Cross-Analysis of Botnet Victims: New Insights and Implication Seungwon Shin, Raymond Lin, Guofei Gu Presented by Bert Huang.

Presentation transcript:

Cross-Analysis of Botnet Victims: New Insights and Implication Seungwon Shin, Raymond Lin, Guofei Gu Presented by Bert Huang

Introduction
- Botnet
  - Internet-connected computers
  - AKA zombie army
- Architecture
  - Command & Control (C&C) via Internet Relay Chat (IRC)
  - Peer to Peer (P2P)
- What can they do?
  - DDoS
  - Spam
  - Facilitate other malware

Introduction
- Propagation method
  - Auto-self-propagating (Type I)
    - Network scanning
    - Dictionary attack on admin share
  - Non-auto-self-propagating (Type II)
    - Phishing
    - Drive-by download
    - Pay-per-installation

Introduction
- Research question
  - Are there any similarities/differences in infection patterns between these two types of botnets?
    - E.g. distribution of victims
- Motivation
  - Further understand the nature of botnets
  - Develop more accurate/targeted malware monitoring, detection, and prediction systems
- Three major botnets
  - Conficker (Type I)
  - MegaD (Type II)
  - Srizbi (Type II)

Data Collection
- Conficker
  - Gains total control of infected computers
  - Uses domain fluxing to generate the C&C domain names that victims contact
- Methodology
  - shadowserver.org
  - Sinkhole servers
    - Registered the same domain names as Conficker's master servers, so queries from infected computers are redirected to the sinkhole
    - Captures communication activities

Data Collection
- MegaD & Srizbi
  - Spam bots
- Methodology
  - BOTLAB project
  - Spam trap servers
  - Crawling URLs
  - DNS monitoring
  - Determine via correlation

Data Collection
- Limitations
  - Dynamic IP makes it hard to identify hosts
    - Generalize IP addresses to the subnet/network level
    - /24 subnet
    - If a host is infected, its whole /24 subnet is considered an infected network
  - Unlikely to collect the complete data of certain botnets (in this case, data for MegaD and Srizbi)
    - Such is life

Data Collection
- Conficker
  - 24,912,492 victims
  - 1,339,699 infected networks
- MegaD
  - 83,316 victims
  - 71,896 infected networks
- Srizbi
  - 106,446 victims
  - 77,934 infected networks

Data Collection
- Type I
  - 1,339,699 infected networks
- Type II
  - 137,902 infected networks
- Common (Type I & Type II)
  - 97,290 infected networks
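The /24 generalisation and the Type I / Type II / common counts above are easy to get subtly wrong (duplicate victims in one subnet, the same subnet reported by two Type II botnets). The following is an added example, not code from the presentation, the paper, shadowserver.org or Botlab; the victim addresses are constructed from documentation and private ranges, and the "EX" (exclusive) sets are an assumption about what the later slides' "Type I EX" / "Type II EX" labels mean.

```python
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed sample victim IPs, NOT data from the paper or its sources.
VICTIMS: Dict[str, List[str]] = {
    "Conficker": ["203.0.113.5", "203.0.113.77", "198.51.100.9",
                  "192.0.2.1", "192.0.2.200", "172.16.9.1"],
    "MegaD":     ["203.0.113.9", "198.51.100.200", "198.51.100.201", "172.16.5.5"],
    "Srizbi":    ["203.0.113.250", "192.0.2.33", "203.0.113.77"],
}
TYPE_I = {"Conficker"}           # auto-self-propagating
TYPE_II = {"MegaD", "Srizbi"}    # non-auto-self-propagating


def to_network(ip: str) -> str:
    """Generalise a victim address to its /24 network (IPv4 only), e.g.
    203.0.113.77 -> 203.0.113.0/24. strict=False clears the host bits."""
    return str(ipaddress.IPv4Network(f"{ip}/24", strict=False))


def infected_networks(victims: Dict[str, Iterable[str]]) -> Dict[str, Set[str]]:
    """Per botnet, the set of infected /24 networks (duplicates collapse)."""
    return {name: {to_network(ip) for ip in ips} for name, ips in victims.items()}


def union_of(nets: Dict[str, Set[str]], names: Iterable[str]) -> Set[str]:
    out: Set[str] = set()
    for name in names:
        out |= nets[name]
    return out


def summarize(victims: Dict[str, List[str]]) -> dict:
    """Victim and network counts per botnet, then the Type I / Type II
    network sets, their intersection ("common") and the exclusive remainders
    (assumed meaning of the slides' "EX" labels)."""
    nets = infected_networks(victims)
    type_i = union_of(nets, TYPE_I)
    type_ii = union_of(nets, TYPE_II)
    return {
        "per_botnet": {b: {"victims": len(victims[b]), "networks": len(nets[b])}
                       for b in victims},
        "type_i_networks": len(type_i),
        "type_ii_networks": len(type_ii),
        "common_networks": len(type_i & type_ii),
        "type_i_exclusive": len(type_i - type_ii),
        "type_ii_exclusive": len(type_ii - type_i),
    }


if __name__ == "__main__":
    for key, value in summarize(VICTIMS).items():
        print(f"{key}: {value}")
```

Note that the Type II network count is the union over MegaD and Srizbi, not the sum of the two: a /24 seen in both spam botnets is one infected network, which is why 71,896 + 77,934 on the previous slide exceeds the 137,902 Type II networks reported here.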

Cross Analysis – Initial Analysis
Hypothesis I: Since the two types of botnets have very different infection vectors, they may exhibit different infection patterns (e.g. the distribution of their infected networks).
- The distributions of Type I and Type II botnets are VERY SIMILAR
- The IP address ranges (77.* - 96.*), (109.* *) and (186.* *) are highly infected by BOTH types of botnet
- These IP address ranges are contiguous, which may imply that vulnerable networks are close to each other

Cross Analysis – Initial Analysis
- So far only the distribution over the IP address space has been considered, with no semantic meaning attached
  - What is the reason for these highly infected ranges?
  - Where are these networks located?
  - Who is using these networks?
  - What about the non-infected machines?
- Need more fine-grained analysis and investigation

Cross Analysis – Initial Analysis
- Follow-up investigation
  - Geographical distribution of infected networks
  - IP address population/density
  - Remote accessibility of networks
  - Dynamism of IP addresses
- Build a hypothesis for each point based on some intuition

Cross Analysis – Geographical Location
Hypothesis II: Type I and Type II infected networks are mainly distributed over similar countries.
- Infected networks are spread all over the world, with some concentrated areas
- Some countries are prone to infection by both Type I and Type II
- Some countries are more likely to be infected by one type of botnet
  - E.g. China is highly prone to Type I, but not so much to Type II
  - Countries that are more prone to Type I: discussed later
  - Countries that are more prone to Type II: discussed later too

Cross Analysis – IP Address Population
- IP addresses are not assigned evenly over networks or locations
  - Some addresses are registered only for special purposes
    - E.g. (224.* *) is assigned for multicast addresses
- IP address population differs for every country
  - > 37% of IP addresses are assigned to the United States
  - < 0.5% of IP addresses are assigned to Turkey

Cross Analysis – IP Address Population
Hypothesis III: Countries with more IP addresses (high IP address population countries) might contain more of both types of infected networks than low IP address population countries.
- The number of infected networks for Type I, Type II, Type I EX and Type II EX is roughly proportional to IP address population
  - The more IP addresses a country has, the more infected networks it contains
- A spike of infections was observed in countries with a low IP address population

Cross Analysis – IP Address Population
- What's up with the spike?
  - Security education/knowledge in these countries may not be as prevalent as elsewhere
    - People may expose vulnerable services or click suspicious URLs without serious consideration
  - Network configuration/protection may not be as up to date as elsewhere, making it easier for malware to abuse these exploits

Cross Analysis – IP Address Population
- Since high IP address population countries are likely to have more infected networks...
  - The infected networks could still be a relatively small percentage of the address population
  - Comparing absolute infection counts alone could overshadow countries with a high percentage of infections
- Need a way of finding countries with...
  - Low IP address population
  - High infection percentage

Cross Analysis – IP Address Population

Cross Analysis – Remote Accessibility
Hypothesis IV: Networks that are more open (more directly accessible from remote hosts) might contain more infected networks of Type I botnets than of Type II botnets.
- Check network accessibility via ping
  - 5 ICMP echo request packets
  - Regard the network as reachable on success
- Only shows the lower bound of reachable networks
  - Perimeter defence systems (firewall, IDS, etc.)
  - Host may be offline
- Assumes each /24 subnet has the same network access control policy

Cross Analysis – Remote Accessibility
- Able to access 54.32% of Type I infected networks
  - The ratio could be higher
    - Lower bound limitation
    - Networks are aware of malware scanning attacks, so they are more defensive
- Able to access 46.85% of Type II infected networks
  - Type II botnets do not depend on remote accessibility anyway...
- Able to access >60% of common infected networks
  - Remotely accessible networks are much more vulnerable to malware attacks

Cross Analysis – Dynamism of IP Address
Hypothesis V: Places (or networks) with more dynamic IP addresses are more prone to infection by both types of botnets.
- Analyse the % of infected networks that use dynamic IP
  - Keywords in the reverse PTR (pointer) record
    - E.g. dynamic-host.abcd.com
- Only shows the lower bound of dynamic IP addresses
  - Limitation of reverse DNS lookup & the selected keywords

Cross Analysis – Dynamism of IP Address
- Dynamic IP addresses are more vulnerable
- Type I has no network preference
  - Scans the address space regardless of whether the victim is using a dynamic or static IP
- Type II prefers dynamic addresses
  - Most likely home users with less security awareness

Type         Dynamic IP   Static IP
Common       62%          38%
Type I       50.1%        49.9%
Type II      58.4%        41.6%
Type I EX    49.08%       50.92%
Type II EX   51.87%       48.13%
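The PTR keyword method behind the table above is a lower-bound estimate: a network with no reverse record, or whose provider uses an unlisted naming scheme, is silently counted as static. The following added example (my code, not the presentation's or the paper's; the keyword list is an assumption, since the slides only give the single example dynamic-host.abcd.com) makes that behaviour explicit and computes the dynamic share for constructed PTR lookups.

```python
import re
from typing import Dict, Optional

# Keywords that commonly appear in PTR names of dynamically assigned addresses.
# ASSUMPTION: the presentation does not list its keyword set; this one is illustrative.
DYNAMIC_KEYWORDS = ("dynamic", "dyn", "dhcp", "pool", "ppp", "dsl", "cable")
_KEYWORD_RE = re.compile("|".join(map(re.escape, DYNAMIC_KEYWORDS)))


def is_dynamic(ptr: Optional[str]) -> bool:
    """True only when a PTR record exists AND carries a dynamic-address keyword.
    A missing record (None) is counted as NOT dynamic, which is exactly why the
    resulting share is a lower bound on the true dynamic-IP share."""
    if ptr is None:
        return False
    return _KEYWORD_RE.search(ptr.lower()) is not None


def dynamic_share(ptrs: Dict[str, Optional[str]]) -> float:
    """Percentage of networks classified dynamic, rounded to two decimals."""
    if not ptrs:
        return 0.0
    dynamic = sum(1 for p in ptrs.values() if is_dynamic(p))
    return round(100.0 * dynamic / len(ptrs), 2)


# Constructed PTR lookups per infected /24 (None = no reverse record), NOT real data.
TYPE_I_PTRS: Dict[str, Optional[str]] = {
    "198.51.100.0/24": "dynamic-host.abcd.com",
    "203.0.113.0/24": "mail.example.org",
    "192.0.2.0/24": None,
    "172.16.9.0/24": "ppp-12.isp.example",
}
TYPE_II_PTRS: Dict[str, Optional[str]] = {
    "198.51.100.0/24": "dynamic-host.abcd.com",
    "203.0.113.0/24": "mail.example.org",
    "192.0.2.0/24": None,
    "172.16.5.0/24": "dhcp-pool.isp.example",
    "10.1.1.0/24": "cable-modem.example.net",
}


def dynamism_table(groups: Dict[str, Dict[str, Optional[str]]]) -> Dict[str, Dict[str, float]]:
    """Dynamic vs. static-or-unknown share per group, like the slide's table.
    The 'common' group is the intersection of the Type I and Type II networks."""
    table = {}
    for name, ptrs in groups.items():
        dyn = dynamic_share(ptrs)
        table[name] = {"dynamic_pct": dyn, "static_or_unknown_pct": round(100.0 - dyn, 2)}
    return table


def build_groups() -> Dict[str, Dict[str, Optional[str]]]:
    common = {n: TYPE_I_PTRS[n] for n in TYPE_I_PTRS if n in TYPE_II_PTRS}
    return {"Common": common, "Type I": TYPE_I_PTRS, "Type II": TYPE_II_PTRS}


if __name__ == "__main__":
    for name, row in dynamism_table(build_groups()).items():
        print(f"{name:8} dynamic {row['dynamic_pct']:6.2f}%  static/unknown {row['static_or_unknown_pct']:6.2f}%")
```

The "static" column is really "static or unknown", which is what the slide's "lower bound" caveat means; a defender reproducing this measurement should report the share of networks with no PTR at all alongside the dynamic share.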

Victim Prediction
- K-Nearest Neighbour classification (k-NN)
  - Popular machine learning algorithm
- Type I botnet
  - Done in previous work
  - >90% accuracy
  - Strong neighbourhood correlation due to network scanning
- Attempt to do k-NN for the Type II botnets

Victim Prediction
- k-NN for Type II botnets
  - Select the same features for the k-NN classifier
    - /24 subnet address
    - Physical location of infected networks
- Data preparation
  - Infected network labelled as malicious network
  - Clean network labelled as benign network
    - Determined by looking up several DNS blacklists

Victim Prediction
- Around 88% accuracy
- Strong neighbourhood correlation
  - Which networks get infected by Type II highly depends on who receives spam
    - Spammers specifically harness addresses from similar locations
    - E.g. the same company or the same university

Botnet   K   Accuracy   False positive
MegaD    ?   ?          7.35%
MegaD    3   88.25%     7.36%
MegaD    ?   ?          7.54%
Srizbi   ?   ?          6.23%
Srizbi   3   87.70%     6.04%
Srizbi   ?   ?          5.77%
(K and accuracy values lost in the transcript are marked ?)

Cross-Botnet Prediction
- Confirm the similarity between botnets
  - Calculated the Manhattan distance between the distributions of the two types of botnets
The Manhattan distance between two items is the sum, over all features, of the absolute difference of the two items' values for that feature. It is frequently used to judge whether two data distributions are similar or not.

Cross-Botnet Prediction
- Probability distribution of infected networks for Conficker, MegaD, and Srizbi
- Manhattan distance
  - Conficker / MegaD
  - Conficker / Srizbi
  - MegaD / Srizbi
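To make the distance comparison concrete, here is an added example (my code, not the paper's) that turns lists of infected /24 networks into a probability distribution over the first octet (/8 bins, an assumption; the slides do not say at what granularity the paper binned the address space) and computes the Manhattan distance between two such distributions. The network lists are constructed; the slide's actual distance values did not survive in the transcript.

```python
from collections import Counter
from itertools import combinations
from typing import Dict, Iterable, List


def first_octet_distribution(networks: Iterable[str]) -> Dict[int, float]:
    """Probability mass of infected /24 networks per /8 (first octet).
    ASSUMPTION: /8 binning; the paper's binning is not given on the slides."""
    nets = list(networks)
    if not nets:
        return {}
    counts = Counter(int(n.split(".")[0]) for n in nets)
    return {octet: c / len(nets) for octet, c in counts.items()}


def manhattan_distance(p: Dict[int, float], q: Dict[int, float]) -> float:
    """Sum over every bin of |p - q|; a bin missing from one side counts as 0.
    For two probability distributions the result lies in [0, 2]:
    0 = identical, 2 = no overlapping bins at all."""
    return sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))


# Constructed infected-network lists, NOT the paper's data.
INFECTED: Dict[str, List[str]] = {
    "Conficker": ["203.0.113.0/24", "203.0.114.0/24", "198.51.100.0/24", "192.0.2.0/24"],
    "MegaD":     ["203.0.113.0/24", "198.51.100.0/24"],
    "Srizbi":    ["203.0.115.0/24", "203.0.116.0/24", "203.0.117.0/24", "192.0.2.0/24"],
}


def pairwise_distances(infected: Dict[str, List[str]]) -> Dict[str, float]:
    """Manhattan distance for every pair of botnets, keyed 'A / B'."""
    dists = {name: first_octet_distribution(nets) for name, nets in infected.items()}
    return {f"{a} / {b}": round(manhattan_distance(dists[a], dists[b]), 6)
            for a, b in combinations(dists, 2)}


if __name__ == "__main__":
    for pair, d in pairwise_distances(INFECTED).items():
        print(f"{pair}: {d}")
```

A small distance only says the two botnets' victims sit in the same address bins in similar proportions; with /8 bins it says nothing about whether the same /24s are infected, which is what the common-network counts earlier measure directly.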

Cross-Botnet Prediction
- Use currently available information to predict future unknown botnets
  - Use k-NN classification again, but with cross-botnet training and testing sets
  - More than 83% accuracy
- Even with no knowledge of a botnet, if it shares a similar infection vector with a known one, we may be able to predict its unknown infected networks

Settings: MegaD (training) / Srizbi (testing), then Srizbi (training) / MegaD (testing)
False positive rates in transcript order: 7.41%, 7.49%, 7.69%, 6.53%, 6.31%, 5.09%
(the K and accuracy columns of this table were lost in the transcript)

Conclusion
- Type I and Type II botnets have similar infection distributions
- Some countries are more vulnerable than others
  - Can be largely influenced by:
    - Geographical location
    - Security education/knowledge
    - Malware owners' intention (specific or general targeting)
    - Remote accessibility
    - Dynamism of IP addresses
- Prediction and classification of future malware is possible if it shares some common traits with existing botnets

Criticism
- Limitations in the dataset can introduce bias into these evaluations
- The conclusions drawn from each hypothesis are guesses
- Assumes every /24 subnet has the same network access control policy
- Many evaluations rely on previous works, which may not be applicable or directly comparable due to differences in methodology

The End. Any questions?