A MULTIFACETED APPROACH TO UNDERSTANDING THE BOTNETPHENOMENONMoheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis

Computer Science DepartmentJohns Hopkins University

Internet Measurement Conference 2006

2

OUTLINE Introduction

Working of Botnet Measuring of Botnet Result and Analysis Comments

3

BOTNET Very little known about the behavior of these

distributed computing platforms. model the botnet life cycle

The term botnet is used to define networks of infected end-hosts, called bots, that are under the control of a human operator commonly known as botmaster.

While botnets recruit vulnerable machines using methods also utilized by other classes of malware, their defining characteristic is the use of command and control (C&C) channels.

4

BOTNET (CONT’D) Channels

IRC, Internet Relay Channel was originally designed to form large social chat rooms

HTTP P2P

While other class of malware were mostly used demonstrate technical prominence among hackers, botnets are used for illegal activities.

A multifaceted measurement approach to capture the behavior and impact of botnets distributed malware collection (binary) IRC tracking (live botnet) DNS cache probing

5

BOTNET LIFE CYCLE

- remotely exploiting software vulnerabilities - social engineering

shell codeactual bot binary

defining characteristic

resolving the DNS nameof IRC server (instead ofusing hard-coded IP)

(authenticate)

(authenticate)

6

MEASUREMENT METHODOLOGY Three Distinct Phases

Malware Collection Collect as many bot binaries as possible

Binary analysis via gray-box testing Extract the features of suspicious binaries

Longitudinal tracking of IRC botnets Through IRC and DNS trackers Track how bots spread and its reach

7

INFRASTRUCTURE DEPLOYMENT

Darknet: denote an allocated but unused portion of the IP addresses space.

1 Large Local darknet.14 distributed nodes (PlanetLab testbed).1 Honeynet1 Download Station1 Gateway1 local IRC server

IRC trackers (drone)DNS probers

Use of 10 different classA (/8) darknet IP spaces.

8

MALWARE COLLECTION Nepenthes (on PlanetLab) mimics the replies

generated by vulnerable services in order to collect the first stage exploit. Nepenthes is a low interaction honeypot

a framework for large-scale collection of information on self-replicating malware in the wild, emulating only the vulnerable parts of a service

Modules in nepenthes emulate vulnerabilities download files – done by the Download Station submit the downloaded files shellcode handler

9

MALWARE COLLECTION (CONT’D) Honeynets also used along with nepenthes

ensure catching exploits missed by nepenthes These failures are most likely due to the

responder’s inability to mimic unknown exploit sequences or to parse certain shellcodes.

Running unpatched instances of Windows XP in a virtualized environment (VMware) with static private-space IP. One infection allowed and connections with

unique IRC servers

Binaries (from nepenthes or honeynets) are sent to analysis engine for graybox testing.

10

MALWARE COLLECTION (CONT’D) Gateway

Forwards traffic to 8 /24, daily rotating to cover the whole darknet (NAT)

Firewall (SNORT) Prevent outbound attacks & self infection by honeypots

Only 1 infection in a honeypot

11

BINARY ANALYSIS (GREY BOX TESTING) They use graybox analysis to extract the features

of suspicious binaries (regardless of the mechanism by which they were collected).

Phase 1: Creation of a network fingerprint fnet = <DNS, IPs, Ports, scan>

DNS requests, destination IPs, Contact Ports, Contact Protocols, default scanning behavior (e.g n=20 destination/port/monitored period)

Phase 2: Extraction of IRC-related features firc = <PASS, NICK, USER, MODE, JOIN>

initial password, nickname and username, the particular modes set, and which IRC channels are joined (with associated channel passwords)

12

LEARN A BOTNET DIALECT Taken together, fnet and firc provide enough

information to join a botnet in the wild. not enough

They make the bot connect to their local IRC channel. Force bot to join a local IRC server ( fake

Botmaster) Use a query engine to learn the botnet “dialect”,

extracting command-response templates.

13

LONGITUDINAL TRACKING IRC tracker (Drone)

Connects to a real IRC channel using fnet and firc. Pretends to dutifully follow any commands from the

botmaster, and provides realistic responses to her commands. need to be intelligent enough filter inappropriate information included in the template

DNS Tracking Bots issue DNS queries to resolve the IP addresses of

their IRC servers (~800,000 name servers are used) Each DNS name of a newly detected IRC server is

added to the list of servers to be probed. They probe the caches of all DNS and record any

cache hits.

14

RESULTS AND ANALYSIS Collection period starts 1 Feb 2006

Darknet Traffic traces > 3 months IRC logs (honeynet, drones) > 3 months More than 100 botnet IRC channels Result of DNS cache hits from tracking 65 IRC

servers more than 45 days Captured

318 malicious binaries.

15

BOTNET TRAFFIC SHARE

Botnet Spreader: any source that successfully completed an exploitation transaction and delivered a bot executable.

- ~27% of the incoming SYN is contributed by known botnet spreader- 76% to target ports (135, 139, 445, 3127)- >70% succeed to send shellcode

16

DNS TRACKER RESULTS

Geographic location of the DNS cache hits for one of the tracked botnets. The star indicates the location of the IRC server.

- Total 65 IRC server identified.- 11% of the name servers involved in atleast one botnet activity.- 29% of the .com servers had at least 1cache hit.

(Top Level Domain)

17

BOT SCAN METHOD Type I (34 of 192 IRC bots) 17%

worm-like scanning continuously scan certain ports following a

specific target selection algorithm Type II (158 of 192 IRC bots ) 83%

variable scanning behaviors only scan after receiving a command over C&C

channel

18

BOTNET GROWTH – DNS AND IRCDifferent bots have different growth pattern, and they can be shown by DNS and IRC views.

19

BOTNET STRUCTURE Of 318 malicious binaries, 60% were IRC

70% of the botnets has single IRC server. Bridged 30% ( 25% public servers)

Two Servers 50% Unrelated botnets had similar naming

conventions, channel names, user IDs. In many cases, these botnets seem to belong to the

same botmaster(s). Several instances where a selected group of bots

were commanded to download an updated binary, which subsequently moved the bots to a different IRC server.

20

SIZE AND LIFETIME

broadcast join/leave information for members on the channel

Bots generally do not stay longon the IRC channel

21

BOTNET SOFTWARE TAXONOMY

AV: Anti-VirusFW: Firewall

22

COMMENTS A measurement methodology

How to capture a botnet’s binary? How to find the characteristic of a binary?

Build a system over honeypot.

Only focus on RPC and DNS analysis They did lots of analysis after capturing the

bot, how about evaluate the methodology?