Rishi Hotbots

Rishi - Identify Bot Contaminated Hosts by IRC Nickname Evaluation

  1. Rishi - Identify Bot Contaminated Hosts by IRC Nickname Evaluation
     Jan Göbel, Center for Computing and Communication, RWTH Aachen
     Thorsten Holz, Laboratory for Dependable Distributed Systems, University of Mannheim
     Rishi HotBots´07
  2. Outline
     ▸ What is Rishi?
     ▸ Rishi setup and design
     ▸ Nickname evaluation
     ▸ Results and limitations
     ▸ Discussion
  3. What is Rishi?
     ▸ Basic idea: IRC-based bots need a distinct nickname
       – Can we detect similarity in IRC nicknames to detect bots?
       – Is detection of the communication channel between botherder and victim possible?
     ▸ Small Python script (~1700 lines) that passively monitors network traffic
     ▸ Analyses payload for the occurrence of known IRC commands
       – NICK, JOIN, USER, MODE, QUIT
       – Analysis function to compute a score for a given nickname
     ▸ Related work:
       – Binkley et al.: botnets use same IRC channel, offline analysis
       – Livadas et al.: use machine learning techniques to detect C&C traffic
  4. Rishi Setup
  5. Rishi Design
  6. Nickname Evaluation
     ▸ Check nickname against dynamic and static whitelists
       – similarity check based on n-gram analysis
     ▸ Check if nickname contains a known extension:
       – _away, ^working, ...
       – Subtract extension and check nickname again
     ▸ Check nickname against dynamic and static blacklists
       – similarity check based on n-gram analysis
     ▸ Check for suspicious substrings and special characters in nickname
       – DEU, GBR, 2K, XP, r00t3d-, |, [, ], ...
     ▸ Check for suspicious pre-/suffix in nickname
       – _13, _12, l33t-, xyz-, ...
  7. Nickname Evaluation
     ▸ Check number of digits in nickname
       – Every two digits add one point to final score
     ▸ Check if target IP address is a known C&C server
     ▸ Check if target port is uncommon
     ▸ Check nickname against regular expressions
       – Evaluation of ~4K known bot nicks resulting in 52 REs
     ▸ Example: RBOT|DE-6182
       – 2 points for suspicious substrings RBOT and DE
       – 2 points for occurrence of special characters | and -
       – 2 points for two occurrences of consecutive digits
       – 10 points for match against regular expression
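A worked implementation of the scoring steps on slides 6 and 7, added here as an example; it is not Rishi's own code. The word lists, the single regular expression, the bigram Jaccard similarity, the whitelist threshold and the one-point weight per substring, special character and affix are assumptions, chosen so that the slide's example nickname RBOT|DE-6182 scores the 16 points (2 + 2 + 2 + 10) given on slide 7.

```python
import re

# Constructed, abbreviated lists in the spirit of slides 6 and 7; Rishi's real
# whitelists, blacklists and its 52 regular expressions are not on the page.
WHITELIST = ["alice", "bob"]
KNOWN_EXTENSIONS = ["_away", "^working"]
SUSPICIOUS_SUBSTRINGS = ["DEU", "GBR", "2K", "XP", "r00t3d-", "RBOT", "DE"]
SPECIAL_CHARS = set("|[]-")
SUSPICIOUS_AFFIXES = ["_13", "_12", "l33t-", "xyz-"]
# One illustrative pattern standing in for Rishi's 52 regular expressions.
BOT_NICK_REGEXES = [re.compile(r"^[A-Z]+\|[A-Z]{2,3}-\d{3,}$")]
SIMILARITY_THRESHOLD = 0.8  # assumed cut-off for the whitelist comparison

def bigrams(s):
    s = s.lower()
    return {s[i:i + 2] for i in range(len(s) - 1)}

def similarity(a, b):
    # Jaccard similarity over character bigrams; the exact n-gram measure
    # used by Rishi is not given on the slides, so this is an assumption.
    ga, gb = bigrams(a), bigrams(b)
    return len(ga & gb) / len(ga | gb) if ga | gb else 0.0

def strip_extension(nick):
    # Known extensions such as _away are removed and the base nick re-checked.
    for ext in KNOWN_EXTENSIONS:
        if nick.endswith(ext):
            return nick[:-len(ext)]
    return nick

def score_nickname(nick):
    """Return (score, reasons); a higher score means a more bot-like nickname."""
    nick = strip_extension(nick)
    if any(similarity(nick, w) >= SIMILARITY_THRESHOLD for w in WHITELIST):
        return 0, ["whitelisted"]
    hits = []  # (points, reason) pairs; one point per hit is an assumed weight
    hits += [(1, "substring " + s) for s in SUSPICIOUS_SUBSTRINGS if s in nick]
    hits += [(1, "special char " + c) for c in nick if c in SPECIAL_CHARS]
    digits = sum(c.isdigit() for c in nick)  # every two digits add one point
    if digits >= 2:
        hits.append((digits // 2, "%d digits" % digits))
    hits += [(1, "affix " + a) for a in SUSPICIOUS_AFFIXES
             if nick.startswith(a) or nick.endswith(a)]
    if any(rx.match(nick) for rx in BOT_NICK_REGEXES):  # slide 7: 10 points
        hits.append((10, "regular expression match"))
    return sum(p for p, _ in hits), [r for _, r in hits]
```

The whitelist step runs first so that a legitimate user with an extension such as bob_away never accumulates points; the blacklist check from slide 6 would reuse the same similarity() helper.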
  8. Final Scores of Some Nicknames
  9. Results I
     ▸ Detection of more than 300 bots within 3 months
     ▸ Comparison with Blast-o-Mat (see ;login: 31(6))
       – Custom IDS system at RWTH Aachen university
         • Detection of scanning machines via SYN threshold
         • Detection of spam-sending machines via threshold
         • Usage of honeypots to detect suspicious activities
     ▸ Preliminary results for period of 14 days
       – Detection of 82 machines with Rishi
       – 34 of these were also detected by Blast-o-Mat
       – Remaining 48 machines undetected
       – Blast-o-Mat detected additional 20 hosts
       – 5 false positives
  10. Results II
     ▸ Case study: detecting spam-bots
       – Bots that do not scan / propagate further (→ rather stealthy)
       – Presumably infected via drive-by downloads
       – Detection of communication channel via Rishi
       – Detected a couple of hours later due to spamming activity
     ▸ Case study: spotting botnet-tracking activity
       – Several TOR nodes (one exit node) within university network
       – Frequently observed within Rishi output
       – Definitely not bot-infected (Linux machine, known user)
       – Caused by botnet-tracking hosts that use TOR
  11. Results III
     ▸ Case study: detecting modified IRC protocol
       – Rishi logged JOIN without any related info in connection object
       – Analysis revealed: bot with modified C&C protocol
         • NICK → SENDN
         • USER → SENDU
         • PRIVMSG → SENDP
         • But: JOIN was not modified
       – We could detect the incident since one protocol element was not changed
  12. Limitations
     ▸ Detection of cleartext, IRC-based botnets
       – Most prevailing type of botnets nowadays, but this changes
       – Bots can use dictionary to create nicknames
     ▸ Ad-hoc computation of final score
       – Better evaluation needed, taking care of false positives / negatives
     ▸ Dependence on regular expressions
       – No automated learning yet
       – Inclusion of nepenthes / CWSandbox results?
     ▸ Monitoring at the central router
       – RWTH Aachen has 10 GBit Ethernet with spikes > 3 GBit/s
  13. Conclusion
     ▸ Rishi is a simple, yet effective way to detect bots
       – Based on evaluation of nickname
       – Ad-hoc scoring function
       – Generates warning e-mail (next step: automated mitigation)
     ▸ Detected more than 300 bot-infected machines
     ▸ Orthogonal to other IDS system used within university
       – Combination of both?
     Thanks a lot for your attention!