Prototype Software Sniffs Out, Disrupts Botnets

coondoggie writes "Earlier this week researchers unveiled a system to identify and eradicate botnets in the wild. While currently only a prototype, Georgia Tech's BotSniffer would use network-based anomaly detection to identify botnet command and control channels in a LAN. The system wouldn't require any prior knowledge of signatures or server addresses. 'The researchers said their prototype, which was presented at the Internet Society's Network and Distributed System Security Symposium this week, is based on the fact that botnets engage in coordinated communication, propagation, and attack and fraudulent activities.'"

Does it detect torrents?

[imbaczek]

I can see RIAA and friends going green with envy if it worked.

Prior art ...

[tomhudson]

I can see RIAA and friends going green with envy if it worked.

Won't happen ... From the summary:

is based on the fact that botnets engage in coordinated communication, propagation, and attack and fraudulent activities

The RIAA / MPAA / Congresscritters / Lobbyists / Subprime Lenders ? BushCheneyHalliburtonCo all claim prior art ...

way easier idea

[ILuvRamen]

We don't need AI and network scanners and blah blah blah. It's crazy easy to detect just by the traffic patterns and amount of data sent if a computer is infected. So ISPs detect everyone that sent data to known botnet targets or controllers and disconnect that customer until they disinfect themselves. Then everyone will be convinced to practice better overall security and they won't crack down on p2p as much because botnet traffic will no longer bog down entire ISP networks and I'll have lots of business as a computer repairer :-P it's the perfect idea really.

Re:

[Anonymous Coward]

My college had this policy when I was an undergrad. They used it on a Windows box I didn't care much about since I only used it to play movies on my TV. It was enough to keep me from ever using Windows again. I'd wager that most people would come up with more temporary solutions (changing ISPs, buying a new computer, etc.). One can always dream, though.

Re:

[ILuvRamen]

what planet do you live on? Spam takes up such a huge amount of all internet traffic, they thought it was going to crash the entire internet at the current rate of increase just a few years ago. Wasn't it like half of all traffic or something? And like 90% of spam is sent by botnet comps.

Useful but fundamentally flawed....

[DigitalisAkujin]

This will work for plain text IRC connections but what if the bot is on an encrypted IRC connection?

While this is a step in the right direction it will be out maneuvered quickly.

Re:Useful but fundamentally flawed....

[Anonymous Coward]

Don't be so quick to say that it won't work. We don't have enough information as to how it is designed and you don't understand anomaly based detection works. The idea behind network anomaly based detections is to identify communication between two or more host that aren't supposed to exist or that didn't in the past. That is the 5 cents explanation of it.

Re:Useful but fundamentally flawed....

[eonlabs]

This brings me to several questions:

What happens if a new host, or several new hosts are added to the network?
What happens if this is a public wifi where new hosts are added and dropped all the time?

If the functionality is as described in the article summary and it looks for coordinated communications, how will it interpret bittorrent style communications where a lot of different computers, some possibly infected, most not, transferring data to and from a single host trying to download?

It sounds like swarming algorithms are the kind of behavior it would be looking for.
Just thinking out loud...

Re:

[Dextrously]

This could end up making life easier on the ring leaders of most botnets. The two purposes I generally see these botnets used for when I worked at a data center were generally to nuke a host offline, or slowly and subtly raise the average bandwidth of a host thereby incurring extreme monthly bandwidth charges to them. Generally, they will extort money from the victim by these means.

Say that this technology is tricked into believing that uninvolved host "X" is part of a botnet; now host "X" is effectively

Re:Useful but fundamentally flawed....

[TubeSteak]

"For instance, at a similar time, the bots within a botnet will execute the same command -- obtain system information, scan the network -- and report to the command and control server with the progress/result of the task. Normal network activities are unlikely to demonstrate such a synchronized or correlated behavior."

That is why it won't matter if the botnet is using encrypted communications or not.

Unfortunately, it wouldn't be much of a challenge to institute a randomized delay between receiving commands, executing them, and reporting back to the C&C. The C&C could even change the randomization factor depending on how many bots are in that specific subnet of IPs. More bots = more time delay to thwart the sniffer.

Re:Useful but fundamentally flawed....

[Professr3]

The very nature of botnet activities usually requires a coordinated effort. You can't DDOS a website with randomly-delayed attacks from each host, because then it wouldn't be a DDOS, just a slower increase in traffic. Spam campaigns usually only work for the first few minutes before services catch on, and then that particular spam campaign is over. Unless all the bots participate reasonably simultaneously, they can't accomplish their goals as well.

Re:

[TubeSteak]

You can't DDOS a website with randomly-delayed attacks from each host, because then it wouldn't be a DDOS, just a slower increase in traffic.

On average, Botnets are no longer hundreds or thousands strong, they've grown into the tens of thousands...
As an exceptional case, F-Secure claims Storm is a million strong [networkworld.com].

Do you really need tens/hundreds of thousands of bots attacking all at once? Even if the answer to that question is yes, the bots are still polled for status & told to fetch updates. Introducing a randomized delay will certainly help hide non-attack behavior, which will undoubtedly prolong the life of the botnet.

