A presentation about botnets: what are, how they works, detection techniques and countermeasures

1. About Botnets
Alain Bindele
matr:695164

2. Summary
Introduction & Definitions
Main characteristics
Botnet examples
Countermeasures

3. Testo
Part I Introduction & Definitions
A Botnet is a collection of Internet-connected programs
communicating with other similar programs in order to
perform tasks

4. Malware
taxonomy:
Virus
Worm
Trojan
Botnet
!

5. Malware
taxonomy:
Virus
Worm
Trojan
Botnet
!
(Let’s make some order)

6. Malware
taxonomy:
Virus
Worm
Trojan
Botnet
!

7. Virus
A virus is a self-replicating program that infect an host,
often appending itself to other executables. It needs
the user action that runs (often unintentionally) the
infected executable file to start inflicting to the system
any kind of damage (from unwanted behaviours like
open windows or popups or the scrambling of the
desktop icons to the complete freeze of the system).

8. Malware
taxonomy:
Virus
Worm
Trojan
Botnet
!

9. Worm
A worm just like a virus is a damaging autoreplicating
software but unlike viruses it spread its copies
exploiting systems vulnerabilities and therefore it
doesn't necessary need the human interaction.

10. Malware
taxonomy:
Virus
Worm
Trojan
Botnet
!

11. Trojan
A trojan is just like the above malware but it typically
hide a so called "backdoor": a server running in
background waiting for a connection and giving to the
attacker some level of remote control over the infected
machine.

12. Malware
taxonomy:
Virus
Worm
Trojan
Botnet
!

13. Botnet
"Bot" is a term used to refer both the program and the
machine running them (often referred as "zombie").
Notice that botnets have all charateristics of the
previous malware types: damage, selfspreading and
remote control but also has the ability to organize many
bots to form a network.

14. –Agent Smith
“Never send a human to do a machine's job.”

15. Purposes
steal personal data
abuse the victim’s CPU
abuse the network bandwidth
click frauds
spamming
phishing
espionage, intelligence and
cyber-war

16. Personal data stealing
Some botnet are designed to scan computers files and
monitor user interaction (generally using key loggers )
and browser activity to steal password, contacts email,
check account etc
eg. Zeus, Waledac, Skynet

17. CPU abusing
Some botnet (eg. ZeroAccess and Skynet) uses
victim’s CPU to perform bitcoin mining or brute force
hash reversing and password attacks
eg. ZeroAccess, Skynet

18. Network bandwidth abusing
Many bonnet uses victim’s network bandwidth to
perform dDoS attacks.
A Denial of Service (DoS) is an offensive action wich
prevent a single server or an entire network to supply a
service. When the coordination many hosts (like a
botnet) is used to attack some service host or network
we talk about dDoS (distributed DoS)
eg. Waledac, Skynet, Storm, Mariposa
and many others..

19. Click frauds
Controlling or implementing browser functionalities a
bot could automatically browse and click links,
scamming pay per click companies.
eg. ZeroAccess, Chameleon

20. Spamming
Botnet are widely used for spamming purpose. A 2004
survey estimated that lost productivity costs Internet
users in the United States $21.58 billion annually, while
another reported the cost at $17 billion, up from $11
billion in 2003.[wikipedia]
eg. Waledac, MegaD, Kraken, Lethic
and many others..

21. Phishing frauds
Spam is also a medium for fraudsters to scam users
into entering personal information on fake Web sites
using emails forged to look like they are from banks or
other organizations, such as PayPal. This is known as
phishing. Targeted phishing, where known information
about the recipient is used to create forged emails, is
known as spear-phishing [wikipedia]

22. Botnet Lifecycle
initial infection
secondary injection
bootstrap
malicious C&C
update and maintenance

23. Initial infection
This phase starts when the attacker scans a system
looking for some vulnerability to exploit. Many
softwares (e.g. Metasploit) and techniques (e.g. social
engineering) can be used to conduct this preliminary
attack phase which ends when the malicious software
(sometime referred as payload or shell-code) is
successfully injected in the target machine.

24. Secondary Injection
The second phase starts with the code execution,
when the malware is loaded in the computer memory
and being processed i.e. when it actually runs on the
target machine turning the target machine into a
"zombie".

25. Bootstrap
In this phase the malware establishes a connection
with the C&C and/or the rest of the network
(depending on the network topology) that could include
many other kind of servers. In that phase the bot
become ready to serve the bot herder commands that
are acquired in the next phase.

26. C&C instruction phase
In that phase the bot herder remotely instruct the bot
to perform some task.
eg. perform a dDoS attack versus some target host,
collect personal data etc.

