Botnets

Question 1

Bot Definition

Answer 1

Malware die remote über Kommandos gesteuert werden kann

Question 2

Botnetz Definition

Answer 2

Collectively controlled collection of bots
-> require a communication channel to facilitate Command & Control (C&C, C2)

Question 3

Bots Takedown

Answer 3

• Remove Bots: (Remotely) disinfect/wipe machine
• Disconnect from C2: Prevent bots from receiving commands

Question 4

Zentralisierte Architektur

Answer 4

• Simple, efficient, scalable
• Single point of failure

Question 5

Locating the C2

Answer 5

• Hardcoded IPs & Domains: Blacklisting
• DGAs: rendezvous points
  -> seed can be predictable (counter, date) or unpredictable
  -> predictability makes C2 infrastructure easier to manage for the botmaster, but also easier to monitor for defenders

Question 6

Basic Takedown of a DGA Botnet

Answer 6

1) Reverse-engineer DGA
2) Run DGA, calculate valid domains
3) Monitor network activity (e.g. passive DNS)
4) Identify actual C2 servers
5) Proceed with takedown (contact hosting provider, cooperate with authorities)

Question 7

Basic Monitoring of DGA Botnet

Answer 7

1) Reverse-engineer DGA
2) Run DGA, calculate valid domains
3) Register (first few, some, all) domains
4) Set up honeypot server
5) Monitor connecting bots

Question 8

Fast Flux Network

Answer 8

• DNS A records of C2 domain change rapidly (Zuweisung von Domain zu IPv4 Adresse)
• Shuffle in benign IPs to disguise actual C2s

Question 9

Double Flux Networks

Answer 9

• DNS A and NS records of C2 domain change rapidly
  -> NS Record: Welcher Nameserver ist für die eingetragene Domain zuständig?
• Also possibility to add proxies to forward traffic to actual C2s
  -> existing bots can be used as flux network

Question 10

Examples for alternative C2 channels

Answer 10

• Twitter
• Bitcoin
• Tor
• P2P file sharing protocols

Question 11

P2P style: Parasitic

Answer 11

• Leverages an existing P2P protocol for communication
  -> Bots identified via file advertisement
  -> Communication established via “watchwords”
  -> Commands pulled via file advertisement by botmaster & periodic file search by bots
  -> Commands pushed via file seach by botmaster

Question 12

P2P Countermeasures: Index Poisoning (pull)

Answer 12

• With a pull mechanism bots need to know what to query for
  1) Reverse-engineer watchwords
  2) Add defender nodes to P2P network
  3) Respond to watchword queries with bogus data

Question 13

P2P Countermeasures: Index Poisoning (Push)

Answer 13

• With a pull mechanism bots need to know that to listen for
  1) Reverse-engineer command format
  2) Add defender nodes to P2P network
  3) Drop file search broadcasts that match the command format

Question 14

P2P Styles: Bot-Only

Answer 14

• Constructs a separate network (on top of basic transport protocols like TCP)
  -> Communication established via (bootstrap) peer lists
  -> Bots identified via peer list exchange
  -> Commands pulled by polling peers
  -> Commands pushed by connecting directly to listening bots

Question 15

P2P Styles: Bot-Only: Bootstrap Peer Lists

Answer 15

• Hardcoded: simple, but creates “few points of failure” and isn’t updatable
• Server-based: bootstrap list can be rotated/updated, but creates same problems as centralized botnet
• Propagated: self-contained, potentially lacks interconnection between infection paths

Question 16

P2P Countermeasures: P2P Crawling

Answer 16

1) Reverse-engineer peer exchange algorithm
2) Find bootstrap peers
3) Iteratively request peer list from peers
-> Degree of success depends on implementation

Question 17

P2P Countermeasures: Sybil Attacks & Peer List Poisoning

Answer 17

1) Reverse-engineer peer exchange algorithm
2) Send bogus/defender peers to known peers
-> Degree of success depends on implementation