08-08-2011 Guide: Dr. B Ravindran
Outline: 1 Introduction 2 3 4 5 6
Big Picture / Recent Incidents / Reasons for Study

Internet Scenario
Major Threats:
- Flooding attacks
- Spamming
- Phishing
- Identity theft, etc.
How is it all possible? By owning a million computers.
Notable Attacks
- South Korean Government websites
- Wordpress.com
- Estonian Government websites
- Yahoo, eBay
- Network security firms
Why is this problem hard?
Key issues:
- Co-ordinated control: CnC channels
- Detection methods available are specific to attack types; the working of bots varies
- Infection vector: a wide array of mechanisms to infect a machine
Definitions / Command and Control / Centralized & P2P

Key Words
- Bot: infected host that can be remotely controlled.
- Botnet: network of bots.
- Botmaster: attacker who controls bots remotely.
- CnC: Command and Control.
- IRC: Internet Relay Chat.
- P2P: Peer-to-Peer communication.
General Working
Uses of CnC: major uses of CnC channels for a bot master:
- Rendezvous for bots
- Give commands to bots
- Updates to bot software
Types of CnC: centralized CnC, P2P CnC
Types
Centralized:
- Major protocol used: IRC
- Easy to control and co-ordinate
- Single point of failure
P2P:
- Distributed servers instead of one
- Highly resilient
- Command latency is high
Modus Operandi
Figure: Botnet. Labelled components: vulnerable machine, DNS lookup, CnC servers, bot binaries, infected hosts, Internet; numbered steps 1 to 5.
Bot download / CnC communication

Communicating with bots
BotMiner [3]
- Argument: bots belonging to the same botnet behave similarly.
- Approach: monitor network traffic from two different views:
  - Activity plane: who is doing what
  - Communication plane: who is talking to whom
- Cluster entities which behave abnormally in both planes.
Other approaches: BotHunter [4]
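As an added example (not from the slides or the BotMiner paper), a simplified BotMiner-style cross-plane correlation over constructed flow and activity records: hosts are clustered by similar communication pattern (C-plane) and by shared malicious activity (A-plane), and only hosts that fall together in both planes are reported. The records, tolerance value and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed C-plane records: (src_host, dst_host, dst_port, flows_per_hour, avg_bytes_per_flow)
C_PLANE = [
    ("10.0.0.5", "198.51.100.7", 6667, 12, 90),     # three hosts with near-identical
    ("10.0.0.6", "198.51.100.7", 6667, 11, 92),     # periodic chatter to one IRC server
    ("10.0.0.9", "198.51.100.7", 6667, 12, 88),
    ("10.0.0.20", "203.0.113.4", 443, 40, 1500),    # two hosts browsing the same web site
    ("10.0.0.21", "203.0.113.4", 443, 3, 2500),     # with very different patterns
]
# Constructed A-plane records: (src_host, activity seen by an IDS or scan detector)
A_PLANE = [
    ("10.0.0.5", "scan"), ("10.0.0.6", "scan"), ("10.0.0.9", "scan"),
    ("10.0.0.20", "none"), ("10.0.0.21", "none"),
]

def _similar(a, b, tol):
    """Same destination and port, and flow rate / flow size within `tol` (relative)."""
    if a[1:3] != b[1:3]:
        return False
    return all(abs(x - y) <= tol * max(x, y) for x, y in zip(a[3:], b[3:]))

def cluster_c_plane(records, tol=0.2):
    """Single-linkage clustering (union-find) of hosts with similar communication."""
    parent = {r[0]: r[0] for r in records}
    def find(h):
        while parent[h] != h:
            h = parent[h]
        return h
    for i, a in enumerate(records):
        for b in records[i + 1:]:
            if _similar(a, b, tol):
                parent[find(a[0])] = find(b[0])
    groups = defaultdict(set)
    for h in parent:
        groups[find(h)].add(h)
    return [g for g in groups.values() if len(g) > 1]

def cluster_a_plane(records):
    """Group hosts by the kind of malicious activity they performed."""
    groups = defaultdict(set)
    for host, activity in records:
        if activity != "none":
            groups[activity].add(host)
    return [g for g in groups.values() if len(g) > 1]

def suspected_botnets(c_plane=C_PLANE, a_plane=A_PLANE):
    """Report host groups that cluster together in BOTH planes; similarity in one
    plane alone (e.g. many users of one web site) is not enough to be flagged."""
    return [frozenset(c & a) for c in cluster_c_plane(c_plane)
            for a in cluster_a_plane(a_plane) if len(c & a) > 1]
```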
IRC based bots
IRC nick name [1]
- Argument: IRC nicks used by bots follow a regular pattern.
IRC traffic [6]: two-step approach
1 Separate IRC traffic from other traffic
2 Separate bot IRC traffic from normal IRC traffic
P2P bots
Challenges [5, 2]
- Loosely coupled nature of P2P protocols
- P2P networks are harder to monitor and shut down
- Bot masters can write custom protocols for CnC
- Can have encrypted communication channels
- Need not follow standard communication behavior
Honeypot

Honeypots & Honeynets [7]
Uses and Working
- To gain insight into bot malware
- Vulnerable system left open for attackers to exploit
Two types: low interaction honeypots, high interaction honeypots
[1] Jan Goebel and Thorsten Holz. Rishi: Identify bot contaminated hosts by IRC nickname evaluation. In USENIX Security Symposium, 2007.
[2] J. B. Grizzard, V. Sharma, C. Nunnery, B. B. H. Kang, and D. Dagon. Peer-to-peer botnets: Overview and case study. In Proceedings of the First Workshop on Hot Topics in Understanding Botnets, pages 1-8. USENIX Association, 2007.
[3] G. Gu, R. Perdisci, J. Zhang, and W. Lee. BotMiner: Clustering analysis of network traffic for protocol- and structure-independent botnet detection. In Proceedings of the 17th USENIX Security Symposium, pages 139-154. USENIX Association, 2008.
[4] G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee. BotHunter: Detecting malware infection through IDS-driven dialog correlation. In Proceedings of the 16th USENIX Security Symposium, pages 1-16. USENIX Association, 2007.
[5] Thorsten Holz, Moritz Steiner, Frederic Dahl, Ernst Biersack, and Felix C. Freiling. Measurements and mitigation of peer-to-peer-based botnets: A case study on Storm Worm. In Networked Systems Design and Implementation, 2008.
[6] W. Lu, M. Tavallaee, and A. A. Ghorbani. Automatic discovery of botnet communities on large-scale communication networks. In Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, pages 1-10. ACM, 2009.
[7] Niels Provos. A virtual honeypot framework. In USENIX Security Symposium, pages 1-14, 2004.
Thank You!