However, with a mill

Re:

[Kent Recal]

And, just to add another datapoint, it wouldn't be hard to synchronize the bots to a common timesource
and simply schedule your attack in advance. Think CronBot(tm).

Re:

[gr8scot]

Unfortunately, it wouldn't be much of a challenge to institute a randomized delay between receiving commands, executing them, and reporting back to the C&C. The C&C could even change the randomization factor depending on how many bots are in that specific subnet of IPs. More bots = more time delay to thwart the sniffer.

That's why I think these kinds of reports should be available only in pay-per-view journals and university CS/engineering departments.

Re:

[kvezach]

This will work for plain text IRC connections but what if the bot is on an encrypted IRC connection?

Or Achord [thalassocracy.org] for that matter. If the botnet is based on a peer to peer structure and the author has added public-key encryption, all he has to do is connect to an arbitrary bot host and insert the (signed) command which propagates through the network to all the other nodes; there'll be no fixed master server to home in on.

Re:

[irc.goatse.cx troll]

Obviously the solution is to legislate against internet terrorist tools like IRC encryption.

Really though, I don't think they're just grepping for .udpflood here, that would not be news. What I gut from the summary was that they were using anomaly detection to see for example that 25 hosts all started sending mass data after having a communication with one ip. Doesn't matter whats in that connection, it at least gives you somewhere to start.

Re:

[somersault]

I knew there was something evil about our WSUS server

Re:

[ultranova]

What I gut from the summary was that they were using anomaly detection to see for example that 25 hosts all started sending mass data after having a communication with one ip.

Unless, of course, they got their instructions in an e-mail. Spam is already semi-randomized to get past filters, so it wouldn't be hard to have it carry encoded instructions too.

Or have them use instant messaging. The zombie worm should detect which IM program the user uses, and send a message to the control (or one of various f

applications of abstract theory you say?

[machine of god]

It just occurred to me that there is going to be a point in this arms race where I am going to be interested enough to want to participate. Now how do I go about bringing myself up to speed on the subject I wonder.

Even easier way ... .

[Anonymous Coward]

Just run a web server where you allow things like .. .

    index.php?main=xxx

and then watch the attempts that come in for xxx, they will
all be scripts that trigger the botnets. grab the scripts
and you have the irc server, the channel, etc.

A recent one that I saw was one katana.webchat.org in channel
#msdos -- no idea if it is still running (ironic since webchat
is supposed to have a security team). I reported it, but never
heard anything back).

Here are a bunch of other ones, access to botnets, free of
charge.

http://www.forestfamily.org/garc/.php/meifase.txt [forestfamily.org]
http://bialoka123.fileave.com/script9.txt [fileave.com]
http://raptortx.googlepages.com/inc3.txt [googlepages.com]
http://snock.host.sk/spread.txt [snock.host.sk]
http://bialoka123.fileave.com/script9.txt [fileave.com]
http://members.lycos.co.uk/enviescraps/pbot.txt [lycos.co.uk]
http://gikowns.googlepages.com/BOTNET-GIKO.txt [googlepages.com]
http://www.ligseg.com.br/Etc/24.gif [ligseg.com.br]
http://76.162.170.34/Photos/pbot [76.162.170.34]
http://www.hotjazz.xpg.com.br/ty.txt [xpg.com.br]

Use at your own risk, and maybe, these folks will get off their rear ends and shut these things down.

Re:

[0100010001010011]

ROFL this is tons of fun.

I just took over a bot net. Read the source code and figured out what's going on how to login to them. Man these things are semi-complex.

I just took over one and killed it. Dude was none to happy:
16:20 macacao> l3
16:21 macacao> SE EU TE PEGO
16:21 macacao> EU VO CUMER
16:21 macacao> TEU CU
16:21 macacao> FILHO DA PUTA

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[0100010001010011]

Because script kiddies are getting lazier and lazier.

All the ones I was messing with were the php ones that had a config file like this:
--
var $config = array("server"=>"katana.webchat.org",
"port"=>6667,
"pass"=

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[0100010001010011]

Yes, that's what I was showing they accept authentication from ANYONE. .user and i'm in.

And all these idiots did was ban my *!user@host. I reconnected via irssi after changing my username and I got back in. I'm trying to script up something entertaining but sadly the IRC server masks host names :(. They already uploaded and made changes to the original link, I wonder if they have any idea their config file bookmarked on Slashdot.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[MikeS2k]

http://gikowns.googlepages.com/BOTNET-GIKO.txt [googlepages.com]

I'm now in one particular channel on Quakenet, and it'll only let you issue the .user command (or indeed any other command) if your hostname matches that in the config - this one in particular will only accept "Giko.users.quakenet.org" as the hostname.

I tried to login to his Quakenet account, but alas, the password doesn't match the one he chose for his bot's authpass :-(

The channel had about 7 bots anyhow, so either he's moved them along or just isn't very luck

They need to think about this...

[twotailakitsune]

BotSniffer, can capture network command and control protocols and utilize statistical algorithms to detect botnets.

