Botnets Abhishek Debchoudhury Jason Holmes
What is a botnet? A network of computers running software that runs autonomously. In a security context we are interested in botnets in which the computers have been compromised and are under the control of a malicious adversary.
What are botnets used for? Spam o ~85% of is spam DDoS attacks Identity theft o Cost in 2006: $15.6 billion Phishing attacks o 4500 active sites at any given time, 1 million previously active sites
What are botnets used for? Hosting pirated software Hosting and distributing malware Click fraud o ~14% of all advertisement clicks are fraudulent Packet sniffing
What's a botmaster? Person(s) controlling the botnet o Business person Often paid by customers Willing to rent out botnet o Glory Hound Brags about size of botnet Willing to talk to researchers o Script kiddies Inexperienced
Command Topologies Star o Bots tied to centralized C&C server. Multi-Server o Same as star but with multiple C&C servers Hierarchical o Parent bot control child bots Random o Full P2P support
Topology Tradeoffs Control vs. Survivability More Control o Easier to get botnet to do your bidding o Easier to shut down Survivability o Harder to shut down o Less control
Communication Methods HTTP o Easy for attacker to blend in IRC o Harder to hide since IRC is much less used than HTTP Custom o Makes use of new application protocols
Propagation Methods Scanning o 0-day attacks o Worm-like behavior Infected attachments Drive-by-downloads Trojan horses
Infection Procedure
History and Notable Botnets Sub GTbot a bot based on mIRC SDbot small c++ binary with widely available source code Agobot staged attacked with modular payload Sinit first peer-to-peer botnet Bagle and Bobax first spamming botnets Storm botnet Waledac botnet Zeus botnet
Defense Three main issues: 1. How to find them 2. Decide how to fight them (defense vs offense) 3. How to negate the threat
Detection: Analyze Network Traffic Temporal o Same repeated traffic pattern from node Spatial o Nodes in same subnet likely infected
Detection: Packet Analysis Using statistical analysis on network traffic flows Classify packets based on payload signature and destination port o Looking for clusters of similar data packets o n-gram byte distribution IRC botnet traffic it is not very diverse compared to traffic generated by humans
Strategy Active: attack the source Shut down C&C server Re-route DNS Pushback Passive: defend at the target Filters Human attestation Collective defense
Defense - Change DNS routing Defender figures out domain that attacker is using and takes control Pros: Central point of attack Severs botmaster's ability to communicate with the botnet Cons: Not all bot nets have C&C server C&C domain changes often o > 97% turn over per week
Defense -Black Lists Defender creates list of attackers. Used primarily as spam fighting technique Pros: Allows for broad knowledge sharing Easy to maintain/understand Cons: List has to be continually updated Innocent service providers get blocked
Defense -Human Attestation Defender requests that client prove his humanity. Requires the client to have a trusted attester o Accomplished through the use of a Trusted Platform Module Several methods for an attester to determine that the actions were initiated by a human o Through the use of secure input devices which cryptographically sign their output o CAPTCHA or secure prompt o Analyze keystrokes and mouse movement
Defense - Collective defense We must all hang together or assuredly we shall all hang separately. -- Benjamin Franklin Key contentions o Most end users don't know/care about security o The best way to secure the internet is through a collective effort without relying on end users o Compromised hardware must be quarantined until healthy Authenticate healthiness before network access o Public Health Model for Internet Allow everyone but identify suspicious behavior o Japan's Cyber Clean Center o Finnish national Computer Emergency Response Team
Thanks