Rishi - Identify Bot Contaminated Hosts by IRC Nickname Evaluation
Transcript

  • 1. Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation
    Jan Göbel, Center for Computing and Communication, RWTH Aachen
    Thorsten Holz, Laboratory for Dependable Distributed Systems, University of Mannheim
    Rishi, HotBots '07
  • 2. Outline
    ▸ What is Rishi?
    ▸ Rishi setup and design
    ▸ Nickname evaluation
    ▸ Results and limitations
    ▸ Discussion
  • 3. What is Rishi?
    ▸ Basic idea: IRC-based bots need a distinct nickname
      – Can we detect similarity in IRC nicknames to detect bots?
      – Is detection of the communication channel between botherder and victim possible?
    ▸ Small Python script (~1700 lines) that passively monitors network traffic
    ▸ Analyses payload for the occurrence of known IRC commands
      – NICK, JOIN, USER, MODE, QUIT
      – Analysis function to compute a score for a given nickname
    ▸ Related work:
      – Binkley et al.: botnets use the same IRC channel, offline analysis
      – Livadas et al.: use machine learning techniques to detect C&C traffic
  • 4. Rishi Setup (diagram; not in transcript)
  • 5. Rishi Design (diagram; not in transcript)
  • 6. Nickname Evaluation
    ▸ Check nickname against dynamic and static whitelists
      – Similarity check based on n-gram analysis
    ▸ Check if nickname contains a known extension:
      – _away, ^working, ...
      – Subtract the extension and check the nickname again
    ▸ Check nickname against dynamic and static blacklists
      – Similarity check based on n-gram analysis
    ▸ Check for suspicious substrings and special characters in nickname
      – DEU, GBR, 2K, XP, r00t3d-, |, [, ], ...
    ▸ Check for suspicious prefix/suffix in nickname
      – _13, _12, l33t-, xyz-, ...
  • 7. Nickname Evaluation
    ▸ Check number of digits in nickname
      – Every two digits add one point to the final score
    ▸ Check if target IP address is a known C&C server
    ▸ Check if target port is uncommon
    ▸ Check nickname against regular expressions
      – Evaluation of ~4K known bot nicks resulting in 52 REs
    ▸ Example: RBOT|DE-6182
      – 2 points for suspicious substrings RBOT and DE
      – 2 points for occurrence of special characters | and -
      – 2 points for two occurrences of consecutive digits
      – 10 points for match against regular expression
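The evaluation steps of slides 6 and 7, put together as a runnable scorer. This is an added example, not the Rishi code. The slides fix only the two point values they state (one point per two digits, ten points for a regular-expression match); the list contents, the Jaccard-over-bigram similarity used for the whitelist/blacklist checks, the single regular expression and every other point value below are assumptions, chosen so that the slide's own example RBOT|DE-6182 comes out at the 16 points the slide adds up.

```python
"""Nickname scoring along the lines of Rishi's evaluation steps (slides 6 and 7).

Added example; this is not code from the Rishi project. The slides fix only
two point values (every two digits = 1 point, regular-expression match =
10 points); all other point values, the list contents, the n-gram
similarity measure and the regular expression are constructed assumptions.
"""
import re

# Constructed lists; the slides give only a few sample entries of each.
STATIC_WHITELIST = {"john", "alice", "bob"}
STATIC_BLACKLIST = {"SDBOT|GBR-99114"}
EXTENSIONS = ("_away", "^working", "|afk")
SUSPICIOUS_SUBSTRINGS = ("RBOT", "DEU", "DE", "GBR", "2K", "XP", "r00t3d-")
SPECIAL_CHARS = set("|[]-")
SUSPICIOUS_AFFIXES = ("_13", "_12", "l33t-", "xyz-")
COMMON_IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}   # assumed
# One constructed RE standing in for the 52 derived from ~4K known bot nicks.
BOT_NICK_RES = [re.compile(r"^[A-Z]{3,5}\|[A-Z]{2,3}-\d{3,5}$")]

SIMILARITY_THRESHOLD = 0.7   # assumed
BLACKLIST_POINTS = 5         # assumed
KNOWN_CNC_POINTS = 10        # assumed
UNCOMMON_PORT_POINTS = 1     # assumed
REGEX_POINTS = 10            # stated on slide 7


def ngrams(s, n=2):
    """Case-folded character n-grams of a nickname."""
    s = s.lower()
    return {s[i:i + n] for i in range(len(s) - n + 1)}


def similarity(a, b, n=2):
    """Jaccard similarity of n-gram sets; the slides only say 'n-gram analysis'."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    if not ga or not gb:
        return 1.0 if a.lower() == b.lower() else 0.0
    return len(ga & gb) / len(ga | gb)


def matches_list(nick, entries):
    """True if the nick is similar enough to any list entry (white- or blacklist)."""
    return any(similarity(nick, e) >= SIMILARITY_THRESHOLD for e in entries)


def strip_extension(nick):
    """Remove a known extension such as _away so the base nick can be re-checked."""
    for ext in EXTENSIONS:
        if nick.endswith(ext) and len(nick) > len(ext):
            return nick[:-len(ext)]
    return nick


def score(nick, target_port=6667, target_is_known_cnc=False):
    """Return the final score; 0 means the nick (or its base) is whitelisted."""
    if matches_list(nick, STATIC_WHITELIST):
        return 0
    base = strip_extension(nick)
    if base != nick and matches_list(base, STATIC_WHITELIST):
        return 0

    points = 0
    if matches_list(base, STATIC_BLACKLIST):
        points += BLACKLIST_POINTS
    points += sum(1 for s in SUSPICIOUS_SUBSTRINGS if s in base)
    points += sum(1 for c in base if c in SPECIAL_CHARS)
    points += sum(1 for a in SUSPICIOUS_AFFIXES if base.startswith(a) or base.endswith(a))
    points += sum(c.isdigit() for c in base) // 2       # every two digits: one point
    if target_is_known_cnc:
        points += KNOWN_CNC_POINTS
    if target_port not in COMMON_IRC_PORTS:
        points += UNCOMMON_PORT_POINTS
    if any(r.match(base) for r in BOT_NICK_RES):
        points += REGEX_POINTS
    return points


if __name__ == "__main__":
    for nick in ("RBOT|DE-6182", "SDBOT|GBR-99115", "john_away", "bob12"):
        print(f"{nick:20s} {score(nick)}")
```

Two things the scorer shows that the slide's arithmetic does not: john_away scores 0 only because the extension is stripped before the second whitelist check, and SDBOT|GBR-99115 picks up the blacklist points although only SDBOT|GBR-99114 is listed, which is what the n-gram similarity buys over exact matching. A dictionary-word nickname with no digits or special characters scores 0 here, which is the limitation slide 12 names.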
  • 8. Final Scores of Some Nicknames (table; not in transcript)
  • 9. Results I
    ▸ Detection of more than 300 bots within 3 months
    ▸ Comparison with Blast-o-Mat (see ;login: 31(6))
      – Custom IDS system at RWTH Aachen University
        • Detection of scanning machines via SYN threshold
        • Detection of spam-sending machines via threshold
        • Usage of honeypots to detect suspicious activities
    ▸ Preliminary results for a period of 14 days
      – Detection of 82 machines with Rishi
      – 34 of these were also detected by Blast-o-Mat
      – Remaining 48 machines undetected by Blast-o-Mat
      – Blast-o-Mat detected an additional 20 hosts
      – 5 false positives
  • 10. Results II
    ▸ Case study: detecting spam-bots
      – Bots that do not scan / propagate further (→ rather stealthy)
      – Presumably infected via drive-by downloads
      – Detection of the communication channel via Rishi
      – Spamming activity only detected a couple of hours later
    ▸ Case study: spotting botnet-tracking activity
      – Several TOR nodes (one exit node) within the university network
      – Frequently observed within Rishi output
      – Definitely not bot-infected (Linux machine, known user)
      – Caused by botnet-tracking hosts that use TOR
  • 11. Results III
    ▸ Case study: detecting a modified IRC protocol
      – Rishi logged a JOIN without any related info in the connection object
      – Analysis revealed: bot with modified C&C protocol
        • NICK → SENDN
        • USER → SENDU
        • PRIVMSG → SENDP
        • But: JOIN was not modified
      – We could detect the incident since one protocol element was not changed
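The per-connection state that slide 3 describes (payload parsed for NICK, JOIN, USER, MODE, QUIT) is what made the slide 11 case visible: a JOIN arrived on a flow whose connection object had never received a NICK or USER. The following is an added example of that logic, not Rishi's own code; the line pattern, the connection fields, the set of "ordinary" IRC commands that are passed over silently and the two replayed flows are all constructed for illustration.

```python
"""Passive tracking of IRC commands per connection, in the spirit of Rishi's
monitor (slide 3) and the modified-protocol case study (slide 11).

Added example; not code from the Rishi project. The IRC line pattern, the
connection model and the traffic in demo() are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IRC_COMMANDS = {"NICK", "JOIN", "USER", "MODE", "QUIT"}      # the commands slide 3 lists
# Assumed: ordinary IRC traffic we do not act on but also do not treat as unknown.
OTHER_IRC_COMMANDS = {"PASS", "PING", "PONG", "PRIVMSG", "NOTICE", "PART", "TOPIC", "KICK"}

# Constructed: one IRC line, with the optional ":prefix " a server may prepend.
IRC_LINE = re.compile(r"^(?::\S+ )?([A-Z]+)(?: (.*))?$")


@dataclass
class Connection:
    """What a 'connection object' holds for one TCP flow (assumed fields)."""
    src: str
    dst: str
    dport: int
    nick: Optional[str] = None
    user: Optional[str] = None
    channels: List[str] = field(default_factory=list)
    unknown_cmds: List[str] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)


class Monitor:
    def __init__(self) -> None:
        self.conns: Dict[Tuple[str, str, int], Connection] = {}

    def feed(self, src: str, dst: str, dport: int, payload: str) -> Connection:
        """Process one TCP payload belonging to the flow (src, dst, dport)."""
        conn = self.conns.setdefault((src, dst, dport), Connection(src, dst, dport))
        for raw in payload.split("\r\n"):
            m = IRC_LINE.match(raw)
            if not m:
                continue                      # empty line or numeric server reply
            cmd, args = m.group(1), (m.group(2) or "").split()
            if cmd in IRC_COMMANDS:
                self._handle(conn, cmd, args)
            elif cmd not in OTHER_IRC_COMMANDS:
                conn.unknown_cmds.append(cmd)  # e.g. SENDN / SENDU from slide 11
        return conn

    @staticmethod
    def _handle(conn: Connection, cmd: str, args: List[str]) -> None:
        if cmd == "NICK" and args:
            conn.nick = args[0].lstrip(":")
        elif cmd == "USER" and args:
            conn.user = args[0]
        elif cmd == "JOIN":
            conn.channels.append(args[0] if args else "")
            if conn.nick is None and conn.user is None:
                # Slide 11: a JOIN with no related info in the connection object
                # means the client registered with commands we did not recognise.
                conn.alerts.append(
                    "JOIN without prior NICK/USER; other commands seen: "
                    + ", ".join(sorted(set(conn.unknown_cmds)))
                )
        elif cmd == "QUIT":
            conn.channels.clear()


def demo() -> Monitor:
    """Replay constructed traffic: a normal client and a bot with renamed commands."""
    mon = Monitor()
    mon.feed("10.0.0.5", "192.0.2.10", 6667,
             "NICK john\r\nUSER john 0 * :John\r\nJOIN #chat\r\n")
    mon.feed("10.0.0.9", "198.51.100.7", 6667,
             "SENDN x9a\r\nSENDU x9a 0 * :x\r\nJOIN #c\r\nSENDP #c :hello\r\n")
    return mon


if __name__ == "__main__":
    for conn in demo().conns.values():
        print(conn.src, conn.nick, conn.channels, conn.alerts)
```

The alert is raised at the moment the JOIN is seen, so it names only the renamed commands observed up to that point (SENDN and SENDU, not the later SENDP); a monitor that waited for the flow to end would miss nothing but would also warn later, which matters for the automated mitigation slide 13 mentions as the next step.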
  • 12. Limitations
    ▸ Detection of cleartext, IRC-based botnets only
      – Most prevalent type of botnet today, but this is changing
      – Bots can use a dictionary to create nicknames
    ▸ Ad-hoc computation of the final score
      – Better evaluation needed, taking care of false positives / negatives
    ▸ Dependence on regular expressions
      – No automated learning yet
      – Inclusion of nepenthes / CWSandbox results?
    ▸ Monitoring at the central router
      – RWTH Aachen has 10 GBit Ethernet with spikes > 3 GBit/s
  • 13. Conclusion
    ▸ Rishi is a simple, yet effective way to detect bots
      – Based on evaluation of the nickname
      – Ad-hoc scoring function
      – Generates a warning e-mail (next step: automated mitigation)
    ▸ Detected more than 300 bot-infected machines
    ▸ Orthogonal to the other IDS system used within the university
      – Combination of both?
    Thanks a lot for your attention!