ScamFraudAlert > DDOS & Spam Attacks - Storm Worm Botnets and Zombie Computers

How safe are you online? How safe is your computer? This forum will focus on the threats that botnets pose. We see this as an IMMINENT DANGER.

#1, 02-17-08, 01:14 AM
Scrub, Administrator (Join Date: Feb 2005, Location: CyberWorld, Posts: 22,065)
Prototype Software Sniffs Out, Disrupts Botnets

Submitted by Layer 8 on Fri, 02/15/2008 - 2:49pm

Researchers this week detailed a prototype system to identify and eradicate botnets in the wild.

Georgia Tech’s BotSniffer uses network-based anomaly detection to identify botnet command and control channels in a local area network without any prior knowledge of signatures or server addresses, the researchers said. The idea is to ultimately detect and disrupt botnet infected hosts in the network.

The researchers said their prototype, which was presented at the Internet Society's Network and Distributed System Security Symposium this week, is based on the fact that botnets engage in coordinated communication, propagation, and attack and fraudulent activities. BotSniffer can capture network command and control protocols and utilize statistical algorithms to detect botnets. The researchers also said they built BotSniffer detectors as plug-ins on top of the popular open source Snort intrusion detection system, but that BotSniffer is independent of Snort and not included in the Snort distribution.

“We evaluated BotSniffer using many real-world network traces. The results show that BotSniffer can detect real-world botnets with high accuracy and has a very low false positive rate,” the researchers said.

Botnet command and control traffic, which often uses Internet Relay Chat (IRC) or HTTP protocols, is difficult to detect because it follows normal protocol usage and is similar to normal network traffic. Botnet traffic volume is low as well and may contain encrypted communication, adding to the difficulty, researchers said.

“However, we observe that the bots of a botnet demonstrate spatial-temporal correlation and similarities due to the nature of their pre-programmed response activities to control commands. This helps us identify command and control within network traffic. For instance, at a similar time, the bots within a botnet will execute the same command -- obtain system information, scan the network -- and report to the command and control server with the progress/result of the task. Normal network activities are unlikely to demonstrate such a synchronized or correlated behavior. Using BotSniffer’s sequential hypothesis testing algorithm, when we observe multiple instances of correlated and similar behaviors, we can conclude that a botnet is detected.”

The researchers said they consider the botnet’s use of command and control channels to be the weakest link of a botnet. “If we can take down an active command and control or simply interrupt the communication to the command and control, the botmaster will not be able to control his botnet. Moreover, the detection of the command and control channel will reveal the command and control servers and the bots in a monitored network. Therefore, understanding and detecting the command and controls has great value in the battle against botnets,” researchers said.

BotSniffer joins BotHunter, BotMiner and BotProbe as emerging techniques to fight botnets. BotHunter, for example, is a dialog-correlation-based engine that recognizes the communication patterns of malware-infected computers within a network.

Certainly tracking and eradicating botnets is a growing business. The Storm botnet, which has grown into a large remotely controlled botnet since the initial worm appeared a year ago to infect victims' machines, has a real-time tracker on Secure Computing's TrustedSource.org research portal which displays real-time information compiled through sensors maintained in 75 countries.

Big security software vendors such as McAfee, Symantec and Trend Micro have added botnet-fighting features to their packages. Others, such as Endeavor Security, working through a Department of Homeland Security funded research program, are introducing products that can help combat malware.

In their third annual survey of network infrastructure security, network security firm Arbor Networks found that botnets are seen as the most significant threat by ISPs. It marked the first time that Arbor had listed botnets as a survey option for potential threats to Internet service; in previous editions of the survey, DDoS attacks had been the overwhelming choice as the top threat.

The Federal Bureau of Investigation's Director Robert Mueller called botnets one of the Internet’s most grave dangers. "Once under their thumbs, [botnets] can wreak all kinds of havoc, from shutting down a power grid to flooding an emergency call center with millions of spam messages."

The FBI in November said its Operation ‘Bot Roast’ had netted eight individuals that have been indicted, pled guilty, or been sentenced for crimes related to botnet activity. Additionally, 13 search warrants were served in the U.S. and by overseas law enforcement partners in connection with the operation, the FBI said. This ongoing effort has thus far uncovered more than $20 million in economic loss and more than one million victim computers.

NetworkWorld.com
Last edited by Scrub; 02-17-08 at 01:29 AM.
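The article above describes two ideas without showing code: bots of one botnet respond to commands at roughly the same time with similar content (spatial-temporal correlation), and a sequential hypothesis test turns repeated observations of such rounds into a detection with bounded false-positive and false-negative rates. The following is an added example illustrating those two ideas on a constructed message log; it is not part of the original post and not Georgia Tech's BotSniffer code. The 60-second window, the density and similarity thresholds, the SPRT parameters (theta0, theta1, alpha, beta) and the sample events are all assumptions made for the illustration.

```python
"""Toy group-activity detector: per-server time windows + sequential probability ratio test.
Added example, not BotSniffer's implementation; all parameters are assumed values."""
import math
import re
from collections import defaultdict

# Constructed sample events: (timestamp_seconds, client, server, message sent to the server).
SAMPLE_EVENTS = [
    # Four clients of 10.0.0.9:6667 report in lockstep every ~2 minutes with near-identical text.
    *[(t + i, f"192.168.1.{10 + i}", "10.0.0.9:6667", f"scan 192.168.2.0/24 done, {i + 2} hosts")
      for t in (5, 125, 245) for i in range(4)],
    *[(365 + i, f"192.168.1.{10 + i}", "10.0.0.9:6667", f"sysinfo: WinXP SP2 uptime {40 + i}h")
      for i in range(4)],
    # Three clients of an internal web server talk to it at unrelated times with unrelated requests.
    (10, "192.168.1.20", "10.0.0.20:80", "GET /index.html"),
    (140, "192.168.1.21", "10.0.0.20:80", "POST /login"),
    (260, "192.168.1.22", "10.0.0.20:80", "GET /reports/q1.pdf"),
    (380, "192.168.1.20", "10.0.0.20:80", "GET /images/logo.png"),
]


def normalize(message):
    """Collapse digit runs so 'done, 3 hosts' and 'done, 4 hosts' share one template."""
    return re.sub(r"\d+", "#", message.lower()).strip()


def window_is_correlated(responding, all_clients, density_threshold=0.5, similarity_threshold=0.5):
    """A window counts as a coordinated response round when a large share of the server's
    clients responded (density) and most of them sent the same message template (similarity)."""
    density = len(responding) / len(all_clients)
    template_counts = defaultdict(int)
    for templates in responding.values():
        for template in templates:  # each client counted once per template
            template_counts[template] += 1
    similarity = max(template_counts.values()) / len(responding)
    return density >= density_threshold and similarity >= similarity_threshold


class SequentialTest:
    """Wald's sequential probability ratio test over boolean 'correlated round' observations.
    H1: a botnet C&C channel, where a round is correlated with probability theta1;
    H0: a benign server, where that probability is theta0. alpha/beta bound the error rates."""

    def __init__(self, theta0=0.2, theta1=0.8, alpha=0.005, beta=0.01):
        self.upper = math.log((1 - beta) / alpha)      # accept H1 (botnet) at or above this
        self.lower = math.log(beta / (1 - alpha))      # accept H0 (benign) at or below this
        self.step_yes = math.log(theta1 / theta0)
        self.step_no = math.log((1 - theta1) / (1 - theta0))
        self.llr = 0.0

    def observe(self, correlated):
        self.llr += self.step_yes if correlated else self.step_no
        if self.llr >= self.upper:
            return "botnet"
        if self.llr <= self.lower:
            return "benign"
        return None  # keep watching


def detect(events, window_seconds=60):
    """Return {server: (verdict, rounds_observed)} after running the SPRT per server."""
    all_clients = defaultdict(set)                                   # server -> clients ever seen
    windows = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))  # server -> window -> client -> templates
    for ts, client, server, message in events:
        all_clients[server].add(client)
        windows[server][int(ts // window_seconds)][client].add(normalize(message))

    verdicts = {}
    for server, per_window in windows.items():
        test = SequentialTest()
        verdict, rounds = "undecided", 0
        for window_index in sorted(per_window):  # only windows with traffic are observations
            rounds += 1
            decision = test.observe(window_is_correlated(per_window[window_index], all_clients[server]))
            if decision:
                verdict = decision
                break
        verdicts[server] = (verdict, rounds)
    return verdicts


if __name__ == "__main__":
    for server, (verdict, rounds) in detect(SAMPLE_EVENTS).items():
        print(f"{server}: {verdict} after {rounds} observed windows")
```

With the assumed parameters the log-likelihood ratio moves by ln(4) per window, so four correlated windows exceed the botnet threshold ln(198) and four uncorrelated ones fall below the benign threshold; a real deployment would tune theta0 and theta1 from observed traffic and would not rely on exact-template matching, which the article notes is defeated by encrypted channels.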