1
“A Multifaceted Approach to Understanding the Botnet Phenomenon”
By: Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose & Andreas Terzis
Affiliation: Computer Science Department at Johns Hopkins University
Published: Internet Measurement Conference (IMC) 2006
Presented by: Andrew Mantel
Presentation date: April 9, 2009
Class: CAP6135 – Malware and Software Vulnerability Analysis (Spring 2009)
Professor: Dr. Cliff Zou
-IMC is sponsored by ACM SIGCOMM
-From the IMC website: "contribute to the current understanding of how to collect or analyze Internet measurements, or give insight into how the Internet behaves"
2
Outline
Goal / Motivation
Overview of botnets
Data collection
Results
Author's conclusions
My review
3
Goal / Motivation
Goal: Get a better understanding of botnets
Motivation:
Botnets are dangerous
Malicious intent: extortion of Internet businesses, spamming, identity theft
Increase in botnet activity in recent years
Despite all this, we don't know enough details about botnet behavior!
M. A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, "A Multifaceted Approach to Understanding the Botnet Phenomenon". In IMC '06: Proceedings of the 6th ACM SIGCOMM on Internet measurement. pp
4
Botnet Overview
5
(Rajab et al, 42, Figure 1)
6
Step 1: Exploit
Exploit a software vulnerability of the victim host
Same infection strategies as other malware: worms, malicious code
(Modified from: Rajab et al, 42, Figure 1)
7
Step 2: Download bot binary
Infected host executes shellcode to fetch the bot binary from a specified location
Usually the same machine that infected it
After the download, the bot binary installs itself so it can auto-start on reboot
(Modified from: Rajab et al, 42, Figure 1)
8
Step 3: DNS lookup
Bot needs the IP address of the IRC server
Perform DNS lookup
Better than hard-coding the server IP, in case the IP gets blacklisted
(Modified from: Rajab et al, 42, Figure 1)
9
Step 4: Join IRC server
Join the server and channel specified in the bot binary
May use authentication:
Bot authenticates to join the server using a password from the bot binary
Bot authenticates to join the channel using a password from the bot binary
Botmaster authenticates to the bot population to send commands
(Modified from: Rajab et al, 42, Figure 1)
10
Step 5: Execute commands
Bot parses and executes the channel topic
Topic contains the default command for all bots to execute
(Modified from: Rajab et al, 42, Figure 1)
11
(Modified from: Rajab et al, 42, Figure 1)
12
Data Collection
13
(Modified from: Rajab et al, 43, Figure 2)
14
Overview of Data Collection
Three main phases:
Malware collection. Goal: Collect bot binaries
Binary analysis via gray-box testing. Goal: Analyze bot binaries
Longitudinal tracking of botnets. Goal: Use binary analysis to track real botnets
15
Phase 1: Malware Collection
(Modified from: Rajab et al, 43, Figure 2)
16
Malware Collection
Goal: Collect bot binaries
Setup: Receive connections from a distributed darknet
Darknet = an allocated but unused portion of the IP address space
Two types of collectors:
Nepenthes
Mimics replies of a vulnerable service to retrieve the shellcode
Passes the URL in the shellcode to the download station to retrieve the bot binary
Honeypot
Implemented to handle cases where nepenthes failed
Windows XP running on a VM connected by VLAN
Collects the bot binary itself
-Download station only downloads from unique URLs
-Nepenthes can fail if it doesn't correctly mimic exploit sequences or if it can't parse certain shellcodes
17
Malware Collection
Gateway provides multiple functions:
Route darknet traffic to local responders (nepenthes) and honeypots, about a 50/50 split
Firewall to stop the honeypot from launching outgoing attacks or cross infections
Allow the honeypot to connect to the IRC server but not do any further communication
Other miscellaneous functions
18
Phase 1: Malware Collection
(Modified from: Rajab et al, 43, Figure 2)
19
Phase 2: Binary Analysis
(Modified from: Rajab et al, 43, Figure 2)
20
Phase 2: Binary Analysis
Goal: Analyze bot binaries
Setup: Windows XP with the bot binary on a VM connected to a network sink
Sink monitors all network traffic
Two steps:
Network fingerprint
IRC-related features
21
Phase 2: Binary Analysis
Network fingerprint: fnet = {DNS, IPs, Ports, scan}
DNS = targets of any DNS requests
IPs = destination IP addresses
Ports = contacted ports
scan = whether the bot tried to IP scan
IRC-related features:
Create an IRC daemon to listen on all ports specified by fnet
When the bot tries to connect to the IRC server, create the IRC fingerprint: firc = {PASS, NICK, USER, MODE, JOIN}
-PASS = password used to connect to the IRC server
-JOIN = IRC channels that it joins
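As an added example (not code from Rajab et al. or from this presentation), the following Python derives fnet and firc from a constructed sandbox sink log; the log records, the placeholder C2 name and the scan threshold are assumptions.

```python
# Added example, not from Rajab et al.: derive f_net and f_irc from a
# sandbox sink log. Every record below is constructed for illustration.
from collections import defaultdict

# Constructed sink log. "dns" = queried name, "flow" = (dst_ip, dst_port),
# "irc" = raw client->server line seen by the local IRC daemon.
SINK_LOG = [
    ("dns", "irc.c2-placeholder.test"),          # placeholder C2 name
    ("flow", ("198.51.100.7", 6667)),
    ("irc", "PASS s3cret"),                      # server password
    ("irc", "NICK [US|XP]-48211"),
    ("irc", "USER xyz 0 0 :xyz"),
    ("irc", "MODE [US|XP]-48211 +xi"),
    ("irc", "JOIN #botchan chankey"),            # channel + channel key
    ("irc", "PING :irc.c2-placeholder.test"),    # not a fingerprint field
] + [("flow", (f"203.0.113.{i}", 445)) for i in range(1, 60)]  # scan burst

SCAN_THRESHOLD = 50  # assumed: this many distinct hosts on one port = scan

def network_fingerprint(log):
    """f_net = {DNS, IPs, Ports, scan}, as defined in the paper."""
    dns, ips, ports = set(), set(), set()
    hosts_per_port = defaultdict(set)
    for kind, payload in log:
        if kind == "dns":
            dns.add(payload)
        elif kind == "flow":
            ip, port = payload
            ips.add(ip)
            ports.add(port)
            hosts_per_port[port].add(ip)
    scan = any(len(h) >= SCAN_THRESHOLD for h in hosts_per_port.values())
    return {"DNS": dns, "IPs": ips, "Ports": ports, "scan": scan}

def irc_fingerprint(log):
    """f_irc = {PASS, NICK, USER, MODE, JOIN}; JOIN keeps (channel, key)."""
    firc = {}
    for kind, line in log:
        if kind != "irc":
            continue
        cmd, _, rest = line.partition(" ")
        if cmd in ("PASS", "NICK", "USER", "MODE"):
            firc.setdefault(cmd, rest)          # keep the first value seen
        elif cmd == "JOIN":
            chan, _, key = rest.partition(" ")
            firc.setdefault("JOIN", []).append((chan, key or None))
    return firc
```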
22
Phase 2: Binary Analysis
fnet and firc provide enough information to join a real botnet
However, we still need the botnet "dialect"
dialect = "the syntax of the botmaster's commands as well as the corresponding responses sent by the actual bot" (Rajab et al, 44)
To learn the dialect:
Let the bot connect to a local IRC server
Bot connects to the default channel
IRC query engine plays the role of the botmaster, generating commands
What commands to generate?
Those observed by the honeynet
Known commands of observed botnets
23
Phase 2: Binary Analysis
(Modified from: Rajab et al, 43, Figure 2)
24
Phase 3: Longitudinal Tracking of Botnets
(Modified from: Rajab et al, 43, Figure 2)
25
Phase 3: Longitudinal Tracking of Botnets
Two mechanisms: IRC tracking, DNS tracking
IRC tracker (drone):
Drone is given firc and the dialect template
Connects to the real IRC server and pretends to participate
Must be intelligent enough to mimic a real bot
Can have multiple drones per machine
Have the drone periodically disconnect from the server
Change the drone's external IP
26
Phase 3: Longitudinal Tracking of Botnets
DNS tracking:
Exploits the fact that most bots issue DNS queries to resolve the IP address of the IRC server
Probe the caches of a large number of DNS servers (800,000) for the botnet domain name
Record the number of hits as the DNS footprint of the botnet
This is merely a lower bound:
A bot must have queried the name within the TTL time-span of the DNS server's cache
A hit only indicates a single hit to that DNS server, but there could have been many
Still, a good relative measure
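As an added example (not code from Rajab et al. or from this presentation), the following Python simulates the cache-probing measurement to show why the DNS footprint is a lower bound; the bots, resolvers, query times and TTL are all constructed.

```python
# Added example, not from Rajab et al.: simulate cache probing to show why
# the DNS footprint is only a lower bound on infected hosts. All data is
# constructed for illustration.

TTL = 600  # assumed TTL (seconds) of the botnet IRC server's DNS record

# Constructed: (bot_id, resolver_used, time_of_query in seconds).
# Three bots share resolver ns-a; bot5 queried early; bot6 queries late.
BOT_QUERIES = [
    ("bot1", "ns-a", 100), ("bot2", "ns-a", 150), ("bot3", "ns-a", 200),
    ("bot4", "ns-b", 300), ("bot5", "ns-c", 20), ("bot6", "ns-d", 900),
]
PROBED_RESOLVERS = ["ns-a", "ns-b", "ns-c", "ns-d", "ns-e"]

def cache_state(queries, ttl, at):
    """Resolver -> expiry of the cached name at time `at`.
    A query that misses fetches the record and starts a fresh TTL; a query
    that hits an unexpired entry does not extend it."""
    state = {}
    for _, resolver, t in sorted((q for q in queries if q[2] <= at),
                                 key=lambda q: q[2]):
        expiry = state.get(resolver)
        if expiry is None or t >= expiry:
            state[resolver] = t + ttl
    return {r: e for r, e in state.items() if e > at}

def dns_footprint(queries, resolvers, ttl, at):
    """Number of probed resolvers whose cache still holds the name at `at`
    (a non-recursive probe is answered only from the cache)."""
    cached = cache_state(queries, ttl, at)
    return sum(1 for r in resolvers if r in cached)

def infected_hosts(queries):
    """Ground truth the measurement cannot see: distinct infected bots."""
    return len({bot for bot, _, _ in queries})
```

At probe time 650 the footprint is 2 although six hosts are infected: the three bots behind ns-a count once, the entry at ns-c has already expired, and ns-d has not been queried yet.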
27
Phase 3: Longitudinal Tracking of Botnets
(Modified from: Rajab et al, 43, Figure 2)
28
(Modified from: Rajab et al, 43, Figure 2)
29
Results
30
Botnet Traffic Share
Mapped the total number of incoming SYN packets to the local darknet vs. those originating from known botnet spreaders
Known botnet spreader = any source observed to have delivered a bot binary
Approximately 27% of incoming SYNs came from known botnet spreaders
This is a lower-bound estimate
31
Global look at botnet prevalence
Overview:
During the DNS probing experiments, tracked 65 IRC server domain names
Of the 800,000 probed servers, 85,000 (11%) had at least one botnet activity
Let's take a closer look at globally tracking a single botnet IRC server
32
Global look at botnet prevalence
(star is the IRC server, clouds are connections) (Rajab et al, 47, Figure 6)
33
Botnet Spreading & Growth Patterns
Two types of spreaders:
Type I: worm-like botnets
17.7% of observed botnets
Continuously scan certain ports following a given target selection algorithm
Type II: variable scanning botnets
The majority botnet type
Use different algorithms to scan
Only scan when commanded to
Different growth patterns (semi-exponential, staircase, linear)... harder to track
34
Botnet Spreading & Growth Patterns
(Cropped from: Rajab et al, 48, Figure 7)
35
Effective Botnet Sizes
effective size = number of bots connected to the IRC server at a specific time
Observed that a botnet's effective size is much smaller than its footprint
Bots usually only stay connected for about 25 minutes
May be due to client instability as a result of infection
More likely, the botmaster tells them to leave
36
Some other results
Botnets have a long lifetime: 84% of the observed IRC servers were still up at the end of the study
Bots can disable anti-virus/firewall processes and protect themselves from being disabled
Infection frequency by OS: (Rajab et al, 50, Table 4)
37
Author's Conclusions
Botnets are very dangerous
Botnets are a major contributor to unwanted traffic on the Internet
By understanding botnets, we will be better able to deal with them
38
My Review
39
Strengths
Good overview of botnet basics
Detailed botnet-analysis architecture
Architecture attacked the problem from multiple fronts: nepenthes + honeypots, IRC tracking + DNS tracking
Graphs/tables for most data
Results supported by cross-referencing data
Even more data made publicly available: <
40
Weaknesses
Not many weaknesses... the authors were very thorough
Architecture was completely automated, so it missed out on smarter botnets
How accurate is "botnet traffic share" based only on traffic to a darknet?
One important piece of data they should have reported in the paper: average botnet fingerprint sizes
41
Extensions/Improvements
Improve the intelligence of: nepenthes, the botmaster IRC query engine, bot dialect template acquisition
Update the data to keep track of current botnets
Monitor botnet traffic share within used IP space
Discuss ways to apply this data to prevent botnet formation
42
References
[1] M. A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, "A Multifaceted Approach to Understanding the Botnet Phenomenon". In IMC '06: Proceedings of the 6th ACM SIGCOMM on Internet measurement. pp