Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis
Computer Science Department
Johns Hopkins University
A MULTIFACETED APPROACH TO
UNDERSTANDING THE BOTNET
PHENOMENON (2006)
Jonathan Brant
CAP 6135 – Spring 2010
Overview



Introduction
Background
Measurement Methodology




Results and Analysis








Malware Collection
Graybox testing
Longitudinal Tracking of Botnets
Botnet Prevalence
Spreading Methods
Growth Patterns
Botnet Structures
Effective Botnet Size
Lifetime
“Insider’s view”
Conclusion
Introduction

Botnets – “networks of infected end-hosts that are
under the control of a human operator”
 Bots
– end-hosts
 Botmaster – human operator

Command and Control channels facilitate botmaster
commands to bots in the botnet
 Channels
can use different communication mechanisms
(e.g. P2P)
 Most

modern botnets use Internet Relay Chat (IRC)
Originally used to form large chat rooms
Introduction

Botnets almost always used for illegal activities
 Extortion
 E-mail
spamming
 Identity theft
 Software piracy
Introduction

Paper attempts to address inquiries such as:
 Number
of botnet “species”
 Behavioral
 Evolution
categorization of different species
of a botnet
Background

Step 1 – Botnets
commandeer victims via
remotely exploiting
vulnerability of software
running on victim
 Infection
strategies include:
 Self-replicating
worms
 E-mail
viruses
 Social engineering

Convincing victims to run
malicious code on their machine
Background

Step 2 – Victim executes
shellcode and image of bot
binary is fetched from
location within botnet
 When
fetch is complete, the
binary installs itself on
target machine and
automatically starts on each
reboot
Background

Step 3 – Bot attempts to
contact IRC server (address
stored in executable)
 Using
a DNS name instead
of IP address allows
botmaster to retain control
if IP is blacklisted by ISP
Background

Step 4 – Bot attempts to
establish IRC session and join
C2 channel

Three authentication steps:

Bot authenticates itself using
PASS message


Bot issues C2 channel password


This is the IRC session password
This password and session
password are in bot binary
Botmaster authenticates to bot
population

This prevents other botmasters
from seizing control of botnet
Background

Step 5 – Channel topic is
parsed and executed


Contains default command
that every bot executes
Future commands coming
from botmaster can vary
widely

Wide variety of available
commands/responses
increases difficulty of
classifying botnet behaviors
Measurement Methodology

Data collection includes three phases:
 Malware
collection
 Binary analysis via gray-box testing
 Tracking of IRC botnets through IRC and DNS trackers
Measurement| Malware Collection

Goal is to collect as many bot binaries as possible


Must support a wide array of data collection endpoints and
be highly scalable
Distributed darknet

Locally deployed
darknet


Allocated but
unused portion of
IP address space
14 distributed
nodes using
PlanetLab testbed
Measurement| Malware Collection

Modified nepenthes platform

Mimics replies generated by
vulnerable services


Raw packets from PlanetLab
nodes translated


Collects first-stage exploit
(shell-code)
Using translation module written
in Click
Packets were injected into
local tunneling interface
Measurement | Malware Collection

On-line download
modules in nepenthes
disabled to prevent
excessive downloads
Binaries retrieved by
generating list of URL
targets and sending to
download station
 Download station
filtered entries in list and
extracted unique
sources/URLs

Measurement | Malware Collection

Honeynet catches exploits
missed by nepenthes

Composed of honeypots
running unpatched, virtual
instances of Windows XP



Each honeypot assigned
private static IP on
separate VLAN
Infected honeypots sustain
IRC connections until VM’s
reimaged
Suspect binaries retrieved
by comparing VM contents
to clean Windows image
Measurement | Malware Collection

Gateway routes
darknet traffic to
various parts on
internal network
 Half
of darknet
prefixes directed to
local responder and
other half to honeynet
 NAT
used to map each
honeypot to 128
darknet IP addresses
Measurement | Malware Collection

Serves as firewall
preventing honeypots
from conducting
outbound attacks or
infecting each other

Cross-infection prevented
by:



Placing each honeypot
on separate VLAN and
terminating cross-VLAN
traffic
Terminating cross-VLAN
traffic
Outbound traffic block on
popular vulnerable ports

