Botnet Handouts (Revised)

A botnet is a network of compromised internet-connected devices that are controlled by a third party without the owners' knowledge or consent. Devices become bots after being infected with malware that allows the botmaster to direct the devices' activities remotely through command and control servers. Botnets pose a major threat as they can consist of thousands of bots whose aggregated computing power enables large-scale attacks like DDoS and spam campaigns. Botnets use various techniques to evade detection including evolving command protocols, moving between centralized and decentralized structures, and manipulating domain names and IP addresses.


Botnets

Dan Boneh

Viruses and Worms vs. Botnets

● Viruses and worms come with a fixed behaviour: each time they
migrate to a new host, they carry out that same behaviour.
● A bot, on the other hand, is usually equipped with a larger
repertoire of behaviours.
● Additionally, a bot maintains, directly or indirectly, a
communication link with a human handler, typically known as a
bot-master or bot-herder.
Botnet
● The word "botnet" is formed from the words "robot" and
"network".
● A botnet is a logical collection of Internet-connected devices
such as computers, smartphones or IoT devices whose security
has been breached and control ceded to a third party.
● Each compromised device, known as a "bot", is created when the
device is infected by malware delivered through some
distribution mechanism (exploit kit, malicious attachment, etc.).
● The controller of a botnet directs the activities of these
compromised machines through communication channels built on
protocols such as IRC and Hypertext Transfer Protocol (HTTP).

Botnet Taxonomy
A taxonomy model is necessary to develop the intelligence to
identify, detect, and mitigate the risk of an attack.

Classification Scheme

● Attacking Behavior
● C&C Models
● Rally Mechanisms
● Communication Protocols
● Observable botnet activities
● Evasion Techniques
Attacking Behaviors
● Infecting new hosts
● Social engineering and distribution of malicious emails or other
electronic communications (e.g. instant messaging)
● Example: an email sent with the bot disguised as a harmless attachment.
● Stealing personal information
● Keylogger and network sniffer technology used on compromised
systems to spy on users and compile personal information
● Phishing and spam proxy
● Aggregated computing power and proxy capability allow
spammers to reach larger groups without being traced.
● Distributed Denial of Service (DDoS)
● Impair or eliminate availability of a network to extort or disrupt
business

Botnet Threat
● Botnets are a major threat to the Internet because they:
● Consist of a large pool of compromised computers that are
organized by a master (a.k.a. zombie armies)
● Carry out sophisticated attacks to disrupt, gather sensitive
data, or grow the army
● Can perform Distributed Denial-of-Service (DDoS) attacks,
steal data, send spam, and give the attacker access to the
device and its network connection
● Number in the thousands, aggregating computing power
● Have a communication network that allows bots to evolve on a
compromised host (new commands and modules can be pushed)
● The process of stealing computing resources as a result of a
system being joined to a "botnet" is sometimes referred to
as "scrumping".
Botnet Architecture
A collection of bots working together for the same
bot-master constitutes a botnet.

[Figure: the botmaster at the top with C&C links down to several bots;
each bot in turn recruits further bots.]
Observable Behaviors
● Three categories of observable Botnet
behaviors:
● Network-based
● Host-based
● Global Correlated
Network-Based
● Network patterns can be used to detect botnets
● IRC and HTTP are the most common forms of botnet
communication
● Detectable by identifying abnormal traffic patterns:
● IRC communications where IRC is not expected
● IRC conversations that humans cannot understand (terse,
machine-generated commands and replies)
● DNS domain names
● DNS queries to locate the C&C server
● Hosts querying improper or suspicious domain names
● The IP address associated with a domain name keeps changing
periodically (fast-flux)
● Traffic
● Bursty at times, and idle the rest of the time
● Abnormally fast responses compared to a human
● Attacks (e.g. denial of service): large volumes of TCP SYN
packets with spoofed source IP addresses that never complete
the handshake
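Two of the network observables above, timer-driven beaconing with machine-speed replies and a SYN flood from spoofed sources, can be checked directly from flow records. The following is an added example, not code from the handout: it runs both checks over a small flow log constructed inline. The record layout, the thresholds and the addresses are assumptions chosen for the illustration.

```python
"""Network-based botnet indicators over constructed flow records (added example).

Checks two observables from the slides on a constructed flow log:
  * beaconing: a host contacting one peer at near-constant intervals
    with machine-speed response times, and
  * a SYN flood: many SYNs from addresses that never complete the
    handshake (spoofed sources).
Record layout, thresholds and sample addresses are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (time_s, src, dst, dport, flags, response_ms)
# flags: "S" = SYN only, "A" = established/data traffic.
FLOWS = [
    # 10.0.0.5 beacons to 203.0.113.9:6667 every 60 s and answers in ~5 ms
    *[(60.0 * i, "10.0.0.5", "203.0.113.9", 6667, "A", 5.0) for i in range(10)],
    # 10.0.0.7 browses normally: irregular timing, human-speed replies
    (3.0, "10.0.0.7", "198.51.100.2", 443, "A", 820.0),
    (47.0, "10.0.0.7", "198.51.100.2", 443, "A", 1400.0),
    (301.0, "10.0.0.7", "198.51.100.2", 443, "A", 350.0),
    (333.0, "10.0.0.7", "198.51.100.3", 443, "A", 2200.0),
    # SYN flood against 192.0.2.10:80 from 500 spoofed sources, no follow-up
    *[(100.0 + i * 0.01, f"172.16.{i // 256}.{i % 256}", "192.0.2.10", 80, "S", 0.0)
      for i in range(500)],
    # one legitimate client that does complete the handshake
    (100.5, "10.0.0.7", "192.0.2.10", 80, "S", 0.0),
    (100.6, "10.0.0.7", "192.0.2.10", 80, "A", 0.0),
]


def find_beacons(flows, min_events=5, max_cv=0.1, max_resp_ms=50.0):
    """Return (src, dst, dport) tuples whose contact intervals are nearly constant.

    cv = stddev / mean of the inter-arrival gaps: human activity gives a
    high cv, a timer-driven bot a very low one. The response-time bound
    captures "abnormally fast responses compared to a human".
    """
    by_pair = defaultdict(list)
    for t, src, dst, dport, flags, resp in flows:
        if flags == "A":
            by_pair[(src, dst, dport)].append((t, resp))
    hits = []
    for key, events in by_pair.items():
        if len(events) < min_events:
            continue
        times = sorted(t for t, _ in events)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg_gap = mean(gaps)
        cv = pstdev(gaps) / avg_gap if avg_gap > 0 else float("inf")
        if cv <= max_cv and mean([r for _, r in events]) <= max_resp_ms:
            hits.append(key)
    return hits


def find_syn_floods(flows, min_syns=100, max_completion=0.05):
    """Return (dst, dport) targets that receive many SYNs from sources that
    never send anything afterwards: the signature of a spoofed-source flood."""
    syn_sources = defaultdict(set)
    ack_sources = defaultdict(set)
    for _, src, dst, dport, flags, _ in flows:
        if flags == "S":
            syn_sources[(dst, dport)].add(src)
        elif flags == "A":
            ack_sources[(dst, dport)].add(src)
    targets = []
    for key, srcs in syn_sources.items():
        if len(srcs) < min_syns:
            continue
        completed = len(srcs & ack_sources[key]) / len(srcs)
        if completed <= max_completion:
            targets.append(key)
    return targets


if __name__ == "__main__":
    print("beacons:", find_beacons(FLOWS))
    print("syn floods:", find_syn_floods(FLOWS))
```

On real data the flow source would be NetFlow/IPFIX or Zeek `conn.log`; the two functions only need the five fields shown, so adapting the loader is the whole integration.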

Host-Based
Botnet behavior can also be observed on the host
machine.
● Bots exhibit virus-like activities
● When executed, bots run a sequence of routines:
● Modifying the registry (e.g. adding persistence entries)
● Modifying system files
● Creating unknown network connections
● Disabling antivirus programs
Global Correlated
● Global characteristics are tied to the
fundamentals of botnets
● Not likely to change unless botnets are completely
redesigned and re-implemented
● Most valuable way to detect botnets
● Behaviour is the same regardless of whether the bots
communicate via IRC or HTTP
● Global DNS query volume increases when new C&C servers
are assigned and every bot looks them up
● Network flow disruptions

Evasion Techniques
● The sophistication of botnets allows them to evade
● AV engines
● Signature-based intrusion detection systems (IDS)
● Anomaly-based detection systems

● Techniques
● Executable packers
● Rootkits
● Protocols
Evasion Techniques
● Moving away from IRC
● Hiding C&C traffic inside other protocols:
● HTTP
● VoIP
● IPv6
● ICMP
● Skype protocols

Evasion Techniques
● Skype, the best botnet ever??
● Very popular: 9M+ users, on average 4M+ connected
● Very good firewall "punching" capabilities
● Obfuscated and persistent network flow
● Provides a network API
● Skype provides network connectivity and obfuscation
● Skype is resilient by design
● Just need nickname(s) for communications
● Things are easy:
● Exploit Skype
● Install the bot as a Skype plugin
● Generate a plugin authorization token and execute

Client-server model
● Operates through Internet Relay Chat. Infected clients access a
predetermined location and await incoming commands from the
server.
● The bot herder sends commands to the server, which relays them to
the clients. Clients execute the commands and report their results
back to the bot herder.

Peer-to-peer
● Rather than communicate with a centralized server, P2P
bots perform as both a command distribution server and
a client which receives commands.
● This avoids having any single point of failure, which is
an issue for centralized botnets.
Peer-to-Peer Model
● Resilient to failures, hard to discover, hard to
defend against.
● Hard to launch large-scale attacks with the P2P designs
considered here, which supported only very small groups
(< 50 peers)

Command Protocols
● The specific actions that a bot engages in at any
given time on any specific host depend, in
general, on what commands it receives from
some human/botnet-herder.
● This is known as command-and-control (C&C).
● The botmaster's program must communicate via a covert
channel with the client on the victim's machine
(zombie computer).
● IRC is a historically favoured means of C&C.
Command Protocols
● A bot master can harness the power of several
bots working together to bring about a result that
could be more damaging than what can be
accomplished by a single bot (or a worm or a
virus) working all by itself.
● E.g. the message :herder!herder@example.com TOPIC
#channel DDoS www.victim.com from the bot herder
alerts all infected clients belonging to #channel to begin a
DDoS attack on the website www.victim.com.
● The response :bot!bot@example.com PRIVMSG
#channel I am DDoSing www.victim.com by a bot client
alerts the bot herder that it has begun the attack.
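The TOPIC/PRIVMSG exchange above can be followed from both sides with an ordinary IRC line parser. The block below is an added example and not code from the handout: it parses the herder's TOPIC, has a bot act on it only when the channel and the herder's nick match (a crude stand-in for the "botmaster to bot" authentication step), produces the PRIVMSG reply, and shows the defender's view of the same line. The nicks `herder` and `bot`, the `example.com` host, the `DDoS`/`STOP` command grammar and the channel name are assumptions; no flooding is performed, the bot only reports the order it was given.

```python
"""IRC command-and-control exchange, parsed on both sides (added example).

Models the TOPIC -> PRIVMSG pair from the slides. Nicks, host, channel and
the DDoS/STOP command grammar are assumptions; nothing attacks anything.
"""
import re
from dataclasses import dataclass, field


@dataclass
class IrcMessage:
    prefix: str                  # "nick!user@host", or "" when absent
    command: str                 # e.g. "TOPIC", "PRIVMSG"
    params: list = field(default_factory=list)   # middle params + trailing text


def parse_irc_line(line: str) -> IrcMessage:
    """RFC 1459 shape: [':' prefix ' '] command {' ' param} [' :' trailing]."""
    line = line.rstrip("\r\n")
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    command, params = parts[0].upper(), parts[1:]
    if trailing is not None:
        params.append(trailing)
    return IrcMessage(prefix, command, params)


# Assumed command grammar the herder writes into the topic.
COMMAND_RE = re.compile(r"^(?P<verb>DDOS|STOP)(?:\s+(?P<target>\S+))?$", re.I)


def _topic_text(msg: IrcMessage) -> str:
    # Works whether the topic arrived as a trailing param (":DDoS www...")
    # or, as written on the slide, as separate words.
    return " ".join(msg.params[1:]).strip()


# --- bot side -------------------------------------------------------------
def bot_handle(line: str, channel: str, nick: str, host: str, herder: str = "herder"):
    """Return the bot's PRIVMSG reply for a herder TOPIC command, else None."""
    msg = parse_irc_line(line)
    if msg.command != "TOPIC" or len(msg.params) < 2 or msg.params[0] != channel:
        return None
    if msg.prefix.split("!", 1)[0] != herder:      # only the herder may command us
        return None
    m = COMMAND_RE.match(_topic_text(msg))
    if not m:
        return None
    if m.group("verb").upper() == "DDOS" and m.group("target"):
        # a real bot would start flooding here; this example only reports the order
        return f":{nick}!{nick}@{host} PRIVMSG {channel} :I am DDoSing {m.group('target')}"
    return f":{nick}!{nick}@{host} PRIVMSG {channel} :stopped"


# --- defender side --------------------------------------------------------
def looks_like_cnc_topic(line: str) -> bool:
    """IDS-style check: a TOPIC whose text is a bare verb plus a host is not
    something a human channel operator writes."""
    msg = parse_irc_line(line)
    return (msg.command == "TOPIC" and len(msg.params) >= 2
            and COMMAND_RE.match(_topic_text(msg)) is not None)


if __name__ == "__main__":
    order = ":herder!herder@example.com TOPIC #channel :DDoS www.victim.com"
    print(bot_handle(order, "#channel", "bot", "example.com"))
    print("flagged by IDS:", looks_like_cnc_topic(order))
```

The nick check is the weak point a real botnet has to harden: anyone who joins the channel and can spoof or take over the herder's nick can issue commands, which is exactly why the centralized-model slide later lists three authentication steps.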

● The bots working together could mount a
distributed denial of service (DDoS) attack
that would be much more difficult to protect
against than a regular denial of service attack
(DoS)
● Several bots working together would also be
more effective in spreading virus and worm
infections, and in corrupting the machines
with spyware, adware, etc.
Command and Control (C&C)
● Essential for operation and support of botnet
● 3 Styles – Centralized, P2P and Randomized
● Weakest link of the botnet because:
● Elimination of botmaster takes out the botnet
● High level of activity by botmaster makes them
easier to detect than their bots

Command and Control
● IRC (easy to detect and shut down)
● Telnet / SSH
● Domains: many large botnets tend to use domains
rather than IRC (e.g. the Rustock and Srizbi botnets).
● Usually hosted with bulletproof hosting services. A
zombie computer accesses a specially designed webpage
or domain(s) which serves the list of controlling
commands.
● The advantage of using web pages or domains as C&C is that a large
botnet can be effectively controlled and maintained with very simple code
that can be readily updated.
● The disadvantages are that it uses a considerable amount of
bandwidth at large scale, and domains can be quickly seized by
government agencies.
Construction
1) A hacker purchases or builds a Trojan and/or
exploit kit and uses it to start infecting users'
computers; the payload is a bot.
2) The bot instructs the infected PC to connect to
a particular command-and-control (C&C) server.
3) The botmaster may then use the bots to gather
keystrokes or use form grabbing to steal online
credentials, and may rent out the botnet as DDoS
and/or spam as a service or sell the credentials
online for a profit.
4) Depending on the quality and capability of the
bots, the value of the botnet increases or decreases.

C&C Centralized Model

[Figure: example of a centralized IRC C&C showing three steps of
authentication: bot to IRC server, IRC server to bot, and botmaster to
bot. (*) marks an optional step.]

Communication Protocols
● In most cases botnets use well-defined and
accepted communication protocols. Understanding
the communication protocols used helps to:
● Determine the origins of a botnet attack and the software
being used
● Allow researchers to decode conversations happening
between the bots and the masters
● There are two main communication protocols used
for bot attacks:
● IRC
● HTTP

IRC Protocol
● IRC botnets are the predominant version
● IRC was mainly designed for one-to-many
conversations but can also handle one-to-one
● Most corporate networks do not allow any IRC
traffic, so any IRC request reveals an
external or internal bot:
● Outbound IRC requests mean an already infected
computer on the network
● Inbound IRC requests mean that a network computer is
being recruited
HTTP Protocol
● Due to the prevalence of HTTP usage it is harder to
track a botnet that uses HTTP protocols
● Using HTTP can allow a botnet to skirt the
firewall restrictions that hamper IRC botnets
● Detecting HTTP botnets is harder but not
impossible, since the header fields and the
payload do not match usual transmissions
● Some new options emerging are IM and P2P
protocols; expect growth here in the future

HTTP Botnet Example:

[Figure: HTTP botnet example; the diagram is not recoverable from the text.]

Fast-flux Networks
● Commonly used scheme
● Used to control botnets with hundreds or even
thousands of nodes
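The fast-flux scheme is what produces the network-based observable listed earlier, "IP address associated with a domain name keeps changing periodically". The block below is an added example, not from the handout, that scores domains from passive-DNS style records by how fast their answered addresses churn across unrelated networks, so that a CDN with a short TTL but a stable pool is not flagged. The record layout, the /24 stand-in for network diversity, the thresholds and the sample domains are assumptions.

```python
"""Fast-flux indicator from passive-DNS style records (added example).

Scores each queried name by the churn of its answered A records across
distinct networks. Record layout, thresholds and sample data are assumptions;
/24 prefixes stand in for the ASN diversity a production detector would use.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed passive-DNS records: (time_s, qname, ttl, [answer IPs]).
RECORDS = [
    # flux.example: a fresh handful of bot addresses on every query, TTL 60
    (0,   "flux.example", 60, ["198.51.100.10", "203.0.113.41",  "192.0.2.77"]),
    (120, "flux.example", 60, ["198.51.100.88", "203.0.113.5",   "192.0.2.19"]),
    (240, "flux.example", 60, ["203.0.113.90",  "198.51.100.3",  "192.0.2.130"]),
    (360, "flux.example", 60, ["192.0.2.201",   "203.0.113.160", "198.51.100.44"]),
    # cdn.example: short TTL, but the same small pool rotates
    (0,   "cdn.example", 30, ["198.51.100.1", "198.51.100.2"]),
    (120, "cdn.example", 30, ["198.51.100.2", "198.51.100.1"]),
    (240, "cdn.example", 30, ["198.51.100.1", "198.51.100.2"]),
    (360, "cdn.example", 30, ["198.51.100.2", "198.51.100.1"]),
    # static.example: one address, long TTL
    (0,   "static.example", 86400, ["192.0.2.1"]),
    (360, "static.example", 86400, ["192.0.2.1"]),
]


def flux_score(records):
    """Return {qname: (distinct_ips, distinct_nets, min_ttl, score)}.

    score = (distinct IPs per query) * (distinct /24 networks). It is high
    only when new addresses from unrelated networks keep appearing; a short
    TTL on its own is not evidence, since CDNs use those too.
    """
    per_name = defaultdict(lambda: {"queries": 0, "ips": set(), "nets": set(), "ttl": None})
    for _, qname, ttl, answers in records:
        e = per_name[qname]
        e["queries"] += 1
        e["ttl"] = ttl if e["ttl"] is None else min(e["ttl"], ttl)
        for ip in answers:
            ip_address(ip)                      # reject malformed input early
            e["ips"].add(ip)
            e["nets"].add(".".join(ip.split(".")[:3]))   # /24 as network proxy
    out = {}
    for qname, e in per_name.items():
        churn = len(e["ips"]) / e["queries"]
        out[qname] = (len(e["ips"]), len(e["nets"]), e["ttl"], churn * len(e["nets"]))
    return out


def fast_flux_candidates(records, max_ttl=300, min_score=4.0):
    """Names with a short TTL and high churn spread over several networks."""
    return sorted(q for q, (_, _, ttl, score) in flux_score(records).items()
                  if ttl <= max_ttl and score >= min_score)


if __name__ == "__main__":
    for name, stats in flux_score(RECORDS).items():
        print(name, stats)
    print("fast-flux candidates:", fast_flux_candidates(RECORDS))
```

Flux nodes are compromised home machines scattered across ISPs, so the network-diversity term is what separates them from a legitimate round-robin pool; on real data replace the /24 grouping with an ASN lookup.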
Overnet Message Passing:
Overnet has three basic message types to facilitate proper function of the
network:

Connect:
A peer uses connect messages to report its OID to other peers and
to receive a list of peers somewhat close to itself.
Search:
A peer uses search messages to find resources and other nodes
based on OID.
Publicize:
A peer uses publicize messages to report ownership of network
resources (OIDs) so that other peers can find the resource later.
● Computers can be co-opted into a botnet
when they execute malicious software. This
can be accomplished by luring users into
making a drive-by download, exploiting web
browser vulnerabilities, or by tricking the
user into running a Trojan horse program,
which may come from an email attachment.
Common frauds
● DDoS
● Spyware
● Email spamming
● Click fraud
● Ad fraud
● Bitcoin mining
● Phishing
● Self spreading functionality

Countermeasures
● Individual bots must be identified.
● Firewall and anti-spyware filtering
● PKI / digital signatures on messages
● Install anti-bot software such as BotHunter
● Network-based approaches tend toward shutting
down C&C servers, null-routing DNS entries,
or completely shutting down IRC servers.
● Study behaviour
● Use honeypots
Evolution of Botnets
● Motivation change in computer hacking:
● Vandalism → financial gains
● Loss of $67.2 billion (2006 figure)

eCrime Market Operation

[Figure: the eCrime market cycle with the stages Raw Materials, Goods,
Market (Buy, Sell & Trade, $), (Re)Application, and the Goal: Wealth.]
Sensitive Data and Market Significance

[Figure: bar chart of "Percentage of Labeled Data" by "Sensitive Data Type"
(credit card numbers, SSNs, bank account numbers); the values are not
recoverable from the text.]
C&C Centralized Model


● Simple to deploy, cheap, short latency for large scale
attacks
● Easiest to eliminate
P2P Botnet Example: Storm
The Overnet network Storm uses is extremely dynamic. Peers come and go and
can change OIDs frequently. In order to stay "well connected" peers must
periodically search for themselves to find nearby peers:

[Figure: a Storm node contacting a bootstrapping peer in round 1, then
searching for its own OID through successively closer peers in rounds 2, 3
and 4.]
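The three Overnet message types described earlier and the Storm self-search shown in the figure can be simulated on a small Kademlia-style overlay. The following is an added example, not code from the handout or from Storm: peers carry 128-bit OIDs, distance is XOR, `connect` reports an OID to a bootstrap peer and returns nearby peers, `search` iteratively asks the closest known peers for closer ones, and `publicize` stores a resource on the peers nearest its OID. The bucket size `K`, the MD5-derived OIDs and the peer names are assumptions; nothing talks to a real network. `stale_table_demo` shows the point of the Storm slide: a peer that joined early never learns of later arrivals unless it searches for itself again.

```python
"""Overnet-style message passing and Storm's self-search, simulated (added example).

OID width, bucket size K and peer names are assumptions; no real network I/O.
"""
import hashlib

K = 4   # peers returned per connect/search reply (assumed bucket size)


def oid_of(name: str) -> int:
    """Stable 128-bit OID for a peer or resource name."""
    return int.from_bytes(hashlib.md5(name.encode()).digest(), "big")


def distance(a: int, b: int) -> int:
    """Kademlia/Overnet metric: XOR of the two identifiers."""
    return a ^ b


class Peer:
    def __init__(self, name: str):
        self.name, self.oid = name, oid_of(name)
        self.known = {}       # routing table: oid -> Peer
        self.published = {}   # resource oid -> owner oid, held for others

    def closest(self, target: int, k: int = K):
        """Our k known peers nearest to target."""
        return sorted(self.known.values(), key=lambda p: distance(p.oid, target))[:k]

    # --- the three Overnet message types ---------------------------------
    def connect(self, other: "Peer"):
        """Report our OID to `other`; it learns us and we get its peers near us."""
        other.known[self.oid] = self
        self.known[other.oid] = other
        for p in other.closest(self.oid):
            if p is not self:
                self.known[p.oid] = p

    def search(self, target: int, rounds: int = 5):
        """Iteratively ask our closest known peers for peers closer to target."""
        for _ in range(rounds):
            learned = False
            for p in self.closest(target):
                p.known[self.oid] = self            # the queried peer learns us too
                for q in p.closest(target):
                    if q is not self and q.oid not in self.known:
                        self.known[q.oid] = q
                        learned = True
            if not learned:
                break
        return self.closest(target)

    def publicize(self, resource: str):
        """Announce ownership of `resource` to the peers closest to its OID."""
        rid = oid_of(resource)
        holders = self.search(rid)
        for h in holders:
            h.published[rid] = self.oid
        return holders


def stale_table_demo():
    """b joins while the network is tiny, c joins afterwards. Until b searches
    for itself it never hears of c; one self-search repairs its table."""
    boot, b, c = Peer("boot"), Peer("b"), Peer("c")
    b.connect(boot)
    c.connect(boot)
    before = c.oid in b.known
    b.search(b.oid)
    after = c.oid in b.known
    return before, after


def build_network(n: int):
    boot = Peer("boot")
    peers = [boot]
    for i in range(n):
        p = Peer(f"node{i}")
        p.connect(boot)     # round 1: report OID, get peers near us
        p.search(p.oid)     # rounds 2..: look ourselves up to find closer neighbours
        peers.append(p)
    return peers


def refresh(peers):
    """The periodic self-search Storm nodes must perform to stay well connected."""
    for p in peers:
        p.search(p.oid)


def neighbourhood_quality(peers, k: int = K) -> float:
    """Fraction of peers whose k nearest known peers are the true k nearest."""
    good = 0
    for p in peers:
        truth = sorted((q.oid for q in peers if q is not p),
                       key=lambda o: distance(o, p.oid))[:k]
        if [q.oid for q in p.closest(p.oid)] == truth:
            good += 1
    return good / len(peers)


if __name__ == "__main__":
    print("stale table before/after self-search:", stale_table_demo())
    net = build_network(30)
    print("quality after join:", neighbourhood_quality(net))
    refresh(net)
    print("quality after refresh:", neighbourhood_quality(net))
```

Because routing tables here only ever grow, `neighbourhood_quality` can never drop after a `refresh`; the defender's counterpart of this simulation is a crawler that performs the same `connect`/`search` rounds to enumerate the live peers.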
Random Mechanisms
● Theoretical architecture described by Evan Cooke et al.
● Easy to implement and resilient to discovery and destruction
● Scalability limitations make it impractical for large-scale attacks
● Bots sleep and are not activated until the bot master is ready to
attack

Rallying Mechanisms
● Hard-coded IP address
● The bot communicates using C&C IP addresses that are
hard-coded in its binary.
● Easy to defend against, as the IP addresses are easily extracted
and blocked, which makes the bot useless.
Rallying Mechanisms
● Dynamic DNS domain name
● Hard-coded C&C domains registered with dynamic DNS providers.
● Detection is harder when the botmaster randomly changes the location
● Easier to resume an attack with a new, unblocked domain name
● If the connection fails the bot performs DNS queries to obtain the
new C&C address and redirects there.

Rallying Mechanisms
● Distributed DNS service
● Hardest to detect and destroy. Newest mechanism. Sophisticated.
● Botnets run their own DNS service out of reach of authorities
● Bots use these DNS servers to resolve the C&C addresses
● Use high port numbers to avoid detection by security devices and
gateways
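The three rallying mechanisms form a natural fallback chain, and each defender action on the slides (block the hard-coded IP, seize the dynamic-DNS name, block the herder's resolver) pushes the bot one step down it. The block below is an added example, not from the handout: a bot-side `rally` routine with an injectable resolver and connector, and an offline `FakeNet` on which `walkthrough` escalates the takedown step by step. Every address, domain, port and the resolver contents are assumptions.

```python
"""Bot rallying with fallback across the three mechanisms (added example).

All addresses, names, ports and the fake network's contents are assumptions;
the connector and resolver are injected so the code runs offline.
"""


def rally(config, resolve, connect):
    """Try each mechanism in order; return (mechanism, ip, port) or None.

    config keys (all assumed for this example):
      "hardcoded":   [(ip, port), ...]               baked into the binary
      "ddns":        [(domain, port), ...]           herder updates the A record
      "private_dns": {"resolvers": [(ip, port)],     herder-run DNS on high ports
                      "names": [(domain, port)]}
    resolve(name, resolver) -> [ip, ...]; resolver None means the system DNS.
    connect(ip, port) -> bool.
    """
    for ip, port in config.get("hardcoded", []):
        if connect(ip, port):
            return ("hardcoded", ip, port)
    for domain, port in config.get("ddns", []):
        for ip in resolve(domain, None):
            if connect(ip, port):
                return ("ddns", ip, port)
    priv = config.get("private_dns", {})
    for resolver in priv.get("resolvers", []):
        for domain, port in priv.get("names", []):
            for ip in resolve(domain, resolver):
                if connect(ip, port):
                    return ("private_dns", ip, port)
    return None


class FakeNet:
    """Stand-in for DNS and TCP so the example runs without a network."""

    def __init__(self):
        self.blocked = set()        # (ip, port) pairs the firewall drops
        self.sinkholed = set()      # public names seized in a takedown
        self.public = {"cnc.dyndns.example": ["203.0.113.20"]}
        # herder-run resolver listening on a high port -> its private zone
        self.private = {("198.51.100.200", 53535): {"cnc.bot": ["192.0.2.99"]}}

    def resolve(self, name, resolver):
        if resolver is None:
            return [] if name in self.sinkholed else self.public.get(name, [])
        return self.private.get(resolver, {}).get(name, [])

    def connect(self, ip, port):
        return (ip, port) not in self.blocked


BOT_CONFIG = {
    "hardcoded": [("198.51.100.5", 6667)],
    "ddns": [("cnc.dyndns.example", 8080)],
    "private_dns": {"resolvers": [("198.51.100.200", 53535)],
                    "names": [("cnc.bot", 65000)]},
}


def walkthrough(config=BOT_CONFIG):
    """Escalate the defender's response and record where the bot rallies each time."""
    net = FakeNet()
    steps = []
    steps.append(("fresh", rally(config, net.resolve, net.connect)))
    net.blocked.add(("198.51.100.5", 6667))             # block the hard-coded C&C
    steps.append(("ip blocked", rally(config, net.resolve, net.connect)))
    net.sinkholed.add("cnc.dyndns.example")             # seize the DDNS name
    steps.append(("ddns seized", rally(config, net.resolve, net.connect)))
    net.blocked.add(("192.0.2.99", 65000))              # block the last C&C
    steps.append(("private C&C blocked", rally(config, net.resolve, net.connect)))
    return steps


if __name__ == "__main__":
    for stage, result in walkthrough():
        print(f"{stage:22s} -> {result}")
```

The sequence also shows what each observable looks like from the network: the first fallback produces a DNS query for the hard-coded name, the second a UDP conversation with an unusual resolver on a high port, which is the "use high port numbers" item above and a good egress-filter rule in its own right.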
Beating Evasion Techniques
● Prevention
● Find C&C servers and destroy them
● Most effective method for prevention and
cure:
● Combining traditional detection
mechanisms with those based on
anomalous network behaviour

Conclusion
● By using the taxonomy and accurately
identifying what type of botnet you are
dealing with, it will be easier to choose the
correct detection and mitigation technique.
