Botnet Communication Topologies

Similar documents
Size Matters Measuring a Botnet Operator s Pinkie

Automating Security Response based on Internet Reputation

Copyright

THE ACCENTURE CYBER DEFENSE SOLUTION

Security & Phishing

CYBER RESILIENCE & INCIDENT RESPONSE

Real-time Protection for Microsoft Hyper-V

Large-Scale Internet Crimes Global Reach, Vast Numbers, and Anonymity

Protecting Against Encrypted Threats

THE STATE OF MEDIA SECURITY HOW MEDIA COMPANIES ARE SECURING THEIR ONLINE PROPERTIES

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

DDoS MITIGATION BEST PRACTICES

The Interactive Guide to Protecting Your Election Website

Botnet Detection. Botnet Detection for Communications Service Providers

GDPR. The new landscape for enforcing and acquiring domains. You ve built your business and your brand. Now how do you secure and protect it?

Evolution of Spear Phishing. White Paper

AKAMAI CLOUD SECURITY SOLUTIONS

Wayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk

FOR FINANCIAL SERVICES ORGANIZATIONS

Supercharge Your SIEM: How Domain Intelligence Enhances Situational Awareness

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

PineApp Mail Secure SOLUTION OVERVIEW. David Feldman, CEO

RSA INCIDENT RESPONSE SERVICES

SOLUTION MANAGEMENT GROUP

Privileged Account Security: A Balanced Approach to Securing Unix Environments

Cato Cloud. Software-defined and cloud-based secure enterprise network. Solution Brief

Advanced Threat Defense Certification Testing Report. Trend Micro Incorporated Trend Micro Deep Discovery Inspector

RSA INCIDENT RESPONSE SERVICES

Segment Your Network for Stronger Security

IBM Cloud Internet Services: Optimizing security to protect your web applications

Phishing Activity Trends Report August, 2006

GNSO Issues Report on Fast Flux Hosting

with Advanced Protection

Neustar Security Solutions Overview

Transforming Security from Defense in Depth to Comprehensive Security Assurance

DNS Security. Ch 1: The Importance of DNS Security. Updated

Fast Flux Hosting Final Report. GNSO Council Meeting 13 August 2009

Putting security first for critical online brand assets. cscdigitalbrand.services

May the (IBM) X-Force Be With You

BIG DATA INDUSTRY PAPER

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

Security by Default: Enabling Transformation Through Cyber Resilience

Standard Categories for Incident Response (definitions) V2.1. Standard Categories for Incident Response Teams. Definitions V2.1.

ForeScout ControlFabric TM Architecture

Dynamic Botnet Detection

INTELLIGENCE DRIVEN GRC FOR SECURITY

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

WHOIS High-Level Technical Brief

Phishing Activity Trends

Use Cases. E-Commerce. Enterprise

Chapter 2 Malicious Networks for DDoS Attacks

Implementation Guide - VPN Network with Static Routing

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

The McAfee MOVE Platform and Virtual Desktop Infrastructure

Cyber Threat Landscape April 2013

The Cost of Phishing. Understanding the True Cost Dynamics Behind Phishing Attacks A CYVEILLANCE WHITE PAPER MAY 2015

SIEM: Five Requirements that Solve the Bigger Business Issues

5 Trends That Will Impact Your IT Planning in Layered Security. Executive Brief

Phishing Activity Trends

Botnets: A Survey. Rangadurai Karthick R [CS10S009] Guide: Dr. B Ravindran

RSA FRAUDACTION ANTI-PHISHING SERVICE: BENEFITS OF A COMPREHENSIVE MITIGATION STRATEGY

Q-Balancer Range FAQ The Q-Balance LB Series General Sales FAQ

Imperva Incapsula Survey: What DDoS Attacks Really Cost Businesses

THE EVOLUTION OF SIEM

CYBERCRIME AS A NEW FORM OF CONTEMPORARY CRIME

Borderless security engineered for your elastic hybrid cloud. Kaspersky Hybrid Cloud Security. #truecybersecurity

NETWORK FORENSIC ANALYSIS IN THE AGE OF CLOUD COMPUTING.

