Jointly presented by: Nurefsan Sertbas and Asamoah K. Acheampong

■ DDoS traffic peaked at 500Gbps in 2015 [Arbor Networks, 2016]
■ ZeroAccess: Crooks can milk '$100k a day' from 1-million DDoS-zombie [The Register, Sept-2012]

[Figure: botmaster, C2 server and bots attacking a web server]

[Figure: botmaster pushing updates/commands to the bots]

Centralized
■ Uses Command and Control (C2) servers (HTTP / IRC servers)
■ Single point of failure / monitoring

Distributed (P2P)
■ No C2 servers / No centralized monitoring
■ Bots (inter)connected via an overlay
■ Hop-by-hop command dissemination
■ Resilient to node failures and attacks

§ Three major approaches:
  § Honeypot-based detection (Generic)
  § Intrusion Prevention/Detection Systems (IPS/IDS)
  § Communication/Flow-based Detection Mechanisms

Examples: • BotGrep • Botyacc • PeerHunter • PeerDigger • PeerRush • …

§ Motivation:
  - Drawbacks of signature & anomaly based detection
    • Signature based detection:
      – Cannot detect previously unknown attacks
      – Encrypted malicious communications
    • Anomaly based detection:
      – Produces large # of FPs
      – Longer setup times

§ Proposed Solution: Flow based detection
  - Idea: Observe flows instead of individual packets
  - Extract metadata from NetFlow (who talks to whom, when, how, ...)
  - No need to have knowledge of a complete communication
  - Assumes only limited knowledge on flows

[Figure: random walks over the communication graph when k=4, e.g. walk 1: 19-18-1-3-11, walk 2: 16-14-15-13-11, ...]

READER
• Reads NetFlow data
• Creates communication graph

WALKER
• Random Walker algorithm

NORMALIZER
• Calculates how likely a vertex is to be the end node
• Results in a probability distribution

CLUSTERER
• DBSCAN to perform the final clustering

http://try.bro.org/#/?example=hello
Get a Pcap from https://github.com/ixiacom/ATI/tree/master/PCAPS
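As an added illustration of the READER, WALKER and NORMALIZER stages (this is example code written for this page, not code from the presentation or from any of the systems listed above such as BotGrep), the following Python builds a communication graph from constructed NetFlow-style records, samples k=4 random walks, and computes the exact probability that a walk of length k ends at each vertex. The host names, the flow records, the uniformly random start vertex and the uniform choice among neighbours at each step are assumptions chosen for this example. The final DBSCAN step is not included; the resulting per-vertex values are the input a clustering library such as scikit-learn's DBSCAN would consume.

```python
import random
from collections import defaultdict

# Constructed NetFlow-style records for this example (not real captured flows):
# (start_time, src_host, dst_host, dst_port, bytes). Hosts p1..p4 form a mesh
# that talks among itself, clients c1/c2 only talk to the server s.
FLOWS = [
    (0, "p1", "p2", 4433, 900), (1, "p2", "p3", 4433, 700), (2, "p3", "p4", 4433, 650),
    (3, "p4", "p1", 4433, 620), (4, "p1", "p3", 4433, 880), (5, "p2", "p4", 4433, 810),
    (6, "p1", "s", 80, 1500), (7, "c1", "s", 80, 1200), (8, "c2", "s", 80, 1100),
]


def build_graph(flows):
    """READER: undirected communication graph from who-talks-to-whom metadata only."""
    adj = defaultdict(set)
    for _ts, src, dst, _port, _nbytes in flows:
        if src == dst:
            continue
        adj[src].add(dst)
        adj[dst].add(src)
    return {v: sorted(nbrs) for v, nbrs in adj.items()}


def _walk(graph, start, k, rng):
    """WALKER: one sampled walk of k steps, each step a uniformly random neighbour."""
    path = [start]
    for _ in range(k):
        nbrs = graph[path[-1]]
        if not nbrs:            # isolated vertex: the walk cannot continue
            break
        path.append(rng.choice(nbrs))
    return path


def random_walk(graph, start, k, seed=0):
    """Convenience wrapper with a fixed seed so the walk is reproducible."""
    return _walk(graph, start, k, random.Random(seed))


def end_node_distribution(graph, k):
    """NORMALIZER (exact): probability that a k-step walk from a uniformly random
    start vertex ends at each vertex, computed by pushing probability mass along
    the edges instead of sampling."""
    verts = sorted(graph)
    mass = {v: 1.0 / len(verts) for v in verts}
    for _ in range(k):
        nxt = dict.fromkeys(verts, 0.0)
        for v, m in mass.items():
            nbrs = graph[v]
            if not nbrs:        # isolated vertex keeps its mass
                nxt[v] += m
                continue
            for u in nbrs:
                nxt[u] += m / len(nbrs)
        mass = nxt
    return mass


def empirical_distribution(graph, k, walks, seed=0):
    """NORMALIZER (Monte Carlo): end-node frequencies over `walks` sampled walks."""
    rng = random.Random(seed)
    verts = sorted(graph)
    counts = dict.fromkeys(verts, 0)
    for _ in range(walks):
        counts[_walk(graph, rng.choice(verts), k, rng)[-1]] += 1
    return {v: c / walks for v, c in counts.items()}


if __name__ == "__main__":
    g = build_graph(FLOWS)
    print("walk from p1:", "-".join(random_walk(g, "p1", 4, seed=1)))
    exact = end_node_distribution(g, 4)
    approx = empirical_distribution(g, 4, 20000, seed=0)
    for v in sorted(g):
        print(f"{v:>3}  exact={exact[v]:.4f}  sampled={approx[v]:.4f}")
```

On the constructed data the four mutually connected hosts p1 to p4 end up with a clearly higher end-node probability (p1 at about 0.24, p2 to p4 at about 0.145) than the clients c1 and c2 (about 0.091) that only ever contact the server s: walks tend to get trapped inside the well-connected mesh, which is the structural signal the clustering stage later separates from the bulk of normal traffic.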

Assuming part of the attack signature is the first 4 bytes "\x00\x00\x00\x01"

Goal: Write a basic script to check for that pattern and detect those packets

Solution:
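The solution script itself is not reproduced on the page. As an added example (not the authors' Bro script), the following Python does the same check on a libpcap file using only the standard library: it walks Ethernet/IPv4 to the UDP or TCP payload and reports every packet whose payload starts with the assumed 4-byte signature "\x00\x00\x00\x01". The sample capture is constructed inside the script (addresses, ports and payloads are made up; IP and UDP checksums are left at zero) so it runs offline; pass a real pcap path, for example one from the ixiacom ATI repository linked above, as the first argument to scan that instead. Only classic Ethernet pcap files are handled, not pcapng or nanosecond-resolution captures.

```python
import socket
import struct
import sys

SIGNATURE = b"\x00\x00\x00\x01"   # assumed 4-byte prefix of the attack signature
PCAP_MAGIC = 0xA1B2C3D4           # libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1


def _parse_ipv4_payload(frame):
    """Return (proto, src, dst, sport, dport, payload) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:total_len]
    if proto == 17 and len(l4) >= 8:            # UDP: 8-byte header
        sport, dport = struct.unpack("!HH", l4[:4])
        return ("udp", src, dst, sport, dport, l4[8:])
    if proto == 6 and len(l4) >= 20:            # TCP: header length from data offset
        sport, dport = struct.unpack("!HH", l4[:4])
        return ("tcp", src, dst, sport, dport, l4[(l4[12] >> 4) * 4:])
    return None


def iter_pcap_frames(data):
    """Yield (timestamp, frame) records from raw libpcap bytes with an Ethernet link type."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:                   # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def find_signature(data, signature=SIGNATURE):
    """List every packet whose L4 payload starts with `signature`, with its 5-tuple."""
    hits = []
    for idx, (ts, frame) in enumerate(iter_pcap_frames(data), start=1):
        parsed = _parse_ipv4_payload(frame)
        if parsed is None:
            continue
        proto, src, dst, sport, dport, payload = parsed
        if payload.startswith(signature):
            hits.append({"frame": idx, "ts": ts, "proto": proto, "src": src,
                         "dst": dst, "sport": sport, "dport": dport})
    return hits


def _udp_frame(src, dst, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/UDP frame (checksums zero) for the constructed sample."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + udp
    return b"\x00" * 12 + struct.pack("!H", 0x0800) + ip


def build_sample_pcap():
    """Constructed capture: three UDP packets, two of which carry the signature prefix."""
    frames = [
        _udp_frame("10.0.0.5", "10.0.0.9", 4000, 9000, b"\x00\x00\x00\x01hello"),
        _udp_frame("10.0.0.6", "10.0.0.9", 4001, 9000, b"\x00\x00\x00\x02nope"),
        _udp_frame("10.0.0.7", "10.0.0.9", 4002, 9000, b"\x00\x00\x00\x01" + b"\xff" * 20),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(frame), len(frame)) + frame
    return out


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_pcap()              # constructed sample, not a real capture
    for hit in find_signature(data):
        print("frame %(frame)d %(proto)s %(src)s:%(sport)d -> %(dst)s:%(dport)d" % hit)


if __name__ == "__main__":
    main(sys.argv)
```

The check is deliberately restricted to the start of the transport payload rather than a substring search over the whole frame, which is what keeps a 4-byte pattern this short from matching on header bytes and flooding the output with false positives.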

You can also try with the following functions

By Asamoah K. Acheampong

[Figure: botmaster, C&C servers and bots; labels: Botmaster, Protocols, Seed list]

■ Enumerate infected machines
■ Infection cleanup
■ Alert stakeholders, e.g., ISPs
■ Identify control infrastructure(s)
■ Arrest the botmaster
■ Takedown servers

Reverse engineer to discover or understand:
■ Botnet messages / communication protocols
■ Seed list (or bootstrap list) or C&C Servers


Reverse Engineering
§ Usage of honeypots
§ Infiltration of C&C servers (e.g., IRC or HTTP Servers)
§ IP flow correlation at ISP/Network level

Honeypots
§ ‘Vulnerable’ devices which have the sole purpose of getting infected
§ Two types:
  § Low-interaction Honeypot: (Limited) Protocol emulations
  § High-interaction Honeypot: Complete System interaction, e.g., physical machine.
§ Usage: Useful to detect ongoing propagation of malware and understanding the behaviour of the malware
§ Honeypots can emulate ANYTHING:
  • HTTPS, FTP, MySQL, SIP, SSH
  • Modbus, S7, SNMP, SMB, HTTP, Telnet, SMTP


Multi-stage attack detection and signature generation with ICS honeypots. Vasilomanolakis et al., NOMS 2016

[Figure: P2P overlay of bots A-J; superpeers, and non-superpeers behind NAT/firewall; bot D's neighborlist: No. 1 E, 2 F, 3 G; MM = Membership Maintenance]

Membership Maintenance (MM) mechanism
■ Ensures overlay remains connected
■ Periodically maintains a Neighborlist (NL)*
■ Probes responsiveness of neighbors every MM-interval (256 sec up to 40 min)
■ Update/Replace entries as needed
■ Request additional neighbors
■ Non-superpeers rely on superpeers to stay connected
* The size of an NL ranges between 50-1000 entries

Sality
§ A Windows OS-based virus first seen in 2003
§ File infector, i.e., via Removable devices and SMB
§ Backdoor, FTP password stealer, …
§ Disables general security applications upon infection

§ Adoption of P2P communication architecture since 2009
§ Business Model: Malware (component) dropper via infected URLs
§ Lack of a centralized architecture: Impossible to take down the botnet
  § Only through a coordinated takedown (P2P botnet takedown strategies like Sinkholing attacks)
§ Its resilience is evident from the ‘track record’ of Sality since 2003.

§ Network communications (UDP) encrypted with RC4
§ Dynamic keys using packet’s payload-data hash and size
§ Implication: No easy pattern-matching signatures for IDS/IPS

§ Two active versions: V3 and V4
§ URLPack: Update issued by botmasters to instruct infected bots to download and install additional (new) malware or components.
  § Each update consists of up to 10 different URLs, camouflaged as graphic files
  § The only malware delivery mechanism to the bots

Update Frequency of URLPacks in Sality V3 (Since April 2015)

Seq. Number  Date Issued         URLPack
230          -                   http://pisochne.net/bottom.gif
231          24th April 2015     http://prabhuinfotech.com/images/bottom.gif
232          25th May 2015       http://winmark.co.in/image.gif
234          27th May 2015       http://dom.lapok.hu/pdf/image.gif
236          9th July 2015       http://agruse.com/image.gif
240          24th August 2015    http://tangnhung.50webs.com/anh/image.gif
241          6th October 2015    http://67.225.144.42/images/image.gif
350          11th November 2015  -

[Figure: crawler joining the overlay and sending NL-Req to reachable bots A-J; labels: Protocols, Seed list, NAT, Firewall, Non-superpeers]

Crawler
Crawlers mimic bots in need of neighbors to:
■ Enumerate bots (mostly superpeers)
■ Discover interconnectivity of bots
Drawback:
■ Non-superpeers not reachable (60-90% of bots)

[Figure: visual representation of the topology of bots in the ZeroAccess / GameOver botnet, December 2015]

Day  Responsive  Discovered
1    5752        6646
2    5603        6411
3    5539        6324
4    5359        6120
5    5496        6230
6    5626        6400
7    5676        6564

[Chart: Discovered Peers vs Responsive Peers per day; Total Unique IPs: 5,496; percentage of unique IPs per country, top bars 1,521 / 702 / 544]

[Figure: sensor (XS) joining the overlay as a stable superpeer among bots A-J; labels: Superpeers, Protocols, Crawler, NAT, Firewall, Non-superpeers]

Sensors mimic reliable and stable superpeers to:
■ Enumerate both superpeers and non-superpeers
■ Reliably respond to MM probing messages
■ Become popular among other bots
■ Hide among bots: “Sensors are stealthier than crawlers”, Andriesse et al., 2015
Drawback:
■ No connectivity information

§ About 90% of all bots are not directly reachable via crawling
  § Behind Firewall and NAT devices

All Sality Bots on 1st April 2015
[Chart: Daily Aggregation: Total Unique IPs: 896,638; percentage of unique IPs per country, top bars 120,904 / 86,210 / 66,591]
[Chart: Hourly Aggregation: Total Unique IPs: 198,239; percentage of unique IPs per country, top bars 22,131 / 21,406 / 12,683]

Activities
- Dynamic nature of P2P Botnets
- Activities of other (competing) researchers
- Botnet’s anti-monitoring countermeasures
- Less Invasive Crawling Algorithm (LICA)
- Crawler Detection Mechanism
- Botnet Surveillance System (BoSS)
- Sensor Detection Mechanism
- ZeusMilker

Dynamic nature of P2P botnets: they inherit most of the properties of P2P networks.
§ Dynamic IP address allocation pools (e.g., ISPs, DHCP)
§ High churn rate and diurnal effects
§ Network/security devices, e.g., NAT, Firewall
§ Absence of unique identifiers
§ Over/under estimating multiple nodes behind same IP
§ We are under-estimating via crawling

[Chart: Sality V3 Crawling (7 days): over 12,000 bots, but only about ~1,400 bots reached in 7 days; about > 90% of nodes are NOT reachable; 690 >= Total_bots <= 1,447]

Many third-parties snooping around P2P botnets
§ Introduce a lot of noise from their activities
  § Attacks (e.g., Neighbor list poisoning, sybil attacks)
  § Spoofing of invalid addresses/IDs
  § Over-estimation prone to happen
§ Aggressive monitoring
  § Requests as high as 15 request/min (consistent and constant rate, 24x7)
  § Generate random IDs on-the-fly

§ Stress-test our crawlers and sensors
  § Malformed packets / commands / contents: Require a LOT of bug-fixing!
  § Testing our system’s assumptions: Replay REAL commands

§ Sometimes ‘help’ of other researchers/parties without being asked ;-)
  § Help popularize our sensors (by returning as neighbors)
  § However, introduces bias in some measurements

[Map: Geo-IP location of crawling in Sality V3 on 1st April 2015]

[Figure: crawler X querying bots A-J while a bot comes online and another goes offline; a bot asks “Is this bot contacting me too frequently? If yes, blacklist this bot”]

Challenges in crawling:
■ Delay in crawling introduces noise in crawl data
■ Botnet anti-crawling countermeasures:
  1. Restricted NL-reply mechanisms: Disclosing only a subset of neighbors
  2. Automated blacklisting mechanisms: Force crawlers to rate-limit their crawl frequency

[Figure: sensors S try to get into the NL of bot D, but the NL is FULL]
GameOver Zeus even prevents duplicate entries from a /20 network prefix

Botnet anti-sensor countermeasures:
1. Local reputation mechanism (Sality): Prefer older bots to newly discovered ones
2. IP address-based filtering mechanism (used by bots to prevent sinkholing attacks): Cannot deploy multiple sensors using the same address/network

[Figure: bot D's neighborlist with reputation: No. 1 E 1000, 2 F 700, 3 G 86]

Now
■ (Simple) Anti-Monitoring Countermeasures
■ Independent Monitoring

Future
■ Advanced Anti-Monitoring Countermeasures
■ Collaborative Monitoring
■ Review Existing Cyber Laws
