7/22/2019 Hussain Arshad, Botnet Tracking and Intrusion Detection
Botnet Tracking and Intrusion Detection
Arshad Hussain
Eastern Michigan University
TS-699
Prof. Skip Lawver
Table of Contents
1. Abstract ... 3
2. Introduction ... 4
3. Classification and Characterization of Botnets ... 5
   Centralized Botnets ... 5
   Decentralized Botnets ... 7
   Role of DNS ... 7
   Botnet Usage and Motivation ... 7
   Life Cycle of a Botnet ... 8
   Financial Damage ... 11
4. Metrics for Detection ... 12
   Detection Metrics ... 13
5. Measures and Detection Techniques ... 13
   Packet Inspection ... 14
   Flow Record Analysis ... 15
   Spam Record Analysis ... 15
   Sinkholing ... 16
   DNS Cache Snooping ... 17
   Reverse Engineering ... 17
   Port Blocking ... 18
   Detecting Fast Flux Networks ... 18
   Walled Gardens ... 18
   Social Measures ... 19
6. Conclusion ... 20
7. References ... 21
Abstract
Robot networks are generally known as botnets. A bot can be defined as a series of commands or scripts designed to connect to something and execute a command or a series of commands. A botnet is a chain of coordinated machines that can be administered remotely by a hacker; these machines are called zombies. Botnets are a primary security threat on the internet. They affect organizations by stealing trade secrets, stealing employee identity information, inserting malware into source code files and compromising data integrity. The result can be disastrous, leading to loss of revenue and reputation. As the metrics for detecting botnets have not been researched so far, this research project deals with botnet tracking and detection techniques. Here, three metrics are proposed for the detection of botnets. This project clarifies the botnet phenomenon and reveals the most efficient botnet detection techniques.
Keywords: botnets, tracking, detection, intrusion, malware, hacker
Introduction
A botnet can be considered a network of bots under the remote command of a botmaster. These bots are controlled to perform illicit activities, and they pose a significant threat to cyber security. They provide a distributed platform for various cybercrimes such as distributed denial of service (DDoS), malware dissemination, click fraud and phishing. A botnet with zombies is depicted in Figure 1 (Mary Landesman, 2011).
All computer users are at high risk because we all browse the same internet. Every individual should be aware of social networking attacks.
Companies and governments suffer the most damage from botnet attacks. The results of these attacks can be dangerous, costing companies significant manpower, money and clean-up time.
Figure 1: Botnet with zombies.
(Source: A Cisco Report on New Threat Landscape.)
DDoS attacks can disrupt communications, and infected source code can halt critical servers. Botnets have become much more sophisticated and dangerous nowadays. Few formal studies have examined botnet issues, and very little is known about the malicious behaviour of botnets. This research aims at finding out the latest and most advanced techniques of botnet detection.
Classification and Characterization of Botnets
The major part of a botnet is its command and control (C&C) infrastructure. It consists of the bots and an entity that controls them. This entity may be centralized or decentralized. Botmasters use one or more protocols to coordinate their activities and command the victim computers. The C&C infrastructure is the only channel for controlling these bots, so to operate effectively the bots have to maintain a stable connection to it.
Centralized Botnets
The centralized form may be compared to the client-server model. All the bots act as clients and connect to centralized servers, and the servers issue commands to the bots.
The bots communicate with one or more connection points. These points are the command and control servers, which are controlled by the botmaster. As all bots are connected to the servers, the botmaster can instantly send commands to all of them. This is an efficient way of communicating that keeps reaction time low. The botmaster can monitor all the bots and receive direct and accurate feedback, along with the status of the botnet.
As per a technical report of Pennsylvania State University, the IRC (Internet Relay Chat) protocol is one of the important technologies for enabling and controlling centralized models (Athichart, Xiaonan & Miller, 2011).
This protocol allows many participants in one channel, so all the bots can be commanded in parallel. Private communications can be handled on a one-to-one basis, which helps in manipulating single bots directly. IRC is a text-based protocol, and implementation and customization are very easy with it. IRC servers offer robust and well-established approaches to commanding botnets. Botmasters generally own a few IRC servers to propagate commands; as botmasters use their own servers, the botnets are strengthened. IRC provides low latency and simple channels. The widely used IRC botnets are Agobot, GT bot, SDBot and Spybot.
Agobot has the ability to corrupt systems in three modules; each module retrieves the next one after completing its primary activity. Agobot alters the DNS entries of security-related websites and directs them to the local host. GT bot stands for Global Threat; it is a common name used for mIRC scripted codes. It runs the scripts as event responses and can also support TCP and UDP connections. There are many versions of GT bots. SDBot has almost four thousand variants and has already infected around 670,000 machines. One of the most active exploits of SDBot is brute-force password guessing on port 445. Spybot is derived from SDBot. Spybot can log keystrokes, broadcasts spam via instant messaging, and can also alter the registry and disable the security center. So, Spybot is more effective in certain aspects when compared to SDBot.
Hypertext Transfer Protocol (HTTP) is a well-known standard throughout the web that is useful for data delivery. As HTTP is rarely filtered, botmasters are interested in this protocol. Examples of HTTP bots are those that originate from the Zeus crimeware toolkit. These botnets can be propagated and managed easily.
The Locomotive botnet is another case of a centralized botnet that relies on a C&C model and synchronously switches components. The botmaster can take control of certain administrative tasks.
Decentralized Botnets
The decentralized form allows the bots to act autonomously. Bots can establish connections with other bots, and they also send requests for additional commands into the botnet. Here the bots are loosely coupled, and these links are used for communicating with other bots within the botnet. These botnets are also known as peer-to-peer botnets.
The information regarding the other peers is distributed all over the botnet. Bots send and receive their revision numbers while communicating; if the revision numbers differ, the older version is automatically updated to the newer one. This makes monitoring such activity very difficult.
Role of DNS
Fast Flux Service Network (FFSN) technology uses the Domain Name System (DNS) for C&C infrastructure communications. FFSNs have been developed to increase anonymity. An FFSN can act as a distributed proxy network consisting of flux agents that route traffic to the appropriate node.
Botnet Usage and Motivation
With the evolution of botnets, the underground malware and cyber crime economy has grown rapidly. Botmasters are the customers of this malware supply chain, as illustrated in Figure 2. Botmasters can make more profit by offering malware services to various third parties. The major motivation behind these botnets is financial benefit; other motivations are political benefits and military interests.
Figure 2: Malware Economy.
(Source: IT Security Report by St. Poleten University, Austria.)
The Life Cycle of a Botnet
A botnet has four phases, namely infection, injection, maintenance and malicious activity. Figure 3 illustrates the life cycle of a botnet.
In the initial infection phase, systems get infected in many ways, such as executing malicious code, accidentally downloading malicious programs and opening email attachments.
Figure 3: Botnet Life Cycle.
(Source: Survey Report by the Third International Conference on Emerging Security Systems, 2009.)
Some ports are always being scanned by other bots, and in these circumstances the bots can easily infect all the systems on a network. In the secondary injection phase, the botnet code executes to generate bots, all of which are controlled by the botmaster. This process can be initiated through FTP or HTTP. In the maintenance phase, botmasters perform some periodic steps. The botmaster authorizes certain activities, such as distributed denial of service, by sending commands to the C&C server.
According to research by McAfee Labs, around 1.5 million botnet infections have been detected in India so far (Zheng, Pedro & Rahul, 2011). Brazil, Germany and Russia recently exceeded 1 million infections.
The 2011 chart of the number of botnets per victim machine against the world's population is shown in Figure 4 (Gunter Ollmann, 2011).
Figure 4: Botnet Effect.
(Source: Damballa Threat Report.)
The malicious activity phase includes click fraud, spamming, identity theft and political interests.
One of the major tasks of botnets is spamming. Botnets are used to spread junk emails; some of these networks are owned by the spammers themselves. The intention behind spamming is advertising: third parties purchase a batch of spam emails to be delivered by the botmasters, and this is how third-party products are advertised.
As per a Microsoft research report, spam accounts for around 85% of emails (John Mello, 2011). Ferris Research estimated that the cost of these emails would be around 130 billion US dollars.
Click fraud is the other way of monetizing botnets. The hacker opens an account with online advertisers, who pay for pages visited and banners clicked. With the help of the controlled bots, the hacker visits the pages and generates a number of clicks on the banners. Since the hacker already controls the victims' computers, the hacker gets paid by the advertisers.
Bots are also used for extracting user credentials. The important targets are email account passwords, banking transaction passwords and credit card details. This may result in fraudulent money transfers and buying and selling in e-shops.
Botmasters use botnets in political and military contexts. GhostNet and Shadow Network are two botnets that are responsible for infecting machines in almost 103 countries so far. The machines belong to various commissions and embassies, and network traces revealed that sensitive and confidential files had been extracted.
Financial Damage
As customer credentials are being used for illegitimate transfers, the financial claims made by these customers are increasing every day. The Zeus botnet has already infected 3.6 million computers in the USA. Zeus is considered financial malware and is also named zbot. Variants of Zeus can steal all the credentials of social-networking and online-shopping users.
Many literature reviews describe botnets as a growing industry whose attacks have a powerful impact on global businesses. Certain efforts and studies are in progress to understand botnet issues and design defenses against botnet attacks. Some efforts are based on setting up honeynets (virtual honeypots), and some researchers have proposed and discussed the use of honeynets for tracking botnets (Jing Liu, Hongmei & Ghaboosi, 2009). Honeynets are one of the informal ways of studying botnet issues. They are useful only for understanding the technology and characteristics of botnets; they do not necessarily detect botnet infections. With recent developments in botnets, honeynets have become less effective, so a better approach needs to be investigated.
Metrics for Detection
The existing methods of measuring botnet size generally lack accuracy. The numbers are not satisfactory, and they are also limited to a small degree. Based on analysis of the various approaches, certain objectives can be derived for tackling botnet issues and threats. The major recommendations for tackling botnets are listed below.
Mitigating existing botnets:
In order to mitigate existing botnets, the present infections should be reduced.
ISPs must be strongly induced to make better use of their position for detecting and minimizing botnets.
The methods of botnet monitoring and identification should be refined and improved.
Malware analysis and information sharing among the various stakeholders should be improved.
Cross-border cooperation should be simplified and harmonized.
Preventing new infections:
System protection and the management of vulnerable conditions should be enhanced.
To minimize the spread of malware, both vendors and customers should take part in tackling these vulnerability issues.
Minimizing the benefits and profits of cyber crime:
Certain measures should be undertaken to look into the profitability of botnets.
As the patterns are shifting to monetary benefits, they should be controlled effectively by improving anti-fraud methods.
Information should be shared among the various parties, including ISPs and research bodies, in this fight against cyber crime.
Detection Metrics
The metrics for detecting botnets can be derived from botnet behavior. The three metrics are relationship, response time and synchronization.
Relationship: Botnets have a one-to-many relationship between the botmaster and the bots. A relationship can be defined as a connection over one protocol. This connection need not be at the transport layer; it can be at the upper layers. When the botmaster is located centrally, the botnet forms a dense topology in its connections.
Response Time: Other features of a botnet can be traced through the response time. Bots respond as soon as they get commands from the botmaster. The bot performs pre-programmed activities as it receives commands from the master, so the response time is almost constant. Response times of human beings and bots are compared in Figure 5. The response time is one of the important metrics for detecting botnets.
Synchronization: As each bot carries certain programmatic functionality that is a direct reflection of the botmaster's commands, all the bots are well synchronized with each other. All these bots can simultaneously perform actions such as DDoS attacks, information sharing, reporting and receiving commands.
By tracing the traffic and these activities, botnets can be detected. Such hosts can be treated as homogeneous or suspicious bot-groups.
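The three metrics above, worked through as an added example that is not part of the paper: constructed flow-like records (timestamps, hosts and endpoints are all made up, using TEST-NET addresses) are scored for fan-in, reply-time regularity and same-window replies, and a host is flagged only when all three agree.

```python
"""Added example (not from the paper): scoring internal hosts against the
three detection metrics described above (relationship, response time and
synchronization) using a small set of constructed flow-like records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (timestamp_s, host, dst, dport, direction), where
# "in" is a message from dst to the host and "out" is the host's reply.
# Hosts 10.0.0.1-3 behave like bots of one C&C; 10.0.0.9 is a person chatting.
C2 = ("198.51.100.7", 6667)    # constructed C&C endpoint (TEST-NET-2 address)
CHAT = ("203.0.113.5", 6667)   # constructed ordinary chat server
RECORDS = []
for t in (100.0, 200.0, 300.0):
    for host, lag in (("10.0.0.1", 0.2), ("10.0.0.2", 0.25), ("10.0.0.3", 0.2)):
        RECORDS.append((t, host, C2[0], C2[1], "in"))
        RECORDS.append((t + lag, host, C2[0], C2[1], "out"))
for t, reply in ((100.0, 103.5), (200.0, 212.0), (300.0, 340.0)):
    RECORDS.append((t, "10.0.0.9", CHAT[0], CHAT[1], "in"))
    RECORDS.append((reply, "10.0.0.9", CHAT[0], CHAT[1], "out"))


def relationship_fanin(records, min_hosts=3):
    """Relationship metric: endpoints that several internal hosts all talk
    to, the one-to-many shape of a centrally controlled botnet."""
    hosts_by_endpoint = defaultdict(set)
    for _, host, dst, dport, _ in records:
        hosts_by_endpoint[(dst, dport)].add(host)
    return {ep: sorted(h) for ep, h in hosts_by_endpoint.items()
            if len(h) >= min_hosts}


def response_stats(records):
    """Response-time metric: per host, mean and spread of the delay between
    an inbound message and the host's next reply to the same endpoint.
    Pre-programmed bots reply with near-constant delay; people do not."""
    pending, delays = {}, defaultdict(list)
    for ts, host, dst, dport, direction in sorted(records):
        key = (host, dst, dport)
        if direction == "in":
            pending[key] = ts
        elif key in pending:
            delays[host].append(ts - pending.pop(key))
    return {h: (mean(d), pstdev(d)) for h, d in delays.items()}


def synchronized_groups(records, window=1.0, min_hosts=3):
    """Synchronization metric: hosts whose replies to the same endpoint
    fall into the same time window, i.e. act on one command together."""
    buckets = defaultdict(set)
    for ts, host, dst, dport, direction in records:
        if direction == "out":
            buckets[(dst, dport, int(ts // window))].add(host)
    return {k: sorted(h) for k, h in buckets.items() if len(h) >= min_hosts}


def suspected_bots(records, max_jitter=0.05, min_hosts=3):
    """Flag hosts that satisfy all three metrics at once."""
    shared = {h for hs in relationship_fanin(records, min_hosts).values() for h in hs}
    synced = {h for hs in synchronized_groups(records, 1.0, min_hosts).values() for h in hs}
    stats = response_stats(records)
    return sorted(h for h, (_, spread) in stats.items()
                  if h in shared and h in synced and spread <= max_jitter)


if __name__ == "__main__":
    for host, (avg, spread) in sorted(response_stats(RECORDS).items()):
        print(f"{host}: mean reply {avg:.2f}s, spread {spread:.2f}s")
    print("suspected bots:", suspected_bots(RECORDS))
```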
Figure 5: Response time comparison.
(Source: EURASIP Journal on Wireless Communication, 2009.)
Measures and Detection Techniques
A variety of botnet detection techniques and approaches are presented below:
Packet Inspection
This technique is helpful in increasing network security. In this approach, the protocol fields are matched against known patterns of malicious content, such as shellcode sequences in packets or a file server communicating over the IRC protocol. These patterns are known as detection signatures. Intrusion detection systems (IDS) are the best examples of this approach: an IDS monitors traffic and issues warnings when an attack is identified. In some cases the system takes one more step and tries to prevent the attack; such a system is known as an intrusion prevention system (IPS). The function of an IPS is to reject the packets and close the connections. It can also forward the contents of the packets to an analyzing system. All the details extracted regarding the attack are used to contribute to blacklists, and the information is also used to update firewall rules. As far as botnet research is concerned, the packet inspection technique can be used for automated measurement and as a detection mechanism.
Flow Record Analysis
In this technique, network traffic is traced at an abstract level. There is no need to inspect packets individually as in the previous technique; here the streams are regarded collectively, in aggregate form. A flow record has many properties that describe a stream of data, including important attributes such as the source address, destination address, port numbers, protocol, session time, number of packets and packet sizes. Larger traffic volumes can be handled in this approach. The session headers can be tracked, which helps in describing the packet flows.
Flow record analysis aims at identifying traffic patterns. This information is used to filter malicious content, and from it certain schemes can be created for the detection of malicious traffic. Inputs from the packet inspection technique help flow record analysis by supporting the rule specifications. This approach can be used for identifying specific network infections and disinfection mechanisms.
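An added example, not the paper's own code, of the aggregation this section describes: constructed per-packet observations are rolled up into flow records carrying the attributes listed above, and one illustrative flow-level rule (long, low-volume sessions to the IRC port, an assumption made here rather than a rule from the paper) is applied to them.

```python
"""Added example (not from the paper): building flow records from constructed
per-packet observations and applying one flow-level rule. The rule (long,
low-volume sessions to the IRC port) is an assumption for illustration."""
from dataclasses import dataclass


@dataclass
class Flow:
    """One unidirectional flow record with the attributes listed above."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    first: float
    last: float
    packets: int = 0
    octets: int = 0

    @property
    def duration(self):
        return self.last - self.first


# Constructed packets: (timestamp_s, src, sport, dst, dport, proto, bytes).
PACKETS = (
    # bot-like: one tiny packet every 30 s for 15 minutes to an IRC port
    [(float(t), "10.0.0.5", 51000, "198.51.100.7", 6667, "tcp", 48)
     for t in range(0, 901, 30)]
    # ordinary HTTPS fetch: a short burst of large packets
    + [(5.0, "10.0.0.6", 52000, "203.0.113.10", 443, "tcp", 1400),
       (5.1, "10.0.0.6", 52000, "203.0.113.10", 443, "tcp", 1400),
       (5.2, "10.0.0.6", 52000, "203.0.113.10", 443, "tcp", 900)]
    # brief human IRC chat: two larger messages ten seconds apart
    + [(10.0, "10.0.0.6", 52001, "198.51.100.9", 6667, "tcp", 300),
       (20.0, "10.0.0.6", 52001, "198.51.100.9", 6667, "tcp", 260)]
    # two DNS lookups from one socket 500 s apart: split by the idle timeout
    + [(0.0, "10.0.0.6", 53001, "192.0.2.53", 53, "udp", 70),
       (500.0, "10.0.0.6", 53001, "192.0.2.53", 53, "udp", 70)]
)


def build_flows(packets, idle_timeout=60.0):
    """Aggregate packets into flows keyed on the 5-tuple; a silence longer
    than idle_timeout closes the record and starts a new one."""
    active, flows = {}, []
    for ts, src, sport, dst, dport, proto, size in sorted(packets):
        key = (src, sport, dst, dport, proto)
        flow = active.get(key)
        if flow is None or ts - flow.last > idle_timeout:
            flow = Flow(src, sport, dst, dport, proto, ts, ts)
            active[key] = flow
            flows.append(flow)
        flow.last = ts
        flow.packets += 1
        flow.octets += size
    return flows


def long_idle_irc_flows(flows, min_duration=600.0, max_avg_bytes=80):
    """Rule informed by packet inspection: an IRC session kept open for a long
    time with only small packets looks like a bot waiting for commands."""
    return [f for f in flows if f.dport == 6667 and f.duration >= min_duration
            and f.octets / f.packets <= max_avg_bytes]


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    for f in flows:
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} {f.proto} "
              f"{f.duration:.0f}s {f.packets} pkts {f.octets} bytes")
    print("flagged:", [(f.src, f.dst) for f in long_idle_irc_flows(flows)])
```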
Spam Record Analysis
Botnets usually distribute unsolicited emails, which is called spamming. By analyzing these spam records, botnet activities can be determined. Here all the necessary information is obtained by investigating the spam messages of botnets. As a botnet generates spam emails, they follow the same pattern, and these patterns are analyzed to identify the spam generation. The templates of the spam are extracted from the botnets. The headers of spam messages are used in discovering the botnet's location and its overall distribution. This process of comparing and aggregating spam emails is known as spam campaigning.
Sinkholing
Sinkholing can be defined as a countermeasure for removing malicious control from botnets. The technique is used against various targets: it changes the target domain and redirects it to trusted parties. Figure 6 illustrates the proposed model of the sinkholing technique.
Figure 6: Sinkholing Technique.
(This is the proposed model of a sinkholed server.)
Here the accuracy is largely dependent on the details of the target host. In many cases, the information provided by the bots to the sinkholed server can reveal the identity of these bots with very high accuracy. Sinkhole operators should be cautious regarding the sensitive content of the incoming data: they should carefully handle incoming packets containing bank account details, credit card details and other financial information. This approach can be used for both centralized and decentralized botnets.
DNS Cache Snooping
This technique deals with the caching behaviour implemented by almost all DNS servers. If a query is made to a DNS server that has no matching entry, the server issues a query to the authoritative servers and stores the result in a local cache. Caching increases the overall performance of the name server by reducing the traffic load.
There are two variants. In the first variant, the DNS server is queried with a particular flag. The server either sends the answer directly or sends the answer together with the names of the authoritative servers. This may not work for all DNS servers.
The second variant works with all DNS servers. In this approach, that flag is not set, and the DNS server may forward the query to other servers. Whether an answer was cached is determined by analyzing the name queries, which gives complete parallelization of the process. This can be tracked through the TTL (Time to Live) values in the responses.
By this approach, we can exploit the general partitioning of the web. All the required information can be derived from these well-defined partitions.
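An added example, not from the paper, of the cache snooping variant that relies on the TTL: it assumes the flag the text refers to is the DNS recursion-desired (RD) bit, encodes a query with that bit cleared, parses the resolver's wire-format reply, and reads a counted-down TTL as evidence that some client behind the resolver recently looked up the name. The reply is constructed in code so the example runs offline; the name and address are placeholders.

```python
"""Added example (not from the paper): the non-recursive variant of DNS cache
snooping in wire format, used here to check whether a resolver has recently
served a known C&C name (a sign that some client behind it is infected).
Assumes the flag the text refers to is the recursion-desired (RD) bit."""
import struct

QTYPE_A = 1


def build_query(name, recursion_desired=False, txid=0x1234):
    """Encode a DNS question; RD cleared asks the resolver to answer only
    from its cache instead of recursing to the authoritative servers."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, 1)


def _read_name(msg, off):
    """Decode a (possibly compressed) domain name; returns (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Return transaction id, rcode and the answer RRs as (name, type, ttl, rdata)."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                              # skip qtype and qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def snoop_verdict(response, authoritative_ttl):
    """A cached record comes back with its TTL already counting down, so the
    gap to the authoritative TTL says how long ago someone looked it up."""
    if not response["answers"]:
        return "not cached"
    ttl = min(rr[2] for rr in response["answers"])
    if ttl < authoritative_ttl:
        return f"cached ({authoritative_ttl - ttl} s ago)"
    return "fresh answer (resolver may have recursed)"


def constructed_response(query, ttl, ip, cached=True):
    """Test fixture standing in for the resolver's UDP reply (constructed,
    not captured traffic): echoes the question and adds one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    answer = b""
    if cached:
        answer = (b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, ttl, 4)
                  + bytes(int(o) for o in ip.split(".")))
    header = struct.pack("!HHHHHH", txid, 0x8080, 1, 1 if cached else 0, 0, 0)
    return header + query[12:] + answer


if __name__ == "__main__":
    # In practice build_query(...) is sent over UDP to the resolver's port 53;
    # here the reply is constructed so the example runs offline.
    q = build_query("c2.example.net")        # placeholder name, not a real C&C
    reply = parse_response(constructed_response(q, 3590, "198.51.100.7"))
    print(reply["answers"], snoop_verdict(reply, 3600))
```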
Reverse Engineering
Recovering the functionality of a program without its source code is known as reverse engineering. Malware reverse engineering helps in extracting the details of how malware installs and spreads. The process involves static analysis and dynamic analysis. In static analysis, the binary is not executed; this phase deals with reconstructing certain aspects of the functionality. Dynamic analysis deals with executing the sample. The behaviour of the malware can be determined by monitoring the host; such behaviour includes credential searching and key-logging.
Port Blocking
This technique is usually implemented by ISPs to minimize spam messages. As 87% of emails have been reported as spam, this threat should be mitigated. Some services such as Direct Mail Exchange operate through port 25, and their sole purpose is to distribute spam messages. So the best approach is to block port 25 at the ISP level. The ports used by IRC and FTP applications should also be blocked, while certain legitimate services should be whitelisted.
Detecting Fast Flux Networks
These networks can change their DNS records very quickly and can point to a large number of hosts. They can be treated as a proxy layer. Many IP addresses can be linked with a few domain names or only one domain name. The domain records of flux networks are valid for a short period, which can be traced through the TTL values in responses. By tracing the domains with low TTL values, fast flux domains can be identified. Another way of extracting the network hosts is by sending repeated queries and collecting the records.
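The two indicators above (short TTLs, and a large rotating address pool revealed by repeated queries) combined into one check, as an added example that is not part of the paper. The lookup log, domains, addresses and thresholds are all constructed for illustration; a low TTL on its own is deliberately not enough, since CDNs use short TTLs too.

```python
"""Added example (not from the paper): flagging fast flux domains from
repeated lookups, using the two indicators named above, short TTLs and a
changing pool of many IP addresses behind one name. All data is constructed."""
from collections import defaultdict

# Constructed lookup log: (seconds, domain, ttl, answer IPs). Names and
# addresses are documentation/TEST-NET placeholders, not real infrastructure.
OBSERVATIONS = [
    (0,   "flux.example.org", 180, ["198.51.100.21", "203.0.113.44", "192.0.2.9"]),
    (300, "flux.example.org", 180, ["198.51.100.22", "203.0.113.45", "192.0.2.10"]),
    (600, "flux.example.org", 180, ["198.51.100.23", "203.0.113.46", "192.0.2.11"]),
    (0,   "cdn.example.com", 60, ["192.0.2.50", "192.0.2.51"]),   # low TTL, stable pool
    (300, "cdn.example.com", 60, ["192.0.2.50", "192.0.2.51"]),
    (600, "cdn.example.com", 60, ["192.0.2.51", "192.0.2.50"]),
    (0,   "www.example.net", 86400, ["198.51.100.200"]),
    (600, "www.example.net", 86400, ["198.51.100.200"]),
]


def summarize(observations):
    """Per domain: number of queries, all IPs ever returned, lowest TTL seen
    and how often the answer set changed between consecutive queries."""
    per_domain = defaultdict(lambda: {"queries": 0, "ips": set(),
                                      "min_ttl": None, "changes": 0, "last": None})
    for _, domain, ttl, ips in sorted(observations, key=lambda o: (o[0], o[1])):
        d = per_domain[domain]
        d["queries"] += 1
        d["ips"].update(ips)
        d["min_ttl"] = ttl if d["min_ttl"] is None else min(d["min_ttl"], ttl)
        current = frozenset(ips)
        if d["last"] is not None and current != d["last"]:
            d["changes"] += 1
        d["last"] = current
    return per_domain


def is_fast_flux(entry, max_ttl=300, min_ips=5):
    """Thresholds are illustrative: a short TTL alone is normal for CDNs, so
    require a large pool of addresses that rotates between queries as well."""
    return (entry["min_ttl"] <= max_ttl and len(entry["ips"]) >= min_ips
            and entry["changes"] > 0)


def flagged_domains(observations):
    """Domains in the log that meet all fast flux indicators, sorted by name."""
    return sorted(d for d, e in summarize(observations).items() if is_fast_flux(e))


if __name__ == "__main__":
    for domain, e in sorted(summarize(OBSERVATIONS).items()):
        print(f"{domain}: min_ttl={e['min_ttl']} ips={len(e['ips'])} "
              f"changes={e['changes']} fast_flux={is_fast_flux(e)}")
```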
Walled Gardens
Walled gardens can protect the customers of an ISP and the other users of the internet. A walled garden intercepts and isolates the outgoing connections of infected hosts. This process involves detection, notification and removal stages. The initial detection of the botnet can be handled by one of the DNS-based methods. After the infection of a connection has been confirmed, that user should be placed in a walled garden.
Here the user's connectivity is constrained, and the constraints depend on the ISP's policy. A notification is sent to the user. A walled garden forbids most connection attempts by the isolated user, who can only connect to certain malware mitigation services. The user's DNS queries should be handled by providing crafted answers that redirect the user to the ISP's website. The website provides the necessary instructions and links to tools that can remove the malware. This is known as self-remediation.
Social Measures
We need to raise user awareness to prevent botnets. Users should be trained in tackling malware-infected systems. Up-to-date software patches can protect systems. Good password management can help in reducing the damage. Employees should be trained through security awareness programs and courses from their organization.
Effective cooperation among the stakeholders is one of the important initiatives in tackling botnets. Researchers may have all the necessary details regarding some botnets. Law enforcement can order the implementation of measures for eliminating botnets. All these stakeholders should contribute in order to enhance botnet mitigation mechanisms and processes.
Global collaboration can help in understanding the overall view of the malware effect and the latest developments in analyzing and tackling infected systems. This is very essential as almost all countries have been affected by botnets.
Conclusion
The measures and techniques provided in this report operate at various levels. The sinkholing technique works well on the top tier of the infrastructure. Walled gardens can detect the root cause of an infection by confining the hosts. One of the countermeasures that can be used to target malware operators is legislation and regulation on cybercrime. These cybercrime laws should offer the flexibility to face cybercrime and botnet evolution globally. All these global efforts can significantly impact success.
References
B. Stone-Gross, T. Holz, G. Stringhini, and G. Vigna. The underground economy of spam: A botmaster's perspective of coordinating large-scale spam campaigns. In 4th USENIX Workshop on Large-Scale Exploits and Emerging Threats (LEET), Mar. 2011.
C. P. Lee. Framework for Botnet Emulation and Analysis. PhD thesis, Georgia Institute of Technology, Atlanta, Georgia, May 2009.
Damballa Labs. Threat Report, 2011.
H. Husna, S. Phithakkitnukoon, and R. Dantu. Traffic shaping of spam botnets. In ICCNC 2008, 5th IEEE, 2008.
J. B. Grizzard, V. Sharma, C. Nunnery, B. B. Kang, and D. Dagon. Peer-to-peer botnets: Overview and case study. In First Workshop on Hot Topics in Understanding Botnets, 2007.
J. Massi, S. Panda, G. Rajappa, S. Selvaraj, and S. Revankar. Literature Review from Botnet Detection and Mitigation. Pace University, White Plains, NY, May 2010.
J. Reed, A. J. Aviv, D. Wagner, A. Haeberlen, B. C. Pierce, and J. M. Smith. Differential privacy for collaborative security. In 3rd European Workshop on System Security (EuroSec), Apr. 2010.
K. Ono, I. Kawaishi, and T. Kamon. Trend of botnet activities. In Proceedings of the 41st Annual IEEE Carnahan Conference on Security Technology (ICCST 07), pp. 243-249, Ottawa, Canada, October 2007.
M. A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis. A multifaceted approach to understanding the botnet phenomenon. In Proc. of the 6th ACM SIGCOMM Internet Measurement Conference (IMC), 2006.
S. Nagaraja, P. Mittal, C. Y. Hong, M. Caesar, and N. Borisov. BotGrep: Finding P2P bots with structured graph analysis. In USENIX Security Symposium, Aug. 2010.
E. Stinson and J. C. Mitchell. Towards systematic evaluation of the evadability of bot/botnet detection methods. In WOOT 08: Proceedings of the 2nd USENIX Workshop on Offensive Technologies, pp. 1-9, USENIX Association, Berkeley, CA, USA, 2008.
Y. Xie, F. Yu, K. Achan, R. Panigrahy, G. Hulten, and I. Osipkov. Spamming botnets: Signatures and characteristics. In Proceedings of the ACM SIGCOMM Conference on Data Communication (SIGCOMM 08), vol. 38, Seattle, August 2008.