CAP6135: Malware and Software Vulnerability Analysis

Botnets
Cliff Zou
Spring 2011

Acknowledgement
   This lecture uses some contents from the lecture notes from:
       Dr. Dawn Song: CS161: computer security
       Richard Wang – SophosLabs: The Development of Botnets
       Randy Marchany - VA Tech IT Security Lab: Botnets

Botnets
   Collection of compromised hosts
       Spread like worms and viruses
       Once installed, respond to remote commands
   A network of ‘bots’
   robot: an automatic machine that can be programmed to perform specific tasks.
   Also known as ‘zombies’
   Platform for many attacks
       Spam forwarding (70% of all spam?)
       Click fraud
       Keystroke logging
       Distributed denial of service attacks
   Serious problem
       Top concern of banks, online merchants
       Vint Cerf: ¼ of hosts connected to the Internet

What are botnets used for?
   [figure-only slide; the figure is not preserved in the text]

IRC (Internet Relay Chat) based Control
   [two figure-only slides; the figures are not preserved in the text]

Why IRC?
   IRC servers are:
       freely available
       easy to manage
       easy to subvert
   Attackers have experience with IRC
   IRC bots usually have a way to remotely upgrade victims with new payloads to stay ahead of security efforts

How bad is the problem?
   Symantec identified a 400K node botnet
   A network admin in the Netherlands discovered 1-2M unique IPs associated with Phatbot infections.
       Phatbot harvests MyDoom and Bagle infected machines.
   Researchers at Georgia Tech monitored thousands of botnets

Spreading Problem
   Spreading mechanism is a leading cause of background noise
       Ports 445, 135, 139, 137 accounted for 80% of traffic captured by the German Honeynet Project
   Other ports
       2745 – Bagle backdoor
       3127 – MyDoom backdoor
       3410 – Optix trojan backdoor
       5000 – UPnP vulnerability

Most commonly used Bot families
   Agobot
   SDBot
   SpyBot
   GT Bot

Agobot
   Most sophisticated
   20,000 lines C/C++ code
   IRC based command/control
   Large collection of target exploits
   Capable of many DoS attack types
   Shell encoding/polymorphic obfuscation
   Traffic sniffers/key logging
   Defend/fortify compromised system
   Ability to frustrate disassembly

SDBot
   Simpler than Agobot, 2,000 lines C code
   Non-malicious at base
   Utilize IRC-based command/control
   Easily extended for malicious purposes
      Scanning
      DoS Attacks
      Sniffers
      Information harvesting
      Encryption

SpyBot
   <3,000 lines C code
   Possibly evolved from SDBot
      Similar command/control engine
      No attempts to hide malicious purposes

GT Bot
   Functions based on mIRC scripting capabilities
   HideWindow program hides bot on local system
       Basic rootkit function
   Port scanning, DoS attacks, exploits for RPC and NetBIOS

   Variance in codebase size, structure, complexity, implementation
   Convergence in set of functions
       Possibility for defense systems effective across bot families
   Bot families extensible
   Agobot likely to become dominant

Control
   All of the above use IRC for command/control
       Disrupt IRC, disable bots
       Sniff IRC traffic for commands
       Shutdown channels used for Botnets
   IRC operators play central role in stopping botnet traffic
       But a botnet could use its own IRC server
   Automated traffic identification required
   Future botnets may move away from IRC
       Move to P2P communication
       Traffic fingerprinting still useful for identification

Host control
   Fortify system against other malicious attacks
   Disable anti-virus software
   Harvest sensitive information
       PayPal, software keys, etc.
       Economic incentives for botnets
   Stresses need to patch/protect systems prior to attack
   Stronger protection boundaries required across applications in OSes

Example Botnet Commands
   Connection
       CLIENT: PASS <password>
       HOST: (if error, disconnect)
       CLIENT: NICK <nick>
       HOST: NICKERROR | CONNECTED
   Pass hierarchy info
       BOTINFO <nick> <connected_to> <priority>
   BOTQUIT <nick>

Example Botnet Commands
   IRC Commands
       CHANJOIN <tag> <channel>
       CHANPART <tag> <channel>
       CHANOP <tag> <channel>
       CHANKICK <tag> <channel>
       CHANBANNED <tag> <channel>
       CHANPRIORITY <ircnet> <channel> <LOW/NORMAL/HIGH>

Example Botnet Commands
   pstore
       Display all usernames/passwords stored in browsers of infected systems
   bot.execute
       Run executable on remote system
   bot.open
       Reads file on remote computer
   bot.command
       Runs command with system()

Example Botnet Commands
   http.execute
       Download and execute file through http
   ftp.execute
   ddos.udpflood
   ddos.synflood
   ddos.phaticmp
   redirect.http
   redirect.socks
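The "Control" slide notes that sniffing IRC traffic for commands and fingerprinting that traffic are how defenders spot these bots, and the command slides above give the vocabulary to look for. The following script is an added example written for this page, not code from the lecture or from any bot family: it parses raw IRC lines, flags messages that carry one of the listed bot commands (either as the IRC verb itself, BOTINFO/CHAN* style, or at the start of a PRIVMSG body, bot.*/ddos.* style), and groups the hits by sender so the controller stands out from the reporting bots. The "src -> dst: <raw line>" log format, the sample lines, and the spelling "ddos.synflood" for the SYN-flood command are assumptions of the example.

```python
import re
from collections import defaultdict

# Bot commands taken from the command slides. "ddos.synflood" is the assumed
# full spelling of the slide's DDoS SYN-flood command.
BOT_COMMANDS = {
    "pstore", "bot.execute", "bot.open", "bot.command",
    "http.execute", "ftp.execute",
    "ddos.udpflood", "ddos.synflood", "ddos.phaticmp",
    "redirect.http", "redirect.socks",
    "BOTINFO", "BOTQUIT", "CHANJOIN", "CHANPART", "CHANOP",
    "CHANKICK", "CHANBANNED", "CHANPRIORITY",
}

# RFC 1459 message shape: [":" prefix SPACE] command [SPACE params]
IRC_RE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<command>\S+)(?: (?P<params>.*))?$")

# Constructed sample in an assumed "src -> dst: <raw IRC line>" format; not a real capture.
SAMPLE_LINES = [
    "10.0.0.5 -> 198.51.100.7: NICK [USA|XP]-839201",
    "10.0.0.5 -> 198.51.100.7: JOIN #s3cr3t botpass",
    "10.0.0.5 -> 198.51.100.7: BOTINFO [USA|XP]-839201 198.51.100.7 HIGH",
    "198.51.100.7 -> 10.0.0.5: :m@ster!m@c2 PRIVMSG #s3cr3t :.bot.execute c:\\temp\\update.exe",
    "198.51.100.7 -> 10.0.0.5: :m@ster!m@c2 PRIVMSG #s3cr3t :.ddos.synflood 203.0.113.9 80 600",
    "10.0.0.9 -> 192.0.2.44: PRIVMSG #linux :anyone know a good editor?",
    "10.0.0.9 -> 192.0.2.44: NICK alice_",
]


def parse_irc(raw):
    """Split one raw IRC line into prefix, command, middle params and trailing text."""
    m = IRC_RE.match(raw.strip())
    if not m:
        return None
    params_str = m.group("params") or ""
    trailing = None
    if params_str.startswith(":"):
        params, trailing = [], params_str[1:]
    elif " :" in params_str:
        head, trailing = params_str.split(" :", 1)
        params = head.split()
    else:
        params = params_str.split()
    return {"prefix": m.group("prefix"), "command": m.group("command").upper(),
            "params": params, "trailing": trailing}


def bot_command_in(text):
    """Return the bot command that opens a chat message, ignoring a '.' or '!' trigger prefix."""
    words = text.split(None, 1)
    if not words:
        return None
    token = words[0].lstrip(".!")
    for candidate in (token, token.lower(), token.upper()):
        if candidate in BOT_COMMANDS:
            return candidate
    return None


def scan_irc_log(lines):
    """Flag lines carrying a known bot command, either as the IRC verb itself
    (BOTINFO/CHAN* style) or inside a PRIVMSG/NOTICE body (bot.*/ddos.* style)."""
    findings = []
    for line in lines:
        try:
            src, rest = line.split(" -> ", 1)
            dst, raw = rest.split(": ", 1)
        except ValueError:
            continue  # not in the assumed "src -> dst: raw" shape
        msg = parse_irc(raw)
        if msg is None:
            continue
        hit, channel = None, None
        if msg["command"] in BOT_COMMANDS:
            hit = msg["command"]
        elif msg["command"] in ("PRIVMSG", "NOTICE") and msg["trailing"]:
            hit = bot_command_in(msg["trailing"])
            channel = msg["params"][0] if msg["params"] else None
        if hit:
            findings.append({"src": src, "dst": dst, "channel": channel,
                             "bot_command": hit, "raw": raw})
    return findings


def summarize(findings):
    """Map each sending address to the sorted bot commands seen from it; the address
    issuing bot.*/ddos.* commands is the controller, the ones sending BOTINFO are bots."""
    per_src = defaultdict(set)
    for f in findings:
        per_src[f["src"]].add(f["bot_command"])
    return {src: sorted(cmds) for src, cmds in per_src.items()}


if __name__ == "__main__":
    hits = scan_irc_log(SAMPLE_LINES)
    for f in hits:
        print(f"{f['src']} -> {f['dst']} {f['channel'] or '-'}: {f['bot_command']}")
    print(summarize(hits))
```

The ordinary chat in #linux and the plain NICK/JOIN lines produce no hits, which is the point of matching on the command vocabulary rather than on IRC itself: as the slide says, a botnet can run its own IRC server, so the protocol alone is not the signal, the commands are.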

Current Botnet Control Architecture
   [figure: botmaster at the top, two C&C servers under it, bots connected to the C&C servers]
   More than one C&C server
   Spread all around the world

Botnet Monitor: Gatech KarstNet
   Many bots use a Dyn-DNS name to find the C&C
   KarstNet informs the DNS provider of cc1.com
       Detect cc1.com by its abnormal DNS queries
   DNS provider maps cc1.com to the Gatech sinkhole (DNS hijack)
       All/most bots attempt to connect to the sinkhole
   [figure: attacker -> C&C servers (cc1.com) <- bots; after the hijack the bots connect to the KarstNet sinkhole instead]
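The KarstNet slide describes two steps: spot the C&C name by its abnormal DNS query pattern, then have the DNS provider point that name at a sinkhole so the bots reveal themselves. The script below is an added example written for this page, not KarstNet's own code or its published detection criterion: it profiles a constructed DNS query log per queried name (distinct clients, total queries, and how much of the traffic lands in the single busiest minute), flags names that many hosts look up in near-synchrony as rally points, and then models the resolver after the remap so the set of clients reaching the sinkhole becomes the infected-host list. The log format, the thresholds, the sinkhole address 192.0.2.1, and the authoritative answers are all assumptions of the example.

```python
from collections import defaultdict

SINKHOLE_IP = "192.0.2.1"  # placeholder sinkhole address (TEST-NET range), assumed

# Constructed authoritative answers for the names in the sample log; not real hosts.
AUTHORITATIVE = {
    "cc1.com": "203.0.113.50",
    "www.example.org": "198.51.100.20",
    "mail.example.org": "198.51.100.25",
}


def build_sample_log():
    """Constructed DNS query log as (timestamp, client IP, queried name) tuples.
    40 bots rally to cc1.com twice, each time within the same minute; 25 ordinary
    hosts query two benign names spread across the hour."""
    log = []
    for i in range(1, 41):
        for rally in ("10:00", "10:30"):
            log.append((f"2011-03-01T{rally}:{i % 60:02d}", f"10.0.1.{i}", "cc1.com"))
    for i in range(1, 26):
        for minute in range(0, 60, 5):
            log.append((f"2011-03-01T10:{minute:02d}:{(i * 7) % 60:02d}",
                        f"10.0.2.{i}", "www.example.org"))
        log.append((f"2011-03-01T10:{(i * 4) % 60:02d}:00", f"10.0.2.{i}", "mail.example.org"))
    return log


def profile_domains(log):
    """Per name: distinct querying clients, total queries, and the share of all
    queries that fell into the single busiest minute (how synchronized lookups are)."""
    clients = defaultdict(set)
    per_minute = defaultdict(lambda: defaultdict(int))
    total = defaultdict(int)
    for ts, client, qname in log:
        name = qname.lower().rstrip(".")
        clients[name].add(client)
        per_minute[name][ts[:16]] += 1  # bucket on "YYYY-MM-DDTHH:MM"
        total[name] += 1
    return {
        name: {
            "clients": len(clients[name]),
            "queries": total[name],
            "peak_minute_share": max(per_minute[name].values()) / total[name],
        }
        for name in total
    }


def flag_candidate_cnc(profiles, min_clients=20, min_peak_share=0.4):
    """Heuristic of this example, not KarstNet's criterion: a name looked up by many
    distinct hosts whose lookups cluster into the same minute behaves like a rally point.
    A popular benign name has many clients too, but its lookups are spread out."""
    return sorted(name for name, p in profiles.items()
                  if p["clients"] >= min_clients and p["peak_minute_share"] >= min_peak_share)


def resolve(qname, hijacked, authoritative=AUTHORITATIVE):
    """Resolver view after the DNS provider has remapped the flagged names:
    hijacked names answer with the sinkhole, everything else is answered normally."""
    name = qname.lower().rstrip(".")
    if name in hijacked:
        return SINKHOLE_IP
    return authoritative.get(name)


def sinkhole_hits(log, hijacked):
    """Clients whose lookups now land on the sinkhole: the infected-host list
    the sinkhole operator can hand to the affected network owners."""
    return {client for _, client, qname in log if resolve(qname, hijacked) == SINKHOLE_IP}


if __name__ == "__main__":
    log = build_sample_log()
    profiles = profile_domains(log)
    hijacked = set(flag_candidate_cnc(profiles))
    print("flagged:", sorted(hijacked))
    print("hosts reaching sinkhole:", len(sinkhole_hits(log, hijacked)))
```

In the constructed log www.example.org is queried by 25 hosts, more than the client threshold, yet it is not flagged because its peak-minute share is under 10%; only cc1.com combines a large client population with synchronized lookups. Requiring both conditions is what keeps a busy legitimate name from being sinkholed by mistake, which matters because the remap is applied at the DNS provider for everyone.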

The Future Generation of Botnets
   Peer-to-Peer C&C
   Polymorphism
   Anti-honeypot
   Rootkit techniques