27. Update & Mantainance
Many bots could update themselves automatically or
programmatically. In the case of spamming botnet they
could periodically update their mail templates.

28. Attack vectors
any medium, hardware or software used to subvert the normal
execution of a computer system
USB drives
E-mail
Files
Buggy software
Open ports
…

29. dDoS attack
Volumetric Attacks
TCP State-Exhaustion
Attacks
Application Layer
Attacks

30. Volumetric attack
These attacks attempt to
saturate the bandwidth of
the targeted system (it could
be a single host or an entire
network service) and could
be achieved by generating
an enormous amount of
traffic in the network.
Examples of volumetric
attacks include ICMP,
Fragment and UDP floods.

31. These attempt to consume
the connection state tables
which are present in many
infrastructure components
such as load-balancers,
firewalls and the application
servers themselves.
Syn-flood attack is one of
such techiques that could
lead to the unusability of a
misconfigured system.
TCP State-Exhaustion Attacks

32. Application Layer Attacks
These target some
aspect of an application
or service at Layer-7.
Generating a relatively
high volume of requests
(HTTP GET/POST flood
etc.) servers could be
crammed with complex
tasks and jobs queues.

33. Botnet characteristics
Topology
Lookup Resilience
Blind proxy redirection
Polymorphism

34. Topology
Centralized:
Star topology
Multi-server
Decentralized
P2P

35. Testo
Star topology
All bots are connected to a central server

36. Testo
Hierarchical
Bots are connected to a backbone of intermediate servers
that receives instructions from one or more C&C servers

37. Testo
P2P
There’s not a single C&C, every computer in the
network communicates with a set of neighbors.

38. Lookup resiliency
IP fast Flux
Single Flux
Double Flux
Domain flux
Wildcarding
DGA

39. Fluxing
IP Flux: is the periodic change of ip address
associates to a particular fully qualified domain name
(FQDN).
Domain flux: is effectively the inverse of IP flux.
Instead of change the ip, we change the name
associated.
High frequency fluxing is named Fast-Flux

40. IP Flux (two flavors)
Single-flux is the simplest form: we have multiple
(hundreds or even thousands) ip addresses associated with
a domain name. These IP addresses are registered and de-
registered rapidly on a particular DNS server using round-
robin algorithms and very short Time-to-live (TTL) values.
Double-flux is the evolution of Single-flux wich not only
fluxes the IP addresses associated with the fully-qualified
domain name, but also fluxes the IP addresses of the DNS
servers used to lookup the IP addresses of the FQDN.

41. Dns Wildcarding
Domain Wildcarding abuses the DNS functionality to
wildcard an higher domain such that all FQDN’s point
to the same IP address.
eg. *.domain.com could encapsulate both
mypc.foo.domain.com and myserver.domain.com

42. Domain generation
Algorithm
In Domain Generation Algorithms (DGA), a periodically
changed list of FQDN’s is created, these names are
then polled by the bot agent looking for the C&C
infrastructure. Since the created domain names are
dynamically generated in volume and typically have a
short life of a single day, the turnover makes it very
difficult to investigate or block every possible domain
name

43. Blind proxy redirection
With this technique some host of the botnet acts like a
proxy, interrupting the tracing attempts to discover and
shutdown the flux services network (dns register, C&C
etc.) Relay-nodes basically act as an intermediary
between the slave-nodes and the master command-
and-control servers, as well as for each other

44. Blind Proxy Redirection
Pro*
Anonymity
Con*
Lower Propagation
Speed
*from a bot herder perspective, from a law enforcer’s perspective it’s exactly the opposite

45. Polymorphism
What is?
Server side
Repacking

46. Polymorphism
Every time an antivirus is updated it
downloads the digital signature of known
malware and then comparing the signature
of the executables on the machine with the
one stored on the database could detect
and remove the threatening software.
As countermeasure to that, malware
programmers uses to repack and encrypt
the binaries of their software in order to
diffuse it. Some of them also continuously
downloads the new code to execute
changing its signature and hence remaining
hidden to the antivirus software that
couldn't know a priori all possible signature
of an encrypted executable .

