
Page 1

Trapping Botnets by DNS failure graphs: Validation, Extension and Application to a 3G Network

Arian Bär, Antonio Paciello, Peter Romirer-Maierhofer
Telecommunications Research Center Vienna (FTW)

Contact: [email protected]

Page 2

© FTW 2012

Recent Botnet attacks

Dec. 2012 – Eurograbber bot steals € 36 million
– Infects PCs and smartphones, modified version of Zeus

Mar. 2013 – Attack on Spamhaus
– Up to 300 Gbps incoming traffic, using DNS reflection

Apr. 2013 – Attack on WordPress
– 90k distinct IP addresses, approx. 100k bots

Very common application: email spam

Do we have bots in our network?

Pages 3-12

Botnet Introduction

[Figure, built up over slides 3-12: Zombie hosts, a Botmaster and the Internet between them. The command-and-control point is shown first as the IP address 9.9.9.9, then as the domain name evil-botnet.com, then as a set of generated names (hasdaflv.org, fjruswfx.org, eufoewui.org, pqcfedte.org), of which pqcfedte.org is singled out on slide 12.]

Page 13

Problem Description and Data

Mobile networks are very attractive for botnets
– Always-on mobile devices with high computational capabilities

Mobile network specific threats
– Cell/Core overload
– Network specific attacks (e.g. malicious calls)
– Steal critical information (e.g. mobile TAN)

Data from a major European mobile operator
– Serving hundreds of thousands of hosts
– 83 days analyzed for botnet tracking
– Provides a stable anonymized Mobile Station IDentifier (MSID)

Page 14

Our Approach

DNS failure graph analysis
– Graph formed by hosts requesting non-existing domain names
– Target: find botnets using Domain Generation Algorithms (DGA)
– Based on methods presented by Jiang et al. (*)

(*) Nan Jiang, Jin Cao, Yu Jin, L.E. Li, and Zhi-Li Zhang. Identifying suspicious activities through DNS failure graph analysis. In Network Protocols (ICNP), 2010 18th IEEE International Conference on, pages 144–153, October 2010.

[Figure: example failed queries yotube.com, facebook.con, iluysad.org, kjnnwwx.org]

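As an added example (not the FTW code), the following Python builds the failure graph described on this slide from resolver answers: a host is linked to a name only when the answer was NXDOMAIN, so SERVFAIL and timeouts (which say something about the resolver, not about the name) stay out, and repeated queries for the same name collapse into one unweighted edge. The log lines and their `timestamp host qname rcode` layout are constructed for the example and are not any real resolver's format.

```python
"""Build a DNS failure graph (hosts <-> non-existent names) as a bipartite
0/1 adjacency matrix from NXDOMAIN answers.

Added example, not FTW's code. The log layout is a constructed
"timestamp host qname rcode" line, not a real resolver format.
"""
from collections import defaultdict

# Constructed sample: one line per DNS answer seen at the operator's resolver.
SAMPLE_LOG = """\
1370000001 host-a yotube.com NXDOMAIN
1370000002 host-a facebook.com NOERROR
1370000003 host-b iluysad.org NXDOMAIN
1370000004 host-b kjnnwwx.org NXDOMAIN
1370000005 host-c iluysad.org NXDOMAIN
1370000006 host-c kjnnwwx.org NXDOMAIN
1370000007 host-c kjnnwwx.org NXDOMAIN
1370000008 host-d facebook.con NXDOMAIN
1370000009 host-d www.example.org SERVFAIL
"""


def parse_failures(log_text):
    """Return {host: set(qname)} keeping only NXDOMAIN answers.

    SERVFAIL and timeouts are dropped on purpose: they describe the resolver,
    not whether the name exists. Repeated queries for the same name collapse
    into one edge, so the graph is unweighted like the one on the slides.
    """
    edges = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            edges[host].add(qname.lower().rstrip("."))
    return dict(edges)


def adjacency_matrix(edges):
    """Hosts as rows, failed names as columns, 1 where the host asked for the name."""
    hosts = sorted(edges)
    names = sorted(set().union(*edges.values())) if edges else []
    col = {n: j for j, n in enumerate(names)}
    matrix = [[0] * len(names) for _ in hosts]
    for i, h in enumerate(hosts):
        for n in edges[h]:
            matrix[i][col[n]] = 1
    return hosts, names, matrix


if __name__ == "__main__":
    hosts, names, m = adjacency_matrix(parse_failures(SAMPLE_LOG))
    print("hosts:", hosts)
    print("names:", names)
    for h, row in zip(hosts, m):
        print(f"{h:7s}", " ".join(str(v) for v in row))
```

On a real resolver feed the same filter should also exclude the operator's own aggregation points (forwarding resolvers, NAT gateways) as "hosts", otherwise one row of the matrix stands for thousands of subscribers and every cluster containing it looks enormous.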

Page 16

Adjacency Matrix of Failed DNS Queries

Pages 17-21

Hamming Distance Reordering (worked example, built up over slides 17-21)

Original Matrix:

1 1 1
0 0 1
1 0 1

Re-ordered Matrix (columns placed one at a time):

1 1 1
1 0 0
1 1 0

Apply the same for rows

Page 22

Approach: Adjacency Matrix Reordering

Matrix reordering according to Hamming distance

X and Y axes are re-ordered separately
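The greedy re-ordering behind slides 17-22, as an added Python example that is not the FTW implementation. The slides show the result but not the selection rule, so the rule used here (start from the column with the most 1s, then repeatedly append the unplaced column with the smallest Hamming distance to the last one placed, then do the same for the rows of the column-ordered matrix) is an assumption; it reproduces the 3x3 example from the slides, which is embedded as `SLIDE_MATRIX`.

```python
"""Greedy Hamming-distance re-ordering of a 0/1 adjacency matrix, columns
first, then rows, so that hosts failing on the same names end up adjacent.

Added example, not FTW's code. The selection rule (densest vector first,
then nearest-neighbour chaining) is an assumption that reproduces the
slides' 3x3 example.
"""


def hamming(a, b):
    """Number of positions where two equal-length 0/1 vectors differ."""
    return sum(x != y for x, y in zip(a, b))


def greedy_order(vectors):
    """Permutation of indices: densest vector first, then always the unplaced
    vector with the smallest Hamming distance to the last placed one
    (ties broken by the lower index, so the result is deterministic)."""
    if not vectors:
        return []
    remaining = list(range(len(vectors)))
    start = max(remaining, key=lambda i: sum(vectors[i]))
    order = [start]
    remaining.remove(start)
    while remaining:
        last = vectors[order[-1]]
        nxt = min(remaining, key=lambda i: (hamming(last, vectors[i]), i))
        order.append(nxt)
        remaining.remove(nxt)
    return order


def transpose(matrix):
    return [list(col) for col in zip(*matrix)]


def reorder_columns(matrix):
    """Re-order only the columns (the slides' intermediate 'Re-ordered Matrix')."""
    col_order = greedy_order(transpose(matrix))
    return col_order, [[row[j] for j in col_order] for row in matrix]


def reorder(matrix):
    """Columns, then rows ('apply the same for rows').
    Returns (row_order, col_order, re-ordered matrix)."""
    col_order, cols_done = reorder_columns(matrix)
    row_order = greedy_order(cols_done)
    return row_order, col_order, [cols_done[i] for i in row_order]


# The 3x3 example from the slides.
SLIDE_MATRIX = [
    [1, 1, 1],
    [0, 0, 1],
    [1, 0, 1],
]

if __name__ == "__main__":
    rows, cols, final = reorder(SLIDE_MATRIX)
    print("column order:", cols, "row order:", rows)
    for r in final:
        print(" ".join(map(str, r)))
```

Nearest-neighbour chaining costs O(n²) distance computations per axis; for one day of a network with hundreds of thousands of hosts it has to run on the sparse name sets of each host (Hamming distance of two sparse 0/1 vectors is the size of the symmetric difference of their sets) rather than on dense lists, but the ordering logic is unchanged.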

Page 23

Approach: Cluster Identification

Zoom reveals clusters of hosts and domain names

Identify clusters by DBSCAN clustering

Are all those clusters caused by botnets?

[Figure: zoomed re-ordered matrix with the clusters marked]
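Cluster identification with DBSCAN, as an added Python example rather than the FTW code. The slides do not give the distance measure or the parameters; Hamming distance between matrix rows, `eps=1` and `min_pts=3` (the point itself counts) are assumptions chosen to fit the constructed 8x6 matrix below, in which hosts h0-h3 share one set of failed names, h4-h6 another, and h7 fails on a name of its own.

```python
"""DBSCAN over the hosts of a DNS failure graph: each host is its 0/1 row of
the adjacency matrix, two hosts are close when they fail on (almost) the
same names, and dense groups of such hosts become clusters.

Added example, not FTW's code. Distance measure and parameters are
assumptions for the constructed matrix below.
"""

NOISE = -1


def hamming(a, b):
    """Number of positions where two equal-length 0/1 rows differ."""
    return sum(x != y for x, y in zip(a, b))


def dbscan(rows, eps, min_pts, dist=hamming):
    """Label each row: 0, 1, ... for clusters, NOISE for rows in no cluster.

    Textbook DBSCAN: a row with at least min_pts rows (itself included)
    within distance eps is a core point; a cluster is grown from a core
    point through its neighbours; a non-core neighbour joins as a border
    point but is not expanded further.
    """
    n = len(rows)
    labels = [None] * n

    def neighbours(i):
        return [j for j in range(n) if dist(rows[i], rows[j]) <= eps]

    cluster = 0
    for i in range(n):
        if labels[i] is not None:
            continue
        if len(neighbours(i)) < min_pts:
            labels[i] = NOISE            # may still become a border point later
            continue
        labels[i] = cluster
        queue = [j for j in neighbours(i) if j != i]
        while queue:
            j = queue.pop()
            if labels[j] == NOISE:
                labels[j] = cluster      # border point: joins, is not expanded
                continue
            if labels[j] is not None:
                continue
            labels[j] = cluster
            nb = neighbours(j)
            if len(nb) >= min_pts:       # j is a core point: keep growing
                queue.extend(k for k in nb if labels[k] is None or labels[k] == NOISE)
        cluster += 1
    return labels


def clusters_of(hosts, labels):
    """Group host identifiers by cluster label, dropping noise."""
    groups = {}
    for h, lab in zip(hosts, labels):
        if lab != NOISE:
            groups.setdefault(lab, []).append(h)
    return groups


# Constructed adjacency matrix: rows are hosts, columns are six failed names.
HOSTS = ["h0", "h1", "h2", "h3", "h4", "h5", "h6", "h7"]
ROWS = [
    [1, 1, 1, 0, 0, 0],   # h0..h3 fail on the same three names
    [1, 1, 1, 0, 0, 0],
    [1, 1, 0, 0, 0, 0],
    [1, 1, 1, 0, 0, 1],
    [0, 0, 0, 1, 1, 0],   # h4..h6 fail on two other names
    [0, 0, 0, 1, 1, 0],
    [0, 0, 0, 1, 0, 0],
    [0, 0, 0, 0, 0, 1],   # h7 is on its own
]

if __name__ == "__main__":
    labels = dbscan(ROWS, eps=1, min_pts=3)
    print(labels)
    print(clusters_of(HOSTS, labels))
```

Hamming distance treats two hosts with 50 and 51 failed names as close, but also two hosts with 2 and 3 failed names, so on real data a size-normalised measure (Jaccard distance between the name sets) and eps/min_pts chosen per day from the distribution of neighbour counts behave better. The slide's question still applies afterwards: a dense cluster can also come from a popular typo or a misconfigured app, so each cluster needs to be inspected before it is called a botnet.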

Pages 24-25

Found Clusters

Top 5 identified clusters in one day

Tracking clusters
– By active suspicious domain names requested by cluster K
– Utilizing stable MSID

Page 26

Cluster A (Conficker)

Page 27

Cluster B (tang0-hote1.com)

Page 28

Conclusion

We identified bots in a 3G mobile network

Our approach: stable MSID
– Robust to IP churn
– Allows tracking of botnet size over long periods of time
– Reveals a possibly much larger botnet size (up to 6 times)

We speculate that botnets are larger than reported by current botnet trackers

Page 29

Outlook

Study impact of IP churn
– Compare number of different IPs with MSIDs

Combine results from different networks
– Combine data from different data sources
– If a name is suspicious in two networks it is more suspicious

Combine with active domain name analysis
– e.g. with the approach presented by Andreas Berger

Page 30

Contact: [email protected]

Thank you for your attention

Page 31

Backup - Slides

Page 32

System Overview

Page 33

Cluster Tracking

Track clusters by active domain names

Domain Cluster Ratio (DCR)
– Was the name mainly requested by cluster K?

Cluster Internal Ratio (CIR)
– How common was it in cluster K?

Find domains mainly requested by hosts of a cluster

Tracking was applied to the two largest clusters
– Cluster A (Conficker) tracked over 14 days
– Cluster B (tang0-hote1.com) tracked over 83 days
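Tracking a cluster with DCR and CIR, as an added Python example (not FTW's code). The slides name the two ratios but do not spell them out, so the definitions in the docstring, the thresholds and the day-to-day update rule are this example's assumptions. Hosts are keyed by a stable MSID, which is what lets membership carry across days when IP addresses change. The three-day sample data is constructed: the DGA-style names differ every day, a fifth host gets infected on the second day, one host is silent on the third, and yotube.com is a typo that unrelated hosts also fail on, so it must not become a tracking name.

```python
"""Track a cluster of hosts from day to day through the names that
characterise it: high DCR (the name is mostly requested by the cluster)
and high CIR (most of the cluster requests it).

Added example, not FTW's code. Ratio definitions, thresholds and the
update rule are assumptions; hosts are identified by stable MSID.
"""
from collections import defaultdict


def requesters_by_domain(failures):
    """{msid: set(domain)} for one day -> {domain: set(msid)}."""
    by_domain = defaultdict(set)
    for msid, names in failures.items():
        for d in names:
            by_domain[d].add(msid)
    return by_domain


def cluster_domains(failures, cluster, min_dcr=0.75, min_cir=0.5):
    """Names that are specific to the cluster (DCR) and common inside it (CIR).

    Assumed definitions:
      DCR(d, K) = |hosts of K that failed on d| / |all hosts that failed on d|
      CIR(d, K) = |hosts of K that failed on d| / |hosts of K seen today|
    Returns {domain: (DCR, CIR)} for the names passing both thresholds.
    """
    by_domain = requesters_by_domain(failures)
    members = set(cluster) & set(failures)      # cluster members active today
    if not members:
        return {}
    selected = {}
    for d, req in by_domain.items():
        in_k = len(req & members)
        if in_k == 0:
            continue
        dcr, cir = in_k / len(req), in_k / len(members)
        if dcr >= min_dcr and cir >= min_cir:
            selected[d] = (round(dcr, 3), round(cir, 3))
    return selected


def track(days, seed_cluster, **thresholds):
    """days: per-day {msid: set(failed domain)}; returns one member set per day.

    Day 0 membership is the seed found by clustering. On each later day the
    characteristic names are those that the previous day's members (by
    stable MSID) fail on today, and every host failing on any of them joins.
    Tracking records an empty set and stops once no characteristic name is left.
    """
    members = set(seed_cluster)
    history = [members]
    for today in days[1:]:
        active = cluster_domains(today, members, **thresholds)
        if not active:
            history.append(set())
            break
        by_domain = requesters_by_domain(today)
        members = set().union(*(by_domain[d] for d in active))
        history.append(members)
    return history


def size_estimate(history):
    """(largest daily membership, distinct MSIDs seen over the whole period)."""
    return max(len(m) for m in history), len(set().union(*history))


# Constructed three-day sample (m* = infected MSIDs, b* = unrelated hosts).
DAYS = [
    {"m1": {"a1.org", "a2.org", "a3.org", "yotube.com"}, "m2": {"a1.org", "a2.org", "a3.org"},
     "m3": {"a1.org", "a2.org", "a3.org"}, "m4": {"a1.org", "a2.org", "a3.org"},
     "b1": {"yotube.com"}, "b2": {"gogle.com"}},
    {"m1": {"b1.org", "b2.org", "yotube.com"}, "m2": {"b1.org", "b2.org"}, "m3": {"b1.org", "b2.org"},
     "m4": {"b1.org", "b2.org"}, "m5": {"b1.org", "b2.org"},       # m5: newly infected
     "b1": {"yotube.com"}, "b3": {"b1.org"}},                        # b3: stray hit on one name
    {"m2": {"c1.org"}, "m3": {"c1.org", "yotube.com"}, "m4": {"c1.org"}, "m5": {"c1.org"},
     "b1": {"yotube.com"}},                                         # m1 silent today
]
SEED = {"m1", "m2", "m3", "m4"}

if __name__ == "__main__":
    hist = track(DAYS, SEED)
    for day, members in enumerate(hist):
        print(day, sorted(members))
    print("size estimate (max daily, distinct MSIDs):", size_estimate(hist))
```

The DCR threshold is what keeps shared failures such as yotube.com out of the tracking set; the CIR threshold keeps a name that only one member happened to hit from pulling in everyone else who hit it. Because membership is carried by MSID rather than by address, a host that changes IP between days (or shares a NAT address with non-members) is neither lost nor double counted, which is the point of the "stable MSID" bullet on the slides.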

Pages 34-35

Analyzing Found Clusters

Sort clusters by distinct Second Level Domains (SLD)
– SLD(D(K)) – number of distinct SLDs for cluster K
– D(K) – number of domains of cluster K

Top 5 Clusters according to
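Counting distinct second-level domains per cluster, as an added Python example (not FTW's code). The ranking key is the number of distinct SLDs, SLD(D(K)), with D(K) returned alongside it; a DGA cluster scores high because every generated name is its own SLD, while a cluster that fails on many subdomains of one dead zone scores 1. Extracting the SLD correctly needs the Public Suffix List (co.uk is a suffix, not a registrable domain); the tiny `PUBLIC_SUFFIXES` set here is a stand-in assumption, and the four clusters are constructed.

```python
"""Rank clusters of a DNS failure graph by the number of distinct
second-level domains among the names they failed on.

Added example, not FTW's code. PUBLIC_SUFFIXES is a tiny stand-in for the
Public Suffix List and is an assumption of this example.
"""

PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "com.au"}


def sld(name):
    """Registrable domain: one label above the longest matching public suffix.
    Unknown suffixes fall back to the last two labels."""
    labels = name.lower().rstrip(".").split(".")
    for n in range(len(labels) - 1, 0, -1):      # longest candidate suffix first
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def cluster_sld_stats(clusters):
    """{K: set(domain)} -> {K: (SLD(D(K)), D(K))}."""
    return {k: (len({sld(d) for d in names}), len(names))
            for k, names in clusters.items()}


def rank_clusters(clusters, top=5):
    """Cluster ids sorted by distinct SLDs, then by number of names, then by id."""
    stats = cluster_sld_stats(clusters)
    return sorted(stats, key=lambda k: (-stats[k][0], -stats[k][1], k))[:top]


# Constructed clusters: A looks like DGA output, B like one dead zone with
# many subdomains, C like typos of popular sites, D mixes two co.uk zones.
CLUSTERS = {
    "A": {"hasdaflv.org", "fjruswfx.org", "eufoewui.org", "pqcfedte.org"},
    "B": {"a.cdn-dead.net", "b.cdn-dead.net", "c.cdn-dead.net", "d.cdn-dead.net", "e.cdn-dead.net"},
    "C": {"yotube.com", "gogle.com", "facebok.com"},
    "D": {"x.evil.co.uk", "y.evil.co.uk", "z.other.co.uk"},
}

if __name__ == "__main__":
    for k in rank_clusters(CLUSTERS):
        print(k, cluster_sld_stats(CLUSTERS)[k])
```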

Page 36

Cluster A (Conficker)

Page 37

Outline

Why do we need this

Mobile network data

DNS filtering and labeling

Clustering queries

Describe found clusters

Explain Churn

Show Tracking

Summary

Page 38

Effect of IP churn

Previous approaches
– Botnet tracking uses IPs to estimate the total size of the botnet
– Many ISPs assign dynamic IPs to hosts (i.e. IP addresses may be shared among different hosts)

Our approach: stable MSID
– Reveals a much larger botnet size (up to 6 times)
– Botnets might be larger than expected
– Allows tracking of botnet size over long periods of time

We speculate that botnets are larger than reported by current botnet trackers

Page 39

Conclusion

Validation of the approach of Jiang et al.

Applied to a larger 3G network

Extended by an efficient DBSCAN cluster identification

5 clusters of suspicious hosts analyzed

2 clusters tracked over a long time

Our study indicates a much larger botnet size