GT ECE 4112 - Lab 10: Botnets

ECE4112 Internetwork Security
Lab 10: Botnets

Group Number: _________
Member Names: ___________________ _______________________
Date Assigned: March 28, 2012
Date Due: April 5, 2012

Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions in the Answer Sheet and be sure you turn in ALL materials listed in the Turn-in Checklist on or before the Date Due.

Goal: The goal of this lab is to introduce you to the concept of botnets and showcase some features of popular bots.

Summary: You will install two different bots, use them to carry out attacks, and analyze the results.

Background: Read Appendix A: An edited excerpt from the Ph.D. proposal of Chris Lee, Appendix B: “Bots, Drones, Zombies, Worms and Other Things That Go Bump in the Night” (www.swatit.org/bots) and Appendix C: “Tracking Botnets” (http://www.honeynet.org/papers/bots/).

Prelab Questions: None

Lab Scenario: For this lab you will set up an IRC server on your Red Hat 4.0 host machine and then infect two virtual machines (one Windows, one Linux) with bots that will connect to it. To help with the transfer of files between all of the machines, it may be helpful to set up shared folders on the virtual machines. To do so, see Appendix C.

NOTE:
• Some groups report getting errors during the IRC install because in a previous lab they had run a virus that added exploit code to the beginning of the headers and they didn't restore the originals. To get a good version back, copy it over the modified one:
  cp /usr/include/stdio.h /usr/local/include/
• If you are having trouble connecting to the IRC server (running on the WS 4.0 machine) from the virtual machines, then in a terminal on the WS 4.0 machine type the following to disable the firewall:
  $ service iptables stop
  Also make sure other firewalls are disabled.

Figure 1 - Lab Scenario Network Diagram (labels: IRCd and IRC client (Attacker) on Redhat WS4.0; Infected XP machine (Victim); Infected RedHat machine (Victim))

Section 1: Setup

1.1 Setting up the IRCd server

IRC networks, while not as popular as many web-based chatrooms, are considered part of the “underground” Internet, and public IRC servers are home to many hacking groups and illegal software (warez) release groups, mainly because of the relative anonymity users can have while connected to IRC. Because of this, botnets are a feasible method of controlling victims without directly connecting to them. IRC servers are usually part of a network, providing multiple servers for clients to connect to (if one is closer, or less loaded), which enhances the hard-to-trace nature of IRC.

For the first section of the lab, we will need to set up an IRC server on our host machine to simulate a public server where the attacker would control the infected machines. Copy the file irc2.11.1.tgz from the NAS to your host machine. Perform the following procedure to set up the IRC daemon on the WS4.0 machine:

  # tar -xzvf irc2.11.1.tgz
  # cd irc2.11.1
  # ./configure
  # cd i686-pc-linux-gnu
  # make all; make install

Once the IRCd is installed, we need to give it a configuration file. The example configuration file included with the installation is set up so the server acts as a node in a network. On the NAS is a pre-configured ircd.conf file, which changes the configuration so the server will act as a single, stand-alone server. Copy this ircd.conf file to /usr/local/etc/:

  # cp ircd.conf /usr/local/etc/

Before bringing the IRC software up, we will need to turn off the firewall so that it won't interfere with our incoming and outgoing connections. Open a terminal and type:

  # service iptables stop

To start the server up, run the following command:

  # /usr/local/sbin/ircd -s

The “-s” parameter prevents the ircd process from launching iauth, a daemon which performs ident requests for incoming IRC clients. This process takes more time than necessary, since the Redhat and Windows machines don't answer these requests and they have to time out. We don't want this in our situation, so we turn it off.

Once the IRCd server is running, click on the “red hat” icon in the WS4.0 interface. Select “Internet” and then “IRC.” You can put in whatever nickname you like. Click “Skip server list on startup” and then connect to a random server. When the X-Chat window pops up, go to Server -> Disconnect to cancel connecting to the server. In the bottom text bar, type the command:

  /server <WS4.0 IP> 6668

Once the server logs you in (there may be some time before the MOTD displays), type the following command to join a channel:

  /join #ece4112

Figure 2 - Connected to an IRC channel

You will now be in the newly created #ece4112 channel. Note that IRC channels are similar to radio channels, if there were an infinite number of frequency bands available. The “chat rooms” are created by a user joining the same channel as other users. The channel user list is displayed on the right side of the screen; this is where the bots will appear when they are running properly on an infected machine.

1.2 Setting up the Virtual Machines

You will be using two of your existing virtual machines: one Windows XP and one RedHat 7.2. No additional setup is needed.

Section 2: SDBot

The first bot you will work with is SDBot, which is written in C and uses IRC to communicate with the bot master. It is neither the most powerful bot nor the most popular, but the setup is straightforward, and the version of the code we have has the self-replicating routines removed, so it is easier to control.

2.1 Installation and Configuration

Copy the SDBot folder from the NAS to your Windows XP virtual machine. Because SDBot is a C program, we have to install a Windows C compiler. In the SDBot folder run the file lccwin32.exe to install the compiler. Click through the install process, leaving all of the default options in place.

Once LCC is installed, open the sdbot05b.c file in WordPad and scroll down to the section labeled “bot configuration.” Make the following changes to the listed variables:

1. botid[] = "f00f00"  ->  botid[] = "bot1"
2. password[] = "bar"  ->  password[] = "password"
3. server[] = "irc.dal.net"  ->  server[] = "ircserver"
4. port = 6667  ->  port = 6668
5. channel[] = "#foobar"  ->  channel[] = "#ece4112"
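The defender's view of the IRCd setup and SDBot configuration above, as an added Python example that is not part of the handout: the bots register with the server using plain-text IRC (NICK, USER, then JOIN #ece4112) on port 6668 rather than the default 6667, so a small parser over a connection log can pick such sessions out. The log format, the IP addresses and the rule that 6667 is the only expected IRC port are assumptions constructed for this example.

```python
"""Flag IRC command-and-control sessions in a simple connection log.
Added example, not from the ECE4112 handout.  Log lines are constructed in the
form 'src_ip dst_ip dst_port payload'; the lab's IRCd listens on 6668."""
import re
from collections import defaultdict

IRC_DEFAULT_PORTS = {6667}  # assumption: the only sanctioned IRC port
IRC_CMDS = {"NICK", "USER", "JOIN", "PRIVMSG"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")

def parse_irc(payload):
    """Return (COMMAND, params) for an IRC message, or None if not IRC.
    Handles an optional ':prefix' and a trailing ':long parameter'."""
    if payload.startswith(":"):  # strip ':nick!user@host' server prefix
        _, _, payload = payload.partition(" ")
    head, _, trailing = payload.partition(" :")
    parts = head.split()
    if not parts or parts[0].upper() not in IRC_CMDS:
        return None
    return parts[0].upper(), parts[1:] + ([trailing] if trailing else [])

def find_suspect_sessions(log_lines):
    """Group lines by (src, dst, port); return {session: channels} for sessions
    that registered (NICK + USER) and JOINed a channel on a non-default port."""
    sessions = defaultdict(lambda: {"cmds": set(), "channels": set()})
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, dst, port, payload = m.groups()
        parsed = parse_irc(payload)
        if parsed is None:
            continue
        cmd, params = parsed
        s = sessions[(src, dst, int(port))]
        s["cmds"].add(cmd)
        if cmd == "JOIN" and params:  # 'JOIN #a,#b' joins several channels
            s["channels"].update(params[0].split(","))
    return {key: sorted(s["channels"]) for key, s in sessions.items()
            if key[2] not in IRC_DEFAULT_PORTS and {"NICK", "USER", "JOIN"} <= s["cmds"]}

# Constructed sample: an infected VM (10.0.0.20) registering with the lab IRCd
# (10.0.0.1:6668) and joining #ece4112, plus a benign HTTP line for contrast.
SAMPLE_LOG = [
    "10.0.0.20 10.0.0.1 6668 NICK bot1-x3z",
    "10.0.0.20 10.0.0.1 6668 USER bot1 0 * :bot1",
    "10.0.0.20 10.0.0.1 6668 JOIN #ece4112",
    "10.0.0.30 10.0.0.5 80 GET / HTTP/1.1",
]
```

Calling find_suspect_sessions(SAMPLE_LOG) returns {('10.0.0.20', '10.0.0.1', 6668): ['#ece4112']}; the HTTP line and any session on port 6667 are left out.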

