SlideShare a Scribd company logo

A short visit to the bot zoo

U
UltraUploader
1 of 4
Download to read offline
form networks of compromised ma- chines (botnets) to further enhance theeffectivenessoftheirattacks. A short history of bots The first bots programs were used in Internet Relay Chat (IRC) net- works; they reacted to events in IRC channels and offered services to users. Inappropriate behavior started to evolve around 1993, resulting in the IRC wars that caused the first distributed denial- of-service (DDoS) attacks. Inrecentyears,maliciousbotshave become commonplace, with botnets in particular posing a severe threat to the Internet community. Attackers primarily use them for DDoS attacks, massidentitytheft,orsendingspam.A detailed introduction to botnets, how they work, and who uses them ap- pears elsewhere (see http://honey net.org/papers/bots/). Bot characteristics Three attributes characterize a bot: a remote control facility, the imple- mentationofseveralcommands,and a spreading mechanism to propagate it further. Let’s look at each one in more detail. A remote control lets an attacker manipulate infected machines. Bots currently implement several differ- ent approaches for this mechanism: • Typically, the bots controller uses a central IRC server for com- mand and control (C&C). All bots join a specific channel on this server and interpret all the mes- sages they receive here as com- mands. This structure is usually secured with the help of pass- words to connect to the server, join a specific channel, or issue commands. Several bots also use SSL-encrypted communication. • In other situations, such as when somebotsavoidIRCandusecovert communication channels, the con- trolleruses,forexample,communi- cation channels via an HTTP or DNS tunnel instead of an inappro- priate IRC protocol. They can, for example, encode commands to the bots inside HTTP requests or within DNS TXT records. An- other possibility is to hide com- mandsinimages(steganography). THORSTEN HOLZ RWTH Aachen University T his past year has seen a new attack trend emerge: bots. Afterasuccessfulcompromise,theattackerinstallsabot (alsocalledazombieordrone)onthesystem;thissmall program enables a remote control mechanism to then command the victim. Attackers use this technique repeatedly to A Short Visit to the Bot Zoo bot: n [common on IRC, MUD, and among gamers; from “robot”] 1. An IRC or MUD user who is actually a program. On IRC, typically the robot provides some useful service. Examples are NickServ, which tries to prevent random users from adopting nicks already claimed by others, and MsgServ, which allows one to send asynchronous messages to be delivered when the recipient signs on. —The Jargon File, version 4.4.7 76 PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/05/$20.00 © 2005 IEEE ■ IEEE SECURITY & PRIVACY Attack Trends Elias Levy, aleph1@securityfocus.com Iván Arce, ivan.arce@coresecurity.com
Attack Trends www.computer.org/security/ ■ IEEE SECURITY & PRIVACY 77 • Some bots use peer-to-peer (P2P) communication mechanisms to avoid a central C&C server be- cause it’s a single point of failure. Expect to see more bots imple- ment P2P communication similar to the protocol Slapper used.1 Typically, two types of com- mands are implemented over the re- mote control network: DDoS at- tacks and updates. DDoS attacks include SYN and UDP flooding or more clever ones such as spidering attacks—those that start from a given URL and follows all links in a recursive way—against Web sites. Update commands instruct the bot to download a file from the Internet and execute it. This lets the attacker issue arbitrary commands on the victim’s machine and dynamically enhance the bot’s features. Other commands include functions for sending spam, stealing sensitive in- formation from the victim (such as passwords or cookies), or using the victim’s computer for other nefari- ous purposes. The remote control facility and the commands that can be executed from it differentiate a bot from a worm, a program that propagates it- self by attacking other systems and copying itself to them. But similar to a worm, most bots also include a mechanismtospreadfurther,usually by automatically scanning whole network ranges and propagating themselves via vulnerabilities. These vulnerabilities usually appear in the Windows operating system, the most common being DCOM (MS03-026, buffer overrun in RPC interface could allow code execu- tion) and LSASS (MS04-011, secu- rityupdateforMicrosoftWindows). Attackers also integrate recently published exploits into their bots to react quickly to new trends. Propagation via network shares and weak passwords on other ma- chines is another common tech- nique.Thebotusesalistofpasswords and usernames to log on to remote shares and then drops its copy. Some bots propagate by using P2P file- sharing protocols, such as Kazaa and Bear Share; using interesting file- names, the bot drops copies of itself intotheseprograms’sharedfolders.It generates the filename by randomly choosing from sets of strings. An additional characteristic ap- plies to bots that the German Hon- eynet Project captured in the wild: most of them have at least one exe- cutable packer, a small program that compresses/encrypts the actual bi- nary.Typically,theattackerusestools such as UPX (http://upx.source forge.net/) or Morphine (http://hx def.czweb.org/download/Mor phine27.zip) to pack the executable. Examples and classification Let’s examine some specific bots in more detail. Table 1 gives a quantita- tiveoverviewoftheevolutionofdif- ferent bot types. It shows that Agobot, the bot that dominated the year 2004, is now less common. In contrast, attackers are increasingly using SDBot, and new variants ap- pear daily. Agobot and variants Probably the best-known family of bots is Agobot/Gaobot, and its variants Phatbot (www.lurhq.com/ phatbot.html), Forbot, and Xtrm- Bot. The antivirus vendor Sophos currently lists more than 1,100 known different versions of Agobot, and this number is steadily increasing. Agobot’s source code was published on various Web sites in April 2004, leading to new vari- ants every week since. A young German man using the pseudonym Ago first wrote Agobot in 2003; in May 2004, German au- thorities arrested and charged him with creating malicious computer code under the country’s computer sabotage law. The bot is written in C++withcross-platformcapabilities, anditshowsahighabstractdesign.It’s structured in a very modular way, whichmakesiteasytoaddcommands orscannersforothervulnerabilities. For remote control, this family of bots typically uses a central C&C IRC server. Some variants also use P2P communication via the decen- tralized WASTE network (http:// waste.sourceforge.net/), thus avoid- ingacentralserver. Agobot and its variants use a packet-sniffing library (libpcap) and Perl-compatible regular expressions to sniff and sort network traffic pass- ing through the victim’s computer. This malware can use the New Technology File System (NTFS) al- ternate data stream and offers rootkit capabilities such as file and process hiding to hide its own presence on a compromised host. As an added complication, reverse engineering thismalwareisdifficultbecauseitin- cludes functions to detect debuggers andvirtualmachines,anditencrypts the configuration in the binary. Onstartup,theprogramattempts to run a speed test for Internet con- nectivity.Byaccessingseveralservers and sending data to them, the bot triestoestimatethevictim’savailable bandwidth. Fortunately, this activity can help us estimate the actual num- ber of hosts compromised by this particular bot: essentially, we look at the log files. If Agobot uses www. belwue.de as one of the domains for a speed test, for example, the do- main’s administrators can make an www.computer.org/security/ ■ IEEE SECURITY & PRIVACY 77 MONTH AGOBOT SDBOT May 2004 543 332 June 2004 249 654 July 2004 339 1018 August 2004 133 977 September 2004 123 818 October 2004 158 1111 November 2004 113 1156 December 2004 196 1637 January 2005 227 1539 February 2005 97 2010 March 2005 200 1689 Table 1. New bot variants by month.
