About Botnets

A presentation about botnets: what they are, how they work, detection techniques and countermeasures.

Published in: Internet, Technology
  1. About Botnets. Alain Bindele, matr: 695164
  2. Summary: Introduction & Definitions; Main characteristics; Botnet examples; Countermeasures
  3. Part I: Introduction & Definitions. A botnet is a collection of Internet-connected programs communicating with other similar programs in order to perform tasks.
  4. Malware taxonomy: Virus, Worm, Trojan, Botnet!
  5. Malware taxonomy: Virus, Worm, Trojan, Botnet! (Let's make some order)
  6. Malware taxonomy: Virus, Worm, Trojan, Botnet!
  7. Virus. A virus is a self-replicating program that infects a host, often appending itself to other executables. It needs a user action that runs (often unintentionally) the infected executable file before it can start inflicting damage of any kind on the system (from unwanted behaviours like opening windows or popups or scrambling the desktop icons, to a complete freeze of the system).
  8. Malware taxonomy: Virus, Worm, Trojan, Botnet!
  9. Worm. A worm, just like a virus, is a damaging self-replicating program, but unlike a virus it spreads its copies by exploiting system vulnerabilities and therefore does not necessarily need human interaction.
  10. Malware taxonomy: Virus, Worm, Trojan, Botnet!
  11. Trojan. A trojan is just like the above malware, but it typically hides a so-called "backdoor": a server running in the background, waiting for a connection and giving the attacker some level of remote control over the infected machine.
  12. Malware taxonomy: Virus, Worm, Trojan, Botnet!
  13. Botnet. "Bot" is a term used to refer both to the program and to the machine running it (often referred to as a "zombie"). Notice that botnets have all the characteristics of the previous malware types (damage, self-spreading and remote control) but also the ability to organize many bots into a network.
  14. "Never send a human to do a machine's job." – Agent Smith
  15. Purposes: steal personal data; abuse the victim's CPU; abuse the network bandwidth; click fraud; spamming; phishing; espionage, intelligence and cyber-war
  16. Personal data stealing. Some botnets are designed to scan the computer's files and monitor user interaction (generally using key loggers) and browser activity to steal passwords, email contacts, checking account details etc. E.g. Zeus, Waledac, Skynet
  17. CPU abuse. Some botnets (e.g. ZeroAccess and Skynet) use the victim's CPU to perform bitcoin mining or brute-force hash reversing and password attacks.
  18. Network bandwidth abuse. Many botnets use the victim's network bandwidth to perform DDoS attacks. A Denial of Service (DoS) is an offensive action which prevents a single server or an entire network from supplying a service. When many coordinated hosts (like a botnet) are used to attack some service, host or network we talk about DDoS (distributed DoS). E.g. Waledac, Skynet, Storm, Mariposa and many others.
  19. Click fraud. By controlling or implementing browser functionality, a bot can automatically browse and click links, scamming pay-per-click companies. E.g. ZeroAccess, Chameleon
  20. Spamming. Botnets are widely used for spamming. A 2004 survey estimated that lost productivity costs Internet users in the United States $21.58 billion annually, while another reported the cost at $17 billion, up from $11 billion in 2003 [wikipedia]. E.g. Waledac, MegaD, Kraken, Lethic and many others.
  21. Phishing frauds. Spam is also a medium for fraudsters to scam users into entering personal information on fake web sites, using emails forged to look like they are from banks or other organizations such as PayPal. This is known as phishing. Targeted phishing, where known information about the recipient is used to create forged emails, is known as spear-phishing [wikipedia]
  22. Botnet lifecycle: initial infection; secondary injection; bootstrap; malicious C&C; update and maintenance
  23. Initial infection. This phase starts when the attacker scans a system looking for some vulnerability to exploit. Many tools (e.g. Metasploit) and techniques (e.g. social engineering) can be used to conduct this preliminary attack phase, which ends when the malicious software (sometimes referred to as payload or shellcode) is successfully injected into the target machine.
  24. Secondary injection. The second phase starts with code execution, when the malware is loaded into the computer's memory and processed, i.e. when it actually runs on the target machine, turning it into a "zombie".
  25. Bootstrap. In this phase the malware establishes a connection with the C&C and/or the rest of the network (depending on the network topology), which could include many other kinds of servers. In this phase the bot becomes ready to serve the bot herder's commands, which are acquired in the next phase.
  26. C&C instruction phase. In this phase the bot herder remotely instructs the bot to perform some task, e.g. perform a DDoS attack against some target host, collect personal data etc.
  27. Update & maintenance. Many bots can update themselves automatically or programmatically. In the case of spamming botnets they could periodically update their mail templates.
  28. Attack vectors: any medium, hardware or software used to subvert the normal execution of a computer system. USB drives; e-mail; files; buggy software; open ports; …
  29. DDoS attacks: Volumetric attacks; TCP state-exhaustion attacks; Application layer attacks
  30. Volumetric attacks. These attacks attempt to saturate the bandwidth of the targeted system (a single host or an entire network service) and can be achieved by generating an enormous amount of traffic in the network. Examples of volumetric attacks include ICMP, fragment and UDP floods.
  31. TCP state-exhaustion attacks. These attempt to consume the connection state tables present in many infrastructure components such as load balancers, firewalls and the application servers themselves. The SYN flood is one such technique and can render a misconfigured system unusable.
  32. Application layer attacks. These target some aspect of an application or service at Layer 7. By generating a relatively high volume of requests (HTTP GET/POST floods etc.), servers can be crammed with complex tasks and job queues.
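Slide 31 describes state-exhaustion attacks in terms of the connection state table that firewalls, load balancers and servers keep. The Python below is an added example, not part of the original presentation: it replays a constructed client-side packet log (synthetic records built in the code, no real traffic) through a small handshake tracker and applies a programmed threshold to the number of half-open connections each source is holding, which is the defender's view of a SYN flood. The function names (`half_open_by_source`, `syn_flood_suspects`), the addresses and the threshold of 50 are assumptions of the example.

```python
from collections import defaultdict

# Constructed packet log (not real traffic): one tuple per packet sent by a
# client, (src_ip, src_port, dst_ip, dst_port, tcp_flags). A completed
# handshake shows a SYN followed by a bare ACK on the same 4-tuple; a flood
# shows many SYNs that are never completed and never reset.
PACKETS = [
    ("10.0.0.5", 40001, "192.0.2.10", 80, "S"),
    ("10.0.0.5", 40001, "192.0.2.10", 80, "A"),
    ("10.0.0.5", 40002, "192.0.2.10", 80, "S"),
    ("10.0.0.5", 40002, "192.0.2.10", 80, "A"),
] + [("198.51.100.7", 50000 + i, "192.0.2.10", 80, "S") for i in range(200)]


def half_open_by_source(packets):
    """Replay client-side packets and return {src_ip: number of half-open flows}.

    A flow becomes half-open on a bare SYN, established on the client's
    following ACK, and is forgotten on RST. Only half-open flows are counted,
    because those are the entries that stay in a state table until timeout.
    """
    state = {}  # 4-tuple -> "half_open" | "established"
    for src, sport, dst, dport, flags in packets:
        key = (src, sport, dst, dport)
        if "S" in flags and "A" not in flags:
            state[key] = "half_open"
        elif "A" in flags and state.get(key) == "half_open":
            state[key] = "established"
        elif "R" in flags:
            state.pop(key, None)
    counts = defaultdict(int)
    for (src, _, _, _), flow_state in state.items():
        if flow_state == "half_open":
            counts[src] += 1
    return dict(counts)


def syn_flood_suspects(packets, max_half_open=50):
    """Programmed-threshold rule: a source holding more than max_half_open
    embryonic connections is flagged. Returns the sorted list of source IPs."""
    return sorted(src for src, n in half_open_by_source(packets).items()
                  if n > max_half_open)


if __name__ == "__main__":
    print(half_open_by_source(PACKETS))   # {'198.51.100.7': 200}
    print(syn_flood_suspects(PACKETS))    # ['198.51.100.7']
```

The per-source count is only a detection aid: with spoofed source addresses the flood is spread over many sources, which is why the slide's "misconfigured system" remark matters and the real defences are on the server side (SYN cookies, backlog sizing, per-source limits at the firewall) rather than in a counter like this one.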
  33. Botnet characteristics: Topology; Lookup resilience; Blind proxy redirection; Polymorphism
  34. Topology. Centralized: star topology, multi-server. Decentralized: P2P
  35. Star topology. All bots are connected to a central server.
  36. Hierarchical. Bots are connected to a backbone of intermediate servers that receive instructions from one or more C&C servers.
  37. P2P. There is no single C&C; every computer in the network communicates with a set of neighbours.
  38. Lookup resiliency: IP fast flux (single flux, double flux); domain flux; wildcarding; DGA
  39. Fluxing. IP flux is the periodic change of the IP address associated with a particular fully qualified domain name (FQDN). Domain flux is effectively the inverse of IP flux: instead of changing the IP, the name associated with it is changed. High-frequency fluxing is called fast flux.
  40. IP flux (two flavours). Single flux is the simplest form: multiple (hundreds or even thousands of) IP addresses are associated with a domain name. These IP addresses are registered and de-registered rapidly on a particular DNS server using round-robin algorithms and very short Time-to-Live (TTL) values. Double flux is the evolution of single flux: it not only fluxes the IP addresses associated with the fully qualified domain name, but also fluxes the IP addresses of the DNS servers used to look up the IP addresses of the FQDN.
  41. DNS wildcarding. Domain wildcarding abuses DNS functionality to wildcard a higher-level domain so that all FQDNs below it point to the same IP address. E.g. *.domain.com could cover both mypc.foo.domain.com and myserver.domain.com
  42. Domain generation algorithms. In Domain Generation Algorithms (DGA) a periodically changing list of FQDNs is created; these names are then polled by the bot agent looking for the C&C infrastructure. Since the domain names are dynamically generated in volume and typically have a short life of a single day, the turnover makes it very difficult to investigate or block every possible domain name.
  43. Blind proxy redirection. With this technique some hosts of the botnet act as proxies, interrupting tracing attempts to discover and shut down the flux service network (DNS registrar, C&C etc.). Relay nodes basically act as intermediaries between the slave nodes and the master command-and-control servers, as well as for each other.
  44. Blind proxy redirection. Pro*: anonymity. Con*: lower propagation speed. *From a bot herder's perspective; from a law enforcer's perspective it is exactly the opposite.
  45. Polymorphism: What is it? Server-side repacking
  46. Polymorphism. Every time an antivirus is updated it downloads the digital signatures of known malware; by comparing the signatures of the executables on the machine with those stored in the database it can detect and remove the threatening software. As a countermeasure, malware programmers repack and encrypt the binaries of their software before distributing it. Some of them also continuously download new code to execute, changing its signature and hence remaining hidden from antivirus software, which cannot know a priori all possible signatures of an encrypted executable.
  47. Part II: Case study. Real botnet examples
  48. Part III: Countermeasures
  49. Stakeholders: Institutions; Law enforcers; Research; Corporations; Single users
  50. Attack points: C&C server (DNS denial, takedown of C&C); Infected host (AV, firewalling); Botnet communications (sinkholing)
  51. Steps: Detection; Cleaning (defensive strategies, offensive strategies)
  52. Detector classification: Signature based (file monitoring, connection monitoring); Anomaly based (self-learning, programmed); Compound
  53. Signature based. There is a database of known threats. Files or connections are scanned to search for matching events. Pro: zero false positives. Con: unable to detect unknown malware
  54. Self-learning detection. The system first learns from an initial condition (usually safe) and, in a second phase, checks whether the system behaves according to that condition. If the observed system diverges from the "normal" condition, it is reported. Pro: could detect zero-day attacks. Con: could give false positives
  55. Programmed detection. Statistics, rules and thresholds are used to define some anomaly condition. If the system matches an anomaly condition, an alert is raised. Pro: could detect zero-day attacks. Con: doesn't scale very well
  56. Anomaly based detectors. "Something that is abnormal is probably suspicious." Self-learning systems learn by example what constitutes normal for the installation, typically by observing traffic for an extended period of time and building some model of the underlying process [2] (stochastic models, machine learning, hidden Markov models, neural networks, hybrid models)
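Slides 53 to 56 contrast signature-based detection with anomaly-based (programmed) detection and state the trade-off between them. The Python below is an added example, not code from the presentation or from [2]: it runs both kinds of connection monitoring over the same constructed connection log (synthetic records built in the code) and makes the trade-off concrete. The signature matcher only finds the destination that is already on its blocklist; the programmed beaconing rule (regular check-in intervals to one destination) also finds an unknown C&C host, but equally flags a legitimate time-sync host that is just as regular, which is the false positive slide 54 warns about. Host names, addresses, the six-connection minimum and the 0.1 coefficient-of-variation threshold are assumptions of the example.

```python
import statistics
from collections import defaultdict


def _beacon(src, dst, port, start, period, n, jitter=0.0):
    """Build n constructed connection records from src to dst, one every
    `period` seconds, with every other one delayed by `jitter` seconds."""
    return [(start + i * period + (jitter if i % 2 else 0.0), src, dst, port)
            for i in range(n)]


# Constructed connection log (not real data): (epoch_seconds, src_ip, dst_host, dst_port)
LOG = (
    _beacon("10.0.0.8", "known-bad.example", 443, 0, 600, 6)          # on the blocklist
    + _beacon("10.0.0.9", "cdn-edge-17.example", 443, 0, 300, 12, 2)  # unknown C&C, regular beacon
    + _beacon("10.0.0.9", "pool.ntp.example", 123, 0, 1024, 8)        # legitimate but equally regular
    + [(t, "10.0.0.3", "www.example", 443)                           # irregular human browsing
       for t in (5, 17, 90, 91, 400, 1300, 1310, 2000)]
)

# Assumed signature database: destinations known to be C&C hosts.
KNOWN_BAD = {"known-bad.example"}


def signature_alerts(log, blocklist=KNOWN_BAD):
    """Signature-based connection monitoring: exact match against known C&C hosts.
    Zero false positives by construction, but blind to anything not in the list."""
    return sorted({(src, dst) for _, src, dst, _ in log if dst in blocklist})


def beacon_alerts(log, min_connections=6, max_cv=0.1):
    """Programmed anomaly detection: a source contacting the same destination at
    near-constant intervals is flagged. Regularity is measured as the coefficient
    of variation (population std-dev / mean) of the gaps between connections."""
    times = defaultdict(list)
    for t, src, dst, _ in log:
        times[(src, dst)].append(t)
    alerts = []
    for pair, ts in times.items():
        if len(ts) < min_connections:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            alerts.append(pair)
    return sorted(alerts)


if __name__ == "__main__":
    print("signature:", signature_alerts(LOG))
    print("beaconing:", beacon_alerts(LOG))
```

The beaconing rule is the "programmed" flavour of slide 55: the thresholds are fixed by hand, which is why it needs an allow-list (or a self-learning baseline, slide 54) before the time-sync host stops being reported.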
  57. Other methods: Honeypot. A honeypot is a decoy system meant to attract attackers into attacking it, with the aim of protecting the critical targets. Honeypots are computer systems which don't have any production value. Following this concept, a resource that expects no data means any traffic to or from it is most likely suspicious activity and must be investigated [3]
  58. Other methods: DNS based. DNS-based detection techniques rely on particular DNS information generated by a botnet. They are similar to anomaly detection techniques, as similar anomaly detection algorithms are applied to DNS traffic [4][6][9]
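Slides 38 to 42 list the lookup-resilience techniques (fast flux and DGA) and slide 58 says DNS-based detection applies anomaly rules to DNS traffic. The Python below is an added example that serves both passages and is not code from the presentation or from the cited papers: it computes the indicators the slides mention from constructed DNS answers (TTL, number of distinct addresses, spread across networks, observed over repeated lookups) and a few string features of a name (label length, Shannon entropy, vowel ratio), then triages the names. The observations, the 10.x.y.z stand-in addresses, the function names and every threshold are assumptions chosen for illustration; a CDN-like entry is included because a low TTL on its own looks like flux, and a real dictionary word is tested because high entropy on its own looks like a DGA.

```python
import math
from collections import Counter

# Constructed DNS observations (not real lookups): for each name, successive
# answers as (ttl_seconds, [A records]). Addresses are 10.x.y.z stand-ins so the
# second octet can model how many different networks (/16) the answers span.
OBSERVED = {
    "flux.example": [(60, [f"10.{i * 5 + j}.0.1" for j in range(5)]) for i in range(4)],
    "cdn.example": [(30, ["10.100.0.1", "10.100.0.2", "10.101.0.1", "10.101.0.2"])] * 4,
    "static.example": [(86400, ["10.200.0.1"])] * 4,
    "qwzkxjvptrnm.example": [(300, ["10.50.0.1"])] * 2,
}


def flux_features(answers):
    """Summarise repeated lookups of one name into the indicators slide 40 lists:
    TTL, number of distinct addresses, and how many /16 networks they span."""
    ips = {ip for _, records in answers for ip in records}
    prefixes = {".".join(ip.split(".")[:2]) for ip in ips}
    return {"min_ttl": min(ttl for ttl, _ in answers),
            "distinct_ips": len(ips),
            "distinct_prefixes": len(prefixes),
            "lookups": len(answers)}


def is_fast_flux(answers, max_ttl=300, min_ips=10, min_prefixes=5):
    """Illustrative rule: a short TTL alone is not enough (CDNs do that too), so
    also require many addresses spread over many networks across the answers."""
    f = flux_features(answers)
    return (f["min_ttl"] <= max_ttl and f["distinct_ips"] >= min_ips
            and f["distinct_prefixes"] >= min_prefixes)


def shannon_entropy(label):
    """Shannon entropy (bits per character) of a string."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_features(fqdn):
    """String features of the leftmost label: length, entropy, vowel and digit ratio."""
    label = fqdn.split(".")[0].lower()
    n = len(label) or 1
    return {"length": len(label),
            "entropy": shannon_entropy(label) if label else 0.0,
            "vowel_ratio": sum(ch in "aeiou" for ch in label) / n,
            "digit_ratio": sum(ch.isdigit() for ch in label) / n}


def looks_generated(fqdn, min_len=10, min_entropy=3.3, max_vowel_ratio=0.2):
    """Illustrative heuristic for DGA-style names: long, high-entropy labels with
    few vowels. Thresholds are assumptions; a production detector would be
    trained on labelled data (the slides mention machine-learning models)."""
    f = dga_features(fqdn)
    return (f["length"] >= min_len and f["entropy"] >= min_entropy
            and f["vowel_ratio"] <= max_vowel_ratio)


def triage(observed):
    """Return {name: [reasons]} for the names worth an analyst's attention."""
    out = {}
    for name, answers in observed.items():
        reasons = []
        if is_fast_flux(answers):
            reasons.append("fast-flux")
        if looks_generated(name):
            reasons.append("dga-like")
        if reasons:
            out[name] = reasons
    return out


if __name__ == "__main__":
    for name, answers in OBSERVED.items():
        print(name, flux_features(answers))
    print(triage(OBSERVED))
```

Both rules are deliberately conservative so that the CDN entry and ordinary words stay out of the result; in practice the DNS-based detectors cited on slide 58 feed features like these into the anomaly models of slide 56 instead of fixed thresholds.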
  59. Countermeasures, a proposed taxonomy [3]: Signature based; Honeypot based; Anomaly based; DNS based; Mining based; Network based
  60. Detector taxonomy. Some detectors described in [2] grouped by features (March 2000)
  61. Other detectors: BotHunter [7]; Cisco® Cyber Threat Defense Solution 1.0 [8]; Snort [10]; ETPro™ Ruleset (works with Snort) [11]; The Botnets [12]; RUBotted [13]
  62. Offensive strategies. Mitigation: C&C takedown; block botnet traffic at ISP level (sinkholing, BGP blackholing, …). Manipulation: leverage the bot command layer; infiltration & poisoning. Exploitation: leverage bot leaks
  63. Mitigation. Strategies for mitigation are offensive, technical means that slow botnets down, by consuming resources for instance. Examples can be temporary DoS attempts against C&C servers, trapping and holding connections from infected machines, or blocking malicious domains [5]
  64. Manipulation. Possible manipulations include the alteration or removal of DDoS or spam commands, as well as of commands to download and execute programs, which allows remote cleanup of infected machines. Less invasive options include dropping collected personal data, like credit card or banking details, replacing them with fake information, or issuing commands to make bots stop the collection [5].
  65. Exploitation is a special strategy that makes use of bugs found in bots. Like bugs in other products, these can be used to perform actions on the infected machines. Even though this category is the most powerful, it is the one with the highest risk involved, because exploits can easily crash and damage systems if not designed carefully [5].
  66. Questions?
  67. The end… (?)
  68. Bibliography
      [1] http://en.wikipedia.org/wiki/Botnet
      [2] Axelsson, Stefan. Intrusion detection systems: A survey and taxonomy. Vol. 99. Technical report, 2000.
      [3] Raghava, N. S., Divya Sahgal, and Seema Chandna. "Classification of Botnet Detection Based on Botnet Architechture." Communication Systems and Network Technologies (CSNT), 2012 International Conference on. IEEE, 2012.
      [4] Feily, Maryam, Alireza Shahrestani, and Sureswaran Ramadass. "A survey of botnet and botnet detection." Emerging Security Information, Systems and Technologies, 2009. SECURWARE'09. Third International Conference on. IEEE, 2009.
      [5] Leder, Felix, Tillmann Werner, and Peter Martini. "Proactive botnet countermeasures – an offensive approach." The Virtual Battlefield: Perspectives on Cyber Warfare 3 (2009):
      [6] Hu, Xin, Matthew Knysz, and Kang G. Shin. "RB-Seeker: Auto-detection of Redirection Botnets." NDSS. 2009.
      [7] http://www.bothunter.net/
  69. Bibliography (continued)
      [8] http://www.cisco.com/c/en/us/solutions/enterprise-networks/threat-defense/index.html
      [9] Schiller, Craig, and James R. Binkley. Botnets: The killer web applications. Syngress, 2011.
      [10] http://www.snort.org/
      [11] http://www.emergingthreats.net/
      [12] https://code.google.com/p/botnets/
      [13] http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1777&lang_loc=1