Slashdot Mirror

← Back to Stories (view on slashdot.org)

Prototype Software Sniffs Out, Disrupts Botnets

Posted by Zonk on from the are-you-john-connors dept.

coondoggie writes "Earlier this week researchers unveiled a system to identify and eradicate botnets in the wild. While currently only a prototype, Georgia Tech's BotSniffer would use network-based anomaly detection to identify botnet command and control channels in a LAN. The system wouldn't require any prior knowledge of signatures or server addresses. 'The researchers said their prototype, which was presented at the Internet Society's Network and Distributed System Security Symposium this week, is based on the fact that botnets engage in coordinated communication, propagation, and attack and fraudulent activities.'"

21 of 51 comments (clear)

  1. Does it detect torrents? by imbaczek · · Score: 2, Interesting

    I can see RIAA and friends going green with envy if it worked.

  2. way easier idea by ILuvRamen · · Score: 3, Informative

    We don't need AI and network scanners and blah blah blah. It's crazy easy to detect just by the traffic patterns and amount of data sent if a computer is infected. So ISPs detect everyone that sent data to known botnet targets or controllers and disconnect that customer until they disinfect themselves. Then everyone will be convinced to practice better overall security and they won't crack down on p2p as much because botnet traffic will no longer bog down entire ISP networks and I'll have lots of business as a computer repairer :-P it's the perfect idea really.

    --
    Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
  3. Prior art ... by tomhudson · · Score: 3, Funny

    I can see RIAA and friends going green with envy if it worked.

    Won't happen ... From the summary:

    is based on the fact that botnets engage in coordinated communication, propagation, and attack and fraudulent activities

    The RIAA / MPAA / Congresscritters / Lobbyists / Subprime Lenders ? BushCheneyHalliburtonCo all claim prior art ...

  4. Useful but fundamentally flawed.... by DigitalisAkujin · · Score: 4, Interesting

    This will work for plain text IRC connections but what if the bot is on an encrypted IRC connection?

    While this is a step in the right direction it will be out maneuvered quickly.

    1. Re:Useful but fundamentally flawed.... by Anonymous Coward · · Score: 4, Informative

      Don't be so quick to say that it won't work. We don't have enough information as to how it is designed and you don't understand anomaly based detection works. The idea behind network anomaly based detections is to identify communication between two or more host that aren't supposed to exist or that didn't in the past. That is the 5 cents explanation of it.

    2. Re:Useful but fundamentally flawed.... by TubeSteak · · Score: 4, Insightful

      "For instance, at a similar time, the bots within a botnet will execute the same command -- obtain system information, scan the network -- and report to the command and control server with the progress/result of the task. Normal network activities are unlikely to demonstrate such a synchronized or correlated behavior." That is why it won't matter if the botnet is using encrypted communications or not.

      Unfortunately, it wouldn't be much of a challenge to institute a randomized delay between receiving commands, executing them, and reporting back to the C&C. The C&C could even change the randomization factor depending on how many bots are in that specific subnet of IPs. More bots = more time delay to thwart the sniffer.
      --
      [Fuck Beta]
      o0t!
    3. Re:Useful but fundamentally flawed.... by Professr3 · · Score: 5, Informative

      The very nature of botnet activities usually requires a coordinated effort. You can't DDOS a website with randomly-delayed attacks from each host, because then it wouldn't be a DDOS, just a slower increase in traffic. Spam campaigns usually only work for the first few minutes before services catch on, and then that particular spam campaign is over. Unless all the bots participate reasonably simultaneously, they can't accomplish their goals as well.

    4. Re:Useful but fundamentally flawed.... by kvezach · · Score: 3, Interesting

      This will work for plain text IRC connections but what if the bot is on an encrypted IRC connection?

      Or Achord for that matter. If the botnet is based on a peer to peer structure and the author has added public-key encryption, all he has to do is connect to an arbitrary bot host and insert the (signed) command which propagates through the network to all the other nodes; there'll be no fixed master server to home in on.
    5. Re:Useful but fundamentally flawed.... by eonlabs · · Score: 4, Interesting

      This brings me to several questions:

      What happens if a new host, or several new hosts are added to the network?
      What happens if this is a public wifi where new hosts are added and dropped all the time?

      If the functionality is as described in the article summary and it looks for coordinated communications, how will it interpret bittorrent style communications where a lot of different computers, some possibly infected, most not, transferring data to and from a single host trying to download?

