Revealing Botnets Using Network Traffic Statistics

Transcription

1 Revealing Botnets Using Network Traffic Statistics P. Čeleda, R. Krejčí, V. Krmíček {celeda Security and Protection of Information 2011, May 2011, Brno, Czech Republic

2 Part I Introduction P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 2 / 19

3 Modern Home With a Network Connected Devices Internet Web services and web content Commonly protected local devices P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 3 / 19

4 Modern Home With a Network Connected Devices Internet Web services and web content Commonly protected local devices P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 3 / 19

5 Modern Home With a Network Connected Devices Web services and web content Internet Unprotected local network devices & systems Commonly protected local devices P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 3 / 19

6 Modern Home With a Network Connected Devices Attacker Internet Unprotected local network devices & systems Web services and web content Commonly protected local devices P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 3 / 19

7 Insecurity of Embedded Network Devices Embedded Network Devices Threats DDoS attacks large-scale denial of service attacks. Data leakage MITM attacks, traffic sniffing, log analysis. Missing anti-virus or anti-malware software to protect them. P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 4 / 19

8 Insecurity of Embedded Network Devices Embedded Network Devices Threats DDoS attacks large-scale denial of service attacks. Data leakage MITM attacks, traffic sniffing, log analysis. Missing anti-virus or anti-malware software to protect them. Number of Vulnerable Embedded Devices 1 540,000 publicly accessible embedded devices configured with factory default root passwords. 96 % of 102,000 vulnerable devices remain vulnerable after a 4-month period. 1 Ang Cui and Salvatore J. Stolfo: A Quantitative Analysis of the Insecurity of Embedded Network Devices: Results of a Wide-Area Scan. P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 4 / 19

9 Part II Unix-like Embedded Malware P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 5 / 19

10 Unix-like Embedded Malware Linux as cheap and customizable system for SOHO devices. Weak attention is paid to the security. Outdated software (e.g. Linux kernel 2.4) with known flaws. General Linux malware can be used as a cross-platform malware for embedded devices. P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 6 / 19

11 Unix-like Embedded Malware Overview I Kaiten Simple IRC client with an ability for DDoS attacks. P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 7 / 19

12 Unix-like Embedded Malware Overview I Kaiten Hydra Simple IRC client with an ability for DDoS attacks. Similar functions to Kaiten, but Hydra in addition scans for vulnerable devices. P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 7 / 19

13 Unix-like Embedded Malware Overview I Kaiten Hydra Simple IRC client with an ability for DDoS attacks. Similar functions to Kaiten, but Hydra in addition scans for vulnerable devices. Publicly available source code. Originally Linux malware used on commodity PCs. Currently used as a base for about a dozen of botnets wa-goraku, m0dd3d, PsIk0,... P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 7 / 19

14 Unix-like Embedded Malware Overview II PSYB0T The first botnet targeting SOHO devices. Operated in spring 2009 with estimated size about thousands of bots. P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 8 / 19

15 Unix-like Embedded Malware Overview II PSYB0T The first botnet targeting SOHO devices. Operated in spring 2009 with estimated size about thousands of bots. Chuck Norris Botnet Disclosed in December 2009, operates with some modifications till this time. Originally used only Telnet, newly supports infection via SSH. P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 8 / 19

16 Architecture of Unix-like Embedded Botnets vulnerable device 1 1 Initial infection. botnet P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 9 / 19

17 Architecture of Unix-like Embedded Botnets vulnerable device 2 web server Initial infection. 2 Bot update. botnet P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 9 / 19

18 Architecture of Unix-like Embedded Botnets C&C server 3 vulnerable device 2 web server botnet 1 Initial infection. 2 Bot update. 3 Listening (usually via IRC) for orders from C&C center. P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 9 / 19

19 Architecture of Unix-like Embedded Botnets botmaster C&C server vulnerable device web server botnet 1 Initial infection. 2 Bot update. 3 Listening (usually via IRC) for orders from C&C center. 4 Maintenance and malicious commands from botmaster. P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 9 / 19

20 Part III Embedded Malware Detection Chuck Norris Botnet Use Case P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 10 / 19

