Botnets

wallbroad, Security

3 Dec 2013


- Collection of connected programs communicating with similar programs to perform tasks
  - Legal
    - IRC bots to moderate/administer channels
    - Origin of the term "botnet"


  - Illegal
    - Bots usually added through infections
    - Communicate through standard network protocols
    - Named after the malware that created the botnet
      - Multiple botnets can be created by the same malware
      - Controlled by different entities
    - "Bot master" can control the entire group of computers remotely through a Command and Control (C&C) system


- Botnets are used for various purposes
  - Distributed Denial of Service attacks (DDoS)
  - SMTP mail relays for spam
  - Click fraud
    - Simulating false clicks on advertisements to earn money
  - Theft of information
    - Application serial numbers
    - Login information
    - Financial information
    - Personal information
  - Bitcoin mining


- Three main connection models
  - Centralized
  - P2P-based
  - Unstructured



- Centralized model
  - Central point (server) that forwards messages to bots
  - Advantages
    - Simple to implement
    - Customizable
  - Disadvantages
    - Easier to detect and destroy
  - Most botnets use this model


- P2P-based model
  - Mainly used to avoid the problems of the centralized model
  - Does not use a server as a central location; instead the bots are connected to each other
  - Advantages
    - Very hard to destroy
    - Commands can be injected at any point
    - Hard for researchers to find all bots
  - Disadvantages
    - Harder to implement and design


- Unstructured model
  - Bots do not actively contact other bots or the botmaster
    - They only listen for incoming connections
  - Botmaster randomly scans the internet for bots
  - When a bot is found, the botmaster sends encrypted commands


- Botnets use well-defined communication protocols
  - Helps them blend in with normal traffic
  - Protocol examples
    - IRC
      - Most common
      - Used for one-to-many or one-on-one communication
    - HTTP
      - Difficult to detect
      - Allowed through most security devices by default
    - P2P
      - More advanced communication
      - Not always allowed on the network


- Two main detection methods
  - Signature-based
    - Relies on knowing the connection methods
    - Cannot detect new threats
  - Anomaly-based
    - Relies on deviations from baseline traffic
    - High false-positive rates
    - Not useful in cases where baseline traffic cannot be established


- Malware writers are constantly looking for new ways to avoid detection
- Recent botnets employ new methods to avoid detection
  - Fast flux
  - Domain flux


- Fast flux
  - Uses a set of IP addresses that all correspond to one domain name
  - Uses a short TTL (Time To Live) and large IP pools
  - Can be grouped into two categories
    - Single flux
    - Double flux


- Single flux
  - Domain resolves to a different IP in different time ranges
  - Example: a user accesses the same domain twice
    - First DNS query returns 11.11.11.11
    - TTL of the DNS answer expires
    - User performs another DNS query for the domain
    - DNS server returns 22.22.22.22
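As an added example (not code from the original slides), here is a small detector over constructed passive-DNS style records that flags a domain whose answers churn through many IPs in different /16 prefixes with short TTLs, the single-flux pattern just described. The record layout, domain names, IPs and thresholds are assumptions made for this example.

```python
# Added example (not from the original slides): flag domains whose DNS answers
# look like single flux, i.e. short TTLs and a churning set of IPs over time.
# Records, thresholds and domain names below are constructed for illustration.
from collections import defaultdict
from ipaddress import ip_address

# Constructed passive-DNS style observations: (timestamp, domain, answer IP, TTL seconds)
OBSERVED_ANSWERS = [
    (0,    "flux-example.test",   "11.11.11.11", 300),
    (300,  "flux-example.test",   "22.22.22.22", 300),
    (600,  "flux-example.test",   "33.44.55.66", 300),
    (900,  "flux-example.test",   "77.88.99.10", 300),
    (1200, "flux-example.test",   "11.11.11.11", 300),
    (0,    "cdn-example.test",    "198.51.100.7", 60),
    (60,   "cdn-example.test",    "198.51.100.8", 60),
    (0,    "static-example.test", "203.0.113.5", 86400),
]

# Assumed (hypothetical) thresholds: many distinct IPs, spread over many /16s, short TTL.
MIN_DISTINCT_IPS = 3
MIN_DISTINCT_PREFIXES = 3
MAX_TTL = 600


def summarize(answers):
    """Per domain: (distinct IP count, distinct /16 prefix count, lowest TTL seen)."""
    ips, prefixes, min_ttl = defaultdict(set), defaultdict(set), {}
    for _ts, domain, ip, ttl in answers:
        ips[domain].add(ip)
        # /16 prefix = first two octets, so 11.11.11.11 and 11.11.22.22 count once
        prefixes[domain].add(str(ip_address(ip)).rsplit(".", 2)[0])
        min_ttl[domain] = min(ttl, min_ttl.get(domain, ttl))
    return {d: (len(ips[d]), len(prefixes[d]), min_ttl[d]) for d in ips}


def flux_candidates(answers):
    """Return the sorted domain names whose answer history matches the flux heuristic."""
    out = []
    for domain, (n_ips, n_prefixes, ttl) in summarize(answers).items():
        if n_ips >= MIN_DISTINCT_IPS and n_prefixes >= MIN_DISTINCT_PREFIXES and ttl <= MAX_TTL:
            out.append(domain)
    return sorted(out)


if __name__ == "__main__":
    for d, stats in summarize(OBSERVED_ANSWERS).items():
        print(f"{d}: distinct_ips={stats[0]} prefixes={stats[1]} min_ttl={stats[2]}")
    print("flux candidates:", flux_candidates(OBSERVED_ANSWERS))
```

The CDN-like domain also has a short TTL but stays inside one prefix, which is why the prefix count is part of the heuristic.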


- Double flux
  - More sophisticated counter-detection
  - Repeated changes of both the flux agents and their registration in DNS servers
  - Authoritative DNS server is part of the fluxing
  - Provides extra redundancy


- A critical step in detecting a fast flux network is to distinguish a fast fluxing attack network (FFAN) from a fast fluxing service network (FFSN)
  - All agents in an FFSN should be up 24/7
  - Agents within an FFAN have unpredictable alive time
    - Botmaster does not have physical control over the bots
  - Two metrics developed to distinguish these
    - Average Online Rate (AOR)
    - Minimum Available Rate (MAR)
- Detection system uses AOR and MAR to track FFANs and FFSNs
  - Broken up into four components
    - Dig tool: gathers information and adds new IP addresses to the database
    - Agents monitor: sends HTTP requests and records the responses
    - IP lifespan records database: stores service status
    - Detector: judges between FFAN and FFSN by using AOR and MAR
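As an added example (not the detection system's own code), the following computes the two metrics named above from per-agent HTTP probe results, the kind of data the "agents monitor" component records, and lets the detector judge FFSN versus FFAN. The definitions of AOR and MAR, the probe records and the thresholds are this example's assumptions, not taken from the slides.

```python
# Added example (not the paper's or the slides' code): compute the two metrics named
# above from per-agent probe results and judge FFSN vs FFAN. The definitions are
# this example's reading of "Average Online Rate" and "Minimum Available Rate":
#   availability(agent) = online probes / total probes
#   AOR = mean availability over all agents, MAR = lowest availability of any agent
# Probe records and the decision thresholds are constructed/hypothetical.

# Constructed "agents monitor" records: for each flux agent IP, the HTTP probe
# results in order (True = responded, False = no response), one probe per hour.
SERVICE_NET = {   # looks like an FFSN: hosts under operator control, up 24/7
    "203.0.113.10": [True] * 24,
    "203.0.113.11": [True] * 23 + [False],
    "203.0.113.12": [True] * 24,
}
ATTACK_NET = {    # looks like an FFAN: infected home machines with unpredictable uptime
    "198.51.100.20": [True, True, False, False, False, True, True, False] * 3,
    "198.51.100.21": [True] * 24,
    "198.51.100.22": [False] * 20 + [True] * 4,
}

AOR_THRESHOLD = 0.9   # hypothetical
MAR_THRESHOLD = 0.7   # hypothetical


def availability(probes):
    """Fraction of probes to which one agent responded."""
    return sum(1 for p in probes if p) / len(probes)


def aor_mar(agents):
    """Return (AOR, MAR) for a set of agents, per the assumed definitions above."""
    rates = [availability(p) for p in agents.values()]
    return sum(rates) / len(rates), min(rates)


def classify(agents):
    aor, mar = aor_mar(agents)
    # Both metrics must be high to call it a legitimate service network:
    # a single agent with long outages is enough to lower MAR and flag an FFAN.
    return "FFSN" if aor >= AOR_THRESHOLD and mar >= MAR_THRESHOLD else "FFAN"


if __name__ == "__main__":
    for name, net in (("service", SERVICE_NET), ("attack", ATTACK_NET)):
        aor, mar = aor_mar(net)
        print(f"{name}: AOR={aor:.2f} MAR={mar:.2f} -> {classify(net)}")
```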


- Domain flux
  - Created to avoid the single point of failure
  - Uses a set of domain names that are constantly and automatically generated
    - Only occasionally correspond to an IP address
  - Bots and server both run the domain name generation algorithm
  - Bots try to contact the C&C server by using the generated domain names
    - If no answer is received at one, the bot moves on to the next


- Torpig was a botnet that used domain flux
  - Eventually taken over by researchers
  - First calculated domain names from the current week and current year: "weekyear.com" or "weekyear.net"
  - If those fail, it moves on to the calculated daily domain
  - If all other methods fail, a Torpig bot will try to connect to a hard-coded domain within its configuration files


- Reverse-engineering the domain generation algorithm is not always possible
- Only a few of the generated domains will resolve to IP addresses
  - One detection method is to watch DNS query failures
    - A small percentage will be user error/poor configuration
    - A larger part of the errors will be from malicious activity
    - With enough data one should be able to find patterns in the DNS query errors
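As an added example (not from the original slides), this scans constructed DNS resolver log lines for clients whose NXDOMAIN failures stand out from the background of occasional typos, which is the pattern a domain-flux bot leaves when it walks through generated names that mostly do not resolve. The log format, client addresses, domain names and thresholds are assumptions made for this example.

```python
# Added example (not from the original slides): scan constructed DNS resolver log lines
# for clients whose NXDOMAIN rate stands out, the trace a domain-flux bot leaves when
# it walks through generated names that mostly do not resolve. The log format,
# client addresses, domain names and thresholds are all constructed for this example.
import re
from collections import defaultdict

LOG_LINES = """\
2013-12-03T10:00:01 client=10.0.0.5 qname=www.example.com rcode=NOERROR
2013-12-03T10:00:02 client=10.0.0.5 qname=wwww.example.com rcode=NXDOMAIN
2013-12-03T10:00:03 client=10.0.0.5 qname=mail.example.com rcode=NOERROR
2013-12-03T10:00:04 client=10.0.0.9 qname=kq8zv1.com rcode=NXDOMAIN
2013-12-03T10:00:04 client=10.0.0.9 qname=kq8zv1.net rcode=NXDOMAIN
2013-12-03T10:00:05 client=10.0.0.9 qname=pt3mnf.com rcode=NXDOMAIN
2013-12-03T10:00:05 client=10.0.0.9 qname=pt3mnf.net rcode=NXDOMAIN
2013-12-03T10:00:06 client=10.0.0.9 qname=x0rq7a.net rcode=NOERROR
""".splitlines()

LINE_RE = re.compile(r"client=(?P<client>\S+) qname=(?P<qname>\S+) rcode=(?P<rcode>\S+)")

# Hypothetical thresholds: a single typo must not trip the alert, a run of failures should.
MIN_FAILURES = 4
MIN_FAILURE_RATIO = 0.5


def per_client_stats(lines):
    """Map client -> (total queries, NXDOMAIN count, sorted distinct failed names)."""
    queries, failures, failed_names = defaultdict(int), defaultdict(int), defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        c = m["client"]
        queries[c] += 1
        if m["rcode"] == "NXDOMAIN":
            failures[c] += 1
            failed_names[c].add(m["qname"])
    return {c: (queries[c], failures[c], sorted(failed_names[c])) for c in queries}


def suspicious_clients(lines):
    """Clients whose NXDOMAIN volume and ratio both exceed the thresholds."""
    flagged = []
    for client, (q, nx, _names) in per_client_stats(lines).items():
        if nx >= MIN_FAILURES and nx / q >= MIN_FAILURE_RATIO:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    print("suspicious:", suspicious_clients(LOG_LINES))
```

The distinct failed names kept per client are what an analyst would inspect next for a shared structure such as the weekly and daily names described for Torpig.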


- Fast flux networks are mitigated by blacklisting the domain name associated with the flux
  - Contact the registrar
  - ISP blocks requests for the domain in DNS
  - ISP monitors DNS queries to the domain
- Domain flux is harder to mitigate
  - In order to register domain names before the attackers, one must know the algorithm used
  - Automated techniques to block DNS queries are not always accurate
  - Registrars used by attackers usually do not listen to abuse reports


- Examples of botnets
  - BredoLab
    - Created May 2009
    - 30,000,000 bots
  - Mariposa
    - Created 2008
    - 12,000,000 bots
  - Zeus
    - Steals banking credentials for all major banks
    - 3,600,000 bots in the US alone
    - Customizable