Symptoms Based Detection and Removal of Bot Processes

1 T Ravi Prasad, 2 Adepu Sridhar, Asst. Prof.
Computer Science and Engg., Vignan University, Guntur, India
1 Thati.Raviprasad@gmail.com, 2 sridharuce@gmail.com
ISSN: 2229-6093

Abstract

Botnet is one of the most dangerous threats on the internet. A botnet [10] consists of a network of compromised computers, connected to the network, that is controlled by a remote attacker (the botmaster). Botnets perform various attacks such as DDoS attacks and click fraud, and are also involved in the distribution of spam e-mails, key loggers etc. Existing techniques for the detection of bots include deployment of honeypots, the use of signatures for detection of various attacks, and monitoring of network traffic for anomaly detection. The disadvantage of honeypot detection is that it captures and tracks only the activity of attackers that interact with the honeypot directly. Signature-based detection detects only known attacks and, further, needs regular updates of its rules. Network-based detection monitors the network traffic using deep packet inspection, which requires high computing performance. To overcome the disadvantages of the existing solutions, a new Symptoms Based Detection and Removal of Bot Processes algorithm is proposed. The proposed algorithm provides a host-based solution that enables online bot process detection and removal. Detection is based on identifying illegitimate processes that use TCP connections, by observing the digital signature of the process, the installed-program path and the registry entries associated with the process. When tested on a bot-infected machine, the proposed solution was found to detect as well as remove the malicious bot processes.

Keywords: Botnet, Digital Signature, Honey pots, Bot.

1. Introduction

A botnet [10] is a group of hosts at different locations controlled by an individual host, referred to as the botmaster, to initiate malicious activity. One can hardly trace back to the origin because of the use of proxies over the network. The victim hosts controlled by the botmaster are called bots. The term bot commonly refers to a software application running as an automated task. The botmaster controls the botnet through a command-and-control (C&C) mechanism.

The type of communication used between a bot client and its command and control server can be differentiated into two types [13]:
- Push-based
- Pull-based

In push-based communication, the botmaster pushes the commands that the bot has to run; the botmaster can instantaneously request bots to perform a certain task. In pull-based communication, each bot periodically sends a status report to the botmaster and retrieves the command to run from a server. Nowadays home PCs are a desirable target for attackers as they are not properly patched or secured behind a firewall, leaving them vulnerable to attack.

The remainder of this paper is organised as follows. Chapter two presents the botnet life cycle. Chapter three presents the classification of botnets. Chapter four presents the existing solutions and their drawbacks. Chapter five provides the proposed solution for the problem. Chapter six presents the results and discussion on the implementation of the proposed solution.

Figure 1. Life cycle of Botnet
2. Botnet Life Cycle

Figure 1 depicts the life cycle of a botnet. The first step is the infection, which spreads from the botmaster through e-mail attachments, USB autoruns, messages posted on social networking websites etc. Secondly, the bot connects to the C&C server; this can be done using HTTP, IRC or any other protocol. Finally, the botmaster transmits commands to the bot through the C&C server to perform malicious activity.

3. Classifications of Botnets

Based on the protocols used for communication, botnets can be categorized in three ways: the first is the Internet Relay Chat botnet, the second is the HTTP botnet, and the third is the Peer to Peer botnet.

3.1 Internet Relay Chat (IRC) Botnet

In the beginning, most botnets used a centralized approach for managing the botnet. This was done using the IRC protocol. The main reason for using IRC was its interactive nature, which allows two-way communication between the server and the client. The IRC server acts as a botmaster and uses an IRC channel for sending commands to bots.

3.2 HTTP Botnet

In an HTTP botnet, bots connect to an HTTP server and wait for commands from the botmaster, which are coded into site files. HTTP bots therefore have to periodically issue requests to the target C&C server. These requests commonly consist of a status report; on the basis of the report the server decides which commands are to be transferred to that bot.

3.3 Peer to Peer (P2P) Botnet

In a peer-to-peer network any node in the network can act both as a client and as a server. In P2P botnets [9], commands are communicated through a push/pull mechanism. The botmaster publishes a command file over the P2P network, and the bots then use the pull mechanism to obtain the command file. P2P bots have to constantly communicate with their neighbours for commands and have to send KEEP ALIVE messages to other bots in the network. P2P botnets do not suffer from a single point of failure, but coordination of bots is difficult in this architecture compared to the centralized one.
Hence, identification of the botmaster becomes difficult.

4. Related Work

In this section we discuss previous work in this area, mainly four related works.

4.1 Honeypots

A honeypot [12] is a trap set to detect unauthorized use of an information system. Any interaction with a honeypot is most likely malicious activity. A honeypot traps new attacks and gathers information about the attacker. Honeypots also have their disadvantages. Honeypots capture and detect only attacks targeted at the honeypot itself. If an attacker penetrates the organization and attacks other systems, the honeypot will not pick up any activity. In particular, if the attacker has identified the honeypot, avoiding that system and penetrating the organization's network to attack other systems is possible. In the worst case, the attacker can even spoof the other systems in the network and use them to attack the honeypot.

4.2 Network Signature-Based Detection

In this approach [3], the detector draws upon a catalog of botnet signatures. However, instead of being based on the bot software's binary image on disk or in memory, it is based on the observed network traffic generated by the botnets. An example of such a signature for an IRC bot would be the following tuple [3]:

fnet = (Hosts, Ports, Nick, Pass, Channel)

The fingerprint includes the collection of hosts and ports known to be associated with a particular botnet's command-and-control architecture, along with the IRC nicknames, passwords, and channel join requests associated with that botnet. It therefore captures the packet details of the command-and-control interaction. Once these values are known for a particular botnet, the signatures can be fed into signature-based network intrusion detection systems such as Snort [1]. Two difficulties with this approach are as follows:
- A signature is needed to identify bot network activity, and such a signature must exist.
- This approach needs to analyse every incoming packet for the signature.

4.3 Anomaly-based Detection

Botnets often generate a high volume of traffic that may cause high network latency, and traffic on unusual ports [15]. An effective TCP-based anomaly detection technique with IRC tokenization
and IRC message statistics to detect botnet clients and reveal botnet servers has been proposed in [6]. First, this anomaly-based system implements an IRC parsing component to collect information on TCP packets and to determine an IRC channel. Next, the IRC channel traffic is correlated over a large set of sampled data in search of scanning activities. At last, the IRC channels with a high scanning count are stamped as possible botnet channels. A three-metric measurement to detect abnormal botnet behaviour, under the assumption that bots from the same botnet will have regularities in relationship, response, and synchronization, has been proposed in [8]. Another botnet detection system (BotHunter [6]) recognizes the bot by running a correlation algorithm with the help of a user-defined bot infection life cycle model. BotSniffer [7] is based on an anomaly-based detection algorithm designed to detect botnet C&C channels in a local area network, using the observation that bots within the same botnet demonstrate strong synchronization in their responses and activities (e.g., sending spam, scanning, and binary downloading). This technique cannot be used if the communication is encrypted.

4.4 Signature-based Detection

Signature-based detection [14] is the most common method that antivirus software uses to identify malware. This method is limited by the fact that it can only identify a limited number of threats. When antivirus software scans a file for malicious code, it checks the contents of the file against a dictionary of malicious code signatures. If a signature is found in a file, the antivirus software can take action to remove the virus. New viruses are being created each day, so the signature-based detection approach requires frequent updates of the virus signature dictionary.

5. Proposed Model

The main focus of the proposed model, shown in Figure 2, is to detect malicious bot processes running in the system.
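The Step 1 to Step 5 triage that the proposed model performs (signature check, installed-program check, dependency and registry start-up check, then removal), written out as an added worked example; this is not the paper's own code. The process records and the registry start-up entries are constructed inline so the decision logic runs on any platform; on a live Windows host they would be gathered from the TCP process list, a signature check such as Sigcheck, and the Run/Logon registry keys. The watchdog relation between the two sample bot binaries, the process names myapp.exe and tool.exe, and the function names triage and removal_plan are assumptions of the example. Removal is returned as an ordered action plan rather than executed.

```python
"""Added example: the proposed host-based triage (Steps 1-5) as pure
decision logic over pre-collected process records. Not the paper's code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class TcpProcess:
    """One entry of the TCP process list (Step 1) with the attributes that
    Steps 2-4 consult. Collecting them up front keeps the triage free of
    Windows API calls, so the same logic can be unit-tested anywhere."""
    pid: int
    name: str
    image_path: str
    signed: bool                       # Step 2: valid digital signature (e.g. Sigcheck result)
    manually_installed: bool           # Step 3: path belongs to a user-installed program
    monitor_pid: Optional[int] = None  # Step 4: pid of a watchdog that guards this process


# Constructed sample: image paths recorded under the registry start-up / logon keys.
STARTUP_ENTRIES: Set[str] = {
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Documents and Settings\user\Application Data\1DE.exe",
}

# Constructed sample TCP process list. The watchdog relation between the two
# bot binaries is an assumption of this example, not a finding of the paper.
SAMPLE_PROCS: List[TcpProcess] = [
    TcpProcess(1012, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe", True, True),
    TcpProcess(2040, "myapp.exe", r"C:\Program Files\MyApp\myapp.exe", False, True),
    TcpProcess(3100, "1DE.exe", r"C:\Documents and Settings\user\Application Data\1DE.exe", False, False),
    TcpProcess(3104, "1vvm.exe", r"C:\Documents and Settings\user\Application Data\1vvm.exe", False, False, monitor_pid=3100),
    TcpProcess(2200, "tool.exe", r"C:\temp\tool.exe", False, False),
]


def triage(procs: List[TcpProcess], startup_entries: Set[str]) -> Dict[str, List[int]]:
    """Steps 2-4. Returns the pids judged legitimate and the pids to remove,
    the latter ordered so a monitor process precedes the process it guards."""
    by_pid = {p.pid: p for p in procs}
    startup = {path.lower() for path in startup_entries}   # Windows paths are case-insensitive
    legitimate: List[int] = []
    malicious: List[int] = []

    # Step 2: a digital signature clears the process; the rest form the Unsigned Process List.
    unsigned = [p for p in procs if not p.signed]
    legitimate.extend(p.pid for p in procs if p.signed)

    # Step 3: unsigned but manually installed is not malicious; the rest are suspected.
    suspected: List[TcpProcess] = []
    for p in unsigned:
        if p.manually_installed:
            legitimate.append(p.pid)
        else:
            suspected.append(p)

    # Step 4: an independent suspect is malicious only if it auto-starts from the
    # registry; a dependent suspect is removed together with its monitor process.
    for p in suspected:
        if p.monitor_pid is None:
            if p.image_path.lower() in startup:
                malicious.append(p.pid)
            else:
                legitimate.append(p.pid)
        else:
            monitor = by_pid.get(p.monitor_pid)
            if monitor is not None and monitor.pid not in malicious:
                malicious.append(monitor.pid)   # monitor first, so it cannot respawn the bot
            if p.pid not in malicious:
                malicious.append(p.pid)
    return {"legitimate": legitimate, "malicious": malicious}


def removal_plan(proc: TcpProcess, startup_entries: Set[str]) -> List[Tuple[str, str]]:
    """Procedure Remove() of Step 5 as an ordered action list. The example
    describes the actions; executing them is left to the host tooling."""
    plan = [("kill", str(proc.pid))]
    if proc.image_path.lower() in {s.lower() for s in startup_entries}:
        plan.append(("remove_registry_entry", proc.image_path))
    plan.append(("delete_file", proc.image_path))
    return plan


if __name__ == "__main__":
    verdict = triage(SAMPLE_PROCS, STARTUP_ENTRIES)
    by_pid = {p.pid: p for p in SAMPLE_PROCS}
    print("legitimate:", [by_pid[pid].name for pid in verdict["legitimate"]])
    for pid in verdict["malicious"]:
        for action, target in removal_plan(by_pid[pid], STARTUP_ENTRIES):
            print(f"{by_pid[pid].name}: {action} {target}")
```

One caveat the decision logic makes visible: only processes with TCP connections enter the list in Step 1, so a watchdog that never opens a socket would not be found by `by_pid` and the dependent bot would be killed alone; a deployment would need a second collection pass over all processes when a monitor is referenced but absent.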
The following algorithm, which we implemented, gives the detailed description of the proposed solution.

Step 1: Get the TCP process list and the path of each process.

Step 2: While (TCP process list not empty):
    If (digital signature of the process exists) then legitimate process
    Else push the process details to the Unsigned Process List

Step 3: If (Unsigned Process List empty) then no malicious process
    While (Unsigned Process List not empty):
        If (process manually installed) then not a malicious process
        Else push to the Suspected Malicious Process List

Step 4: If (Suspected Malicious Process List empty) then no malicious processes
    While (Suspected Malicious Process List not empty):
        If (process is independent):
            If (image path of the process is available in registry start-up entries or logon entries) then submit process to Procedure Remove()
            Else not a malicious process
        Else (process is dependent):
            - Identify the monitor process
            - Submit the monitor process to Procedure Remove()
            - Submit the dependent process to Procedure Remove()

Step 5: End

Procedure Remove():
    - Kill the process
    - Remove the registry entries of the process
    - Delete the .exe from the system

In this method we first get the TCP processes and their paths. If the TCP process list is not empty, we check whether each process has a digital signature. If it has a digital signature it is a legitimate process. If a process has no digital signature we send it to the list called the Unsigned Process List. Then we check, for each process in the Unsigned Process List, whether it was manually installed or not. If it was not manually installed we send that process to the Suspected Malicious Process List. If a process in this list is independent and the image path of the process is available in the registry start-up entries or logon entries, then it is a malicious process and we remove it. In the proposed algorithm, the Process Explorer tool is used to identify whether a process is dependent or independent. Process Explorer [15] is an
advanced process management utility. It shows detailed information about a process including its icon, command line, full image path, memory statistics, user account, security attributes, and more.

Figure 2. The Proposed Model

Figure 3. Flow chart for Removal of Bot

6. Experiment

The proposed solution was tested on a Windows XP machine with the Sigcheck tool installed on it. Bot processes, namely 1DE.exe and 1vvm.exe, were installed on the Windows XP machine, thus making it a bot. When the proposed solution was installed on the bot-infected machine, it was found that the bot processes were separated from the list of genuine processes running on the system. Further, the malicious bot processes were killed and removed from the system, thus making it bot free.

7. Conclusion and Future Work

Botnet is one of the serious threats to computer systems today. Our proposed solution is a host-based method which enables online detection and removal of bot processes. The detection and removal of a bot process is based on the detection of an illegitimate process which uses TCP connections, and involves observing the digital signature, the installed-program path and the registry entries associated with the process. This proposal has been tested on the Windows operating system and was found to detect and remove malicious bot processes.

8. References

[1] Zhaosheng Zhu, Guohan Lu, Yan Chen. Botnet Research Survey. Annual IEEE International Computer Software and Applications Conference, pages 967-970, 2008.
[2] Abu Hamed Mohammad Misbah Uddin. Detecting Botnets Based on their Behaviors Perceived from Network Data. University of Tartu, pages 82-82, 2009.
[3] Gu, G., Zhang, J., Lee, W. BotSniffer: Detecting botnet command and control channels in network traffic. In Proceedings of the 15th Annual Network and Distributed System Security Symposium, pages 1-2, February 2008.
[4] J.
Govil. Examining the criminology of bot zoo. In Proceedings of the 6th International Conference on Information, Communications and Signal Processing (ICICS 07), pages 1-6, Singapore, December 2007.
[5] Jose Andre Morales, Areej AlBataineh. Analyzing DNS Activities of Bot Processes. Institute for Cyber Security, University of Texas at San Antonio, 4th International Conference on Malicious and Unwanted Software (MALWARE), pages 98-99, 2009.
[6] Gu, G., Porras, Ph., Yegneswaran, V., Fong, M., Lee, W. BotHunter: Detecting malware infection through IDS-driven dialog correlation. In 16th USENIX Security Symposium (Security 07), pages 1-3, 2007.
[7] Guofei Gu, Junjie Zhang, and Wenke Lee. BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic. In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS'08), San Diego, CA, page 3, February 2008.
[8] M. Akiyama, T. Kawamoto, M. Shimamura, T. Yokoyama, Y. Kadobayashi, and S. Yamaguchi. A proposal of metrics for botnet detection based on its cooperative behavior. In Applications and the Internet Workshops, 2007. SAINT Workshops 2007. International Symposium on, pages 82-83, 2007.
[9] Hossein Rouhani Zeidanloo, Farhoud Hosseinpour and Farhood Farid Etemad. New Approach for Detection of IRC and P2P Botnets. International Journal of Computer and Electrical Engineering, Vol. 2, No. 6, pages 1039-1043, December 2010.
[10] Ping Wang, Sherri Sparks, and Cliff C. Zou. An Advanced Hybrid Peer-to-Peer Botnet. IEEE Transactions on Dependable and Secure Computing, vol. 7, no. 2, April-June 2010.
[11] Wikipedia, Botnet, http://en.wikipedia.org/wiki/botnet.
[12] Wikipedia, Honeypot, http://en.wikipedia.org/wiki/honeypot(computing).
[13] Eric Peter, Todd Schiller. A Practical Guide to Honeypots, http://www.cs.wustl.edu/~jain/cse571-09/ftp/honey/index.html#sec1.5.
[14] Mark Russinovich, Sigcheck v1.71, http://www.easynetlive.info/based-detection.html.
[15] http://www.k-state.edu/its/security/training/2009-4-9/presentations/handouts/Process_Explorer_Tutorial_Handout.pdf