Bots and Botnets, plus Forensic analysis of a bot
Introduction

• Wayne Hauber
• Computer consultant since 1984 at Iowa State University
• Started analyzing bots as a major focus in 2002
Bots and Botnets

Bot – nothing more than a remotely controlled program
A collection of bots controlled from a central source is a botnet
Most bots have their origin in some segment of the IRC community
Botnet controllers are either public IRC servers or custom private IRC servers
Not New

Floodbots appeared at ISU in the early 1990s, mostly a nuisance to staff from fringe IRC users
First SYN Flood denial of service attacks in 1997
See the Hank Nussbacher presentation for a good chronology
What is new

Organization
Talent
Skills
Complete disregard for the values of mainstream society
IRC Society drives the problem
Pubstros/distros

In late 2001 and early 2002, the first Pubstros appeared at ISU
Pubstros are servers created on a vulnerable system
They serve movies, games, software and pornography
Usually some other software is installed; expect password crackers, keyloggers, proxies and network scanners

Pubstros were created by a highly organized and developed society of IRC users
Pubstro/distro tutorials were published on the web

Hierarchical duties were assigned to those establishing pubstros
One group scanned for proxy systems and installed scanning tools
Another group scanned for vulnerable systems and posted a list
Another group laid down the server and the contraband
Quotas determined status in the group

A group in the far east supplies movies, often prior to US release dates

At ISU, we locate some pubstros because they are in our top-20 network traffic list
Others are detected because they “look the same” as a top-20 pubstro
Some are detected because other activity is detected by netflow monitoring
Some are detected when a hacker is clumsy

Becoming more sophisticated
Are well hidden – Hacker Defender is a suite of tools to hide your favorite trojan
Still common – I detected a pubstro on a departmental server at 5:00 p.m. last night!
Organized crime

See From Russia with Malice handout
http://www.vnunet.com/analysis/1160302

IRC Society

Slides are from a presentation by Hank Nussbacher
http://www.interall.co.il/presentations/first-16.pdf

Frequency of attacks

Page 84 of the Nussbacher presentation
Page 32 of the Vunderink presentation
http://www.garion.org/tmp/ircdrones.pdf

Size of botnets

It is common to see botnets with a strength of 1,000 to 2,000 bots
One record botnet had a strength of hundreds of thousands of bots

Easy tools

Tools that we have seen at ISU have grown in sophistication and power
Professional hackers are writing tools
Many of today’s new viruses are nothing more than hacker tools in active use
Quote from page 14 of the Vunderink presentation

Sdbot
Korgo
Optix
Spybot
Optix – a sdbot variant

Detailed Description: The backdoor's file is a PE executable about 93 kilobytes long, packed with Yoda and PECompact file compressors.
When the backdoor's file is started, it copies itself as SNDCFG16.EXE to the Windows System folder, sets hidden, system and read-only attributes for itself and then creates the following startup keys in the Registry…
The backdoor monitors Registry changes and re-creates these keys if they are deleted or modified.

SDBot.MB kills the processes of security and anti-virus software and also processes of certain malware (for example Bagle).
The processes with the following names are killed:
regedit.exe msconfig.exe …a long list…

The backdoor can scan for vulnerable computers using different types of exploits and tries to locate other backdoors installed on remote hosts. Here's the list of scanner capabilities:
* WebDav (port 80)
* NetBios (port 139)
* NTPass (port 445)
* DCom (ports 135, 1025)
* DCom2 (port 135)
* MSSQL (port 1433)
* LSASS (port 445)
* UPNP (port 5000)
* Optix backdoor (port 3140)
* Bagle backdoor (port 2745)
* Kuang backdoor (port 17300)
* Mydoom backdoor (port 3127)
* NetDevil backdoor (port 903)
* SubSeven backdoor (port 27347)
* DameWare remote management software (port 6129)

The backdoor starts an IDENTD server on port 113.
A hacker can control the backdoor via a bot that it creates in a certain IRC channel.
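The scanner port list and the IDENTD listener above can be turned into the kind of netflow check the ISU detection slides describe. This is an added Python example, not part of the presentation; the flow records, addresses and the 8-target threshold are constructed for illustration.

```python
from collections import defaultdict

# Ports the SDBot/Optix scanner probes, taken from the capability list on the slides.
# Port 80 (WebDav) is probed too, but ordinary browsing fans out on 80 as well, so it is
# excluded from the sweep check by default to avoid flagging every workstation.
SCANNER_PORTS = {80, 139, 445, 135, 1025, 1433, 5000, 3140, 2745, 17300, 3127, 903, 27347, 6129}
NOISY_PORTS = frozenset({80})
IDENTD_PORT = 113  # the backdoor opens an IDENTD listener here

# Constructed netflow-style records (source, destination, destination port); not real traffic.
SAMPLE_FLOWS = (
    [("10.0.5.17", f"10.0.7.{i}", 445) for i in range(1, 13)]       # one workstation sweeping 445
    + [("10.0.5.17", f"10.0.7.{i}", 135) for i in range(1, 6)]      # ...and a few hosts on 135
    + [("10.0.5.23", f"198.51.100.{i}", 80) for i in range(1, 20)]  # normal browsing, noisy on 80
    + [("10.0.5.23", "10.0.7.1", 445)]                              # a single file-share connection
    + [("203.0.113.9", "10.0.5.17", 113)]                           # inbound connection to identd
)

def scanner_fanout(flows, ports=SCANNER_PORTS, ignore=NOISY_PORTS):
    """Number of distinct destinations each source touched, per scanner port."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport in ports and dport not in ignore:
            targets[(src, dport)].add(dst)
    return {key: len(dsts) for key, dsts in targets.items()}

def flag_scanners(flows, min_targets=8):
    """Sources that swept at least min_targets distinct hosts on a single scanner port.
    The threshold is a constructed starting point; tune it against the site's netflow baseline."""
    hits = defaultdict(list)
    for (src, dport), count in scanner_fanout(flows).items():
        if count >= min_targets:
            hits[src].append((dport, count))
    return {src: sorted(ports) for src, ports in hits.items()}

def identd_listeners(flows, local_prefix):
    """Local hosts that received a connection on port 113. Client workstations normally run no
    identd, so this is a lead to check with TCPView; netflow alone does not show it was answered."""
    return sorted({dst for _, dst, dport in flows
                   if dport == IDENTD_PORT and dst.startswith(local_prefix)})

if __name__ == "__main__":
    print("scan fan-out:", flag_scanners(SAMPLE_FLOWS))                  # {'10.0.5.17': [(445, 12)]}
    print("identd listeners:", identd_listeners(SAMPLE_FLOWS, "10.0.5."))  # ['10.0.5.17']
```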
Optix – a sdbot variant

Backdoor capabilities are the following:
start HTTP server on an infected computer
start FTP server on an infected computer
scan for vulnerable computers (open ports and exploits)
make use of exploits and spread to remote computers
start/stop keylogger
get system information including information about OS, network and drives
operate backdoor's bot (nick change, dcc send/receive, join/part channels, etc.)
perform DDoS (Distributed Denial of Service) attack, SYN, ICMP, UDP flood
find, download and run files
search for passwords
start/stop remote services
create/delete remote shares
flush DNS cache
ping any host
list, start and kill processes
sniff network traffic
start remote command shell
capture video from a webcam
capture a screenshot
redirect traffic on certain ports
perform portscan
send e-mails (work as an e-mail proxy)
open a URL with default web browser
SDBot.MB steals CD keys for the following games if they are installed on an infected computer:

Counter-Strike (Retail), The Gladiators, Gunman Chronicles, Half-Life, Industry Giant 2, Legends of Might and Magic, Soldiers Of Anarchy, Unreal Tournament 2003, Unreal Tournament 2004, IGI 2: Covert Strike, Freedom Force, Battlefield 1942, Battlefield 1942 (Road To Rome), Battlefield 1942 (Secret Weapons of WWII), Battlefield Vietnam, Black and White, Command and Conquer: Generals (Zero Hour), James Bond 007: Nightfire, Command and Conquer: Generals, Global Operations, Medal of Honor: Allied Assault, Medal of Honor: Allied Assault: Breakthrough, Medal of Honor: Allied Assault: Spearhead, Need For Speed Hot Pursuit 2, Need For Speed: Underground, Shogun: Total War: Warlord Edition, FIFA 2002, FIFA 2003, NHL 2002, NHL 2003, Nascar Racing 2002, Nascar Racing 2003, Rainbow Six III RavenShield, Command and Conquer: Tiberian Sun, Command and Conquer: Red Alert, Command and Conquer: Red Alert 2, NOX, Chrome, Hidden & Dangerous 2, Soldier of Fortune II - Double Helix, Neverwinter Nights, Neverwinter Nights (Shadows of Undrentide), Neverwinter Nights (Hordes of the Underdark)

Also the backdoor steals the Microsoft Windows Product ID.
Protecting client systems

Comments from Vunderink

Some conclusions

Security threats have changed
Our clients have no idea that the security paradigm has changed
Policy makers do not know that security threats have changed
I am less pessimistic than Vunderink. I think that we will succeed in educating policy makers…but we won’t succeed in educating our clients.
1. A good overview of botnets: Malicious Bots Threaten Network Security, David Geer. IEEE Computer, January 2005.
2. An article that provides examples of organized crime and botnets: From Russia with Malice. http://www.vnunet.com/analysis/1160302
3. Slides from a presentation that provide a good history of DDoS and techniques for fighting DDoS: Fighting Internet Diseases: DDoS, worms and miscreants, Hank Nussbacher and Nicolas Fischbach. http://www.interall.co.il/presentations/first-16.pdf
4. Slides from a presentation by an IRC administrator who is fighting botnets: IRC and Drones: Investigating botnets on IRC, Joost "Garion" Vunderink. http://www.garion.org/tmp/ircdrones.pdf
5. A paper that presents a complete forensic analysis of a compromised system: GIAC Certified Forensic Analyst (GCFA) Practical Assignment, Jennifer Kolde, SANS Institute. http://www.giac.org/practical/GCFA/Jennifer_Kolde_GCFA.pdf
Hank Nussbacher’s picks for DDOS references

A large number of papers and presentations can be found at the public page:
https://puck.nether.net/mailman/listinfo/nsp-security

In addition, I have found these to be useful:
http://staff.washington.edu/dittrich/misc/ddos/
http://www.linuxsecurity.com/resource_files/intrusion_detection/ddos-faq.html
http://www.networkcomputing.com/1201/1201f1c1.html
http://www.sans.org/dosstep/index.php
http://downloads.securityfocus.com/library/sn_ddos.doc
Other good references

A good overview of DDOS
http://www.cisco.com/en/US/about/ac123/ac147/archived_issues/ipj_7-4/dos_attacks.html
Using SNORT to detect rogue IRC Bot Programs
http://www.giac.org/certified_professionals/practicals/gsec/4095.php

My slides

http://tech.ait.iastate.edu/winsecurity/presentations/infraguard.ppt
Detecting a new bot

Good free tools from sysinternals.com
TCPView
Process Explorer
Autoruns
Regmon
Filemon
RootkitRevealer

				