Botnets and Machine Learning (dca.fee.unicamp.br)

Upload: duongdat

Post on 04-Apr-2018


./botnet

Summary • Introduction • Scrutiny • Detection Techniques • Evasion Techniques • Botnet Analysis Example • Defense techniques • Challenges • Trends • My Research

Introduction

• Botnets have become the worst threat to the Internet

• Malware is malicious software that compromises machines – it is the pillar of botnet actions

• Detecting and stopping botnets is a big challenge for security researchers

~/Scrutiny

Scrutiny

• Botnet definition – A coordinated group of malware instances that are controlled by a botmaster via some C&C channel

• Bot malware is a state-of-the-art malware class

• Each malware instance is known as a bot

Scrutiny • Botnet components

– Bots • Vulnerable machines compromised with malicious software disseminated by a botmaster through a propagation mechanism

• They are known as “zombies” or “slaves”

• Can be used as attacking platforms against other vulnerable hosts, to carry out DoS/DDoS and for other malicious activities

Scrutiny

• C&C

– This is what distinguishes botnet malware from other malware attacks

– Enables remote coordination of a large number of bots

– Allows flexibility to change and update the malicious botnet code

– It is also the most important indicator of a botnet

Scrutiny

• Architectural Designs (according to C&C)

[Figure: C&C architectural designs, ordered from easy to difficult detection and disarticulation]

Scrutiny

• Botnet Life-cycle

1 - Infection

2 - Communication

3 - Attack

Scrutiny

• Potential damage – Network technologies have created a perfect environment for the dissemination, infection and formation of botnets

• Large number of machines connected to the Internet through full-time broadband links

• Substantial system vulnerabilities

– It is difficult to estimate the size and the number of botnets that currently exist

– Botnets are used for (some examples): DDoS; illegal content distribution; malware and adware distribution; attacks on industrial control systems; click fraud; collection of confidential information

[Figure: map of botnet examples]

./Example


Detection Techniques

~/Detection_Techniques

Detection Techniques – Honeynets/honeypots

• Used to collect information from bots

• Allow obtaining bot binaries and infiltrating botnets

• Help to understand botnet characteristics

– Intrusion Detection Systems (IDS)

• Signature-based – Apply signatures of previously detected botnets to detection systems

• Anomaly-based – Host-based or network-based

Detection Techniques

[Figure: taxonomy of detection techniques – honeynet-based; intrusion detection systems: signature-based and anomaly-based; anomaly-based splits into host-based and network-based; network-based into active monitoring and passive monitoring, covering IRC, DNS, SMTP, P2P and multipurpose approaches]

Detection Techniques • Host-based

– Analyze the machine behavior, looking at the system registry, the file system and network connections

• Log file analysis

– Advantage

• Much more effective against download attacks and onset infections in general

– Disadvantage

• Performing individual machine analysis and monitoring is a complex, costly and non-scalable task

Detection Techniques

• Network-based – This is currently the most used method

– Some techniques are created specifically for certain protocols

• IRC and/or HTTP and/or P2P

– Others try to be more generic, involving multiple protocols and architectures

• All protocols

– Two methods • Active and passive monitoring

Detection Techniques • Active monitoring

– Tries to inject packets and observe the response behavior – an invasive method

– Advantage:

• The response time to detect malicious agents

– Disadvantage:

• Increases network traffic with the additional packets sent to suspicious machines

• The packet injection makes the monitoring easier to detect by tracking tools

• May be subject to legal issues

Detection Techniques

• Passive monitoring – Observe data traffic in the network and look for suspicious communications (from bots and C&C servers)

– Employs a myriad of different techniques and methods: statistic approaches, traffic mining, visualization, graph theory, clustering, correlation, stochastic methods, entropy, decision trees, neural networks, discrete Fourier transform, CUSUM, machine learning, discrete time series, group analysis and combinations of techniques
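As an added example (not from the slides) of the statistical side of passive monitoring, the block below scans constructed flow-log lines for the regular beaconing a bot produces when it polls its C&C server; the log format, hosts and thresholds are assumptions.

```python
"""Beacon detection over constructed flow logs (added example, not from the slides)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log lines: "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <bytes>".
# 10.0.0.5 polls 203.0.113.9 about every 60 s (bot-like); 10.0.0.7 browses irregularly.
FLOW_LOG = """\
1000 10.0.0.5 203.0.113.9 443 512
1060 10.0.0.5 203.0.113.9 443 520
1121 10.0.0.5 203.0.113.9 443 515
1180 10.0.0.5 203.0.113.9 443 510
1241 10.0.0.5 203.0.113.9 443 518
1300 10.0.0.5 203.0.113.9 443 512
1005 10.0.0.7 198.51.100.20 443 40210
1009 10.0.0.7 198.51.100.20 443 1337
1150 10.0.0.7 198.51.100.20 443 7700
1152 10.0.0.7 198.51.100.20 443 900
1600 10.0.0.7 198.51.100.20 443 22000
"""

def parse_flows(text):
    """Group timestamps by (src, dst, dport); malformed lines are skipped."""
    flows = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, _size = parts
        flows[(src, dst, int(dport))].append(int(ts))
    return flows

def find_beacons(text, min_events=5, max_cv=0.2):
    """Flag flows whose inter-arrival times are nearly constant.

    The coefficient of variation (std / mean) of the gaps is small for a timer-driven
    C&C poll and large for human-driven traffic. Benign periodic clients (NTP, update
    checks) match too, so treat a hit as a triage signal to correlate, not a verdict."""
    hits = []
    for key, stamps in parse_flows(text).items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"flow": key, "period": avg, "cv": cv, "events": len(stamps)})
    return hits
```

On the constructed log only the 60-second poll from 10.0.0.5 is flagged; the irregular browsing session has a coefficient of variation above 1 and is ignored.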

Detection Techniques

[Figure: a log from the Citadel botnet]

Evasion Techniques

~/Evasion_Techniques

Evasion Techniques

• Stealthy malware:

– Botnets are hard to detect because their activities can be subtle and do not disrupt the network (in contrast to DDoS attacks and aggressive worms)

• Several techniques: – Tunneling through HTTP, ICMP, VoIP and IPv6; fast-flux service networks (FFSN); changes in statistical patterns; using dynamic DNS entries; encrypted traffic; assigning different tasks to bots in the same network; randomizing bot communication patterns

Evasion Techniques

• Developing new evasion techniques leads to developing new detection techniques – it creates a conflict between attackers and defenders

• Example – Initial detection techniques

• Payload inspection – this technique is no longer effective

– To defeat it, bots evolved and employed cipher algorithms

Evasion Techniques

• Fast-flux service networks (FFSN) – Also known as fast-flux domains

– “Fast-flux” = “rapid change”

– A DNS technique used to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies • Low TTL

• Similar characteristics to legitimate services such as Round Robin DNS (RRDNS) and Content Delivery Networks (CDN)
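Because a low TTL alone also describes CDNs and RRDNS, a defender needs to combine it with how fast and how widely the address pool rotates. The following added example (not from the slides) scores constructed DNS lookup snapshots on TTL, pool size, /24 spread and churn; the snapshots, the /24 grouping and the thresholds are assumptions.

```python
"""Fast-flux heuristic over constructed DNS snapshots (added example, not from the slides)."""
from ipaddress import ip_network

# Constructed repeated lookups of one name: (ttl_seconds, A records returned).
# Fast-flux style: low TTL and a pool of compromised hosts that keeps changing.
FLUX_SNAPSHOTS = [
    (300, ["198.51.100.7", "203.0.113.44", "192.0.2.130"]),
    (300, ["203.0.113.44", "198.51.100.201", "192.0.2.9"]),
    (300, ["198.51.100.77", "203.0.113.10", "192.0.2.250"]),
]
# CDN/RRDNS style: also low TTL, but a small stable pool inside one provider block.
CDN_SNAPSHOTS = [
    (60, ["192.0.2.10", "192.0.2.11"]),
    (60, ["192.0.2.11", "192.0.2.10"]),
    (60, ["192.0.2.10", "192.0.2.12"]),
]

def flux_features(snapshots):
    """Summarise TTL, address pool size, /24 spread and churn between lookups."""
    if not snapshots:
        raise ValueError("need at least one snapshot")
    seen, nets, churn, prev = set(), set(), [], None
    for _ttl, records in snapshots:
        cur = set(records)
        seen |= cur
        nets |= {ip_network(f"{ip}/24", strict=False) for ip in cur}
        if prev is not None and cur:
            # Fraction of this answer that was not in the previous answer.
            churn.append(len(cur - prev) / len(cur))
        prev = cur
    return {
        "min_ttl": min(ttl for ttl, _ in snapshots),
        "unique_ips": len(seen),
        "unique_prefixes": len(nets),
        "churn": sum(churn) / len(churn) if churn else 0.0,
    }

def is_fast_flux(snapshots, max_ttl=600, min_ips=5, min_prefixes=3, min_churn=0.5):
    """Require a large, scattered, rapidly rotating pool on top of the low TTL.
    Thresholds are assumed for illustration and should be tuned per environment."""
    f = flux_features(snapshots)
    return (f["min_ttl"] <= max_ttl and f["unique_ips"] >= min_ips
            and f["unique_prefixes"] >= min_prefixes and f["churn"] >= min_churn)
```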

Evasion Techniques

~/Botnet_Analysis_Example

Botnet Analysis Example

• Win32/Atrax.A is a TOR-based backdoor family

• Downloader

– Win32/TrojanDownloader.Tiny.NIR

Botnet Analysis Example

• The hardcoded domain was registered in the middle of June 2013 – to bypass detection systems it passes itself off as PayPal Customer Service

• Yet all trojan components and the downloader binary were compiled in July

Botnet Analysis Example

• After download, the decompression routine is started for three PE modules via the WinAPI function RtlDecompressBuffer() – TOR client

– DLL module x86

– DLL module x64

Botnet Analysis Example

• Before installation the dropper makes simple checks – Whether it is running on a virtual machine

– Whether there is any debugger activity

[Figure: call graph for the routines that infect the machine]

Botnet Analysis Example • This routine tries, during the last stages of execution, to search for the initialization of additional AES-encrypted plugins in the %APPDATA% directory

• All plugins are named according to the following pattern: %APPDATA%\CC250462B0857727*

• Plugins are decrypted on the fly during the bot initialization process, but the encryption key depends on the infected machine

• This approach to plugin encryption makes it difficult to extract information during the forensic process

Botnet Analysis Example • The TOR client is embedded into the dropper executable and stored in the %APPDATA% directory as an AES-encrypted file

• Initialization of the TOR connection takes place after checking for an active browser process and injecting the TOR client code into the browser process by NtSetContextThread()

• Win32/Atrax.A supports code injection techniques for x86 and x64 processes.

Botnet Analysis Example • C&C Communication

– A special HTTP request function call

– If the second parameter, request_via_tor, is set to TRUE, all communications are initialized through the TOR client

[Figure: TOR communications call graph]

Botnet Analysis Example • After execution a new thread with the Tor client software is set up using

– AUTHENTICATE – password for authentication

– SIGNAL NEWNYM – change the proxy-node chain

• During the first connection

Botnet Analysis Example • It isn’t possible to ascertain the original C&C IP address or domain with a TOR-enabled connection, but it is possible to use the address generated in the TOR network for analysis

• After playing a little with the internal address in the TOR network

Botnet Analysis Example • Win32/Atrax.A supports the execution of remote commands

– dlexec – download and execute file

– dlrunmem – download file and inject it into the browser

– dltorexec – download TOR executable file and execute it

– dltorrunmem – download TOR executable file and inject it into the browser

– update – update itself

– install – download file, encrypt with AES and save to %APPDATA%

– installexec – download file, encrypt with AES and save to %APPDATA% and execute afterward

– kill – terminate all own threads

Botnet Analysis Example • Once the structure of the remote commands and the execution algorithm is known, it is possible to simulate a real bot and try to communicate with the C&C

• The author received two plugins

– A form grabber

– A password stealer

Researchers continue to track activities for Win32/Atrax.A

~/Defense_Techniques

Defense Techniques • They are focused on two main activities:

– Propagation • Aim to reduce the vulnerable population, limit the worm spread and reduce the botnet size

– Bot communication • Stop the commands from the botmaster

• Cover three main areas:

– Prevention => act to avoid host vulnerabilities

– Treatment => act to disinfect the compromised hosts (scalability and time problem)

– Containment => detection and response

Defense Techniques

• Containment mechanisms

– Detection and reaction time

– Strategy used to identify and contain bots

– Solution by topology and scope

– All approaches just block the botnet actions, but they do not apply disinfection

~/Challenges

Challenges

• Researchers do not have the same facility as botmasters to access hosts in various domains around the world – Detailed information is considered secret by administrative domains

– Network traces may contain sensitive information

• They are treated like “information plutonium”

Challenges

• Researchers can only generate synthetic botnet traces for their experiments (academic networks) – Academic networks do not reflect the reality of heterogeneous networks

– The performance of a bot detection method can be overestimated when applied to a particular network scenario

Challenges • Synthetic trace generation (to model botnet behavior)

– Epidemiological models • Attempt to compare malware and virus spread in populations

– Stochastic Activity Network (SAN) models • Generate a set of interconnected states that the host follows after its infection

• Each state transition probability is defined in advance

• It may not be considered a universal solution

– SANs have some limitations for modelling complex and large-scale systems
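To show what a SAN-style synthetic trace looks like, here is an added example (not from the slides) that walks hosts through the life-cycle states named earlier (infection, communication, attack) with transition probabilities fixed in advance; the state names, the probabilities and the absorbing “disinfected” state are assumptions chosen for illustration.

```python
"""SAN-style synthetic bot trace generator (added example, not from the slides)."""
import random

# Constructed model: state -> [(next_state, probability)], probabilities fixed in advance.
MODEL = {
    "infected": [("communicating", 0.9), ("disinfected", 0.1)],
    "communicating": [("communicating", 0.5), ("attacking", 0.4), ("disinfected", 0.1)],
    "attacking": [("communicating", 0.7), ("attacking", 0.2), ("disinfected", 0.1)],
    "disinfected": [],  # absorbing: the host has left the botnet
}

def validate_model(model):
    """Every non-absorbing state must have probabilities summing to 1 and known targets."""
    for state, edges in model.items():
        if not edges:
            continue
        if abs(sum(p for _, p in edges) - 1.0) > 1e-9:
            raise ValueError(f"probabilities for {state!r} do not sum to 1")
        for nxt, _ in edges:
            if nxt not in model:
                raise ValueError(f"unknown target state {nxt!r}")
    return True

def next_state(state, rng, model):
    """Weighted choice of the successor state using the predefined probabilities."""
    r, acc = rng.random(), 0.0
    for nxt, p in model[state]:
        acc += p
        if r < acc:
            return nxt
    return model[state][-1][0]  # only reached through floating-point rounding

def simulate_host(rng, model, max_steps=20, start="infected"):
    """One host's state sequence from infection until disinfection or the step limit."""
    trace = [start]
    while model[trace[-1]] and len(trace) <= max_steps:
        trace.append(next_state(trace[-1], rng, model))
    return trace

def generate_traces(n_hosts, seed, model=MODEL, max_steps=20):
    """Seeded, so the same experiment can be replayed exactly on another detector."""
    validate_model(model)
    rng = random.Random(seed)
    return [simulate_host(rng, model, max_steps) for _ in range(n_hosts)]

def attack_ratio(traces):
    """Fraction of simulated hosts that reached the attack stage at least once."""
    return sum("attacking" in t for t in traces) / len(traces)
```

The traces are only as realistic as the transition table, which is the limitation the slides raise: the probabilities are chosen beforehand rather than measured from a heterogeneous network.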

Challenges

• How to estimate how much a novel detection technique enhances overall botnet detection?

– There is no methodology or benchmark for a quantitative comparison

• Pervasive privacy concerns

• Difficulty of data sharing

Challenges

• Botnets are widespread in a distributed environment

– It can involve several countries

• Agreements between countries are necessary

– Coordination and consistency against cyber-crime

• User education about botnet threats – Software vendors should make more effort to increase their products’ security and improve the update/patch processes

Challenges • ISP actions

– Apply/improve ingress and egress filtering – Block inbound/outbound connections of malicious users

• Allows blocking the C&C communication • Adequately deal with the legal aspects, such as privacy

• New algorithms to hijack botnets

– This also leads to legal issues, but it can raise security concerns about the importance of botnet monitoring in order to avoid potential privacy issues

Challenges

• In general: – Development of efficient detection techniques

– Derive ways to dismantle botnet’s infrastructures

– Understand the new botnets trends

– Discussing legal international issues in a global botnet countermeasures effort


~/Trends

Trends

New opportunities for botmasters

Trends

Internet of Things vs. Internet of Vulnerabilities

• Botnets in mobile devices – Research is just beginning in this area

– High potential to compromise services

– It is not possible to apply the ISPs’ security measures because mobile devices connect to unknown wireless networks

– There is a lack of certification for applications created and placed in repositories by programmers

Trends

• Socialbot network (SbN)

– Botmasters have exploited social network websites to behave as their C&C infrastructures.

• Difficult to distinguish the C&C activities from normal social networking traffic

• Examples:

– Koobface, Nazbot


Trends

• Mini-botnets

– Small-scale

– Highly specialized

– Used for information thefts

– Little information is generated during attacks

Trends

• Super-botnet

– Many smaller botnets

– Commands are routed to each other

– Collectively achieve the same results as a large botnet

• High resilience

Trends

./Im_watching_you.sh


Trends

• Random model C&C – Communication is initiated by the botmasters

– Network-scan-based • A problem of scalability and coordination

– A model for future botnets to be more resilient • No modus operandi is known to detectors, so it may be hard to detect and interrupt

– No real bot currently uses this strategy

~/My_researches

My Research

• For a long time I’ve been working on the intersection between Computational Intelligence and Security.

– Intrusion detection

– Cryptanalysis

– Botnets => current

~/Motivation

My Research

• After long studies of botnets and the methods to detect them, I noted that there is no benchmark for quantitative and qualitative comparison among the several approaches presented so far.

My Research

• Comparison is complicated because:

– Different detectors are designed for different scenarios

– Previous experiments are very difficult to reproduce

– Botnets are evolving

– Different detectors target different botnets

My Research

• We need a global model

– An ideal world

• Some infrastructures have been proposed recently (DETERLAB, EMULAB etc.)

• An effort from governments to share botnet data is necessary

• What is the status of botnet detection in Brazil?

My Research • Currently, I’m working on the DeterLab environment configuration

– It is a big infrastructure created for security simulations/experiments

– The first idea is to develop an environment that allows any researcher to test his proposals and compare them with each other

• I’m going to test some detection techniques and compare them with new techniques that I’m studying, which apply Computational Intelligence approaches to multi-agent systems (intelligent agents)

– Also, I’m studying the evolution of botnets, and my target is to present a new proposal of botnets, what its impact on current detection systems can be and how we can mitigate it

Conclusion • Botnets are a big research area

– A lot of challenges

– Difficult to get data to run tests

– Very complex networks that are very difficult to access

– It can be considered a young research area

– But it is very interesting to work… to learn… to be very, very occupied!