Network World
Thursday, July 24, 2008

Layer 8

Prototype software sniffs out, disrupts botnets

Researchers this week detailed a prototype system to identify and eradicate botnets in the wild. 

Georgia Tech’s BotSniffer uses network-based anomaly detection to identify botnet command and control channels in a local area network without any prior knowledge of signatures or server addresses, the researchers said. The goal is ultimately to detect and disrupt botnet-infected hosts in the network.

The researchers said their prototype, which was presented at the Internet Society's Network and Distributed System Security Symposium this week, is based on the fact that botnets engage in coordinated communication, propagation, attack and fraudulent activities. BotSniffer can capture network command and control protocols and use statistical algorithms to detect botnets. The researchers also said they built the BotSniffer detectors as plug-ins on top of the popular open source Snort intrusion detection system, but that BotSniffer is independent of Snort and is not included in the Snort distribution.

“We evaluated BotSniffer using many real-world network traces. The results show that BotSniffer can detect real-world botnets with high accuracy and has a very low false positive rate,” the researchers said.

Botnet command and control traffic, which often uses the Internet Relay Chat (IRC) or HTTP protocols, is difficult to detect because it follows normal protocol usage and looks similar to normal network traffic. Botnet traffic volume is low as well and may be encrypted, adding to the difficulty, the researchers said.

“However, we observe that the bots of a botnet demonstrate spatial-temporal correlation and similarities due to the nature of their pre-programmed response activities to control commands. This helps us identify command and control within network traffic. For instance, at a similar time, the bots within a botnet will execute the same command -- obtain system information, scan the network -- and report to the command and control server with the progress/result of the task. Normal network activities are unlikely to demonstrate such a synchronized or correlated behavior. Using BotSniffer’s sequential hypothesis testing algorithm, when we observe multiple instances of correlated and similar behaviors, we can conclude that a botnet is detected.”
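A simplified illustration of the correlated-response check described above, added here as example code and not BotSniffer's own implementation: per candidate channel (server, port), it measures what fraction of the channel's clients "report back" in the same time window, then feeds those per-window observations to a sequential probability ratio test. The flow records, the 10-second window, the 0.5 density threshold and the hypothesis-test parameters are all constructed assumptions.

```python
import math
from collections import defaultdict


def make_flows():
    """Constructed sample records (t_sec, client, server, port), one per
    client-to-server message on a candidate command-and-control channel."""
    flows = []
    bots = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
    for k in range(5):                      # five commands, 60 s apart, all bots answer
        for i, b in enumerate(bots):
            flows.append((60.0 * k + i * 0.5, b, "198.51.100.5", 6667))
    users = ["10.0.0.21", "10.0.0.22", "10.0.0.23"]
    for i, u in enumerate(users):           # ordinary chat users talk at unrelated times
        flows.append((17.0 * i + 3.0, u, "203.0.113.9", 6667))
    return flows


def crowd_density(flows, window=10.0):
    """Per (server, port) channel, the ordered per-window 'response crowd'
    density: clients active in that window / all clients seen on the channel.
    Idle windows (no messages on the channel) are skipped."""
    clients = defaultdict(set)
    active = defaultdict(lambda: defaultdict(set))
    for t, client, server, port in flows:
        chan = (server, port)
        clients[chan].add(client)
        active[chan][int(t // window)].add(client)
    return {chan: [len(active[chan][w]) / len(clients[chan]) for w in sorted(active[chan])]
            for chan in clients}


def sprt(densities, tau=0.5, theta1=0.9, theta0=0.2, alpha=0.001, beta=0.01):
    """Sequential probability ratio test over window observations. H1 (botnet):
    a window is 'dense' (density >= tau) with probability theta1; H0 (normal):
    with probability theta0. alpha/beta bound false positives/negatives."""
    upper = math.log((1 - beta) / alpha)    # accept H1 once the log-likelihood ratio reaches this
    lower = math.log(beta / (1 - alpha))    # accept H0 once it drops to this
    llr = 0.0
    for d in densities:
        llr += math.log(theta1 / theta0) if d >= tau else math.log((1 - theta1) / (1 - theta0))
        if llr >= upper:
            return "botnet"
        if llr <= lower:
            return "normal"
    return "undecided"                      # keep watching: more windows needed


def classify(flows, window=10.0):
    """Verdict per channel; each channel is judged only on its own clients' timing."""
    return {chan: sprt(d) for chan, d in crowd_density(flows, window).items()}
```

No per-client signature is needed: the bots' channel is flagged purely because its clients keep responding in the same windows, while the chat server's clients never do.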

The researchers said they consider the botnet’s use of command and control channels to be the weakest link of a botnet. “If we can take down an active command and control or simply interrupt the communication to the command and control, the botmaster will not be able to control his botnet. Moreover, the detection of the command and control channel will reveal the command and control servers and the bots in a monitored network. Therefore, understanding and detecting the command and controls has great value in the battle against botnets,” researchers said.

BotSniffer joins BotHunter, BotMiner and BotProbe as emerging techniques for fighting botnets. BotHunter, for example, is a dialog-correlation-based engine that recognizes the communication patterns of malware-infected computers within a network.

Certainly tracking and eradicating botnets is a growing business. The Storm botnet, which has grown into a large remotely controlled botnet since the initial worm appeared a year ago to infect victims' machines, has a real-time tracker on Secure Computing's TrustedSource.org research portal, which displays real-time information compiled through sensors maintained in 75 countries.

Big security software vendors such as McAfee, Symantec and Trend Micro have added botnet-fighting features to their packages. Others, such as Endeavor Security, working through a Department of Homeland Security funded research program, are introducing products that can help combat malware.

In its third annual survey of network infrastructure security, network security firm Arbor Networks found that ISPs see botnets as the most significant threat. It marked the first time that Arbor had listed botnets as a survey option for potential threats to Internet service; in previous editions of the survey, DDoS attacks had been the overwhelming choice as the top threat.

FBI Director Robert Mueller has called botnets one of the Internet’s gravest dangers. "Once under their thumbs, [botnets] can wreak all kinds of havoc, from shutting down a power grid to flooding an emergency call center with millions of spam messages."

The FBI in November said its Operation ‘Bot Roast’ had netted eight individuals that have been indicted, pled guilty, or been sentenced for crimes related to botnet activity.  Additionally, 13 search warrants were served in the U.S. and by overseas law enforcement partners in connection with the operation, the FBI said. This ongoing effort has thus far uncovered more than $20 million in economic loss and more than one million victim computers.  


Lots of big important-sounding words, but I bet we don't see any effective action against spammers/hackers/botherders in 2008 either, or in 2009, or in 2010 etc.
Project Honeypot boasts that there are now >20 million honeypots out there, collecting data on spammer harvester bots so spammers can be prosecuted. What are they doing with all the data they're collecting? Nothing. It's just an intellectual exercise which has wasted the time, hopes and goodwill of everyone who's installed a honeypot.
Hackers/spammers rule the internet and no-one is going to do anything to make a difference. The USA's "You CAN spam" 'law' has been around for 4 years. What has it achieved in practical terms? Nothing. You only need to look at the Spam Cop statistics to see that.

Even some of the software


Even some of the software doesn't work. The Nepenthes honeypot software, something I have not used, is vulnerable when you do a VNC scan on a network. The Nepenthes honeypot will reply FOOBAR-MUTTER as the computer's name on the VNC scan.

Go through your VNC logs, delete all the FOOBAR-MUTTER results and you're fine.

What about infected PC's of ordinary users


It will be great to see large network operators securing their networks with this software system, but what about the millions of ordinary users connecting to the Internet with infected PCs? Take all these PCs suddenly out of the equation and you'll cripple some large botnets around the world.

Stubborn ISPs often fail to take action against infected users; will they use this software system on their networks? I guess this is something that remains to be seen.

The concept seems very promising, but I'm more worried about the implementation of such a system.

This sounds terrible


Paranoid Android is a song by Radiohead and seems to be what we are all turning into. I'm for security, but this is obviously Orwellian in nature and plain scary. I would never work for a company who implemented this.
