Published: Internet Measurement Conference (IMC) 2006. Presented by Wei-Cheng Xiao, 2015/11/22.

Presentation transcript:

1 Published: Internet Measurement Conference (IMC) 2006. Presented by Wei-Cheng Xiao, 2015/11/22

2 Outline
- Introduction
- Overview of IRC-based botnets
- Data collection methodology
- Analysis results
- Related work
- Conclusion

3 Introduction
- Botnet: a network of infected hosts, called bots, that are controlled by botmasters
- The defining characteristic of a botnet is its command and control (C&C) channel
- Communication mechanisms for C&C:
  - IRC (the majority; easy to deploy)
  - P2P
  - HTTP

4 Why IRC?
- Supports several forms of communication: point-to-point and point-to-multipoint
- Supports several forms of data dissemination
- Open-source server and client implementations are available

5 Motivation and Goals
- Motivation: botnet activity is increasing, but little is known about how botnets actually behave
- Goals: a better understanding of botnets, including
  - the prevalence of botnet activity
  - the diversity of botnet subspecies
  - the evolution of a botnet over time

6 Contributions
- A multifaceted infrastructure to capture and concurrently track multiple botnets in the wild
- A comprehensive analysis of measurements reflecting several important structural and behavioral aspects of botnets

7 Outline (next: Overview of IRC-based botnets)

8 The Life Cycle of a Botnet Infection (figure)

9 Step 1: Exploit
- A software vulnerability on the victim host is exploited, by a worm or by a malicious email attachment

10 Step 2: Download Bot Binary
- The exploit's shellcode downloads the bot binary from a specific location and installs it

11 Step 3: DNS Lookup (optional)
- Resolve the domain name of the IRC server that is hard-coded in the binary
- Using a name instead of an address lets the botmaster survive IP blocking: if the server's IP is blocked, only the DNS record needs to change

12 Step 4: Join
- Join the IRC server and the C&C channel listed in the binary
- Three types of authentication:
  1. Bots authenticate to the server with a password stored in the binary
  2. Bots authenticate to the C&C channel with a channel key stored in the binary
  3. Botmasters authenticate to the bot population before they can issue commands

13 Step 5: Parse and Execute Commands
- Parse the commands in the channel topic and execute them
- The topic carries the default commands that every joining bot runs

14 Outline (next: Data collection methodology)

15 The Overall Data Collection Architecture (figure)

16 The Three Main Phases
1. Malware collection. Goal: collect bot binaries
2. Binary analysis via gray-box testing. Goal: analyze the binaries
3. Longitudinal tracking of botnets. Goal: track real botnets using the analysis results

17 Phase 1: Malware Collection
- Darknet: an allocated but unused portion of the IP address space; any traffic arriving there is unsolicited

18 Malware Collection
- Environment setup: 14 nodes distributed in the PlanetLab testbed. The nodes have access to a darknet whose IP space is located in 10 different class A (/8) networks.
- Nepenthes
  - Mimics the replies of vulnerable services to obtain the attacker's shellcode
  - Passes the download URLs found in the shellcode to a download station, which fetches the bot binaries
- Honeynet
  - Handles the cases where Nepenthes fails (e.g. an exploit it cannot emulate)
  - Unpatched Windows XP running in VMs on an isolated VLAN

19 Gateway
- Routes darknet traffic to Nepenthes and to the honeypots: half to Nepenthes, half to the honeypots
- Rotates the routing among 8 class C (/24) networks in the darknet
- Uses NAT to keep the number of honeypots small
- Acts as a firewall: blocks outgoing attacks from the honeypots and cross-infection between them (VLAN)
- Detects and manages IRC connections

20 Phase 2: Binary Analysis (gray-box)

21 Binary Analysis
- Environment setup: a sink (an IRC server that accepts any connection) monitors all network traffic. A client, a VM with a clean Windows XP installation on which the binary is executed, is connected to the sink.
- Two steps:
  1. Creating network fingerprints
  2. Extracting IRC-related features

22 The Two Steps
- Creating network fingerprints (network level): f_net = {DNS, IPs, Ports, Scan}
  - DNS: targets of any DNS requests
  - IPs: destination IP addresses
  - Ports: contacted ports on the server side
  - Scan: whether or not IP scanning behavior is detected
- Extracting IRC-related features (application level): when an IRC session is detected, an IRC fingerprint is created: f_irc = {PASS, NICK, USER, MODE, JOIN}
- Together, f_net and f_irc provide enough information to join the botnet in the wild
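As an added example (not code from the paper or from the presenter), the two fingerprints above computed in Python over a constructed sandbox trace: the DNS questions, the outbound (dst_ip, dst_port) flows and the client-to-server IRC lines that the sink would record while the binary runs. The scan heuristic (many distinct destinations on one port), its threshold, and the addresses, nick and channel are assumptions; the paper does not state how Scan is decided.

```python
"""Derive f_net and f_irc from a constructed sandbox trace (added example)."""
from collections import defaultdict

# Constructed sample of what the sink records while one binary runs.
SAMPLE_DNS = ["irc.example.invalid"]            # hypothetical C&C name
SAMPLE_FLOWS = [("198.51.100.7", 6667), ("198.51.100.7", 6667)] + \
    [("192.0.2.%d" % i, 445) for i in range(1, 41)]  # 40 distinct hosts on 445: a scan
SAMPLE_IRC = [                                   # client -> server lines
    "PASS s3rv3r",
    "NICK [USA|XP]123456",
    "USER abc 0 0 :abc",
    "MODE [USA|XP]123456 +ix",
    "JOIN #c&c ch4nk3y",
    "PRIVMSG #c&c :[SCAN]: started on 192.0.2.0/24",
]

IRC_KEYS = ("PASS", "NICK", "USER", "MODE", "JOIN")


def network_fingerprint(dns_names, flows, scan_threshold=20):
    """f_net = {DNS, IPs, Ports, Scan}.

    Scan (assumed heuristic): a port contacted on >= scan_threshold distinct hosts.
    Scan targets are excluded from IPs/Ports so that those fields describe the
    servers the bot talks to, not the hosts it attacks.
    """
    per_port = defaultdict(set)
    for ip, port in flows:
        per_port[port].add(ip)
    scan_ports = {p for p, hosts in per_port.items() if len(hosts) >= scan_threshold}
    server_flows = [(ip, p) for ip, p in flows if p not in scan_ports]
    return {
        "DNS": sorted(set(dns_names)),
        "IPs": sorted({ip for ip, _ in server_flows}),
        "Ports": sorted({p for _, p in server_flows}),
        "Scan": bool(scan_ports),
    }


def irc_fingerprint(client_lines):
    """f_irc = {PASS, NICK, USER, MODE, JOIN}: the parameters of the first
    occurrence of each registration/join command sent by the client."""
    f = {k: None for k in IRC_KEYS}
    for line in client_lines:
        cmd, _, params = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd in f and f[cmd] is None:
            f[cmd] = params
    return f


def fingerprint_run(dns_names, flows, client_lines):
    """Both fingerprints for one sandbox run; enough to replay the join later."""
    return {"f_net": network_fingerprint(dns_names, flows),
            "f_irc": irc_fingerprint(client_lines)}


if __name__ == "__main__":
    print(fingerprint_run(SAMPLE_DNS, SAMPLE_FLOWS, SAMPLE_IRC))
```

A PASS line that never appears leaves f_irc["PASS"] as None, which is exactly the case of a server without a password; the drone should then skip that step rather than send an empty PASS.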

23 Dialect
- Dialect: the syntax of the botmaster's commands and of the bots' responses to them
- A botnet's dialect must be learned before a tracker can mimic actual bot behavior
- An IRC query engine plays the role of the botmaster and sends commands taken from
  - commands observed in the honeypots
  - the source code of publicly known bots
- The bot's responses to the querying process become the template

24 Phase 3: Longitudinal Tracking of Botnets

25 IRC Tracker (Drone)
- An IRC client that can join a real-world IRC channel
- A drone is given f_irc and the template
  - Automatically answers queries based on the template
  - Pretends to be a dutiful bot, so it must be convincing enough not to be noticed
- Mimicry improvements
  - Randomly join and leave
  - Change the external IP address
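An added example, not the authors' drone code, that ties slides 12, 13 and 25 together: a drone replays a (constructed) f_irc to join, handles the three authentication types, takes default commands from the channel topic (RPL_TOPIC, numeric 332) and answers a botmaster's queries from a (constructed) dialect template. The IRC server is a scripted list of lines standing in for a real one; the dialect, nick, channel, passwords and reply strings are all hypothetical.

```python
"""A template-driven drone joining a C&C channel (added example, constructed data)."""
import re

# Constructed f_irc for one binary (hypothetical values, not from the paper).
FIRC = {
    "PASS": "s3rv3r",
    "NICK": "[USA|XP]123456",
    "USER": "abc 0 0 :abc",
    "MODE": "[USA|XP]123456 +ix",
    "JOIN": "#c&c ch4nk3y",
}

# Constructed dialect template: regex over one command -> (kind, reply format).
# In the real system the template is the output of the query engine.
TEMPLATE = [
    (re.compile(r"^\.login (\S+)$"), "login", None),
    (re.compile(r"^\.sysinfo$"), "reply", "[SYSINFO]: CPU: 2.4GHz, RAM: 512MB, OS: WinXP"),
    (re.compile(r"^\.scan (\S+) (\d+)$"), "reply", "[SCAN]: started scanning {0} on port {1}"),
]


def parse(line):
    """Split an IRC line into (prefix, COMMAND, params, trailing)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    return prefix, parts[0].upper(), parts[1:], (trailing if sep else None)


class Drone:
    def __init__(self, firc, template, master_password):
        self.firc, self.template = firc, template
        self.nick = firc["NICK"]
        self.channel = firc["JOIN"].split()[0]
        self.master_password = master_password   # auth type 3: baked into every bot
        self.authed = set()                      # nicks that proved they are the botmaster
        self.executed = []                       # commands the drone acted on

    def register(self):
        """Step 4: server password (auth 1), registration, then channel key (auth 2)."""
        return [f"{k} {self.firc[k]}" for k in ("PASS", "NICK", "USER", "MODE", "JOIN")]

    def handle(self, line):
        """Step 5: react to one server line; returns the lines the drone sends back."""
        prefix, cmd, params, trailing = parse(line)
        if cmd == "PING":
            return ["PONG :" + (trailing or (params[0] if params else ""))]
        if cmd == "332" and trailing is not None:          # RPL_TOPIC: default commands
            return self._run(trailing, sender=None, via="topic")
        if cmd == "PRIVMSG" and trailing is not None and params and params[0] == self.channel:
            sender = prefix.split("!", 1)[0] if prefix else ""
            return self._run(trailing, sender=sender, via="channel")
        return []

    def _run(self, text, sender, via):
        out = []
        for command in (c.strip() for c in text.split(";") if c.strip()):
            for pattern, kind, reply in self.template:
                m = pattern.match(command)
                if not m:
                    continue
                if kind == "login":
                    if via == "channel" and m.group(1) == self.master_password:
                        self.authed.add(sender)
                        out.append(f"PRIVMSG {self.channel} :[MAIN]: Password accepted.")
                elif via == "topic" or sender in self.authed:   # unauthenticated: ignored
                    self.executed.append(command)
                    out.append(f"PRIVMSG {self.channel} :" + reply.format(*m.groups()))
                break                                            # first matching entry wins
        return out


# Constructed server script: welcome, ping, topic, then a botmaster session.
SERVER_SCRIPT = [
    ":irc.example.invalid 001 [USA|XP]123456 :Welcome",
    "PING :irc.example.invalid",
    ":irc.example.invalid 332 [USA|XP]123456 #c&c :.scan 192.0.2.0 445",
    ":master!m@h PRIVMSG #c&c :.sysinfo",          # before login: must be ignored
    ":master!m@h PRIVMSG #c&c :.login b0tm4st3r",
    ":master!m@h PRIVMSG #c&c :.sysinfo",
]


def run_session(script, firc=FIRC, template=TEMPLATE, master_password="b0tm4st3r"):
    """Drive the drone through a scripted session; returns (drone, transcript)."""
    drone = Drone(firc, template, master_password)
    transcript = [("bot", l) for l in drone.register()]
    for line in script:
        transcript.append(("server", line))
        transcript.extend(("bot", l) for l in drone.handle(line))
    return drone, transcript


if __name__ == "__main__":
    for who, line in run_session(SERVER_SCRIPT)[1]:
        print(f"{who:>6}> {line}")
```

The mimicry improvements on the slide (random join/leave, changing the external IP) sit outside this state machine: a scheduler would tear the session down and call register() again from a different address, keeping the same f_irc so the drone still looks like the same bot species.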

26 DNS Tracking
- Most bots locate their IRC server via a DNS query
- Probe about 800,000 real-world DNS servers, querying the domain names of the tracked IRC servers
- A cache hit implies that one or more bots behind that server have resolved the name
- Shortcomings
  - Not all DNS servers are probed
  - The number of hits is therefore only a lower bound on the number of bots
- Still useful when the botmaster turns off channel broadcast, so that a drone inside the channel can no longer see the other bots
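The probe itself, as an added example (not the authors' tool): a non-recursive A query built by hand, so that a resolver answers only from its cache and the probe neither fetches nor caches the name, plus the response parsing that decides hit or miss and recovers the remaining TTL. To run offline, three resolvers are simulated by a constructed transport (one with the name cached, one with an empty cache, one returning NXDOMAIN); the C&C name and addresses are hypothetical.

```python
"""DNS cache probing for a C&C name (added example, constructed transport)."""
import struct

QNAME = "irc.example.invalid"   # hypothetical C&C name, not from the paper


def encode_name(name):
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.rstrip(".").split(".")) + b"\x00"


def build_probe(qname, txid):
    """A query with flags=0: RD (recursion desired) is clear, so a compliant
    resolver answers only from cache and does not fetch or cache the name."""
    return struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)


def skip_name(data, off):
    """Advance past a possibly compressed DNS name; returns the next offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(data, txid):
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our probe")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4   # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:    # A record: remaining TTL and address
            answers.append((ttl, ".".join(str(b) for b in rdata)))
    return {"rcode": rcode, "answers": answers, "hit": rcode == 0 and an > 0}


def probe(servers, qname, transport):
    """Probe each resolver once. A hit means a client of that resolver looked the
    C&C name up recently, i.e. at least one bot; the hit count is a lower bound."""
    results = {}
    for i, server in enumerate(servers):
        txid = 0x1000 + i
        try:
            results[server] = parse_response(transport(server, build_probe(qname, txid)), txid)
        except (ValueError, IndexError, struct.error, OSError):
            results[server] = None       # timeout, refusal or garbage: not counted
    hits = sum(1 for r in results.values() if r and r["hit"])
    return hits, results


# Constructed stand-in for the network so the example runs offline.
FAKE_SERVERS = {
    "203.0.113.10": [(1790, "198.51.100.7")],   # name cached -> at least one bot behind it
    "203.0.113.11": [],                         # nothing cached
    "203.0.113.12": None,                       # answers NXDOMAIN
}


def build_response(txid, qname, a_records=(), rcode=0):
    hdr = struct.pack("!HHHHHH", txid, 0x8080 | rcode, 1, len(a_records), 0, 0)  # QR=1, RA=1
    q = encode_name(qname) + struct.pack("!HH", 1, 1)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
                   for ttl, ip in a_records)
    return hdr + q + rrs


def fake_transport(server, packet):
    txid = struct.unpack("!H", packet[:2])[0]
    recs = FAKE_SERVERS[server]
    return build_response(txid, QNAME, rcode=3) if recs is None else build_response(txid, QNAME, recs)


if __name__ == "__main__":
    print(probe(list(FAKE_SERVERS), QNAME, fake_transport))
```

Against real resolvers the transport is a UDP socket with a timeout: sendto(packet, (server, 53)) and recvfrom(512). Two caveats the slide's "lower bound" hides: a resolver that refuses non-recursive queries (rcode 5) counts as a miss here even if it has the name cached, and a resolver that ignores the clear RD bit and recurses anyway produces a false hit; the usual check for the second case (not described on the slides) is that a freshly fetched record comes back with the zone's full TTL rather than a decremented one.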

27 Outline (next: Analysis results)

28 Data Collected
- Collection started on Feb. 1st, 2006 and includes
  - traffic traces spanning 3 months
  - IRC logs spanning 3 months, covering more than 100 botnet channels
  - DNS cache hits from tracking 65 IRC servers on 800,000 DNS servers for more than 45 days

29 Botnet Traffic Share
- 27% of the SYNs seen in the darknet come from known botnet spreaders
- 76% of the SYNs are directed at the ports the tracked bots scan
- The two curves (all SYNs vs. botnet SYNs) show a similar traffic pattern
- This is a lower-bound estimate, since only known spreaders are counted

30 Botnet Prevalence: A Global Look
- About 85,000 DNS servers were involved in at least one botnet's activity, i.e. returned a cache hit for at least one tracked IRC server name

31 Botnet Prevalence: A Global Look (continued; figure)

32 Botnet Spreading Patterns
- Two types of botnet:
  - Type-I: fixed scanning algorithm
  - Type-II: variable scanning algorithm, chosen by the botmaster's commands
- Out of 192 IRC bots, 34 are Type-I
- Summary of Type-II scanning practice (table)

33 Botnet Growth Patterns (figure)

34 Predominant Botnet Structures
1. Single IRC server (70%); prevalent among small botnets
2. Multiple IRC servers, bridged into one botnet (30%); 25% of these use publicly known servers
3. One botmaster controlling multiple botnets
4. Some botnets migrate from one server to another

35 Effective Botnet Sizes and Botnet Lifetime
- Effective size: the number of bots online at a given time; footprint: the total number of distinct bots seen
- The observed effective size was much smaller than the footprint
- Bots usually stay connected for only about 25 minutes
  - Possibly due to client unavailability
  - More likely, the botmaster asks them to leave
- Botnets themselves, however, are long-lived: 84% of the IRC servers were still up at the end of the study
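To make the footprint vs. effective size distinction concrete, an added example (not the authors' analysis code) that computes both from a drone's join/quit log, together with the mean session length the slide refers to. The log lines, timestamps and nicks are constructed; identifying a bot by its nick is an assumption (a bot that reconnects under a new nick would be counted twice), and a session still open when the log ends is closed at the last timestamp.

```python
"""Footprint, effective size and session length from an IRC join/quit log (added example)."""
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed log from a drone sitting in a C&C channel (made-up data).
SAMPLE_LOG = """\
2006-02-01 10:00:00 JOIN [USA|XP]111
2006-02-01 10:02:00 JOIN [DEU|XP]222
2006-02-01 10:05:00 JOIN [USA|2K]333
2006-02-01 10:20:00 QUIT [USA|XP]111
2006-02-01 10:30:00 QUIT [DEU|XP]222
2006-02-01 10:31:00 JOIN [FRA|XP]444
2006-02-01 10:40:00 QUIT [USA|2K]333
2006-02-01 11:00:00 QUIT [FRA|XP]444
"""


def parse_log(text):
    """Return [(timestamp, ACTION, nick)] sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time_, action, nick = line.split(" ", 3)
        events.append((datetime.strptime(date + " " + time_, TS_FMT), action.upper(), nick))
    return sorted(events, key=lambda e: e[0])


def sessions(events):
    """Pair each JOIN with the next QUIT/PART of the same nick -> [(nick, start, end)].
    Sessions still open at the end of the trace are closed at the last timestamp."""
    open_at, out = {}, []
    for ts, action, nick in events:
        if action == "JOIN":
            open_at.setdefault(nick, ts)            # duplicate JOIN: keep the first
        elif action in ("QUIT", "PART") and nick in open_at:
            out.append((nick, open_at.pop(nick), ts))
    end = events[-1][0]
    out.extend((nick, start, end) for nick, start in open_at.items())
    return out


def footprint(sess):
    """Distinct bots seen over the whole trace."""
    return len({nick for nick, _, _ in sess})


def mean_session_minutes(sess):
    return sum((e - s).total_seconds() for _, s, e in sess) / len(sess) / 60


def effective_size(sess, at):
    """Bots online at instant `at` ('YYYY-mm-dd HH:MM:SS'); join inclusive, quit exclusive."""
    t = datetime.strptime(at, TS_FMT)
    return sum(1 for _, s, e in sess if s <= t < e)


def peak_effective_size(sess):
    """Sweep join/quit boundaries to find the maximum number of concurrently online bots."""
    deltas = [(s, 1) for _, s, _ in sess] + [(e, -1) for _, _, e in sess]
    deltas.sort(key=lambda d: (d[0], d[1]))         # a quit sorts before a join at the same instant
    cur = peak = 0
    for _, d in deltas:
        cur += d
        peak = max(peak, cur)
    return peak


if __name__ == "__main__":
    sess = sessions(parse_log(SAMPLE_LOG))
    print("footprint:", footprint(sess), "peak effective size:", peak_effective_size(sess),
          "mean session (min):", round(mean_session_minutes(sess), 1))
```

On the constructed log four bots are ever seen but never more than three at once, which is the gap between footprint and effective size in miniature; on a real log the same sweep over the whole trace gives the effective-size curve that the slide contrasts with the footprint.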

36 Botnet Software Taxonomy (figure)

37 Outline (next: Related work)

38 Related Work
- Botnet Tracking: Exploring a Root-Cause Methodology to Prevent DoS Attacks. ESORICS, 2005. Introduces the idea of using honeypots and active responders to analyze botnet behavior.
- Scalability, Fidelity, and Containment in the Potemkin Virtual Honeyfarm. ACM SIGOPS, 2005. A very useful tool for botnet detection, but not appropriate for long-term botnet tracking.

39 Outline (next: Conclusion)

40 Conclusion
- A multifaceted approach is proposed to understand the botnet phenomenon
- The results show that botnets are a major contributor to unwanted network traffic
- The scanning patterns of botnets are quite different from those of autonomous malware such as worms
- The effective sizes of botnets are much smaller than their footprints