      It sounds like swarming algorithms are the kind of behavior it would be looking for.
      Just thinking out loud...

      --
      I wouldn't consider the mad hatter mad. Just reality impaired. He sure can make a mean cup of tea.
    6. Re:Useful but fundamentally flawed.... by somersault · · Score: 2, Funny

      I knew there was something evil about our WSUS server

      --
      which is totally what she said
    7. Re:Useful but fundamentally flawed.... by TubeSteak · · Score: 2, Interesting

      You can't DDOS a website with randomly-delayed attacks from each host, because then it wouldn't be a DDOS, just a slower increase in traffic. On average, Botnets are no longer hundreds or thousands strong, they've grown into the tens of thousands...
      As an exceptional case, F-Secure claims Storm is a million strong.

      Do you really need tens/hundreds of thousands of bots attacking all at once? Even if the answer to that question is yes, the bots are still polled for status & told to fetch updates. Introducing a randomized delay will certainly help hide non-attack behavior, which will undoubtedly prolong the life of the botnet.

      However, with a million bots, you could easily afford to randomize attack behavior. If TFA's technology spreads, botnets may have to have 3*X bots spitting out data randomly instead of X bots attacking instantly with 100% of their bandwidth in an easily discerned pattern. How else do you propose to defeat a sniffer looking for patterns in the network traffic?
      --
      [Fuck Beta]
      o0t!
    8. Re:Useful but fundamentally flawed.... by ultranova · · Score: 2, Interesting

      What I gut from the summary was that they were using anomaly detection to see for example that 25 hosts all started sending mass data after having a communication with one ip.

      Unless, of course, they got their instructions in an e-mail. Spam is already semi-randomized to get past filters, so it wouldn't be hard to have it carry encoded instructions too.

      Or have them use instant messaging. The zombie worm should detect which IM program the user uses, and send a message to the control (or one of various fake identities) using that, so the control knows to send messages back using it as well.

      Heck, you could have a two-part worm which infects both Web servers and desktops. An infected desktop infects any server it contacts, and an infected server infects any desktop which contacts it. If the server and desktop are both already infected, they pass whatever new messages (commands) they have to each other.

      You can get around anomaly detection by not causing any anomalies. Piggypack your messages on already existing connections rather than starting new ones. Basic spy stuff, really.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  5. Even easier way ... . by Anonymous Coward · · Score: 5, Interesting

    Just run a web server where you allow things like .. .

        index.php?main=xxx

    and then watch the attempts that come in for xxx, they will
    all be scripts that trigger the botnets. grab the scripts
    and you have the irc server, the channel, etc.

    A recent one that I saw was one katana.webchat.org in channel
    #msdos -- no idea if it is still running (ironic since webchat
    is supposed to have a security team). I reported it, but never
    heard anything back).

    Here are a bunch of other ones, access to botnets, free of
    charge.

    http://www.forestfamily.org/garc/.php/meifase.txt
    http://bialoka123.fileave.com/script9.txt
    http://raptortx.googlepages.com/inc3.txt
    http://snock.host.sk/spread.txt
    http://bialoka123.fileave.com/script9.txt
    http://members.lycos.co.uk/enviescraps/pbot.txt
    http://gikowns.googlepages.com/BOTNET-GIKO.txt
    http://www.ligseg.com.br/Etc/24.gif
    http://76.162.170.34/Photos/pbot
    http://www.hotjazz.xpg.com.br/ty.txt

    Use at your own risk, and maybe, these folks will get off their rear ends and shut these things down.

    1. Re:Even easier way ... . by 0100010001010011 · · Score: 2, Interesting

      ROFL this is tons of fun.

      I just took over a bot net. Read the source code and figured out what's going on how to login to them. Man these things are semi-complex.

      I just took over one and killed it. Dude was none to happy:
      16:20 macacao> l3
      16:21 macacao> SE EU TE PEGO
      16:21 macacao> EU VO CUMER
      16:21 macacao> TEU CU
      16:21 macacao> FILHO DA PUTA

    2. Re:Even easier way ... . by 0100010001010011 · · Score: 2, Interesting

      Because script kiddies are getting lazier and lazier.

