Heejo Lee, Hyunsang Choi. Computer and Communication Security Lab Korea University

Transcription

1 Botnet and Mass DDoS Attack Heejo Lee, Hyunsang Choi {heejo, ac kr Computer and Communication Security Lab Korea University June 25, 2009

2 Contents Introduction to Botnet Recent Botnet Trends Botnet Detection Researches BotGAD: Botnet Group Activity Detector Conclusion 2

3 Botnet Botnet: A group of zombie computers under the remote control of an attacker via a command and control system Wei Lu et. al.,"automatic Discovery of Botnet Communities on Large-Scale Communication Networks, ACM ASIACCS 09 3

4 Why Botnet? Botconomics: for generating $$$$ 4

5 Purchasing Botnets Buy a bot code Report on the Underground Economy, Symantec, Nov 2008 Buy or rent an already constructed botnet Emerging Information Security Threats, Lenny Zeltser,

6 Botnet Attacks (1) Spamming, DDoS attacks, identity theft, phishing attacks J. Davis, Web War I, Wired Magazine, Sep

7 Botnet Attacks (2) Recent botnet targeted attack (Damballa) Storm (P2P bot), Kraken, Bobax (HTTP bot), RAT-Pro (RAT) 7

8 Botnet Statistics (1) Symantec report 75,158 active bots/day in 2008, an increase of 31% from 2007 China had the most bot-infected computers in 2008, 13% of total 8

9 Botnet Statistics (2) Number of new zombies (top 10 countries ) McAfee Threats Report: First Quarter

10 Botnet Statistics (3) Top 10 infected countries and spam volume in 2009 Trend Micro 2008 Annual Threat Roundup and 2009 Forecast 10

11 Botnet Statistics (4) Damballa report, ~5% of PCs connected Internet are zombies 78% of botnet malware uses HTTP ports for communications More than 60% of targeted attack malware will never be caught by any signature-based AV or IDS/IPS solution MessageLab annual security report % of spam was being distributed by botnets (May. ~ Oct., 2008) 11

12 Botnet History EggDrop, discovered, RPCSS recognized as first benign IRC bot Agobot, robust, flexible, and modular design and significant functionality Storm, (peacomm) Kademlia based P2P botnet, the largest spam bot till 2007 Ghostnet, remote access trojan for spying activities Present GTbots, 1 st botnet to use IRC as C&C Snit/Phatbot, P2P botnets appeared Srizbi, HTTP botnet for spamming (the largest spam bot from 2008) Asprox, HTTP botnet used to launch mass SQL injection attacks to web Conficker, largest botnet ever, hybrid P2P botnet 12

13 Contents Introduction to Botnet Recent Botnet Trends Botnet Detection Researches BotGAD: Botnet Group Activity Detector Conclusion 13

14 Recent Botnet Trends: Summary Recent botnet trends Size Light-weight: mini-bot, RAT bot Structure re Service Size diversified Complexed :Hybrid/custom protocol Specialized: DDoS bot, spam bot, RAT bot Mini-bots: Netbot, Clampi(Rscan), Torpig, Zeus(zbot), Idpinch, etc Structure complicated Conficker, Netbot, Ghostnet, Spybot, etc Evade detection systems using customized protocol (Ghostnet, Netbot, Spybot) or hybrid(comlicated) protocol (Conficker) Service specialized Single-purposed botnets: DDoS bots(netbot, Panda DDoS), spam bots, spying bots(rat) 14

15 Recent Botnets: NetBot NetBot attacker Botnet for DDoS attack: launch(ransom) DDoS attacks to web sites Launch DDoS attacks several times on itembay ( 15

16 Recent Botnets: Ghostnet RAT Ghostnet Gh0st RAT (Remote Access Trojans): hosts are controllable remotely Use HTTP based protocol Cyber espionage network based in China, has infected about 1,300 computers in 103 countries, (Univ. of Toronto, "Tracking GhostNet: Investigating a Cyber Espionage Network", Mar ) Information gathering on Tibetan activities and Dalai Lama Infection is typical social-engineering g (e.g. attachments in ) 16

