Symptoms Based Detection and Removal of Bot Processes

Transcription

1 Symptoms Based Detection and Removal of Bot Processes 1 T Ravi Prasad, 2 Adepu Sridhar Asst. Prof. Computer Science and engg. Vignan University, Guntur, India 1 Thati.Raviprasad@gmail.com, 2 sridharuce@gmail.com Abstract Botnet is one of the most dangerous threats in internet. Botnet [10] consists of a network of compromised computers connected to the network that is controlled by a remote attacker (Botmaster). Botnets perform various attacks such as DDoS attacks, Click Fraud attacks, and are also involved in distribution of spam s, key loggers etc. Existing techniques for the detection of bot includes deployment of Honey pots, Usage of signatures for detection of various attacks, Monitoring Network traffic for anomaly detection. Disadvantage in Honey pot detection is to captures and tracks the activity only attacker directly interact with it. In Signature based detection only known attacks can be detected and further, it needs regular update of rules. A network-based detection monitors the network traffic which involves deep packet inspection requires high computing performance. To overcome the disadvantages of the existing solutions, A new Symptoms Based Detection and Removal of Bot Processes algorithm is proposed. The proposed algorithm provides a host based solution, which enables online bot process detection and its removal. The Detection process is based on the detection of illegitimate process which uses TCP connections. This involves observing the Digital signature of the process, installed Programs path and also the registry entries associated with the process. The proposed solution when tested on a bot infected machine, was found to detected as well as remove the malicious Bot processes. Keywords: Botnet, Digital Signature, Honey pots, Bot. application running as an automated task. Botmaster controls the botnet through commandand-control (C&C) mechanism. The type of communication used between a bot client and its command and control server can be differentiated into two types [13] as follows: Push-based Pull-based In a push-based communication, the botmaster pushes the commands that the Bot has to be run. Communication lies in the fact that botmaster can instantaneously request bots to perform a certain task. In a pull-based communication, each bot is allowed to periodically send status report to botmaster and retrieve command to run from a server. Now a day s home PCs are a desirable target for attackers as they are not properly patched or secured behind a firewall, leaving them vulnerable to attack. The remainder of this paper is organised as follows Chapter two presents the botnet life cycle. Chapter three presents the classification of botnets. Chapter four presents the existing solutions and its drawbacks. Chapter five provides proposed solution for the problem. Chapter six presents the results and discussion on the implementation of the proposed solution. 1. Introduction Botnet [10] is a group of hosts at different locations controlled by an individual host referred to as Botmaster to initiate malicious activity. One can hardly trace back to the origin due to the usage of proxies over network. The victim hosts controlled by the botmaster are called bots. The term bots is commonly referred to software Figure 1. Life cycle of Botnet 793

