Botnets - PowerPoint

Botnets

   ECE 4112 Lab 10
   Group 19
Botnets
   Collection of compromised machines running (malicious) programs under a common command and control infrastructure
   Attackers target Class B networks
   Once a vulnerable system is detected
       System compromised -> control client (bot) installed
   These bots further attack networks -> exponential growth in a tree-like fashion
Botnets - Uses
   Distributed DoS attacks
   Spamming
   Sniffing Traffic
   Keylogging
   Attacking other networks
   Identity theft
   Google AdSense abuse
   Spyware/Malware infestation
Lab Procedures

   I. Setup: Setting up the IRCd server
   II. SDBot
   III. q8Bot
   IV. HoneyNet Botnet capture analysis
IRCd Server

   IRC networks considered part of the “underground” Internet
   Home to many hacking groups and illegal software release groups
   Setup on WS 4.0 machine
   [Diagram: Infected XP machine (Victim) and Infected RedHat machine (Victim) connect to the IRCd on Redhat WS 4.0; the IRC client (Attacker) connects to the same IRCd]
SDBot/RBot/UrBot/UrXbot
   The most active family of bots
   Published under GPL
   Poorly implemented in C
   Provides a utilitarian IRC-based command and control system
   Easy to extend
   Large number of patches to provide more sophisticated malicious capabilities
       Scanning, DoS attacks, sniffers, information harvesting & encryption features
SDBot
   Setup on Windows XP VM using the lcc-win32 compiler
   Created executable using a bat file
   Edited hosts file to include ircserver
   Bot Login
       Random username joins channel – Bot Login
       .repeat 6 .delay 1 .execute 1 winmine.exe
           Started 6 instances of Minesweeper on the victim
SDBot
   General Commands
       .execute causes the bot to run a program
       .download causes the bot to download the file specified by URL
       .redirect lets the bot start a basic port redirect: everything sent to the port
       .sysinfo causes the bot to reply with information on the host system
       .netinfo causes the bot to reply with information on the bot's network connection
       .visit lets the bot invisibly visit the specified URL
SDBot – UDP/Ping Flood
   .udp <RH 7.2 IP> 1000 4096 100 23
       Command causes a UDP flood
   For 1 Gbit link
       Avg packet size = 1169 bytes
       Bots required = 106,928
   .ping <RH 7.2 IP> 1000 4096 1
       Initiates a ping flood
   For 1 Gbit link
       Avg packet size = 1351 bytes
       Bots required = 92,532 (approx)
SDBot – Pay per click

   .visit http://57.35.6.10/index.html http://<anything>.com
       Ethereal – TCP stream with HTTP packets illustrating http://<anything>.com as the referrer
SDBot – Bot Removal

   Kill process
   Remove registry entries:
       HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\CONFIGURATION LOADER
       HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\CONFIGURATION LOADER
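An added check (not part of the lab deck) that audits the two autorun keys named above for the "Configuration Loader" value before it is removed by hand; read_values() and audit_host() assume a Windows host with the winreg module, and SAMPLE_RUN_VALUES is a constructed snapshot rather than a real export.

```python
# Added example (not from the lab deck): audit the two autorun keys named on
# the slide for the SDBot "Configuration Loader" value before removing it.
# The live read needs Windows (winreg); the value snapshot below is constructed.
try:
    import winreg
except ImportError:  # not on Windows: only the pure suspect_entries() check runs
    winreg = None

RUN_KEYS = [
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
]
SUSPECT_VALUE = "Configuration Loader"

def suspect_entries(key_path, values):
    """Return (key, name, data) for values named like the SDBot autorun entry.
    `values` is a list of (name, data) pairs; names compare case-insensitively."""
    return [(key_path, name, data) for name, data in values
            if name.strip().lower() == SUSPECT_VALUE.lower()]

def read_values(key_path):
    """Enumerate (name, data) pairs under HKLM\\<key_path> on a Windows host."""
    values = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as k:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(k, i)
            except OSError:  # no more values under this key
                return values
            values.append((name, data))
            i += 1

def audit_host():
    """Check both keys on the local Windows machine; returns suspect entries."""
    found = []
    for key_path in RUN_KEYS:
        try:
            found += suspect_entries(key_path, read_values(key_path))
        except OSError:
            pass  # key absent on this Windows version
    return found

# Constructed snapshot of HKLM\...\Run on an infected XP VM (not a real export;
# EXAMPLE_BOT.EXE is a placeholder for the bot's file name).
SAMPLE_RUN_VALUES = [
    ("VMware Tools", r"C:\Program Files\VMware\VMware Tools\VMwareTray.exe"),
    ("Configuration Loader", r"C:\WINDOWS\System32\EXAMPLE_BOT.EXE"),
]
```

The audit only reports; deleting the value and killing the process remain the manual steps the slide lists.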
q8Bot
   Small bot with 926 lines of C code
   Written only for Unix-based systems
   Features
       DDoS attacks
       Dynamic updating
       Flooding
   Versions with spreaders available
q8Bot

   Installation after changes to the C file
   ps -e
       Shows the bot file running with a pid
   ps -ef
       Same pid shown as '-bash'
           -f flag gives a full listing with the command-line process name -> replaced by FAKENAME in the source code
           -e flag gives the pid with the executable used
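A way to catch the renamed process that the ps -ef output hides, as an added example that is not part of the lab deck: it compares each process's forgeable command line (what ps -ef prints) with the kernel-controlled /proc/<pid>/exe link. The process table in the block is constructed; scan_proc() collects real records on a Linux host.

```python
# Added example (not from the lab deck): spot a process that rewrites its
# argv[0] to "-bash" (q8Bot's FAKENAME trick) by comparing the forgeable
# /proc/<pid>/cmdline, which is what `ps -ef` prints, against the
# kernel-controlled /proc/<pid>/exe link. The process records below are
# constructed for the demo; scan_proc() collects real ones on a Linux host.
import os

SHELL_NAMES = {"bash", "sh", "dash", "zsh"}

def claimed_name(cmdline):
    """argv[0] as `ps -ef` shows it; a leading '-' only marks a login shell."""
    argv0 = cmdline.split("\x00")[0] if cmdline else ""
    return os.path.basename(argv0.lstrip("-"))

def is_masquerading(proc):
    """True when argv[0] claims a shell but the executable is something else."""
    claimed = claimed_name(proc["cmdline"])
    real = os.path.basename(proc["exe"] or proc["comm"]).replace(" (deleted)", "")
    return claimed in SHELL_NAMES and real not in SHELL_NAMES

def find_masquerading(procs):
    """Return the pids whose command line disagrees with their executable."""
    return sorted(p["pid"] for p in procs if is_masquerading(p))

def scan_proc(root="/proc"):
    """Collect pid/comm/exe/cmdline for every readable process on a Linux host."""
    procs = []
    for name in filter(str.isdigit, os.listdir(root)):
        base = os.path.join(root, name)
        try:
            comm = open(os.path.join(base, "comm")).read().strip()
            cmdline = open(os.path.join(base, "cmdline"), "rb").read().decode("utf-8", "replace")
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # exited, kernel thread, or another user's process
        procs.append({"pid": int(name), "comm": comm, "exe": exe, "cmdline": cmdline})
    return procs

# Constructed sample process table: a real login shell, the bot, and sshd.
SAMPLE_PROCS = [
    {"pid": 812, "comm": "bash", "exe": "/bin/bash", "cmdline": "-bash\x00"},
    {"pid": 1990, "comm": "q8bot", "exe": "/tmp/.x/q8bot", "cmdline": "-bash\x00"},
    {"pid": 2004, "comm": "sshd", "exe": "/usr/sbin/sshd", "cmdline": "sshd: alice [priv]\x00"},
]

if __name__ == "__main__":
    print("masquerading pids:", find_masquerading(SAMPLE_PROCS))  # [1990]
```

Running find_masquerading(scan_proc()) as root covers every process; an unprivileged run silently skips processes whose exe link it cannot read.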
q8Bot – Commands

   PAN <target> <port> <secs> - SYN flood which disables most network drivers
   TSUNAMI <target> <secs> - packets that can bypass any firewall
   GET <target> <save as> - Download/rename files
q8Bot
   Tsunami Attack –
       Basic DoS attack
       Packets directed to port 80 (HTTP) – hence ignored by firewalls
   PAN
       Add statement:
           sendto(get, &send_tcp, 40+psize, 0, (struct sockaddr*)&sin, sizeof(sin));
       Change return() -> break in final if block
       PAN <WIN XP IP> <port> <delay in ms>
HoneyNet Botnet Capture Analysis
   Data Forensics
   View IRC connections
       ip.dst == 172.16.134.191 && tcp.srcport == 6667
   Sniff IRC packets
       ip.dst == 172.16.134.191 && (tcp.srcport == 6667 || tcp.dstport == 6667)
   Usernames sniffed:
       Eohisou – Unsuccessful login attempt
       Rgdiuggac – Successful login attempt
HoneyNet Botnet Capture Analysis

   Once logged in, chanserv sets modes
       i – Invisible mode (hidden)
       x – provides a random hostname to the user
   Source attack IPs – analyze through an Ethereal filter
       209.196.44.172
       63.241.174.144
       217.199.175.10
Botnets – Defense
   Keep your system updated by downloading patches
   Be careful when opening suspicious attachments in email
   Control the use of active content such as ActiveX and scripting languages such as JavaScript
   It is fundamental to use an updated antivirus / anti-trojan
Botnets – Defense
   Main signs of bot presence are connection and system slowdown
       netstat -an
   Admins – subscribe to mailing lists (e.g. Bugtraq)
   Study the logs generated by IDS/firewall/mail/DHCP servers for abnormal activity
   Most important – user awareness

								