Bots and Botnets
Forensic analysis of a bot
• Wayne Hauber
• Computer consultant since 1984 at Iowa State University
• Started analyzing bots as a major focus in

Bots and Botnets

• Bot – nothing more than a remotely controlled program
• A collection of bots controlled from a central source is a botnet
• Most bots have their origin in some segment of the IRC community
• Botnet controllers are either public IRC servers or custom private IRC servers
Not New
• Floodbots appeared at ISU in the early 1990s
• Mostly a nuisance to staff, coming from the fringe of IRC
• First SYN flood denial of service attacks in 1997
• See the Hank Nussbacher presentation for a good chronology
What is new
• Complete disregard for the values of mainstream society
• IRC society drives the problem
• In late 2001 and early 2002, the first pubstros appeared at ISU
• Pubstros are servers created on a vulnerable system
• They serve movies, games, software and
• Usually some other software is installed; expect password crackers, keyloggers, proxies and network scanners
• Pubstros were created by a highly organized and developed society of IRC
• Pubstro/distro tutorials were published on the web
• Hierarchical duties were assigned to those establishing pubstros
• One group scanned for proxy systems and installed scanning tools
• Another group scanned for vulnerable systems and posted a list
• Another group laid down the server and the contraband
• Quotas determined status in the group
• A group in the Far East supplied movies, often prior to US release dates
• At ISU, we locate some pubstros because they are in our top-20 network traffic list
• Others are detected because they “look the same” as a top-20 pubstro
• Some are detected because other activity is detected by netflow monitoring
• Some are detected when a hacker is
Becoming more sophisticated
• Are well hidden – Hacker Defender is a suite of tools to hide your favorite trojan
• Still common – I detected a pubstro on a departmental server at 5:00 p.m. last
Organized crime
• See the From Russia with Malice handout

IRC Society
• Slides are from a presentation by Hank

Frequency of attacks
• Page 84 of the Nussbacher presentation
• Page 32 of the Vunderink presentation

Size of botnets
• It is common to see botnets with a strength of 1,000 to 2,000 bots
• One record botnet had a strength of hundreds of thousands of bots
Easy tools
• Tools that we have seen at ISU have grown in sophistication and power
• Professional hackers are writing tools
• Many of today’s new viruses are nothing more than hacker tools in active use
• Quote from page 14 of Vunderink

Easy Tools
Optix – a sdbot variant
Detailed Description
The backdoor's file is a PE executable about 93 kilobytes long, packed with the Yoda and PECompact file compressors. When the backdoor's file is started, it copies itself as SNDCFG16.EXE to the Windows System folder, sets hidden, system and read-only attributes for itself and then creates the following startup keys in the Registry… The backdoor monitors Registry changes and re-creates these keys if they are deleted or
Optix – a sdbot variant
SDBot.MB kills the processes of security and anti-virus software and also the processes of certain malware (for example Bagle). The processes with the following names are killed:
regedit.exe msconfig.exe …a long list…
Optix – a sdbot variant
The backdoor can scan for vulnerable computers using different types of exploits and tries to locate other backdoors installed on remote hosts. Here's the list of scanner capabilities:
• WebDav (port 80)
• NetBios (port 139)
• NTPass (port 445)
• DCom (ports 135, 1025)
• DCom2 (port 135)
• MSSQL (port 1433)
• LSASS (port 445)
• UPNP (port 5000)
• Optix backdoor (port 3140)
• Bagle backdoor (port 2745)
• Kuang backdoor (port 17300)
• Mydoom backdoor (port 3127)
• NetDevil backdoor (port 903)
• SubSeven backdoor (port 27347)
• DameWare remote management software (port 6129)
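The slides describe two ways ISU finds this activity in flow data: pubstros show up in the top-20 traffic list or "look the same" as one that did, and infected hosts show up through other activity seen by netflow monitoring, such as the port sweep the SDBot scanner performs against the list above. The following is an added example of that triage written for this page, not code from the presentation or from ISU. It assumes flow records exported as one CSV line per flow ("src,dst,dst_port,bytes", a simplification of a collector's output); the sample records are constructed, and the port set is the SDBot.MB scanner list from the slide.

```python
"""Flow-record triage for pubstros and SDBot-style scanners.

Added example, not code from the presentation or from ISU. Assumes one
CSV record per flow: "src,dst,dst_port,bytes". The sample data below is
constructed; the scanner port set is the SDBot.MB list from the slides.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

# Ports probed by the SDBot.MB scanner, as listed on the slides.
SDBOT_SCAN_PORTS = {80, 139, 445, 135, 1025, 1433, 5000, 3140, 2745,
                    17300, 3127, 903, 27347, 6129}

# IANA dynamic range: a server's replies land on these client ports and
# would otherwise fill its port profile with one-off values.
EPHEMERAL_START = 49152


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(lines: Iterable[str]) -> List[Flow]:
    """Parse 'src,dst,dst_port,bytes' records, skipping blanks and comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, nbytes = (field.strip() for field in line.split(","))
        flows.append(Flow(src, dst, int(dport), int(nbytes)))
    return flows


def top_talkers(flows: List[Flow], n: int = 20) -> List[Tuple[str, int]]:
    """Rank sources by bytes sent: the slides' top-20 network traffic list."""
    total: Counter = Counter()
    for f in flows:
        total[f.src] += f.nbytes
    return total.most_common(n)


def port_profile(flows: List[Flow], host: str) -> Set[str]:
    """Shape of a host's traffic: ports it serves on plus ports it reaches out to."""
    profile = set()
    for f in flows:
        if f.dst == host:
            profile.add(f"in:{f.dport}")
        elif f.src == host and f.dport < EPHEMERAL_START:
            profile.add(f"out:{f.dport}")
    return profile


def looks_like(flows: List[Flow], candidate: str, known_pubstro: str,
               threshold: float = 0.6) -> bool:
    """The 'looks the same as a top-20 pubstro' check, as Jaccard similarity
    of the two hosts' port profiles (threshold is an assumed tuning value)."""
    a, b = port_profile(flows, candidate), port_profile(flows, known_pubstro)
    if not a or not b:
        return False
    return len(a & b) / len(a | b) >= threshold


def sdbot_scanners(flows: List[Flow], min_targets: int = 10,
                   min_ports: int = 3) -> Dict[str, Tuple[int, int]]:
    """Sources touching the SDBot scanner ports on many distinct hosts.
    Returns {source: (distinct targets, distinct ports)}."""
    targets = defaultdict(set)
    ports = defaultdict(set)
    for f in flows:
        if f.dport in SDBOT_SCAN_PORTS:
            targets[f.src].add(f.dst)
            ports[f.src].add(f.dport)
    return {s: (len(targets[s]), len(ports[s])) for s in targets
            if len(targets[s]) >= min_targets and len(ports[s]) >= min_ports}


# Constructed sample (RFC 5737 documentation addresses; not ISU data).
SAMPLE_FLOWS = """
# src,dst,dst_port,bytes
# known pubstro 10.0.5.20: serves files on tcp/2121, its bot sits on IRC tcp/6667
203.0.113.10,10.0.5.20,2121,1500
10.0.5.20,203.0.113.10,51000,700000000
198.51.100.7,10.0.5.20,2121,1200
10.0.5.20,198.51.100.7,52000,650000000
10.0.5.20,192.0.2.5,6667,20000
# 10.0.7.33: same shape as the known pubstro, lower volume
203.0.113.44,10.0.7.33,2121,1400
10.0.7.33,203.0.113.44,53000,500000000
10.0.7.33,192.0.2.5,6667,18000
# 10.0.9.9: ordinary web browsing
10.0.9.9,192.0.2.80,80,30000
10.0.9.9,192.0.2.81,443,45000
# 10.0.3.15: low-volume sweep of the SDBot scanner ports across a subnet
""" + "\n".join(f"10.0.3.15,10.0.12.{i},{p},60"
                for i, p in enumerate(sorted(SDBOT_SCAN_PORTS), start=1))


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS.splitlines())
    print("top talkers:", top_talkers(flows, 3))
    for host in ("10.0.7.33", "10.0.9.9"):
        print(host, "looks like known pubstro:", looks_like(flows, host, "10.0.5.20"))
    print("SDBot-style scanners:", sdbot_scanners(flows))
```

The scanner in the sample moves only a few hundred bytes and never approaches the top-20 list; it is the count of distinct targets on the SDBot port set that exposes it, which is the point of watching flow records for more than volume.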
Optix – a sdbot variant
• The backdoor starts an IDENTD server on port 113.
• A hacker can control the backdoor via a bot that it creates in a certain IRC channel.
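Because the controller may be a custom private IRC server rather than a public one, a detector keyed on port 6667 misses exactly the cases the slides worry about; the IRC protocol itself is the better signal, and a machine that should never be an IRC client (a departmental server hosting a pubstro) joining a channel is the finding. The block below is an added example of that check, not code from the presentation or from Snort (which the reference slide points to for the same purpose). It assumes TCP payloads have already been reassembled into text lines and tagged with source, destination and destination port; the session capture and the server inventory are constructed.

```python
"""IRC command-and-control spotting over reassembled TCP payload lines.

Added example, not code from the presentation or any IRC/Snort project.
Assumes payload lines tagged as (src, dst, dport, line); the captured
session and host inventory below are constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Set, Tuple

# Commands an IRC client sends; a stream carrying several of them is an
# IRC client session whatever port it uses.
IRC_CLIENT_COMMANDS = {"NICK", "USER", "JOIN", "PART", "PRIVMSG", "MODE",
                       "PONG", "QUIT"}
STANDARD_IRC_PORTS = {6667}


class IrcMessage(NamedTuple):
    prefix: Optional[str]
    command: str
    params: List[str]


class Finding(NamedTuple):
    src: str
    dst: str
    dport: int
    nick: Optional[str]
    channels: List[str]
    severity: str


def parse_irc_line(line: str) -> Optional[IrcMessage]:
    """Parse one RFC 1459 style line: [':' prefix] command params [' :' trailing]."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)      # trailing parameter may contain spaces
    if not params:
        return None
    return IrcMessage(prefix, params[0].upper(), params[1:])


def classify_sessions(events: Iterable[Tuple[str, str, int, str]],
                      server_hosts: Set[str]) -> List[Finding]:
    """Group payload lines by (src, dst, dport) and report IRC client sessions.

    Severity is 'high' when the client is an inventoried server (a host with
    no business on IRC) or the server side is on a non-standard port;
    otherwise 'info', so ordinary users on public IRC are logged, not paged.
    """
    sessions: Dict[Tuple[str, str, int], List[str]] = defaultdict(list)
    for src, dst, dport, payload in events:
        sessions[(src, dst, dport)].append(payload)

    findings = []
    for (src, dst, dport), payloads in sessions.items():
        msgs = [m for m in map(parse_irc_line, payloads) if m]
        seen = {m.command for m in msgs if m.command in IRC_CLIENT_COMMANDS}
        if len(seen) < 2:            # one stray token is not an IRC session
            continue
        nick = next((m.params[0] for m in msgs
                     if m.command == "NICK" and m.params), None)
        channels = sorted({m.params[0] for m in msgs
                           if m.command == "JOIN" and m.params})
        suspicious = src in server_hosts or dport not in STANDARD_IRC_PORTS
        findings.append(Finding(src, dst, dport, nick, channels,
                                "high" if suspicious else "info"))
    return findings


# Constructed inventory and captures (RFC 5737 addresses; not ISU data).
SERVER_HOSTS = {"10.0.5.20"}
SAMPLE_EVENTS = [
    # departmental server talking IRC to a private controller on tcp/7000
    ("10.0.5.20", "192.0.2.5", 7000, "NICK constructed-bot-0042\r\n"),
    ("10.0.5.20", "192.0.2.5", 7000, "USER sys 0 * :sys\r\n"),
    ("10.0.5.20", "192.0.2.5", 7000, "JOIN #constructed-channel\r\n"),
    ("10.0.5.20", "192.0.2.5", 7000, "PONG :192.0.2.5\r\n"),
    # workstation browsing the web: not IRC
    ("10.0.9.9", "192.0.2.80", 80, "GET / HTTP/1.1\r\n"),
    ("10.0.9.9", "192.0.2.80", 80, "Host: www.example.com\r\n"),
    # workstation on a public IRC network, standard port: log only
    ("10.0.9.10", "192.0.2.6", 6667, "NICK student\r\n"),
    ("10.0.9.10", "192.0.2.6", 6667, "USER student 0 * :student\r\n"),
    ("10.0.9.10", "192.0.2.6", 6667, "JOIN #study-group\r\n"),
]


if __name__ == "__main__":
    for f in classify_sessions(SAMPLE_EVENTS, SERVER_HOSTS):
        print(f"{f.severity:5} {f.src} -> {f.dst}:{f.dport} "
              f"nick={f.nick} channels={f.channels}")
```

The nick and channel pulled from the session are what an incident responder needs next: the same channel name recurring from other hosts is the quickest way to enumerate the rest of a botnet on the campus network.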
Optix – a sdbot variant
Backdoor capabilities are the following:
• start HTTP server on an infected computer
• start FTP server on an infected computer
• scan for vulnerable computers (open ports and exploits)
• make use of exploits and spread to remote
• start/stop keylogger
• get system information, including information about OS, network and drives
• operate backdoor's bot (nick change, dcc send/receive, join/part channels, etc.)
• perform DDoS (Distributed Denial of Service) attack: SYN, ICMP, UDP flood
• find, download and run files
• search for passwords
• start/stop remote services
• create/delete remote shares
• flush DNS cache
• ping any host
• list, start and kill processes
• sniff network traffic
• start remote command shell
• capture video from a webcam
• capture a screenshot
• redirect traffic on certain ports
• perform portscan
• send e-mails (work as an e-mail proxy)
• open a URL with default web browser
SDBot.MB steals CD keys for the following games if they are installed on an infected computer:

Counter-Strike (Retail); The Gladiators; Gunman Chronicles; Half-Life; Industry Giant 2; Legends of Might and Magic; Soldiers Of Anarchy; Unreal Tournament 2003; Unreal Tournament 2004; IGI 2: Covert Strike; Freedom Force; Battlefield 1942; Battlefield 1942 (Road To Rome); Battlefield 1942 (Secret Weapons of WWII); Battlefield Vietnam; Black and White; Command and Conquer: Generals (Zero Hour); James Bond 007: Nightfire; Command and Conquer: Generals; Global Operations; Medal of Honor: Allied Assault; Medal of Honor: Allied Assault: Breakthrough; Medal of Honor: Allied Assault: Spearhead; Need For Speed Hot Pursuit 2; Need For Speed: Underground; Shogun: Total War: Warlord Edition; FIFA 2002; FIFA 2003; NHL 2002; NHL 2003; Nascar Racing 2002; Nascar Racing 2003; Rainbow Six III RavenShield; Command and Conquer: Tiberian Sun; Command and Conquer: Red Alert; Command and Conquer: Red Alert 2; NOX; Chrome; Hidden & Dangerous 2; Soldier of Fortune II - Double Helix; Neverwinter Nights; Neverwinter Nights (Shadows of Undrentide); Neverwinter Nights (Hordes of the Underdark)

Also the backdoor steals the Microsoft Windows Product ID.
Protecting client systems

Comments from Vunderink
Some conclusions
• Security threats have changed
• Our clients have no idea that the security paradigm has changed
• Policy makers do not know that security threats have changed
• I am less pessimistic than Vunderink. I think that we will succeed in educating policy makers… but we won’t succeed in educating our clients.
1. A good overview of botnets: Malicious Bots Threaten Network Security, David Geer. IEEE Computer, January 2005.
2. An article that provides examples of organized crime and botnets: From Russia with Malice.
3. Slides from a presentation that provide a good history of DDoS and techniques for fighting DDoS: Fighting Internet Diseases: DDoS, worms and miscreants, Hank Nussbacher and Nicolas Fishbach.
4. Slides from a presentation by an IRC administrator who is fighting botnets: IRC and Drones: Investigating botnets on IRC, Joost "Garion" Vunderink.
5. A paper that presents a complete forensic analysis of a compromised system: GIAC Certified Forensic Analyst (GCFA) Practical Assignment, Jennifer Kolde, SANS Institute.
Hank Nussbacher’s picks for DDOS references
A large number of papers and presentations can be found at the public page:
In addition, I have found these to be useful:

Other good references
• A good overview of DDOS
• Using SNORT to detect rogue IRC Bot Programs

My slides

Detecting a new bot
• Good free tools from
• Process explorer