47. Testo
Part II Case of study
Botnets real examples

49. Testo
Part III Countermeasures

50. Stakeholders
Institutions
Law enforcers
Research
Corporations
Single Users

51. Attack Points
C&C server
DNS denial
Takedown C&C
Infected Host
AV, firewalling
Botnet Communications
sinkholing

52. Steps
Detection
Cleaning
defensive strategies
offensive strategies

53. Detectors classification
Signature based
File monitoring
Connection monitoring
Anomaly based
Self-learning
Programmed
Compound

54. Signature based
There is a database of
known threat. Files or
connection are scanned
to search matching
events.
Pro: zero false positives
Con: unable to detect
unknown malware

55. Self-Learning detection
The system first learns from an
initial condition (usually safe)
and, in a second phase,
controls if the system behave
accordingly to that condition. If
the observed system diverges
from the "normal" condition it
will be notified.
Pro: could detect zero-days
attack
Con: could give false positives

56. Programmed detection
Statistics, rules and
thresholds are used to
define some anomaly
condition. If system
matches anomaly
conditions alert will be
raised.
Pro: could detect zero-days
attack
Con: doesn’t scales very well

57. Anomaly based detectors
“something that is abnormal is probably suspicious”
Self-learning systems learn by
example what constitutes normal
for the installation typically by
observing traffic for an extended
period of time and building some
model of the underlying process.
[2]
(stocastic models, machine
learning, hidden markov models,
neural network, hybrid models)

58. Other methods
Honey-Pot
Honeypot refers to a decoy system
to entice the attention of attackers
to attack this computer system to
having an aim of protecting the
critical targets. Honeypots are
computer systems which don't have
any production value. According to
this concept, a resource that
expects no data, so any traffic to or
from it is most likely suspicious
activity and must be investigated [3]

59. Other methods
DNS based
DNS-based detection techniques
are based on particular DNS
information generated by a Botnet.
DNS-based detection techniques
are similar to anomaly detection
techniques as similar anomaly
detection algorithms are applied
on DNS traffic [4][6][9]

60. Countermeasures
a proposed taxonomy [3]
Signature based
Honey-Pot based
Anomaly based
DNS based
Mining based
Network based

61. Testo
Detectors taxonomy
Some detectors described in [2] grouped by features
(march 2000)

62. Other detectors
Bot-hunter [7]
Cisco® Cyber Threat Defense Solution 1.0 [8]
Snort [10]
ETPro™ Ruleset (works with Snort) [11]
The Botnets [12]
RUBotted [13]

63. Offensive strategies
Mitigation
C&C takedown
Block botnet traffic at ISP level
(sinkholing, BGP blackholing …)
Manipulation
Leverage bot command layer
Infiltration & Poisoning
Exploitation
Leverage bot leaks

64. Mitigation
Strategies for mitigation are offensive, technical means
that slow botnets down, by consuming resources for
instance. Examples can be temporary DoS attempts
against C&C servers, trapping and holding connections
from infected machines, or blocking of
malicious domains. [5]

65. Manipulation
Possible manipulation can be the alteration or removal
of DDoS or Spam commands as well as commands to
download and execute programs, which allows a
remote cleanup of infected machine. Less invasive
options include dropping collected personal data,
like credit card or banking details, replacing them by
fake information, or issuing commands to make bots
stop the collection [5].

66. Exploitation
is a special strategy that makes use of bugs found in
bots. Like bugs in other products, these can be used
to perform actions on the infected machines. Even
though, this category is the most powerful, it is the one
with the highest risk involved because exploits can
easily crash and damage systems if not designed
carefully [5].

67. Questions?.

68. Testo
The end…(?)

69. Bibliography
[1] http://en.wikipedia.org/wiki/Botnet
[2] Axelsson, Stefan. Intrusion detection systems: A survey and taxonomy. Vol. 99. Technical report, 2000.
[3] Raghava, N. S., Divya Sahgal, and Seema Chandna. "Classification of Botnet Detection Based on Botnet Architechture."
Communication Systems and Network Technologies (CSNT), 2012 International Conference on. IEEE, 2012
[4] Feily, Maryam, Alireza Shahrestani, and Sureswaran Ramadass. "A survey of botnet and botnet detection." Emerging
Security Information, Systems and Technologies, 2009. SECURWARE'09. Third International Conference on. IEEE, 2009.
[5] Leder, Felix, Tillmann Werner, and Peter Martini. "Proactive botnet countermeasures–an offensive approach." The Virtual
Battlefield: Perspectives on Cyber Warfare 3 (2009):
[6] Hu, Xin, Matthew Knysz, and Kang G. Shin. "RB-Seeker: Auto-detection of Redirection Botnets." NDSS. 2009.
[7] http://www.bothunter.net/

70. Bibliography
[8] http://www.cisco.com/c/en/us/solutions/enterprise-networks/threat-defense/index.html
[9] Schiller, Craig, and James R. Binkley. Botnets: The killer web applications. Syngress, 2011.
[10] http://www.snort.org/
[11] http://www.emergingthreats.net/
[12] https://code.google.com/p/botnets/
[13] http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1777&lang_loc=1