Can botnets be beaten?

This week, Georgia Tech unveiled BotSniffer, a prototype system designed to detect and disable botnets. Using traffic analysis, BotSniffer tries to identify botnet members by looking for their command and control channels. Apparently the BotSniffer detector has been built as an independent plug-in for the popular open source intrusion detection system Snort. With a host system as widely used as Snort, there is a good chance of such a system eventually making it into the real world. The paper released by Georgia Tech's School of Computer Science says, "We evaluated BotSniffer using many real-world network traces. The results show that BotSniffer can detect real-world botnets with high accuracy and has a very low false positive rate."

The paper suggests that botnets' command and control mechanism may be their Achilles heel. These command and control channels are used by botmasters to relay instructions to the infected hosts. Instructions are either delivered 'live' via IRC channels or via HTTP, where the bot connects at pre-specified intervals and collects instructions from a web server. If these channels of communication are detected and cut off, the botmaster no longer has control of his zombies: "If we can take down an active command and control or simply interrupt the communication to the command and control, the botmaster will not be able to control his botnet. Moreover, the detection of the command and control channel will reveal the command and control servers and the bots in a monitored network."

There are normally multiple bots on a network, so thorough analysis of traffic or host activity can pick out behavioural traits and detect bot-like activity: "We observe that the bots of a botnet demonstrate spatial-temporal correlation and similarities due to the nature of their pre-programmed response activities to control commands. This helps us identify command and control within network traffic. For instance, at a similar time, the bots within a botnet will execute the same command -- obtain system information, scan the network -- and report to the command and control server with the progress/result of the task."
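To make the spatial-temporal correlation idea concrete, here is a small added example (my own toy code, not BotSniffer or the paper's implementation) that scans constructed flow records for a destination to which several internal hosts send similar-sized traffic within the same few seconds, which is the signature of bots reporting back on the same command:

```python
"""Toy BotSniffer-style group-response detector (added example, not the paper's code).

Input: flow records (epoch seconds, source host, destination, bytes sent).
A destination is flagged when at least `min_hosts` distinct internal hosts
send it flows of similar size within `window` seconds: bots answering the
same command look alike in both timing and payload size.
"""
from collections import defaultdict

# Constructed sample flows for demonstration; addresses are documentation ranges.
FLOWS = [
    (1000, "10.0.0.11", "203.0.113.5", 512),    # three hosts report within 5 s
    (1003, "10.0.0.12", "203.0.113.5", 520),
    (1005, "10.0.0.13", "203.0.113.5", 508),
    (1002, "10.0.0.21", "198.51.100.7", 1300),  # ordinary, uncorrelated web traffic
    (1090, "10.0.0.22", "198.51.100.7", 84000),
    (1400, "10.0.0.11", "203.0.113.5", 515),    # only two hosts: below threshold
    (1402, "10.0.0.12", "203.0.113.5", 511),
]


def find_group_responses(flows, window=10, min_hosts=3, size_tolerance=0.10):
    """Map each destination to the windows in which >= min_hosts distinct hosts
    sent it flows whose size is within size_tolerance of the first flow's size."""
    by_dst = defaultdict(list)
    for ts, src, dst, size in flows:
        by_dst[dst].append((ts, src, size))
    hits = {}
    for dst, records in by_dst.items():
        records.sort()                      # order by timestamp
        i = 0
        while i < len(records):
            ts0, _, size0 = records[i]
            hosts = set()
            j = i
            while j < len(records) and records[j][0] - ts0 <= window:
                if abs(records[j][2] - size0) <= size_tolerance * size0:
                    hosts.add(records[j][1])
                j += 1
            if len(hosts) >= min_hosts:
                hits.setdefault(dst, []).append((ts0, sorted(hosts)))
                i = j                       # consume the whole window once it fires
            else:
                i += 1
    return hits


if __name__ == "__main__":
    for dst, windows in find_group_responses(FLOWS).items():
        for start, hosts in windows:
            print(f"suspect C&C {dst}: {len(hosts)} hosts responded from t={start}: {hosts}")
```

Widening `window` or `size_tolerance` makes the detector tolerate the jittered timing and padded responses the post anticipates, at the cost of more false positives; a real deployment would tune both against the network's normal traffic.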

BotSniffer is certainly not the only attempt to stamp out what has quickly become one of the Internet's biggest problems. Desktop antivirus and security packages from all of the big-brand security vendors are incorporating features aimed at locking out botnets by detecting and removing the malicious software that turns so many desktop computers into evil zombies! I think this highlights an important point: if botnets are to be beaten, the problem has to be attacked from several different angles. ISPs trying to detect command and control channels will most likely never have complete success. Once ISPs or network admins start to detect and isolate infected hosts, bots will undoubtedly find ways to avoid detection, just as viruses do: they can encrypt communications, randomise behaviour, and so on. The analysis will get smarter, but it becomes a game of catch-up. If botnets are also losing hosts to improved desktop protection, they come under pressure on several fronts and will find it hard to grow.

Spam blocking is a good example of how various types of filtering can work together to block unsolicited junk e-mail. Around 85 percent of all incoming e-mail is blocked by my Barracuda Spam Firewall. This is achieved by combining techniques such as virus scanning, user policies, rate control, Bayesian analysis, rule-based scoring, and IP reputation analysis. Alone, none of these forms of detection would be adequate; combined, however, they form a sturdy defence, blocking 90-95 percent of the unwanted junk mail thrown at our servers daily.

Network-based detection of botnets seems like a very good idea, and with programs like BotSniffer able to plug into existing intrusion detection systems, we could well see the tables turn on botmasters. I could see this type of traffic analysis being very effective at the ISP level: ISPs already analyse traffic for illegal downloads, so listening for bots should not be much of an additional burden.

Do you currently take any measures to detect or block unwanted and potentially dangerous network traffic? Bots, or even P2P and other rogue applications, can have a massive impact on network security and performance. If you do, I'd be interested to know what techniques you use; leave a comment and share your experience.

22 comments
ecjb

With the Micro$haft .NET platform, do y'all think it's going to be easier to create/deploy bots, and how can .NET nasties be defeated?

rlabelle

You may want to review the work that the ITU's cybersecurity division is doing on this, including looking at some of their reports and their online toolkit now under development. While focused on developing countries, I found it useful as it places things in a global context, which is where bots evolve. Check out the following and related URLs: http://www.itu.int/ITU-D/cyb/cybersecurity/projects/botnet.html Richard

DanLM

When researching this, I found the Spamhaus Don't Route Or Peer List: "The Spamhaus Don't Route Or Peer List DROP (Don't Route Or Peer) is an advisory "drop all traffic" list, consisting of stolen 'zombie' netblocks and net blocks controlled entirely by professional spammers. DROP is a tiny sub-set of the SBL designed for use by firewalls and routing equipment." http://www.spamhaus.org/drop/ Keep it updated by daily downloads and apply it to either router or firewall; I use it in my firewalls.

If you can get your hands on the IP blocks in the RIR pool, and acquire updates every day, block them: http://www.caida.org/research/id-consumption/ipv4/exhaustion.xml#rir-pool "At any point in time, each RIR holds a number of addresses allocated to it by IANA that have not yet been assigned or allocated to one of the RIR's customers. This set of unassigned IPv4 addresses is called the RIR's pool."

Edited to add: That's incorrect, I believe. I would want the list of unassigned IP blocks from IANA. Sorry. At one time, I found a place where I could download this.... Dang if I can remember where I saw that though.

After you have blocked what are known to be bad IP blocks, it's time to check the hen house, i.e. check your bandwidth and investigate anything abnormal. A threshold policy should be in place for login attempts, with the IP being blocked after so many attempts. You can always correct the situation if it is a legitimate sign-in attempt, but if someone gets logged in that shouldn't, you may be in serious trouble and become one of the hosts of a botnet. Virus protection is a must. Monitoring of resource usage and access logs is a must. I have no business with some nations that are known to host suspect servers, i.e. command and control. I firewall the nations. But that is only me. Russia, Korea, China come to mind. If you ever check the statistics, the United States is one of the top nations when it comes to hosting compromised machines.

Where the command and control is located is a different matter. With regard to this, there are blacklists of known or suspected IPs and IP blocks (Comcast is in that). It's a consideration to use these blacklists. Thank you for this article. I appreciate it... This is something I read about all the time, and the more information the better. I chose the wrong profession; I should have gone into IT security or auditing. It is something that has always interested me.... Dan

SmilingSheep

First, ban Windows 95/98 from connecting to the internet. Second, educate users about patching their OS and apps. Third, no blank passwords or users running constantly as administrators. Fourth, sign your code and only allow trusted code to run. Easy, no. Cost effective, not immediately. Doable, certainly. Change the game and make the botnet designers work for their zombies. Don't give them easy targets.

john.decoville

I run SpyBot Annihilator but have doubts about how up-to-date it is. This article has merit and thanks Dan for your extra insights-- John

DanLM

Snort is a monster; it's loaded with tons of rules. I tried loading it on a couple of machines, and I basically had to ratchet down the overhead settings to the minimum. Now, my machines are not what would be found in large businesses. I talked to a sysadmin I know at a university, and he said they have 10 gig of RAM on the server they use to host Snort. Not a knock, just what I've encountered. It works, that's the bottom line. Dan

wmlundine

...but Dan will understand. A February 9 Los Angeles Times article about University of California, Los Angeles professor Edythe London taking a $6 million grant from Philip Morris to study the brains of child smokers and monkeys addicted to nicotine once again raises questions about the appropriateness of university researchers accepting tobacco industry funding. Philip Morris denied that they have a stake in this particular project, but the denial had little credibility since the company no doubt will benefit from understanding more about youth smoking and nicotine addiction. After all, the future of their business depends on these two topics. Still, we wonder why any person curious enough to be engaged in scientific research isn't also curious enough to find out what's in it for Philip Morris before they accept the funds? These days, the answer is as close as your computer.

JCitizen

I don't understand IP blocking well enough to know this concept. Does the blocked host see a blocked port, or is it stealthed like every other scanning or knocking attempt? This has been the only reason I have not tried this yet with my router because I can't get a grip on whether standard port testing would tell me if my ports were truly stealthed to the entire world.

Popoyd

One of the most useful posts I've seen lately. I'll definitely check out these tips. Thanks!

Michael Kassner

I want to thank both Justin and Dan for some valuable information. It is as you say important to understand the concept of "bots" and what if anything you can do about them.

DanLM

;o) Think I'll start calling you the tin man. No heart, and protecting himself from everyone. Too bad you're too cold to realize how many people you hurt in the process.

DanLM

they make an attempt to access a service I have open on a port. That's when the black lists come into play. With my setup, I have all access blocked to the IPs on the black lists I have downloaded. My threshold lists that I maintain: someone attempts too many logins with failures. I allow that list access to specific services so that a legitimate person who must contact me still can. How to block ports from being seen? I've read it can be done, but I have no idea how. Good point, thank you. Chuckle, gives me something else to try and read up on. I should add here that there are numerous and reputable spam black lists out there. Just using these to stop, say, suspect IPs (suspect because the IP is on a blacklist) can save you possibly being infected. Remember, there is always a chance when using blacklists of innocents not being able to get through. But then... it's easy enough to create a white list of always trusted users. Chuckle, just hope your trusted user never gets infected. Dan

JCitizen

Looks like I'll need version six at least. They seem to have some pretty good gateway appliances over there too! Interesting at the very least.

wratholix

I've used m0n0wall but it lacks features. If it is for home use I recommend Astaro firewall. Last I tried to upgrade my 3-year-old firewall from v6 to v7 but my old machine didn't like it very much (AMD 64 1.3GHz, 256MB RAM, 8GB HDD, 2 NICs). v6.3 is rock stable and my machine will stay up for months if necessary. v7 has a much friendlier interface to set up, but as the ISOs are only CD size it should be easy to try both. edit: Online live demo: http://www.astaro.com/contact/livedemo/(type)/asg_live_demo_landing_page It runs Snort with auto updates on rulesets by Astaro. I use most services, like squid transparent proxy, transparent SMTP, VPN, NAT, QoS and more probably. It generates MRTG graphs etc. to get bandwidth usage and other stats like hardware. Also accounting reports, and the list goes on... best firewall package I have come across. Free license for 3 years or so for home users. Try before you buy :P

JCitizen

Maybe I should put an old box with m0n0wall between my gateway and the LAN in case they blow through. That way I have the best of both. I keep saying I'm going to start that project and never get going. If that firewall will run on Mandrake 7.0 then all I need is to buy the port cards.

DanLM

I found on my BSD machine numerous brute force attempts in my logs. Some of them were making attempts in the thousands. Chinese IPs are the first thing that I found consistency in. I built my firewall, added the black lists, and wrote a Perl script to parse my security logs (auth.log, ftp.log) looking for a threshold exceeded. I was being hammered, JC, and I seriously mean this. Since I have firewalled, not stealthed, but firewalled with the various blacklists, I very rarely get any attempts any more. It was a matter that they saw that I wouldn't let them brute force me, which seems to be what they were after... access. They went away. I wish I could put a firewall in front of all of my Windows machines that I could control, like what I have on my BSD machine. My Windows machines don't seem to take a beating... I imagine it's because they do not offer services that can be brute forced (SSH, FTP, MySQL, ?). That seems to be another consistency that I saw personally. All attempts against me were to acquire login credentials. Dan

JCitizen

attempting entry on my stealthed ports. One of them is a Chinese government site. I would like to add a block list to these two IP sources, but if that changes the port to "closed" they would see that their handiwork was getting somewhere. This is the worry I have anyway. If a Shields Up! test works as well as a directed attack, then I'm worrying about nothing! I ask this because I know some ISPs have the ability to activate port 113 (on some routers even though they are stealthed) for net administration. If directed attack port probes have this same ability it gives me pause. I prefer all ports stealthed, so they have to find the target first. I suspect the attackers already know I'm there by reverse lookup from the ISP's tables. I have a dynamic address but I never shut down my modem. Shields Up! will sometimes show this port (113) as closed when it is set as stealthed, but not always, depending on the router and the particular firmware for it. So far none of them are hitting that port, of course; I'm just using it as an example. I don't know; I feel paranoia is healthy but I'm probably bordering on schizophrenic here! I have no trusted users, thank goodness, or I would be tearing my hair out. I can get out and communicate with remote clients using service controls that I initiate inside the firewall, of course, but blacklisting/whitelisting is the worry to me. Am I goofy here or what?