4 - Application-Layer Security (Botnets)

Question 1

Internet attacks types

Answer 1

Distributed Denial-of-Service (DDoS) attacks mainly aim at reducing the availability of a service (e.g. [Spamhaus13])

Spam emails contain information crafted to be delivered to a large number of recipients, whether they wish it or not

Phishing is a fraudulent activity defined as the creation of a replica of an existing Web site (or other online resource) to deceive a user into submitting personal, financial, or password data

Data stealing using malware techniques like file inspection,
keyloggers, cookie stealing, etc.

Click fraud is inducing, by deceit, users to click on online ads or to visit certain Web sites to increase the Web site’s revenues or exhaust an advertiser’s budget

Question 2

Internet attacks: Why And How?

Answer 2

financial gains are the motivation for these attacks

activism (e.g. Anonymous) and vandalism are motivations to launch these attacks

thousands (or even millions) of hosts volunteer involuntarily as members of botnets

Question 3

Botnets

Answer 3

The term “botnet” has been coined from “robot network”, where robots are highly adaptable programs which do their masters bidding over a broad net (such as the Internet)

Bots are considered to be a combination of Trojans and worms

Botnets are owned by the botnetmaster (botherder) and can be “rented” for launching attacks at an arbitrary large scale

Question 4

Botnet Roles

Answer 4

Developer

• Person or group of people who design and implement the botnet
• The developer is not necessarily the botmaster

Client

• Some clients rent botnet services (such as DDoS) from the botmaster
• Others seek to become botmasters themselves to use the botnet (or parts of it) for their own purposes

Victim

• System, person, or network which constitutes the object of the attack
• Many different kinds: receiver of spam, a company whose site is down, someone from whom information is stolen

Passive participant

• Owner of a host which has been infected and turned into a bot
• Can run into serious legal problems

Question 5

Botnet Components

Answer 5

A botnet is a network of infected machines (bots) under the control of a human operator (botmaster)

The botmaster controls its botnet through the transmission of C&C (command and control) messages among the bots using C&C channels
- Distributed (peer-to-peer botnets) vs. centralized (server-based) C&C infrastructure

Question 6

Botnet Architectures:

Answer 6

Centralized
Distributed
Hybrid

Question 7

Botnet Architectures: Centralized

Answer 7

Bots contact a central C&C server to receive information from the botmaster

Distribution of commands is easy and fast

Single point of failure
- If security researchers or authorities shut down all C&C servers, the botmaster looses its botnet

Question 8

Botnet Architectures: Distributed

Answer 8

Bots act as server and client simultaneously

More resilient to failures

Time required for a message to reach all bots is much greater

Question 9

Botnet Architectures: Hybrid

Answer 9

Combines advantages of centralized and distributed botnets by using one or more distributed networks, each with one or more centralized servers

In the worst case, a part of the botnet becomes dismantled on failure of a C&C server

Question 10

Botnet Infection Process

Answer 10

Botmasters use software bugs or standard passwords to gain access to a system
- Usually done automatically (by using scripts and tools such as nmap)

After successful exploitation, the binary containing the bot’s functionality is downloaded to the host using HTTP, FTP, or other protocols

Once the binary is on the compromised host, it is started and tries to contact the C&C server or other bots in P2P botnets

Some bots replicate themselves and try to spread via e.g. the local network of the compromised host (like worms)

Then it waits for further commands from the C&C channel

Question 11

Command & Control

Answer 11

C&C is the most critical part of the botnet

C&C typically done using IRC, Web-based, or using P2P techniques

IRC is used traditionally because it is easy to set up and manage
- Used to be stealthy as IRC has been used heavily in the Internet

Web-based C&C is even easier to use and can be bought on the black market

• Web-based C&C is hidden in port 80 traffic
• “Pull” instead of “push” lowers the traffic
• Scalable: one Web server can handle hundreds of thousands of bots while, IRC chat rooms are usually limited to a few thousands
• To evade shutdown efforts, multiple home servers are usually used

Encryption and other obfuscation techniques (e.g. weird commands or encodings) are used for higher stealthiness

Question 12

Botnet Attack Execution

Answer 12

DDoS: a sufficiently large number of bots use a service (e.g. a website) simultaneously

• Source IP-based filtering does not work
• Bots cannot be distinguished from legitimate users

Spamming: bots send emails to a large number of addresses in a few seconds
- Bots can use the passive participants email resources (address book, email configuration)

Data stealing: bots are used to gather sensitive information

(e. g. credentials) from their host
- Can be done using common malware techniques such as keylogging, file inspection or cookie stealing

Click fraud: hundreds of thousand bots induce clicks on online ads or visits to certain websites on behalf of their host

Question 13

Botnet Hiding Mechanisms

Answer 13

Botnets need to be kept secret to not be shut down by authorities and security researchers

C&C communication is encrypted in modern botnets to prevent analysis of C&C channel

As in other malware, the binaries which contain the malicious code are obfuscated to conceal the source code of a bot, to prevent reverse engineering, and to prevent detection by malware scanners

Usage of multiple proxies (potentially in different countries) by the botmaster for C&C to prevent tracking

Polymorphic bots provide the same functionality with different source codes

IP and email spoofing to conceal the origin of attacks

Question 14

How To Detect & Defend Botnets?

Answer 14

Botnets are oftentimes detected by using honeypots and honeynets
- The whole infection process is usually emulated and monitored, including downloading the malicious code for further inspection and sniffing the C&C communications

Then the binaries are examined to get insights on the botnet’s architecture and C&C structure

In case it’s (semi-)centralized, authorities and providers try to shut down the C&C servers

In case it’s a P2P botnet, the botnet must be “attacked”, which is much harder [Rossow13]

• The botnet could be taken over by authorities and commanded to kill itself
• The fingerprints of the malicious code must be distributed to malware scanners in order to remove it from hosts
• Some P2P botnets have been alive for more than 5 years, although they have been discovered (e.g. Sality)

Question 15

Mobile Botnets

Answer 15

Botnets could also use mobile devices (such as smartphones) to launch certain attacks

Mobile devices have special drawbacks such as connectivity, bandwidth, battery, or performance

But they have great advantages, too

• Hackers can use them to send emails or flood other subscribers with SMS or phone calls
• Smartphones usually carry lots of personal data (contacts, photos, messages, emails, …)
• Smartphones are additionally equipped with plenty of sensors (microphone, camera, GPS)
• Mobile devices often don’t run malware scanners
• App markets are a great way to distribute bots

Botnets for basically every mobile platform have been reported

Question 16

Botnets Conclusion

Answer 16

Creating a botnet is quite easy
- There exist open source frameworks such as Metasploit or
commercial ones like Zeus botnet kit which costs around $700

There is a huge black market for botnets (including software
to create own botnets)

Botnets allow attacks at an incredibly large scale

• Spamhaus.org was attacked in 2013 by a botnet which amplified its bandwidth using IP spoofing and DNS resolvers
• During peak periods, more than 100Gbps of DNS packets arrived at Spamhaus.org
• 300Gbps attack-related traffic was reported by Tier 1 providers, which is almost enough to bring down the Internet (or huge parts of it) [Spamhaus13]

Mobile botnets become more and more attractive
- Perfectly suited for spying activity or mass surveillance