FIREWALL BEST PRACTICES TO BLOCK

Designing an Exchange 2000/2003 Routing Group Connector Topology

PALANTIR CYBERMESH INTRODUCTION

INSIDE. Symantec AntiVirus for Microsoft Internet Security and Acceleration (ISA) Server. Enhanced virus protection for Web and SMTP traffic

THE CYBER SECURITY PLAYBOOKECTOR SHOULD KNOW BEFPRE, DURING & AFTER WHAT EVERY DIRECTOR SHOULD KNOW BEFORE, DURING AND AFTER AN ATTACK

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

Symantec Protection Suite Add-On for Hosted Security

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

June 2 nd, 2016 Security Awareness

Cato Cloud. Solution Brief. Software-defined and Cloud-based Secure Enterprise Network NETWORK + SECURITY IS SIMPLE AGAIN

Advanced Threat Defense Certification Testing Report. Symantec Corporation Symantec Advanced Threat Protection

Achieving End-to-End Security in the Internet of Things (IoT)

Modern two-factor authentication: Easy. Affordable. Secure.

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

Security and Compliance for Office 365

Sizing and Scoping ecrime

Reduce Your Network's Attack Surface

SOLUTION BRIEF RSA NETWITNESS NETWORK VISIBILITY-DRIVEN THREAT DEFENSE

PURPOSE STATEMENT FOR THE COLLECTION AND PROCESSING OF WHOIS DATA

Check Point 4800 with Gigamon Inline Deployment Guide

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT?

Think You re Safe from DDoS Attacks? As an AWS customer, you probably need more protection. Discover the vulnerabilities and how Neustar can help.

DNS Firewall with Response Policy Zone. Suman Kumar Saha bdcert Amber IT Limited

Optimal Gateway Selection for Pulse Connect Secure with Pulse Secure Virtual Traffic Manager

Symantec Security Monitoring Services

WHITEPAPER THE EVOLUTION OF APPSEC: FROM WAFS TO AUTONOMOUS APPLICATION PROTECTION

HOW TO ANALYZE AND UNDERSTAND YOUR NETWORK

ELECTRONIC BANKING & ONLINE AUTHENTICATION

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

Optimizing Pulse Secure Access Suite with Pulse Secure Virtual Application Delivery Controller solution

IBM TS7700 grid solutions for business continuity

Securely Access Services Over AWS PrivateLink. January 2019

Fighting Spam, Phishing and Malware With Recurrent Pattern Detection

Transcription:

Understanding the intricacies of botnet Command-and-Control By Gunter Ollmann, VP of Research, Damballa, Inc. Introduction A clear distinction between a bot agent and a common piece of malware lies within a bot s ability to communicate with a Command-and-Control (CnC) infrastructure. CnC allows a bot agent to receive new instructions and malicious capabilities, as dictated by a remote criminal entity. This compromised host then can be used as an unwilling participant in Internet crime as soon as it is linked into a botnet via that same CnC. The criminals actively controlling botnets must ensure that their CnC infrastructure is sufficiently robust to manage tens-of-thousands of globally scattered bot agents, as well as resist attempts to hijack or shutdown the botnet. Botnet operators have consequently developed a range of technologies and tactics to protect their CnC investment. This paper reviews the tactics commonly employed by botnet operators to maintain control of their botnets and the impact of these tactics on standard network-blocking protection stratagems. Botnet Topology Botnets come in all kinds of shapes and sizes. As a result, they employ a range of CnC topologies in response to commercial defenses, legal shutdowns and hijacking attempts. This evolution means that a criminal botnet operator has a number of wellstudied CnC topology options to base a new botnet upon each of which have relative strengths and weaknesses. Botnet CnC topologies have been optimized to minimize network chatter and system failures, just like commercial-grade technology tasked with remotely managing tens of thousands of hosts. The precise CnC topology selected by a botnet operator often reflects that individual s perceived risk to continued command access and the financial business model of that botnet. CnC topologies encountered in the wild typically match one of the following types: Star Multi-server Hierarchical Random Star The Star topology relies upon a single centralized CnC resource to communicate with all bot agents. Each bot agent is issued new instructions directly from the central CnC point. Targeted Protection Against Targeted Attacks

When a bot agent successfully breaches a victim computer, it is normally preconfigured to phone home to this central CnC, whereupon it registers itself as a botnet member and awaits new instructions. Pros Speed of Control The direct communication between the CnC and the bot agent means that instructions (and stolen data) can be transferred rapidly Cons Single point of failure If the central CnC is blocked or otherwise disabled, the botnet is effectively neutered. Figure 1: Star CnC topology with direct communications between the central command hub and each bot agent Multi-Server Multi-Server CnC topology is a logical extension of the Star topology, in which multiple servers are used to provide CnC instructions to bot agents. These multiple command systems communicate amongst each other as they manage the botnet. Should an individual sever fail or be permanently removed, commands from the remaining servers maintain control of the botnet. It takes more planning and effort on the part of the botnet s operator to construct a Multi-Server CnC. However the same bot agents can be used for both Star and Multi- Server topologies. Intelligent distribution of the multiple CnC severs amongst different geographical locations can speed up communications with similarly located bot agents. Likewise, CnC servers simultaneously hosted in multiple countries can make the botnet more resistant to legal shutdown requests. Page 2