So it uses signatures.

identify botnet command and control channels in a local area network.

so you can't have a 10,000 botnet on a LAN.... Not that I would like some ISP to use this. Now some guy at Comcast will "fight the evil botnets". BotSniffer sounds like a kill the massage-girl thing.

has a very low false positive rate

So, what about when BotSniffer shutdowns things that are not an "evil botnet"? (IRC, ...)

Normal network activities are unlikely to demonstrate such a synchronized or correlated behavior.

A lot of automatic network activities are vary correlated.

I know complaining over nothing.

Will it stop BitTorrent?

[Anonymous Coward]

At the traffic level, BitTorrent looks a lot like a bot net. It has a central controllers (the tracker) and makes random connections to other peers, which then trade large amounts of data.

So would this kill BitTorrent? I've heard network security people explain how peer-to-peer technologies are a dead end because they're impossible to run on a secure network since they do look like botnets. How does this deal with that?

Botnets are easy to detect and control

[colinmcnamara]

Botnets are easy to detect and control. The problem is that the majority of organizations have not taken the steps to stop both their communication and control channels, and their ability to launch attacks. What should everybody do ?

1. Deny IRC traffic at your firewalls. If there is a business need for IRC then setup a IRC proxy, or inline authentication. This simple step will stop many of the bots out there from phoning home.

2. Enable reverse path detection on your network devices. This forces your internal routers to check whether the source ip address that the bot is sending, is available out the interface that your comprimised host exists on.

3. Enable DHCP snooping on your edge switches. By configuring this feature the switchport that your host plugs into passively observes what IP address was given to your computer. If traffic is spoofed (a common occurrence for botnets) the switchport effectively shuts your host down.

4. Monitor your network. There many free and commercial products that will make it clear that your traffic profiles have changed. Some good free tools for this are Cacti - http://www.cacti.net/ [cacti.net], Nagios - http://www.nagios.org/ [nagios.org] and NTOP - http://www.ntop.org/ [ntop.org]

5. Utilize update antivirus technology, hopefully one that reports to a central console. These are simple steps, that frankly most people do not use in their networks. If they would the botnet issue would be greatly minimized.

It Has To Be Said

[Hawkeye05]

By the time Skynet became self-aware it had spread into millions of computer servers across the planet. Ordinary computers in office buildings, dorm rooms; everywhere. It was software; in cyberspace. There was no system core; it could not be shutdown. The attack began at 6:18 PM, just as he said it would. Judgment Day, the day the human race was almost destroyed by the weapons they'd built to protect themselves. I should have realized it was never our destiny to stop Judgment Day, it was merely to survive i

Re:

[Lobster Quadrille]

Any Similarities?

Not really, no.

It's an arms race

[vinn01]

The system as described shows promise. The current crop of botnet software all exhibit a behavior pattern that can be detected.

Of course there's been other attempts at botnet detection software, but network deployment has been sparse. Deployment is key. Maybe Georgia Tech's good name will help get it deployed. It has be be proved useful to the large network operators or it will never spread beyond a few test systems.

The network operators have to want this detection software enough to deploy and maintain it. It has to help their bottom line. Then it can be developed beyond a university research prototype.

Will the bad guys update the botnet software to out maneuver the good guys? You can bet on it. But keep in mind that the the people who developed the botnet software generally are generally not the same ones who operate the largest botnets. The botnet operators will be greatly impacted until they can get updated software and then get it deployed.

This system will cause a botnot disruption that will take time to rebuild. Then, the botnet detection software will need to be updated. And the arms race will continue...

Re:

[smellotron]

The network operators have to want this detection software enough to deploy and maintain it. It has to help their bottom line. Then it can be developed beyond a university research prototype.

It does help the bottom line of last-hop ISPs. If 50% of your network traffic is from virus-infected computers, you can double your effective capacity with perfect virus detection and quarantine. It also provides a pretty strong encouragement for users to get their computers fixed, since a virus means "no internet

Better takedown, not DPI

[Mark(ATL)]

The problem is not one of identification, it is very easy to detect members of a botnet without resorting to Deep Packet Inspection everywhere. The main problem is lack of local laws and regulation, and varying degree's of takedown management.

Make your network Botnet resistant

[Yoshimetso]

1) Deploy network IPS 2) Deploy HIPS 3) Deploy Anti virus solution (symantec, kaspersky, trend micro) 4) Firewall Rules 5) Windows WSUS (updates) 6) Switch IDS cards (Cisco) 7) Sniff and monitor high traffic utilization 8) Internet Content filtering (ex. WebSense + the advanced protection option to filter requests to infected hosts) 9) Good Anti Spam solution (ex. Borderware MXstream) 10) Educate users ExtremeSecurity Blog Admin http://extremesecurity.blogspot.com/ [blogspot.com]

Time for a Paradigm Shift?

[mac_mcgrew]

Perhaps what I have to say is oversimplifying or ignorant. But I'm sure the nice people here at Slashdot will be more than willing to educate me.

The more I watch this issue, the more it seems clear to me that a losing battle is being fought. I picture an analogous world where, by default, houses are constructed with multiple doors that open to the outside world. And also by default, the doors are not locked. To make matters worse, the locks on the doors aren't visible. So even after a door has been secured,