While botnets such as Storm, Kraken and Conficker have carried out their destructive campaigns largely undetected and with little to stop them, a group of researchers says it has come up with a way to use a botnet's own technology to defeat it.
At next month's Usenix conference, researchers from the University of Illinois at Urbana-Champaign will present a paper that states: "Starting with the Storm botnet a few years ago, a number of new botnets have moved away from a centralized command and control design to a P2P architecture. This lets them carry out sophisticated coordination activities while being resilient to the loss of infected machines. However, the use of structured P2P design can also be used to defend against botnets. We show that this increase in resilience also leads to a loss of stealth."
What the group is proposing is called BotGrep, an inference algorithm that takes as input a set of observations (IP address pairs, with no port or packet-level information) forming a communication graph and outputs a list of hosts suspected of being part of the botnet, the researchers stated.
"Specifically, BotGrep works by searching for connections within the communication graph; since these botnet topologies are much more highly structured than background Internet traffic, we can partition by detecting sub-graphs that exhibit different topological patterns from each other or the rest of the graph. To use this observation, BotGrep first analyzes the graph structure to determine several metrics regarding the connectivity of hosts to different hosts. It then attempts to partition the graph into two (or more) pieces based on this metric, to separate bot from non-bot hosts," the researchers state.
The researchers said that while graph analysis has been applied to botnet and P2P detection in the past, their work exploits the relationships in communication traffic to a significantly larger extent than that earlier work. "Based on experimental results, we find that under typical workloads and topologies our techniques localize 93-99% of hosts with a false positive probability of less than 0.6%. While our techniques do not achieve perfect accuracy, we believe they can be used in conjunction with previously proposed techniques like traceback and anomaly detection to speed up or improve confidence in botnet detections," the researchers stated.
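The pipeline the two passages above describe (bare IP-address pairs in, a communication graph built from them, a per-host connectivity metric, a partition into bot and non-bot hosts, and the detection and false-positive rates of the result) as an added example in Python. This is illustrative code written for this page, not the BotGrep authors' implementation: the local-regularity metric, the two thresholds and the constructed traffic (a Chord-like ring of 30 bots embedded in client/server traffic, plus a small legitimate mesh of four clients) are all assumptions, and the metric is a far simpler stand-in for the graph analysis the paper performs.

```python
"""Toy BotGrep-style partitioning of a communication graph (added example,
not the authors' code). Observations are bare IP-address pairs; the graph is
scored with a simple local regularity metric and split into bot / non-bot."""
import math
from collections import defaultdict

# Assumed thresholds (not from the paper): a node is "regular" when its degree
# is within a factor of 2 of the median degree of its neighbours, and only
# regular clusters of at least MIN_CLUSTER nodes are reported.
THRESHOLD = math.log(2)
MIN_CLUSTER = 8


def build_graph(pairs):
    """Undirected communication graph from (src_ip, dst_ip) observations.
    Repeated flows between the same pair collapse into one edge."""
    adj = defaultdict(set)
    for a, b in pairs:
        if a != b:
            adj[a].add(b)
            adj[b].add(a)
    return adj


def regularity_score(adj, v):
    """|ln(deg(v) / median neighbour degree)|: near 0 in a structured overlay,
    where every peer keeps a similar-sized routing table; large in
    client/server traffic, where low-degree clients talk to high-degree hubs."""
    degs = sorted(len(adj[u]) for u in adj[v])
    if not degs:
        return math.inf
    median = degs[len(degs) // 2]
    return abs(math.log(len(adj[v]) / median))


def components(adj, nodes):
    """Connected components of the subgraph induced by `nodes`."""
    seen, comps = set(), []
    for start in nodes:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            v = stack.pop()
            if v in comp:
                continue
            comp.add(v)
            stack.extend(u for u in adj[v] if u in nodes and u not in comp)
        seen |= comp
        comps.append(comp)
    return comps


def detect(pairs, threshold=THRESHOLD, min_cluster=MIN_CLUSTER):
    """Return (candidates, flagged): hosts whose local structure looks like a
    P2P overlay, and the subset that sits in a large enough cluster of them."""
    adj = build_graph(pairs)
    candidates = {v for v in adj if regularity_score(adj, v) < threshold}
    flagged = set()
    for comp in components(adj, candidates):
        if len(comp) >= min_cluster:
            flagged |= comp
    return candidates, flagged


def synthetic_observations():
    """Constructed traffic (not real data): 30 bots in a Chord-like ring with
    finger links at distance 1, 2, 4 and 8; 200 clients each talking to two of
    ten servers; every bot also talking to one server; and four clients that
    form a small legitimate mesh. Returns (pairs, bots, benign)."""
    bots = [f"10.1.0.{i}" for i in range(30)]
    clients = [f"10.2.0.{j}" for j in range(200)]
    servers = [f"203.0.113.{s}" for s in range(10)]
    pairs = []
    for i in range(30):
        for off in (1, 2, 4, 8):
            pairs.append((bots[i], bots[(i + off) % 30]))
        pairs.append((bots[i], servers[i % 10]))
    for j in range(200):
        pairs.append((clients[j], servers[j % 10]))
        pairs.append((clients[j], servers[(7 * j + 3) % 10]))
        pairs.append((servers[j % 10], clients[j]))  # repeated flow, same edge
    for a in range(100, 104):
        for b in range(a + 1, 104):
            pairs.append((clients[a], clients[b]))
    return pairs, set(bots), set(clients) | set(servers)


def evaluate(flagged, bots, benign):
    """(detection rate, false positive rate) of a flagged host set."""
    return len(flagged & bots) / len(bots), len(flagged & benign) / len(benign)


if __name__ == "__main__":
    pairs, bots, benign = synthetic_observations()
    candidates, flagged = detect(pairs)
    print("raw candidates :", evaluate(candidates, bots, benign))
    print("after filtering:", evaluate(flagged, bots, benign))
```

On this input the metric alone flags all 30 bots plus the four meshed clients (about a 2% false-positive rate on the 210 benign hosts); the cluster-size filter then drops the four-node mesh, leaving only the bots. A large legitimate P2P overlay would survive both steps, which is the kind of imperfect accuracy the researchers acknowledge and why they propose pairing the graph partition with traceback or anomaly detection rather than acting on it alone.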
In the BotGrep paper the group lays out several key botnet tracking challenges:
- An ideal botnet detection infrastructure would be able to observe traffic and tag packets (or flows, or hosts) that are suspected of being part of a botnet. However, botnet traffic may be encrypted, use arbitrary ports, and have arbitrary packet sizes and interarrival delays, and hence seems hard to detect just by looking at packets and their payloads.
- Background traffic on the Internet is highly variable and continuously changing, and likely dwarfs the small amount of control traffic exchanged between botnet hosts. Moreover, the botnet structure and communication patterns may not be known in advance.
- While it is clear that multiple networks, or multiple routers within a single network, may cooperate to isolate traffic, it is less clear specifically how that isolation should be done in an algorithmic fashion.
Over time there have been a few big, successful botnet take-downs. For example, in May the Federal Trade Commission got a judge to effectively shut down the Internet service provider 3FN, which the agency said specialized in spam, porn, botnets, phishing and all manner of malicious Web content. The ISP's servers and other assets were seized and will be sold by the court, and the operation has been ordered to turn over $1.08 million to the FTC.
In June 2009 the FTC charged that 3FN, which does business as Triple Fiber Network, APS Telecom, APX Telecom, APS Communications, APS Communication and Pricewert LLC, actively recruited and colluded with criminals to distribute harmful electronic content including spyware, viruses, Trojan horses, phishing schemes, botnet command-and-control servers, and pornography featuring children, violence, bestiality and incest. The FTC alleged that the defendant advertised its services in the darkest corners of the Internet, including a chat room for spammers.
In June 2009, when a court issued a preliminary injunction against 3FN, spam volumes dropped by about 15%, according to M86.
Follow Michael Cooney on Twitter: nwwlayer8