Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis

1. Taming Botnets: Life cycle and detection of bot infections through network traffic analysis

2. Agenda
● Introduction
● Bots and botnets: short walk-through
● Taming botnets: Detection and Evasion
● Our approach
● Case studies
● Conclusion
● Disclaimer: We steal our images from Google Images :)

3. Introduction
● Why are we doing this research?
● Objectives
● Our data sources
● Our environment: a bunch of code in node.js and python. Customized sandboxing platform (cuckoo based). Data indexed in Solr.

4. Introduction: bots
● "bot": a software program installed on target machine(s) for the purpose of utilizing that machine's computational/network resources or collecting information
● A typical bot is controlled by an external party and therefore needs to be able to utilize a communication channel in order to receive commands and pass information
● Bots are typically used for malicious purposes ;-)

5. Introduction: bots (lifecycle)
● Installation (infection) phase: often by means of a software exploit or a social engineering technique (fake antivirus, fake software update)
● Post-infection phase: communication (C&C, peer etc.)

6. Introduction
● Our basic assumption is that a bot needs to be able to communicate back in order to be useful.
● Our analysis is primarily "blackbox": observing the network traffic of a large network infrastructure in order to identify possible infections and "communication" links
● We also utilize sandboxing techniques to observe behavior (mainly from the network side)
● We do not attempt to reverse engineer (manually or automatically) botnet software

7. Botnets
● Infection vectors → often targeting end-user machines (clients) in large numbers by exploiting a software vulnerability in the browser or related components
● C&C communication:
  ● Remember IRC bots? :)
  ● over HTTP (most common)
  ● Proprietary protocol
  ● Centralized or P2P infrastructure

8. Botnets: lifecycle
● C&C hosting itself is another interesting research area ;-)

9. So how do you get bots on your machine? :)

10. How do you get bots on your machine? ;-)
● Compromised servers: most widespread, often through silly vulns (i.e. wordpress!), but high-profile web sites are also affected, or domains are taken over (DNS poisoning and more)
● Placing a javascript iframe on a compromised high-traffic machine is way more profitable than defacing (hacktivism is only for hippies? ;)

11. How do you get bots (pt 2)
● SEO poisoning/manipulation.

12. How do you get bots (pt 3)
● Advertisements and malvertisements: a whole new ecosystem: OpenX is a huge security hole ;)

13. Anyways
● Once infected, the bot talks back... Let's look at some real-life cases. (The data is very recent, mostly from the past few months.)

14. Old-school bots (still active. For real! May/2012: IRC bots still real :-D ;-))

15. Carberp
● Bot infection: Drive-By-HTTP
● Payload and intermediate malware domains: normal, just registered/DynDNS
● Distributed via: many, many compromised web sites; top score > 100 compromised resources detected during 1 week.
● C&C domains usually generated, but some special cases below ;-).
● C&C and malware domains located on the same AS (from the bot's point of view). Easy to detect.
● Typical bot activity: mass HTTP POST
16. Carberp infection chain (table)
Domain | URL | Referrer | Payload | Size
beatshine.is-saved.org | /g/18418362672595167.js | www.*****press.ru | javascript | 9414
activatedreplacing.is-very-evil.org | /index.php?28d9000e56c2a63080ff89c6f5357591 | www.*****press.ru | html | 45443
activatedreplacing.is-very-evil.org | //images/r/785cee8be7f1da9a9d60820cbf8b1840.jar | (none) | application/x-jar | 4135
activatedreplacing.is-very-evil.org | /server_privileges.php?91370f5f009a815950578cb539f28b58=3 | (none) | application/executable | 155529
17. Activity and update

18. Another attack attempt and update URLs
Time | Domain | URL | IP
10/Apr/2012 10:29:09 | nod32-matrosov-pideri.org | //images/785cee8be7f1da9a9d60820cbf8b1840.jar | 62.122.79.42
10/Apr/2012 10:29:10 | nod32-matrosov-pideri.org | /expl0it/At00micArray.class | 62.122.79.42
10/Apr/2012 10:29:11 | nod32-matrosov-pideri.org | /expl0it/At00micArray/class.class | 62.122.79.42
02/May/2012 08:42:59 | rgn7er8yafh89cehuighv.org | /bxlkizmfgtlfwcdmljmrjlunqkvsslfiru.tpl | 91.228.134.210
02/May/2012 08:42:59 | avast-pidersiy-gandon.com | /crypt/files/crypted/config.bin | 62.122.79.52
02/May/2012 08:43:00 | rgn7er8yafh89cehuighv.org | /aDHfNt8w43yYGM.tiff | 91.228.134.210

19. Detection during infection and by post-infection activity
● Infection: executable transfer from a just-registered domain, for example lifenews-sport.org, or from Dyn-DNS domains like uphchtxmji.homelinux.com
● Updates: executable transfer from a just-registered or DynDNS domain
● Post-infection activity: mass HTTP POST to generated domains like n87e0wfoghoucjfe0id.org; the URL ends with different extensions

20. Netprotocol.exe
● Bot infection was: Drive-By-FTP; now: Drive-By-FTP, Drive-By-HTTP
● Payload and intermediate malware domains: normal, obfuscated
● Distributed via: compromised web sites
● C&C domains usually generated, many domains in the .be zone.
● C&C and malware domains located on different ASes. Bot updates payload via HTTP
● Typical bot activity: HTTP POST, payload updates via HTTP.
21. Netprotocol.exe infection chain (table)
Domain | URL | Referrer | Payload | Size
3645455029 | /1/s.html | Infected site | html | 997
Java.com | /js/deployJava.js | 3645455029 | javascript | 4923
3645455029 | /1/exp.jar | (none) | application/x-jar | 18046
3645455029 | /file1.dat | (none) | application/executable | 138352

22. Attack analysis
- Script from www.java.com used during the attack.
- Applet exp.jar loaded by FTP
- FTP server IP address obfuscated to avoid detection (3645455029 is the decimal form of 217.73.58.181)

23. Interesting modifications
GET http://java.com/ru/download/windows_ie.jsp?host=java.com%26returnPage=ftp://217.73.58.181/1/s.html%26locale=ru HTTP/1.1
Key feature example:
Date/Time: 2012-04-20 11:11:49 MSD
Tag Name: FTP_Pass
Target IP Address: 217.73.63.202
Target Object Name: 21:password Java1.6.0_30@:user anonymous

24. Activity example
Event 1: Date/Time 2012-04-29 02:05:48 MSD; Tag Name HTTP_Post; Target IP Address 217.73.60.107; :server rugtif.be; :URL /check_system.php
Event 2: Date/Time 2012-04-29 02:06:08 MSD; Tag Name HTTP_Post; Target IP Address 208.73.210.29; :server eksyghskgsbakrys.com; :URL /check_system.php
● Domain registered: 2012-04-21

25. On-host detection and activity
Payload: usually netprotocol.exe, located in Users\USER_NAME\AppData\Roaming, which periodically downloads other malware.
Further payload loaded via HTTP: http://64.191.65.99/view_img.php?c=4&k=a4422297a462ec0f01b83bc96068e064

26. Detection by AV
Sample from May 09 2012: detect ratio 1/42
● (demos, recorded as videos)

27. Detection during infection and by post-infection activity
● Infection: .jar and .dat file downloaded by FTP; server name = obfuscated IP address, example ftp://3645456330/6/e.jar; Java version in the FTP password, example Java1.6.0_29@
● Updates: executable transfer from some Internet host, example GET http://184.82.0.35/f/kwe.exe
● Post-infection activity: mass HTTP POST to normal and generated domains with the URL check_system.php:
  09:04:46 POST http://hander.be/check_system.php
  09:05:06 POST http://aratecti.be/check_system.php
  09:06:48 POST http://hander.be/check_system.php
  09:07:11 POST http://aratecti.be/check_system.php
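The three markers this slide (and slides 19 and 35) rely on, a download from a decimal-obfuscated FTP host, an executable transfer, and a burst of POSTs with the same path to many different domains, can be pulled out of a proxy or IDS log with a few lines of code. What follows is an added example written for this page, not code from the slides or from the authors' dnslyzer; the log format, the client addresses and the function names are assumptions, while the hostnames and paths reuse values shown in the case studies.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy/IDS log sample (not from the slides): timestamp, client, method, URL, content type.
# Hostnames and paths reuse values shown on the slides; the client addresses are made up.
SAMPLE_LOG = """\
2012-05-09T09:04:10 10.0.0.7 GET ftp://3645456330/6/e.jar application/x-jar
2012-05-09T09:04:12 10.0.0.7 GET http://184.82.0.35/f/kwe.exe application/executable
2012-05-09T09:04:46 10.0.0.7 POST http://hander.be/check_system.php text/html
2012-05-09T09:05:06 10.0.0.7 POST http://aratecti.be/check_system.php text/html
2012-05-09T09:06:48 10.0.0.7 POST http://hander.be/check_system.php text/html
2012-05-09T09:07:11 10.0.0.7 POST http://eksyghskgsbakrys.com/check_system.php text/html
2012-05-09T09:07:40 10.0.0.7 POST http://rugtif.be/check_system.php text/html
2012-05-09T09:08:00 10.0.0.9 POST http://example.org/login.php text/html
2012-05-09T09:08:05 10.0.0.9 GET http://example.org/index.html text/html
"""

# Content types that carry code rather than content; a transfer of one of these is the
# "executable transfer" the slides use as an infection/update marker.
EXECUTABLE_TYPES = {"application/executable", "application/x-jar", "application/octet-stream"}


def decode_decimal_host(host):
    """Turn a decimal-obfuscated IPv4 host (e.g. 3645456330) into dotted-quad form.
    Anything that is not a plain 32-bit integer is returned unchanged."""
    if host.isdigit():
        value = int(host)
        if value <= 0xFFFFFFFF:
            return str(ipaddress.IPv4Address(value))
    return host


def parse_log(text):
    """Parse the space-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, ctype = line.split()
        parts = urlsplit(url)
        events.append({
            "time": ts,
            "client": client,
            "method": method,
            "scheme": parts.scheme,
            "host": decode_decimal_host(parts.hostname or ""),
            "path": parts.path,
            "ctype": ctype,
        })
    return events


def executable_transfers(events):
    """(client, scheme, decoded host, path) for every download of executable content."""
    return [(e["client"], e["scheme"], e["host"], e["path"])
            for e in events if e["ctype"] in EXECUTABLE_TYPES]


def mass_post_clients(events, min_domains=3):
    """Clients that POST the same path to at least min_domains distinct hosts.
    Returns {client: {path: sorted hosts}} for the offending paths only."""
    per_client = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["method"] == "POST":
            per_client[e["client"]][e["path"]].add(e["host"])
    return {client: {path: sorted(hosts) for path, hosts in paths.items() if len(hosts) >= min_domains}
            for client, paths in per_client.items()
            if any(len(hosts) >= min_domains for hosts in paths.values())}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for row in executable_transfers(evs):
        print("executable transfer:", row)
    for client, paths in mass_post_clients(evs).items():
        print("mass POST from", client, paths)
```

The decimal host check is the part worth keeping around: both 3645455029 and 3645456330 from these slides decode to addresses in 217.73.0.0/16, which is what lets the FTP events be tied to the HTTP ones in the same chain.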
28. Noproblemslove.com, whoismistergreen.com, etc...
● Bot infection: Drive-By-HTTP
● Payload and intermediate malware domains: normal/DynDNS
● Distributed via: compromised web sites.
● C&C domains: normal.
● C&C and malware domains located on different ASes. Sophisticated attack scheme. Timeout before activity.
● Typical bot activity: mass HTTP POST

29. Noproblemslove.com, whoismistergreen.com, etc...

30. Interesting domains from the range 184.82.149.178-184.82.149.180 (Feb 2012)
Domain Name | IP
www.google-analylics.com | 184.82.149.179
google-anatylics.com | 184.82.149.178
www.google-analitycs.com | 184.82.149.180
webmaster-google.ru | 184.82.149.178
paged2.googlesyndlcation.com | 184.82.149.179
googlefilter.ru | 184.82.149.179
rambler-analytics.ru | 184.82.149.179
site-yandex.net | 184.82.149.180
paged2.googlesyndlcation.com | 184.82.149.179
www.yandex-analytics.ru | 184.82.149.178
googles.4pu.com | 184.82.149.178
googleapis.www1.biz | 184.82.149.178
syn1-adriver.ru | 184.82.149.178

31. Hoster range and AS
www.google-analylics.com looks good, BUT Google, Rambler and Yandex together on 184.82.149.176/29?
Hoster range and autonomous system (AS) are useful when you analyze suspicious events.
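The check this slide describes, brand lookalike names that all sit in one small hoster range, is easy to automate. The block below is an added example for this page, not the authors' code: the brand list, the edit-distance threshold and the /29 grouping are assumptions, and the domain/IP pairs are the ones from the previous slide plus one constructed benign entry.

```python
import ipaddress
from collections import defaultdict

# Domain -> IP pairs as listed on the "Interesting domains" slide, plus one constructed
# benign entry (www.example.com) so the grouping has something to leave alone.
OBSERVED = [
    ("www.google-analylics.com", "184.82.149.179"),
    ("google-anatylics.com", "184.82.149.178"),
    ("www.google-analitycs.com", "184.82.149.180"),
    ("webmaster-google.ru", "184.82.149.178"),
    ("paged2.googlesyndlcation.com", "184.82.149.179"),
    ("googlefilter.ru", "184.82.149.179"),
    ("rambler-analytics.ru", "184.82.149.179"),
    ("site-yandex.net", "184.82.149.180"),
    ("www.yandex-analytics.ru", "184.82.149.178"),
    ("googles.4pu.com", "184.82.149.178"),
    ("googleapis.www1.biz", "184.82.149.178"),
    ("syn1-adriver.ru", "184.82.149.178"),
    ("www.example.com", "192.0.2.10"),   # constructed, unrelated
]

# Brands whose names are worth watching for lookalikes (chosen for this example).
BRANDS = {"google", "googlesyndication", "yandex", "rambler"}


def levenshtein(a, b):
    """Plain edit distance; labels are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brands(domain, brands=BRANDS, max_distance=2):
    """Brands that a label of this domain imitates: the label either embeds the brand
    name (google-analylics) or is within max_distance edits of it (googlesyndlcation).
    A label that is exactly the brand is not evidence by itself."""
    hits = set()
    for label in domain.lower().split("."):
        for brand in brands:
            if label == brand:
                continue
            if brand in label or levenshtein(label, brand) <= max_distance:
                hits.add(brand)
    return hits


def lookalikes_by_range(records, prefixlen=29, min_brands=2):
    """Group observed hosts by /prefixlen network and report the networks on which
    lookalikes of at least min_brands different brands are co-hosted."""
    per_net = defaultdict(lambda: {"domains": set(), "brands": set()})
    for domain, ip in records:
        brands = lookalike_brands(domain)
        if not brands:
            continue
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        per_net[net]["domains"].add(domain)
        per_net[net]["brands"] |= brands
    return {str(net): info for net, info in per_net.items() if len(info["brands"]) >= min_brands}


if __name__ == "__main__":
    for net, info in lookalikes_by_range(OBSERVED).items():
        print(net, sorted(info["brands"]), len(info["domains"]), "domains")
```

The substring rule is deliberately greedy (it also flags googleapis.www1.biz), so in practice the brands' own registered domains go on an allowlist before this runs; the /29 grouping is what turns a pile of individually plausible names into one event.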
32. What happens next?

33. Other domains, but the owner is the same

34. What's common
whoismistergreen.com: IP address 213.5.68.105; Created: 2011-07-26; Registrant Name: JOHN ABRAHAM; Address: ul. Dubois 119; City: Lodz
noproblemslove.com: IP address 213.5.68.105; Created: 2011-12-07; Registrant Contact: Whois Privacy Protection Service, Whois Agent, gmvjcxkxhs@whoisservices.cn
patr1ckjane.com: IP was 176.65.166.28, IP now 213.5.68.105; Created: 2011-07-21; Registrant Name: patrick jane; Address: ul. Dubois 119; City: Lodz
noproblemsbro.com: IP was 176.65.166.28; Created: 2011-12-07; Registrant Contact: Whois Privacy Protection Service, Whois Agent, gmvjcxkxhs@whoisservices.cn

35. Detection during infection and by post-infection activity
● Infection: executable transfer from just-registered or Dyn-DNS domains, like fx58.ddns.us
● Updates: application/octet-stream bulk data load from the C&C
● Post-infection activity: mass HTTP POST to seemingly normal domains, i.e. noproblemslove.com, whoismistergreen.com, etc...
36. Detection

37. Detection
● What we are building ;)

38. Cross-correlation data sources
● WHOIS (including Team Cymru whois)
● Our own DNS index; also talking to ISC about possibilities of data swaps
● Sandbox farm (mainly to detect compromised websites automagically and study behavior)
● Public "malicious IP address" databases.
● Public reputation (i.e. ToS) databases.
  ● (still work in progress)

39. Detection
● Manual and automated
● Automated detection is largely based on analysis of network traffic:
  ● Anomaly detection
  ● Pattern-based analysis
  ● Signatures (snort!)
  ● Traffic profiling (DNS traffic profiling, HTTP traffic profiling etc.)

40. Detection
● Detecting malicious botnet activity is very popular in academia (interesting problem).
● In our research we do not claim extreme novelty, but rather will demonstrate our experience and a few practical solutions that seem to work :-)

41. Detection: loooots of papers!~

42. Detection: interesting bits
● Botnet detection evolved from a pattern-based approach (hardcoded bot CMD patterns, captured with snort) to a complex field of generic detection of automated "call-back" communication channels.

43. Detection
● Different "callback" methods, as seen in the wild, possess interesting properties, such as:
  ● Large number of failed DNS requests
  ● Large number of DNS requests for IP addresses which are offline
  ● Connection attempts to mostly dead IP addresses
  ● Traffic pattern (differs from regular browsing)

44. Cat and mouse game
● Of course all of this is easy to evade, once you know the method. But security is always a cat-n-mouse game ;-)

45. Detection
● Detecting botnet activities by analyzing DNS traffic
  ● Analyzing DNS names (dictionary comparison, alphanumeric characters, detection of "generated" domain names (similarities/patterns))
  ● Analyzing failed DNS queries
  ● DNS "ranking" (based on whois information)

46. Detection: rcode: 3 (non-existing domains)
[chart of rcode 3 (NXDOMAIN) query counts; axis labels not recoverable]

47. Detection: rcode: 2 (server failure), i.e. failed servers
[chart of rcode 2 domains]
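Slides 43, 45, 46 and 47 together describe one pipeline: count rcode 3 and rcode 2 responses per client, and look at the queried names lexically (dictionary comparison, digit and vowel share, consonant runs). The block below is an added example for this page, not code from the slides or from dnslyzer; the log format, the tiny word list, the thresholds and the client addresses are assumptions, and the queried names reuse labels from the case studies plus constructed ones marked in the code.

```python
import re
from collections import defaultdict

# Constructed DNS log sample (not from the slides): timestamp, client, queried name, rcode.
# rcode 3 = NXDOMAIN, 2 = SERVFAIL, 0 = NOERROR. Names reuse labels seen on the slides
# plus made-up ones (xq9f2ak7m3ltpz.org, exanple.com); client addresses are made up.
SAMPLE_DNS_LOG = """\
2012-05-09T08:42:01 10.0.0.7 rgn7er8yafh89cehuighv.org 3
2012-05-09T08:42:01 10.0.0.7 n87e0wfoghoucjfe0id.org 3
2012-05-09T08:42:02 10.0.0.7 eksyghskgsbakrys.com 0
2012-05-09T08:42:02 10.0.0.7 bxlkizmfgtlfwcdmljmrjlunqkvsslfiru.net 3
2012-05-09T08:42:03 10.0.0.7 xq9f2ak7m3ltpz.org 3
2012-05-09T08:42:03 10.0.0.7 hander.be 2
2012-05-09T08:43:10 10.0.0.9 www.google.com 0
2012-05-09T08:43:11 10.0.0.9 noproblemslove.com 0
2012-05-09T08:43:12 10.0.0.9 www.exanple.com 3
"""

# Tiny dictionary standing in for a real word list; "generated" names cover few of these.
WORDS = {"who", "is", "mister", "green", "no", "problems", "love", "bro", "google",
         "analytics", "check", "system", "example", "mail", "news", "sport", "life", "hand"}
VOWELS = set("aeiou")


def registrable_label(name):
    """Label left of the TLD (naive: ignores multi-part public suffixes such as co.uk)."""
    labels = name.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dictionary_coverage(label, words=WORDS):
    """Fraction of characters covered by a greedy longest-match over the word list."""
    i, covered = 0, 0
    while i < len(label):
        best = max((w for w in words if label.startswith(w, i)), key=len, default=None)
        if best:
            covered += len(best)
            i += len(best)
        else:
            i += 1
    return covered / len(label) if label else 0.0


def name_features(label):
    """Cheap lexical features: digit share, vowel share, longest non-vowel run, dictionary coverage."""
    alnum = [c for c in label if c.isalnum()]
    n = max(len(alnum), 1)
    runs = re.findall(r"[^aeiou\-]+", label)
    return {
        "digit_ratio": sum(c.isdigit() for c in alnum) / n,
        "vowel_ratio": sum(c in VOWELS for c in alnum) / n,
        "max_consonant_run": max((len(r) for r in runs), default=0),
        "coverage": dictionary_coverage(label),
    }


def looks_generated(label):
    """Rule-of-thumb verdict: dictionary-like names pass; digit-heavy, vowel-poor or
    consonant-clustered names are flagged. Deliberately simple, so it can be evaded."""
    f = name_features(label)
    if f["coverage"] >= 0.5:
        return False
    return f["digit_ratio"] > 0.1 or f["vowel_ratio"] < 0.25 or f["max_consonant_run"] >= 5


def parse_dns_log(text):
    """Parse the space-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, rcode = line.split()
            events.append({"time": ts, "client": client, "qname": qname.lower(), "rcode": int(rcode)})
    return events


def failed_query_report(events, min_failed=3):
    """Per client: NXDOMAIN/SERVFAIL counts plus the generated-looking labels it asked for,
    keeping only clients with at least min_failed failed lookups."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "servfail": 0, "generated": []})
    for e in events:
        s = stats[e["client"]]
        s["total"] += 1
        if e["rcode"] == 3:
            s["nxdomain"] += 1
        elif e["rcode"] == 2:
            s["servfail"] += 1
        label = registrable_label(e["qname"])
        if looks_generated(label) and label not in s["generated"]:
            s["generated"].append(label)
    return {c: s for c, s in stats.items() if s["nxdomain"] + s["servfail"] >= min_failed}


if __name__ == "__main__":
    for client, s in failed_query_report(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(client, s)
```

Note what the lexical rule gets wrong on purpose: the deck's own check_system.php domains (hander.be, aratecti.be, rugtif.be) pass as pronounceable, which is why the failed-query count and the mass-POST pattern are used alongside it rather than instead of it.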
48. Detection
● WHOIS cross-correlation – easily automated.

49. Detection
● Further step: cross-correlation to domain names which have the same WHOIS attributes
● Sandboxing (we use a modified version of cuckoo sandbox, with user event simulation; not perfect, but it works)
  ● Challenges:
    – Simulate complex user behavior (mouse movements)
    – Simulate complex user browsing patterns (visiting X with a search engine (image?) as referer)
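The WHOIS cross-correlation of slides 34, 48 and 49 comes down to linking domains that share a non-generic attribute (hosting IP, previous IP, contact e-mail, postal address) and reporting what tied them together. The block below is an added example for this page, not the authors' tooling; the record layout, the attribute names and the list of generic values are assumptions, and the values are those shown on slide 34 plus one constructed unrelated record.

```python
from collections import defaultdict

# WHOIS attributes as shown on the "What's common" slide, plus one constructed unrelated
# record (example.net) that must stay in its own cluster.
RECORDS = [
    {"domain": "whoismistergreen.com", "ip_now": "213.5.68.105",
     "created": "2011-07-26", "registrant": "JOHN ABRAHAM",
     "address": "ul. Dubois 119, Lodz"},
    {"domain": "noproblemslove.com", "ip_now": "213.5.68.105",
     "created": "2011-12-07", "registrant": "Whois Privacy Protection Service",
     "email": "gmvjcxkxhs@whoisservices.cn"},
    {"domain": "patr1ckjane.com", "ip_was": "176.65.166.28", "ip_now": "213.5.68.105",
     "created": "2011-07-21", "registrant": "patrick jane",
     "address": "ul. Dubois 119, Lodz"},
    {"domain": "noproblemsbro.com", "ip_was": "176.65.166.28",
     "created": "2011-12-07", "registrant": "Whois Privacy Protection Service",
     "email": "gmvjcxkxhs@whoisservices.cn"},
    {"domain": "example.net", "ip_now": "192.0.2.5", "created": "2010-01-01",  # constructed
     "registrant": "Example Registrant", "address": "1 Example Street, Example City"},
]

# Attributes worth pivoting on. Values shared by unrelated registrants (a privacy
# service's generic contact name) go into GENERIC so they never link domains.
PIVOT_KEYS = ("ip_now", "ip_was", "registrant", "address", "email")
GENERIC = {"whois privacy protection service", "whois agent"}


class DisjointSet:
    """Minimal union-find used to merge domains that share a pivot value."""
    def __init__(self, items):
        self.parent = {x: x for x in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def pivot_index(records, keys=PIVOT_KEYS, generic=GENERIC):
    """(key, normalised value) -> sorted domains carrying it, skipping generic values."""
    index = defaultdict(set)
    for r in records:
        for k in keys:
            v = r.get(k)
            if v and v.strip().lower() not in generic:
                index[(k, v.strip().lower())].add(r["domain"])
    return {kv: sorted(d) for kv, d in index.items()}


def cluster_by_whois(records, keys=PIVOT_KEYS, generic=GENERIC):
    """Domains connected through any chain of shared non-generic attributes form one cluster;
    clusters are returned largest first, each as a sorted list."""
    ds = DisjointSet([r["domain"] for r in records])
    for domains in pivot_index(records, keys, generic).values():
        for d in domains[1:]:
            ds.union(domains[0], d)
    groups = defaultdict(set)
    for r in records:
        groups[ds.find(r["domain"])].add(r["domain"])
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


def links_within(records, cluster, keys=PIVOT_KEYS, generic=GENERIC):
    """The attribute values that actually tie a cluster together (each shared by >= 2 members)."""
    members = set(cluster)
    return {kv: d for kv, d in pivot_index(records, keys, generic).items()
            if len(members.intersection(d)) >= 2}


if __name__ == "__main__":
    for cluster in cluster_by_whois(RECORDS):
        print(cluster)
        for (key, value), domains in links_within(RECORDS, cluster).items():
            print("   ", key, "=", value, "->", domains)
```

The point of the GENERIC list is the privacy-proxy trap: the registrant name "Whois Privacy Protection Service" is shared by thousands of unrelated domains, whereas the per-registrant proxy e-mail on slide 34 is still a usable pivot, and the previous hosting IP links a domain after it has moved.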
50. Detection flow

51. Detection (visualization)
● Parallel coordinates (also see the recent talk by Alexandre Dulaunoy from CIRCL.LU and Sebastien Tricaud from Picviz Labs at CanSecWest)

52. Detection
● (demos, let's look at some videos :)

53. Conclusions
● Detection is still trivial, but keep your methods "private" ;-)
● Detecting advanced botnets (name your favourite traffic profiling evasion method!) is out of the question here, unless this becomes widespread
● The cat and mouse game is still fun! ;-)

54. Tips and recommendations
● For infected machines: boot from clean media and periodically do OFFLINE AV checking
● Monitor network traffic for any unusual activity
● Default-deny firewall policies + block any active executable content

55. Questions
● Contact us at:
  ● fygrave@gmail.com
  ● vladimir.b.kropotov@gmail.com
● http://github.com/fygrave/dnslyzer for some code
