THIS IS HISTORY! Check fabien.benetou.fr for news.


Schemas on botnets

Overall step by step process

(:pmgraphviz -- digraph { "drive" -> "writing"; "drive" -> "injection" [label="use of existing code"]; "writing" -> "injection"; "injection" -> "propagation"; "propagation" -> "propagation" [label=" +=1 machine"]; "propagation" -> "stagnation"; "stagnation" -> "stagnation" [label=" stealth wait for request"]; "stagnation" -> "propagation"; "stagnation" -> "synchronization" [style=dashed]; "stagnation" -> "action"; "synchronization" -> "action" [style=dashed]; "stagnation" -> "upgrade" [style=dashed]; "writing" -> "upgrade" [style=dashed]; "upgrade" -> "stagnation" [style=dashed]; "synchronization" -> "stagnation" [style=dashed]; "action" -> "stagnation"; } :)

Each step of the graph, in order:

  1. Drive: what motivates one to use a botnet
  2. Writing: how one builds it, based on existing code or by delegating it
  3. Injection: how one initiates it (bootstrap phase, injection in the network)
  4. Propagation: how the botnet agents propagate from machine to machine to gather more agents
  5. Stagnation: how each agent stays stealthy while waiting for more commands
  6. Synchronization: how all the agents synchronize themselves when organization is required (for example a DDoS), which is mainly communication
  7. Action: finally doing one of the possible actions (the real payload)
  8. Upgrade: being able to upgrade itself in order to do more actions, stay stealthier, ...

Transmission vectors

Without user-interaction

(:pmgraphviz -- digraph { "infected node" -> "infected node" [label="0 - scans network"]; "infected node" -> "vulnerable targeted node" [label="1 - scan for exploit"]; "vulnerable targeted node" -> "infected node" [label="2 - unknowingly request payload"]; "vulnerable targeted node" -> "vulnerable targeted node" [label="3 - execute payload and becomes another infected node"]; } :)

(:pmgraphviz -- digraph { "infected node" -> "infected node" [label="0 - scans external devices"]; "infected node" -> "external device" [label="1 - infect device\n(if possible autoruns)"]; "vulnerable targeted node" -> "external device" [label="2 - unknowingly request payload"]; "vulnerable targeted node" -> "vulnerable targeted node" [label="3 - execute payload and becomes another infected node"]; } :)

With user-interaction

(:pmgraphviz -- digraph { "infected node" -> "infected node" [label="0 - mines contacts"]; "infected node" -> "targeted node" [label="1 - social engineering\nfor drive-by download"]; "targeted node" -> "relay server" [label="2 - knowingly click on link"]; "targeted node" -> "targeted node" [label="3 - execute payload and becomes another infected node"]; } :)
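As an added example (not part of the original page), a small Python simulation of the "without user-interaction" loop above: every infected node scans random addresses, and each probe that lands on a still-vulnerable host recruits it (the "+=1 machine" edge of the first schema). The address space, vulnerable population, seed host and scan rate are constructed parameters, not measurements of any real worm; the point is to see how the pace of infection depends on the density of vulnerable hosts, which is exactly what patching changes.

```python
import random


def simulate_scanning_worm(address_space, vulnerable, seed_hosts,
                           scans_per_round, max_rounds, rng):
    """Random-scanning worm. One round = every infected node sends
    `scans_per_round` probes to random addresses (steps 0 and 1 of the
    schema). A probe that hits a vulnerable, not yet infected address makes
    that host fetch and run the payload (steps 2 and 3), so it joins the
    infected set for the next round. Returns the infected count per round."""
    vulnerable = frozenset(vulnerable)
    infected = set(seed_hosts) & vulnerable
    history = [len(infected)]
    for _ in range(max_rounds):
        if len(infected) == len(vulnerable):
            break  # nothing left to recruit
        newly = set()
        for _node in infected:
            for _ in range(scans_per_round):
                target = rng.randrange(address_space)
                if target in vulnerable and target not in infected:
                    newly.add(target)
        infected |= newly
        history.append(len(infected))
    return history


def rounds_to_reach(history, count):
    """Index of the first round with at least `count` infected hosts (None if never)."""
    for rnd, infected in enumerate(history):
        if infected >= count:
            return rnd
    return None


def run(address_space, n_vulnerable, scans_per_round, seed, max_rounds=500):
    """Convenience wrapper with a constructed population: the vulnerable hosts
    are addresses 0..n_vulnerable-1 and the single seed host is address 0."""
    return simulate_scanning_worm(address_space, range(n_vulnerable), [0],
                                  scans_per_round, max_rounds, random.Random(seed))


def compare_densities(address_space=10_000, scans_per_round=20, seed=1):
    """Same worm against a dense (10%) and a sparse (1%, i.e. mostly patched)
    vulnerable population. Returns the rounds needed to infect half of each."""
    results = {}
    for label, n_vuln in (("dense", address_space // 10),
                          ("sparse", address_space // 100)):
        history = run(address_space, n_vuln, scans_per_round, seed)
        results[label] = rounds_to_reach(history, n_vuln // 2)
    return results


if __name__ == "__main__":
    print(compare_densities())
```

The growth is logistic: each infected node recruits on average `scans_per_round * density` new hosts per round until the population is nearly exhausted, so halving the density roughly halves the early growth rate and the tail (the last few unpatched hosts) takes disproportionately long to find.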

Communication

Central C&C

(:pmgraphviz -- digraph { "herder" -> "C&C" [label="request action"]; "C&C" -> "node A"; "C&C" -> "node B"; "C&C" -> "node C"; "node A" -> "target"; "node B" -> "target"; "node C" -> "target"; } :)

  1. group the botnet nodes

P2P

(:pmgraphviz -- digraph { "herder" -> "node A" [label="request action"]; "node A" -> "node B"; "node A" -> "node C"; "node B" -> "node C"; "node B" -> "node D"; "node A" -> "target"; "node B" -> "target"; "node C" -> "target"; "node D" -> "target"; } :)

  1. group the botnet nodes
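As an added example (not from the original page), a Python model of the two communication schemas: a star where every bot depends on the C&C node, and a peer-to-peer mesh where the herder injects a command into a few entry bots that relay it to their peers. Node names, the peer count, the entry points and the takedown sets are constructed for illustration. Reachability from the herder after a takedown shows the difference that matters to a defender: removing the C&C silences the whole star, while sinkholing a tenth of the P2P bots barely reduces command coverage.

```python
import random
from collections import deque


def reachable(adj, start, removed=frozenset()):
    """Nodes reachable from `start` over the edges in `adj`, skipping `removed`."""
    if start in removed:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen and nxt not in removed:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def central_cc(bots):
    """Star topology of the 'Central C&C' schema: herder -> C&C -> every bot."""
    adj = {"herder": {"C&C"}, "C&C": set(bots)}
    adj.update({bot: set() for bot in bots})
    return adj


def p2p(bots, peers_per_bot, entry_points, rng):
    """'P2P' schema: the herder injects the command into a few entry bots;
    every bot keeps a bidirectional link to `peers_per_bot` random peers
    and relays whatever it receives."""
    adj = {bot: set() for bot in bots}
    adj["herder"] = set(entry_points)
    for bot in bots:
        for peer in rng.sample([b for b in bots if b != bot], peers_per_bot):
            adj[bot].add(peer)
            adj[peer].add(bot)
    return adj


def command_coverage(adj, bots, removed=frozenset()):
    """Fraction of surviving bots that still receive a herder command once
    the nodes in `removed` have been taken down."""
    alive = [bot for bot in bots if bot not in removed]
    if not alive:
        return 0.0
    got = reachable(adj, "herder", removed)
    return sum(bot in got for bot in alive) / len(alive)


def takedown_experiment(n_bots=200, peers_per_bot=4, takedown=20, seed=1):
    """Constructed botnet of `n_bots` nodes; a defender removes the C&C in the
    star case and `takedown` random bots in both cases."""
    rng = random.Random(seed)
    bots = [f"bot{i}" for i in range(n_bots)]
    star = central_cc(bots)
    mesh = p2p(bots, peers_per_bot, bots[:5], rng)
    sinkholed = frozenset(rng.sample(bots, takedown))
    return {
        "star_intact": command_coverage(star, bots),
        "star_without_cc": command_coverage(star, bots, {"C&C"}),
        "star_minus_bots": command_coverage(star, bots, sinkholed),
        "mesh_intact": command_coverage(mesh, bots),
        "mesh_minus_bots": command_coverage(mesh, bots, sinkholed),
    }


if __name__ == "__main__":
    for name, value in takedown_experiment().items():
        print(f"{name:18s} {value:.2f}")
```

The star also survives losing bots (the C&C still reaches every survivor), so the asymmetry is entirely about the one node the herder depends on; in the mesh a surviving bot is cut off only when all of its peers are removed at once, which is why P2P botnets are taken down by poisoning the peer lists rather than by seizing a single host.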

Fast flux / Double Fast Flux / Domain Flux

... right, later on.

Components

(:pmgraphviz -- digraph { cleannode [shape=record,label="uncontrolled node"]; target [shape=record,label="target"]; herder [shape=record,label="{herder control|{<r1>request action|request upgrade}}"]; subgraph clusterbotnet { label="Botnet"; style=filled; fillcolor=grey; nodeA [shape=record,style=filled,fillcolor=lightgrey,label="controlled node"]; nodeB [shape=record,style=filled,fillcolor=lightgrey,label="stealth mechanism\nunpacking\nxoring\nrewriting (polymorphism/metamorphism) |{ actual payload|{<a1>action1|action2|action3}| upgrade}| <com>communication | <pv>propagation vectors\nemail\ndrive-by download\nexploit"]; nodeA -> nodeB:com [label="transmit request"]; } herder:r1 -> nodeA [label="request action1 on target"]; nodeB:a1 -> target; nodeB:pv -> cleannode [label="propagation"]; cleannode -> clusterbotnet [label="join if succeed"]; } :)
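The "xoring" entry of the stealth mechanism, as an added example that is not from the original page: a single-byte XOR packer for an embedded C&C configuration string, next to the defender's side, which brute-forces the 256 possible keys and picks the one whose output contains a known fragment (a crib such as `http://`) or, failing that, the most printable output. The configuration string and the key are constructed for the demonstration. The point is that XOR with a fixed key hides the payload from a naive string search but not from anyone who tries every key, which is why the schema also lists polymorphism/metamorphism.

```python
import string
from typing import Optional

PRINTABLE = frozenset(string.printable.encode())


def xor_pack(data: bytes, key: int) -> bytes:
    """Single-byte XOR; packing and unpacking are the same operation."""
    if not 0 <= key <= 255:
        raise ValueError("key must be one byte")
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII, used as a plaintext heuristic."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def recover_key(blob: bytes, crib: bytes = b"http://") -> Optional[int]:
    """Defender side: try every key; return the first whose output contains
    the crib, otherwise the key giving the most printable output (the
    fallback is a heuristic and can tie). None for empty input."""
    if not blob:
        return None
    best_key, best_score = 0, -1.0
    for key in range(256):
        candidate = xor_pack(blob, key)
        if crib and crib in candidate:
            return key
        score = printable_ratio(candidate)
        if score > best_score:
            best_key, best_score = key, score
    return best_key


# Constructed sample: a C&C configuration a bot might carry, and the key used
# to hide it. Neither comes from a real sample.
SAMPLE_CONFIG = b"c2=http://cnc.example.invalid/gate.php;sleep=300;id=bot-0042"
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_pack(SAMPLE_CONFIG, SAMPLE_KEY)


def demo():
    """Returns (crib hidden from a naive search?, recovered key, recovered config)."""
    hidden = b"http://" not in SAMPLE_BLOB
    key = recover_key(SAMPLE_BLOB)
    return hidden, key, xor_pack(SAMPLE_BLOB, key)


if __name__ == "__main__":
    hidden, key, config = demo()
    print(f"crib hidden from naive search: {hidden}")
    print(f"recovered key: 0x{key:02x} -> {config.decode()}")
```

A fixed XOR key preserves the byte-frequency structure of the plaintext, so the same brute force works without a crib by ranking candidates on printability or on a language model of expected bytes; only a key that changes per sample (or real polymorphism of the unpacking stub) forces the analyst to look at the code rather than the data.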

Cognitive and technological arm-race

(simplified version) (:pmgraphviz -- digraph G { subgraph cluster_bh { style=filled; color=lightgrey; node [style=filled,color=white]; label = "black hat\n(accumulated knowledge,\nhighly secretive and competitive culture of the community)"; improving_malware; new_protection_threat_detected; new_protection_threat_detected -> improving_malware; improving_malware -> improving_malware [label="anticipating_protection_threat"]; } subgraph cluster_wh { node [style=filled]; label = "white hat\n(accumulated knowledge, culture of the community)"; color=blue; improving_protection; new_malware_threat_detected; new_malware_threat_detected -> improving_protection; improving_protection -> improving_protection [label="anticipating_malware_threat"]; } /* [label="anticipation"] */ /* [label="response"] */ drive [shape=Mdiamond,label="need to bypass\nlocal legislation"]; drive -> improving_malware; improving_protection -> new_protection_threat_detected; improving_malware -> new_malware_threat_detected; } :)

  1. show the notion of time delay and its consequences
    1. freshness of exploits
    2. pace of infections
    3. speed of attacks
  2. add the loop on counter-measures and machines to "recruit"
  3. eventually detail the detection mechanisms
    1. honeypots
    2. user submissions
    3. active research
  4. show that the loop produces complexity at a (potentially) increasing rate
    1. show the double loop and that it produces "model inclusion" (cf. also the picture from the drive page)
  5. highlight the differences of culture
    1. requirement to respect the law vs ... not having to
    2. cooperation/competition on both sides but with subtleties
    3. ?

Generalized theory

(to move to research)

  1. synthesize in 1 loop
    1. other loops (like biomimicry) have to be included to allow the loop to keep on working
      1. hypothesis: it is possible to generalize this phenomenon, as each knowledge-increasing arms-race loop requires other loops to fuel it, thus giving an interconnection of loops
    2. one considers intelligent something that, instead of following an order, gives a result that is more valuable regarding an overarching goal than what would have resulted from the initial order (as a note on 22nd Century: "World Wide Mind"), which could tend to lead one to see external loops as "intelligence" compared to the "local loop"
  2. advantage == time_required(knowledge_delta==0) > time_required(knowledge_delta++)
    1. meaning: supposing that every effect can have a counter-effect to cancel it, I have the advantage if and only if the time the other party needs to acquire my current knowledge is greater than the time I need to acquire more knowledge (supposedly a better model)
    2. time is only a part of the total cost of acquisition of a "piece" of knowledge; other variables should compose it to be more accurate (but it can be limited to time to start with)
    3. see also the derivatives for trends
  3. visual of the increasing number of variables taken into account (or whatever we consider to be gradual improvement contributing to the quality of the model)
    1. each loop being always an increase (really? pure positivism?)
    2. result being a predictive model with increasing accuracy (lowering the entropy of the model)

(plot: increasing number of parameters taken into account over time)

(plot: decreasing imprecision of the model over time; eventually to be replaced with a GNUPlot plot)

PS: the term "loop" is probably too blurry; it should be replaced by epistemic improvement, acquisition of knowledge, ...

Page last modified on May 29, 2009, at 11:02 AM