A General-purpose Laboratory for Large-scale Botnet Experiments Thomas Barabosch, Sebastian Eschweiler, Mohammad Qasem, Daniel Panteleit, Daniel Plohmann and Elmar Gerhards-Padilla Cyber Defense Fraunhofer FKIE
http://images.techhive.com/images/article/2013/04/botnet-100034898-orig.jpg 2
http://michaelhyatt.com/wp-content/uploads/2009/06/the-wow-is-in-the-details1.jpg 3
http://www.doc.govt.nz/pagefiles/58827/big-picture-223.jpg 4
Botnet Analysis Approaches Mathematical modelling Stochastic simulation Real world data analysis In-laboratory emulations 5
Reasons for us to design a new laboratory Previous work already exists, e.g. Deter or SecSI/LHS labs Need for own laboratory due to confidentiality requirements Complementary analysis to our in-house reverse engineering process Long term goal: improving the state-of-the-art 6
Design of our Botnet Analysis Laboratory 7
Design Criteria Design criteria based on Calvet et. Al, Isolated virtualised clusters: testbeds for high-risk security experimentation and training Security Scale Realism Flexibility Sterilizability 8
Architectural key aspects Realistic simulation of selected parts of the Internet Total isolation of the laboratory Total observability within the laboratory 9
10
11
12
13
Network nodes Virtualization 14
Network topology 16
Architectural key aspects Realistic simulation of selected parts of the Internet Total isolation of the laboratory Total observability within the laboratory 17
Experiment control 18
Usability 19
Security 20
Sensor infrastructure 21
Sensor infrastructure 22
Sensor infrastructure 23
Architectural key aspects Realistic simulation of selected parts of the Internet Total isolation of the laboratory Total observability within the laboratory 24
Using our Botnet Analysis Labratory 25
Setting up an experiment: infrastructure Select network-template and VM templates Experimenter can also provide his own templates In case additional infrastructure is needed Provide entities Adjust DNS 26
Setting up an experiment: information gathering Network-based sensors Choose routers that should capture network traffic Easy adjustment using BPF syntax Host-based sensors Choose/add plugins to Agent 27
Setting up an experiment: roll out Once properly configured: roll it out! Initial setup time 32 VMs ~ 50 minutes 512 VMs ~ 7 hours 28
29
CASE STUDY CITADEL 30
What is Citadel? Zeus Zeus 31
Communication with C&C server 3 CnC server 11.22.33.44 4 Citadel bot 2 1 DNS 32
Countermeasure Takedown via domain replacement CnC server 11.22.33.44 Citadel bot What shall I do? 2 3 4 Benign action 5 DNS DNS entry 1 citadel-cnc.com -> 55.66.77.88 11.22.33.44 Sinkhole 55.66.77.88 33
EXPERIMENTS WITH CITADEL 34
Network infrastructure of the experiment 35
SETTING UP A BOTNET 36
37
Architectural key aspects Realistic simulation of selected parts of the Internet Total isolation of the laboratory Total observability within the laboratory secure analysis of malware secure testing of countermeasures 38
BOTNET TAKEDOWN 39
Countermeasure Takedown via domain replacement Malicious DNS entry is replaced by benign DNS entry at certain point in time DNS DNS entry citadel-cnc.com -> 55.66.77.88 11.22.33.44 40
41
Architectural key aspects Realistic simulation of selected parts of the Internet Total isolation of the laboratory Total observability within the laboratory secure analysis of malware secure testing of countermeasures 42
CONCLUSION & OUTLOOK 43
Conclusion & Outlook Presentation of a general-purpose laboratory for large-scale botnet experiments Realistic simulation of selected parts of the Internet Total isolation of the laboratory Total observability within the laboratory Future work Integration of bare-metal machines Automatic provisioning of basis templates 44
45