Presented by Nilesh Sharma Pulkit Mehndiratta Indraprashta Institute of Information Technology, Delhi (IIIT- DELHI)


Who we are?
M.Tech (pursuing) at IIIT-Delhi. Research interests: a) Botnets b) Cyber forensics c) Privacy-enhancing technologies d) Cryptographic techniques. Part of the IIITD-ACM student chapter.

What Is a Bot/Botnet?
Bot: a malware instance that runs autonomously and automatically on a compromised computer (zombie) without the owner's consent.
Botnet (bot army): a network of bots controlled by criminals, i.e. "a coordinated group of malware instances that are controlled by a botmaster via some C&C channel".
"25% of Internet PCs are part of a botnet!" (Vint Cerf)

Botnets are used for:
- All DDoS attacks
- Spam
- Click fraud
- Information theft
- Phishing attacks
- Distributing other malware, e.g., spyware

How big is this problem?
CipherTrust reports as many as 172,000 new bots recruited every day, which means about 5 million new bots appear every month. Symantec recently reported that the number of bots observed in a day is 30,000 on average. The total number of bot-infected systems has been measured at between 800,000 and 900,000. A single botnet comprising more than 140,000 hosts was found in the wild, and botnet-driven attacks have been responsible for single DDoS attacks of more than 10 Gbps capacity.

Conficker according to McAfee
- When executed, the worm copies itself under a random name to the %Sysdir% folder.
- Obtains the public IP address of the affected computer.
- Attempts to download a malware file from the remote website.
- Starts an HTTP server on a random port on the infected machine to host a copy of the worm.
- Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit.

Difference between a Virus, Worm and Botnets (video: E:\nilesh _back up\academics\dss project\New Folder\botnet explained.flv)

Existing Techniques
- Traditional anti-virus tools: bots use packers, rootkits and frequent updating to easily defeat anti-virus tools.
- Honeypots: not a good botnet detection tool.

Challenges for Botnet Detection
- Selection of a network monitoring tool
- Clustering algorithm
- Heuristics for the clustering algorithm
- Fast flux
- False positives
- Graphical user interface
- Looking for a dynamic approach, as static and signature-based approaches may not be effective.

Related Work
- Botnet Detection by Monitoring Group Activities in DNS Traffic: Hyunsang Choi, Hanwoo Lee, Heejo Lee, Hyogon Kim, Korea University.
- BotHunter [Gu et al., Security '07]: dialog correlation to detect bots based on an infection dialog model.
- BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection (Guofei Gu, Georgia Institute of Technology).

Motivation
Botnets can change their C&C content (encryption, etc.), protocols (IRC, HTTP, etc.), structures (P2P, etc.) and C&C servers.

Again, Botnet: "A coordinated group of malware instances that are controlled by a botmaster via some C&C channel"

The Framework….

Methodology
1. Collect the DNS data with Wireshark and convert it into .csv format using the Logparser tool through a GUI.
2. Insert the infected data (records that look like a botnet, i.e. having fast-flux characteristics).
3. Retrieve each DNS name and its respective IP addresses from the packet information (.csv file).
4. Perform k-means clustering on the data on the basis of DNS name and check whether we are able to detect botnet fast flux or not.
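The pipeline above, as an added worked example that is not the presenters' code: it takes a CSV export of DNS answers (a constructed sample in the shape a Logparser conversion of a Wireshark capture might give), derives per-domain features (distinct IPs, distinct /16 prefixes, log of the minimum TTL), runs a plain k-means over them, flags the cluster whose centroid has the most IP spread, and scores the result against constructed ground truth with the detection, false positive and false negative rates the results tables report. The column names, the feature set and the farthest-first seeding are assumptions made here; the slides do not say which features or seeding were used.

```python
import csv
import io
import math
from collections import defaultdict

# Constructed sample export, not the presenters' data: one row per DNS answer.
# IPs come from the RFC 5737 documentation ranges; the two *.example.com names
# play the role of the injected "looks like fast-flux" records in step 2.
SAMPLE_CSV = """time,qname,type,ttl,rdata
0,static.example.org,A,86400,203.0.113.5
1800,static.example.org,A,86400,203.0.113.5
0,mail.example.net,A,3600,198.51.100.10
0,mail.example.net,A,3600,198.51.100.11
0,cdn.example.net,A,300,198.51.100.20
0,cdn.example.net,A,300,198.51.100.21
1800,cdn.example.net,A,300,198.51.100.20
0,flux.example.com,A,180,192.0.2.15
0,flux.example.com,A,180,198.51.100.77
0,flux.example.com,A,180,203.0.113.140
1800,flux.example.com,A,180,192.0.2.200
1800,flux.example.com,A,180,198.51.100.3
1800,flux.example.com,A,180,203.0.113.9
3600,flux.example.com,A,180,192.0.2.61
3600,flux.example.com,A,180,198.51.100.120
3600,flux.example.com,A,180,203.0.113.250
0,update.example.com,A,120,192.0.2.30
0,update.example.com,A,120,198.51.100.40
0,update.example.com,A,120,203.0.113.50
1800,update.example.com,A,120,192.0.2.31
1800,update.example.com,A,120,198.51.100.41
1800,update.example.com,A,120,203.0.113.51
"""

# Ground truth for the constructed sample; used only to score the clustering.
LABELS = {"static.example.org": False, "mail.example.net": False, "cdn.example.net": False,
          "flux.example.com": True, "update.example.com": True}


def load_answers(text):
    """Step 3: parse the CSV export into (qname, ttl, ip) tuples, A records only."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["type"] == "A":
            rows.append((row["qname"], int(row["ttl"]), row["rdata"]))
    return rows


def domain_features(answers):
    """Per DNS name: distinct IPs, distinct /16 prefixes, log of the minimum TTL."""
    ips, prefixes, ttl = defaultdict(set), defaultdict(set), {}
    for qname, t, ip in answers:
        ips[qname].add(ip)
        prefixes[qname].add(".".join(ip.split(".")[:2]))
        ttl[qname] = min(t, ttl.get(qname, t))
    return {q: [len(ips[q]), len(prefixes[q]), math.log(ttl[q])] for q in ips}


def normalise(features):
    """Min-max scale each column to [0, 1] so the TTL does not dominate the distance."""
    names = sorted(features)
    cols = list(zip(*(features[n] for n in names)))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return {n: [(v - l) / (h - l) if h > l else 0.0
                for v, l, h in zip(features[n], lo, hi)] for n in names}


def kmeans(points, k, rounds=100):
    """Step 4: plain k-means with deterministic farthest-first seeding (an assumption here)."""
    names = sorted(points)
    vecs = [points[n] for n in names]
    centroids = [vecs[0]]
    while len(centroids) < k:  # next seed = point farthest from the seeds chosen so far
        centroids.append(max(vecs, key=lambda v: min(math.dist(v, c) for c in centroids)))
    assign = None
    for _ in range(rounds):
        new = [min(range(k), key=lambda i: math.dist(v, centroids[i])) for v in vecs]
        if new == assign:
            break
        assign = new
        for i in range(k):
            members = [v for v, a in zip(vecs, assign) if a == i]
            if members:
                centroids[i] = [sum(col) / len(members) for col in zip(*members)]
    return dict(zip(names, assign)), centroids


def detect_fast_flux(csv_text, k=2):
    """Return {domain: flagged}; the flagged cluster is the one with the widest IP spread."""
    feats = normalise(domain_features(load_answers(csv_text)))
    assign, centroids = kmeans(feats, k)
    flux_cluster = max(range(k), key=lambda i: centroids[i][0] + centroids[i][1])
    return {name: cid == flux_cluster for name, cid in assign.items()}


def score(flags, labels):
    """Detection, false positive and false negative rates in percent, as in the results tables."""
    tp = sum(1 for d in flags if flags[d] and labels[d])
    fn = sum(1 for d in flags if not flags[d] and labels[d])
    fp = sum(1 for d in flags if flags[d] and not labels[d])
    tn = sum(1 for d in flags if not flags[d] and not labels[d])
    return {"detection_rate": 100.0 * tp / max(tp + fn, 1),
            "false_positive_rate": 100.0 * fp / max(fp + tn, 1),
            "false_negative_rate": 100.0 * fn / max(tp + fn, 1)}


if __name__ == "__main__":
    flags = detect_fast_flux(SAMPLE_CSV, k=2)
    for name, flagged in sorted(flags.items()):
        print(f"{name:22s} {'FAST-FLUX?' if flagged else 'benign'}")
    print(score(flags, LABELS))
```

The choice of k matters in the same way it does in the slides' k=50 to k=200 runs: with too many clusters a benign CDN name with a handful of IPs can land in its own cluster and be flagged, which is the false positive the conclusion slide discusses; the score function makes that trade-off measurable on any labelled sample.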

Demonstration of Methodology

Results (k=50 clusters)
Columns: S.No | DNS instances | IP instances per DNS | Detection rate (%) | False positive rate (%) | False negative rate (%)

Results (k=100 clusters)
Columns: S.No | DNS instances | IP instances per DNS | Detection rate (%) | False positive rate (%) | False negative rate (%)

Results (k=150 clusters)
Columns: S.No | DNS instances | IP instances per DNS | Detection rate (%) | False positive rate (%) | False negative rate (%)

Results (k=200 clusters)
Columns: S.No | DNS instances | IP instances per DNS | Detection rate (%) | False positive rate (%) | False negative rate (%)

False Negative Analysis

Detection Rate Analysis

Results

Real world fast-flux examples: DNS basics, A record
A records (also known as host records) are the central records of DNS. They link a domain, or subdomain, to an IP address. A records and IP addresses do not necessarily match one-to-one: many A records may point at a single IP address, where one machine serves many web sites, or a single A record may correspond to many IP addresses. The latter facilitates fault tolerance and load distribution, and allows a site to move its physical location.

Real world fast-flux examples: NS records
Name server records determine which servers will serve DNS information for a domain. Two NS records must be defined for each domain; generally you will have a primary and a secondary name server record. NS records are updated with your domain registrar and take hours to take effect. If your domain registrar is separate from your domain host, your host will provide two name servers that you can use to update your NS records with your registrar.

REAL WORLD FAST-FLUX EXAMPLES: Credit Money Botnet (Zeus Botnet)
Below are the single-flux DNS records typical of such an infrastructure. The tables show DNS snapshots of the domain name divewithsharks.hk taken approximately every 30 minutes, with the five A records returned round-robin showing clear infiltration into home/business dial-up and broadband networks. Notice that the NS records do not change, but some of the A records do. This is the money mule bot example.
divewithsharks.hk IN A xxx [xxx.vf.shawcable.net]
divewithsharks.hk IN A xxx [SBIS-AS - AT&T Internet Services]
divewithsharks.hk IN A xxx [adsl-ustixxx bluetone.cz]
divewithsharks.hk IN A xxx [d xxx.cust.tele2.fr]
divewithsharks.hk IN A xxx [ xxx.msjw.hsdb.sasknet.sk.ca]
divewithsharks.hk IN NS ns1.world-wr.com.
divewithsharks.hk IN NS ns2.world-wr.com.
ns1.world-wr.com IN A [HVC-AS - HIVELOCITY VENTURES CORP]
ns2.world-wr.com IN A xxx [vpdn-dsl xxx.alami.net]

REAL WORLD FAST-FLUX EXAMPLES
Fast-flux nets appear to apply some form of logic in deciding which of their available IP addresses will be advertised in the next set of responses. This may be based on ongoing connection quality monitoring (and perhaps a load-balancing algorithm). New flux-agent IP addresses are inserted into the fast-flux service network to replace nodes with poor performance, nodes being subject to mitigation, or otherwise offline nodes.
divewithsharks.hk IN A xxx [xxx.vs.shawcable.net] NEW
divewithsharks.hk IN A xxx [d47-69-xxx- 177.try.wideopenwest.com] NEW
divewithsharks.hk IN A xxx [xxx.vf.shawcable.net]
divewithsharks.hk IN A xxx [d xxx.cust.tele2.fr]
divewithsharks.hk IN A xxx [ xxx.msjw.hsdb.sasknet.sk.ca]
divewithsharks.hk IN NS ns1.world-wr.com.
divewithsharks.hk IN NS ns2.world-wr.com.
ns1.world-wr.com IN A xxx [HVC-AS - HIVELOCITY VENTURES CORP]
ns2.world-wr.com IN A xxx [vpdn-dsl xxx.alami.net]

REAL WORLD FAST-FLUX EXAMPLES
As we see (marked NEW above), two of the advertised IP addresses have changed. Again, these two IP addresses belong to dial-up or broadband networks. Another 30 minutes later, a lookup of the domain returns the following information:
divewithsharks.hk IN A xxx [xxx.ed.shawcable.net] NEW
divewithsharks.hk IN A xxx [SBIS-AS - AT&T Internet Services] This one came back!
divewithsharks.hk IN A xxx [xxx.ipt.aol.com] NEW
divewithsharks.hk IN A xxx [pcxxx.telecentro.com.ar] NEW
divewithsharks.hk IN A xxx [CNT Autonomous System] NEW
divewithsharks.hk IN NS ns1.world-wr.com.
divewithsharks.hk IN NS ns2.world-wr.com.
ns1.world-wr.com IN A xxx [HVC-AS - HIVELOCITY VENTURES CORP]
ns2.world-wr.com IN A xxx [vpdn-dsl xxx.alami.net]
Now we observe four new IP addresses and one IP address that we saw in the first query. This demonstrates the round-robin address response mechanism used in fast-flux networks. As we have seen in this example, the A records for the domain are constantly changing. Each one of these systems represents a compromised host acting as a redirector, a redirector that eventually points to the money mule botnet.

Some more fast-flux examples
login.mylspacee.com. 177 IN A xxx [c xxx.hsd1.fl.comcast.net]
login.mylspacee.com. 177 IN A xxx [cpe xxx.gt.res.rr.com]
login.mylspacee.com. 177 IN A xxx [adsl xxx.dsl.hrlntx.swbell.net]
login.mylspacee.com. 177 IN A xxx [cpe xxx.stny.res.rr.com]
login.mylspacee.com. 177 IN A xxx [ xxx.dhcp.insightbb.com]
mylspacee.com IN NS ns3.myheroisyourslove.hk.
mylspacee.com IN NS ns4.myheroisyourslove.hk.
mylspacee.com IN NS ns5.myheroisyourslove.hk.
mylspacee.com IN NS ns1.myheroisyourslove.hk.
mylspacee.com IN NS ns2.myheroisyourslove.hk.
ns1.myheroisyourslove.hk. 854 IN A xxx [ppp xxx.dsl.sfldmi.ameritech.net]
ns2.myheroisyourslove.hk. 854 IN A xxx [adsl xxx.dsl.bumttx.sbcglobal.net]
ns3.myheroisyourslove.hk. 854 IN A xxx [c xxx.hsd1.al.comcast.net]
ns4.myheroisyourslove.hk. 854 IN A xxx [xxx tampabay.res.rr.com]
ns5.myheroisyourslove.hk. 854 IN A xxx [xxx cfl.res.rr.com]

Results
login.mylspacee.com. 161 IN A xxx [ xxx.dhcp.insightbb.com] NEW
login.mylspacee.com. 161 IN A xxx [cpe xxx.elp.res.rr.com] NEW
login.mylspacee.com. 161 IN A xxx [adsl xxx.dsl.hstntx.swbell.net] NEW
login.mylspacee.com. 161 IN A xxx [ppp xxx.dsl.ipltin.ameritech.net] NEW
login.mylspacee.com. 161 IN A xxx [adsl xxx.dsl.pltn13.pacbell.net] NEW
mylspacee.com IN NS ns3.myheroisyourslove.hk.
mylspacee.com IN NS ns4.myheroisyourslove.hk.
mylspacee.com IN NS ns5.myheroisyourslove.hk.
mylspacee.com IN NS ns1.myheroisyourslove.hk.
mylspacee.com IN NS ns2.myheroisyourslove.hk.
ns1.myheroisyourslove.hk. 608 IN A xxx [ppp xxx.dsl.sfldmi.ameritech.net]
ns2.myheroisyourslove.hk. 608 IN A xxx [adsl xxx.dsl.bumttx.sbcglobal.net]
ns3.myheroisyourslove.hk. 608 IN A xxx [c xxx.hsd1.al.comcast.net]
ns4.myheroisyourslove.hk. 608 IN A xxx [xxx tampabay.res.rr.com]
ns5.myheroisyourslove.hk. 608 IN A xxx [xxx cfl.res.rr.com]
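The snapshot comparison the divewithsharks.hk walkthrough does by hand (which A records are NEW, which one "came back", whether the NS records moved, and how many of the advertised hosts sit in dial-up or broadband networks), as an added example that is not part of the presentation. The three snapshots are constructed to mirror the slides' pattern (two new addresses after 30 minutes, then four new plus one returning) using RFC 5737 documentation addresses and made-up reverse names; the list of reverse-DNS tokens treated as "residential" is an assumption made here, seeded from the hostnames shown on the slides.

```python
# Constructed snapshots of one hypothetical fast-flux domain, 30 minutes apart (not the
# slides' real data). Each maps advertised A-record IPs to their reverse DNS names, and
# NS names to the name servers' IPs.
SNAPSHOTS = [
    {"a": {"192.0.2.10": "h10.vf.cable.example-isp.net",
           "198.51.100.20": "adsl-20.dsl.example-isp.com",
           "203.0.113.30": "d30.cust.example-tel.fr",
           "192.0.2.40": "h40.dhcp.example-net.ca",
           "198.51.100.50": "c50.hsd1.example-cable.net"},
     "ns": {"ns1.example-ns.test": "203.0.113.2", "ns2.example-ns.test": "203.0.113.3"}},
    {"a": {"192.0.2.11": "h11.vs.cable.example-isp.net",        # NEW
           "198.51.100.21": "d21-69.try.cpe.example-wow.com",    # NEW
           "192.0.2.10": "h10.vf.cable.example-isp.net",
           "203.0.113.30": "d30.cust.example-tel.fr",
           "192.0.2.40": "h40.dhcp.example-net.ca"},
     "ns": {"ns1.example-ns.test": "203.0.113.2", "ns2.example-ns.test": "203.0.113.3"}},
    {"a": {"192.0.2.12": "h12.ed.cable.example-isp.net",        # NEW
           "198.51.100.20": "adsl-20.dsl.example-isp.com",       # this one came back
           "203.0.113.31": "pc31.ppp.example-telecentro.ar",     # NEW
           "192.0.2.41": "h41.dhcp.example-net.ca",              # NEW
           "198.51.100.52": "cpe-52.res.example-rr.com"},        # NEW
     "ns": {"ns1.example-ns.test": "203.0.113.2", "ns2.example-ns.test": "203.0.113.3"}},
]

# Reverse-DNS tokens typical of dial-up / broadband customer pools (assumed list).
RESIDENTIAL_HINTS = ("dsl", "ppp", "dhcp", "cable", "cust", "hsd1", "cpe", "res.", "dial")

VERDICT_FLUX_STABLE_NS = "A records fluxing over stable NS records"
VERDICT_FLUX_BOTH = "A records and NS records both fluxing"
VERDICT_STABLE = "no flux observed"


def looks_residential(rdns):
    """True when the reverse name carries a customer-pool token such as dsl or dhcp."""
    name = rdns.lower()
    return any(hint in name for hint in RESIDENTIAL_HINTS)


def flux_report(snapshots):
    """Per snapshot: IPs never seen before, IPs that returned after being dropped,
    IPs dropped since the previous snapshot, and whether the NS set changed."""
    report, seen, prev_a, prev_ns = [], set(), set(), None
    for i, snap in enumerate(snapshots):
        cur_a, cur_ns = set(snap["a"]), dict(snap["ns"])
        report.append({"snapshot": i,
                       "new": cur_a - seen,
                       "returned": (cur_a & seen) - prev_a,
                       "dropped": prev_a - cur_a,
                       "ns_changed": prev_ns is not None and cur_ns != prev_ns})
        seen |= cur_a
        prev_a, prev_ns = cur_a, cur_ns
    return report


def summarise(snapshots):
    """Aggregate the churn into the numbers an analyst would look at first."""
    report = flux_report(snapshots)
    distinct = set().union(*(set(s["a"]) for s in snapshots))
    reverse_names = [r for s in snapshots for r in s["a"].values()]
    new_after_first = sum(len(r["new"]) for r in report[1:])
    ns_stable = not any(r["ns_changed"] for r in report)
    if new_after_first == 0:
        verdict = VERDICT_STABLE
    else:
        verdict = VERDICT_FLUX_STABLE_NS if ns_stable else VERDICT_FLUX_BOTH
    return {"distinct_ips": len(distinct),
            "new_after_first": new_after_first,
            "ns_stable": ns_stable,
            "residential_share": sum(map(looks_residential, reverse_names)) / len(reverse_names),
            "verdict": verdict}


if __name__ == "__main__":
    for step in flux_report(SNAPSHOTS):
        print(step)
    print(summarise(SNAPSHOTS))
```

Run on the constructed snapshots this reports two new addresses at the second lookup, then four new and one returning address at the third, an unchanged NS set, and every advertised host in a residential pool, which is the same reading the slides give of the divewithsharks.hk records; on the login.mylspacee.com records the same code would additionally show the name servers themselves resolving into DSL and cable pools.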

Conclusion
- On the basis of DNS instances, k-means clustering makes it possible to detect the fast-flux characteristics of botnets.
- A new botnet detection system based on horizontal correlation, independent of the botnet's C&C protocol and structure.
- Real-world evaluation shows promising results.
- The false positive rate is very low in the case of a large number of IP address instances corresponding to the same DNS name, which actually resembles the condition of real-world botnets.

Acknowledgements
- Nullcon team
- All the listeners
- Our professors, Dr. Ponnurangam Kumaraguru and Dr. Shishir Nagaraja

Thank you