17 Recent Botnets: Conficker (1) Conficker.C Aka Kido/Downad/Downadup From Nov. 2008, spreaded using Windows netbios and Microsoft-DS service vulnerability: MS (139/tcp, 445/tcp) Also uses USB drives to infect: DLL + rundll32.exe e The largest worm infection since the 2003 SQL Slammer. 9M: F-Secure 15M: UPI (United Press Intl.) Delay system/network speed, cannot access to MS update Setup, security product terminators, P2P, Internet rendezvous modules 17

18 Recent Botnets: Conficker (2) Conficker domain generation for rendezvous Domain flux: Conficker.C uses domain names, daily The PRNG is seeded by the current time Time synchronization: downloads web pages (google,yahoo, ) and uses the time data (day, month, year) in the HTTP response 18

19 Recent Botnets: Asprox (1) Asprox botnets are used to acquire user information, distribute spams, launch phishing attacks In 2008, SQL injection module is added to Asprox Anatomy of the Asprox Botnet, Oct

20 Recent Botnets: Asprox (2) (1) Asprox search.asp webpages using google (2) Launch mass SQL injection attacks to the pages (3) Insert iframe-based redirection link to vulnerable pages (4) Infected webpage visitors become Asprox hosts Anatomy of the Asprox Botnet, Oct

21 CAPTCHA Breaking Botnets CAPTCHA breaking Mechanical Turks Some anti-captcha tools target the audio alternative offered by sites Audio alternative waveform analysis is easier process than the image. In early 2008, these algorithms were 20-30% successful. CAPTCHA-breakers b k may also combine two approaches Page 21

22 DNS Cache Poisoning using Botnet DNS cache poisoning using a botnet (1) Send DNS queries to Local NS (2) Overload authoritative NS using botnet flooding attacks (3) Send reply before recursive answer arrival N. Chatzis et. al., Motivation for Behaviour-Based DNS Security, SECURWARE

23 Contents Introduction to Botnet Recent Botnet Trends Botnet Detection Researches BotGAD: Botnet Group Activity Detector Conclusion 23

24 Botnet Detection Approaches (1) Host-based vs. Network-based Signature-based vs. Anomaly-based 24

25 Botnet Detection Approaches (2) IRC detection + botnet activity detection IRC Botnet t Binkley et. al., IRC botnet detection, USENIX SRUTI 06 Detection Botnet Group Detection Spam Bot Detection Host-based Detection Karasaridis et. al., Wild scale botnet detection, USENIX HotBot 07 Gu et. al., BotHunter, USENIX Security 07 Challenges: HTTP bots appeared, channel encryption, stealth attacks Botnet group activity detection Gu et. al., BotSniffer, NDSS 08 Gu et. al., BotMiner, USENIX Security 08 Hyunsang et. al., BotGAD, COMSWARE 09 Challenges: sensitive time window, mini-bot, single-purpose bots Spamming botnet detection using data Ramachandran et. al., SpamTracker, ACM CCS 07 Xie et. al., AutoRE, ACM SIGCOMM 08 Duan et. al., SPOT, INFOCOM 09 Zhao et. al., BotGraph, USENIX NSDI 09 Challenges: spam bot only, not early detection, only detect relay IPs Host-based botnet detection approaches Stinson et. al., BotSwat, DIMVA 07 Liu et. al., BotTracer, ISC 08 Al-Hammadi et. al., Keylogging botnet detection, ARES 08 Al-Hammadi et. al., DCA for bot dection, CEC 08 Challenges: too much 25 false alarms

26 IRC Botnet Detection Algorithm (1) J. R. Binkley (at Portland State Univ), An algorithm for anomalybased botnet detection, USENIX SRUTI 06 Goal: Detect IRC-based botnet Approach: IRC mesh detection + TCP scan detection (TCP work weight) Easy to evade: Channel encryption, stealthy scanning Too much false alarms, can not detect HTTP, P2P botnet IRC mesh detection TCP scan detection (TCP work weight) Count of TCP control packets (SYN s (SYNACKs sent) + FIN s sent + RESETS) / total number of TCP packets (Tsr). 26

27 Wide-scale Botnet Detection (2) A. Karasaridis (at AT&T Labs), Wide-scale Botnet Detection and Characterization, USENIX Hotbot 07 Goal: Anomaly-based botnet detection Approach: IDS log-based botnet sequence(stage) detection Can not detect HTTP, P2P botnet, false alarms, IDS/IPS log dependent, weak to stealthy scanning IDS Logs 27

