Botnets by Mehedy Masud September 16, 2009

Botnets

by Mehedy Masud

September 16, 2009

Botnets
● Introduction
● History
● How do they spread?
● What do they do?
● Why care about them?
● Detection and Prevention

Bot
● The term 'bot' comes from 'robot'.
● In the computing paradigm, 'bot' usually refers to an automated process.
● There are good bots and bad bots.
● Examples of good bots:
– Google bot
– Game bot
● Examples of bad bots:
– Malicious software that steals information

Botnet
● Network of compromised/bot-infected machines (zombies) under the control of a human attacker (botmaster)

[Diagram: the botmaster issues commands through an IRC channel on an IRC server; C&C traffic flows over that channel to the bots; a code server supplies updates; vulnerable machines are attacked and recruited into the botnet]

History
● In the beginning, there were only good bots.
– ex: Google bot, game bot etc.
● Later, bad people thought of creating bad bots so that they could
– Send spam and phishing emails
– Control other people's PCs
– Launch attacks on servers (DDoS)
● Many malicious bots were created
– SDBot/Agobot/Phatbot etc.
● Botnets started to emerge

TimeLine
Years on the slide's axis: 1989, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, Present
Milestones labelled on the figure (their year positions are not recoverable from the extracted text):
● GM (by Greg, Operator): recognized as the first IRC bot; entertained clients with games
● W32/PrettyPark: first worm to use IRC as C&C; DDoS capable
● GT bots: combined the mIRC client with hacking scripts & tools (port-scanning, DDoS)
● W32/Sdbot: first family of bots developed as a single binary; by a Russian named sd
● W32/Agobot bot family: added modular design and significant functionality
● W32/Spybot family emerged
● RPCSS
● W32/Mytob: hybrid bot, major e-mail outbreak

Cases in the news
● Axel Gembe
– Author of Agobot (aka Gaobot, Polybot)
– 21 yrs old
– Arrested in Germany in 2004 under Germany's computer sabotage law
● Jeffry Parson
– Released a variation of the Blaster worm
– Infected 48,000 computers worldwide
– 18 yrs old
– Arrested, sentenced to 18 months & 3 yrs of supervised release

How The Botnet Grows
(four diagram slides; the figure content is not recoverable from the text)

Recruiting New Machines
● Exploit a vulnerability to execute a short program (the exploit) on the victim's machine
– Buffer overflows, email viruses, Trojans etc.
● The exploit downloads and installs the actual bot
● Bot disables firewall and A/V software
● Bot locates the IRC server, connects, joins
– Typically needs DNS to find out the server's IP address
– Authentication password often stored in the bot binary
● Botmaster issues commands

What Is It Used For
● Botnets are mainly used for only one thing

How Are They Used
● Distributed Denial of Service (DDoS) attacks
● Sending spam
● Phishing (fake websites)
● Adware (Trojan horse)
● Spyware (keylogging, information harvesting)
● Storing pirated materials

Example: SDBot
● Open-source malware
● Aliases
– McAfee: IRC-SDBot, Symantec: Backdoor.Sdbot
● Infection
– Mostly through network shares
– Tries to connect using password guessing (exploits weak passwords)
● Signs of compromise
– SDBot copies itself to the System folder. Known filenames: Aim95.exe, Syscfg32.exe etc.
– Registry entries modified
– Unexpected traffic: port 6667 or 7000
– Known IRC channels: Zxcvbnmas.i989.net etc.

Example: RBot
● First of the bot families to use encryption
● Aliases
– McAfee: W32/SDbot.worm.gen.g, Symantec: W32.Spybot.worm
● Infection
– Network shares, exploiting weak passwords
– Known software vulnerabilities in Windows (e.g. the LSASS buffer overflow vulnerability)
● Signs of compromise
– Copies itself to the System folder. Known filenames: wuamgrd.exe, or random names
– Registry entries modified
– Terminates A/V processes
– Unexpected traffic: port 113 or other open ports

Example: Agobot
● Modular functionality
– Rather than infecting a system all at once, it proceeds through three stages (3 modules)
● infect a client with the bot & open a backdoor
● shut down A/V tools
● block access to A/V and security-related sites
– After successful completion of one stage, the code for the next stage is downloaded
● Advantage?
– The developer can update or modify one portion/module without having to rewrite or recompile the entire code

Example: Agobot
● Aliases
– McAfee: W32/Gaobot.worm, Symantec: W32.HLLW.Gaobot.gen
● Infection
– Network shares, password guessing
– P2P systems: Kazaa etc.
– Protocol: WASTE
● Signs of compromise
– System folder: svshost.exe, sysmgr.exe etc.
– Registry entries modified
– Terminates A/V processes
– Modifies the %System\drivers\etc\hosts file
● Symantec/McAfee's live update sites are redirected to 127.0.0.1

Example: Agobot
● Signs of compromise (contd.)
– Theft of information: seeks and steals CD keys for popular games like "Half-Life", "NFS" etc.
– Unexpected traffic: open ports to the IRC server etc.
– Scanning: Windows, SQL Server etc.

DDoS Attack
● Goal: overwhelm the victim machine and deny service to its legitimate clients
● DoS often exploits networking protocols
– Smurf: ICMP echo request to a broadcast address with the spoofed victim's address as source
– Ping of death: ICMP packets with payloads greater than 64K crash older versions of Windows
– SYN flood: "open TCP connection" requests from a spoofed address
– UDP flood: exhaust bandwidth by sending thousands of bogus UDP packets

DDoS attack
● Coordinated attack on a specified host

[Diagram: attacker → master (IRC server) machines → zombie machines → victim]

Why DDoS attack?
● Extortion
– Take down systems until they pay
– Works sometimes too!
● Example: 180 Solutions – Aug 2005
– Botmaster used bots to distribute 180solutions adware
– 180solutions shut down the botmaster
– Botmaster threatened to take down 180solutions if not paid
– When not paid, the botmaster used DDoS
– 180Solutions filed a civil lawsuit against the hackers

Botnet Detection
● Host based
● Intrusion Detection Systems (IDS)
● Anomaly detection
● IRC nicknames
● HoneyPot and HoneyNet

Host-based detection
● Virus scanning
● Watching for symptoms
– Modification of the Windows hosts file
– Random unexplained popups
– Machine slowness
– Antivirus not working
● Watching for suspicious network traffic
– Since IRC is not commonly used, any IRC traffic is suspicious. Sniff this IRC traffic
– Check if the host is trying to communicate with any Command and Control (C&C) center
– Through firewall logs: denied connections
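As an added example (not from the slides), two of the host-based checks above in code: a scan of the hosts file for the A/V update-site redirection described on the Agobot slide, and a pass over firewall log lines for connections to the IRC ports named on the SDBot slide. The hosts file, the log lines and the log format are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample hosts file, modelled on the Agobot symptom the slides describe:
# the security vendors' update sites are redirected to 127.0.0.1.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com
127.0.0.1       update.symantec.com
127.0.0.1       download.mcafee.com
"""
# Constructed firewall log lines; the format is an assumption, not from the slides:
# "<date> <time> <ACTION> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_FW_LOG = """\
2009-09-16 10:01:02 ALLOW TCP 192.168.1.20:49152 -> 93.184.216.34:80
2009-09-16 10:01:05 DENY TCP 192.168.1.20:49153 -> 203.0.113.9:6667
2009-09-16 10:01:09 ALLOW TCP 192.168.1.20:49154 -> 198.51.100.7:7000
2009-09-16 10:02:11 DENY UDP 192.168.1.20:49155 -> 192.168.1.1:53
"""
AV_DOMAIN_HINTS = ("symantec.com", "mcafee.com")  # vendors named on the slides
IRC_PORTS = {6667, 7000}                          # ports named on the SDBot slide
LOOPBACK = {"127.0.0.1", "::1"}

def hosts_redirections(hosts_text: str) -> List[str]:
    """Return A/V-related hostnames that the hosts file maps to loopback."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if ip in LOOPBACK and name.endswith(AV_DOMAIN_HINTS):
                hits.append(name)
    return hits

FW_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
                   r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def irc_connections(log_text: str) -> List[Dict[str, str]]:
    """Return log entries whose destination port is an IRC port, whether the
    firewall allowed or denied them (a denied attempt is still a symptom)."""
    found = []
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if m and int(m.group("dport")) in IRC_PORTS:
            found.append({"src": m.group("src"), "dst": m.group("dst"),
                          "port": m.group("dport"), "action": m.group("action")})
    return found
```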

Network Intrusion Detection Systems
● Example systems: Snort and Bro
● Sniff network packets, look for specific patterns (called signatures)
● If any pattern matches that of a malicious binary, then block that traffic and raise an alert
● These systems can efficiently detect viruses/worms having known signatures
● Can't detect any malware whose signature is unknown (i.e., a zero-day attack)

Anomaly Detection
● Normal traffic has some patterns
– Bandwidth/port usage
– Byte-level characteristics (histograms)
– Protocol analysis – gather statistics about
● TCP/UDP src, dest address
● Start/end of flow, byte count
● DNS lookup
● First learn the normal traffic pattern
● Then detect any anomaly in that pattern
● Example systems: SNMP, NetFlow
● Problems:
– Poisoning
– Stealth

IRC Nicknames
● Bots use weird nicknames
● But they have a certain pattern (really!)
● If we can learn that pattern, we can detect bots & botnets
● Example nicknames:
– USA|016887436 or DE|028509327
  Country | Random number (9 digit)
– RBOT|XP|48124
  Bot type | Machine type | Random number
● Problem: May be defeated by changing the nickname randomly
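As an added example (not from the slides), a matcher for the two nickname shapes above, extended from single nicknames to a per-channel ratio so that one accidental match does not flag a channel. The roster, the bot-type vocabulary ([A-Z]+BOT) and the 2-3 letter country code are assumptions drawn from the slide's examples.

```python
import re
from typing import List, Optional, Tuple

# Patterns derived from the slide's two nickname shapes. The bot-type vocabulary
# ([A-Z]+BOT) and the 2-3 letter country code are assumptions, not a complete
# list of real bot naming schemes.
NICK_PATTERNS = [
    # "USA|016887436", "DE|028509327": Country | 9-digit random number
    ("country|random9", re.compile(r"^[A-Z]{2,3}\|\d{9}$")),
    # "RBOT|XP|48124": Bot type | Machine type | random number
    ("bottype|machine|random", re.compile(r"^[A-Z]+BOT\|[A-Z0-9]+\|\d+$")),
]

def classify_nick(nick: str) -> Optional[str]:
    """Name of the first bot pattern a nickname matches, or None for a normal nick."""
    for name, pattern in NICK_PATTERNS:
        if pattern.match(nick):
            return name
    return None

def suspicious_nicks(roster: List[str]) -> List[Tuple[str, str]]:
    """(nick, pattern) pairs for every roster entry that looks bot-generated."""
    out = []
    for nick in roster:
        label = classify_nick(nick)
        if label:
            out.append((nick, label))
    return out

def channel_looks_like_botnet(roster: List[str], threshold: float = 0.5) -> bool:
    """Flag a channel when at least `threshold` of its members carry generated
    nicknames: single matches happen by chance, a whole channel of them does not."""
    if not roster:
        return False
    return len(suspicious_nicks(roster)) / len(roster) >= threshold

# Constructed channel roster; the first four entries are modelled on the slide's examples.
SAMPLE_ROSTER = ["USA|016887436", "DE|028509327", "RBOT|XP|48124", "SDBOT|2K|7731",
                 "alice", "bob_42", "USA|12345"]   # the last one has too few digits
```

As the slide notes, a botmaster who randomises nicknames defeats this check, so it is a cheap first filter rather than a detector on its own.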

HoneyPot and HoneyNet
● A HoneyPot is a vulnerable machine, ready to be attacked
● Example: unpatched Windows 2000 or Windows XP
● Once attacked, the malware is caught inside
● The malware is analyzed and its activity is monitored
● When it connects to the C&C server, the server's identity is revealed

HoneyPot and HoneyNet (contd.)
● Thus much information about the bot is obtained
– C&C server address, master commands
– Channel, nickname, password
● Now do the following
– Make a fake bot join the same IRC channel with the same nickname/password
– Monitor who else is in the channel, thus observe the botnet
– Collect statistics – how many bots
– Collect sensitive information – who is being attacked, when etc.

HoneyPot and HoneyNet (contd.)
● Finally, take down the botnet
● HoneyNet: a network of honeypots (see the 'HoneyNet Project')
● Very effective, worked in many cases
● They also pose a great security risk
– If not maintained properly, hackers may use them to attack others
– Must be monitored cautiously

Summary
● Today we have learned
– What a botnet is
– How / why they are used
– How to detect / prevent them

Questions?