Page 1: Botnet Detection Based on ICMP Infiltrations Correlation Pattern

Botnet Detection Based on ICMP Infiltrations Correlation Pattern

Navaneethan C. Arjuman, PhD Candidate and MyBrain Fellow
nava@nav6.usm.my
National Advanced IPv6 Centre
February 2012

Copyright Nava 2012

Page 2: Agenda

Objective
What are Botnets?
◦ Botnet History
◦ Botnet Usage
◦ Botnet Command and Control (C&C) Mechanism
◦ Botnet Classification
Botnet Detection Techniques
◦ Anomaly Detection
◦ Correlation Techniques
Inbound Scanning
◦ Proposed new area: ICMP-based scanning
◦ Mitigation Technique
◦ Research Outcome

Page 3: What are Botnets?

A command and control network of compromised hosts (bots); classically Internet Relay Chat (IRC) based, with the bots joining a channel the attacker controls
A bot is a client program that runs in the background of a compromised host
◦ Watches for certain strings on an IRC channel
◦ These strings are encoded commands for the bot
Purpose
◦ DoS, ID theft, phishing, keylogging, spam
Fun AND profit

Page 4: Botnet History

The lineage begins in August 1988, when IRC was created at the University of Oulu, Finland
1989 – First bot, "GM"
◦ A benign bot that helped users manage their own IRC connections
May 1999 – Pretty Park
◦ Reported in June 1999 in Central Europe
◦ Internet worm carrying a password-stealing trojan; connected to IRC servers to report back and receive commands
1999 – SubSeven
◦ Remote-controlled trojan

Page 5: Botnet History

2000 – GTbot (Global Threat)
◦ New capabilities: port scanning, flooding and cloning
◦ Raw TCP and UDP socket connections
◦ Built on the mIRC client; the malicious behaviour is implemented as mIRC scripts
2002 – SDbot
◦ Written by a Russian programmer known as "SD"
◦ About 40 KB of C++ code
◦ First to publish its source code for other attackers via a website
◦ The author provided e-mail and chat support
2002 – Agobot
◦ Modular design, updatable in the field
◦ Spread through Kazaa, Grokster and other P2P file-sharing networks

Page 6: Botnet History

2003 – Spybot (also known as Milkit)
◦ Derived from SDbot
◦ Adds spyware capabilities
◦ Spread via file-sharing applications and e-mail
2003 – Rbot
◦ IRC-controlled backdoor trojan
◦ Compromised hosts through vulnerable Microsoft file-sharing services on ports 139 and 445
◦ Microsoft MSRT report, June 2006: 1.9 million PCs affected worldwide
2004 – PolyBot
◦ Polymorphic
◦ Based on Agobot

Page 7: Botnet History

2005 – MyBot
◦ New version of SpyBot
◦ Hybrid code base
◦ Spread via file-sharing applications and e-mail
2006 – P2P-based bots
◦ 1st generation: "SpamThru", "Nugache", based on Gnutella-style file sharing
◦ 2nd generation: "Peacomm", purely distributed P2P
2007 – "Storm" botnet (Trojan.Peacomm is Symantec's name for the Storm Worm)
◦ Truly pure P2P
◦ No single point of failure
◦ High resilience and scalability; difficult to track
List continues…

Page 8: What is the latest?

2010 – Stuxnet
◦ Spreads via Microsoft Windows and targets Siemens industrial control software and equipment
◦ Malware that spies on and subverts industrial systems
◦ Targeted five Iranian organizations, in particular Iran's uranium enrichment infrastructure
September 2011 – Duqu
◦ Computer worm discovered on 1 September 2011
◦ "Operation Duqu" refers to the campaign that used Duqu; its goals are unknown
New trend: new worm, new botnet

Page 9: Botnet Usage

DDoS
Spam
Sniffing traffic
Keylogging
Installing advertisement add-ons and Browser Helper Objects (BHOs)
Manipulating online polls/games
Mass ID theft

Page 10: Botnet Command and Control (C&C) Mechanism

From the botmaster's point of view:
Centralized
◦ Pro: easy to set up, fast command dissemination
◦ Cons: easy to detect, single point of failure
Peer-to-peer topology
◦ Pro: decentralized, not easy to detect, no single point of failure
◦ Cons: not easy to set up (more complex), message delivery not guaranteed, high latency

Page 11: Botnet Command and Control (C&C) Mechanism (continued)

Unstructured topology: extreme peer-to-peer, one-to-one communication (each bot knows at most one other bot, so commands are passed along hop by hop)
◦ Pro: easy to set up, decentralized, not easy to detect, no single point of failure
◦ Cons: message delivery not guaranteed, high latency

Page 12: Botnet Classification

By Command & Control (C&C) channel:
IRC-based – C&C over an IRC server
HTTP-based – C&C over a web server
P2P-based – C&C over a peer-to-peer protocol
DNS-based – C&C that relies on fast-flux networks

Page 13: Botnet Detection

Signature-based – able to detect only known bots
Anomaly-based – detect bots from traffic anomalies
DNS-based – detect from DNS information (the lookups bots make to find their C&C)
Mining-based – detect with machine learning, classification and clustering

Page 14: Anomaly-Based Detection

Detect based on traffic anomalies such as
High network latency
High volumes of traffic
Traffic on unusual ports
Unusual system behaviour
Major advantage: can detect unknown bots

Page 15: Correlation Techniques

Infection dialog phases that can be correlated into an infection profile:
Inbound scanning
Exploit usage
Egg downloading
Outbound bot coordination dialog
Outbound attack propagation
Malware P2P communication

Page 16: Scanning for recruits

[Figure: bot-driven scanning for recruits, from Marchany, VASCAN 2005 (Copyright Marchany 2005). Legend: black = C&C traffic, red = scan information.]

Page 17: Bot Attack Strategy

Recruitment of the agent network
◦ Finding vulnerable systems
◦ Breaking into vulnerable systems: protocol attack, middleware attack, application or resource attack
Controlling the agent network
◦ Direct and indirect commands
◦ Updating malware
◦ Unwitting agents

Page 18: Finding Vulnerable Systems

Blended threat scanning
◦ Program(s) that provide command & control using IRC bots
An IRC command tells a bot (e.g. "Power") to do a netblock scan
The bot builds a list of vulnerable hosts and informs the attacker via the botnet
The attacker retrieves the file and adds it to a master list

Page 19: Inbound Scanning

Several inbound port-scanning methods are available. The TCP-based methods depend on the target implementing RFC 793 (Transmission Control Protocol) semantics, e.g. answering a SYN to a closed port with a RST.
Internet Control Message Protocol (ICMP)
Transmission Control Protocol (TCP)
◦ SYN
◦ ACK
◦ Window
◦ FIN
User Datagram Protocol (UDP)

Page 20: Inbound Scanning (continued)

Other types (uncommon)
Xmas and Null
Protocol
Proxy
Idle
CatSCAN

Page 21: Why use ICMP Scanning? Understanding ICMP-Based Attacks

Attackers prefer ICMP-based inbound scanning because:
ICMP scanning gives a high-level map of the target: the ICMP error returned for a probe tells the scanner what it can eliminate from its target list
Elimination of a target network: Type 3, Code 0 (destination network unreachable)

Page 22: Why use ICMP Scanning? (continued)

Elimination of a target host: Type 3, Code 1 (destination host unreachable)
Elimination of a particular protocol: Type 3, Code 2 (destination protocol unreachable)
Elimination of a particular port: Type 3, Code 3 (destination port unreachable)

Page 23: Why use ICMP Scanning? (continued)

Smaller payload: the added volume is hardly noticeable to volume-based detection
More reliable replies: the answer arrives as an explicit ICMP error message, whereas a TCP or UDP probe to a filtered port may get no answer at all
Caveat: hosts and routers may rate-limit ICMP errors (RFC 1812, section 4.3.2.8) or have them filtered at the border, so the absence of an error does not prove that a port or host is reachable

Page 24: Understanding ICMP

Currently there are two (2) versions:
ICMPv4
ICMPv6

Page 25: ICMPv4

Core protocol of the Internet protocol suite, defined in RFC 792
Mainly used to carry error messages
ICMP messages are typically generated in response to errors in IP datagrams (as specified in RFC 1122) or for diagnostic or routing purposes
ICMP errors are always reported to the source IP address of the datagram that caused them, and never in response to another ICMP error message, to a broadcast or multicast datagram, or to a non-initial fragment (RFC 1122, section 3.2.2)

Page 26: ICMPv4 – IP Datagram

Bits    0-7      8-15     16-31
0       Type     Code     Checksum
32      Rest of Header

Type – ICMP type, as listed on the following slides.
Code – Subtype of the given type.
Checksum – Error-checking data, calculated over the ICMP header plus data with this field set to 0. The checksum algorithm is specified in RFC 1071.
Rest of Header – Four-byte field; its contents vary with the ICMP type and code.

Page 27: ICMPv4 – Type

Type range: 0 to 255
0 to 41 – assigned
42 to 252 – unassigned; 253 and 254 – reserved for experimentation (RFC 4727); 255 – reserved
Special attention is focused on the following types:
Type 3
Type 9 and 10
Type 15 and 16
Type 17 and 18
Type 37 and 38

Page 28: ICMPv4 – Type 3 (Destination Unreachable)

Codes that require the most attention:
Code 0 – Destination network unreachable
Code 1 – Destination host unreachable
Code 2 – Destination protocol unreachable
Code 3 – Destination port unreachable
Code 6 – Destination network unknown
Code 7 – Destination host unknown

Page 29: ICMPv4 – Type 3 (continued)

Code 8 – Source host isolated
Code 9 – Network administratively prohibited
Code 10 – Host administratively prohibited
Code 11 – Network unreachable for TOS
Code 12 – Host unreachable for TOS
Code 13 – Communication administratively prohibited
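As an added worked example (not part of the original deck), the Python below builds an ICMPv4 Type 3 message the way a host or router emits it in reply to a probe: the 4-byte header and 4 unused "rest of header" bytes from slide 26, followed by the offending datagram's IP header and the first 8 bytes of its payload (RFC 792), checksummed per RFC 1071. It then parses the message back, verifies the checksum and maps the code to what a scanner learns from it (slides 21 and 22). The addresses and ports are constructed, and the `eliminated_scope` grouping is this example's own, not something the deck defines.

```python
import socket
import struct

# RFC 792 Destination Unreachable (Type 3) codes singled out on slides 28-29.
TYPE3_CODES = {
    0: "destination network unreachable",
    1: "destination host unreachable",
    2: "destination protocol unreachable",
    3: "destination port unreachable",
    6: "destination network unknown",
    7: "destination host unknown",
    8: "source host isolated",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    11: "network unreachable for TOS",
    12: "host unreachable for TOS",
    13: "communication administratively prohibited",
}


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement of the one's-complement sum of 16-bit words (RFC 1071).
    An odd trailing byte is zero-padded. Over a message that already carries a
    correct checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options, TTL 64) with its header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", rfc1071_checksum(hdr)) + hdr[12:]


def build_dest_unreachable(code: int, probe_src: str, probe_dst: str,
                           probe_proto: int, probe_l4_first8: bytes) -> bytes:
    """ICMPv4 Type 3: Type | Code | Checksum | 4 unused bytes | quoted IP header + 8 bytes."""
    if len(probe_l4_first8) != 8:
        raise ValueError("RFC 792 quotes exactly the first 8 bytes of the offending payload")
    quoted = build_ipv4_header(probe_src, probe_dst, probe_proto, 8) + probe_l4_first8
    msg = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    return msg[:2] + struct.pack("!H", rfc1071_checksum(msg)) + msg[4:]


def parse_icmpv4(pkt: bytes) -> dict:
    """Decode the common header (slide 26), verify the checksum and, for Type 3,
    recover the probe that triggered the error from the quoted datagram."""
    if len(pkt) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, _csum = struct.unpack("!BBH", pkt[:4])
    info = {"type": icmp_type, "code": code,
            "checksum_ok": rfc1071_checksum(pkt) == 0,
            "rest_of_header": pkt[4:8]}
    if icmp_type == 3 and len(pkt) >= 8 + 20:
        quoted = pkt[8:]
        ihl = (quoted[0] & 0x0F) * 4
        info["probe_src"] = socket.inet_ntoa(quoted[12:16])   # the scanner
        info["probe_dst"] = socket.inet_ntoa(quoted[16:20])   # what it probed
        info["probe_proto"] = quoted[9]
        l4 = quoted[ihl:ihl + 8]
        if quoted[9] in (6, 17) and len(l4) >= 4:             # TCP or UDP: ports come first
            info["probe_sport"], info["probe_dport"] = struct.unpack("!HH", l4[:4])
        info["meaning"] = TYPE3_CODES.get(code, "code %d (not on the slides)" % code)
    return info


def eliminated_scope(code: int) -> str:
    """What a scanner strikes from its target list on receiving this Type 3 code
    (slides 21-22). Administrative-prohibition codes are grouped separately because
    they reveal a filter rather than a missing target. Grouping is this example's own."""
    if code in (0, 6, 11):
        return "network"
    if code in (1, 7, 8, 12):
        return "host"
    if code == 2:
        return "protocol"
    if code == 3:
        return "port"
    if code in (9, 10, 13):
        return "filtered"
    return "unknown"


def demo() -> dict:
    """Constructed scenario: scanner 203.0.113.7 sends a UDP probe to 192.0.2.10:161
    and the host answers with Type 3 / Code 3 (port unreachable)."""
    udp_first8 = struct.pack("!HHHH", 40000, 161, 8, 0)   # sport, dport, length, checksum
    reply = build_dest_unreachable(3, "203.0.113.7", "192.0.2.10", 17, udp_first8)
    parsed = parse_icmpv4(reply)
    parsed["eliminated"] = eliminated_scope(parsed["code"])
    return parsed


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-16s %r" % (key, value))
```

The quoted datagram is what makes these messages useful to both sides: the scanner reads its own probe back to learn which port or host to drop, and a defender who captures the error leaving the network can read the same fields to see exactly what was probed by whom.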

Page 30: ICMPv4 – Other Types

Type 9, Code 0 – Router Advertisement
Type 10, Code 0 – Router Solicitation (router discovery/selection)
Type 15, Code 0 – Information Request
Type 16, Code 0 – Information Reply
Type 17, Code 0 – Address Mask Request
Type 18, Code 0 – Address Mask Reply
Type 37, Code 0 – Domain Name Request
Type 38, Code 0 – Domain Name Reply
Types 15 to 18 and 37 to 38 have almost no legitimate use on modern networks (they were formally deprecated by RFC 6918), so traffic carrying them is itself worth flagging.

Page 31: ICMPv4 – ICMP Fault Monitoring Features: Sample Capture

[Figure: sample capture of ICMP fault-monitoring features; not reproduced in the transcript.]

Page 32: ICMPv6

Internet Control Message Protocol (ICMP) for Internet Protocol version 6 (IPv6), defined in RFC 4443
Mainly used for error messages
Several extensions have been published, defining new ICMPv6 message types as well as new options for existing ICMPv6 message types
Neighbor Discovery Protocol (NDP) is the node discovery protocol in IPv6; it replaces and enhances the functions of ARP

Page 33: ICMPv6 (continued)

Secure Neighbor Discovery (SEND) is an extension of NDP with extra security (cryptographically generated addresses and signed messages)
Multicast Router Discovery (MRD) allows discovery of multicast routers
ICMPv6 messages are classified into two categories: error messages (Types 0 to 127) and informational messages (Types 128 to 255)
ICMPv6 messages are carried in IPv6 packets whose Next Header value is 58

Page 34: ICMPv6 – IP Datagram

Bit offset   0-7      8-15     16-31
0            Type     Code     Checksum
32           Message Body

Type – ICMPv6 type, as listed on the following slides.
Code – Subtype of the given type.
Checksum – Error-checking data. Unlike ICMPv4, it is calculated over an IPv6 pseudo-header (source and destination addresses, upper-layer length, Next Header 58) followed by the ICMPv6 header plus body, with this field set to 0 (RFC 4443, section 2.3).
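Added example, not from the deck: the ICMPv6 checksum differs from the ICMPv4 one in that RFC 4443 section 2.3 prepends the IPv6 pseudo-header, so the same message bytes verify only between the addresses they were sent between. The Python below builds an Echo Request (Type 128) and a Destination Unreachable (Type 1, Code 4), verifies both, and shows that rewriting the destination address invalidates the checksum. The addresses are constructed from the 2001:db8::/32 documentation prefix and the quoted-header stub in the Type 1 body is a placeholder.

```python
import socket
import struct

IPPROTO_ICMPV6 = 58  # IPv6 Next Header value for ICMPv6 (slide 33)

# RFC 4443 section 3.1 Destination Unreachable codes (slides 36-37).
TYPE1_CODES = {
    0: "no route to destination",
    1: "communication with destination administratively prohibited",
    2: "beyond scope of source address",
    3: "address unreachable",
    4: "port unreachable",
    5: "source address failed ingress/egress policy",
    6: "reject route to destination",
}


def ones_complement_sum(data: bytes) -> int:
    """Fold 16-bit words into a one's-complement sum (RFC 1071), zero-padding an odd tail."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv6_pseudo_header(src6: str, dst6: str, upper_len: int) -> bytes:
    """Pseudo-header: source, destination, 32-bit upper-layer length, 3 zero bytes, Next Header."""
    return (socket.inet_pton(socket.AF_INET6, src6)
            + socket.inet_pton(socket.AF_INET6, dst6)
            + struct.pack("!I", upper_len)
            + b"\x00\x00\x00" + bytes([IPPROTO_ICMPV6]))


def icmpv6_checksum(src6: str, dst6: str, msg: bytes) -> int:
    """Checksum over pseudo-header + ICMPv6 message (caller zeroes the checksum field).
    Over a message that already carries a correct checksum the result is 0."""
    return (~ones_complement_sum(ipv6_pseudo_header(src6, dst6, len(msg)) + msg)) & 0xFFFF


def build_icmpv6(src6: str, dst6: str, msg_type: int, code: int, body: bytes) -> bytes:
    """Type | Code | Checksum | Message Body (slide 34), with the checksum bound to src/dst."""
    msg = struct.pack("!BBH", msg_type, code, 0) + body
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src6, dst6, msg)) + msg[4:]


def verify_icmpv6(src6: str, dst6: str, msg: bytes) -> bool:
    """True only if the message is intact AND was sent between exactly these two addresses."""
    return len(msg) >= 4 and icmpv6_checksum(src6, dst6, msg) == 0


def classify(msg_type: int) -> str:
    """RFC 4443 section 2.1: the high-order bit of Type separates the two categories."""
    return "error" if msg_type < 128 else "informational"


def describe(msg: bytes) -> str:
    msg_type, code = msg[0], msg[1]
    if msg_type == 1:
        return "Destination Unreachable: " + TYPE1_CODES.get(code, "code %d" % code)
    return "type %d (%s)" % (msg_type, classify(msg_type))


def demo() -> dict:
    """Constructed: an Echo Request from ::1 to ::2 verifies for that pair only; a
    Type 1 / Code 4 error from ::2 back to ::1 is decoded."""
    src, dst, other = "2001:db8::1", "2001:db8::2", "2001:db8::3"
    echo = build_icmpv6(src, dst, 128, 0, struct.pack("!HH", 0x1234, 1) + b"probe-payload")
    # Type 1 body: 4 unused bytes, then as much of the invoking packet as fits
    # (a 40-byte placeholder stands in for the quoted IPv6 header here).
    unreach = build_icmpv6(dst, src, 1, 4, b"\x00" * 4 + b"\x60" + b"\x00" * 39)
    return {
        "echo_valid": verify_icmpv6(src, dst, echo),
        "echo_valid_if_dst_rewritten": verify_icmpv6(src, other, echo),
        "echo_category": classify(echo[0]),
        "unreach_valid": verify_icmpv6(dst, src, unreach),
        "unreach_text": describe(unreach),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-30s %r" % (key, value))
```

For a monitoring tool this means an ICMPv6 parser must be handed the IPv6 addresses along with the ICMPv6 bytes before it can validate a message; the ICMPv4 parser on the previous example needs only the ICMP bytes.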

Page 35: ICMPv6 – Type

Special attention is focused on the following types:
Type 1
Type 128 and 137
Type 139 and 153

Page 36: ICMPv6 – Type 1 (Destination Unreachable)

Codes that require attention when scanning takes place:
Code 0 – No route to destination
Code 1 – Communication with destination administratively prohibited
Code 2 – Beyond scope of source address
Code 3 – Address unreachable
Code 4 – Port unreachable

Page 37: ICMPv6 – Type 1 (continued)

Code 5 – Source address failed ingress/egress policy
Code 6 – Reject route to destination

Page 38: ICMPv6 – Other Types

Type 128, Code 0 – Echo Request
Type 129, Code 0 – Echo Reply
Type 130, Code 0 – Multicast Listener Query
Type 133, Code 0 – Router Solicitation (NDP)
Type 134, Code 0 – Router Advertisement (NDP)
Type 135, Code 0 – Neighbor Solicitation (NDP)
Type 136, Code 0 – Neighbor Advertisement (NDP)

Page 39: ICMPv6 – Other Types (continued)

Type 139, Codes 0 to 2 – ICMP Node Information Query
Type 140, Codes 0 to 2 – ICMP Node Information Response
Type 141, Code 0 – Inverse Neighbor Discovery Solicitation
Type 142, Code 0 – Inverse Neighbor Discovery Advertisement
Type 144, Code 0 – Home Agent Address Discovery Request

Page 40: ICMPv6 – Other Types (continued)

Type 145, Code 0 – Home Agent Address Discovery Reply
Type 146, Code 0 – Mobile Prefix Solicitation
Type 147, Code 0 – Mobile Prefix Advertisement
Type 151, Code 0 – Multicast Router Advertisement (MRD)
Type 152, Code 0 – Multicast Router Solicitation (MRD)

Page 41: Mitigating ICMP-Based Scanning Attacks

Capturing these ICMP error messages gives a high-probability indicator that reconnaissance for an attack is taking place
Proposed: a new profiling algorithm
Proposed: a new ICMP-based scanning profiling application
Need to improve the existing iNetmon ICMP default monitoring features

Page 42: Mitigating ICMP-Based Scanning Attacks (continued)

Integration with a profiling system is required so that the ICMP scanning profile can be correlated with the other correlation factors, such as
◦ Exploit usage
◦ Egg downloading
◦ Outbound bot coordination dialog
◦ Outbound attack propagation
◦ Malware P2P communication
Systems already exist, such as BotHunter (a Snort-based correlation engine), that correlate the features listed above.
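Added example (not the deck's or iNetmon's code): a minimal version of the ICMP-based scanning profile the last two slides call for. It consumes already-decoded Type 3 messages seen leaving the monitored network, groups them by the external address that receives them (the probe's source, since RFC 792 errors go back to the offending datagram's sender), correlates them in a sliding time window, and shapes the result as the "inbound scanning" record from slide 15 that a BotHunter-style correlator could combine with the other dialog phases. The events, the 60-second window, the five-target threshold and the record layout are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class UnreachableEvent:
    """One ICMPv4 Type 3 message observed leaving the monitored network.
    icmp_dst is where the error goes, i.e. the source of the offending probe
    (RFC 792), so it is the scanner's address."""
    ts: float          # capture time, seconds
    icmp_src: str      # internal host or router that generated the error
    icmp_dst: str      # external probe source (the scanner)
    code: int          # Type 3 code
    probe_dst: str     # destination quoted from the offending IP header
    probe_dport: int   # destination port from the quoted TCP/UDP header (0 if none)


# Constructed sample, not captured traffic:
#  - 203.0.113.7 sweeps 192.0.2.10-17 on UDP/161 and UDP/53 within 4 seconds;
#    live hosts answer code 3, the router answers code 1 for the absent ones
#  - 198.51.100.9 hits one closed port twice, five minutes apart (benign)
#  - 203.0.113.99 probes one host every 90 seconds (slow sweep)
SAMPLE_EVENTS = [
    UnreachableEvent(100.0 + i * 0.5,
                     "192.0.2.%d" % (10 + i) if i < 4 else "192.0.2.1",
                     "203.0.113.7", 3 if i < 4 else 1,
                     "192.0.2.%d" % (10 + i), 161 if i % 2 == 0 else 53)
    for i in range(8)
] + [
    UnreachableEvent(100.0, "192.0.2.20", "198.51.100.9", 3, "192.0.2.20", 8080),
    UnreachableEvent(400.0, "192.0.2.20", "198.51.100.9", 3, "192.0.2.20", 8080),
] + [
    UnreachableEvent(i * 90.0, "192.0.2.1", "203.0.113.99", 1, "192.0.2.%d" % (30 + i), 22)
    for i in range(5)
]

WINDOW_SECONDS = 60.0        # assumption: tune per network
MIN_DISTINCT_TARGETS = 5     # assumption: tune per network


def profile_scanners(events, window=WINDOW_SECONDS, min_targets=MIN_DISTINCT_TARGETS):
    """Group Type 3 errors by external receiver and slide a time window over each
    group; a receiver whose errors reference >= min_targets distinct internal
    addresses inside one window is profiled as a scanner. Returns {scanner: profile}."""
    by_receiver = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_receiver[e.icmp_dst].append(e)

    profiles = {}
    for receiver, evs in by_receiver.items():
        best_win, best_targets = [], set()
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            targets = {e.probe_dst for e in win}
            if len(targets) > len(best_targets):
                best_win, best_targets = win, targets
        if len(best_targets) >= min_targets:
            ports = sorted({e.probe_dport for e in best_win if e.probe_dport})
            profiles[receiver] = {
                "first_seen": best_win[0].ts,
                "last_seen": best_win[-1].ts,
                "distinct_targets": len(best_targets),
                "ports": ports,
                "codes": sorted({e.code for e in best_win}),
                # few ports across many hosts is a horizontal sweep; many ports is vertical
                "pattern": "horizontal sweep" if len(ports) <= 2 else "vertical or mixed scan",
            }
    return profiles


def to_dialog_event(scanner: str, profile: dict) -> tuple:
    """Shape the result as the 'inbound scanning' phase record (slide 15) for a
    BotHunter-style correlator. The tuple layout is this example's own."""
    return ("INBOUND_SCAN", scanner, profile["first_seen"], profile["last_seen"],
            profile["distinct_targets"], tuple(profile["ports"]), profile["pattern"])


if __name__ == "__main__":
    for scanner, prof in profile_scanners(SAMPLE_EVENTS).items():
        print(to_dialog_event(scanner, prof))
    # the slow sweep only correlates once the window is widened
    print(sorted(profile_scanners(SAMPLE_EVENTS, window=600.0)))
```

The slow sweep in the sample is the caveat to carry into the real profiler: with a 60-second window only the fast sweep is reported, and the 90-second-interval scanner only correlates when the window is widened to 600 seconds, so window length trades detection of patient scanners against false positives from ordinary clients that hit a closed port now and then.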

Page 43: Proposed Research Outcome

Publish conference and journal papers (ISI-indexed) on this technique
Develop the ICMP-based scanning profile algorithm
Build an ICMP-based scanning profile solution (Nmap can be modified to add the ICMP profiling algorithm)

Page 44: References

www.sunbelt-software.com/ihs/alex/rmbotnets.ppt
http://www.bothunter.net/doc/users_guide-WIN.html
http://www.iana.org/assignments/icmpv6-parameters
http://www.sans.org/security-resources/idfaq/icmp_misuse.php
"Know your Enemy: Tracking Botnets", The Honeynet Project & Research Alliance (P. Bächer, T. Holz, M. Kötter, G. Wicherski), 2005, http://www.honeynet.org/papers/bots

Page 45: References (continued)

http://en.wikipedia.org/wiki/ICMPv6
http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
http://en.wikipedia.org/wiki/Stuxnet
http://en.wikipedia.org/wiki/Duqu

Page 46

Thank You