ECE4112 Internetwork Security
Final Project Lab: Botnets – Email Spamming and Prevention

Group Number: _________
Member Names: ___________________ _______________________
Date Assigned:
Date Due:
Last Edited: December 7, 2006
Lab Authored by: Talha Ansari, Hsin Kuo, Edwin Niculaescu

Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions in the Answer Sheet and be sure you turn in ALL materials listed in the Turn-in Checklist on or before the Date Due.

Goal:
The goal of this lab is to introduce and demonstrate how email spammers use botnets to collect lists of valid email addresses from a mail server and send junk email, undetectably, from other people's machines to the address lists obtained.

Summary:
In this lab, you will see how a botnet is used by a spammer to first acquire email addresses and then send spam. Before getting started, you will set up a web server, an SMTP mail server, and an IRC server. Then you will use the bots to collect a list of valid email addresses from a web page. Next, you will use the bots to send junk email from infected machines to the acquired addresses.

Special Thanks:
Special thanks to Chris Lee for providing us with the code, along with his help in making this a successful lab.

Background:
Today most people receive a few, or even dozens of, spam emails ("junk emails") daily. The volume of spam has grown exponentially over the years. As of today, approximately 60 billion spam emails are sent per day, and spammers show no sign of slowing down. Over the years the government, the FBI, and many internet security organizations have tried to solve the spam problem, but so far they have not been able to do so. What makes it so difficult to catch these damn spammers?
Why can't the FBI just use highly sophisticated technology and techniques to trace these spammers and put all of them in jail for wasting people's money and time deleting dozens of junk mails every day? The answer is that spammers now use botnets to do their dirty work for them. The senders are almost impossible to identify by IP address, and hence very hard to trace. Fig. 1 shows a real-world scenario of botnets. The most common bots that spammers use today are "Bobax" and "Agobot". With the help of a botnet and a large number of bots, a spammer can remotely and undetectably send massive amounts of junk email to people. There exist botnets consisting of more than 10,000 bots. Whether you like it or not, you'll receive these junk emails if you are on their so-called "VIP" lists. Since these emails are sent from bots (infected computers), it is extremely difficult to trace who the spammers are. Therefore the spammers stay anonymous and we all suffer.

Figure 1. A real-world simulation diagram of botnets.

Prelab Questions:
No Prelab Questions! However, it is suggested that you read through the lab and all appendices before starting. Yes, read all of them!!

Lab Scenario:
For this lab, you will simulate how a spammer uses a botnet to send junk email to people. A web server and an IRC server will first be installed and set up on your Red Hat WS4.0 machine. You will use the X-Chat IRC client on your Red Hat WS4.0 machine to communicate with the IRC server. A simple botnet program specifically designed for spam email (designed and provided by Chris Lee) will be installed and executed on another Red Hat 4.0 machine running in VMware, which will also have an SMTP client that the bots use to send spam. The RH 4.0 copy will be the infected machine, and we will run four bots on it, since we can't infect multiple computers in the lab. In order for the bots to communicate with the IRC server we set up, IRClib will be installed and run on the "Copy Machine", and X-Chat will be used by the bot controller.
Figure 2. Lab scenario network diagram.

Section 1: Setup
Before proceeding, please take a look at Appendix A on how to create a copy of Red Hat WS4.0 in VMware. You will need this copy machine, as it serves the purpose of an infected machine.

Section 1.1: Setting up the Web Server (apache2)
To begin, we first need to install the web server, which in our case is apache2, if it is not already installed from an earlier lab. Log into NAS and copy the httpd-2.0.54.tar.gz file from the LABXX folder into /home/tools. Open a terminal and go into the folder where you saved httpd-2.0.54.tar.gz. Now type the following commands in the terminal:

# tar xvzf httpd-2.0.54.tar.gz
# cd httpd-2.0.54
# ./configure --prefix=/home/apache2    (this command sets the install directory of the server)
# make
# make install
# cd /home/apache2/bin/
# ./apachectl start
If you already have the Apache server installed, then just do the following:

# cd /home/apache2/bin/
# ./apachectl start

If you get an error regarding port 80, then type the following:

# service httpd stop

then retry starting the Apache server with:

# ./apachectl start

Open Mozilla and enter the web address http://localhost. If the default Apache web page appears, the web server was properly installed. You can look at Appendix B for a list of different commands that you may find helpful. Now that the web server has been set up, copy email.html and template.html from the NAS to the folder /home/apache2/htdocs. You can do this by just copying from NAS and pasting into the appropriate folder using the graphical interface.

Section 1.2: Setting up the IRC Server
In this section you will install the IRC server. The server acts like a hub and is used as a command-and-control server by the bot master. It is from here that the bot master gives the bots commands to perform certain tasks. Go to NAS, copy dancer-ircd_1.0.36.orig.tar.gz and save it to your /home/tools directory. Open a terminal, go into that folder and type the following commands in the terminal window:

# tar xvzf dancer-ircd_1.0.36.orig.tar.gz
# cd dancer-ircd_1.0.36.orig
# ./install

Once you have installed dancer, go back into NAS, copy the ircd.conf file and save it to the /usr/local/etc folder. Yes, we need to replace the old file in there. Once you have replaced the file, open it with a text editor and change every instance of the address given there to the IP of your host Red Hat 4.0 machine, which should be 57.35.6.XXX (where XXX is your specific IP). Once this is done, save the file and close the text editor. Now open a terminal, cd into /usr/local/sbin and type ./ircd. This will start your IRC server.

Section 1.3: Setting up IRClib on the infected machine
IRClib is a daemon used by the bots to connect to the IRC server we created earlier.
Start VMware and go to the Red Hat 4.0 copy machine that you created at the beginning of the lab. If you haven't done that yet, refer to Appendix A on how to create it. Once the virtual image is created, connect to NAS and copy python-irclib-0.4.6.tar.gz to your /home/tools directory. Open a terminal, cd into that folder and type:

# tar xvzf python-irclib-0.4.6.tar.gz
# cd python-irclib-0.4.6
# python setup.py install

This installs irclib on the infected host (Red Hat WS4.0 copy).

Section 1.4: Editing your pybot file
Open the pybot file in the pybot directory with a text editor. Find the line that says 'server'('localhost',6667) and change localhost to the IP of the IRC server. This will allow the pybot to connect to the IRC server.

Section 2: Connecting Controller and Bots successfully to the IRC Server
This is where we start to get into action with the bots. Here we will connect both the host Red Hat 4.0 machine and the copy machine to the IRC server. Then we will do a test run to see if your bots are responding to our commands. Start off by logging into NAS and copying pybot_lab.tgz onto the /home/tools directory of the RH 4.0 copy machine. Open a terminal, go into the /home/tools folder and type the following:

# tar xvzf pybot_lab.tgz
# cd pybot_lab
# python

This will start four instances of the pybot. You should now have a screen similar to Figure 3. This means that the bots have started and are now ready to join the IRC server we created earlier.

Figure 3. Terminal showing the successful running of the bots.
Q1. Type "print hello" in the irclib channel. What is displayed in the terminal from which you started the bots? Take a screenshot of the terminal window showing the message (Screenshot #1).

Now it's time for your bot controller to join the IRC server. Start off by opening X-Chat on your host Red Hat 4.0 machine: go to Applications -> Internet -> X-Chat. Once the GUI opens, type at the bottom:

# /server 57.35.6.XXX    (where XXX represents the IP of your host 4.0 machine where the IRC server is)

After you have connected, type:

# /nick scholar01
# /join #irclib

Now tab over to the irclib channel. You should see yourself (scholar01) along with four instances of pybots. If for some reason you don't see your bots, or if they crash, restart them on the RH 4.0 copy and then go to Server -> Reconnect in X-Chat. This will reconnect you to the server. Your X-Chat window should look like Figure 4.

Figure 4. Pybots and bot controller both connected to the IRC server.
Screenshot #2: Take a screenshot of the X-Chat window showing the successful connection of the host machine along with the bots.

Section 3: Spam Attack

Section 3.1: Setting up emails for being spammed
We now need to create two email accounts that will be the victims of our spam attack. To do this, go into the RH 4.0 copy and open a terminal. In the terminal type the following:

# adduser spamvictim1
# adduser spamvictim2

then set passwords for the two accounts:

# passwd spamvictim1
# passwd spamvictim2

You also have to start the SMTP server to be able to send email. We will use Sendmail for this, and it should already be installed. To start Sendmail, type:

# service sendmail start

If you don't have Sendmail on your computer, download it from the NAS and follow the installation instructions in the text file provided with the program.

Section 3.2: Start Spamming
Now that you have created a botnet of four bots and a bot controller, we are ready to start spamming. First make sure that the Apache web server is running; this is necessary because the bots have to download the email addresses they want to spam and the template for the email. Now we will use X-Chat to start spamming. In the #irclib tab in X-Chat, type the following commands:

# getemails <ip of machine with apache server>
# gettemplate <ip of machine with apache server>
# startspam

The first command tells the bots to download the email list from the web server. The second command tells the bots to download the template, which includes the email, from the web server. The third command actually sends the emails. Figure 5 shows how X-Chat should be set up. In real-world scenarios, these email lists can contain 100,000 addresses or more. To terminate the bots, you can use the command:

# shutdown
Figure 5. Spamming victims.

Section 3.3: Checking Emails
To check whether the bots actually spammed the victims, go into the /var/spool/mail/ directory and open the files spamvictim1 and spamvictim2. There should be four emails in each, since all four bots sent the email to both accounts.

Screenshot #3: Take a screenshot of the emails in spamvictim1's inbox.

Q2. What other things can a bot master do once he has control of his bots? (Hint: you might need to search the internet for this one.)

Section 3.4: Manipulating Pybot source code
The pybot we are using is fairly simple and was written in Python, which is pretty easy to understand. Spamming bots used by real spammers are much more complicated and have many more functions. To understand this pybot, open the pybot file with a text editor and change how many bots will run on the infected machine from four to ten. Save it, and re-run the whole spamming process.
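As a check for Section 3.3 that does not require reading the spool by hand, here is an added example (not part of the lab and not Chris Lee's pybot code) that parses an mbox spool such as /var/spool/mail/spamvictim1, counts deliveries per sender, and groups identical bodies so that a bulk delivery of one template stands out from ordinary mail. The spool text below is constructed for the example.

```python
"""Summarise a victim's mbox spool and flag bot-style bulk delivery.

Added example for Section 3.3 of the lab; the sample spool is constructed.
"""
import hashlib
from collections import Counter
from email import message_from_string

# Constructed sample spool in mbox layout (as in /var/spool/mail/spamvictim1):
# four bot deliveries of one template plus one unrelated message.
SAMPLE_SPOOL = """\
From root@localhost Thu Dec  7 12:00:01 2006
From: group01@example.lab
To: spamvictim1@localhost
Subject: Special offer

Buy now, limited time only!

From root@localhost Thu Dec  7 12:00:02 2006
From: group01@example.lab
To: spamvictim1@localhost
Subject: Special offer

Buy now, limited time only!

From root@localhost Thu Dec  7 12:00:03 2006
From: group01@example.lab
To: spamvictim1@localhost
Subject: Special offer

Buy now, limited time only!

From root@localhost Thu Dec  7 12:00:04 2006
From: group01@example.lab
To: spamvictim1@localhost
Subject: Special offer

Buy now, limited time only!

From alice@localhost Thu Dec  7 12:05:00 2006
From: alice@localhost
To: spamvictim1@localhost
Subject: lab notes

See you at the lab at 3.
"""


def split_mbox(text):
    """Split mbox text into raw messages, dropping the 'From ' envelope lines.

    A line starting with 'From ' only separates messages when it opens the file
    or follows a blank line; MTAs escape such lines inside bodies as '>From ',
    so a body that quotes one is not cut in half.
    """
    messages, current = [], []
    for line in text.splitlines():
        if line.startswith("From ") and (not current or current[-1] == ""):
            if current:
                messages.append("\n".join(current))
            current = []
            continue  # envelope line carries no header/body content
        current.append(line)
    if current:
        messages.append("\n".join(current))
    return messages


def body_fingerprint(msg):
    """Short hash of the whitespace-normalised body, so identical template
    deliveries group together even if line wrapping differs."""
    body = msg.get_payload(decode=True) or b""
    normalised = b" ".join(body.split())
    return hashlib.sha256(normalised).hexdigest()[:16]


def summarize_spool(text):
    """Count messages, deliveries per From: header and deliveries per body."""
    msgs = [message_from_string(raw) for raw in split_mbox(text)]
    return {
        "count": len(msgs),
        "by_sender": Counter(m.get("From", "<missing>") for m in msgs),
        "by_body": Counter(body_fingerprint(m) for m in msgs),
    }


def summarize_spool_file(path):
    """Same summary for a real spool file (run as the spool owner or root)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return summarize_spool(fh.read())


def flag_bulk_delivery(summary, threshold=3):
    """Fingerprints of bodies delivered at least `threshold` times: one template
    arriving from several senders or sessions is the signature of the bot run."""
    return [fp for fp, n in summary["by_body"].items() if n >= threshold]


if __name__ == "__main__":
    s = summarize_spool(SAMPLE_SPOOL)
    print(f"{s['count']} messages; by sender: {dict(s['by_sender'])}")
    for fp in flag_bulk_delivery(s):
        print(f"body {fp} delivered {s['by_body'][fp]} times: bulk delivery")
```

The lab's own spool should show four messages per victim; the same summary run on a spool that also carries legitimate mail separates the template deliveries from it by body rather than by sender, which matters once the template's "from" address is changed in Section 3.4.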
Q3. What line of code did you change?

Screenshots #4 and #5: Take a screenshot of the infected computer showing ten instances of pybot running, and a screenshot of the ten pybots displayed in X-Chat.

To understand how template.html works with the bots, open it in a text editor and change the "from" address to your group number. Then run the spamming functions on the bots again and open the emails received by the victims to see if your new template was emailed. Make sure that you reload template.html in X-Chat.

Screenshot #6: Take a screenshot of the email inbox, showing your group number in the email header.

Section 4: Prevention
In this section, we describe and suggest a few methods and techniques to prevent your machines from being used as a spammer's bots to send spam email. These methods and techniques may not provide 100% protection against infection, but they will definitely help to reduce the risk.

For Linux systems:

1. Always install and use anti-virus or anti-spyware software
- Most anti-virus and anti-spyware software blocks and prevents backdoor activity on your machine. Therefore, it can protect your machine from spammers gaining illegal access to it to send junk email to people.

2. Always turn on your firewall
- Personal firewalls can be used to block unwanted applications from being able to connect to the network. In our case, a firewall can stop the bots from connecting to the botnet. Therefore, the bots won't be able to get orders from the bot controller even though bots are running on your machine.

3. Close unused ports
- Most IRC bots connect to your computer through ports 6667 and 6668. If we close these ports, it is likely to prevent hackers from getting access to your computer. We can do this by turning on iptables in ntsysv.

For Windows systems:

1. Always install and use anti-virus or anti-spyware software
- Most anti-virus and anti-spyware software blocks and prevents backdoor activity on your machine. Therefore, it can protect your machine from spammers gaining illegal access to it to send junk email to people.

2. Always turn on your firewall
- Personal firewalls can be used to block unwanted applications from being able to connect to the network. In our case, a firewall can stop the bots from connecting to the botnet. Therefore, the bots won't be able to get orders from the bot controller even though bots are running on your machine.

3. Close unused ports
- Most IRC bots connect to your computer through ports 6667 and 6668. If we close these ports, it is likely to prevent hackers from getting access to your computer.
- Network Connections -> right-click the wireless or local network connection and select Properties -> click on the Advanced tab and Firewall settings -> select On.

4. Use "IRCBots Detector" to scan your computer frequently
- Programs such as IRCBots Detector are designed to scan your computer and find out whether there are bots running on it.
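As an added example in the spirit of items 3 and 4 above (not part of the lab, and not the IRCBots Detector program), the following scans netstat -ntp style output for established connections to the IRC ports named above, reports which processes hold them, and writes out the iptables rules that close those ports on Linux. The netstat output is constructed; the host and server addresses are placeholders in the lab's 57.35.6.x range.

```python
"""Spot IRC client sessions on a host and emit rules that close the IRC ports.

Added example for Section 4; the netstat sample is constructed.
"""
from collections import defaultdict

IRC_PORTS = {6667, 6668}

# Constructed `netstat -ntp` output as seen on the infected copy machine:
# four pybot sessions to one IRC server, plus an ordinary browser connection.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 57.35.6.120:40122       57.35.6.100:6667        ESTABLISHED 4211/python
tcp        0      0 57.35.6.120:40123       57.35.6.100:6667        ESTABLISHED 4212/python
tcp        0      0 57.35.6.120:40124       57.35.6.100:6667        ESTABLISHED 4213/python
tcp        0      0 57.35.6.120:40125       57.35.6.100:6667        ESTABLISHED 4214/python
tcp        0      0 57.35.6.120:51002       57.35.6.50:80           ESTABLISHED 3901/firefox
"""


def parse_netstat(text):
    """Parse netstat -ntp style lines into dicts; banner and header lines are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith(("tcp", "udp")):
            continue
        pid, _, prog = (fields[6] if len(fields) > 6 else "-").partition("/")
        rhost, _, rport = fields[4].rpartition(":")
        conns.append({
            "proto": fields[0],
            "local": fields[3],
            "remote_host": rhost,
            "remote_port": int(rport) if rport.isdigit() else None,
            "state": fields[5],
            "pid": pid,
            "program": prog or "?",  # '-' when netstat is run without root
        })
    return conns


def find_irc_clients(conns, ports=IRC_PORTS):
    """Established sessions whose remote port is an IRC port, i.e. this host
    dialled out to an IRC server (the direction a bot uses)."""
    return [c for c in conns
            if c["remote_port"] in ports and c["state"] == "ESTABLISHED"]


def assess(conns, ports=IRC_PORTS):
    """Group IRC sessions by server. Several parallel sessions from one host to
    one server, all from the same program, is the pattern the lab's four pybots
    produce; a single session from a chat client looks different."""
    per_server = defaultdict(list)
    for c in find_irc_clients(conns, ports):
        per_server[f"{c['remote_host']}:{c['remote_port']}"].append(c)
    findings = [{
        "server": server,
        "connections": len(cs),
        "programs": sorted({c["program"] for c in cs}),
        "pids": sorted(c["pid"] for c in cs),
    } for server, cs in per_server.items()]
    return sorted(findings, key=lambda f: -f["connections"])


def block_rules(ports=IRC_PORTS):
    """iptables commands for item 3: log, then reject, outbound IRC connections.
    The bot dials out, so the rules belong on the OUTPUT chain."""
    cmds = []
    for p in sorted(ports):
        cmds.append(f'iptables -A OUTPUT -p tcp --dport {p} -j LOG --log-prefix "IRC-OUT "')
        cmds.append(f"iptables -A OUTPUT -p tcp --dport {p} -j REJECT")
    return cmds


if __name__ == "__main__":
    for f in assess(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{f['connections']} session(s) to {f['server']} "
              f"from {', '.join(f['programs'])} (pids {', '.join(f['pids'])})")
    print("\n".join(block_rules()))
```

A port-based check also catches a legitimate client such as the X-Chat controller from Section 2, so the process name and the number of parallel sessions are what separate the bots from a person chatting.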
Appendix A: How to set up Red Hat 4.0 in VMware

First, you will need to go to the NAS drive and copy the Red Hat 4.0 image over to your host machine.

# mount /mnt/nas4112    (pw: secure_class)

Click on the NAS drive on your desktop. Click on Lab6 and drag the folder "Protected" over to your host machine. Now turn on VMware if you haven't done so:

# service vmware start
# vmware

We will need to create a new WS4.0 virtual machine. File -> New -> Virtual Machine. Select "Custom", "Next", "Legacy", "Next", "Linux", and then "Next" again. You can name it "RedHat 4.0 Copy" and place it in the vmware folder. Click "Next", and "Next" again for the Memory section (it should be 256 MB). Select "Use bridged networking" and click "Next". Click "Next" for the SCSI Adapter setting (it should be BusLogic). Select "Use an existing virtual disk" and browse to the "Red Hat Linux WS4.vmdk" file in the "Protected" folder you copied from NAS. Finally click "Finish" and you're done! Refer to Lab 1 for setting up the virtual machine's configuration if you forgot how to do so.
Appendix B: Commands for Apache2

NAME
       man - format and display the on-line manual pages

SYNOPSIS
       man [-acdfFhkKtwW] [--path] [-m system] [-p string] [-C config_file] [-M pathlist] [-P pager] [-S section_list] [section] name ...

DESCRIPTION
       man formats and displays the on-line manual pages. If you specify section, man only looks in that section of the manual. name is normally the name of the manual page, which is typically the name of a command, function, or file. However, if name contains a slash (/) then man interprets it as a file specification, so that you can do man ./foo.5 or even man /cd/foo/bar.1.gz. See below for a description of where man looks for the manual page files.

OPTIONS
       -C config_file
              Specify the configuration file to use; the default is /etc/man.config. (See man.config(5).)

       -M path
              Specify the list of directories to search for man pages. Separate the directories with colons. An empty list is the same as not specifying -M at all. See SEARCH PATH FOR MANUAL PAGES.

       -P pager
              Specify which pager to use. This option overrides the MANPAGER environment variable, which in turn overrides the PAGER variable. By default, man uses /usr/bin/less -iRs.

       -S section_list
              List is a colon separated list of manual sections to search. This option overrides the MANSECT environment variable.

       -a     By default, man will exit after displaying the first manual page it finds. Using this option forces man to display all the manual pages that match name, not just the first.

       -b     Disable any reference to color in the roff source. NOCOLOR in the configuration file will have the same effect.

       -c     Reformat the source man page, even when an up-to-date cat page exists. This can be meaningful if the cat page was formatted for a screen with a different number of columns, or if the preformatted page is corrupted.

       -d     Don't actually display the man pages, but do print gobs of debugging information.

       -D     Both display and print debugging info.

       -f     Equivalent to whatis.

       -F or --preformat
              Format only - do not display.

       -h     Print a one-line help message and exit.

       -k     Equivalent to apropos.

       -K     Search for the specified string in *all* man pages. Warning: this is probably very slow! It helps to specify a section. (Just to give a rough idea, on my machine this takes about a minute per 500 man pages.)

       -m system
              Specify an alternate set of man pages to search based on the system name given.

       -p string
              Specify the sequence of preprocessors to run before nroff or troff. Not all installations will have a full set of preprocessors. Some of the preprocessors and the letters used to designate them are: eqn (e), grap (g), pic (p), tbl (t), vgrind (v), refer (r). This option overrides the MANROFFSEQ environment variable.

       -t     Use groff -Tps -man to format the manual page, passing the output to stdout. The output from groff -Tps -man may need to be passed through some filter or another before being printed.

       -w or --path
              Don't actually display the man pages, but do print the location(s) of the files that would be formatted or displayed. If no argument is given: display (on stdout) the list of directories that is searched by man for man pages. If manpath is a link to man, then "manpath" is equivalent to "man --path".

       -W     Like -w, but print file names one per line, without additional information. This is useful in shell commands like
                     man -aW man | xargs ls -l

CAT PAGES
       Man will try to save the formatted man pages, in order to save formatting time the next time these pages are needed. Traditionally, formatted versions of pages in DIR/manX are saved in DIR/catX, but other mappings from man dir to cat dir can be specified in /etc/man.config. No cat pages are saved when the required cat directory does not exist. No cat pages are saved when they are formatted for a line length different from 80. No cat pages are saved when man.conf contains the line NOCACHE.

       It is possible to make man suid to a user man. Then, if a cat directory has owner man and mode 0755 (only writable by man), and the cat files have owner man and mode 0644 or 0444 (only writable by man, or not writable at all), no ordinary user can change the cat pages or put other files in the cat directory. If man is not made suid, then a cat directory should have mode 0777 if all users should be able to leave cat pages there.

       The option -c forces reformatting a page, even if a recent cat page exists.

SEARCH PATH FOR MANUAL PAGES
       man uses a sophisticated method of finding manual page files, based on the invocation options and environment variables, the /etc/man.config configuration file, and some built-in conventions and heuristics.

       First of all, when the name argument to man contains a slash (/), man assumes it is a file specification itself, and there is no searching involved.

       But in the normal case where name doesn't contain a slash, man searches a variety of directories for a file that could be a manual page for the topic named.

       If you specify the -M pathlist option, pathlist is a colon-separated list of the directories that man searches.

       If you don't specify -M but set the MANPATH environment variable, the value of that variable is the list of the directories that man searches.

       If you don't specify an explicit path list with -M or MANPATH, man develops its own path list based on the contents of the configuration file /etc/man.config. The MANPATH statements in the configuration file identify particular directories to include in the search path.

       Furthermore, the MANPATH_MAP statements add to the search path depending on your command search path (i.e. your PATH environment variable). For each directory that may be in the command search path, a MANPATH_MAP statement specifies a directory that should be added to the search path for manual page files. man looks at the PATH variable and adds the corresponding directories to the manual page file search path. Thus, with the proper use of MANPATH_MAP, when you issue the command man xyz, you get a manual page for the program that would run if you issued the command xyz.

       In addition, for each directory in the command search path (we'll call it a "command directory") for which you do not have a MANPATH_MAP statement, man automatically looks for a manual page directory "nearby", namely as a subdirectory in the command directory itself or in the parent directory of the command directory.

       You can disable the automatic "nearby" searches by including a NOAUTOPATH statement in /etc/man.config.

       In each directory in the search path as described above, man searches for a file named topic.section, with an optional suffix on the section number and possibly a compression suffix. If it doesn't find such a file, it then looks in any subdirectories named manN or catN where N is the manual section number. If the file is in a catN subdirectory, man assumes it is a formatted manual page file (cat page). Otherwise, man assumes it is unformatted. In either case, if the filename has a known compression suffix (like .gz), man assumes it is gzipped.

       If you want to see where (or if) man would find the manual page for a particular topic, use the --path (-w) option.

For a complete list, you can cd into your apache2 folder and type:

# man man
Appendix C: Article on Bots and Spamming [4]

Introduction to Bots and Botnets
The word bot is an abbreviation of the word robot. Robots (automated programs, not robots like Marvin the Paranoid Android) are frequently used in the Internet world. Spiders used by search engines to map websites, and software responding to requests on IRC (such as eggdrop), are robots. Programs which respond autonomously to particular external events are robots, too. This article describes a special kind of robot, or bot (as we will call them from now on): an IRC bot. It uses IRC networks as a communication channel in order to receive commands from a remote user. In this particular case the user is an attacker and the bot is a trojan horse. A good programmer can easily create his own bot, or customize an existing one. This helps hide the bot from basic security systems, and lets it spread easily.

IRC
IRC stands for Internet Relay Chat. It is a protocol designed for real-time chat communication (see RFC 1459, updated by RFC 2810, 2811, 2812 and 2813), based on a client-server architecture. Most IRC servers allow free access for everyone. IRC is an open network protocol based on TCP (Transmission Control Protocol), sometimes enhanced with SSL (Secure Sockets Layer). An IRC server connects to other IRC servers within the same network. IRC users can communicate both in public (on so-called channels) and in private (one to one). There are two basic levels of access to IRC channels: users and operators. A user who creates a channel becomes its operator. An operator has more privileges (dependent on modes set by the initial operator) than a regular user.

IRC bots are treated no differently from regular users (or operators). They are daemon processes which can run a number of automated operations. Control over these bots is usually based on sending commands to a channel set up by the attacker and infested with bots. Of course, bot administration requires authentication and authorisation, so that only the owner can use them. An important feature of such bots is that they are able to spread rapidly to other computers. Careful planning of the infection process helps achieve better results in a shorter time (more compromised hosts). A number n of bots connected to a single channel and waiting for commands is called a botnet.

In the recent past, zombie (another name for bot-infected computers) networks were controlled with proprietary tools developed intentionally by the crackers themselves. Experience has led to experiments with new remote-control methods. IRC is considered the best way to launch attacks, because it is flexible, easy to use and, especially, because public servers can be used as a communication medium (see the IRC inset). IRC offers a simple method to control hundreds or even thousands of bots at once in a flexible manner. It also allows attackers to cover their identity with the use of simple tricks such as anonymous proxies or simple IP address spoofing. Thanks to this, server administrators have little chance of finding the origin of an attack controlled in such a manner.

In most cases bots infect single-user PCs, university servers or small company networks. This is because such machines are not strictly monitored, and are often left totally unprotected. The reason for this is partially the lack of a real security policy, but mostly the fact that most PC users with an ADSL connection are completely unaware of the risks involved, and do not use protective software such as antivirus tools or personal firewalls.

Bots and their Applications
The possible uses for compromised hosts depend only on the imagination and skills of an attacker. Let's look at the most common ones.

DDoS
Botnets are frequently used for Distributed Denial of Service attacks. An attacker can control a large number of compromised hosts from a remote workstation, exploiting their bandwidth and sending connection requests to the target host. Many networks have suffered from such attacks, and in some cases the culprits were found among the competition (as in the case of the dotcom wars).

Distributed DoS Attacks (DDoS)
A DDoS attack is a variation of a flooding DoS attack; its aim is to saturate a target network, using all the available bandwidth. Given that an attacker would need huge total bandwidth in order to saturate the targeted site, it is clear that the best way to launch this type of attack is to have many different hosts under control. Each host contributes its own bandwidth (e.g. PC ADSL users), and they are all used at once, thus distributing the attack on the target site. One of the most popular attacks performed with the TCP protocol (a connection-oriented protocol) is called TCP SYN flooding.
It works by sending a large number of TCP connection requests to the same web server (or any other type of service), overloading the server's resources and leading to its saturation, preventing other users from opening their own connections. How simple and dangerously efficient! The same can be achieved using the UDP protocol (a connectionless protocol). Attackers have spent a lot of time and effort on improving such attacks. We are now facing even better techniques, which differ from traditional DDoS attacks. They let malicious users control a very large number of zombie hosts from a remote workstation, by using, for example, the IRC protocol.

Spamming
Botnets are an ideal medium for spammers. They could be used, and are used, both for exchanging collected e-mail addresses and for controlling spam streaks in the same way DDoS attacks are performed. A single spam message can be sent to the botnet and then distributed across the bots, which send the spam. The spammer stays anonymous and all the blame goes to the infected computers.

Sniffing & Keylogging
Bots can also be used effectively to enhance the ancient art of sniffing. Observing traffic data can lead to the detection of an incredible amount of information. This includes user habits and TCP packet payloads, which could contain interesting information (such as passwords). The same applies to keylogging: capturing all the information typed in by the user (e-mails, passwords, home banking data, PayPal account info etc.).

Identity Theft
The above-mentioned methods allow an attacker controlling a botnet to collect an incredible amount of personal information. Such data can then be used to build fake identities, which can in turn be used to obtain access to personal accounts or perform various operations (including other attacks), putting the blame on someone else.

Hosting of Illegal Software
Last, but not least, bot-compromised computers can be used as a dynamic repository of illegal material (pirated software, pornography, etc.). The data is stored on the disk of an unaware ADSL user.

Hours could be spent talking about the possible applications of botnets (for example pay-per-click abuse, phishing, hijacking HTTP/HTTPS connections etc.). Bots alone are only tools, which can easily be adapted to every task that requires a great number of hosts under single control.

Different Types of Bots
Many types of ready-made bots are available for download from the Internet. Each of them has its own special features. Let's have a look at the most popular bots, outlining common features and distinctive elements.
GT-Bot
All the GT (Global Threat) bots are based on a popular IRC client for Windows called mIRC. The core of these bots is made up of a set of mIRC scripts, which are used to control the activity of the remote system. This type of bot launches an instance of the client enhanced with control scripts and uses a second application, usually HideWindow, to make mIRC invisible to the user of the host computer. An additional DLL file adds new features to mIRC so that the scripts can influence various aspects of the controlled host.

Agobot
Agobot is probably one of the most popular bots used by crackers. It is written in C++ and released under the GPL licence. What is interesting about Agobot is its source code. Highly modular, it makes it simple to add new functions. Agobot provides many mechanisms to hide its presence on the host computer. They include: NTFS Alternate Data Streams, an Antivirus Killer and a Polymorphic Encryptor Engine. Agobot offers traffic sniffing and sorting functionality. Protocols other than IRC can also be used to control this bot.

DSNX
The Dataspy Network X bot is also written in C++ and its source code is also available under the GPL licence. Adding new functionality to this bot is very easy thanks to its simple plug-in architecture.

SDBot
SDBot is written in C and is also available under the GPL licence. Unlike Agobot, its code is not very clear and the software itself comes with a limited set of features. Nevertheless, it is still very popular and available in different variants.

The Elements of an Attack
Figure 1 shows the structure of a typical botnet:

Figure 1: Structure of a typical botnet

• An attacker first spreads a trojan horse, which infects various hosts. These hosts become zombies and connect to the IRC server in order to listen for further commands.
• The IRC server can either be a public machine in one of the IRC networks or a dedicated server installed by the attacker on one of the compromised hosts.
• Bots run on compromised computers, forming a botnet.
A Practical Example

The activity of the attacker can be split into four different stages:

• creation
• configuration
• infection
• control

The creation stage is largely dependent on the attacker's skills and requirements. A cracker can decide whether to write their own bot code or simply extend or customise an existing one. A wide range of ready-made bots are available and highly configurable, and configuring them is made even easier by a graphical interface. No wonder this is the option most often used by script kiddies.

The configuration stage involves supplying IRC server and channel information. Once installed on the compromised machine, the bot will connect to the selected host. An attacker first enters the data necessary to restrict access to the bots, secures the channel and finally provides a list of authorised users (who will be able to control the bots). In this stage the bot can be further customised, for example by defining the target and attack method.

The infection stage involves using various techniques to spread the bots, both direct and indirect. Direct techniques exploit vulnerabilities of the operating system or services. Indirect attacks employ other software for the dirty work: they include using malformed HTML files that exploit Internet Explorer vulnerabilities, or using other malware distributed through peer-to-peer networks or through DCC (Direct Client-to-Client) file exchange on IRC. Direct attacks are usually automated with the use of worms. All a worm has to do is search the subnets for vulnerable systems and inject the bot code. Each infected system then continues the infection process, allowing the attacker to save precious resources and providing plenty of time to look for other victims.

The mechanisms used to distribute bots are one of the main reasons for so-called Internet background noise. The main ports involved are the ones used by Windows, in particular Windows 2000 and XP SP1 (see Table 1).
They seem to be the attackers' favourite target, because it is easy to find unpatched Windows computers or ones without a firewall installed. This is often the case with home PC users and small businesses, which overlook security issues and have an always-on broadband Internet connection.

Port   Service
42     WINS (Host Name Server)
80     HTTP (IIS or Apache vulnerability)
135    RPC (Remote Procedure Call)
137    NetBIOS Name Service
139    NetBIOS Session Service
445    Microsoft-DS service (SMB over TCP)
1025   Windows Messenger
1433   Microsoft SQL Server
2745   Bagle worm backdoor
3127   MyDoom worm backdoor
3306   MySQL UDF (User Definable Functions)
5000   UPnP (Universal Plug and Play)

Table 1: List of ports associated with vulnerable services

The control stage involves the actions taken after the bot is installed on the target host in a selected directory. In order to start with Windows, it updates the Windows registry, usually by adding a value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The first thing the bot does after it is successfully installed is connect to an IRC server and join the control channel with the use of a password. The nickname on IRC is randomly generated. The bot is then ready to accept commands from the master application. The attacker must also use a password to connect to the botnet. This is necessary so that nobody else can use the botnet.

Figure 2: Botnet hardening

IRC not only provides the means to control hundreds of bots, but also allows the attacker to use various techniques in order to hide his real identity. This makes it difficult to respond to attacks. Fortunately botnets, by their nature, generate suspicious traffic, which is easily detectable due to its known patterns. This helps IRC administrators in detection and intervention, allowing them to take the botnet down and report the abuse. Attackers are therefore forced to refine their C&C (Command and Control) techniques, which leads to botnet hardening. The bots are often configured to connect to different servers using a dynamically mapped hostname. This way an attacker can easily move the bots to new servers, keeping them under control even after detection. Dynamic DNS services such as or no– are used for this task.

Dynamic DNS

Dynamic DNS (RFC 2136) is a system which links a domain name to a dynamic IP address. Users connecting to the Internet via modems, ADSL or cable usually don't have a fixed IP address. When such a user connects to the Internet, the ISP assigns an unused IP address chosen from a selected pool. This address is usually kept only for the duration of that specific connection. This mechanism helps ISPs maximise the use of the available IP pool, but penalises users who need to make certain services available via the Internet on a permanent basis but cannot afford a static IP. Dynamic DNS was created to solve this problem. Providers offering such a service use a dedicated program, which updates the DNS database every time the IP address of the user changes.

In order to hide the activity, the IRC channel is configured to limit access and hide activity. Typical IRC modes for botnet channels are: +k (a key is required to enter the channel), +s (the channel is not displayed on the list of public channels), +u (only operators are visible on the user list), +m (only users with the +v voice status can send to the channel). Most expert attackers using personalised IRC servers encrypt all the communication with the channel.
They also tend to use personalised variants of IRC server software, configured to listen on non-standard ports and using a modified version of the protocol, so that a normal IRC client cannot connect to the network.

C&C in Practice – Agobot

Let's now have a look at a sample attack scenario, which will allow us to see the command and control process of a botnet clearly. Two computers were used for the task. The first one ran an IRC server based on UnrealIRCd 3.2.3 and two virtual Windows XP SP1 machines based on VMware Workstation (the two potential infection targets). The second one was used by the master to control the botnet through Irssi, a text-mode IRC client.

In order to make reverse engineering difficult, Agobot implements routines defending against the use of debuggers such as SoftICE or OllyDbg, and against execution in virtual machines such as VMware and Virtual PC. It was therefore necessary to modify the source code to bypass the VMware check before the bot could be installed on our sample virtual systems.

Configuration
The first step was to configure the bot with the use of its simple graphical interface (see Figure 3). The information entered included the name and port of the IRC server, the name of the channel, a list of users with master passwords, and finally the filename and directory in which the bot is to be installed. Plugins such as sniffing support and the polymorphic engine were also activated. The result of this stage was a config.h file, fundamental for bot compilation.

Figure 3: Agobot configuration interface

Command and Control

Once the bot had been compiled, the two test systems were infected manually. The master computer then connected to the IRC server and joined the channel in order to be able to command and control the bots (see Figure 4):
Figure 4: Master server and channel connection

In order to gain control over the bots, authentication was needed. This was done by simply sending a command to the channel (see Figure 5):

.login FaDe dune

Figure 5: Username and password authentication

Then the first bot was asked for a list of all the running processes on the infected computer (Figure 6):

/msg FakeBot-wszyzc .pctrl.list
Figure 6: Master request response from the first bot

Then the second bot was asked for system information and the CD keys of the applications installed (Figure 7):

/msg FakeBot2-emcdnj .bot.sysinfo
/msg FakeBot2-emcdnj .harvest.cdkeys

Figure 7: Master request response from the second bot

We used simple functions in this example, but Agobot provides a very rich set of commands and functions. Some of them are listed in Table 2.

Command          Description
command.list     List of all the available commands
bot.dns          Resolves an IP/hostname
bot.execute      Runs an .exe file on a remote computer
                 Opens a file on a remote computer
bot.command      Runs a command with system()
irc.server       Connects to an IRC server
irc.join         Enters a specific channel
irc.privmsg      Sends a private message to a user
http.execute     Downloads and executes a file through HTTP
ftp.execute      Downloads and executes a file through FTP
ddos.udpflood    Starts a UDP flood
ddos.synflood    Starts a SYN flood
ddos.phaticmp    Starts a PHATicmp flood
redirect.http    Starts an HTTP proxy
redirect.socks   Starts a SOCKS4 proxy
pctrl.list       List of processes
pctrl.kill       Kills a process

Table 2: Some of Agobot's commands

How to Defend your Computers

Let's now take a look at methods of defence against infection and bot attacks, from both the user's and the administrator's point of view.

Defence Strategies for PC Users

As previously mentioned, bot infection is done mainly through worms, which browse the net looking for vulnerable machines. Therefore the first step is to keep your system updated, downloading patches and system updates for both the OS and all the applications that access the Internet. Automatic updates are a good idea. Also, be careful when opening suspicious email attachments. It's also wise to deactivate support for active content such as ActiveX controls and JavaScript (or at least control their use). Finally, it is fundamental to use an antivirus/antitrojan and keep it updated. However, many bots are configured to evade antivirus controls, so a personal firewall is a valuable addition, especially if the computer is on 24 hours a day.

The main signs of bot presence are connection and system slowdown. A simple and efficient way to check for suspicious connections is the netstat tool (see Figure 8):

C:\>netstat -an
Figure 8: Netstat on an infected system

Netstat

Netstat is a very flexible tool available for both Windows and *NIX systems. Its main function is to show the active ports: it lists listening TCP and UDP ports and established connections, and provides detailed information on network activity. The *NIX netstat displays all the open sockets and also offers output selection filters. Possible TCP connection states include:

• ESTABLISHED – both hosts are connected
• LISTENING (LISTEN on *NIX) – the host is listening for incoming connections
• SYN_RCVD – a remote host has asked to start a connection and the handshake is not yet complete
• SYN_SENT – the host is starting a new connection and is waiting for the remote host's reply
• FIN_WAIT_1 – the host has started closing the connection and is waiting for the remote host to acknowledge its FIN
• FIN_WAIT_2 – the host's side is closed and it is waiting for the remote host to close its side
• CLOSE_WAIT – the remote host has closed its side; the local application has not yet closed the socket
• CLOSING – both hosts closed at the same time and each is waiting for the other's acknowledgement
• LAST_ACK – the host has sent its own FIN after receiving the remote host's and is waiting for the final acknowledgement
• TIME_WAIT – the connection is closed; the host keeps the entry briefly so that delayed packets are not mistaken for a new connection

Watch for ESTABLISHED connections to TCP ports in the 6000-7000 range (usually 6667). Such a connection is not proof of infection by itself, since a legitimate IRC client produces the same entry; use netstat -ano (Windows) or netstat -anp (Linux, as root) to see which process owns the socket, and remember that hardened botnets use non-standard ports. If you find your computer compromised, disconnect from the Internet, clean the system, reboot and then check again.

Defence Strategies for Administrators

Administrators should always have up-to-date information on the latest vulnerabilities, and should read Internet security resources on a daily basis. A subscription to a mailing list such as Bugtraq is a good idea. Administrators should also attempt to educate their users and define security and privacy policies.
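The netstat check from the user defence strategy above can be scripted so that it does not rely on eyeballing the output. The following Python script is an added example, not part of the original lab or of the article it reproduces: it parses saved netstat -an (Windows) or netstat -ant (Linux) output and reports ESTABLISHED TCP sessions whose remote port lies in the 6000-7000 range. The sample output embedded in it is constructed for illustration; the addresses and ports are not from a real infection.

```python
"""Scripted version of the netstat check: parse `netstat -an` (Windows) or
`netstat -ant` (Linux) output and flag ESTABLISHED TCP sessions whose remote
port falls in the 6000-7000 range typically used for IRC command and control."""
from typing import Dict, List, Optional

IRC_PORTS = range(6000, 7001)   # heuristic from the text; 6667 is the usual port

# Constructed sample output for illustration, not captured from a real machine.
WINDOWS_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.17:1034      203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.17:1041      198.51.100.20:80       ESTABLISHED
  TCP    192.168.1.17:1050      198.51.100.21:443      TIME_WAIT
  UDP    0.0.0.0:137            *:*
"""

LINUX_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:41230          203.0.113.7:6697        ESTABLISHED
tcp        0      0 10.0.0.5:41231          198.51.100.20:80        ESTABLISHED
"""


def _port(endpoint: str) -> Optional[int]:
    """Port of 'host:port' (also '[v6addr]:port'); None for a '*' wildcard."""
    port = endpoint.rpartition(":")[2]
    return int(port) if port.isdigit() else None


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Turn raw netstat output into connection records, skipping headers."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].lower().startswith(("tcp", "udp")):
            continue
        if len(tokens) >= 5 and tokens[1].isdigit():
            # Linux layout: Proto Recv-Q Send-Q Local Foreign [State]
            local, foreign = tokens[3], tokens[4]
            state = tokens[5] if len(tokens) > 5 else ""
        else:
            # Windows layout: Proto Local Foreign [State]
            local, foreign = tokens[1], tokens[2]
            state = tokens[3] if len(tokens) > 3 else ""
        records.append({
            "proto": tokens[0].lower(),
            "local": local,
            "foreign": foreign,
            "foreign_port": _port(foreign),
            "state": state.upper(),
        })
    return records


def suspicious_connections(text: str) -> List[Dict[str, object]]:
    """ESTABLISHED TCP sessions to a remote port in the IRC range."""
    return [
        r for r in parse_netstat(text)
        if str(r["proto"]).startswith("tcp")
        and r["state"] == "ESTABLISHED"
        and r["foreign_port"] in IRC_PORTS
    ]


if __name__ == "__main__":
    for sample in (WINDOWS_NETSTAT, LINUX_NETSTAT):
        for r in suspicious_connections(sample):
            print(f"{r['local']} -> {r['foreign']}: check which process owns this socket")
```

Feed it the output of netstat -ano (Windows) or netstat -antp (Linux) instead and the process ID is on the same line, which is what you need next: a hit on port 6667 from mirc.exe is a chat session, the same hit from a binary under the Run key in a temp directory is not. The port heuristic says nothing about botnets that listen on non-standard ports, as the text notes hardened ones do.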
It is also necessary to study the logs generated by IDS and firewall systems, mail servers, DHCP and proxy servers. This can help spot any abnormal traffic, which could be a sign of bot presence in the network. Once such traffic is noticed, a sniffer comes in handy in order to identify the subnet and the computer generating it. All the above may seem obvious, but is often forgotten.

It is also possible to use more sophisticated techniques to study and detect threats. One of these techniques is honeybots. Honeybots are machines built to become an easy target for attacks. Their role is to become infected and allow the administrator to pinpoint the source of the problem and study the attack method.

In conclusion, regardless of the tools at our disposal, the most efficient defence against botnet attacks lies in the user himself and in his awareness.
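Once a sniffer is on the suspect subnet, the "known patterns" the article relies on can be searched for mechanically: several hosts joining the same keyed channel under nicknames with a fixed prefix and a random suffix (FakeBot-wszyzc, FakeBot2-emcdnj), and dot-prefixed commands such as .login and .pctrl.list sent as PRIVMSGs by one outside host. The following Python script is an added example, not code from the lab or from the article: it works on a constructed list of (source IP, IRC line) pairs standing in for reassembled TCP payloads from a sniffer, and the command list (taken from Table 2), the nick regular expression and the three-bot threshold are my assumptions.

```python
"""Passive detection of cleartext IRC command and control in sniffer output,
using the patterns described in the text: many hosts joining the same keyed
channel under nicknames with a fixed prefix and random suffix, and dot-prefixed
bot commands (.login, .pctrl.list, ...) sent as PRIVMSGs."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Command families from Table 2, plus .login from Figure 5 (assumed list).
BOT_COMMAND_RE = re.compile(
    r"^\.(login|command|bot|irc|http|ftp|ddos|redirect|pctrl|harvest)(\.\w+)*\b")
# Nick shape seen in Figures 6 and 7: prefix, optional digit, dash, random lower-case suffix.
RANDOM_NICK_RE = re.compile(r"^[A-Za-z]+\d*-[a-z]{5,8}$")

# Constructed capture, not real traffic: (source IP, one IRC line as sent by that host).
CAPTURE: List[Tuple[str, str]] = [
    ("192.0.2.10", "NICK FakeBot-wszyzc"),
    ("192.0.2.10", "JOIN #ctrl s3cret"),
    ("192.0.2.11", "NICK FakeBot2-emcdnj"),
    ("192.0.2.11", "JOIN #ctrl s3cret"),
    ("192.0.2.12", "NICK FakeBot-qprtzl"),
    ("192.0.2.12", "JOIN #ctrl s3cret"),
    ("192.0.2.50", "NICK alice"),
    ("192.0.2.50", "JOIN #linux"),
    ("192.0.2.50", "PRIVMSG #linux :has anyone tried the new kernel?"),
    ("198.51.100.9", "PRIVMSG #ctrl :.login FaDe dune"),
    ("198.51.100.9", "PRIVMSG FakeBot-wszyzc :.pctrl.list"),
    ("198.51.100.9", "PRIVMSG FakeBot2-emcdnj :.bot.sysinfo"),
    ("198.51.100.9", "PRIVMSG FakeBot2-emcdnj :.harvest.cdkeys"),
]


def analyse(capture: List[Tuple[str, str]], min_bots: int = 3) -> List[Dict[str, object]]:
    """Report channels that look like C&C channels.

    A channel is flagged when at least `min_bots` members use random-suffix
    nicks, or when any bot command is addressed to the channel or to one of
    its members. The sender of such commands is reported as a master.
    (Single-channel JOINs only; 'JOIN #a,#b k1,k2' is not split.)"""
    nick_of: Dict[str, str] = {}                      # source IP -> last NICK
    members: Dict[str, Set[str]] = defaultdict(set)   # channel -> IPs that joined
    keys: Dict[str, str] = {}                         # channel -> JOIN key (+k)
    commands: List[Tuple[str, str, str]] = []         # (sender IP, target, text)

    for ip, line in capture:
        parts = line.strip().split(" ", 2)
        verb = parts[0].upper()
        if verb == "NICK" and len(parts) > 1:
            nick_of[ip] = parts[1]
        elif verb == "JOIN" and len(parts) > 1:
            members[parts[1]].add(ip)
            if len(parts) > 2:
                keys[parts[1]] = parts[2]
        elif verb == "PRIVMSG" and len(parts) > 2:
            text = parts[2].lstrip(":")
            if BOT_COMMAND_RE.match(text):
                commands.append((ip, parts[1], text))

    findings: List[Dict[str, object]] = []
    for chan, ips in members.items():
        nicks = {nick_of[ip] for ip in ips if ip in nick_of}
        random_nicks = sorted(n for n in nicks if RANDOM_NICK_RE.match(n))
        chan_cmds = [c for c in commands if c[1] == chan or c[1] in nicks]
        if len(random_nicks) >= min_bots or chan_cmds:
            findings.append({
                "channel": chan,
                "key": keys.get(chan),
                "bots": sorted(ips),
                "random_nicks": random_nicks,
                "masters": sorted({c[0] for c in chan_cmds}),
                "commands": [c[2] for c in chan_cmds],
            })
    return findings


if __name__ == "__main__":
    for f in analyse(CAPTURE):
        print(f"{f['channel']} (key {f['key']}): {len(f['bots'])} bots, "
              f"master(s) {', '.join(f['masters'])}, commands {f['commands']}")
```

Two things the output makes visible that the text only states: the channel key and the master's .login password both travel in clear, so whoever can sniff the segment can join the channel and authenticate as the master; and the detection only works on unencrypted, standard IRC, which is exactly why the hardened botnets described earlier move to encrypted and modified protocols on non-standard ports.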
Appendix D: End Road of a Spammer…

[2] Peter Francis-Macrae (born 1982) is a spammer found guilty of two counts of fraudulent trading, one of concealing criminal property, two of making threats to kill, one charge of threatening to destroy or damage property and one count of blackmail. He was running his own internet business from his father's home in Cambridge; the most recent accounts filed at Companies House showed that his business had a turnover of £49,000. Francis-Macrae had offered thousands of e-mail and website names when he had no right to do so. When Nominet warned him about his activities, he threatened to attack their servers. He was charged over his activities in 2004, and on November 16, 2005 it was announced in the press that he had been sentenced to six years in jail. In February 2006 he was found guilty of threatening to kill police officers and to blow up the Cambridgeshire force's headquarters in a letter to his solicitor from his prison cell. Judge Nicholas Coleman said: "I am deeply concerned about what this man claims he is going to do on his release." He ordered that Francis-Macrae undergo psychiatric reports before sentencing. In June 2006 he was given an additional 12-month sentence for making threats against the police, and was made subject to an ASBO. In October 2006, Peterborough Crown Court was told that the Crown Prosecution Service was attempting to seek out and confiscate more than £1 million. Francis-Macrae disrupted the hearing by repeatedly screaming "I'm innocent", "this is a sham" and "al-Qaeda" as loud as he could.

[1] Jason Smathers is a former employee of America Online. In February 2005, Smathers pled guilty to violations of the US CAN-SPAM Act of 2003. Smathers was accused and convicted of illegally selling approximately 92 million AOL member screen names, belonging to 30 million AOL customers, to a third party, who then sold the list to many spammers. Smathers made $28,000 on the initial sale.
The third party, Sean Dunaway, then sold the list for $52,000 to each spammer. On August 17, 2005, Smathers was sentenced to one year and three months in prison and ordered to pay $82,000 in restitution. Smathers had tried to enter a guilty plea early on; however, the court rejected his plea because at the time it was not clear to the court that Smathers had in fact broken the law under which he was being charged, although it was clear that he had broken some law. Judge Hellerstein said that he had stopped using his own AOL account back in December because he was getting too much spam. Smathers used another employee's ID in April and May 2003 to assemble a complete list of AOL's customer account screen names, zip codes, telephone numbers and credit card types. Jason Smathers was 23 years old and Sean Dunaway was 20. The maximum sentence was five years in prison and a fine of $250,000.
[3] Howard Carmack (also known as the Buffalo Spammer) was the first spammer, i.e. notorious sender of spam e-mails, to be sentenced to time in jail. He was arrested in May 2003 and initially freed on $20,000 bail. The prosecution succeeded in demonstrating to the jury of a court in the state of New York that he had sent out 825 million spam e-mails via the Internet service provider EarthLink, using the identities of two people from the city of Buffalo as well as hundreds of aliases. The jury found him guilty in March 2004 of a New York misdemeanor, identity theft, and 14 counts of fraud. Although there is now a United States federal law restricting fraudulent practices in spam, Carmack was not convicted under this law, since it was not yet in force at the time of the offences. Instead, he was convicted of violating New York state laws on identity theft and the falsification of documents (in this case, header and sender information). In May 2004 the court sentenced him to the maximum sentence for these offences, namely 7 years in prison. Before this conviction, Carmack had also lost a lawsuit before a federal court in Atlanta, which required him to pay damages of US$14.5 million to the Internet service provider EarthLink for the same actions.
References:

[1]
[2]
[3]
[4]

Additional Information:

[5]