Module 03 -

Botnets
 Botnet Threat
 Botnets are a major threat to the Internet because:
 Consist of a large pool of compromised computers that are
organized by a master.
 a.k.a., Zombie Armies

 Carry out sophisticated attacks to disrupt, gather sensitive

data, or increase armies
 Armies are in the 1000’s to aggregate computing power
 Communication network allows bots to evolve on
compromised hosts
Evolution of Botnets
 Motivation change in computer hacking
 Vandalism  Financial gains
 Loss of $67.2 billion (2006 figure)
 eCrime Market Operation
Raw Materials Goods (Re)Application Goal

Market Wealth

S
SS
Buy, Sell, & Trade

4
Sensitive Data and Market
Significance
Percentage of Labeled Credit Card #s

SSNsAccount #s
Bank
Data

Sensitive Data
Type

5
Botnet Architecture

Botmaster

Bot Bot
Bot

Recruiting Recruiting
Recruiting
Botnet Taxonomy
A taxonomy model is necessary to develop the intelligence to
identify, detect, and mitigate the risk of an attack.

Classification Scheme
 Attacking Behavior
 C&C Models
 Rally Mechanisms
 Communication Protocols
 Observable botnet activities
 Evasion Techniques
Attacking Behaviors
 Infecting new hosts
 Social engineering and distribution of malicious emails or other
electronic communications (i.e. Instant Messaging)
 Example - Email sent with botnet diguised as a harmless
attachment.
 Stealing personal information
 Keylogger and Network sniffer technology used on compromised
systems to spy on users and compile personal information
 Phishing and spam proxy
 Aggregated computing power and proxy capability make allow
spammers to impact larger groups without being traced.
 Distributed Denial of Service (DDoS)
 Impair or eliminate availability of a network to extort or disrupt
business
Command and Control (C&C)
 Essential for operation and support of botnet
 3 Styles – Centralized, P2P and Randomized
 Weakest link of the botnet because:
 Elimination of botmaster takes out the botnet
 High level of activity by botmaster makes them
easier to detect than their bots
C&C Centralized Model
 Advantage: Simple to deploy, cheap, short latency for
large scale attacks
 Disadvantage: Easiest to eliminate
C&C Centralized Model
Example
3 Steps of
Authentication
 Bot to IRC
Server
 IRC Server to
Bot
 Botmaster to
Bot

(*) : Optional Step

Peer to Peer Model
 Advantage: Resilient to failures, hard to discover,
hard to defend.
 Disadvantage: Hard to launch large scale attacks
because P2P technologies are currently only
capable of supporting very small groups (< 50
peers)
P2P Botnet Example: Storm
The Overnet network Storm uses is extremely dynamic. Peers come and go and
can change OIDs frequently. In order to stay “well connected” peers must
periodically search for themselves to find nearby peers:

Storm
Node
Rallying Mechanisms
 Hard-coded IP address
 The bot communicates using C&C ip addresses that are
hard-coded in it’s binary files.
 Easy to defend against, as ip addresses are easily
detectable and blocked, which makes the bot useless.
Rallying Mechanisms
 Dynamic IP address with DNS domain name resolution
 Hard-coded C&C domains names.
 Detection harder when botmaster randomly changes the
mapped IP address
 If connection fails the bot performs DNS queries to obtain
the new C&C address for redirection.
Rallying Mechanisms
 Distributed DNS Service
 Hardest to detect & destroy. Newest mechanism.
Sophisticated.
 Botnets run own DNS service out of reach of authorities
 Bots use the DNS addresses to resolve the C&C servers
 Use high port numbers to avoid detection by security
devices and gateways
Communication Protocols
 In most cases botnets use well defined and accepted
Communication Protocols. Understanding the
communication protocols used helps to:
 Determine the origins of a botnet attack and the software
being used
 Allow researchers to decode conversations happening
between the bots and the masters