Attack Trends 78 IEEE SECURITY & PRIVACY ■ MAY/JUNE 2005 educated guess about the bot’s de- ployment by monitoring how often the speed test is performed. In May 2004, the University of Stuttgart’s Computer Emergency Response Team (RUS-CERT) identified ap- proximately 300,000 unique IP ad- dresses per day in this fashion.2 Thistypeofmalwarecanalsoter- minate the processes that belong to antivirus and monitoring applica- tions;somevariantscanevenmodify the host file (which contains the host-name-to-IP-address map- pings). The malware appends a list of Web site addresses—of antivirus vendors, for example—and redirects them to the loopback address, pre- venting the infected user from ac- cessing the specified location. SDBot and variants At the moment, SDBot and its vari- ants RBot, UrBot, UrXBot, and Spybot, are the most active bots in the wild. The whole family is writ- ten in C, and literally thousands of different versions exist because the source code is public. SDBot’s source code isn’t as well designed or writtenasAgobot’s,butitofferssim- ilar features, although the command setisn’taslarge,northeimplementa- tion as sophisticated. We can see bot evolution through time by looking at this par- ticular family of bots: each new ver- sion integrates new features, and eachnewvariantresultsinmajoren- hancements. Attackers integrate new vulnerabilities quickly, and once one version has a new spread- ing capability, all the others integrate it immediately. Moreover, small modifications that can implement specific features (such as password encryption within the malware) can be integrated in all variants. mIRC-based bots We subsume all mIRC-based bots into the category of GT-bots: so many different versions of them exist thatgivinganoverviewofalltheforks would be close to impossible. mIRC isapopularIRCclientforWindows, and GT is an abbreviation for global threat, which is the common name usedforallmIRC-scriptedbots. GT-bots launch an instance of the mIRC chat client with a set of scripts and other binaries. One bi- nary we usually find is a Hide- Window executable that hides the mIRC instance from the user. The other binaries are mainly dynamic link libraries (DLLs) linked to mIRC that add some new features that the mIRC scripts can use to Mid Atlantic (product/recruitment) Dawn Becker Phone: +1 732 772 0160 Fax: +1 732 772 0161 Email: db.ieeemedia@ieee.org New England (product) Jody Estabrook Phone: +1 978 244 0192 Fax: +1 978 244 0103 Email: je.ieeemedia@ieee.org New England (recruitment) Robert Zwick Phone: +1 212 419 7765 Fax: +1 212 419 7570 Email: r.zwick@ieee.org Connecticut (product) Stan Greenfield Phone: +1 203 938 2418 Fax: +1 203 938 3211 Email: greenco@optonline.net Midwest (product) Dave Jones Phone: +1 708 442 5633 Fax: +1 708 442 7620 Email: dj.ieeemedia@ieee.org Will Hamilton Phone: +1 269 381 2156 Fax: +1 269 381 2556 Email: wh.ieeemedia@ieee.org Joe DiNardo Phone: +1 440 248 2456 Fax: +1 440 248 2594 Email: jd.ieeemedia@ieee.org Southeast (recruitment) Thomas M. Flynn Phone: +1 770 645 2944 Fax: +1 770 993 4423 Email: flynntom@mindspring.com Southeast (product) Bill Holland Phone: +1 770 435 6549 Fax: +1 770 435 0243 Email: hollandwfh@yahoo.com Midwest/Southwest (recruitment) Darcy Giovingo Phone: +1 847 498-4520 Fax: +1 847 498-5911 Email: dg.ieeemedia@ieee.org Southwest (product) Josh Mayer Phone: +1 972 423 5507 Fax: +1 972 423 6858 Email: jm.ieeemedia@ieee.org Northwest (product) Peter D. Scott Phone: +1 415 421-7950 Fax: +1 415 398-4156 Email: peterd@pscottassoc.com Southern CA (product) Marshall Rubin Phone: +1 818 888 2407 Fax: +1 818 888 4907 Email: mr.ieeemedia@ieee.org Northwest/Southern CA (recruitment) Tim Matteson Phone: +1 310 836 4064 Fax: +1 310 836 4067 Email: tm.ieeemedia@ieee.org Japan Tim Matteson Phone: +1 310 836 4064 Fax: +1 310 836 4067 Email: tm.ieeemedia@ieee.org Europe (product) Hilary Turnbull Phone: +44 1875 825700 Fax: +44 1875 825701 Email: impress@impressmedia.com A D V E R T I S E R / P R O D U C T I N D E X M A Y / J U N E 2 0 0 5 Black Hat Briefings 2005 Cover 3 John Wiley & Sons Cover 2 Morgan KaufmannPublishers 13 Naval Reserve Cover 4 Boldface denotes advertisements in this issue. Advertising PersonnelAdvertiser Page Number Marion Delaney IEEE Media, Advertising Director Phone: +1 212 419 7766 Fax: +1 212 419 7589 Email: md.ieeemedia@ieee.org Marian Anderson Advertising Coordinator Phone: +1 714 821 8380 Fax: +1 714 821 4010 Email: manderson@computer.org Sandy Brown IEEE Computer Society, Business Development Manager Phone: +1 714 821 8380 Fax: +1 714 821 4010 Email: sb.ieeemedia@ieee.org Advertising Sales Representatives
Attack Trends control the bot. The bots can access the spreading functions in the DLLs and thus enable further propagation. GT-bots spread by exploiting weaknesses on remote computers and uploading themselves to com- promised hosts. One handicap is their large file size—they’re some- times bigger than a megabyte. Other types of bots Although some bots aren’t as wide- spread as the ones we’ve just exam- ined, some of them have interesting features that are worth reviewing. XotanditssuccessorXTBotim- plement a feature called dynamic re- mote settings stub. DRSS hides the communication flow between at- tacker and bots by embedding the commands in a file (for example, within an image). The attacker then uploads this file to a server, and the bot on the victim’s computer down- loads it, extracts the information, and interprets the commands. The Dataspy Network X bot is written in C++ and has a conve- nient interface that lets attackers writescannersandspreadersasplug- ins and extend the bot’s features. This bot has a major disadvantage— the default version doesn’t come with any spreaders—but plugins are availabletoovercomethisgap.Addi- tional plugins also offer services such as DDoS attacks, portscan interface, or hidden HTTP server. Bobax uses HTTP requests as its communication channel and thus implements a stealthier remote con- trol than IRC-based C&C. It also implements mechanisms to spread further by downloading and execut- ing arbitrary files. In contrast to otherbots,Bobax’sprimarypurpose is to send spam. A detailed analysis of it appears elsewhere (www.lurhq. com/bobax.html). aIRCBotisverysmall(only2,560 bytes); it’s not a typical bot because it implements a rudimentary remote control mechanism, and it only un- derstandsrawIRCcommands.Italso completely lacks the functions to spread further. Likewise, Q8Bot and kaiten are small bots, consisting of only a few hundred lines of source code, but they have an additional noteworthiness: they’re written for Unix/Linuxsystems.Theseprograms implement all common bot features: dynamic updating via HTTP-down- loads, various DDoS attack capabili- ties, execution of arbitrary com- mands,andmanymore.Intheversion we’ve captured, the spreaders are missing,butweassumeotherversions ofthesebotshavespreaders.Manydif- ferentversionsofsimplebotsbasedon the programming language Perl exist, but these bots usually contain only a few hundred lines of source code and offer a rudimentary set of commands (most often just for DDoS attacks). This type of bot is typically used on Unix-basedsystems. Bots are constantly evolving: at- tackers can integrate new vul- nerabilitieswithinanincrediblyshort time span, sometimes in a matter of hours or days. Furthermore, new techniques to hide the communica- tion channel between bot and con- troller, new remote control mecha- nisms in the form of P2P communi- cation, and other innovative ideas demonstrate that bots constitute an emerging security concern. The German Honeynet Project’s current research focuses on automated ways tocollectandanalyzemalware.We’re developing techniques to observe botnetsandtolearnmoreaboutbots. Asthesethreatscontinuetoadaptand change, so too must the security community. References 1. I. Arce and E. Levy, “An Analysis of the Slapper Worm,” IEEE Secu- rity & Privacy, vol. 1, no. 1, 2003, pp. 82–87. 2. T. Fischer, “Botnetze,” Proc. 12th DFN-CERT Workshop, DFN- CERT Services, 2005, p. E1–E7. Thorsten Holz is a research student at the Laboratory for Dependable Distrib- uted Systems at RWTH Aachen Univer- sity. His research interests include the practical aspects of secure systems, but he’s also interested in more theoretical considerations of dependable systems. Holz is one of the founders of the German Honeynet Project. Contact him at holz@ i4.informatik.rwth-aachen.de. www.computer.org/security/ ■ IEEE SECURITY & PRIVACY 79 JAN./FEB.: Economics of Information Security MAR./APR.: Trusted Computing MAY/JUN.: Infrastructure Security JUL./AUG.: Enterprise Security Management SEPT./OCT.: Policy and Regulation NOV./DEC.: Consumer Devices www.computer.org/security/ 2005 EDITORIAL CALENDAR2005 EDITORIAL CALENDAR

