Taxonomy of Botnet Threats - PowerPoint PPT Presentation

About This Presentation
Title:

Taxonomy of Botnet Threats

Description:

... http://www.macworld.co.uk/business/news/index.cfm?newsid=25756 Definition Bot compromised host computer also refer to the code planted on such computer. – PowerPoint PPT presentation

Number of Views:250
Avg rating:3.0/5.0
Slides: 44
Provided by: opera4
Category:

less

Transcript and Presenter's Notes

Title: Taxonomy of Botnet Threats


1
Taxonomy of Botnet Threats
  • Defense by the Wanderers
  • Angel  Pia Jr., Wander Smelan, Koonal Bose, Scott
    Thompson

2
Botnet Debate
  • Resolve that the Trend Micro white paper
    Taxonomy of Botnet Threats provided a better
    understanding of botnet behavior, detection and
    mitigation.

3
What this white paper is and what it is not.
  • It is not meant to be the most comprehensive, all
    inclusive, most definitive resource material for
    botnets and its future incarnations.
  • It is a working document meant to provide an
    organized and systematic approach to
    understanding botnets and its behavior to
    confront the threat that it poses.
  • And for this reason this white paper merits its
    intended goal above any minor and nit-picky
    blemishes it may have, if ever it has.

4
Outline
  • Definition Angel Pia
  • History and background Angel Pia
  • Taxonomy of botnets
  • Attacking behavior Wander Smelan
  • Command and Control model Wander Smelan
  • Rallying mechanisms Koonal Bose
  • Communication Protocols Koonal Bose
  • Evasion Techniques Scott Thompson
  • Observable botnet activities Scott Thompson
  • Conclusion and QA

5
Definition
  • Botnets (robot networks)
  • zombie computers/drones/armies
  • large number of compromised computers under the
    control of a botmaster
  • means to conduct various attacks ranging from
    Distributed Denial of Service (DDoS) to
    email-spamming, spreading new malware, etc.
  • harnessing immense computing power.
  • Source A typical botnet created from zombies
    (Credit Cisco) http//www.macworld.co.uk/business
    /news/index.cfm?newsid25756

6
Definition
  • Bot
  • compromised host computer
  • also refer to the code planted on such computer.
  • Botmaster
  • one or a few computers used by the crackers to
    run command and control operations over the
    botnet.
  • Taxonomy
  • Science or technique of classification

7
History and background
  • First bot PrettyPark worm (1999)
  • retrieved log-in names, email addresses,
    nicknames.
  • connects to a remote IRC server from which the
    botmaster can remotely control a large pool of
    infected hosts.
  • first time such command and control method was
    employed.
  • this concept soon spread to the rest of the black
    hat community and various variants of the botnet
    evolved through the years.
  • Rise of profit-driven attacks such as DDoS,
    spamming, phishing and identity theft of which
    botnets have proven to be a compelling vehicle
    over status-seeking and vandalism objectives.

8
History and background
  • DDoS, spamming, phishing and identity theft
    attacks from botnets.

9
History and background
10
History and background
  • Sophistication of attacks and now has evolved to
    one which poses the highest security threat in
    the internet.
  • In 2006, it cost 67.2B for US businesses to deal
    with malware.

11
Taxonomy of botnets
  • Attacking behavior   
  • means of compromising, propagating and launching
    attacks from a botnet
  • DDoS scan remote exploits junk emails
    (phishing and virus attachments) phishing
    websites spyware identity theft etc
  •  Command Control (CC) models
  • classification of botnet topologies
  • centralized distributed P2P etc
  •  Rally mechanisms
  • methods of bot activation into the botnet for
    malware service.
  • hard-coded IP Dynamic DNS Distributed DNS etc

12
Taxonomy of botnets
  •  Communication protocols
  • way of botnets communicating to each other and to
    the botmaster or CC server
  • IRC HTTP IM P2P etc
  •  Observable botnet activities
  • other observable techniques
  • DNS queries burst short packets abnormal system
    calls etc
  •  Evasion Techniques
  • ways botnets evade detection
  • HTTP/VOIP tunneling IPv6 tunneling P2P
    encrypted traffic etc

13
Attacking Behaviors
14
Attacking Behaviors
  • Purposes and techniques
  • Infecting new hosts (propagation of botnets)
  • social engineering and distribution of malicious
    emails
  • Stealing Sensitive Information  
  • keylogger and Network traffic sniffers
  • Sending Spam and Phishing
  • botnets distribute untraceable emails
  • Distributed Denial of Service (DDoS)
  • large amount of synchronized requests to a
    particular server or service

15
Command and Control (CC)
16
Command and Control (CC)
  • Used to manage large-scale attacks
  • Essential for operation and support of botnets
  • Weakest links of botnets
  • 3 types Centralized, Peer-to-Peer (P2P) and
    Random

17
Attacking Behaviors
  • Profile of a botnet mastermind
  • Name Owen Thor Walker
  • Aka AKILL
  • Country New Zealand
  • Started his A-TEAM botnet group when he was
    16. By age 19, had 1.3mi computers
  • Had been diagnosed with Asperger's syndrome, a
    mild form of autism often characterized by social
    isolation, when he was 10
  • Caused damaged of over 20mi
  • Caused computer to crash, stole private
    information and sold to e-criminals.

18
Command and Control (CC)
  • Centralized CC Model
  • Most commonly used
  • Simple to implement and customize
  • Easiest to eliminate
  • Small message latency
  • Botnet network size 1,000
  • Source http//mrcracker.com/2009/09/botnet/

19
Command and Control (CC)
  • P2P CC Model
  • More resilient to failures
  • Less common, hard to discover, and hard to defend
  • Unreliable from the messaging system perspective
  • Hard to launch large scale attacks
  • Botnet network size 10-50
  • Source http//mrcracker.com/2009/09/botnet/

20
Command and Control (CC)
  • Random CC Model
  • Described by Evan Cooke but still not in use in
    real world botnets
  • Model Bot waits (listens) for incoming
    connection.
  • Easy implementation
  • Highly resilient to discovery and destruction.
  • Scalability limitations make it difficult to
    coordinate large attacks.

