Botnets - Detection and Mitigation
Literature study presentation
By Ajit Skanda Kumarawamy (1735764), Faculty of Exact Sciences, VU Amsterdam
Under the guidance of Dr. Corina Stratan, Faculty of Exact Sciences, VU Amsterdam
Topics
  Introduction
  Study of botnet detection and mitigation techniques:
    Storm worm
    BotHunter
    BotSniffer
    RBSeeker
    Torpig botnet takeover
  Conclusion
Botnets – an introduction
  What is a bot?
    A computer that is running a piece of malware
    Controlled without the knowledge of the host/owner, through external instructions
    Can be self-propagating
  What is a botnet?
    A coordinated group of bots under the control of a botmaster
    The bots act in a similar or correlated manner
    Used for fraudulent and abusive activities
Types of botnets
  IRC based
  HTTP based
  P2P based
Attacks carried out by botnets
  DDoS attacks
  Spamming
  Key logging and data/identity theft
  Phishing and pharming
  Click fraud
  Distribution of other adware/spyware
C&C and its role
  Command and Control – the nerve centre of a botnet
  Publishes/pushes commands to the bots
  (Re)organizes the botnet into subnets
  Methods of communication
  A key component of botnet mitigation is identifying the C&C communication protocol
Methods for identifying botnets
  Signature based detection
    Compare incoming and outgoing data packets against a set of known signatures of bot binaries
  Anomaly based detection
    An analytical method for identifying and studying botnets rather than a preventative process
    Analyse the network traffic for irregular behaviour, such as TCP SYN scanning
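The anomaly-based approach on this slide, as an added illustration that is not part of the presentation: a small detector run over constructed NetFlow-style records that flags hosts whose outbound traffic is dominated by unanswered SYN probes to many distinct destinations. The record layout, the thresholds and the sample addresses are assumptions, not values from the slides.

```python
from collections import defaultdict

# Constructed flow records in a NetFlow-like shape:
# (src, dst, dst_port, tcp_flags, packets). Not captured traffic.
SAMPLE_FLOWS = [
    # 10.0.0.5 sweeps port 22 across a subnet: one-packet SYNs, no ACK ever seen
    ("10.0.0.5", "10.0.1.1", 22, "S", 1),
    ("10.0.0.5", "10.0.1.2", 22, "S", 1),
    ("10.0.0.5", "10.0.1.3", 22, "S", 1),
    ("10.0.0.5", "10.0.1.4", 22, "S", 1),
    ("10.0.0.5", "10.0.1.5", 22, "S", 1),
    ("10.0.0.5", "10.0.1.6", 22, "S", 1),
    ("10.0.0.5", "10.0.2.10", 80, "SA", 25),   # one legitimate session
    # 10.0.0.7 is a normal client: established sessions plus one retransmitted SYN
    ("10.0.0.7", "10.0.2.10", 80, "SA", 40),
    ("10.0.0.7", "10.0.2.11", 443, "SA", 120),
    ("10.0.0.7", "10.0.2.12", 443, "SA", 64),
    ("10.0.0.7", "10.0.2.13", 443, "S", 2),
]

def is_syn_only(flags, packets):
    """A half-open probe: SYN set, no ACK seen in the flow, one or two packets."""
    return "S" in flags and "A" not in flags and packets <= 2

def syn_scan_sources(flows, min_targets=5, min_ratio=0.8):
    """Return {src: (distinct_targets, syn_only_ratio)} for hosts whose
    outbound flows are mostly unanswered SYNs to many distinct (dst, port)
    pairs. The thresholds are tunable assumptions for this example."""
    total = defaultdict(int)          # all flows per source
    syn_count = defaultdict(int)      # SYN-only flows per source
    syn_targets = defaultdict(set)    # distinct (dst, port) probed per source
    for src, dst, dport, flags, packets in flows:
        total[src] += 1
        if is_syn_only(flags, packets):
            syn_count[src] += 1
            syn_targets[src].add((dst, dport))
    flagged = {}
    for src in syn_count:
        ratio = syn_count[src] / total[src]
        if len(syn_targets[src]) >= min_targets and ratio >= min_ratio:
            flagged[src] = (len(syn_targets[src]), round(ratio, 2))
    return flagged

if __name__ == "__main__":
    for src, (targets, ratio) in syn_scan_sources(SAMPLE_FLOWS).items():
        print(f"{src}: {targets} SYN-only targets, SYN-only ratio {ratio}")
```

The single retransmitted SYN from 10.0.0.7 is below both thresholds, which is the point of combining a distinct-target count with a ratio rather than alerting on any unanswered SYN.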
Steps for mitigation of botnets
  The three generic steps for mitigation of botnets:
    1. Acquire and analyze a bot.
    2. Infiltrate the botnet.
    3. Identify and take down the C&C server/botmaster.
Storm worm – a case study
  The most virulent P2P bot in the wild (also known as Peacomm, Nuwar or Zhelatin)
  Uses the OVERNET network and a P2P network of its own
  Propagates via e-mail (attachment or embedded link)
  Uses specific keys as rendezvous points / mailboxes
  The controller publishes commands at those keys
Storm worm – analysis and mitigation
  Obtain the bot binary using a spam trap and a client honeypot
  Compute the keys (two methods)
  Use a Sybil attack to infiltrate the Stormnet
  Mitigate by eclipsing content and polluting
RBSeeker
  Used for detecting redirection bots
  Spam source sub-system
  NetFlow analysis sub-system
  Active DNS anomaly detection sub-system
  Correlation of the aggregated data
Takeover of the Torpig botnet
  Data harvesting bot – financial data
  Fast flux vs domain flux
  Deterministic DGA and a weak C&C communication procedure
  Sinkholing of .net and .com domains
  25/01/2009 – 04/02/2009
  8310 accounts, with a value in the range $83K – $8.3M
Conclusions
  Botnets provide services to interested parties
  Botnet detection techniques should go hand in hand
  Co-operation between authorities, registrars and ISPs
  The lower layers of the botnet infrastructure should be dismantled