21 NetFlow Based CNBv2 Detection Methods Chuck Norris Botnet Version 2 Detection Methods scanning detection. initialization and update detection. communication with C&C centers detection. DNS spoofing attack detection. Detection Corresponds to Botnet Lifecycle Applied to NetFlow Data Defined as NFDUMP filters. Implemented to NfSen collector. P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 11 / 19

22 Detection of CNBv2 Scanning Incoming and outgoing TCP SYN scans on port 22 and 23. infected device NFDUMP detection filter P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 12 / 19

23 Detection of CNBv2 Scanning Incoming and outgoing TCP SYN scans on port 22 and 23. infected device local network NFDUMP detection filter (net local_network) P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 12 / 19

24 Detection of CNBv2 Scanning Incoming and outgoing TCP SYN scans on port 22 and 23. list of C class networks to scan infected device x x x x local network NFDUMP detection filter (net local_network) P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 12 / 19

25 Detection of CNBv2 Scanning Incoming and outgoing TCP SYN scans on port 22 and 23. list of C class networks to scan infected device TCP/22, x x x x local network NFDUMP detection filter (net local_network) and (dst port 22 or dst port 23) and (proto TCP) P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 12 / 19

26 Detection of CNBv2 Scanning Incoming and outgoing TCP SYN scans on port 22 and 23. list of C class networks to scan infected device TCP/22, x x x x x local network x NFDUMP detection filter (net local_network) and (dst port 22 or dst port 23) and (proto TCP) P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 12 / 19

27 Detection of CNBv2 Scanning Incoming and outgoing TCP SYN scans on port 22 and 23. list of C class networks to scan infected device TCP/22,23 SYN/RESET flags x x x x x local network x NFDUMP detection filter (net local_network) and (dst port 22 or dst port 23) and (proto TCP) and ((flags S and not flags ARPUF) or (flags SR and not flags APUF)) P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 12 / 19

28 Detection of CNBv2 Initialization and Update Bot s web download requests from infected host. local network NFDUMP detection filter P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 13 / 19

29 Detection of CNBv2 Initialization and Update Bot s web download requests from infected host. infected device local network NFDUMP detection filter (src net local_network) P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 13 / 19

30 Detection of CNBv2 Initialization and Update Bot s web download requests from infected host. botnet distribution web server botnet distribution web server local network infected device botnet distribution web server NFDUMP detection filter (src net local_network) and (dst ip web_servers 2 ) 2 IP addresses of attacker s botnet distribution web servers P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 13 / 19

31 Detection of CNBv2 Initialization and Update Bot s web download requests from infected host. botnet distribution web server botnet distribution web server local network TCP/80 infected device botnet distribution web server NFDUMP detection filter (src net local_network) and (dst ip web_servers 2 ) and (dst port 80) and (proto TCP) 2 IP addresses of attacker s botnet distribution web servers P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 13 / 19

32 Detection of CNBv2 Initialization and Update Bot s web download requests from infected host. botnet distribution web server botnet distribution web server local network TCP/80 SYN/ACK flags infected device botnet distribution web server NFDUMP detection filter (src net local_network) and (dst ip web_servers 2 ) and (dst port 80) and (proto TCP) and (flags SA and not flag R) 2 IP addresses of attacker s botnet distribution web servers P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 13 / 19

33 Detection of CNBv2 Communication with C&C Bot s IRC traffic with command and control center. local network NFDUMP detection filter P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 14 / 19

34 Detection of CNBv2 Communication with C&C Bot s IRC traffic with command and control center. infected device local network NFDUMP detection filter (src net local_network) P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 14 / 19

35 Detection of CNBv2 Communication with C&C Bot s IRC traffic with command and control center. botnet C&C server :6667 botnet C&C server :6667 infected device local network botnet C&C server :12000 NFDUMP detection filter (src net local_network) and (dst ip IRC_server and dst port IRC_server_port 3 ) 3 IP addresses and ports of an attacker s IRC server (Botnet C&C centers) P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 14 / 19

36 Detection of CNBv2 Communication with C&C Bot s IRC traffic with command and control center. botnet C&C server :6667 botnet C&C server :6667 TCP infected device local network botnet C&C server :12000 NFDUMP detection filter (src net local_network) and (dst ip IRC_server and dst port IRC_server_port 3 ) and (proto TCP) 3 IP addresses and ports of an attacker s IRC server (Botnet C&C centers) P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 14 / 19

