A Multifaceted Approach to Understanding the Botnet Phenomenon - PowerPoint PPT Presentation

About This Presentation
Title:

A Multifaceted Approach to Understanding the Botnet Phenomenon

Description:

A Multifaceted Approach to Understanding the Botnet Phenomenon Authors : Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis Computer Science Department – PowerPoint PPT presentation

Number of Views:95
Avg rating:3.0/5.0
Slides: 28
Provided by: stud66
Learn more at: http://www.cs.ucf.edu
Category:

less

Transcript and Presenter's Notes

Title: A Multifaceted Approach to Understanding the Botnet Phenomenon


1
A Multifaceted Approach to Understanding the
BotnetPhenomenon
  • Authors
  • Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose,
    Andreas Terzis
  • Computer Science Department
  • Johns Hopkins University
  • Presented at
  • Internet Measurement Conference, IMC'06, Brazil,
    October 2006
  • Presented By
  • Ramanarayanan Ramani

2
Outline
  • Working of Botnets
  • Measuring Botnets
  • Inference from Measurement
  • Strengths
  • Weaknesses
  • Suggestions

3
Botnets
  • A botnet is a network of infected end-hosts
    (bots) under the command of a botmaster.
  • 3 Different Protocols Used
  • IRC
  • HTTP
  • P2P

4
Botnets (contd.)
  • 3 Steps of Authentication
  • Bot to IRC Server
  • IRC Server to Bot
  • Botmaster to Bot

() Optional Step
5
Measuring Botnets
  • Three Distinct Phases
  • Malware Collection
  • Collect as many bot binaries as possible
  • Binary analysis via gray-box testing
  • Extract the features of suspicious binaries
  • Longitudinal tracking
  • Track how bots spread and its reach

6
Measuring Botnets
Darknet Denotes an allocated but unused portion
of the IP address space.
7
Malware Collection
  • Nepenthes is a low interaction honeypot
  • Nepenthes mimics the replies generated by
    vulnerable services in order to collect the first
    stage exploit
  • Modules in nepenthes
  • Resolve DNS asynchronous
  • Emulate vulnerabilities
  • Download files Done here by the Download
    Station
  • Submit the downloaded files
  • Trigger events
  • Shellcode handler

8
Malware Collection
  • Honeynets also used along
  • with nepenthes
  • Catches exploits missed by nepenthes
  • Unpatched Windows XP are run which is base copy
  • Infected honeypot compared with base to identify
    Botnet binary

9
Gateway
  • Routing to different components
  • Firewall Prevent outbound attacks self
    infection by honeypots
  • Detect Analyze outgoing traffic for infections
    in honeypot
  • Only 1 infection in a honeypot
  • Several other functions

10
Binary Analysis
  • Two logically distinct phases
  • Derive a network fingerprint of the binary
  • Derive IRC-specific features of the binary
  • IRC Server learns Botnet dialect - Template
  • Learn how to correctly mimic bots behavior -
    Subject bot to a barrage of commands

11
IRC Tracker
  • Use template to mimic bot
  • Connect to real IRC server
  • Communicate with botmaster using bot dialect
  • Drones modified and used to act as IRC Client by
    the tracker to Cover lot of IP addresss

12
DNS Tracker
  • Bots issue DNS queries to resolve the IP
    addresses of their IRC servers
  • Tracker uses DNS requests
  • Has 800,000 entries after reduction
  • Maintain hits to a server

13
Measuring Botnets
Darknet Denotes an allocated but unused portion
of the IP address space.
14
Botnet Traffic Share
15
Botnet Traffic Share
16
DNS Tracker Results
17
Bot Scan Method
  • 2 Types
  • Immediately start scanning the IP space looking
    for new victims after infection 34 / 192
  • Scan when issued some command by botmaster

18
Botnet Growth - DNS
19
Botnet Growth IRC Tracker
20
Botnet Online Population
21
Botnet Online Population
22
Botnet Software Taxonomy
Services Launched in Victim Machine OS of
Exploited Host
23
Botmaster Analysis
24
Strengths
  • All aspects of a botnet analyzed
  • No prior analysis of bots
  • Ability to model various types of bots

25
Weakness
  • Only Microsoft Windows systems analyzed
  • Focus on IRC-based bots as they are predominant

26
Suggestions
  • Use the analysis to model new bots
  • Use the analysis to model protection methods

27
Questions
Write a Comment
User Comments (0)
About PowerShow.com