319 research outputs found

    Analysis and characterisation of botnet scan traffic

    Botnets compose a major source of malicious activity over a network and their early identification and detection is considered as a top priority by security experts. The majority of botmasters rely heavily on a scan procedure in order to detect vulnerable hosts and establish their botnets via a command and control (C&C) server. In this paper we examine the statistical characteristics of the scan process invoked by the Mariposa and Zeus botnets and demonstrate the applicability of conditional entropy as a robust metric for profiling it using real pre-captured operational data. Our analysis conducted on real datasets demonstrates that the distributional behaviour of conditional entropy for Mariposa and Zeus-related scan flows differs significantly from flows manifested by the commonly used NMAP scans. In contrast with the typically used by attackers Stealth and Connect NMAP scans, we show that consecutive scanning flows initiated by the C&C servers of the examined botnets exhibit a high dependency between themselves in regards of their conditional entropy. Thus, we argue that the observation of such scan flows under our proposed scheme can sufficiently aid network security experts towards the adequate profiling and early identification of botnet activity

    PROVIDE: hiding from automated network scans with proofs of identity

    Network scanners are a valuable tool for researchers and administrators, however they are also used by malicious actors to identify vulnerable hosts on a network. Upon the disclosure of a security vulnerability, scans are launched within hours. These opportunistic attackers enumerate blocks of IP addresses in hope of discovering an exploitable host. Fortunately, defensive measures such as port knocking protocols (PKPs) allow a service to remain stealth to unauthorized IP addresses. The service is revealed only when a client includes a special authentication token (AT) in the IP/TCP header. However this AT is generated from a secret shared between the clients/servers and distributed manually to each endpoint. As a result, these defense measures have failed to be widely adopted by other protocols such as HTTP/S due to challenges in distributing the shared secrets. In this paper we propose a scalable solution to this problem for services accessed by domain name. We make the following observation: automated network scanners access servers by IP address, while legitimate clients access the server by name. Therefore a service should only reveal itself to clients who know its name. Based on this principle, we have created a proof of the verifier’s identity (a.k.a. PROVIDE) protocol that allows a prover (legitimate user) to convince a verifier (service) that it is knowledgeable of the verifier’s identity. We present a PROVIDE implementation using a PKP and DNS (PKP+DNS) that uses DNS TXT records to distribute identification tokens (IDT) while DNS PTR records for the service’s domain name are prohibited to prevent reverse DNS lookups. Clients are modified to make an additional DNS TXT query to obtain the IDT which is used by the PKP to generate an AT. The inclusion of an AT in the packet header, generated from the DNS TXT query, is proof the client knows the service’s identity. We analyze the effectiveness of this mechanism with respect to brute force attempts for various strength ATs and discuss practical considerations. This work has been supported by the National Science Foundation (NSF) awards #1430145, #1414119, and #1012798

    Covert Botnet Implementation and Defense Against Covert Botnets

    The advent of the Internet and its benevolent use has benefited mankind in private and business use alike. However, like any other technology, the Internet is often used for malevolent purposes. One such malevolent purpose is to attack computers using botnets. Botnets are stealthy, and the victims are typically unaware of the malicious activities and the resultant havoc they can cause. Computer security experts seek to combat the botnet menace. However, attackers come up with new botnet designs that exploit the weaknesses in existing defense mechanisms and, thus, continue to evade detection. Therefore, it is necessary to analyze the weaknesses of existing defense mechanisms to find the lacunae in them and design new models of bot infection before the attackers do so. It is also necessary to validate the analysis and the design of such a model by implementing the attack and fine-tuning the design. This thesis validates the weaknesses found in existing defense mechanisms against botnets by implementing a new model of botnet and carrying out experiments on it. To merely analyze and present the weaknesses of a defense would open the door for attackers and make their job easier. Thus, creating a defense mechanism against the new attack is equally important. This thesis proposes a design against the new model of bot infection and also implements the design. Experiments were conducted to validate and fine-tune the design and eliminate flaws in the new defense mechanism

    Embedded Malware - An Analysis of the Chuck Norris Botnet

    This paper presents a thorough analysis of working mechanisms and threats of the Chuck Norris botnet that targets network connected embedded devices running Linux OS.

    Revealing and Analysing Modem Malware

    In this paper, we provide a formal description of the modem malware life cycle. It includes a description of the modem malware evolution (history). We propose a set of techniques to perform detailed analysis of an infected modem. We report on modem malware network activities in a campus network and we propose a NetFlow-based detection method to reveal the modem malware spreading.

