hussain arshad, botnet tracking and intrusion detection

Upload: quique2811

Post on 10-Feb-2018

  • 7/22/2019 Hussain Arshad, Botnet Tracking and Intrusion Detection

    1/23

    Botnet Tracking and Intrusion Detection

    Arshad Hussain

    Eastern Michigan University

    TS-699

    Prof. Skip Lawver


    Hussain 2

Table of Contents

1. Abstract ........ 3
2. Introduction ........ 4
3. Classification & Characterization of Botnets ........ 5
   Centralized Botnets ........ 5
   Decentralized Botnets ........ 7
   Role of DNS ........ 7
   Botnet Usage and Motivation ........ 7
   Life Cycle of a Botnet ........ 8
   Financial Damage ........ 11
4. Metrics for Detection ........ 12
   Detection Metrics ........ 13
5. Measures and Detection Techniques ........ 13
   Packet Inspection ........ 14
   Flow Record Analysis ........ 15
   Spam Record Analysis ........ 15
   Sinkholing ........ 16
   DNS Cache Snooping ........ 17
   Reverse Engineering ........ 17
   Port Blocking ........ 18
   Detecting Fast Flux Networks ........ 18
   Walled Gardens ........ 18
   Social Measures ........ 19
6. Conclusion ........ 20
7. References ........ 21


Abstract

Robot networks are generally known as botnets. A bot can be defined as a series of commands or scripts designed to connect to something and execute a command or a series of commands. A botnet is a chain of coordinated machines that can be administered remotely by a hacker. These machines are called zombies. Botnets are a primary security threat on the internet. They affect organizations by stealing trade secrets, stealing employee identity information, inserting malware into source code files and compromising data integrity. The result can be disastrous, leading to loss of revenue and reputation. As the metrics for detecting botnets haven't been researched so far, this research project deals with botnet tracking and detection techniques. Here, three metrics have been proposed for the detection of botnets. This project clarifies the botnet phenomenon and reveals the most efficient botnet detection techniques.

Keywords: botnets, tracking, detection, intrusion, malware, hacker


Introduction

A botnet can be considered a network of bots under the remote command of a botmaster. These bots are controlled to perform illicit activities and pose a significant threat to cyber security. They provide a distributed platform for various cybercrimes such as distributed denial of service (DDOS), malware dissemination, click fraud and phishing. A botnet with zombies is depicted in Figure 1 (Mary Landesman, 2011).

All computer users are at high risk because we all browse the same internet. Every individual should be aware of social networking attacks.

Companies and governments suffer the most damage from botnet attacks. The results of these attacks can be dangerous, costing companies significant manpower, money and clean-up time.

Figure 1: Botnet with zombies.
(Source: A Cisco Report on New Threat Landscape.)


DDOS attacks can disrupt communications, and infected source code can halt critical servers. Botnets have become much more sophisticated and dangerous nowadays. Few formal studies have examined botnet issues and very little is known about the malicious behaviour of botnets. This research aims at finding out the latest and most advanced techniques of botnet detection.

Classification and Characterization of Botnets

The major part of a botnet is known as the command and control (C&C) infrastructure. It consists of bots and an entity that controls these bots. The entity may be centralized or decentralized. Botmasters use one or more protocols in coordinating their activities and commanding the victim computers. The C&C infrastructure is the only channel to control these bots. To operate effectively, a stable connection has to be maintained by these bots.

Centralized Botnets

The centralized form may be compared to the client and server model. Here, all the bots act as clients and connect to centralized servers. The servers issue commands to these bots.

The bots communicate with one or more connection points. These points are command and control servers that are controlled by the botmaster. As all bots are connected to the servers, the botmaster can instantly send commands to all the bots. This is an efficient way of communication that maintains a low reaction time. The botmaster can monitor all the bots and receive direct and accurate feedback along with the status of the botnet.


As per a technical report of the Pennsylvania State University, the IRC (Internet Relay Chat) protocol is one of the important technologies for enabling and controlling centralized models (Athichart, Xiaonan & Miller, 2011).

This protocol allows many participants in one channel. It can also command all the bots in parallel. Private communications can be handled on a one-to-one basis, which helps in manipulating single bots directly. IRC is a text-based protocol. Implementation and customization are very easy with the IRC protocol. IRC servers offer robust and well-established approaches to commanding botnets. Botmasters generally own a few IRC servers to propagate the commands. As the botmasters use their own servers, botnets are further strengthened. IRC facilitates low latency and simple channels. The widely used IRC botnets are Agobot, GT bot, SDBot and Spybot.

Agobot has the ability to corrupt systems in three modules. Each module retrieves the next one after the completion of its primary activity. Agobot alters the DNS entries of security-related websites and directs them to the local host. GT bot refers to Global Threat. It is a common name used for mIRC scripted codes. It runs the scripts as event responses and can also support TCP and UDP connections. There are many versions of GT bots. SDBot has almost four thousand variants. It has already infected around 670000 machines. One of the most active exploits of SDBot is brute-force password guessing on port 445. Spybot is actually derived from SDBot. Spybot can perform certain activities such as logging keystrokes. It broadcasts spam via instant messaging. It can also alter the registry and disable the security center. So, Spybot is very effective in certain aspects when compared to SDBot.


Hypertext Transfer Protocol (HTTP) is a well-known standard throughout the web that is useful in data delivery. As HTTP is rarely filtered, botmasters are interested in this protocol. Examples of HTTP bots are those that originate from the Zeus crimeware toolkit. These botnets can be propagated and managed easily.

Locomotive botnet is another case of a centralized botnet that relies on a C&C model and synchronously switches its components. The botmaster can take control of certain administrative tasks.

Decentralized Botnets

The decentralized form allows the bots to act autonomously. Bots can establish connections with other bots. They also send requests for additional commands to the botnet. Here, the bots are loosely coupled. These links are useful for communicating with other bots within the botnet. These botnets are also known as peer-to-peer botnets.

The information regarding other peers is distributed all over the botnet. Bots can send and receive their revision numbers while communicating. If the revision numbers differ, the older version gets updated to the newer version automatically. So, monitoring such activity becomes very difficult.

Role of DNS

Fast Flux Service Network (FFSN) technology uses the Domain Name System (DNS) in C&C infrastructure communications. FFSN has been developed to increase anonymity. An FFSN can act as a distributed proxy network consisting of flux agents that route the traffic to the appropriate node.


Botnet Usage and Motivation

With the evolution of botnets, the underground malware and cyber crime economy has grown rapidly. Botmasters are the customers of this malware supply chain. This is illustrated in Figure 2. Botmasters can make more profit by offering malware services to various third parties. The major motivation behind these botnets is financial benefit. Other motivations are political benefits and military interests.

Figure 2: Malware Economy.
(Source: IT Security Report by St. Poleten University, Austria.)


The Life Cycle of a Botnet

A botnet has four phases, namely infection, injection, maintenance and malicious activity. Figure 3 illustrates the life cycle of a botnet.

In the initial infection phase, systems get infected in many ways such as executing malicious code, accidental downloading of malicious programs and email attachments.

Figure 3: Botnet Life Cycle.
(Source: Survey Report by the Third International Conference on Emerging Security Systems, 2009.)

Some ports are always being scanned by other bots. In these circumstances, the bots can easily infect all systems on a network. In the secondary injection phase, the botnet code executes to generate bots. The botmaster controls all these bots. This process can be initiated through FTP or HTTP. In the maintenance phase, botmasters perform some periodic steps.


The botmaster authorizes certain activities such as distributed denial of service by sending commands to the C&C server.

According to the research of McAfee Labs, around 1.5 million botnet infections have been detected in India so far (Zheng, Pedro & Rahul, 2011). Brazil, Germany and Russia exceeded 1 million infections recently. The 2011 chart of the number of botnets per victim machine against the world's population is shown in Figure 4 (Gunter Ollmann, 2011).

Figure 4: Botnet Effect.
(Source: Damballa Threat Report.)

The malicious activity phase includes click fraud, spamming, identity theft and political interests.

One of the major tasks of botnets is spamming. Botnets are used in spreading junk emails. Some networks are owned by the spammers. The intention behind spamming is advertising. Some third parties purchase a pack of such spam emails to be delivered by botmasters. This is the process of advertising third-party products.


As per a Microsoft research report, around 85% of emails are spam (John Mello, 2011). Ferris Research estimated that the cost of these emails would be around 130 billion US dollars.

Click fraud is another way of monetizing botnets. The hacker opens an account with online advertisers. These advertisers pay for the pages visited and for the banners clicked. With the help of controlled bots, the hacker visits the pages and generates a number of clicks on the banners. The hacker already has control of the victims' computers and gets paid by the advertisers.

Bots are also used for extracting user credentials. The important targets are email account passwords, banking transaction passwords and credit card details. This may result in fraudulent transfers of money and buying and selling in e-shops.

Botmasters use botnets in political and military contexts. GhostNet and Shadow Network are two botnets that are responsible for infecting machines in almost 103 countries so far. The machines belong to various commissions and embassies. The network traces revealed that some sensitive and confidential files had been extracted.

Financial Damage

As customer credentials are being used for illegitimate transfers, the financial claims made by these customers are increasing every day. The Zeus botnet has already infected 3.6 million computers in the USA. Zeus is considered financial malware and is also named Zbot. Variants of Zeus can steal all the credentials of social-networking and online-shopping users.


Many literature reviews have described botnets as a growing industry, and these attacks have a powerful impact on global businesses. Certain efforts and studies are in progress in understanding botnet issues and designing defenses against botnet attacks. Some efforts are based on setting up honeynets (virtual honeypots). Some researchers proposed and discussed the use of honeynets for tracking botnets (Jing Liu, Hongmei & Ghaboosi, 2009). Honeynets are one of the informal studies of botnet issues. Honeynets are useful only in understanding the technology and characteristics of botnets. They do not necessarily detect botnet infections. With recent developments in botnets, honeynets have become less effective. So, we need to investigate a better approach.

Metrics for Detection

The existing methods of measuring botnet size generally lack accuracy. The numbers are not satisfactory and they are also limited to a small degree. Based on analysis and various approaches, certain objectives can be derived for tackling botnet issues and threats.

The major recommendations for tackling botnets are mentioned below.

Mitigating existing botnets:
In order to mitigate existing botnets, the present infections should be reduced.
ISPs must be strongly induced to better utilize their position for detecting and minimizing botnets.
The methods of botnet monitoring and identification should be refined and improved.
Malware analysis and information sharing among various stakeholders should be improved.


Simplification of cross-border functionality should be harmonized.

Preventing new infections:
System protection and the management of vulnerable conditions should be enhanced.
To minimize the spread of malware, both vendors and customers should take part in tackling these vulnerability issues.

Minimizing the benefits and profits of cyber crime:
Certain measures should be undertaken to look into the profitability of botnets.
As the patterns are shifting to monetary benefits, they should be controlled effectively by improving anti-fraud methods.
Information should be shared among various parties, including ISPs and research bodies, in this fight against cyber crime.

Detection Metrics

The metrics for detecting botnets can be derived from botnet behavior. The three metrics are relationship, response and synchronization.

Relationship: Botnets have one-to-many relationships between the botmaster and the bots. A relationship can be defined as a connection over one protocol. This connection need not be at the transport layer; it can be at upper layers. When the botmaster is located centrally, the botnets form a dense topology in their connections.

Response Time: Other features of a botnet can be traced through the response time. Bots respond accurately as soon as they get commands from the botmaster. The bot performs pre-programmed activities as it receives commands from the master, and the response time is almost constant. Response times of human beings and bots are compared in Figure 5.


The response time is one of the important metrics in detecting botnets.

Synchronization: As each bot carries certain programmatic functionality that is a direct reflection of botmaster commands, all the bots are well synchronized with each other. All these bots can simultaneously perform actions such as DDOS attacks, information sharing, reporting and receiving commands.

By tracing the traffic and its activity, botnets can be detected. These botnets can be treated as homogeneous or suspicious bot-groups.
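To make the response-time and synchronization metrics concrete, the following Python is an added example and not code from the paper: it pairs each inbound command with the host's next outbound message in a small constructed connection log, computes the coefficient of variation of response times per host, and looks for groups of hosts whose outbound activity repeatedly falls in the same one-second window. The log format, the thresholds and the host addresses are assumptions chosen for illustration.

```python
"""Response-time and synchronization metrics over a constructed connection log.

Each line is "timestamp,host,direction": "in" is a message from the suspected
controller to the host, "out" is the host's next message back to it.
"""
import statistics
from collections import defaultdict

# Constructed sample: three hosts answer with near-constant latency inside the
# same second (bot-like); one host answers after irregular, human-like delays.
SAMPLE_LOG = """\
100.00,10.0.0.11,in
100.21,10.0.0.11,out
100.00,10.0.0.12,in
100.20,10.0.0.12,out
100.00,10.0.0.13,in
100.22,10.0.0.13,out
160.00,10.0.0.11,in
160.20,10.0.0.11,out
160.00,10.0.0.12,in
160.21,10.0.0.12,out
160.00,10.0.0.13,in
160.20,10.0.0.13,out
220.00,10.0.0.11,in
220.21,10.0.0.11,out
220.00,10.0.0.12,in
220.20,10.0.0.12,out
220.00,10.0.0.13,in
220.21,10.0.0.13,out
103.00,10.0.0.50,in
112.40,10.0.0.50,out
171.00,10.0.0.50,in
171.90,10.0.0.50,out
230.00,10.0.0.50,in
264.30,10.0.0.50,out
"""


def parse_log(text):
    """Return (timestamp, host, direction) tuples in time order."""
    events = []
    for line in text.splitlines():
        ts, host, direction = line.split(",")
        events.append((float(ts), host, direction))
    events.sort(key=lambda e: e[0])
    return events


def response_times(events):
    """Pair each inbound command with the host's next outbound message."""
    pending = {}
    times = defaultdict(list)
    for ts, host, direction in events:
        if direction == "in":
            pending[host] = ts
        elif direction == "out" and host in pending:
            times[host].append(ts - pending.pop(host))
    return dict(times)


def response_regularity(times):
    """Coefficient of variation (stdev / mean) per host; near zero is machine-like."""
    cv = {}
    for host, rts in times.items():
        if len(rts) < 2:
            continue
        mean = statistics.mean(rts)
        cv[host] = statistics.pstdev(rts) / mean if mean else float("inf")
    return cv


def synchronization_groups(events, window=1.0, min_hosts=3):
    """Count, per group of hosts, the windows in which they all sent a message."""
    bins = defaultdict(set)
    for ts, host, direction in events:
        if direction == "out":
            bins[int(ts // window)].add(host)
    groups = defaultdict(int)
    for hosts in bins.values():
        if len(hosts) >= min_hosts:
            groups[frozenset(hosts)] += 1
    return dict(groups)


def suspicious_hosts(text, cv_threshold=0.1, min_sync_windows=2):
    """Hosts that are both regular in response time and synchronized with others."""
    events = parse_log(text)
    cv = response_regularity(response_times(events))
    regular = {h for h, v in cv.items() if v < cv_threshold}
    synced = set()
    for group, count in synchronization_groups(events).items():
        if count >= min_sync_windows:
            synced |= group
    return sorted(regular & synced)


if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_LOG))
```

Either metric alone gives false positives (a scheduled backup is regular, a flash crowd is synchronized); requiring both, as suspicious_hosts does, is what turns the three hosts into a suspicious bot-group while the human-driven host drops out.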

Figure 5: Response time comparison.
(Source: EURASIP Journal on Wireless Communication, 2009.)

Measures and Detection Techniques

A variety of botnet detection techniques and approaches are presented below:


Packet Inspection

This technique is helpful in increasing network security. In this approach, the protocol fields are matched against known patterns of malicious content. These can be shellcode sequences in packets or a file server communicating through the IRC protocol. The patterns are known as detection signatures. Intrusion detection systems (IDS) are the best examples of this approach. An IDS can monitor and issue warnings when an attack is identified. In some cases an IDS takes one more step and tries to prevent the attack. Such a system is known as an intrusion prevention system (IPS). The function of an IPS is to reject the packets and close the connections. It can also forward the contents of the packets to an analysis system. All the details extracted regarding the attack are used for blacklist contributions. The information is also used in updating firewall rules. As far as botnet research is concerned, the packet inspection technique can be used for automated measurement and as a detection mechanism.
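A minimal signature matcher, written here as an added Python example (not from the paper or from any IDS product): signatures are regular expressions over the payload, optionally tied to a protocol and destination port, each with an alert (IDS) or drop (IPS) action. The packets, the two signatures and the addresses are constructed for illustration; drop decisions also feed a source blacklist, as the text describes.

```python
"""A minimal payload-signature matcher: IDS alerts, IPS drops, blacklist feed (constructed)."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern          # regular expression applied to the payload
    proto: str = "tcp"
    dport: Optional[int] = None  # None matches any destination port
    action: str = "alert"        # "alert" (IDS) or "drop" (IPS)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes


# Two illustrative signatures: IRC control commands in a payload on any port
# (IRC is the C&C protocol described earlier) and a long NOP run, the kind of
# shellcode-carrying sequence the text mentions.
SIGNATURES = [
    Signature("irc-control-command", re.compile(rb"^(NICK|JOIN|PRIVMSG) ", re.M)),
    Signature("nop-sled", re.compile(rb"\x90{16,}"), action="drop"),
]

# Constructed traffic: IRC on its usual port, IRC hidden on 8080, a NOP run
# towards 445/tcp, and an ordinary HTTP request.
SAMPLE_PACKETS = [
    Packet("10.0.0.11", "203.0.113.7", 6667, "tcp", b"NICK bot-0x1f\r\nUSER x x x :x\r\nJOIN #ch\r\n"),
    Packet("10.0.0.12", "203.0.113.7", 8080, "tcp", b"PRIVMSG #ch :status ok\r\n"),
    Packet("203.0.113.9", "10.0.0.20", 445, "tcp", b"\x90" * 32 + b"ABCD"),
    Packet("10.0.0.50", "198.51.100.5", 80, "tcp", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]


def inspect(packets, signatures=SIGNATURES):
    """IDS behaviour: return (signature, action, src, dst) for every match."""
    alerts = []
    for p in packets:
        for s in signatures:
            if s.proto != p.proto or (s.dport is not None and s.dport != p.dport):
                continue
            if s.pattern.search(p.payload):
                alerts.append((s.name, s.action, p.src, p.dst))
    return alerts


def enforce(packets, signatures=SIGNATURES):
    """IPS behaviour: forward packets that hit no 'drop' signature; collect sources for a blacklist."""
    forwarded, blacklist = [], set()
    for p in packets:
        hits = inspect([p], signatures)
        if any(action == "drop" for _, action, _, _ in hits):
            blacklist.add(p.src)
        else:
            forwarded.append(p)
    return forwarded, sorted(blacklist)


if __name__ == "__main__":
    for alert in inspect(SAMPLE_PACKETS):
        print(alert)
    kept, banned = enforce(SAMPLE_PACKETS)
    print(len(kept), "forwarded; blacklist:", banned)
```

The IRC signature deliberately ignores the port, which is what lets it flag the control traffic on 8080; a production IDS would add protocol-aware parsing rather than raw regexes, but the alert/drop split and the blacklist feed are the same.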

Flow Record Analysis

In this technique, network traffic is traced at an abstract level. There is no need to inspect packets individually as in the previous technique. Here the streams are collectively regarded in an aggregate form. A flow record has many properties that describe the streams of data. It has certain important attributes such as the source address, destination address, port numbers, protocol, session time, the number of packets and the packet size. Larger traffic volumes can be handled in this approach. The session headers can be tracked to help describe the packet flows.

Flow record analysis aims at identifying traffic patterns. This information is used to filter malicious content. With this information, certain schemes can be created for the


detection of malicious traffic. Inputs from the packet inspection technique help flow record analysis in supporting the rule specifications. This approach can be used for identifying specific network infections and disinfection mechanisms.
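As an added example that is not the paper's code, the Python below aggregates constructed packet headers into NetFlow-style flow records carrying the attributes listed above, and then applies the relationship metric from the Detection Metrics section over those records: it counts how many distinct sources converge on one destination endpoint and checks whether their flows look alike in bytes per packet. The addresses, ports and thresholds are assumptions.

```python
"""Flow record aggregation plus a fan-in ("relationship") check over constructed packets."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FlowRecord:
    """One unidirectional flow keyed by the 5-tuple, with the attributes named in the text."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0

    @property
    def duration(self):
        return self.last_seen - self.first_seen


def build_packets():
    """Constructed packet headers: (timestamp, src, dst, sport, dport, proto, length).

    Four internal hosts talk to one external endpoint on 6667/tcp with the same
    packet sizes at 30-second intervals; two hosts also do ordinary HTTPS.
    """
    pkts = []
    for i, src in enumerate(["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]):
        base = 1000.0 + i * 0.5
        for k, length in enumerate((62, 62, 118)):
            pkts.append((base + k * 30.0, src, "203.0.113.7", 40000 + i, 6667, "tcp", length))
    pkts += [
        (1005.0, "10.0.0.11", "198.51.100.5", 50001, 443, "tcp", 517),
        (1005.3, "10.0.0.11", "198.51.100.5", 50001, 443, "tcp", 1440),
        (1020.0, "10.0.0.50", "198.51.100.5", 50002, 443, "tcp", 517),
    ]
    return pkts


def aggregate_flows(packets):
    """Collapse packets into flow records, as a flow exporter would."""
    flows = {}
    for ts, src, dst, sport, dport, proto, length in sorted(packets):
        key = (src, dst, sport, dport, proto)
        rec = flows.get(key)
        if rec is None:
            rec = flows[key] = FlowRecord(src, dst, sport, dport, proto, ts, ts)
        rec.last_seen = max(rec.last_seen, ts)
        rec.packets += 1
        rec.bytes += length
    return list(flows.values())


def fan_in(flows):
    """Distinct sources per (dst, dport, proto): the one-to-many relationship."""
    sources = defaultdict(set)
    for f in flows:
        sources[(f.dst, f.dport, f.proto)].add(f.src)
    return {k: sorted(v) for k, v in sources.items()}


def dense_endpoints(flows, min_sources=3, max_spread=0.2):
    """Endpoints that many sources converge on with near-identical bytes-per-packet."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.dst, f.dport, f.proto)].append(f)
    hits = {}
    for key, fs in groups.items():
        srcs = {f.src for f in fs}
        if len(srcs) < min_sources:
            continue
        bpp = [f.bytes / f.packets for f in fs]
        spread = (max(bpp) - min(bpp)) / max(bpp)
        if spread <= max_spread:
            hits[key] = sorted(srcs)
    return hits


if __name__ == "__main__":
    records = aggregate_flows(build_packets())
    for r in records:
        print(r.src, "->", f"{r.dst}:{r.dport}", r.packets, "pkts", r.bytes, "bytes", f"{r.duration:.1f}s")
    print(dense_endpoints(records))
```

The HTTPS endpoint also has several sources but fails the size-uniformity check and the source count, which is the point of combining fan-in with flow similarity: a popular web server is many-to-one too, but its flows do not all look the same.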

Spam Record Analysis

Botnets usually distribute unsolicited emails, and this is called spamming. By analyzing these spam records, botnet activities can be determined. Here all the necessary information is obtained from investigating the spam messages of botnets. As botnets generate spam emails, the emails follow the same pattern. These patterns are analyzed to identify the spam generation. The templates of the spam are extracted from the botnets. The headers of spam messages are used in discovering the botnet location and its overall distribution. This process of comparing and aggregating spam emails is known as spam campaigning.
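The comparison-and-aggregation step can be scripted. In this added Python example (not the paper's method), messages are normalized (URLs, e-mail addresses and numbers replaced by placeholders), compared by Jaccard similarity of word bigrams, and grouped greedily into campaigns; the sending addresses per campaign, taken from the headers, show the distribution, and an address that appears in more than one campaign points to a shared botnet. The messages and addresses are constructed.

```python
"""Group spam messages into campaigns by template similarity (constructed sample)."""
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://\S+")
EMAIL_RE = re.compile(r"\S+@\S+")
NUM_RE = re.compile(r"\d+")

# Constructed messages: "src" is the sending address taken from the headers.
SAMPLE_MESSAGES = [
    {"src": "198.51.100.10", "body": "Dear Alice, your parcel 48213 could not be delivered. Reschedule at http://a1.example/track?id=48213"},
    {"src": "203.0.113.55", "body": "Dear Bob, your parcel 99017 could not be delivered. Reschedule at http://k7.example/track?id=99017"},
    {"src": "192.0.2.140", "body": "Dear Carol, your parcel 11320 could not be delivered. Reschedule at http://zz.example/track?id=11320"},
    {"src": "198.51.100.10", "body": "Congratulations Dave! You have won prize 7781. Claim now at http://win.example/c/7781"},
    {"src": "203.0.113.56", "body": "Congratulations Erin! You have won prize 5120. Claim now at http://win2.example/c/5120"},
    {"src": "192.0.2.8", "body": "Hi team, the minutes from the 14:00 meeting are in the shared folder."},
]


def normalize(text):
    """Collapse the parts a template fills in: links, addresses, numbers."""
    t = URL_RE.sub("<url>", text.lower())
    t = EMAIL_RE.sub("<email>", t)
    t = NUM_RE.sub("<n>", t)
    return " ".join(t.split())


def shingles(text, k=2):
    """Set of k-word shingles of the normalized text."""
    words = normalize(text).split()
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


def cluster_campaigns(messages, threshold=0.5):
    """Greedy single pass: a message joins the first campaign it resembles, else starts one."""
    campaigns = []
    for idx, m in enumerate(messages):
        sh = shingles(m["body"])
        for c in campaigns:
            if jaccard(sh, c["shingles"]) >= threshold:
                c["messages"].append(idx)
                c["sources"].add(m["src"])
                break
        else:
            campaigns.append({"shingles": sh, "messages": [idx], "sources": {m["src"]}})
    return campaigns


def campaign_report(messages, min_size=2):
    """Campaigns of at least min_size messages, with their sending addresses."""
    return [{"messages": len(c["messages"]), "sources": sorted(c["sources"])}
            for c in cluster_campaigns(messages) if len(c["messages"]) >= min_size]


def shared_sources(report):
    """Addresses that sent for more than one campaign: a hint that one botnet serves both."""
    seen = defaultdict(int)
    for campaign in report:
        for src in campaign["sources"]:
            seen[src] += 1
    return sorted(src for src, n in seen.items() if n > 1)


if __name__ == "__main__":
    rep = campaign_report(SAMPLE_MESSAGES)
    for c in rep:
        print(c)
    print("shared sources:", shared_sources(rep))
```

Normalization is what makes the personalized salutation and the per-recipient tracking link irrelevant: after it, the three delivery-notice messages differ only in the name token, so they cluster together while the single legitimate message stays alone and is dropped by min_size.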

Sinkholing

Sinkholing can be defined as a countermeasure for removing the malicious source of control from botnets. This technique is used against various targets. The technique changes the target domain and redirects it to trusted parties. Figure 6 illustrates the proposed model of the sinkholing technique.


Figure 6: Sinkholing Technique.
(This is the proposed model of the sinkholed server.)

Here the accuracy is largely dependent on the details of the target host. In many cases, the information provided by the bots to the sinkholed server can reveal the identity of these bots with very high accuracy. Sinkhole operators should be cautious regarding the sensitive content of the incoming data. The operators should carefully handle incoming packets containing bank account details, credit card details and other financial information. This approach can be used for both centralized and decentralized botnets.
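The handling caveat above can be enforced at intake. This added Python example (not the paper's model) records, for each report a bot sends to the sinkhole, the source address and bot identifier that measurement needs, but redacts Luhn-valid card numbers and password-like fields from the payload before anything is stored. The report format, the field names and all values are constructed.

```python
"""Sinkhole intake: keep what measurement needs, redact financial data before storing."""
import hashlib
import re
from collections import defaultdict

# Constructed reports as a sinkholed C&C domain might receive them from bots.
SAMPLE_REPORTS = [
    {"src": "198.51.100.23", "bot_id": "bot-a1",
     "body": "id=bot-a1 os=win7 card=4111 1111 1111 1111 password=hunter2"},
    {"src": "203.0.113.77", "bot_id": "bot-b9",
     "body": "id=bot-b9 os=win10 order=1234567890123"},
    {"src": "198.51.100.23", "bot_id": "bot-a1",
     "body": "id=bot-a1 heartbeat"},
]

# 13 to 19 digits, optionally separated by spaces or dashes, ending on a digit.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SECRET_RE = re.compile(r"(?i)\b(pass(?:word)?|pwd|pin)\s*[:=]\s*\S+")


def luhn_ok(digits):
    """Luhn checksum: separates card numbers from order or ticket numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(text):
    """Replace Luhn-valid card numbers and password-like fields with markers."""
    def card_sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return "[CARD-REDACTED]" if luhn_ok(digits) else m.group(0)
    text = CARD_RE.sub(card_sub, text)
    return SECRET_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)


def intake(reports):
    """Return (records safe to store, report count per source address)."""
    stored = []
    per_source = defaultdict(int)
    for r in reports:
        per_source[r["src"]] += 1
        body = redact(r["body"])
        stored.append({
            "src": r["src"],
            "bot_id": r["bot_id"],
            "body": body,
            # Fingerprint of the redacted body, for de-duplicating repeated reports.
            "fingerprint": hashlib.sha256(body.encode()).hexdigest(),
        })
    return stored, dict(per_source)


if __name__ == "__main__":
    records, sources = intake(SAMPLE_REPORTS)
    for rec in records:
        print(rec["src"], rec["bot_id"], rec["body"])
    print("distinct reporting bots:", len(sources))
```

The Luhn check is what keeps an order number of card-like length intact while the real card number is removed; the per-source count is the measurement the text describes, obtained without retaining the victims' financial data.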


DNS Cache Snooping

This technique deals with the caching properties implemented by almost all DNS servers. If a query is made to a DNS server that has no matching entry, the DNS server issues a query to the authoritative servers and stores the results in a local cache. Caching helps in increasing the overall performance of the name server by reducing the traffic load.

There are two variants. In the first variant, the DNS server is queried with a variable set. The server either sends the direct answer or sends the answer with the names of the authoritative servers. This may not work for all DNS servers.

The second variant works with all DNS servers. In this approach, the variable is not set. The DNS server can forward the queries to all other servers. This technique gives complete parallelization of the process of determining the cached answer by analyzing the name queries. This can be tracked by the TTL (Time to Live) response values.

By this approach, we can exploit the general partitioning of the web. All the required information can be derived from these well-defined partitions.

Reverse Engineering

Recovering the functionality of a program without its source code is known as reverse engineering. The malware reverse engineering technique helps in extracting the details of the installation and spreading of malware. The process involves static analysis and dynamic analysis. In static analysis, the binary is not executed. This phase deals with the reconstruction of certain aspects of the functionality.


Dynamic analysis deals with the execution of the sample. The behavior of the malware can be determined by monitoring the host. The behavior includes credential searching and key-logging.

Port Blocking

This technique is usually implemented by ISPs to minimize spam messages. As 87% of emails have been reported as spam, this threat should be mitigated. Some services such as direct mail exchange operate through port 25. Their sole purpose is to distribute spam messages. So the best approach is to block port 25 at the ISP level. The ports used by IRC and FTP applications should also be blocked. Certain legitimate services should be whitelisted.

Detecting Fast Flux Networks

These networks can change DNS records very quickly and can point to a larger set of hosts. They can be treated as a proxy layer. Many IP addresses can be linked with a few domain names or only one domain name. The domain records of flux networks are valid for a short period and can be traced by TTL response values. By tracing domains with low TTL response values, the fast flux domains can be identified. Another way of extracting the network hosts is by sending repeated queries and collecting the records.
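The TTL and repeated-query approach described here, as an added Python example that is not part of the paper: repeated lookups of each domain are summarized by minimum TTL, distinct addresses, distinct /24 networks and how many new addresses each fresh query returned. The /24 network count is an extra heuristic assumed here to separate a flux network from a content-delivery domain that also uses short TTLs; the lookup data, the domain names and the thresholds are constructed for illustration.

```python
"""Fast-flux scoring from repeated DNS lookups of the same names (constructed data)."""
import ipaddress
from collections import defaultdict

# Constructed observations in query order: (domain, TTL in seconds, A records returned).
SAMPLE_LOOKUPS = [
    ("flux.example", 180, ["198.51.100.12", "203.0.113.40", "192.0.2.77"]),
    ("flux.example", 180, ["203.0.113.40", "198.51.100.200", "192.0.2.9"]),
    ("flux.example", 180, ["192.0.2.9", "198.51.100.55", "203.0.113.101"]),
    ("static.example", 86400, ["192.0.2.10"]),
    ("static.example", 86400, ["192.0.2.10"]),
    ("static.example", 86400, ["192.0.2.10"]),
    ("cdn.example", 60, ["198.51.100.12", "198.51.100.13"]),
    ("cdn.example", 60, ["198.51.100.14", "198.51.100.12"]),
    ("cdn.example", 60, ["198.51.100.13", "198.51.100.14"]),
]


def summarize(lookups):
    """Per domain: lowest TTL seen, distinct addresses, distinct /24s, new addresses per query."""
    per_domain = defaultdict(list)
    for domain, ttl, ips in lookups:
        per_domain[domain].append((ttl, set(ips)))
    summary = {}
    for domain, answers in per_domain.items():
        all_ips = set().union(*(ips for _, ips in answers))
        # Assumed heuristic: a flux network spreads over many networks, a CDN rarely does.
        nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in all_ips}
        new_ips = sum(len(cur - prev) for (_, prev), (_, cur) in zip(answers, answers[1:]))
        summary[domain] = {
            "min_ttl": min(ttl for ttl, _ in answers),
            "distinct_ips": len(all_ips),
            "distinct_nets": len(nets),
            "new_ips_per_query": new_ips / max(len(answers) - 1, 1),
        }
    return summary


def is_fast_flux(stats, max_ttl=300, min_ips=5, min_nets=3, min_churn=1.0):
    """All four conditions must hold; the thresholds are illustrative assumptions."""
    return (stats["min_ttl"] <= max_ttl
            and stats["distinct_ips"] >= min_ips
            and stats["distinct_nets"] >= min_nets
            and stats["new_ips_per_query"] >= min_churn)


def classify(lookups):
    return {domain: is_fast_flux(stats) for domain, stats in summarize(lookups).items()}


if __name__ == "__main__":
    for domain, stats in summarize(SAMPLE_LOOKUPS).items():
        print(domain, stats, "fast-flux" if is_fast_flux(stats) else "ok")
```

A low TTL alone would flag the constructed CDN name as well; it is the combination of short TTL, many addresses, address churn between queries and spread across networks that singles out the flux domain.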

Walled Gardens

Walled gardens can protect the customers of an ISP and other users of the internet. A walled garden intercepts and isolates the outgoing connections of infected hosts. This process involves detection, notification and removal stages.


The initial detection of a botnet can be handled by one of the DNS-based methods. After the infection is confirmed for a connection, that user should be placed in a walled garden.

Here the user's connectivity is constrained and depends on the policy of the ISP. A notification is sent to the user. A walled garden forbids most connection attempts by the isolated user. The user can only connect to certain malware mitigation services. The user's DNS queries should be handled by providing crafted answers and redirecting the user to the ISP's website. The website provides the necessary instructions and links to tools that can remove the malware. This is known as self-remediation.

Social Measures

We need to raise user awareness to prevent botnets.
Users should be trained in tackling malware-infected systems.
Up-to-date software patches can protect the systems.
Good password management can help in reducing the damage.
Employees should be trained through security awareness programs and courses from their organization.
Effective cooperation among the stakeholders is one of the important initiatives in tackling botnets.
Researchers may have all the necessary details regarding some botnets.
Law enforcement can order the implementation of measures to eliminate botnets.
All these stakeholders should contribute in order to enhance botnet mitigation mechanisms and processes.


Global collaboration can help in understanding the overall view of malware effects and the latest developments in analyzing and tackling infected systems. This is essential as almost all countries have been affected by botnets.

Conclusion

The measures and techniques provided in this report generally operate at various levels. The sinkholing technique works well at the top tier of the infrastructure. Walled gardens can detect the root cause of the infection by isolating the hosts. One of the countermeasures that can be used to target the malware operators is legislation and regulation on cybercrime. These cybercrime laws should offer flexibility in facing cybercrime and botnet evolution globally. All these global efforts can significantly impact success.


References

B. Stone-Gross, T. Holz, G. Stringhini, and G. Vigna. The underground economy of spam: A botmaster's perspective of coordinating large-scale spam campaigns. In 4th USENIX Workshop on Large-Scale Exploits and Emerging Threats (LEET), Mar. 2011.

C. P. Lee. Framework for Botnet Emulation and Analysis. PhD thesis, Georgia Institute of Technology, Atlanta, Georgia, May 2009.

Damballa Labs, Threat Report, 2011.

Husna, H., Phithakkitnukoon, S. and Dantu, R. (2008). Traffic shaping of spam botnets. ICCNC 2008, 5th IEEE.

J. B. Grizzard, V. Sharma, C. Nunnery, B. B. Kang, and D. Dagon. Peer-to-peer botnets: Overview and case study. In First Workshop on Hot Topics in Understanding Botnets, 2007.

Joseph Massi, Sudhir Panda, Girisha Rajappa, Senthil Selvaraj, and Swapana Revankar. Literature Review from Botnet Detection and Mitigation, Pace University, White Plains, NY, May 2010.

J. Reed, A. J. Aviv, D. Wagner, A. Haeberlen, B. C. Pierce, and J. M. Smith. Differential privacy for collaborative security. In 3rd European Workshop on System Security (EuroSec), Apr. 2010.

K. Ono, I. Kawaishi, and T. Kamon. Trend of botnet activities. In Proceedings of the


41st Annual IEEE Carnahan Conference on Security Technology (ICCST 07), pp. 243-249, Ottawa, Canada, October 2007.

M. A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis. A multifaceted approach to understanding the botnet phenomenon. In Proc. of the 6th ACM SIGCOMM Internet Measurement Conference (IMC), 2006.

S. Nagaraja, P. Mittal, C. Y. Hong, M. Caesar, and N. Borisov. BotGrep: Finding P2P bots with structured graph analysis. In USENIX Security Symposium, Aug. 2010.

Stinson, E. & Mitchell, J. C. (2008). 'Towards Systematic Evaluation of the Evadability of Bot/Botnet Detection Methods'. WOOT 08: Proceedings of the 2nd Conference on USENIX Workshop on Offensive Technologies, pp. 1-9, USENIX Association, Berkeley, CA, USA.

Y. Xie, F. Yu, K. Achan, R. Panigrahy, G. Hulten, and I. Osipkov. Spamming botnets: signatures and characteristics. In Proceedings of the ACM SIGCOMM Conference on Data Communication (SIGCOMM 08), vol. 38, Seattle, August 2008.