© Fraunhofer FKIE
A General-purpose Laboratory for
Large-scale Botnet Experiments
Cyber Defense
Thomas Barabosch, Sebastian Eschweiler, Mohammad Qasem, Daniel
© Cyber Defense Research Group, Fraunhofer FKIE
Botnet Analysis Approaches
Mathematical modelling
Stochastic simulation
Real world data analysis
Reasons for us to design a new laboratory
Previous work already exists, e.g. Deter or SecSI/LHS labs
Need for own laboratory due to confidentiality requirements
Complementary analysis to our in-house reverse engineering process
Design of our Botnet Analysis Laboratory
Design Criteria
Design criteria based on Calvet et al., "Isolated virtualised clusters: testbeds for high-risk security experimentation and training"
Security
Scale
Realism
Flexibility
Sterilizability
Architectural key aspects
Realistic simulation of selected parts of the Internet
Total isolation of the laboratory
Network nodes
Using our Botnet Analysis Laboratory
Setting up an experiment: infrastructure
Select network-template and VM templates
Experimenter can also provide his own templates
In case additional infrastructure is needed
Provide entities
Setting up an experiment: information gathering
Network-based sensors
Choose routers that should capture network traffic
Easy adjustment using BPF syntax
Host-based sensors
Setting up an experiment: roll out
Once properly configured: roll it out!
Initial setup time
32 VMs ~ 50 minutes
512 VMs ~ 7 hours
What is Citadel?
Zeus
Communication with C&C server
[Diagram: Citadel bot, DNS, CnC server at 11.22.33.44; four numbered steps of the bot's C&C communication]
Countermeasure
Takedown via domain replacement
[Diagram: the DNS entry citadel-cnc.com -> 11.22.33.44 is replaced by citadel-cnc.com -> 55.66.77.88 (Sinkhole); the Citadel bot now reaches the sinkhole at 55.66.77.88, while the original CnC server at 11.22.33.44 is left asking "What shall I do?"]
Architectural key aspects
Realistic simulation of selected parts of the Internet
Total isolation of the laboratory
Total observability within the laboratory
secure analysis of malware
Countermeasure
Takedown via domain replacement
DNS entry: citadel-cnc.com -> 11.22.33.44 becomes citadel-cnc.com -> 55.66.77.88
Malicious DNS entry is replaced by benign DNS entry at a certain point in time
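The domain-replacement takedown above can be reproduced inside the isolated laboratory with a small DNS authority that serves the C&C record until a cut-over time and the sinkhole record afterwards. The following is an added example and not Fraunhofer FKIE's code; the cut-over timestamp is constructed, and only A queries for the single domain from the slides are handled.

```python
# Lab DNS authority that serves the Citadel C&C record until a cut-over
# time and the sinkhole record afterwards (domain-replacement takedown).
# Added example, not Fraunhofer FKIE's code; only A queries are handled.
import socket
import struct

CNC_DOMAIN = "citadel-cnc.com"
CNC_IP = "11.22.33.44"        # C&C address from the slides
SINKHOLE_IP = "55.66.77.88"   # sinkhole address from the slides
TAKEDOWN_AT = 1000.0          # constructed cut-over timestamp (seconds)

def answer_for(name, now, takedown_at=TAKEDOWN_AT):
    """A record to serve for `name` at time `now`, None if unknown."""
    if name.rstrip(".").lower() != CNC_DOMAIN:
        return None
    return SINKHOLE_IP if now >= takedown_at else CNC_IP

def build_query(txid, name):
    """Encode the standard A query a bot sends for `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def parse_question(pkt):
    """Decode the header and first question: (txid, name, qtype, raw question)."""
    txid = struct.unpack("!H", pkt[:2])[0]
    off, labels = 12, []
    while pkt[off]:                      # labels end with a zero-length label
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    off += 1
    qtype = struct.unpack("!H", pkt[off:off + 2])[0]
    return txid, ".".join(labels), qtype, pkt[12:off + 4]

def build_response(txid, question, ip, ttl=60):
    """Authoritative reply with one A record (short TTL so caches expire fast), or NXDOMAIN when ip is None."""
    if ip is None:
        return struct.pack("!HHHHHH", txid, 0x8583, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)   # QR, AA, RD, RA set
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr

def handle(pkt, now, takedown_at=TAKEDOWN_AT):
    """Answer one raw query as the lab authority would at time `now`."""
    txid, name, qtype, question = parse_question(pkt)
    ip = answer_for(name, now, takedown_at) if qtype == 1 else None
    return build_response(txid, question, ip)

def answered_ip(resp):
    """IP from the single A record in a reply, None for NXDOMAIN."""
    return socket.inet_ntoa(resp[-4:]) if struct.unpack("!H", resp[6:8])[0] else None
```

Bound to a UDP socket on the laboratory's DNS node, with the VMs' resolver pointed at it, this authority makes every bot that resolves citadel-cnc.com after the cut-over land on the sinkhole at 55.66.77.88, where the check-ins can be counted by the network sensors.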
Conclusion & Outlook
Presentation of a general-purpose laboratory for large-scale botnet
experiments
Realistic simulation of selected parts of the Internet
Total isolation of the laboratory
Total observability within the laboratory
Future work
Integration of bare-metal machines