    Exploratory Data Analysis of a Network Telescope Traffic and Prediction of Port Probing Rates

    Understanding the properties exhibited by large scale network probing traffic would improve cyber threat intelligence. In addition, the prediction of probing rates is a key feature for security practitioners in their endeavors for making better operational decisions and for enhancing their defense strategy skills. In this work, we study different aspects of the traffic captured by a /20 network telescope. First, we perform an exploratory data analysis of the collected probing activities. The investigation includes probing rates at the port level, services interesting top network probers and the distribution of probing rates by geolocation. Second, we extract the network probers exploration patterns. We model these behaviors using transition graphs decorated with probabilities of switching from a port to another. Finally, we assess the capacity of Non-stationary Autoregressive and Vector Autoregressive models in predicting port probing rates as a first step towards using more robust models for better forecasting performance. Comment: IEEE Intelligence and Security Informatic

    Implementation and evaluation of a botnet analysis and detection method in a virtual environment

    Botnets are one of the biggest cyber threats. Botnets are based on concepts that were used for the development of malware or viruses before the origin of the Internet in the 1990s. A botnet is a form of malware controlled by a botmaster using Command and Control (C&C). Since the emergence of one of the first botnets, PrettyPark, in 1999, there has been significant enhancement in botnet development techniques by hackers over the last decade. Botnets of the current age have features such as P2P architecture, encrypted traffic, use of different protocols, stealth techniques and spreading through social networking websites such as Facebook and Bebo. With enhancements in botnet development, the objectives of cyber criminals advanced to include financial gain as well. ZeuS is one of the well-known botnets of the current age, whose main target is financial gain. It uses advanced botnet techniques such as encrypted traffic, use of the HTTP protocol and stealth techniques to hide itself from the OS. The overall objective of this thesis is the application of botnet analysis and detection techniques to the ZeuS bot to demonstrate how these techniques are applicable to other modern botnets such as KoobFace, Torpig and Kelihos. The ZeuS code leaked in May 2011, opening the doors for hackers to utilise techniques used by ZeuS to develop new bots and for researchers to learn the internal workings of one of the modern botnets of the current age. In this thesis, the “ZeuS toolkit with Control Panel (CP)” is used. It contains tools to create a ZeuS bot executable with user-defined configuration, and the ZeuS Control Panel (CP), developed in PHP and MySQL, to install on a machine to act as a ZeuS “C&C server”. Ethically, according to the “CSSR: British Computer Society Code of Conduct”, the ZeuS botnet analysis is performed in a virtual environment with two machines, i.e. “Bot victim with HIDS (Host Based Intrusion Detection System)” and “C&C server”, that are isolated from the host machine running VMware and from the Internet. The bot was executed to infect the “Bot victim” machine with the ZeuS bot, converting it into a “zombie” controlled by the “C&C server” machine running the ZeuS Control Panel (CP). The ZeuS bot analysis was performed in three layers, i.e. the binary, application and communication layers. In the binary layer analysis, reverse engineering tools were used to reverse engineer the ZeuS executable to explore its internals. The ZeuS C++ code reverse engineered by REC was not in a meaningful form. This indicates that the ZeuS binary is obfuscated using some algorithm. Only basic information, i.e. version and header information for the ZeuS bot executable, could be found using the PE Explorer tool. On the application layer, during ZeuS bot execution, all activities related to threads/processes, the file system (.dll files accessed and files created) and registry changes were captured using Procmon. Important information captured by Procmon is the creation of a copy of the bot executable (sdra64.exe) and the data file “user.ds” in the Windows subfolder “/system32”, and the modification by ZeuS of the “Userinit” registry key to enable ZeuS execution before the Windows GUI appears (execution of Explorer.exe). On the communication layer, packets sent during bot synchronisation with the botmaster and bot commands sent by the “C&C server” to the “Bot victim” were captured in order to create rules for the HIDS for signature-based detection on the “Bot victim”. These rules were implemented and raised alarms as expected. Anomaly-based detection requires “learning” or profiling, which requires interaction of the machine with the Internet. Ethically, this is not possible in an isolated virtual environment. DNS-based detection, and the process to reveal a “rootkit” that modifies the MBR (master boot record) of the hard disk, are not applicable to the ZeuS analysis. The literature review of this thesis covers all aspects of botnet analysis and detection techniques, regardless of whether they are not applicable in this project ethically or are not supported by the ZeuS bot. The objective of providing this information is to give an overview of all analysis and detection techniques that are applicable to the modern botnets of the current age

    Sonification of Network Traffic for Detecting and Learning About Botnet Behavior

    Today's computer networks are under increasing threat from malicious activity. Botnets (networks of remotely controlled computers, or "bots") operate in such a way that their activity superficially resembles normal network traffic which makes their behaviour hard to detect by current Intrusion Detection Systems (IDS). Therefore, new monitoring techniques are needed to enable network operators to detect botnet activity quickly and in real time. Here we show a sonification technique using the SoNSTAR system that maps characteristics of network traffic to a real-time soundscape enabling an operator to hear and detect botnet activity. A case study demonstrated how using traffic log files alongside the interactive SoNSTAR system enabled the identification of new traffic patterns that characterise botnet behaviour and subsequently the effective targeting and real-time detection of botnet activity. An experiment using the 11.39 GiB ISOT Botnet Dataset, containing labelled botnet traffic data, compared the SoNSTAR system with three leading machine learning-based traffic classifiers in a botnet activity detection test. SoNSTAR demonstrated greater accuracy, precision and recall and much lower false positive rates than the other techniques. The knowledge generated about characteristic botnet behaviours could be used in the development of future IDSs