Proyecto Educativo del Programa de Administración de Empresas de la Universidad de la Amazonía.

Though detecting C & C traffic and eliminating all bots on a given local network is a step in the right direction, it still doesn’t allow the takedown of an entire botnet at once. To achieve this goal in a centralized botnet, access

34 E. Stinson and J. Mitchell, “ Characterizing bots ’ remote con-

trol behavior, ” in Proc. 4th International Conference on Detection

of Intrusions & Malware and Vulnerability Assessment (DIMVA),

Lucerne, Switzerland, July 12 – 13, 2007.

35 J. Goebel and T. Holz, “ Rishi: Identify bot contaminated hosts by IRC nickname evaluation, ” in Proc. First Workshop on Hot Topics in Understanding Botnets (HotBots), Cambridge, April 10, 2007. 36 J. Binkley and S. Singh, “ An algorithm for anomaly-based botnet detection, ” in Proc. 2nd Workshop on Steps to Reducing Unwanted Traffi c on the Internet (SRUTI), San Jose, July 7, 2006, pp. 43 – 48.

37 G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee,

“ BotHunter: Detecting malware infection through IDS-driven dialog

correlation, ” in Proc. 16th USENIX Security Symposium, Boston,

August 2007.

38 A. Karasaridis, B. Rexroad, and D. Hoeflin, “ Wide-scale botnet detection and characterization, ” in Proc. First Workshop on Hot Topics in Understanding Botnets (HotBots), Cambridge, MA, April 10, 2007.

39 A. Ramachandran, N. Feamster, and D. Dagon, “ Revealing bot-

net membership using DNSBL counter-intelligence, ” in Proc. 2nd

Workshop on Steps to Reducing Unwanted Traffi c on the Internet (SRUTI), San Jose, CA, July 7, 2006, pp. 49 – 54.

PART | I Overview of System and Network Security: A Comprehensive Introduction

126

to the C & C servers must be removed. This approach assumes that the C & C servers consist of only a few hosts that are accessed directly. If hundreds or thousands of hosts are used in a fast-flux proxy configuration, it becomes extremely challenging to locate and neutralize the true C & C servers.

In work similar to BotHunter, researchers Gu et al. developed BotSniffer in 2008. This approach repre- sents several improvements, notably that BotSniffer can handle encrypted traffic, since it no longer relies only on content inspection to correlate messages. A major advantage of this approach is that it requires no advance knowledge of the bot’s signature or the identity of C & C servers. By analyzing network traces, BotSniffer detects the spatial-temporal correlation among C & C traffic belonging to the same botnet. It can therefore detect both the bot members and the C & C server(s) with a low false positive rate. 40

Most of the approaches mentioned under “ Detecting C & C Traffic ” can also be used to detect the C & C serv- ers, with the exception of the DNSBL approach. 39 However, their focus is mainly on detection and removal of individual bots. None of these approaches mentions targeting the C & C servers to eliminate an entire botnet.

One of the few projects that has explored the feasi- bility of C & C server takedown is the work of Freiling et al. in 2005. 41 Although their focus is on DDoS preven- tion, they describe the method that is generally used in the wild to remove C & C servers when they are detected. First, the bot binary is either reverse-engineered or run in a sandbox to observe its behavior, specifically the hostnames of the C & C servers. Using this information, the proper dynamic DNS providers can be notified to remove the DNS entries for the C & C servers, preventing any bots from contacting them and thus severing contact between the botmaster and his botnet. Dagon et al. used a similar approach in 2006 to obtain experiment data for modeling botnet propagation, redirecting the victim’s connections from the true C & C server to their sinkhole host. 42 _{Even though effective, the manual analysis and}

contact with the DNS operator is a slow process. It can

take up to several days until all C & C servers are located and neutralized. However, this process is essentially the best available approach for shutting down entire botnets in the wild. As we mentioned, this technique becomes much harder when fast-flux proxies are used to conceal the real C & C servers or a P2P topology is in place.

Attacking Encrypted C & C Channels

Though some of the approaches can detect encrypted C & C traffic, the presence of encryption makes bot- net research and analysis much harder. The first step in dealing with these advanced botnets is to penetrate the encryption that protects the C & C channels.

