2. Overview
Botnet topologies
Command and Control (C&C) protocols
Botnet objectives
Botnet establishment and operations
Detection methods and their evolution
Taxonomy of generalized communication patterns
UML sequence diagrams
Data exchange options
Encryption and hiding techniques
Building protocol- and topology-independent network-based detectors
3. Introduction
Networked computers enable distributed computing and the sharing of resources. Distributing work over multiple machines allows a task to be split into sub-tasks that are executed in parallel.
The participants are divided into bots (executing a task or sub-task) and a master (the C&C).
The Internet contains a vast amount of unused processing power and network bandwidth.
A botnet harvests this: malware coordinates the compromised machines and uses them for computation.
4. Malicious Botnet
Botnets offer various tasks and services to their operators, e.g. theft (identity theft) and service disruption (attacks on network infrastructure).
Consequently, various taxonomies and recommendations have been published that categorize the different aspects of botnets and the ways of detecting them.
Botnets are protected against takeover by third parties, so many techniques exist that prevent a botnet from being brought down through a single point of failure.
Botmasters (the controllers) stay stealthy to avoid potential prosecution: they generate little traffic and as few direct connections as possible.
5. Botnet Detector
A detector can target the communication pattern, since the network is paramount for botnet operation (network based).
It can extract excerpts of known communication and compare them with observed traffic (signature based).
It can classify network traffic as normal or anomalous (behaviour based).
Countermeasures by the botmaster: padding (adding sequences of data to change message sizes) and protocol encryption.
Because no inspection of the payload is needed, generalized properties of obfuscated network traffic (message direction, order, timing) can in theory be used to detect unknown bots.
6. Machine Learning
Packet metadata is analyzed to predict the expected output for given inputs (training); the features are not necessarily correlated with each other.
A filtering step is introduced for automated feature selection (scoping).
A blacklist handles false positives, i.e. benign nodes classified as C&C.
Thus high accuracy is seen during training and for related botnets, but the goal of detecting unknown botnets is not realised.
7. Related work (I)
Analysis of attack classes and propagation mechanisms, from the OS to applications and social engineering (spam).
Bot life cycle consisting of infection, rallying, commands/reporting and abandonment.
Changing botnet techniques and environments; single-bot and HTTP-based botnet detection.
Comparison of stationary and mobile botnets.
Signature-based detection without the need for training, based on a basic infection dialogue consisting of inbound scan, exploit (implying infection), egg (executable binary) download, outbound scan and C&C communication.
8. Related Work (II)
Detector using an IDS to match events against rules derived from the infection dialogue.
The infection model is split according to network activity and cross-correlated across hosts sharing a common botmaster.
Detector based on a Bayesian network.
As the events evolve, the parts of the model responsible for them change.
Communication perspective (in-depth look):
C&C description
Sequence of messages (botnet communication pattern)
Framework for building detectors (UML sequence diagrams)
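An added example, not code from the slides or from the cited detectors, of the event-correlation idea summarized in slides 7 and 8: IDS-style events for each internal host are matched against the stages of the infection dialogue (inbound scan, exploit, egg download, outbound C&C communication, outbound scan), scored, and infected hosts that report to the same external address are cross-correlated as sharing a botmaster. The event names, weights, threshold, local prefix and the event log are assumptions constructed for the example.

```python
"""Rule-based infection-dialogue correlator (constructed example)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Dialogue stages and assumed evidence weights (not the weights of any published detector).
WEIGHTS = {"INBOUND_SCAN": 1, "EXPLOIT": 3, "EGG_DOWNLOAD": 3, "CC_COMM": 2, "OUTBOUND_SCAN": 2}
THRESHOLD = 5            # assumed: declare infection at score >= 5
LOCAL_PREFIX = "10.0.0."  # assumed monitored network
INBOUND = {"INBOUND_SCAN", "EXPLOIT"}            # stages where the local host is the target
OUTBOUND = {"CC_COMM", "OUTBOUND_SCAN"}          # stages that must originate from the local host

Event = Tuple[int, str, str, str]  # (timestamp, src_ip, dst_ip, event_name)


def score_hosts(events: List[Event]) -> Dict[str, dict]:
    """Attribute each event to the internal host it concerns, then score the
    distinct dialogue stages seen per host. A host is flagged only if the score
    reaches THRESHOLD, at least two stages were seen, and one of them is outbound
    (a scan against us alone never proves a successful infection)."""
    per_host = defaultdict(lambda: {"stages": set(), "cc": set()})
    for _ts, src, dst, name in sorted(events):
        if name not in WEIGHTS:
            continue
        local = dst if name in INBOUND else src
        if not local.startswith(LOCAL_PREFIX):
            continue  # direction does not fit the stage, ignore
        rec = per_host[local]
        rec["stages"].add(name)
        if name == "CC_COMM":
            rec["cc"].add(dst)  # remember the external C&C peer for cross-correlation
    verdicts = {}
    for host, rec in per_host.items():
        score = sum(WEIGHTS[s] for s in rec["stages"])
        verdicts[host] = {
            "score": score,
            "stages": sorted(rec["stages"]),
            "cc": sorted(rec["cc"]),
            "infected": score >= THRESHOLD and len(rec["stages"]) >= 2 and bool(rec["stages"] & OUTBOUND),
        }
    return verdicts


def correlate_botmaster(verdicts: Dict[str, dict]) -> Dict[str, List[str]]:
    """Group infected hosts by the external address they report to; two or more
    hosts sharing a C&C peer indicates a common botmaster."""
    groups = defaultdict(set)
    for host, v in verdicts.items():
        if v["infected"]:
            for cc in v["cc"]:
                groups[cc].add(host)
    return {cc: sorted(hosts) for cc, hosts in groups.items() if len(hosts) >= 2}


# Constructed IDS event log (timestamp, src, dst, event); addresses are documentation ranges.
EVENTS: List[Event] = [
    (100, "203.0.113.9", "10.0.0.5", "INBOUND_SCAN"),
    (101, "203.0.113.9", "10.0.0.5", "EXPLOIT"),
    (105, "10.0.0.5", "198.51.100.7", "EGG_DOWNLOAD"),
    (110, "10.0.0.5", "198.51.100.20", "CC_COMM"),
    (120, "10.0.0.5", "10.0.0.99", "OUTBOUND_SCAN"),
    (130, "10.0.0.8", "198.51.100.7", "EGG_DOWNLOAD"),
    (131, "10.0.0.8", "198.51.100.20", "CC_COMM"),
    (140, "10.0.0.12", "198.51.100.20", "CC_COMM"),     # a lone beacon: insufficient evidence
    (150, "203.0.113.50", "10.0.0.30", "INBOUND_SCAN"),  # scanned but nothing else
]

if __name__ == "__main__":
    verdicts = score_hosts(EVENTS)
    for host, v in sorted(verdicts.items()):
        print(host, v)
    print("shared C&C:", correlate_botmaster(verdicts))
```

The threshold and the "one outbound stage" rule are where such detectors trade false positives against misses; the lone CC_COMM event for 10.0.0.12 is exactly the kind of benign-looking beacon the slide on machine learning blacklists by hand.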
11. Centralized
A centralized dedicated server is easy to set up, has low latency and high scalability, and needs no special protocol.
Low robustness: the C&C server is a single point of failure.
The server address has to be hardcoded in the bot and is therefore obfuscated.
Mitigation: a domain generation algorithm (DGA) lets the bots compute fresh rendezvous domains, and fast-flux DNS rotates the addresses behind them.
The DGA seed is queried from the local system or from the Internet, which makes takeover harder.
URL-based spam detection is defeated.
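An added example, not code from the slides: a date-seeded DGA as a bot would run it, and the defender's counterpart that precomputes the same domains ahead of time so they can be registered or sinkholed, then matches DNS queries against them. The seed constant, domain count, TLD list and the DNS log are assumptions of this example.

```python
"""Date-seeded DGA and the matching defender-side precomputation (constructed example)."""
import hashlib
from datetime import date
from typing import List, Set, Tuple

TLDS = ("com", "net", "org", "info")      # assumed TLD rotation
FAMILY_SEED = b"example-family-seed"      # assumed per-family constant embedded in the bot


def generate_domains(day: date, count: int = 50, seed: bytes = FAMILY_SEED) -> List[str]:
    """Return the rendezvous domains for one calendar day.

    The bot obtains the day from its local clock or an external time source
    (the 'query local system or Internet' step); nothing but the seed and the
    date is needed, so no server address has to be hardcoded."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(2, "big")).digest()
        # 12 hash bytes -> 12 lowercase letters, a valid DNS label.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append("%s.%s" % (label, TLDS[digest[12] % len(TLDS)]))
    return domains


def domains_for_window(start: date, days: int, **kw) -> Set[str]:
    """Defender side: precompute every domain in a window of days so they can
    be registered or sinkholed before the bots resolve them."""
    out: Set[str] = set()
    for offset in range(days):
        out.update(generate_domains(date.fromordinal(start.toordinal() + offset), **kw))
    return out


def flag_dga_queries(dns_log: List[Tuple[str, str]], watchlist: Set[str]) -> List[Tuple[str, str]]:
    """Return (client, qname) pairs whose query hits a precomputed DGA domain.
    Names are normalised (case, trailing dot) before the lookup."""
    return [(client, q) for client, q in dns_log if q.lower().rstrip(".") in watchlist]


if __name__ == "__main__":
    today = date(2024, 3, 1)
    watch = domains_for_window(today, 3)
    # Constructed DNS log: two DGA lookups and one benign lookup.
    log = [
        ("10.0.0.5", generate_domains(today)[0]),
        ("10.0.0.7", "www.example.com"),
        ("10.0.0.5", generate_domains(date(2024, 3, 2))[3] + "."),
    ]
    for hit in flag_dga_queries(log, watch):
        print("DGA lookup:", hit)
```

The defender's advantage is that the algorithm, once extracted from a sample, is deterministic; the botmaster's counter is to seed it from something the defender cannot predict far ahead, which is why real families pull the seed from external sources.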
13. P2P
Every bot is a potential server.
Low communication latency, high robustness, lower scalability.
The OS limits the botnet size: the maximum number of concurrent TCP connections per bot.
Increased visibility, low stealth.
A high number of coordination messages, so the network is not a full mesh.
A cache server (peer list) is maintained, or the peer list is hardcoded.
Neoteric protocol for a fallback channel if comms
16. Botnet Protocols (I)
Protocols are tailored for stealthiness, which is achieved by mimicking legitimate traffic.
The choice depends on development effort and network restrictions.
Both existing and neoteric (newly designed) protocols are used.
Types are:
1) IRC: text based, channels may be password protected
2) HTTP: request/response based, high latency; major problem: loops flooding the bot with
17. Botnet Protocols (II)
3) SMB: Server Message Block (e.g. shared printers); the bot requests the list of available file shares/services, and named pipes (IPC) are used to call specific functions
4) P2P protocols: WASTE and Kademlia are used to store key/value hashes, rely on cache servers, and are also used for file sharing
5) Neoteric protocols: UDP vs. TCP, i.e. unreliable single packets vs. a reliable stream; may require network overhead; the payload can be binary or text based
18. Communication Hiding &
Obfuscation
Covert channel: using unused header bits, e.g. the Identifier field of ICMP
Encryption: stream/block based; symmetric/asymmetric cipher
Multiple protocols
Compression: replace repeating sequences
Steganography: carrier files not meant for communication (e.g. images)
Proxying
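An added example, not code from the slides, of the ICMP covert channel in the list above: the sender carries two bytes of message per echo request in the Identifier field, the receiver validates the checksum and reassembles the message, and a small detector heuristic flags the channel from header metadata alone, without looking at the payload. Using the Sequence field as chunk index, the filler payload and the "mostly distinct identifiers" heuristic are assumptions of this example; packets are built as raw bytes and never sent.

```python
"""ICMP Identifier-field covert channel, receiver, and metadata detector (constructed example)."""
import struct
from typing import List

ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(identifier: int, seq: int, payload: bytes = b"") -> bytes:
    """Build an ICMP echo request (type 8, code 0) with a valid checksum."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, identifier, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, identifier, seq) + payload


def encode_message(msg: bytes) -> List[bytes]:
    """Sender: split msg into 2-byte chunks, one per packet, hidden in Identifier;
    Sequence carries the chunk index (assumption) and the payload is filler."""
    packets = []
    for seq, offset in enumerate(range(0, len(msg), 2)):
        chunk = msg[offset:offset + 2].ljust(2, b"\x00")
        identifier = struct.unpack("!H", chunk)[0]
        packets.append(build_echo(identifier, seq, b"abcdefgh"))
    return packets


def decode_message(packets: List[bytes], length: int) -> bytes:
    """Receiver: drop packets that are not echo requests or fail the checksum,
    order the rest by Sequence, and recover the Identifier bytes."""
    chunks = {}
    for p in packets:
        typ, _code, _csum, identifier, seq = struct.unpack("!BBHHH", p[:8])
        # Summing a correct packet including its own checksum field yields 0.
        if typ != ICMP_ECHO_REQUEST or icmp_checksum(p) != 0:
            continue
        chunks[seq] = struct.pack("!H", identifier)
    return b"".join(chunks[s] for s in sorted(chunks))[:length]


def identifier_is_suspicious(packets: List[bytes]) -> bool:
    """Detector heuristic on header metadata only: a normal ping process keeps
    one Identifier for its whole run and increments Sequence, whereas this
    channel changes Identifier on every packet. Flag a stream of at least four
    echo requests in which more than half the Identifier values are distinct."""
    ids = [struct.unpack("!BBHHH", p[:8])[3] for p in packets]
    return len(ids) >= 4 and len(set(ids)) > len(ids) // 2


if __name__ == "__main__":
    pkts = encode_message(b"hello, botmaster")
    print(decode_message(pkts, 16), identifier_is_suspicious(pkts))
    ping = [build_echo(0x1234, s, b"abcdefgh") for s in range(6)]
    print(identifier_is_suspicious(ping))
```

Note what the detector does and does not need: it never parses the payload, which is the point of the slides on payload-independent detection; the price is that a sender who keeps the Identifier fixed and hides data elsewhere (Sequence, payload bytes) evades this particular rule.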
19. Communication Patterns (I)
Notation
The sequence of messages exchanged for a task is drawn as a UML sequence diagram.
Messages are synchronous or asynchronous.
The diagram contains the messages, e.g. a page request and the returned page contents (arrows), combined fragments with an operator kind (box/bracket), and interaction uses, i.e. parts without constraint.
Patterns are divided into:
1) Coordinate 2) Scan 3) Data 4) Register
5) Store/Execute/Infect/Compute
20. Communication Pattern(II)
Overview
C&C traffic can be initiated by the bot or by the server.
Actions can be monitored, so the coordination must be stealthy.
Communication can be push or pull based.
Botnet communication is divided into operation and propagation.
21. Communication Pattern(III)
Propagation
This happens actively or passively.
Passive: 1) Click fraud 2) Drive-by
Active: 1) Exploitation of an existing vulnerability 2) Coordinated scan of OS and network
Registration
23. Conclusion
Event generation engines (IDS) can be used.
Machine learning can be used to recognize message exchanges.
Identifying botnet communication.
Detection of encrypted C&C protocol patterns.
A detector capable of matching communication patterns independent of the C&C protocol, topology and family.