An Inside Look at Botnets

AN INSIDE LOOK AT BOTNETS
ARO-DHS Special Workshop on Malware Detection, 2005
Written by: Paul Barford and Vinod Yegneswaran, University of Wisconsin, Madison
Presented by: Jarrod Williams
OUTLINE
- Motivation/Goals
- Botnets
- Botnet Attributes
- Conclusion/Review

MOTIVATION/GOALS
- Increase in botnet usage: spam, DDoS, identity theft
- The objective of the paper is to understand how botnets work and find commonalities between them
- Botnets studied: Agobot (4.0 Pre-Release), SDBot (05B), SpyBot (1.4), GT Bot with DCOM
MOTIVATION/GOALS
Attributes considered:
- Architecture
- Botnet control mechanisms
- Host control mechanisms
- Propagation mechanisms
- Exploits and attack mechanisms
- Malware delivery mechanisms
- Obfuscation methods
- Deception mechanisms

BOTNETS
- A collection of compromised computers running software controlled by a single user
- Botnets are controlled by a botmaster
- Compromised host machines are called zombies
- Zombies communicate using IRC
- A botnet can have many different versions of the same bot, making up botnet families
BOTNETS: INTERNET RELAY CHAT
- Internet Relay Chat (IRC) is a form of real-time Internet text messaging
- It is mainly designed for group communication, but it also allows one-to-one communication via private message and data transfers via direct client-to-client connections
- Created by Jarkko Oikarinen in August 1988
BOTNET ATTRIBUTES CONSIDERED
- Architecture
- Botnet control mechanisms
- Host control mechanisms
- Propagation mechanisms
- Exploits and attack mechanisms
- Malware delivery mechanisms
- Obfuscation methods
- Deception mechanisms

AGOBOT (4.0 PRE-RELEASE)
Most sophisticated of the four bots
- Released October, 2002
- Hundreds of variants of this bot; it is also commonly referred to as Phatbot
- Roughly 20,000 lines of C/C++
- The ability to launch different kinds of DoS attacks
- The ability to harvest the local host for PayPal passwords and AOL keys through traffic sniffing, key logging or searching registry entries

SDBOT (05B)
Fairly simple
- Released October, 2002
- Hundreds of variants of this bot
- Slightly over 2,000 lines of C
- Does not include any overtly malicious code modules
- The code is obviously easy to extend and patch
- Patches contain the malicious code that attackers need
- 80 patches for SDBot were found through web searching

SPYBOT (1.4)
Relatively small, like SDBot
- Released April, 2003
- Under 3,000 lines of C
- The command and control engine appears to be shared with SDBot, and it is likely that it evolved from SDBot
- Includes NetBIOS/Kuang/Netdevil/KaZaa exploits
- Contains modules for launching flooding attacks and has scanning capabilities

GT BOT WITH DCOM
Simple design providing a limited set of functions
- Released April, 1998
- Global Threat Bot has hundreds of variants and is also referred to as Aristotle's
- Easy to modify, but there is nothing that suggests it was designed with extensibility in mind
- Capabilities include port scanning, DoS attacks, and exploits for RPC and NetBIOS services
- Includes the HideWindow program, which keeps the bot hidden on the local system

BOTNET ATTRIBUTES CONSIDERED: PROPAGATION MECHANISMS

AGOBOT (4.0 PRE-RELEASE)
- Simple vertical and horizontal scanning
- Scanning is based on the network ranges (network prefixes) that are configured on individual bots
SDBOT (05B)
- By virtue of its benign intent, SDBot does not have scanning or propagation capability in its base distribution
- Many variants of SDBot include scanning and propagation capability
SPYBOT (1.4)
Simple command interface for scanning
- Horizontal and vertical scanning capability
- Scans are sequential
- Command: scan <startIP address> <port> <delay> <spreaders> <logfilename>
- Example: scan 127.0.0.1 17300 1 netbios portscan.txt
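Because SpyBot's scan command has the fixed argument layout shown above, captured C&C channel traffic can be checked for it mechanically. The following is an added detection example, not code from the paper or the slides; it assumes the SpyBot 1.4 grammar (scan <startIP> <port> <delay> <spreaders> <logfilename>) and the RFC 1459 PRIVMSG line format, and the IRC log lines it runs on are constructed for the example.

```python
"""Added example: parse captured IRC traffic and flag SpyBot-style scan
commands.  Not code from the paper or the slides; it assumes the SpyBot 1.4
command grammar (scan <startIP> <port> <delay> <spreaders> <logfilename>)
and the RFC 1459 PRIVMSG wire format.  The sample traffic is constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ":nick!user@host PRIVMSG #channel :text" (the !user@host part is optional)
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)(?:!\S+)?\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


@dataclass
class ScanCommand:
    issuer: str      # IRC nick that issued the command (the botmaster's handle)
    channel: str     # channel or nick the command was addressed to
    start_ip: str
    port: int
    delay: int
    spreader: str
    logfile: str


def parse_scan_text(text: str) -> Optional[Tuple[str, int, int, str, str]]:
    """Return the five scan arguments if `text` matches the grammar, else None."""
    parts = text.strip().split()
    if len(parts) != 6 or parts[0].lower() != "scan":
        return None
    _, ip, port, delay, spreader, logfile = parts
    if not IPV4_RE.match(ip) or not port.isdigit() or not delay.isdigit():
        return None
    if not 0 < int(port) < 65536:
        return None
    return ip, int(port), int(delay), spreader, logfile


def find_scan_commands(lines: List[str]) -> List[ScanCommand]:
    """Scan IRC log lines (one raw message per line) for scan commands."""
    found: List[ScanCommand] = []
    for line in lines:
        m = PRIVMSG_RE.match(line.strip())
        if not m:
            continue                      # PING, JOIN, MODE, ... carry no bot command
        parsed = parse_scan_text(m.group("text"))
        if parsed is None:
            continue
        ip, port, delay, spreader, logfile = parsed
        found.append(ScanCommand(m.group("nick"), m.group("target"),
                                 ip, port, delay, spreader, logfile))
    return found


# Constructed sample of captured C&C channel traffic (not a real capture).
SAMPLE_IRC_LOG = [
    ":bossman!op@10.0.0.5 PRIVMSG #ctrl :scan 127.0.0.1 17300 1 netbios portscan.txt",
    ":alice!a@10.0.0.6 PRIVMSG #ctrl :anyone around?",
    "PING :irc.example.net",
    ":bossman!op@10.0.0.5 PRIVMSG #ctrl :scan 192.0.2.0 445 5 netbios hits.log",
    ":bossman!op@10.0.0.5 PRIVMSG #ctrl :scan notanip 445 5 netbios x.log",
]

if __name__ == "__main__":
    for cmd in find_scan_commands(SAMPLE_IRC_LOG):
        print(f"ALERT scan command from {cmd.issuer} in {cmd.channel}: "
              f"start {cmd.start_ip} port {cmd.port} via {cmd.spreader}")
```

The parser is deliberately strict (exact argument count, syntactically valid IPv4 start address, port in range) so that ordinary channel chatter does not trigger it; the malformed third command in the sample is rejected for that reason.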
GT BOT WITH DCOM
- Includes support for simple horizontal and vertical scanning
BOTNET ATTRIBUTES CONSIDERED: EXPLOITS AND ATTACK MECHANISMS

AGOBOT (4.0 PRE-RELEASE)
Has the most elaborate set of exploit modules of the four bots analyzed:
- Bagle scanner: scans for back doors left by Bagle variants on port 2745
- Dcom scanner: scans for the well-known DCE-RPC buffer overflow
- MyDoom scanner: scans for back doors left by variants of the MyDoom worm on port 3127
- Dameware scanner: scans for vulnerable versions of the Dameware network administration tool
- NetBIOS scanner: brute-force password scanning for open NetBIOS shares
- Radmin scanner: scans for the Radmin buffer overflow
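Each of these scanners probes many hosts on one port, so on the network they look like a horizontal scan. The block below is an added detection example, not code from the paper or the slides: it reads flow records and raises an alert when one source sends SYNs to many distinct destinations on a watched port within a short window. Ports 2745 (Bagle back door) and 3127 (MyDoom back door) come from the slide; port 135 for the DCE-RPC endpoint mapper is a well-known assignment added here as an assumption, the flow record format is invented for the example, and the records themselves are constructed.

```python
"""Added example: horizontal-scan detection over flow records, keyed on the
ports Agobot's exploit modules probe.  Not code from the paper or the slides.
Record format (constructed for this example): "<epoch> <src> <dst> <dport> <flags>".
Ports 2745 and 3127 are from the slide; 135 (DCE-RPC endpoint mapper) is a
well-known assignment added as an assumption.  All records are constructed."""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

WATCHED_PORTS = {
    2745: "Bagle backdoor",
    3127: "MyDoom backdoor",
    135: "DCE-RPC endpoint mapper",
}

Alert = Tuple[str, int, str, int]   # (source, dport, label, distinct destinations)


def parse_flow(line: str) -> Tuple[int, str, str, int, str]:
    ts, src, dst, dport, flags = line.split()
    return int(ts), src, dst, int(dport), flags


def detect_horizontal_scans(lines: List[str], window: int = 60,
                            threshold: int = 5) -> List[Alert]:
    """Alert once per (source, port) when >= threshold distinct destinations
    receive a pure SYN on a watched port within any `window`-second span."""
    events: Dict[Tuple[str, int], List[Tuple[int, str]]] = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, flags = parse_flow(line)
        if dport in WATCHED_PORTS and flags == "S":   # SYN only: connection attempts
            events[(src, dport)].append((ts, dst))

    alerts: List[Alert] = []
    for (src, dport), evs in events.items():
        evs.sort()
        in_window: Counter = Counter()   # destination -> attempts inside the window
        left = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # slide the left edge forward until every event is within the window
            while ts - evs[left][0] > window:
                old_dst = evs[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            if len(in_window) >= threshold:
                alerts.append((src, dport, WATCHED_PORTS[dport], len(in_window)))
                break                     # one alert per (source, port) is enough
    return alerts


# Constructed flow records (not a real capture): 10.1.1.7 sweeps port 2745 fast,
# touches two hosts on 3127, 10.1.1.9 is ordinary traffic, 10.1.1.8 probes 135
# too slowly to fall inside a 60-second window.
SAMPLE_FLOWS = [
    "1000 10.1.1.7 192.0.2.10 2745 S",
    "1001 10.1.1.7 192.0.2.11 2745 S",
    "1002 10.1.1.7 192.0.2.12 2745 S",
    "1002 10.1.1.7 192.0.2.13 2745 S",
    "1003 10.1.1.7 192.0.2.14 2745 S",
    "1004 10.1.1.7 192.0.2.15 2745 S",
    "1005 10.1.1.7 192.0.2.20 3127 S",
    "1006 10.1.1.7 192.0.2.21 3127 S",
    "1010 10.1.1.9 192.0.2.50 80 S",
    "1011 10.1.1.9 192.0.2.51 80 S",
    "1012 10.1.1.9 192.0.2.52 135 SA",
    "2000 10.1.1.8 192.0.2.30 135 S",
    "2100 10.1.1.8 192.0.2.31 135 S",
    "2200 10.1.1.8 192.0.2.32 135 S",
    "2300 10.1.1.8 192.0.2.33 135 S",
    "2400 10.1.1.8 192.0.2.34 135 S",
]

if __name__ == "__main__":
    for src, dport, label, n in detect_horizontal_scans(SAMPLE_FLOWS):
        print(f"ALERT {src} -> {n} hosts on {dport}/tcp ({label}) within 60s")
```

Counting distinct destinations rather than raw packets keeps retries to one host from triggering the alert, and the sliding window means a slow sweep (as from 10.1.1.8 in the sample) needs a longer window or lower threshold to be caught; both knobs are parameters of detect_horizontal_scans.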
SDBOT (05B)
- SDBot does not have any exploits packaged in its standard distribution
- It does include modules for sending both UDP and ICMP packets, which could be used for simple flooding attacks
- Other variants of SDBot contain more exploit modules
SPYBOT (1.4)
- This version of SpyBot only included a module which attacked open NetBIOS shares
- The DDoS interface is closely related to SDBot's and includes the capabilities for launching simple UDP, ICMP, and TCP SYN floods
- Other variants of SpyBot contain more exploit modules
GT BOT WITH DCOM
- Developed to include RPC-DCOM exploits
- Has the capability to launch simple ICMP floods
- Other variants of GT Bot contain DDoS capabilities such as UDP and TCP SYN floods, as well as other known exploits
BOTNET ATTRIBUTES CONSIDERED: DECEPTION MECHANISMS

AGOBOT (4.0 PRE-RELEASE)
Of the four bots analyzed, only Agobot had elaborate deception mechanisms
- Mechanisms included:
  - Tests for debuggers such as OllyDebug, SoftIce and Procdump
  - Test for VMWare
  - Killing anti-virus processes
  - Altering DNS entries of anti-virus software companies to point to the local host
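The last mechanism leaves a durable artifact on the host: name-to-address entries that send anti-virus vendor names to the loopback address, which a responder can check for directly. The following is an added example, not code from the paper or the slides; it parses hosts-file text and reports any non-local name mapped to a loopback or unspecified address, optionally restricted to a watchlist of vendor domains. The vendor domains and the hosts-file content are constructed for the example.

```python
"""Added example: find hosts-file entries that sinkhole anti-virus vendor
names to the local host, the tampering described on the slide.  Not code from
the paper or the slides.  The watchlist domains and the sample hosts-file
text are constructed for this example."""
import ipaddress
from typing import List, Optional, Tuple

# Names that legitimately map to loopback and must not be reported.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
                  "ip6-loopback", "broadcasthost"}

Hit = Tuple[int, str, str]   # (line number, hostname, address)


def parse_hosts(text: str) -> List[Tuple[int, ipaddress._BaseAddress, str]]:
    """Yield (line number, address, lowercase name) for each name in the file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # malformed line, not an IP
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def find_sinkholed_names(text: str, watchlist: Optional[List[str]] = None) -> List[Hit]:
    """Report names pointed at loopback (127/8, ::1) or 0.0.0.0 / ::.
    With a watchlist, only names equal to or under a listed domain are reported."""
    hits: List[Hit] = []
    for lineno, addr, name in parse_hosts(text):
        if name in LOOPBACK_NAMES:
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        if watchlist is not None and not any(
                name == d or name.endswith("." + d) for d in watchlist):
            continue
        hits.append((lineno, name, str(addr)))
    return hits


# Constructed sample hosts file (not from any real system).
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
192.0.2.9       intranet.example   # legitimate internal entry
127.0.0.1       www.av-vendor.example liveupdate.av-vendor.example
0.0.0.0         ads.example        # ad blocking, not AV tampering
127.0.0.1       downloads.av-two.example
"""
# Constructed vendor watchlist; a real deployment would list the vendors in use.
AV_VENDOR_WATCHLIST = ["av-vendor.example", "av-two.example"]

if __name__ == "__main__":
    for lineno, name, addr in find_sinkholed_names(SAMPLE_HOSTS, AV_VENDOR_WATCHLIST):
        print(f"line {lineno}: {name} -> {addr} (possible AV update sinkholing)")
```

Running it without a watchlist reports every sinkholed name, which on a host with an ad-blocking hosts file is noisy; the watchlist form is what an incident responder would run, since the slide's technique targets specifically the vendors' update and definition servers.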

CONCLUSION
- Botnets are widely used and communicate using IRC
- The details of this paper include descriptions of the functional components of botnets, categorized into eight components
- Understand your enemy
STRENGTHS
- Presents information on the different bots in an organized fashion
- Is the first step to codifying botnet capabilities
WEAKNESSES
- Only presents a high-level overview of a limited number of bots, and only one specific version of each bot
- More attention should be paid to a bot family rather than a specific bot
REFERENCES
- An Inside Look at Botnets: http://pages.cs.wisc.edu/~pb/botnets_final.pdf
- Wikipedia, Botnet: http://en.wikipedia.org/wiki/Botnet
- Wikipedia, IRC: http://en.wikipedia.org/wiki/IRC