UTD CS 4398 - Botnets

This preview shows page 1-2-15-16-17-32-33 out of 33 pages.
Botnets
Guest lecture by Mohammad Mehedy Masud

Outline
- Introduction
- History
- How do they spread
- What do they do
- Why care about them
- Detection and prevention

Bot
- The term "bot" comes from "robot".
- In the computing paradigm, "bot" usually refers to an automated process.
- There are good bots and bad bots.
- Examples of good bots: Google bot, game bot.
- Examples of bad bots: malicious software that steals information.

Botnet
- A network of compromised (bot-infected) machines, called "zombies", under the control of a human attacker, the "botmaster".
- [Figure: botmaster; IRC server with IRC channels; code server; C&C traffic; updates; attack; vulnerable machines]

Botnet history
- In the beginning there were only good bots.
- Later, bad people thought of creating bad bots so that they could:
  - send spam and phishing emails
  - control other people's PCs
  - launch attacks on servers (DDoS)
- Many malicious bots were created (e.g. SDBot, Agobot, Phatbot).
- Botnets started to emerge.

Timeline
(Years shown on the slide: 1989, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006-present. The preview does not preserve which entry sits at which year; entries are listed in slide order.)
- GM, by Greg (operator): recognized as the first IRC bot; entertained clients with games
- RPCSS
- W32.PrettyPark: first worm to use IRC as C&C; DDoS capable
- GT bots: combined an mIRC client with hacking scripts and tools (port scanning, DDoS)
- W32.Agobot: bot family that added modular design and significant functionality
- W32.Sdbot: first family of bots developed as a single binary, by a Russian named "sd"
- W32.Mytob: hybrid bot; major e-mail outbreak
- W32.Spybot family emerged

Cases in the news
- Axel Gembe: author of Agobot (aka Gaobot, Polybot); 21 years old; arrested in Germany in 2004 under Germany's computer sabotage law.
- Jeffrey Parson: released a variation of the Blaster worm that infected 48,000 computers worldwide; 18 years old; arrested and sentenced to 18 months plus 3 years of supervised release.

How the botnet grows: recruiting new machines
- Exploit a vulnerability to execute a short program (the "exploit") on the victim's machine (buffer overflows, email viruses, Trojans, etc.).
- The exploit downloads and installs the actual bot.
- The bot disables the firewall and A/V software.
- The bot locates the IRC server, connects and joins the channel (typically needs DNS to find the server's IP address; the authentication password is often stored in the bot binary).
- The botmaster issues commands.

What is it used for?
- Botnets are mainly used for only one thing.
- How are they used?
  - Distributed Denial of Service (DDoS) attacks
  - Sending spam
  - Phishing (fake websites)
  - Adware, Trojan horses, spyware (keylogging, information harvesting)
  - Storing pirated materials

Example: SDBot
- Open source malware.
- Aliases: McAfee: IRC-SDBot; Symantec: Backdoor.Sdbot.
- Infection: mostly through network shares; tries to connect using password guessing (exploits weak passwords).
- Signs of compromise:
  - copies itself to the System folder (known filenames: Aim95.exe, Syscfg32.exe, etc.)
  - registry entries modified
  - unexpected traffic on port 6667 or 7000
  - known IRC channels (Zxcvbnmas, i989.net, etc.)

Example: RBot
- First of the bot families to use encryption.
- Aliases: McAfee: W32/Sdbot.worm.gen.g; Symantec: W32.Spybot.Worm.
- Infection: network shares, exploiting weak passwords; known software vulnerabilities in Windows (e.g. the LSASS buffer overflow vulnerability).
- Signs of compromise:
  - copies itself to the System folder (known filenames: wuamgrd.exe, or random names)
  - registry entries modified
  - terminates A/V processes
  - unexpected traffic on port 113 or other open ports

Example: Agobot (modular functionality)
- Rather than infecting a system all at once, it proceeds through three stages (3 modules):
  1. infect a client with the bot and open a backdoor
  2. shut down A/V tools
  3. block access to A/V and security-related sites
- After successful completion of one stage, the code for the next stage is downloaded.
- Advantage: the developer can update or modify one portion (module) without having to rewrite or recompile the entire code.

Example: Agobot
- Aliases: McAfee: W32/Gaobot.worm; Symantec: W32.HLLW.Gaobot.gen.
- Infection: network shares (password guessing); P2P systems (Kazaa, etc.); protocol: WASTE.
- Signs of compromise:
  - System folder: svshost.exe, sysmgr.exe, etc.
  - registry entry modifications
  - terminates A/V processes
  - modifies the System\drivers\etc\hosts file: Symantec's and McAfee's LiveUpdate sites are redirected to 127.0.0.1

Example: Agobot, signs of compromise (contd.)
- Theft of information: seeks and steals CD keys for popular games like Half-Life, NFS, etc.
- Unexpected traffic: open ports to the IRC server, etc.; scanning (Windows, SQL Server, etc.).

DDoS attack
- Goal: overwhelm the victim machine and deny service to its legitimate clients.
- DoS often exploits networking protocols:
  - Smurf: ICMP echo request to a broadcast address with the spoofed victim's address as source
  - Ping of death: ICMP packets with payloads greater than 64K crash older versions of Windows
  - SYN flood: open TCP connection requests from a spoofed address
  - UDP flood: exhaust bandwidth by sending thousands of bogus UDP packets
- DDoS attack: a coordinated attack on a specified host. [Figure: attacker, master, IRC server machines, zombie machines, victim]

Why DDoS attack?
- Extortion: take down systems until they pay. Works sometimes, too.
- Example: 180 Solutions (Aug 2005)
  - A botmaster used bots to distribute 180solutions adware.
  - 180solutions shut down the botmaster.
  - The botmaster threatened to take down 180solutions if not paid.
  - When not paid, the botmaster used DDoS.
  - 180solutions filed a civil lawsuit against the hackers.

Botnet detection
- Host-based
- Intrusion Detection Systems (IDS)
- Anomaly detection
- IRC nicknames
- Honeypot and honeynet

Host-based detection
- Virus scanning.
- Watching for symptoms:
  - modification of the Windows hosts file
  - random, unexplained popups
  - machine slowness
  - antivirus not working
- Watching for suspicious network traffic:
  - since IRC is not commonly used, any IRC traffic is suspicious; sniff this IRC traffic
  - check if the host is trying to communicate with any Command and Control (C&C) center
  - through firewall logs (denied connections)

Network Intrusion Detection Systems
- Example systems: Snort and Bro.
- Sniff network packets and look for specific patterns called signatures.
- If any pattern matches that of a malicious binary, block that traffic and raise an alert.
- These systems can efficiently detect viruses and worms having known signatures.
- They can't detect any malware whose signature is unknown (i.e. a zero-day attack).

Anomaly detection
- Normal traffic has some patterns:
  - bandwidth
  - port usage
  - byte-level characteristics (histograms)
  - protocol analysis: gather statistics about TCP/UDP src/dest address, start/end of flow, byte count
  - DNS lookups
- First learn the normal traffic pattern, then detect any anomaly in that pattern.
- Example systems: SNMP, NetFlow.
- Problems: poisoning, stealth.

IRC nicknames
- Bots use weird nicknames, but they really do have a certain pattern.
- If we can learn that pattern ... (preview ends here)
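The host-based checks the lecture lists (a tampered hosts file that pins A/V update sites to 127.0.0.1, and IRC-port traffic or denied C&C connections in firewall logs) are simple enough to script. The following is an added example written for this page, not code from the lecture; the hosts-file content, the firewall log lines (in a Windows-firewall-like "date time action proto src dst sport dport" layout), the vendor domain list and the `10.` internal prefix are all constructed assumptions.

```python
"""Added example (not from the lecture): host-based signs of compromise.
(1) hosts-file entries that redirect security-vendor sites to loopback,
(2) internal hosts talking on IRC ports (6667/7000 per the SDBot slide)
or being ident-probed on 113 (RBot slide), with denied connections
counted as a bot retrying its C&C. All inputs are constructed samples."""
import re
from collections import defaultdict

# Constructed hosts file after an Agobot-style modification.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com
127.0.0.1       update.symantec.com
127.0.0.1       download.mcafee.com
10.0.0.5        fileserver.corp.example
"""

# Assumed list of domains that should never resolve to loopback.
SECURITY_DOMAINS = ("symantec.com", "mcafee.com", "windowsupdate.com")
LOOPBACK_PREFIXES = ("127.", "0.0.0.0", "::1")

def find_hosts_redirects(hosts_text):
    """Return [(ip, hostname)] for entries pinning a security-vendor
    domain to a loopback/null address. 'localhost' itself is fine."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        ip, *names = line.split()
        if not ip.startswith(LOOPBACK_PREFIXES):
            continue
        for name in names:
            if name.lower().endswith(SECURITY_DOMAINS):
                hits.append((ip, name))
    return hits

IRC_PORTS = {6667, 7000}   # ports named on the SDBot slide
IDENT_PORT = 113           # port named on the RBot slide

# Constructed firewall log: date time action proto src dst sport dport
SAMPLE_FIREWALL_LOG = """\
2005-08-12 10:15:01 ALLOW TCP 10.0.0.7 203.0.113.9 1032 6667
2005-08-12 10:15:02 DROP TCP 10.0.0.7 203.0.113.9 1033 6667
2005-08-12 10:15:04 DROP TCP 10.0.0.7 203.0.113.9 1034 7000
2005-08-12 10:16:10 ALLOW TCP 10.0.0.12 198.51.100.4 1100 80
2005-08-12 10:16:11 ALLOW TCP 10.0.0.12 198.51.100.4 1101 443
2005-08-12 10:17:30 ALLOW TCP 203.0.113.9 10.0.0.7 40000 113
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>ALLOW|DROP) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+)$")

def find_irc_suspects(log_text, internal_prefix="10."):
    """Return {internal_host: {'irc_peers': set, 'denied': int, 'ident': bool}}
    for internal hosts that use IRC ports or receive ident probes."""
    report = defaultdict(lambda: {"irc_peers": set(), "denied": 0, "ident": False})
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue                              # skip malformed lines
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if src.startswith(internal_prefix) and dport in IRC_PORTS:
            entry = report[src]
            entry["irc_peers"].add(dst)
            if m["action"] == "DROP":
                entry["denied"] += 1              # blocked, but the bot keeps trying
        elif dst.startswith(internal_prefix) and dport == IDENT_PORT:
            report[dst]["ident"] = True           # IRC servers ident-probe new clients
    return dict(report)

if __name__ == "__main__":
    print("hosts redirects:", find_hosts_redirects(SAMPLE_HOSTS))
    print("IRC suspects:", find_irc_suspects(SAMPLE_FIREWALL_LOG))
```

The denied-connection count is the detail worth keeping: a blocked bot does not give up, so a host that repeatedly hits the same external address on an IRC port after a DROP stands out in firewall logs even when the sniffer never sees a completed session.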
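The anomaly-detection slide (learn the normal pattern of port usage and byte counts, then flag deviations) and the IRC-nickname slide (bot nicknames follow a learnable pattern) both reduce to a learn-then-compare loop. The block below is an added example for this page, not code from the lecture: the NetFlow-style records, the observed flows, the nicknames, the z-score threshold and the nickname-shape heuristic are all constructed assumptions, and it goes slightly beyond the slide by also flagging hosts that have no learned profile at all.

```python
"""Added example (not from the lecture): (1) learn-then-detect anomaly
detection over NetFlow-style records, (2) a nickname-shape heuristic for
the IRC-nickname idea. Records, nicknames and thresholds are constructed."""
from collections import Counter, defaultdict
import statistics

# Constructed records from a learning window assumed to be clean:
# (src_host, dst_host, proto, dst_port, byte_count)
BASELINE_FLOWS = [
    ("10.0.0.7", "198.51.100.4", "TCP", 80, 5200),
    ("10.0.0.7", "198.51.100.4", "TCP", 443, 6100),
    ("10.0.0.7", "10.0.0.2", "UDP", 53, 120),
    ("10.0.0.7", "198.51.100.9", "TCP", 80, 4800),
    ("10.0.0.7", "10.0.0.2", "UDP", 53, 110),
    ("10.0.0.7", "198.51.100.4", "TCP", 443, 5900),
    ("10.0.0.12", "198.51.100.4", "TCP", 80, 3000),
    ("10.0.0.12", "10.0.0.2", "UDP", 53, 100),
    ("10.0.0.12", "198.51.100.4", "TCP", 443, 3300),
]

# Constructed flows from a later window to check against the baseline.
OBSERVED_FLOWS = [
    ("10.0.0.7", "198.51.100.4", "TCP", 80, 5000),       # ordinary web traffic
    ("10.0.0.7", "203.0.113.9", "TCP", 6667, 900),       # IRC port never seen before
    ("10.0.0.7", "198.51.100.4", "TCP", 80, 900000),     # far above the host's norm
    ("10.0.0.12", "10.0.0.2", "UDP", 53, 105),           # ordinary DNS lookup
    ("10.0.0.50", "203.0.113.9", "TCP", 7000, 400),      # host with no profile
]

def learn_baseline(flows):
    """Per-host profile: (proto, dport) histogram plus byte-count mean/stdev."""
    ports = defaultdict(Counter)
    sizes = defaultdict(list)
    for src, _dst, proto, dport, nbytes in flows:
        ports[src][(proto, dport)] += 1
        sizes[src].append(nbytes)
    return {
        host: {"ports": ports[host],
               "mean": statistics.mean(sizes[host]),
               "stdev": statistics.pstdev(sizes[host])}
        for host in ports
    }

def detect_anomalies(profile, flows, z=3.0):
    """Flag a flow when its host has no profile, uses a (proto, port) pair
    absent from the learning window, or moves more than z stdevs above
    the host's mean byte count. Returns (src, dst, dport, reason)."""
    alerts = []
    for src, dst, proto, dport, nbytes in flows:
        p = profile.get(src)
        if p is None:
            alerts.append((src, dst, dport, "unknown host"))
        elif (proto, dport) not in p["ports"]:
            alerts.append((src, dst, dport, "new port"))
        elif p["stdev"] > 0 and nbytes > p["mean"] + z * p["stdev"]:
            alerts.append((src, dst, dport, "byte count"))
    return alerts

def nick_shape(nick):
    """Reduce a nickname to its character-class shape (assumed heuristic):
    letters -> 'A', digits -> 'd', other characters kept as they are."""
    return "".join("A" if c.isalpha() else "d" if c.isdigit() else c
                   for c in nick)

def suspicious_nick_shapes(nicks, min_count=3):
    """Shapes shared by at least min_count distinct nicknames: a channel
    where many 'clients' share one template looks generated, not human."""
    shapes = defaultdict(set)
    for n in nicks:
        shapes[nick_shape(n)].add(n)
    return {s: sorted(ns) for s, ns in shapes.items() if len(ns) >= min_count}

# Constructed channel membership: two humans, four template-generated nicks.
SAMPLE_NICKS = ["alice", "bob_42", "USA|8832191", "DEU|0031945",
                "GBR|7720016", "FRA|1193302", "kate"]

if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_FLOWS)
    for alert in detect_anomalies(baseline, OBSERVED_FLOWS):
        print("flow alert:", alert)
    print("generated-looking nick shapes:", suspicious_nick_shapes(SAMPLE_NICKS))
```

The slide's "poisoning" problem is visible in the structure: `learn_baseline` trusts every record in its window, so if a bot was already beaconing on port 6667 while the profile was built, that port becomes "normal" and `detect_anomalies` stays silent on it. The usual defence is to build the profile from a window that was independently verified clean, and to re-check old profiles against newer ones rather than overwrite them.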