Botnet Detection Based on ICMP Infiltrations Correlation Pattern
Navaneethan C. Arjuman, PhD Candidate and MyBrain Fellow
[email protected]
National Advanced IPv6 Centre, February 2012
Copyright Nava 2012
◦ Inbound Scanning
◦ Proposed new area on ICMP based scanning
◦ Mitigation Technique
◦ Research Outcome
What are Botnets?
An Internet Relay Chat (IRC) based command and control network of compromised hosts (bots). IRC is the classic form; later botnets also use peer-to-peer (P2P) channels for command and control, which is why P2P traffic appears among the correlation factors later in these slides.
A bot is a client program that runs in the background of a compromised host
◦ Watches for certain strings on an IRC channel
◦ These strings are encoded commands for the bot
Purpose
◦ DoS, ID theft, phishing, keylogging, spam
Fun AND profit
Botnet History
The lineage of botnets starts in August 1988, when IRC was invented at the University of Oulu, Finland
1989 – First bot, “GM”
◦ Assisted users in managing their own IRC connections
May 1999 – Pretty Park
◦ Reported in June 1999 in Central Europe
◦ Internet worm carrying a password-stealing trojan
1999 – SubSeven
◦ Remote-controlled trojan
Botnet History
2000 – GTbot (Global Threat)
◦ New capabilities: port scanning, flooding and cloning
◦ Supports UDP and TCP socket connections
◦ Runs malicious scripts through its IRC client (it was built on mIRC scripting)
2002 – SDbot
◦ Written by a Russian programmer known as ‘SD’
◦ About 40 KB of C++ code
◦ First bot whose source code was published for hackers via a website
◦ The author provided e-mail and chat support
2002 – Agobot
◦ Modular design, updated in stages
◦ Spread through Kazaa, Grokster and other file-sharing networks
Botnet History
2003 – Spybot (also known as Milkit)
◦ Derived from SDbot
◦ Comes with spyware capabilities
◦ Spreads via file-sharing applications and e-mail
2003 – Rbot
◦ IRC-controlled backdoor trojan
◦ Compromised hosts through vulnerable Microsoft file-sharing services on ports 139 and 445
◦ Per Microsoft's MSRT report of June 2006, 1.9 million PCs were affected worldwide
2004 – PolyBot
◦ Polymorphism capabilities
◦ Based on Agobot
Botnet History
2005 – MyBot
◦ New version of SpyBot
◦ Hybrid coding
◦ Spreads via file-sharing applications and e-mail
… Address Discovery Reply Message
Type 146, Code 0 - Mobile Prefix Solicitation
Type 147, Code 0 - Mobile Prefix Advertisement
Type 151 - Multicast Router Advertisement (MRD)
Type 152 - Multicast Router Solicitation (MRD)
(ICMPv6 informational messages defined for Mobile IPv6 and Multicast Router Discovery; the Mobile Prefix messages carry only Code 0)
Mitigating ICMP Based Scanning Attacks
Capturing these ICMP error messages gives a high-probability indication that a scanning attack is taking place: a scanner probing closed hosts and ports draws a burst of ICMP errors, and each error quotes the header of the probe that triggered it, so the profile can attribute the burst to the probing source. The caveat is that hosts and firewalls that rate-limit or drop ICMP, and probes that reach open ports, produce no error at all, so the profile is one correlation factor, not a verdict on its own.
◦ Proposed new profiling algorithm
◦ Proposed new ICMP based scanning profiling application
◦ Need to improve the existing iNetmon ICMP default monitoring features
Mitigating ICMP Based Scanning Attacks….
Integration with a profiling system is required so that the ICMP scan profile can be correlated with the other correlation factors, such as
◦ Exploit usage
◦ Egg downloading
◦ Outbound bot coordination dialog
◦ Outbound attack propagation
◦ Malware P2P communication
Systems that already correlate these features exist, such as BotHunter (a Snort-based correlation engine).
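One way to turn the profiling and correlation slides above into working detection logic, as an added example that is not code from the slides, iNetmon or BotHunter: ICMP error messages (types 3, 11 and 12) are profiled per probing source by sliding a window over the quoted original datagrams; an internal source that draws a burst is recorded as outbound attack propagation and an external one as an inbound scan against the hosts it hit; those records are then correlated with exploit, egg-download, C&C and P2P events from other sensors under a simplified BotHunter-style rule. The log format, the event kinds, the thresholds, the internal prefix, the function names and the infection rule are this example's own assumptions, and the sample log is constructed.

```python
"""ICMP-error scan profiling plus BotHunter-style dialog correlation.
Added example for this page (not code from the slides, iNetmon or BotHunter);
log format, thresholds and the infection rule are this example's own assumptions."""
import re
from collections import defaultdict, namedtuple

# ICMPv4 error types (RFC 792): Destination Unreachable, Time Exceeded, Parameter
# Problem. Each error quotes the header of the probe that caused it (orig_* below).
ICMP_ERROR_TYPES = {3, 11, 12}
MIN_DISTINCT_TARGETS = 4   # assumed thresholds: errors drawn from this many
MIN_DISTINCT_PORTS = 4     # targets or ports inside one window mean scanning
WINDOW_SECONDS = 60

# Dialog events after the correlation factors on the slides: E1 inbound scan,
# E2 exploit, E3 egg download, E4 C&C dialog, E5 outbound attack, E6 P2P.
E1, E2, E3, E4, E5, E6 = "E1", "E2", "E3", "E4", "E5", "E6"
EVENT_KINDS = {                   # log kind -> (event, field naming the victim)
    "exploit": (E2, "dst"),       # victim is the exploit's destination
    "egg-download": (E3, "src"),  # victim fetches the binary
    "cc-dialog": (E4, "src"),     # victim talks to the C&C server
    "outbound-attack": (E5, "src"),
    "p2p-dialog": (E6, "src"),
}
LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<kind>[\w-]+)\s*(?P<kv>.*)$")
ScanProfile = namedtuple("ScanProfile", "first_ts targets ports errors")

def parse_line(line):
    """'<epoch> <kind> k=v k=v ...' -> dict, or None if the line does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    rec.update(ts=int(m.group("ts")), kind=m.group("kind"))
    return rec

def load(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def profile_icmp_errors(records):
    """{scanner_ip: ScanProfile} for every source whose probes drew an ICMP error
    burst. The scanner is orig_src of the quoted datagram, not the error's sender."""
    by_scanner = defaultdict(list)
    for r in records:
        if r["kind"] == "icmp-error" and int(r.get("type", -1)) in ICMP_ERROR_TYPES:
            by_scanner[r["orig_src"]].append(r)
    flagged = {}
    for scanner, errs in by_scanner.items():
        errs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(errs):      # slide a window across the burst
            window = [r for r in errs[i:] if r["ts"] - start["ts"] <= WINDOW_SECONDS]
            targets = {r["orig_dst"] for r in window}
            ports = {r["orig_dport"] for r in window if "orig_dport" in r}
            if len(targets) >= MIN_DISTINCT_TARGETS or len(ports) >= MIN_DISTINCT_PORTS:
                flagged[scanner] = ScanProfile(start["ts"], targets, ports, len(window))
                break
    return flagged

def is_infected(evidence):
    """Simplified BotHunter-style rule (an assumption, not BotHunter's exact rule):
    exploit (E2) plus one outward sign (E3-E6), or two outward signs. E1 alone never convicts."""
    outward = evidence & {E3, E4, E5, E6}
    return (E2 in evidence and len(outward) >= 1) or len(outward) >= 2

def correlate(records, internal_prefix="10.0.0."):
    evidence = defaultdict(set)       # host -> set of dialog events seen for it
    for scanner, prof in profile_icmp_errors(records).items():
        if scanner.startswith(internal_prefix):
            evidence[scanner].add(E5)          # our host is sweeping outward
        else:
            for target in prof.targets:        # outsider sweeping us
                evidence[target].add(E1)
    for r in records:
        if r["kind"] in EVENT_KINDS:
            event, victim_field = EVENT_KINDS[r["kind"]]
            evidence[r[victim_field]].add(event)
    return {host: evs for host, evs in evidence.items() if is_infected(evs)}

# Constructed sample log (epoch seconds, RFC 5737 documentation addresses).
# 203.0.113.7 sweeps TCP/445 on 10.0.0.10-14; 10.0.0.12 has 445 open, so it sends
# no error and never appears as a target. It is then exploited, fetches its binary,
# joins IRC and starts its own sweep. 10.0.0.30 (one stray error) and 10.0.0.31
# (one download and nothing else) must stay clean.
SAMPLE_LOG = """\
100 icmp-error type=3 code=3 src=10.0.0.10 orig_src=203.0.113.7 orig_dst=10.0.0.10 orig_dport=445
101 icmp-error type=3 code=3 src=10.0.0.11 orig_src=203.0.113.7 orig_dst=10.0.0.11 orig_dport=445
103 icmp-error type=3 code=1 src=10.0.0.1 orig_src=203.0.113.7 orig_dst=10.0.0.13 orig_dport=445
104 icmp-error type=3 code=1 src=10.0.0.1 orig_src=203.0.113.7 orig_dst=10.0.0.14 orig_dport=445
130 exploit src=203.0.113.7 dst=10.0.0.12 dport=445
131 egg-download src=10.0.0.12 dst=198.51.100.20 dport=80
140 cc-dialog src=10.0.0.12 dst=198.51.100.21 dport=6667
200 icmp-error type=3 code=3 src=192.0.2.1 orig_src=10.0.0.12 orig_dst=192.0.2.1 orig_dport=445
201 icmp-error type=3 code=3 src=192.0.2.2 orig_src=10.0.0.12 orig_dst=192.0.2.2 orig_dport=445
202 icmp-error type=3 code=3 src=192.0.2.3 orig_src=10.0.0.12 orig_dst=192.0.2.3 orig_dport=445
203 icmp-error type=3 code=3 src=192.0.2.4 orig_src=10.0.0.12 orig_dst=192.0.2.4 orig_dport=445
300 icmp-error type=11 code=0 src=10.0.0.1 orig_src=10.0.0.30 orig_dst=192.0.2.9
400 egg-download src=10.0.0.31 dst=198.51.100.20 dport=80
"""
```

Running `correlate(load(SAMPLE_LOG))` convicts only 10.0.0.12, with evidence E2 through E5; the swept hosts carry nothing but E1 and the lone downloader nothing but E3, so neither is flagged. Note that the exploited host never shows up in the external scanner's profile at all, because an open port answers with a SYN/ACK rather than an ICMP error; that blind spot is why the scan profile is fed into the correlation engine as one factor rather than used as a verdict.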
Proposed Research Outcome
◦ Publish conference papers (targeting ISI-indexed venues) and a journal article based on this technique
◦ Develop the ICMP based scanning profile algorithm
◦ Build an ICMP based scanning profile solution (Nmap can be modified to add the ICMP profiling algorithm)