“A Multifaceted Approach to Understanding the Botnet Phenomenon”

Presentation transcript:

“A Multifaceted Approach to Understanding the Botnet Phenomenon”
By: Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose & Andreas Terzis
Affiliation: Computer Science Department at Johns Hopkins University
Published: Internet Measurement Conference (IMC) 2006
Presented by: Andrew Mantel
Presentation date: April 9, 2009
Class: CAP6135 – Malware and Software Vulnerability Analysis (Spring 2009)
Professor: Dr. Cliff Zou
Speaker notes:
- IMC is sponsored by ACM SIGCOMM
- From the IMC website: “contribute to the current understanding of how to collect or analyze Internet measurements, or give insight into how the Internet behaves”

Outline
- Goal / Motivation
- Overview of botnets
- Data collection
- Results
- Authors’ conclusions
- My review

Goal / Motivation
Goal: Get a better understanding of botnets
Motivation: Botnets are dangerous
- Malicious intent: extortion of Internet businesses, e-mail spamming, identity theft
- Increase in botnet activity in recent years
- Despite all this, we don’t know enough details about botnet behavior!
M. A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, "A Multifaceted Approach to Understanding the Botnet Phenomenon". In IMC '06: Proceedings of the 6th ACM SIGCOMM on Internet measurement. pp. 41-52. 2006.

Botnet Overview

(Rajab et al, 42, Figure 1)

Step 1: Exploit
- Exploit a software vulnerability of the victim host
- Same infection strategies as other malware: worms, malicious email code
(Modified from: Rajab et al, 42, Figure 1)

Step 2: Download bot binary
- Infected host executes shellcode to fetch the bot binary from a specified location (usually the same machine that infected it)
- After the download, the bot binary installs itself so it can auto-start on reboot
(Modified from: Rajab et al, 42, Figure 1)

Step 3: DNS lookup
- Bot needs the IP address of the IRC server
- Performs a DNS lookup
- Better than hard-coding the server IP in case the IP gets blacklisted
(Modified from: Rajab et al, 42, Figure 1)

Step 4: Join IRC server
- Join the server and channel specified in the bot binary
- May use authentication:
  - Bot authenticates to join the server using a password from the bot binary
  - Bot authenticates to join the channel using a password from the bot binary
  - Botmaster authenticates to the bot population to send commands
(Modified from: Rajab et al, 42, Figure 1)

Step 5: Execute commands
- Bot parses and executes the channel topic
- Topic contains the default command for all bots to execute
(Modified from: Rajab et al, 42, Figure 1)

(Modified from: Rajab et al, 42, Figure 1)

Data Collection

(Modified from: Rajab et al, 43, Figure 2)

Overview of Data Collection
Three main phases:
1. Malware collection. Goal: collect bot binaries
2. Binary analysis via gray-box testing. Goal: analyze bot binaries
3. Longitudinal tracking of botnets. Goal: use the binary analysis to track real botnets

Phase 1: Malware Collection (Modified from: Rajab et al, 43, Figure 2)

Malware Collection
Goal: Collect bot binaries
Setup: Receive connections from a distributed darknet
- Darknet = an allocated but unused portion of the IP address space
Two types of collectors:
- Nepenthes
  - Mimics replies of a vulnerable service to retrieve the shellcode
  - Passes the URL in the shellcode to a download station to retrieve the bot binary
- Honeypot
  - Implemented to handle cases where nepenthes failed
  - Windows XP running on a VM connected by VLAN
  - Collects the bot binary itself
Speaker notes:
- Download station only downloads from unique URLs
- Nepenthes can fail if it doesn’t correctly mimic exploit sequences or if it can’t parse certain shellcodes

Malware Collection
Gateway provides multiple functions:
- Route darknet traffic to local responders (nepenthes) and honeypots (about a 50/50 split)
- Firewall to stop the honeypot from launching outgoing attacks or cross-infections
  - Allow the honeypot to connect to the IRC server but not do any further communication
- Other miscellaneous functions

Phase 1: Malware Collection (Modified from: Rajab et al, 43, Figure 2)

Phase 2: Binary Analysis (Modified from: Rajab et al, 43, Figure 2)

Phase 2: Binary Analysis
Goal: Analyze bot binaries
Setup: Windows XP with the bot binary on a VM connected to a network sink
- Sink monitors all network traffic
Two steps:
1. Network fingerprint
2. IRC-related features

Phase 2: Binary Analysis
Network fingerprint fnet = {DNS, IPs, Ports, scan}
- DNS = targets of any DNS requests
- IPs = destination IP addresses
- Ports = contacted ports
- scan = whether the bot tried to IP scan
IRC-related features
- Create an IRC daemon that listens on all ports specified by fnet
- When the bot tries to connect to the IRC server, create the IRC fingerprint: firc = {PASS, NICK, USER, MODE, JOIN}
Speaker notes:
- PASS = password used to connect to the IRC server
- JOIN = IRC channels that it joins
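The two fingerprints on this slide are easier to see as data than as set notation. The following is an added example, not code from Rajab et al. or from this presentation: it derives fnet from a constructed network-sink log (one summary line per flow) and firc from constructed client-to-server IRC lines as a local IRC daemon would see them. The log format, the scan threshold of five distinct hosts on one port, and all addresses and names are assumptions.

```python
"""Extract the paper's two sandbox fingerprints, fnet and firc, from traffic.

Added example, not code from Rajab et al. or from the presentation. The sink
log and the IRC client lines below are constructed stand-ins for what a
network sink and a local IRC daemon would record while a bot binary runs
in the analysis VM; field names, thresholds and addresses are assumptions.
"""
import re
from collections import defaultdict

# Constructed sink log: (seconds, proto, dst_ip, dst_port, note). The note is
# a one-line summary the sink attaches to the first packet of each flow.
SINK_LOG = [
    (0.00, "udp", "192.0.2.53", 53, "DNS A? irc.example-c2.test"),
    (0.21, "tcp", "198.51.100.7", 6667, "SYN"),
    (0.24, "tcp", "198.51.100.7", 6667, "PSH"),
    (3.10, "tcp", "203.0.113.1", 445, "SYN"),   # sequential sweep of a /24
    (3.11, "tcp", "203.0.113.2", 445, "SYN"),
    (3.12, "tcp", "203.0.113.3", 445, "SYN"),
    (3.13, "tcp", "203.0.113.4", 445, "SYN"),
    (3.14, "tcp", "203.0.113.5", 445, "SYN"),
    (3.15, "tcp", "203.0.113.6", 445, "SYN"),
    (7.00, "udp", "192.0.2.53", 53, "DNS A? update.example-c2.test"),
]

# Constructed client-to-server lines captured by the local IRC daemon.
IRC_SESSION = [
    "PASS s3cretpw",
    "NICK [XP|USA]-48213",
    "USER xp 0 * :xp",
    "MODE [XP|USA]-48213 +xi",
    "JOIN #botchan chankey",
    "PRIVMSG #botchan :hello",      # not part of firc, ignored
]

DNS_QUERY = re.compile(r"DNS A\? (\S+)")
SCAN_MIN_HOSTS = 5   # assumption: SYNs to this many hosts on one port = scan
IRC_FIELDS = ("PASS", "NICK", "USER", "MODE", "JOIN")


def network_fingerprint(log, scan_min_hosts=SCAN_MIN_HOSTS):
    """fnet = {DNS, IPs, Ports, scan} as defined on the slide."""
    dns, ips, ports = set(), set(), set()
    syn_targets = defaultdict(set)          # port -> distinct hosts SYN'd
    for _ts, proto, ip, port, note in log:
        ips.add(ip)
        ports.add(port)
        m = DNS_QUERY.search(note)
        if m:
            dns.add(m.group(1).lower().rstrip("."))
        if proto == "tcp" and note == "SYN":
            syn_targets[port].add(ip)
    scan = any(len(hosts) >= scan_min_hosts for hosts in syn_targets.values())
    return {"DNS": dns, "IPs": ips, "Ports": ports, "scan": scan}


def parse_irc_line(line):
    """Split one RFC 1459 client line into (COMMAND, [params])."""
    line = line.rstrip("\r\n")
    if line.startswith(":"):                # optional prefix, strip it
        _prefix, _, line = line.partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)             # trailing param may contain spaces
    if not params:
        return None, []
    return params[0].upper(), params[1:]


def irc_fingerprint(lines):
    """firc = {PASS, NICK, USER, MODE, JOIN}; JOIN keeps (channel, key)."""
    firc = {field: [] for field in IRC_FIELDS}
    for line in lines:
        cmd, params = parse_irc_line(line)
        if cmd not in firc:
            continue
        if cmd == "JOIN":
            channels = params[0].split(",") if params else []
            keys = params[1].split(",") if len(params) > 1 else []
            for i, chan in enumerate(channels):
                firc["JOIN"].append((chan, keys[i] if i < len(keys) else None))
        else:
            firc[cmd].append(" ".join(params))
    return firc


if __name__ == "__main__":
    fnet = network_fingerprint(SINK_LOG)
    print("fnet:", fnet)
    print("IRC daemon should listen on ports:", sorted(fnet["Ports"]))
    print("firc:", irc_fingerprint(IRC_SESSION))
```

The scan flag is derived only from SYNs, so the two DNS lookups and the established IRC flow do not count towards it; fnet["Ports"] is what the interposed IRC daemon would bind to before the binary is run a second time.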

Phase 2: Binary Analysis
fnet and firc provide enough information to join a real botnet
However, we still need the botnet “dialect”
- dialect = “the syntax of the botmaster’s commands as well as the corresponding responses sent by the actual bot” (Rajab et al, 44)
To learn the dialect:
- Let the bot connect to a local IRC server
- Bot connects to the default channel
- IRC query engine plays the role of the botmaster, generating commands
What commands to generate?
- Those observed by the honeynet
- Known commands of observed botnets

Phase 2: Binary Analysis (Modified from: Rajab et al, 43, Figure 2)

Phase 3: Longitudinal Tracking of Botnets (Modified from: Rajab et al, 43, Figure 2)

Phase 3: Longitudinal Tracking of Botnets
Two mechanisms:
- IRC tracking
- DNS tracking
IRC tracker (drone)
- Drone is given firc and a template
- Connects to the real IRC server and pretends to participate
- Must be intelligent enough to mimic a real bot
- Can have multiple drones per machine
  - Have each drone periodically disconnect from the server
  - Change the drone’s external IP

Phase 3: Longitudinal Tracking of Botnets
DNS tracking
- Exploits the fact that most bots issue DNS queries to resolve the IP address of the IRC server
- Probe the caches of a large number of DNS servers (800,000) for the botnet domain name
- Record the number of hits as the DNS footprint of the botnet
- This is merely a lower bound
  - A bot must have queried DNS within the TTL time-span of the DNS server
  - A hit only shows that the DNS server was queried at least once, even though many bots behind it may have queried
  - Still, a good relative measure
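The two reasons the slide gives for the footprint being a lower bound can be checked with a small model of resolver caching. This is an added example, not code from the paper or the presentation: it replays, for a handful of constructed resolvers, when bots behind each one resolved the IRC server's name, then counts how many resolver caches would still answer a probe. The TTL, the probe time and the resolver data are all assumptions.

```python
"""Why a DNS-cache footprint under-counts a botnet.

Added example, not code from the paper or the slides. The resolver data is
constructed: each resolver is listed with the seconds at which distinct bots
behind it resolved the IRC server's name. The TTL and probe time are assumed.
"""
TTL = 3600          # assumed TTL of the botnet domain's A record (seconds)
PROBE_TIME = 7200   # when the probe asks each resolver for the name

# Constructed: resolver -> query times, one entry per bot behind that resolver.
BOT_QUERIES = {
    "resolver-a": [4000, 5500, 7000],   # three bots, one cached record
    "resolver-b": [50],                 # record expired long before the probe
    "resolver-c": [10, 4100, 4200],     # expired once, refetched at 4100
    "resolver-d": [],                   # no bots here
    "resolver-e": [7300],               # bot resolves only after the probe
}


def cache_holds_record(query_times, probe_time, ttl=TTL):
    """Replay a resolver's cache. A query after expiry refetches and starts a
    new TTL; queries inside the TTL are served from cache and do not extend
    it. True if the record is cached at probe_time."""
    expiry = None
    for q in sorted(query_times):
        if q > probe_time:
            break                       # later queries cannot affect the probe
        if expiry is None or q >= expiry:
            expiry = q + ttl
    return expiry is not None and probe_time < expiry


def dns_footprint(bot_queries, probe_time=PROBE_TIME, ttl=TTL):
    """Number of resolvers whose cache answers the probe: the paper's
    footprint for one botnet domain."""
    return sum(1 for qs in bot_queries.values()
               if cache_holds_record(qs, probe_time, ttl))


def bots_behind_resolvers(bot_queries):
    """Ground truth this model has but a real probe does not."""
    return sum(len(qs) for qs in bot_queries.values())


def missed_bots(bot_queries, probe_time=PROBE_TIME, ttl=TTL):
    """Bots that leave no separate trace at probe time, split by the two
    reasons on the slide: collapsed onto a single hit, or outside the TTL."""
    collapsed = outside_ttl = 0
    for qs in bot_queries.values():
        if not qs:
            continue
        if cache_holds_record(qs, probe_time, ttl):
            collapsed += len(qs) - 1        # one hit stands for all of them
        else:
            outside_ttl += len(qs)
    return {"collapsed": collapsed, "outside_ttl": outside_ttl}


if __name__ == "__main__":
    print("footprint:", dns_footprint(BOT_QUERIES))
    print("bots:", bots_behind_resolvers(BOT_QUERIES))
    print("missed:", missed_bots(BOT_QUERIES))
```

With these inputs two resolvers answer the probe while eight bots are actually present: four are hidden behind a shared cache entry and two queried outside the TTL window. The identity footprint + collapsed + outside_ttl = bots is what makes the footprint a usable relative measure even though it is not a count.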

Phase 3: Longitudinal Tracking of Botnets (Modified from: Rajab et al, 43, Figure 2)

(Modified from: Rajab et al, 43, Figure 2)

Results

Botnet Traffic Share
- Mapped the total # of incoming SYN packets to the local darknet vs. those originating from known botnet spreaders
  - Known botnet spreader = any source observed to have delivered a bot binary
- Approximately 27% of incoming SYNs came from known botnet spreaders
- This is a lower-bound estimate

Global look at botnet prevalence
Overview:
- During the DNS probing experiments, tracked 65 IRC server domain names
- Of the 800,000 probed servers, 85,000 (11%) had at least one botnet activity
Let’s take a closer look at globally tracking a single botnet IRC server

Global look at botnet prevalence
(star is the IRC server, clouds are connections)
(Rajab et al, 47, Figure 6)

Botnet Spreading & Growth Patterns
Two types of spreaders:
- Type I: worm-like botnets
  - 17.7% of observed botnets
  - Continuously scan certain ports following a given target selection algorithm
- Type II: variable scanning botnets
  - Majority botnet type
  - Use different algorithms to scan
  - Only scan when commanded to
  - Different growth patterns (semi-exponential, staircase, linear)… harder to track

Botnet Spreading & Growth Patterns (Cropped from: Rajab et al, 48, Figure 7)

Effective Botnet Sizes
- effective size = # of bots connected to the IRC server at a specific time
- Observed that a botnet’s effective size is much smaller than its footprint
- Bots usually only stay connected for about 25 minutes
  - May be due to client instability as a result of infection
  - More likely, the botmaster tells them to leave
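Footprint and effective size are measured from the same IRC tracker data but answer different questions, and the 25-minute figure depends on handling bots that are still connected when observation stops. The following is an added example, not the paper's or the presenter's code: it takes a constructed JOIN/QUIT log as a tracking drone in the channel would record it, and computes the footprint, the effective size at a given instant, the peak, and the mean completed session length. Nicknames, timestamps and the observation window are assumptions.

```python
"""Footprint versus effective size, as a tracking drone would measure them.

Added example, not the paper's or the presenter's code. The event log is
constructed: what a drone sitting in the botnet's IRC channel would record
as bots JOIN and QUIT, in seconds since observation began; nicknames and
the observation window are assumptions.
"""
EVENTS = [  # (seconds, event, nick)
    (0,    "JOIN", "[XP|USA]-1"),
    (60,   "JOIN", "[XP|DEU]-2"),
    (300,  "JOIN", "[2K|FRA]-3"),
    (1500, "QUIT", "[XP|USA]-1"),
    (1560, "QUIT", "[XP|DEU]-2"),
    (1800, "JOIN", "[XP|USA]-4"),
    (1800, "QUIT", "[2K|FRA]-3"),
    (2400, "JOIN", "[XP|USA]-1"),   # a bot seen before comes back
    (3300, "QUIT", "[XP|USA]-4"),
    (3700, "JOIN", "[XP|GBR]-5"),   # still online when observation ends
    (3900, "QUIT", "[XP|USA]-1"),
]
OBSERVATION_END = 4000


def footprint(events):
    """Distinct bots ever seen: the footprint, which only ever grows."""
    return len({nick for _, ev, nick in events if ev == "JOIN"})


def effective_size_at(events, t):
    """Bots connected to the channel at time t (the slide's effective size)."""
    online = set()
    for ts, ev, nick in sorted(events):
        if ts > t:
            break
        if ev == "JOIN":
            online.add(nick)
        elif ev == "QUIT":
            online.discard(nick)
    return len(online)


def peak_effective_size(events):
    """Largest number of bots online at any instant."""
    online, peak = set(), 0
    for _ts, ev, nick in sorted(events):
        if ev == "JOIN":
            online.add(nick)
        elif ev == "QUIT":
            online.discard(nick)
        peak = max(peak, len(online))
    return peak


def sessions(events, end=OBSERVATION_END):
    """Return (completed session lengths in seconds, number of sessions still
    open at `end`). Open sessions are right-censored: counted, but left out
    of the mean so they do not drag the estimate down."""
    joined_at, lengths = {}, []
    for ts, ev, nick in sorted(events):
        if ts > end:
            break
        if ev == "JOIN":
            joined_at[nick] = ts
        elif ev == "QUIT" and nick in joined_at:
            lengths.append(ts - joined_at.pop(nick))
    return lengths, len(joined_at)


def mean_session_minutes(events):
    lengths, _open = sessions(events)
    return sum(lengths) / len(lengths) / 60 if lengths else 0.0


if __name__ == "__main__":
    print("footprint:", footprint(EVENTS))
    print("effective size at t=400:", effective_size_at(EVENTS, 400))
    print("peak effective size:", peak_effective_size(EVENTS))
    print("mean session (min):", mean_session_minutes(EVENTS))
```

Even in this small log the footprint (five bots) is larger than the effective size at any instant (at most three), which is the relationship the slide reports; the rejoining bot shows why footprint must be counted by distinct nickname rather than by JOIN events.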

Some other results
- Botnets have a long lifetime: 84% of the observed IRC servers were still up at the end of the study
- Bots can disable anti-virus/firewall processes and protect themselves from being disabled
- Infection frequency by OS: (Rajab et al, 50, Table 4)

Authors’ Conclusions
- Botnets are very dangerous
- Botnets are a major contributor to unwanted traffic on the Internet
- By understanding botnets, we will be better able to deal with them

My Review

Strengths
- Good overview of botnet basics
- Detailed botnet analyzing architecture
- Architecture attacked the problem from multiple fronts
  - nepenthes + honeypots
  - IRC tracking + DNS tracking
- Graphs/tables for most data
- Results supported by cross-referencing data
- Even more data made publicly available: <http://hinrg.cs.jhu.edu/botnets/>

Weaknesses
- Not many weaknesses… authors were very thorough
- Architecture was completely automated, so missed out on smarter botnets
- How accurate is “botnet traffic share” based only on traffic to a darknet?
- One important piece of data they should have reported in the paper: average botnet fingerprint sizes

Extensions/Improvements
- Improve intelligence of:
  - nepenthes
  - Botmaster IRC query engine
  - Bot dialect template acquisition
- Update data to keep track of current botnets
- Monitor botnet traffic share within used IP space
- Discuss ways to apply this data to prevent botnet formation

References
[1] M. A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, "A Multifaceted Approach to Understanding the Botnet Phenomenon". In IMC '06: Proceedings of the 6th ACM SIGCOMM on Internet measurement. pp. 41-52. 2006.