A Multifaceted Approach to Understanding the Botnet Phenomenon - PowerPoint PPT Presentation

Provided by: RDF3
Learn more at: http://www.cs.ucf.edu
1
A Multifaceted Approach to Understanding the
Botnet Phenomenon
  • Authors: Moheeb Abu Rajab, Jay Zarfoss, Fabian
    Monrose, Andreas Terzis
  • Publication: Internet Measurement Conference,
    IMC'06, Brazil, October 2006
  • Presenter: Richard Bares

2
What Is A Botnet?
  • A botnet is a network of infected end-hosts,
    called bots, that are under the control of a
    human operator commonly known as the botmaster
  • Like other malware, botnets use software
    vulnerabilities to infect or recruit other
    machines

3
What Makes A Botnet Different From Other Malware?
  • Their defining characteristic is the use of a
    command and control (C&C) channel
  • These channels include
    • IRC (Internet Relay Chat)
    • P2P (Peer to Peer)
    • HTTP

4
How A Botnet Works
5
How To Find Out More about Botnets?
  • Malware collection: capturing the binary code
  • Binary analysis via grey-box testing
  • Longitudinal tracking of IRC botnets through IRC
    and DNS tracking

6
What kind of system is needed?
7
Malware Collection
  • Use of a modified Nepenthes platform
    • Mimics the replies of vulnerable services
    • Used to collect data on botnets that use known
      exploits
  • Honeypot made up of VMware virtual machines
    • Used to collect data on botnets that use unknown
      exploits

8
Binary Analysis
  • Creation of a network fingerprint
    • Monitored a VMware Windows XP guest
    • Collected IPs, DNS queries, ports, and scans
  • Extraction of IRC-related features
    • Used the UnrealIRC daemon
    • Monitored the infected VMware guest to find IRC
      channel passwords
    • Learned the botnet's dialect and commands

9
Tracking of Botnets
  • IRC tracker
    • Modified IRC client that mimics an infected PC
    • Responds to C&C while collecting data
  • DNS tracker
    • Monitors major DNS servers
    • Keeps track of requests for domain names found in
      botnet code
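A small replay of the DNS-tracker idea, added here as an illustration and not code from the paper or the presentation: it matches resolver log lines against a watchlist of domain names (placeholders standing in for names extracted from bot binaries; the log lines are constructed), estimates footprint as distinct querying hosts per hour, and produces the cumulative growth curve used to follow a botnet's size over time.

```python
from collections import defaultdict
from datetime import datetime
# Watchlist: domain names "found in botnet code" (placeholders, not real IoCs).
WATCHLIST = {"cc-example.invalid", "update.cc-example.invalid"}

# Constructed resolver log lines: "<ISO timestamp> <client-ip> <qname> <qtype>".
SAMPLE_LOG = """\
2006-03-01T00:01:02 10.0.0.5 cc-example.invalid A
2006-03-01T00:01:09 10.0.0.7 www.example.com A
2006-03-01T00:02:30 10.0.0.5 cc-example.invalid A
2006-03-01T00:05:00 10.0.0.9 update.cc-example.invalid A
2006-03-01T01:10:00 10.0.0.11 cc-example.invalid A
2006-03-01T01:20:00 10.0.0.5 cc-example.invalid A
2006-03-01T01:40:00 10.0.0.12 CC-Example.Invalid. A
"""

def parse_line(line):
    """Return (timestamp, client_ip, qname) for one log line, or None if malformed.
    The qname is lower-cased and stripped of its trailing dot before matching."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2].rstrip(".").lower()

def footprint_by_hour(log_text, watchlist):
    """Map (hour bucket, domain) -> distinct clients that resolved a watchlisted
    name in that hour. Distinct hosts, not query counts, approximate footprint."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname = rec
        if qname in watchlist:
            buckets[(ts.strftime("%Y-%m-%dT%H"), qname)].add(client)
    return buckets

def growth_series(buckets, domain):
    """Cumulative distinct hosts per hour for one domain (longitudinal view)."""
    seen, series = set(), []
    for hour, dom in sorted(buckets):
        if dom == domain:
            seen |= buckets[(hour, dom)]
            series.append((hour, len(seen)))
    return series
```

Counting distinct hosts rather than queries matters because a single bot re-resolves its C&C name repeatedly, so raw query volume overstates the footprint.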

10
Botnet Structure
  • 318 botnets observed, 60% of those IRC
  • 70% of IRC botnets connected to one server
  • 30% of IRC botnets connected to multiple servers
  • IRC servers are linked together, allowing a large
    number of bots to be controlled

11
Botnet Software Taxonomy
  • Turns off anti-virus software and firewalls
  • Installs TCP identification software
  • Installs a system security monitor
  • Installs a registry monitor
  • Support for multiple exploits
  • Code allows the botmaster to push updates and add
    new exploits to the bot code

12
Contributions
  • Expanded knowledge of botnets
  • Formulated a way to track and estimate the growth
    and size of botnets
  • Formulated a way to capture botnet code
  • Examined common botnet code

13
Weaknesses
  • Did not cover HTTP or P2P botnets even though
    together these make up 30% of the botnets they
    observed
  • A considerable amount of research would be needed
    to find ways to track these botnets