Botnets
CAP6135: Malware and Software Vulnerability Analysis
Cliff Zou
Spring 2010
Acknowledgement

This lecture uses some contents from the lecture notes from:
- Dr. Dawn Song: CS161: computer security
- Richard Wang – SophosLabs: The Development of Botnets
- Randy Marchany - VA Tech IT Security Lab: Botnets
Botnets

- Collection of compromised hosts
  - Spread like worms and viruses
  - Once installed, respond to remote commands
- A network of 'bots'
  - robot: an automatic machine that can be programmed to perform specific tasks.
- Also known as 'zombies'
- Platform for many attacks
  - Spam forwarding (70% of all spam?)
  - Click fraud
  - Keystroke logging
  - Distributed denial of service attacks
- Serious problem
  - Top concern of banks, online merchants
  - Vint Cerf: ¼ of hosts connected to Internet
What are botnets used for?
(figure slide)

IRC (Internet Relay Chat) based Control
(two diagram slides)
Why IRC?

- IRC servers are:
  - freely available
  - easy to manage
  - easy to subvert
- Attackers have experience with IRC
- IRC bots usually have a way to remotely upgrade victims with new payloads to stay ahead of security efforts
How bad is the problem?

- Symantec identified a 400K node botnet
- Netadmin in the Netherlands discovered 1-2M unique IPs associated with Phatbot infections.
  - Phatbot harvests MyDoom and Bagel infected machines.
- Researchers in Gtech monitored thousands of botnets
Spreading Problem

- Spreading mechanism is a leading cause of background noise
  - Port 445, 135, 139, 137 accounted for 80% of traffic captured by German Honeynet Project
- Other ports
  - 2745 – bagle backdoor
  - 3127 – MyDoom backdoor
  - 3410 – Optix trojan backdoor
  - 5000 – upnp vulnerability
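The slide above reduces to a lookup from destination port to the spreading vector it indicates. The following Python script is an added example (not from the lecture) that applies that lookup to constructed firewall-style log lines: it computes what fraction of connections aim at the four spreading ports, labels the rest using the slide's backdoor list, and lists sources that probed several known worm/backdoor ports, which is how an infected host sweeping a subnet shows up in the noise. The service names for 445/135/139/137 (SMB, MS-RPC, NetBIOS) are the standard ones and are not stated on the slide; the log format, the sample addresses and the "three distinct known ports" threshold are assumptions made for this example.

```python
from collections import Counter, defaultdict

# Port-to-family mapping from the lecture slide; the service names for
# 445/135/139/137 are the standard Windows service names (not on the slide).
PORT_LABELS = {
    445: "SMB (worm/bot spreading)",
    135: "MS-RPC (worm/bot spreading)",
    139: "NetBIOS session (worm/bot spreading)",
    137: "NetBIOS name (worm/bot spreading)",
    2745: "Bagle backdoor",
    3127: "MyDoom backdoor",
    3410: "Optix trojan backdoor",
    5000: "UPnP vulnerability",
}
SPREAD_PORTS = {445, 135, 139, 137}   # the four ports the slide says carried 80%


def parse_line(line):
    """Parse a constructed firewall-log line '<time> <src> <dst> <proto> <dport>'."""
    _time, src, _dst, _proto, dport = line.split()
    return src, int(dport)


def port_breakdown(lines):
    """Return (share of connections aimed at the four spread ports, count per label)."""
    per_port = Counter(parse_line(line)[1] for line in lines)
    total = sum(per_port.values())
    spread = sum(per_port[p] for p in SPREAD_PORTS)
    share = spread / total if total else 0.0
    labelled = {PORT_LABELS.get(p, f"port {p}"): n for p, n in per_port.items()}
    return share, labelled


def likely_scanners(lines, min_ports=3):
    """Sources that touched at least min_ports distinct known worm/backdoor ports.

    Heuristic assumed for this example: one infected host sweeping a subnet hits
    several of these ports in quick succession; an ordinary SMB client does not.
    """
    ports_by_src = defaultdict(set)
    for line in lines:
        src, dport = parse_line(line)
        if dport in PORT_LABELS:
            ports_by_src[src].add(dport)
    return sorted(s for s, ps in ports_by_src.items() if len(ps) >= min_ports)


# Constructed sample log (not captured traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    "12:00:01 10.0.0.7 192.0.2.10 tcp 445",
    "12:00:01 10.0.0.7 192.0.2.11 tcp 445",
    "12:00:02 10.0.0.7 192.0.2.12 tcp 135",
    "12:00:02 10.0.0.7 192.0.2.13 tcp 139",
    "12:00:03 10.0.0.7 192.0.2.14 tcp 137",
    "12:00:03 10.0.0.7 192.0.2.15 tcp 2745",
    "12:00:04 10.0.0.9 192.0.2.20 tcp 3127",
    "12:00:05 10.0.0.9 192.0.2.21 tcp 445",
    "12:00:06 10.0.0.4 192.0.2.30 tcp 80",
    "12:00:07 10.0.0.4 192.0.2.30 tcp 443",
]

if __name__ == "__main__":
    share, labelled = port_breakdown(SAMPLE_LOG)
    print(f"spread-port share: {share:.0%}")
    for label, n in sorted(labelled.items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {label}")
    print("likely scanners:", likely_scanners(SAMPLE_LOG))
```

On the sample log the four spreading ports account for 60% of connections and only 10.0.0.7 qualifies as a scanner: 10.0.0.9 touched two known ports and 10.0.0.4 none. The per-source view matters more than the per-port share for response, since it names the host to isolate and patch.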
Most commonly used Bot families

- Agobot
- SDBot
- SpyBot
- GT Bot
Agobot

- Most sophisticated
- 20,000 lines C/C++ code
- IRC based command/control
- Large collection of target exploits
- Capable of many DoS attack types
- Shell encoding/polymorphic obfuscation
- Traffic sniffers/key logging
- Defend/fortify compromised system
- Ability to frustrate disassembly
SDBot

- Simpler than Agobot, 2,000 lines C code
- Non-malicious at base
- Utilize IRC-based command/control
- Easily extended for malicious purposes
  - Scanning
  - DoS Attacks
  - Sniffers
  - Information harvesting
  - Encryption
SpyBot

- <3,000 lines C code
- Possibly evolved from SDBot
  - Similar command/control engine
  - No attempts to hide malicious purposes
GT Bot

- Functions based on mIRC scripting capabilities
- HideWindow program hides bot on local system
  - Basic rootkit function
- Port scanning, DoS attacks, exploits for RPC and NetBIOS
- Variance in codebase size, structure, complexity, implementation
- Convergence in set of functions
  - Possibility for defense systems effective across bot families
  - Bot families extensible
  - Agobot likely to become dominant
Control

- All of the above use IRC for command/control
  - Disrupt IRC, disable bots
  - Sniff IRC traffic for commands
  - Shutdown channels used for Botnets
- But a botnet could use its own IRC server
  - IRC operators play central role in stopping botnet traffic
  - Automated traffic identification required
- Future botnets may move away from IRC
  - Move to P2P communication
  - Traffic fingerprinting still useful for identification
Host control

- Fortify system against other malicious attacks
- Disable anti-virus software
- Harvest sensitive information
  - PayPal, software keys, etc.
- Economic incentives for botnets
- Stresses need to patch/protect systems prior to attack
- Stronger protection boundaries required across applications in OSes
Example Botnet Commands

- Connection
  - Pass hierarchy info
    CLIENT: PASS <password>
    HOST : (if error, disconnect)
    CLIENT: NICK <nick>
    HOST : NICKERROR | CONNECTED
  - BOTINFO <nick> <connected_to> <priority>
  - BOTQUIT <nick>
Example Botnet Commands

- IRC Commands
  - CHANJOIN <tag> <channel>
  - CHANPART <tag> <channel>
  - CHANOP <tag> <channel>
  - CHANKICK <tag> <channel>
  - CHANBANNED <tag> <channel>
  - CHANPRIORITY <ircnet> <channel> <LOW/NORMAL/HIGH>
Example Botnet Commands

- pstore
  - Display all usernames/passwords stored in browsers of infected systems
- bot.execute
  - Run executable on remote system
- bot.open
  - Reads file on remote computer
- bot.command
  - Runs command with system()
Example Botnet Commands

- http.execute
  - Download and execute file through http
- ftp.execute
- ddos.udpflood
- ddos.synflod
- ddos.phaticmp
- redirect.http
- redirect.socks
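The Control slide says the defensive move against IRC-based botnets is to sniff IRC traffic for commands, automate the identification, and hand the offending channels to the IRC operators; the command slides above give the tokens to look for. The following Python script is an added example (not from the lecture or any bot's source) that does exactly that over constructed IRC lines: it parses standard PRIVMSG messages, matches the first word of each message against the command names listed on the slides, tallies them per channel, and reports channels that exceed a threshold. The capture format is the normal IRC wire format; the assumption that bot commands may carry a leading "." or "!" prefix, the per-channel threshold, and all sample lines and addresses are constructed for this example.

```python
import re
from collections import defaultdict

# Command tokens taken from the lecture's "Example Botnet Commands" slides,
# grouped so an alert can say what kind of activity was observed.
BOT_COMMANDS = {
    "control": {"BOTINFO", "BOTQUIT", "CHANJOIN", "CHANPART", "CHANOP",
                "CHANKICK", "CHANBANNED", "CHANPRIORITY"},
    "host": {"pstore", "bot.execute", "bot.open", "bot.command"},
    "download": {"http.execute", "ftp.execute"},
    "ddos": {"ddos.udpflood", "ddos.synflod", "ddos.phaticmp"},
    "proxy": {"redirect.http", "redirect.socks"},
}
TOKEN_TO_CATEGORY = {tok: cat for cat, toks in BOT_COMMANDS.items() for tok in toks}

# Standard IRC message line: ":nick!user@host PRIVMSG <target> :<text>"
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!\S+\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)


def first_token(text):
    """First word of a message, minus a leading '.' or '!' (assumed command prefix)."""
    text = text.strip()
    return text.split(" ", 1)[0].lstrip(".!") if text else ""


def classify_message(text):
    """Return the bot-command category of a PRIVMSG payload, or None if benign."""
    return TOKEN_TO_CATEGORY.get(first_token(text))


def scan_irc_log(lines):
    """Scan captured IRC lines.

    Returns ({channel: {category: count}}, [(nick, channel, command), ...]).
    Lines that are not PRIVMSG (PING, JOIN, ...) are ignored.
    """
    summary = defaultdict(lambda: defaultdict(int))
    hits = []
    for line in lines:
        m = PRIVMSG_RE.match(line.strip())
        if not m:
            continue
        category = classify_message(m.group("text"))
        if category is None:
            continue
        summary[m.group("target")][category] += 1
        hits.append((m.group("nick"), m.group("target"), first_token(m.group("text"))))
    return {ch: dict(cats) for ch, cats in summary.items()}, hits


def channels_to_report(summary, min_hits=2):
    """Channels with at least min_hits bot commands: hand these to the IRC operators."""
    return sorted(ch for ch, cats in summary.items() if sum(cats.values()) >= min_hits)


# Constructed sample capture (not real traffic); hosts and URLs are placeholders.
SAMPLE_CAPTURE = [
    ":alice!a@example.net PRIVMSG #chat :hi everyone",
    ":herder!x@198.51.100.7 PRIVMSG #b0tz :.http.execute http://update.example.invalid/u.exe",
    ":herder!x@198.51.100.7 PRIVMSG #b0tz :.ddos.udpflood 192.0.2.10 80 60",
    ":bob!b@example.net PRIVMSG #chat :did you see the game?",
    ":herder!x@198.51.100.7 PRIVMSG #b0tz :CHANJOIN t1 #backup",
    ":herder!x@198.51.100.7 PRIVMSG #chat :.pstore",
    "PING :irc.example.net",
]

if __name__ == "__main__":
    summary, hits = scan_irc_log(SAMPLE_CAPTURE)
    for nick, channel, command in hits:
        print(f"{channel:8s} {nick:8s} {TOKEN_TO_CATEGORY[command]:9s} {command}")
    print("report to operators:", channels_to_report(summary))
```

The per-nick list is as useful as the per-channel count: a single nick issuing download, DDoS and channel-management commands is the herder, and the ".pstore" in #chat shows that a command does not have to appear in the dedicated channel to be caught. Matching on exact tokens is deliberately narrow; it will miss a renamed command set, which is why the slide also calls for traffic fingerprinting rather than signatures alone.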
Current Botnet Control Architecture

(diagram: botmaster -> C&C, C&C -> bot, bot, bot)
• More than one C&C server
• Spread all around the world
Botnet Monitor: Gatech KarstNet

A lot of bots use DynDNS names to find C&C.

(diagram: attacker -> C&C servers behind cc1.com -> bots; KarstNet sinkhole)
- Detect cc1.com by its abnormal DNS queries
- KarstNet informs DNS provider of cc1.com
- DNS provider maps cc1.com to Gatech sinkhole (DNS hijack)
- All/most bots attempt to connect to the sinkhole
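The KarstNet flow above has three parts: spot the C&C name from abnormal resolver activity, have the name redirected to a sinkhole, and let the bots enumerate themselves by connecting to it. The following Python script is an added example (not KarstNet's code or the lecture's) that simulates that flow end to end on constructed resolver logs. The "abnormal query" test used here, many distinct clients resolving the same name within a short window, is an assumption chosen for illustration and is not the detection method KarstNet actually used; the log format, the sinkhole address, the zone contents and the client addresses are also constructed. The name cc1.com is the lecture's placeholder.

```python
from collections import defaultdict

SINKHOLE_IP = "192.0.2.53"   # constructed placeholder for the sinkhole's address


def parse_query(line):
    """Constructed resolver-log line: '<epoch_seconds> <client_ip> <qname>'."""
    ts, client, qname = line.split()
    return int(ts), client, qname.lower().rstrip(".")


def abnormal_domains(lines, min_clients=3, window=60, min_burst_ratio=0.8):
    """Names that many distinct clients resolve almost simultaneously.

    Assumed heuristic (not KarstNet's): bots re-resolve their C&C name in a burst
    when they start or reconnect, while queries for ordinary names spread out.
    Returns {qname: {"clients": n, "burst_ratio": r}} for names that score.
    """
    by_name = defaultdict(list)
    for line in lines:
        ts, client, qname = parse_query(line)
        by_name[qname].append((ts, client))
    flagged = {}
    for qname, queries in by_name.items():
        clients = {c for _, c in queries}
        if len(clients) < min_clients:
            continue
        times = sorted(t for t, _ in queries)
        best, j = 0, 0                     # largest query count in any window
        for i in range(len(times)):
            while times[i] - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        ratio = best / len(times)
        if ratio >= min_burst_ratio:
            flagged[qname] = {"clients": len(clients), "burst_ratio": round(ratio, 2)}
    return flagged


class SinkholingResolver:
    """Authoritative answers for a zone, with per-name overrides (the DNS hijack step)."""

    def __init__(self, zone, sinkhole=SINKHOLE_IP):
        self.zone = {k.lower(): v for k, v in zone.items()}
        self.sinkhole = sinkhole
        self.overrides = {}

    def sinkhole_name(self, qname):
        self.overrides[qname.lower().rstrip(".")] = self.sinkhole

    def resolve(self, qname):
        qname = qname.lower().rstrip(".")
        return self.overrides.get(qname) or self.zone.get(qname)


class Sinkhole:
    """Listener that only records who connects: the connecting hosts are the botnet."""

    def __init__(self):
        self.seen = set()

    def accept(self, client_ip):
        self.seen.add(client_ip)

    def infected_hosts(self):
        return sorted(self.seen)


def run_sinkhole_flow(lines, zone):
    """Detect, redirect, then replay the bots' lookups to see who reaches the sinkhole."""
    flagged = abnormal_domains(lines)
    resolver = SinkholingResolver(zone)
    for name in flagged:
        resolver.sinkhole_name(name)
    sink = Sinkhole()
    for line in lines:                     # each client connects to whatever it resolved
        _, client, qname = parse_query(line)
        if resolver.resolve(qname) == resolver.sinkhole:
            sink.accept(client)
    return flagged, sink.infected_hosts()


# Constructed zone and resolver log (documentation-range addresses, not real data).
ZONE = {"cc1.com": "198.51.100.7", "www.example.com": "203.0.113.1",
        "mail.example.com": "203.0.113.2"}
SAMPLE_QUERIES = [
    "1000 10.0.0.11 cc1.com", "1005 10.0.0.12 cc1.com", "1010 10.0.0.13 cc1.com",
    "1020 10.0.0.14 cc1.com", "1030 10.0.0.15 cc1.com",
    "100 10.0.0.21 www.example.com", "2000 10.0.0.22 www.example.com",
    "5000 10.0.0.23 www.example.com", "9000 10.0.0.24 www.example.com",
    "1000 10.0.0.31 mail.example.com", "1001 10.0.0.31 mail.example.com",
]

if __name__ == "__main__":
    flagged, infected = run_sinkhole_flow(SAMPLE_QUERIES, ZONE)
    print("flagged:", flagged)
    print("hosts that reached the sinkhole:", infected)
```

In the sample, cc1.com is resolved by five clients within 30 seconds and is flagged; www.example.com is queried by four clients but spread over hours, and mail.example.com is hammered by one client only, so neither scores. Once the override is in place every bot's next lookup lands on the sinkhole, which is why the technique yields a membership list without touching the bots themselves.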
The Future Generation of Botnets

- Peer-to-Peer C&C
- Polymorphism
- Anti-honeypot
- Rootkit techniques