Botnets Dr. Neminath Hubballi IIT Indore © Neminath Hubballi Introduction Bot: A program performing automated task A bot itself is not bad A botnet is a collection of computers, which are connected and work under the instruction of a master in order to accomplish something Typically botnets are used for committing computer crimes A botnet is controlled by a person or a group of people Usually has monetary interests Advertisement companies Spam sending companies: outsource the work to bots IIT Indore © Neminath Hubballi Motivation A report from Dhamballa, 2010 – number of infections increased at the rate of 8% per week Almost every botnet newly created overtaking the previous largest Financial profits User credential stealing Click fraud Political interests Illegal activity include DDoS attacks Spamming Traffic sniffing Spreading malware Port scanning Key loggers etc.. IIT Indore © Neminath Hubballi Components of a Botnet Infrastructure Command and Control Infrastructure Centralized Client server model Distributed Works more autonomously Also called as peer to peer botnets Crucial Have to maintain a stable connectivity Robust Stable Reaction time Communication protocol IIT Indore © Neminath Hubballi Centralized Control Multiple communication channels with master Courtesy: Botnets: Detection, Measurement, Disinfection & Defense, Europian Network and Information Security Agency IIT Indore © Neminath Hubballi Decentralized Control Each bot will propagate commands to others Courtesy: Botnets: Detection, Measurement, Disinfection & Defense, Europian Network and Information Security Agency IIT Indore © Neminath Hubballi Botnets Types There are 2 types of botnets Operate through IRC Operate through web server Operate as Peer-to-Peer network IIT Indore © Neminath Hubballi Internet Relay Chat (IRC) based Uses a Push model of communication Master pushes commands for execution to the Bots All Bots receive commands through IRC PRIVMSG, understand the instruction and execute the command and send back results In order to issue commands Botmaster first authenticates herself with a username and password Advantages Open source Easy for modification Two way communication Real-time connectivity Public and private mode interaction Disadvantages Single point of failure Easily detectable IIT Indore © Neminath Hubballi Communication Over IRC Sequence of Events Master authenticates Master queries info about botnet –version number Master queries system information Issue instruction to scan other potentially vulnerable machines Bot replies with scan results Courtesy: Botsniffer: Detecting Botnet Command and Control Channels in Network Traffic IIT Indore © Neminath Hubballi HTTP based This type of Botnet uses HTTP as a communication medium Uses a pull method of interaction Bots periodically poll the master requesting new commands to be issued Through a HTTP post method Bots connect to the master Usually used for form submissions Advantage of using HTTP It becomes difficult to detect Port 80 is open in all firewalls Normally encryption is used to avoid detection and eavesdropping IIT Indore © Neminath Hubballi Role of DNS in Botnet DNS has an important role to play in Botent networks It allows changes to be done to the Botnet infrastructure transparently Fast Flux Networks Create a domain evil.com Authoritative DNS server for the network evil.com is owned by attacker Attacker has multiple infected machines in her possession The RR mapping is changed at a very high frequency Each time the client connects to a different infected machine or Bot machine All of these machines or Bots act as a proxy to the Bot server Increases the resiliency of Botnet infrastructure IIT Indore © Neminath Hubballi Fast Flux Network Courtesy: Botnets: Detection, Measurement, Disinfection & Defense, Europian Network and Information Security Agency IIT Indore © Neminath Hubballi Who Suffers from Botnet Three entities Victim – suffers directly ISP – have to carry lot of malicious traffic Third party – effect of malware Defense Victim- corporates have to protect their IT assets ISP – detect malicious traffic Third party – keep the machine clean IIT Indore © Neminath Hubballi Threat Characterization Botnet Size and Origin Footprint- Number of infected machines indicates scaling factor Live Population – How many of infected machines are able to interact using CC infrastructure currently Spam throughput: Received spam emails per unit of time Freshness of IP address in spam emails –fresh one is better Bandwidth usable for DDoS attacks Harvested personal data – more data approximately leads to more financial gain IIT Indore © Neminath Hubballi Botnet Detection There are two types of detection mechanisms Passive techniques Activity can be tracked without interfering with environment No disturbance Active techniques Blocking malicious domains and identifying infected machines IIT Indore © Neminath Hubballi Source of Data for Passive Detection Packet analysis Shell code detection Protocol filed Combination of some fields etc. Drawbacks Full packet inspection is difficult Scaling is a factor Only known patterns are detected If the attack code is split across multiple packets, streams it is far more difficult to detect IIT Indore © Neminath Hubballi Source of Data for Passive Detection Flow Record Analysis Flow is a summary of what transpired in communication Typical attributes are: Source and destination address Related port numbers Protocol used inside the packets Duration of the session Cumulative size and Number of transmitted packets. Drawbacks Payload is ignored Keep track of all sessions Switches and routers do it for you Courtesy: BotGrep IIT Indore © Neminath Hubballi Source of Data for Passive Detection Use of DNS Data Identify Fast Flux Networks Collect DNS queries and responses and do an offline analysis Identify “typo squatting” domain names in the data Ex. Goggle.com Malicious domain name can be blocked by domain registrars Currently not happening If a domain is identified as a malicious domain In all likelihood the queries to that domain are from infected machines It helps to track down even those machines IIT Indore © Neminath Hubballi Source of Data for Passive Detection Use of spam email analysis Botnets often run spam campaigns All spam emails will have similarity In contents Pattern Length of mail Source IP address used (often they reuse the IP addresses) Antivirus software feedback Collect information from many sensors IIT Indore © Neminath Hubballi Active Countermeasures Shinkholing –Changing the records of malicious domain to point to a good node Courtesy: Botnets: Detection, Measurement, Disinfection & Defense, Europian Network and Information Security Agency IIT Indore © Neminath Hubballi Active Countermeasures Identifying infected Machines through DNS Cache Snooping This will help identify whether any machines in the local network are part of a malicious domain Issue a query to a DNS server for a domain which is suspicious Verify the TTL value If any other machine has already visited that domain, it is likely that TTL value has decreased w.r.t the default TTL value given by authoritative name server Another variation is through by setting RD flag off IIT Indore © Neminath Hubballi Active Countermeasures Courtesy: Botnets: Detection, Measurement, Disinfection & Defense, Europian Network and Information Security Agency IIT Indore © Neminath Hubballi