Botnet Detection Based on ICMP Infiltrations Correlation Pattern

Navaneethan C. Arjuman, PhD Candidate and MyBrain Fellow
nava@nav6.usm.my
National Advanced IPv6 Centre
February 2012
Copyright Nava 2012

Agenda
Objective
What are Botnets?
  ◦ Botnet History
  ◦ Botnet Usage
  ◦ Botnet Command & Control (C&C) Mechanism
  ◦ Botnet Classification
Botnet Detection Techniques
  ◦ Anomaly Detection
Correlation Techniques
Inbound Scanning
  ◦ Proposed new area: ICMP-based scanning
  ◦ Mitigation Technique
  ◦ Research Outcome

What are Botnets?
An Internet Relay Chat (IRC) based command and control network of compromised hosts (bots)
A bot is a client program that runs in the background of a compromised host
  ◦ Watches for certain strings on an IRC channel
  ◦ These are encoded commands for the bot
Purpose
  ◦ DoS, ID theft, phishing, keylogging, spam
  ◦ Fun AND profit

Botnet History
The first botnets trace back to August 1988, when IRC was invented at the University of Oulu, Finland
1989 – First bot – “GM”
  ◦ Assisted users in managing their own IRC connections
May 1999 – Pretty Park
  ◦ Reported in June 1999 in Central Europe
  ◦ Internet worm – a password-stealing trojan
1999 – SubSeven
  ◦ Remote-controlled trojan

Botnet History
2000 – GTbot (Global Threat)
  ◦ New capabilities – port scanning, flooding and cloning
  ◦ Supports UDP and TCP socket connections
  ◦ Uses an IRC server to run malicious scripts
2002 – SDbot
  ◦ Written by a Russian programmer by the name ‘SD’
  ◦ 40 KB of C++ code
  ◦ First to publish the code for hackers via a website
  ◦ Provided e-mail and chat support
2002 – Agobot
  ◦ Modular updates
  ◦ Spread through Kazaa, Grokster, etc.

Botnet History
2003 – Spybot or Milkit
  ◦ Derived from SDbot
  ◦ Comes with spyware capabilities
  ◦ Spread via file-sharing applications and e-mail
2003 – Rbot
  ◦ Backdoor trojan on IRC
  ◦ Compromised vulnerable Microsoft shares on ports 139 and 445
  ◦ Based on the MSRT report by Microsoft in June 2006 – 1.9 million PCs affected worldwide
2004 – PolyBot
  ◦ Polymorphism capabilities
  ◦ Based on Agobot

Botnet History
2005 – MyBot
  ◦ New version of SpyBot
  ◦ Hybrid coding
  ◦ Spread via file-sharing applications and e-mail
2006 – P2P-based bots
  ◦ 1st generation – “SpamThru”, “Nugache”, based on “Gnutella” file sharing
  ◦ 2nd generation – “Peacomm”, pure distributed P2P
2007 – “Storm Botnet”
  ◦ Truly pure P2P
  ◦ No single point of failure
  ◦ Provides high resilience and scalability, and is difficult to track

What is the latest?
2010 – Stuxnet
  ◦ Spreads via Microsoft Windows and targets Siemens industrial software and equipment
  ◦ Malware that spies on and subverts industrial systems
  ◦ Targeted five Iranian organizations – uranium enrichment infrastructure in Iran
September 2011 – Duqu
  ◦ Duqu is a computer worm discovered on 1 September 2011
  ◦ “Operation Duqu” is the campaign that used Duqu; its goals are still unknown

Botnet Usage
DDoS
Spam
Sniffing traffic
Keylogging
Installing advertisement add-ons and Browser Helper Objects (BHOs)
Manipulating online polls/games
Mass ID theft

Botnet Command & Control (C&C) Mechanism
From the botmaster's point of view:
Centralized
  ◦ Pro – easy to set up, fast command dissemination
  ◦ Cons – easy to detect, single point of failure
Peer-to-Peer Topology
  ◦ Pro – decentralized, not easy to detect, no single point of failure
  ◦ Cons – not easy to set up (more complex), message delivery not guaranteed, high latency

Botnet Command & Control (C&C) Mechanism (continued)
Unstructured Topology – extreme peer topology, one-to-one communication
  ◦ Pro – easy to set up, decentralized, not easy to detect, no single point of failure
  ◦ Cons – message delivery not guaranteed, high latency

Botnet Classification by Command & Control (C&C)
IRC Based – C&C using an IRC server
HTTP Based – C&C using a web server
P2P Based – C&C over a peer-to-peer protocol
DNS Based – C&C using fast-flux networks

Botnet Detection
Signature Based – able to detect only known bots
Anomaly Based – detects bots based on traffic anomalies
DNS Based – detects based on DNS information
Mining Based – detects using machine learning, classification and clustering

Anomaly Based Detection
Detects based on traffic anomalies such as:
High network latency
High volumes of traffic on unusual ports
Unusual system behaviour
Major advantage: handles unknown bots

Correlation Techniques
Inbound scanning
Exploit usage
Egg downloading
Outbound bot coordination dialog
Outbound attack propagation
Malware P2P communication

Scanning for recruits
[Diagram: black – C&C, red – scan info]
VASCAN 2005, Copyright Marchany 2005

Bot Attack Strategy
Recruitment of the agent network
  ◦ Finding vulnerable systems
  ◦ Breaking into vulnerable systems: protocol attack, middleware attack, application or resource attack
Controlling the agent network
  ◦ Direct and indirect commands
  ◦ Updating malware
  ◦ Unwitting agents

Finding Vulnerable Systems
Blended threat scanning
  ◦ Program(s) that provide command & control using IRC bots
  ◦ IRC commands tell a bot (e.g. Power) to do a netblock scan
  ◦ The bot builds a list of vulnerable hosts and informs the attacker via the botnet
  ◦ The attacker gets the file and adds it to a master list

Inbound Scanning
Several inbound port-scanning methods are available. All port-scanning methods work if the target host complies with RFC 793 – Transmission Control Protocol (TCP).
Internet Control Message Protocol (ICMP)
Transmission Control Protocol (TCP)
  ◦ SYN
  ◦ ACK
  ◦ Window
  ◦ FIN
User Datagram Protocol (UDP)

Inbound Scanning (continued)
Other types (uncommon):
X-mas and Null
Protocol
Proxy
Idle
CatSCAN

Why use ICMP Scanning? Understanding ICMP-Based Attacks
Attackers prefer ICMP-based inbound scanning because the ICMP replies give a high-level picture of the target:
Elimination of the target network – Type 3, Code 0 – Destination network unreachable

Why use ICMP Scanning? (continued)
Elimination of the target host – Type 3, Code 1 – Destination host unreachable
Elimination of a particular protocol – Type 3, Code 2 – Destination protocol unreachable
Elimination of a particular port – Type 3, Code 3 – Destination port unreachable

Why use ICMP Scanning? (continued)
Smaller payload – unnoticeable in terms of volume increase, so harder to detect
More reliable replies – the answer comes back as an error message, compared to TCP and UDP

Understanding ICMP
Currently there are two (2) types:
ICMPv4
ICMPv6

ICMPv4
Core protocol of the Internet Protocol Suite
Defined under RFC 792
Mainly used to provide error messages
ICMP messages are typically generated in response to errors in IP datagrams (as specified in RFC 1122) or for diagnostic or routing purposes
ICMP errors are always reported to the original source IP address of the originating datagram

ICMPv4 – IP Datagram
Bits   0-7    8-15   16-23  24-31
0      TYPE   CODE   CHECKSUM
32     REST OF HEADER
Type – ICMP type as specified below.
Code – Subtype of the given type.
Checksum – Error-checking data. Calculated over the ICMP header + data, with this field set to 0 during the calculation. The checksum algorithm is specified in RFC 1071.
Rest of Header – Four-byte field. Varies based on the ICMP type and code.

ICMPv4 – Type Range
Types are numbered 0–255
0 to 41 – already defined
42 to 255 – reserved
Special attention is focused on the following types:
Type 3
Types 9 and 10
Types 15 and 16
Types 17 and 18
Types 37 and 38

ICMPv4 – Type 3
Below are the codes that require the most attention:
Code 0 – Destination network unreachable
Code 1 – Destination host unreachable
Code 2 – Destination protocol unreachable
Code 3 – Destination port unreachable
Code 6 – Destination network unknown
Code 7 – Destination host unknown
Code 8 – Source host isolated
Code 9 – Network administratively prohibited
Code 10 – Host administratively prohibited
Code 11 – Network unreachable for TOS
Code 12 – Host unreachable for TOS
Code 13 – Communication administratively prohibited

ICMPv4 – Others
Type 9, Code 0 – Router Advertisement
Type 10, Code 0 – Router discovery/selection/solicitation
Type 15, Code 0 – Information Request
Type 16, Code 0 – Information Reply
Type 17, Code 0 – Address Mask Request
Type 18, Code 0 – Address Mask Reply
Type 37, Code 0 – Domain Name Request
Type 38, Code 0 – Domain Name Reply

ICMPv4 – ICMP Fault Monitoring Features
[Sample capture screenshot]

ICMPv6
Internet Control Message Protocol (ICMP) for Internet Protocol version 6 (IPv6)
Defined under RFC 4443
Mainly used for error messages
Several extensions have been published, defining new ICMPv6 message types as well as new options for existing ICMPv6 message types
Neighbor Discovery Protocol (NDP) is a node discovery protocol in IPv6 which replaces and enhances the functions of ARP

ICMPv6
Secure Neighbor Discovery Protocol (SEND) is an extension of NDP with extra security
Multicast Router Discovery (MRD) allows discovery of multicast routers
ICMPv6 messages may be classified into two categories: error messages and information messages
ICMPv6 messages are transported by IPv6 packets in which the IPv6 Next Header value for ICMPv6 is set to 58

ICMPv6 – IP Datagram
Bit Offset   0-7    8-15   16-31
0            Type   Code   Checksum
32           Message Body
Type – ICMP type as specified below.
Code – Subtype of the given type.
Checksum – Error-checking data. Calculated over the ICMP header + data, with this field set to 0 during the calculation.

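The ICMPv4 datagram layout shown earlier (Type, Code, Checksum, Rest of Header) and this ICMPv6 layout share the same first four bytes but differ in how the checksum is computed: ICMPv4 sums only the ICMP header and data (RFC 1071), while ICMPv6 (RFC 4443) also covers an IPv6 pseudo-header carrying the source and destination addresses, the ICMPv6 length and the Next Header value 58 from the previous slide. The following Python is an added example, not code from this presentation or from the author's iNetmon work; it builds and parses both message formats and re-verifies the checksum, using constructed sample addresses and a constructed quoted-header payload.

```python
import struct
import ipaddress

ICMPV6_NEXT_HEADER = 58  # IPv6 Next Header value identifying ICMPv6 (slide "ICMPv6")


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: ones-complement of the ones-complement sum of all
    16-bit words; an odd trailing byte is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmpv4(icmp_type: int, code: int, rest_of_header: bytes, data: bytes = b"") -> bytes:
    """Type | Code | Checksum | Rest of Header (4 bytes) | data.  The checksum is
    computed over header+data with the checksum field set to 0; no pseudo-header."""
    if len(rest_of_header) != 4:
        raise ValueError("Rest of Header must be exactly 4 bytes")
    body = rest_of_header + data
    csum = internet_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body


def parse_icmpv4(msg: bytes) -> dict:
    """Split an ICMPv4 message into its fields and recompute the checksum."""
    if len(msg) < 8:
        raise ValueError("ICMPv4 header is 8 bytes")
    icmp_type, code, csum = struct.unpack("!BBH", msg[:4])
    zeroed = msg[:2] + b"\x00\x00" + msg[4:]   # checksum field = 0, as when it was computed
    return {
        "type": icmp_type, "code": code, "checksum": csum,
        "rest_of_header": msg[4:8], "data": msg[8:],
        "checksum_ok": internet_checksum(zeroed) == csum,
    }


def icmpv6_checksum(src: str, dst: str, zeroed_msg: bytes) -> int:
    """ICMPv6 checksum also covers the IPv6 pseudo-header (RFC 4443):
    source, destination, upper-layer length, three zero bytes, Next Header = 58."""
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(zeroed_msg))
              + b"\x00\x00\x00" + bytes([ICMPV6_NEXT_HEADER]))
    return internet_checksum(pseudo + zeroed_msg)


def build_icmpv6(src: str, dst: str, icmp_type: int, code: int, body: bytes) -> bytes:
    """Type | Code | Checksum | Message Body, checksummed with the pseudo-header."""
    zeroed = struct.pack("!BBH", icmp_type, code, 0) + body
    return struct.pack("!BBH", icmp_type, code, icmpv6_checksum(src, dst, zeroed)) + body


def parse_icmpv6(src: str, dst: str, msg: bytes) -> dict:
    """Parse an ICMPv6 message; the IPv6 addresses are needed to verify the checksum."""
    if len(msg) < 4:
        raise ValueError("ICMPv6 header is 4 bytes")
    icmp_type, code, csum = struct.unpack("!BBH", msg[:4])
    zeroed = msg[:2] + b"\x00\x00" + msg[4:]
    return {"type": icmp_type, "code": code, "checksum": csum, "body": msg[4:],
            "checksum_ok": icmpv6_checksum(src, dst, zeroed) == csum}


if __name__ == "__main__":
    # Constructed sample: a Type 3 / Code 3 "destination port unreachable" reply
    # (the kind an ICMP-based scan relies on) quoting a dummy 28-byte original header.
    quoted = bytes(range(28))
    v4 = build_icmpv4(3, 3, b"\x00" * 4, quoted)
    print(parse_icmpv4(v4))
    # Constructed ICMPv6 Type 1 / Code 4 "port unreachable" between documentation addresses.
    v6 = build_icmpv6("2001:db8::1", "2001:db8::2", 1, 4, b"\x00" * 4 + quoted)
    print(parse_icmpv6("2001:db8::1", "2001:db8::2", v6))
```

A monitor that re-verifies checksums this way can discard corrupted or forged error messages before they are counted as scan evidence; note that for ICMPv6 the verifier must keep the enclosing IPv6 addresses, since a message copied between flows will fail the pseudo-header check.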
ICMPv6 – Type
Special attention is focused on the following types:
Types 128 and 137
Types 139 and 153

ICMPv6 – Type 1
Below are the codes that require attention when scanning takes place:
Code 0 – no route to destination
Code 1 – communication with destination administratively prohibited
Code 2 – beyond scope of source address
Code 3 – address unreachable
Code 4 – port unreachable
Code 7 – source address failed ingress/egress policy
Code 8 – reject route to destination

ICMPv6 – Others
Type 128, Code 0 – Echo Request
Type 129, Code 0 – Echo Reply
Type 130, Code 0 – Multicast Listener Query
Type 133, Code 0 – Router Solicitation (NDP)
Type 134, Code 0 – Router Advertisement (NDP)
Type 135, Code 0 – Neighbor Solicitation (NDP)
Type 136, Code 0 – Neighbor

ICMPv6 – Others
Type 139, Codes 0 to 2 – ICMP Node Information Query
Type 140, Codes 0 to 2 – ICMP Node Information Response
Type 141, Code 0 – Inverse Neighbor Discovery Solicitation Message
Type 142, Code 0 – Inverse Neighbor Discovery Advertisement Message
Type 144, Code 0 – Home Agent Address Discovery Request Message
Type 145, Code 0 – Home Agent Address Discovery Reply Message
Type 146, Codes 0 to 2 – Mobile Prefix Solicitation
Type 147, Code 0 – Mobile Prefix Advertisement
Type 151 – Multicast Router Advertisement (MRD)
Type 152 – Multicast Router Solicitation (MRD)

Mitigating ICMP-Based Scanning Attacks
Capturing these ICMP error messages gives a high-probability indication that an attack is taking place
Proposed: a new profiling algorithm
Proposed: new ICMP-based scanning profiling applications
Need to improve the existing iNetmon ICMP default monitoring features

Mitigating ICMP-Based Scanning Attacks (continued)
Integration with a profiling system is required to correlate with the other correlation factors, such as:
  ◦ Exploit usage
  ◦ Egg downloading
  ◦ Outbound bot coordination dialog
  ◦ Outbound attack propagation
  ◦ Malware P2P communication
Systems such as BotHunter (a Snort-based correlation engine) already correlate the features listed above.

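The profiling idea on this and the previous slide (capture the unreachable error messages that an ICMP-based scan elicits, then hand the result to a correlation engine alongside the other factors) is not specified further in the deck. The following Python is an added example, not the author's proposed algorithm and not BotHunter's code. The detection rule it uses (flag a probe sender whose packets provoke unreachable errors for at least min_targets distinct destinations inside one sliding time window) and the capture records it processes are assumptions constructed for illustration; the code/name tables are the Type 3 (ICMPv4) and Type 1 (ICMPv6) codes listed on the earlier slides.

```python
from collections import defaultdict
from dataclasses import dataclass

# Error replies that tell a scanner what is NOT reachable (Type 3 / Type 1 slides).
ICMPV4_TYPE3 = {
    0: "destination network unreachable", 1: "destination host unreachable",
    2: "destination protocol unreachable", 3: "destination port unreachable",
    6: "destination network unknown", 7: "destination host unknown",
    9: "network administratively prohibited", 10: "host administratively prohibited",
    13: "communication administratively prohibited",
}
ICMPV6_TYPE1 = {
    0: "no route to destination",
    1: "communication with destination administratively prohibited",
    2: "beyond scope of source address", 3: "address unreachable",
    4: "port unreachable", 7: "source address failed ingress/egress policy",
    8: "reject route to destination",
}


@dataclass(frozen=True)
class IcmpEvent:
    """One captured ICMP message (hypothetical record format), with the endpoints
    of the quoted original packet already extracted: orig_src is the probe sender."""
    ts: float        # capture time, seconds
    family: int      # 4 or 6
    icmp_type: int
    code: int
    reporter: str    # router or host that emitted the message
    orig_src: str    # sender of the probe that provoked the error
    orig_dst: str    # address the probe was aimed at


def unreachable_name(ev: IcmpEvent):
    """Name of an 'unreachable'-class error, or None for any other ICMP message."""
    if ev.family == 4 and ev.icmp_type == 3:
        return ICMPV4_TYPE3.get(ev.code)
    if ev.family == 6 and ev.icmp_type == 1:
        return ICMPV6_TYPE1.get(ev.code)
    return None


def profile_icmp_scans(events, window=60.0, min_targets=8):
    """Assumed profiling rule: a probe sender whose packets provoke unreachable
    errors for >= min_targets distinct destinations within one sliding window
    is flagged as an inbound scanner.  Returns {orig_src: evidence record}."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if unreachable_name(ev) is not None:       # echo replies etc. are ignored
            by_src[ev.orig_src].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1                         # slide the window forward
            win = evs[start:end + 1]
            targets = {e.orig_dst for e in win}
            if len(targets) >= min_targets:
                alerts[src] = {
                    "targets": len(targets),
                    "codes": sorted({(e.icmp_type, e.code) for e in win}),
                    "names": sorted({unreachable_name(e) for e in win}),
                    "first": win[0].ts, "last": win[-1].ts,
                }
                break                              # one evidence record per source
    return alerts


def sample_events():
    """Constructed capture: one IPv4 sweep, one IPv6 sweep, one benign host."""
    evs = []
    for i in range(12):                            # 12 hosts in 10.0.0.0/24 probed 2 s apart
        evs.append(IcmpEvent(100 + 2 * i, 4, 3, 1 if i % 2 == 0 else 3,
                             "10.0.0.254", "203.0.113.7", f"10.0.0.{i + 1}"))
    for i in range(10):                            # 10 addresses in 2001:db8:2::/64, 1 s apart
        evs.append(IcmpEvent(200 + i, 6, 1, 3,
                             "2001:db8:2::ffff", "2001:db8:1::9", f"2001:db8:2::{i + 1:x}"))
    evs.append(IcmpEvent(205, 6, 129, 0, "2001:db8:2::1", "2001:db8:1::9", "2001:db8:2::1"))
    evs.append(IcmpEvent(300, 4, 3, 3, "10.0.0.254", "198.51.100.5", "10.0.0.20"))  # benign:
    evs.append(IcmpEvent(301, 4, 3, 3, "10.0.0.254", "198.51.100.5", "10.0.0.21"))  # two errors
    return evs


if __name__ == "__main__":
    for src, evidence in profile_icmp_scans(sample_events()).items():
        print(src, evidence)
```

Each alert is one "inbound scanning" evidence record keyed by the probing source; a correlation engine would combine it with the exploit-usage, egg-download and outbound-dialog evidence listed above before reaching a bot-infection verdict. The window and target-count thresholds are placeholders and need tuning against the monitored network's normal rate of unreachable errors.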
Proposed Research Outcome
Publish papers (focused on ISI-indexed venues) and journal articles based on these techniques
Develop the ICMP-based scanning profile algorithm
Build an ICMP-based scanning profile solution (Nmap can be modified to add the ICMP profiling algorithm)

References
www.sunbelt-software.com/ihs/alex/rmbotnets.ppt
http://www.bothunter.net/doc/users_guide.WIN.html
http://www.iana.org/assignments/icmpv6-parameters
http://www.sans.org/security-resources/idfaq/icmp_misuse.php
“Know your Enemy: Tracking Botnets”, Lance Spitzner, http://www.honeynet.org/papers/bots
http://en.wikipedia.org/wiki/ICMPv6
http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
http://en.wikipedia.org/wiki/Stuxnet
http://en.wikipedia.org/wiki/Duqu

Thank You