Rishi Hotbots
1. Rishi
Identify Bot Contaminated Hosts by
IRC Nickname Evaluation
Jan Göbel
Center for Computing and Communication
RWTH Aachen
Thorsten Holz
Laboratory for Dependable Distributed Systems
University of Mannheim
Rishi HotBots´07
2. Outline
▸ What is Rishi?
▸ Rishi setup and design
▸ Nickname evaluation
▸ Results and limitations
▸ Discussion
3. What is Rishi?
▸ Basic idea: IRC-based bots need a distinct nickname
  – Can we detect similarity in IRC nicknames to detect bots?
  – Is detection of the communication channel between botherder and victim possible?
▸ Small Python script (~1700 lines) that passively monitors network traffic
▸ Analyses payload for the occurrence of known IRC commands
  – NICK, JOIN, USER, MODE, QUIT
  – Analysis function to compute a score for a given nickname
▸ Related work:
  – Binkley et al.: botnets use same IRC channel, offline analysis
  – Livadas et al. use machine learning techniques to detect C&C traffic
6. Nickname Evaluation
▸ Check nickname against dynamic and static whitelists
  – Similarity check based on n-gram analysis
▸ Check if nickname contains a known extension:
  – _away, ^working, ...
  – Subtract the extension and check the nickname again
▸ Check nickname against dynamic and static blacklists
  – Similarity check based on n-gram analysis
▸ Check for suspicious substrings and special characters in nickname
  – DEU, GBR, 2K, XP, r00t3d-, |, [, ], ...
▸ Check for suspicious prefix/suffix in nickname
  – _13, _12, l33t-, xyz-, ...
7. Nickname Evaluation
▸ Check number of digits in nickname
  – Every two digits add one point to the final score
▸ Check if target IP address is a known C&C server
▸ Check if target port is uncommon
▸ Check nickname against regular expressions
  – Evaluation of ~4K known bot nicks resulting in 52 REs
▸ Example: RBOT|DE-6182
  – 2 points for suspicious substrings RBOT and DE
  – 2 points for occurrence of special characters | and -
  – 2 points for two occurrences of consecutive digits
  – 10 points for match against regular expression
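The scoring walked through on the two Nickname Evaluation slides, as an added Python example that is not Rishi's own code: it implements the whitelist, extension, substring, special-character, affix, digit and regular-expression checks and reproduces the RBOT|DE-6182 score. The word lists are seeded only from the values on the slides, the single regular expression is constructed to stand in for the 52 REs, the per-check weights are assumed from the walk-through (one point per substring, special character and digit pair, ten per RE match), and the n-gram similarity, blacklist, C&C-address and port checks are left out.

```python
import re

# Constructed word lists, seeded only from the examples on the slides; Rishi's own lists are larger.
WHITELIST = {"jan", "thorsten"}                      # assumed static whitelist entries
KNOWN_EXTENSIONS = ("_away", "^working")             # client extensions named on the slides
SUSPICIOUS_SUBSTRINGS = ("DEU", "GBR", "2K", "XP", "r00t3d-", "RBOT", "DE")
SPECIAL_CHARS = set("|[]-")
SUSPICIOUS_PREFIXES = ("l33t-", "xyz-")
SUSPICIOUS_SUFFIXES = ("_13", "_12")
# One constructed regular expression standing in for the 52 REs derived from ~4K bot nicks.
BOT_REGEXES = [re.compile(r"^[A-Za-z]{3,5}\|[A-Z]{2,3}-\d{3,6}$")]
REGEX_POINTS = 10                                    # weight taken from the slides' walk-through

def strip_extension(nick):
    """Drop a known client extension (e.g. '_away') so the base nick is scored."""
    for ext in KNOWN_EXTENSIONS:
        if nick.endswith(ext):
            return nick[: -len(ext)]
    return nick

def score_nickname(nick):
    """Return (score, reasons) for an IRC NICK; weights assumed from the RBOT|DE-6182 example."""
    base = strip_extension(nick)
    if base in WHITELIST:                # exact whitelist hit (the n-gram similarity check is omitted)
        return 0, ["whitelisted"]
    score, reasons = 0, []
    for sub in SUSPICIOUS_SUBSTRINGS:    # one point per suspicious substring
        if sub in base:
            score += 1
            reasons.append(f"substring {sub}")
    for ch in sorted(SPECIAL_CHARS & set(base)):   # one point per distinct special character
        score += 1
        reasons.append(f"special character {ch}")
    if base.startswith(SUSPICIOUS_PREFIXES) or base.endswith(SUSPICIOUS_SUFFIXES):
        score += 1
        reasons.append("suspicious prefix/suffix")
    digits = sum(c.isdigit() for c in base)
    if digits >= 2:                      # every two digits add one point
        score += digits // 2
        reasons.append(f"{digits} digits")
    if any(r.match(base) for r in BOT_REGEXES):
        score += REGEX_POINTS
        reasons.append("regular expression match")
    return score, reasons

if __name__ == "__main__":
    for nick in ("RBOT|DE-6182", "jan_away", "l33t-xyz"):
        print(nick, *score_nickname(nick))   # RBOT|DE-6182 scores 16
```

Run over a NICK field extracted from monitored traffic, the score is what the slides' ad-hoc threshold would be applied to; the reasons list makes a high score reviewable before a warning is sent.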
9. Results I
▸ Detection of more than 300 bots within 3 months
▸ Comparison with Blast-o-Mat (see ;login: 31(6))
  – Custom IDS system at RWTH Aachen university
    • Detection of scanning machines via SYN threshold
    • Detection of spam-sending machines via threshold
    • Usage of honeypots to detect suspicious activities
▸ Preliminary results for a period of 14 days
  – Detection of 82 machines with Rishi
  – 34 of these were also detected by Blast-o-Mat
  – Remaining 48 machines undetected
  – Blast-o-Mat detected additional 20 hosts
  – 5 false positives
10. Results II
▸ Case study: detecting spam-bots
  – Bots that do not scan / propagate further (→ rather stealthy)
  – Presumably infected via drive-by downloads
  – Detection of communication channel via Rishi
  – Detected a couple of hours later due to spamming activity
▸ Case study: spotting botnet-tracking activity
  – Several TOR nodes (one exit node) within university network
  – Frequently observed within Rishi output
  – Definitely not bot-infected (Linux machine, known user)
  – Caused by botnet-tracking hosts that use TOR
11. Results III
▸ Case study: detecting modified IRC protocol
  – Rishi logged JOIN without any related info in connection object
  – Analysis revealed: bot with modified C&C protocol
    • NICK → SENDN
    • USER → SENDU
    • PRIVMSG → SENDP
    • But: JOIN was not modified
  – We could detect the incident since one protocol element was not changed
12. Limitations
▸ Detection of cleartext, IRC-based botnets
  – Most prevailing type of botnets nowadays, but this changes
  – Bots can use a dictionary to create nicknames
▸ Ad-hoc computation of final score
  – Better evaluation needed, taking care of false positives / negatives
▸ Dependence on regular expressions
  – No automated learning yet
  – Inclusion of nepenthes / CWSandbox results?
▸ Monitoring at the central router
  – RWTH Aachen has 10 GBit Ethernet with spikes > 3 GBit/s
13. Conclusion
▸ Rishi is a simple, yet effective way to detect bots
  – Based on evaluation of nickname
  – Ad-hoc scoring function
  – Generates warning e-mail (next step: automated mitigation)
▸ Detected more than 300 bot-infected machines
▸ Orthogonal to other IDS system used within university
  – Combination of both?

Thanks a lot for your attention!