AN INSIDE LOOK AT BOTNETS
ARO-DHS Special Workshop on Malware Detection, 2005
Written by: Paul Barford and Vinod Yegneswaran, University of Wisconsin, Madison
Presented by: Jarrod Williams

OUTLINE
- Motivation/Goals
- Botnets
- Botnet Attributes
- Conclusion/Review

MOTIVATION/GOALS
- Increase in botnet usage: spam, DDoS, identity theft
- The objective of the paper is to understand how botnets work and to find commonalities between them
- Botnets studied: Agobot (4.0 Pre-Release), SDBot (05B), SpyBot (1.4), GT Bot with DCOM

MOTIVATION/GOALS
Attributes examined for each bot:
- Architecture
- Botnet control mechanisms
- Host control mechanisms
- Propagation mechanisms
- Exploits and attack mechanisms
- Malware delivery mechanisms
- Obfuscation methods
- Deception mechanisms

BOTNETS
- A collection of compromised computers running software controlled by a single user
- Botnets are controlled by a botmaster
- Compromised host machines are called zombies
- Zombies communicate with the botmaster using IRC
- A botnet can have many different versions of the same bot, making up botnet families

BOTNETS
- Internet Relay Chat (IRC) is a form of real-time Internet text messaging
- It is mainly designed for group communication in channels, but it also allows one-to-one communication via private message and data transfers via direct client-to-client (DCC)
- Created by Jarkko Oikarinen in August 1988

BOTNET ATTRIBUTES CONSIDERED
- Architecture
- Botnet control mechanisms
- Host control mechanisms
- Propagation mechanisms
- Exploits and attack mechanisms
- Malware delivery mechanisms
- Obfuscation methods
- Deception mechanisms

AGOBOT (4.0 PRE-RELEASE)
- The most sophisticated of the four bots
- Released October 2002
- Hundreds of variants; commonly referred to as Phatbot
- Roughly 20,000 lines of C/C++
- The ability to launch different kinds of DoS attacks
- The ability to harvest the local host for PayPal passwords and AOL keys through traffic sniffing, key logging or searching registry entries

SDBOT (05B)
- Fairly simple
- Released October 2002
- Hundreds of variants
- Slightly over 2,000 lines of C
- Does not include any overtly malicious code modules
- The code is easy to extend and patch; patches add the malicious code an attacker needs
- 80 patches for SDBot were found through web searching

SPYBOT (1.4)
- Relatively small, like SDBot
- Released April 2003
- Under 3,000 lines of C
- The command and control engine appears to be shared with SDBot, and it likely evolved from SDBot
- Includes NetBIOS/Kuang/Netdevil/KaZaa exploits
- Contains modules for launching flooding attacks and has scanning capabilities

GT BOT WITH DCOM
- Simple design providing a limited set of functions
- Released April 1998
- Global Threat Bot has hundreds of variants and is also referred to as Aristotles
- Easy to modify, but nothing suggests it was designed with extensibility in mind
- Capabilities include port scanning, DoS attacks, and exploits for RPC and NetBIOS services
- Includes the HideWindow program, which keeps the bot hidden on the local system

BOTNET ATTRIBUTES CONSIDERED: PROPAGATION MECHANISMS

AGOBOT (4.0 PRE-RELEASE)
- Simple vertical and horizontal scanning
- Scanning is based on the network ranges (network prefixes) configured on individual bots

SDBOT (05B)
- By virtue of its claimed benign intent, SDBot does not have scanning or propagation capability in its base distribution
- Many variants of SDBot add scanning and propagation capability

SPYBOT (1.4)
- Simple command interface for scanning
- Horizontal and vertical scanning capability
- Scans are sequential
- Command: scan <start IP address> <port> <delay> <spreaders> <logfilename>
- Example: scan 127.0.0.1 17300 1 netbios portscan.txt

GT BOT WITH DCOM
- Includes support for simple horizontal and vertical scanning

BOTNET ATTRIBUTES CONSIDERED: EXPLOITS AND ATTACK MECHANISMS

AGOBOT (4.0 PRE-RELEASE)
- Has the most elaborate set of exploit modules of the four bots analyzed:
- Bagle scanner: scans for back doors left by Bagle variants on port 2745
- DCOM scanner: scans for the well-known DCE-RPC buffer overflow
- MyDoom scanner: scans for back doors left by variants of the MyDoom worm on port 3127
- DameWare scanner: scans for vulnerable versions of the DameWare network administration tool
- NetBIOS scanner: brute-force password scanning for open NetBIOS shares
- Radmin scanner: scans for the Radmin buffer overflow

SDBOT (05B)
- SDBot does not have any exploits packaged in its standard distribution
- It does include modules for sending both UDP and ICMP packets, which could be used for simple flooding attacks
- Other variants of SDBot contain more exploit modules

SPYBOT (1.4)
- This version of SpyBot only included a module that attacked open NetBIOS shares
- The DDoS interface is closely related to SDBot's and includes the capability to launch simple UDP, ICMP, and TCP SYN floods
- Other variants of SpyBot contain more exploit modules

GT BOT WITH DCOM
- Developed to include RPC-DCOM exploits
- Has the capability to launch simple ICMP floods
- Other variants of GT Bot contain DDoS capabilities such as UDP and TCP SYN floods as well as other known exploits

BOTNET ATTRIBUTES CONSIDERED: DECEPTION MECHANISMS

AGOBOT (4.0 PRE-RELEASE)
- Of the four bots analyzed, only Agobot had elaborate deception mechanisms
- Tests for debuggers such as OllyDbg, SoftICE and ProcDump
- Tests for VMware
- Kills anti-virus processes
- Alters DNS entries of anti-virus software companies to point to the local host, so requests to those vendors never leave the machine

CONCLUSION
- Botnets are widely used and communicate using IRC
- The paper describes the functional components of botnets, categorized into eight attributes
- Understand your enemy

STRENGTHS
- Presents information on the different bots in an organized fashion
- Is the first step toward codifying botnet capabilities

WEAKNESSES
- Only presents a high-level overview of a limited number of bots, and only one specific version of each
- More attention should be paid to a bot family rather than to a specific bot version

REFERENCES
- Paul Barford and Vinod Yegneswaran, "An Inside Look at Botnets": http://pages.cs.wisc.edu/~pb/botnets_final.pdf
- Wikipedia, "Botnet": http://en.wikipedia.org/wiki/Botnet
- Wikipedia, "IRC": http://en.wikipedia.org/wiki/IRC
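The slides above say that zombies take commands over IRC and give SpyBot's scan command grammar (scan <start IP address> <port> <delay> <spreaders> <logfilename>, scanned sequentially). The example below, added here and not code from the paper or the presentation, shows what a defender watching the IRC channel would do with that: parse standard IRC PRIVMSG lines, recognise a well-formed scan command, reject malformed ones, and enumerate the sequential targets a bot would probe. The IRC log lines are constructed; the nicknames, channel and addresses are illustrative, and "sequential" is assumed to mean one address at a time from the start address, which the paper does not spell out.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed IRC traffic (not from the paper): a botmaster ("master") issues a
# SpyBot-style scan command in a channel; the other lines are ordinary chatter.
SAMPLE_IRC_LOG = [
    ":alice!a@example.org PRIVMSG #help :anyone seen the build break?",
    ":master!m@10.0.0.5 PRIVMSG #b0ts :scan 192.168.1.1 17300 1 netbios portscan.txt",
    ":bob!b@example.org PRIVMSG alice :ping",
    ":master!m@10.0.0.5 PRIVMSG #b0ts :scan 10.0.0.1 999999 1 netbios out.txt",
]

# ":nick!user@host PRIVMSG <target> :<text>" is the standard IRC message shape.
IRC_PRIVMSG = re.compile(r"^:(?P<nick>[^!\s]+)!\S+ PRIVMSG (?P<target>\S+) :(?P<text>.*)$")


@dataclass
class ScanCommand:
    start_ip: ipaddress.IPv4Address
    port: int
    delay: int
    spreader: str   # exploit/spreader module name, e.g. "netbios" on the slide
    logfile: str


def parse_privmsg(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (nick, target, text) for a PRIVMSG line, or None for anything else."""
    m = IRC_PRIVMSG.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group("nick"), m.group("target"), m.group("text")


def parse_scan_command(text: str) -> Optional[ScanCommand]:
    """Parse the five-argument SpyBot scan command; reject anything malformed."""
    parts = text.split()
    if len(parts) != 6 or parts[0].lower() != "scan":
        return None
    try:
        start = ipaddress.IPv4Address(parts[1])
        port, delay = int(parts[2]), int(parts[3])
    except ValueError:
        return None
    if not 0 < port < 65536 or delay < 0:
        return None
    return ScanCommand(start, port, delay, parts[4], parts[5])


def sequential_targets(cmd: ScanCommand, count: int) -> Iterator[str]:
    """Yield the first `count` addresses a sequential scan from start_ip would probe
    (assumption: one address per step, ascending)."""
    for i in range(count):
        yield str(cmd.start_ip + i)


def find_scan_commands(log_lines: List[str]) -> List[Tuple[str, str, ScanCommand]]:
    """Detection pass over captured IRC lines: every valid scan command with its issuer."""
    found = []
    for line in log_lines:
        msg = parse_privmsg(line)
        if msg is None:
            continue
        nick, target, text = msg
        cmd = parse_scan_command(text)
        if cmd is not None:
            found.append((nick, target, cmd))
    return found


if __name__ == "__main__":
    for nick, target, cmd in find_scan_commands(SAMPLE_IRC_LOG):
        print(f"{nick} -> {target}: {cmd}")
        print("  first targets:", list(sequential_targets(cmd, 3)))
```

The second scan line in the sample is dropped because its port is out of range; a real bot would presumably reject it too, and a detector that insists on well-formed commands avoids alerting on chatter that merely contains the word "scan".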
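The exploit slides list what Agobot's modules look for (Bagle back doors on port 2745, MyDoom back doors on port 3127, the DCE-RPC/DCOM overflow, NetBIOS shares, Radmin, DameWare), and the propagation slides say the bots scan horizontally and vertically. The following example, added here and not code from the paper, is the detection logic a network defender would run over flow records to spot both patterns: a horizontal sweep (one source hitting many hosts on one of those ports) and a vertical probe (one source hitting many ports on one host). Ports 2745 and 3127 come from the slides; 135 (DCE-RPC endpoint mapper), 139/445 (NetBIOS/SMB), 4899 (Radmin) and 6129 (DameWare) are assumed from those services' default ports and are not stated on the page. The flow records and thresholds are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Ports the Agobot exploit modules on the slides would touch. 2745 and 3127 are
# stated on the page; the others are assumptions based on default service ports.
WATCHED_PORTS: Dict[int, str] = {
    2745: "Bagle backdoor",
    3127: "MyDoom backdoor",
    135: "DCE-RPC endpoint mapper (DCOM overflow)",
    139: "NetBIOS session",
    445: "NetBIOS/SMB shares",
    4899: "Radmin",
    6129: "DameWare",
}

Flow = Tuple[str, str, int]   # (src, dst, dport)

# Constructed flow records: one host sweeping a /24 on 2745 (horizontal scan), a
# second host probing many ports on a single target (vertical scan), plus benign noise.
SAMPLE_FLOWS: List[Flow] = (
    [("10.1.1.7", f"10.1.2.{i}", 2745) for i in range(1, 41)]
    + [("10.1.1.9", "10.1.3.4", p)
       for p in (21, 22, 23, 25, 80, 110, 135, 139, 445, 2745, 3127, 4899)]
    + [("10.1.1.20", "10.1.3.4", 443), ("10.1.1.20", "10.1.3.5", 443),
       ("10.1.1.21", "10.1.3.4", 445)]
)


def detect_scans(flows: List[Flow], horizontal_threshold: int = 16,
                 vertical_threshold: int = 8) -> List[tuple]:
    """Return alerts for horizontal sweeps on watched ports and vertical probes.

    Thresholds are illustrative; tune them against the distinct-destination and
    distinct-port counts normal hosts produce on the monitored network.
    """
    by_src_port: Dict[Tuple[str, int], set] = defaultdict(set)   # (src, dport) -> dsts
    by_src_dst: Dict[Tuple[str, str], set] = defaultdict(set)    # (src, dst) -> dports
    for src, dst, dport in flows:
        by_src_port[(src, dport)].add(dst)
        by_src_dst[(src, dst)].add(dport)

    alerts = []
    # Horizontal: one source, one watched port, many distinct destinations.
    for (src, dport), dsts in by_src_port.items():
        if dport in WATCHED_PORTS and len(dsts) >= horizontal_threshold:
            alerts.append(("horizontal", src, dport, len(dsts), WATCHED_PORTS[dport]))
    # Vertical: one source, one destination, many distinct ports; report which
    # of them are on the watch list so an analyst sees the exploit targets at once.
    for (src, dst), ports in by_src_dst.items():
        if len(ports) >= vertical_threshold:
            watched = sorted(p for p in ports if p in WATCHED_PORTS)
            alerts.append(("vertical", src, dst, len(ports), watched))
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_FLOWS):
        print(alert)
```

Agobot scans the prefixes configured on each bot, so a single infected host typically walks neighbouring /24s; counting distinct destinations per (source, port) pair catches that regardless of the order in which the addresses are probed, while the vertical check catches a bot that tries every exploit module against one reachable host.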
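The deception slide says Agobot alters the DNS entries of anti-virus companies to point at the local host. The check below, added here and not code from the paper or the presentation, is what an incident responder would run on a suspect machine to find that tampering: it parses a hosts file and flags every name other than the usual loopback aliases that resolves to 127.0.0.0/8 or ::1. It assumes the redirection is done through the local hosts file (the common mechanism; the page does not say which), and the hosts file content and vendor names are constructed.

```python
import ipaddress
from typing import List, Tuple

# Constructed hosts file content (not from the paper): a normal loopback entry plus
# the kind of redirects a bot's deception module inserts. The vendor names are made up.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.example-av.com  # redirect inserted by the bot
127.0.0.1       update.example-av.com liveupdate.example-av.com
10.20.30.40     intranet.corp.example
"""

# Names that legitimately map to loopback on Windows, Linux and macOS.
LEGIT_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}


def parse_hosts(text: str) -> List[Tuple[int, ipaddress._BaseAddress, str]]:
    """Return (line number, address, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed address; resolvers skip it too
        for name in fields[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def find_loopback_redirects(text: str) -> List[Tuple[int, str, str]]:
    """Flag hostnames mapped to a loopback address that are not standard loopback aliases."""
    suspicious = []
    for lineno, addr, name in parse_hosts(text):
        if addr.is_loopback and name not in LEGIT_LOOPBACK_NAMES:
            suspicious.append((lineno, name, str(addr)))
    return suspicious


if __name__ == "__main__":
    # On a live Windows host read C:\Windows\System32\drivers\etc\hosts; on Unix /etc/hosts.
    for lineno, name, addr in find_loopback_redirects(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}")
```

Only loopback targets are flagged because that is the behaviour the slide describes; mappings to 0.0.0.0, which ad-blocking hosts files use deliberately, are left alone, so the check stays quiet on machines that merely sinkhole advertising domains. Once a hit is found, the same vendor names are worth checking in the DNS cache and in any proxy configuration, since a bot with host control can redirect them at several layers.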