2 2. Botnet Life Cycle Figure 1 depicts the Life cycle of botnet. First process involves the infection spreads from Botmaster through attachments, USB autoruns, via messages posted on Social Networking websites etc. Secondly, Bot connects to the C&C server. This could be done using HTTP, IRC or any other protocol Finally, Botmaster transmit commands to bot through C&C server to perform malicious activity. 3. Classifications of Botnets Based on the protocols used for communication botnet can be categorized into three ways, First one is Internet Relay Chat Botnet, Second one is HTTP Botnet, third one is Peer to Peer Botnet. 3.1 Internet Relay Chat (IRC) Botnet In the beginning, most botnets used a centralized approach for managing botnets. This was done using IRC protocol. The main reasons for using IRC were its interactive nature for two way communication between the server and the client. IRC server acts as a botmaster and uses IRC channel for sending commands to bots. 3.2 HTTP Botnet In HTTP botnet, Bots connect to a HTTP server and wait for commands from a botmaster to get commands that are coded into site files or HTTP bots have to periodically issue requests to the target C&C server. These requests commonly consist of a status report, on the basis of report the server decides which commands are to be transferred to that bot. 3.3 Peer to Peer (P2P) Botnet In a peer-to-peer network any node in the network can act both as a client as well as server. In P2P botets [9], commands are communicated through push/pull mechanism. Botmaster publishes a command file over the P2P network. The bots then use the pull mechanism to obtain the command file. P2P bots have to constantly communicate with their neighbours for commands and have to send KEEP ALIVE messages to other bots in the network. P2P botnets do not suffer from single point of failure but coordination of bots is difficult compared to the centralized in this architecture. Hence, Identification of Botmaster becomes difficult. 4. Related Work In this section we are discussing previous works in this area. Here we are discussing mainly four related works. 4.1 Honeypots Honeypot[12] is trap set to detect unauthorized use of information system. Any interaction with honey pot is most likely to perform malicious activity. Honey pot traps new attacks and gathers information about attacker. Honeypots also have their disadvantages. Honeypots only capture and detect attacks targeted at itself only. If an attacker penetrates into the organization and attacks other systems, the honeypot will not pick up any activity. Especially, if the attacker has identified the honeypot, then avoiding that system, penetration into the organization s network is possible to attack other systems. In worst case scenario, the attacker can even spoof the other systems in the network and use them to attack the honeypot. 4.2 Network Signature-Based Detection In this approach [3], the detector draws upon a catalog of botnet signatures. However, instead of being based on the bot software's binary image on disk or in memory, it is based on observed network track generated by the botnets. An example of such a signature for a IRC bot would be the following tuple[3]: fnet = (Hosts, Ports, Nick, Pass, Channel) The fingerprint includes the collection of hosts and ports known to be associated with a particular botnet's command-and-control architecture, along with the IRC nicknames, passwords, and channel join requests associated with that botnet. It therefore captures the packet details of the command-and-control interaction. Once these values are known for a particular botnet, these signatures can be fed into signature-based network intrusion detection systems such as Snort [1] Two difficulties with this approach are as follows: A signature is needed to identify bot network activity. Such a signature must exist. This approach need to analyze every incoming packet for signature. 4.3 Anomaly-based Detection Botnets often generate high volume of traffic that may cause high network latency, and traffic on unusual ports [15]. An effective TCP based anomaly detection technique with IRC tokenization 794

3 and IRC message statistics to detect botnet clients and reveal botnet servers has been proposed in [6]. First, this anomaly based system implements an IRC parsing component to collect information on TCP packets and to determine an IRC channel. Next, the IRC channel traffic are correlated over a large set of sampled data in search of scanning activities. At last, the IRC channels with high scanning count would be stamped as the possible botnet channel. A three-metric based measurement to detect abnormal botnet behaviour under the assumption that bots from the same botnet will have regularities in relationship, response, and synchronization has been proposed in [8]. Another botnet detection system(bothunter[6]) that recognizes the bot by running a correlation algorithm with the help of the user defined bot infection life cycle model. Botsniffer [7], which is based on a anomaly based detection algorithm designed to detect botnet C&C channels in a local area network using the observation that bots within the same botnet would demonstrate strong synchronization in their response and activities (e.g., sending spam, scanning, and binary downloading).this technique cannot be used if communication is encrypted. 4.4 Signature based detection Signature based detection [14] is the most common method that antivirus software s use to identify malware. This method is limited by the fact that it can only identify a limited amount of threats. When antivirus software scans a file for malicious code, it checks the contents of a file against a dictionary of malicious code signatures. If a signature is found in a file, the antivirus software can take action to remove the virus. New viruses are being created each day; the signature based detection approach requires frequently updates of the virus signature dictionary. 5. Proposed Model The main focus of proposed model as shown in Figure 2 is to detect malicious bot processes running in the system. We implemented by using following algorithm gives the detailed description of proposed solution. Step 1: Get TCP Process List and their path. Step 2: while (! TCP Process List Empty) If (Digital Signature of process exists) Then Legitimate Process Push Process details to Unsigned Process list Step 3: If (Unsigned Process List empty) Then No Malicious Process While (!Unsigned Process List Empty) If (Process manually installed) Then not malicious process Push to Suspected Malicious Process List Step 4: if (Suspected Malicious Process list is Empty) Then No Malicious Processes While (! Suspected Malicious Process List empty) If (Process is independent) If (image path of the process is available in registry start up entries Or Logon entries) Then submit process to Procedure Remove () Not a Malicious Process -Identify the monitor process - submit Monitor process to Procedure Remove () - submit dependent process to Procedure Remove () Step 5: End Procedure Remove () - Kill Process -Remove Registry Entries of Process -Delete.exe from the system In this method first, we get the TCP processes and paths of TCP processes. If TCP process list not empty then, we check process is having Digital Signature or not. If it having Digital Signature it is a legitimate process. If process not having Digital Signature we send those processes to list called Unsigned process list. Then we check Unsigned process list, whether in this processes manually installed or not. If not manually installed we send that process to suspect malicious process list. If in this list process is independent and image path of the process is available in registry start up entries or Logon entries then it is malicious process remove it. In this proposed algorithm, to identify whether Process is dependent or independent by using the Process Explorer tool. Process Explorer[15] is an 795

