Download presentation
Presentation is loading. Please wait.
Published byLawrence Warren Modified over 9 years ago
1
Published: Internet Measurement Conference (IMC) 2006 Presented by Wei-Cheng Xiao 2015/11/221
2
Outline Introduction Overview of IRC-based botnets Data collection methodology Analysis results Related work Conclusion 2015/11/222
3
Introduction Botnet: a network of infected hosts, called bots, that are controlled by botmasters The characteristic of botnets The command and control (C&C) channel Communication mechanisms IRC (the majority, easy to distribute) P 2 P HTTP 2015/11/223
4
Why choosing IRC Supports several forms of communication Point-to-point, point-to-multipoint Supports several forms of data dissemination Provide open-source implemenations 2015/11/224
5
Motivation and Goals Motivation There are increases in botnet activity, but little behavior is known. Goals Getting better understanding of botnets, including the prevalence of botnet activity the botnet subspecies diversity the evolution of a botnet 2015/11/225
6
Contributions The development of a multifaceted infrastructure to capture and concurrently track multiple botnets in the wild A comprehensive analysis of measurements reflecting several important structural and behavioral aspects of botnets 2015/11/226
7
Outline Introduction Overview of IRC-based botnets Data collection methodology Analysis results Related work Conclusion 2015/11/227
8
The Life Cycle of A Botnet Infection 2015/11/228
9
Step 1: Exploit Exploit software vulnerability of victim hosts by worms or malicious email attachments 2015/11/229
10
Step 2: Download Bot Binary Execute a shellcode to download bot binary from a specific location and install it 2015/11/2210
11
Step 3: DNS Lookup (optional) Resolve the domain name of the IRC server coded in the binary Avoid server unavailability due to IP blocking 2015/11/2211
12
Step 4: Join Join the IRC server and C&C channel listed in the binary 3 types of authentications 1. Bots authenticate to join the server using passwords in the binary 2. Bots authenticate to join the C&C channel using passwords in the binary 3. Botmasters authenticate to the bot population to send commands 2015/11/2212
13
Step 5: Parse and Execute Commands Parse commands from the channel topic and execute them The topic contains default commands for all bots 2015/11/2213
14
Outline Introduction Overview of IRC-based botnets Data collection methodology Analysis results Related work Conclusion 2015/11/2214
15
The Overall Data Collection Architecture 2015/11/2215
16
The Three Main Phases 1. Malware collection Goal: collect bot binaries 2. Binary analysis via gray-box testing Goal: analyze the binaries 3. Longitudinal tracking of botnets Goal: track real botnets using the analysis results 2015/11/2216
17
Phase 1: Malware Collection Darknet: an allocated but unused portion of the IP address space 2015/11/2217
18
Malware Collection Environment setup There are 14 nodes distributed in the PlantLab testbed. These nodes have access to the darknet, whose IP space is located in 10 different class A networks. Nepenthes Mimics replies generated by vulnerable services to get shellcodes Pass URLs in the shellcodes to the download station to fetch bot binaries (why?) Honeynet Used to handle cases where Nepenthes failed Running unpatched Windows XP on VM VLAN 2015/11/2218
19
Gateway Route darknet traffic to Nepenthes and honeypots half to Nepenthes, half to honeypots Rotate routing among 8 class-C networks in the darknet Use NAT to keep # of honeypots small Act as a firewall to prevent honeypots from outgoing attack and cross infections (VLAN) Detect and manage IRC connections 2015/11/2219
20
Phase 2: Binary analysis (graybox) 2015/11/2220
21
Binary Analysis Environment setup A sink (IRC server) monitors all network traffic. A client, which is a VM with clean Windows XP installed and binary executed, is connected to the sink. Two steps Creating network fingerprints Extracting IRC-related features 2015/11/2221
22
