The case for in-the-lab botnet experimentation: creating and taking down a 3000-node botnet
Joan Calvet, Carlton R. Davis, Jose M. Fernandez, Jean-Yves Marion, Pier-Luc St-Onge, Wadie Guizani, Pierre-Marc Bureau, Anil Somayaji
ACSAC 2010
A Presentation at Advanced Defense Lab
Introduction
Presents "in the lab" experiments involving at-scale emulated botnets.
Experiments with "in-the-wild" botnets can be problematic:
(i) Researchers need to create entities which join the botnet.
(ii) There are legal and ethical issues involved in performing such botnet research.
(iii) It is difficult to get statistically significant results.
(iv) They are not repeatable.
At-scale emulation studies, with conditions kept as close as possible to the real world, are the best alternative to in-the-wild studies.
Introduction
In emulation experiments, botnet entities that are either identical or slightly adapted versions of their real-world counterparts are executed in controlled environments.
Such experiments allow researchers to hide their ammunition from botnet operators until the mitigation schemes are fully developed and optimised.
The authors recreated in the lab an isolated version of the Waledac botnet consisting of approximately 3,000 nodes.
Botnet Emulation
Capture of the botnet client code, through various methods.
Gathering of information on the botnet: passively monitoring the botnet by observing infected machines and/or joining the botnet.
Construction of a surrogate C&C infrastructure.
Construction of a realistic operating environment for the botnet in the lab.
Determination of the metrics to be measured.
Implementation of methods for measuring these metrics.
The Waledac Experiment – binary overview
A prominent botnet; first appeared in November 2008.
Mode of operation (determined by reverse engineering):
P2P network infrastructure for its C&C.
4-layered C&C architecture.
Each bot is hard-coded with a list of 100 to 500 repeater contact entries, the RList.
The Waledac Experiment - RList
Constant sharing with other peers.
[Figure: RList exchange between two bots, each holding an RList of up to 500 entries. A bot selects 1 entry of its RList at random as the peer to share with, sends it 100 entries selected at random from its own RList, and the peer replies with 100 entries selected at random from its RList.]
The Waledac Experiment - Encryption
[Figure taken from a referenced paper; not reproduced in the transcript.]
The Waledac Experiment - Emulation
Create VM templates.
Add the IPs of 500 repeaters to the RLists.
Add a script to issue commands to the VMs.
Deploy the VM templates.
Set up the C&C server.
Constitute the botnet.
Set up the environment.
The Waledac Experiment – Mitigation Scheme
Flush the RList with our own entries by launching Sybil attacks: Waledac bots do not check the RList they receive carefully.
If the bot is a repeater, a race condition arises, since it is also constantly receiving RLists from other peers.
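The following Python simulation is an added example and is not code from the presentation or from the paper it summarises. It models the RList exchange of the RList slide (a bot picks one entry at random and exchanges 100 randomly selected entries with it) and the Sybil flooding of the mitigation slide, with the victim modelled as a repeater so that it also receives RLists pushed by other peers. Everything the slides do not state is an assumption: the merge policy (a received entry is appended or refreshed and the oldest entries are evicted beyond 500), a constructed pool of 2,000 legitimate repeaters standing in for legitimate peers' lists, an attacker controlling 500 addresses, and the push rates, which are parameters so the race between legitimate and Sybil pushes can be explored.

```python
import random
from collections import OrderedDict

RLIST_MAX = 500       # slide: an RList holds 100 to 500 repeater entries
EXCHANGE_SIZE = 100   # slide figure: 100 entries selected at random per exchange
# Constructed sample data: legitimate repeaters, and the addresses the attacker is
# assumed to control (500, enough to fill a whole RList).
LEGIT_POOL = [f"repeater-{i}" for i in range(2000)]
SYBIL_POOL = [f"sybil-{i}" for i in range(RLIST_MAX)]


def is_sybil(ip):
    return ip.startswith("sybil-")


class RList:
    """Repeater list of one bot.

    Merge policy (assumption, not from the slides): a received entry that is
    already present is refreshed (moved to the newest end), an unknown entry is
    appended, and the oldest entries are evicted once the list exceeds
    RLIST_MAX. Nothing about the sender or the entries is validated, which is
    the 'do not check the RList received carefully' behaviour the mitigation
    relies on.
    """

    def __init__(self, ips):
        self.entries = OrderedDict((ip, True) for ip in ips)

    def merge(self, received):
        for ip in received:
            if ip in self.entries:
                self.entries.move_to_end(ip)
            else:
                self.entries[ip] = True
        while len(self.entries) > RLIST_MAX:
            self.entries.popitem(last=False)   # evict the oldest entry

    def pick_peer(self, rng):
        # Slide figure: select 1 entry at random to share the RList with
        return rng.choice(list(self.entries))

    def sybil_fraction(self):
        return sum(1 for ip in self.entries if is_sybil(ip)) / len(self.entries)


def reply_from(ip, rng):
    """The 100 random entries the chosen peer sends back. A legitimate
    repeater's list is approximated by the global pool (assumption); a Sybil
    always answers with attacker-controlled addresses."""
    pool = SYBIL_POOL if is_sybil(ip) else LEGIT_POOL
    return rng.sample(pool, EXCHANGE_SIZE)


def simulate(sybil_pushes, legit_pushes, rounds, seed=1):
    """Run `rounds` gossip rounds against one repeater and return the fraction
    of its RList that is attacker-controlled afterwards.

    Per round the repeater (a) does its own outbound exchange with one randomly
    chosen entry (only the 100 entries it receives matter for its list),
    (b) receives `legit_pushes` RLists pushed by legitimate peers and
    (c) receives `sybil_pushes` RLists pushed by the attacker's Sybils.
    (b) versus (c) is the race condition of the mitigation slide.
    """
    rng = random.Random(seed)
    victim = RList(rng.sample(LEGIT_POOL, RLIST_MAX))
    for _ in range(rounds):
        victim.merge(reply_from(victim.pick_peer(rng), rng))
        for _ in range(legit_pushes):
            victim.merge(rng.sample(LEGIT_POOL, EXCHANGE_SIZE))
        for _ in range(sybil_pushes):
            victim.merge(rng.sample(SYBIL_POOL, EXCHANGE_SIZE))
    return victim.sybil_fraction()


if __name__ == "__main__":
    for sybil_rate in (0, 1, 3, 10):
        frac = simulate(sybil_rate, legit_pushes=1, rounds=100)
        print(f"{sybil_rate:2d} Sybil pushes/round vs 1 legitimate push/round: "
              f"{frac:.0%} of the repeater's RList is ours")
```

Running the block prints how much of the repeater's list the attacker owns for several push rates. With no Sybil pushes the list stays clean, because the victim only ever learns addresses it is sent; once Sybil pushes outnumber legitimate ones the list is mostly attacker-controlled, and the victim's own outbound exchanges then increasingly land on Sybils, which feeds the flooding further. Pushing at roughly the same rate as the legitimate peers leaves the list contested, which is the race the slide refers to.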