Recommended

Tracing Back The Botmaster
Tracing Back The BotmasterTracing Back The Botmaster
Tracing Back The BotmasterIJERA Editor
 
about botnets
about botnetsabout botnets
about botnetsAlain Bindele
 
Botnets
BotnetsBotnets
BotnetsKavisha Miyan
 
Botnet Detection in Online-social Network
Botnet Detection in Online-social NetworkBotnet Detection in Online-social Network
Botnet Detection in Online-social NetworkRubal Sagwal
 
A Survey of Botnet Detection Techniques
A Survey of Botnet Detection TechniquesA Survey of Botnet Detection Techniques
A Survey of Botnet Detection Techniquesijsrd.com
 
All you know about Botnet
All you know about BotnetAll you know about Botnet
All you know about BotnetNaveen Titare
 
Botnet
BotnetBotnet
BotnetJoshin Gomez
 
Botnet Architecture
Botnet ArchitectureBotnet Architecture
Botnet ArchitectureBhagath Singh Jayaprakasam
 

Recommended

Tracing Back The Botmaster
Tracing Back The BotmasterTracing Back The Botmaster
Tracing Back The BotmasterIJERA Editor
 
about botnets
about botnetsabout botnets
about botnetsAlain Bindele
 
Botnets
BotnetsBotnets
BotnetsKavisha Miyan
 
Botnet Detection in Online-social Network
Botnet Detection in Online-social NetworkBotnet Detection in Online-social Network
Botnet Detection in Online-social NetworkRubal Sagwal
 
A Survey of Botnet Detection Techniques
A Survey of Botnet Detection TechniquesA Survey of Botnet Detection Techniques
A Survey of Botnet Detection Techniquesijsrd.com
 
All you know about Botnet
All you know about BotnetAll you know about Botnet
All you know about BotnetNaveen Titare
 
Botnet
BotnetBotnet
BotnetJoshin Gomez
 
Botnet Architecture
Botnet ArchitectureBotnet Architecture
Botnet ArchitectureBhagath Singh Jayaprakasam
 
Botnets
BotnetsBotnets
BotnetsVishwadeep Badgujar
 
A review botnet detection and suppression in clouds
A review botnet detection and suppression in cloudsA review botnet detection and suppression in clouds
A review botnet detection and suppression in cloudsAlexander Decker
 
What is botnet?
What is botnet?What is botnet?
What is botnet?Milan Petrásek
 
BOTNET
BOTNETBOTNET
BOTNETArjo Ghosh
 
Botnet
Botnet Botnet
Botnet PriyanKa Harjai
 
Botnets 101
Botnets 101Botnets 101
Botnets 101Aung Thu Rha Hein
 
Botnets presentation
Botnets presentationBotnets presentation
Botnets presentationMahmoud Ibra
 
Study on Botnet Architecture
Study on Botnet ArchitectureStudy on Botnet Architecture
Study on Botnet ArchitectureBini Bs
 
BotNet Attacks
BotNet AttacksBotNet Attacks
BotNet AttacksRangana lakmal
 
introduction to Botnet
introduction to Botnetintroduction to Botnet
introduction to Botnetyogendra singh chahar
 
Botnets In Cyber Security
Botnets In Cyber SecurityBotnets In Cyber Security
Botnets In Cyber Securitysumit saurav
 
A Brief Incursion into Botnet Detection
A Brief Incursion into Botnet DetectionA Brief Incursion into Botnet Detection
A Brief Incursion into Botnet DetectionAnant Narayanan
 
Botnets
BotnetsBotnets
Botnetsrichashri3
 
Botnet Detection Techniques
Botnet Detection TechniquesBotnet Detection Techniques
Botnet Detection TechniquesTeam Firefly
 
Botnet
BotnetBotnet
Botnetlokenra
 
Software security
Software securitySoftware security
Software securityjes_d
 
Botnets And Alife
Botnets And AlifeBotnets And Alife
Botnets And AlifeZotronix
 
computer vipin kumar ppt
computer vipin kumar pptcomputer vipin kumar ppt
computer vipin kumar pptvipinkumar940
 
Ce hv6 module 63 botnets
Ce hv6 module 63 botnetsCe hv6 module 63 botnets
Ce hv6 module 63 botnetsVi Tính Hoàng Nam
 