135, 139, 445, etc.
Measurement | Malware Collection

Runs IRC detection
module

Application-level traffic
searched for common IRC
protocol strings

NICK, JOIN, USER
Once IRC connection
witnessed, detection
module establishes record
for IRC session
 When honeypot attempts
to reconnect, connection
allowed to proceed to IRC
server

Measurement | Malware Collection
 Detection
module only
allows one honeypot to
connect to an IRC
server at given point in
time
 Gateway
detects when
honeypot is infected

Rules inserted to block
inbound attacks to that
honeypot
Measurement | Malware Collection
 Gateway
also
performs miscellaneous
tasks
 Triggering
honeypot re-
imaging
 Loading clean
Windows images
 Pre-filtering for
download station
 Running local DNS
server to resolve DNS
queries from honeypots
Measurement | Graybox Testing


Graybox testing used to extract features of
suspicious binaries
Analysis spans two distinct phases (performed on
isolated network segment)
 First
phase derives network fingerprint of binary
 Second phase extracts binaries IRC-specific features
Measurement | Graybox Testing

Phase 1: Creation of a network fingerprint

Server acts as network sink


All network activity initiated by malware will be detected
Traffic logs automatically processed to extract network
fingerprint
f net  DNS , IPs, Ports, scan
DNS – target of DNS requests
 IPs – destination IP addresses
 Ports – contacted ports and protocols
 Scan – whether or not default scanning behavior was detected


Default scanning behavior – any attempt to contact more than 20
distinct destinations on the same port during the monitored period
Measurement | Graybox Testing

Phase 2: Extraction of IRC-related features
Modified version of UnrealIRC daemon instantiated on
network sink
 IRC listens on all ports ever observed in network fingerprint
 Upon detecting an IRC connection, IRC-fingerprint is created

firc  PASS, NICK ,USER, MODE , JOIN
PASS – initial password to establish IRC session
 NICK – nickname
 USER – username
 MODE – modes set
 JOIN – IRC channels to be automatically joined (and their
associated passwords)

Measurement | Graybox Testing

(Phase 2 continued…)
 To
learn botnet “dialect”, bot connects to local IRC
server and enters default channel
 IRC
query engine plays role of botmaster
 Bot behavior is learned by subjecting it to series of
commands

Command set includes:
 IRC commands observed in honeynet traces
 Commands extracted from publicly available bot source
code
Measurement | Longitudinal Tracking

Botnet tracking is performed by two means:
 The
use of a custom, lightweight IRC tracker
 Probing DNS caches across the globe
Measurement | Longitudinal Tracking

IRC Tracker
 “A
modified IRC client that can join a specified IRC
channel and automatically answer directed queries
based on the template created by the graybox testing
technique”
 IRC tracker instantiates new IRC session to IRC server
using fingerprint and template
 IRC
trackers need to appear responsive
Measurement | Longitudinal Tracking
 In
order to appear “real”, the following must be
performed:
 Traffic
filtered so inappropriate information is not included
in template

Filtering performed automatically while bot is executing
 Computer
specifications (e.g. memory, disk space) are
changed to resemble specifications of a real machine
 IRC query engine issues a set of commands that require
stateful responses

Emulates a bot’s stateful software
Measurement | Longitudinal Tracking

DNS Tracking
 Most
bots issue DNS queries to resolve IP addresses of
IRC servers
 Caches of DNS servers are probed to determine
number of DNS servers giving cache hits
 “Cache
hit” implies at least one client queried DNS server
during lifetime of its DNS entry
Measurement | Longitudinal Tracking

Original list contained 1.6 million DNS servers

First filter removed top level domains


Second filter checked consistency of replies




.gov, .mil, etc.
Two consecutive DNS queries
 First query was recursive and forced DNS server to completely
resolve query
 Second query was not recursive and obtained local answers
from server cache
TTL field in second response should be smaller than first
After filtering, master list consisted of 800,000 name servers
For a given IRC server, the caches of all DNS servers were
probed and any associated cache hits recorded
Results and Analysis

