P net
● This provides the basic Command and Control functionality
Searching the Download URL
● A search key is generated in the bot using an algorithm that uses the system date and a random number (0..31)
● So the botmaster needs to publish a new URL under 32 different keys on a particular day
● It searches for this key in its initial peer list
● If it is not found in a peer, the request is forwarded to other peers
Searching the Download URL
● If a match is found, a result is returned
● The "result" hash is used as a decryption key, paired with another key that is hardcoded in the bot
● Also, the response packet contains a single meta-tag named "id"
● The body of the tag contains the encrypted URL
Index Poisoning
● P2P networks contain indexes corresponding to each content item
● Index poisoning means adding bogus records to indexes
● For example, adding a fake ip/port corresponding to a file
● Trojan.Peacomm has index poisoning capability
● Possible motive: slowing down infection or measuring the number of bots
Network Trace Analysis
Fig: Number of Remote IPv4 Addresses Contacted Over Time for Duration of Infection (annotated: start of infection; steep slope (initial connections); slowing down (saturation))
Network Trace Analysis (Contd…)
● Network traces are parsed
● It is found that the bot searches for five keys
● Key1 is the hash of its own IP
  – It periodically searches key1 to find the nearest peers
● Key2 and Key4 are never found
● Key3 and Key5 are found after a small search
  – Key3 is found in 6 seconds, key5 is found in 3 seconds
Network Trace Analysis (Contd…)
● This indicates that "command latency" for P2P bots is low (but higher than centralized)
● Number of unique hosts contacted directly: 4200
● Total unique IPs found in Overnet packets: 10,105
● The same search requests appeared from another machine
  – Possibly infected by Trojan.Peacomm
Conclusion
● This paper describes a case study of Trojan.Peacomm – a p2p
● Describes how it propagates and contacts the C&C
● Analysis of the network trace is presented
Detecting P2P Botnets
● Reinier Schoof & Ralph Koning
  – University of Amsterdam
  – Appeared in a technical report, Feb 2007
Overview
● Spreading
  – File sharing over a P2P network
  – Uses popular filenames to entice download
● Command and Control
  – Unlike IRC, bots do not wait for commands
  – The botmaster joins the network as a peer
  – Passes commands along to its peers
● Protocols
  – Phatbot uses the WASTE protocol
  – Nugache and Spamthru use home-made protocols
Experiments
● Two bots are analysed in a controlled environment
  – Nugache
  – Sinit
● Test environment consists of
  – Four computers
  – Three running Windows XP
  – One running FreeBSD. This runs softflowd to act as a software router connecting the three machines, collecting all netflows
Bot analysis
● Sinit
  – Trojan horse
  – Uses P2P to spread itself
  – Tries to reach other Sinit-infected hosts by sending discovery packets to port 53 of random IPs
  – Establishes a connection when it receives a discovery response packet
  – The two hosts exchange lists of peers
  – Connects to those peers
  – Runs a web server to publish /kx.exe, which is the Sinit binary
  – The random IP scan generates a lot of ICMP 3 (host unreachable)
Bot analysis (Contd…)
● Nugache
  – Trojan horse
  – Opens TCP port 8, connects to a hard-coded list of peers
  – Exchanges peer list after connection
  – Starts DDoS when commanded
  – Commands are encrypted/obfuscated
  – Spreads over AIM
  – Installs the initial peer list in the Windows registry
  – This list is updated dynamically
  – Uses an obfuscated communication channel
Bot analysis (Contd…)
● PhatBot
  – A cousin of AgoBot
  – Uses the WASTE protocol
    – It is an encrypted open-source P2P network
  – The bot finds other peers by using cache servers on the Gnutella P2P network
    – Looks for clients identified by GNUT, a Gnutella client
  – Has a list of processes to kill when it runs
    – Consisting of antivirus and competing malware
Detection
● Open ports
  – A specific port/range of ports must be opened
  – Monitoring those ports may enable detection
  – May result in false positives (when other applications use the specific ports) or false negatives (when normal ports are used for bot communication)
● Connection failures
  – May result in a lot of ICMP 3 errors
● Peer Discovery
  – A static peer list may be a central point of failure
  – Random scanning is very inefficient
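The connection-failure signal from the Sinit analysis above (discovery packets to port 53 of random IPs, most answered by ICMP type 3) as a detection rule over flow records, added here as an example and not taken from the paper. The flow records are constructed in the spirit of softflowd/NetFlow output, and the thresholds are assumptions an analyst would tune.

```python
from collections import defaultdict


def synth_flows():
    """Constructed flow records: (time_s, src_ip, dst_ip, proto, sport, dport, icmp_type).
    icmp_type is None for non-ICMP flows; ICMP flows carry ports 0."""
    flows = []
    # Sinit-like host 10.0.0.7: UDP/53 probes to 40 distinct random-looking
    # addresses in 20 seconds; 36 of them come back as ICMP type 3.
    for i in range(40):
        dst = f"203.0.113.{i + 1}"
        flows.append((100 + i // 2, "10.0.0.7", dst, "udp", 1025, 53, None))
        if i % 10 != 9:
            flows.append((100 + i // 2, dst, "10.0.0.7", "icmp", 0, 0, 3))
    # Ordinary host 10.0.0.8: 40 DNS queries, all to the local resolver.
    for i in range(40):
        flows.append((100 + i, "10.0.0.8", "10.0.0.53", "udp", 50000 + i, 53, None))
    flows.append((110, "10.0.0.8", "198.51.100.10", "tcp", 51234, 80, None))
    return flows


def host_stats(flows):
    """Per source host: (distinct UDP/53 destinations, ICMP type-3 errors received)."""
    probes = defaultdict(set)
    unreach = defaultdict(int)
    for _, src, dst, proto, _, dport, icmp_type in flows:
        if proto == "udp" and dport == 53:
            probes[src].add(dst)
        elif proto == "icmp" and icmp_type == 3:
            unreach[dst] += 1  # the error is delivered back to the original sender
    hosts = set(probes) | set(unreach)
    return {h: (len(probes[h]), unreach[h]) for h in hosts}


def flag_scanners(flows, min_targets=20, min_unreach_ratio=0.5):
    """Hosts that probed many distinct addresses and drew unreachable errors
    for a large share of them: the footprint of random-IP peer discovery.
    A normal resolver client talks to few destinations and draws no errors."""
    stats = host_stats(flows)
    return {h for h, (targets, errors) in stats.items()
            if targets >= min_targets and errors / targets >= min_unreach_ratio}
```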
Conclusion
● P2P botnets pose a significant threat to the future internet community
● Although the current P2P protocols used by the bots are inefficient, they are likely to be made efficient
● There are some detection techniques, but none of them are very reliable