Introduction to Botnets - PowerPoint PPT Presentation

About This Presentation

Title: Introduction to Botnets

Description: Introduction to Botnets. Instructors: Ali Shiravi, University of New Brunswick; Natalia Stakhanova, University of South Alabama; Hanli Ren, University of New Brunswick. PowerPoint PPT presentation.

Slides: 78

Transcript and Presenter's Notes

1
Introduction to Botnets
  • Instructors
  • Ali Shiravi, University of New Brunswick
  • Natalia Stakhanova, University of South Alabama
  • Hanli Ren, University of New Brunswick

2
Part 1: Intro to Botnets. What are they?
3
In the news
  • July 29 2010 - Multi-Purpose Botnet Used in
    Major Check Counterfeiting Operation
  • Aug 4 2010 - Zeus v2 Botnet that owned 100,000 UK
    PCs taken out
  • Aug 12 2010 - dd_ssh Botnet attacks SSH servers
  • Aug 12 2010 - Zeus Mumba Botnet Seizes
    Confidential Database sized 60GB
  • Aug 12 2010 - Zeus v3 botnet raid on UK bank
    accounts

4
Introduction
  • Malware is currently the major source of attacks and fraudulent activities on the Internet.
  • Malware is used to infect computers.
  • A botnet is a network of zombies, i.e. compromised computers under the control of an attacker.
  • A bot is a program loaded on a zombie computer that provides remote control mechanisms to an attacker.

[Figure: attacker (botmaster) controlling zombies]
5
Bot
  • Bot: a small program to remotely control a computer
  • Characterized by:
  • Remote control communication (C&C) channels to command a victim
  • e.g., perform a denial-of-service attack, send spam
  • The implemented remote commands
  • e.g., update the bot binary to a new version
  • The spreading mechanisms to propagate it further
  • e.g., port scanning, email

6
[Figure] Source: http://en.wikipedia.org/wiki/Botnet
7
C&C channel
  • Means of receiving and sending commands and information between the botmaster and the zombies.
  • Typical protocols:
  • IRC
  • HTTP
  • Overnet (Kademlia)
  • The protocol implies (to an extent) the botnet's communication topology.
  • The topology provides trade-offs in terms of bandwidth, effectiveness, stealth, and so forth.

8
Botnet Infection Stages - Centralized
9
Part 2: How does a botnet operate?
10
Popular Botnet Propagation Methods
  • Spammed messages
  • Worm
  • Social networking websites
  • Removable devices
  • Malicious websites
Each path ends the same way: install malware → become bot
11
Shift in the way that malware is distributed
  • Every 1.3 seconds a new web page gets infected
  • Every month almost 2 million web pages across 210,000 websites are infected with malware
  • Malware attacks have grown by 600% since 2008

12
Spammed Messages
13
Spammed Messages: Storm Botnet
14
Propagation Steps
Step 1: Click link
Step 2: Link to malicious website
Step 3: Download & run malware
15
Sample subjects and attachments
  • Sample subjects
  • A killer at 11, he's free at 21 and kill again!
  • British Muslims Genocide
  • Naked teens attack home director.
  • 230 dead as storm batters Europe.
  • Re: Your text
  • Radical Muslim drinking enemies's blood.
  • Saddam Hussein alive!
  • Fidel Castro dead.
  • FBI vs. Facebook

Sample attachments: Postcard.exe, ecard.jpg, FullVideo.exe, Full Story.exe, Video.exe, Read More.exe, FullClip.exe, GreetingPostcard.exe, MoreHere.exe, FlashPostcard.exe, GreetingCard.exe, ClickHere.exe, ReadMore.exe, FlashPostcard.exe, FullNews.exe, NflStatTracker.exe, ArcadeWorld.exe, Left-right-brain-test.gif
16
Social Networking Websites, e.g. Koobface
17
Social Networking Websites
Koobface Downloader
http://us.trendmicro.com
18
Koobface Spam Messages
  • A typical KOOBFACE infection starts with a spam message sent through:
  • Facebook
  • Twitter
  • MySpace
  • Other social networking sites

http://us.trendmicro.com
19-21
Koobface Spam Messages (screenshots)
http://us.trendmicro.com
22
Koobface Malware Download
Clicking the link redirects the user to a website designed to mimic YouTube (but actually named "YuoTube"), which asks the user to install an executable (.EXE) file in order to watch the video.
http://us.trendmicro.com
23
Malicious Websites, e.g. Gumblar & Zeus
24
Malicious Websites
http://www.ipa.go.jp/security/english/virus/press/201001/E_PR201001.html
25
Gumblar Compromised Website
The malicious script embedded in the website.
http://www.van-manen.info/weblog/2010/02/gumblar-virus-infecteert-microsoft-website/
26
Zeus Malware Download
27
Zeus Compromised host
28
Part 3: How is a botnet organized?
29
Traditional botnet
Botnet topology mainly refers to the organization of C&C channels between zombies and an attacker.

[Figure: the attacker issues commands & controls to the zombies (including "your home computer"), which infect further machines and attack the victim]
30
Topology
  • Based on C&C channels, there are two typical botnet topologies:
  • Centralized
  • Decentralized (P2P)
  • Traditional botnet metrics:
  • Resiliency
  • A botnet's ability to cope with the loss of members (zombies) or servers
  • Latency
  • Reliability in message transmission
  • Enumeration
  • The ability to accurately estimate a botnet's size
  • Difficulty for security analysis
  • Re-sale
  • The possibility to carve off sections of the botnet for lease or resale to other operators.

31
Centralized botnet
  • Communication between attacker and zombies goes via a centralized server
  • Classical communication method: IRC (Internet Relay Chat)

[Figure: zombies connecting to a centralized server]
32
Centralized botnet topologies
  • A centralized topology can be represented in different shapes.
  • The exact organization of a botnet depends on the bot operator:
  • nothing prevents a bot operator from coming up with a new topology.
  • Often seen topologies:
  • Hierarchical
  • Multi-server
  • Star
33
Star topology
  • Communication is directly between a single centralized server and ALL zombies.
  • When a new machine is infected, it is preconfigured to contact the server and announce its membership.
  • Pros: Low latency
  • Each zombie is issued commands directly from the server.
  • Cons: Low resilience
  • Only the server needs to be blocked to neutralize the whole botnet

34
Example
  • Koobface
  • The old variant employed a star architecture
  • Zombies connected to the C&C server directly

35
Multi-server topology
  • Similar to the star topology
  • Instead of one server, multiple servers are used to provide instructions to the zombies.
  • Pros:
  • Better resilience: no single point of failure
  • Geographical distribution of servers: communication speed-up, more resistant to legal shutdowns
  • Cons:
  • Requires advance planning

36
Hierarchical topology
  • Zombies are generally not aware of the server location
  • Pros:
  • Ease of re-sale: a botnet operator can easily carve off sections of the botnet for lease or resale to other operators.
  • Hard to enumerate: hard to evaluate the size and complexity of the botnet
  • Cons:
  • High latency, which makes some botnet attacks difficult.

37
Example - Gumblar
  • Gumblar's architecture is not well studied; it is built entirely on zombies.
  • Website visitors are infected with a Windows executable that grabs FTP credentials from the victim machine. The stolen FTP account is then used to infect every web page on that victim's web server, which in turn infects its own visitors.

38
Decentralized botnet
  • P2P (peer-to-peer) communication
  • zombies talking to each other
  • no central server
  • Pros: Very high resilience
  • Cons:
  • High latency
  • Difficult to enumerate

39
Hybrid topologies
  • High resilience
  • Low latency
  • Examples:
  • Hierarchical P2P
  • Centralized P2P

[Figure: centralized and peer-to-peer layers combined]
40
Storm botnet
  • A three-level self-organizing hierarchy:
  • Master servers
  • Proxy bots: transfer traffic between worker bots and master servers
  • Worker bots: responsible for sending the spam
  • Once a Storm binary is downloaded, an infected host becomes a worker bot (if not reachable from the Internet) or a proxy bot (if it is)

41
Detection
  • The complicated organization of botnets and the variety of cover-up techniques make detection of botnets challenging

42
Part 4: How do they hide?
43
Outline
45
Encryption
Botnet malware uses encryption techniques to avoid being detected by signature-based intrusion detection systems.
46

Snort Example
Without encryption, Snort can successfully detect the attack.

Packet without encryption:
12/30-22:59:59.368544 192.168.1.92:138 -> 192.168.1.255:138 UDP TTL:64 TOS:0x0 ID:33092 IpLen:20 DgmLen:234 Len: 214
..l....F...... EEEBEGEGFJCACACACACACACACACACAAA. ABACFPFPENFDECF CEPFHFDEFFPFPACAB..SMB........................................ ..........V.........7.\MAILSLOT\BROWSE.......METALGODS......... ......U.DAFFY.

Snort rule:
alert udp $EXTERNAL_NET any -> 192.168.1.255 138 (msg:"SAMBA server identified on local subnet!"; content:"SMB"; content:"MAILSLOT";)

Snort alert:
100 SAMBA server identified on local subnet!
01/06-02:21:23.465726 192.168.1.92:138 -> 192.168.1.255:138 UDP TTL:64 TOS:0x0 ID:64503 IpLen:20 DgmLen:262 Len: 242
47

Snort Example
Snort cannot detect the attack from encrypted traffic.

Encrypted packet (the payload shown is the same datagram base64-encoded):
12/30-22:59:59.368544 192.168.1.92:138 -> 192.168.1.255:138 UDP TTL:64 TOS:0x0 ID:33092 IpLen:20 DgmLen:234 Len:
Li5sLi4uLkYuLi4uLi4gRUVFQkVHRUdGSkNBQ0FDQUNBQ0FDQUNBQ0FDQUNBQUEuIEFCQUNGUEZQRU5GREVDRiBDRkNBQ0FDQUNBQ0FDQUNBQ0FDQUVBGSEZERUZGUEZQQUNBQi4uU01CJS4uLi4uLi4uLi4uLg

Snort rule:
alert udp $EXTERNAL_NET any -> 192.168.1.255 138 (msg:"SAMBA server identified on local subnet!"; content:"SMB"; content:"MAILSLOT";)
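The evasion on these two slides, as an added example that is not part of the original presentation: the rule's two content matches re-implemented in Python over a constructed stand-in for the NetBIOS datagram (the slide's "encrypted" packet is in fact the plaintext base64-encoded, which is already enough to defeat a literal content match), plus the check a practitioner would reach for next, payload entropy. The payload bytes, the XOR key and the toy SHA-256 keystream are assumptions of the example, not the slides'.

```python
import base64
import hashlib
import math
from collections import Counter

# Constructed stand-in for the NetBIOS datagram on the slide (not a real capture):
# two encoded NetBIOS names, an SMB header and the \MAILSLOT\BROWSE announcement.
PLAINTEXT_PAYLOAD = (
    b"\x11\x02\x80\x6c\xc0\xa8\x01\x5c\x00\x8a\x00\xd6\x00\x00"
    b" EEEBEGEGFJCACACACACACACACACACAAA\x00"
    b" ABACFPFPENFDECFCEPFHFDEFFPFPACAB\x00"
    b"\xffSMB\x25\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\\MAILSLOT\\BROWSE\x00"
    b"\x01\x00\x80\xfc\x0a\x00METALGODS\x00"
)

# The two content matches from the slide's Snort rule.
RULE_CONTENTS = (b"SMB", b"MAILSLOT")


def rule_matches(payload: bytes, contents=RULE_CONTENTS) -> bool:
    """Snort-style content matching: every content string must occur in the payload."""
    return all(c in payload for c in contents)


def xor_encode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the cheapest 'encryption' seen in bot traffic."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def stream_encrypt(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher for illustration only (assumed, not a real bot's scheme):
    keystream = SHA-256(key || counter) blocks, XORed onto the data."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return xor_encode(data, bytes(stream[: len(data)]))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution; 8.0 is the ceiling."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def evaluate(payload: bytes) -> dict:
    """What a signature engine and an entropy check each say about one payload."""
    return {"signature_hit": rule_matches(payload),
            "entropy": round(shannon_entropy(payload), 2)}


VARIANTS = {
    "plaintext": PLAINTEXT_PAYLOAD,
    "base64": base64.b64encode(PLAINTEXT_PAYLOAD),       # what the slide calls "encrypted"
    "xor_1byte": xor_encode(PLAINTEXT_PAYLOAD, b"\x5a"),  # assumed single-byte key
    "stream": stream_encrypt(PLAINTEXT_PAYLOAD, b"c&c-session-key"),  # assumed key
}

if __name__ == "__main__":
    for name, data in VARIANTS.items():
        print(f"{name:10s} {evaluate(data)}")
```

The plaintext is the only variant the signature hits. The entropy column shows the caveat: base64 and the keystream-encrypted variant stand out as unusual for a NetBIOS datagram, but single-byte XOR is a bijection on byte values, so it leaves the byte histogram and therefore the entropy exactly unchanged. An entropy detector does nothing against the cheapest obfuscation; a decode-then-match rule or a rule on transport metadata (unexpected port, periodic timing) still can.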
49
Fast Flux
IP addresses that are rotated in seconds against the same domain. For example:

QUESTION: website name www.lijg.ru
ANSWER: IP addresses
  • www.lijg.ru → 68.124.161.76
  • www.lijg.ru → 69.14.27.151
  • www.lijg.ru → 70.251.45.186
  • www.lijg.ru → 71.12.89.105
  • www.lijg.ru → 71.235.251.99
  • www.lijg.ru → 75.11.10.101
  • www.lijg.ru → 75.75.104.133
  • www.lijg.ru → 97.104.40.246
  • www.lijg.ru → 173.16.99.131
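One way to turn the answers on this slide into a detection, as an added example that is not from the presentation or the Honeynet paper it cites. It profiles repeated DNS answers per name and flags fast flux on three signals: many distinct A records, spread over many networks, advertised with a short TTL. The /16 grouping is an offline stand-in for ASN diversity, the thresholds are illustrative assumptions, and the benign control domain static.example.com and the split of the slide's addresses across three queries are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed observations: the www.lijg.ru addresses are the ones on the slide, split
# across three successive queries; static.example.com is a made-up benign control with
# two stable addresses in one network. Tuples: (seconds since first query, qname, TTL, A records).
OBSERVATIONS = [
    (0,    "www.lijg.ru", 300, ["68.124.161.76", "69.14.27.151", "70.251.45.186"]),
    (300,  "www.lijg.ru", 300, ["71.12.89.105", "71.235.251.99", "75.11.10.101"]),
    (600,  "www.lijg.ru", 300, ["75.75.104.133", "97.104.40.246", "173.16.99.131"]),
    (0,    "static.example.com", 3600, ["192.0.2.10", "192.0.2.11"]),
    (3600, "static.example.com", 3600, ["192.0.2.11", "192.0.2.10"]),
]


def profile(observations):
    """Per-name view across repeated queries: distinct IPs, distinct /16 networks (a coarse
    stand-in for ASN diversity, an assumption of this example), lowest TTL, and churn =
    number of later answers that introduced addresses never seen for that name before."""
    per = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None,
                               "answers": 0, "churned": 0})
    for _, qname, ttl, ips in sorted(observations, key=lambda o: (o[0], o[1])):
        p = per[qname]
        p["answers"] += 1
        p["min_ttl"] = ttl if p["min_ttl"] is None else min(p["min_ttl"], ttl)
        if p["answers"] > 1 and any(ip not in p["ips"] for ip in ips):
            p["churned"] += 1
        for ip in ips:
            p["ips"].add(ip)
            p["nets"].add(str(ipaddress.ip_network(f"{ip}/16", strict=False)))
    return per


def is_fast_flux(p, min_ips=5, min_nets=3, max_ttl=300):
    """Illustrative thresholds (assumptions, not from the slides): many addresses,
    spread over several networks, with a short TTL."""
    return (len(p["ips"]) >= min_ips
            and len(p["nets"]) >= min_nets
            and p["min_ttl"] <= max_ttl)


def classify(observations):
    """Map each queried name to a fast-flux verdict."""
    return {qname: is_fast_flux(p) for qname, p in profile(observations).items()}


if __name__ == "__main__":
    for qname, p in profile(OBSERVATIONS).items():
        print(qname, len(p["ips"]), "ips", len(p["nets"]), "nets",
              "ttl", p["min_ttl"], "churn", p["churned"], "->", is_fast_flux(p))
```

A CDN can also return many addresses, but they usually cluster in a few networks and the same addresses recur, so the network count and the churn counter separate the two cases when the raw address count alone does not. In production, replace the /16 grouping with an ASN lookup and collect answers over at least one full TTL cycle.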
50
Advantages for the attacker
  • Simplicity
  • Only one suitably powerful backend server (or "mothership") host is needed to serve the master content and DNS information.
  • Resilience
  • A layer of protection from ongoing investigative response or legal action
  • Extends the operational lifespan of the critical backend core servers, which are hidden behind the front-end nodes

51
An Example of Fast Flux
http://old.honeynet.org/papers/ff/index.html
53
Rootkit
  • A rootkit is a tool designed to hide itself and other processes, data and/or activity on a system
  • To hide what is taking place, an attacker wants to:
  • Survive system restart
  • Hide processes
  • Hide services
  • Hide listening TCP/UDP ports
  • Hide kernel modules
  • Hide drivers

54
How Rootkit Works
  • Overwrite the first few bytes of the target function with a jump to the rootkit code (inline hooking)
  • Create a trampoline function that first executes the overwritten bytes from the original function, then jumps back into the original function just past the overwritten bytes
  • When the function is called, the rootkit code executes
  • The rootkit code calls the trampoline, which executes the original function

55
Rootkit Usage Example: Hide process
[Screenshot: process list BEFORE the rootkit is launched]
[Screenshot: process list AFTER the rootkit is launched]
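A cross-view check for the process-hiding case shown above, as an added example that is not part of the presentation. The slides show a Windows process list; this is the Linux analogue of the same idea: the view a hooked directory-listing function filters (the numeric entries of /proc) is compared against an independent view obtained by probing every PID with kill(pid, 0), and anything the probe finds that the listing lacks is reported. The PID ceiling, the number of passes and the sample PID sets in the test are assumptions of the example.

```python
import os

PROC = "/proc"


def pids_from_proc() -> set:
    """The view a rootkit's hooked readdir()/getdents() filters: numeric entries in /proc."""
    return {int(name) for name in os.listdir(PROC) if name.isdigit()}


def pids_by_probe(pid_max: int) -> set:
    """An independent view: kill(pid, 0) delivers no signal and fails with ESRCH only
    when the PID does not exist; success or EPERM both mean the process is there."""
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:      # ESRCH: no such process
            continue
        except PermissionError:         # EPERM: exists, owned by someone else
            pass
        alive.add(pid)
    return alive


def is_thread(pid: int) -> bool:
    """Thread IDs answer kill(2) but are never listed in /proc, so they would look hidden.
    Tgid != pid identifies them; an unreadable status file keeps the PID suspicious."""
    try:
        with open(f"{PROC}/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False
    return False


def hidden_pids(listed: set, probed: set) -> set:
    """Cross-view diff: PIDs the probe found that the directory listing did not show."""
    return probed - listed


def read_pid_max(default: int = 32768) -> int:
    """Upper bound for the probe; the default is an assumption used when /proc is absent."""
    try:
        with open(f"{PROC}/sys/kernel/pid_max") as f:
            return int(f.read())
    except (OSError, ValueError):
        return default


def scan_live(passes: int = 2) -> set:
    """Repeat both views and intersect the diffs, so processes that start or exit
    between the two views are not reported as hidden."""
    pid_max = read_pid_max()
    result = None
    for _ in range(passes):
        diff = {p for p in hidden_pids(pids_from_proc(), pids_by_probe(pid_max))
                if not is_thread(p)}
        result = diff if result is None else result & diff
    return result if result is not None else set()


if __name__ == "__main__":
    print("hidden PIDs:", sorted(scan_live()))
```

An empty result on a clean host is the expected output. The check only works because the two views go through different kernel paths; a rootkit that also hooks the kill() path (or lives in the kernel and filters both) defeats it, which is why dedicated tools compare many more views (scheduler statistics, /proc/<pid> direct access, network socket tables) rather than just these two.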
56
Part 5: What do botnets do?
57
Botnet Activities
  • The least damage caused by botnets: bandwidth consumption
  • Other things:
  • DDoS attacks
  • Spam
  • Click fraud
  • Data theft
  • Phishing
  • Mistrustful services

58
DDoS attacks
[Figure: the attacker commands zombies in China, Brazil, Russia and the US to flood a victim, e.g. Google.com]
http://en.wikipedia.org/wiki/Denial-of-service_attack
59
Click Fraud
  • Pay per Click (PPC) is an Internet advertising model in which advertisers pay the hosting website only when an ad is clicked.
  • Famous click-fraud bots: ClickBot (100k), Bahama Botnet (200k)

60
Click Fraud - FFSearcher
http://blog.trendmicro.com/click-fraud-takes-a-step-forward-with-troj_ffsearch/
61
Data Theft
  • Accounts for a great deal of botnet activity.
  • Purpose: harvesting user data
  • Screen captures
  • Typed data
  • Files
  • Anti-spyware software
  • Highly controversial.
  • Has resulted in scareware.

http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf
62
Data Theft - Mumba Zeus Botnet
http://avg.typepad.com/files/revised-mumba-botnet-whitepaper_approved_yi_fv-2.pdf
63
Phishing
  • A deceptive email/website/etc. to harvest confidential information.

http://library.thinkquest.org/06aug/00446/Phishing.html
64
http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf
65
Part 6: How difficult is it to create a botnet?
66
Botnet business is booming
  • The primary reason for rapid botnet evolution is the underground market
  • Botnet services have reached a professional level
  • Software, zombies or even a complete botnet service can be purchased
  • Customization & professional support
  • http://www.hackforums.net/showthread.php?tid=569629
  • http://www.hackforums.net/showthread.php?tid=507030&highlight=bot
  • http://www.hackforums.net/showthread.php?tid=611998
  • http://www.hackforums.net/showthread.php?tid=611678

67
Reality
  • Obtaining a simple botnet or botnet services DOES NOT require:
  • Great technical knowledge
  • Special hardware
  • unless you're planning to make it your primary source of income

68
What is needed to create a simple botnet
  • A bot, i.e., a small program that can remotely perform certain functions
  • A C&C server
  • A network of zombies

69
Step 1: Creating a bot
  • Where to find a bot:
  • Find a script on the Internet
  • Purchase a ready-to-go bot
  • Prices vary from $5 to $1000 depending on the bot's functionality
  • Write it yourself

70
Step 2: C&C server
  • The C&C server is simply a (powerful) computer that gives the botmaster direct access to the zombies or, if needed, stores stolen data.
  • For example, to set up an IRC server:
  • A dedicated computer with the software installed (fairly legal)
  • Buy a domain, since it should be set up as a web server
  • Hosting: to make the server accessible from the Internet, it should be hosted by a hosting company

71
Step 3: Creating zombies
  • Options:
  • Purchase/rent a network of zombies
  • Compromise computers yourself
  • Using software packages such as Mpack, Icepack and WebAttacker
  • Using your brains

72
Thank You!
73
Extra Slides
74
Social Aspects of Botnets
  • Malware in general is written by some,
    contributed by others and used by many more.
  • Incentives
  • Challenge Seeking (CH NL)
  • Fame Seeking (CA NA)
  • Revenge Seeking (C? NL)
  • Gain Seeking

75
Fight-back
  • Centralized C&C
  • C&C migration
  • Random domain names
  • E.g. after the McColo takedown
  • Peer-to-peer
  • New protocols
  • SpamThru

http://gadgets.boingboing.net/2008/11/13/colo-shutdown-takes.html
76
Botnet Detection
  • Every interaction between two entities requires a flow of information.
  • This can be utilized to detect the interaction.
  • The problem is that this interaction is generally obfuscated and mixed with other traffic of similar behaviour.
  • Traditionally, work in botnet detection has been categorized either by detection methodology (behavioural/signature) or by C&C infrastructure.

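The behavioural side of that split, as an added example that is not from the presentation: beacon detection over a constructed flow log. A bot contacts its C&C at a fixed interval, so the coefficient of variation (stdev/mean) of the gaps between successive flows of one (source, destination, port) tuple sits near zero, while a person's traffic to the same kind of server is irregular. The log lines, hosts, the IRC-port choice and the thresholds are all assumptions of the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed flow log (not a real capture), one flow per line:
# "<ISO timestamp> <src> <dst> <dport> <bytes>".
# 10.0.0.5 polls an IRC-port C&C about once a minute; 10.0.0.9 browses a web server.
FLOW_LOG = """\
2010-08-12T10:00:00 10.0.0.5 198.51.100.7 6667 312
2010-08-12T10:01:00 10.0.0.5 198.51.100.7 6667 298
2010-08-12T10:01:58 10.0.0.5 198.51.100.7 6667 305
2010-08-12T10:03:00 10.0.0.5 198.51.100.7 6667 312
2010-08-12T10:04:01 10.0.0.5 198.51.100.7 6667 299
2010-08-12T10:05:00 10.0.0.5 198.51.100.7 6667 312
2010-08-12T10:05:59 10.0.0.5 198.51.100.7 6667 310
2010-08-12T10:07:00 10.0.0.5 198.51.100.7 6667 301
2010-08-12T10:08:01 10.0.0.5 198.51.100.7 6667 312
2010-08-12T10:09:02 10.0.0.5 198.51.100.7 6667 297
2010-08-12T10:00:05 10.0.0.9 203.0.113.20 80 15234
2010-08-12T10:00:10 10.0.0.9 203.0.113.20 80 8201
2010-08-12T10:02:10 10.0.0.9 203.0.113.20 80 44012
2010-08-12T10:02:13 10.0.0.9 203.0.113.20 80 1200
2010-08-12T10:09:13 10.0.0.9 203.0.113.20 80 9870
2010-08-12T10:09:30 10.0.0.9 203.0.113.20 80 2210
2010-08-12T10:10:35 10.0.0.9 203.0.113.20 80 31000
2010-08-12T10:10:36 10.0.0.9 203.0.113.20 80 640
2010-08-12T10:15:00 10.0.0.9 203.0.113.20 80 5120
"""


def parse_flows(log: str) -> dict:
    """Group flow start times (epoch seconds) by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _nbytes = line.split()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts).timestamp())
    return flows


def beacon_score(times: list):
    """Return (coefficient of variation, mean gap) of the gaps between successive flows,
    or None with fewer than three flows. Near 0 is clockwork; above ~0.5 looks human."""
    if len(times) < 3:
        return None
    ordered = sorted(times)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return statistics.pstdev(gaps) / mean, mean


def find_beacons(log: str, min_flows: int = 8, max_cv: float = 0.15) -> dict:
    """Flag tuples with enough flows and near-constant inter-flow gaps
    (min_flows and max_cv are illustrative assumptions)."""
    flagged = {}
    for key, times in parse_flows(log).items():
        score = beacon_score(times)
        if score is None or len(times) < min_flows:
            continue
        cv, period = score
        if cv <= max_cv:
            flagged[key] = {"flows": len(times), "cv": round(cv, 3), "period_s": round(period)}
    return flagged


if __name__ == "__main__":
    for key, info in find_beacons(FLOW_LOG).items():
        print(key, info)
```

Bots that add random jitter to their sleep raise the coefficient of variation, so in practice the threshold is tuned per environment and the window is made long enough that jitter averages out. Legitimate software also beacons (NTP, update checks, monitoring agents), so a hit is a lead to enrich with the destination's reputation, not a verdict on its own.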
77
References
  • The Gumblar system, http://www.securelist.com/en/weblog?discuss=208187897&return=1
  • C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, S. Savage. Spamalytics: An Empirical Analysis of Spam Marketing Conversion. 15th ACM Conference on Computer and Communications Security (CCS 2008), Alexandria, VA, USA.
  • The Koobface botnet, http://us.trendmicro.com
  • Malicious websites, http://www.ipa.go.jp/security/english/virus/press/201001/E_PR201001.html
  • The fast flux techniques, http://old.honeynet.org/papers/ff/index.html