Results include:
 Traffic
3
 IRC
3
traces captured on local darknet
month period
logs gathered
month period
 DNS
 45
cache hit results from tracking 65 IRC servers
day period
Results| Botnet Prevalence

Botnet Traffic share

Two week snapshot of total incoming SYN packets to local
darknet vs. packets originating from botnet spreaders


A botnet spreader is any source that delivered a bot executable
27% of incoming SYNs
attributed to botnet
spreaders
 76%
come from botnet
spreaders if target
ports considered
Results| Botnet Prevalence



More than 90% of all traffic during peaks targeted ports
used by botnet spreaders
More than 70% of sources during peak periods sent shell
exploits
This suggests the
total amount of
botnet-related traffic
is far greater than
27%
Results| Botnet Prevalence

11% (85,000) of probed servers were involved in
at least one botnet activity

55% of servers in
dataset are for .com
domains



82% of DNS cache hits
from name servers in
that domain
29% of .com servers
had at least 1 cache hit
.cn servers only 0.2% of
total servers

95% of them exhibited
botnet activity
Results|Spreading Methods

Botnets use a variety of means to spread and recruit
new victims
Email
 Web
 Active scanning (most prevalent)


Botnets can be grouped into two types:

Worm-like


Continuosly scan ports following target selection algorithm
Variable scanning behavior

Uses a number of scanning algorithms

Uniform, non-uniform, localized
Results|Spreading Methods

192 botnets captured
 34
botnets were Type-I
 Upon
infection, bot starts scanning IP space for new victims
 Initiates connection to IRC servers (identified by hard-coded
list of DNS names)


All IRC servers/channels bots tried to join were unreachable
 Channel was banned by public IRC server
 DNS name did not resolve to valid IP address
Still, botnet grew over time due to persistence of scanning
Results|Spreading Methods

Type-II botnets were the most prevalent class



Scanning triggered by a command
More difficult to track due to continuosly changing behavior
Localized and targeted scanning are were most prevalent techniques


Localized scanning focused on Class B address space
Targeted scanning focused on Class A address space
Results|Growth Patterns

In order to examine botnet growth patterns, two
approaches were taken:
 Cumulative
number of unique DNS cache hits for distinct
botnets over time was plotted
 Growth pattern was compared to behavior learned
from IRC tracker
Results|Growth Patterns

Botnets with semi-exponential growth patterns exhibit
persistent random scanning activity (unchanging over time)


Example: for one botnet, topic of the corresponding channel was
set to randomly scan port 445 indefinitely for one month
Related to worm infections
Results|Growth Patterns

Also representative of botnets with intermittent activity profiles

Example: Botnet III corresponds to botnet that infected honeypots on
3/13/2006


IRC server went down between 4/12/2006 – 4/30/2006
When IRC server became available, growth slope increased and honeypots
were re-infected by the same botnet
Results|Growth Patterns

Predominantly used time-scoped scanning
commands
 As
opposed to continuous scanning like the previous two
Results|Growth Patterns

Botnet evolution estimated by counting unique
sources for message broadcast to the channel
 Only
plotted botnets of comparable size on a given
plot

Trends confirm heterogeneity in botnets
Results | Botnet Structures


60% of 318 collected malicious binaries were IRC bots
Four predominant IRC structures were revealed

All bots connected to a single IRC server



IRC servers can be connected to form an IRC network supporting large
numbers of users



30% of botnets bridged on multiple servers
50% bridged between two servers only
Seemingly unrelated botnets appear more similar when comparing their
naming conventions, channel names, and operators’ user IDs


Prevalent among smaller classes of botnets (few hundred users)
70% of observed botnets fell into this category
These botnets may seem to belong to the wrong botmaster
Selected group of bots commanded to download an updated binary

Results in bots being moved to a different IRC server
Results | Effective Botnet Size

Botnet footprint can become fairly large (> 15,000
bots)
 Predominant
structures were botnets managed by a
single or few servers

Distinction drawn between
 Botnet’s
footprint
 Number of bots connected to IRC channel at a given
time
 Effective
Size
Results | Effective Botnet Size

Some “chatty” IRC servers broadcast join/leave information for members
on channel


Maximum size of online
population is significantly
smaller than botnet’s footprint