37 Detection of CNBv2 Communication with C&C Bot s IRC traffic with command and control center. botnet C&C server :6667 botnet C&C server :6667 TCP SYN/ACK flags infected device local network botnet C&C server :12000 NFDUMP detection filter (src net local_network) and (dst ip IRC_server and dst port IRC_server_port 3 ) and (proto TCP) and (flags SA and not flag R) 3 IP addresses and ports of an attacker s IRC server (Botnet C&C centers) P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 14 / 19

38 Detection of CNBv2 DNS Spoofing Attack Detecting Attacker s DNS or OpenDNS Queries Common DNS requests forwarded to OpenDNS servers. Targeted DNS requests forwarded to attacker s DNS. local network NFDUMP detection filter P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 15 / 19

39 Detection of CNBv2 DNS Spoofing Attack Detecting Attacker s DNS or OpenDNS Queries Common DNS requests forwarded to OpenDNS servers. Targeted DNS requests forwarded to attacker s DNS. infected device local network NFDUMP detection filter (src net local_network) P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 15 / 19

40 Detection of CNBv2 DNS Spoofing Attack Detecting Attacker s DNS or OpenDNS Queries Common DNS requests forwarded to OpenDNS servers. Targeted DNS requests forwarded to attacker s DNS. OpenDNS server infected device local network NFDUMP detection filter (src net local_network) and ((dst ip OpenDNS servers 4 ) or 4 IP addresses of a common OpenDNS servers P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 15 / 19

41 Detection of CNBv2 DNS Spoofing Attack Detecting Attacker s DNS or OpenDNS Queries Common DNS requests forwarded to OpenDNS servers. Targeted DNS requests forwarded to attacker s DNS. spoofed DNS server OpenDNS server infected device local network NFDUMP detection filter (src net local_network) and ((dst ip OpenDNS servers 4 ) or (dst ip DNS servers 5 )) 4 IP addresses of a common OpenDNS servers 5 IP addresses of a spoofed attacker s DNS servers P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 15 / 19

42 Detection of CNBv2 DNS Spoofing Attack Detecting Attacker s DNS or OpenDNS Queries Common DNS requests forwarded to OpenDNS servers. Targeted DNS requests forwarded to attacker s DNS. spoofed DNS server OpenDNS server DNS UDP/53 infected device local network NFDUMP detection filter (src net local_network) and ((dst ip OpenDNS servers 4 ) or (dst ip DNS servers 5 )) and (proto UDP) and (dst port 53) 4 IP addresses of a common OpenDNS servers 5 IP addresses of a spoofed attacker s DNS servers P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 15 / 19

43 Part IV Conclusion P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 16 / 19

44 Conclusion I Irresponsible Operators and Poor Configured Networks Large networks exist with installed vulnerable devices. Trivially exploitable devices with default factory passwords. Unattended large-scale attacks nobody care about it! P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 17 / 19

45 Conclusion I Irresponsible Operators and Poor Configured Networks Large networks exist with installed vulnerable devices. Trivially exploitable devices with default factory passwords. Unattended large-scale attacks nobody care about it! Unix-like Embedded Botnets Spread worldwide with focus on poor configured networks. Operating on the last mile ISP home network. Hard to detect by end user, unsolved by network operator. P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 17 / 19

46 Conclusion II How to Fight with Embedded Botnets Current embedded botnets still use well-known techniques. Flow data can detect illicit activities of embedded devices. Nobody will stop botnet operators to do their business. Vulnerable devices must be fixed and secured. P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 18 / 19

47 Conclusion II How to Fight with Embedded Botnets Current embedded botnets still use well-known techniques. Flow data can detect illicit activities of embedded devices. Nobody will stop botnet operators to do their business. Vulnerable devices must be fixed and secured. Perfect Embedded Malware Devices with built-in malware firmware no way to disinfect. Stealthy malware working undetected as long as possible. Robust C&C to make efforts to shut down botnet hard. P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 18 / 19

48 Thank You For Your Attention! Revealing Botnets Using Network Traffic Statistics Pavel Čeleda et al. Project CYBER This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN P. Čeleda et al. Revealing Botnets Using Network Traffic Statistics 19 / 19