Understanding Botnet Phenomenon
MITP 458 - Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev

Posted 20-Dec-2015

Transcript of the slides

Page 1

Understanding Botnet Phenomenon

MITP 458 - Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev

Page 2

What is a Botnet?

The term botnet describes a network of infected end-hosts, called bots, that are under the control of a human operator commonly known as a bot master.

Command and control channels are used to disseminate the commands to the bots.

IRC (Internet Relay Chat protocol) is the main vehicle.

Page 3

IRC Concept – RFC 1459

IRC is an open protocol that uses TCP.

Figure legend: green – normal clients; blue – bots; orange – bouncers.

Page 4

IRC Concept – RFC 1459

Example 1: A message between clients 1 and 2 is only seen by server A, which sends it straight to client 2.

Example 2: A message between clients 1 and 3 is seen by servers A & B, and client 3. No other clients or servers are allowed to see the message.

Example 3: A message between clients 2 and 4 is seen by servers A, B, C & D and client 4 only.

Server spanning tree from RFC 1459 (clients 1 and 2 attach to server A, client 3 to B, client 4 to D):

    1--\
        A        D---4
    2--/ \      /
          B----C
         /      \
        3        E

Servers: A, B, C, D, E. Clients: 1, 2, 3, 4.
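The three routing examples above can be reproduced by walking the RFC 1459 server spanning tree. This is an added example, not code from the presentation or the paper it summarizes; the server links and client attachments are constructed from the slide's figure, and the channel-message function generalizes the one-to-one case to a channel, which is what a tracking drone relies on.

```python
from collections import deque

# Constructed from the RFC 1459 figure on this slide: server links form a spanning
# tree and each client is attached to exactly one server.
SERVER_LINKS = [("A", "B"), ("B", "C"), ("C", "D"), ("C", "E")]
CLIENT_SERVER = {1: "A", 2: "A", 3: "B", 4: "D"}

def build_adjacency(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def server_path(links, src, dst):
    """Unique server path from src to dst in the spanning tree, found by BFS."""
    adj = build_adjacency(links)
    prev = {src: None}
    queue = deque([src])
    while queue and dst not in prev:
        node = queue.popleft()
        for nxt in sorted(adj.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        raise ValueError(f"no route from server {src} to {dst}")
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]

def who_sees_private_message(sender, recipient):
    """Servers and client that handle a one-to-one message (the slide's examples 1-3)."""
    servers = server_path(SERVER_LINKS, CLIENT_SERVER[sender], CLIENT_SERVER[recipient])
    return {"servers": servers, "clients": [recipient]}

def who_sees_channel_message(sender, members):
    """A channel message travels to every server hosting a member, so a tracker drone
    that has joined the bot channel receives the same commands the bots do."""
    servers = set()
    for member in members:
        servers.update(server_path(SERVER_LINKS, CLIENT_SERVER[sender], CLIENT_SERVER[member]))
    return {"servers": servers, "clients": [m for m in members if m != sender]}

if __name__ == "__main__":
    for pair in [(1, 2), (1, 3), (2, 4)]:
        print(pair, who_sees_private_message(*pair))
    print(who_sees_channel_message(1, [1, 2, 4]))
```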

Page 5

How to Analyze Botnets?

Develop a scalable and robust infrastructure to capture and concurrently track multiple botnets.

Must be benign – not used to infect others outside the testing environment.

Analysis of measurements: structural and behavioral aspects of botnets.

IRC tracking, DNS cache probing (minimal).

Page 6

Birth of a Bot

Bots are born from program binaries that infect your PC:

Self-replicating worms

E-mail viruses

Shellcode (scripts)

Page 7

Data collection methodology

Phase 1: Malware collection – collect as many different binaries (bots) as possible

Phase 2: Binary analysis via gray-box testing – analyze the sophistication of each bot

Phase 3: Longitudinal tracking of IRC botnets through IRC and DNS trackers – monitor the pervasiveness of each bot

Page 8

Overview of data collection

Malware collection (PlanetLab testbed) – darknet IP space /8

Capture what PlanetLab misses; parse shellcode

Binaries collected are sent to the botware analysis engine

Page 9

Malware Collection

Unpatched Windows XP instances are run as the base copy. Nepenthes mimics the replies generated by vulnerable services in order to collect the first-stage exploit.

Honeynets are used to catch exploits missed by Nepenthes.

The infected honeypot is compared with the base copy to identify the botnet binary.

Page 10

Binary Analysis via gray-box testing

Network fingerprint (DNS, IPs, ports, scan)

IRC (PASS, NICK, USER, MODE, JOIN)

Learn the botnet dialect
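Learning the dialect means recovering, from a sandboxed bot's own traffic, the exact IRC handshake (PASS, NICK, USER, MODE, JOIN) that a tracker would have to reproduce. The parser below is an added example, not code from the presentation or the paper; the session lines are constructed for illustration and the field names are the example's own.

```python
import re

# Constructed client-to-server lines, as a sandboxed bot's first IRC connection
# might produce (illustrative only; not a capture from the paper).
SAMPLE_SESSION = """\
PASS letmein
NICK [XP]-8374
USER xp 0 * :xp
MODE [XP]-8374 +ix
JOIN #chan1 chankey
JOIN #chan2
PONG :irc.example.test
"""

def parse_irc_line(line):
    """Split one RFC 1459 message into (prefix, command, params, trailing)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        raise ValueError("empty IRC message")
    return prefix, parts[0].upper(), parts[1:], (trailing if sep else None)

def nick_template(nick):
    """Generalise a bot nick by collapsing digit runs: '[XP]-8374' -> '[XP]-#'."""
    return re.sub(r"\d+", "#", nick)

def irc_fingerprint(session_text):
    """Extract the connection dialect a tracker must reproduce to pass as this bot."""
    fp = {"password": None, "nick_template": None, "user": None, "modes": [], "channels": {}}
    for raw in session_text.splitlines():
        if not raw.strip():
            continue
        _, cmd, params, _ = parse_irc_line(raw.strip())
        if cmd == "PASS" and params:
            fp["password"] = params[0]
        elif cmd == "NICK" and params:
            fp["nick_template"] = nick_template(params[0])
        elif cmd == "USER" and params:
            fp["user"] = params[0]
        elif cmd == "MODE" and len(params) >= 2:
            fp["modes"].append(params[1])
        elif cmd == "JOIN" and params:
            keys = params[1].split(",") if len(params) > 1 else []
            for i, chan in enumerate(params[0].split(",")):
                fp["channels"][chan] = keys[i] if i < len(keys) else None
    return fp
```

The resulting fingerprint (server password, nick template, channel names and keys) is what the IRC tracker on the next slide needs to join the channel as a benign observer.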

Page 11

Longitudinal Tracking of Botnets

The IRC tracker (also called a drone) filters traffic and acts as a bot to trick the IRC room, iteratively probing to find the footprint of particular botnets

– Uses DNS probing
– Acts as a spy

DNS tracking – 800,000 name servers

Page 12

Botnet Scanning

Worm-like – immediately start scanning the IP space looking for new victims after infection: 34 / 192

Variable scanning botnets – scan when issued some command by the botmaster

Page 13

Botnet Scanning (figure)

Page 14

Botnet Growth (figure)

Page 15

Botnet Growth (figure)

Page 16

Botnet Phenomenon (figure)

Page 17

Botnet Phenomenon

Traffic problem:
– 70% of the sources during peak periods sent shell exploits similar to those sent by the botnet spreaders.
– 90% of all the traffic during a particular peak targeted ports used by botnet spreaders.
– The amount of botnet-related traffic is certainly greater than 27%.

Page 18

Botnet Statistics

60% were IRC bots – 70% of all the bots connect to a single IRC server

57,000 active bots per day for the first 6 months of 2006 (Symantec)

4.7 million distinct computers being actively used in botnets

Most botnets are managed by a single server (up to 15,000 bots)

Mocbot seized control of more than 7,700 machines within 24 hours

Page 19

Botnet Characteristics

Diverse set of operating systems. Anti-virus programs can detect and fix most bots.

Page 20

What is it that You say… You Do Here?

Log keystrokes for identity theft
Installing advertisement add-ons
Distributed Denial-of-Service attacks
Spamming
Sniffing traffic
Keylogging
Spreading new malware
Google AdSense abuse
Attacking IRC chat networks
Manipulating online polls/games
Mass identity theft

Page 21

Bot Capabilities

DDoS: flooding attack and DDoS extortion
Scanning
Exploitation
Download and installation
Click fraud
Server services – bot hosting, e.g. phishing
Gateway and proxy functions – HTTP proxy
Spyware, keylogging, data theft and packet capture

Page 22

Conclusion

"The fight against botnets is a 'war' that can only be won if all parties - regulators, governments, telecoms firms, computer users and hardware and software makers - work together."

Botnets pose one of the most SEVERE threats to the Internet
– Are responsible for most of the unwanted traffic
– Generators of SPAM

Ref: http://news.bbc.co.uk/2/hi/business/6298641.stm

Page 23

Conclusion

Business implications:
– DDoS – bring e-commerce to a halt
– Wasting of money on SPAM filtering
– Wasting of corporate time and $$

Page 24

Strengths of the paper

All aspects of a botnet analyzed
No prior analysis of bots
Ability to model various types of bots
Ability to learn bot dialect and communicate with them.

Page 25

Botnet

Questions ?