The Two Steps Creating network fingerprints (network level) f net = {DNS, IPs, Ports, Scan} DNS: targets of any DNS requests IPs: destination IP addresses Ports: contacted ports on the server side Scan: whether or not the IP scanning behavior is detected Extracting IRC-related features (application level) When an IRC session is detected, an IRC-fingerprint is created: f irc = {PASS, NICK, USER, MODE, JOIN}. f net and f irc provide enough information to join a botnet in the wild. 2015/11/2222
23
Dialect Dialect: the syntax of botmasters’ commands and their responses Learning a botnet’s dialect is required for mimicking actual bot behavior. An IRC query engine plays the role of botmaster. Commands come from those observed in honeypots source codes of public known bots The output of the querying process becomes the template. 2015/11/2223
24
Phase 3: Longitudinal Tracking of Botnets 2015/11/2224
25
IRC Tracker (Drone): An IRC clients who can join a real-world IRC channel. A drone is given f irc and the template. Automatically answer queries based on the template Pretend to be a dutiful bot Must be intelligent enough Mimicry improvement Randomly join and leave Change external IP 2015/11/2225
26
DNS Tracking Most bots find out IRC servers via DNS queries. Probe about 800,000 real-world DNS servers Query domain names of the IRC servers A cache hits implies one or more bots Shortcomings Not all DNS server are probed. # of hits provides only the lower bound of # of bots Still useful when the broadcast feature in a botnet is turned off. 2015/11/2226
27
Outline Introduction Overview of IRC-based botnets Data collection methodology Analysis results Related work Conclusion 2015/11/2227
28
Data collected Started from Feb. 1 st, 2006, including Traffic traces over the span of 3 months IRC logs over the span of 3 months, covering data from more than 100 botnet channels Results of DNS cache hits from tracking 65 IRC servers on 800,000 DNS servers for more than 45 days 2015/11/2228
29
Botnet Traffic Share 27% of SYNs are from known botnet spreaders. 76% of SYNs direct to target ports. The two curves reveal similar traffic pattern. This is a low-bound estimate. 2015/11/2229
30
About 85,000 DNS servers are involved in at least one botnet activity. Botnet Prevalence: A Global Look 2015/11/2230
31
Botnet Prevalence: A Global Look 2015/11/2231
32
Botnet Spreading Patterns Two types of botnet: Type-I: fixed scanning algorithm Type-II: variable scanning algorithm Out of 192 IRC bots, 34 are Type-I. Summery of Type-II scanning practice 2015/11/2232
33
Botnet Growth Patterns 2015/11/2233
34
Predominant Botnet Structures 1. Single IRC server ( 70% ) Prevalent among small botnets 2. Multiple IRC servers, bridged botnet ( 30% ) 25% of which are public known servers 3. A botmaster controls multiple botnets 4. Some botnets migrate 2015/11/2234
35
Effective Botnet Sizes and Botnet Lifetime Effective size: the # of online bots The observed effective size was much smaller than the footprint. Bots usually stay connected for only 25 minutes. May be due to client inavailability More likely, botmasters ask them to leave. Botnets, however, have long life time 84% IRC servers were still up at the end of study. 2015/11/2235
36
Botnet Software Taxonomy 2015/11/2236
37
Outline Introduction Overview of IRC-based botnets Data collection methodology Analysis results Related work Conclusion 2015/11/2237
38
Related Work Botnet Tracking: Exploring a Root-Cause Methodology to Prevent DoS Attacks. ESORICS, 2005 Introduces the idea of using honeypots and active responders to analyze the botnet behavior Scalability, Fidelity, and Containment in the Potemkin Virtual Honeyfarm. ACM SIGOPS, 2005 A very useful tool for botnet detection, but not appropriate for long term botnet tracking 2015/11/2238
39
Outline Introduction Overview of IRC-based botnets Data collection methodology Analysis results Related work Conclusion 2015/11/2239
40
Conclusion A multifaceted approach is proposed to understand botnet phenomenon. The results show that botnet is a major contributor to the unwanted network traffic. The scanning and pattern of botnets is quite different from that of autonomous malware. The effective size of botnets are much smaller than that of fingerprints. 2015/11/2240
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.