Wednesday, February 21, 2007

Botnet Discussion

The following papers were presented by members of the Botnet Team on February 16th 2007.

Understanding the Network Level Behavior of Spammers

Anirudh Ramachandran and Nick Feamster

This paper discusses the network-level characteristics of spammers.

The points covered are as follows:

1. The vast majority of spam is sent through Windows hosts.

2. The received spam comes from concentrated portions of the IP address space.

3. Spammers target specific areas; Asia is the top target among all.

4. Spammers make use of untraceable methods, for example short-lived route announcements.

5. Following are some of the spamming techniques:

Direct spamming: Here the spamming is done directly through spam-friendly Internet service providers.

Open relays and proxies: These are mail servers that allow unwanted or unauthorized Internet hosts to send email through them.

Botnets: These are machines that have been compromised to send spam and to infect further machines. Bot networks are controlled centrally, and they grow as the number of infected machines grows.

6. There are two main spam filtering techniques:

Content-based filters: These filters inspect the content of emails (headers or body) to check whether anything is suspicious.

Drawbacks:

High cost to filter maintainers: Filtering rules need to be updated regularly to keep up with the new tricks spammers adopt to avoid detection.

Low cost of evasion: The email content can easily be adjusted to avoid detection.

DNS Blacklist (DNSBL) lookups: DNSBL is a spam-identification technique in which the presence of an IP address in a blacklist database is checked through a DNS lookup, to determine whether the IP address belongs to a spammer.

Challenge: How do Domain Name Servers get involved in Internet Protocol blacklisting?

Revealing Botnet Membership Using DNSBL Counter-Intelligence

Anirudh Ramachandran, Nick Feamster and David Dagon

DNS blacklisting as a technique against botnets is discussed here.

  1. A bot can be distinguished from other threats by its communication channel to a controller.
  2. DNSBL was developed as a technique to counter bots.
  3. Botmasters perform DNSBL lookups to determine whether their spamming bots are blacklisted or not.

Example: Consider three bots in the network, A, B and C. To check whether any of them is blacklisted, A performs lookups for B and C; similarly, B checks whether C and A are blacklisted, and C does the same for A and B.
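The following Python code is an added example, not code from this post or from the paper. It builds the DNS name a mail server resolves for a DNSBL check (the IPv4 octets reversed under the list's zone), answers it against a constructed stand-in zone, and then runs the counter-intelligence idea from the A/B/C example over a constructed query log. The zone name dnsbl.example, all addresses and the log are assumptions; the heuristic (a host that both issues lookups and is itself looked up by others is a reconnaissance candidate, and the ratio of the two counts separates it from an ordinary mail server) is a simplified reading of the paper's approach.

```python
import ipaddress
from collections import defaultdict

ZONE = "dnsbl.example"   # hypothetical DNSBL zone name, not a real service


def dnsbl_query_name(ip, zone=ZONE):
    """Build the name a mail server resolves to check `ip` against a DNSBL:
    the IPv4 octets are reversed and the zone is appended, e.g.
    203.0.113.10 -> 10.113.0.203.dnsbl.example."""
    addr = ipaddress.IPv4Address(ip)            # raises ValueError on junk input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


# Constructed stand-in for the zone's A records. Real DNSBLs answer a listed
# name with an address in 127.0.0.0/8 (the low octet often encodes the reason)
# and NXDOMAIN for an unlisted name; here an absent key plays the NXDOMAIN role.
FAKE_ZONE_RECORDS = {
    dnsbl_query_name("203.0.113.10"): "127.0.0.2",
    dnsbl_query_name("203.0.113.11"): "127.0.0.2",
}


def is_listed(ip, records=FAKE_ZONE_RECORDS):
    """Offline lookup against the constructed zone; a real client sends a DNS A query."""
    return records.get(dnsbl_query_name(ip))


# Constructed DNSBL query log as (querier, queried) pairs. A legitimate mail
# server (198.51.100.25) looks up many senders but is never looked up itself;
# the three bots A, B, C from the text look up one another.
QUERY_LOG = [
    ("198.51.100.25", "203.0.113.10"),
    ("198.51.100.25", "203.0.113.11"),
    ("198.51.100.25", "192.0.2.77"),
    ("203.0.113.10", "203.0.113.11"), ("203.0.113.10", "203.0.113.12"),   # A checks B, C
    ("203.0.113.11", "203.0.113.12"), ("203.0.113.11", "203.0.113.10"),   # B checks C, A
    ("203.0.113.12", "203.0.113.10"), ("203.0.113.12", "203.0.113.11"),   # C checks A, B
]


def reconnaissance_candidates(log):
    """Hosts that both issue DNSBL lookups and are themselves the subject of
    lookups. Legitimate mail servers query but are rarely queried; a bot that
    checks its peers' status is, like them, a spam source others look up."""
    queried_by = defaultdict(set)
    queries = defaultdict(set)
    for querier, target in log:
        queries[querier].add(target)
        queried_by[target].add(querier)
    return sorted(h for h in queries if queried_by[h])


def lookup_ratio(log, host):
    """Lookups issued by `host` divided by lookups about `host` (None if it is
    never looked up). A ratio near 1 inside a group that checks one another is
    the suspicious pattern; a busy mail server has a very high ratio."""
    issued = sum(1 for q, _ in log if q == host)
    received = sum(1 for _, t in log if t == host)
    return None if received == 0 else issued / received


if __name__ == "__main__":
    print(dnsbl_query_name("203.0.113.10"), is_listed("203.0.113.10"))
    print(reconnaissance_candidates(QUERY_LOG))
```

In a real deployment the query log comes from the DNSBL operator's own resolver logs, and a legitimate mail server is occasionally looked up too (its outbound mail gets checked by others), so the ratio is thresholded rather than compared with zero.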

Challenge:

1. How do you trust the content that exists in blacklists?

2. Is DNSBL only for spam?

The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets

Evan Cooke, Farnam Jahanian and Danny McPherson

The discussion is about how various systems become infected with a bot. This bot in turn communicates with a bot controller and other bots to form a zombie army, or botnet.

  1. The use of anti-virus software, firewalls and automatic patching mechanisms can detect and disrupt the working of botnets.

  2. Monitoring can be done on TCP port 6667, which is the standard port for Internet Relay Chat (IRC).
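As an added example (not code from the post or the paper), the Python script below applies the port 6667 monitoring idea to a constructed flow log, and goes one step further than the text by grouping the internal clients per external server, since many hosts converging on one IRC server is the pattern a botnet rendezvous produces. The flow record format, the 10.0.0.0/8 internal range and all addresses are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

IRC_PORT = 6667
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumption: the monitored network

# Constructed flow records: timestamp src:port -> dst:port proto
FLOW_LOG = """\
2007-02-16T10:01:02 10.0.1.5:51234 -> 198.51.100.7:6667 TCP
2007-02-16T10:01:05 10.0.1.6:51877 -> 198.51.100.7:6667 TCP
2007-02-16T10:01:09 10.0.2.9:40022 -> 198.51.100.7:6667 TCP
2007-02-16T10:02:11 10.0.3.3:40100 -> 192.0.2.44:6667 TCP
2007-02-16T10:02:30 10.0.1.5:40101 -> 192.0.2.80:80 TCP
2007-02-16T10:03:02 10.0.4.4:53210 -> 192.0.2.53:6667 UDP
2007-02-16T10:03:40 203.0.113.9:6667 -> 10.0.1.5:50001 TCP
"""

FLOW_RE = re.compile(r"(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)")


def parse_flows(text):
    """Parse the constructed format into dicts; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        ts, src, sport, dst, dport, proto = m.groups()
        flows.append({"ts": ts, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "proto": proto})
    return flows


def outbound_irc(flows, internal=INTERNAL_NET, port=IRC_PORT):
    """Flows from an internal host to TCP `port` on a host outside the network.
    UDP and inbound traffic on the same port number are ignored."""
    hits = []
    for f in flows:
        if f["proto"] != "TCP" or f["dport"] != port:
            continue
        src_in = ipaddress.ip_address(f["src"]) in internal
        dst_in = ipaddress.ip_address(f["dst"]) in internal
        if src_in and not dst_in:
            hits.append(f)
    return hits


def rendezvous_servers(flows, min_clients=2, **kw):
    """External hosts that several distinct internal clients reach on the IRC
    port. One client on IRC may be a user; many clients converging on one
    server looks like a botnet rendezvous point and deserves a closer look."""
    clients = defaultdict(set)
    for f in outbound_irc(flows, **kw):
        clients[f["dst"]].add(f["src"])
    return {dst: sorted(c) for dst, c in clients.items() if len(c) >= min_clients}


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for f in outbound_irc(flows):
        print(f["ts"], f["src"], "->", f["dst"])
    print(rendezvous_servers(flows))
```

Port-based monitoring is only a starting point: IRC is also run on other ports, so in practice this check is paired with protocol-level detection of IRC commands regardless of port.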

Modeling Botnet Propagation Using Time Zones

David Dagon, Cliff Zou and Wenke Lee

The discussion of this paper outlines the importance of time and location in the spread of botnets.

  1. Problem domain: the study of the actual scenario and how a botnet spreads.
  2. Ability to respond to an attack: this is a reactive approach, taken on the basis of some observed action.
  3. There are models that predict the behavior of future botnets by observing previous botnets.

Semantics-Aware Malware Detection

Mihai Christodorescu and Somesh Jha

This paper is about malware detection and the polymorphic behavior of worms.

  1. There are various techniques used in malware detectors to detect malicious activity. One of them is pattern matching.

Pattern matching has the deficiency of considering only the syntactic form of the instructions and not their semantics.

  2. To avoid detection by malware detectors, attackers use obfuscation to morph their malware.

  3. Polymorphism and metamorphism are two common obfuscation techniques used by malware writers.

  4. A polymorphic virus obfuscates its decryption loop using several transformations.

Example: nop insertion and code transposition.

  5. Metamorphic viruses attempt to evade detection by obfuscating the entire virus. After replication, these viruses change their code in a variety of ways, such as code transposition, substitution of equivalent instruction sequences, changes to conditional jumps, and register reassignment.
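To make the syntax-versus-semantics point concrete, here is an added Python example, not the paper's code (the paper works with much richer instruction templates). A plain pattern matcher compares instruction text exactly, while a normalizing matcher strips nops, canonicalizes register names and folds one equivalent-instruction substitution before comparing. The toy instruction format, the signature and the constructed program variants are assumptions. Code transposition is deliberately not handled; it needs the control-flow reasoning the paper provides.

```python
import re

# Toy instruction format (an assumption for this example): "op rN, operand".
# A signature is a sequence of instructions; a program is a longer sequence.
SIGNATURE = ["mov r1, 0", "add r1, r2", "jmp r1"]

# Constructed samples: the original sequence and variants produced by the
# transformations named in the text (nop insertion, register reassignment,
# substitution of an equivalent instruction), plus a benign look-alike.
ORIGINAL = ["push r4", "mov r1, 0", "add r1, r2", "jmp r1"]
NOP_INSERTED = ["push r4", "mov r1, 0", "nop", "nop", "add r1, r2", "nop", "jmp r1"]
REG_REASSIGNED = ["push r4", "mov r5, 0", "add r5, r7", "jmp r5"]
EQUIV_SUBSTITUTED = ["push r4", "xor r3, r3", "add r3, r9", "jmp r3"]
BENIGN = ["push r4", "mov r1, 0", "add r1, 1", "ret"]

REG = re.compile(r"\br\d+\b")
XOR_SELF = re.compile(r"^xor (R\d+), \1$")   # xor Ra, Ra clears Ra, same as mov Ra, 0


def syntactic_match(program, signature):
    """Plain pattern matching: the signature must appear verbatim as a window."""
    n = len(signature)
    return any(program[i:i + n] == signature for i in range(len(program) - n + 1))


def normalize(window):
    """Canonical form of an instruction window that erases the three
    transformations handled here: drop nops, rename registers by order of
    first appearance within the window, and rewrite 'xor Ra, Ra' to
    'mov Ra, 0'. Renaming per window keeps unrelated preceding code from
    shifting the register numbering."""
    mapping = {}

    def rename(match):
        reg = match.group(0)
        mapping.setdefault(reg, "R%d" % len(mapping))
        return mapping[reg]

    out = []
    for ins in window:
        if ins == "nop":
            continue
        ins = REG.sub(rename, ins)
        ins = XOR_SELF.sub(r"mov \1, 0", ins)
        out.append(ins)
    return out


def semantic_match(program, signature):
    """Match on normalized forms: nops are removed first, then every window of
    signature length is canonicalized and compared with the canonical signature."""
    stripped = [ins for ins in program if ins != "nop"]
    target = normalize(signature)
    n = len(target)
    return any(normalize(stripped[i:i + n]) == target for i in range(len(stripped) - n + 1))


if __name__ == "__main__":
    for name, prog in [("original", ORIGINAL), ("nop-inserted", NOP_INSERTED),
                       ("reg-reassigned", REG_REASSIGNED),
                       ("equiv-substituted", EQUIV_SUBSTITUTED), ("benign", BENIGN)]:
        print("%-18s syntactic=%-5s semantic=%s" % (
            name, syntactic_match(prog, SIGNATURE), semantic_match(prog, SIGNATURE)))
```

The syntactic matcher flags only the untouched original; each of the three variants slips past it while the normalized comparison still catches them, and the benign sequence is rejected by both.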

A Virtual Honeypot Framework

Niels Provos

  1. One way to get early warnings of new vulnerabilities is to install and monitor computer systems on a network that we expect to be broken into. Such computer systems are known as honeypots.
  2. Even an attempt to contact a honeypot is suspect.
  3. A physical honeypot is a real machine with its own IP address.
  4. A virtual honeypot is a simulated machine with modeled behaviors, one of which is the ability to respond to network traffic.
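An added Python example, not the paper's framework or any code from the post: a minimal virtual honeypot that binds a TCP port, answers each connection with a constructed banner and logs the attempt together with whatever the prober sends first, which is the "even the attempt to contact it is suspect" behavior in practice. The banner text, the loopback demo client and the choice of an OS-assigned port are assumptions.

```python
import socket
import threading
import time

# Constructed greeting: the honeypot runs no real mail service, it only talks
# enough for a prober to reveal itself.
FAKE_BANNER = b"220 mail.example ESMTP ready\r\n"


def start_honeypot(host="127.0.0.1", port=0, banner=FAKE_BANNER):
    """Listen on a port no legitimate client has a reason to contact and record
    every connection attempt. Returns (bound_port, log, stop_fn). port=0 lets
    the OS pick a free port so the example runs anywhere; a deployment would
    bind the unused addresses and ports it wants watched."""
    log = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    srv.settimeout(0.1)                 # lets the accept loop poll the stop flag
    stop_flag = threading.Event()

    def serve():
        while not stop_flag.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            first = b""
            with conn:
                conn.settimeout(1.0)
                try:
                    conn.sendall(banner)      # emulate a service so the prober talks
                    first = conn.recv(256)    # keep its first bytes as context
                except OSError:
                    pass
            # The contact itself is the alert; the payload is extra evidence.
            log.append({"time": time.time(), "peer": peer[0], "first_bytes": first})
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()

    def stop():
        stop_flag.set()
        thread.join(3)

    return srv.getsockname()[1], log, stop


def wait_for_entries(log, count, timeout=3.0):
    """Block until the log holds `count` entries or the timeout passes."""
    deadline = time.time() + timeout
    while len(log) < count and time.time() < deadline:
        time.sleep(0.02)
    return len(log) >= count


def probe(port, host="127.0.0.1", payload=b"EHLO scanner\r\n"):
    """Constructed client standing in for an outside prober; returns the banner it saw."""
    with socket.create_connection((host, port), timeout=3) as client:
        banner = client.recv(256)
        client.sendall(payload)
    return banner


def run_probe_demo():
    """Start a honeypot on loopback, hit it once, and return what was recorded."""
    port, log, stop = start_honeypot()
    try:
        banner = probe(port)
        seen = wait_for_entries(log, 1)
    finally:
        stop()
    entry = log[0] if seen else {}
    return {"banner": banner, "peer": entry.get("peer"),
            "first_bytes": entry.get("first_bytes", b"")}


if __name__ == "__main__":
    print(run_probe_demo())
```

Because nothing legitimate should ever connect, every log entry is worth an alert on its own; the banner exists only to coax a second packet out of the prober so the log carries more than a source address.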

Challenge: How useful is a honeypot for detecting spam email?

Vigilante: End-to-End Containment of Internet Worms

Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron,

Lidong Zhou, Lintao Zhang and Paul Barham

The discussion introduces Vigilante, a technique that provides automated containment of fast-spreading worms.

  1. Vigilante introduces the concept of a self-certifying alert (SCA).

An SCA is a machine-verifiable proof of vulnerability.

  2. SCAs remove the need for trust between hosts.

  3. When hosts receive an SCA, they generate filters that block infection by analyzing the SCA-guided execution of the vulnerable software.

  4. An SCA contains a sequence of messages that, when received by the vulnerable service, cause it to reach a disallowed state.

  5. Vigilante introduces a mechanism to generate host-based filters automatically by performing dynamic data and control flow analysis.

  6. Thus Vigilante is able to detect polymorphic worms as well as worms such as Slammer, CodeRed and Blaster.

  7. The flow of Vigilante.
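As an added example (a toy model, not Vigilante's code), the Python below walks through the SCA workflow on a deliberately vulnerable constructed service: the alert's messages are replayed in an instrumented run that tags every byte that came from the network, the disallowed state is declared when such a byte would become the control-transfer target, an alert whose replay does not reach that state is rejected, and a host filter is derived from where the tainted byte came from. The service, its frame layout, the alert contents and the length-based filter are simplifications; Vigilante's real dataflow analysis yields more general filter conditions.

```python
BUF_SIZE = 8                  # payload bytes the toy frame's buffer can hold
RET_SLOT = BUF_SIZE           # the 2-byte "return address" sits right after the buffer
LEGIT_RETURN = (0x40, 0x00)   # constructed value a correct run returns through


class DisallowedState(Exception):
    """Control would transfer through a value that came from network input."""

    def __init__(self, msg_index, offset):
        super().__init__("message %d: payload byte %d reached the return slot"
                         % (msg_index, offset))
        self.msg_index = msg_index
        self.offset = offset


def toy_service(messages):
    """Deliberately vulnerable toy service, constructed for this example.

    Each message is copied into a fixed frame with no bounds check, then the
    service 'returns' through the slot after the buffer. Frame cells are
    (value, source_offset): source_offset is None for bytes the service wrote
    itself and the message offset for bytes that came from the network. This
    per-byte provenance stands in for Vigilante's dynamic dataflow tracking."""
    for idx, msg in enumerate(messages):
        frame = [(0, None)] * BUF_SIZE + [(LEGIT_RETURN[0], None), (LEGIT_RETURN[1], None)]
        for off, byte in enumerate(msg):
            if off < len(frame):            # the check that is missing is `off < BUF_SIZE`
                frame[off] = (byte, off)
        tainted = [src for _, src in frame[RET_SLOT:RET_SLOT + 2] if src is not None]
        if tainted:                         # control-flow check: target derived from input
            raise DisallowedState(idx, min(tainted))
    return "ok"


def verify_sca(sca):
    """Replay the alert's messages in the instrumented service. The alert is
    accepted only if the run reaches the disallowed state it claims, so a host
    needs no trust in whoever sent it."""
    try:
        toy_service(sca["messages"])
    except DisallowedState:
        return True
    return False


def generate_filter(sca):
    """Turn a verified alert into a host filter using what the replay observed:
    the lowest payload offset that landed in the return slot bounds the
    payload length any message may have. (Vigilante derives more general
    conditions from the full data/control-flow trace; this is the toy version.)"""
    try:
        toy_service(sca["messages"])
    except DisallowedState as state:
        return {"service": sca["service"], "max_payload_len": state.offset}
    return None


def filter_allows(host_filter, msg):
    """Apply the generated filter to an incoming message before the service sees it."""
    return len(msg) <= host_filter["max_payload_len"]


# Constructed alerts: one that really drives the toy service into the
# disallowed state and one that does not and must therefore be rejected.
VALID_SCA = {"service": "toy_service", "messages": [b"HELO\r\n", b"A" * 12]}
BOGUS_SCA = {"service": "toy_service", "messages": [b"hello"]}

if __name__ == "__main__":
    print("valid alert verifies:", verify_sca(VALID_SCA))
    print("bogus alert verifies:", verify_sca(BOGUS_SCA))
    print("generated filter:", generate_filter(VALID_SCA))
```

The point of the bogus alert is item 2 above: a host never has to believe the sender, because an alert that does not reproduce the disallowed state in the sandbox simply yields no filter.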
