Taxonomy of Botnet ThreatsDefense by the

WanderersAngel  Pia Jr., Wander Smelan, Koonal Bose, Scott

Thompson

Botnet DebateBotnet Debate

Resolve that the Trend Micro white paper: Taxonomy of Botnet Threats provided a better understanding of botnet behavior, detection and mitigation.

What this white paper is What this white paper is and what it is not.and what it is not. It is not meant to be the most comprehensive, all

inclusive, most definitive resource material for botnets and its future incarnations.

It is a working document meant to provide an organized and systematic approach to understanding botnets and its behavior to confront the threat that it poses.

And for this reason this white paper merits its intended goal above any minor and nit-picky blemishes it may have, if ever it has.

OutlineOutline Definition [Angel Pia]

History and background [Angel Pia]

Taxonomy of botnets Attacking behavior [Wander Smelan] Command and Control model [Wander Smelan] Rallying mechanisms [Koonal Bose] Communication Protocols [Koonal Bose] Evasion Techniques [Scott Thompson] Observable botnet activities [Scott Thompson]

Conclusion and Q&A

DefinitionDefinition Botnets (robot networks)

zombie computers/drones/armies large number of compromised computers under the control of

a botmaster means to conduct various attacks ranging from Distributed

Denial of Service (DDoS) to email-spamming, spreading new malware, etc.

harnessing immense computing power.

Source: A typical botnet created from zombies (Credit: Cisco) http://www.macworld.co.uk/business/news/index.cfm?newsid=25756

DefinitionDefinition Bot

compromised host computer also refer to the code planted on such computer.

Botmaster one or a few computers used by the crackers to run command

and control operations over the botnet.

Taxonomy Science or technique of classification

History and History and backgroundbackground First bot PrettyPark worm (1999)

retrieved log-in names, email addresses, nicknames. connects to a remote IRC server from which the botmaster can

remotely control a large pool of infected hosts. first time such command and control method was employed. this concept soon spread to the rest of the black hat

community and various variants of the botnet evolved through the years.

Rise of profit-driven attacks such as DDoS, spamming, phishing and identity theft of which botnets have proven to be a compelling vehicle over status-seeking and vandalism objectives.

History and History and backgroundbackgroundDDoS, spamming, phishing and identity theft attacks from botnets.

History and History and backgroundbackground

History and History and backgroundbackground Sophistication of attacks and now has evolved to one

which poses the highest security threat in the internet.

In 2006, it cost $67.2B for US businesses to deal with malware.

Taxonomy of Taxonomy of botnetsbotnets Attacking behavior

means of compromising, propagating and launching attacks from a botnet

DDoS; scan; remote exploits; junk emails (phishing and virus attachments); phishing websites; spyware; identity theft; etc

Command & Control (C&C) models classification of botnet topologies centralized; distributed; P2P; etc

Rally mechanisms methods of bot activation into the botnet for malware service. hard-coded IP; Dynamic DNS; Distributed DNS; etc

Taxonomy of Taxonomy of botnetsbotnets Communication protocols

way of botnets communicating to each other and to the botmaster or C&C server

IRC; HTTP; IM; P2P; etc

Observable botnet activities other observable techniques DNS queries; burst short packets; abnormal system calls; etc

Evasion Techniques ways botnets evade detection HTTP/VOIP tunneling; IPv6 tunneling; P2P encrypted traffic; etc

Attacking BehaviorsAttacking Behaviors

Attacking BehaviorsAttacking BehaviorsPurposes and techniques:

Infecting new hosts (propagation of botnets) social engineering and distribution of malicious emails

Stealing Sensitive Information keylogger and Network traffic sniffers

Sending Spam and Phishing botnets distribute untraceable emails

Distributed Denial of Service (DDoS) large amount of synchronized requests to a particular server or

service

Command and Command and Control (C&C)Control (C&C) Used to manage large-scale attacks

Essential for operation and support of botnets

Weakest links of botnets

3 types: Centralized, Peer-to-Peer (P2P) and Random

Attacking BehaviorsAttacking BehaviorsProfile of a botnet mastermind

Name: Owen Thor Walker

Aka “AKILL”

Country: New Zealand

Started his “A-TEAM” botnet group when he was 16. By age 19, had 1.3mi+ computers

Had been diagnosed with Asperger's syndrome, a mild form of autism often characterized by social isolation, when he was 10

Caused damaged of over $20mi

Caused computer to crash, stole private information and sold to e-criminals.

Command and Command and Control (C&C)Control (C&C)Centralized C&C Model

Most commonly used Simple to implement and customize Easiest to eliminate Small message latency Botnet network size: 1,000++

Source: http://mrcracker.com/2009/09/botnet/

Command and Command and Control (C&C)Control (C&C)P2P C&C Model

More resilient to failures Less common, hard to discover, and hard to defend Unreliable from the messaging system perspective Hard to launch large scale attacks Botnet network size: 10-50

Source: http://mrcracker.com/2009/09/botnet/

Command and Command and Control (C&C)Control (C&C)Random C&C Model

Described by Evan Cooke – but still not in use in real world botnets

Model: Bot waits (listens) for incoming connection. Easy implementation Highly resilient to discovery and destruction. Scalability limitations make it difficult to coordinate

large attacks.