Storm Worm & Botnet
Storm Worm & BotnetStorm Worm & Botnet
Storm Worm & BotnetKendiv
 
061812 Current Acctg Fin Roles Lkdin
061812 Current Acctg Fin Roles Lkdin061812 Current Acctg Fin Roles Lkdin
061812 Current Acctg Fin Roles LkdinCandice Meade - Senior Partner
 
A parallel string matching engine for use in high speed network intrusion det...
A parallel string matching engine for use in high speed network intrusion det...A parallel string matching engine for use in high speed network intrusion det...
A parallel string matching engine for use in high speed network intrusion det...UltraUploader
 

More Related Content

What's hot

A review botnet detection and suppression in clouds
A review botnet detection and suppression in cloudsA review botnet detection and suppression in clouds
A review botnet detection and suppression in cloudsAlexander Decker
 
Botnets presentation
Botnets presentationBotnets presentation
Botnets presentationMahmoud Ibra
 
Study on Botnet Architecture
Study on Botnet ArchitectureStudy on Botnet Architecture
Study on Botnet ArchitectureBini Bs
 
Botnets In Cyber Security
Botnets In Cyber SecurityBotnets In Cyber Security
Botnets In Cyber Securitysumit saurav
 
A Brief Incursion into Botnet Detection
A Brief Incursion into Botnet DetectionA Brief Incursion into Botnet Detection
A Brief Incursion into Botnet DetectionAnant Narayanan
 
Botnet Detection Techniques
Botnet Detection TechniquesBotnet Detection Techniques
Botnet Detection TechniquesTeam Firefly
 
Software security
Software securitySoftware security
Software securityjes_d
 
Botnets And Alife
Botnets And AlifeBotnets And Alife
Botnets And AlifeZotronix
 
computer vipin kumar ppt
computer vipin kumar pptcomputer vipin kumar ppt
computer vipin kumar pptvipinkumar940
 
Storm Worm & Botnet
Storm Worm & BotnetStorm Worm & Botnet
Storm Worm & BotnetKendiv
 

What's hot (20)

Botnets
BotnetsBotnets
Botnets
 
A review botnet detection and suppression in clouds
A review botnet detection and suppression in cloudsA review botnet detection and suppression in clouds
A review botnet detection and suppression in clouds
 
What is botnet?
What is botnet?What is botnet?
What is botnet?
 
BOTNET
BOTNETBOTNET
BOTNET
 
Botnet
Botnet Botnet
Botnet
 
Botnets 101
Botnets 101Botnets 101
Botnets 101
 
Botnets presentation
Botnets presentationBotnets presentation
Botnets presentation
 
Study on Botnet Architecture
Study on Botnet ArchitectureStudy on Botnet Architecture
Study on Botnet Architecture
 
BotNet Attacks
BotNet AttacksBotNet Attacks
BotNet Attacks
 
introduction to Botnet
introduction to Botnetintroduction to Botnet
introduction to Botnet
 
Botnets In Cyber Security
Botnets In Cyber SecurityBotnets In Cyber Security
Botnets In Cyber Security
 
A Brief Incursion into Botnet Detection
A Brief Incursion into Botnet DetectionA Brief Incursion into Botnet Detection
A Brief Incursion into Botnet Detection
 
Botnets
BotnetsBotnets
Botnets
 
Botnet Detection Techniques
Botnet Detection TechniquesBotnet Detection Techniques
Botnet Detection Techniques
 
Botnet
BotnetBotnet
Botnet
 
Software security
Software securitySoftware security
Software security
 
Botnets And Alife
Botnets And AlifeBotnets And Alife
Botnets And Alife
 
computer vipin kumar ppt
computer vipin kumar pptcomputer vipin kumar ppt
computer vipin kumar ppt
 
Ce hv6 module 63 botnets
Ce hv6 module 63 botnetsCe hv6 module 63 botnets
Ce hv6 module 63 botnets
 
Storm Worm & Botnet
Storm Worm & BotnetStorm Worm & Botnet
Storm Worm & Botnet
 

Viewers also liked

A parallel string matching engine for use in high speed network intrusion det...
A parallel string matching engine for use in high speed network intrusion det...A parallel string matching engine for use in high speed network intrusion det...
A parallel string matching engine for use in high speed network intrusion det...UltraUploader
 
A cost analysis of typical computer viruses and defenses
A cost analysis of typical computer viruses and defensesA cost analysis of typical computer viruses and defenses
A cost analysis of typical computer viruses and defensesUltraUploader
 
Evaluación 01
Evaluación 01Evaluación 01
Evaluación 01carolina
 
Evaluación 12
Evaluación 12Evaluación 12
Evaluación 12carolina
 
Approaches to integrated malware detection and avoidance
Approaches to integrated malware detection and avoidanceApproaches to integrated malware detection and avoidance
Approaches to integrated malware detection and avoidanceUltraUploader
 
Artista a network for ar tifical immune sys tems
Artista a network for ar tifical immune sys temsArtista a network for ar tifical immune sys tems
Artista a network for ar tifical immune sys temsUltraUploader
 
Biological aspects of computer virology
Biological aspects of computer virologyBiological aspects of computer virology
Biological aspects of computer virologyUltraUploader
 
A proposed taxonomy of software weapons
A proposed taxonomy of software weaponsA proposed taxonomy of software weapons
A proposed taxonomy of software weaponsUltraUploader
 
Delicious chocolates
Delicious chocolatesDelicious chocolates
Delicious chocolatesisma0316
 
A bit of viral protection is worth a megabyte of cure
A bit of viral protection is worth a megabyte of cureA bit of viral protection is worth a megabyte of cure
A bit of viral protection is worth a megabyte of cureUltraUploader
 
A unified prediction of computer virus spread in connected networks
A unified prediction of computer virus spread in connected networksA unified prediction of computer virus spread in connected networks
A unified prediction of computer virus spread in connected networksUltraUploader
 
Mn resume2014 ____
Mn resume2014 ____Mn resume2014 ____
Mn resume2014 ____mr240816
 
A network worm vaccine architecture
A network worm vaccine architectureA network worm vaccine architecture
A network worm vaccine architectureUltraUploader
 
No caminho do milagre
No caminho do milagreNo caminho do milagre
No caminho do milagrelucassoares02
 
Introduction to manufacturing system and cnc machines
Introduction to manufacturing system and cnc machinesIntroduction to manufacturing system and cnc machines
Introduction to manufacturing system and cnc machinesThulasikanth Vaddi
 

Viewers also liked (19)

061812 Current Acctg Fin Roles Lkdin
061812 Current Acctg Fin Roles Lkdin061812 Current Acctg Fin Roles Lkdin
061812 Current Acctg Fin Roles Lkdin
 
A parallel string matching engine for use in high speed network intrusion det...
A parallel string matching engine for use in high speed network intrusion det...A parallel string matching engine for use in high speed network intrusion det...
A parallel string matching engine for use in high speed network intrusion det...
 
