Botnets

Upload: deborah-york

Post on 11-Jan-2016


Page 1: Collection of connected programs communicating with similar programs to perform tasks  Legal  IRC bots to moderate/administer channels  Origin of

Botnets

Page 2:

Botnets

• Collection of connected programs communicating with similar programs to perform tasks
• Legal
  ▪ IRC bots to moderate/administer channels
  ▪ Origin of term botnet
• Illegal
  ▪ Bots usually added through infections
  ▪ Communicate through standard network protocols

Page 3:

Botnet

• Named after malware that created the botnet
• Multiple botnets can be created by same malware
  ▪ Controlled by different entities
• “Bot master” can control entire group of computers remotely through Command and Control (C&C) system

Page 4:

Botnet Uses

Botnets used for various purposes
• Distributed Denial of Service attacks (DDoS)
• SMTP mail relays for spam
• Click fraud
  ▪ Simulating false clicks on advertisements to earn money
• Theft of information
  ▪ Application serial numbers
  ▪ Login information
  ▪ Financial information
  ▪ Personal information
• Bitcoin mining

Page 5:

Botnet Connection Models

Three main connection models
• Centralized
• P2P-based
• Unstructured

Page 6:

Centralized

• Central point (server) that forwards messages to bots
• Advantages
  ▪ Simple to implement
  ▪ Customizable
• Disadvantages
  ▪ Easier to detect and destroy
• Most botnets use this model

Page 7:

P2P-based

• Mainly used to avoid problems with centralized model
• Does not use server as central location
  ▪ Instead the bots are connected to each other
• Advantages
  ▪ Very hard to destroy
  ▪ Commands can be injected at any point
  ▪ Hard for researchers to find all bots
• Disadvantages
  ▪ Harder to implement and design

Page 8:

Unstructured

• Bots will not actively contact other bots or botmaster
  ▪ Only listen for incoming connections
• Botmaster randomly scans internet for bots
  ▪ When bot is found, botmaster sends encrypted commands

Page 9:

Communication

• Botnets use well-defined communication protocols
  ▪ Helps blend in with traffic
• Protocol examples
  ▪ IRC
    ▪ Most common
    ▪ Used for one-to-many or one-on-one
  ▪ HTTP
    ▪ Difficult to detect
    ▪ Allowed through most security devices by default
  ▪ P2P
    ▪ More advanced communication
    ▪ Not always allowed on network

Page 10:

Detection Methods

Two main detection methods
• Signature-based
  ▪ Relies on knowing connection methods
  ▪ Cannot detect new threats
• Anomaly-based
  ▪ Relies on anomalies from baseline traffic
  ▪ High false-positive rates
  ▪ Not useful in cases where baseline traffic cannot be established

Page 11:

Methods to Avoid Detection

• Malware writers constantly looking for new ways to avoid detection
• Recent botnets employ new methods to avoid detection
  ▪ Fast flux
  ▪ Domain flux

Page 12:

Fast Flux

• Use a set of IP addresses that all correspond to one domain name
• Use short TTL (Time To Live) and large IP pools
• Can be grouped in two categories
  ▪ Single flux
  ▪ Double flux

Page 13:

Single Flux

• Domain resolves to different IP in different time ranges
• User accesses same domain twice
  ▪ First time DNS query returns 11.11.11.11
  ▪ TTL expires on DNS query
  ▪ User performs another DNS query for domain
  ▪ DNS server returns 22.22.22.22

Page 14:

Double Flux

• More sophisticated counter-detection
• Repeated changes of both flux agents and registration in DNS servers
  ▪ Authoritative DNS server part of fluxing
• Provides extra redundancy
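The single-flux walk-through above (first answer 11.11.11.11, TTL expiry, second answer 22.22.22.22) and the double-flux variant can both be scored from passive DNS answers. The following is an added example written for this page, not code from the slide deck: it summarises answer records per domain and labels a name as single flux when its A records rotate under a short TTL, and as double flux when its NS records rotate as well. The record layout, the sample answers and the thresholds are all assumptions made for illustration.

```python
"""Fast-flux heuristics over DNS answer records.

Added example (not code from the slide deck). Input is assumed to be one dict per
DNS answer with keys: domain, rtype ("A" or "NS"), value, ttl. The thresholds
below are assumptions for illustration, not values the deck gives.
"""
from collections import defaultdict

SHORT_TTL = 300        # seconds; assumed cutoff for a "short" TTL on A records
MIN_DISTINCT_A = 3     # assumed: at least this many IPs seen for one name
MIN_DISTINCT_NS = 2    # assumed: NS set rotating as well points at double flux


def summarize(records):
    """Per domain: distinct A values, distinct NS values, smallest A-record TTL seen."""
    stats = defaultdict(lambda: {"a": set(), "ns": set(), "min_a_ttl": None})
    for r in records:
        s = stats[r["domain"].lower().rstrip(".")]
        if r["rtype"] == "A":
            s["a"].add(r["value"])
            if s["min_a_ttl"] is None or r["ttl"] < s["min_a_ttl"]:
                s["min_a_ttl"] = r["ttl"]
        elif r["rtype"] == "NS":
            s["ns"].add(r["value"].lower().rstrip("."))
    return stats


def classify(s):
    """Label one domain's summary as benign, single-flux or double-flux."""
    short_ttl = s["min_a_ttl"] is not None and s["min_a_ttl"] <= SHORT_TTL
    many_a = len(s["a"]) >= MIN_DISTINCT_A
    many_ns = len(s["ns"]) >= MIN_DISTINCT_NS
    if short_ttl and many_a and many_ns:
        return "double-flux"
    if short_ttl and many_a:
        return "single-flux"
    return "benign"


def find_flux(records):
    """Map every domain in the records to its label."""
    return {domain: classify(s) for domain, s in summarize(records).items()}


def _a(domain, ip, ttl):
    return {"domain": domain, "rtype": "A", "value": ip, "ttl": ttl}


def _ns(domain, name, ttl):
    return {"domain": domain, "rtype": "NS", "value": name, "ttl": ttl}


# Constructed sample answers: the deck's 11.11.11.11 / 22.22.22.22 walk-through
# extended by one more query after another TTL expiry.
SAMPLE = [
    _a("flux.example", "11.11.11.11", 60),
    _a("flux.example", "22.22.22.22", 60),
    _a("flux.example", "33.33.33.33", 60),
    _ns("flux.example", "ns1.flux.example", 86400),
    # double flux: the authoritative name servers rotate too
    _a("dflux.example", "44.44.44.44", 60),
    _a("dflux.example", "55.55.55.55", 60),
    _a("dflux.example", "66.66.66.66", 60),
    _ns("dflux.example", "ns-a.dflux.example", 120),
    _ns("dflux.example", "ns-b.dflux.example", 120),
    # ordinary site: one stable address with a long TTL
    _a("static.example", "77.77.77.77", 3600),
    _ns("static.example", "ns1.static.example", 86400),
    # a legitimate load-balanced service also rotates short-TTL addresses
    _a("cdn.example", "88.88.88.1", 30),
    _a("cdn.example", "88.88.88.2", 30),
    _a("cdn.example", "88.88.88.3", 30),
]

if __name__ == "__main__":
    for domain, label in sorted(find_flux(SAMPLE).items()):
        print(f"{domain:16} {label}")
```

Note that `cdn.example` is labelled single-flux although it is a normal load-balanced service: short TTLs and rotating addresses alone cannot separate a fluxing service network from a fluxing attack network, which is exactly the gap the AOR/MAR metrics on the following slides are meant to close.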

Page 15:

Detecting Botnets using Fast Flux

• Critical step in detecting fast flux network is to distinguish fast fluxing attack network (FFAN) and fast fluxing service network (FFSN)
  ▪ All agents in FFSN should be up 24/7
  ▪ Agents within FFAN have unpredictable alive time
    ▪ Botmaster does not have physical control over bots
• Two metrics developed to distinguish these
  ▪ Average Online Rate (AOR)
  ▪ Minimum Available Rate (MAR)

Page 16:

Flux Agent Monitoring System

• Uses AOR and MAR to track FFANs and FFSNs
• Broken up into four components
  ▪ Dig tool
    ▪ Gathers information and adds new IP addresses to database
  ▪ Agents monitor
    ▪ Sends HTTP requests, records response
  ▪ IP lifespan records database
    ▪ Stores service status
  ▪ Detector
    ▪ Judges between FFAN and FFSN by using AOR and MAR
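The two slides above name the AOR and MAR metrics and the four components of the monitoring system without defining the metrics. The following added example, written for this page and not the deck's or any published system's code, mirrors those four roles in one small class and assumes definitions for the metrics: an agent's online rate is the share of its probes that were answered, AOR is the mean of those rates over all agents, and MAR is the lowest one. Probe outcomes are constructed rather than obtained from real HTTP requests, and the FFSN thresholds are illustrative.

```python
"""AOR/MAR detector in the style of the deck's flux agent monitoring system.

Added example, not the deck's or any published system's code. The deck names the
two metrics but does not define them, so the definitions here are assumptions:
  online rate of an agent  = answered probes / total probes for that IP
  AOR (Average Online Rate)    = mean of the agents' online rates
  MAR (Minimum Available Rate) = the lowest agent's online rate
Probe outcomes are constructed below instead of sending real HTTP requests, and
the FFSN thresholds are illustrative.
"""


class FluxMonitor:
    def __init__(self):
        # "IP lifespan records database": ip -> list of probe outcomes (True = answered)
        self.records = {}

    def add_ips(self, ips):
        """Dig-tool role: register flux-agent addresses learned from DNS."""
        for ip in ips:
            self.records.setdefault(ip, [])

    def record_probe(self, ip, answered):
        """Agents-monitor role: store the outcome of one HTTP probe to an agent."""
        self.records.setdefault(ip, []).append(bool(answered))

    def online_rate(self, ip):
        probes = self.records.get(ip, [])
        return sum(probes) / len(probes) if probes else 0.0

    def aor(self):
        rates = [self.online_rate(ip) for ip in self.records]
        return sum(rates) / len(rates) if rates else 0.0

    def mar(self):
        return min((self.online_rate(ip) for ip in self.records), default=0.0)

    def judge(self, aor_threshold=0.95, mar_threshold=0.90):
        """Detector role: every FFSN agent stays up around the clock, so both
        rates are high; compromised FFAN hosts come and go, dragging MAR down."""
        if self.aor() >= aor_threshold and self.mar() >= mar_threshold:
            return "FFSN"
        return "FFAN"


def build_monitor(probe_table):
    """Load a {ip: [outcome, ...]} table into a monitor."""
    m = FluxMonitor()
    m.add_ips(probe_table)
    for ip, outcomes in probe_table.items():
        for answered in outcomes:
            m.record_probe(ip, answered)
    return m


# Constructed: 24 hourly probes per agent (RFC 5737 documentation addresses).
SERVICE_NET = {
    "198.51.100.10": [True] * 24,
    "198.51.100.11": [True] * 24,
    "198.51.100.12": [True] * 24,
}
ATTACK_NET = {
    "203.0.113.5": [True] * 18 + [False] * 6,   # home PC switched off at night
    "203.0.113.6": [True] * 12 + [False] * 12,  # intermittently online
    "203.0.113.7": [True] * 6 + [False] * 18,   # cleaned up or mostly offline
}

if __name__ == "__main__":
    for label, table in (("service", SERVICE_NET), ("attack", ATTACK_NET)):
        m = build_monitor(table)
        print(f"{label}: AOR={m.aor():.2f} MAR={m.mar():.2f} -> {m.judge()}")
```

MAR is the more telling of the two: a single agent that is offline for part of the day pulls it down even when the network's average availability still looks respectable, which matches the slide's point that a botmaster has no physical control over the hosts it fluxes through.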

Page 17:

Domain Flux

• To avoid single point of failure, domain flux was created
• Uses a set of domain names that are constantly, and automatically, generated
  ▪ Occasionally correspond to IP address
• Bots and server both run domain name generation algorithm
• Bots try to contact C&C server by using generated domain names
  ▪ If no answer is received at one, it moves on

Page 18:

Domain Flux in Torpig

• Torpig was a botnet that used domain flux
  ▪ Eventually taken over by researchers
• First calculated domain names by current week and current year
  ▪ “weekyear.com” or “weekyear.net”
• If those fail, it moves on to calculating the daily domain
• If all other methods fail, a Torpig bot will try to connect to a hard-coded domain within its configuration files

Page 19:

Detecting Botnets using Domain Flux

• Reverse-engineering domain generation algorithm not always possible
• Only a few domains will resolve to IP addresses
• One detection method is to watch DNS query failures
  ▪ Small percentage will be user error/poor configuration
  ▪ Larger part of errors will be from malicious activity
• With enough data one should be able to find patterns in DNS query errors
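The slide suggests watching DNS query failures for patterns. The following is an added example for this page, not the deck's own method or code: it parses a constructed resolver log, counts NXDOMAIN answers per client, and flags a client only when its failures are numerous, spread over many distinct names and a large share of its traffic, so that a user's single typo is not reported. The log format, the sample lines and the thresholds are assumptions made for illustration.

```python
"""Domain-flux hunting via NXDOMAIN patterns in resolver logs.

Added example, not the deck's own method or code. The log format is constructed
for this example (one query per line):
    <timestamp> <client-ip> <qname> <qtype> <rcode>
Thresholds are assumptions for illustration.
"""
from collections import Counter, defaultdict

MIN_FAILURES = 10          # assumed: NXDOMAIN answers a client needs to be flagged
MIN_DISTINCT_FAILED = 8    # assumed: across at least this many distinct names
MIN_FAIL_RATIO = 0.5       # assumed: and at least this share of its queries failing


def parse_line(line):
    ts, client, qname, qtype, rcode = line.split()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
            "qtype": qtype, "rcode": rcode}


def per_client_stats(lines):
    """Count total queries, NXDOMAIN answers and distinct failed names per client."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "failed": set()})
    for line in lines:
        if not line.strip():
            continue
        q = parse_line(line)
        s = stats[q["client"]]
        s["total"] += 1
        if q["rcode"] == "NXDOMAIN":
            s["nx"] += 1
            s["failed"].add(q["qname"])
    return stats


def dominant_tld(failed_names):
    """Most common TLD among failed names and its share; generated names tend to reuse a few TLDs."""
    if not failed_names:
        return None, 0.0
    tlds = Counter(name.rsplit(".", 1)[-1] for name in failed_names)
    tld, count = tlds.most_common(1)[0]
    return tld, count / len(failed_names)


def suspicious_clients(lines):
    """Clients whose failure volume, diversity and ratio all exceed the thresholds."""
    flagged = []
    for client, s in per_client_stats(lines).items():
        ratio = s["nx"] / s["total"]
        if (s["nx"] >= MIN_FAILURES
                and len(s["failed"]) >= MIN_DISTINCT_FAILED
                and ratio >= MIN_FAIL_RATIO):
            flagged.append(client)
    return sorted(flagged)


# Constructed log: 10.0.0.5 is an ordinary user with one typo; 10.0.0.9 walks a
# list of generated names looking for one that resolves.
GENERATED = ["kq7vd2xa", "m3plw9zt", "r8hsc4nb", "v2jtk6ye", "b5nzq1wd",
             "x9cgr7lm", "h4wfe8pq", "t6ymv3kr", "p1dxs5jn", "z7lbn2tg",
             "c3rkq8vm", "w5tjh1xs", "n8gzy4pd", "f2mxw6cr", "l9qvb3hk"]

SAMPLE_LINES = (
    [f"2016-01-11T10:00:{i:02d} 10.0.0.5 www{i}.example A NOERROR" for i in range(19)]
    + ["2016-01-11T10:00:19 10.0.0.5 gogle.example A NXDOMAIN"]
    + [f"2016-01-11T10:01:{i:02d} 10.0.0.9 mail.example A NOERROR" for i in range(3)]
    + [f"2016-01-11T10:02:{i:02d} 10.0.0.9 {name}.net A NXDOMAIN"
       for i, name in enumerate(GENERATED)]
)

if __name__ == "__main__":
    stats = per_client_stats(SAMPLE_LINES)
    for client in suspicious_clients(SAMPLE_LINES):
        tld, share = dominant_tld(stats[client]["failed"])
        print(f"{client}: {stats[client]['nx']}/{stats[client]['total']} failed, "
              f"{share:.0%} of failures under .{tld}")
```

Requiring all three conditions at once is what keeps the slide's "small percentage" of user error out of the alert: a typo is one failure on one name, while a bot walking its generated list fails repeatedly on many names in a short window. The TLD share is one of the patterns the slide says should emerge with enough data, since a generation algorithm usually draws from a fixed, small set of TLDs.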

Page 20:

Mitigation Techniques

• Fast flux networks mitigated by blacklisting domain name associated with flux
  ▪ Contact registrar
  ▪ ISP blocks requests in DNS
  ▪ ISP monitors DNS queries to domain
• Domain flux is harder to mitigate
  ▪ In order to register domain names before attackers, one must know the algorithm used
  ▪ Automated techniques to block DNS queries not always accurate
  ▪ Registrars used by attackers usually do not listen to abuse reports

Page 21:

Why should we care?

• BredoLab
  ▪ Created May 2009
  ▪ 30,000,000 bots
• Mariposa
  ▪ Created 2008
  ▪ 12,000,000 bots
• Zeus
  ▪ Banking credentials for all major banks
  ▪ 3,600,000 bots in US alone
  ▪ Customizable

Page 22:

Questions?