Rallying Rallying MechanismsMechanisms

Rallying Rallying MechanismsMechanisms Hard-coded IP address

Dynamic Domain Name Server

Distributed DNS service

Rallying Rallying MechanismsMechanismsHard-coded IP address

The bot includes hard-coded C&C server IP address in its binary.

Easy to defend against if ip addresses is detected channel is blocked botnet is deactivated

Rallying Rallying MechanismsMechanismsDynamic DNS

Hard-coded domain names, assigned by dynamical DNS providers

If C&C Server is deactivated, botmaster can resume control by assigning a new IP address to corresponding DNS entry

Makes it harder to detect

Rallying Rallying MechanismsMechanismsDistributed DNS service

Botnets run their own distributed DNS service

Many are run at high port numbers in order to avoid detection by security devices

Hardest to identify and destroy

Communication Communication ProtocolsProtocols Botnets communicate with each other and their

Botmasters following well defined network protocols Importance of discovering communication has 2 main

advantages understanding Botnets origin, and possible software tools used helps security groups decode conversations between bots and

between bots and their master Main Communication Protocols being used

IRC (Internet Relay Chat) HTTP (Hypertext Transfer – www) P2P (Peer to Peer) IM (Instant Messaging)

Communication Communication ProtocolsProtocolsIRC Protocol IRC based Botnets are most frequently used IRC is mainly designed for group communication but can

also handle private messages between two people Botnet C&C Server runs an IRC service that is no

different from a standard IRC server Inbound vs Outbound IRC traffic

inbound usually indicates local host is being recruited by Botnet outbound usually indicates local host has been compromised

and is being used as a C&C server of a Botnet Firewalls can be configured to block IRC traffic IRC botnets have scripts that parse messages and will

execute malicious functions accordingly

Communication Communication ProtocolsProtocolsIRC Protocol

Botnet C&C Server running IRC service

Botmaster

IRC Server

Communication Communication ProtocolsProtocolsIRC Protocol

Once detected can easily be blocked

Botnet user

Communication Communication ProtocolsProtocolsHTTP and Other Protocols 2 main advantages of using HTTP Protocol

Blends with normal Internet traffic Abnormal ports are normally blocked at firewall, HTTP allows

botnet to communicate back with the C&C Server

HTTP is harder to detect but not impossible since response header fields and page payload would be different from normal HTTP traffic.

P2P and IM are more recent protocols being used by Botnets Still relatively small number compared to HTTP and IRC

Communication Communication ProtocolsProtocols P2P Protocol

Distributed control

Communication Communication ProtocolsProtocols P2P Protocol

Distributed control Even if one is detected it is hard to disable

Evasion and Evasion and Detection Detection TechniquesTechniques

Detection and Detection and Evasion TechniquesEvasion Techniques

Detection Techniques

Antivirus & Intrusion Detection Systems (IDS) These antivirus systems are based

on virus signature.

Anomaly-based detection systems Monitor communication traffic

Detection and Detection and Evasion TechniquesEvasion TechniquesEvasion Techniques

From Signature-based Detection Executable Packers Rootkits Protocol evasion techniques

From Anomaly-based detection systems New / modified communication protocols: IRC, HTTP, VoIP Utilize secure channels to hide communications Alternative channels: ICMP or IPv6 tunneling Potentially use SKYPE or IM

Detection and Detection and Evasion TechniquesEvasion TechniquesEffective Detection Alternative

Combination of Techniques: Detect connections to C&C centers Monitor for Communication Traffic Monitor for Anomalous Behavior

Detection and Detection and Evasion TechniquesEvasion TechniquesCombating Botnets focusing on Detectable Behavior

Global Correlation Behavior

Network-based Behavior

Host-Based Behavior

Detection and Detection and Evasion TechniquesEvasion TechniquesNetwork-based Behaviors

Observable Communications: Monitor IRC & HTTP traffic to servers that don't require these

protocols IRC traffic that is not “human readable” DNS queries (lookups for C&C controllers) Frequency changes in IP for DNS lookups Long idle periods followed by very rapid responses Very bursty traffic patterns

Attack Traffic: Denial of Service: TCP SYN packets (invalid source) Internal system sending emails (Phishing)

Detection and Detection and Evasion TechniquesEvasion Techniques

Host-based Behaviors

Detectable activity on an infected host:

Disabled Anti-virus Large numbers of updates to

system registry Specific system/library call

sequences

Detection and Detection and Evasion TechniquesEvasion TechniquesGlobal Correlated Behaviors Common across different Botnet implementations:

Detect DNS changes for C&C host

Large numbers of DNS queries

ConclusionConclusion

ConclusionConclusion Botnets are a dangerous evolution in the malware

world

They are being used to damage systems, steal information and comprise systems

They are hard to detect and eliminate

The taxonomy approach allowed us an organized and systematic means to understanding the nature of botnets and their behaviors. This will allow us to mitigate the threat with corrective measures.

Q&AQ&A

ConclusionConclusion