A cost analysis of typical computer viruses and defenses
A cost analysis of typical computer viruses and defensesA cost analysis of typical computer viruses and defenses
A cost analysis of typical computer viruses and defenses
 
081312 Current Finance Openings In Houston 6.18.12.
081312 Current Finance Openings In Houston 6.18.12.081312 Current Finance Openings In Houston 6.18.12.
081312 Current Finance Openings In Houston 6.18.12.
 
Evaluación 01
Evaluación 01Evaluación 01
Evaluación 01
 
Evaluación 12
Evaluación 12Evaluación 12
Evaluación 12
 
Approaches to integrated malware detection and avoidance
Approaches to integrated malware detection and avoidanceApproaches to integrated malware detection and avoidance
Approaches to integrated malware detection and avoidance
 
Artista a network for ar tifical immune sys tems
Artista a network for ar tifical immune sys temsArtista a network for ar tifical immune sys tems
Artista a network for ar tifical immune sys tems
 
Biological aspects of computer virology
Biological aspects of computer virologyBiological aspects of computer virology
Biological aspects of computer virology
 
A proposed taxonomy of software weapons
A proposed taxonomy of software weaponsA proposed taxonomy of software weapons
A proposed taxonomy of software weapons
 
Delicious chocolates
Delicious chocolatesDelicious chocolates
Delicious chocolates
 
A bit of viral protection is worth a megabyte of cure
A bit of viral protection is worth a megabyte of cureA bit of viral protection is worth a megabyte of cure
A bit of viral protection is worth a megabyte of cure
 
A unified prediction of computer virus spread in connected networks
A unified prediction of computer virus spread in connected networksA unified prediction of computer virus spread in connected networks
A unified prediction of computer virus spread in connected networks
 
Mn resume2014 ____
Mn resume2014 ____Mn resume2014 ____
Mn resume2014 ____
 
A network worm vaccine architecture
A network worm vaccine architectureA network worm vaccine architecture
A network worm vaccine architecture
 
Autoimmune viruses
Autoimmune virusesAutoimmune viruses
Autoimmune viruses
 
No caminho do milagre
No caminho do milagreNo caminho do milagre
No caminho do milagre
 
Introduction to manufacturing system and cnc machines
Introduction to manufacturing system and cnc machinesIntroduction to manufacturing system and cnc machines
Introduction to manufacturing system and cnc machines
 
Basic-CV-template copy
Basic-CV-template copyBasic-CV-template copy
Basic-CV-template copy
 

Similar to A short visit to the bot zoo

Mcs2453 aniq mc101053-assignment1
Mcs2453 aniq mc101053-assignment1Mcs2453 aniq mc101053-assignment1
Mcs2453 aniq mc101053-assignment1Aniq Eastrarulkhair
 
Guarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social NetworkGuarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social NetworkEditor IJCATR
 
lab3cdga.ziplab3code.c#include stdio.h#include std.docx
lab3cdga.ziplab3code.c#include stdio.h#include std.docxlab3cdga.ziplab3code.c#include stdio.h#include std.docx
lab3cdga.ziplab3code.c#include stdio.h#include std.docxsmile790243
 
Paper-ComputerWormClassification.pdf
Paper-ComputerWormClassification.pdfPaper-ComputerWormClassification.pdf
Paper-ComputerWormClassification.pdfRishikhesanALMuniand
 
A Dynamic Botnet Detection Model based on Behavior Analysis
A Dynamic Botnet Detection Model based on Behavior AnalysisA Dynamic Botnet Detection Model based on Behavior Analysis
A Dynamic Botnet Detection Model based on Behavior Analysisidescitation
 
5 worms and other malware
5 worms and other malware5 worms and other malware
5 worms and other malwaredrewz lin
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)Wail Hassan
 
Defending Against Botnets
Defending Against BotnetsDefending Against Botnets
Defending Against BotnetsJim Lippard
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesAmit Kumbhar
 
Botnet detection by Imitation method
Botnet detection by Imitation methodBotnet detection by Imitation method
Botnet detection by Imitation methodAcad
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsAndrea Bissoli
 
Computer worm
Computer wormComputer worm
Computer wormzelkan19
 
Computer worm
Computer wormComputer worm
Computer wormzelkan19
 
Ids 006 computer worms
Ids 006 computer wormsIds 006 computer worms
Ids 006 computer wormsjyoti_lakhani
 
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...IRJET Journal
 
Formative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering AttacksFormative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering AttacksDamaineFranklinMScBE
 

Similar to A short visit to the bot zoo (20)

Mcs2453 aniq mc101053-assignment1
Mcs2453 aniq mc101053-assignment1Mcs2453 aniq mc101053-assignment1
Mcs2453 aniq mc101053-assignment1
 
Guarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social NetworkGuarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social Network
 
Analysis of rxbot
Analysis of rxbotAnalysis of rxbot
Analysis of rxbot
 
lab3cdga.ziplab3code.c#include stdio.h#include std.docx
lab3cdga.ziplab3code.c#include stdio.h#include std.docxlab3cdga.ziplab3code.c#include stdio.h#include std.docx
lab3cdga.ziplab3code.c#include stdio.h#include std.docx
 
Paper-ComputerWormClassification.pdf
Paper-ComputerWormClassification.pdfPaper-ComputerWormClassification.pdf
Paper-ComputerWormClassification.pdf
 
A Dynamic Botnet Detection Model based on Behavior Analysis
A Dynamic Botnet Detection Model based on Behavior AnalysisA Dynamic Botnet Detection Model based on Behavior Analysis
A Dynamic Botnet Detection Model based on Behavior Analysis
 
5 worms and other malware
5 worms and other malware5 worms and other malware
5 worms and other malware
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)
 
Survey on Computer Worms
Survey on Computer WormsSurvey on Computer Worms
Survey on Computer Worms
 
Defending Against Botnets
Defending Against BotnetsDefending Against Botnets
Defending Against Botnets
 
Bots and Botnet
Bots and BotnetBots and Botnet
Bots and Botnet
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows Vulnerabilities
 
Botnet detection by Imitation method
Botnet detection by Imitation methodBotnet detection by Imitation method
Botnet detection by Imitation method
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systems
 
Computer worm
Computer wormComputer worm
Computer worm
 
Computer worm
Computer wormComputer worm
Computer worm
 
Ids 006 computer worms
Ids 006 computer wormsIds 006 computer worms
Ids 006 computer worms
 
Botnet
BotnetBotnet
Botnet
 
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
 
Formative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering AttacksFormative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering Attacks
 

More from UltraUploader

01 le 10 regole dell'hacking
01 le 10 regole dell'hacking01 le 10 regole dell'hacking
01 le 10 regole dell'hackingUltraUploader
 
00 the big guide sz (by dr.to-d)
00 the big guide sz (by dr.to-d)00 the big guide sz (by dr.to-d)
00 the big guide sz (by dr.to-d)UltraUploader
 