      All the ones I was messing with were the php ones that had a config file like this:
      --
      var $config = array("server"=>"katana.webchat.org",
                                                "port"=>6667,
                                                "pass"=>"", //senha do server
                                                "prefix"=>"L",
                                                "maxrand"=>8,
                                                "chan"=>"#samera",
                                                "key"=>"fucked", //senha do canal
                                                "modes"=>"+p",
                                                "password"=>"ts", //senha do bot
                                                "trigger"=>".",
                                                "hostauth"=>"*" // * for any hostname
                                                );
      --
      And now that I went back and refreshed, they changed the channel and password.

      The commands aren't too difficult, they're in the header of a few other files that are linked in the original post. Just make sure that you have all your commands queued up and copy and paste them in at once. I didn't and the original bot owner took control and had them all die :-P

      I rewrote the script so that instead of actually doing the commands it just logs what it should have done and returns a positive response to the channel. So far I have a few UDP floods, I think I'll observe these guys for a while. Should be some entertainment for Saturday night.

    3. Re:Even easier way ... . by 0100010001010011 · · Score: 2, Informative

      Yes, that's what I was showing they accept authentication from ANYONE. .user and i'm in.

      And all these idiots did was ban my *!user@host. I reconnected via irssi after changing my username and I got back in. I'm trying to script up something entertaining but sadly the IRC server masks host names :(. They already uploaded and made changes to the original link, I wonder if they have any idea their config file bookmarked on Slashdot.

  6. Will it stop BitTorrent? by Anonymous Coward · · Score: 5, Insightful

    At the traffic level, BitTorrent looks a lot like a bot net. It has a central controllers (the tracker) and makes random connections to other peers, which then trade large amounts of data.

    So would this kill BitTorrent? I've heard network security people explain how peer-to-peer technologies are a dead end because they're impossible to run on a secure network since they do look like botnets. How does this deal with that?

  7. Botnets are easy to detect and control by colinmcnamara · · Score: 5, Informative
    Botnets are easy to detect and control. The problem is that the majority of organizations have not taken the steps to stop both their communication and control channels, and their ability to launch attacks. What should everybody do ?

    1. Deny IRC traffic at your firewalls. If there is a business need for IRC then setup a IRC proxy, or inline authentication. This simple step will stop many of the bots out there from phoning home.

    2. Enable reverse path detection on your network devices. This forces your internal routers to check whether the source ip address that the bot is sending, is available out the interface that your comprimised host exists on.

    3. Enable DHCP snooping on your edge switches. By configuring this feature the switchport that your host plugs into passively observes what IP address was given to your computer. If traffic is spoofed (a common occurrence for botnets) the switchport effectively shuts your host down.

    4. Monitor your network. There many free and commercial products that will make it clear that your traffic profiles have changed. Some good free tools for this are Cacti - http://www.cacti.net/, Nagios - http://www.nagios.org/ and NTOP - http://www.ntop.org/

    5. Utilize update antivirus technology, hopefully one that reports to a central console. These are simple steps, that frankly most people do not use in their networks. If they would the botnet issue would be greatly minimized.

    --
    Colin McNamara - CCIE #18233 "The difficult we do immediately, the impossible just takes a little longer"
  8. Comment removed by account_deleted · · Score: 3, Interesting

    Comment removed based on user account deletion

  9. It's an arms race by vinn01 · · Score: 3, Insightful


    The system as described shows promise. The current crop of botnet software all exhibit a behavior pattern that can be detected.

    Of course there's been other attempts at botnet detection software, but network deployment has been sparse. Deployment is key. Maybe Georgia Tech's good name will help get it deployed. It has be be proved useful to the large network operators or it will never spread beyond a few test systems.

    The network operators have to want this detection software enough to deploy and maintain it. It has to help their bottom line. Then it can be developed beyond a university research prototype.

    Will the bad guys update the botnet software to out maneuver the good guys? You can bet on it. But keep in mind that the the people who developed the botnet software generally are generally not the same ones who operate the largest botnets. The botnet operators will be greatly impacted until they can get updated software and then get it deployed.

    This system will cause a botnot disruption that will take time to rebuild. Then, the botnet detection software will need to be updated. And the arms race will continue...

  10. Better takedown, not DPI by Mark(ATL) · · Score: 2, Insightful

    The problem is not one of identification, it is very easy to detect members of a botnet without resorting to Deep Packet Inspection everywhere. The main problem is lack of local laws and regulation, and varying degree's of takedown management.