
BotSniffer : Detecting Botnet Command and Control Channels in Network Traffic

- Botnet : a "zombie army", a network of compromised hosts under one controller

- How it works :

Infection through malware ( e.g. email phishing ).
Exploits a system vulnerability to inject malicious code into the host device.
Tries to establish communication with the C&C ( carries a list of IPs to evade restrictions ).
Downloads additional toolkits.
Tries to spread to other devices.

IF IRC :
Push style : the master sends messages directly to the bots and they execute them ( Phatbot, SpyBot, ... )
A channel is established and commands are sent with PRIVMSG <destination> <message>
The bot executes the command and sends back the result
The bot has a pre-programmed library of commands that lets the master fully control the
machine

IF HTTP :
Pull style : bots periodically contact the server to obtain new commands ( Bobax )
The botmaster places the commands in a file on the C&C server
The bots periodically connect to the server to read new commands

- Botnet Command and Control Channels :

C&C servers
Computers that issue commands to the botnet
Use IRC or HTTP ( also SSL-encrypted, to masquerade better as normal traffic )
Also DNS

- IRC :

Internet Relay Chat
Communication protocol among several users ( text chat organized in channels )

- Topology :

Star : bots organized around a central server
Multi-server : multiple C&C servers for redundancy
Hierarchical : multiple C&C servers organized into tiered groups
Random : co-opted computers communicate with each other as a p2p botnet

- Why detecting the C&C :


The weakest point of the infrastructure
Finding it reveals the C&C server and, through it, the bots that talk to it

- How to detect the C&C :


- Analyze traffic for highly correlated behavior ( spatial-temporal )
- Exploit the pre-programmed nature of bots
- Problems :
They use normal protocols and look like normal traffic
Traffic volume is low
There may be very few bots in the monitored net
Communications may be encrypted

- Invariants regardless of the style :

They need to connect to the server
Bots need to perform tasks and respond to commands
Multiple bots will respond in a similar fashion ( similar messages or similar network activity )
Crowd-like behavior

Bots have stronger synchronization and correlation in their responses than humans ( see figures )

BotSniffer :

- Monitor Engine :
Preprocessing filters out irrelevant data ( to improve efficiency, not accuracy ) by discarding traffic to
well-known hand-coded servers ( Google, Yahoo, ... ) and to normal servers ( dynamically calculated )

Protocol Matcher keeps a record of clients using C&C protocols ( IRC, HTTP ). It is port-independent, because
botnets can use ports other than the standard ones.

Activity/Message Response Detection monitors the clients flagged by the Protocol Matcher, looking for :
IRC PRIVMSG for message responses
High scan rate for scanning activity
MX DNS queries ( requests for mail server addresses ) for spam activity

- Correlation Engine :
The detected clients are grouped by destination IP and port pair ( clients connecting to the same server )
Group analysis for spatial-temporal correlation and similarity
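Added example (not code from the BotSniffer paper or from these notes): a toy version of the pipeline above over constructed flow records. The Protocol Matcher classifies by payload so it catches IRC on a non-standard port; message responses (PRIVMSG) are grouped by (dst IP, dst port); a group is flagged when, inside one time window, a large fraction of its clients respond (crowd density) with mutually similar messages (crowd homogeneity). The thresholds, the whitelist entry, the sample flows and the choice of a Dice coefficient over byte bigrams as the similarity measure are all assumptions for this illustration.

```python
"""Toy BotSniffer-style monitor + correlation over constructed flow records.
Added example; thresholds, whitelist and similarity measure are assumptions."""
import re
from collections import defaultdict

# Constructed records: (time_s, src_ip, dst_ip, dst_port, client->server payload)
FLOWS = [
    # Three bots answering a command on an IRC C&C that listens on port 8080
    (101.2, "10.0.0.21", "203.0.113.5", 8080, b"PRIVMSG #ch :scan started 10.1.0.0/16\r\n"),
    (101.4, "10.0.0.22", "203.0.113.5", 8080, b"PRIVMSG #ch :scan started 10.1.0.0/16\r\n"),
    (101.9, "10.0.0.23", "203.0.113.5", 8080, b"PRIVMSG #ch :scan started on 10.1.0.0/16\r\n"),
    # Humans on a legitimate IRC server: spread out in time, unrelated text
    (100.0, "10.0.0.31", "198.51.100.7", 6667, b"PRIVMSG #ch :anyone up for lunch?\r\n"),
    (140.0, "10.0.0.32", "198.51.100.7", 6667, b"PRIVMSG #ch :sure, where?\r\n"),
    (300.0, "10.0.0.33", "198.51.100.7", 6667, b"PRIVMSG #ch :brb, meeting\r\n"),
    # HTTP to a hand-coded well-known server: dropped by preprocessing
    (100.0, "10.0.0.40", "192.0.2.80", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]
WHITELIST = {"192.0.2.80"}   # assumed hand-coded "well-known server" list

IRC_CMD = re.compile(rb"^(PRIVMSG|NOTICE|JOIN|NICK|USER|PING|PONG) ")
HTTP_REQ = re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")

def match_protocol(payload):
    """Protocol Matcher: classify by payload content, not by destination port."""
    if IRC_CMD.match(payload):
        return "irc"
    if HTTP_REQ.match(payload):
        return "http"
    return None

def monitor(flows, whitelist=WHITELIST):
    """Monitor Engine: drop whitelisted servers, keep C&C-protocol clients and
    emit message-response events (IRC PRIVMSG text).  The scan-rate and DNS MX
    detectors from the notes are not implemented in this toy."""
    events = []
    for t, src, dst, port, payload in flows:
        if dst in whitelist:
            continue
        if match_protocol(payload) == "irc" and payload.startswith(b"PRIVMSG "):
            text = payload.split(b" :", 1)[1].strip() if b" :" in payload else b""
            events.append((t, src, dst, port, text))
    return events

def dice(a, b):
    """Dice coefficient on sets of byte bigrams: 2|A&B| / (|A|+|B|)."""
    ga = {a[i:i + 2] for i in range(len(a) - 1)}
    gb = {b[i:i + 2] for i in range(len(b) - 1)}
    if not ga and not gb:
        return 1.0
    return 2 * len(ga & gb) / (len(ga) + len(gb))

def correlate(events, window=10.0, min_density=0.5, min_similarity=0.7):
    """Correlation Engine: group by (dst_ip, dst_port); flag a group when in
    some window a large fraction of its clients respond (crowd density) with
    mutually similar messages (crowd homogeneity)."""
    groups = defaultdict(list)
    for t, src, dst, port, msg in events:
        groups[(dst, port)].append((t, src, msg))
    flagged = {}
    for key, evs in groups.items():
        clients = {src for _, src, _ in evs}
        if len(clients) < 2:          # a crowd needs more than one client
            continue
        evs.sort()
        for t0, _, _ in evs:          # slide a window starting at each event
            win = [e for e in evs if t0 <= e[0] < t0 + window]
            responders = {src for _, src, _ in win}
            msgs = [m for _, _, m in win]
            density = len(responders) / len(clients)
            if density < min_density or len(msgs) < 2:
                continue
            pairs = [dice(msgs[i], msgs[j])
                     for i in range(len(msgs)) for j in range(i + 1, len(msgs))]
            homogeneity = sum(pairs) / len(pairs)
            if homogeneity >= min_similarity:
                flagged[key] = {"clients": sorted(responders),
                                "density": density,
                                "homogeneity": round(homogeneity, 2)}
                break
    return flagged

def detect(flows=FLOWS):
    return correlate(monitor(flows))

if __name__ == "__main__":
    for (server, port), info in detect().items():
        print(f"suspected C&C {server}:{port} -> {info}")
```

On the constructed flows only the 8080 group is flagged: its three clients all answer within one window (density 1.0) with near-identical text, while the human chatters on port 6667 never put more than one responder in a 10 s window, and the whitelisted HTTP flow never reaches the correlation stage.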