Pros No single point of failure Should any single CnC server be disabled, the botnet operator can still maintain control over all bot agents. Geographical optimization Multiple geographically distributed CnC severs can speed up communications between botnet elements. Cons Requires advance planning Additional preparation effort is required to construct a multi-sever CnC infrastructure. Figure 2: Multi-server CnC topology with direct communications between a distributed cluster of central command servers and each bot agent Hierarchical A Hierarchical topology reflects the dynamics of the methods used in the compromise and subsequent propagation of the bot agents themselves. Bot agents have the ability to proxy new CnC instructions to previously propagated progeny agents. However, updated command instructions typically suffer latency issues making it difficult for a botnet operator to use the botnet for real-time activities. A Hierarchical botnet means that no single bot agent is aware of the location of the entire botnet. This configuration makes it difficult for security researchers to estimate the overall size of the botnet. The hierarchical structure also facilitates carving up larger botnets in to sub-botnets for sale or lease to other botnet operators. Page 3

Hierarchical topologies can facilitate a mix of propagation tactics e.g. an initial driveby download infection that then initiates worm capabilities once established inside an enterprise network. Pros Botnet awareness Interception or hijacking of bot agents will not enumerate all members of the botnet and is unlikely to reveal the CnC server. Ease of re-sale A botnet operator can easily carve off sections of their botnet for lease or resale to other operators. Cons Command latency Because commands must traverse multiple communication branches within the botnet, there can be a high degree of latency with updated instructions being received by bot agents. This delay makes some forms of botnet attack and malicious operation difficult. Figure 3: Hierarchical CnC topology with proxied CnC communication Random Botnets with a Random topology (i.e., a dynamic master-slave or peer-to-peer relationship) have no centralized CnC infrastructure. Instead, commands are injected in to the botnet via any bot agent. These commands are often signed as authoritative, which tells the agent to automatically propagate the commands to all other agents. Random botnets are highly resilient to shutdown and hijacking because they lack centralized CnC and employ multiple communication paths between bot agents. However, it is often easy to identify members of the botnet by monitoring a single infected host and observing the external hosts it communicates with. Page 4

Command latency is a problem for Random topology botnets. However, the multiple communication links between bot agents make latency less of a problem than with Hierarchical topologies. Pros Highly resilient Lack of a centralized CnC infrastructure and the many-to-many communication links between bot agents make it very resilient to shutdown. Cons Command latency The ad hoc nature of links between bot agents make CnC communication unpredictable, which can result in high levels of latency for some clusters of bot agents. Botnet enumeration Passive monitoring of communications from a single bot-compromised host can enumerate other members of the botnet. Figure 4: CnC topology with no centralized CnC server infrastructure Lookup Resilience The ability for a bot agent to locate CnC infrastructure is a critical requirement for maintaining control of the entire botnet for botnets that rely upon centralized CnC. If the CnC cannot be found, a bot agent will not be able to receive new instructions. While some bot agents may opt to function in an alternative autonomous zombie mode reverting to embedded instructions for propagation and infection most bot agents will continue to harvest local host information and poll the missing CnC at regularly scheduled times. Page 5

Botnet operators use a number of technologies to increase the probability that bot agents will be able to locate the central CnC infrastructure. These tools and techniques also make botnets more resilient to shut-down and hijacking maneuvers. One key technology that enables CnC location resolution and failover resilience is referred to as fluxing. Fluxing comes in two major flavors: IP Flux Domain Flux Both technologies are used extensively by professional botnet operators. IP Flux IP Flux refers to the constant changing of IP address information (e.g. 192.168.1.1) related to a particular, fully-qualified domain name (e.g. mypc.atl.damballa.com). Botnet operators abuse this ability to change IP address information associated with a host name by linking multiple IP addresses with a specific host name and rapidly changing the linked addresses. This rapid changing aspect is more commonly referred to as fast-flux. There are two types of fast-flux single-flux and double-flux. Single-flux is characterized by having multiple (hundreds or even thousands) IP addresses associated with a domain name. These IP addresses are registered and de-registered rapidly using a combination of round-robin allocation and very short Time-to-live (TTL) values against a particular DNS Resource Record (i.e., A records). Double-flux is a more advanced evolution of Single-flux. Double-flux not only fluxes the IP addresses associated with the fully-qualified domain name (FQDN), but also fluxes the IP addresses of the DNS servers (e.g., NS records) that are in turn used to lookup the IP addresses of the FQDN. Domain Flux Domain flux is effectively the inverse of IP flux and refers to the constant changing and allocation of multiple FQDN s to a single IP address or CnC infrastructure. Techniques applicable to Domain Flux encompass domain wildcarding and newer domain generation algorithms Domain Wildcarding abuses native DNS functionality to wildcard (e.g., *) a higher domain such that all FQDN s point to the same IP address. For example, *.damballa.com could encapsulate both mypc.atl.damballa.com and myserver.damballa.com. This technique is most commonly associated with botnets that deliver spam and phishing content whereby the wildcarded information that appears random (e.g. asdkjlkwer of asdkjlkwer.atl.damballa) is Page 6

