Even if all three technical challenges can be solved and even if all Internet-connected organizations worldwide cooperate to monitor traffic, there are additional traceback challenges beyond the reach of the Internet (see Figure 8.7). Any IP-based traceback method assumes that the true source IP belongs to the computer the attacker is using and that this machine can be physically located. However, in many scenarios this is not true — for example, (1) Internet-connected mobile phone networks, (2) open wireless (Wi-Fi) networks, and (3) public computers, such as those at libraries and Internet cafés.
50 A. Snoeren, C. Partridge, L. A. Sanchez, C. E. Jones, F. Tchakountio, S. T. Kent, and W. T. Strayer, “Hash-based IP traceback,” in Proc. ACM SIGCOMM 2001, September 2001, pp. 3–14.
51 J. Li, M. Sung, J. Xu, and L. Li, “Large-scale IP traceback in high-speed internet: Practical techniques and theoretical foundation,” in Proc. 2004 IEEE Symposium on Security and Privacy, IEEE, 2004.
52 X. Wang, S. Chen, and S. Jajodia, “Network flow watermarking attack on low-latency anonymous communication systems,” in Proc. 2007 IEEE Symposium on Security and Privacy, May 2007.
53 X. Wang, S. Chen, and S. Jajodia, “Tracking anonymous, peer-to-peer VoIP calls on the internet,” in Proc. 12th ACM Conference on Computer and Communications Security (CCS 2005), October 2005.
54 X. Wang and D. Reeves, “Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays,” in Proc. 10th ACM Conference on Computer and Communications Security (CCS 2003), October 2003, pp. 20–29.
Most modern cell phones support text-messaging services such as Short Message Service (SMS), and many smart phones also have full-featured IM software. As a result, the botmaster can use a mobile device to control her botnet from any location with cell phone reception. To enable her cell phone to communicate with the C&C server, a botmaster needs to use a protocol translation service or a special IRC client for mobile phones. She can run the translation service on a compromised host, an additional stepping stone. For an IRC botnet, such a service would receive the incoming SMS or IM message, then repackage it as an IRC message and send it on to the C&C server (possibly via more stepping stones), as shown in Figure 8.7. To eliminate the need for protocol translation, the botmaster can run a native IRC client on a smart phone with Internet access. Examples of such clients are the Java-based WLIrc 55 and jmIrc 56 open source projects. In Figure 8.8, a Nokia smartphone is shown running MSN Messenger, controlling an Agobot zombie via MSN-IRC protocol translation. On the screen, a new bot has just been infected and has joined the IRC channel following the botmaster’s .scan.dcom command.
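From the defender's side, the IRC channel activity just described (a burst of freshly infected bots joining a channel, followed by a dot-prefixed command such as .scan.dcom) is what a network sensor would look for. The following Python sketch is an added illustration, not code from the book: it parses raw IRC protocol lines and flags dot-commands sent to a channel that several distinct nicks joined earlier in the capture. The capture lines, channel name, and nicks are constructed; only the .scan.dcom command comes from the text.

```python
"""Heuristic detection of IRC botnet C&C commands (added illustration, not from the book).
Assumes raw IRC server-to-client lines as a passive sensor would capture them."""
import re
from collections import defaultdict

# Constructed sample capture: three zombies join #ctrl, then one nick issues dot-commands.
SAMPLE_IRC = """\
:bot-a1f3!x@10.0.0.12 JOIN :#ctrl
:bot-9c02!x@10.0.0.44 JOIN :#ctrl
:bot-77de!x@10.0.0.91 JOIN :#ctrl
:master!m@relay.example PRIVMSG #ctrl :.scan.dcom 10.0.0.0/8
:bot-a1f3!x@10.0.0.12 PRIVMSG #ctrl :scan started
:alice!a@203.0.113.5 PRIVMSG #chat :hello everyone
:master!m@relay.example PRIVMSG #ctrl :.scan.stop
"""

# ":nick!user@host CMD target [:trailing text]" for the two message types we care about.
IRC_LINE = re.compile(
    r"^:(?P<nick>[^!\s]+)(?:!\S+)?\s+(?P<cmd>JOIN|PRIVMSG)\s+:?(?P<target>\S+)(?:\s+:(?P<text>.*))?$"
)
# Dot-prefixed command tokens such as ".scan.dcom" (the Agobot command shown in Figure 8.8).
BOT_CMD = re.compile(r"^\.[a-z]+(?:\.[a-z]+)*")


def parse_line(line):
    """Return a dict with nick/cmd/target/text for JOIN and PRIVMSG lines, else None."""
    m = IRC_LINE.match(line.strip())
    return m.groupdict() if m else None


def detect_cc_commands(capture, min_joins=3):
    """Return (channel, controller_nick, command) for every dot-command sent to a
    channel that at least `min_joins` distinct nicks joined earlier in the capture."""
    joins = defaultdict(set)  # channel -> nicks seen joining it
    alerts = []
    for raw in capture.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        if ev["cmd"] == "JOIN":
            joins[ev["target"]].add(ev["nick"])
        elif ev["cmd"] == "PRIVMSG" and ev["text"]:
            m = BOT_CMD.match(ev["text"])
            if m and len(joins[ev["target"]]) >= min_joins:
                alerts.append((ev["target"], ev["nick"], m.group(0)))
    return alerts


if __name__ == "__main__":
    for channel, nick, cmd in detect_cc_commands(SAMPLE_IRC):
        print(f"possible C&C command {cmd} from {nick} in {channel}")
```

The join-count threshold is a crude proxy for a bot herd; on a real sensor it would be combined with nick-pattern and timing heuristics, and the dot-command syntax varies by bot family.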
When a botnet is being controlled from a mobile device, even a perfect IP traceback solution would only reach as far as the gateway host that bridges the Internet and the carrier’s mobile network. From there, the tracer can ask the carrier to complete the trace and disclose the name and even the current location of the cell phone’s owner. However, there are several problems with this approach. First, this part of the trace again requires lots of manual work and cooperation of yet another organization, introducing further delays and making a real-time trace unlikely. Second, the carrier won’t be able to determine the name of the subscriber if he is using a prepaid cell phone. Third, the tracer could obtain an approximate physical location based on cell site triangulation. Even if he can do this in real time, it might not be very useful if the botmaster is in a crowded public place. Short of detaining all people in the area and checking their cell phones, police won’t be able to pinpoint the botmaster.
55 “WLIrc wireless IRC client for mobile phones,” http://wirelessirc.sourceforge.net/ (accessed May 3, 2008).
56 “jmIrc: Java mobile IRC-client (J2ME),” http://jmirc.sourceforge.net/ (accessed May 3, 2008).
FIGURE 8.7 Using a cell phone to evade Internet-based traceback.
FIGURE 8.8 Using a Nokia smartphone to control an Agobot-based botnet. (Photo courtesy of Ruishan Zhang.)
PART | I Overview of System and Network Security: A Comprehensive Introduction
A similar situation arises when the botmaster uses an unsecured Wi-Fi connection. This could either be a public access point or a poorly configured one that is intended to be private. With a strong antenna, the botmaster can be located up to several thousand feet away. In a typical downtown area, such a radius can contain thousands of people and just as many computers. Again, short of searching everyone in the vicinity, the police will be unable to find the botmaster.
Finally, many places provide public Internet access without any logging of the users’ identities. Prime examples are public libraries, Internet cafés, and even the business centers at most hotels. In this scenario, a real-time trace would actually find the botmaster, since he would be sitting at the machine in question. However, even if the police are late by only several minutes, there might no longer be any record of who last used the computer. Physical evidence such as fingerprints, hair, and skin cells would be of little use, since many people use these computers each day. Unless a camera system is in place and it captured a clear picture of the suspect on his way to/from the computer, the police again will have no leads.
This section illustrates a few common scenarios where even a perfect IP traceback solution would fail to locate the botmaster. Clearly, much work remains on developing automated, integrated traceback solutions that work across various types of networks and protocols.
7. SUMMARY
Botnets are one of the biggest threats to the Internet today, and they are linked to most forms of Internet crime. Most spam, DDoS attacks, spyware, click fraud, and other attacks originate from botnets and the shadowy organizations behind them. Running a botnet is immensely profitable, as several recent high-profile arrests have shown. Currently, many botnets still rely on a centralized IRC C&C structure, but more and more botmasters are using P2P protocols to provide resilience and avoid a single point of failure. A recent large-scale example of a P2P botnet is the Storm Worm, widely covered in the media.
A number of botnet countermeasures exist, but most are focused on bot detection and removal at the host and network level. Some approaches exist for Internet-wide detection and disruption of entire botnets, but we still lack effective techniques for combating the root of the problem: the botmasters who conceal their identities and locations behind chains of stepping-stone proxies.
The three biggest challenges in botmaster traceback are stepping stones, encryption, and the low traffic volume. Even if these problems can be solved with a technical solution, the trace must be able to continue beyond the reach of the Internet. Mobile phone networks, open wireless access points, and public computers all provide an additional layer of anonymity for the botmasters.
Short of a perfect solution, even a partial traceback technique could serve as a very effective deterrent for botmasters. With each botmaster that is located and arrested, many botnets will be eliminated at once. Additionally, other botmasters could decide that the risks outweigh the benefits when they see more and more of their colleagues getting caught. Currently, the economic equation is very simple: Botnets can generate large profits with relatively low risk of getting caught. A botmaster traceback solution, even if imperfect, would drastically change this equation and convince more botmasters that it simply is not worth the risk of spending the next 10–20 years in prison.
Computer and Information Security Handbook
Copyright © 2009, Morgan Kaufmann Inc. All rights of reproduction in any form reserved.