Botnets
by
Mehedy Masud
Botnets
● Introduction
● History
● How do they spread?
● What do they do?
● Why care about them?
● Detection and Prevention
Bot
● The term 'bot' comes from 'robot'.
● In the computing paradigm, 'bot' usually refers to an automated process.
● There are good bots and bad bots.
● Example of good bots:
– Google bot
– Game bot
● Example of bad bots:
– Malicious software that steals information
Botnet
● Network of compromised/bot-infected
machines (zombies) under the control of
a human attacker (botmaster)
[Figure: botnet architecture – the botmaster issues commands through an IRC server/channel (C&C traffic); bots fetch updates from a code server and attack vulnerable machines, which then join the botnet]
History
● In the beginning, there were only good
bots.
– ex: google bot, game bot etc.
● Later, bad people thought of creating bad bots so that they could
– Send spam and phishing emails
– Control other people's PCs
– Launch attacks on servers (DDoS)
● Many malicious bots were created
– SDBot/Agobot/Phatbot etc.
● Botnets started to emerge
Timeline (1989 – present)
● GM (by Greg, Operator): recognized as the first IRC bot; entertained clients with games
● W32/PrettyPark: first worm to use IRC as C&C; DDoS capable
● GT bots: RPCSS combined with an mIRC client, hacking scripts & tools (port scanning, DDoS)
● W32/Sdbot: first family of bots developed as a single binary (by a Russian named sd)
● W32/Agobot: bot family that added modular design and functionality
● W32/Spybot: family emerged
● W32/Mytob: hybrid bot; major, significant e-mail outbreak
(Year axis on the original figure: 1989, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, Present)
Cases in the news
● Axel Gembe
– Author of Agobot (aka Gaobot, Polybot)
– 21 yrs old
– Arrested in Germany in 2004 under Germany's computer sabotage law
● Jeffrey Parson
– Released a variation of the Blaster worm
– Infected 48,000 computers worldwide
– 18 yrs old
– Arrested, sentenced to 18 months & 3 yrs of supervised release
How The Botnet Grows
Recruiting New Machines
● Exploit a vulnerability to execute a short program (exploit) on the victim's machine
– Buffer overflows, email viruses, Trojans etc.
● Exploit downloads and installs the actual bot
● Bot disables firewall and A/V software
● Bot locates IRC server, connects, joins
– Typically needs DNS to find out the server's IP address
– Authentication password often stored in the bot binary
● Botmaster issues commands
What Is It Used For
● Botnets are mainly used for only one thing
How Are They Used
● Distributed Denial of Service (DDoS) attacks
● Sending spam
● Phishing (fake websites)
● Adware (Trojan horse)
● Spyware (keylogging, information
harvesting)
● Storing pirated materials
Example: SDBot
● Open-source malware
● Aliases
– McAfee: IRC-SDBot, Symantec: Backdoor.Sdbot
● Infection
– Mostly through network shares
– Tries to connect using password guessing (exploits weak passwords)
● Signs of compromise
– SDBot copies itself to the System folder; known filenames: Aim95.exe, Syscfg32.exe, etc.
– Registry entries modified
– Unexpected traffic: port 6667 or 7000
– Known IRC channels: Zxcvbnmas.i989.net, etc.
Example: RBot
● First of the bot families to use encryption
● Aliases
– McAfee: W32/SDbot.worm.gen.g, Symantec: W32.Spybot.worm
● Infection
– Network shares, exploiting weak passwords
– Known software vulnerabilities in Windows (e.g., the LSASS buffer overflow vulnerability)
● Signs of compromise
– Copies itself to the System folder; known filenames: wuamgrd.exe, or random names
– Registry entries modified
– Terminates A/V processes
– Unexpected traffic: port 113 or other open ports
Example: Agobot
● Modular functionality
– Rather than infecting a system all at once, it proceeds through three stages (3 modules)
● Infect a client with the bot & open a backdoor
● Shut down A/V tools
● Block access to A/V and security-related sites
– After successful completion of one stage, the code for the next stage is downloaded
● Advantage?
– The developer can update or modify one portion/module without having to rewrite or recompile the entire code
Example: Agobot (contd.)
● Aliases
– McAfee: W32/Gaobot.worm, Symantec: W32.HLLW.Gaobot.gen
● Infection
– Network shares, password guessing
– P2P systems: Kazaa, etc.
– Protocol: WASTE
● Signs of compromise
– System folder: svshost.exe, sysmgr.exe, etc.
– Registry entries modified
– Terminates A/V processes
– Modifies the %System%\drivers\etc\hosts file
● Symantec/McAfee's live update sites are redirected to 127.0.0.1
Example: Agobot (contd.)
● Signs of compromise (contd.)
– Theft of information: seeks and steals CD keys for popular games like "Half-Life", "NFS", etc.
– Unexpected traffic: open ports to the IRC server, etc.
– Scanning: Windows, SQL Server, etc.
DDoS Attack
● Goal: overwhelm the victim machine and deny service to its legitimate clients
● DoS often exploits networking protocols
– Smurf: ICMP echo request to a broadcast address with the spoofed victim's address as source
– Ping of death: ICMP packets with payloads greater than 64K crash older versions of Windows
– SYN flood: "open TCP connection" requests from a spoofed address
– UDP flood: exhaust bandwidth by sending
thousands of bogus UDP packets
DDoS attack
● Coordinated attack to specified host
[Figure: DDoS hierarchy – attacker, then master (IRC server) machines, then zombie machines, then the victim]
Why DDoS attack?
● Extortion
– Take down systems until they pay
– Works sometimes too!
● Example: 180 Solutions – Aug 2005
– Botmaster used bots to distribute 180solutions adware
– 180solutions shut the botmaster down
– Botmaster threatened to take down 180solutions if not paid
– When not paid, the botmaster used DDoS
– 180solutions filed a civil lawsuit against the hackers
Botnet Detection
● Host Based
● Intrusion Detection Systems (IDS)
● Anomaly Detection
● IRC Nicknames
● HoneyPot and HoneyNet
Host-based detection
● Virus scanning
● Watching for symptoms
– Modification of the Windows hosts file
– Random unexplained popups
– Machine slowness
– Antivirus not working
● Watching for suspicious network traffic
– Since IRC is not commonly used, any IRC traffic is suspicious; sniff this IRC traffic
– Check if the host is trying to communicate with any Command and Control (C&C) center
– Through firewall logs: denied connections
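The hosts-file symptom above, together with the Agobot slide's redirection of Symantec/McAfee update sites to 127.0.0.1, can be turned into a concrete host-based check. The following is an added example, not code from the slides: it parses hosts-file text and reports any watched vendor hostname that is mapped to a loopback or blackhole address. The domain watch list, the address set and the sample file are constructed for the example.

```python
"""Hosts-file tamper check (added example; not from the slides).

The watch list, the blackhole address set and the sample hosts file below are
constructed for this example; the Agobot slide only states that Symantec and
McAfee live update sites are redirected to 127.0.0.1."""

# Constructed watch list: hostnames that should never resolve to loopback.
WATCHED_DOMAINS = {
    "liveupdate.symantec.com",
    "update.symantec.com",
    "download.mcafee.com",
    "windowsupdate.microsoft.com",
}

# Addresses that blackhole a name when used in a hosts-file entry.
BLACKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text; '#' comments are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comment
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def find_redirects(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip)] for watched names that the file sends to a blackhole address."""
    return [(name, ip) for ip, name in parse_hosts(text)
            if name in watched and ip in BLACKHOLE_ADDRS]


# Constructed sample hosts file: the two vendor entries are the tampering.
SAMPLE_HOSTS = """# constructed sample, not a real machine's file
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com
127.0.0.1       download.mcafee.com      # added by malware
10.0.0.5        intranet.example.test
"""

if __name__ == "__main__":
    # On a real Windows host read %SystemRoot%\System32\drivers\etc\hosts instead.
    for name, ip in find_redirects(SAMPLE_HOSTS):
        print(f"ALERT: {name} is mapped to {ip}")
```

Note that legitimate entries (`localhost`, internal names) pass untouched; only names on the watch list that point at a blackhole address are reported, so the check stays quiet on normal machines.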
Network Intrusion Detection Systems
● Example systems: Snort and Bro
● Sniff network packets, look for specific patterns (called signatures)
● If any pattern matches that of a malicious binary, then block that traffic and raise an alert
● These systems can efficiently detect viruses/worms having known signatures
● Can't detect any malware whose signature is unknown (i.e., a zero-day attack)
Anomaly Detection
● Normal traffic has some patterns
– Bandwidth/port usage
– Byte-level characteristics (histograms)
– Protocol analysis – gather statistics about TCP/UDP source and destination addresses, start/end of flow, byte count
– DNS lookups
● First learn the normal traffic pattern
● Then detect any anomaly in that pattern
● Example systems: SNMP, NetFlow
● Problems:
– Poisoning
– Stealth
IRC Nicknames
● Bots use weird nicknames
● But they have a certain pattern (really!)
● If we can learn that pattern, we can detect bots & botnets
● Example nicknames:
– USA|016887436 or DE|028509327
● Country | Random number (9 digits)
– RBOT|XP|48124
● Bot type | Machine type | Random number
● Problem: may be defeated by changing the nickname randomly
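Added example (not from the slides): the two nickname shapes given above turned into regular expressions and applied to IRC JOIN and NICK messages. The IRC log lines, the channel name and the machine-type alternatives other than XP are constructed assumptions.

```python
import re

# Patterns derived from the two nickname forms on the slide:
#   COUNTRY|ddddddddd   e.g. USA|016887436, DE|028509327
#   BOT|MACHINE|ddddd   e.g. RBOT|XP|48124
# Machine-type alternatives other than XP are assumptions for this example.
NICK_PATTERNS = [
    ("country-random9", re.compile(r"^[A-Z]{2,3}\|\d{9}$")),
    ("bot-machine-random", re.compile(r"^[A-Za-z]+\|(XP|2K|NT|2003)\|\d{3,}$")),
]

# IRC message with a ":nick!user@host COMMAND params" prefix.
PREFIX_RE = re.compile(r"^:([^!\s]+)!\S+\s+(\w+)\s*(.*)$")


def classify_nick(nick):
    """Return the matching pattern label, or None if the nickname looks ordinary."""
    for label, pattern in NICK_PATTERNS:
        if pattern.match(nick):
            return label
    return None


def scan_irc_log(lines):
    """Flag bot-style nicknames in JOIN and NICK messages.

    Returns [(nick, label)] in the order seen. For NICK the *new* name is
    checked, since a bot may rename itself after connecting."""
    hits = []
    for line in lines:
        m = PREFIX_RE.match(line)
        if not m:
            continue
        nick, command, params = m.groups()
        if command == "NICK":
            nick = params.strip().lstrip(":")
        elif command != "JOIN":
            continue
        label = classify_nick(nick)
        if label:
            hits.append((nick, label))
    return hits


# Constructed IRC traffic (hosts from documentation address ranges).
SAMPLE_LOG = [
    ":USA|016887436!bot@203.0.113.10 JOIN #zxcvbnmas",
    ":alice!alice@198.51.100.7 JOIN #linux",
    ":DE|028509327!bot@203.0.113.11 JOIN #zxcvbnmas",
    ":bob!bob@198.51.100.8 NICK :RBOT|XP|48124",
    ":carol!carol@198.51.100.9 PRIVMSG #linux :hi all",
]

if __name__ == "__main__":
    for nick, label in scan_irc_log(SAMPLE_LOG):
        print(f"suspicious nick {nick!r} matches {label}")
```

The patterns are only as good as the nickname generator they were learned from, which is the slide's own caveat: a bot that randomises its nickname format produces no hits, so this check belongs beside the traffic-based ones rather than on its own.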
HoneyPot and HoneyNet
● A HoneyPot is a vulnerable machine, ready to be attacked
– Example: unpatched Windows 2000 or Windows XP
● Once attacked, the malware is caught inside
● The malware is analyzed, its activity is monitored
● When it connects to the C&C server, the server's identity is revealed
HoneyPot and HoneyNet (contd.)
● Thus much information about the bot is obtained
– C&C server address, master commands
– Channel, nickname, password
● Now do the following
– Make a fake bot
– Join the same IRC channel with the same nickname/password
– Monitor who else is in the channel, and thus observe the botnet
– Collect statistics – how many bots
– Collect sensitive information – who is being attacked, when, etc.
HoneyPot and HoneyNet (contd.)
● Finally, take down the botnet
● HoneyNet: a network of honeypots (see the 'Honeynet Project')
● Very effective, has worked in many cases
● They also pose a great security risk
– If not maintained properly, a hacker may use them to attack others
– Must be monitored cautiously
Summary
● Today we have learned
– What a botnet is
– How / why they are used
– How to detect / prevent them
Questions?
BOTNET DETECTION USING
DATA MINING
February 6, 2008 M. Mehedy Masud 3
Botnet detection
Background
● Botnet
– Network of compromised machines
– Under the control of a botmaster
● Taxonomy:
– C&C: centralized, distributed, etc.
– Protocol: IRC, HTTP, P2P, etc.
– Rallying mechanism: hard-coded IP, dynamic DNS, etc.
IRC Botnets
● Centralized
● IRC-based
● Large
● Easy to detect
● CPF (central point of failure): the IRC server
● Easy to destroy
[Figure: IRC botnet architecture – botmaster, IRC server/channel, code server, C&C traffic, updates, attack on vulnerable machines, botnet]
P2P Botnets
● Distributed
● P2P protocol used
● Small
● Harder to detect
● No CPF
● Not easy to destroy
Botnet Research
● IRC botnet detection (many)
– Honeypot-based (Rajab et al., 2006)
– Network traffic mining (Livadas et al., 2006)
– Nickname/signature mining (Goebel & Holz, 2007)
● P2P botnet detection (few)
– P2P bot analysis (Grizzard et al., 2007)
– Some theoretical contributions (Wang et al., 2007)
– Little research towards P2P botnet detection
Weak Points – Rallying Mechanism
● Hard-coded IP
– Trojan.Peacomm (Grizzard et al., 2007)
– Nugache (Lemos, 2006)
– Initial peer list hard-coded
– Tries to contact initial peers after infection
– Can be detected by analysis
● Random IP
– Sinit (L.T.I. group, 2004)
– No initial peer list
– Probes random IPs
– Generates a lot of ICMP errors
Possible Detection Techniques
● System monitoring
– Looking for symptoms (e.g. change in “hosts” file)
– Anti-virus
– Unusual system calls
● Network traffic monitoring
– Open ports
– Connection rate
– ARP requests
– ICMP errors
Port Scanning
● Do we need to monitor all ports?
– No
● Fact 1: P2P bots must open a port to
communicate
– So, monitor only open (i.e., server) ports
● Fact 2: P2P bots must use TCP or UDP to
communicate
– So, monitor only TCP/UDP ports
Detecting Open Ports
● A port is open (a server port) if
– It accepts a new connection, or
– It is connected to multiple ports
● Accepting a new TCP connection
– Client: SYN
– Server: SYN, ACK
– Client: ACK – connection established!
– The port accepting the SYN is an open port!
– Monitor all ports that accept a connection
Detecting Open Ports (cont…)
● Already existing connections
– From each packet header, obtain the connection
● A connection c is a 4-tuple (Host port, Host IP, Remote port, Remote IP) = (hp, hip, rp, rip)
● Create a list of connections C
● If there are two connections c1, c2 ∈ C s.t.
– c1 ≠ c2 and c1.hp == c2.hp, then hp is an open port
● If there are two connections c1, c2 ∈ C s.t.
– c1 ≠ c2 and c1.rp == c2.rp, then rp is an open port
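The two open-port rules from this slide and the previous one (a SYN answered by SYN+ACK, and a port shared by two distinct connections) implemented over packet-header records. This is an added example, not the lecture's or any project's code; the Packet record, the HOST address and the trace are constructed, with 12474/tcp borrowed from the Trojan.Peacomm port list later in the deck.

```python
from collections import Counter, namedtuple

# Constructed packet-header records. flags: "S" = SYN, "SA" = SYN+ACK, "A" = ACK, "" = n/a.
Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port flags")

HOST = "192.0.2.10"   # the monitored host (documentation address, constructed)


def connection_of(pkt):
    """Map a packet header to the slide's 4-tuple (hp, hip, rp, rip),
    host side first regardless of packet direction."""
    if pkt.src_ip == HOST:
        return (pkt.src_port, pkt.src_ip, pkt.dst_port, pkt.dst_ip)
    return (pkt.dst_port, pkt.dst_ip, pkt.src_port, pkt.src_ip)


def open_ports_from_handshakes(packets):
    """Rule from the 'Accepting a new TCP connection' slide: a host port that
    answers an inbound SYN with SYN+ACK is an open (server) port."""
    pending = set()       # (remote_ip, remote_port, host_port) for SYNs seen
    open_ports = set()
    for p in packets:
        if p.proto != "tcp":
            continue
        if p.flags == "S" and p.dst_ip == HOST:
            pending.add((p.src_ip, p.src_port, p.dst_port))
        elif (p.flags == "SA" and p.src_ip == HOST
              and (p.dst_ip, p.dst_port, p.src_port) in pending):
            open_ports.add(p.src_port)
    return open_ports


def open_ports_from_connections(packets):
    """Rules from the 'already existing connections' slide over the set C:
    a host port shared by two distinct connections is open on the host;
    a remote port shared by two distinct connections is open on the remote side."""
    C = {connection_of(p) for p in packets if p.proto in ("tcp", "udp")}
    hp_count = Counter(c[0] for c in C)   # c.hp
    rp_count = Counter(c[2] for c in C)   # c.rp
    host_open = {hp for hp, n in hp_count.items() if n >= 2}
    remote_open = {rp for rp, n in rp_count.items() if n >= 2}
    return host_open, remote_open


# Constructed trace. 12474/tcp is the Trojan.Peacomm listener named later in
# the deck; the other ports and addresses are arbitrary sample values.
SAMPLE_TRACE = [
    Packet("tcp", "198.51.100.5", 40001, HOST, 12474, "S"),
    Packet("tcp", HOST, 12474, "198.51.100.5", 40001, "SA"),
    Packet("tcp", "198.51.100.5", 40001, HOST, 12474, "A"),
    Packet("tcp", "198.51.100.6", 40002, HOST, 12474, "S"),
    Packet("tcp", HOST, 12474, "198.51.100.6", 40002, "SA"),
    Packet("tcp", HOST, 50001, "203.0.113.9", 80, "S"),      # host acting as client
    Packet("tcp", "203.0.113.9", 80, HOST, 50001, "SA"),
    Packet("tcp", HOST, 50002, "203.0.113.20", 80, "S"),
    Packet("udp", "203.0.113.30", 1025, HOST, 123, ""),      # UDP has no handshake
    Packet("udp", "203.0.113.31", 1026, HOST, 123, ""),
]

if __name__ == "__main__":
    print("SYN/SYN-ACK rule:", open_ports_from_handshakes(SAMPLE_TRACE))
    host_open, remote_open = open_ports_from_connections(SAMPLE_TRACE)
    print("shared host ports:", host_open, "shared remote ports:", remote_open)
```

The UDP pair shows why the second rule matters: 123/udp never completes a handshake, so only the shared-port rule reveals it, and it also shows that the resulting list contains legitimate listeners (NTP here) that must be whitelisted before anything is treated as a bot port.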
What To Monitor?
● Monitor Payload / Header?
● Problems with payload monitoring
– Privacy
– Unavailability
– Encryption/Obfuscation
● Information extracted from Header
– New connections (why?)
– Packet size (why?)
– Upload/Download bandwidth (why?)
How to Monitor?
● Traffic patterns vary with time
● Special (distinguishing) patterns may appear for a short while
– E.g. new connections
– Sudden burst of traffic
[Figure: Trojan.Peacomm connections after infection (Grizzard et al., 2007)]
How to Monitor?(continued)
● Solution 1: Time-series analysis
– Each feature is a time series
– Sampled at a frequent interval
– Problem: the feature space is too large / impractical
● Solution 2: Histogram analysis
– Each feature is a histogram
– Samples are collected at a frequent interval
– Bins are filled-up periodically
– Problem: size, number of bins?
Mapping to Stream Mining
● Network traffic can be thought of as stream data
● Detecting botnet traffic inside network traffic can be mapped to a classification problem
● Botnet characteristics may change over time
● Thus, botnet traffic detection can be mapped to:
– A concept-drifting stream data classification problem
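Added example (not from the slides) of Solution 2 on the previous slide together with the concept-drift point made here: packet sizes from each sampling interval are binned into a fixed-size normalised histogram, compared with a learned baseline by L1 distance, and the baseline is updated only from intervals judged normal. The bin count, MTU cutoff, threshold and packet-size samples are constructed assumptions.

```python
NUM_BINS = 8
MAX_SIZE = 1500        # bytes; larger packets fall into the last bin (Ethernet MTU, assumption)


def size_histogram(sizes, bins=NUM_BINS, max_size=MAX_SIZE):
    """Normalised histogram of packet sizes for one sampling interval."""
    counts = [0] * bins
    width = max_size / bins
    for s in sizes:
        counts[min(int(s // width), bins - 1)] += 1
    total = sum(counts) or 1
    return [c / total for c in counts]


def l1_distance(h1, h2):
    """Sum of absolute bin differences: 0 for identical histograms, at most 2."""
    return sum(abs(a - b) for a, b in zip(h1, h2))


def update_baseline(baseline, hist, alpha=0.2):
    """Exponential moving average so the model of 'normal' follows slow drift."""
    return [(1 - alpha) * b + alpha * h for b, h in zip(baseline, hist)]


def detect(intervals, baseline, threshold=0.6, alpha=0.2):
    """Classify each interval; returns (flagged_indices, final_baseline).
    Only intervals judged normal feed the baseline, so a burst does not
    teach the model that the burst is normal."""
    flagged = []
    for i, sizes in enumerate(intervals):
        hist = size_histogram(sizes)
        if l1_distance(hist, baseline) > threshold:
            flagged.append(i)
        else:
            baseline = update_baseline(baseline, hist, alpha)
    return flagged, baseline


# Constructed packet-size samples: a learned baseline mixing small control
# packets, mid-size and MTU-size data, then three intervals, the second of
# which is a burst of uniform 1000-byte packets (e.g. an update download).
BASELINE = size_histogram([64] * 5 + [500] * 3 + [1400] * 2)
SAMPLE_INTERVALS = [
    [64] * 6 + [500] * 2 + [1400] * 2,
    [1000] * 10,
    [64] * 6 + [500] * 2 + [1400] * 2,
]

if __name__ == "__main__":
    flagged, _ = detect(SAMPLE_INTERVALS, BASELINE)
    print("anomalous intervals:", flagged)
```

Normalising each histogram keeps the comparison about the shape of the traffic rather than its volume, which is what the slide's byte-level characteristics are about; the slow baseline update is the simplest answer to the concept-drift point, and the "poisoning" problem from the anomaly-detection slide is exactly an attacker drifting the traffic slowly enough to stay under the threshold.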
Peer to Peer Botnets
by
Mehedy Masud
Botnets
● Introduction
● History
● Taxonomy
● Overview
● Case studies
● New technique
● Detection and Prevention
Taxonomy
Peer2Peer Bots: Overview & Case Studies
● Julian B. Grizzard
– Johns Hopkins
● Vikram Sharma, Chris Nunnery, and Brent ByungHoon Kang
– North Carolina, Chapel Hill
● David Dagon
– Georgia Institute of Technology
HotBots 2007
Peer2Peer BotNets: History
● Napster: earliest Peer2Peer protocol
– Not completely P2P
– Shut down after being found illegal
● Gnutella
– Completely decentralized
● Recent protocols
– Chord
– Kademlia
Botnet Goals
● All kinds of botnet have the same goals
– Information dispersion
– Information harvesting
– Information processing
● Information dispersion
– Spam, phishing, DoS, etc.
– Economic benefit
● Information harvesting
– Identity data, passwords, relationship data, etc.
– Direct economic benefit
● Information processing
– Cracking passwords
Case Study: Trojan.Peacomm
● Uses the Overnet P2P protocol
● Overnet implements a distributed hash table based on the Kademlia algorithm
● After infection, secondary injections are automatically downloaded from the P2P net
● This enables the hacker to arbitrarily upgrade, control, or command bots
Experimental Setup
● Trojan.Peacomm was executed within a honeypot in the UNCC HoneyNet Lab
● The honeypot was a VMware virtual machine running Windows XP
● Connections to the Internet were controlled by a HoneyWall
● The PerilEyez malware analysis tool was used to detect changes in the system
● Pcap logs were kept; the specimen ran for two weeks
Initial bot
● The executable is installed
● Connects to p2p and downloads
secondary injection
● Distributed as a trojan horse email
● The PerilEyez tool is used to capture system state before and after infection (file system / open ports / services)
● It adds the system driver "wincomm32.sys" to the host
– The driver is injected into the Windows process "services.exe"
Initial bot (continued)
– This service acts as a P2P client that downloads the secondary injection
– Initial peer list saved in %system%\wincom.ini
● Windows Firewall is disabled
● Ports opened:
– TCP 139, 12474
– UDP 123, 137, etc.
● Initial peer list is hard-coded
● This could be a central point of failure
Communication Protocol
● Protocol summary
– Overnet, implementing Kademlia
– A 128-bit numeric space is used
– Values are mapped into the numeric space with keys
– Key/value pairs are stored at the nearest peer, with distance computed by the XOR function
– A list of nodes is kept for each bucket in the numeric space
● Steps
– Connect to Overnet
– Download secondary injection URL
– Decrypt secondary injection URL
– Download secondary injection
– Execute secondary injection
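A worked illustration of the XOR metric, the k-buckets and the peer-forwarded lookup described above, added here as an example; it is neither the slide author's code nor Overnet's implementation. Identifiers are shortened to 4-bit values for readability and the peer tables form a constructed toy network. The hard-coded initial peer list is the lookup's only entry point, which is the central point of failure the deck refers to.

```python
KEY_BITS = 128
MASK = (1 << KEY_BITS) - 1


def xor_distance(a, b):
    """Kademlia distance: the XOR of two identifiers read as an unsigned integer."""
    return (a ^ b) & MASK


def bucket_index(own_id, other_id):
    """k-bucket that other_id falls into from own_id's point of view: the
    position of the highest differing bit (0..127); None for own_id itself."""
    d = xor_distance(own_id, other_id)
    return d.bit_length() - 1 if d else None


def nearest_nodes(key, node_ids, k=3):
    """The k known nodes closest to key under the XOR metric; a key/value
    pair is stored on (and later looked up from) these nodes."""
    return sorted(node_ids, key=lambda n: xor_distance(key, n))[:k]


def iterative_find(key, initial_peers, network, k=3):
    """Simulated lookup: ask the closest known nodes for their peers, keep the
    closest replies, repeat until no unqueried node is among the k closest.
    network maps node id -> the peers that node would return (constructed)."""
    known, queried = set(initial_peers), set()
    while True:
        candidates = [n for n in nearest_nodes(key, known, k) if n not in queried]
        if not candidates:
            return nearest_nodes(key, known, 1)[0]
        for n in candidates:
            queried.add(n)
            known.update(network.get(n, ()))   # the peer answers with its own list


# Constructed toy network with 4-bit ids (real Overnet ids are 128-bit).
TOY_NETWORK = {
    8: {3, 15},
    3: {11},
    15: {12},
    11: {9},
    12: set(),
    9: set(),
}

if __name__ == "__main__":
    key = 0b1010
    print("nearest to", key, ":", nearest_nodes(key, TOY_NETWORK.keys(), k=2))
    print("lookup from hard-coded peer 8 ends at node", iterative_find(key, [8], TOY_NETWORK))
    print("bucket of 9 seen from 8:", bucket_index(8, 9))
```

Starting from the single hard-coded peer 8, the lookup for key 10 walks 8, then 15 and 3, then 11 and 9, and settles on node 11 (distance 1). Removing or blocking peer 8 leaves the lookup with no starting point at all, which is why a static initial peer list is listed under "weak points" earlier in the deck.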
Secondary Injection
● Types of secondary injection
– Downloader and rootkit component
– SMTP spamming component
– Email address harvester
– Email propagation component
– DDoS tool
● All of these can be rooted from one
injection
● Can periodically update itself by
searching through the P2P net
● This provides the basic Command and
Control functionality
Searching the Download URL
● A search key is generated in the bot using an algorithm that uses the system date and a random number (0..31)
● So the botmaster needs to publish a new
URL under 32 different keys on a particular
day
● It searches for this key in its initial peer list
● If it is not found in a peer, the request is
forwarded to other peers
Searching the Download URL
● If a match is found, a result is returned
● The "result" hash is used as a decryption key, paired with another key that is hard-coded in the bot
● Also, the response packet contains a single meta-tag named "id"
● The body of the tag contains the encrypted URL
Index Poisoning
● P2P networks contain indexes
corresponding to each content
● Index poisoning means adding bogus
records to indexes
● For example, adding a fake ip/port
corresponding to a file
● Trojan.Peacomm has index poisoning capability
● Possible motive: slowing down infection or measuring the number of bots
Network Trace Analysis
● Number of remote IPv4 addresses contacted over time for the duration of infection
[Figure: remote IPv4 addresses contacted vs. time; annotations: start of infection, steep slope (initial connections), slowing down (saturation)]
Network Trace Analysis (Contd…)
● Network traces are parsed
● It is found that the bot searches for five
keys.
● Key1 is the hash of its own IP
– It periodically searches key1 to find
the nearest peers
● Key2 and Key4 are never found
● Key3 and Key5 are found after a short search
● Key3 is found in 6 seconds, Key5 is found in 3 seconds
Network Trace Analysis (Contd…)
● This indicates that “command latency”
for P2P bots is low (but higher than
Centralized)
● Number of unique hosts contacted
directly: 4200
● Total unique IPs found in overnet
packets: 10,105
● The same search requests appeared from another machine
– Possibly infected by Trojan.Peacomm
Conclusion
● This paper describes a case study of Trojan.Peacomm – a p2p
● Describes how it propagates and contacts the C&C
● Analysis of the network trace is presented
Detecting P2P Botnets
● Reinier Schoof & Ralph Koning
– University of Amsterdam
Appeared as a technical report, Feb 2007
Overview
● Spreading
– File sharing over P2P network
– Uses popular filenames to entice download
● Command and Control
– Unlike IRC, bots do not wait for command
– Botmaster joins the network as a peer
– Passes command along its peers
● Protocols
– Phatbot uses the WASTE protocol
– Nugache and Spamthru use home-made protocols
Experiments
● Two bots are analysed in a controlled
environment
– Nugache
– Sinit
● Test environment consists of
– Four computers
– Three running Windows XP
– One running FreeBSD. This runs softflowd to
act as a software router for connecting three
machines, collecting all netflows
Bot analysis
● Sinit
– Trojan horse
– Uses P2P to spread itself
– Tries to reach other Sinit infected hosts by
sending discovery packets to port 53 of
random IPs
– Establishes connection when it receives a
discovery response packet
– Two hosts exchange list of peers
– Connects to those peers
– Runs a web server to publish /kx.exe, which
is the Sinit binary
– Random IP scan generates a lot of ICMP 3
(host unreachable)
Bot analysis (Contd…)
● Nugache
– Trojan horse
– Opens TCP port 8, connects to hard-coded
list of peers
– Exchange peer list after connection
– Starts DDoS when commanded
– Command is encrypted/obfuscated
– Spreads over AIM
– Installs initial peer list in windows registry
– This list is updated dynamically
– Uses obfuscated communication channel
Bot analysis (Contd…)
● PhatBot
– A cousin of AgoBot
– Uses WASTE protocol
– It is an encrypted Open-source P2P Network
– Bot finds other peers by using cache servers
on Gnutella P2P network
– Looks for clients identified by GNUT, a
gnutella client
– Has a list of processes to kill when it runs, consisting of antivirus and competing malware
Detection
● Open ports
– A specific port/range of ports must be opened
– Monitoring those ports may enable detection
– May result in false positive (when other
applications use specific ports) or
– False negative (when normal ports are used for
bot communication)
● Connection failures
– May result in a lot of ICMP 3 error
● Peer Discovery
– Static peer list may be central point of failure
– Random scan is very inefficient
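Added example (not from the report or the slides): detection logic for the "connection failures" and "peer discovery" points above, run over constructed flow and ICMP log lines. A host is flagged when, within one time window, it sends UDP probes to many distinct addresses on port 53 (the Sinit discovery port named earlier) and receives many ICMP type 3 (destination unreachable) replies. The log format, window size and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed log format, whitespace separated:
#   <ts> udp  <src_ip> <dst_ip> <dst_port>
#   <ts> icmp <src_ip> <dst_ip> <type>/<code>
def parse_line(line):
    ts, proto, src, dst, extra = line.split()
    return int(ts), proto, src, dst, extra


def suspicious_hosts(lines, window=60, probe_port="53",
                     min_targets=5, min_icmp3=5):
    """Hosts that, within one window, probe many distinct addresses on
    probe_port and receive many ICMP type 3 (destination unreachable)
    replies. Returns {host: [window indices flagged]}."""
    targets = defaultdict(set)      # (host, window) -> distinct dst ips probed
    icmp3 = defaultdict(int)        # (host, window) -> unreachable replies received
    for line in lines:
        ts, proto, src, dst, extra = parse_line(line)
        w = ts // window
        if proto == "udp" and extra == probe_port:
            targets[(src, w)].add(dst)
        elif proto == "icmp" and extra.startswith("3/"):
            icmp3[(dst, w)] += 1      # the error is delivered to the host that probed
    flagged = {}
    for (host, w), dsts in targets.items():
        if len(dsts) >= min_targets and icmp3[(host, w)] >= min_icmp3:
            flagged.setdefault(host, []).append(w)
    return flagged


# Constructed sample: 192.0.2.10 probes eight random-looking addresses on 53
# and gets six host-unreachable (3/1) replies back from a router; 192.0.2.20
# only talks to the local resolver, which is what normal DNS use looks like.
SAMPLE_LOG = [f"{1000 + i} udp 192.0.2.10 203.0.113.{i + 1} 53" for i in range(8)]
SAMPLE_LOG += [f"{1010 + i} icmp 198.51.100.1 192.0.2.10 3/1" for i in range(6)]
SAMPLE_LOG += [
    "1020 udp 192.0.2.20 192.0.2.53 53",
    "1021 udp 192.0.2.20 192.0.2.53 53",
]

if __name__ == "__main__":
    for host, windows in suspicious_hosts(SAMPLE_LOG).items():
        print(f"{host}: random-IP discovery pattern in window(s) {windows}")
```

Requiring both signals (many distinct targets and many unreachable replies) is what keeps a busy but legitimate DNS client from being flagged; the open-port caveat on this slide applies here too, so a host that trips this check still needs the open-port and hosts-file checks before being called a bot.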
Conclusion
● P2P botnets pose a significant threat to the future Internet community
● Although the current P2P protocols used by the bots are inefficient, they are likely to be made efficient
● There are some detection techniques, but none of them is very reliable