 There are two main Communication Protocols used

for bot attacks:
 IRC
 HTTP
IRC Protocol
 IRC Botnets are the predominant version
 IRC mainly designed for one to many
conversations but can also handle one to one
 Most corporate networks do not allow IRC traffic
so any IRC requests can determine and external
or internal bot
 Outbound IRC requests means an already infected
computer on the network
 Inbound IRC requests mean that a network computer is
being recruited
HTTP Protocol
 Due to prevalence of HTTP usage it is harder to
track a botnet that uses HTTP Protocols
 Using HTTP can allow a botnet to skirt the
firewall restrictions that hamper IRC botnets
 Detecting HTTP botnets is harder but not
impossible since the header fields and the
payload do not match normal HTTP traffic
 Some new options emerging are IM and P2P
protocols and expect growth in the future
HTTP Botnet Example: Fast-
flux Networks
 Commonly used
scheme
 Used to control
botnets w/
hundreds or even
thousands of nodes
Chronicle of Botnets
Observable Behaviors
 Three categories of observable Botnet
behaviors:
 Network-based
 Host-based
 Global Correlated
 Network-Based
 Network patterns can be used to detect Botnets
 IRC & HTTP are the most common forms of Botnet
communications
 Detectable by identifying abnormal traffic patterns.
 IRC communications in unwanted areas
 IRC conversations that human’s can not understand
 DNS domain names
 DNS queries to locate C&C server
 Hosts query improper domain names
 IP address associated with a domain name keeps changing
periodically
 Traffic
 Bursty at times, and idle the rest of the time
 Abnormally fast responses compared to a human
 Attacks (eg: Denial of Service) - Large amounts of invalid TCP
SYN Packets with invalid source IP addresses
Host-Based
Botnet behavior can be observed on the host
machine.
 Exhibit virus like activities
 When executed, Botnets run a sequence of
routines.
 Modifying registries
 Modifying system files
 Creating unknown network connections
 Disabling Antivirus programs
Global Correlated
 Global characteristics are tied to the
fundamentals Botnets
 Not likely to change unless Botnets are
completely redesigned and re-implemented
 Most valuable way to detect Botnets
 Behavior the same regardless if the Botnets
are communicating via IRC or HTTP
 Global DNS queries increase due to assignment of
new C&C servers
 Network Flow disruptions
Conclusion
 By using the taxonomy and accurately
identifying what type of botnet you are
dealing with it will be easier to use the
correct evasion technique.
BACKUP SLIDES
Evasion Techniques
 Sophistication of Botnets allow them to evade
 AV Engines
 Signature base intrusion detection systems (IDS)
 Anomaly-based detection systems

 Techniques
 Executable packers
 Rootkits
 Protocols
Evasion Techniques
 Moving away from IRC
 Taking control of
 HTTP
 VoIP
 IPV6
 ICMP
 Skype protocols
Evasion Techniques
 Skype, the best botnet ever??
 Very popular, 9M+ users, average 4M+ connected

 Very good firewall ”punching” capabilities

 Obfuscated and persistent network flow

 Provides network API

 Skype provides network connectivity and obfuscation

 Skype is resilient by design

 Just need nickname(s) for communications

 Things are easy

 Exploit Skype

 Install bot as Skype plugin

 Generate plugin authorization token and execute

Beating Evasion Techniques
 Prevention
 Find C&C servers and destroying them
 Most effective method for prevention and
cure:
 Combining traditional detection
mechanisms with those based on
anomaly network behavior
 Round 3

Bootstrapping Peer
Round 1

Round 4

Round 2
Overnet Message Passing:
Overnet has three basic message types to facilitate proper function of the
network:

Connect:
A peer uses connect messages to report their OID to other peers and
to receive a list of peers somewhat close to the peer.
Search:
A peer uses search messages to find resources and other nodes
based on OID.
Publicize:
A peer uses publicize messages to report ownership of network
resources (OIDs) so that other peers can find the resource later.
Random Mechanisms
 Theoretical architecture: Evan Cooke, et al describe the model
 Easy implementation and resilient to discovery and destruction
 Scalability limitations make it impractical for large scale attacks.
 Bots sleep and are not activated until Bot Master is ready to
attack