28 BotHunter (3) G. Gu (at Georgia Tech), BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation, USENIX Security 07 Goal: Anomaly-based botnet infection detection Approach: IDS dialog-based botnet sequence(stage) detection IDS/IPS log dependent, weak to stealthy scanning, weak to channel encrypted, can not detect HTTP, P2P botnet 28

29 BotSniffer (4) G. Gu (at Georgia Tech), BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic, NDSS 08 Goal: Botnet C&C detection system Approach: Exploiting the underlying spatial-temporal correlation and similarity property of botnet C&C (horizontal correlation) IDS/IPS log dependent, weak to stealthy scanning, weak to channel encrypted, can not detect P2P botnet 29

30 BotMiner (5) G. Gu (at Georgia Tech), BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection, USENIX Security 08 Goal: Propose the protocol and structure independent botnet detection system Approach: similar C&C and malicious attack patterns IDS/IPS log dependent, weak to stealthy scanning, weak to channel encrypted, not practical (overhead) 30

31 AutoRE (6) Yinglian Xie, (at Microsoft), Spamming Botnets: Signatures and Characteristics, SIGCOMM 08 Goal: A large scale spamming botnet characteristics analysis, Identify trends to detect botnets Approach: botnet spam mail traffic pattern burst (synchronized fashion) & distributed (a large and dispersed IP) Not real time, magic numbers, more analysis for false positives 31

32 Contents Introduction to Botnet Recent Botnet Trends Botnet Detection Researches BotGAD: Botnet Group Activity Detector Conclusion 32

33 Research Motivation BotGAD (Botnet t Group Activity it Detector) t ) Anomaly Hard to Real-time Detection Evade Detection Anomaly detection Botnets use encrypted channel Explosive amount of new/modified bots overwhelm detection methods Hard to evade Botnets adopts complicated techniques to evade detection mechanisms Real-time detection Huge amount of data is hard to be acquired and analyzed Real-time detection is more useful to response to the botnet 33

34 Group Activity Property Group activity feature Group activity: Inherent property of botnets Group activity: Frequently monitored in botnet life cycle Botnets s group activity: Different from normal group activities 34

35 Group Activities in Life Cycle Botnet life cycle Botnets t t three steps: propagation, communication and attack Group activities can be monitored 35

36 Botnet Group Activity Detector Group similarity estimation Kulczynski similarity Cosine similarity Jaccard similarity 36

37 Case Study: BotGAD Using DNS DNS is frequently used in botnet Rally: when bots find C&C, usually send DNS Update: when bots update their codes, send DNS Synchronization: Botnets use DNS to synchronize system time (NTP) Cloning and reconnection: when cloning and reconnecting, use DNS Migration: Bots migrate C&C using DNS Attack: Some attacks go with DNS 37

38 Experiment Results System design and similarity estimation 2 days DNS traces were captured from the gateway router of /16 campus network (1Gbps, 24M DNS queries) Several known/unknown botnets are detected during the experiments including IRC/HTTP/P2P(Storm) botnets Cassel HTTP bot Virut IRC bot Virut IRC bot Poison IRC bot Storm P2P bot Silly IRC bot 38

39 Benefits of Proposed Mechanism Benefits of the botnet detection mechanism Anomaly-based detection algorithm Group activity (inherent property) makes the mechanism hard to evade. Using DNS, detect botnets in its early stage (before they execute an array of malicious behaviors) Efficient to apply on large ISP networks with small portion of network traffic (DNS) 39

40 Research Project Research project The Development of Active Detection and Response Technology against Botnet supported by MKE, Korea, ~ Collaborate with KISA, ISP and security companies 40

41 Publications References H. Choi, H. Lee, H. Kim, BotGAD: Detecting Botnets by Capturing Group Activities in Network Traffic, COMSWARE, June I. Kim, H. Choi, H. Lee, Botnet Visualization using DNS Traffic, WISA, Sep H. Choi, H. Lee, H. Lee, H. Kim, Botnet Detection by Monitoring Group Activities in DNS Traffic, IEEE CIT, Oct

42 Q & A Thank you 42