Multifaceted Approach to Understanding the Botnet Phenomenon




A Multifaceted Approach to Understanding the Botnet Phenomenon
Christos P. Margiolas, University of Crete
A brief presentation of the paper "A Multifaceted Approach to Understanding the Botnet Phenomenon" (Rajab, Zarfoss, Monrose and Terzis, IMC 2006).

Basic concepts. A botnet is a set of compromised end hosts (bots) that are infected with malicious software and controlled by the botmaster (the attacker). A honeynet is a network of deliberately vulnerable end hosts (honeypots). The shellcode is the small binary or script delivered by an exploit; its job is to download the real bot binary.

Nepenthes is a low-interaction honeypot that emulates known vulnerabilities in order to collect shellcode (and with it the download locations of bot binaries). PlanetLab is a distributed set of machines available as a testbed for networking and distributed-systems research. UnrealIRCd is an open-source IRC server daemon; the authors run it to stand in for the botnet's C&C server while a binary is analysed.

Efforts. The construction and evaluation of a multifaceted infrastructure for capturing bots and tracking botnets. The infrastructure is a distributed system that collects as many bot binaries as possible and then tracks the botnets with an IRC tracker (internal behaviour) and a DNS prober (footprint). On top of the collected data the paper performs a structural and behavioural analysis and presents results for 192 botnets.

Bot characteristics. One host, the botmaster, controls and monitors every infected host over a command and control (C&C) channel. The channel is built on well-known Internet protocols, chiefly IRC and HTTP (some families use P2P protocols). IRC is the most popular choice because it supports a large number of clients, different network topologies (linked servers) and an extensible protocol.

Typical botnet communication

Botnet security choices. Bot authentication to the server with the PASS protocol message (supported by IRC). Bot authentication to the channel with a channel key (password) chosen by the botmaster (supported by IRC). Botmaster authentication to the bots (implemented by the bot author, typically a login command whose password the bot checks before obeying anyone). A botnet can use any combination of these.

After joining, the bot parses and executes the channel's default command (in IRC botnets this is commonly carried in the channel topic). Depending on the channel modes, the bot may or may not see every message exchanged on the channel.

The measurement consists of three stages: malware collection, binary analysis, and tracking with the IRC tracker and the DNS prober.

Collection infrastructure. A darknet built on the local network plus 14 PlanetLab nodes, covering address space in 10 different /8 prefixes. Nepenthes sensors for collecting shellcode and fetching the binaries it points to. A honeynet of Windows XP images running on virtual machines, isolated on VLANs.

Binary analysis (gray-box method). Each binary is executed inside a private network. Network fingerprint: the IP addresses, ports and DNS requests the bot contacts. IRC fingerprint: the PASS message, the NICK format, the USER name and the auto-joined channels. This stage also derives a dialect template of the bot's IRC usage with the help of an UnrealIRCd server, and includes special tactics for handling botmaster authentication.
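The IRC fingerprint and dialect template described above, as an added example that is not code from the paper or from this presentation. It parses a constructed capture of a bot binary talking to a sandboxed IRC server (the capture, the server name, the nick format and the topic command are all made up), extracts the PASS/NICK/USER/JOIN fingerprint, turns the observed NICK into a regex template a tracker can use to recognise sibling bots and to synthesise a plausible nick of its own, and parses the default command carried in the channel topic. The assumption that bot commands start with '.' or '!' is mine, not the paper's.

```python
"""Gray-box IRC fingerprinting and dialect template (added example)."""
import re
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed capture: '>' = bot -> server, '<' = server -> bot. Not real traffic.
CAPTURE = """\
> PASS s3cr3tpass
> NICK [USA|XP]a7k2m9q
> USER xrm 0 0 :xrm
< :irc.example.test 001 [USA|XP]a7k2m9q :Welcome
> JOIN #botz ch4nk3y
< :[USA|XP]a7k2m9q!xrm@10.0.0.5 JOIN :#botz
< :irc.example.test 332 [USA|XP]a7k2m9q #botz :.advscan lsass 200 5 0 -r -s
> JOIN #backup
"""

@dataclass
class IrcFingerprint:
    password: Optional[str] = None
    nick: Optional[str] = None
    user: Optional[str] = None
    channels: Dict[str, Optional[str]] = field(default_factory=dict)  # channel -> key
    topics: Dict[str, str] = field(default_factory=dict)               # channel -> topic

def parse_irc_line(raw: str):
    """Split one IRC message into (prefix, COMMAND, params) per RFC 2812."""
    prefix = None
    if raw.startswith(':'):
        prefix, raw = raw[1:].split(' ', 1)
    if ' :' in raw:                      # trailing parameter may contain spaces
        head, trailing = raw.split(' :', 1)
        params = head.split() + [trailing]
    else:
        params = raw.split()
    return prefix, params[0].upper(), params[1:]

def fingerprint(capture: str) -> IrcFingerprint:
    fp = IrcFingerprint()
    for line in capture.splitlines():
        direction, raw = line[0], line[2:]
        _, cmd, params = parse_irc_line(raw)
        if direction == '>':                           # what the bot sends
            if cmd == 'PASS':
                fp.password = params[0]
            elif cmd == 'NICK':
                fp.nick = params[0]
            elif cmd == 'USER':
                fp.user = params[0]
            elif cmd == 'JOIN':                        # JOIN #a,#b key1,key2
                chans = params[0].split(',')
                keys = params[1].split(',') if len(params) > 1 else []
                for i, ch in enumerate(chans):
                    fp.channels[ch] = keys[i] if i < len(keys) else None
        elif cmd == '332':                             # RPL_TOPIC <me> <chan> :<topic>
            fp.topics[params[1]] = params[2]
    return fp

def nick_template(nick: str) -> Tuple[str, str, int]:
    """Regex for the bot's nick format. Assumption (common in IRC bots):
    a constant prefix followed by a random alphanumeric suffix."""
    m = re.fullmatch(r'(.*?)([A-Za-z0-9]+)', nick)
    if not m:
        return re.escape(nick), nick, 0
    prefix, rnd = m.group(1), m.group(2)
    return re.escape(prefix) + '[A-Za-z0-9]{%d}' % len(rnd), prefix, len(rnd)

def nick_matches(pattern: str, nick: str) -> bool:
    return re.fullmatch(pattern, nick) is not None

def synth_nick(prefix: str, n: int) -> str:
    """A tracker nick that fits the template, so the tracker blends in."""
    alphabet = string.ascii_lowercase + string.digits
    return prefix + ''.join(secrets.choice(alphabet) for _ in range(n))

def parse_bot_command(topic: str):
    """Default command from the topic. Assumption: commands start with '.' or '!'."""
    if not topic or topic[0] not in '.!':
        return None
    cmd, *args = topic[1:].split()
    return cmd, args

if __name__ == '__main__':
    fp = fingerprint(CAPTURE)
    pattern, prefix, n = nick_template(fp.nick)
    print(fp)
    print('template:', pattern, '-> tracker nick:', synth_nick(prefix, n))
    print('default command:', parse_bot_command(fp.topics['#botz']))
```

The template is what lets the tracker mimic the bot's dialect later on: a nick that does not fit the pattern, or a reply to a command the bot would never answer, is exactly the kind of 'bad' behaviour a botmaster looks for when hunting fake bots.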

Tracking. IRC tracking is driven by the dialect template from the binary analysis together with the network and IRC fingerprints. A filter is applied to the dialect template to avoid 'bad' replies (responses that would expose the tracker as a fake bot), and the stateful nature of the bots gets special handling. DNS probing is run against a cleaned list of DNS servers (those verified to answer non-recursive queries from their cache). The result is a lower bound on the footprint, because not every DNS server is probed and a cache hit says nothing about how many hosts behind that server made the request.
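The DNS prober's cache-probe logic, as an added example (not the paper's code). A query with the RD (recursion desired) bit cleared makes a well-behaved resolver answer only from its cache, so an answer proves that some host behind that resolver recently resolved the C&C name; counting such resolvers gives the lower bound on the footprint described above. Resolvers that recurse even with RD=0 would produce false hits, so a control probe for a name nobody else asks for is used to drop them (this is one way to build the "cleaned list"). The resolver addresses, hostnames and replies in the demo are constructed; the real UDP probe function needs network access and is not exercised by the tests.

```python
"""Non-recursive DNS cache probing for a footprint lower bound (added example)."""
import secrets
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1

def encode_name(name: str) -> bytes:
    return b''.join(bytes([len(l)]) + l.encode('ascii')
                    for l in name.strip('.').split('.')) + b'\x00'

def build_probe(txid: int, qname: str) -> bytes:
    """Query with RD=0: a well-behaved resolver answers only from cache."""
    header = struct.pack('!HHHHHH', txid, 0x0000, 1, 0, 0, 0)   # QR=0, RD=0
    return header + encode_name(qname) + struct.pack('!HH', QTYPE_A, QCLASS_IN)

def classify_response(resp: bytes, txid: int) -> str:
    """'hit'   : NOERROR with at least one answer record (served from cache)
       'miss'  : empty NOERROR, NXDOMAIN or REFUSED
       'error' : malformed, wrong transaction id, or not a response at all"""
    if len(resp) < 12:
        return 'error'
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack('!HHHHHH', resp[:12])
    if rid != txid or not flags & 0x8000:       # QR bit must be set
        return 'error'
    rcode = flags & 0x000F
    if rcode == 0 and ancount > 0:
        return 'hit'
    return 'miss' if rcode in (0, 3, 5) else 'error'

def send_probe(resolver_ip: str, qname: str, timeout: float = 2.0) -> str:
    """Real UDP probe of one resolver (needs network; not used by the tests)."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_probe(txid, qname), (resolver_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return 'error'
    return classify_response(data, txid)

def footprint_lower_bound(results):
    """results: {resolver_ip: (control_class, cc_class)}. Drops resolvers whose
    control probe hit (they recurse despite RD=0), then counts C&C cache hits.
    Returns (hits, resolvers kept)."""
    cleaned = {ip: cc for ip, (ctl, cc) in results.items() if ctl != 'hit'}
    return sum(1 for c in cleaned.values() if c == 'hit'), len(cleaned)

def build_response(txid: int, qname: str, rcode: int = 0, addrs=()) -> bytes:
    """Constructed resolver reply used as a test fixture (not real traffic)."""
    flags = 0x8080 | rcode                      # QR=1, RA=1, RD=0
    hdr = struct.pack('!HHHHHH', txid, flags, 1, len(addrs), 0, 0)
    body = encode_name(qname) + struct.pack('!HH', QTYPE_A, QCLASS_IN)
    for a in addrs:                             # name = pointer to the question (0xC00C)
        body += b'\xc0\x0c' + struct.pack('!HHIH', QTYPE_A, QCLASS_IN, 300, 4)
        body += bytes(int(o) for o in a.split('.'))
    return hdr + body

def demo():
    """Three constructed resolvers: an honest cache hit, one that ignores RD=0
    (its control probe also hits, so it is discarded), and an honest miss."""
    cc, ctl = 'cc.example.test', 'zq8v1-notcached.example.test'   # made-up names
    t = 0x1234
    replies = {
        '192.0.2.1': (build_response(t, ctl), build_response(t, cc, addrs=('203.0.113.7',))),
        '192.0.2.2': (build_response(t, ctl, addrs=('198.51.100.9',)),
                      build_response(t, cc, addrs=('203.0.113.7',))),
        '192.0.2.3': (build_response(t, ctl, rcode=3), build_response(t, cc)),
    }
    results = {ip: (classify_response(c, t), classify_response(r, t))
               for ip, (c, r) in replies.items()}
    return footprint_lower_bound(results)       # (1, 2)

if __name__ == '__main__':
    print('footprint lower bound (hits, resolvers kept):', demo())
```

Note the two caveats the paper itself states: a hit counts a resolver, not the hosts behind it, and unprobed resolvers contribute nothing, so the number is a floor, never an estimate of the true footprint.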

Infrastructure Architecture

Contribution to unwanted traffic. About 27% of the unwanted traffic (SYN packets) is generated by botnet activity. They plot the total number of SYN packets over time against the SYN packets generated by botnets alone. The peaks are aligned, and during these periods the botnets generate up to 90% of the cumulative traffic.

The two bot groups. Worm-like bots attack specific ports continuously with a single algorithm and often try to connect to a hardcoded list of servers that are no longer reachable; the result is a botnet without a master. In the current approach a bot supports a number of exploits and scans only on the botmaster's command or when the channel's command message requests it. Their behaviour can be rescheduled on the fly and supports modification options. They usually scan /8 or /16 IP prefixes.

Growth patterns (based on the IRC tracker and DNS prober). The semi-exponential pattern: the bots scan permanently on a fixed set of ports; the attack method never changes (same port, always attacking). The intermittent pattern: bot designs that are almost stable while the IRC server is down, but once it comes back up the botnet starts expanding again.

Time-scoped botnets: the botnet is active, attacking and spreading, only for a specific period of time. This kind of botnet targets specific IP prefixes.

Bot IRC structure. All bots connect to a single IRC server. This approach only works for a small infected population, because an effective exploit quickly fills the server's client capacity. Unexpected similarities among different bots (naming conventions, channel names, operator IDs) point to the same botmaster or bot author.

Multiple servers form an IRC network (an IRC server farm). The linking can be done in different ways, but the principle is the same: the servers share the load. To check whether a botnet uses multiple servers, they either read the status message of the connected servers or compare the number of local users with the number of users on the whole network. A group of bots has the ability to download updated binaries of themselves, a feature mainly used for migrating to other servers.

Common bot services. The AV/FW killer, present in about 50% of bots, terminates anti-virus and firewall processes. An identd server (40%) is a TCP service that answers user identification requests for a connection (some IRC servers require it). A registry monitor (38%) watches the registry and reports attempts to disable or limit the bot. The system security monitor (40%) uses knowledge of known vulnerabilities and, through calls to a secure() routine, disables the vulnerable system services so that other malware cannot exploit the same host.

Every binary uses between 3 and 29 exploits, 15 on average. Because bots are modular, variations and combinations of the same exploits keep reappearing across binaries. To test the protection level of end systems they ran each of the 192 bots through ClamAV and Norton AntiVirus: the first detected 137, the second 179.

Effective size. The footprint of a botnet is usually much larger than the number of bots connected to the IRC server at a given moment (the effective size). This is not unexpected: the networking infrastructure of the IRC server(s) is too weak to serve thousands of connected bots, so a bot connects to the IRC network only periodically. That has no impact on relatively permanent commands (e.g. the channel topic), but it matters for instantaneous, on-the-fly instructions, because only the bots connected at that moment execute them.

The difference between footprint and effective size also follows from lifetimes: a bot's life is much longer than the time it stays connected to the IRC server. A bot stays joined to a channel for about 25 minutes on average (90% stay less than 50 minutes), yet it persists as an infected host for about 47 days. Death (the bot stopping execution), caused by patching, system shutdown, network failure and other reasons, also shifts the gap between footprint and effective size.

The client that stays connected to the C&C channel the longest is the botmaster, for two reasons: to issue new commands and to keep operator privileges. A noted paradox: botnets whose bots connect directly to a static IP address have a longer lifetime than those that use domain names.

The paper presents some characteristics that many botmasters share. They exchange information about unproductive prefixes and do not scan them, instruct the bots to do only the necessary communication, hunt for fake bots (trackers) in order to shut them out, and look for bots with large resources. A botmaster can also migrate bots from one network to another by instructing them to download an updated version of the binary.
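The footprint/effective-size distinction from the Effective size slides, as an added example that is not code from the paper or this presentation. It replays a constructed IRC tracker log (timestamps, nicks and hosts are made up) and computes the footprint (distinct hosts ever seen), the effective size over time (peak and time-weighted mean number of hosts joined), and the session lengths that correspond to the paper's ~25-minute average. Hosts are keyed by address rather than nick because bots re-randomise their nick on every connection; a session still open at the end of the log is reported separately rather than silently counted.

```python
"""Footprint vs. effective size from an IRC tracker's join/part log (added example)."""
from datetime import datetime

# Constructed tracker log: "<ISO time> <JOIN|PART|QUIT> <nick> <host>". Not real data.
# Note 10.0.0.5 comes back under a new nick, and is still joined when the log ends.
TRACKER_LOG = """\
2006-03-01T10:00:00 JOIN [USA|XP]a7k2m9q 10.0.0.5
2006-03-01T10:05:00 JOIN [DEU|XP]q1w2e3r 10.0.1.9
2006-03-01T10:20:00 PART [USA|XP]a7k2m9q 10.0.0.5
2006-03-01T10:25:00 JOIN [FRA|2K]zz9xc8v 10.0.2.2
2006-03-01T10:40:00 QUIT [DEU|XP]q1w2e3r 10.0.1.9
2006-03-01T11:00:00 JOIN [USA|XP]k8j7h6g 10.0.0.5
2006-03-01T11:30:00 PART [FRA|2K]zz9xc8v 10.0.2.2
"""

def parse_log(text: str):
    """Return (timestamp, event, nick, host) tuples in time order."""
    events = []
    for line in text.splitlines():
        ts, ev, nick, host = line.split()
        events.append((datetime.fromisoformat(ts), ev, nick, host))
    events.sort(key=lambda e: e[0])
    return events

def analyze(events):
    online = {}       # host -> time it joined (the current session)
    sessions = []     # closed session lengths, minutes
    seen = set()      # every host ever observed = footprint
    peak = 0
    weighted = 0.0    # sum of (hosts online) x (seconds), for the time-weighted mean
    prev = events[0][0]
    for ts, ev, nick, host in events:
        weighted += len(online) * (ts - prev).total_seconds()
        prev = ts
        if ev == 'JOIN':
            seen.add(host)
            online.setdefault(host, ts)       # same host, new nick: same session
        elif ev in ('PART', 'QUIT') and host in online:
            sessions.append((ts - online.pop(host)).total_seconds() / 60)
        peak = max(peak, len(online))
    span = (events[-1][0] - events[0][0]).total_seconds()
    return {
        'footprint': len(seen),
        'peak_effective': peak,
        'mean_effective': weighted / span if span else float(len(online)),
        'closed_sessions_min': sessions,
        'mean_session_min': sum(sessions) / len(sessions) if sessions else 0.0,
        'open_sessions': len(online),         # still joined at end of log (censored)
    }

if __name__ == '__main__':
    for k, v in analyze(parse_log(TRACKER_LOG)).items():
        print(f'{k:>20}: {v}')
```

Two caveats a practitioner should keep in mind when reading such numbers: several bots behind one NAT share a host address and are undercounted, and the open sessions at the end of the window bias the mean session length downward if they are simply dropped, which is why they are reported separately here.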