Capturing Malicious Bots Using a Beneficial Bot and Wiki

Takashi Yamanoue, Kentaro Oda, Koichi Shimozono (Kagoshima University)

Upload: takashi-yamanoue

Posted on 06-May-2015

ACM SIGUCCS 2012 @ Memphis, 18 Oct.

TRANSCRIPT

Page 1: Title

Capturing Malicious Bots Using a Beneficial Bot and Wiki

Takashi Yamanoue, Kentaro Oda, Koichi Shimozono, Kagoshima University

Page 2: Contents

• Introduction
• Implementation
• Usage Example
• Related Research
• Concluding Remarks

Page 3: Introduction

• A bot
– runs automated tasks over the Internet,
– is usually a malicious application,
– is controlled by a malicious herder.

• Herder
– the master of the bot.

Page 4: Introduction

• Many recent viruses are used for recruiting a host into a botnet.
– A botnet is a collection of malicious bots.
– Malicious bots in a campus LAN
• leak private information of students and research secrets,
• spam other people,
• attack other web sites via DDoS.

Page 5: Introduction

• A campus with malicious bots may be considered to be engaging in criminal activity.

Page 6: Introduction

• The manager of the campus LAN has to be careful about malicious bots and remove the bot quickly when found.

Page 7: Introduction

• A firewall and Network Address Translation (NAT) enhance the network security of a LAN.

Page 8: Introduction

• NAT or firewall
– defends the LAN against intrusion of a malicious bot,
– like a house protected by a door with a key.
– Only permitted IP packets may pass through the firewall or the NAT, much like only people who have the key may pass through the door of the house.

Page 9: Introduction

Page 10: Introduction

• When a host in the sub-LAN is compromised by a malicious bot, it is hard to identify the compromised host from outside the LAN, much like it is hard to find a robber who is hidden in the house or the building.
– DHCP and IPv6 with the privacy address extension (RFC 3041) also make it difficult:
– the IP address is changed dynamically.

Page 11: Introduction

Page 12: Introduction

• A campus LAN = a central network infrastructure + sub-LANs.
• Some sub-LANs may be protected by a firewall or a NAT.

(Figure labels: The Internet; Sub-LAN; Sub-LAN; Sub-LAN; Central Network Infrastructure)

Page 13: Introduction

• Network managers sometimes have to find out bots which are hidden in such protected sub-LANs.

Page 14: Introduction

• One way to realize this is to prohibit use of a firewall or a NAT for a sub-LAN.

Page 15: Introduction

• It is easy to define the rule, but unrealistic because broadband routers with firewall or NAT function are so common.

"Laws are made to be broken"

Page 16: Introduction

• When malicious communication between a bot in a protected sub-LAN and another host on the outside is discovered by the manager of the central network infrastructure (the central manager),

Page 17: Introduction

• the central manager usually directs the manager of the sub-LAN to disconnect the sub-LAN from the central network infrastructure immediately.

Page 18: Introduction

• The sub-manager inspects all PCs in the sub-LAN using anti-virus software.

Page 19: Introduction

• The bot cannot always be found, because
– anti-virus software cannot find 0-day attacks, and
– the central manager cannot observe the malicious communication inside the sub-LAN.

Page 20: Introduction

• Sometimes the central manager would like to monitor sub-LANs in order to find the compromised host. The compromised host should be found as quickly as possible.

Page 21: Introduction

• The central manager can monitor the sub-LAN by re-configuring the LAN.

Page 22: Introduction

• However, such re-configuration without care may cause serious trouble (e.g. a loop).
– Such re-configuration usually takes a long time.

Page 23: Introduction

• The manager should have an easy and fast way to monitor and control sub-LANs.

Page 24: Introduction

• We have made a network security controlling system which uses
– a remote security device and
– a web site with wiki software (PukiWiki).

Page 25: Introduction

• The device can be deployed fast and easily because it is portable.

Page 26: Introduction

• The central manager can monitor and control the sub-LAN behind a firewall or a NAT easily from a web site with common wiki software, using the remote security device.

Page 27: Introduction

Page 28: Introduction

• The remote security device is a kind of bot which is controlled by the central manager.

Page 29: Introduction

• The device can do the following:
– Monitor traffic between hosts in the sub-LAN and outside hosts.
– Filter out malicious packets of the traffic.

Page 30: Introduction

– Intercept DNS query packets from the suspicious host and return the IP address of a fake host which pretends to be the herder's host.
– Pretend to be the herder's host, for example by returning a fake SYN-ACK packet in response to the SYN packet from the suspicious host.

Page 31: Introduction

(Figure labels: The Internet; Organization's Central Network Infrastructure; The Wiki Site; Portable Remote Security Device; Sub-LAN; Auxiliary Switch; NAT or Router; IDS; Fire-Wall; Virus Infected Host; This Security Controlling System; Original Connection; Auxiliary Wi-fi AP)

Page 32: Implementation

Portable Remote Security Device

Page 33: Implementation

Page 34: Implementation

• Filter/Controller
– If the packet matches a "select pattern",
• pass the packet through (from one DAQ to the other DAQ) and
• send the information of the packet's frame to the wiki access engine with the status.
– If the packet matches a "drop pattern",
• do not pass the packet through, and send the information of the packet's frame to the wiki access engine with the status.

Page 35: Implementation

– If the packet matches a "forward pattern",
• replace the destination IP address and destination port with the IP address and port of a pseudo application on a pseudo host, and pass the rewritten packet to the other DAQ.
• Send the information of the original packet's frame to the wiki access engine with the status.

Page 36: Implementation

– Sends a packet to one of the bridges from one of the DAQs. The packet sent is one of the following:
• The pseudo SYN-ACK packet in response to a SYN packet among the dropped packets.
• The pseudo DNS answer packet in response to a DNS query packet.

Page 37: Implementation

Page 38: Usage Example - Booting and Setting

Page 39: Usage Example - Booting and Setting

Page 40: Usage Example - Booting and Setting

Page 41: Usage Example - Booting and Setting

Page 42: Usage Example - Monitoring and Controlling

(Screenshot annotation: "Click here, and here")

Page 43: Usage Example - Monitoring and Controlling

Page 44: Usage Example - Monitoring and Controlling

Page 45: Usage Example - Commands and Results

• get ip=<IP address>
• get startsWith <String constant>
– Ex. "PING", "PONG", "NIC", "USER" for IRC.
• lan2wan drop ip=<IP address>
• wan2lan drop ip=<IP address>

Page 46: Usage Example - Commands and Results

• lan2wan return-syn-ack ip=<IP address>
• lan2wan forward ip=<IP address 1> to <IP address 2>:<Port>
• lan2wan dns-intercept ip=<IP address 1> to <IP address 2>
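The Filter/Controller patterns (Pages 34-36) and the wiki commands (Pages 45-46), as one added Python simulation that is not the TrafficController project's own code: parse_command turns lines as they would appear on the wiki page into rules, and apply_rules classifies a constructed packet as pass, drop, pseudo SYN-ACK, forward to a pseudo host, or fake DNS answer, returning the record the device would write back with the suspicious host's MAC address (Page 52). The packet model, the verdict strings, and the reading that ip= may name either end of a flow are assumptions made here.

```python
from dataclasses import dataclass

@dataclass
class Packet:             # constructed packet model, not the project's own code
    direction: str        # "lan2wan" or "wan2lan": which DAQ it arrived on
    src_mac: str          # the MAC the device reports to the wiki page
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes = b""
    syn: bool = False     # bare TCP SYN, eligible for a pseudo SYN-ACK
    dns_query: str = ""   # queried name when the packet is a DNS query

def parse_command(line):
    """Turn one wiki command line into a rule dict; None if it is not a command."""
    t = line.split()
    if len(t) > 1 and t[0] == "get" and t[1].startswith("ip="):
        return {"action": "select", "ip": t[1][3:]}
    if len(t) > 2 and t[0] == "get" and t[1] == "startsWith":
        return {"action": "select", "prefix": " ".join(t[2:]).strip('"')}
    if len(t) > 2 and t[0] in ("lan2wan", "wan2lan") and t[2].startswith("ip="):
        rule = {"direction": t[0], "action": t[1], "ip": t[2][3:]}
        if t[1] in ("drop", "return-syn-ack"):
            return rule
        if t[1] in ("forward", "dns-intercept") and len(t) == 5 and t[3] == "to":
            return dict(rule, to=t[4])
    return None           # ordinary wiki text, or malformed (forward/dns-intercept need "to <target>")

def apply_rules(pkt, rules):
    """First matching rule decides; returns (verdict, record of the ORIGINAL frame)."""
    for r in rules:
        if "direction" in r and r["direction"] != pkt.direction:
            continue
        if "ip" in r and r["ip"] not in (pkt.src_ip, pkt.dst_ip):
            continue      # assumption: ip= may name either end of the flow
        if "prefix" in r and not pkt.payload.startswith(r["prefix"].encode()):
            continue
        act = r["action"]
        if act == "dns-intercept" and not pkt.dns_query:
            continue      # only DNS queries from that host are intercepted
        rec = dict(mac=pkt.src_mac, src=pkt.src_ip, dst=f"{pkt.dst_ip}:{pkt.dst_port}", status=act)
        if act == "return-syn-ack":
            return ("syn-ack" if pkt.syn else "drop"), rec
        if act == "dns-intercept":
            return "dns-answer " + r["to"], rec   # fake answer names the pseudo host
        if act == "forward":
            host, port = r["to"].rsplit(":", 1)
            pkt.dst_ip, pkt.dst_port = host, int(port)   # steer to the pseudo host
        return ("pass" if act == "select" else act), rec
    return "pass", None   # no pattern matched: bridge the packet untouched
```

Rules are evaluated in the order they appear on the page, so a drop line placed above a select line wins for packets that match both.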

Page 47: Usage Example - Commands and Results

Page 48: Usage Example - Responding to Infection

• The central manager identifies the suspicious sub-LAN by using an IDS, a firewall, or a managed security monitoring service.

Page 49: Usage Example - Responding to Infection

• The central manager asks the sub-manager of the sub-LAN to disconnect the NAT or router of the sub-LAN from the central network infrastructure.

Page 50: Usage Example - Responding to Infection

• The central manager writes commands on the wiki page to capture and filter out the suspicious packets. The manager configures the remote security device to connect it to the wiki page.

Page 51: Usage Example - Responding to Infection

• The central manager sends the portable sensor device to the sub-manager
– after the sub-manager agrees with the need for identifying the suspicious host.
• The sub-manager connects the remote security device to the sub-LAN and starts it.

Page 52: Usage Example - Responding to Infection

• The remote security device reads the commands on the wiki page periodically.
• When the device detects suspicious packets, it drops them and writes information about the packets, together with the MAC address of the suspicious host in the sub-LAN, on the wiki page.

Page 53: Usage Example - Responding to Infection

• The central manager confirms the information of the suspicious packets on the wiki page, and if the manager judges the packets to be malicious,
• the central manager asks the sub-manager to disconnect the host from that sub-LAN.

Page 54: Usage Example - Responding to Infection

• If the central manager wants a deeper analysis of the traffic, the manager can prepare a telnet server and write commands on the wiki page for forwarding the packets from the suspicious host to the telnet server.

Page 55: Usage Example - Responding to Infection

• When a suspicious packet is forwarded to the telnet server, the central manager can see the contents of the packet and can respond to the packet on the telnet server.

Page 56: Usage Example - Responding to Infection

• When the sub-manager cannot identify the suspicious host, the central manager writes the command, which transfers packets from the host to a notification web server, on the wiki page.

Page 57: Usage Example - Responding to Infection

• The notification web server
– notifies the user of the suspicious host that the host is suspicious and asks the user of the host to call the sub-manager.
• The sub-manager
– disconnects the suspicious host.

Page 58: Usage Example - Responding to Infection

Page 59: Related Research

• Security Monitoring System
• Snort
• Observing MAC address at the WAN side
• Unix device with two NICs
• KASEYA and UNIFAS

Page 60: Concluding Remarks

• Bot for bot
• An easy way of incident response
• Wiki
• Not so stable yet for real use
– Hope to have your support, assistance, ...
– https://github.com/takashiyamanoue/TrafficController
• Should not turn to the dark side.

Page 61: Reference

• Masato Masuya, Takashi Yamanoue, Shinichiro Kubota, "An Experience of Monitoring University Network Security Using a Commercial Service and DIY Monitoring", Proceedings of the 34th annual ACM SIGUCCS conference on User services, pp. 225-230, Edmonton, Alberta, Canada, 5-8 Nov. 2006.

Page 62

Page 63