4 - Application-Layer Security (Botnets) Flashcards
Internet attack types
Distributed Denial-of-Service (DDoS) attacks mainly aim at reducing the availability of a service (e.g. [Spamhaus13])
Spam emails contain information crafted to be delivered to a large number of recipients, whether they wish it or not
Phishing is a fraudulent activity defined as the creation of a replica of an existing Web site (or other online resource) to deceive a user into submitting personal, financial, or password data
Data stealing using malware techniques like file inspection, keyloggers, cookie stealing, etc.
Click fraud is inducing, by deceit, users to click on online ads or to visit certain Web sites to increase the Web site’s revenues or exhaust an advertiser’s budget
Internet attacks: Why And How?
Financial gain is the motivation for these attacks
Activism (e.g. Anonymous) and vandalism are further motivations to launch these attacks
Thousands (or even millions) of hosts are involuntarily enlisted as members of botnets
Botnets
The term “botnet” has been coined from “robot network”, where robots are highly adaptable programs which do their master’s bidding over a broad network (such as the Internet)
Bots are considered to be a combination of Trojans and worms
Botnets are owned by the botmaster (botherder) and can be “rented” for launching attacks at an arbitrarily large scale
Botnet Roles
Developer
- Person or group of people who design and implement the botnet
- The developer is not necessarily the botmaster
Client
- Some clients rent botnet services (such as DDoS) from the botmaster
- Others seek to become botmasters themselves to use the botnet (or parts of it) for their own purposes
Victim
- System, person, or network which constitutes the object of the attack
- Many different kinds: receiver of spam, a company whose site is down, someone from whom information is stolen
Passive participant
- Owner of a host which has been infected and turned into a bot
- Can run into serious legal problems
Botnet Components
A botnet is a network of infected machines (bots) under the control of a human operator (botmaster)
The botmaster controls its botnet through the transmission of C&C (command and control) messages among the bots using C&C channels
- Distributed (peer-to-peer botnets) vs. centralized (server-based) C&C infrastructure
Botnet Architectures:
- Centralized
- Distributed
- Hybrid
Botnet Architectures: Centralized
Bots contact a central C&C server to receive information from the botmaster
Distribution of commands is easy and fast
Single point of failure
- If security researchers or authorities shut down all C&C servers, the botmaster loses its botnet
Botnet Architectures: Distributed
Bots act as server and client simultaneously
More resilient to failures
Time required for a message to reach all bots is much greater
Botnet Architectures: Hybrid
Combines advantages of centralized and distributed botnets by using one or more distributed networks, each with one or more centralized servers
In the worst case, a part of the botnet becomes dismantled on failure of a C&C server
Botnet Infection Process
Botmasters use software bugs or default passwords to gain access to a system
- Usually done automatically (by using scripts and tools such as nmap)
After successful exploitation, the binary containing the bot’s functionality is downloaded to the host using HTTP, FTP, or other protocols
Once the binary is on the compromised host, it is started and tries to contact the C&C server or other bots in P2P botnets
Some bots replicate themselves and try to spread via e.g. the local network of the compromised host (like worms)
The bot then waits for further commands over the C&C channel
Command & Control
C&C is the most critical part of the botnet
C&C is typically done using IRC, Web-based protocols, or P2P techniques
IRC is used traditionally because it is easy to set up and manage
- Used to be stealthy, as IRC traffic was once common on the Internet
Web-based C&C is even easier to use and can be bought on the black market
- Web-based C&C is hidden in port 80 traffic
- “Pull” instead of “push” lowers the traffic
- Scalable: one Web server can handle hundreds of thousands of bots, while IRC chat rooms are usually limited to a few thousand
- To evade shutdown efforts, multiple home servers are usually used
Encryption and other obfuscation techniques (e.g. weird commands or encodings) are used for higher stealthiness
Botnet Attack Execution
DDoS: a sufficiently large number of bots use a service (e.g. a website) simultaneously
- Source IP-based filtering does not work
- Bots cannot be distinguished from legitimate users
Spamming: bots send emails to a large number of addresses in a few seconds
- Bots can use the passive participant’s email resources (address book, email configuration)
Data stealing: bots are used to gather sensitive information (e.g. credentials) from their host
- Can be done using common malware techniques such as keylogging, file inspection or cookie stealing
Click fraud: hundreds of thousands of bots induce clicks on online ads or visits to certain websites on behalf of their host
Botnet Hiding Mechanisms
Botnets need to be kept secret so as not to be shut down by authorities and security researchers
C&C communication is encrypted in modern botnets to prevent analysis of the C&C channel
As in other malware, the binaries which contain the malicious code are obfuscated to conceal the source code of a bot, to prevent reverse engineering, and to prevent detection by malware scanners
The botmaster uses multiple proxies (potentially in different countries) for C&C to prevent tracking
Polymorphic bots provide the same functionality with different source codes
IP and email spoofing to conceal the origin of attacks
How To Detect & Defend Against Botnets?
Botnets are oftentimes detected by using honeypots and honeynets
- The whole infection process is usually emulated and monitored, including downloading the malicious code for further inspection and sniffing the C&C communications
Then the binaries are examined to get insights on the botnet’s architecture and C&C structure
In case it’s (semi-)centralized, authorities and providers try to shut down the C&C servers
In case it’s a P2P botnet, the botnet must be “attacked”, which is much harder [Rossow13]
- The botnet could be taken over by authorities and commanded to kill itself
- The fingerprints of the malicious code must be distributed to malware scanners in order to remove it from hosts
- Some P2P botnets have been alive for more than 5 years, even though they have been discovered (e.g. Sality)
Mobile Botnets
Botnets could also use mobile devices (such as smartphones) to launch certain attacks
Mobile devices have special drawbacks such as connectivity, bandwidth, battery, or performance
But they have great advantages, too
- Hackers can use them to send emails or flood other subscribers with SMS or phone calls
- Smartphones usually carry lots of personal data (contacts, photos, messages, emails, …)
- Smartphones are additionally equipped with plenty of sensors (microphone, camera, GPS)
- Mobile devices often don’t run malware scanners
- App markets are a great way to distribute bots
Botnets for basically every mobile platform have been reported