1. A M ULTIFACETED A PPROACH TO U NDERSTANDING THE B OTNET P HENOMENON Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis Computer Science Department Johns Hopkins University Internet Measurement Conference 2006

2. O UTLINE Introduction Working of Botnet Measuring of Botnet Result and Analysis Comments 2

3. B OTNET Very little known about the behavior of these distributed computing platforms. model the botnet life cycle The term botnet is used to define networks of infected end-hosts, called bots, that are under the control of a human operator commonly known as botmaster. While botnets recruit vulnerable machines using methods also utilized by other classes of malware, their defining characteristic is the use of command and control (C&C) channels. 3

4. B OTNET ( CONT ’ D ) Channels IRC, Internet Relay Channel was originally designed to form large social chat rooms HTTP P2P While other class of malware were mostly used demonstrate technical prominence among hackers, botnets are used for illegal activities. A multifaceted measurement approach to capture the behavior and impact of botnets distributed malware collection (binary) IRC tracking (live botnet) DNS cache probing 4

5. B OTNET L IFE C YCLE 5 - remotely exploiting software vulnerabilities - social engineering shell code actual bot binary defining characteristic resolving the DNS name of IRC server (instead of using hard-coded IP) (authenticate)

6. M EASUREMENT M ETHODOLOGY Three Distinct Phases Malware Collection Collect as many bot binaries as possible Binary analysis via gray-box testing Extract the features of suspicious binaries Longitudinal tracking of IRC botnets Through IRC and DNS trackers Track how bots spread and its reach 6

7. I NFRASTRUCTURE D EPLOYMENT 7 Darknet: denote an allocated but unused portion of the IP addresses space. 1 Large Local darknet. 14 distributed nodes (PlanetLab testbed). 1 Honeynet 1 Download Station 1 Gateway 1 local IRC server IRC trackers (drone) DNS probers Use of 10 different class A (/8) darknet IP spaces.

8. M ALWARE C OLLECTION Nepenthes (on PlanetLab) mimics the replies generated by vulnerable services in order to collect the first stage exploit. Nepenthes is a low interaction honeypot a framework for large-scale collection of information on self- replicating malware in the wild, emulating only the vulnerable parts of a service Modules in nepenthes emulate vulnerabilities download files – done by the Download Station submit the downloaded files shellcode handler 8

9. M ALWARE C OLLECTION ( CONT ’ D ) Honeynets also used along with nepenthes ensure catching exploits missed by nepenthes These failures are most likely due to the responder’s inability to mimic unknown exploit sequences or to parse certain shellcodes. Running unpatched instances of Windows XP in a virtualized environment (VMware) with static private-space IP. One infection allowed and connections with unique IRC servers Binaries (from nepenthes or honeynets) are sent to analysis engine for graybox testing. 9

10. M ALWARE C OLLECTION ( CONT ’ D ) Gateway Forwards traffic to 8 /24, daily rotating to cover the whole darknet (NAT) Firewall (SNORT) Prevent outbound attacks & self infection by honeypots Only 1 infection in a honeypot 10

11. B INARY A NALYSIS ( GREY BOX TESTING ) They use graybox analysis to extract the features of suspicious binaries (regardless of the mechanism by which they were collected). Phase 1: Creation of a network fingerprint f net = DNS requests, destination IPs, Contact Ports, Contact Protocols, default scanning behavior (e.g n=20 destination/port/monitored period) Phase 2: Extraction of IRC-related features f irc = initial password, nickname and username, the particular modes set, and which IRC channels are joined (with associated channel passwords) 11

12. L EARN A BOTNET DIALECT Taken together, f net and f irc provide enough information to join a botnet in the wild. not enough They make the bot connect to their local IRC channel. Force bot to join a local IRC server ( fake Botmaster) Use a query engine to learn the botnet “dialect”, extracting command-response templates. 12

13. L ONGITUDINAL T RACKING IRC tracker (Drone) Connects to a real IRC channel using f net and f irc. Pretends to dutifully follow any commands from the botmaster, and provides realistic responses to her commands. need to be intelligent enough filter inappropriate information included in the template DNS Tracking Bots issue DNS queries to resolve the IP addresses of their IRC servers (~800,000 name servers are used) Each DNS name of a newly detected IRC server is added to the list of servers to be probed. They probe the caches of all DNS and record any cache hits. 13

14. R ESULTS AND A NALYSIS Collection period starts 1 Feb 2006 Darknet Traffic traces > 3 months IRC logs (honeynet, drones) > 3 months More than 100 botnet IRC channels Result of DNS cache hits from tracking 65 IRC servers more than 45 days Captured 318 malicious binaries. 14

15. B OTNET T RAFFIC S HARE 15 Botnet Spreader: any source that successfully completed an exploitation transaction and delivered a bot executable. - ~27% of the incoming SYN is contributed by known botnet spreader - 76% to target ports (135, 139, 445, 3127) - >70% succeed to send shellcode

16. DNS T RACKER R ESULTS 16 Geographic location of the DNS cache hits for one of the tracked botnets. The star indicates the location of the IRC server. - Total 65 IRC server identified. - 11% of the name servers involved in at least one botnet activity. - 29% of the.com servers had at least 1 cache hit. (Top Level Domain)

17. B OT S CAN M ETHOD Type I (34 of 192 IRC bots) 17% worm-like scanning continuously scan certain ports following a specific target selection algorithm Type II (158 of 192 IRC bots ) 83% variable scanning behaviors only scan after receiving a command over C&C channel 17

18. B OTNET G ROWTH – DNS AND IRC 18 Different bots have different growth pattern, and they can be shown by DNS and IRC views.

19. B OTNET S TRUCTURE Of 318 malicious binaries, 60% were IRC 70% of the botnets has single IRC server. Bridged 30% ( 25% public servers) Two Servers 50% Unrelated botnets had similar naming conventions, channel names, user IDs. In many cases, these botnets seem to belong to the same botmaster(s). Several instances where a selected group of bots were commanded to download an updated binary, which subsequently moved the bots to a different IRC server. 19

20. S IZE AND L IFETIME 20 broadcast join/leave information for members on the channel Bots generally do not stay long on the IRC channel

21. B OTNET S OFTWARE T AXONOMY 21 AV: Anti-Virus FW: Firewall

22. C OMMENTS A measurement methodology How to capture a botnet’s binary? How to find the characteristic of a binary? Build a system over honeypot. Only focus on RPC and DNS analysis They did lots of analysis after capturing the bot, how about evaluate the methodology? 22