
Page 1: Botnets and Machine Learning - DCA-Wikicalhau.dca.fee.unicamp.br/wiki/images/c/ca/Botnets_and... · 2015. 7. 15. · trough a specially deployed Command and Control communication

./botnet

Page 2:

Summary
• Introduction
• Scrutiny
• Detection Techniques
• Evasion Techniques
• Botnet Analysis Example
• Defense Techniques
• Challenges
• Trends
• My Proposals
• Motivation

Page 3:

Introduction

• Botnets have become one of the worst threats to the Internet

• Malware is malicious software that compromises machines; it is the foundation on which botnets act

• Detecting and stopping botnets is a major challenge for security researchers

Page 4:

~/Scrutiny

Page 5:

Scrutiny

• Definition
– A botnet is a group of compromised host machines known as “bots”
– They are controlled remotely by one or more unauthorized users known as “botmasters”
» Bot malware is a state-of-the-art class of malware
» It can communicate with the attacker through a specially deployed Command and Control (C&C) communication channel

Page 6:

Scrutiny

• Potential damage
– The Internet has created a perfect environment for the dissemination, infection and formation of botnets:
• A large number of machines connected to the Internet through full-time broadband links
• Substantial system vulnerabilities
– It is difficult to estimate the size and the number of botnets that currently exist
– Some of the malicious activities botnets carry out:
• DDoS
• Illegal content distribution
• Malware and adware distribution
• Attacks on industrial control systems
• Click fraud
• Collection of confidential information

Page 7:

Botnets Scrutiny – 2/7

Page 8:

Scrutiny

• Botnet components
– Bots
• Vulnerable machines compromised with malicious software disseminated by a botmaster through a propagation mechanism
• Known as “zombies” or “slaves”
• Can be used as attack platforms to:
– Compromise other vulnerable hosts (further propagation)
– Carry out DoS/DDoS attacks
– Perform other malicious activities

Page 9:

Scrutiny

• C&C
– The C&C channel is what distinguishes bot malware from other kinds of malware
– It enables remote coordination of a large number of bots
– It gives the botmaster the flexibility to change and update the malicious bot code
– It is also the most important indicator of a botnet's presence

Page 10:

Scrutiny

Page 11:

Scrutiny

• Architectural designs (according to the C&C structure)

[Figure: C&C architectures arranged along an axis from “easy” to “difficult” detection and dismantling]

Page 12:

Scrutiny

• Botnet Life-cycle

1 - Infection

2 - Communication

3 - Attack

Page 13:

Detection Techniques

~/Detection_Techniques

Page 14:

Detection Techniques

– Honeynets/honeypots
• Used to collect information from bots
• Allow obtaining bot binaries and infiltrating botnets
• Help to understand botnet characteristics

– Intrusion Detection Systems (IDS)
• Signature-based
– Apply signatures of previously detected botnets in the detection system
• Anomaly-based
– Host-based
– Network-based

Page 15:

Detection Techniques

[Figure: taxonomy of detection techniques]
– Honeynet-based
– Intrusion Detection Systems
• Signature-based
• Anomaly-based
– Host-based
– Network-based
» Active monitoring
» Passive monitoring
» By protocol: IRC, DNS, SMTP, P2P, multipurpose

Page 16:

Detection Techniques

• Host-based
– Analyze the machine's behavior, looking at:
• System registry
• File system
• Network connections
• Log files

– Advantage
• Much more effective against download attacks and early-stage infections in general

– Disadvantage
• Analyzing and monitoring individual machines is complex, costly and does not scale

Page 17:

Detection Techniques

• Network-based
– Currently the most used method
– Some techniques are created for specific protocols
• IRC, HTTP and/or P2P
– Others try to be more generic, covering multiple protocols and architectures
• All protocols
– Two methods
• Active and passive monitoring

Page 18:

Detection Techniques

• Active monitoring
– Injects packets and observes the response behavior; an invasive method

– Advantage:
• Shorter response time in detecting malicious agents

– Disadvantages:
• Increases network traffic with the additional packets sent to suspicious machines
• The packet injection makes the detection tool itself easier to spot and track
• May be subject to legal issues

Page 19:

Detection Techniques

• Passive monitoring
– Observes data traffic in the network and looks for suspicious communications (from bots and C&C servers)

– Employs a myriad of different techniques and methods:
• Statistical approaches, traffic mining, visualization, graph theory, clustering, correlation, stochastic methods, entropy, decision trees, neural networks, discrete Fourier transform, CUSUM, machine learning, discrete time series, group analysis, combination of techniques
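The following is an added example, not code from the original slides: a minimal passive-monitoring heuristic of the statistical kind listed above. It groups flow records per (source, destination, port), computes the inter-arrival times and flags pairs whose intervals are nearly periodic (low coefficient of variation), which is how C&C beaconing looks on the wire. The flow records, hosts and thresholds are constructed for illustration; the third host shows that a bot which randomizes its beacon interval (one of the evasion techniques discussed later in the deck) slips under this rule.

```python
"""Passive-monitoring heuristic: flag (src, dst, port) pairs whose
inter-arrival times are too regular to be human (C&C beaconing)."""
import statistics
from collections import defaultdict


def _flows(src, dst, port, intervals, start=0):
    """Build constructed flow records (timestamp_s, src, dst, dport)."""
    t, out = start, [(start, src, dst, port)]
    for d in intervals:
        t += d
        out.append((t, src, dst, port))
    return out


# Constructed sample, not real traffic (addresses are documentation ranges).
SAMPLE_FLOWS = (
    # bot beaconing every 60 s with +-1 s jitter
    _flows("10.0.0.5", "198.51.100.7", 443, [60, 61, 59, 61, 59, 59, 61, 60, 60])
    # human browsing: bursty and irregular
    + _flows("10.0.0.9", "203.0.113.20", 443, [7, 83, 5, 305, 2, 548, 350, 10, 690])
    # bot that randomizes its beacon interval to evade periodicity checks
    + _flows("10.0.0.7", "198.51.100.8", 8080, [35, 280, 90, 200, 45, 150, 260, 60, 120])
)


def interval_stats(flows):
    """Per (src, dst, dport): number of flows, mean gap and coefficient
    of variation (population stdev / mean) of the inter-arrival times."""
    times = defaultdict(list)
    for ts, src, dst, port in flows:
        times[(src, dst, port)].append(ts)
    stats = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) < 2:
            continue  # not enough samples to say anything about regularity
        mean = sum(gaps) / len(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        stats[key] = {"flows": len(ts), "mean_gap": mean, "cv": cv}
    return stats


def beacon_candidates(flows, min_flows=8, max_cv=0.1):
    """Keys with enough flows and near-periodic gaps (thresholds are assumptions)."""
    return sorted(k for k, s in interval_stats(flows).items()
                  if s["flows"] >= min_flows and s["cv"] <= max_cv)


if __name__ == "__main__":
    for key, s in interval_stats(SAMPLE_FLOWS).items():
        print(key, f"flows={s['flows']} mean_gap={s['mean_gap']:.1f}s cv={s['cv']:.3f}")
    print("beacon candidates:", beacon_candidates(SAMPLE_FLOWS))
```

On real data the same statistic is computed over NetFlow/IPFIX or proxy logs and combined with other features (destination reputation, byte counts, DNS behaviour), because a fixed `max_cv` alone is defeated by the jittered host above and also fires on legitimate periodic traffic such as NTP or software update checks.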

Page 20:

Detection Techniques

[Figure: a log from the Citadel botnet]

Page 21:

Evasion Techniques

~/Evasion_Techniques

Page 22:

Evasion Techniques

• Stealthy malware:
– Botnets are hard to detect because their activities can be subtle and do not disrupt the network (in contrast to DDoS attacks and aggressive worms)

• Several techniques:
– Tunneling through HTTP, ICMP, VoIP and IPv6; fast-flux service networks (FFSN); changes in statistical patterns; use of dynamic DNS entries; encrypted traffic; assigning different tasks to bots in the same network; randomizing bot communication patterns

Page 23:

Evasion Techniques

• Developing new evasion techniques leads to the development of new detection techniques, and vice versa
– This creates an arms race between attackers and defenders

• Example
– Initial detection technique: payload inspection
• This technique is no longer effective
– To defeat it, bots evolved and started encrypting their traffic

Page 24:

Evasion Techniques

• Fast-flux service networks (FFSN)
– Also known as fast-flux domains
– “Fast-flux” = “rapid change”
– A DNS technique used to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies
• Low TTL on the DNS records, so the set of returned IP addresses changes quickly
– Shares characteristics with legitimate services such as Round Robin DNS (RRDNS) and Content Delivery Networks (CDN), which also answer with many, frequently changing addresses
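Because RRDNS and CDNs also use low TTLs and many addresses, TTL alone does not separate fast-flux from legitimate services; what distinguishes FFSN is that the addresses are compromised consumer hosts scattered across many unrelated networks. The example below is added here and is not from the original slides: it replays constructed DNS answers for three domains and flags only the one whose addresses are both short-lived and spread over many networks. The /16 grouping stands in for the AS-number diversity a real tool would use, and the thresholds and domain names are assumptions made for illustration.

```python
"""Heuristic fast-flux detector over repeated DNS answers (constructed data)."""
import ipaddress
from collections import defaultdict

# Constructed lookups, not real DNS data: (domain, ttl_seconds, A-record answers).
SAMPLE_LOOKUPS = [
    # static site: one address, long TTL
    ("www.example.org", 86400, ["192.0.2.1"]),
    ("www.example.org", 86400, ["192.0.2.1"]),
    ("www.example.org", 86400, ["192.0.2.1"]),
    # CDN-like: low TTL, rotating addresses, but all in one provider network
    ("cdn.example.net", 30, ["192.0.2.10", "192.0.2.11", "192.0.2.12"]),
    ("cdn.example.net", 30, ["192.0.2.11", "192.0.2.13", "192.0.2.14"]),
    ("cdn.example.net", 30, ["192.0.2.12", "192.0.2.14", "192.0.2.10"]),
    # fast-flux-like: low TTL, every answer is new, addresses in many networks
    ("flux.example", 180, ["198.51.100.5", "203.0.113.77", "100.64.3.9",
                           "198.18.4.4", "100.65.200.1"]),
    ("flux.example", 180, ["203.0.113.12", "198.51.100.99", "100.64.77.3",
                           "198.18.9.9", "192.0.2.200"]),
    ("flux.example", 180, ["100.65.1.1", "203.0.113.130", "198.51.100.7",
                           "100.64.8.8", "198.18.250.1"]),
]


def network_key(ip, prefix=16):
    """Crude stand-in for an AS lookup: group addresses by /16 (assumption)."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def summarize(lookups):
    """Per domain: distinct IPs seen, distinct networks, lowest TTL, lookup count."""
    per = defaultdict(lambda: {"ips": set(), "nets": set(),
                               "min_ttl": None, "lookups": 0})
    for domain, ttl, answers in lookups:
        d = per[domain]
        d["lookups"] += 1
        d["ips"].update(answers)
        d["nets"].update(network_key(ip) for ip in answers)
        d["min_ttl"] = ttl if d["min_ttl"] is None else min(d["min_ttl"], ttl)
    return per


def is_fast_flux(summary, max_ttl=300, min_ips=10, min_nets=4):
    """Low TTL plus many addresses in many networks; thresholds are assumptions."""
    return (summary["min_ttl"] <= max_ttl
            and len(summary["ips"]) >= min_ips
            and len(summary["nets"]) >= min_nets)


def classify(lookups):
    """Map each domain to True (fast-flux-like) or False."""
    return {dom: is_fast_flux(s) for dom, s in summarize(lookups).items()}


if __name__ == "__main__":
    for dom, s in summarize(SAMPLE_LOOKUPS).items():
        print(f"{dom}: ips={len(s['ips'])} nets={len(s['nets'])} "
              f"min_ttl={s['min_ttl']} flux={is_fast_flux(s)}")
```

In practice the lookups are repeated over hours (the flux set only reveals itself across several TTL expiries), the network diversity is measured with real AS data, and the verdict is cross-checked against a CDN allow-list, since a large CDN can legitimately span several ASNs.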

Page 25:

Evasion Techniques

Page 26:

~/Botnet_Analysis_Example

Page 28:

Botnet Analysis Example

• Win32/Atrax.A is a TOR-based backdoor family

• Downloader

– Win32/TrojanDownloader.Tiny.NIR

Page 29:

Botnet Analysis Example

• The hard-coded domain was registered in mid-June 2013
– To bypass detection systems it passed itself off as PayPal Customer Service

• Yet all trojan components and the downloader binary were compiled in July

Page 30:

Botnet Analysis Example

• After download, a decompression routine is run for three PE modules via the WinAPI function RtlDecompressBuffer():
– TOR client
– x86 DLL module
– x64 DLL module

Page 31:

Botnet Analysis Example

• Before installation the dropper makes simple checks:
– Whether it is running on a virtual machine
– Whether there is any debugger activity

[Figure: call graph of the routines that infect the machine]

Page 32:

Botnet Analysis Example

• During the last stages of execution this routine searches for and initializes additional AES-encrypted plugins in the %APPDATA% directory

• All plugins are named according to the pattern %APPDATA%\CC250462B0857727*

• Plugins are decrypted on the fly during bot initialization, but the encryption key depends on the infected machine

• This approach to plugin encryption makes it difficult to extract information during forensic analysis

Page 33:

Botnet Analysis Example

• The TOR client is embedded in the dropper executable and stored in the %APPDATA% directory as an AES-encrypted file

• The TOR connection is initialized after checking for an active browser process and injecting the TOR client code into that browser process via NtSetContextThread()

• Win32/Atrax.A supports code injection for both x86 and x64 processes
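Since the plugins and the embedded TOR client are stored under a fixed name prefix but encrypted with a machine-dependent key, an analyst usually cannot decrypt them offline; what can still be done on a live host or disk image is to locate the files and confirm that they look like ciphertext. The triage script below is an added example, not tooling from the original slides or from the referenced analysis: it lists files in a directory whose names start with the reported prefix and computes their byte entropy, since AES output is close to 8 bits per byte while configuration text is far lower. The sample directory, file suffixes and the 7.5-bit threshold are constructed assumptions; on a real Windows host the directory would be `os.environ["APPDATA"]`.

```python
"""Host-based triage for files matching the plugin-name pattern described above."""
import hashlib
import math
import os
import tempfile
from collections import Counter

PLUGIN_PREFIX = "CC250462B0857727"   # file-name prefix reported for the plugins


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0..8; encrypted/compressed data sits near 8, text well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(appdata_dir, prefix=PLUGIN_PREFIX, min_entropy=7.5):
    """Return [(name, size, entropy, looks_encrypted)] for files matching prefix."""
    hits = []
    for name in sorted(os.listdir(appdata_dir)):
        if not name.startswith(prefix):
            continue
        path = os.path.join(appdata_dir, name)
        with open(path, "rb") as f:
            data = f.read()
        ent = shannon_entropy(data)
        hits.append((name, len(data), round(ent, 2), ent >= min_entropy))
    return hits


def build_sample_appdata():
    """Constructed stand-in for %APPDATA% (assumption: no real infection involved)."""
    d = tempfile.mkdtemp(prefix="appdata_")
    # deterministic pseudo-random bytes standing in for an AES-encrypted blob
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    with open(os.path.join(d, PLUGIN_PREFIX + "A1B2"), "wb") as f:
        f.write(blob)
    # a plain-text file with the same prefix, to show the entropy separation
    with open(os.path.join(d, PLUGIN_PREFIX + "C3D4"), "wb") as f:
        f.write(b"plain-text settings, not encrypted\n" * 100)
    # unrelated file that must be ignored by the prefix filter
    with open(os.path.join(d, "unrelated.dat"), "wb") as f:
        f.write(b"\x00" * 512)
    return d


if __name__ == "__main__":
    for row in triage(build_sample_appdata()):
        print(row)
```

High entropy only says the file is not plaintext; packed or compressed binaries score similarly, so the result is an indicator to pair with the process-injection and TOR-traffic observations above, not proof on its own.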

Page 34:

Botnet Analysis Example

• C&C communication
– A special HTTP request function
– If its second parameter, request_via_tor, is set to TRUE, all communications are initialized through the TOR client

[Figure: TOR communications call graph]

Page 35:

Botnet Analysis Example

• After execution, a new thread running the Tor client software is set up using the Tor control commands:
– AUTHENTICATE – password authentication to the control port
– SIGNAL NEWNYM – change the chain of proxy nodes (new circuit)

• During the first connection:

Page 36:

Botnet Analysis Example

• With a TOR-enabled connection it is not possible to ascertain the original C&C IP address or domain, but the address generated inside the TOR network can still be used for analysis

• After playing a little with the internal address in the TOR network:

Page 37:

Botnet Analysis Example

• Win32/Atrax.A supports the execution of remote commands:
– dlexec – download and execute a file
– dlrunmem – download a file and inject it into the browser
– dltorexec – download a TOR executable and execute it
– dltorrunmem – download a TOR executable and inject it into the browser
– update – update itself
– install – download a file, encrypt it with AES and save it to %APPDATA%
– installexec – download a file, encrypt it with AES, save it to %APPDATA% and execute it afterwards
– kill – terminate all of its own threads

Page 38:

Botnet Analysis Example

• Once the structure of the remote commands and the execution algorithm are known, it is possible to simulate a real bot and try to communicate with the C&C

• The author received two plugins:
– A form grabber
– A password stealer

• Researchers continue to track the activities of Win32/Atrax.A

Page 39:

~/Defense_Techniques

Page 40:

Defense Techniques

• They focus on two main activities:
– Propagation
• Aim to reduce the vulnerable population, limit the worm spread and reduce the botnet size
– Bot communication
• Stop the commands coming from the botmaster

• They cover three main areas:
– Prevention => act to avoid host vulnerabilities
– Treatment => act to disinfect the compromised hosts (a scalability and time problem)
– Containment => detection and response

Page 41:

Defense Techniques

• Containment mechanisms, characterized by:
– Detection and reaction time
– The strategy used to identify and contain bots
– The solution's topology and scope
– All approaches only block the botnet's actions; none of them performs disinfection

Page 42:

~/Challenges

Page 43:

Challenges

• Researchers do not have the same ease of access as botmasters to hosts in various domains around the world
– Detailed information is treated as secret by administrative domains
– Network traces may contain sensitive information
• They are handled like “information plutonium”

Page 44:

Challenges

• Researchers can only generate synthetic botnet traces for their experiments (on academic networks)
– Academic networks do not reflect the reality of heterogeneous networks
– The performance of a bot detection method can be overestimated when it is evaluated on one particular network scenario

Page 45:

Challenges

• Synthetic trace generation (to model botnet behavior)
– Epidemiological models
• Attempt to model malware spread the way virus spread in populations is modelled
– Stochastic Activity Network (SAN) models
• Generate a set of interconnected states that the host passes through after its infection
• Each state transition probability is defined in advance
• Cannot be considered a universal solution
– SANs have limitations for modelling complex and large-scale systems

Page 46:

Challenges

• How to estimate how much a novel detection technique improves overall botnet detection?
– There is no methodology or benchmark for a quantitative comparison

• Pervasive privacy concerns

• Difficulty of data sharing

Page 47:

Challenges

• Botnets are spread across a distributed environment
– They can involve several countries
• Agreements between countries are necessary
– Coordination and consistency in fighting cyber-crime

• User education about botnet threats
– Software vendors should make more effort to improve their products' security and their update/patch processes

Page 48:

Challenges

• ISP actions
– Apply/improve ingress and egress filtering
– Block inbound/outbound connections of malicious users
• This allows blocking the C&C communication
• The legal aspects, such as privacy, must be dealt with adequately

• New algorithms to hijack botnets
– These also raise legal issues, and botnet monitoring itself has to be weighed against the potential privacy problems it creates

Page 49:

Challenges

• In general:
– Development of efficient detection techniques
– Finding ways to dismantle botnet infrastructures
– Understanding the new botnet trends
– Discussing international legal issues in a global botnet countermeasures effort

Page 50:


~/Trends

Page 51:

Trends

New opportunities for botmasters

Page 52:

Trends

Internet of Things vs. Internet of Vulnerabilities

Page 53:

Trends

• Botnets on mobile devices
– Research in this area is just beginning
– High potential to compromise services
– ISP security measures cannot be applied, because mobile devices connect to unknown wireless networks
– There is a lack of certification for applications created by programmers and placed in repositories

Page 54:

Trends

• Socialbot network (SbN)
– Botmasters have exploited social network websites as their C&C infrastructure
• It is difficult to distinguish the C&C activity from normal social networking traffic
• Examples:
– Koobface, Nazbot

Page 55:

Trends

• Mini-botnets
– Small-scale
– Highly specialized
– Used for information theft
– Little evidence is generated during attacks

Page 56:

Trends

• Super-botnet
– Many smaller botnets
– Commands are routed between them
– Collectively they achieve the same results as one large botnet
• High resilience

Page 57:

Trends

./Im_watching_you.sh


Page 61:

Trends

• Random model C&C
– Communication is initiated by the botmaster
– Based on network scanning
• Coordination has a scalability problem
– A model for future botnets to be more resilient
• Detectors know no modus operandi for it, so it may be hard to detect and interrupt
– No real bot currently uses this strategy