Botnet Detection Based on ICMP
Infiltrations Correlation Pattern
Navaneethan C. Arjuman
PhD Candidate and MyBrain Fellow
nava@nav6.usm.my
National Advanced IPv6 Centre
February 2012
Copyright Nava 2012
Agenda
 Objective
 What are Botnets?
◦ Botnet History
◦ Botnet Usage
◦ Botnet Command and Control (C&C) Mechanism
◦ Botnet Classification
 Botnet Detection Techniques
◦ Anomaly Detection
◦ Correlation Techniques
 Inbound Scanning
◦ Proposed new area on ICMP-based scanning
◦ Mitigation Technique
◦ Research Outcome
What are Botnets?
 An Internet Relay Chat (IRC) based command and control network of compromised hosts (bots)
 A bot is a client program that runs in the background of a compromised host
◦ Watches for certain strings on an IRC channel
◦ These are encoded commands for the bot
 Purpose
◦ DoS, ID theft, phishing, keylogging, spam
◦ Fun AND profit
Botnet History
 The first botnets trace back to August 1988, when IRC was invented at the University of Oulu, Finland
 1989 – First bot – “GM”
◦ Assisted users in managing their own IRC connections
 May 1999 – Pretty Park
◦ Reported in June 1999 in Central Europe
◦ Internet worm – a password-stealing trojan
 1999 – SubSeven
◦ Remote-controlled trojan
Botnet History
 2000 – GTbot (Global Threat)
◦ New capabilities – port scanning, flooding and cloning
◦ Supports UDP and TCP socket connections
◦ Supports an IRC server to run malicious scripts
 2002 – SDbot
◦ Written by a Russian programmer by the name ‘SD’
◦ 40 KB – C++ code
◦ First to publish the code for hackers via a website
◦ Provided e-mail and chat for support
 2002 – Agobot
◦ Modular update
◦ Spread through Kazaa, Grokster, etc.
Botnet History
 2003 – Spybot or Milkit
◦ Derived from SDbot
◦ Comes with spyware capabilities
◦ Spread via file sharing applications and e-mail
 2003 – Rbot
◦ Backdoor trojan on IRC
◦ Compromised vulnerable Microsoft shares on ports 139 and 445
◦ Based on the MSRT report by Microsoft in June 2006 – 1.9 million PCs affected worldwide
 2004 – PolyBot
◦ Polymorphism capabilities
◦ Based on Agobot
Botnet History
 2005 – MyBot
◦ New version of SpyBot
◦ Hybrid coding
◦ Spread via file sharing applications and e-mail
 2006 – P2P-based bot
◦ 1st generation – “SpamThru”, “Nugache”
 Based on “Gnutella” file sharing
◦ 2nd generation – “Peacomm”
 Pure distributed P2P
 2007 – “Storm Botnet”
◦ Truly pure P2P
◦ No single point of failure
◦ Provided high resilience, scalability and difficulty in tracking
 List continues…
What is the latest?
 2010 – Stuxnet
◦ Spreads via Microsoft Windows, and targets Siemens industrial software and equipment
◦ Malware that spies on and subverts industrial systems
◦ Targeted five Iranian organizations – uranium enrichment infrastructure in Iran
 September 2011 – Duqu
◦ Duqu is a computer worm discovered on 1st September 2011
◦ Operation Duqu is the process of only using Duqu for unknown goals
 New trend – new worm and new botnet
Botnet Usage
 DDoS
 Spam
 Sniffing traffic
 Keylogging
 Installing advertisement add-ons and Browser Helper Objects (BHOs)
 Manipulating online polls/games
 Mass ID theft
Botnet Command and Control (C&C) Mechanism
From the botmaster's point of view
 Centralized
◦ Pro – easy to set up, fast command dissemination
◦ Cons – easy to detect, single point of failure
 Peer-to-Peer topology
◦ Pro – decentralized, not easy to detect, no single point of failure
◦ Cons – not easy to set up (more complex), message delivery not guaranteed and high latency
Botnet Command and Control (C&C) Mechanism…
 Unstructured topology – extreme peer-to-peer topology, one-to-one communication
◦ Pro – easy to set up, decentralized, not easy to detect, no single point of failure
◦ Cons – message delivery not guaranteed and high latency
Botnet Classification
Command & Control (C&C)
 IRC based – C&C using an IRC server
 HTTP based – C&C using a web server
 P2P based – C&C on a peer-to-peer protocol
 DNS based – C&C using fast-flux networks
Botnet Detection
 Signature based – able to detect only known bots
 Anomaly based – detects bots based on traffic anomalies
 DNS based – detects based on DNS information
 Mining based – detects based on machine learning, classification and clustering
Anomaly Based Detection
Detects based on traffic anomalies such as
 High network latency
 High volumes of traffic
 Traffic on unusual ports
 Unusual system behaviour
Major advantage
 Can detect unknown bots
Correlation Techniques
 Inbound scanning
 Exploit usage
 Egg downloading
 Outbound bot coordination dialog
 Outbound attack propagation
 Malware P2P communication
Scanning for recruits
(Diagram not reproduced: black – C&C traffic, red – scan information. Source: VASCAN 2005, Copyright Marchany 2005)
Bot Attack Strategy
 Recruitment of the agent network
◦ Finding vulnerable systems
◦ Breaking into vulnerable systems
 Protocol attack
 Middleware attack
 Application or resource attack
 Controlling the agent network
◦ Direct, indirect commands
◦ Updating malware
◦ Unwitting agents
Finding Vulnerable Systems
 Blended threat scanning
◦ Program(s) that provide command & control using IRC bots
 IRC commands tell the bot (e.g. Power) to do a netblock scan
 Bot builds a list of vulnerable hosts, informs the attacker via the botnet
 Attacker gets the file and adds it to a master list
Inbound Scanning
There are several inbound port scanning methods available. All port scanning methods work if the target host complies with RFC 793 – Transmission Control Protocol (TCP).
 Internet Control Message Protocol (ICMP)
 Transmission Control Protocol (TCP)
 User Datagram Protocol (UDP)
 SYN
 ACK
 Window
 FIN
Inbound Scanning…
Other types (uncommon)
 X-mas and Null
 Protocol
 Proxy
 Idle
 CatSCAN
Why use ICMP Scanning?
Understanding ICMP-based attacks
Attackers prefer to do inbound scanning based on ICMP because
 ICMP scanning provides high-level target scanning
 Elimination of target network – Type 3, Code 0 – Destination network unreachable
Why use ICMP Scanning? …
 Elimination of target host – Type 3, Code 1 – Destination host unreachable
 Elimination of particular protocol – Type 3, Code 2 – Destination protocol unreachable
 Elimination of particular port – Type 3, Code 3 – Destination port unreachable
Why use ICMP Scanning? …
 Smaller payload – unnoticeable in terms of the volume increase detection relies on
 More reliable reply – returned as an error message, compared to TCP and UDP
Understanding ICMP
Currently there are two (2) types
 ICMPv4
 ICMPv6
ICMPv4
 Core protocol of the Internet Protocol Suite
 Defined under RFC 792
 Mainly used to provide error messages
 ICMP messages are typically generated in response to errors in IP datagrams (as specified in RFC 1122) or for diagnostic or routing purposes
 ICMP errors are always reported to the original source IP address of the originating datagram.
ICMPv4 – IP Datagram
Bits | 0-7  | 8-15 | 16-23 | 24-31
0    | TYPE | CODE | CHECKSUM
32   | REST OF HEADER
 Type – ICMP type as specified below.
 Code – Subtype to the given type.
 Checksum – Error checking data. Calculated from the ICMP header+data, with value 0 for this field. The checksum algorithm is specified in RFC 1071.
 Rest of Header – Four-byte field. Will vary based on the ICMP type and code.
ICMPv4 – Type
Type range
 There are 0-255 types
 0 till 41 – already defined
 42 till 255 – reserved
Special attention is focused on the following types
 Type 3
 Type 9 and 10
 Type 15 and 16
 Type 17 and 18
 Type 37 and 38
ICMPv4 – Type 3
Below are the special codes that require the most attention
Code range
 0 – Destination network unreachable
 1 – Destination host unreachable
 2 – Destination protocol unreachable
 3 – Destination port unreachable
 6 – Destination network unknown
 7 – Destination host unknown
ICMPv4 – Type 3
 8 – Source host isolated
 9 – Network administratively prohibited
 10 – Host administratively prohibited
 11 – Network unreachable for TOS
 12 – Host unreachable for TOS
 13 – Communication administratively prohibited
ICMPv4 – Other Types
 Type 9, Code 0 – Router Advertisement
 Type 10, Code 0 – Router discovery/selection/solicitation
 Type 15, Code 0 – Information Request
 Type 16, Code 0 – Information Reply
 Type 17, Code 0 – Address Mask Request
 Type 18, Code 0 – Address Mask Reply
 Type 37, Code 0 – Domain Name Request
 Type 38, Code 0 – Domain Name Reply
ICMPv4 – ICMP Fault Monitoring Features Sample Capture
(Screenshot not reproduced)
ICMPv6
 Internet Control Message Protocol (ICMP) for Internet Protocol version 6 (IPv6)
 Defined under RFC 4443
 Mainly used for error messages
 Several extensions have been published, defining new ICMPv6 message types as well as new options for existing ICMPv6 message types
 Neighbor Discovery Protocol (NDP) is a node discovery protocol in IPv6 which replaces and enhances the functions of ARP
ICMPv6
 Secure Neighbor Discovery Protocol (SEND) is an extension of NDP with extra security.
 Multicast Router Discovery (MRD) allows discovery of multicast routers.
 ICMPv6 messages may be classified into two categories: error messages and information messages
 ICMPv6 messages are transported by IPv6 packets in which the IPv6 Next Header value for ICMPv6 is set to 58.
ICMPv6 – IP Datagram
Bit Offset | 0-7  | 8-15 | 16-31
0          | Type | Code | Checksum
32         | Message Body
 Type – ICMP type as specified below.
 Code – Subtype to the given type.
 Checksum – Error checking data. Calculated from the ICMP header+data, with value 0 for this field.
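The following is an added example (editor's code, not from the deck or from iNetmon) that parses the common 4-byte Type | Code | Checksum header shown in the ICMPv4 and ICMPv6 datagram slides above and verifies the RFC 1071 checksum; for ICMPv6 the sum additionally covers the IPv6 pseudo-header (source, destination, upper-layer length, Next Header 58), which ICMPv4 omits. The addresses and the quoted datagram bytes are constructed, not captured.

```python
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58  # IPv6 Next Header value that identifies ICMPv6 (RFC 4443)


def rfc1071_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit big-endian words, folded, then complemented."""
    if len(data) % 2:
        data += b"\x00"  # odd-length data is padded with a zero byte for the sum only
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv6_pseudo_header(src: str, dst: str, icmp_len: int) -> bytes:
    """Pseudo-header that ICMPv6 (unlike ICMPv4) prepends to the summed data:
    source, destination, upper-layer length, three zero bytes, Next Header = 58."""
    return (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I3xB", icmp_len, ICMPV6_NEXT_HEADER))


def build_icmp(msg_type: int, code: int, rest: bytes, v6=None) -> bytes:
    """Assemble Type | Code | Checksum | rest ('rest of header' plus data); the checksum
    is computed with its own field zeroed. v6=(src, dst) selects the ICMPv6 checksum."""
    msg = struct.pack("!BBH", msg_type, code, 0) + rest
    prefix = ipv6_pseudo_header(*v6, len(msg)) if v6 else b""
    return msg[:2] + struct.pack("!H", rfc1071_checksum(prefix + msg)) + msg[4:]


def parse_icmp(msg: bytes, v6=None) -> dict:
    """Split out the 4-byte common header and verify the checksum: summing a correct
    message (plus the pseudo-header for v6) *including* its checksum field gives 0."""
    msg_type, code, csum = struct.unpack("!BBH", msg[:4])
    prefix = ipv6_pseudo_header(*v6, len(msg)) if v6 else b""
    return {"type": msg_type, "code": code, "checksum": csum,
            "valid": rfc1071_checksum(prefix + msg) == 0,
            "rest_of_header": msg[4:8], "body": msg[8:]}


# Constructed samples, not captures. A real Type 3 / Type 1 error carries 4 unused bytes
# and then quotes the offending datagram's header and leading bytes; a dummy stands in here.
QUOTED_DATAGRAM = bytes(4) + b"\x45\x00\x00\x1c\x00\x01\x00\x00\x40\x11" + bytes(18)
ICMPV4_PORT_UNREACHABLE = build_icmp(3, 3, QUOTED_DATAGRAM)  # ICMPv4 Type 3, Code 3
V6_ENDPOINTS = ("2001:db8::1", "2001:db8::2")  # (reporting node, original probe source)
ICMPV6_PORT_UNREACHABLE = build_icmp(1, 4, QUOTED_DATAGRAM, V6_ENDPOINTS)  # ICMPv6 Type 1, Code 4
```

A monitor that validates the checksum before classifying the message avoids counting corrupted or forged-looking error traffic in its scanning statistics.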
ICMPv6 – Type
Special attention is focused on the following types
 Type 1
 Type 128 and 137
 Type 139 and 153
ICMPv6 – Type 1
Below are the special codes that require attention when scanning takes place
Code range
 0 – no route to destination
 1 – communication with destination administratively prohibited
 2 – beyond scope of source address
 3 – address unreachable
 4 – port unreachable
ICMPv6 – Type 1
 7 – source address failed ingress/egress policy
 8 – reject route to destination
ICMPv6 – Other Types
 Type 128, Code 0 – Echo Request
 Type 129, Code 0 – Echo Reply
 Type 130, Code 0 – Multicast Listener Query
 Type 133, Code 0 – Router Solicitation (NDP)
 Type 134, Code 0 – Router Advertisement (NDP)
 Type 135, Code 0 – Neighbor Solicitation (NDP)
 Type 136, Code 0 – Neighbor Advertisement (NDP)
ICMPv6 – Other Types
 Type 139, Code 0 till 2 – ICMP Node Information Query
 Type 140, Code 0 till 2 – ICMP Node Information Response
 Type 141, Code 0 – Inverse Neighbor Discovery Solicitation Message
 Type 142, Code 0 – Inverse Neighbor Discovery Advertisement Message
 Type 144, Code 0 – Home Agent Address Discovery Request Message
ICMPv6 – Other Types
 Type 145, Code 0 – Home Agent Address Discovery Reply Message
 Type 146, Code 0 till 2 – Mobile Prefix Solicitation
 Type 147, Code 0 – Mobile Prefix Advertisement
 Type 151 – Multicast Router Advertisement (MRD)
 Type 152 – Multicast Router Solicitation (MRD)
Mitigating ICMP Based Scanning Attacks
Capturing these ICMP error messages gives a high-probability indication that an attack is taking place
 Proposed new profiling algorithm
 Proposed new ICMP-based scanning profiling applications
 Need to improve the existing iNetmon ICMP default monitoring features
Mitigating ICMP Based Scanning Attacks…
 Integration with the profiling system is required to correlate with the other correlation factors such as
◦ Exploit usage
◦ Egg downloading
◦ Outbound bot coordination dialog
◦ Outbound attack propagation
◦ Malware P2P communication
 Systems such as BotHunter (a Snort-based correlation engine) are already available that perform correlation on the above-mentioned features.
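The deck leaves the proposed profiling algorithm unspecified; what follows is an added sketch by the editor (not the author's algorithm and not iNetmon or BotHunter code) of the defender-side correlation the mitigation slides describe: group the ICMPv4 Type 3 / ICMPv6 Type 1 unreachable errors a network returns by the host that receives them, and flag a receiver that collects errors about many distinct probed addresses within a short window, which is the signature of a sweep rather than a single mistyped address. The events, addresses and thresholds are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# A subset of the unreachable codes the deck lists (ICMPv4 Type 3, ICMPv6 Type 1) and
# what each one lets a scanner eliminate: a network, host, protocol or port.
UNREACHABLE = {(4, 3, 0): "network", (4, 3, 1): "host", (4, 3, 2): "protocol",
               (4, 3, 3): "port", (4, 3, 6): "network", (4, 3, 7): "host",
               (6, 1, 0): "network", (6, 1, 3): "host", (6, 1, 4): "port"}

@dataclass(frozen=True)
class IcmpError:
    ts: float        # capture time in seconds
    version: int     # 4 or 6
    reporter: str    # router or host that emitted the error
    receiver: str    # where the error is delivered, i.e. the original probe's source
    probed: str      # original destination, read from the datagram quoted in the error
    icmp_type: int
    code: int

def profile_icmp_scanning(events, window=60.0, min_targets=8):
    """Group unreachable errors by the host they are returned to and flag a host that,
    within one `window`, collected errors about >= min_targets distinct probed
    addresses: the pattern a sweep produces and a single mistyped address does not."""
    per_receiver = defaultdict(list)
    for ev in events:
        kind = UNREACHABLE.get((ev.version, ev.icmp_type, ev.code))
        if kind:  # echo replies, time exceeded, etc. are not scanning feedback
            per_receiver[ev.receiver].append((ev.ts, ev.probed, kind))
    alerts = {}
    for receiver, errs in per_receiver.items():
        errs.sort()
        start, best = 0, []
        for end in range(len(errs)):  # sliding time window over the sorted errors
            while errs[end][0] - errs[start][0] > window:
                start += 1
            span = errs[start:end + 1]
            if len({p for _, p, _ in span}) > len({p for _, p, _ in best}):
                best = span
        targets = {p for _, p, _ in best}
        if len(targets) >= min_targets:
            alerts[receiver] = {"distinct_targets": len(targets),
                                "eliminated": sorted({k for _, _, k in best})}
    return alerts

# Constructed sample, not a capture: a router returns host-unreachable about ten consecutive
# addresses to one external host within 20 s, plus one isolated port-unreachable elsewhere.
SAMPLE_EVENTS = [IcmpError(10 + 2 * i, 4, "10.0.0.1", "203.0.113.5", f"10.0.0.{20 + i}", 3, 1)
                 for i in range(10)]
SAMPLE_EVENTS.append(IcmpError(300, 4, "10.0.0.50", "198.51.100.7", "10.0.0.50", 3, 3))
```

The per-receiver alert is the "inbound scanning" evidence that a correlation engine would then combine with the other factors listed above (exploit usage, egg downloading and so on) before declaring a bot infection.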
Proposed Research Outcome
 Publish papers (focus on ISI standard) and journal articles based on these techniques
 Develop the ICMP-based scanning profile algorithm
 Build an ICMP-based scanning profile solution (can modify Nmap and add the ICMP profiling algorithm)
References
 www.sunbeltsoftware.com/ihs/alex/rmbotnets.ppt
 http://www.bothunter.net/doc/users_guideWIN.html
 http://www.iana.org/assignments/icmpv6parameters
 http://www.sans.org/securityresources/idfaq/icmp_misuse.php
 “Know your Enemy: Tracking Botnets”, Lance Spitzner, http://www.honeynet.org/papers/bots
 http://en.wikipedia.org/wiki/ICMPv6
 http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
 http://en.wikipedia.org/wiki/Stuxnet
 http://en.wikipedia.org/wiki/Duqu
Thank You