about botnets

About Botnets Alain Bindele matr:695164

description

A presentation about botnets: what they are, how they work, detection techniques and countermeasures.

Transcript of about botnets

Page 1: about botnets

About Botnets

Alain Bindele matr:695164

Page 2: about botnets

Summary

Introduction & Definitions

Main characteristics

Botnet examples

Countermeasures

Page 3: about botnets


Part I: Introduction & Definitions

A botnet is a collection of Internet-connected programs communicating with other similar programs in order to perform tasks.

Page 4: about botnets

Malware taxonomy: Virus, Worm, Trojan, Botnet!

Page 5: about botnets


(Let’s make some order)


Page 7: about botnets

Virus

A virus is a self-replicating program that infects a host, often appending itself to other executables. It needs a user action that runs (often unintentionally) the infected executable file before it can inflict any kind of damage on the system (from unwanted behaviours such as opening windows or popups or scrambling the desktop icons, to a complete freeze of the system).


Page 9: about botnets

Worm

A worm, just like a virus, is a damaging self-replicating program, but unlike a virus it spreads its copies by exploiting system vulnerabilities and therefore does not necessarily need human interaction.


Page 11: about botnets

Trojan

A trojan is just like the above malware, but it typically hides a so-called "backdoor": a server running in the background, waiting for a connection and giving the attacker some level of remote control over the infected machine.


Page 13: about botnets

Botnet

"Bot" is a term used to refer both to the program and to the machine running it (often referred to as a "zombie"). Notice that botnets have all the characteristics of the previous malware types (damage, self-spreading and remote control) but also have the ability to organize many bots into a network.

Page 14: about botnets

“Never send a human to do a machine's job.”

–Agent Smith

Page 15: about botnets

Purposes

steal personal data

abuse the victim’s CPU

abuse the network bandwidth

click frauds

spamming

phishing

espionage, intelligence and cyber-war

Page 16: about botnets

Personal data stealing

Some botnets are designed to scan the computer's files and monitor user interaction (generally using keyloggers) and browser activity to steal passwords, e-mail contacts, checking accounts, etc.

eg. Zeus, Waledac, Skynet

Page 17: about botnets

CPU abuse

Some botnets (e.g. ZeroAccess and Skynet) use the victim's CPU to perform bitcoin mining, brute-force hash reversing or password attacks.

eg. ZeroAccess, Skynet

Page 18: about botnets

Network bandwidth abuse

Many botnets use the victim's network bandwidth to perform DDoS attacks.

A Denial of Service (DoS) is an offensive action which prevents a single server or an entire network from supplying a service. When many coordinated hosts (like a botnet) are used to attack some service, host or network, we talk about DDoS (distributed DoS).

eg. Waledac, Skynet, Storm, Mariposa and many others..

Page 19: about botnets

Click frauds

By controlling or implementing browser functionality, a bot can automatically browse and click links, defrauding pay-per-click companies.

eg. ZeroAccess, Chameleon

Page 20: about botnets

Spamming

Botnets are widely used for spamming. A 2004 survey estimated that lost productivity costs Internet users in the United States $21.58 billion annually, while another reported the cost at $17 billion, up from $11 billion in 2003. [wikipedia]

eg. Waledac, MegaD, Kraken, Lethic and many others..

Page 21: about botnets

Phishing frauds

Spam is also a medium for fraudsters to scam users into entering personal information on fake websites, using e-mails forged to look like they come from banks or other organizations, such as PayPal. This is known as phishing. Targeted phishing, where known information about the recipient is used to create the forged e-mails, is known as spear-phishing. [wikipedia]

Page 22: about botnets

Botnet Lifecycle

initial infection

secondary injection

bootstrap

malicious C&C

update and maintenance

Page 23: about botnets

Initial infection

This phase starts when the attacker scans a system looking for some vulnerability to exploit. Many tools (e.g. Metasploit) and techniques (e.g. social engineering) can be used to conduct this preliminary attack phase, which ends when the malicious software (sometimes referred to as the payload or shellcode) is successfully injected into the target machine.

Page 24: about botnets

Secondary Injection

The second phase starts with code execution, when the malware is loaded into the computer's memory and processed, i.e. when it actually runs on the target machine, turning it into a "zombie".

Page 25: about botnets

Bootstrap

In this phase the malware establishes a connection with the C&C and/or the rest of the network (depending on the network topology), which could include many other kinds of servers. In this phase the bot becomes ready to serve the bot herder's commands, which are acquired in the next phase.

Page 26: about botnets

C&C instruction phase

In this phase the bot herder remotely instructs the bot to perform some task.

e.g. perform a DDoS attack against some target host, collect personal data, etc.

Page 27: about botnets

Update & Maintenance

Many bots can update themselves automatically or programmatically. Spamming botnets, for example, could periodically update their mail templates.

Page 28: about botnets

Attack vectors

Any medium, hardware or software used to subvert the normal execution of a computer system:

USB drives

E-mail

Files

Buggy software

Open ports

Page 29: about botnets

DDoS attacks

Volumetric Attacks

TCP State-Exhaustion Attacks

Application Layer Attacks

Page 30: about botnets

Volumetric Attacks

These attacks attempt to saturate the bandwidth of the targeted system (a single host or an entire network service) and can be carried out by generating an enormous amount of traffic on the network. Examples of volumetric attacks include ICMP, fragment and UDP floods.

Page 31: about botnets

TCP State-Exhaustion Attacks

These attempt to consume the connection state tables present in many infrastructure components such as load balancers, firewalls and the application servers themselves.

The SYN flood is one such technique and could render a misconfigured system unusable.

Page 32: about botnets

Application Layer Attacks

These target some aspect of an application or service at Layer 7. By generating a relatively high volume of requests (HTTP GET/POST floods, etc.), servers can be crammed with complex tasks and job queues.

Page 33: about botnets

Botnet characteristics

Topology

Lookup Resilience

Blind proxy redirection

Polymorphism

Page 34: about botnets

Topology

Centralized:

Star topology

Multi-server

Decentralized

P2P

Page 35: about botnets

Star topology

All bots are connected to a central server.

Page 36: about botnets

Hierarchical

Bots are connected to a backbone of intermediate servers that receive instructions from one or more C&C servers.

Page 37: about botnets

P2P

There is no single C&C; every computer in the network communicates with a set of neighbors.

Page 38: about botnets

Lookup resiliency

IP fast flux

Single Flux

Double Flux

Domain flux

Wildcarding

DGA

Page 39: about botnets

Fluxing

IP flux is the periodic change of the IP address associated with a particular fully qualified domain name (FQDN).

Domain flux is effectively the inverse of IP flux: instead of changing the IP, we change the associated name.

High-frequency fluxing is called fast flux.

Page 40: about botnets

IP Flux (two flavors)

Single-flux is the simplest form: multiple (hundreds or even thousands of) IP addresses are associated with a domain name. These IP addresses are registered and de-registered rapidly on a particular DNS server using round-robin algorithms and very short Time-to-Live (TTL) values.

Double-flux is the evolution of single-flux which not only fluxes the IP addresses associated with the fully qualified domain name, but also fluxes the IP addresses of the DNS servers used to look up the IP addresses of the FQDN.
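The defender's view of the two flavours is a series of repeated lookups of the same name. The following is an added example, not code from the slides: it scores a sequence of constructed DNS answers on the signals the text describes (short TTL, many addresses, addresses spread across many networks, A-record churn between lookups for single-flux, and name-server address churn for double-flux). The thresholds, the `DnsSnapshot` type and the sample addresses (RFC 1918 and documentation ranges) are assumptions made for the example.

```python
# Added example, not from the slides: heuristics for spotting single- and
# double-flux from repeated DNS lookups of one FQDN. Thresholds are assumptions.
from dataclasses import dataclass, field


@dataclass
class DnsSnapshot:
    """One resolution of a name at one point in time (constructed data)."""
    ttl: int                 # TTL of the A records in this answer
    a_records: list          # IPv4 addresses answered for the FQDN
    ns_ips: list = field(default_factory=list)  # IPv4 addresses of the authoritative name servers


def prefix16(ip: str) -> str:
    """/16 of an IPv4 address: a cheap stand-in for 'different network/provider'."""
    return ".".join(ip.split(".")[:2])


def flux_score(snapshots, max_ttl=300):
    """Return (score, reasons). Each heuristic adds one point:
    - every answer carries a short TTL (forces frequent re-resolution)
    - many distinct A records seen over the observation window
    - those addresses are scattered over many /16 prefixes (consumer hosts, not one datacenter)
    - most addresses in each new answer were absent from the previous one (single-flux churn)
    - the name servers' own addresses change between lookups (double-flux)
    """
    score, reasons = 0, []
    all_a, prefixes = set(), set()
    for snap in snapshots:
        all_a.update(snap.a_records)
        prefixes.update(prefix16(ip) for ip in snap.a_records)

    if snapshots and all(snap.ttl <= max_ttl for snap in snapshots):
        score += 1
        reasons.append("short TTL")          # weak on its own: CDNs do this too
    if len(all_a) >= 5:
        score += 1
        reasons.append(f"{len(all_a)} distinct A records")
    if len(prefixes) >= 3:
        score += 1
        reasons.append(f"{len(prefixes)} distinct /16 prefixes")

    # Single-flux: fraction of answered addresses that were new relative to the previous answer.
    new, total = 0, 0
    for prev, cur in zip(snapshots, snapshots[1:]):
        new += len(set(cur.a_records) - set(prev.a_records))
        total += len(cur.a_records)
    if total and new / total > 0.5:
        score += 1
        reasons.append("A-record churn between lookups")

    # Double-flux: the authoritative NS addresses change as well.
    ns_churn = any(prev.ns_ips and cur.ns_ips and set(prev.ns_ips) != set(cur.ns_ips)
                   for prev, cur in zip(snapshots, snapshots[1:]))
    if ns_churn:
        score += 1
        reasons.append("NS address churn")
    return score, reasons


def classify(snapshots):
    score, reasons = flux_score(snapshots)
    if score >= 3 and "NS address churn" in reasons:
        return "double-flux"
    if score >= 3:
        return "single-flux"
    return "benign"


# Constructed lookups. Addresses are from RFC 1918 / documentation ranges.
BENIGN_CDN = [
    DnsSnapshot(60, ["203.0.113.10", "203.0.113.11"], ["198.51.100.1"]),
    DnsSnapshot(60, ["203.0.113.10", "203.0.113.11"], ["198.51.100.1"]),
    DnsSnapshot(60, ["203.0.113.11", "203.0.113.10"], ["198.51.100.1"]),
]
SINGLE_FLUX = [
    DnsSnapshot(180, ["10.1.2.3", "10.44.5.6", "10.77.8.9"], ["198.51.100.1"]),
    DnsSnapshot(180, ["10.12.0.7", "10.90.1.1", "10.3.3.3"], ["198.51.100.1"]),
    DnsSnapshot(180, ["10.5.5.5", "10.66.6.6", "10.120.7.7"], ["198.51.100.1"]),
]
DOUBLE_FLUX = [
    DnsSnapshot(180, ["10.1.2.3", "10.44.5.6", "10.77.8.9"], ["198.51.100.1"]),
    DnsSnapshot(180, ["10.12.0.7", "10.90.1.1", "10.3.3.3"], ["198.51.100.77"]),
    DnsSnapshot(180, ["10.5.5.5", "10.66.6.6", "10.120.7.7"], ["198.51.100.200"]),
]

if __name__ == "__main__":
    for name, snaps in [("cdn", BENIGN_CDN), ("single", SINGLE_FLUX), ("double", DOUBLE_FLUX)]:
        print(name, classify(snaps), flux_score(snaps))
```

The benign CDN case scores only on TTL, which is why no single heuristic is treated as conclusive; what separates flux from a legitimate low-TTL service is the churn of addresses across unrelated networks, and for double-flux the churn of the name servers themselves.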

Page 41: about botnets

DNS Wildcarding

Domain wildcarding abuses DNS functionality to wildcard a higher-level domain so that all FQDNs under it point to the same IP address.

e.g. *.domain.com could cover both mypc.foo.domain.com and myserver.domain.com

Page 42: about botnets

Domain Generation Algorithm

In Domain Generation Algorithms (DGA), a periodically changing list of FQDNs is created; the bot agent then polls these names looking for the C&C infrastructure. Since the domain names are generated dynamically in volume and typically live for a single day, the turnover makes it very difficult to investigate or block every possible domain name.
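Blocking every generated name is impractical, but the polling behaviour leaves two traces a defender can use: the names themselves look machine-made, and a bot walking its daily list produces a burst of NXDOMAIN answers for such names before the one the herder actually registered resolves. The following is an added example, not code from the slides. It scores the registered label of a name on simple lexical features (character entropy, longest run without vowels, coverage by dictionary words, length) and then aggregates a constructed resolver log per client. The tiny word list, the thresholds and the log lines are assumptions; a production implementation would use a real dictionary and the Public Suffix List.

```python
# Added example, not from the slides: lexical DGA heuristics plus the per-client
# NXDOMAIN pattern a resolver log shows when a bot walks its daily name list.
# The word list, thresholds and log lines are constructed assumptions.
import math
from collections import Counter, defaultdict

# Stand-in for a real dictionary (assumption); words of 3+ letters only.
COMMON_WORDS = {"google", "example", "mail", "www", "news", "bank", "login",
                "secure", "update", "cloud", "shop", "store", "home", "web", "server"}
VOWELS = set("aeiou")


def registered_label(fqdn: str) -> str:
    """Second-level label, e.g. 'example' for mail.example.org.
    A real implementation would consult the Public Suffix List (co.uk etc.)."""
    labels = fqdn.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def longest_nonvowel_run(s: str) -> int:
    best = run = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def dictionary_coverage(label: str, words=COMMON_WORDS) -> float:
    """Fraction of characters covered by greedy longest-match dictionary words."""
    covered, i = 0, 0
    while i < len(label):
        match = max((w for w in words if label.startswith(w, i)), key=len, default=None)
        if match:
            covered += len(match)
            i += len(match)
        else:
            i += 1
    return covered / len(label) if label else 0.0


def dga_score(fqdn: str) -> int:
    """Count of lexical DGA indicators on the registered label (0..4)."""
    label = registered_label(fqdn)
    score = 0
    score += shannon_entropy(label) > 3.5          # near-uniform character use
    score += longest_nonvowel_run(label) >= 4      # unpronounceable
    score += dictionary_coverage(label) < 0.5      # not built from words
    score += len(label) >= 12                      # long labels are the norm for DGAs
    return int(score)


def is_probable_dga(fqdn: str, threshold=3) -> bool:
    return dga_score(fqdn) >= threshold


# Constructed resolver log: (client_ip, fqdn, rcode)
QUERY_LOG = [
    ("192.0.2.10", "www.google.com", "NOERROR"),
    ("192.0.2.10", "mail.example.org", "NOERROR"),
    ("192.0.2.55", "xq7zkr2wplmv9t.net", "NXDOMAIN"),
    ("192.0.2.55", "ajkdfuweoqpzmn.com", "NXDOMAIN"),
    ("192.0.2.55", "pwzqkxdjrvtnbm.org", "NXDOMAIN"),
    ("192.0.2.55", "kxzvqwmtrplndj.net", "NOERROR"),   # the one name registered today
    ("192.0.2.77", "secure-login-update.com", "NXDOMAIN"),
]


def suspicious_clients(log, min_nxdomain=3):
    """Clients with many failed lookups of DGA-looking names; the few that did
    resolve are the live C&C candidates worth blocking or sinkholing."""
    nx = Counter()
    resolved = defaultdict(list)
    for client, fqdn, rcode in log:
        if not is_probable_dga(fqdn):
            continue
        if rcode == "NXDOMAIN":
            nx[client] += 1
        else:
            resolved[client].append(fqdn)
    return {c: {"nxdomain": n, "resolved": resolved[c]} for c, n in nx.items() if n >= min_nxdomain}


if __name__ == "__main__":
    for _, fqdn, _ in QUERY_LOG:
        print(f"{fqdn:28} score={dga_score(fqdn)}")
    print(suspicious_clients(QUERY_LOG))
```

Note that a long, legitimate name such as secure-login-update.com already trips the entropy and length indicators; only the combination with the consonant-run and dictionary features keeps it below the threshold, and the per-client NXDOMAIN count is what turns a lexical guess into an incident worth investigating.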

Page 43: about botnets

Blind proxy redirection

With this technique some hosts of the botnet act as proxies, interrupting attempts to trace, discover and shut down the flux service network (DNS registrar, C&C, etc.). Relay nodes basically act as intermediaries between the slave nodes and the master command-and-control servers, as well as for each other.

Page 44: about botnets

Blind Proxy Redirection

Pro*

Anonymity

Con*

Lower Propagation Speed

*from the bot herder's perspective; from a law enforcer's perspective it is exactly the opposite

Page 45: about botnets

Polymorphism

What is it?

Server side

Repacking

Page 46: about botnets

Polymorphism

Every time an antivirus is updated it downloads the digital signatures of known malware; by comparing the signatures of the executables on the machine with those stored in its database, it can detect and remove the threatening software.

As a countermeasure, malware authors repack and encrypt the binaries of their software before distributing it. Some also continuously download new code to execute, changing the signature and so remaining hidden from antivirus software, which cannot know a priori every possible signature of an encrypted executable.

Page 47: about botnets

Part II: Case study

Real botnet examples

Page 48: about botnets
Page 49: about botnets

Part III: Countermeasures

Page 50: about botnets

Stakeholders

Institutions

Law enforcers

Research

Corporations

Single Users

Page 51: about botnets

Attack Points

C&C server

DNS denial

Takedown C&C

Infected Host

AV, firewalling

Botnet Communications

sinkholing

Page 52: about botnets

Steps

Detection

Cleaning

defensive strategies

offensive strategies

Page 53: about botnets

Detectors classification

Signature based

File monitoring

Connection monitoring

Anomaly based

Self-learning

Programmed

Compound

Page 54: about botnets

Signature based

There is a database of known threats. Files or connections are scanned for matching events.

Pro: zero false positives

Con: unable to detect unknown malware

Page 55: about botnets

Self-learning detection

The system first learns from an initial (usually safe) condition and, in a second phase, checks whether the system behaves according to that condition. If the observed system diverges from the "normal" condition, an alert is raised.

Pro: could detect zero-day attacks

Con: could give false positives

Page 56: about botnets

Programmed detection

Statistics, rules and thresholds are used to define some anomaly conditions. If the system matches an anomaly condition, an alert is raised.

Pro: could detect zero-day attacks

Con: doesn't scale very well

Page 57: about botnets

Anomaly based detectors: “something that is abnormal is probably suspicious”

Self-learning systems learn by example what constitutes normal for the installation typically by observing traffic for an extended period of time and building some model of the underlying process. [2]

(stochastic models, machine learning, hidden Markov models, neural networks, hybrid models)
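The self-learning and programmed variants described on the previous slides, and the compound detector from the classification, can be shown together on one piece of data. The following is an added example, not code from the slides: the self-learning part learns a per-host baseline of outbound connections per hour and raises a z-score alert when an hour is far outside that host's own norm; the programmed part is a fixed rule that flags a source contacting the same destination at near-constant intervals (the C&C check-in pattern, measured as the coefficient of variation of the gaps); the compound detector merges both per host. The baseline numbers, the connection log, the thresholds (z > 3, at least 6 connections, cv <= 0.1) and the addresses are constructed assumptions.

```python
# Added example, not from the slides: a self-learning detector (per-host volume
# baseline, z-score) and a programmed detector (beaconing rule with fixed
# thresholds) combined into a compound alert. All data and thresholds are constructed.
import statistics
from collections import defaultdict

# --- Self-learning: baseline of outbound connections per hour, learned during a clean period.
BASELINE_CONNS_PER_HOUR = {
    "192.0.2.10": [40, 45, 38, 50, 42, 47, 44, 41],
    "192.0.2.55": [12, 15, 11, 14, 13, 12, 16, 14],
}
OBSERVED_CONNS_PER_HOUR = {"192.0.2.10": 48, "192.0.2.55": 190}   # one test hour


def learn_profile(baseline):
    """Per-host (mean, stdev) of the training samples."""
    return {host: (statistics.mean(v), statistics.pstdev(v)) for host, v in baseline.items()}


def volume_alerts(profile, observed, z_threshold=3.0):
    """Hosts whose current count is far above their own learned norm.
    Hosts with no baseline are skipped here; a real system would queue them for learning."""
    alerts = {}
    for host, count in observed.items():
        if host not in profile:
            continue
        mean, sd = profile[host]
        z = (count - mean) / max(sd, 1.0)      # floor avoids divide-by-zero on a flat baseline
        if z > z_threshold:
            alerts[host] = round(z, 1)
    return alerts


# --- Programmed: a fixed rule over (timestamp_seconds, src, dst); constructed.
CONNECTIONS = [
    (0, "192.0.2.10", "203.0.113.5"), (40, "192.0.2.10", "203.0.113.5"),
    (55, "192.0.2.10", "203.0.113.5"), (400, "192.0.2.10", "203.0.113.5"),
    (410, "192.0.2.10", "203.0.113.5"), (900, "192.0.2.10", "203.0.113.5"),
    (950, "192.0.2.10", "203.0.113.5"),
    (0, "192.0.2.55", "198.51.100.9"), (301, "192.0.2.55", "198.51.100.9"),
    (599, "192.0.2.55", "198.51.100.9"), (902, "192.0.2.55", "198.51.100.9"),
    (1200, "192.0.2.55", "198.51.100.9"), (1498, "192.0.2.55", "198.51.100.9"),
    (1801, "192.0.2.55", "198.51.100.9"),
]


def beacon_alerts(connections, min_conns=6, max_cv=0.1):
    """Flag (src, dst) pairs contacted at near-constant intervals: the C&C
    check-in pattern. cv = stdev/mean of the gaps; human traffic is bursty (cv >> 0.1)."""
    by_pair = defaultdict(list)
    for ts, src, dst in connections:
        by_pair[(src, dst)].append(ts)
    alerts = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            alerts.append({"src": src, "dst": dst, "period_s": round(mean), "cv": round(cv, 3)})
    return alerts


def compound_alerts(baseline, observed, connections):
    """Merge both detectors per host: each alone is noisy, together they corroborate."""
    z = volume_alerts(learn_profile(baseline), observed)
    beacons = beacon_alerts(connections)
    hosts = set(z) | {b["src"] for b in beacons}
    return {h: {"volume_z": z.get(h), "beacons": [b for b in beacons if b["src"] == h]} for h in hosts}


if __name__ == "__main__":
    print(compound_alerts(BASELINE_CONNS_PER_HOUR, OBSERVED_CONNS_PER_HOUR, CONNECTIONS))
```

The two detectors illustrate the trade-off the slides list: the z-score needs a learning period and will alert on any legitimate change of behaviour (false positives), while the beaconing rule needs no training but its thresholds have to be tuned by hand for every environment (it does not scale). Corroboration between them is what makes the compound alert on 192.0.2.55 actionable.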

Page 58: about botnets

Other methods

Honeypot

A honeypot is a decoy system that attracts the attention of attackers so that they attack it instead of the critical targets it protects. Honeypots are computer systems that have no production value. According to this concept, a resource that expects no data, so any traffic to or from it is most likely suspicious activity and must be investigated. [3]

Page 59: about botnets

Other methods

DNS based

DNS-based detection techniques rely on the particular DNS information generated by a botnet. They are similar to anomaly detection techniques, as similar anomaly detection algorithms are applied to DNS traffic. [4][6][9]

Page 60: about botnets

Countermeasures: a proposed taxonomy [3]

Signature based

Honey-Pot based

Anomaly based

DNS based

Mining based

Network based

Page 61: about botnets

Detectors taxonomy

Some detectors described in [2], grouped by features (March 2000)

Page 62: about botnets

Other detectors

BotHunter [7]

Cisco® Cyber Threat Defense Solution 1.0 [8]

Snort [10]

ETPro™ Ruleset (works with Snort) [11]

The Botnets [12]

RUBotted [13]

Page 63: about botnets

Offensive strategies

Mitigation

C&C takedown

Block botnet traffic at ISP level (sinkholing, BGP blackholing …)

Manipulation

Leverage bot command layer

Infiltration & Poisoning

Exploitation

Leverage bot leaks

Page 64: about botnets

Mitigation

Strategies for mitigation are offensive, technical means that slow botnets down, by consuming resources for instance. Examples can be temporary DoS attempts against C&C servers, trapping and holding connections from infected machines, or blocking of malicious domains. [5]
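The sinkholing listed under mitigation is one of the less destructive of these means: the resolver answers known malicious names (a C&C domain, or a whole fluxing domain and everything under it) with an address the defender controls, so the bots' connections are trapped and every client that asks for such a name is logged as a cleanup candidate. The following is an added example, not code from the slides: a minimal sinkhole resolver wrapping a constructed upstream table, with suffix matching that covers subdomains and a report of hosts that repeatedly hit the sinkhole. The blocklist entries, the sinkhole address, the `SinkholeResolver` class and the query stream are constructed assumptions.

```python
# Added example, not from the slides: a DNS sinkhole. Known malicious names are
# answered with a sinkhole address instead of the real C&C, and the querying
# clients are logged so infected machines can be cleaned. Names, addresses and
# the upstream table are constructed.
from collections import Counter

SINKHOLE_IP = "192.0.2.254"                      # constructed: a host that only logs what hits it
BLOCKLIST = {"evilc2.example", "flux.example"}   # constructed registered domains to capture


def normalize(fqdn: str) -> str:
    return fqdn.lower().rstrip(".")


def is_sinkholed(fqdn: str, blocklist=BLOCKLIST) -> bool:
    """Exact match or any subdomain: blocking 'flux.example' also captures
    the fluxing hostnames under it (the defender's use of wildcarding)."""
    name = normalize(fqdn)
    return any(name == bad or name.endswith("." + bad) for bad in blocklist)


class SinkholeResolver:
    """Wraps an upstream resolver (here a dict: name -> IP, constructed)."""

    def __init__(self, upstream, blocklist=BLOCKLIST):
        self.upstream = upstream
        self.blocklist = blocklist
        self.hits = []   # (client_ip, fqdn) for every sinkholed query

    def resolve(self, client_ip: str, fqdn: str):
        if is_sinkholed(fqdn, self.blocklist):
            self.hits.append((client_ip, normalize(fqdn)))
            return SINKHOLE_IP
        return self.upstream.get(normalize(fqdn))    # None models NXDOMAIN

    def infected_hosts(self, min_hits=2):
        """Clients that repeatedly asked for blocked names: candidates for cleanup.
        min_hits > 1 filters one-off noise (a user clicking a spam link once)."""
        counts = Counter(client for client, _ in self.hits)
        return {client: n for client, n in counts.items() if n >= min_hits}


UPSTREAM = {"www.google.com": "203.0.113.10", "mail.example.org": "203.0.113.20"}

# Constructed query stream: (client_ip, fqdn)
QUERIES = [
    ("192.0.2.10", "www.google.com"),
    ("192.0.2.10", "mail.example.org"),
    ("192.0.2.55", "evilc2.example"),
    ("192.0.2.55", "a1.flux.example."),        # trailing dot and mixed case are normalized
    ("192.0.2.55", "B7.FLUX.EXAMPLE"),
    ("192.0.2.77", "evilc2.example"),           # single hit: below the cleanup threshold
    ("192.0.2.77", "notflux.example"),          # not a subdomain of flux.example
]


def run_sinkhole(queries=QUERIES, upstream=UPSTREAM):
    resolver = SinkholeResolver(upstream)
    answers = [(client, fqdn, resolver.resolve(client, fqdn)) for client, fqdn in queries]
    return answers, resolver


if __name__ == "__main__":
    answers, resolver = run_sinkhole()
    for client, fqdn, ip in answers:
        print(f"{client} {fqdn:22} -> {ip}")
    print("cleanup candidates:", resolver.infected_hosts())
```

The suffix test deliberately requires the dot separator, so `notflux.example` is not swallowed by the `flux.example` entry; sloppy string matching here is how sinkholes end up blackholing legitimate traffic, which is exactly the collateral damage the offensive strategies have to avoid.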

Page 65: about botnets

Manipulation

Possible manipulations can be the alteration or removal of DDoS or spam commands, as well as of commands to download and execute programs, which allows a remote cleanup of infected machines. Less invasive options include dropping collected personal data, like credit card or banking details, replacing them with fake information, or issuing commands to make bots stop the collection [5].

Page 66: about botnets

Exploitation

Exploitation is a special strategy that makes use of bugs found in bots. Like bugs in other products, these can be used to perform actions on the infected machines. Even though this category is the most powerful, it is the one with the highest risk involved, because exploits can easily crash and damage systems if not designed carefully [5].

Page 67: about botnets

Questions?

Page 68: about botnets


The end…(?)

Page 69: about botnets

Bibliography

[1] http://en.wikipedia.org/wiki/Botnet

[2] Axelsson, Stefan. Intrusion detection systems: A survey and taxonomy. Vol. 99. Technical report, 2000.

[3] Raghava, N. S., Divya Sahgal, and Seema Chandna. "Classification of Botnet Detection Based on Botnet Architecture." Communication Systems and Network Technologies (CSNT), 2012 International Conference on. IEEE, 2012.

[4] Feily, Maryam, Alireza Shahrestani, and Sureswaran Ramadass. "A survey of botnet and botnet detection." Emerging Security Information, Systems and Technologies, 2009. SECURWARE'09. Third International Conference on. IEEE, 2009.

[5] Leder, Felix, Tillmann Werner, and Peter Martini. "Proactive botnet countermeasures: an offensive approach." The Virtual Battlefield: Perspectives on Cyber Warfare 3 (2009).

[6] Hu, Xin, Matthew Knysz, and Kang G. Shin. "RB-Seeker: Auto-detection of Redirection Botnets." NDSS. 2009.

[7] http://www.bothunter.net/

Page 70: about botnets

Bibliography

[8] http://www.cisco.com/c/en/us/solutions/enterprise-networks/threat-defense/index.html

[9] Schiller, Craig, and James R. Binkley. Botnets: The killer web applications. Syngress, 2011.

[10] http://www.snort.org/

[11] http://www.emergingthreats.net/

[12] https://code.google.com/p/botnets/

[13] http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1777&lang_loc=1