Speaker: Hom-Jay Hom, Date: 2009/10/20. Botnet Research Survey, Zhaosheng Zhu et al., July 28-August 01 2008



Page 1: Title

Botnet Research Survey
Zhaosheng Zhu et al., July 28-August 01 2008

Speaker: Hom-Jay Hom
Date: 2009/10/20

Page 2: Outline

1. Introduction
2. Understanding Botnet
3. Detecting and Tracking Botnet
4. Defenses Against Botnet
5. Conclusion and Possible Future Work

Page 3: Introduction (1/2)

Botnet is a term for a collection of software robots, or bots. They run on groups of zombie computers controlled remotely by attackers. A typical bot can be created and maintained in four phases.

Page 4: Introduction (2/2)

1. Initial Infection: the host is compromised through a vulnerability, a malicious web page, email, or USB autorun.
2. Secondary Injection: the infected host downloads and runs the bot code; the download can be via FTP, HTTP or P2P.
3. Malicious Activities: the bot contacts its controller over an IRC, HTTP, DNS-based or P2P channel and carries out the commanded activities (spam, DDoS).
4. Maintenance and Upgrade: the bot binary is continuously updated.

Page 5: Understanding Botnet

Most current research focuses on understanding botnets. There are mainly three areas:
1. Bot Anatomy: analysis of the bot itself, mainly of its network-level behaviour, using binary analysis tools.
2. Wide-area Measurement Study: tracking botnets to reveal different aspects such as botnet size and the traffic generated.
3. Botnet Modeling and Future Botnet Prediction.

Page 6: Bot Anatomy

IRC Bot: the surveyed work analyzed the source code of four IRC-based bots: Agobot, SDBot, SpyBot and GT-Bot. Only Agobot is a fully-developed bot; it provides the following five features.

Page 7: Agobot five features

1. Exploits: exploits OS vulnerabilities and back doors.
2. Delivery: opens a shell on the remote host to download the (encoded) bot binary.
3. Deception: if it detected VMware it stopped running.
4. Function: steals system information and monitors local network traffic.
5. Recruiting: the botmaster recruits new bots through horizontal scanning (one port across many hosts) and vertical scanning (many ports on one host).

Page 8: HTTP Bot

Analyzed the HTTP-based spam bot module. The command and control (C&C) is HTTP-based and the communication channel is encrypted. IDA Pro is used to analyze the binary and find the encryption key.

Page 9: P2P-based

The authors note that centralized control offers a single point of failure for the botnet, so more robust architectures, such as P2P-based ones, are emerging.

Page 10: Fast-flux Networks (1/2)

Fast-flux networks are increasingly used by botnets, for example to host phishing websites. These websites are valuable assets, so the attackers hide their real IP addresses: a user first connects to a compromised computer, which serves as a proxy that forwards the user's requests to the real server and the responses from the server back to the user.

Page 11: Fast-flux Networks (2/2)

The new technique is called a fast-flux service network: the domain name resolves to a round-robin set of IP addresses (the proxy nodes) and the DNS records carry a very short Time-To-Live, so the set of addresses a client sees changes rapidly.
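The two fast-flux properties above (many rotating addresses, very short TTL) are what a defender can actually observe from the DNS side. The following is an added example written for this page, not code from the survey: it takes A-record answers collected from repeated lookups of a name and flags names whose address set is spread across many networks with short TTLs. The records are constructed, and the thresholds (MAX_TTL, MIN_ADDRS, MIN_ASNS) are assumed values; a real tool would look the ASN up from routing data rather than taking it as input.

```python
"""Heuristic fast-flux check over repeated DNS lookups.

Added illustration for the fast-flux slides, not code from the survey. The
answer records below are constructed, and the thresholds (MAX_TTL, MIN_ADDRS,
MIN_ASNS) are assumed values chosen for the demo; a real tool would look the
ASN up from a routing table instead of taking it as input.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AnswerRecord:
    name: str   # queried domain
    ip: str     # address returned in the A record
    ttl: int    # TTL of that record, seconds
    asn: int    # autonomous system that announces the address


# Assumed thresholds: a flux domain spreads its proxy nodes over many
# unrelated networks and keeps the TTL short so the set can rotate quickly.
MAX_TTL = 300
MIN_ADDRS = 5
MIN_ASNS = 3


def summarize(records):
    """Group answers by name and flag names whose address set looks fluxed."""
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec.name].append(rec)
    summary = {}
    for name, recs in by_name.items():
        ips = {r.ip for r in recs}
        asns = {r.asn for r in recs}
        min_ttl = min(r.ttl for r in recs)
        summary[name] = {
            "addresses": len(ips),
            "asns": len(asns),
            "min_ttl": min_ttl,
            "fast_flux": (min_ttl <= MAX_TTL
                          and len(ips) >= MIN_ADDRS
                          and len(asns) >= MIN_ASNS),
        }
    return summary


# Constructed answers from three lookups of each name, a few minutes apart.
SAMPLE_ANSWERS = [
    # fluxed phishing host: every lookup returns a fresh set of proxy IPs
    AnswerRecord("login-update.example", "198.51.100.12", 180, 64501),
    AnswerRecord("login-update.example", "203.0.113.40", 180, 64502),
    AnswerRecord("login-update.example", "192.0.2.77", 180, 64503),
    AnswerRecord("login-update.example", "198.51.100.201", 180, 64501),
    AnswerRecord("login-update.example", "203.0.113.9", 180, 64504),
    AnswerRecord("login-update.example", "192.0.2.130", 180, 64505),
    AnswerRecord("login-update.example", "198.51.100.88", 180, 64501),
    AnswerRecord("login-update.example", "203.0.113.222", 180, 64502),
    # ordinary round-robin: few addresses, one network, long TTL
    AnswerRecord("www.example.net", "192.0.2.10", 3600, 64510),
    AnswerRecord("www.example.net", "192.0.2.11", 3600, 64510),
    AnswerRecord("www.example.net", "192.0.2.12", 3600, 64510),
    # CDN-style: short TTL and many addresses, but only two networks,
    # so the ASN test keeps it from being flagged
    AnswerRecord("cdn.example.org", "203.0.113.100", 60, 64520),
    AnswerRecord("cdn.example.org", "203.0.113.101", 60, 64520),
    AnswerRecord("cdn.example.org", "203.0.113.102", 60, 64520),
    AnswerRecord("cdn.example.org", "198.51.100.50", 60, 64521),
    AnswerRecord("cdn.example.org", "198.51.100.51", 60, 64521),
    AnswerRecord("cdn.example.org", "198.51.100.52", 60, 64521),
]


def flagged_names(records=SAMPLE_ANSWERS):
    """Names that the heuristic marks as fast-flux, in sorted order."""
    return sorted(n for n, s in summarize(records).items() if s["fast_flux"])


if __name__ == "__main__":
    for name, stats in summarize(SAMPLE_ANSWERS).items():
        print(name, stats)
```

Note that the flagged addresses are the proxy nodes from the previous slide, not the real server: the "mothership" behind the proxies never appears in the DNS answers, which is exactly why the structure is attractive to the attacker. The CDN entry shows why a TTL test alone is not enough; legitimate content networks also use short TTLs, but their addresses stay within a few networks.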

Page 12: Wide-area Measurement Study

A honeynet-based botnet detection system, as well as some findings on botnets across the Internet. The system is composed of three modules:
1. Malware collection: Nepenthes and unpatched Windows XP in a virtualized environment.
2. Graybox testing: learn the botnet "dialect".
3. Botnet tracking: an IRC tracker lurks in the IRC channel and records commands.

Page 13: Botnet Modeling and Future Botnet Prediction

It creates a diurnal propagation model based on the fact that computers that are offline are not infectious. We still have no idea how close these models are to botnets in the real world.
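To make the diurnal idea concrete, here is an added toy model written for this page; it is a simplified discrete-time simulation, not the equations of the surveyed work. It assumes a cosine-shaped online-fraction profile and that a new infection needs both an online infected host (to scan) and an online susceptible host (to be hit), so the effective contact rate in each hour scales with the square of the online fraction. All parameters are assumptions.

```python
"""Toy diurnal propagation model.

Added illustration for the modeling slide; it is a simplified discrete-time
model written for this page, not the equations of the surveyed work. The
online-fraction profile and all parameters are assumptions.
"""
import math


def online_fraction(hour, low=0.2, high=0.9):
    """Assumed share of hosts that are switched on at a given hour of the day.

    A cosine peaking at 14:00 and bottoming out at 02:00; real data would come
    from measurements of bot activity over the day.
    """
    h = hour % 24
    return low + (high - low) * (1.0 + math.cos((h - 14) * math.pi / 12)) / 2.0


def simulate(hours, n_hosts=100_000, initial=10, beta=0.5, profile=online_fraction):
    """Hourly cumulative infected count.

    Only online infected hosts scan, and only online susceptible hosts can be
    hit, so the effective contact rate at hour t scales with profile(t)**2.
    """
    infected = float(initial)
    history = []
    for t in range(hours):
        a = profile(t)
        susceptible = n_hosts - infected
        new_infections = beta * (a * infected) * (a * susceptible) / n_hosts
        infected = min(float(n_hosts), infected + new_infections)
        history.append(infected)
    return history


def hourly_growth(history):
    """New infections in each hour, derived from the cumulative series."""
    return [later - earlier for earlier, later in zip(history, history[1:])]


if __name__ == "__main__":
    series = simulate(72)
    for t, count in enumerate(series):
        if t % 6 == 0:
            print(f"hour {t:3d} online={online_fraction(t):.2f} infected={count:10.1f}")
```

Running it shows growth stalling during the night hours and surging in the afternoon, which is the qualitative effect the slide describes. The slide's caveat still applies: a model like this is only as good as its profile and contact-rate assumptions, and nothing here validates them against a real botnet.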

Page 14: Detecting and Tracking Botnet

Honeynet based: first, there are several tools available to collect malware, but no tool for tracking the botnet. Secondly, the tracking tool needs to understand the botnet's "jargon" in order to be accepted by the botmaster. Moreover, the increasing use of anti-analysis techniques by the blackhat circle makes the development of the tool even more challenging.
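The IRC tracker mentioned on the wide-area measurement slide and again here is, at its core, an IRC client that stays connected, says nothing, and logs what the channel operator sends. The following is an added example written for this page, not the surveyed tracker's code: it parses raw IRC protocol lines, answers PING so a real connection would stay up, and records channel messages and topic changes that use the command prefix. The session is constructed, and the dot-prefixed command "dialect" is an assumption standing in for whatever graybox testing would have learned about a particular bot.

```python
"""Minimal IRC tracker that records commands issued in a botnet channel.

Added illustration for the honeynet/tracking slides; it is not the surveyed
tracker's code. It parses raw IRC protocol lines, answers PING so a real
connection would stay up, and logs channel messages that use the command
prefix. The session below is constructed and the dot-prefixed command
"dialect" is an assumption standing in for whatever graybox testing learned.
"""
import re

# <prefix> <command> <params> per RFC 2812 message framing
LINE_RE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<command>\S+)(?: (?P<params>.*))?$")


def parse_irc_line(line):
    """Split one raw line into (prefix, COMMAND, [params], trailing)."""
    match = LINE_RE.match(line.rstrip("\r\n"))
    if not match:
        return None
    params_raw = match.group("params") or ""
    trailing = None
    if params_raw.startswith(":"):
        middle, trailing = "", params_raw[1:]
    elif " :" in params_raw:
        middle, trailing = params_raw.split(" :", 1)
    else:
        middle = params_raw
    return match.group("prefix"), match.group("command").upper(), middle.split(), trailing


def reply_for(line):
    """Keep-alive: the tracker must answer PING or the server drops it."""
    parsed = parse_irc_line(line)
    if parsed and parsed[1] == "PING":
        return "PONG :" + (parsed[3] or "")
    return None


def record_commands(lines, channel, command_prefix="."):
    """Return (nick, message type, command text) for each command in the channel.

    Both PRIVMSG and TOPIC matter: IRC bots commonly take standing orders from
    the channel topic. Messages sent privately to the tracker are ignored here.
    """
    commands = []
    for line in lines:
        parsed = parse_irc_line(line)
        if not parsed:
            continue
        prefix, command, params, trailing = parsed
        if command not in ("PRIVMSG", "TOPIC") or not params or trailing is None:
            continue
        if params[0].lower() != channel.lower() or not trailing.startswith(command_prefix):
            continue
        nick = prefix.split("!", 1)[0] if prefix else "?"
        commands.append((nick, command, trailing))
    return commands


# Constructed session as seen by a tracker that joined #b0ts with nick "tracker".
SAMPLE_SESSION = [
    ":irc.example.net 001 tracker :Welcome to the network",
    "PING :irc.example.net",
    ":master!op@203.0.113.9 TOPIC #b0ts :.scan.start 445 192.0.2.0/24",
    ":bot1234!x@10.0.0.5 PRIVMSG #b0ts :scan started",
    ":master!op@203.0.113.9 PRIVMSG #b0ts :.ddos.synflood 198.51.100.7 80 60",
    ":master!op@203.0.113.9 PRIVMSG tracker :.bot.about",
]


if __name__ == "__main__":
    for entry in record_commands(SAMPLE_SESSION, "#b0ts"):
        print(entry)
```

The last line of the session shows why the "jargon" problem on this slide matters: a botmaster can probe a suspicious nick with a private command and expect a bot-style reply. A tracker that only lurks, as this one does, has no answer and will be kicked, which is the point of learning the dialect through graybox testing first.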

Page 15: Traffic monitoring

Identify botmasters based on transport-layer flow data. The core idea is based on the attack and control chain of the botnet. The major steps are listed as follows:
1. Identify bots based on their attack activities.
2. Analyze the flows of these bots to find candidate controller connections.
3. Analyze the candidate controller connections to locate the botmaster.
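The three steps form one pipeline over flow records, so here is an added example written for this page that runs all three over a constructed capture; it is not the surveyed system's code. Step 1 treats scan-like fan-out (many targets on one port) as the attack activity, step 2 looks for long-lived endpoints shared by several identified bots, and step 3 reports non-bot hosts that reached such an endpoint before any bot started attacking. The thresholds and the botmaster rule are assumptions; the slide names the steps but not the criteria.

```python
"""Attack-and-control chain analysis over flow records.

Added illustration of the three steps on this slide; it is written for this
page and is not the surveyed system. Flows are constructed, and the
thresholds plus the botmaster rule (a non-bot host that reached the
controller endpoint before any bot started attacking) are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    start: int      # seconds since capture start
    src: str
    dst: str
    dport: int
    duration: int   # seconds the connection stayed open


SCAN_FANOUT = 10        # assumed: distinct targets on one port that count as a scan
MIN_CC_DURATION = 600   # assumed: C&C sessions are long-lived
MIN_SHARED_BOTS = 2     # assumed: bots that must share an endpoint to call it C&C


def identify_bots(flows):
    """Step 1: hosts with scan-like fan-out, mapped to their first attack time."""
    fanout = defaultdict(set)
    first_seen = {}
    for f in flows:
        key = (f.src, f.dport)
        fanout[key].add(f.dst)
        first_seen[key] = min(first_seen.get(key, f.start), f.start)
    bots = {}
    for (src, dport), targets in fanout.items():
        if len(targets) >= SCAN_FANOUT:
            t = first_seen[(src, dport)]
            bots[src] = min(bots.get(src, t), t)
    return bots


def candidate_controllers(flows, bots):
    """Step 2: long-lived endpoints that several identified bots all talk to."""
    talkers = defaultdict(set)
    for f in flows:
        if f.src in bots and f.duration >= MIN_CC_DURATION:
            talkers[(f.dst, f.dport)].add(f.src)
    return {ep for ep, srcs in talkers.items() if len(srcs) >= MIN_SHARED_BOTS}


def locate_botmaster(flows, bots, controllers):
    """Step 3: non-bot hosts on a controller endpoint before the attacks began."""
    if not bots or not controllers:
        return []
    earliest_attack = min(bots.values())
    return sorted({f.src for f in flows
                   if (f.dst, f.dport) in controllers
                   and f.src not in bots
                   and f.start < earliest_attack})


def analyze(flows):
    """Run the chain and return (bots, controller endpoints, botmaster candidates)."""
    bots = identify_bots(flows)
    controllers = candidate_controllers(flows, bots)
    return bots, controllers, locate_botmaster(flows, bots, controllers)


# Constructed capture: an operator joins the channel, two bots hold the C&C
# session, then both sweep a /24 on 445 while an unrelated host just browses.
SAMPLE_FLOWS = (
    [Flow(50, "172.16.5.1", "203.0.113.9", 6667, 4000)]
    + [Flow(100, "10.0.0.5", "203.0.113.9", 6667, 3600),
       Flow(100, "10.0.0.7", "203.0.113.9", 6667, 3600)]
    + [Flow(200 + i, "10.0.0.5", f"192.0.2.{i}", 445, 1) for i in range(1, 13)]
    + [Flow(210 + i, "10.0.0.7", f"192.0.2.{i}", 445, 1) for i in range(1, 13)]
    + [Flow(300, "10.0.0.9", "198.51.100.20", 443, 20),
       Flow(320, "10.0.0.5", "198.51.100.20", 443, 15)]
)


if __name__ == "__main__":
    bots, controllers, masters = analyze(SAMPLE_FLOWS)
    print("bots:", bots)
    print("controller endpoints:", controllers)
    print("botmaster candidates:", masters)
```

The browsing flows are there to show the filtering at work: the bot's own HTTPS connection is short-lived and shared with nobody, so it never becomes a controller candidate, and the benign host that uses the same web server is not a bot and so is not considered in step 2 at all. On a real network the weak point is step 3, since the operator's connection to the C&C server is only visible if it crosses a monitored link.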

Page 16: Defenses Against Botnet

Enterprise Solutions: Trend Micro provides a Botnet Identification Service that gives customers a real-time list of botnet C&C and botmaster addresses.

Page 17: Conclusion and Possible Future Work

HTTP/P2P Botnet: the existing works are anatomies of a few samples.
Fast-flux Network: Whom do they serve? What is the structure of the network? Is it the same as a typical IRC botnet or not? Is their botmaster also fast-fluxed? Binary analysis of the code will be extremely helpful.

Page 18: END