Botnets - CSE598K/CSE545 - Advanced Network Security - Prof. McDaniel




SLIDE 1: Botnets

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

CSE598K/CSE545 - Advanced Network Security
  • Prof. McDaniel - Spring 2008

SLIDE 2: Story

SLIDE 3: Botnets

  • A botnet is a network of software robots (bots) that run on zombie machines and are controlled by command and control networks
  • IRCbots - command and control over IRC
  • Bot herder - owner/controller of the network
  • "scrumping" - stealing resources from a computer
  • Surprising Factoid: the IRC server is exposed.

SLIDE 4: Statistics (controversial)

  • The actual number of bots, the size of the botnets and their level of activity are highly controversial.
  • As of 2005/6: hundreds of thousands of bots
  • 1/4 of hosts are now part of bot-nets
  • Growing fast (many more bots)
  • Assertion: botnets are getting smaller(?!?)

SLIDE 5: What are botnets being used for?

  • 50 botnets
    – 100-20,000 bots/net
  • Clients/servers spread around the world
    – Different geographic concentrations

Activities we have seen:

Stealing CD keys:
    ying!ying@ying.2.tha.yang PRIVMSG #atta :BGR|0981901486 $getcdkeys
    BGR|0981901486!nmavmkmyam@212.91.170.57 PRIVMSG #atta :Microsoft Windows Product ID CD Key: (55274-648-5295662-23992).
    BGR|0981901486!nmavmkmyam@212.91.170.57 PRIVMSG #atta :[CDKEYS]: Search completed.

Reading a user's clipboard:
    B][!Guardian@globalop.xxx.xxx PRIVMSG ##chem## :~getclip
    Ch3m|784318!~zbhibvn@xxx-7CCCB7AA.click-network.com PRIVMSG ##chem## :- [Clipboard Data]-
    Ch3m|784318!~zbhibvn@xxx-7CCCB7AA.click-network.com PRIVMSG ##chem## :If You think the refs screwed the seahawks over put your name down!!!

DDoS someone:
    devil!evil@admin.of.hell.network.us PRIVMSG #t3rr0r0Fc1a :!pflood 82.147.217.39 443 1500
    s7n|2K503827!s7s@221.216.120.120 PRIVMSG #t3rr0r0Fc1a :\002Packets\002 \002D\002one \002;\002>\n
    s7n|2K503827!s7s@221.216.120.120 PRIVMSG #t3rr0r0Fc1a flooding....\n

Set up a web-server (presumably for phishing):
    [DeXTeR]!alexo@l85-130-136-193.broadband.actcom.net.il PRIVMSG [Del]29466 :.http 7564 c:\\
    [Del]38628!zaazbob@born113.athome233.wau.nl PRIVMSG _[DeXTeR] :[HTTPD]: Server listening on IP: 10.0.2.100:7564, Directory: c:\\.

(Figure labels: piracy, mining, attacks, hosting)

SLIDE 6: Other goals of a botnet ...

  • SPAM relays
  • Click fraud
  • Spamdexing
  • Adware

SLIDE 7: IRC botnets

  • An army of compromised hosts (“bots”) coordinated via a command and control center (C&C). The perpetrator is usually called a “botmaster”.

“A botnet is comparable to compulsory military service for windows boxes”
    – Bjorn Stromberg

(Figure: IRC server, bots (zombies); “Find and infect more machines!”)

SLIDE 8: Typical (IRC) infection cycle

(Figure: infection cycle diagram; one step is marked optional.)

Bots usually require some form of authentication from their botmaster.

SLIDE 9: Infection

  • Worms, Trojan horses, backdoors
  • Note: the software on these systems is updated
  • Bot theft: bot controllers penetrate/"steal" bots.

SLIDE 10: IRC

  • 1988 - one-to-many or many-to-many chat (for BBS)
  • Client/server -- TCP Port 6667
  • Used to report on 1991 Soviet coup attempt
  • Channels (sometimes password protected) are used to communicate between parties.
  • Invisible mode (no list, not known)
  • Invite only (must be invited to participate)

(Figure: a network of IRC servers.)

SLIDE 11: Not only for launching attacks ...

  • Some botmasters pay very close attention to their bots
  • hence covert infiltration is important
  • In many cases, Botmasters “inspect” their bots fairly regularly, and isolate certain bots (“cherry

    #HINDI-FILMZ :#1 294x [698M] [Movie] Dil Bechara Pyar Ka Mara DvD-RiP [ Full / AVI / 2001 ]
    #HINDI-FILMZ :#2 126x [141K] [English Subtitles] Dil Bechara Pyar Ka Mara
    #HINDI-FILMZ :** 2 packs ** 3 of 3 slots open, Record: 45.3KB/s
    #HINDI-FILMZ :** Bandwidth Usage ** Current: 0.0KB/s, Record: 304.5KB/s
    #HINDI-FILMZ :** To request a file type: /"/msg [HF]-[Street-Hunk]-30 xdcc send #x/" **
    #HINDI-FILMZ :** -= #Hindi-Filmz=- **
    #HINDI-FILMZ :** I M 100% Desi !! **
    #HINDI-FILMZ :Total Offered: 698.5 MB Total Transferred: 206.57 GB

That’s a lot of movies served! ( ~ 300)

SLIDE 12: Lots of bots out there

  • Level of botnet threat is supported by the conjecture that large numbers of bots are available to inflict damage
  • Press Quotes
    – “Three suspects in a Dutch crime ring hacked 1.5 million computers worldwide, setting up a “zombie network””, Associated Press
    – “The bot networks that Symantec discovers run anywhere from 40 systems to 400,000”, Symantec

SLIDE 13: Measuring botnet size

  • Two main categories
    – Indirect methods: inferring botnet size by exploiting the side-effects of botnet activity (e.g., DNS requests)
    – Direct methods: exploiting internal information from monitoring botnet activity

SLIDE 14: Indirect Methods

  • Mechanism
    – DNS blacklists
    – DNS snooping
  • What does it provide?
    – DNS footprint
  • Caveats
    – DNS footprint is only a lower bound of the actual infection footprint of the botnet
    – DNS records with small TTLs
    – DNS servers blocking external requests (~50%)

SLIDE 15: DNS Blacklist

  • The value of a bot is related to its status on the DNS blacklists
  • Compromised hosts are often used as SMTP servers for sending spam.
  • DNS blacklists are lists maintained by providers that indicate that SPAM has been received by them.
  • Organizations review blacklists before allowing mail from a host.
  • A "clean" bot (not listed) is worth a lot
  • A listed bot is largely blocked from sending SPAM

(Figure: hosts A, B, C, D, E, F ...)

SLIDE 16: DNSBL Monitoring

  • Observation: bot controllers/users need to query for BL status of hosts to determine value.
  • Idea: if you watch who is querying (and you can tell the difference from legitimate queries), then you know something is a bot
  • Understanding the in/out ratio of a host n:

    $\lambda_n = d_{n,in} / d_{n,out}$

  • Q: what does a high ratio mean? Low?
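Added example (not from the lecture): the in/out ratio of slide 16 computed over a constructed DNSBL query log, as the blacklist operator would see it. The reading assumed by the labels is that a legitimate mail server both looks up the senders that connect to it and is looked up by its peers, while a host that looks up many addresses but is never looked up itself behaves like a reconnaissance client; the thresholds, the hostnames and the addresses are all made up for the toy data.

```python
"""DNSBL counter-intelligence: per-host in/out lookup ratio.

Added example, not from the lecture. QUERY_LOG is a constructed DNSBL query
log: (host that issued the lookup, host whose listing status was looked up).
The classification thresholds are assumptions chosen for this toy data.
"""
from collections import defaultdict

QUERY_LOG = [
    # Three legitimate-looking mail servers look each other up and look up
    # the senders that connect to them.
    ("mx.example.org", "203.0.113.9"),
    ("mx.example.org", "192.0.2.10"),
    ("mx.example.org", "mx.example.net"),
    ("mx.example.org", "mx.example.com"),
    ("mx.example.net", "203.0.113.9"),
    ("mx.example.net", "mx.example.org"),
    ("mx.example.com", "203.0.113.9"),
    ("mx.example.com", "mx.example.org"),
    ("mx.example.com", "mx.example.net"),
    # 198.51.100.7 looks up five hosts and is never looked up itself.
    ("198.51.100.7", "192.0.2.10"),
    ("198.51.100.7", "192.0.2.11"),
    ("198.51.100.7", "192.0.2.12"),
    ("198.51.100.7", "192.0.2.13"),
    ("198.51.100.7", "192.0.2.14"),
]


def degrees(log):
    """Per host: (d_in, d_out), counted over distinct peers.

    d_in  = number of distinct hosts that looked this host up
    d_out = number of distinct hosts this host looked up
    """
    queried_by = defaultdict(set)
    queries = defaultdict(set)
    for querier, target in log:
        queries[querier].add(target)
        queried_by[target].add(querier)
    hosts = set(queries) | set(queried_by)
    return {h: (len(queried_by[h]), len(queries[h])) for h in hosts}


def lookup_ratio(d_in, d_out):
    """lambda_n = d_in / d_out. A host that never issues a lookup gets inf."""
    if d_out == 0:
        return float("inf")
    return d_in / d_out


def classify(log, low=0.25, high=4.0, min_activity=3):
    """Bucket hosts by their ratio.

    Hosts with fewer than min_activity lookups in both directions combined
    are left unlabelled: one or two queries say nothing.
    """
    result = {}
    for host, (d_in, d_out) in degrees(log).items():
        lam = lookup_ratio(d_in, d_out)
        if d_in + d_out < min_activity:
            label = "insufficient data"
        elif lam < low:
            label = "reconnaissance-like (queries many, queried by few)"
        elif lam > high:
            label = "queried but never queries (possible spam sender)"
        else:
            label = "mail-server-like"
        result[host] = (d_in, d_out, lam, label)
    return result


if __name__ == "__main__":
    for host, (d_in, d_out, lam, label) in sorted(classify(QUERY_LOG).items()):
        print(f"{host:16} in={d_in} out={d_out} lambda={lam:<5.2f} {label}")
```

Degrees are counted over distinct peers rather than raw query counts so that one chatty mail server does not dominate; the min_activity guard keeps hosts that were looked up once or twice out of either bucket.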

SLIDE 17: Results

(Figure: results.)

SLIDE 18: Direct Methods

  • Mechanisms
    – Infiltrate botnets and directly count online bots
    – DNS redirection (by Dagon et al.)
  • What do they provide?
    – Infection footprint & effective size (infiltration)
    – Infection footprint (DNS redirection)
  • Caveats
    – Cloning (infiltration)
    – Counting IDs vs. counting IPs (infiltration)
    – Measuring membership in DNS sinkhole (DNS redirection)
    – Botmasters block broadcasts on C&C channel (infiltration)

SLIDE 19: Estimating size [Monrose et al.]

  • DNS redirection “sinkhole”
    – Identify, then self poison DNS entries
  • DNS cache hits
    – Idea: query for IRC server to see if in cache
    – If yes, at least one bot in the network within the TTL (see [14])
    – Limitations: TTL, not all servers answer, lower bound on bots

SLIDE 20: How many bots?

  • Approach: infiltration templates based on collected honeynet data, e.g., observing compromised hosts that are identified within the channel
  • How many?
    – 1.1 million distinct user IDs used
    – 425 thousand distinct IP addresses
  • Issues:
    – NAT/DHCP?
    – “Cloaked” IP address (SOCKS proxies?)
    – Botnet membership overlap

SLIDE 21: Botnet size, what does it mean?

  • Infection Footprint: the total number of infected bots throughout a botnet’s lifetime
    – Relevance: how widespread the botnet infection is
  • Effective Botnet Size: the number of bots simultaneously connected to the command and control channel
    – Relevance: the botnet's capacity to execute botmaster commands (e.g., flood attacks)
  • An Example:
    – While a botnet appeared to have a footprint of 45,000 bots, the number of online bots (i.e. its effective size) was < 3,000

SLIDE 22: Botnet footprint estimates

  • Redirection results:
    – Botnets with up to 350,000 infected hosts [Dagon et al.]

SLIDE 23: Large botnets may not be so big!

(Figure: footprints vs. effective size.)

SLIDE 24: Cloning

Are we counting unique infections?

(Figure label: temporary migration.)

  • Cloning activity observed in 20% of the botnets tracked (moving between bot channels)
  • 130,000 bots created more than 2 million clones during our tracking period
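Added example (not from the lecture or from Monrose et al.): the two size definitions of slide 21 (infection footprint vs. effective size), the IDs-vs-IPs caveat of slides 18 and 20, and the cloning signal of slide 24, all computed from one constructed join/quit log of a C&C channel. Nicks, addresses and timestamps are made up.

```python
"""Infection footprint vs. effective size, and cloning, from C&C channel events.

Added example, not from the lecture. EVENTS is a constructed join/quit log
for one IRC C&C channel: (time, kind, nick, ip).
"""
from collections import Counter, defaultdict

EVENTS = [
    (0, "join", "BGR|0001", "192.0.2.10"),
    (1, "join", "BGR|0002", "192.0.2.11"),
    (2, "join", "BGR|0003", "192.0.2.12"),
    (3, "quit", "BGR|0001", "192.0.2.10"),
    (4, "join", "BGR|0004", "192.0.2.10"),  # same address, new id: DHCP, NAT or reinfection?
    (5, "join", "BGR|0005", "192.0.2.13"),
    (5, "join", "BGR|0006", "192.0.2.13"),  # clones: three ids online at once from one address
    (5, "join", "BGR|0007", "192.0.2.13"),
    (6, "quit", "BGR|0002", "192.0.2.11"),
    (7, "quit", "BGR|0005", "192.0.2.13"),
    (7, "quit", "BGR|0006", "192.0.2.13"),
    (7, "quit", "BGR|0007", "192.0.2.13"),
    (8, "join", "BGR|0008", "192.0.2.14"),
]


def _ordered(events):
    # Joins before quits within the same tick, so a join/quit pair at one
    # timestamp is counted as briefly overlapping (the conservative reading).
    return sorted(events, key=lambda e: (e[0], e[1] != "join"))


def footprint(events):
    """Infection footprint over the whole tracking period: (distinct ids,
    distinct ips). Both are returned because the two counts disagree."""
    ids = {nick for _, _, nick, _ in events}
    ips = {ip for _, _, _, ip in events}
    return len(ids), len(ips)


def effective_size(events):
    """Peak number of bots simultaneously on the channel: (by id, by ip)."""
    online_ids = set()
    online_ips = Counter()
    peak_ids = peak_ips = 0
    for _, kind, nick, ip in _ordered(events):
        if kind == "join":
            online_ids.add(nick)
            online_ips[ip] += 1
        else:
            online_ids.discard(nick)
            online_ips[ip] -= 1
            if online_ips[ip] <= 0:
                del online_ips[ip]
        peak_ids = max(peak_ids, len(online_ids))
        peak_ips = max(peak_ips, len(online_ips))
    return peak_ids, peak_ips


def concurrent_clones(events):
    """Addresses with more than one id online at the same moment, and how
    many extra ids that was. Sequential reuse of an address (one id quits,
    another joins later) is deliberately not counted: that looks like DHCP
    churn or reinfection rather than cloning."""
    online_by_ip = defaultdict(set)
    peak_by_ip = defaultdict(int)
    for _, kind, nick, ip in _ordered(events):
        if kind == "join":
            online_by_ip[ip].add(nick)
        else:
            online_by_ip[ip].discard(nick)
        peak_by_ip[ip] = max(peak_by_ip[ip], len(online_by_ip[ip]))
    return {ip: n - 1 for ip, n in peak_by_ip.items() if n > 1}


if __name__ == "__main__":
    print("footprint (ids, ips):", footprint(EVENTS))
    print("effective size (ids, ips):", effective_size(EVENTS))
    print("clones:", concurrent_clones(EVENTS))
```

On this log the footprint is 8 ids but only 5 addresses, and the peak effective size is 6 ids but only 4 addresses: the same botnet is "twice as large" or not depending on which column you count, which is the point of slide 21 and the caveats on slide 18.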

SLIDE 25: Summary

  • Size estimation is harder than it seems
  • Botnet size should be a qualified term
  • Different size definitions lead to radically different estimates
  • Current estimation techniques are laden with a number of caveats
    – Cloning, counting method, migration, botnet structures, DHCP, NAT, etc.
  • A prudent study of the problem requires persistent multifaceted tracking of botnet activity

SLIDE 26: Web Malware (for bots?)

  • For bigger impact, exploit vulnerable servers/webapps and attempt to infect the client base
  • Provos et al. showed a number of injection vectors by which this is done
  • Inject content that targets browser vulnerabilities to automatically download and run malware upon visiting a website
  • Goal: Understand the prevalence of drive-by downloads, the delivery mechanisms used, and the structural properties of the distribution networks

SLIDE 27: Infrastructure

  • landing page: a URL that initiates drive-by downloads
    – generally malicious payload loaded via IFRAME or SCRIPT from a remote site
  • distribution site: site that hosts malicious payloads

(Figure: “out of place” IFRAMEs, obfuscated javascript, iframes to known distribution sites, etc.)
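Added example (not from the lecture or from Provos et al.): the three landing-page signals named on slide 27 (out-of-place IFRAMEs, obfuscated JavaScript, IFRAMEs pointing at known distribution sites) as a small regex triage scanner. The HTML page and the distribution-site list are constructed; the `.invalid` hostname is a placeholder, and the density threshold is an assumption for the sample.

```python
"""Landing-page triage for the heuristics on slide 27.

Added example, not from the lecture. SAMPLE_PAGE is a constructed HTML
document and KNOWN_DISTRIBUTION_HOSTS a constructed placeholder list.
"""
import re
from urllib.parse import urlparse

KNOWN_DISTRIBUTION_HOSTS = {"dist.example-malware.invalid"}

SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example.org/embed/42" width="640" height="360"></iframe>
<iframe src="http://dist.example-malware.invalid/page.html" width="1" height="1" style="visibility: hidden"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%22%22%29'));</script>
<script>function show() { document.getElementById('h').innerText = 'hi'; }</script>
</body></html>"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
ESCAPE_RE = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
DECODER_RE = re.compile(r"\beval\s*\(|\bunescape\s*\(|fromCharCode", re.IGNORECASE)


def parse_attrs(attr_text):
    """Attribute dict from the inside of a tag (quoted values only)."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        attrs[m.group(1).lower()] = value
    return attrs


def _tiny(value):
    """width/height of 0 or 1 pixels: an iframe nobody is meant to see."""
    try:
        return int(value.strip().rstrip("px")) <= 1
    except (AttributeError, ValueError):
        return False


def suspicious_iframes(html, known_hosts=KNOWN_DISTRIBUTION_HOSTS):
    """(src, reasons) for every iframe that trips at least one heuristic."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        style = attrs.get("style", "").replace(" ", "").lower()
        reasons = []
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("tiny")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if (urlparse(src).hostname or "") in known_hosts:
            reasons.append("known-distribution-site")
        if reasons:
            findings.append((src, reasons))
    return findings


def obfuscated_scripts(html, min_density=0.05):
    """Inline scripts that both call a decoder (eval/unescape/fromCharCode)
    and are dense in %XX, \\xNN or \\uNNNN escapes. Returns (snippet, density)."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        if not body.strip():
            continue
        density = len(ESCAPE_RE.findall(body)) / len(body)
        if DECODER_RE.search(body) and density >= min_density:
            findings.append((body[:40], round(density, 2)))
    return findings


def triage(html):
    """Overall verdict plus the individual findings."""
    iframes = suspicious_iframes(html)
    scripts = obfuscated_scripts(html)
    return bool(iframes or scripts), iframes, scripts
```

The visible 640x360 embed passes every check, the 1x1 hidden frame trips all three iframe heuristics at once, and only the script that pairs a decoder call with a high escape density is reported; a plain `eval` on ordinary code or a long but unobfuscated string literal does not, which is what keeps such a scanner usable as a first-pass filter before heavier analysis.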

SLIDE 28: Infrastructure

  • construct malware distribution trees from malicious URLs
    – contains all nodes the browser visits from the landing page until it contacts the distribution site
    – extract causal edges (e.g., inspecting Referrer headers, interpreting fetched HTML/Javascript content, etc.)

SLIDE 29: Impact

(Figure: fraction of search queries that result in at least one malicious URL.)

SLIDE 30: Impact

(Figure: distribution of (~1 million) landing pages.)

  • Exposure is not tied to browsing habits?

SLIDE 31: Malicious content injection

  • Two infection vectors
    – 1. Website compromise (and insert IFRAMEs)
    – 2. Advertising: the abuse of Ad syndication

SLIDE 32: Contribution due to ad networks

  • For each landing URL, examine the causal tree and check every intermediate node for membership in a set of 2,000 well known advertising networks

(Figure: weighted by popularity of search engine results (avg ~12%); fraction of landing sites delivering malware via Ads (avg ~2%).)
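Added example (not from the lecture or from Provos et al.): the distribution-tree construction of slide 28 (causal edges from Referer headers, landing page to distribution site) and the ad-network membership check of slide 32, run over a constructed browser fetch log. The ad-network and distribution-site lists are placeholders with `.invalid` hostnames; the lecture's set of 2,000 advertising networks is not reproduced here.

```python
"""Malware distribution trees from fetch records, and the share of malicious
landing pages whose path to the distribution site passes through an ad network.

Added example, not from the lecture. FETCHES is a constructed browser fetch
log: (requested URL, Referer header or None). AD_NETWORKS and
DISTRIBUTION_SITES are constructed placeholders.
"""
from collections import defaultdict
from urllib.parse import urlparse

FETCHES = [
    # landing A reaches the distribution site through an ad network
    ("http://landing-a.example/", None),
    ("http://ads.example-adnet.invalid/serve?slot=1", "http://landing-a.example/"),
    ("http://dist.example-malware.invalid/payload", "http://ads.example-adnet.invalid/serve?slot=1"),
    # landing B embeds the distribution site directly (compromised site)
    ("http://landing-b.example/", None),
    ("http://dist.example-malware.invalid/payload", "http://landing-b.example/"),
    # landing C only loads a benign library
    ("http://landing-c.example/", None),
    ("http://cdn.example.org/lib.js", "http://landing-c.example/"),
]

AD_NETWORKS = {"ads.example-adnet.invalid"}
DISTRIBUTION_SITES = {"dist.example-malware.invalid"}


def host(url):
    return urlparse(url).hostname or ""


def build_trees(fetches):
    """Causal edges from the Referer header: parent URL -> child URLs.
    Fetches without a Referer are the landing pages (tree roots)."""
    children = defaultdict(list)
    roots = []
    for url, referer in fetches:
        if referer is None:
            roots.append(url)
        else:
            children[referer].append(url)
    return roots, children


def distribution_paths(root, children, distribution_sites=DISTRIBUTION_SITES):
    """Every path from one landing page down to a distribution site."""
    paths = []
    stack = [[root]]
    while stack:
        path = stack.pop()
        node = path[-1]
        if len(path) > 1 and host(node) in distribution_sites:
            paths.append(path)
            continue
        for child in children.get(node, []):
            if child not in path:  # guard against referer cycles
                stack.append(path + [child])
    return paths


def via_ad_network(path, ad_networks=AD_NETWORKS):
    """True if any intermediate node (neither the landing page nor the
    distribution site) belongs to a known ad network."""
    return any(host(n) in ad_networks for n in path[1:-1])


def ad_contribution(fetches):
    """(fraction of malicious landing pages served via ads,
    {landing page: delivered_via_ads}). Benign landing pages are omitted."""
    roots, children = build_trees(fetches)
    verdicts = {}
    for root in roots:
        paths = distribution_paths(root, children)
        if paths:
            verdicts[root] = any(via_ad_network(p) for p in paths)
    if not verdicts:
        return 0.0, verdicts
    return sum(verdicts.values()) / len(verdicts), verdicts


if __name__ == "__main__":
    fraction, verdicts = ad_contribution(FETCHES)
    for landing, via_ads in verdicts.items():
        print(landing, "via ads" if via_ads else "direct")
    print(f"fraction via ad networks: {fraction:.0%}")
```

Only the Referer edge is used here; the lecture also mentions interpreting fetched HTML/JavaScript to recover edges that a missing or stripped Referer would hide, which this toy log does not need. The cycle guard matters on real logs, where a distribution site can redirect back into an ad network.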

SLIDE 33: Distribution networks

  • Their reach is far and wide
  • 3% host more than 100 distinct exploits
  • Many sites are long-lived and dynamic

(Figure: >22,000 landing pages.)

SLIDE 34: Distribution networks

  • Infrastructure is fairly sophisticated

(Figure: lots of changes are for short periods.)

SLIDE 35: Commonality among distribution sites

SLIDE 36: Summary and Challenges

  • Firewalls, dynamic addressing etc. don’t pose a hurdle
  • Better sanitization of syndicated content is necessary
  • New pull-based models are a challenge for AV engines
  • Post infection can be quite nasty
  • Yes, many victim machines join botnets
  • Behavior-based detection is likely more critical now

SLIDE 37: Visualizing botnet footprints

Fun with GoogleMaps and IP2Location