A popular approach for adding encryption to an existing protocol is to run it on top of SSL/TLS; to secure HTTP traffic, ecommerce Web sites run HTTP over SSL/TLS, known as HTTPS. Many encryption schemes that support key exchange (including SSL/TLS) are susceptible to man-in-the-middle (MITM) attacks, whereby a third party can impersonate the other two par- ties to each other. Such an attack is possible only when no authentication takes place prior to the key exchange, but this is a surprisingly common occurrence due to poor configuration.

The premise of an MITM attack is that the client does not verify that it’s talking to the real server, and vice versa. When the MITM receives a connection from the client, it immediately creates a separate connection to the server (under a different encryption key) and passes on the client’s request. When the server responds, the MITM decrypts the response, logs and possibly alters the content, then passes it on to the client reencrypted with the proper key. Neither the client or the server notice that anything is wrong, because they are commu- nicating with each other over an encrypted connection, as expected. The important difference is that unknown to either party, the traffic is being decrypted and reencrypted by the MITM in transit, allowing him to observe and alter the traffic.

In the context of bots, two main attacks on encrypted C & C channels are possible: (1) “ gray-box ” analysis, whereby the bot communicates with a local machine impersonating the C & C server, and (2) a full MITM attack, in which the bot communicates with the true C & C server. Figure 8.2 shows a possible setup for both attacks, using the DeleGate proxy 43 for the conversion to and from SSL/TLS.

40 G. Gu, J. Zhang, and W. Lee, “ BotSniffer: Detecting botnet com- mand and control channels in network traffi c, ” in Proc. 15th Network and Distributed System Security Symposium (NDSS), San Diego, February 2008.

41 F. Freiling, T. Holz, and G. Wicherski, “ Botnet tracking: Exploring

a root-cause methodology to prevent denial-of-service attacks, ” in

Proc. 10th European Symposium on Research in Computer Security (ESORICS), Milan, Italy, September 12 – 14, 2005.

42 D. Dagon, C. Zou, and W. Lee, “ Modeling botnet propagation

using time zones, ” in Proc. 13th Network and Distributed System

Security Symposium (NDSS), February 2006.

43 “ DeleGate multi-purpose application gateway, ” www.delegate.org/ delegate/ (accessed May 4, 2008).

The first attack is valuable to determine the authen- tication information required to join the live botnet: the address of the C & C server, the IRC channel name (if applicable), plus any required passwords. However, it

does not allow the observer to see the interaction with the larger botnet, specifically the botmaster. The sec- ond attack reveals the full interaction with the botnet, including all botmaster commands, the botmaster password used to control the bots, and possibly the IP addresses of other bot members (depending on the configuration of the C & C server). Figures 8.3 – 8.5 show the screenshots of the full MITM attack on a copy of Agobot configured to connect to its C & C server via SSL/TLS. Specifically, Figure 8.3 shows the botmaster’s IRC window, with his commands and the bot’s responses. Figure 8.4 shows the encrypted SSL/TLS trace, and Figure 8.5 shows the decrypted plaintext that was observed at the DeleGate proxy. The botmaster password botmasterPASS is clearly visible, along with the required username, botmaster .

Armed with the botmaster username and password, the observer could literally take over the botnet. He Plaintext Rogue C&C Server Log Real C&C Server Man-in-the-Middle Plaintext DG1 DG Bot Bot (1) (2) DG: DeleGate DG2 SSL SSL SSL

FIGURE 8.2 Setups for man-in-the-middle attacks on encrypted C & C channels.

FIGURE 8.3 Screenshot showing the botmaster’s IRC window.

PART | I Overview of System and Network Security: A Comprehensive Introduction

128

could log in as the botmaster, then issue a command such as Agobot’s .bot.remove, causing all bots to dis- connect from the botnet and permanently remove them- selves from the infected computers. Unfortunately, there are legal issues with this approach because it constitutes unauthorized access to all the botnet computers, despite the fact that it is in fact a benign command to remove the bot software.

Locating and Identifying the Botmaster