CAP6135: Malware and Software Vulnerability Analysis
Botnets
Cliff Zou
Spring 2014
Acknowledgement

This lecture uses some contents from the lecture notes from:
• Dr. Dawn Song: CS161: Computer Security
• Richard Wang, SophosLabs: The Development of Botnets
• Randy Marchany, VA Tech IT Security Lab: Botnets
Botnets

• Collection of compromised hosts
  – Spread like worms and viruses
  – Once installed, respond to remote commands
• A network of 'bots'
  – robot: an automatic machine that can be programmed to perform specific tasks
  – Also known as 'zombies'
• Platform for many attacks
  – Spam forwarding (70% of all spam?)
  – Click fraud
  – Keystroke logging
  – Distributed denial of service attacks
• Serious problem
  – Top concern of banks, online merchants
  – Vint Cerf: ¼ of hosts connected to the Internet
What are botnets used for?
(figure slide)

IRC (Internet Relay Chat) based Control
(two diagram slides)
Why IRC?

• IRC servers are:
  – freely available
  – easy to manage
  – easy to subvert
• Attackers have experience with IRC
• IRC bots usually have a way to remotely upgrade victims with new payloads to stay ahead of security efforts
How bad is the problem?

• Symantec identified a 400K node botnet
• A netadmin in the Netherlands discovered 1-2M unique IPs associated with Phatbot infections
  – Phatbot harvests MyDoom and Bagle infected machines
• Researchers at Gatech monitored thousands of botnets
Spreading Problem

• Spreading mechanism is a leading cause of background noise
  – Ports 445, 135, 139, 137 accounted for 80% of traffic captured by the German Honeynet Project
• Other ports
  – 2745: Bagle backdoor
  – 3127: MyDoom backdoor
  – 3410: Optix trojan backdoor
  – 5000: UPnP vulnerability
Most commonly used Bot families

• Agobot
• SDBot
• SpyBot
• GT Bot
Agobot

• Most sophisticated
• 20,000 lines of C/C++ code
• IRC based command/control
• Large collection of target exploits
• Capable of many DoS attack types
• Shell encoding/polymorphic obfuscation
• Traffic sniffers/key logging
• Defend/fortify compromised system
• Ability to frustrate disassembly
SDBot

• Simpler than Agobot, 2,000 lines of C code
• Non-malicious at base
• Utilizes IRC-based command/control
• Easily extended for malicious purposes
  – Scanning
  – DoS attacks
  – Sniffers
  – Information harvesting
  – Encryption
SpyBot

• <3,000 lines of C code
• Possibly evolved from SDBot
  – Similar command/control engine
  – No attempts to hide malicious purposes
GT Bot

• Functions based on mIRC scripting capabilities
• HideWindow program hides the bot on the local system
  – Basic rootkit function
• Port scanning, DoS attacks, exploits for RPC and NetBIOS
• Variance in codebase size, structure, complexity, implementation
• Convergence in set of functions
  – Possibility for defense systems effective across bot families
  – Bot families extensible
  – Agobot likely to become dominant
Control

• All of the above use IRC for command/control
  – Disrupt IRC, disable bots
  – Sniff IRC traffic for commands
  – Shut down channels used for botnets
• But a botnet could use its own IRC server
  – IRC operators play a central role in stopping botnet traffic
  – Automated traffic identification required
• Future botnets may move away from IRC
  – Move to P2P communication
  – Traffic fingerprinting still useful for identification
Host control

• Fortify system against other malicious attacks
• Disable anti-virus software
• Harvest sensitive information
  – PayPal, software keys, etc.
• Economic incentives for botnets
  – Stresses the need to patch/protect systems prior to attack
  – Stronger protection boundaries required across applications in OSes
Example Botnet Commands

• Connection
    CLIENT: PASS <password>
    HOST  : (if error, disconnect)
    CLIENT: NICK <nick>
    HOST  : NICKERROR | CONNECTED
• Pass hierarchy info
    BOTINFO <nick> <connected_to> <priority>
    BOTQUIT <nick>
Example Botnet Commands

• IRC Commands
    CHANJOIN <tag> <channel>
    CHANPART <tag> <channel>
    CHANOP <tag> <channel>
    CHANKICK <tag> <channel>
    CHANBANNED <tag> <channel>
    CHANPRIORITY <ircnet> <channel> <LOW/NORMAL/HIGH>
Example Botnet Commands

• pstore
  – Display all usernames/passwords stored in browsers of infected systems
• bot.execute
  – Run executable on remote system
• bot.open
  – Reads file on remote computer
• bot.command
  – Runs command with system()
Example Botnet Commands

• http.execute
  – Download and execute file through HTTP
• ftp.execute
• ddos.udpflood
• ddos.synflood
• ddos.phaticmp
• redirect.http
• redirect.socks
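The "Sniff IRC traffic for commands" defense from the Control slide, applied to the command names listed on the slides above: a small added example (not code from the lecture or from any bot family) that parses IRC lines in RFC 1459 shape, flags channel messages carrying those command names, and counts JOINs per nick. The log lines are constructed for illustration; the assumption that commands travel as PRIVMSG text is the detector's own, and the last sample line shows the false-positive risk of plain keyword matching.

```python
import re
from collections import Counter

# Command names taken from the lecture slides, mapped to the capability they exercise.
BOT_COMMANDS = {
    "pstore": "credential theft", "bot.execute": "run executable",
    "bot.open": "read remote file", "bot.command": "shell command via system()",
    "http.execute": "download-and-execute", "ftp.execute": "download-and-execute",
    "ddos.udpflood": "DDoS", "ddos.synflood": "DDoS", "ddos.phaticmp": "DDoS",
    "redirect.http": "proxy/redirect", "redirect.socks": "proxy/redirect",
}
# RFC 1459 line: optional ":prefix", a command word, middle params, optional ":trailing".
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>[^:]*?))?(?: :(?P<trail>.*))?$")
TOKEN = re.compile(r"\b(" + "|".join(map(re.escape, BOT_COMMANDS)) + r")\b")

def parse_irc(line):
    """Split one IRC line into prefix, command, params list and trailing text."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    return {"prefix": m.group("prefix") or "", "cmd": m.group("cmd"),
            "params": (m.group("params") or "").split(), "trail": m.group("trail")}

def scan_irc_log(lines):
    """Return (alerts, joins): alerts for PRIVMSGs carrying bot commands,
    joins = number of JOINs per nick (a burst of joins hints at a C&C channel)."""
    alerts, joins = [], Counter()
    for raw in lines:
        msg = parse_irc(raw)
        if not msg:
            continue
        if msg["cmd"] == "JOIN":
            joins[msg["prefix"].split("!")[0]] += 1  # prefix is nick!user@host
        if msg["cmd"] == "PRIVMSG" and msg["trail"] and msg["params"]:
            for tok in TOKEN.findall(msg["trail"]):
                alerts.append((msg["prefix"], msg["params"][0], tok, BOT_COMMANDS[tok]))
    return alerts, joins

# Constructed sample capture (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    ":zombie1!u@10.0.0.7 JOIN #botz",
    ":zombie2!u@10.0.0.8 JOIN #botz",
    "PING :irc.example",
    ":master!op@198.51.100.3 PRIVMSG #botz :.ddos.udpflood 192.0.2.10 80 600",
    ":master!op@198.51.100.3 PRIVMSG #botz :.http.execute http://198.51.100.3/update",
    ":alice!a@203.0.113.9 PRIVMSG #chat :anyone seen the pstore docs?",  # benign hit
]

if __name__ == "__main__":
    for alert in scan_irc_log(SAMPLE_LOG)[0]:
        print("ALERT", alert)
```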
Current Botnet Control Architecture

(diagram: botmaster → several C&C servers → bots)
• More than one C&C server
• Spread all around the world
Botnet Monitor: Gatech KarstNet

• A lot of bots use a DynDNS name (cc1.com in the diagram) to find the C&C
• Diagram steps (attacker, C&C servers, bots, KarstNet sinkhole):
  1. Detect cc1.com by its abnormal DNS queries
  2. KarstNet informs the DNS provider of cc1.com
  3. DNS provider maps cc1.com to the Gatech sinkhole (DNS hijack)
  4. All/most bots attempt to connect to the sinkhole
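A worked version of the KarstNet idea above, added here as an illustration rather than KarstNet's own algorithm: the "abnormal DNS queries" test is an assumed heuristic (many distinct clients resolving one name, concentrated in a short window), the sinkhole address and the DNS query log are constructed, and the last function counts how many distinct clients the DNS hijack would steer to the sinkhole.

```python
from collections import defaultdict

SINKHOLE_IP = "192.0.2.254"  # constructed placeholder for the sinkhole address

def build_sample_log():
    """Constructed DNS query log: (seconds, client_ip, queried_name)."""
    log = []
    # A normal site: five clients, lookups spread evenly over an hour.
    for t in range(0, 3600, 120):
        log.append((t, f"10.1.0.{(t // 120) % 5 + 1}", "www.example"))
    # Bots: 40 distinct clients all resolving cc1.com inside one minute (burst).
    for i in range(40):
        log.append((1800 + i, f"10.2.0.{i + 1}", "cc1.com"))
    return log

def find_abnormal_names(log, window=300, min_clients=20, burst_ratio=0.8):
    """Flag names where most distinct clients queried within one short window.
    Assumed heuristic for 'abnormal DNS queries', not the KarstNet metric itself."""
    by_name = defaultdict(list)
    for t, src, name in log:
        by_name[name].append((t, src))
    flagged = {}
    for name, queries in by_name.items():
        queries.sort()
        clients = {src for _, src in queries}
        if len(clients) < min_clients:
            continue
        # Largest number of distinct clients seen inside any sliding window.
        peak = 0
        for i, (t0, _) in enumerate(queries):
            seen = {src for t, src in queries[i:] if t - t0 <= window}
            peak = max(peak, len(seen))
        if peak / len(clients) >= burst_ratio:
            flagged[name] = {"clients": len(clients), "peak_window_clients": peak}
    return flagged

def resolve(name, flagged, real_answers):
    """Resolver stand-in: a flagged name is answered with the sinkhole (DNS hijack step)."""
    return SINKHOLE_IP if name in flagged else real_answers.get(name)

def sinkhole_connections(log, flagged, real_answers):
    """Per name, how many distinct clients would end up connecting to the sinkhole."""
    hits = defaultdict(set)
    for _, src, name in log:
        if resolve(name, flagged, real_answers) == SINKHOLE_IP:
            hits[name].add(src)
    return {name: len(srcs) for name, srcs in hits.items()}
```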
Botnet Monitor: Honeypot Spy

• Security researchers set up honeypots
  – Honeypots: deliberately set up vulnerable machines
  – When compromised, put the malware's behaviors under close monitoring
  – Tutorial: http://en.wikipedia.org/wiki/Honeypot_%28computing%29
• When a compromised honeypot joins a botnet
  – Passive monitoring: log all network traffic
  – Active monitoring: actively contact other bots to obtain more information (neighborhood list, additional C&C, etc.)
• Representative research paper:
  – Abu Rajab, Moheeb; Zarfoss, Jay; Monrose, Fabian; Terzis, Andreas. "A multifaceted approach to understanding the botnet phenomenon." 6th ACM SIGCOMM Conference on Internet Measurement (IMC), 2006.
The Future Generation of Botnets

• Peer-to-Peer C&C
• Polymorphism
• Anti-honeypot
• Rootkit techniques