used by the botnet operator to uniquely identify a victim, track success using various delivery techniques, and bypass anti-spam technologies. Domain Generation Algorithms are a more recent addition to bot agents. They create a dynamic list of multiple FQDN s each day, which are then polled by the bot agent as it tries to locate the CnC infrastructure. Since the created domain names are dynamically generated in volume and typically have a life of only a single day, the rapid turnover makes it very difficult to investigate or block every possible domain name. Blind Proxy Redirection Both IP Flux and Domain Flux provide advanced levels of redundancy and resilience for the CnC infrastructure of a botnet. However, botnet operators often employ a second layer of abstraction to further increase security and failover blind proxy redirection. Redirection helps disrupt attempts to trace or shutdown IP Flux service networks. As a result, botnet operators often employ bot agents that proxy both IP/domain lookup requests and CnC traffic. These agents act as redirectors that funnel requests and data to and from other servers under the botnet operator s control. These other servers actually serve the content. Location Resilience Most botnets today rely upon DNS as the service for location of CnC infrastructure. Fluxing DNS records provides varying degrees of resilience to shutdown and hijacking that can be best summed up as: Brittle: Less brittle: Resilient: Very resilient: Single domain Single flux Double flux Domain flux Conclusion Understanding the botnet communication topologies that are used by today s criminal operators is a critical component in understanding how to best protect against the overall botnet threat. The topology utilized by the botnet will often dictate the type and degree of actions an enterprise can pursue in either blocking or shutting down a botnet, and the likelihood of success. Independent of the topology, multiple layers of DNS fluxing and redirection make some botnets highly resilient to shutdown or enumeration. All of these techniques are available to botnet operators. Fortunately, very few botnets employ all of them. As a result, by understanding the nuances of each technique and whether a particular botnet is employing it, enterprise security staff gain critical insight into dealing with the threat. Page 7

It is likely an expensive task for a botnet operator to employ all techniques described in this paper after all, doing so requires a great deal of planning and tuning. That said, some well known botnets do employ all of these techniques successfully, and are generally considered to be stable platforms for the delivery of multiple criminal fraud systems. While the topology of the botnet CnC greatly influences its resilience to enumeration and eventual shutdown, its architecture may be independent of the location service being used. For example, it may be a centralized HTTP Web server (brittle) or based upon a loose IRC federation model (less brittle). Therefore, locating and shutting down the actual CnC servers (rather than the location services) will effectively cauterize the threat. The criminals behind botnets are smart and adaptive. It is a safe bet that botnets will increasingly adopt the most advanced permutations of resilient lookup techniques in to the future in order to ensure long-term, stable success. For that reason, Hierarchical or Random topologies will soon replace legacy Star- or Multi-Server based botnets. Further Reading http://faculty.cs.tamu.edu/guofei/paper/dagon_acsac07_botax.pdf http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/botnetta xonomywhitepapernovember2006.pdf How Fast-flux Service Networks Work http://www.honeynet.org/node/132 Page 8

About Damballa, Inc. Damballa protects businesses from bot-driven targeted attacks used for organized, online crime by using the Internet cloud to identify and isolate threats that evade other technologies. Our unique, global approach monitors the Command-and-Control that coordinates botnet attacks to rapidly identify compromised systems and enable immediate control of malicious activity. Global 1000 corporations, large Internet service providers, OEM partners and government agencies use Damballa s signatureless solutions and industryleading research to reinforce existing security infrastructure and stop hidden Internet attacks. The result is dramatically improved security both inside and outside the network perimeter. Damballa is privately held and headquartered in Atlanta, Georgia. Copyright 2009, Damballa, Inc. All rights reserved worldwide. This page contains the most current trademarks for Damballa, Inc., which include Damballa, the Damballa logo and Harvester. The absence of a name or logo on this page does not constitute a waiver of any and all intellectual property rights that Damballa, Inc. has established in any of its products, services, names, or logos. All other marks are the property of their respective owners in their corresponding jurisdictions, and are used here in an editorial context, without intent of infringement. Page 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback