Botnets
by Mehedy Masud
September 16, 2009

Botnets (outline)
● Introduction
● History
● How do they spread?
● What do they do?
● Why care about them?
● Detection and Prevention

Bot
● The term 'bot' comes from 'robot'.
● In the computing paradigm, 'bot' usually refers to an automated process.
● There are good bots and bad bots.
● Examples of good bots:
  – Google bot
  – Game bot
● Example of bad bots:
  – Malicious software that steals information

Botnet
● Network of compromised/bot-infected machines (zombies) under the control of a human attacker (botmaster)
[Diagram: IRC server, botmaster, IRC channel, code server, updates, vulnerable machines, attack, C&C traffic, botnet]

History
● In the beginning, there were only good bots.
  – ex: Google bot, game bot etc.
● Later, bad people thought of creating bad bots so that they may
  – Send spam and phishing emails
  – Control others' PCs
  – Launch attacks on servers (DDoS)
● Many malicious bots were created
  – SDBot/Agobot/Phatbot etc.
● Botnets started to emerge

Timeline
[Timeline figure; labels on the slide: 1989, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, Present, RPCSS]
● GM (by Greg, Operator) recognized as the first IRC bot; entertained clients with games
● GT bots combined the mIRC client, hacking scripts & tools (port scanning, DDoS)
● W32/Agobot bot family added modular design and significant functionality
● W32/Mytob hybrid bot, major e-mail outbreak
● W32/PrettyPark: 1st worm to use IRC as C&C; DDoS capable
● W32/Sdbot: first family of bots developed as a single binary; Russian named sd
● W32/Spybot family emerged

Cases in the news
● Axel Gembe
  – Author of Agobot (aka Gaobot, Polybot)
  – 21 yrs old
  – Arrested in Germany in 2004 under Germany's computer sabotage law
● Jeffry Parson
  – Released a variation of the Blaster worm
  – Infected 48,000 computers worldwide
  – 18 yrs old
  – Arrested, sentenced to 18 months & 3 yrs of supervised release

How The Botnet Grows
[Animation over four slides: see Recruiting New Machines below]

Recruiting New Machines
● Exploit a vulnerability to execute a short program (exploit) on the victim's machine
  – Buffer overflows, email viruses, Trojans etc.
● The exploit downloads and installs the actual bot
● The bot disables firewall and A/V software
● The bot locates the IRC server, connects, joins
  – Typically needs DNS to find out the server's IP address
  – Authentication password often stored in the bot binary
● Botmaster issues commands

What Is It Used For
● Botnets are mainly used for only one thing

How Are They Used
● Distributed Denial of Service (DDoS) attacks
● Sending spam
● Phishing (fake websites)
● Adware (Trojan horse)
● Spyware (keylogging, information harvesting)
● Storing pirated materials

Example: SDBot
● Open-source malware
● Aliases
  – McAfee: IRC-SDBot, Symantec: Backdoor.Sdbot
● Infection
  – Mostly through network shares
  – Tries to connect using password guessing (exploits weak passwords)
● Signs of compromise
  – SDBot copies itself to the System folder; known filenames: Aim95.exe, Syscfg32.exe etc.
  – Registry entries modified
  – Unexpected traffic: port 6667 or 7000
  – Known IRC channels: Zxcvbnmas.i989.net etc.

Example: RBot
● First of the bot families to use encryption
● Aliases
  – McAfee: W32/SDbot.worm.gen.g, Symantec: W32.Spybot.worm
● Infection
  – Network shares, exploiting weak passwords
  – Known software vulnerabilities in Windows (e.g. the LSASS buffer overflow vulnerability)
● Signs of compromise
  – Copies itself to the System folder; known filenames: wuamgrd.exe, or random names
  – Registry entries modified
  – Terminates A/V processes
  – Unexpected traffic: port 113 or other open ports

Example: Agobot
● Modular functionality
  – Rather than infecting a system at once, it proceeds through three stages (3 modules)
    ● infect a client with the bot & open a backdoor
    ● shut down A/V tools
    ● block access to A/V and security-related sites
  – After successful completion of one stage, the code for the next stage is downloaded
● Advantage?
  – The developer can update or modify one portion/module without having to rewrite or recompile the entire code

Example: Agobot (contd.)
● Aliases
  – McAfee: W32/Gaobot.worm, Symantec: W32.HLLW.Gaobot.gen
● Infection
  – Network shares, password guessing
  – P2P systems: Kazaa etc.
  – Protocol: WASTE
● Signs of compromise
  – System folder: svshost.exe, sysmgr.exe etc.
  – Registry entries modified
  – Terminates A/V processes
  – Modifies the %System%\drivers\etc\hosts file
    ● Symantec/McAfee live update sites are redirected to 127.0.0.1

Example: Agobot (contd.)
● Signs of compromise (contd.)
  – Theft of information: seeks and steals CD keys for popular games like "Half-Life", "NFS" etc.
  – Unexpected traffic: open ports to the IRC server etc.
  – Scanning: Windows, SQL Server etc.

DDoS Attack
● Goal: overwhelm the victim machine and deny service to its legitimate clients
● DoS often exploits networking protocols
  – Smurf: ICMP echo request to a broadcast address with the spoofed victim's address as source
  – Ping of death: ICMP packets with payloads greater than 64K crash older versions of Windows
  – SYN flood: "open TCP connection" requests from a spoofed address
  – UDP flood: exhaust bandwidth by sending thousands of bogus UDP packets

DDoS attack
● Coordinated attack on a specified host
[Diagram: Attacker -> Master (IRC server) machines -> Zombie machines -> Victim]

Why DDoS attack?
● Extortion
  – Take down systems until they pay
  – Works sometimes too!
● Example: 180 Solutions, Aug 2005
  – Botmaster used bots to distribute 180solutions adware
  – 180solutions shut down the botmaster
  – Botmaster threatened to take down 180solutions if not paid
  – When not paid, the botmaster used DDoS
  – 180Solutions filed a civil lawsuit against the hackers

Botnet Detection
● Host based
● Intrusion Detection Systems (IDS)
● Anomaly detection
● IRC nicknames
● HoneyPot and HoneyNet

Host-based detection
● Virus scanning
● Watching for symptoms
  – Modification of the Windows hosts file
  – Random unexplained popups
  – Machine slowness
  – Antivirus not working
● Watching for suspicious network traffic
  – Since IRC is not commonly used, any IRC traffic is suspicious. Sniff this IRC traffic.
  – Check whether the host is trying to communicate with any Command and Control (C&C) center
  – Through firewall logs, denied connections

Network Intrusion Detection
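As an added example (not part of the slides), the host-based checks above written as code: it scans constructed firewall log lines for allowed or denied connections to the C&C ports the slides name (IRC 6667/7000 for SDBot, 113 for RBot) and inspects hosts-file text for the Agobot-style redirection of Symantec/McAfee update sites to 127.0.0.1. The log format, the vendor-name list and all sample data are assumptions.

```python
import re
from ipaddress import ip_address

# Destination ports the slides tie to bot C&C: IRC 6667/7000 (SDBot) and 113 (RBot).
SUSPICIOUS_PORTS = {6667, 7000, 113}
LOG_RE = re.compile(r"^(ALLOW|DENY)\s+(\S+)\s+(\S+)\s+(\d+)$")

# Constructed firewall log (not from the slides): ACTION SRC DST DPORT per line.
FIREWALL_LOG = """\
ALLOW 10.0.0.12 203.0.113.5 6667
ALLOW 10.0.0.20 198.51.100.7 443
DENY  10.0.0.33 203.0.113.9 7000
DENY  10.0.0.33 203.0.113.9 7000
"""

def flag_c2_candidates(log_text):
    """Map (src, dst, dport) -> allowed/denied counts; denied attempts matter too."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # line not in the assumed format
        action, src, dst, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if dport in SUSPICIOUS_PORTS:
            entry = hits.setdefault((src, dst, dport), {"allowed": 0, "denied": 0})
            entry["allowed" if action == "ALLOW" else "denied"] += 1
    return hits

# Agobot sign from the slides: vendor update sites pointed at 127.0.0.1 in the hosts file.
AV_NAME_HINTS = ("symantec", "mcafee", "liveupdate")  # assumed list; extend for your A/V
# Constructed hosts-file content showing the redirection (comment included on purpose).
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 liveupdate.symantec.com  # set by malware\n127.0.0.1 update.mcafee.com\n"

def hosts_file_redirects(hosts_text):
    """Return (ip, hostname) pairs where a security-related name resolves to loopback."""
    redirects = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 2:
            continue
        try:
            is_loop = ip_address(fields[0]).is_loopback
        except ValueError:
            continue  # malformed address column
        for name in fields[1:]:
            if is_loop and any(h in name.lower() for h in AV_NAME_HINTS):
                redirects.append((fields[0], name))
    return redirects
```

On a real host, feed `hosts_file_redirects` the contents of %System%\drivers\etc\hosts and `flag_c2_candidates` your firewall's export in the same four-column shape.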
UTD CS 6V81 - Botnets