Botnets - PowerPoint PPT Presentation

About This Presentation
Title:

Botnets

Slides: 34
Provided by: utda
Tags: botnets | spybot


Transcript and Presenter's Notes


1
Botnets
  • by
  • Mohammad Mehedy Masud
  • GUEST LECTURE

2
Botnets
  • Introduction
  • History
  • How do they spread?
  • What do they do?
  • Why care about them?
  • Detection and Prevention

3
Bot
  • The term 'bot' comes from 'robot'.
  • In computing, 'bot' usually refers to an automated
    process.
  • There are good bots and bad bots.
  • Example of good bots
  • Google bot
  • Game bot
  • Example of bad bots
  • Malicious software that steals information

4
Botnet
  • Network of compromised/bot-infected machines
    (zombies) under the control of a human attacker
    (botmaster)

5
History
  • In the beginning, there were only good bots.
  • e.g. Google bot, game bot etc.
  • Later, bad people thought of creating bad bots so
    that they could
  • Send spam and phishing emails
  • Control other people's PCs
  • Launch attacks on servers (DDoS)
  • Many malicious bots were created
  • SDBot/Agobot/Phatbot etc.
  • Botnets started to emerge

6
TimeLine
  • (timeline figure; only the year labels survived extraction:
    1989, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, Present)
7
Cases in the news
  • Axel Gembe
  • Author of Agobot (aka Gaobot, Polybot)
  • 21 yrs old
  • Arrested in Germany in 2004 under Germany's
    computer sabotage law
  • Jeffrey Parson
  • Released a variation of the Blaster worm
  • Infected 48,000 computers worldwide
  • 18 yrs old
  • Arrested, sentenced to 18 months and 3 yrs of
    supervised release

8
How The Botnet Grows
9
How The Botnet Grows
10
How The Botnet Grows
11
How The Botnet Grows
12
Recruiting New Machines
  • Exploit a vulnerability to execute a short
    program (the exploit) on the victim's machine
  • Buffer overflows, email viruses, Trojans etc.
  • Exploit downloads and installs actual bot
  • Bot disables firewall and A/V software
  • Bot locates IRC server, connects, joins
  • Typically needs DNS to find out the server's IP
    address
  • Authentication password often stored in bot
    binary
  • Botmaster issues commands

13
Recruiting New Machines
14
What Is It Used For
  • Botnets are mainly used for only one thing

15
How Are They Used
  • Distributed Denial of Service (DDoS) attacks
  • Sending spam
  • Phishing (fake websites)
  • Adware (Trojan horse)
  • Spyware (keylogging, information harvesting)
  • Storing pirated materials

16
Example SDBot
  • Open-source Malware
  • Aliases
  • McAfee: IRC-SDBot, Symantec: Backdoor.Sdbot
  • Infection
  • Mostly through network shares
  • Try to connect using password guessing (exploits
    weak passwords)
  • Signs of Compromise
  • SDBot copies itself to the System folder; known
    filenames: Aim95.exe, Syscfg32.exe etc.
  • Registry entries modified
  • Unexpected traffic: port 6667 or 7000
  • Known IRC channels: Zxcvbnmas.i989.net etc.

17
Example RBot
  • First of the Bot families to use encryption
  • Aliases
  • McAfee: W32/SDbot.worm.gen.g, Symantec:
    W32.Spybot.worm
  • Infection
  • Network shares, exploiting weak passwords
  • Known software vulnerabilities in Windows (e.g. the
    LSASS buffer overflow vulnerability)
  • Signs of Compromise
  • Copies itself to the System folder; known filenames:
    wuamgrd.exe, or random names
  • Registry entries modified
  • Terminates A/V processes
  • Unexpected traffic: port 113 or other open ports

18
Example Agobot
  • Modular Functionality
  • Rather than infecting a system all at once, it
    proceeds through three stages (3 modules)
  • Infect a client with the bot and open a backdoor
  • Shut down A/V tools
  • Block access to A/V and security-related sites
  • After successful completion of one stage, the
    code for the next stage is downloaded
  • Advantage?
  • developer can update or modify one portion/module
    without having to rewrite or recompile entire
    code

19
Example Agobot
  • Aliases
  • McAfee: W32/Gaobot.worm, Symantec:
    W32.HLLW.Gaobot.gen
  • Infection
  • Network shares, password guessing
  • P2P systems: Kazaa etc.
  • Protocol: WASTE
  • Signs of Compromise
  • System folder: svshost.exe, sysmgr.exe etc.
  • Registry entries modified
  • Terminates A/V processes
  • Modifies the System\drivers\etc\hosts file
  • Symantec/McAfee's LiveUpdate sites are
    redirected to 127.0.0.1
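A host-based check for the hosts-file symptom listed above, written as an added example (not part of the lecture): it parses a constructed Windows hosts file and flags security-vendor hostnames pinned to a loopback or blackhole address. The vendor domain list and the sample entries are assumptions.

```python
from typing import List, Tuple

# Constructed sample hosts file, not taken from a real infected machine.
# Lines 3-5 imitate the Agobot symptom from the slide: vendor update sites
# pinned to 127.0.0.1 so A/V updates silently fail.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com
127.0.0.1       update.symantec.com
127.0.0.1       download.mcafee.com
"""

# Domains a hosts file should never resolve locally (assumed list; extend it).
SECURITY_DOMAINS = ("symantec.com", "mcafee.com", "windowsupdate.com")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def _is_security_domain(name: str) -> bool:
    """True if name equals or is a subdomain of a listed vendor domain."""
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS)


def find_hosts_tampering(hosts_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for entries that map a vendor
    hostname to a loopback/blackhole address."""
    findings = []
    for n, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            if name.lower() == "localhost":
                continue                       # legitimate loopback entry
            if ip in LOOPBACK and _is_security_domain(name):
                findings.append((n, ip, name))
    return findings


if __name__ == "__main__":
    for line_no, ip, name in find_hosts_tampering(SAMPLE_HOSTS):
        print(f"hosts line {line_no}: {name} -> {ip} (update site blackholed)")
```

The same parser works on /etc/hosts on Unix hosts; on Windows read %SystemRoot%\System32\drivers\etc\hosts.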

20
Example Agobot
  • Signs of Compromise (contd..)
  • Theft of information: seeks and steals CD keys for
    popular games like Half-Life, NFS etc.
  • Unexpected traffic: open ports to IRC server
    etc.
  • Scanning: Windows, SQL Server etc.

21
DDoS Attack
  • Goal: overwhelm the victim machine and deny service
    to its legitimate clients
  • DoS often exploits networking protocols
  • Smurf: ICMP echo request to a broadcast address
    with the spoofed victim's address as source
  • Ping of death: ICMP packets with payloads greater
    than 64K crash older versions of Windows
  • SYN flood: open TCP connection requests from a
    spoofed address
  • UDP flood: exhaust bandwidth by sending thousands
    of bogus UDP packets

22
DDoS attack
  • Coordinated attack on a specified host
  • (diagram: Attacker, Master (IRC server) machines,
    Zombie machines, Victim)
23
Why DDoS attack?
  • Extortion
  • Take down systems until they pay
  • Works sometimes too!
  • Example: 180solutions, Aug 2005
  • Botmaster used bots to distribute 180solutions
    adware
  • 180solutions shut down the botmaster
  • Botmaster threatened to take down 180solutions if
    not paid
  • When not paid, the botmaster used DDoS
  • 180solutions filed a civil lawsuit against the hackers

24
Botnet Detection
  • Host Based
  • Intrusion Detection Systems (IDS)
  • Anomaly Detection
  • IRC Nicknames
  • HoneyPot and HoneyNet

25
Host-based detection
  • Virus scanning
  • Watching for Symptoms
  • Modification of the Windows hosts file
  • Random unexplained popups
  • Machine slowness
  • Antivirus not working
  • Watching for Suspicious network traffic
  • Since IRC is not commonly used, any IRC traffic
    is suspicious. Sniff this IRC traffic
  • Check if the host is trying to communicate with any
    Command and Control (C&C) center
  • Through firewall logs: denied connections

26
Network Intrusion Detection Systems
  • Example systems: Snort and Bro
  • Sniff network packets, look for specific
    patterns (called signatures)
  • If any pattern matches that of a malicious
    binary, then block that traffic and raise an alert
  • These systems can efficiently detect viruses/worms
    with known signatures
  • Can't detect any malware whose signature is
    unknown (i.e., zero-day attacks)

27
Anomaly Detection
  • Normal traffic has some patterns
  • Bandwidth/Port usage
  • Byte-level characteristics (histograms)
  • Protocol analysis: gather statistics about
  • TCP/UDP source and destination addresses
  • Start/end of flow, byte count
  • DNS lookups
  • First learn the normal traffic pattern
  • Then detect any anomaly in that pattern
  • Example systems: SNMP, NetFlow
  • Problems
  • Poisoning
  • Stealth
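The learn-then-detect loop described above, as an added example that is not part of the lecture: a per-host byte-count baseline is learned from constructed NetFlow-style window summaries, then live windows are scored against mean + k * stdev. The hosts, window sizes and the k/floor values are assumptions.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed flow summaries (host, window_index, bytes_out), like what a
# NetFlow collector exports per 5-minute window. Not real measurements.
TRAINING = [("10.0.0.5", w, 40_000 + (w % 5) * 1_000) for w in range(12)] + \
           [("10.0.0.7", w, 8_000 + (w % 3) * 500) for w in range(12)]
LIVE = [("10.0.0.5", 12, 43_000),    # within its usual range
        ("10.0.0.7", 12, 650_000),   # sudden burst, e.g. spam run or flood
        ("10.0.0.9", 12, 5_000)]     # host never seen during learning


def learn_baseline(flows: List[Tuple[str, int, int]]) -> Dict[str, Tuple[float, float]]:
    """Learn (mean, population stdev) of bytes per window for each host."""
    per_host = defaultdict(list)
    for host, _window, nbytes in flows:
        per_host[host].append(nbytes)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in per_host.items()}


def detect_anomalies(baseline: Dict[str, Tuple[float, float]],
                     flows: List[Tuple[str, int, int]],
                     k: float = 3.0, floor: float = 1_000.0) -> List[Tuple[str, int, str]]:
    """Flag windows above mean + k*stdev; unknown hosts are flagged too."""
    alerts = []
    for host, window, nbytes in flows:
        if host not in baseline:
            alerts.append((host, window, "no baseline for host"))
            continue
        mean, sd = baseline[host]
        # floor keeps a perfectly flat baseline from alerting on tiny noise
        threshold = mean + k * max(sd, floor)
        if nbytes > threshold:
            alerts.append((host, window, f"{nbytes} bytes > {threshold:.0f}"))
    return alerts


if __name__ == "__main__":
    for host, window, why in detect_anomalies(learn_baseline(TRAINING), LIVE):
        print(f"window {window} host {host}: {why}")
```

The poisoning problem from the slide is visible here: if the burst host's traffic had already been in TRAINING, its mean and stdev would absorb it and the live burst would pass as normal.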

28
IRC Nicknames
  • Bots use weird nicknames
  • But they have certain pattern (really!)
  • If we can learn that pattern, we can detect bots /
    botnets
  • Example nicknames:
  • USA016887436 or DE028509327
  • Country + random number (9 digits)
  • RBOTXP48124
  • Bot type + machine type + random number
  • Problem: may be defeated by changing the nickname
    randomly
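An added example (not from the lecture) that combines the host-based IRC traffic check from slide 25 with the nickname patterns on this slide: it scans constructed sniffer-style lines for connections to the IRC ports the SDBot slide names and for NICK commands matching the two nickname shapes. The regexes, the OS suffix list and the sample lines are assumptions.

```python
import re
from typing import Dict, List

IRC_PORTS = {6667, 7000}            # ports named on the SDBot slide

# Nickname shapes from the slide, written as regexes. The exact character
# classes and the OS suffix list (XP/2K/NT/98) are assumptions for the example.
NICK_PATTERNS = {
    "country + 9-digit number": re.compile(r"^[A-Z]{2,3}\d{9}$"),                 # USA016887436
    "bot type + OS + number": re.compile(r"^[A-Z]{3,6}(?:XP|2K|NT|98)\d{4,}$"),   # RBOTXP48124
}

# Constructed sniffer-style lines: "src:port -> dst:port payload". Not real captures.
SAMPLE_LINES = [
    "10.0.0.5:1044 -> 203.0.113.9:6667 NICK USA016887436",
    "10.0.0.7:1051 -> 203.0.113.9:7000 NICK RBOTXP48124",
    "10.0.0.8:1055 -> 203.0.113.9:1337 NICK DE028509327",   # IRC on a non-standard port
    "10.0.0.9:1060 -> 198.51.100.4:6667 NICK alice_",       # a human on IRC
    "10.0.0.9:1061 -> 198.51.100.4:443 GET /index.html",
]

FLOW_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (.*)$")
NICK_RE = re.compile(r"^NICK\s+:?(\S+)")


def classify_line(line: str) -> List[str]:
    """Return the reasons a line is suspicious; an empty list means clean."""
    m = FLOW_RE.match(line)
    if not m:
        return []
    _src, _sport, _dst, dport, payload = m.groups()
    reasons = []
    if int(dport) in IRC_PORTS:
        reasons.append(f"connection to IRC port {dport}")
    n = NICK_RE.match(payload)
    if n:
        nick = n.group(1)
        for label, rx in NICK_PATTERNS.items():
            if rx.match(nick):
                reasons.append(f"bot-style nick {nick} ({label})")
    return reasons


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious line to its list of reasons."""
    return {line: r for line in lines if (r := classify_line(line))}


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LINES).items():
        print(line, "=>", "; ".join(reasons))
```

The slide's caveat shows in the output: a bot that randomises its nickname only trips the port rule, and one that moves to a non-standard port only trips the nickname rule, so neither rule is sufficient alone.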

29
HoneyPot and HoneyNet
  • A HoneyPot is a vulnerable machine, ready to be
    attacked
  • Example: unpatched Windows 2000 or Windows XP
  • Once attacked, the malware is caught inside
  • The malware is analyzed, its activity is
    monitored
  • When it connects to the C&C server, the server's
    identity is revealed

30
HoneyPot and HoneyNet
  • Thus much information about the bot is obtained:
  • C&C server address, master commands
  • Channel, nickname, password
  • Now do the following:
  • Make a fake bot
  • Join the same IRC channel with the same
    nickname/password
  • Monitor who else is in the channel, thus
    observe the botnet
  • Collect statistics: how many bots
  • Collect sensitive information: who is being
    attacked, when, etc.

31
HoneyPot and HoneyNet
  • Finally, take down the botnet
  • HoneyNet: a network of honeypots (see the
    HoneyNet Project)
  • Very effective, has worked in many cases
  • They also pose a great security risk
  • If not maintained properly, hackers may use them
    to attack others
  • Must be monitored cautiously

32
Summary
  • Today we have learned
  • What a botnet is
  • How / why they are used
  • How to detect / prevent

33
Questions?