4 ISSN: advanced process management utility. It will shows detailed information about a process including its icon, command line, full image path, memory statistics, user account, security attributes, and more. Bot. When the proposed solution was installed on the Bot infected machine. It was found that the bot processes were separated from the list of genuine processes running on the system. Further the malicious bot processes were killed and removed from the system thus making it bot free. 7. Conclusion and Future Work Botnet is one of the serious threats to computer systems today. Our proposed solution is a host based method which enables online detection and removal of bot processes. The Detection and Removal of bot process is based on the detection of illegitimate process which uses TCP connections and involves observing the Digital signature, installed Programs path and also the registry entries associated with the process. This proposal has been tested on Windows operating system and found to detect and remove malicious bot processes. 8. References Figure 2. The Proposed Model Figure 3. Flow chart for Removal of Bot 6. Experiment Proposed solution was tested on a Windows XP machine with Sigcheck tool installed on it. Bot processes namely 1DE.exe, 1vvm.exe were installed Windows XP machine thus making it a [1] Zhaosheng Zhu, GuohanLu, Yan Chen. Botnet Research Survey. Annual IEEE International Computer Software and Applications Conference, pages , Abu Hamed Mohammad, MisbahUddin. [2] Detecting Botnets Based on their Behaviors Perceived from Network Data. University of Tartu, pages 82 82, [3] Gu, G., Zhang, J., Lee,W.: BotSniffer: Detecting botnet command and control channels in network traffic. In Proceedings of the 15th Annual Network and Distributed System Security Symposium, pages 1-2,February [4] J. Govil, Examining the criminology of bot zoo, in Proceedings of the 6th International Conference on Information, Communications and Signal Processing (ICICS 07), pages 1-6, Singapore, December [5] Jose Andre Morales, Areej AlBataineh, Analyzing DNS Activities of Bot Processes Institute for Cyber SecurityUniversity of Texas at San Antonio,4th International Conference on Malicious and Unwanted Software (MALWARE), pages 98-99, [6] Gu, G., Porras, Ph., Yegneswaran, V., Fong, M., Lee, W. BotHunter: Detecting malware infection through IDS drivendialog correlation, In 16th USENIX SecuritySymposium (Security 07), pages 1-3, [7] GuofeiGu, Junjie Zhang, and Wenke Lee. "BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic." In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS'08), San Diego, CA, page 3, February [8] M. Akiyama, T. Kawamoto, M. Shimamura, T. Yokoyama, Y. Kadobayashi, and S. Yamaguchi. A proposal of metrics for botnet detection based on its cooperative behavior. In Applications and the Internet Workshops, SAINTWorkshops International Symposium on, pages 82 83,

5 [9] HosseinRouhaniZeidanloo, Member, IACSIT, FarhoudHosseinpour and FarhoodFaridEtemad. New Approach for Detection of IRC and P2P Botnets, International Journal of Computer and Electrical Engineering, Vol.2, No.6, pages , December [10] Ping Wang, Sherri Sparks, and Cliff C. Zou. An Advanced Hybrid Peer-to-Peer Botnet. IEEE transactions on dependable and secure computing, vol. 7, no. 2, april-june [11] Wikipedia, Botnet, [12] Wikipedia, Honeypot, [13] Eric Peter, Todd Schiller, A Practical Guide to Honeypots, [14] Mark Russinovich, Sigcheck v1.71, [15] ining/ /presentations/handouts /Process_Explorer_Tutorial_Handout.pdf 797