RE: detecting network crowd surges

I've seen use of HTTP by bots on the rise a bit and have seen two
implementations in some detail. Much of it is fairly trivial to detect,
like IRC protocol running on port 80. A couple of examples I've seen were
harder to spot.

One was a request for a page that looked like most any normal auth form
for webmail services. It was hosted on a compromised box belonging to a
major website so the traffic we had looked mostly harmless. I showed
it to some engineers at an IDS vendor and the consensus was that it was
pretty tough to write a signature against; the traffic it produced was
pretty small and what we had looked pretty normal. We ended up detecting
it by the user agent which was a bit different owing to the use of some
HTTP library for Delphi used by the bot developer. We used a simple
snort rule (only useful in this specific case, but the approach was
somewhat interesting):

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Trojan control get??? command"; content:"User-Agent: UtilMind HTTPGet|0D 0A|"; sid:1000001; rev:1;)

Another clever example was a bot which issued a GET for a normal looking
page and parsed for base64 encoded commands contained in HTML comments.
There were three commands: sleep, download & execute file, and reverse
shell. This isn't hard to spot once you know the pattern but there's
bound to be better stuff out there.

Looking for misshapen traffic symmetry, like HTTP sessions with large
outbound data streams, is one technique I've heard people have some
success with. Regular expressions can spot data outbound if you're
looking for structured data like account numbers. Some products also
look for high outbound HTTP connection rates that are too fast to be
human or HTTP sessions that cross a time threshold. Simple data volume
thresholds are too easily triggered by streaming apps, in my experience,
unless you consider the direction and traffic shape as in the misshapen
symmetry example above.

Craig Chamberlain
craig@xxxxxxxxxx
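Added illustration, not part of the original post: the three heuristics described above (an odd User-Agent, outbound-heavy HTTP sessions that streaming traffic does not trip, and base64 blobs hidden in HTML comments) run over constructed session summaries. The HttpSession record, the thresholds and the sample values are assumptions; the User-Agent fragment is the one from the post.

```python
import base64
import binascii
import re
from collections import namedtuple

# One HTTP session as a flow monitor would summarise it (bytes_out = client -> server).
HttpSession = namedtuple("HttpSession",
    "client server bytes_out bytes_in seconds user_agent response_body", defaults=("",))

ODD_AGENTS = ("UtilMind HTTPGet",)   # fragment from the post; extend from your own telemetry
# HTML comment whose whole payload is a base64-looking blob of 12+ chars.
B64_COMMENT_RE = re.compile(r"<!--\s*([A-Za-z0-9+/]{12,}={0,2})\s*-->")

def odd_user_agent(ua):
    return any(tag in ua for tag in ODD_AGENTS)

def outbound_heavy(sess, min_out=50_000, ratio=5.0):
    # Streaming is inbound-heavy, so raw volume is noisy: require the client to
    # have SENT far more than it received, with a floor to ignore small chatter.
    return sess.bytes_out >= min_out and sess.bytes_out >= ratio * max(sess.bytes_in, 1)

def base64_comments(body):
    """Decode each HTML comment that is a syntactically valid base64 blob."""
    found = []
    for blob in B64_COMMENT_RE.findall(body):
        try:
            found.append(base64.b64decode(blob, validate=True))
        except binascii.Error:    # right alphabet, wrong length or padding
            continue
    return found

def analyze(sess, max_seconds=3600):
    """Names of the heuristics this session trips (empty list if none)."""
    alerts = []
    if odd_user_agent(sess.user_agent):
        alerts.append("odd-user-agent")
    if outbound_heavy(sess):
        alerts.append("outbound-heavy")
    if sess.seconds > max_seconds:        # sessions that outlive any human page view
        alerts.append("long-lived")
    if base64_comments(sess.response_body):
        alerts.append("b64-in-comment")
    return alerts

# Constructed sample sessions (not real traffic); the comment decodes to b"sleep 3600".
SAMPLES = [
    HttpSession("10.0.0.5", "203.0.113.10", 400, 1200, 0.4, "UtilMind HTTPGet"),
    HttpSession("10.0.0.6", "203.0.113.20", 400_000, 2_000, 20.0, "Mozilla/5.0"),
    HttpSession("10.0.0.7", "203.0.113.30", 5_000, 50_000_000, 900.0, "Mozilla/5.0"),
    HttpSession("10.0.0.8", "203.0.113.40", 300, 900, 0.3, "Mozilla/5.0",
                "<html><!-- c2xlZXAgMzYwMA== --><!-- end of header --></html>"),
]
```

The third sample is the streaming case: large inbound volume alone trips nothing, which is the point of checking direction rather than raw bytes.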

-----Original Message-----
From: Jose Nazario [mailto:jose@xxxxxxxxxx]
Sent: Tuesday, August 08, 2006 1:11 PM
To: mikeiscool
Cc: Ron Gula; focus-ids@xxxxxxxxxxxxxxxxx
Subject: Re: detecting network crowd surges

On Tue, 8 Aug 2006, mikeiscool wrote:

I wonder, though, is this how real botnets are controlled?

based on our measurements and observations, IRC is the
dominant method for botnet control at this time. but HTTP
methods, similar to the ones you described, are coming on in
popularity. poll frequencies range from 5 seconds to 1 hour or more.

________
jose nazario, ph.d. jose@xxxxxxxxxx
http://monkey.org/~jose/ http://monkey.org/~jose/secnews.html
http://www.wormblog.com/

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world
attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
