The basic idea is: infected computers (“bots” or “zombies”) can be be used to perform network actions on behalf of their “masters”. Some of these actions are usually done by “server class” machines. Two examples for such actions are: sending emails (because the end-user doesn’t send the email directly, rather it contacts an SMTP server which does the sending on her behalf) and hosting websites.
This discrepancy (“sever” action performed by “client” machines) can be used to classify some actions as “suspect”. One way to detect client machines is by using passive OS fingerprinting based on the characteristics of the TCP stream. One tool to do this is p0f. Even though it is quite old and doesn’t recognize many of the newish operating systems (for example Windows XP SP2), it outputs a “fingerprint” which is unique for the given OS.
Using this tool I performed the following experiment:
- A script contacted malicious and non-malicious hosts on port 80 (the malicious hosts were from fast-flux domains hosting websites)
- p0f was used to determine the fingerprint for each contacted host
The result was very interesting: the separation between “clean” and “malicious” webservers is very clear with very few errors either way (more quantitively: out of 10808 machines 186 (0.01%) were miscategorized as false positives and 58 (0.005%) as false negatives). What does this mean?
- This method can be very effective in filtering out “sever” actions which shouldn’t be done by end-users
- If such a method is widely deployed, there will be some collateral damage (like people who insist on sending mail from their home computer using blat)
- The method can be used for both outbound (like web-browsing) and inbound (like receiving mail) situations
- IANAL and this is not legal advice, but you should be ok in both cases (for inbound – the other party is contacting you, so there is no question of legality and for outbount – like trying to contact the machine on port 80 – it can be argued that the action is limited and the fact that they advertised their server trough DNS can be considered permission)
- In the realm of countermeasures we have sophisticated solutions like IPPersonality (but it only works with Linux 2.4). For Windows we can play with some of the TCP/IP registry settings or possibly go deeper and use raw sockets to send custom packets (you can look at the Network Decoys [ODF] presentation – Google Cache here)
- Again, if this method is applied at a larger scale, attackers who discover the circumvention methods will most probably hand out (free or for money) pre-made kits which perform some of the circumvention
Image taken from Roberto Berlim’s photostream with permission.