About Botnets
A presentation about botnets: what they are, how they work, detection techniques and countermeasures.
Alain Bindele (matr. 695164)
Summary
Introduction & Definitions
Main characteristics
Botnet examples
Countermeasures
Part I: Introduction & Definitions
A botnet is a collection of Internet-connected programs communicating with other similar programs in order to perform tasks.
Malware taxonomy: Virus, Worm, Trojan, Botnet
(Let’s make some order)
Virus
A virus is a self-replicating program that infects a host, often appending itself to other executables. It needs a user action that runs (often unintentionally) the infected executable file before it can start inflicting any kind of damage on the system (from unwanted behaviours like opened windows or popups or the scrambling of the desktop icons to the complete freeze of the system).
Worm
A worm, just like a virus, is a damaging self-replicating program, but unlike viruses it spreads its copies by exploiting system vulnerabilities and therefore does not necessarily need human interaction.
Trojan
A trojan is just like the above malware, but it typically hides a so-called "backdoor": a server running in the background, waiting for a connection and giving the attacker some level of remote control over the infected machine.
Botnet
"Bot" is a term used to refer both to the program and to the machine running it (often referred to as a "zombie"). Notice that botnets have all the characteristics of the previous malware types (damage, self-spreading and remote control) but also the ability to organize many bots into a network.
“Never send a human to do a machine's job.”
– Agent Smith
Purposes
steal personal data
abuse the victim’s CPU
abuse the network bandwidth
click frauds
spamming
phishing
espionage, intelligence and cyber-war
Personal data stealing
Some botnets are designed to scan the computer's files and monitor user interaction (generally using keyloggers) and browser activity in order to steal passwords, email contacts, account details etc.
e.g. Zeus, Waledac, Skynet
CPU abusing
Some botnets use the victim's CPU to perform bitcoin mining or brute-force hash reversing and password attacks.
e.g. ZeroAccess, Skynet
Network bandwidth abusing
Many botnets use the victims' network bandwidth to perform dDoS attacks.
A Denial of Service (DoS) is an offensive action which prevents a single server or an entire network from supplying a service. When many coordinated hosts (like a botnet) are used to attack some service, host or network we talk about dDoS (distributed DoS).
e.g. Waledac, Skynet, Storm, Mariposa and many others..
Click frauds
By controlling or implementing browser functionality, a bot can automatically browse and click links, defrauding pay-per-click companies.
e.g. ZeroAccess, Chameleon
Spamming
Botnets are widely used for spamming purposes. A 2004 survey estimated that lost productivity costs Internet users in the United States $21.58 billion annually, while another reported the cost at $17 billion, up from $11 billion in 2003. [wikipedia]
e.g. Waledac, MegaD, Kraken, Lethic and many others..
Phishing frauds
Spam is also a medium for fraudsters to scam users into entering personal information on fake Web sites, using emails forged to look like they come from banks or other organizations such as PayPal. This is known as phishing. Targeted phishing, where known information about the recipient is used to create forged emails, is known as spear-phishing. [wikipedia]
Botnet Lifecycle
initial infection
secondary injection
bootstrap
malicious C&C
update and maintenance
Initial infection
This phase starts when the attacker scans a system looking for some vulnerability to exploit. Many software tools (e.g. Metasploit) and techniques (e.g. social engineering) can be used to conduct this preliminary attack phase, which ends when the malicious software (sometimes referred to as the payload or shellcode) is successfully injected into the target machine.
Secondary Injection
The second phase starts with the code execution, when the malware is loaded into the computer's memory and processed, i.e. when it actually runs on the target machine, turning it into a "zombie".
Bootstrap
In this phase the malware establishes a connection with the C&C and/or the rest of the network (depending on the network topology), which could include many other kinds of servers. At this point the bot becomes ready to serve the bot herder's commands, which are acquired in the next phase.
C&C instruction phase
In this phase the bot herder remotely instructs the bot to perform some task.
e.g. perform a dDoS attack against some target host, collect personal data etc.
Update & Maintenance
Many bots can update themselves automatically or programmatically. In the case of spamming botnets they could periodically update their mail templates.
Attack vectors
Any medium, hardware or software used to subvert the normal execution of a computer system
USB drives
Files
Buggy software
Open ports
…
dDoS attack
Volumetric Attacks
TCP State-Exhaustion Attacks
Application Layer Attacks
Volumetric Attacks
These attacks attempt to saturate the bandwidth of the targeted system (it could be a single host or an entire network service) and are achieved by generating an enormous amount of traffic in the network. Examples of volumetric attacks include ICMP, fragment and UDP floods.
TCP State-Exhaustion Attacks
These attempt to consume the connection state tables which are present in many infrastructure components such as load balancers, firewalls and the application servers themselves.
The SYN flood is one such technique and can render a misconfigured system unusable.
Application Layer Attacks
These target some aspect of an application or service at Layer 7. By generating a relatively high volume of requests (HTTP GET/POST floods etc.), servers can be swamped with complex tasks and job queues.
Botnet characteristics
Topology
Lookup Resilience
Blind proxy redirection
Polymorphism
Topology
Centralized:
Star topology
Multi-server
Decentralized:
P2P
Star topology
All bots are connected to a central server.
Hierarchical
Bots are connected to a backbone of intermediate servers that receive instructions from one or more C&C servers.
P2P
There is no single C&C; every computer in the network communicates with a set of neighbors.
Lookup resiliency
IP fast flux
Single Flux
Double Flux
Domain flux
Wildcarding
DGA
Fluxing
IP flux is the periodic change of the IP address associated with a particular fully qualified domain name (FQDN).
Domain flux is effectively the inverse of IP flux: instead of changing the IP address, we change the name associated with it.
High-frequency fluxing is called Fast-Flux.
IP Flux (two flavors)
Single-flux is the simplest form: we have multiple (hundreds or even thousands of) IP addresses associated with a domain name. These IP addresses are registered and de-registered rapidly on a particular DNS server using round-robin algorithms and very short Time-to-Live (TTL) values.
Double-flux is the evolution of single-flux which not only fluxes the IP addresses associated with the fully qualified domain name, but also fluxes the IP addresses of the DNS servers used to look up the IP addresses of the FQDN.
DNS Wildcarding
Domain wildcarding abuses DNS functionality to wildcard a higher-level domain so that all FQDNs beneath it point to the same IP address.
e.g. *.domain.com could match both mypc.foo.domain.com and myserver.domain.com
Domain Generation Algorithm
In Domain Generation Algorithms (DGA), a periodically changed list of FQDNs is created; these names are then polled by the bot agent looking for the C&C infrastructure. Since the domain names are generated dynamically and in volume, and typically have a short life of a single day, the turnover makes it very difficult to investigate or block every possible domain name.
Blind proxy redirection
With this technique some hosts of the botnet act as proxies, interrupting tracing attempts to discover and shut down the flux service network (DNS registrations, C&C etc.). Relay nodes basically act as intermediaries between the slave nodes and the master command-and-control servers, as well as for each other.
Blind Proxy Redirection
Pro*
Anonymity
Con*
Lower propagation speed
*from the bot herder's perspective; from a law enforcer's perspective it is exactly the opposite
Polymorphism
What is it?
Server side
Repacking
Polymorphism
Every time an antivirus is updated it downloads the digital signatures of known malware; by comparing the signatures of the executables on the machine with the ones stored in its database it can detect and remove the threatening software.
As a countermeasure, malware programmers repack and encrypt the binaries of their software before distributing them. Some bots also continuously download new code to execute, changing their signature and hence remaining hidden from antivirus software, which cannot know a priori all the possible signatures of an encrypted executable.
Part II: Case studies
Real botnet examples
Part III: Countermeasures
Stakeholders
Institutions
Law enforcers
Research
Corporations
Single Users
Attack points
C&C server: DNS denial, takedown of the C&C
Infected host: AV, firewalling
Botnet communications: sinkholing
Steps
Detection
Cleaning: defensive strategies, offensive strategies
Detectors classification
Signature based: file monitoring, connection monitoring
Anomaly based: self-learning, programmed
Compound
Signature based
There is a database of known threats. Files or connections are scanned for matching events.
Pro: zero false positives
Con: unable to detect unknown malware
Self-learning detection
The system first learns from an initial condition (usually safe) and, in a second phase, checks whether the system behaves according to that condition. If the observed system diverges from the "normal" condition, an alert is raised.
Pro: could detect zero-day attacks
Con: could give false positives
Programmed detection
Statistics, rules and thresholds are used to define some anomaly condition. If the system matches an anomaly condition, an alert is raised.
Pro: could detect zero-day attacks
Con: doesn't scale very well
Anomaly based detectors
“something that is abnormal is probably suspicious”
Self-learning systems learn by example what constitutes normal for the installation, typically by observing traffic for an extended period of time and building some model of the underlying process. [2]
(stochastic models, machine learning, hidden Markov models, neural networks, hybrid models)
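The two anomaly-detector flavours above, side by side as an added example (not part of the presentation): a programmed detector with one fixed threshold, and a self-learning detector that first models each host's normal from a clean training window and then alerts on divergence. The data are constructed hourly counts of outbound SMTP connections per host; the host names, thresholds and the assumption that such counters exist (e.g. from flow logs) are this example's, not the slides'.

```python
import statistics

# Constructed hourly counters of outbound SMTP (tcp/25) connections per host,
# as a flow collector might produce them. Sample data for this example only;
# the training window is assumed to be six hours of clean traffic.
TRAINING = {
    "mailgw": [380, 410, 395, 420, 400, 390],  # the site's legitimate mail relay
    "ws-17":  [2, 1, 3, 2, 0, 2],              # an ordinary workstation
    "ws-42":  [0, 1, 0, 2, 1, 0],
}
# Observation hour: ws-17 has started sending mail like a spam bot.
OBSERVED = {"mailgw": 405, "ws-17": 60, "ws-42": 1}


def programmed_detector(observed, threshold=100):
    """Programmed detection: one hand-tuned rule applied to every host.
    On this data it flags the mail relay (false positive) and misses ws-17."""
    return {host for host, count in observed.items() if count > threshold}


def learn_baseline(training):
    """Learning phase: model each host's 'normal' as the mean and standard
    deviation of its own training counts (valid only if that window was clean)."""
    return {host: (statistics.mean(xs), statistics.pstdev(xs))
            for host, xs in training.items()}


def self_learning_detector(observed, baseline, k=3.0, min_sigma=1.0):
    """Detection phase: alert when a host diverges from its learned normal by
    more than k standard deviations. min_sigma keeps an almost silent host from
    alerting on a single extra connection."""
    alerts = set()
    for host, count in observed.items():
        if host not in baseline:
            alerts.add(host)  # never seen while learning: no notion of normal
            continue
        mean, sigma = baseline[host]
        if count > mean + k * max(sigma, min_sigma):
            alerts.add(host)
    return alerts


if __name__ == "__main__":
    print("programmed   :", sorted(programmed_detector(OBSERVED)))
    print("self-learning:", sorted(self_learning_detector(OBSERVED, learn_baseline(TRAINING))))
```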
Other methods: Honeypot
A honeypot is a decoy system that attracts the attention of attackers, who attack it instead of the critical targets it is meant to protect. Honeypots are computer systems which do not have any production value. By this definition, a honeypot is a resource that expects no data, so any traffic to or from it is most likely suspicious activity and must be investigated [3]
Other methods: DNS based
DNS-based detection techniques rely on the particular DNS information generated by a botnet. They are similar to anomaly detection techniques, since similar anomaly detection algorithms are applied to DNS traffic. [4][6][9]
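An added example (not from the presentation or the cited papers) applying the DNS-based idea to the single-flux and DGA behaviours described earlier: two heuristics over constructed passive-DNS records flag a name whose short-TTL answers keep changing across several networks, and NXDOMAIN lookups for long, high-entropy labels. The thresholds, the use of a /16 prefix as a stand-in for the hosting network, and the sample names and addresses are assumptions of this example.

```python
import math
from collections import defaultdict

# Constructed passive-DNS style records: (queried name, rcode, ttl, answer IP).
# Sample data for this example only; addresses come from documentation ranges.
DNS_LOG = [
    ("update.shop-deals.example", "NOERROR", 120, "203.0.113.10"),
    ("update.shop-deals.example", "NOERROR", 120, "198.51.100.77"),
    ("update.shop-deals.example", "NOERROR",  90, "192.0.2.45"),
    ("update.shop-deals.example", "NOERROR",  60, "203.0.113.200"),
    ("update.shop-deals.example", "NOERROR",  60, "198.51.100.8"),
    ("static.cdn-vendor.example", "NOERROR",  60, "192.0.2.10"),  # legit CDN: low TTL
    ("static.cdn-vendor.example", "NOERROR",  60, "192.0.2.11"),  # but one network
    ("www.intranet.example",      "NOERROR", 3600, "192.0.2.5"),
    ("xk3qzp8vwl2m.example", "NXDOMAIN", 0, None),  # DGA-looking, not registered yet
    ("q9r2tvb7nz4c.example", "NXDOMAIN", 0, None),
    ("mail.example",         "NXDOMAIN", 0, None),  # an ordinary typo, not DGA
]

def fast_flux_candidates(log, max_ttl=300, min_ips=4, min_nets=3):
    """Single-flux heuristic: short TTLs, many different A records over time,
    spread over several /16 networks (a CDN usually answers from one network)."""
    ttls, ips = defaultdict(list), defaultdict(set)
    for name, rcode, ttl, ip in log:
        if rcode == "NOERROR" and ip:
            ttls[name].append(ttl)
            ips[name].add(ip)
    hits = set()
    for name, addrs in ips.items():
        nets = {".".join(ip.split(".")[:2]) for ip in addrs}
        if max(ttls[name]) <= max_ttl and len(addrs) >= min_ips and len(nets) >= min_nets:
            hits.add(name)
    return hits

def shannon_entropy(s):
    """Bits per character of a label; random-looking DGA labels score high."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def dga_candidates(log, min_len=10, min_entropy=3.0):
    """DGA heuristic: NXDOMAIN replies (the bot polls names nobody registered)
    for long, high-entropy leftmost labels."""
    hits = set()
    for name, rcode, _ttl, _ip in log:
        label = name.split(".")[0]
        if rcode == "NXDOMAIN" and len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            hits.add(name)
    return hits

if __name__ == "__main__":
    print("fast-flux candidates:", sorted(fast_flux_candidates(DNS_LOG)))
    print("DGA-like candidates: ", sorted(dga_candidates(DNS_LOG)))
```

Either heuristic alone produces false positives on real traffic (CDNs, typos), which is why the slides pair DNS-based detection with other anomaly features rather than using it in isolation.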
Countermeasures: a proposed taxonomy [3]
Signature based
Honey-Pot based
Anomaly based
DNS based
Mining based
Network based
Detectors taxonomy
Some detectors described in [2], grouped by features (March 2000)
Other detectors
Bot-hunter [7]
Cisco® Cyber Threat Defense Solution 1.0 [8]
Snort [10]
ETPro™ Ruleset (works with Snort) [11]
The Botnets [12]
RUBotted [13]
Offensive strategies
Mitigation: C&C takedown; block botnet traffic at ISP level (sinkholing, BGP blackholing …)
Manipulation: leverage the bot command layer; infiltration & poisoning
Exploitation: leverage bot leaks
Mitigation
Strategies for mitigation are offensive, technical means that slow botnets down, by consuming resources for instance. Examples can be temporary DoS attempts against C&C servers, trapping and holding connections from infected machines, or blocking of malicious domains. [5]
Manipulation
Possible manipulation can be the alteration or removal of DDoS or spam commands, as well as of commands to download and execute programs, which allows a remote cleanup of infected machines. Less invasive options include dropping collected personal data, like credit card or banking details, replacing them with fake information, or issuing commands to make bots stop the collection [5].
Exploitation
Exploitation is a special strategy that makes use of bugs found in bots. Like bugs in other products, these can be used to perform actions on the infected machines. Even though this category is the most powerful, it is also the one with the highest risk involved, because exploits can easily crash and damage systems if not designed carefully [5].
Questions?
The end…(?)
Bibliography
[1] http://en.wikipedia.org/wiki/Botnet
[2] Axelsson, Stefan. Intrusion detection systems: A survey and taxonomy. Vol. 99. Technical report, 2000.
[3] Raghava, N. S., Divya Sahgal, and Seema Chandna. "Classification of Botnet Detection Based on Botnet Architechture." Communication Systems and Network Technologies (CSNT), 2012 International Conference on. IEEE, 2012
[4] Feily, Maryam, Alireza Shahrestani, and Sureswaran Ramadass. "A survey of botnet and botnet detection." Emerging Security Information, Systems and Technologies, 2009. SECURWARE'09. Third International Conference on. IEEE, 2009.
[5] Leder, Felix, Tillmann Werner, and Peter Martini. "Proactive botnet countermeasures–an offensive approach." The Virtual Battlefield: Perspectives on Cyber Warfare 3 (2009):
[6] Hu, Xin, Matthew Knysz, and Kang G. Shin. "RB-Seeker: Auto-detection of Redirection Botnets." NDSS. 2009.
[7] http://www.bothunter.net/
[8] http://www.cisco.com/c/en/us/solutions/enterprise-networks/threat-defense/index.html
[9] Schiller, Craig, and James R. Binkley. Botnets: The killer web applications. Syngress, 2011.
[10] http://www.snort.org/
[11] http://www.emergingthreats.net/
[12] https://code.google.com/p/botnets/
[13] http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1777&lang_loc=1