[E book ita] php manual
[E book ita] php manual[E book ita] php manual
[E book ita] php manualUltraUploader
 
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...UltraUploader
 
[Ebook ita - database] access 2000 manuale
[Ebook ita - database] access 2000 manuale[Ebook ita - database] access 2000 manuale
[Ebook ita - database] access 2000 manualeUltraUploader
 
(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)UltraUploader
 
(Ebook ita - inform - access) guida al database access (doc)
(Ebook ita - inform - access) guida al database access (doc)(Ebook ita - inform - access) guida al database access (doc)
(Ebook ita - inform - access) guida al database access (doc)UltraUploader
 
(Ebook computer - ita - pdf) fondamenti di informatica - teoria
(Ebook computer - ita - pdf) fondamenti di informatica - teoria(Ebook computer - ita - pdf) fondamenti di informatica - teoria
(Ebook computer - ita - pdf) fondamenti di informatica - teoriaUltraUploader
 
Broadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorBroadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorUltraUploader
 
Botnetsand applications
Botnetsand applicationsBotnetsand applications
Botnetsand applicationsUltraUploader
 
Bot software spreads, causes new worries
Bot software spreads, causes new worriesBot software spreads, causes new worries
Bot software spreads, causes new worriesUltraUploader
 
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...UltraUploader
 
Bird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassemblyBird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassemblyUltraUploader
 
Biologically inspired defenses against computer viruses
Biologically inspired defenses against computer virusesBiologically inspired defenses against computer viruses
Biologically inspired defenses against computer virusesUltraUploader
 
Biological versus computer viruses
Biological versus computer virusesBiological versus computer viruses
Biological versus computer virusesUltraUploader
 
Biological models of security for virus propagation in computer networks
Biological models of security for virus propagation in computer networksBiological models of security for virus propagation in computer networks
Biological models of security for virus propagation in computer networksUltraUploader
 
Binary obfuscation using signals
Binary obfuscation using signalsBinary obfuscation using signals
Binary obfuscation using signalsUltraUploader
 

More from UltraUploader (20)

1 (1)
1 (1)1 (1)
1 (1)
 
01 intro
01 intro01 intro
01 intro
 
01 le 10 regole dell'hacking
01 le 10 regole dell'hacking01 le 10 regole dell'hacking
01 le 10 regole dell'hacking
 
00 the big guide sz (by dr.to-d)
00 the big guide sz (by dr.to-d)00 the big guide sz (by dr.to-d)
00 the big guide sz (by dr.to-d)
 
[E book ita] php manual
[E book ita] php manual[E book ita] php manual
[E book ita] php manual
 
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
 
[Ebook ita - database] access 2000 manuale
[Ebook ita - database] access 2000 manuale[Ebook ita - database] access 2000 manuale
[Ebook ita - database] access 2000 manuale
 
(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)
 
(Ebook ita - inform - access) guida al database access (doc)
(Ebook ita - inform - access) guida al database access (doc)(Ebook ita - inform - access) guida al database access (doc)
(Ebook ita - inform - access) guida al database access (doc)
 
(Ebook computer - ita - pdf) fondamenti di informatica - teoria
(Ebook computer - ita - pdf) fondamenti di informatica - teoria(Ebook computer - ita - pdf) fondamenti di informatica - teoria
(Ebook computer - ita - pdf) fondamenti di informatica - teoria
 
Broadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorBroadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitor
 
Botnetsand applications
Botnetsand applicationsBotnetsand applications
Botnetsand applications
 
Bot software spreads, causes new worries
Bot software spreads, causes new worriesBot software spreads, causes new worries
Bot software spreads, causes new worries
 
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
 
Blast off!
Blast off!Blast off!
Blast off!
 
Bird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassemblyBird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassembly
 
Biologically inspired defenses against computer viruses
Biologically inspired defenses against computer virusesBiologically inspired defenses against computer viruses
Biologically inspired defenses against computer viruses
 
Biological versus computer viruses
Biological versus computer virusesBiological versus computer viruses
Biological versus computer viruses
 
Biological models of security for virus propagation in computer networks
Biological models of security for virus propagation in computer networksBiological models of security for virus propagation in computer networks
Biological models of security for virus propagation in computer networks
 
Binary obfuscation using signals
Binary obfuscation using signalsBinary obfuscation using signals
Binary obfuscation using signals
 

