Chintan Shah (McAfee)
The Internet Relay Chat (IRC) protocol was exploited extensively in the past for botnet activity. However, close scrutiny of IRC traffic by intrusion prevention systems has led to a decline in its use for C&C, and a gradual shift towards the far less scrutinized HTTP protocol for command-and-control activity. HTTP is a preferred choice because traffic generated by bot activity blends in with regular web traffic, making it very hard for network administrators to single out bot activity.
We have developed a practical solution for detecting web-based botnets and advanced persistent threats (APTs). Our approach provides near real-time detection of botnets that use HTTP for their C&C activity. It uses behavioural analysis and heuristics to detect previously unseen (zero-day) botnets, including APTs, without any a priori knowledge of their characteristics.
We actively monitor the amount of HTTP traffic generated by each host and determine its state: a host is 'idle' when its traffic does not cross a set threshold. On idle hosts, our detection algorithm looks for repetitive HTTP connects to the same domain, even at a very low rate or done in a stealthy manner. Once the number of repetitive HTTP connects to a domain from an idle host crosses a threshold, the flow is labelled a 'suspicious flow' and scrutinized further. Having identified such suspicious repetitive HTTP activity from an idle or asleep host, we apply several heuristics that are hard for an attacker to defeat to the suspicious flow and assign it a score based on our evaluation.
The efficacy of our approach is demonstrated by a very low false positive rate on university traffic and by the detection of well-known bots such as BlackEnergy, Zeus, Duqu and Darkness with medium to high confidence.
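The pipeline described above (idle state from a traffic threshold, a repeat-connect threshold per domain, then heuristic scoring of the suspicious flow), as an added example that is not the paper's code: the threshold values, the three scoring heuristics (periodicity of the connects, a single fixed URI, uniformly small responses), the confidence mapping and the sample connection records are all assumptions made here, since the abstract does not publish them.

```python
"""Idle-host repetitive-HTTP detector (added example, not the paper's code).

Thresholds, heuristics and sample records below are assumptions for the
example; the abstract does not disclose the paper's own values.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class HttpConnect:
    ts: float          # seconds since epoch
    host: str          # internal source host
    domain: str        # destination domain (Host header)
    uri: str           # request path
    req_bytes: int     # request size
    resp_bytes: int    # response size


# Assumed thresholds for the example.
IDLE_BYTES_PER_MIN = 20_000   # below this rate a host is in the 'idle' state
REPEAT_CONNECTS = 5           # connects to one domain that make a flow 'suspicious'


def idle_hosts(events):
    """Hosts whose total HTTP bytes per minute stay under IDLE_BYTES_PER_MIN."""
    per_host = defaultdict(list)
    for e in events:
        per_host[e.host].append(e)
    idle = set()
    for host, evs in per_host.items():
        span_min = max((max(e.ts for e in evs) - min(e.ts for e in evs)) / 60.0, 1.0)
        total = sum(e.req_bytes + e.resp_bytes for e in evs)
        if total / span_min < IDLE_BYTES_PER_MIN:
            idle.add(host)
    return idle


def suspicious_flows(events):
    """(host, domain) flows from idle hosts that cross the repeat-connect threshold."""
    idle = idle_hosts(events)
    flows = defaultdict(list)
    for e in events:
        if e.host in idle:
            flows[(e.host, e.domain)].append(e)
    return {k: sorted(v, key=lambda e: e.ts)
            for k, v in flows.items() if len(v) >= REPEAT_CONNECTS}


def _cv(values):
    """Coefficient of variation; 1.0 when undefined, so it never looks 'regular'."""
    m = mean(values)
    return pstdev(values) / m if m > 0 else 1.0


def score_flow(evs):
    """Hypothetical heuristics (assumed for this example), one point each:
    regular inter-connect gaps, one fixed URI, uniformly small responses."""
    score = 0
    gaps = [b.ts - a.ts for a, b in zip(evs, evs[1:])]
    if _cv(gaps) < 0.2:                        # beacon-like periodicity
        score += 1
    if len({e.uri for e in evs}) == 1:         # same path every time
        score += 1
    resp = [e.resp_bytes for e in evs]
    if _cv(resp) < 0.2 and mean(resp) < 1024:  # constant, tiny replies
        score += 1
    return score


def confidence(score):
    return "high" if score >= 3 else "medium" if score == 2 else "low"


def detect(events):
    """Map each suspicious flow to (score, confidence label)."""
    out = {}
    for key, evs in suspicious_flows(events).items():
        s = score_flow(evs)
        out[key] = (s, confidence(s))
    return out


# Constructed sample traffic (not captured data).
SAMPLE_EVENTS = [
    # idle host 10.0.0.5 polls one domain every ~10 minutes with a tiny reply
    *[HttpConnect(t, "10.0.0.5", "beacon.example", "/ping", 300, 200)
      for t in (0, 601, 1199, 1802, 2400, 3001)],
    # one-off download from the same host: below the repeat threshold
    HttpConnect(900, "10.0.0.5", "cdn.example", "/lib.js", 400, 5000),
    # busy host 10.0.0.7 browsing: many regular connects, but it is not idle
    *[HttpConnect(t, "10.0.0.7", "news.example", f"/story/{t}", 800, 150_000)
      for t in range(0, 100, 10)],
]

if __name__ == "__main__":
    for (host, domain), (score, label) in detect(SAMPLE_EVENTS).items():
        print(f"{host} -> {domain}: score={score} confidence={label}")
```

The busy host is never examined even though its ten connects to one domain are perfectly periodic, which is the point of gating on the idle state: it keeps ordinary browsing out of the scoring stage. A production version would compute the idle state over a sliding window rather than the whole capture, and would add heuristics the abstract alludes to but does not name.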
VB2013 takes place 2-4 October 2013 in Berlin, Germany.