Kumar Mukherjee
Mike Ladd
Nazia Raoof
Rajesh Radhakrishnan
Bret Walker
Botnet Background

• network of infected hosts, under control of a human operator
  • tens of thousands of nodes
• victims claimed by remote exploits
Defining Characteristic

• use of Command & Control (C&C) channels
• used to disseminate botmaster's commands
Uses of Botnets

• Spam
• ID Theft
• Piracy
• DDoS
  • e.g., 1000 bots, each on a 128 kbit/s connection, have more aggregate bandwidth than many corporate systems
  • IP distribution makes filtering difficult
Lifecycle of Botnet Infection
Why IRC?

• IRC designed for both point-to-point and point-to-multipoint
  • one-to-one, or one-to-group chat
• flexible, open-source protocol
Bot-to-IRC Communication

• authenticate to IRC server via PASS message
• C&C channel authentication
• Botmaster authenticates to bot population to issue
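A detector for the login sequence sketched above, written in Python as an added example (not the paper's or the presenters' code): it parses raw IRC client lines and flags a session that combines a server PASS, a keyed JOIN and a command-like channel topic. The session lines, nicknames and the `!`/`.` command-prefix convention are constructed for illustration.

```python
# Added example (not the paper's or the presenters' code): parse raw IRC
# client lines and flag the bot-to-C&C login pattern described above.
def parse_irc(line):
    """Split an RFC 1459 message into (prefix, COMMAND, params); the
    trailing ':' parameter becomes the last element of params."""
    line = line.rstrip("\r\n")
    prefix = ""
    if line.startswith(":"):            # optional ":prefix " (server or user)
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:                    # first " :" starts the trailing param
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return None
    params = parts[1:] + ([trailing] if trailing is not None else [])
    return prefix, parts[0].upper(), params

# Constructed sessions (not captured traffic), one message per line.
BOT_SESSION = [
    "PASS s3rv3r-pw",                   # server password via PASS message
    "NICK [XP|1234]",
    "JOIN #cc-chan ch4nn3l-key",        # channel authentication via key
    ":irc.example 332 [XP|1234] #cc-chan :!cmd placeholder-botmaster-command",
]
CHAT_SESSION = [
    "NICK alice",
    "JOIN #python",
    ":irc.example 332 alice #python :Welcome to #python, be nice",
]
COMMAND_PREFIXES = (".", "!")           # assumed markers of commands in a topic

def cc_indicators(session):
    """Return which of the three C&C login traits a client session shows."""
    found = {"server_password": False, "channel_key": False, "command_topic": False}
    for line in session:
        parsed = parse_irc(line)
        if parsed is None:
            continue
        _, cmd, params = parsed
        if cmd == "PASS" and params:
            found["server_password"] = True
        elif cmd == "JOIN" and len(params) >= 2:
            found["channel_key"] = True
        elif cmd in ("TOPIC", "332") and params and params[-1].startswith(COMMAND_PREFIXES):
            found["command_topic"] = True
    return found

def looks_like_cc(session, threshold=2):
    return sum(cc_indicators(session).values()) >= threshold
```

A single trait (a keyed JOIN, say) is common on legitimate networks, which is why the verdict requires at least two of them to co-occur in one session.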
Bot-News: Kraken

• 400,000+ nodes
• 50+ Fortune 500 companies
• 2x the size of ‘Storm’
• Used for spam (bots sending 500,000+ messages daily)
Bot-News: Kraken

• Designed as image file
• Regular updates to binary
• C&C communication via customized UDP/TCP
• Able to generate new domain names if C&C is disabled
Further Background

Methodology: Malware Collection Phase

• Collection of as many bot binaries as possible
• Distributed darknet used
• 14 nodes access the darknet
• Modified version of Nepenthes (a malware collection framework) platform:
  -- Mimics the replies generated by vulnerable services in order to collect the first-stage exploit or shellcode
  -- Generates the URLs that are used to retrieve binaries
• Honeynet is used to complement Nepenthes in order to catch exploits
  -- Honeypots are unpatched Windows XP VMs
  -- Honeypots become infected and are compared later to a clean Windows XP image
  -- Infected honeypots are also allowed to sustain IRC connections until the VM gets reimaged
Methodology: Data Collection Architecture
Methodology: Gateway
• Darknet routing to various parts of the internal network
• Cross-infection prevention among honeypots
  • configuring honeypots in separate VLANs
• Termination of traffic across VLANs and gateways
• Monitor and analyze the malware traffic for infections
• Dynamic rule insertion
  • block further inbound attack traffic towards a honeypot that is already infected
  • single-malware-instance honeypots due to lack of resources
• Other functions
  • Triggering re-imaging with clean Windows images
  • pre-filtering and control during downloads
  • local DNS to resolve queries
Methodology: Defense Points
• With the methodology we now have the ability to model other types of bots.
• Although the methodology used the Windows OS, it can be adapted to other platforms.
• The methodology analyzes all aspects of bots and botnets.
A multifaceted approach to understanding the Botnet

Results - I
Overall traffic
• 27% of total traffic is from known botnet spreaders
• 73% of traffic includes traffic from unknown botnet spreaders
• 60% of malicious binaries were IRC bots
• Only a handful were HTTP
• The authors' concerns about botnet spread are justified.
Traffic directed to vulnerable ports
• 76% of traffic targeted at vulnerable ports is from botnet spreaders
• Malicious traffic to vulnerable ports cannot be differentiated between botnet and non-botnet
• It would be useful to know how much of the total traffic was directed at vulnerable ports.
Peak traffic
• 90% of total traffic during the peak time targets ports used by botnet spreaders
• 70% of traffic during the peak time sent shell exploits similar to those sent by botnet spreaders.
Probed servers
[pie chart: probed servers with at least one botnet activity vs. no botnet activity]
• 11% of probed servers had at least one botnet activity
• 29% of probed .com servers had at least one cache hit
• 95% of probed .cn servers had at least one cache hit.
Botnet Types

• Total botnets captured: 192
• 34 of 192 botnets captured were type I botnets (worm-like)
• 158 of them were type II
Botnets and Network types
• When channel was set to topic
  • 80% of targeted scanning was aimed at class A networks
  • 89% of localized scanning was aimed at class B networks
• When channel was set to botmaster commands
  • 88% of targeted scanning was aimed at class A networks
  • 82% of localized scanning was aimed at class B networks
DNS & IRC tracker views
• Both DNS & IRC tracker views demonstrated three types of growth pattern:
  • semi-exponential growth
  • staircase-type growth
  • linear growth
• Semi-exponential growth exhibited random scanning activity
• Staircase-type growth exhibited intermittent activity
• Linear growth pattern exhibited time-scoped activity
Key Points based on results
• Botnets pose serious threats to the internet
• Major contributor of unwanted traffic on the internet
• IRC is the dominant protocol used in the Botnet
• Botnets have achieved a high degree of sophistication in terms of self-protection mechanisms and modular package structures
Effective Botnet Sizes

Footprint Size vs. Effective Size
  • Significantly smaller
  • At most 3,000 bots online with networks of up to 10k bots

Smaller effective sizes limit certain activities:
  • Timely commands
  • DDoS attacks

Effective botnet sizes fluctuate with timezone
Botnets have relatively long lifetimes
   • Even after they’re shut down, live on average for 47
   • 84% of servers up longer than the 3 month survey
   • 55% of those botnets still scanning the Internet
   • If taken offline, able to be brought back online quickly

Bots do not stay long on IRC channels
   • Average time ~ 25 minutes
   • 90% stayed less than 50 minutes
   • High churn rate

Botmasters spend great lengths of time managing and monitoring their botnets
Botnet Software Dissection
49% disable firewall and anti-virus software

Many run identd, which is used to identify the user of a
computer. Used to verify bots joining an IRC channel

40% execute a System Security Monitor command,
securing client machines from further exploitation

Average of 15 exploits per botnet binary -- bots can
infect machines in a variety of ways

Windows XP constitutes 82.6% of observed exploited
hosts, with 99% of those hosts running SP1 or less
Insight from an “Insider’s View”
Botmasters range in skill level

   1. Share information about networks
   2. Tweak their bots to use the network efficiently
   3. Prune misbehaving bots and exploit “super-bots”

Botmasters are probably leasing their bots or attacking
  each other

Most commands (75%) are for control, scanning and
  cloning. 7% are for attacking.
Related Work
• Honeynet group was the first to do an informal study
• Freiling et al. on countering certain classes of DDoS attacks
• Cooke et al. on prevalence of botnets by measuring elapsed time before an un-patched system was infected by a botnet
• Barford et al. on an in-depth analysis of bot software
• Vrable et al. presented Potemkin, a scalable virtual honeynet
• Cui et al. presented RolePlayer, a protocol-independent lightweight responder that tries to overcome some of these limitations by reverting to a real server when the responder fails to produce the proper response
• Dagon et al. provide an initial analytical model for capturing the spreading behavior of botnets.
• Long presence and few formal studies
• One of the most severe threats to the Internet.
• Our knowledge of botnet behavior is incomplete
• To improve our understanding, we present a composite view
• Results show that botnets are a major contributor to the overall unwanted traffic on the Internet
• Botnet scanning behavior is markedly different from that seen by autonomous malware (e.g., worms) because of its manual
• IRC is still the dominant protocol used for C&C communications
• Use is adapted to satisfy different botmasters’ needs
• Botnet footprints are usually much larger
• Graybox testing technique enabled us to understand the level of sophistication reached by bot software today
