Page 1: Active Botnet Probing to Identify Obscure Command and Control Channels
G Gu, V Yegneswaran, P Porras, J Stoll, and W Lee, Annual Computer Security Applications Conference 2009 (ACSAC 2009)

Reporter: 高嘉男  Advisor: Chin-Laung Lei  2010/3/15

Page 2: Outline
Introduction
Problem statement & assumptions
Active botnet probing: architecture & algorithms
Experiments with BotProbe
Conclusion

Page 3: Introduction
Botnet C&C channel: existing protocols
◦ IRC, HTTP & P2P
Botnet detection: passive
◦ Signature-based detection
◦ Honeypot-based detection
◦ Behavior-based botnet detection
Contemporary IRC botnets
◦ Obfuscated IRC messages
◦ Small sizes
◦ Infrequent C&C interactions

Page 4: Active Method
Collect evidence actively
Assume there is only one round of (obscure) chat-like botnet C&C interaction from one bot; can we still detect the bot with high probability?

Page 5: Key Observations
Botnet C&C interaction has a clear command-response pattern
◦ A bot will behave deterministically to replayed commands
Bots are preprogrammed to respond to the set of commands they receive
◦ Bots have limited tolerance for typographical errors in conversations

Page 6: Adversary Assumption
A bot should respond within a reasonable time when it receives a predefined command
Message response
◦ IRC PRIVMSG message
Activity response
◦ Scan response
◦ Third-party response
◦ Spam response

Page 7: Architecture Design

Page 8: Active Probing Techniques

Page 9: Active Probing Techniques (cont'd)
P0 (Explicit-Challenge-Response)
◦ Reverse Turing test
◦ Request the user to visit a website to read and translate a CAPTCHA
P1 (Session-Replay-Probing)
◦ Replay the same application command to the client several times

Page 10: Active Probing Techniques (cont'd)
P2 (Session-Byte-Probing)
◦ The BotProbe monitor randomly permutes certain bytes of the application command
P3 (Client-Replay-Probing)
◦ Register a new user into the channel
◦ Send the observed command(s) to the selected client
P4 (Man-In-The-Middle-Probing)
◦ Intercept the new command and launch a man-in-the-middle-like chat message injection

Page 11: Turing-Test-Hypothesis Algorithm
Perform one or more rounds of P0 probing
H1: the hypothesis "botnet C&C"
H0: the hypothesis "normal chat"
Binary random variable D: whether or not we observe a wrong reply for a challenge from the client (D = 1: an incorrect reply)
θ1 = Pr(D=1 | H1), θ0 = Pr(D=1 | H0)
θ1 ≈ 1, θ0 ≈ 0
α: false positive rate, β: false negative rate
n: rounds of probing
Define, with r_i the value observed for D_i in round i, the log-likelihood ratio after n rounds:

$$\Lambda_n = \ln \prod_{i=1}^{n} \frac{\Pr(D_i = r_i \mid H_1)}{\Pr(D_i = r_i \mid H_0)} = \sum_{i=1}^{n} \ln \frac{\Pr(D_i = r_i \mid H_1)}{\Pr(D_i = r_i \mid H_0)}$$

Page 12: Turing-Test-Hypothesis Algorithm (cont'd)
Threshold random walk (TRW)
◦ Walk starts from the origin (0)
◦ Walk goes up by ln(θ1/θ0) if Di = 1
◦ Walk goes down by |ln((1-θ1)/(1-θ0))| if Di = 0 (the term ln((1-θ1)/(1-θ0)) is negative since θ1 > θ0)
After n rounds
◦ If Λn > ln((1-β)/α): accept H1, it is a botnet C&C
◦ If Λn < ln(β/(1-α)): accept H0, it is a normal IRC dialog
◦ Otherwise: additional rounds of testing

Page 13: Single-Binary-Response-Hypothesis Algorithm
Perform one or more rounds of P1 probing
D: whether or not a response from the client is observed
Iterate the TRW process at different scales depending on the responses
Multiple different types of responses corresponding to the same command
◦ Choose the one that provides the highest confidence (walks the largest step)

Page 14: Interleaved-Binary-Response-Hypothesis Algorithm
Perform one or more rounds of interleaved P1 and P2 probing
D = 1: a response is observed for the replayed packets and no response for the modified packets
Bots
◦ Respond to replayed packets reliably
◦ Do not recognize the modified command
Humans
◦ Respond to a message with a typographical error
◦ How do normal users respond to two replayed IRC messages?
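The threshold random walk from the Turing-Test-Hypothesis slides and the interleaved P1/P2 observation rule above, as one added worked example that is not BotProbe's code. The bot and human clients are constructed stand-ins for a real IRC client (the bot answers only byte-exact known commands; the human tolerates small typos), the command string is made up, and θ1 = 0.99, θ0 = 0.15, α = 0.001, β = 0.01 are the message-response parameters the experiment slides list; the decision thresholds ln((1-β)/α) and ln(β/(1-α)) and the step sizes ln(θ1/θ0) and ln((1-θ1)/(1-θ0)) are the slides' formulas.

```python
# Added example (not BotProbe's code): a threshold random walk (TRW) driven by
# interleaved P1 (replay) / P2 (byte-permuted) probe rounds.  The Bot and Human
# classes and the probed command are constructed stand-ins for a real IRC client.
import math
import random

THETA1, THETA0 = 0.99, 0.15   # Pr(D=1 | H1), Pr(D=1 | H0) for message responses (slide values)
ALPHA, BETA = 0.001, 0.01     # tolerated false-positive / false-negative rates (slide values)


class ThresholdRandomWalk:
    """Sequential test: accumulate ln Pr(D_i|H1)/Pr(D_i|H0) until a threshold is crossed."""

    def __init__(self, theta1=THETA1, theta0=THETA0, alpha=ALPHA, beta=BETA):
        self.up = math.log(theta1 / theta0)                 # step for D_i = 1 (positive)
        self.down = math.log((1 - theta1) / (1 - theta0))   # step for D_i = 0 (negative)
        self.upper = math.log((1 - beta) / alpha)           # crossing it accepts H1 (botnet C&C)
        self.lower = math.log(beta / (1 - alpha))           # crossing it accepts H0 (normal chat)
        self.position = 0.0                                 # Lambda_n, starts at the origin
        self.rounds = 0

    def step(self, d):
        """Feed one observation D_i; return 'H1', 'H0' or 'undecided'."""
        self.position += self.up if d == 1 else self.down
        self.rounds += 1
        if self.position > self.upper:
            return "H1"
        if self.position < self.lower:
            return "H0"
        return "undecided"


def permute_bytes(command, rng, count=1):
    """P2 probe: replace `count` randomly chosen bytes with a different letter (length kept)."""
    buf = bytearray(command)
    for idx in rng.sample(range(len(buf)), count):
        buf[idx] = rng.choice([c for c in range(ord("a"), ord("z") + 1) if c != buf[idx]])
    return bytes(buf)


class Bot:
    """Constructed preprogrammed client: answers only byte-exact known commands, every time."""

    def __init__(self, commands):
        self.commands = commands        # {command bytes: reply bytes}

    def respond(self, msg):
        return self.commands.get(msg)   # None means no response


class Human:
    """Constructed chat user: answers anything within Hamming distance 2 of a known phrase."""

    def __init__(self, phrases):
        self.phrases = phrases

    def respond(self, msg):
        for phrase in self.phrases:
            if len(phrase) == len(msg) and sum(a != b for a, b in zip(phrase, msg)) <= 2:
                return b"sure, what do you need?"
        return None


def probe_session(client, observed_cmd, rng, max_rounds=10):
    """Interleaved-Binary-Response test: D_i = 1 iff the replayed command (P1) draws a
    response and its byte-permuted copy (P2) does not.  Returns (verdict, rounds used)."""
    walk = ThresholdRandomWalk()
    for _ in range(max_rounds):
        replayed = client.respond(observed_cmd)                      # P1
        mutated = client.respond(permute_bytes(observed_cmd, rng))   # P2
        d = 1 if replayed is not None and mutated is None else 0
        verdict = walk.step(d)
        if verdict != "undecided":
            return verdict, walk.rounds
    return "undecided", walk.rounds


def demo(seed=1):
    """Probe one constructed bot and one constructed human with an observed message each."""
    rng = random.Random(seed)
    bot = Bot({b".scan.start 445 200": b"[SCAN]: random port scan started"})   # made-up command
    human = Human([b"what's up", b"nice weather"])
    return {
        "bot": probe_session(bot, b".scan.start 445 200", rng),
        "human": probe_session(human, b"nice weather", rng),
    }


if __name__ == "__main__":
    for name, (verdict, rounds) in demo().items():
        print(f"{name}: {verdict} after {rounds} interleaved round(s)")
```

With these parameters every D_i = 1 moves the walk up by ln(0.99/0.15) ≈ 1.89 against an upper threshold ln(990) ≈ 6.90, so a deterministic bot is declared after 4 rounds, while every D_i = 0 moves it down by about 4.44 against a lower threshold ln(0.01/0.999) ≈ -4.60, so the typo-tolerant human is cleared after 2 rounds. The round count the function returns is the number of replayed/modified message pairs the client was exposed to; replacing the D rule with "any response observed" turns the same loop into the Single-Binary-Response variant that uses P1 alone.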

Page 15: Evaluating User Disturbance
The degree of disturbance
◦ The number of rounds (packets modified/replayed)
To produce a botnet C&C declaration
To produce a human user IRC channel declaration

Page 16: Evaluating User Disturbance (cont'd)

Page 17: BotProbe: an Active Botnet Probing System

Page 18: Test the False Negative Rate
How many bot C&Cs are missed by BotProbe?
Execute the bot in Windows XP (VMware)
Monitor with BotProbe on Linux
Three classes of real-world IRC bots
◦ Open-source bots with obfuscated communication: Spybot
◦ Bot binaries with cleartext communication: Phatbot, Rbot, Rxbot, Sdbot
◦ Bot binaries with obfuscated communication: W32.Wargbot, Trojan.Dropper.Sramler.C

Page 19: Test the False Negative Rate (cont'd)
Parameters of the testing algorithm
◦ θ1 = 0.99, θ0 = 0.15, α (FP) = 0.001, β (FN) = 0.01
◦ θ0 (scan) = 0.01, θ0 (3rd-party access) = 0.02

Page 20: Test the False Negative Rate (cont'd)
W32.Wargbot
◦ Puts an encrypted command in the IRC TOPIC message for bots to execute
Trojan.Dropper.Sramler.C

Page 21: Test the False Positive Rate
How frequently could normal chatting sessions be mislabeled as botnet C&C?
Study design
◦ Human users periodically sent messages that simulate the effect of botnet probing to real users in diverse channels
Tested on two different platforms
◦ IRC & mebbo.com

Page 22: Test the False Positive Rate (cont'd)
Study design
◦ Six different questions were designed to test 123 different users
◦ Questions: "what's up", "nice weather", "you like red?", "how may I help you?", "English only! I play nice fun"
◦ Modified questions: "waat's up", "noce weather", "aou like red?", "Bow may I help you?", "Eaglish only! I play nice fun"
◦ Turing test message: "what's 3+6=?"

Page 23: Test the False Positive Rate (cont'd)

Page 24: Conclusion
The first feasibility study of the use of active techniques in botnet detection
◦ Collect evidence actively
◦ Shorten the detection time
A hypothesis testing framework & a prototype system implementation
◦ Separates deterministic botnet communication from human conversations effectively

Page 25: Reference
G Gu, V Yegneswaran, P Porras, J Stoll, and W Lee, "Active Botnet Probing to Identify Obscure Command and Control Channels," in Annual Computer Security Applications Conference (ACSAC), 2009.

