Botnets An Introduction - PowerPoint PPT Presentation

1
Botnets: An Introduction
  • Kapil Kumar Singh
  • CS 6262 Presentation
  • Georgia Institute of Technology

2
Outline
  • Introduction
  • Definitions
  • (Mis)uses of botnets
  • IRC based Botnets
  • Propagation
  • Rallying
  • Detection, including KarstNet
  • P2P Botnets

3
Definition: Bots
  • Definition: autonomous programs automatically
    performing tasks, absent a real user.
  • Benign bots
      • Countless examples at http://www.botknowledge.com/
  • Gray-area bots
      • Blogbots, e.g., Wikipedia, Xanga. Note:
        http://en.wikipedia.org/wiki/Wikipedia:Bots
      • Other examples: xdcc, fserve bots for IRC
  • Malicious bots
      • Key characteristics: process forking, with
        network and file access, and propagation
        potential.

4
Definition: Botnets
  • Definition: networks of autonomous programs
    capable of acting on instructions.
  • Again, gray areas: FServe bot farms, spider
    farms, etc.
  • Today, just a narrow definition:
      • Organized network of malicious bot clients

5
Botnets as a Root Cause
  • Distributed DoS
  • Spamming
  • Click fraud attacks
  • Identity thefts
  • Cheating in online polls/games
  • Many others

6
Attack Update
  • Botnets of course are used for DDoS

Typical Distributed Denial of Service (DDoS)
7
Attack Update
  • Botnets have been used for reflective attacks

Distributed Reflective Attack
8
Attack Update
  • Botnets increasingly used for amplified
    distributed reflective attacks

Amplified Distributed Reflective Attack
9
Summary of capabilities
  • Sophisticated, highly adept programmers, well
    funded
  • ID Theft only hints at the problem
  • Massive phishing (pharming) enterprises
  • Trivial ability to influence routing, BGP
    exploitation
  • Critical infrastructure implications

10
Botnets: Money matters!
11
New Threats
  • To evade trivial rate-based detection (L4), worms
    now spread through applications (L7)
  • Impossible to scan all e-mail, P2P, IRC traffic
  • Key problem for the attackers:
      • How to rally victims
  • Rallying options: P2P, Usenet, (Dyn)DNS
  • Most (> 90%) use DNS

12
Botnet Propagation: Hiring of new bots
  • Email
      • Requires user interaction, social engineering
      • Easiest method, common.
  • Instant message
      • Various social eng., file transfer,
        vulnerabilities
  • Remote software vulnerability
      • Often, no interaction needed

13
Botnet Propagation: Hiring of new bots
  • Seed botnets
      • Botnets create botnets.
      • Used for upgrades.
  • More than 80% of the bots are unpatched Windows
    machines!

14
The Rallying Problem
  • Suppose we create a virus
      • Download vx code, fiddle, compile
      • Uses email propagation/social engr.
      • We mail it...
  • What if we want to use victim resources?

15
Rallying - I
  • Naively, we could have victims contact us...
  • Problems:
      • VX must include author's address (not stealthy)
      • Single rallying point (not robust)
      • VX has hard-coded address (not mobile)

16
Rallying - II
  • The victims could contact a 3rd party, e.g., post
    to Usenet
      • Some connections dropped, single point of failure
        (not robust)
      • Rival VXers and AVers obtain list (not stealthy)
      • Public, lasting record of victims (not stealthy)

17
Rallying - III
  • The victims could contact a robust service, e.g.,
    IRCd
      • No single point of failure (is robust)
      • Rival VXers and AVers ID list (not stealthy)
          • Addressed by adjusting protocol adherence or
            private nature of service.
      • Portability of IRCd, DNS (is mobile)

18
Rallying Summary
  • A first task of zombies is rallying
      • How can victims contact the master safely?
  • Simple, naïve approach
      • Victims contact single IP, website, ping a
        server, etc.
      • Easily defeated (ISP intervention, blackhole
        routing, etc.)
      • Still used by kiddies, first-time malware authors
  • Resilient networks needed
      • IRC resists assaults by ISPs: very little
        supervision/intrusion
      • P2P, WASTE
  • Open problem
      • If you had 300K bots, what does command and
        control look like?
      • Botnets usually use 3,000 users/channel
      • Newer botnets use a command and control hierarchy,
        with botmaster, lieutenants, and individual
        zombies

19
Botnet Statistics
  • Botnets
      • Collections of individual bots
      • Command and control via single IRC channel
      • 1,000-node botnets are small.
      • Observed 8,000 bot connections/hour
      • 200K to 300K machines in botnet possible
  • Channels with
  • Example: One random Undernet observation
      • 52,000 visible
      • 67,000 invisible
      • 30,000 are bots

20
Bandwidth study of a sample from 3 million bots
observed online. Most are DSL (130 Kbps), with
some peaks at 300 Kbps. Not shown are very
high-BW bots (DS3 connections).
Botnets can DDoS some countries, most
large companies, etc.
21
IRC Botnet Removal
  • Dynamic Drone Detection (DDD)
      • A confidential tool to detect botnet patterns
        (simple Markov model)
      • Very effective in real use against the classics:
        netsky, agobot, sdbot, etc.
      • Identifies patterns in
          • nick, user, realname
      • Perl IRSSI plugin
  • Simple
      • Evasion possible
      • But we're developing better detection heuristics
          • Behavior, Turing test plugins, etc.
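As an added illustration of the nick-pattern idea (not the DDD tool, whose code the slide says is confidential): a character-bigram Markov model trained on a constructed list of human-looking nicks scores a channel roster, and nicks built from letter pairs the baseline never produces fall below a cut-off. The nick lists, alphabet and threshold margin are assumptions; real deployments would also score user and realname.

```python
import math
from collections import defaultdict

# Alphabet the model scores over; any other character is mapped to "?".
# "$" marks end of nick; "^" is the start marker (only ever a previous char).
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789_|[]-$?"
V = len(ALPHABET)  # vocabulary size for add-one smoothing

# Constructed list of ordinary human nicks, standing in for a channel baseline.
HUMAN_NICKS = ["alice", "bobby", "charlie", "dave_k", "erin", "frankie",
               "george", "hannah", "ivan", "julia", "kevin", "laura",
               "mike", "nadia", "oscar", "peter", "quinn", "rosa",
               "steve", "tina", "ursula", "victor", "wendy", "xavier"]

def _symbols(nick):
    """Lower-case the nick, map unknown chars to '?', add start/end markers."""
    body = [c if c in ALPHABET else "?" for c in nick.lower()]
    return ["^"] + body + ["$"]

def train(nicks):
    """Count character bigrams over the training nicks."""
    counts = defaultdict(lambda: defaultdict(int))
    totals = defaultdict(int)
    for nick in nicks:
        syms = _symbols(nick)
        for prev, nxt in zip(syms, syms[1:]):
            counts[prev][nxt] += 1
            totals[prev] += 1
    return {"counts": counts, "totals": totals, "nicks": list(nicks)}

def score(nick, model):
    """Mean log P(next | prev) over the nick's transitions (add-one smoothed).
    Nicks built from common letter pairs score higher, i.e. closer to 0."""
    syms = _symbols(nick)
    logps = [math.log((model["counts"][p][n] + 1) / (model["totals"][p] + V))
             for p, n in zip(syms, syms[1:])]
    return sum(logps) / len(logps)

def threshold(model, margin=0.25):
    """Cut-off: a fixed margin below the lowest-scoring training nick."""
    return min(score(n, model) for n in model["nicks"]) - margin

def flag_bot_nicks(roster, model):
    """Nicks from a channel roster that score below the cut-off."""
    cut = threshold(model)
    return [n for n in roster if score(n, model) < cut]

# Constructed channel roster: three humans and two bot-style nicks.
ROSTER = ["alice", "steven", "[USA|XP]84921", "kq7zxv01", "george"]
MODEL = train(HUMAN_NICKS)
```

A nick that is human but unusual can still land below the cut-off, which is the evasion/false-positive trade-off the slide alludes to.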

22
Removal with DDD
  • So, you find a bot army big enough to DDoS
    cnn.com or similar sites. What now?
  • Proceed with caution.
      • Bot is reverse engineered
      • Always approach channel from the IRC server, or
        from a proxied address. (Your proxies will get
        burned.)
  • Remove-self command issued
      • Most bots have such a command, to help evade
        forensic analysis
      • Locate, and send command, spoofed from the bot
        master's address.

23
KarstNet: Responding to Botnets
  • KarstNet approach
      • Manipulate the DNS for drone armies
      • Almost all malware rallies through use of DynDNS
      • Therefore, have the DynDNS provider make a sinkhole
        Resource Record (RR) for the CNAME.


Dude, where's my botnet?
24
KarstNet: Malware with Strings
(Diagram: Malware Author, Victim Cloud, Dyn DNS. The VX carries
the string www.hackers.com; Dyn DNS maps www.hackerz.com to
10.0.0.1, the rallying box.)
25
KarstNet: A-record Rallying
(Diagram: the Victim Cloud asks Dyn DNS "DNS for
www.hackers.com?"; Dyn DNS holds www.hackerz.com 10.0.0.1,
the rallying box.)
26
KarstNet: A-record Rallying
(Diagram: Dyn DNS answers the Victim Cloud's query for
www.hackers.com with the authoritative record 10.0.0.1, the
rallying box.)
27
KarstNet: Command and Control
(Diagram: the Victim Cloud connects to the rallying box,
www.hackerz.com 10.0.0.1, as resolved via Dyn DNS.)
28
KarstNet: Command and Control
(Diagram: the Malware Author reaches the Victim Cloud through
the rallying box, www.hackerz.com 10.0.0.1.)
29
KarstNet: Detection
(Diagram: Dnstop alert; DynDNS updates the CNAME to point to
the GT sinkhole. Elements: Dyn DNS, www.hackerz.com 10.0.0.1
(rallying box), Malware Author, Victim Cloud.)
30
Drone Army Responses: DNS
(Diagram: after the Dnstop alert and CNAME update, the Victim
Cloud rallies to the GT Sinkhole instead of www.hackerz.com
10.0.0.1 (rallying box); the Malware Author's next move is
marked "???".)
31
Response Options
  • DNS Removal
  • Passive Logging (blackhole)
  • Passive Monitoring (sinkhole)
      • TCP layer-4 timeout games
      • Application-layer delays
  • Interactive Monitoring
      • Proxynet/Man-in-the-middle
      • Fingerprinting hosts: clock skew, OS services,
        IP, time, etc.
      • Bot application versioning
      • Removal interactions (Caution!)

34
Conclusions
  • Botnets are the biggest Internet threat of the
    current generation
  • Source of many attacks
  • Detection and containment can be successful only
    at the network level
  • Detection should be ideally before the attack

35
P2P Botnets
  • Bots organized in a decentralized, distributed,
    self-sustaining network that is more difficult to
    detect and more resilient to response than
    centrally controlled botnets.
  • Still relatively new problem, subject to research.

36
P2P Botnets: A Real Threat
  • P2P botnets are the logical next step in the
    evolution of botnets
      • Resilience (no central point of failure)
      • Hard to track and disable C&C
  • Specialized botnets are on the horizon (e.g.,
    warez distribution, high bandwidth, small size)
  • Botnet size does not fall off with time:
    automatic recruitment in response to losses
  • Learning experience (WASTE). Prototype has been
    discovered, more will come

37
P2P Botnet Creation (Bootstrap Problem)
  • In-band
      • Bots carry a peer list with them.
      • Cache the list when going offline and attempt
        connections to cached entries when coming up.
      • Scanning the Internet like a worm is another
        option. Less reliable.
      • Initial topology created at time of malware
        propagation
  • Out-of-band
      • Use a means such as gWebCache to locate each
        other (already seen). Topology can be created
        anytime.
  • These (or a combination of these two) are the
    only ways in which a P2P botnet can bootstrap.

38
P2P Botnet Operating Invariants
  • Bot behavior is diurnal (because of user
    behavior).
  • Stable topology needs to be maintained.

39
P2P Botnet Detection
  • Long-lived connections to various countries in a
    diurnal fashion.
  • Large number of failed connection attempts for
    nodes that go offline, because topology
    information propagates slowly.
  • Correlation of C&C commands from various points
    (e.g., at an ingress or egress) has to be both in
    time and space (how close were two messages in
    time, or how many machines did the message emanate
    from)
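As an added example (not from the slides), the failed-connection heuristic above applied to constructed flow records: a host walking a stale peer list fails against many distinct peers, while a client retrying one dead server fails just as often but to a single destination and is not reported. The record layout, outcome names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed flow records, "<epoch> <src> <dst> <dport> <outcome>"; outcomes
# SYN_TIMEOUT and RST are failed attempts, ESTABLISHED is a live peer.
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.10 6881 SYN_TIMEOUT
1002 10.0.0.5 203.0.113.11 6881 RST
1004 10.0.0.5 198.51.100.7 6881 SYN_TIMEOUT
1006 10.0.0.5 198.51.100.8 6881 SYN_TIMEOUT
1008 10.0.0.5 192.0.2.20 6881 RST
1010 10.0.0.5 192.0.2.21 6881 ESTABLISHED
1000 10.0.0.7 203.0.113.50 443 SYN_TIMEOUT
1003 10.0.0.7 203.0.113.50 443 SYN_TIMEOUT
1006 10.0.0.7 203.0.113.50 443 SYN_TIMEOUT
1009 10.0.0.7 203.0.113.50 443 SYN_TIMEOUT
1012 10.0.0.7 203.0.113.50 443 SYN_TIMEOUT
1001 10.0.0.9 203.0.113.60 443 ESTABLISHED
1005 10.0.0.9 203.0.113.61 443 RST
"""
FAILED = {"SYN_TIMEOUT", "RST"}

def parse(lines):
    """Yield (epoch, src, dst, dport, outcome); skip blank/malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        epoch, src, dst, dport, outcome = parts
        yield int(epoch), src, dst, int(dport), outcome

def failure_summary(records):
    """Per source host: (failed attempts, distinct peers those failures hit)."""
    failed = defaultdict(int)
    peers = defaultdict(set)
    for _, src, dst, _, outcome in records:
        if outcome in FAILED:
            failed[src] += 1
            peers[src].add(dst)
    return {src: (failed[src], len(peers[src])) for src in failed}

def suspicious_hosts(records, min_failed=5, min_distinct=4):
    """Hosts whose failures are both numerous and spread over many peers, the
    signature of a bot trying cached peers that have gone offline. A client
    hammering one dead server fails as often but to one destination, so it
    is not reported."""
    return sorted(src for src, (n, d) in failure_summary(records).items()
                  if n >= min_failed and d >= min_distinct)
```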

40
Discussion
  • There are invariants of botnets that P2P botnets
    also have, e.g.:
      • Large-scale bot recruitment
      • C&C is needed
      • Network reachability or connectedness is a main
        concern
      • Diurnal behavior due to user activities (e.g.,
        turn off/disconnect computers).
  • Command and control has three parts: (a) locating
    the botnet, (b) authenticating to the botnet, (c)
    querying and command distribution.
  • New paradigms in emerging botnets, e.g., setting up
    gradients in P2P networks to find points of high
    b/w, file availability, high uptime, etc.

41
Thanks
  • David Dagon
  • Wenke Lee
  • Sanjeev Dwivedi