a multifaceted approach to understanding the botnet phenomenon
DESCRIPTION
A Multifaceted Approach to Understanding the Botnet Phenomenon. Authors : Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis Computer Science Department Johns Hopkins University Presented at : Internet Measurement Conference, IMC'06, Brazil, October 2006 Presented By : - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/1.jpg)
A Multifaceted Approach to Understanding the BotnetPhenomenon
Authors :Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas TerzisComputer Science DepartmentJohns Hopkins UniversityPresented at : Internet Measurement Conference, IMC'06, Brazil, October 2006Presented By :Ramanarayanan Ramani
![Page 2: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/2.jpg)
Outline Working of Botnets Measuring Botnets Inference from Measurement Strengths Weaknesses Suggestions
![Page 3: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/3.jpg)
Botnets A botnet is a network of infected end-hosts
(bots) under the command of a botmaster.
3 Different Protocols Used: IRC HTTP P2P
![Page 4: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/4.jpg)
Botnets (contd.)3 Steps of Authentication
Bot to IRC Server
IRC Server to Bot
Botmaster to Bot
(*) : Optional Step
![Page 5: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/5.jpg)
Measuring Botnets Three Distinct Phases
Malware CollectionCollect as many bot binaries as possible
Binary analysis via gray-box testingExtract the features of suspicious binaries
Longitudinal trackingTrack how bots spread and its reach
![Page 6: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/6.jpg)
Measuring Botnets
Darknet : Denotes an allocated but unused portion of the IP address space.
![Page 7: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/7.jpg)
Malware Collection Nepenthes is a low interaction honeypot Nepenthes mimics the replies generated by
vulnerable services in order to collect the first stage exploit
Modules in nepenthes Resolve DNS asynchronous Emulate vulnerabilities Download files – Done here by the Download Station Submit the downloaded files Trigger events Shellcode handler
![Page 8: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/8.jpg)
Malware Collection Honeynets also used along
with nepenthes Catches exploits missed by nepenthes Unpatched Windows XP are run which is
base copy Infected honeypot compared with base to
identify Botnet binary
![Page 9: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/9.jpg)
Gateway Routing to different components Firewall : Prevent outbound attacks & self
infection by honeypots Detect & Analyze outgoing traffic for
infections in honeypot Only 1 infection in a honeypot Several other functions
![Page 10: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/10.jpg)
Binary Analysis Two logically distinct phases
Derive a network fingerprint of the binary
Derive IRC-specific features of the binary
IRC Server learns Botnet “dialect” - Template Learn how to correctly mimic bot’s behavior -
Subject bot to a barrage of commands
![Page 11: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/11.jpg)
IRC Tracker Use template to mimic bot Connect to real IRC server Communicate with botmaster using bot
“dialect” Drones modified and used to act as IRC
Client by the tracker to Cover lot of IP addresss
![Page 12: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/12.jpg)
DNS Tracker Bots issue DNS queries to resolve the IP
addresses of their IRC servers Tracker uses DNS requests Has 800,000 entries after reduction Maintain hits to a server
![Page 13: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/13.jpg)
Measuring Botnets
Darknet : Denotes an allocated but unused portion of the IP address space.
![Page 14: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/14.jpg)
Botnet Traffic Share
![Page 15: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/15.jpg)
Botnet Traffic Share
![Page 16: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/16.jpg)
DNS Tracker Results
![Page 17: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/17.jpg)
Bot Scan Method 2 Types
Immediately start scanning the IP space looking for new victims after infection : 34 / 192
Scan when issued some command by botmaster
![Page 18: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/18.jpg)
Botnet Growth - DNS
![Page 19: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/19.jpg)
Botnet Growth – IRC Tracker
![Page 20: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/20.jpg)
Botnet Online Population
![Page 21: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/21.jpg)
Botnet Online Population
![Page 22: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/22.jpg)
Botnet Software TaxonomyServices Launched in Victim Machine OS of Exploited Host
![Page 23: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/23.jpg)
Botmaster Analysis
![Page 24: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/24.jpg)
Strengths All aspects of a botnet analyzed No prior analysis of bots Ability to model various types of bots
![Page 25: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/25.jpg)
Weakness Only Microsoft Windows systems
analyzed Focus on IRC-based bots as they are
predominant
![Page 26: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/26.jpg)
Suggestions Use the analysis to model new bots Use the analysis to model protection
methods
![Page 27: A Multifaceted Approach to Understanding the Botnet Phenomenon](https://reader036.vdocuments.net/reader036/viewer/2022062411/5681391f550346895da0c506/html5/thumbnails/27.jpg)
Questions