A short visit to the bot zoo

  • 1. form networks of compromised ma- chines (botnets) to further enhance theeffectivenessoftheirattacks. A short history of bots The first bots programs were used in Internet Relay Chat (IRC) net- works; they reacted to events in IRC channels and offered services to users. Inappropriate behavior started to evolve around 1993, resulting in the IRC wars that caused the first distributed denial- of-service (DDoS) attacks. Inrecentyears,maliciousbotshave become commonplace, with botnets in particular posing a severe threat to the Internet community. Attackers primarily use them for DDoS attacks, massidentitytheft,orsendingspam.A detailed introduction to botnets, how they work, and who uses them ap- pears elsewhere (see http://honey net.org/papers/bots/). Bot characteristics Three attributes characterize a bot: a remote control facility, the imple- mentationofseveralcommands,and a spreading mechanism to propagate it further. Let’s look at each one in more detail. A remote control lets an attacker manipulate infected machines. Bots currently implement several differ- ent approaches for this mechanism: • Typically, the bots controller uses a central IRC server for com- mand and control (C&C). All bots join a specific channel on this server and interpret all the mes- sages they receive here as com- mands. This structure is usually secured with the help of pass- words to connect to the server, join a specific channel, or issue commands. Several bots also use SSL-encrypted communication. • In other situations, such as when somebotsavoidIRCandusecovert communication channels, the con- trolleruses,forexample,communi- cation channels via an HTTP or DNS tunnel instead of an inappro- priate IRC protocol. They can, for example, encode commands to the bots inside HTTP requests or within DNS TXT records. An- other possibility is to hide com- mandsinimages(steganography). THORSTEN HOLZ RWTH Aachen University T his past year has seen a new attack trend emerge: bots. Afterasuccessfulcompromise,theattackerinstallsabot (alsocalledazombieordrone)onthesystem;thissmall program enables a remote control mechanism to then command the victim. Attackers use this technique repeatedly to A Short Visit to the Bot Zoo bot: n [common on IRC, MUD, and among gamers; from “robot”] 1. An IRC or MUD user who is actually a program. On IRC, typically the robot provides some useful service. Examples are NickServ, which tries to prevent random users from adopting nicks already claimed by others, and MsgServ, which allows one to send asynchronous messages to be delivered when the recipient signs on. —The Jargon File, version 4.4.7 76 PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/05/$20.00 © 2005 IEEE ■ IEEE SECURITY & PRIVACY Attack Trends Elias Levy, aleph1@securityfocus.com Iván Arce, ivan.arce@coresecurity.com
  • 2. Attack Trends www.computer.org/security/ ■ IEEE SECURITY & PRIVACY 77 • Some bots use peer-to-peer (P2P) communication mechanisms to avoid a central C&C server be- cause it’s a single point of failure. Expect to see more bots imple- ment P2P communication similar to the protocol Slapper used.1 Typically, two types of com- mands are implemented over the re- mote control network: DDoS at- tacks and updates. DDoS attacks include SYN and UDP flooding or more clever ones such as spidering attacks—those that start from a given URL and follows all links in a recursive way—against Web sites. Update commands instruct the bot to download a file from the Internet and execute it. This lets the attacker issue arbitrary commands on the victim’s machine and dynamically enhance the bot’s features. Other commands include functions for sending spam, stealing sensitive in- formation from the victim (such as passwords or cookies), or using the victim’s computer for other nefari- ous purposes. The remote control facility and the commands that can be executed from it differentiate a bot from a worm, a program that propagates it- self by attacking other systems and copying itself to them. But similar to a worm, most bots also include a mechanismtospreadfurther,usually by automatically scanning whole network ranges and propagating themselves via vulnerabilities. These vulnerabilities usually appear in the Windows operating system, the most common being DCOM (MS03-026, buffer overrun in RPC interface could allow code execu- tion) and LSASS (MS04-011, secu- rityupdateforMicrosoftWindows). Attackers also integrate recently published exploits into their bots to react quickly to new trends. Propagation via network shares and weak passwords on other ma- chines is another common tech- nique.Thebotusesalistofpasswords and usernames to log on to remote shares and then drops its copy. Some bots propagate by using P2P file- sharing protocols, such as Kazaa and Bear Share; using interesting file- names, the bot drops copies of itself intotheseprograms’sharedfolders.It generates the filename by randomly choosing from sets of strings. An additional characteristic ap- plies to bots that the German Hon- eynet Project captured in the wild: most of them have at least one exe- cutable packer, a small program that compresses/encrypts the actual bi- nary.Typically,theattackerusestools such as UPX (http://upx.source forge.net/) or Morphine (http://hx def.czweb.org/download/Mor phine27.zip) to pack the executable. Examples and classification Let’s examine some specific bots in more detail. Table 1 gives a quantita- tiveoverviewoftheevolutionofdif- ferent bot types. It shows that Agobot, the bot that dominated the year 2004, is now less common. In contrast, attackers are increasingly using SDBot, and new variants ap- pear daily. Agobot and variants Probably the best-known family of bots is Agobot/Gaobot, and its variants Phatbot (www.lurhq.com/ phatbot.html), Forbot, and Xtrm- Bot. The antivirus vendor Sophos currently lists more than 1,100 known different versions of Agobot, and this number is steadily increasing. Agobot’s source code was published on various Web sites in April 2004, leading to new vari- ants every week since. A young German man using the pseudonym Ago first wrote Agobot in 2003; in May 2004, German au- thorities arrested and charged him with creating malicious computer code under the country’s computer sabotage law. The bot is written in C++withcross-platformcapabilities, anditshowsahighabstractdesign.It’s structured in a very modular way, whichmakesiteasytoaddcommands orscannersforothervulnerabilities. For remote control, this family of bots typically uses a central C&C IRC server. Some variants also use P2P communication via the decen- tralized WASTE network (http:// waste.sourceforge.net/), thus avoid- ingacentralserver. Agobot and its variants use a packet-sniffing library (libpcap) and Perl-compatible regular expressions to sniff and sort network traffic pass- ing through the victim’s computer. This malware can use the New Technology File System (NTFS) al- ternate data stream and offers rootkit capabilities such as file and process hiding to hide its own presence on a compromised host. As an added complication, reverse engineering thismalwareisdifficultbecauseitin- cludes functions to detect debuggers andvirtualmachines,anditencrypts the configuration in the binary. Onstartup,theprogramattempts to run a speed test for Internet con- nectivity.Byaccessingseveralservers and sending data to them, the bot triestoestimatethevictim’savailable bandwidth. Fortunately, this activity can help us estimate the actual num- ber of hosts compromised by this particular bot: essentially, we look at the log files. If Agobot uses www. belwue.de as one of the domains for a speed test, for example, the do- main’s administrators can make an www.computer.org/security/ ■ IEEE SECURITY & PRIVACY 77 MONTH AGOBOT SDBOT May 2004 543 332 June 2004 249 654 July 2004 339 1018 August 2004 133 977 September 2004 123 818 October 2004 158 1111 November 2004 113 1156 December 2004 196 1637 January 2005 227 1539 February 2005 97 2010 March 2005 200 1689 Table 1. New bot variants by month.
