Botnets

Usman Jafarey, including slides from The Zombie Roundup by Cooke, Jahanian, and McPherson of the University of Michigan


Botnet
● Collection of infected systems
● Controlled by one party

Most commonly used bot families
● Agobot
● SDBot
● SpyBot
● GT Bot

Agobot
● Most sophisticated: 20,000 lines of C/C++ code
● IRC-based command/control
● Large collection of target exploits
● Capable of many DoS attack types
● Shell encoding / polymorphic obfuscation
● Traffic sniffers / key logging
● Defend/fortify compromised system
● Ability to frustrate disassembly

SDBot
● Simpler than Agobot: 2,000 lines of C code
● Non-malicious at base, utilitarian
● IRC-based command/control
● Easily extended for malicious purposes
  - Scanning
  - DoS attacks
  - Sniffers
  - Information harvesting
  - Encryption

SpyBot
● <3,000 lines of C code
● Possibly evolved from SDBot
  - Similar command/control engine
● No attempts to hide malicious purposes

GT Bot
● Functions based on mIRC scripting capabilities
● HideWindow program hides bot on local system
● Port scanning, DoS attacks, exploits for RPC and NetBIOS

● Variance in codebase size, complexity, structure, implementation
● Convergence in set of functions
  - Possibility for defense systems effective across bot families
● Bot families extensible
● Agobot likely to become dominant

Control
● All of the above use IRC for command/control
● Disrupt IRC, disable bots
  - Sniff IRC traffic for commands
  - Shut down channels used for botnets
● IRC operators play central role in stopping botnet traffic
● Automated traffic identification required
● Future botnets may move away from IRC
  - Move to P2P communication
  - Traffic fingerprinting still useful for identification

Host control
● Fortify system against other malicious attacks
● Disable anti-virus software
● Harvest sensitive information
  - PayPal, software keys, etc.
● Economic incentives for botnets
● Stresses need to patch/protect systems prior to attack
● Stronger protection boundaries required across applications in OSes

Propagation
● Horizontal scans
  - Single port across address range
● Vertical scans
  - Single IP across range of ports
● Current scanning techniques simple
  - Fingerprinting to identify scans
● Future methods
  - Flash, more stealthy propagation models
● Source code examination
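The horizontal/vertical distinction on the Propagation slide is exactly what a simple scan fingerprinter keys on. The following is an added example, not code from the slides or from the Zombie Roundup authors: it groups constructed flow records per source and flags a source as a horizontal scanner when one port is tried against many hosts, and as a vertical scanner when many ports are tried against one host. The flow records, the threshold of 5 and the `fingerprint_scans` name are assumptions for this illustration.

```python
from collections import defaultdict

# Constructed flow records: (source IP, destination IP, destination port).
# Sample values made up for this example, not data from the slides.
FLOWS = [
    ("10.0.0.5", "192.168.1.1", 445), ("10.0.0.5", "192.168.1.2", 445),
    ("10.0.0.5", "192.168.1.3", 445), ("10.0.0.5", "192.168.1.4", 445),
    ("10.0.0.5", "192.168.1.5", 445), ("10.0.0.5", "192.168.1.6", 445),
    ("10.0.0.9", "192.168.1.20", 21), ("10.0.0.9", "192.168.1.20", 22),
    ("10.0.0.9", "192.168.1.20", 80), ("10.0.0.9", "192.168.1.20", 135),
    ("10.0.0.9", "192.168.1.20", 139), ("10.0.0.9", "192.168.1.20", 445),
    ("10.0.0.7", "192.168.1.30", 80), ("10.0.0.7", "192.168.1.31", 443),
]


def fingerprint_scans(flows, threshold=5):
    """Return {source: {"horizontal": [ports], "vertical": [hosts]}}.

    A horizontal scan is one port hitting >= threshold distinct hosts;
    a vertical scan is one host hit on >= threshold distinct ports.
    Sources below both thresholds are omitted from the result.
    """
    hosts_per_port = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst}
    ports_per_host = defaultdict(lambda: defaultdict(set))  # src -> dst -> {port}
    for src, dst, dport in flows:
        hosts_per_port[src][dport].add(dst)
        ports_per_host[src][dst].add(dport)

    findings = {}
    for src in list(hosts_per_port):
        horizontal = sorted(
            port for port, hosts in hosts_per_port[src].items()
            if len(hosts) >= threshold)
        vertical = sorted(
            host for host, ports in ports_per_host[src].items()
            if len(ports) >= threshold)
        if horizontal or vertical:
            findings[src] = {"horizontal": horizontal, "vertical": vertical}
    return findings


if __name__ == "__main__":
    for src, kinds in fingerprint_scans(FLOWS).items():
        print(src, kinds)
```

A real NIDS would additionally window the counts in time, since a slow scanner spreads the same probes over hours to stay under the threshold.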

Exploits/Attacks
● Agobot
  - Has the most elaborate set
  - Several scanners, similar to SDBot
  - Variants include more
● GT Bot
  - RPC-DCOM exploits
  - ICMP floods, variants include UDP/TCP SYN floods
  - Various flooding mechanisms for DDoS
● SDBot
  - None in standard
  - UDP/ICMP packet modules usable for flooding
  - Variants include DDoS
● SpyBot
  - NetBIOS attacks
  - UDP/TCP/ICMP SYN floods

● DDoS highlights danger of large botnets
● Required for protection
  - Host-based anti-virus
  - Network intrusion detection
  - Prevention signature sets
● Future
  - More bots capable of launching multiple exploits

Delivery
● Packers, shell encoders for distribution
● Malware packaged in single script
● Agobot separates exploits from delivery
  - Exploit vulnerability (buffer overflow)
  - Open shell on host
  - Upload binary via HTTP or FTP
  - Encoder can be used across multiple exploits
  - Streamlines codebase
● NIDS/NIPS need knowledge of shell codes / perform simple decoding
● NIDS incorporate follow-up connection detection for exploit/delivery separation prevention

Obfuscation
● Hide details of network transmissions
● Only slightly provided by encoding
  - Same key used in encoding => signature matching
● Polymorphism: generate random encodings, evades signature matching
● Agobot
  - POLY_TYPE_XOR
  - POLY_TYPE_SWAP (swap consecutive bytes)
  - POLY_TYPE_ROR (rotate right)
  - POLY_TYPE_ROL (rotate left)
● NIDS/anti-virus eventually need to develop protection against polymorphism
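The four POLY_TYPE_* families above have tiny key spaces (one byte for XOR, seven rotation counts, none for SWAP), which is why the "simple decoding" the Delivery slide asks of a NIDS is cheap: a detector can undo every candidate transform and match its signature against the normalised bytes. The following is an added example, not Agobot's code or the authors' code; the decoding functions, the `match_encoded` name and the marker string standing in for a real byte signature are assumptions for this illustration.

```python
# Decoding side of the four transform families named on the slide. Each
# takes the encoded bytes and a key and returns the decoded bytes.
def xor_decode(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)            # XOR is its own inverse


def swap_decode(data: bytes, key: int = 0) -> bytes:
    # Swapping consecutive bytes is its own inverse; an odd trailing byte stays.
    out = bytearray(data)
    for i in range(0, len(out) - 1, 2):
        out[i], out[i + 1] = out[i + 1], out[i]
    return bytes(out)


def rol_decode(data: bytes, n: int) -> bytes:
    # Undo a rotate-right encoding by rotating each byte left by n bits.
    return bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in data)


def ror_decode(data: bytes, n: int) -> bytes:
    # Undo a rotate-left encoding by rotating each byte right by n bits.
    return bytes(((b >> n) | (b << (8 - n))) & 0xFF for b in data)


# (name, decoder, key space). 255 + 1 + 7 + 7 decodings per packet is all the
# brute force these schemes can force on a detector.
CANDIDATES = [
    ("xor", xor_decode, range(1, 256)),
    ("swap", swap_decode, [0]),
    ("rol", rol_decode, range(1, 8)),
    ("ror", ror_decode, range(1, 8)),
]


def match_encoded(payload: bytes, signature: bytes):
    """Return (transform, key) whose decoding contains signature, else None."""
    if signature in payload:
        return ("plain", 0)
    for name, decode, keys in CANDIDATES:
        for key in keys:
            if signature in decode(payload, key):
                return (name, key)
    return None


# Constructed marker standing in for a known byte signature (not shellcode).
SIGNATURE = b"CONSTRUCTED-MARKER-1234"
```

Because a left rotation by n equals a right rotation by 8-n, the "rol" family is tried first and also catches rotate-left encodings; the reported key is then the equivalent rotate-left count.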

Deception
● Detection evasion once installed, a.k.a. rootkits
● Agobot
  - Debugger tests
  - VMware tests
  - Anti-virus process termination
  - Pointing DNS for anti-virus to localhost
● Honeynet monitors must be aware of VM attacks
● Better tools for dynamic malware analysis
● Improved rootkit detection/anti-virus as deception improves
● Shows merging between botnets/trojans/etc.
