Botnets
Collection of connected programs communicating with similar programs to perform tasks
Legal: IRC bots that moderate/administer channels
▪ Origin of the term "botnet"
Illegal: bots are usually added to the network through infections
▪ Communicate through standard network protocols
Botnet
Usually named after the malware that created it
Multiple botnets can be created by the same malware
▪ Controlled by different entities
A "bot master" controls the entire group of computers remotely through a Command and Control (C&C) system
Botnet Uses
Botnets are used for various purposes:
Distributed Denial of Service attacks (DDoS)
SMTP mail relays for spam
Click fraud
▪ Simulating false clicks on advertisements to earn money
Theft of information
▪ Application serial numbers
▪ Login information
▪ Financial information
▪ Personal information
Bitcoin mining
Botnet Connection Models
Three main connection models:
Centralized
P2P-based
Unstructured
Centralized
A central point (server) forwards messages to the bots
Advantages
▪ Simple to implement
▪ Customizable
Disadvantages
▪ Easier to detect and destroy: the server is a single point of failure
Most botnets use this model
P2P-based
Mainly used to avoid the problems of the centralized model
Does not use a server as the central location; instead the bots are connected to each other
Advantages
▪ Very hard to destroy
▪ Commands can be injected at any point
▪ Hard for researchers to find all bots
Disadvantages
▪ Harder to implement and design
Unstructured
Bots do not actively contact other bots or the botmaster; they only listen for incoming connections
The botmaster randomly scans the Internet for bots
When a bot is found, the botmaster sends it encrypted commands
Communication
Botnets use well-defined communication protocols
▪ Helps them blend in with normal traffic
Protocol examples
IRC
▪ Most common
▪ Used for one-to-many or one-on-one communication
HTTP
▪ Difficult to detect
▪ Allowed through most security devices by default
P2P
▪ More advanced communication
▪ Not always allowed on a network
Detection Methods
Two main detection methods
Signature-based
▪ Relies on knowing the connection methods in advance
▪ Cannot detect new threats
Anomaly-based
▪ Relies on deviations from base-line traffic
▪ High false-positive rates
▪ Not useful where base-line traffic cannot be established
Methods to Avoid Detection
Malware writers are constantly looking for new ways to avoid detection
Recent botnets employ new methods to avoid detection:
Fast flux
Domain flux
Fast Flux
Use a set of IP addresses that all correspond to one domain name
Use short TTLs (Time To Live) and large IP pools, so each lookup can return a different slice of the pool
Can be grouped into two categories:
Single flux
Double flux
Single Flux
The domain resolves to a different IP in different time ranges
Example: a user accesses the same domain twice
▪ First DNS query returns 11.11.11.11
▪ TTL on the cached answer expires
▪ User performs another DNS query for the domain
▪ DNS server now returns 22.22.22.22
Double Flux
More sophisticated counter-detection: repeated changes of both the flux agents and their registration in DNS
The authoritative DNS server is itself part of the fluxing
Provides extra redundancy
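The single- and double-flux behaviour above leaves a footprint in resolver data: short TTLs and a churn of unrelated addresses behind one name. The following is an added example, not code from the slides, that scores domains from repeated DNS observations. The observation list is constructed, and the thresholds (TTL of 300 s or less, at least 5 distinct IPs spread over at least 3 distinct /16 prefixes) are assumptions chosen to illustrate the idea; the /16 check is what keeps a low-TTL CDN with a few hosts in one network from being flagged.

```python
"""Flag fast-flux candidate domains from repeated DNS lookups (added example).

The observations are constructed, not captured traffic. Thresholds are
assumptions for illustration only.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed observations: (timestamp, domain, ttl_seconds, [A records]).
# A single-flux domain hands out a different slice of a large IP pool each
# time the short TTL expires; a normal domain keeps returning the same hosts.
OBSERVATIONS = [
    (0,    "flux.example",   60,   ["11.11.11.11", "11.11.12.5"]),
    (60,   "flux.example",   60,   ["22.22.22.22", "22.22.23.9"]),
    (120,  "flux.example",   60,   ["33.33.33.33", "11.11.11.11"]),
    (180,  "flux.example",   60,   ["44.44.44.44", "55.55.55.55"]),
    (0,    "static.example", 3600, ["93.184.216.34"]),
    (3600, "static.example", 3600, ["93.184.216.34"]),
    (0,    "cdn.example",    300,  ["198.51.100.10", "198.51.100.11"]),
    (300,  "cdn.example",    300,  ["198.51.100.12", "198.51.100.10"]),
]

MAX_FLUX_TTL = 300          # assumed threshold
MIN_DISTINCT_IPS = 5        # assumed threshold
MIN_DISTINCT_PREFIXES = 3   # assumed threshold


def prefix16(ip: str) -> str:
    """Return the /16 prefix of an IPv4 address (crude proxy for network diversity)."""
    octets = str(ip_address(ip)).split(".")
    return ".".join(octets[:2])


def summarize(observations):
    """Aggregate per-domain minimum TTL, distinct addresses and distinct /16s."""
    stats = defaultdict(lambda: {"min_ttl": None, "ips": set(), "prefixes": set(), "lookups": 0})
    for _ts, domain, ttl, records in observations:
        s = stats[domain]
        s["lookups"] += 1
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        for ip in records:
            s["ips"].add(ip)
            s["prefixes"].add(prefix16(ip))
    return stats


def is_fast_flux(s) -> bool:
    """Short TTL plus many distinct addresses spread across unrelated networks."""
    return (s["min_ttl"] <= MAX_FLUX_TTL
            and len(s["ips"]) >= MIN_DISTINCT_IPS
            and len(s["prefixes"]) >= MIN_DISTINCT_PREFIXES)


def detect(observations):
    """Return the sorted list of domains that look like fast-flux."""
    return sorted(d for d, s in summarize(observations).items() if is_fast_flux(s))


if __name__ == "__main__":
    for domain, s in summarize(OBSERVATIONS).items():
        print(f"{domain:15} min_ttl={s['min_ttl']:<5} ips={len(s['ips'])} "
              f"prefixes={len(s['prefixes'])} flux={is_fast_flux(s)}")
```

Run on the constructed data, only flux.example is flagged: static.example has a long TTL and one address, and cdn.example has a short TTL but all of its hosts sit in one /16.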
Detecting Botnets using Fast Flux
A critical step in detecting a fast flux network is to distinguish a fast fluxing attack network (FFAN) from a fast fluxing service network (FFSN)
▪ All agents in an FFSN should be up 24/7
▪ Agents within an FFAN have unpredictable alive time: the botmaster has no physical control over the bots
Two metrics developed to distinguish these
▪ Average Online Rate (AOR)
▪ Minimum Available Rate (MAR)
Flux Agent Monitoring System uses AOR and MAR to track FFANs and FFSNs; it is broken into four components
▪ Dig tool: gathers information and adds new IP addresses to the database
▪ Agents monitor: sends HTTP requests to the agents and records the responses
▪ IP lifespan records database: stores the service status of each agent
▪ Detector: judges between FFAN and FFSN using AOR and MAR
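An added example, not the monitoring system's own code, of the detector step over the kind of records the agents monitor would produce. The slides name AOR and MAR but do not give formulas, so the definitions used here are assumptions: each agent's online rate is the fraction of HTTP probes it answered, AOR is the mean of those rates across a domain's agents, and MAR is the rate of the least reliable agent. The probe log and the thresholds (AOR at least 0.95, MAR at least 0.85) are constructed for illustration.

```python
"""Classify a fluxing domain as FFSN or FFAN from agent-availability probes (added example).

AOR/MAR definitions and thresholds are assumptions; the probe records are constructed.
"""
from statistics import mean

# Constructed probe log: domain -> {agent_ip: [True/False per probe round]}.
# Each value is the outcome of one HTTP request to the agent, taken at a fixed
# interval, the way the "agents monitor" component would record it.
PROBES = {
    "ffsn.example": {              # a hosting provider's own servers: always up
        "198.51.100.10": [True] * 12,
        "198.51.100.11": [True] * 12,
        "198.51.100.12": [True] * 11 + [False],   # one missed probe
    },
    "ffan.example": {              # compromised home machines: come and go
        "11.11.11.11": [True, True, False, False, False, True, True, False, False, False, True, True],
        "22.22.22.22": [False, False, True, True, True, True, False, False, True, True, False, False],
        "33.33.33.33": [True] * 6 + [False] * 6,
    },
}

AOR_THRESHOLD = 0.95   # assumed: FFSN agents are essentially always reachable
MAR_THRESHOLD = 0.85   # assumed: even the worst FFSN agent is rarely down


def online_rate(samples):
    """Fraction of probes this agent answered."""
    return sum(samples) / len(samples)


def aor(agents):
    """Average Online Rate: mean uptime fraction across all agents of a domain."""
    return mean(online_rate(s) for s in agents.values())


def mar(agents):
    """Minimum Available Rate: uptime fraction of the least reliable agent."""
    return min(online_rate(s) for s in agents.values())


def classify(agents):
    """FFSN when both metrics clear their thresholds, otherwise FFAN."""
    if aor(agents) >= AOR_THRESHOLD and mar(agents) >= MAR_THRESHOLD:
        return "FFSN"
    return "FFAN"


if __name__ == "__main__":
    for domain, agents in PROBES.items():
        print(f"{domain:14} AOR={aor(agents):.2f} MAR={mar(agents):.2f} -> {classify(agents)}")
```

The two metrics answer different questions: AOR catches a network whose agents are, on average, flaky, while MAR catches one where a single agent behaves like a home PC even if the rest look stable.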
Domain Flux
Domain flux was created to avoid the single point of failure of a fixed C&C domain
Uses a set of domain names that are constantly, and automatically, generated
▪ Only a few of them actually correspond to an IP address at any time
Bots and the C&C server both run the same domain name generation algorithm
Bots try to contact the C&C server using the generated domain names; if no answer is received at one, the bot moves on to the next
Domain Flux in Torpig
Torpig was a botnet that used domain flux; it was eventually taken over by researchers
It first calculated domain names from the current week and year: "weekyear.com" or "weekyear.net"
If those fail, it moves on to the calculated daily domain
If all other methods fail, a Torpig bot tries to connect to a hard-coded domain from its configuration files
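An added example of the schedule just described, written to illustrate the slides rather than reproduce Torpig: the hashing used to derive a name from the week or day, the label length, the TLD list and the fallback name are all assumptions. Only the order (weekly .com/.net name, then the daily name, then a hard-coded domain) and the "move on if no answer" behaviour come from the text. It also covers the point made later under Mitigation Techniques that a defender who knows the algorithm can compute the names before the attacker registers them.

```python
"""Illustrative domain-flux schedule in the style the Torpig slides describe (added example).

Not Torpig's actual algorithm: hashing scheme, name length, TLDs and the
fallback domain are assumptions.
"""
import hashlib
from datetime import date, timedelta

HARDCODED_FALLBACK = "fallback.example"   # stands in for the domain baked into the bot's config
TLDS = ("com", "net")
NAME_LEN = 12
DEMO_DAY = date(2009, 1, 26)              # a Monday, used by the demo and tests


def _name_from_seed(seed: str) -> str:
    """Derive a fixed-length lowercase label deterministically from a seed string."""
    digest = hashlib.sha256(seed.encode()).digest()
    return "".join(chr(ord("a") + b % 26) for b in digest[:NAME_LEN])


def weekly_domains(day: date):
    """Names that depend only on the ISO week and year (identical all week)."""
    year, week, _ = day.isocalendar()
    label = _name_from_seed(f"week:{week}:{year}")
    return [f"{label}.{tld}" for tld in TLDS]


def daily_domains(day: date):
    """Names that change every day."""
    label = _name_from_seed(f"day:{day.isoformat()}")
    return [f"{label}.{tld}" for tld in TLDS]


def candidate_domains(day: date):
    """Order in which the bot tries rendezvous points on a given day."""
    return weekly_domains(day) + daily_domains(day) + [HARDCODED_FALLBACK]


def rendezvous(day: date, answers):
    """Walk the candidates; `answers` is the set of domains that currently respond."""
    for domain in candidate_domains(day):
        if domain in answers:
            return domain
    return None


def shift(day: date, days: int) -> date:
    return day + timedelta(days=days)


def upcoming_weekly_domains(start: date, weeks: int):
    """Defender's view: with the algorithm known, pre-register or sinkhole future names."""
    out = []
    for i in range(weeks):
        out.extend(weekly_domains(shift(start, 7 * i)))
    return out


if __name__ == "__main__":
    print("bot tries, in order:", candidate_domains(DEMO_DAY))
    print("next 4 weeks to register:", upcoming_weekly_domains(DEMO_DAY, 4))
    # Only the hard-coded name answers today: the bot falls through to it.
    print("rendezvous:", rendezvous(DEMO_DAY, {HARDCODED_FALLBACK}))
```

The weekly names being stable for seven days is what gave researchers their window: anyone who can run the same generator a week ahead can hold the rendezvous point before the botmaster does.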
Detecting Botnets using Domain Flux
Reverse-engineering the domain generation algorithm is not always possible
Only a few of the generated domains will resolve to IP addresses
One detection method is to watch DNS query failures
▪ A small percentage will be user error/poor configuration
▪ A larger part of the failures, especially bursts of lookups for never-registered names from one host, will be from malicious activity
With enough data one should be able to find patterns in DNS query errors
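An added example, not from the slides, of the failure-watching approach run over resolver logs. The log lines are constructed in a simple "timestamp client qname rcode" format; the minimum query count, the failure-ratio threshold and the requirement for several distinct failed names are assumptions. That last condition is what separates an infected host cycling through generated names from a host that keeps retrying one misspelled domain.

```python
"""Spot domain-flux infections from the NXDOMAIN ratio per client (added example).

Log lines are constructed; window and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed resolver log: "timestamp client qname rcode".
# 10.0.0.5 is an ordinary user with one typo; 10.0.0.9 walks a list of
# generated names until one (the hard-coded fallback) finally resolves.
LOG = """\
1000 10.0.0.5 www.example.com NOERROR
1001 10.0.0.5 mail.example.com NOERROR
1002 10.0.0.5 wwww.example.com NXDOMAIN
1003 10.0.0.5 cdn.example.net NOERROR
1004 10.0.0.9 qhzkdlwpazmc.com NXDOMAIN
1004 10.0.0.9 qhzkdlwpazmc.net NXDOMAIN
1005 10.0.0.9 tmvbqjxrtlaw.com NXDOMAIN
1005 10.0.0.9 tmvbqjxrtlaw.net NXDOMAIN
1006 10.0.0.9 xlpqowiejsdk.com NXDOMAIN
1006 10.0.0.9 xlpqowiejsdk.net NXDOMAIN
1007 10.0.0.9 fallback.example NOERROR
1008 10.0.0.5 www.example.com NOERROR
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")

MIN_QUERIES = 5          # assumed: too few lookups to judge a client
MAX_FAIL_RATIO = 0.5     # assumed: typos and misconfiguration stay well below this
MIN_FAILED_NAMES = 3     # assumed: one retried typo is not a DGA


def parse(log: str):
    """Parse log lines into (timestamp, client, qname, rcode); skip malformed lines."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            rows.append((int(ts), client, qname.lower(), rcode))
    return rows


def failure_stats(rows):
    """Per-client query count, NXDOMAIN count and the set of distinct failed names."""
    stats = defaultdict(lambda: {"queries": 0, "nx": 0, "failed_names": set()})
    for _ts, client, qname, rcode in rows:
        s = stats[client]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            s["failed_names"].add(qname)
    return stats


def suspicious_clients(rows):
    """Clients whose failure pattern looks like DGA probing rather than user error.

    Returns sorted (client, failure_ratio, failed_names) tuples.
    """
    out = []
    for client, s in failure_stats(rows).items():
        if s["queries"] < MIN_QUERIES:
            continue
        ratio = s["nx"] / s["queries"]
        if ratio > MAX_FAIL_RATIO and len(s["failed_names"]) >= MIN_FAILED_NAMES:
            out.append((client, round(ratio, 2), sorted(s["failed_names"])))
    return sorted(out)


if __name__ == "__main__":
    for client, ratio, names in suspicious_clients(parse(LOG)):
        print(f"{client}: {ratio:.0%} of queries failed; failed names: {', '.join(names)}")
```

On the constructed log only 10.0.0.9 is reported: it failed six of seven lookups across six distinct names, while 10.0.0.5 failed one of five. In production the same counters would be kept per client over a sliding time window rather than over the whole log.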
Mitigation Techniques
Fast flux networks are mitigated by blacklisting the domain name associated with the flux
▪ Contact the registrar
▪ ISP blocks requests for the domain in DNS
▪ ISP monitors DNS queries to the domain
Domain flux is harder to mitigate
▪ To register the domain names before the attackers, one must know the algorithm used
▪ Automated techniques to block DNS queries are not always accurate
▪ Registrars used by attackers usually do not act on abuse reports
Why should we care?
BredoLab: created May 2009, 30,000,000 bots
Mariposa: created 2008, 12,000,000 bots
Zeus: steals banking credentials for all major banks; 3,600,000 bots in the US alone; customizable
Questions?