CS 6262 - Network Security: Botnets
Professor Patrick Traynor
Fall 2011

Story
Botnets
- A botnet is a network of software robots (bots) running on zombie machines, which are controlled through command and control networks.
- IRCbots - command and control over IRC
- Bot herder - owner/controller of the network
- "scrumping" - stealing resources from a computer
- Surprising factoid: the IRC server is exposed.
Statistics (controversial)
- The actual number of bots, the size of the botnets and their activity are highly controversial.
- As of 2005/6: hundreds of thousands of bots; 1/4 of hosts are now part of botnets; growing fast (many more bots)
- Assertion: botnets are getting smaller (?!?) When they become large, they are more likely to be noticed and targeted for takedown.
What are botnets being used for?
[Figure: uses of botnets - piracy, mining, attacks, hosting; 50 botnets observed, 100-20,000 bots/net, clients/servers spread around the world, different geographic concentrations]
Activities we have seen:
- Stealing CD keys:
  ying!ying@ying.2.tha.yang PRIVMSG #atta :BGR 0981901486 $getcdkeys
  BGR 0981901486!nmavmkmyam@212.91.170.57 PRIVMSG #atta :Microsoft Windows Product ID CD Key: (55274-648-5295662-23992).
  BGR 0981901486!nmavmkmyam@212.91.170.57 PRIVMSG #atta :[CDKEYS]: Search completed.
- Reading a user's clipboard:
  B][!Guardian@globalop.xxx.xxx PRIVMSG ##chem## :~getclip
  Ch3m 784318!~zbhibvn@xxx-7CCCB7AA.click-network.com PRIVMSG ##chem## :- [Clipboard Data]-
  Ch3m 784318!~zbhibvn@xxx-7CCCB7AA.click-network.com PRIVMSG ##chem## :If You think the refs screwed the seahawks over put your name down!!!
- DDoS someone:
  devil!evil@admin.of.hell.network.us PRIVMSG #t3rr0r0fc1a :!pflood 82.147.217.39 443 1500
  s7n 2K503827!s7s@221.216.120.120 PRIVMSG #t3rr0r0fc1a :\002Packets\002 \002D\002one \002;\002>\n
  s7n 2K503827!s7s@221.216.120.120 PRIVMSG #t3rr0r0fc1a flooding...\n
- Set up a web server (presumably for phishing):
  [DeXTeR]!alexo@l85-130-136-193.broadband.actcom.net.il PRIVMSG [Del]29466 :.http 7564 c:\\
  [Del]38628!zaazbob@born113.athome233.wau.nl PRIVMSG _[DeXTeR] :[HTTPD]: Server listening on IP: 10.0.2.100:7564, Directory: c:\\.
Other goals of a botnet...
- SPAM relays
- Click fraud
- Spamdexing
- Adware
IRC
- 1988 - one-to-many or many-to-many chat (for BBS)
- Client/server -- TCP port 6667
- Used to report on the 1991 Soviet coup attempt
- Channels (sometimes password protected) are used to communicate between parties.
- Invisible mode (no list, not known)
- Invite only (must be invited to participate)
[Figure: a network of interconnected IRC servers]
IRC botnets
- An army of compromised hosts (bots) coordinated via a command and control center (C&C).
- The perpetrator is usually called a botmaster.
[Figure: IRC server controlling bots (zombies), which are told to "Find and infect more machines!"]
"A botnet is comparable to compulsory military service for windows boxes" -- Bjorn Stromberg
Typical (IRC) infection cycle
[Figure: infection cycle; one step is marked optional]
- Bots usually require some form of authentication from their botmaster
P2P Botnets
- Bots that rely on centralized communications mechanisms such as IRC are generally easy to attack. Single point of failure for the bad guys...
- Increasingly, botnets have turned to P2P-based architectures to avoid such weaknesses. e.g., Slapper, Phatbot, Conficker
- What are the challenges for a botmaster relying on a P2P architecture?
P2P Botnets
- What advantages do defenders have in this situation?
- How do communication patterns compare to IRC bots?
- How do you tell between legitimate P2P traffic and that associated with bots?
Wireless/Mobile
[Figure: a mobile device with multiple network interfaces]
- Mobile devices offer new avenues for botnets.
- With the ability to communicate over multiple (5) interfaces, how does a provider defend against such multi-homed botnets?
- How does this change the game in terms of communications strategies for botmasters?
Infection
- Worms, Trojan horses, backdoors, browser bugs, etc...
- Note: the software on these systems is updated
- Bot theft: bot controllers penetrate/"steal" bots.
Not only for launching attacks...
- Some botmasters pay very close attention to their bots, hence covert infiltration is important
- In many cases, botmasters inspect their bots fairly regularly, and isolate certain bots (cherry picking)
  #HINDI-FILMZ :#1 294x [698M] [Movie] Dil Bechara Pyar Ka Mara DvD-RiP [ Full / AVI / 2001 ]
  #HINDI-FILMZ :#2 126x [141K] [English Subtitles] Dil Bechara Pyar Ka Mara
  #HINDI-FILMZ :** 2 packs ** 3 of 3 slots open, Record: 45.3KB/s
  #HINDI-FILMZ :** Bandwidth Usage ** Current: 0.0KB/s, Record: 304.5KB/s
  #HINDI-FILMZ :** To request a file type: /"/msg [HF]-[Street-Hunk]-30 xdcc send #x/" **
  #HINDI-FILMZ :** -= #Hindi-Filmz=- **
  #HINDI-FILMZ :** I M 100% Desi!! **
  #HINDI-FILMZ :Total Offered: 698.5 MB Total Transferred: 206.57 GB
- That's a lot of movies served! (~300)
How are researchers learning?
- Honeypots are often used to attract, observe and eventually dissect bots.
- A number of recent efforts in this space have actually hijacked active botnets. Large portions of these networks have been monitored:
  - ... to learn about the targets of the botnet (and their success in exploiting them).
  - ... to learn about weaknesses in their architecture to use as a means of potentially interfering with the botnet.
  - ... to figure out whether deployed defenses are helping at all.
Lots of bots out there
- The level of botnet threat is supported by the conjecture that large numbers of bots are available to inflict damage
- Press quotes:
  "Three suspects in a Dutch crime ring hacked 1.5 million computers worldwide, setting up a zombie network" -- Associated Press
  "The bot networks that Symantec discovers run anywhere from 40 systems to 400,000" -- Symantec
Measuring botnet size
- Two main categories:
  - Indirect methods: inferring botnet size by exploiting the side-effects of botnet activity (e.g., DNS requests)
  - Direct methods: exploiting internal information from monitoring botnet activity
Indirect Methods
- Mechanisms: DNS blacklists; DNS snooping
- What do they provide? A DNS footprint
- Caveats:
  - The DNS footprint is only a lower bound of the actual infection footprint of the botnet
  - DNS records with small TTLs
  - DNS servers blocking external requests (~50%)
DNS Blacklist
- The value of a bot is related to its status on the DNS blacklists
- Compromised hosts are often used as SMTP servers for sending spam.
- DNS blacklists are lists maintained by providers that record the hosts from which they have received SPAM.
- Organizations review blacklists before allowing mail from a host.
- A "clean" bot (not listed) is worth a lot
- A listed bot is largely blocked from sending SPAM
[Figure: hosts A, B, C, D, E, F ... checked against the blacklist]
DNS-BL Monitoring
- Observation: bot controllers/users need to query for the BL status of hosts to determine their value.
- Idea: if you watch who is querying (and you can tell the difference from legitimate queries), then you know something is a bot
- Understanding the in/out ratio: λ_n = d_{n,out} / d_{n,in}, where d_{n,out} is the number of queries made by host n and d_{n,in} is the number of queries made for host n
- Q: what does a high ratio mean? Low?
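The following script, added here as a worked example and not part of the lecture material, computes λ_n from a constructed sample of DNSBL resolver queries. The blacklist zone name bl.example.org, the addresses, and the log format (querying host followed by the query name) are all assumptions; the only detail taken from real DNSBL practice is that a lookup reverses the octets of the address being checked, so the host "for" which a query is made has to be recovered from the query name.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample of resolver query logs for a DNSBL zone (not real data).
# Each line: <querying host> <query name>. DNSBL lookups reverse the octets of
# the address being checked, so "25.2.0.192.bl.example.org" asks about 192.0.2.25.
SAMPLE_LOG = """\
198.51.100.10 25.2.0.192.bl.example.org
198.51.100.10 26.2.0.192.bl.example.org
198.51.100.10 27.2.0.192.bl.example.org
198.51.100.10 28.2.0.192.bl.example.org
203.0.113.5 10.100.51.198.bl.example.org
203.0.113.5 25.2.0.192.bl.example.org
192.0.2.25 5.113.0.203.bl.example.org
192.0.2.26 5.113.0.203.bl.example.org
"""

BL_ZONE = "bl.example.org"  # hypothetical blacklist zone name


def queried_host(qname: str) -> Optional[str]:
    """Recover the IPv4 address a DNSBL query name is asking about, or None."""
    suffix = "." + BL_ZONE
    if not qname.endswith(suffix):
        return None
    labels = qname[: -len(suffix)].split(".")
    if len(labels) != 4 or not all(l.isdigit() and int(l) <= 255 for l in labels):
        return None
    return ".".join(reversed(labels))


def query_ratios(log_text: str) -> Dict[str, Tuple[int, int, float]]:
    """For every host n in the log return (d_out, d_in, lambda_n).

    d_out    = number of DNSBL queries issued *by* n
    d_in     = number of DNSBL queries issued *about* n
    lambda_n = d_out / d_in  (inf when nobody has ever asked about n)
    """
    d_out: Dict[str, int] = defaultdict(int)
    d_in: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        querier, qname = line.split()
        target = queried_host(qname)
        if target is None:
            continue  # not a well-formed DNSBL lookup; ignore
        d_out[querier] += 1
        d_in[target] += 1
    result = {}
    for n in set(d_out) | set(d_in):
        out, inn = d_out[n], d_in[n]
        result[n] = (out, inn, out / inn if inn else float("inf"))
    return result


def rank_by_ratio(log_text: str) -> List[Tuple[str, float]]:
    """Hosts ordered from highest to lowest lambda_n, for analyst review."""
    stats = query_ratios(log_text)
    return sorted(((n, s[2]) for n, s in stats.items()), key=lambda x: -x[1])


if __name__ == "__main__":
    for host, (out, inn, ratio) in sorted(query_ratios(SAMPLE_LOG).items()):
        print(f"{host:15} d_out={out} d_in={inn} lambda={ratio:.2f}")
```

The script only ranks hosts; deciding which end of the ranking deserves attention is exactly the question the slide poses, and in practice the ranking has to be compared against known legitimate mail servers before any host is labelled.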
Direct Methods
- Mechanisms:
  - Infiltrate botnets and directly count online bots
  - DNS redirection (by Dagon et al.)
- What do they provide?
  - Infection footprint & effective size (infiltration)
  - Infection footprint (DNS redirection)
- Caveats:
  - Cloning (infiltration)
  - Counting IDs vs. counting IPs (infiltration)
  - Measuring membership in the DNS sinkhole (DNS redirection)
  - Botmasters block broadcasts on the C&C channel (infiltration) (~48%)
Estimating size [Monrose et al.]
- DNS redirection sinkhole: identify, then self-poison DNS entries
- DNS cache hits: query for the IRC server to see if it is in the cache. If yes, at least one bot in the network within the TTL (see [14])
- Limitations: TTL, not all servers answer, lower bound on bots
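The DNS cache-hit idea above (and the "DNS snooping" mechanism listed under Indirect Methods) comes down to one protocol detail: a query with the recursion-desired (RD) bit cleared makes a resolver answer only from its cache, and a cached record's TTL counts down from the authoritative value, so the difference tells you how long ago some client of that resolver looked the name up. The script below is an added example, not code from the lecture or from the cited paper; it builds such a query and interprets responses with the standard library, using constructed packets so it runs offline. The C&C name cnc.example.net, the authoritative TTL of 3600, and the address 192.0.2.7 are assumptions.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Hypothetical C&C host name and authoritative TTL for the constructed packets below.
CNC_NAME = "cnc.example.net"
AUTHORITATIVE_TTL = 3600


def encode_name(name: str) -> bytes:
    """DNS wire encoding: length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.strip(".").split("."))
    return out + b"\x00"


def build_snoop_query(name: str, txid: int = 0x1234) -> bytes:
    """A-record query with RD=0: the resolver may only answer from its cache."""
    flags = 0x0000  # QR=0, OPCODE=0, RD=0 (no recursion)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def skip_name(pkt: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(pkt: bytes) -> Tuple[int, List[Tuple[int, int, bytes]]]:
    """Return (rcode, [(rtype, ttl, rdata), ...]) for the answer section."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4          # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        answers.append((rtype, ttl, pkt[off:off + rdlen]))
        off += rdlen
    return rcode, answers


def interpret_snoop(pkt: bytes, authoritative_ttl: int) -> Dict[str, Optional[int]]:
    """Decide whether the name was cached and how long ago it was fetched.

    A cached record's TTL counts down from the authoritative TTL, so
    authoritative_ttl - ttl is the time since some client of this resolver
    resolved the name. That yields a lower bound of one bot behind the resolver.
    """
    rcode, answers = parse_response(pkt)
    if rcode == 5:                                   # REFUSED: resolver blocks such queries
        return {"status": "refused", "seconds_since_cached": None, "lower_bound_bots": None}
    a_ttls = [ttl for rtype, ttl, _ in answers if rtype == 1]
    if rcode != 0 or not a_ttls:
        return {"status": "not_cached", "seconds_since_cached": None, "lower_bound_bots": 0}
    return {"status": "cached",
            "seconds_since_cached": authoritative_ttl - min(a_ttls),
            "lower_bound_bots": 1}


def constructed_response(flags: int, answer_ttl: Optional[int]) -> bytes:
    """Build the packet a resolver would return; used only to exercise the code offline."""
    ancount = 0 if answer_ttl is None else 1
    pkt = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
    pkt += encode_name(CNC_NAME) + struct.pack("!HH", 1, 1)
    if answer_ttl is not None:
        pkt += b"\xc0\x0c"                               # pointer to the question name
        pkt += struct.pack("!HHIH", 1, 1, answer_ttl, 4) + bytes([192, 0, 2, 7])
    return pkt


CACHED_REPLY = constructed_response(0x8080, 2400)     # QR=1, RA=1, rcode 0, one A record
EMPTY_REPLY = constructed_response(0x8080, None)      # nothing in cache
REFUSED_REPLY = constructed_response(0x8085, None)    # rcode 5: resolver refuses

if __name__ == "__main__":
    print(build_snoop_query(CNC_NAME).hex())
    for reply in (CACHED_REPLY, EMPTY_REPLY, REFUSED_REPLY):
        print(interpret_snoop(reply, AUTHORITATIVE_TTL))
```

The three constructed replies map onto the slide's limitations: a hit gives only a lower bound of one bot (any number of clients behind that resolver share the entry), a miss says nothing once the TTL has expired, and a REFUSED reply is the "not all servers answer" case, since many resolvers reject non-recursive or external queries outright.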
How many bots?
- Approach: infiltration templates based on collected honeynet data, e.g., observing compromised hosts that are identified within the channel
- How many? 1.1 million distinct user IDs used; 425 thousand distinct IP addresses
- Issues: NAT/DHCP? Cloaked IP addresses (SOCKS proxies?) Botnet membership overlap
Botnet size, what does it mean?
- Infection footprint: the total number of infected bots throughout a botnet's lifetime. Relevance: how widespread the botnet infection is
- Effective botnet size: the number of bots simultaneously connected to the command and control channel. Relevance: the botnet's capacity to execute botmaster commands (e.g., flood attacks)
- An example: while a botnet appeared to have a footprint of 45,000 bots, the number of online bots (i.e. its effective size) was < 3,000
Are we counting unique infections?
- Temporary migration (moving between bot channels)
- Cloning: cloning activity observed in 20% of the botnets tracked; 130,000 bots created more than 2 million clones during our tracking period
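To make the distinctions of the last three slides concrete (footprint vs. effective size, counting IDs vs. counting IPs, and the effect of clones or NAT on both), here is an added example that replays a constructed C&C channel log and computes each number. It is not code from the lecture or from the cited measurement study; the log format ("<seconds> JOIN <bot id> <ip>" / "<seconds> PART <bot id>"), the bot IDs and the addresses are all assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed C&C channel log (not real data).
# Lines are "<seconds> JOIN <bot id> <ip>" or "<seconds> PART <bot id>".
SAMPLE_EVENTS = """\
0  JOIN bot-aaa 192.0.2.10
5  JOIN bot-bbb 192.0.2.11
10 JOIN bot-ccc 192.0.2.10
30 JOIN bot-ddd 192.0.2.12
35 PART bot-aaa
40 PART bot-bbb
50 JOIN bot-eee 192.0.2.13
60 PART bot-ccc
70 PART bot-ddd
"""


def parse_events(text: str) -> List[Tuple[int, str, str, str]]:
    """Turn the log into (time, action, bot_id, ip) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        t, action, bot_id = int(parts[0]), parts[1], parts[2]
        ip = parts[3] if action == "JOIN" else ""
        events.append((t, action, bot_id, ip))
    return sorted(events, key=lambda e: e[0])


def botnet_size(text: str) -> Dict[str, object]:
    """Infection footprint (over the whole log) versus effective size (peak concurrent),
    each counted both by bot ID and by IP address."""
    seen_ids = set()
    seen_ips = set()
    ids_per_ip = defaultdict(set)
    online: Dict[str, str] = {}      # bot id -> ip, for bots currently on the channel
    peak_ids = 0
    peak_ips = 0
    for _t, action, bot_id, ip in parse_events(text):
        if action == "JOIN":
            seen_ids.add(bot_id)
            seen_ips.add(ip)
            ids_per_ip[ip].add(bot_id)
            online[bot_id] = ip
        elif action == "PART":
            online.pop(bot_id, None)
        peak_ids = max(peak_ids, len(online))
        peak_ips = max(peak_ips, len(set(online.values())))
    # An IP that presented several IDs is either a NAT/DHCP artefact or a cloning bot;
    # either way, counting IDs overstates the number of infected machines behind it.
    multi_id_ips = {ip: sorted(ids) for ip, ids in ids_per_ip.items() if len(ids) > 1}
    return {
        "footprint_by_id": len(seen_ids),
        "footprint_by_ip": len(seen_ips),
        "effective_size_by_id": peak_ids,
        "effective_size_by_ip": peak_ips,
        "multi_id_ips": multi_id_ips,
    }


if __name__ == "__main__":
    for key, value in botnet_size(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Even on nine events the four numbers disagree (5 IDs ever seen, 4 IPs, at most 4 connected at once by ID, 3 by IP), which is the slide's point that "botnet size" needs to say which definition and which counting method it uses.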
Summary
- Size estimation is harder than it seems
- Botnet size should be a qualified term: different size definitions lead to radically different estimates
- Current estimation techniques are laden with a number of caveats: cloning, counting method, migration, botnet structures, DHCP, NAT, etc.
- A prudent study of the problem requires persistent multifaceted tracking of botnet activity