
Botnets

Vipul Harsh
October 31, 2014


Transcript

1. Introduction
• A botnet is a collection of Internet-connected programs communicating with similar programs to do certain tasks.
• It is used to send spam or execute Distributed Denial of Service attacks.
2. C&C Server
• The command and control server is the sole control point of the botnet.
• It hosts an Apache web server and a MySQL database. To avoid suspicion, it has a public, innocent-looking webpage.
• The bots talk to the C&C server using HTTP, which is harder for network administrators to detect.
• The botmaster can log in to the C&C server and issue commands, which are then fetched by the bots.
3. Agobot
• Remote Control
  ◦ Password-protected IRC client control interface
• Host Control
  ◦ Commands to locate sensitive information like email addresses, AOL and PayPal passwords, etc.
  ◦ Network traffic sniffer based on pcap
  ◦ Control over the local file system, including executables and downloads
4. Agobot
• Propagation
  ◦ Scans across network prefix ranges or random addresses
• Exploits and attacks
  ◦ Password brute forcers for MS-SQL and Windows
  ◦ Seven types of DDoS attacks: UDP flood, SYN flood, HTTP flood, targa3, wonk flood, phat SYN flood, ICMP flood
  ◦ Can automatically spread via previously installed open-door Trojan horses
5. Agobot
• Obfuscation
  ◦ Swapping consecutive bytes
  ◦ Polymorphic encoding
  ◦ Rotate left / rotate right
• Deception
  ◦ Rootkit-like mechanism for hiding files and processes
  ◦ Kills antivirus processes
6. Stormbot
• Gained prominence in Jan 2007
• First major botnet to employ a P2P command and control architecture
• Recruits new bots using a variety of attack vectors
  ◦ Email messages with .exe attachments
  ◦ Email messages with links to infected sites
  ◦ E-card spam
7. Stormbot
• Used the computing power of compromised machines
  ◦ Sends and relays spam, conducts DDoS attacks, etc.
• Hides on the machine with rootkit technology
• Uses fast-flux DNS for hosting on named sites
• Decentralized nature makes it impossible to track
• Fighting-back capabilities (DDoS counter-attacks)
8. Problems
• From a botmaster's perspective, the C&C servers are the fundamental weak points of the botnet architecture.
• The botmaster will lose control of his botnet if the C&C servers are caught by defenders.
• If a bot is compromised, the identities of the C&C servers will be revealed.
• If a C&C server is caught, the entire botnet would be exposed.
9. Peer-to-Peer
• The conventional solution to a centralized point of failure is to make it distributed. The P2P protocol was developed for this purpose.
• Instead of a centralized C&C server, each bot contains a list of peer bots that it communicates with. It does not reveal its peer list to any other bot.
• To send a command to the botnet, the botmaster needs to send it to any one of the bots in the botnet.
• The command is relayed by the bot to its peers, and so on, until the whole botnet receives the command.
10. Characteristics
• Servent Bots: Have public static IP addresses. Candidates for being in peer lists. Have a self-determined port and encryption key for their communications.
• Client Bots: Bots with dynamic IPs, behind NATs or a firewall. They fetch commands from their peers (servent bots).
• Individualized service ports make it hard to detect a botnet based on monitored network traffic.
• The botmaster can monitor by using sensor hosts (which could be infected hosts). The sensor host IP is not hard-coded and can be relayed to the entire botnet.
11. Infection
• A bot is simply a malicious piece of software running on a compromised (infected) host.
• The botnet master sends out worms via the Internet, setting up an extensive bot network.
• This can be achieved by exploiting web-based vulnerabilities. For example, a user can be lured to download and run a malicious executable via an email attachment.
12. Infection
• Other techniques deployed by botmasters include buffer overflow attacks, Remote Procedure Call (RPC) attacks, or attacks on other software bugs.
• Once the malware bot program is running on the infected machine, it logs in to the C&C server if it is designed for a centralized botnet, or to its peer bots if it is designed for a P2P botnet.
13. Infection: Pushdo botnet
An email attachment contains a link to a website which looks exactly like YouTube and prompts the user to update Flash Player. Clicking the OK button installs an SMTP engine that quickly sends spam emails.
14. Attacks
• Once the bot network is established, it can be used to launch Denial of Service attacks, spamming, click fraud, etc.
• Botnets can also be used to spy on an entity or an organisation. Individual bots can collect private information about the user, such as voter ID, bank details, Aadhaar card ID, etc.
15. Botnet detection
Two types of methods:
⚫ Static Analysis: checking computers' characteristics against a list of known threats. High precision, low recall.
⚫ Behavioural Analysis: monitoring networks for behaviours known to be exhibited by botnets. Low precision, high recall.
16. Static Analysis
Involves checking items against a known list of malicious or dangerous items, e.g.:
⚫ executable binaries
⚫ IP addresses
⚫ malicious URLs
If the lists are up to date, the process is a fast and reliable way of detecting threats.
17. Static Analysis: Problems
Malware authors can use a variety of techniques to avoid detection:
⚫ Polymorphism: the creation of multiple unique but functionally identical malware files
⚫ URL obfuscation (e.g. using escape sequences, converting an IP address to decimal)
⚫ Changing IP addresses and/or web pages rapidly
⚫ Using large numbers of alternate URLs that connect to the same resource
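The URL obfuscation point above is the one list-based defence can cope with if the lookup is done on a canonical form. As an added example (not from the deck), the Python below undoes the tricks the slide names, percent-escapes and an IPv4 address written as one decimal or hex integer, before comparing the host against a constructed blocklist:

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit, unquote

# Constructed blocklist; entries are kept in canonical form (lower-case host or dotted-quad IP).
BLOCKLIST = {"evil.example", "192.168.1.1"}

def canonical_host(url: str) -> Optional[str]:
    """Return the host part of `url` with common obfuscations undone:
    userinfo before '@', percent-escapes in the host, upper-case letters,
    a trailing dot, and IPv4 addresses written as one decimal or hex integer."""
    host = urlsplit(url.strip()).hostname  # drops userinfo and port, lower-cases
    if not host:
        return None
    host = unquote(host).lower().rstrip(".")
    try:
        # base 0 accepts plain decimal ("3232235777") and "0x"-prefixed hex
        number = int(host, 0)
    except ValueError:
        return host  # an ordinary host name or an already dotted-quad IP
    if 0 <= number <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(number))  # 3232235777 -> "192.168.1.1"
    return host

def is_blocked(url: str, blocklist=BLOCKLIST) -> bool:
    """Blocklist lookup on the canonical host, so decimal, hex or percent-encoded
    variants of a listed host cannot slip past a literal string comparison."""
    host = canonical_host(url)
    return host is not None and host in blocklist
```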
18. Behavioural Analysis
⚫ Some bots attempt connections to each port on a target computer in sequence (port scan). Largely obsolete now.
⚫ Bot activities are often closely coordinated with DDoS attacks and time-sensitive spam/phishing attacks. This leads to a very high number of connections in a short time.
⚫ Bots often use protocols such as IRC or UDP exclusively, which is unusual for uninfected hosts.
19. Behavioural Analysis
Compared to most systems, bots are likelier to:
⚫ have shorter intervals between acquisition of new targets
⚫ have a higher number of failed connections
⚫ send large volumes of email from locally installed SMTP servers
⚫ communicate using the IP addresses of web servers rather than server names
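The indicators on slides 18 and 19 can be computed per internal host from flow records. The Python below is an added example, not part of the deck: it scores constructed sample flows on target-acquisition rate, failed-connection ratio, outbound SMTP volume and web connections to addresses that never appeared in a DNS answer, and flags a host only when several indicators fire together (the thresholds and the sample data are constructed).

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Flow:
    ts: float   # seconds since start of the capture
    src: str    # internal host
    dst: str    # destination address
    dport: int  # destination port
    ok: bool    # False = connection attempt failed (RST or timeout)

# Constructed sample data: 10.0.0.5 behaves like a spam bot, 10.0.0.9 like a workstation.
BOT = [Flow(2.0 * i, "10.0.0.5", f"203.0.113.{i + 1}", 25, i % 3 != 0) for i in range(20)]
BOT.append(Flow(39.0, "10.0.0.5", "192.0.2.44", 80, True))  # web request to a raw IP
NORMAL = [Flow(5.0, "10.0.0.9", "198.51.100.7", 443, True),
          Flow(65.0, "10.0.0.9", "198.51.100.8", 80, True),
          Flow(120.0, "10.0.0.9", "198.51.100.7", 443, True)]
FLOWS = BOT + NORMAL
RESOLVED_IPS = {"198.51.100.7", "198.51.100.8"}  # constructed: addresses seen in DNS answers

# Constructed thresholds; in practice they are tuned against the site's normal traffic.
THRESHOLDS = {"targets_per_min": 20.0, "failed_ratio": 0.3,
              "smtp_conns": 10, "web_to_unresolved_ip": 1}

def host_features(flows, resolved_ips):
    """Per-source-host indicators from slides 18-19: rate of new targets, share of
    failed connections, outbound SMTP count, and web connections to addresses that
    never appeared in a DNS answer (the host name was bypassed)."""
    by_host = defaultdict(list)
    for f in flows:
        by_host[f.src].append(f)
    feats = {}
    for host, fl in by_host.items():
        fl.sort(key=lambda f: f.ts)
        span = max(fl[-1].ts - fl[0].ts, 1.0)  # avoid division by zero for a single flow
        feats[host] = {
            "targets_per_min": 60.0 * len({f.dst for f in fl}) / span,
            "failed_ratio": sum(not f.ok for f in fl) / len(fl),
            "smtp_conns": sum(f.dport == 25 for f in fl),
            "web_to_unresolved_ip": sum(f.dport in (80, 443) and f.dst not in resolved_ips for f in fl),
        }
    return feats

def suspicious_hosts(flows, resolved_ips, min_hits=2):
    """Flag a host only when at least `min_hits` indicators fire together; a single
    indicator (one burst of failed connections) is too noisy on its own."""
    flagged = {}
    for host, feats in host_features(flows, resolved_ips).items():
        hits = [name for name, limit in THRESHOLDS.items() if feats[name] >= limit]
        if len(hits) >= min_hits:
            flagged[host] = hits
    return flagged
```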
20. Behavioural Analysis: Problems
⚫ Requires high processing time
⚫ Needs an appropriate environment (some malware refuses to run if it detects it is being executed in a virtual/isolated environment)
⚫ Needs to mitigate the high risk of false positives