Number of online bots versus time for these IRC servers is plotted in figure 9
Footprint greater than
10,000
No more than 3,000 bots
online at the same time
Effective size has little impact
on long term activity,
however, it affects number of
bots available to execute
commands in a timely manner
Results | Lifetime

Discrepancy between footprint and effective size
likely due to the long lifetime of a typical botnet
 Bot
death rates and high churn rates can affect botnet’s
effective size
Results | Lifetime

High churn rates

Bots do not stay long on IRC channel



Average stay time: 25 minutes
90% stay less than 50 minutes
Likely causes include



Client instability (as
a result of infection)
Machine hibernation
Botmasters
commanding bots to
leave the channel
Results | Botnet Software Taxonomy

183 of 192 confirmed IRC-based bot executables responded to
probes of IRC query engine


49% of bots run AV/FW killer – a utility that disables anti-virus and
firewall processes
43% run identd server which performs user identification


40% run system security monitor which tightens bot security


Ensures only intended bots join a given IRC channel
E.g. disables DCOM service and file sharing
38% run a registry monitor which alerts the bot of any attempts to
disable it
Results | Botnet Software Taxonomy

Number of exploits within bot binaries varied from
3 to 29
 Average
of 15 exploits per binary
 Most popular exploits (appeared in over 75% of
binaries)
 DCOM135
 LSASS445
 NTPASS
Results | Botnet Software Taxonomy

Authors evaluated effectiveness of ClamAV and
Norton anti-virus on 192 malicious binaries
 ClamAV
classified 137 binaries as malicious
 Norton anti-virus classified 179 binaries as malicious

Windows XP service pack 2 still not immune
Results | “Insider’s view”

Traces show that:
 Botmasters
share information concerning what prefixes
should not be scanned
 Bots are tweaked to minimize chatter on C2 channel
 Bots are probed to detect and isolate “misbehavers”
 Also
look for “super-bots” with high bandwidth network links
and large storage capacities
Results | “Insider’s view”

Bots migrate from one IRC channel to another, instructed by:


Command from botmaster
Download of replacement software that points to a different C2
server
Results | “Insider’s view”



Control commands include channel joins and leaves
Mining category includes commands that collect
machine specifications
Attack category includes commands from
botmasters to attack other network computers
Results | “Insider’s view”

Small botnets receive larger portion of control and mining
commands


Hands-on botmasters that devote large amounts of time to
manually control their botnet
Medium and large
botnets have a larger
percentage of cloning
and download
commands

Cloning could include
the use of one botnet to
attack another botnet
by overloading its IRC
server with join requests
Conclusion

Botnets are a major contributor to overall unwanted internet
traffic



Most botnet traffic can be attributed to scans used to recruit new
bots
IRC is still the dominant protocol used for C2 communications
Effective sizes of botnets can range from a few hundred to
a few thousand

Botnet footprints are usually much larger than effective size



This is due to high churn rate within a botnet
Bot’s average channel occupancy is less than half an hour
Graybox testing revealed sophistication of modern bot software

E.g. Self-protection measures
Contributions

Established empirical measurements for botnet
prevalence


Particularly in considering DNS cache hits by IRC botnets
that were tracked
Classified typicality's of bot binaries
Registry monitoring tactics
 Locking down host vulnerabilities




Classified most prevalent botnet activities as a function
of botnet size
Delineated between botnet footprint and “effective
size.”
Large experiment samples further solidified results
Critique

Focused mainly on Windows-based systems


It would be interesting to see the effectiveness of noted
infection strategies on Unix systems
Only evaluated two anti-virus applications

Perhaps include other popular anti-virus applications


McAfee, Symantec Corporate, AVG, etc.
Authors noted 60% of binaries collected were IRC bots

Did the other 40% use a different communication
mechanism?

If so, it would be interesting to know how they were structured and
if the authors evaluated them in any way
References
[1] Rajab, M.A., Zarfoss, J., Monrose, F., & Terzis A. (2006). A
multifaceted approach to understanding the botnet
phenomenon. Proceedings of the 6th ACM SIGCOMM
conference on Internet measurement, Rio de Janeriro, Brazil