Threat infrastructure: proxies, botnets, fast-flux
Botnets
Concept: “network of infected systems controlled by an administrator called Botmaster”
Centralized infrastructure:
- Basic Botmaster (only one Command and Control server)
- Multi-server Botmaster (one Botmaster but many C&C servers); the Asprox botnet is an example.
- Hierarchical Botmaster (uses proxy servers to hide the Botmaster's location); the Waledac botnet is an example.
Botnets (centralized) Proxy servers
Botnets: Command and Control communications
- Most bots do not listen on ports, because administrators could block these ports. Bots will initiate communications with the C&C server to appear legitimate.
- How bots locate the C&C server: a fixed IP list (weak) or a DNS lookup of the C&C server (reliable).
- Defense beyond anti-virus: take down the domain(s), block DNS access (?!?!).
- The economics of botnets.
Botnets: Decentralized botnet architecture (P2P)
- No C&C server; instead uses peer-to-peer communications to send commands.
P2P botnet stages (Source: Wang et al.)
- Recruiting: P2P malware such as Gnuman, WORM_PITUPI.K, and Koobface.
- Forming the botnet:
  - Parasite P2P botnet: all the bots are from an existing P2P network, and it uses this available P2P network for command and control.
  - Leeching P2P botnet: bot members join an existing P2P network and depend on this P2P network for C&C communication.
  - Bot-only P2P botnet: builds its own network; all members are bots (e.g., the Storm botnet and Nugache).
- Standing by for instructions (using P2P protocols): P2P file-sharing networks have a file index used by peers to locate the desired content, which may be centralized (e.g., Napster), distributed over part of the file-sharing nodes (e.g., Gnutella), or distributed over all or a large fraction of the nodes (e.g., Overnet). Alternatively, a new P2P communication protocol can be designed for use in a bot-only P2P botnet.
- Defenses: anti-virus + poison the index.
Fast-flux
Concept: “The ability to quickly move the location of a web, email, DNS or generally any Internet or distributed service from one or more computers connected to the Internet to a different set of computers to delay or evade detection.”
- What it does: utilizes DNS to continually update valid domain names with A and NS records that resolve to an ever-changing set of IP addresses of infected computers (a botnet).
- The motherships: command and control servers that issue commands to bots and add and remove IP addresses from DNS records. By cycling the IP addresses of infected computers in and out of DNS records, the mothership is able to use active bots to host content and services.
- Action: to stop the constantly rotating IP addresses in the DNS server we need to take down the fast-flux domain. A domain registrar needs to do so.
Fast-flux (single flux in action)
Fast-flux types
- Single-flux: utilizes static name servers to update DNS records, as seen in the previous image.
- Double-flux and hydra-flux: include two or multiple motherships managing the rotating IP numbers, services and content.
- Mothership protection: the infected computers (botnet) form a protective barrier in front of the motherships. The only visible part of the attack is the bots.
- Fast-flux domains: to be able to change DNS records the motherships need to be located in domains owned by the attackers. Only their domain registrar can remove access to the domain, but the domain could easily be created at another registrar.
- Possible attacks: phishing campaigns, bot-recruiting malware, e-mail spam campaigns, etc.
Fast-flux mechanics
- The mothership and DNS: to cycle bot IP addresses and bypass caching, fast-flux domains use short time-to-live (TTL) values in the DNS to force clients to frequently query the name server for a new set of A records.
- The bots and content: the bots act as reverse proxies, forwarding requests to the mothership and relaying the malicious content hosted by the mothership.
- Multiple motherships: use of a single DNS server and mothership provides a single point to focus on to stop the malicious action. Double or hydra flux addresses this “flaw” by providing multiple DNS servers, domains, etc.
References: Wikipedia, ICANN Advisory, Detection of Fast-flux, Recently discovered, Fast-flux Primer.
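The traits listed above (short TTLs, an ever-changing pool of A records spread across many networks, and NS records that rotate in double-flux) are what a defender can measure from repeated lookups of one domain. The following is an added illustration, not code from the slides or any cited paper; the observations are constructed values, the thresholds are illustrative, and /16 prefixes stand in for ASN data, which a real detector would use instead.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Sequence


@dataclass
class DnsObservation:
    """One lookup of a domain: TTL of the A RRset, its A records, and the NS names."""
    ttl: int
    a_records: List[str]
    ns_records: List[str]


def flux_features(obs: Sequence[DnsObservation]) -> Dict[str, int]:
    """Summarise repeated lookups of one domain into the traits fast-flux exhibits:
    short TTLs, a large pool of A records spread over many networks, and (double-flux)
    NS records that change between lookups."""
    ips = {ip for o in obs for ip in o.a_records}
    # Distinct /16 prefixes approximate 'how many different networks' without ASN data
    # (assumption for this example): infected home machines scatter widely, CDN edges do not.
    prefixes = {str(ip_network(f"{ip}/16", strict=False)) for ip in ips}
    ns_sets = {tuple(sorted(o.ns_records)) for o in obs}
    return {
        "min_ttl": min(o.ttl for o in obs),
        "distinct_ips": len(ips),
        "distinct_prefixes": len(prefixes),
        "ns_changes": len(ns_sets) - 1,
    }


def classify(obs: Sequence[DnsObservation], ttl_max=300, min_ips=6, min_prefixes=4) -> str:
    """Thresholds are illustrative, not tuned. TTL alone never decides: CDNs also use
    short TTLs, so a flux verdict also requires many IPs across many prefixes."""
    f = flux_features(obs)
    if f["min_ttl"] > ttl_max:
        return "static"
    if f["distinct_ips"] < min_ips or f["distinct_prefixes"] < min_prefixes:
        return "cdn-like"
    return "double-flux" if f["ns_changes"] > 0 else "single-flux"


# Constructed observations (hypothetical addresses, not real lookups).
FLUX = [  # fresh A set on each query, scattered /16s, and the NS set rotates too
    DnsObservation(180, ["203.0.113.5", "198.51.100.9", "192.0.2.77", "100.64.7.1"],
                   ["ns1.example", "ns2.example"]),
    DnsObservation(180, ["100.65.3.9", "100.70.8.2", "203.0.113.88", "198.51.100.200"],
                   ["ns3.example", "ns4.example"]),
]
CDN = [  # short TTL, but every address sits in one /16 and the NS set is stable
    DnsObservation(60, ["203.0.113.10", "203.0.113.11"], ["ns1.cdn.example"]),
    DnsObservation(60, ["203.0.113.12", "203.0.113.13"], ["ns1.cdn.example"]),
]
STATIC = [DnsObservation(86400, ["192.0.2.1"], ["ns1.example"])] * 2
```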