  • 3. Attack Trends 78 IEEE SECURITY & PRIVACY ■ MAY/JUNE 2005 educated guess about the bot’s de- ployment by monitoring how often the speed test is performed. In May 2004, the University of Stuttgart’s Computer Emergency Response Team (RUS-CERT) identified ap- proximately 300,000 unique IP ad- dresses per day in this fashion.2 Thistypeofmalwarecanalsoter- minate the processes that belong to antivirus and monitoring applica- tions;somevariantscanevenmodify the host file (which contains the host-name-to-IP-address map- pings). The malware appends a list of Web site addresses—of antivirus vendors, for example—and redirects them to the loopback address, pre- venting the infected user from ac- cessing the specified location. SDBot and variants At the moment, SDBot and its vari- ants RBot, UrBot, UrXBot, and Spybot, are the most active bots in the wild. The whole family is writ- ten in C, and literally thousands of different versions exist because the source code is public. SDBot’s source code isn’t as well designed or writtenasAgobot’s,butitofferssim- ilar features, although the command setisn’taslarge,northeimplementa- tion as sophisticated. We can see bot evolution through time by looking at this par- ticular family of bots: each new ver- sion integrates new features, and eachnewvariantresultsinmajoren- hancements. Attackers integrate new vulnerabilities quickly, and once one version has a new spread- ing capability, all the others integrate it immediately. Moreover, small modifications that can implement specific features (such as password encryption within the malware) can be integrated in all variants. mIRC-based bots We subsume all mIRC-based bots into the category of GT-bots: so many different versions of them exist thatgivinganoverviewofalltheforks would be close to impossible. mIRC isapopularIRCclientforWindows, and GT is an abbreviation for global threat, which is the common name usedforallmIRC-scriptedbots. GT-bots launch an instance of the mIRC chat client with a set of scripts and other binaries. One bi- nary we usually find is a Hide- Window executable that hides the mIRC instance from the user. The other binaries are mainly dynamic link libraries (DLLs) linked to mIRC that add some new features that the mIRC scripts can use to Mid Atlantic (product/recruitment) Dawn Becker Phone: +1 732 772 0160 Fax: +1 732 772 0161 Email: db.ieeemedia@ieee.org New England (product) Jody Estabrook Phone: +1 978 244 0192 Fax: +1 978 244 0103 Email: je.ieeemedia@ieee.org New England (recruitment) Robert Zwick Phone: +1 212 419 7765 Fax: +1 212 419 7570 Email: r.zwick@ieee.org Connecticut (product) Stan Greenfield Phone: +1 203 938 2418 Fax: +1 203 938 3211 Email: greenco@optonline.net Midwest (product) Dave Jones Phone: +1 708 442 5633 Fax: +1 708 442 7620 Email: dj.ieeemedia@ieee.org Will Hamilton Phone: +1 269 381 2156 Fax: +1 269 381 2556 Email: wh.ieeemedia@ieee.org Joe DiNardo Phone: +1 440 248 2456 Fax: +1 440 248 2594 Email: jd.ieeemedia@ieee.org Southeast (recruitment) Thomas M. Flynn Phone: +1 770 645 2944 Fax: +1 770 993 4423 Email: flynntom@mindspring.com Southeast (product) Bill Holland Phone: +1 770 435 6549 Fax: +1 770 435 0243 Email: hollandwfh@yahoo.com Midwest/Southwest (recruitment) Darcy Giovingo Phone: +1 847 498-4520 Fax: +1 847 498-5911 Email: dg.ieeemedia@ieee.org Southwest (product) Josh Mayer Phone: +1 972 423 5507 Fax: +1 972 423 6858 Email: jm.ieeemedia@ieee.org Northwest (product) Peter D. Scott Phone: +1 415 421-7950 Fax: +1 415 398-4156 Email: peterd@pscottassoc.com Southern CA (product) Marshall Rubin Phone: +1 818 888 2407 Fax: +1 818 888 4907 Email: mr.ieeemedia@ieee.org Northwest/Southern CA (recruitment) Tim Matteson Phone: +1 310 836 4064 Fax: +1 310 836 4067 Email: tm.ieeemedia@ieee.org Japan Tim Matteson Phone: +1 310 836 4064 Fax: +1 310 836 4067 Email: tm.ieeemedia@ieee.org Europe (product) Hilary Turnbull Phone: +44 1875 825700 Fax: +44 1875 825701 Email: impress@impressmedia.com A D V E R T I S E R / P R O D U C T I N D E X M A Y / J U N E 2 0 0 5 Black Hat Briefings 2005 Cover 3 John Wiley & Sons Cover 2 Morgan KaufmannPublishers 13 Naval Reserve Cover 4 Boldface denotes advertisements in this issue. Advertising PersonnelAdvertiser Page Number Marion Delaney IEEE Media, Advertising Director Phone: +1 212 419 7766 Fax: +1 212 419 7589 Email: md.ieeemedia@ieee.org Marian Anderson Advertising Coordinator Phone: +1 714 821 8380 Fax: +1 714 821 4010 Email: manderson@computer.org Sandy Brown IEEE Computer Society, Business Development Manager Phone: +1 714 821 8380 Fax: +1 714 821 4010 Email: sb.ieeemedia@ieee.org Advertising Sales Representatives
  • 4. Attack Trends control the bot. The bots can access the spreading functions in the DLLs and thus enable further propagation. GT-bots spread by exploiting weaknesses on remote computers and uploading themselves to com- promised hosts. One handicap is their large file size—they’re some- times bigger than a megabyte. Other types of bots Although some bots aren’t as wide- spread as the ones we’ve just exam- ined, some of them have interesting features that are worth reviewing. XotanditssuccessorXTBotim- plement a feature called dynamic re- mote settings stub. DRSS hides the communication flow between at- tacker and bots by embedding the commands in a file (for example, within an image). The attacker then uploads this file to a server, and the bot on the victim’s computer down- loads it, extracts the information, and interprets the commands. The Dataspy Network X bot is written in C++ and has a conve- nient interface that lets attackers writescannersandspreadersasplug- ins and extend the bot’s features. This bot has a major disadvantage— the default version doesn’t come with any spreaders—but plugins are availabletoovercomethisgap.Addi- tional plugins also offer services such as DDoS attacks, portscan interface, or hidden HTTP server. Bobax uses HTTP requests as its communication channel and thus implements a stealthier remote con- trol than IRC-based C&C. It also implements mechanisms to spread further by downloading and execut- ing arbitrary files. In contrast to otherbots,Bobax’sprimarypurpose is to send spam. A detailed analysis of it appears elsewhere (www.lurhq. com/bobax.html). aIRCBotisverysmall(only2,560 bytes); it’s not a typical bot because it implements a rudimentary remote control mechanism, and it only un- derstandsrawIRCcommands.Italso completely lacks the functions to spread further. Likewise, Q8Bot and kaiten are small bots, consisting of only a few hundred lines of source code, but they have an additional noteworthiness: they’re written for Unix/Linuxsystems.Theseprograms implement all common bot features: dynamic updating via HTTP-down- loads, various DDoS attack capabili- ties, execution of arbitrary com- mands,andmanymore.Intheversion we’ve captured, the spreaders are missing,butweassumeotherversions ofthesebotshavespreaders.Manydif- ferentversionsofsimplebotsbasedon the programming language Perl exist, but these bots usually contain only a few hundred lines of source code and offer a rudimentary set of commands (most often just for DDoS attacks). This type of bot is typically used on Unix-basedsystems. Bots are constantly evolving: at- tackers can integrate new vul- nerabilitieswithinanincrediblyshort time span, sometimes in a matter of hours or days. Furthermore, new techniques to hide the communica- tion channel between bot and con- troller, new remote control mecha- nisms in the form of P2P communi- cation, and other innovative ideas demonstrate that bots constitute an emerging security concern. The German Honeynet Project’s current research focuses on automated ways tocollectandanalyzemalware.We’re developing techniques to observe botnetsandtolearnmoreaboutbots. Asthesethreatscontinuetoadaptand change, so too must the security community. References 1. I. Arce and E. Levy, “An Analysis of the Slapper Worm,” IEEE Secu- rity & Privacy, vol. 1, no. 1, 2003, pp. 82–87. 2. T. Fischer, “Botnetze,” Proc. 12th DFN-CERT Workshop, DFN- CERT Services, 2005, p. E1–E7. Thorsten Holz is a research student at the Laboratory for Dependable Distrib- uted Systems at RWTH Aachen Univer- sity. His research interests include the practical aspects of secure systems, but he’s also interested in more theoretical considerations of dependable systems. Holz is one of the founders of the German Honeynet Project. Contact him at holz@ i4.informatik.rwth-aachen.de. www.computer.org/security/ ■ IEEE SECURITY & PRIVACY 79 JAN./FEB.: Economics of Information Security MAR./APR.: Trusted Computing MAY/JUN.: Infrastructure Security JUL./AUG.: Enterprise Security Management SEPT./OCT.: Policy and Regulation NOV./DEC.: Consumer Devices www.computer.org/security/ 2005 EDITORIAL CALENDAR2005 EDITORIAL CALENDAR