A MULTIFACETED APPROACH TO UNDERSTANDING THE BOTNET PHENOMENON (2006)
Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis
Computer Science Department, Johns Hopkins University
Jonathan Brant, CAP 6135 – Spring 2010
Overview
Introduction
Background
Measurement Methodology
  Malware Collection
  Graybox Testing
  Longitudinal Tracking of Botnets
Gateway also performs miscellaneous tasks:
  Triggering honeypot re-imaging
  Loading clean Windows images
  Pre-filtering for the download station
  Running a local DNS server to resolve DNS queries from honeypots
Measurement | Graybox Testing
Graybox testing is used to extract features of suspicious binaries
Analysis spans two distinct phases (performed on an isolated network segment):
  First phase derives the network fingerprint of the binary
  Second phase extracts the binary's IRC-specific features
Measurement | Graybox Testing
Phase 1: Creation of a network fingerprint
Server acts as a network sink: all network activity initiated by the malware will be detected
Traffic logs are automatically processed to extract the network fingerprint:
  DNS – targets of DNS requests
  IPs – destination IP addresses
  Ports – contacted ports and protocols
  Scan – whether or not default scanning behavior was detected
Default scanning behavior – any attempt to contact more than 20 distinct destinations on the same port during the monitored period
$f_{net} = \langle \mathit{DNS}, \mathit{IPs}, \mathit{Ports}, \mathit{scan} \rangle$
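The phase-1 processing described above, written out as an added example (not the paper's own code): flow records captured at the sink are reduced to the four fingerprint components, and the "more than 20 distinct destinations on one port" rule decides the scan flag. The record format and the sample records are constructed for illustration.

```python
"""Derive the graybox network fingerprint f_net = (DNS, IPs, Ports, scan)
from connection records seen at the network sink. Added example, not the
paper's code; the record layout and sample data below are constructed."""
from collections import defaultdict

# Constructed sample: one record per connection attempt seen at the sink.
# Fields: proto, dst_ip, dst_port, DNS query name (None for non-DNS traffic).
SAMPLE_RECORDS = [
    ("udp", "10.0.0.53", 53, "irc.example-c2.test"),
    ("tcp", "192.0.2.10", 6667, None),
    ("tcp", "192.0.2.10", 80, None),
] + [("tcp", f"203.0.113.{i}", 445, None) for i in range(1, 26)]

SCAN_THRESHOLD = 20  # paper's default: > 20 distinct destinations on one port


def network_fingerprint(records, threshold=SCAN_THRESHOLD):
    """Return the fingerprint components plus the ports that looked like scans."""
    dns, ips, ports = set(), set(), set()
    dests_per_port = defaultdict(set)  # (proto, port) -> distinct dst IPs
    for proto, dst_ip, dst_port, qname in records:
        if qname:
            dns.add(qname)
        ips.add(dst_ip)
        ports.add((proto, dst_port))
        dests_per_port[(proto, dst_port)].add(dst_ip)
    # Default scanning behaviour: strictly more than `threshold` distinct
    # destinations contacted on the same port during the monitored period.
    scan_ports = {p for p, d in dests_per_port.items() if len(d) > threshold}
    return {
        "DNS": sorted(dns),
        "IPs": sorted(ips),
        "Ports": sorted(ports),
        "scan": bool(scan_ports),
        "scan_ports": sorted(scan_ports),
    }


if __name__ == "__main__":
    print(network_fingerprint(SAMPLE_RECORDS))
```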
Measurement | Graybox Testing
Phase 2: Extraction of IRC-related features
Modified version of the UnrealIRC daemon instantiated on the network sink
IRC daemon listens on all ports ever observed in a network fingerprint
Upon detecting an IRC connection, an IRC fingerprint is created:
  PASS – initial password to establish the IRC session
  NICK – nickname
  USER – username
  MODE – modes set
  JOIN – IRC channels to be automatically joined (and their
To learn the botnet “dialect”, the bot connects to the local IRC server and enters its default channel
IRC query engine plays the role of the botmaster
Bot behavior is learned by subjecting it to a series of commands
Command set includes:
  IRC commands observed in honeynet traces
  Commands extracted from publicly available bot source code
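The phase-2 IRC fingerprint, as an added example (not the paper's or UnrealIRC's code): the client side of a captured IRC session is parsed in RFC 1459 form and the PASS/NICK/USER/MODE/JOIN values are collected, with JOIN keys paired to their channels. The session lines and the nick are constructed samples.

```python
"""Extract the IRC fingerprint (PASS, NICK, USER, MODE, JOIN) from the
client side of a captured IRC session. Added example, not the paper's code;
the session below is constructed and the nick/password are made-up samples."""

# Constructed sample: raw lines a bot sent to the sink's IRC daemon.
SAMPLE_SESSION = [
    "PASS s3cretbotpw",
    "NICK [DEU|XP|20481]",
    "USER vlimuy 0 0 :vlimuy",
    "MODE [DEU|XP|20481] +xi",
    "JOIN #c&c-chan,#backup chankey",
    "PRIVMSG #c&c-chan :hello",   # not part of the fingerprint
]


def parse_irc_line(line):
    """Split an IRC message into (COMMAND, params); trailing ':' param kept."""
    if line.startswith(":"):              # drop an optional sender prefix
        line = line.split(" ", 1)[1]
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    params = parts[1:] + ([trailing] if sep else [])
    return parts[0].upper(), params


def irc_fingerprint(session):
    """Return the fingerprint; JOIN maps each channel to its key (or None)."""
    fp = {"PASS": None, "NICK": None, "USER": None, "MODE": [], "JOIN": {}}
    for line in session:
        cmd, params = parse_irc_line(line)
        if cmd == "PASS" and params:
            fp["PASS"] = params[0]
        elif cmd == "NICK" and params:
            fp["NICK"] = params[0]
        elif cmd == "USER" and params:
            fp["USER"] = params[0]
        elif cmd == "MODE" and len(params) >= 2:
            fp["MODE"].append(params[1])      # mode string, target is params[0]
        elif cmd == "JOIN" and params:
            chans = params[0].split(",")
            keys = params[1].split(",") if len(params) > 1 else []
            for i, chan in enumerate(chans):  # keys pair with channels by position
                fp["JOIN"][chan] = keys[i] if i < len(keys) else None
    return fp


if __name__ == "__main__":
    print(irc_fingerprint(SAMPLE_SESSION))
```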
Measurement | Longitudinal Tracking
Botnet tracking is performed by two
IRC tracker: “A modified IRC client that can join a specified IRC channel and automatically answer directed queries based on the template created by the graybox testing technique”
IRC tracker instantiates a new IRC session to the IRC server using the fingerprint and template
IRC trackers need to appear responsive
Type-II botnets were the most prevalent class
Scanning triggered by a command
More difficult to track due to continuously changing behavior
Localized and targeted scanning were the most prevalent techniques
  Localized scanning focused on Class B address space
  Targeted scanning focused on Class A address space
Results | Growth Patterns
In order to examine botnet growth patterns, two approaches were taken:
  Cumulative number of unique DNS cache hits for distinct botnets over time was plotted
  Growth pattern was compared to behavior learned from the IRC tracker
Results | Growth Patterns
Botnets with semi-exponential growth patterns exhibit persistent random scanning activity (unchanging over time)
Example: for one botnet, the topic of the corresponding channel was set to randomly scan port 445 indefinitely for one month
Related to worm infections
Results | Growth Patterns
Also representative of botnets with intermittent activity profiles
Example: Botnet III corresponds to a botnet that infected honeypots on 3/13/2006
  IRC server went down between 4/12/2006 and 4/30/2006
  When the IRC server became available again, the growth slope increased and honeypots were re-infected by the same botnet
Results | Growth Patterns
Predominantly used time-scoped scanning commands, as opposed to the continuous scanning of the previous two
Results | Growth Patterns
Botnet evolution estimated by counting unique sources for messages broadcast to the channel
Only plotted botnets of comparable size on a given plot
Trends confirm heterogeneity in botnets
Results | Botnet Structures
60% of 318 collected malicious binaries were IRC bots
Four predominant IRC structures were revealed
Single server: all bots connected to a single IRC server
  Prevalent among smaller classes of botnets (few hundred users)
  70% of observed botnets fell into this category
Multiple servers: IRC servers can be connected to form an IRC network supporting large numbers of users
  30% of botnets bridged on multiple servers
  50% bridged between two servers only
Overlapping botnets: seemingly unrelated botnets appear more similar when comparing their naming conventions, channel names, and operators’ user IDs
  These botnets may seem to belong to the wrong botmaster
Migration: a selected group of bots is commanded to download an updated binary
  Results in bots being moved to a different IRC server
Results | Effective Botnet Size
Botnet footprint can become fairly large (> 15,000 bots)
Predominant structures were botnets managed by a single server or a few servers
Distinction drawn between:
  Botnet’s footprint
  Effective size: number of bots connected to the IRC channel at a given time
Results | Effective Botnet Size
Some “chatty” IRC servers broadcast join/leave information for members on the channel
Number of online bots versus time for these IRC servers is plotted in figure 9
Maximum size of the online population is significantly smaller than the botnet’s footprint
  Footprint greater than 10,000
  No more than 3,000 bots online at the same time
Effective size has little impact on long-term activity; however, it affects the number of bots available to execute commands in a timely manner
Results | Lifetime
Discrepancy between footprint and effective size is likely due to the long lifetime of a typical botnet
Bot death rates and high churn rates can affect a botnet’s effective size
Results | Lifetime
High churn rates: bots do not stay long on the IRC channel
  Average stay time: 25 minutes
  90% stay less than 50 minutes
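An added example (not the paper's code) tying the effective-size and churn slides together: given the join/leave broadcasts of a chatty IRC server, it computes the footprint (distinct nicks ever seen), the effective size (peak concurrent population) and per-session stay times, from which the average stay and the share of stays under 50 minutes follow. The event log is a constructed sample with timestamps in minutes.

```python
"""Footprint vs effective size from a chatty server's JOIN/PART broadcasts,
plus per-bot channel stay times. Added example, not the paper's code; the
events are constructed (minute offsets from the start of the trace)."""

# Constructed sample: (minute, event, nick). Bots churn in and out, so only a
# few are online at once although the footprint counts every distinct nick.
SAMPLE_EVENTS = [
    (0, "JOIN", "bot-a"), (5, "JOIN", "bot-b"), (20, "PART", "bot-a"),
    (22, "JOIN", "bot-c"), (30, "PART", "bot-b"), (31, "JOIN", "bot-a"),
    (40, "JOIN", "bot-d"), (45, "PART", "bot-c"), (50, "PART", "bot-a"),
    (90, "PART", "bot-d"),
]


def population_stats(events, end_time=None):
    """Return footprint, peak effective size and the list of stay times."""
    online = {}      # nick -> join time of its current session
    stays = []
    peak = 0
    seen = set()
    for t, ev, nick in sorted(events):
        seen.add(nick)
        if ev == "JOIN":
            online.setdefault(nick, t)           # ignore duplicate JOINs
            peak = max(peak, len(online))
        elif ev == "PART" and nick in online:
            stays.append(t - online.pop(nick))   # close the session
    if end_time is not None:                     # sessions still open at trace end
        stays.extend(end_time - t0 for t0 in online.values())
    return {"footprint": len(seen), "effective_size": peak, "stays": stays}


def stay_summary(stays):
    """Average stay time and the fraction of stays shorter than 50 minutes."""
    if not stays:
        return {"avg": 0.0, "under_50": 0.0}
    return {"avg": sum(stays) / len(stays),
            "under_50": sum(s < 50 for s in stays) / len(stays)}


if __name__ == "__main__":
    stats = population_stats(SAMPLE_EVENTS)
    print(stats, stay_summary(stats["stays"]))
```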
Small botnets receive a larger portion of control and mining commands
  Hands-on botmasters devote large amounts of time to manually controlling their botnet
Medium and large botnets have a larger percentage of cloning and download commands
  Cloning could include the use of one botnet to attack another botnet by overloading its IRC server with join requests
Conclusion
Botnets are a major contributor to overall unwanted internet traffic
  Most botnet traffic can be attributed to scans used to recruit new bots
IRC is still the dominant protocol used for C2 communications
Effective sizes of botnets can range from a few hundred to a few thousand
Botnet footprints are usually much larger than the effective size
  This is due to the high churn rate within a botnet: a bot’s average channel occupancy is less than half an hour
Graybox testing revealed the sophistication of modern bot software (e.g. self-protection measures)
Contributions
Established empirical measurements for botnet prevalence
  Particularly in considering DNS cache hits by the IRC botnets that were tracked
Classified typical behaviors of bot binaries
  Registry monitoring tactics
  Locking down host vulnerabilities
Classified the most prevalent botnet activities as a function of botnet size
Delineated between botnet footprint and “effective size”
Large experiment samples further solidified the results
Critique
Focused mainly on Windows-based systems
  It would be interesting to see the effectiveness of the noted infection strategies on Unix systems
Only evaluated two anti-virus applications
  Perhaps include other popular anti-virus applications: McAfee, Symantec Corporate, AVG, etc.
Authors noted 60% of binaries collected were IRC bots
  Did the other 40% use a different communication mechanism? If so, it would be interesting to know how they were structured and whether the authors evaluated them in any way
References
[1] Rajab, M. A., Zarfoss, J., Monrose, F., & Terzis, A. (2006). A multifaceted approach to understanding the botnet phenomenon. Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, Rio de Janeiro, Brazil.