Slide1
Botnets
Borrowed from Brent ByungHoon Kang, GMU
Slide2
A Network of Compromised Computers on the Internet
IP locations of the Waledac botnet.
Slide3
Botnets
Networks of compromised machines under the control of a hacker, the “bot-master”
Used for a variety of malicious purposes:
Sending Spam/Phishing Emails
Launching Denial of Service attacks
Hosting Servers (e.g., Malware download site)
Proxying Services (e.g., FastFlux network)
Information Harvesting (credit card, bank credentials, passwords, sensitive data)
Slide4
Botnet with Central Control Server
After resolving the IP address for the IRC server, bot-infected machines CONNECT to the server, JOIN a channel, then wait for commands.
Slide5
Botnet with Central Control Server
The botmaster sends a command to the channel. This will tell the bots to perform an action.
Slide6
Botnet with Central Control Server
The IRC server sends (broadcasts) the message to bots listening on the channel.
Slide7
Botnet with Central Control Server
The bots perform the command. In this example: attacking / scanning CNN.COM.
Slide8
Botnet Sophistication Fueled by Underground Economy
Unfortunately, the detection, analysis and mitigation of botnets has proven to be quite challenging:
Supported by a thriving underground economy
Professional-quality sophistication in creating malware code
Highly adaptive to existing mitigation efforts such as the takedown of the central control server
Slide9
Emerging Decentralized Peer-to-Peer Multi-layered Botnets
Traditional botnet communication
Central IRC server for Command & Control (C&C)
Single point of mitigation: the C&C server can be taken down or blacklisted
Botnets with peer-to-peer C&C
No single point of failure. E.g., Waledac, Storm, and Nugache
Multi-layered architecture to obfuscate and hide control servers in upper tiers.
Slide10
Expected Use of DHT P2P Network: Publish and Search
Botmaster publishes commands under the key.
Bots search for this key periodically.
Bots download the commands.
=> Asynchronous C&C
Slide11
Multi-Layered Command and Control Architecture Through P2P
Each Supernode (server) publishes its location (IP address) under key 1 and key 2
Subcontrollers search for key 1
Subnodes (workers) search for key 2 to open a connection to the Supernodes
=> Synchronous C&C
Slide12
Current Approaches to Botnet
Virus Scanner at Local Host
Polymorphic binaries against signature scanning
Not installed even though it is almost free
Rootkit
Network Intrusion Detection Systems
Keeping states for network flows
Deep packet inspection is expensive
Deployed at LAN, and not scalable to ISP-level
Requires Well-Trained Net-Security SysAdmin
Slide13
Conficker infections are still increasing after one year!!!
There are millions of computers on the Internet that have neither a virus scanner nor an IDS
Slide14
Botnet Enumeration Approach
Used for spam blocking, firewall configuration, DNS rewriting, and alerting sys-admins regarding local infections.
Fundamentally differs from existing Intrusion Detection System (IDS) approaches
IDS protects local hosts within its perimeter (LAN)
An enumerator would identify both local as well as remote infections
Identifying remote infections is crucial
There are numerous computers on the Internet that are not under the protection of IDS-based systems.
Slide15
How to Enumerate Botnet
Need to know the method and protocols for how a bot communicates with its peers
Using sand-box technique
Run bot binary in a controlled environment
Network behaviors are captured/analyzed
Investigating the binary code itself
Reversing the binary into high-level code
C&C protocol knowledge and operation details can be accurately obtained
Slide16
Simple Crawler Approach
Given network protocol knowledge, crawlers:
1. collect a list of initial bootstrap peers into a queue
2. choose a peer node from the queue
3. send look-up or get-peer requests to the node
4. add newly discovered peers to the queue
5. repeat 2-5 until no more peers are left to be contacted
Can’t enumerate a node behind NAT/Firewall
Would miss bot-infected hosts at home/office!
Slide17
Passive P2P Monitor (PPM)
Given P2P protocol knowledge that the bot uses
A collection of “routing-only” nodes that
Act as peers in the P2P network, but
Are controlled by us, the defender
PPM nodes can observe the traffic from the peer infected hosts
A PPM node can be contacted by the infected hosts behind NAT/Firewall
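Constructed toy simulation of the two enumeration methods from slides 16 and 17, added here as an example and not part of the original slides: a queue-driven crawler that cannot contact peers behind NAT, beside a defender-run PPM node that records the NATed hosts that connect to it on their own. The peer graph, the addresses and the PPM address are all made up.

```python
from collections import deque

# Constructed toy peer graph (not real botnet data): each host lists the
# peers it knows; hosts in NATED accept no inbound connections.
PPM = "203.0.113.250"                       # defender-controlled routing-only node
PEERS = {
    "203.0.113.10": ["203.0.113.11", "198.51.100.5", "203.0.113.12"],
    "203.0.113.11": ["203.0.113.10", "198.51.100.6"],
    "203.0.113.12": ["203.0.113.10", PPM],
    "198.51.100.5": ["203.0.113.10", PPM],  # home host behind NAT
    "198.51.100.6": ["203.0.113.11", PPM],  # office host behind NAT
    "198.51.100.7": [PPM],                  # NATed host nobody else lists
    PPM: [],                                # PPM answers but hands out no peers
}
NATED = {"198.51.100.5", "198.51.100.6", "198.51.100.7"}

def get_peers(host):
    """Simulated get-peer request; a NATed host never answers inbound."""
    return None if host in NATED else PEERS.get(host, [])

def crawl(bootstrap):
    """Slide 16 crawler: bootstrap peers go into a queue, each is asked for
    peers, new peers are queued, until nothing is left to contact."""
    queue, seen, answered = deque(bootstrap), set(bootstrap), set()
    while queue:
        host = queue.popleft()
        reply = get_peers(host)
        if reply is None:
            continue                  # cannot enumerate a host behind NAT/firewall
        answered.add(host)
        for p in reply:
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return answered - {PPM}           # our own node is not an infection

def ppm_observe():
    """Slide 17 PPM: every infected host that picked us as a peer connects
    outbound to us, so NATed hosts show up here without being contacted."""
    return {h for h, peers in PEERS.items() if PPM in peers}

def enumerate_all(bootstrap):
    """Union of both methods, as in the combined deployment on slide 18."""
    return crawl(bootstrap) | ppm_observe()
```

Running `crawl(["203.0.113.10"])` yields only the three publicly reachable hosts, while `ppm_observe()` adds all three NATed hosts, including the one no other peer lists.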
Slide18
Crawler and Passive P2P Monitor (PPM)
(Diagram: a Crawler and several PPM nodes participating in the P2P network)
Slide19
Crawler vs. PPM: # of IPs found
Slide20
Botnet Enumeration Challenges
DHCP
NATs
Non-uniform bot distribution
Churn
Most estimates put the size of the largest botnets at tens of millions of bots
Actual size may be much smaller if we account for all of the above
Slide21
Fast Flux
Botnets use a lot of newly-created domains for phishing and malware delivery
Fast flux: changing the name-to-IP mapping very quickly, using various IPs to thwart defense attempts to bring down the botnet
Single-flux: changing the name-to-IP mapping for individual machines, e.g., a Web server
Double-flux: changing the name-to-IP mapping for the DNS nameserver too
Proxies on compromised nodes fetch content from backend servers
Slide22
Fast Flux
Advantages for the attacker:
Simplicity: only one back-end server is needed to deliver content
Layers of protection through disposable proxy nodes
Very resilient to takedown attempts
Slide23
Fast Flux Detection
Look for domain names where the mapping to IP changes often
May be due to load balancing
May have other (non-botnet) causes, e.g., adult content delivery
Easy to fabricate domain names
Look for DNS records with short-lived domain names, with lots of A records, lots of NS records and diverse IP addresses (wrt AS and network access type)
Look for proxy nodes by poking them
Slide24
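Added example (not from the original slides) of the detection indicators above applied to constructed DNS lookups: low TTL, many A records, diverse ASes and frequent answer changes must all hold before a domain is flagged, so a load-balanced domain that rotates IPs inside a single AS is left alone. Thresholds, IPs, AS numbers and nameserver names are made up.

```python
from dataclasses import dataclass

@dataclass
class Lookup:
    """One DNS answer for a domain; constructed sample data, not real records."""
    ttl: int        # TTL on the A records
    a: list         # (ip, asn) pairs in the answer
    ns: list        # NS hostnames in the answer

def flux_features(lookups):
    """Aggregate the slide's indicators over repeated lookups of one domain:
    distinct IPs, distinct ASes, distinct NS names, how often the A set
    changed between consecutive lookups, and the lowest TTL seen."""
    ips = {ip for l in lookups for ip, _ in l.a}
    asns = {asn for l in lookups for _, asn in l.a}
    ns = {n for l in lookups for n in l.ns}
    sets = [{ip for ip, _ in l.a} for l in lookups]
    changes = sum(1 for x, y in zip(sets, sets[1:]) if x != y)
    return {"ips": len(ips), "asns": len(asns), "ns": len(ns),
            "changes": changes, "min_ttl": min(l.ttl for l in lookups)}

def is_fast_flux(lookups, ttl_max=300, min_ips=5, min_asns=3, min_changes=2):
    """Flag only when every indicator holds; AS diversity is what separates
    flux proxies on scattered compromised hosts from a CDN's own IP pool."""
    f = flux_features(lookups)
    return (f["min_ttl"] <= ttl_max and f["ips"] >= min_ips
            and f["asns"] >= min_asns and f["changes"] >= min_changes)

# Suspect domain: short TTL, a different handful of IPs from many ASes each time.
SUSPECT = [
    Lookup(180, [("198.51.100.7", 64501), ("203.0.113.22", 64502), ("192.0.2.45", 64503)], ["ns1.x", "ns2.x"]),
    Lookup(180, [("198.51.100.9", 64501), ("203.0.113.80", 64504), ("192.0.2.45", 64503)], ["ns3.x", "ns2.x"]),
    Lookup(180, [("203.0.113.80", 64504), ("192.0.2.120", 64505), ("198.51.100.33", 64506)], ["ns4.x", "ns1.x"]),
]
# Load-balanced domain: short TTL and rotating IPs too, but all in one AS.
CDN = [
    Lookup(60, [("192.0.2.1", 64510), ("192.0.2.2", 64510), ("192.0.2.3", 64510)], ["ns1.cdn", "ns2.cdn"]),
    Lookup(60, [("192.0.2.4", 64510), ("192.0.2.5", 64510), ("192.0.2.6", 64510)], ["ns1.cdn", "ns2.cdn"]),
    Lookup(60, [("192.0.2.7", 64510), ("192.0.2.1", 64510), ("192.0.2.8", 64510)], ["ns1.cdn", "ns2.cdn"]),
]
```

The CDN sample trips the TTL, IP-count and change-rate checks exactly like the suspect one; only the single-AS indicator keeps it from being flagged, which is the load-balancing caveat the slide raises.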
Poking Botnets is Dangerous
They have been known to fight back
DDoS IPs that poke them (even if low workers are scanned)
They have been known to fabricate data for honeynets
A honeynet is a network of computers that sits in otherwise unused (dark) address space and is meant to be compromised by attackers