A Multifaceted Approach to Understanding the Botnet Phenomenon
Authors :
Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis
Computer Science Department
Johns Hopkins University
Presented at :
Internet Measurement Conference, IMC'06, Brazil, October 2006
Presented By :
Ramanarayanan Ramani
Outline
- Working of botnets
- Measuring botnets
- Inference from measurement
- Strengths
- Weaknesses
- Suggestions
Botnets
A botnet is a network of infected end-hosts (bots) under the command of a botmaster.
Three different protocols used:
- IRC
- HTTP
- P2P
Botnets (contd.)
Three steps of authentication:
- Bot to IRC server
- IRC server to bot
- Botmaster to bot
(*) : Optional step
Measuring Botnets
Three distinct phases:
- Malware collection: collect as many bot binaries as possible
- Binary analysis via gray-box testing: extract the features of suspicious binaries
- Longitudinal tracking: track how bots spread and their reach
Measuring Botnets
Darknet : Denotes an allocated but unused portion of the IP address space.
Malware Collection
Nepenthes is a low-interaction honeypot. Nepenthes mimics the replies generated by vulnerable services in order to collect the first-stage exploit.
Modules in Nepenthes:
- Resolve DNS asynchronously
- Emulate vulnerabilities
- Download files – done here by the Download Station
- Submit the downloaded files
- Trigger events
- Shellcode handler
Malware Collection
- Honeynets are also used along with Nepenthes
- Catch exploits missed by Nepenthes
- Unpatched Windows XP is run as the base copy
- The infected honeypot is compared with the base copy to identify the botnet binary
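The base-copy comparison on this slide is essentially a file-system diff: hash every file of the clean image, hash the same tree after the honeypot is infected, and whatever was added or changed is the candidate bot binary. The following is an added example (not the paper's tooling) that performs that comparison; the two file trees are constructed in memory so it runs offline, and `snapshot_dir` shows the same logic over a real mounted image.

```python
"""Compare a clean honeypot file snapshot against an infected one to locate the
dropped bot binary. Added example, not the paper's tooling; both trees below
are constructed in memory."""
import hashlib
import os


def hash_bytes(data: bytes) -> str:
    """SHA-256 hex digest of file content."""
    return hashlib.sha256(data).hexdigest()


def snapshot_from_files(files: dict) -> dict:
    """Build a {path: sha256} snapshot from an in-memory {path: bytes} tree."""
    return {path: hash_bytes(content) for path, content in files.items()}


def snapshot_dir(root: str) -> dict:
    """Build the same kind of snapshot by walking a real directory tree, e.g. a
    mounted honeypot disk image. Not exercised by the constructed sample."""
    snap = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                snap[os.path.relpath(full, root)] = hash_bytes(fh.read())
    return snap


def diff_snapshots(base: dict, infected: dict) -> dict:
    """Classify every path as added, modified or removed relative to the base copy."""
    added = sorted(p for p in infected if p not in base)
    removed = sorted(p for p in base if p not in infected)
    modified = sorted(p for p in base if p in infected and base[p] != infected[p])
    return {"added": added, "modified": modified, "removed": removed}


def candidate_binaries(diff: dict, exts=(".exe", ".dll", ".sys", ".scr", ".pif")) -> list:
    """Narrow the diff to new or changed executables, the usual form of a dropped bot."""
    return [p for p in diff["added"] + diff["modified"] if p.lower().endswith(exts)]


# Constructed sample: a tiny Windows-like tree before and after infection.
BASE_FILES = {
    "WINDOWS/system32/kernel32.dll": b"clean kernel32",
    "WINDOWS/system32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
    "WINDOWS/win.ini": b"[fonts]\n",
}
INFECTED_FILES = dict(BASE_FILES)
# The dropped binary (constructed name) and a hosts-file edit typical of bots.
INFECTED_FILES["WINDOWS/system32/msupdater.exe"] = b"MZ constructed bot body"
INFECTED_FILES["WINDOWS/system32/drivers/etc/hosts"] = (
    b"127.0.0.1 localhost\n127.0.0.1 av-vendor.test\n"
)


def analyze_sample() -> dict:
    """Run the comparison over the constructed trees and return the findings."""
    base = snapshot_from_files(BASE_FILES)
    infected = snapshot_from_files(INFECTED_FILES)
    diff = diff_snapshots(base, infected)
    diff["candidates"] = candidate_binaries(diff)
    return diff


if __name__ == "__main__":
    for key, paths in analyze_sample().items():
        print(f"{key}: {paths}")
```

Hashing the whole tree rather than relying on timestamps matters because bots routinely reset file times; the modified `hosts` file in the sample is also worth keeping in the report, since such edits are part of the binary's behavioural fingerprint even though they are not the binary itself.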
Gateway
- Routing to different components
- Firewall: prevent outbound attacks and self-infection by honeypots
- Detect and analyze outgoing traffic for infections in a honeypot
- Only one infection per honeypot
- Several other functions
Binary Analysis
Two logically distinct phases:
- Derive a network fingerprint of the binary
- Derive IRC-specific features of the binary
  - The IRC server learns the botnet "dialect" (the template)
  - Learn how to correctly mimic the bot's behavior by subjecting the bot to a barrage of commands
IRC Tracker
- Use the template to mimic a bot
- Connect to the real IRC server
- Communicate with the botmaster using the bot "dialect"
- Drones are modified and used as IRC clients by the tracker to cover a lot of IP addresses
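The "template" that the binary-analysis slide derives and the IRC tracker slide consumes is the set of IRC-level details a bot exposes when it is run against an instrumented server: server password, nick pattern, channel and key, topic, and the command dialect the botmaster uses, including the botmaster-to-bot authentication step from the earlier slide. The following is an added example (not the paper's code) that parses a constructed client/server IRC capture and extracts such a template; server names, nicks, passwords and commands are all made up for the example.

```python
"""Extract an IRC bot 'template' from a captured session. Added example, not
the paper's tooling; the capture below is constructed."""
import re

# Constructed capture: ("C", line) is bot -> server, ("S", line) is server -> bot.
SAMPLE_SESSION = [
    ("C", "PASS s3rv3rpass"),
    ("C", "NICK [USA|XP]83741"),
    ("C", "USER hb3x 0 0 :hb3x"),
    ("S", ":irc.cc-example.test 001 [USA|XP]83741 :Welcome"),
    ("C", "JOIN #bot-chan ch4nkey"),
    ("S", ":irc.cc-example.test 332 [USA|XP]83741 #bot-chan :.scan 100 5 0"),
    ("S", ":master!m@cc-example.test PRIVMSG #bot-chan :.login m4st3rpw"),
    ("S", ":master!m@cc-example.test PRIVMSG #bot-chan :.update http://cc-example.test/u.exe"),
]


def parse_irc(line: str):
    """Split one IRC message into (prefix, COMMAND, params) per RFC 1459 framing:
    optional ':prefix', a command, space-separated params, optional ':trailing'."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    command, params = parts[0].upper(), parts[1:]
    if trailing is not None:
        params.append(trailing)
    return prefix, command, params


def generalize_nick(nick: str) -> str:
    """Turn an observed nick into a regex: literal text kept, digit runs -> \\d+."""
    return re.sub(r"\d+", r"\\d+", re.escape(nick))


def derive_template(session) -> dict:
    """Walk the capture and record the fields a tracker needs to recognise this dialect."""
    t = {"server_password": None, "nick_pattern": None, "user": None,
         "channel": None, "channel_key": None, "topic": None,
         "botmaster_auth": None, "commands": []}
    for direction, raw in session:
        _prefix, cmd, params = parse_irc(raw)
        if direction == "C":
            if cmd == "PASS" and params:            # step 1: bot -> IRC server
                t["server_password"] = params[0]
            elif cmd == "NICK" and params:
                t["nick_pattern"] = generalize_nick(params[0])
            elif cmd == "USER" and params:
                t["user"] = params[0]
            elif cmd == "JOIN" and params:
                t["channel"] = params[0]
                t["channel_key"] = params[1] if len(params) > 1 else None
        else:
            if cmd == "332" and len(params) >= 3:   # RPL_TOPIC: standing orders
                t["topic"] = params[-1]
            elif cmd == "PRIVMSG" and len(params) >= 2 and params[-1][:1] in ".!":
                text = params[-1]
                verb = text.split()[0]
                if verb.lstrip(".!") in ("login", "auth"):  # step 3: botmaster -> bot
                    t["botmaster_auth"] = verb
                t["commands"].append(text)
    return t


def nick_matches(template: dict, nick: str) -> bool:
    """Check whether another observed nick fits the learned pattern."""
    return re.fullmatch(template["nick_pattern"], nick) is not None


if __name__ == "__main__":
    for key, value in derive_template(SAMPLE_SESSION).items():
        print(f"{key}: {value}")
```

The nick generalisation is what lets the tracker's drones blend in and also what lets a defender match other infected hosts by nick shape in their own IRC logs; the extracted commands feed the "barrage of commands" phase, where each verb is replayed against the sandboxed bot to learn its response.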
DNS Tracker
- Bots issue DNS queries to resolve the IP addresses of their IRC servers
- The tracker uses these DNS requests
- Has 800,000 entries after reduction
- Maintains hits to a server
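The DNS tracker works because every bot must resolve its C&C server name before connecting, so a resolver log filtered against the server names learned during binary analysis gives both a hit count per server and a footprint (distinct querying clients). The following is an added example (not the paper's tracker) that does this over constructed resolver log lines; the log format, client addresses and watchlist names are all assumptions.

```python
"""Count resolver queries for known C&C names to estimate a botnet's footprint.
Added example, not the paper's tracker; log format and names are constructed."""
from collections import defaultdict
import re

# Constructed resolver log: timestamp, client IP, query type, queried name.
SAMPLE_LOG = """\
2006-03-01T10:00:01 192.0.2.10 A irc.cc-example.test
2006-03-01T10:00:05 192.0.2.11 A www.example.com
2006-03-01T10:00:07 192.0.2.10 A irc.cc-example.test
2006-03-01T10:01:00 198.51.100.7 A IRC.CC-EXAMPLE.TEST.
2006-03-01T10:02:13 198.51.100.9 A cc2.example.net
2006-03-01T10:02:20 192.0.2.10 AAAA irc.cc-example.test
this line is garbage and must be skipped
2006-03-01T10:03:00 203.0.113.4 A cc2.example.net
"""

# Watchlist of C&C names obtained from binary analysis (constructed).
WATCHLIST = {"irc.cc-example.test", "cc2.example.net"}

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(A|AAAA)\s+(\S+)$")


def normalize_name(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def parse_line(line: str):
    """Return a record dict, or None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, name = m.groups()
    return {"ts": ts, "client": client, "qtype": qtype, "name": normalize_name(name)}


def track(log_text: str, watchlist: set):
    """Per watched name: total hits and footprint (distinct clients); also the
    number of unparseable lines so silent data loss is visible."""
    hits = defaultdict(int)
    clients = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["name"] in watchlist:
            hits[rec["name"]] += 1
            clients[rec["name"]].add(rec["client"])
    report = {n: {"hits": hits[n], "footprint": len(clients[n])} for n in hits}
    return report, skipped


if __name__ == "__main__":
    report, skipped = track(SAMPLE_LOG, WATCHLIST)
    for name, stats in sorted(report.items()):
        print(f"{name}: {stats['hits']} hits from {stats['footprint']} clients")
    print(f"skipped {skipped} unparseable line(s)")
```

Two caveats a practitioner should keep in mind when reading such counts: resolver caching hides repeat lookups from the same client, so hits undercount reconnects, while NAT and shared forwarders make one client address stand for many hosts, so the footprint is only a lower bound on infected machines.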
Botnet Traffic Share
DNS Tracker Results
Bot Scan Method
Two types:
- Immediately start scanning the IP space looking for new victims after infection: 34 / 192
- Scan when issued a command by the botmaster
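Both scan types look the same on the wire from the gateway's point of view: one honeypot suddenly opening connections to many distinct destinations on one port, which is exactly the outgoing traffic the gateway slide says must be detected and blocked to prevent outbound attacks. The following is an added example (not the paper's gateway code) of a sliding-window scan detector over constructed flow records; the addresses, window and threshold are assumptions.

```python
"""Flag a honeypot that starts scanning, by counting distinct destinations per
(source, port) inside a sliding time window. Added example; flows are constructed."""
from collections import defaultdict, deque


def detect_scanners(flows, window: float = 60.0, threshold: int = 20) -> dict:
    """flows: iterable of (t_seconds, src, dst, dport). Returns {(src, dport): t}
    with the time at which each scanning source first crossed the threshold."""
    recent = defaultdict(deque)   # (src, dport) -> deque of (t, dst) in window
    alerts = {}
    for t, src, dst, dport in sorted(flows, key=lambda f: f[0]):
        key = (src, dport)
        q = recent[key]
        q.append((t, dst))
        while q and t - q[0][0] > window:   # drop flows older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold and key not in alerts:
            alerts[key] = t
    return alerts


def build_sample_flows() -> list:
    """Constructed traffic seen at the gateway."""
    flows = []
    # Honeypot 10.0.0.5 sweeps 10.1.0.1-25 on port 445, one host per second.
    for i in range(1, 26):
        flows.append((float(i - 1), "10.0.0.5", f"10.1.0.{i}", 445))
    # Honeypot 10.0.0.6 only talks to one resolver: many flows, one destination.
    for i in range(30):
        flows.append((float(i), "10.0.0.6", "10.9.9.9", 53))
    # Honeypot 10.0.0.7 touches ten hosts on 445 but spread 100 s apart.
    for i in range(1, 11):
        flows.append((100.0 * i, "10.0.0.7", f"10.1.0.{i}", 445))
    return flows


def quarantine_list(alerts: dict) -> list:
    """Sources the gateway firewall should cut off (one infection per honeypot)."""
    return sorted({src for src, _port in alerts})


if __name__ == "__main__":
    found = detect_scanners(build_sample_flows())
    for (src, port), t in found.items():
        print(f"{src} scanning port {port}, first flagged at t={t:.0f}s")
    print("quarantine:", quarantine_list(found))
```

Distinct destinations, not connection count, is the right measure: the resolver-heavy honeypot generates more flows than the scanner yet never trips the detector. Recording the first-alert time alongside the infection time is also what lets an analyst tell the two scan types apart, since an "immediate" scanner is flagged within seconds of infection while a commanded one stays quiet until the botmaster speaks.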
Botnet Growth - DNS
Botnet Growth – IRC Tracker
Botnet Online Population
Botnet Software Taxonomy
- Services launched in victim machine
- OS of exploited host
Botmaster Analysis
Strengths
- All aspects of a botnet analyzed
- No prior analysis of bots
- Ability to model various types of bots
Weaknesses
- Only Microsoft Windows systems analyzed
- Focus on IRC-based bots, as they are predominant
Suggestions
- Use the analysis to model new bots
- Use the analysis to model protection methods
Questions