21
Rallying Mechanisms
22
Rallying Mechanisms
  • Hard-coded IP address
  • Dynamic Domain Name Server
  • Distributed DNS service

23
Rallying Mechanisms
  • Hard-coded IP address
  • The bot includes hard-coded CC server IP address
    in its binary.
  • Easy to defend against if ip addresses is
    detected
  • channel is blocked
  • botnet is deactivated

24
Rallying Mechanisms
  • Dynamic DNS
  • Hard-coded domain names, assigned by dynamical
    DNS providers
  • If CC Server is deactivated, botmaster can
    resume control by assigning a new IP address to
    corresponding DNS entry
  • Makes it harder to detect

25
Rallying Mechanisms
  • Distributed DNS service
  • Botnets run their own distributed DNS service
  • Many are run at high port numbers in order to
    avoid detection by security devices
  • Hardest to identify and destroy

26
Communication Protocols
27
Communication Protocols
  • Botnets communicate with each other and their
    Botmasters following well defined network
    protocols
  • Importance of discovering communication has 2
    main advantages
  • understanding Botnets origin, and possible
    software tools used
  • helps security groups decode conversations
    between bots and between bots and their master
  • Main Communication Protocols being used
  • IRC (Internet Relay Chat)
  • HTTP (Hypertext Transfer www)
  • P2P (Peer to Peer)
  • IM (Instant Messaging)

28
Communication Protocols
  • IRC Protocol
  • IRC based Botnets are most frequently used
  • IRC is mainly designed for group communication
    but can also handle private messages between two
    people
  • Botnet CC Server runs an IRC service that is no
    different from a standard IRC server
  • Inbound vs Outbound IRC traffic
  • inbound usually indicates local host is being
    recruited by Botnet
  • outbound usually indicates local host has been
    compromised and is being used as a CC server of
    a Botnet
  • Firewalls can be configured to block IRC traffic
  • IRC botnets have scripts that parse messages and
    will execute malicious functions accordingly

29
Communication Protocols
  • IRC Protocol
  • Botnet CC Server running IRC service

IRC Server
30
Communication Protocols
  • IRC Protocol
  • Once detected can easily be blocked

31
Communication Protocols
  • HTTP and Other Protocols
  • 2 main advantages of using HTTP Protocol
  • Blends with normal Internet traffic
  • Abnormal ports are normally blocked at firewall,
    HTTP allows botnet to communicate back with the
    CC Server
  • HTTP is harder to detect but not impossible since
    response header fields and page payload would be
    different from normal HTTP traffic.
  • P2P and IM are more recent protocols being used
    by Botnets
  • Still relatively small number compared to HTTP
    and IRC

32
Communication Protocols
  • P2P Protocol
  • Distributed control

33
Communication Protocols
  • P2P Protocol
  • Distributed control
  • Even if one is detected it is hard to disable

34
Evasion and Detection Techniques
35
Detection and Evasion Techniques
  • Detection Techniques
  • Antivirus Intrusion Detection Systems (IDS)
  • These antivirus systems are based on virus
    signature.
  • Anomaly-based detection systems 
  • Monitor communication traffic 

36
Detection and Evasion Techniques
  • Evasion Techniques
  • From Signature-based Detection
  • Executable Packers
  • Rootkits
  • Protocol evasion techniques
  • From Anomaly-based detection systems 
  • New / modified communication protocols IRC,
    HTTP, VoIP
  • Utilize secure channels to hide communications
  • Alternative channels ICMP or IPv6 tunneling
  • Potentially use SKYPE or IM

37
Detection and Evasion Techniques
  • Effective Detection Alternative
  • Combination of Techniques
  • Detect connections to CC centers
  • Monitor for Communication Traffic
  • Monitor for Anomalous Behavior

38
Detection and Evasion Techniques
  • Combating Botnets focusing on Detectable
    Behavior 
  • Global Correlation Behavior
  • Network-based Behavior
  • Host-Based Behavior

39
Detection and Evasion Techniques
  • Network-based Behaviors
  • Observable Communications
  • Monitor IRC HTTP traffic to servers that don't
    require these protocols
  • IRC traffic that is not human readable
  • DNS queries (lookups for CC controllers)
  • Frequency changes in IP for DNS lookups
  • Long idle periods followed by very rapid
    responses
  • Very bursty traffic patterns
  • Attack Traffic
  • Denial of Service TCP SYN packets (invalid
    source)
  • Internal system sending emails (Phishing)

40
Detection and Evasion Techniques
  • Host-based Behaviors
  • Detectable activity on an infected host
  • Disabled Anti-virus
  • Large numbers of updates to system registry
  • Specific system/library call sequences

41
Detection and Evasion Techniques
  • Global Correlated Behaviors
  • Common across different Botnet implementations
  • Detect DNS changes for CC host
  • Large numbers of DNS queries

42
Conclusion
43
Conclusion
  • Botnets are a dangerous evolution in the malware
    world
  • They are being used to damage systems, steal
    information and comprise systems
  • They are hard to detect and eliminate
  • The taxonomy approach allowed us an organized and
    systematic means to understanding the nature of
    botnets and their behaviors. This will allow us
    to mitigate the threat with corrective measures.

44
QA
45
Conclusion
The Wanderers
Write a Comment
User Comments (0)
About PowerShow.com