Article presentation for: The Dark Cloud: Understanding and Defending against Botnets and Stealthy Malware
Article presentation for:
The Dark Cloud: Understanding
and Defending against Botnets
and Stealthy Malware
Based on article by: Jaideep Chandrashekar, Steve Orrin, Carl Livadas, Eve M. Schooler
Available at: http://download.intel.com/technology/itj/2009/v13i2/pdfs/ITJ9.2.9-Cloud.pdf
This presentation by: Adrian Crenshaw
http://Irongeek.com
Background
A little information to get you up to speed on botnets
So, what is a Botnet?
• A collection of compromised computers that can be sent orders
• Individual hosts in a Botnet are known as bots or zombies
• The administrator of the Botnet is often known as a “Bot Herder”
• A few examples of Botnets include: Storm, Kraken, Conficker
Botnet life cycle (as outlined by the article)
• Spread Phase
– Social-engineering (SE) spam, web drive-bys, network worm functionality, etc.
• Infection Phase
– Polymorphism
– Rootkitting
• Trojan binaries
• Library hooking
• Command and Control Phase
• Attack Phase
How do hosts become part of a Botnet?
• Drive-by malware installs via web browsers
• Automated or targeted network vulnerability attacks
• End users socially engineered to install them via phishing attacks, or confusing browser messages
• Other vectors…
Botnet Source Code Families
• Lots of source code is out there:
– Agobot
– Rxbot
– SDBot
– Spybot
– Others…
http://leetupload.com
Search for BotNet.Source.Codes.rar
How are Botnets controlled?
• Decentralized Command and Control Channels (C&C)
• Decentralization is important to make C&C harder to shut down
• By using Command and Control Channels, “bot herders” can change what their Botnet is tasked to do, and update the Botnet’s nodes
Illustration of C&C
Image Source: Intel Technology Journal; Jun 2009, Vol. 13 Issue 2, p130-147
Illustration of C&C: Another take
Diagram: the bot herder at the top talks to three IRC servers in the middle tier; the bots underneath connect to the IRC servers for their orders.
Illustration of C&C: Yet another take
Diagram: the bot herder at the top talks to four “middle layer” nodes; the bots underneath connect to the middle layer rather than directly to the herder.
Illustration of C&C: Blind drop
Diagram: the bot herder posts orders to a single middle layer; the bots underneath poll it for instructions.
The middle layer could be a web site, forum posting, image, etc.
Economics of Bot Herding
• So, why would someone want a Botnet?
– Distributed Denial of Service (DDoS)
• Personal vendettas
• Protection money
– Spam (both email and web posts)
– Adware
– Click fraud
– Harvested identities (sniffers, key loggers, etc.)
• They can also be rented out for tasks
• BBC show Click rents a Botnet: http://www.tudou.com/programs/view/13Cx-LNrTfU/
Problems with detecting/removing a Bot installation
Main points from the article:
• Polymorphism
• Rootkitting
• Only periodic communications back to the controller
Others:
• Retaliatory denial of service
• Distributed
• Fast flux
• Encrypted channels
Article’s proposal: Canary Detector
Made with three main strategies (paraphrased):
1. Establish a baseline for the network.
2. Use an end-host detection algorithm to identify the botnet C&C channel, based on destinations that are regularly contacted.
3. Aggregate information across nodes on the network to find commonality.
Canary Detector: Atoms
• Uses the tuple:
– destIP/dstService = Host being contacted
– destPort = Port number
– proto = UDP or TCP
• Examples:
– (google.com, 80, tcp)
– (208.67.222.222, 53, udp)
– (ftp.nai.com, 21:>1024, tcp)
– (mail.cisco.com,135:>1024,tcp)
Canary Detector: Persistence
• Look for “temporal heavy hitters”
– Not so concerned about the amount of traffic
– Concerned about regularity
• Using a small tracking window of duration w, record whether or not each Atom was contacted during that window
• Set an observation window W, for example W = 10w in duration; an Atom’s persistence is judged by how many of the tracking windows within W saw it contacted
• The authors also use multiple time scales, 1 through 5
Canary Detector: Commonality
• How common is a destination Atom amongst network nodes?
• The more common the Atom, the more important it is
Canary Detector: Whitelists
• Ignore “safe” Atoms to ease computation
1. Observe traffic during a training period to see common, regularly contacted Atoms (Windows Update servers might be an example)
2. Set nodes to ignore, adjust as needed.
3. Whitelists are established at both the host and network level.
Canary Detector: Alarm Types
• p-alarms (persistence): When a destination Atom not contained in the host’s whitelist becomes persistent. More for local use, whitelist or flag.
• c-alarms (commonality): When a destination atom is observed at a large number of end-hosts in the same window and is identified as common. More for network use, whitelist or flag.
Using the information
• Article defines thresholds for persistence and commonality (p* and c*) for when to take note
• Suspicious alarms can be acted upon
– Nullrouting
– Investigation
– Cleanup
Tested against real bots
• SDBot: Controlled over IRC, but easy to spot because it connects to irc.undernet.org. Scans ports 135, 139, 445 and 2097 looking to spread.
• Zapchast: Five IRC service Atoms (about 13 distinct IPs). Mostly NetBIOS attack traffic.
• Storm: P2P based. The traces were two orders of magnitude larger than those of the other botnets tested.
Graph of botnet Atom persistence
• SDBot (triangles)
• Zapchast (diamonds)
• Storm (blue dots)
– Note that they only graphed 100 Atoms
Image Source: THE DARK CLOUD: UNDERSTANDING AND DEFENDING AGAINST BOTNETS AND STEALTHY MALWARE, Intel Technology Journal, Jun 2009, Vol. 13 Issue 2, p130-147, 18p, 3 charts, 3 diagrams; diagram found on p144
Links for more research
• The Dark Cloud: Understanding and Defending against Botnets and Stealthy Malware: http://download.intel.com/technology/itj/2009/v13i2/pdfs/ITJ9.2.9-Cloud.pdf
• Shadowserver: http://www.shadowserver.org
• SANS Internet Storm Center: http://isc.sans.org/
• Honeynet Project: http://www.honeynet.org
• LAN of the Dead: http://www.irongeek.com/i.php?page=security/computerzombies
Conclusions/Questions
• How difficult is it to choose good thresholds for persistence/commonality?
• What if Botnets varied their call back times?
• System overhead?
• Whitelisting of services that have become blind drops?
• Audience questions?