Offense: Brute Force - PowerPoint PPT Presentation

About This Presentation
Title:

Offense: Brute Force

Description:

Offense: Brute Force. A Multifaceted Approach to Understanding the Botnet ... The paper complains that the footprint is much larger than the effective size. So? ... – PowerPoint PPT presentation

Number of Views:44
Avg rating:3.0/5.0
Slides: 13
Provided by: ronwi3
Category:

less

Transcript and Presenter's Notes

Title: Offense: Brute Force


1
Offense Brute Force
  • A Multifaceted Approach to Understanding the
    Botnet Phenomenon(Rajab/Zarfoss/Monrose/Terzis)

2
Enough Data?
  • Research paper states
  • 800,000 DNS domains examined
  • 85,000 servers botnet-infected
  • 65 IRC server domain names
  • Is above data statistically significant?
  • 450,000,000 hosts via DNS (isc.org)
  • Over 150,000,000 domain names exist
  • 47,700,000 .com domains (1 probed)

3
Realtime Tracking
Source Shadowserver.org
4
Longitudinal Tracking
  • Research paper states
  • 65 IRC server domain names
  • 85,000 servers infected by bots
  • Type-II botnets only
  • Shadowserver.org tracking (2 years)
  • 1800 active botnets daily
  • 3,000,000 active bots daily
  • Updates every 15 minutes

5
Wheres the 40?
  • Research paper exclusively WinTel
  • Easier to obtain bot binaries?
  • Most internet servers are Linux-based
  • Hard to ignore the majority
  • Worm or Trojan backdoors exploited
  • Defenses are already weakened

6
Botnet size
  • Footprint vs. effective size
  • The paper complains that the footprint is much
    larger than the effective size.
  • So? Bots are trying to stay off DNSBL (black
    lists) and be more stealthy.
  • Sections of footprint may be rented out

7
Botmaster concerns
Source swatit.org
8
CC Stealth
  • Botmasters want to remain hidden
  • IRC-based isnt the only way
  • Peer-to-peer systems hide IP source addr
  • Virtualization of CC
  • Dynamic web servers
  • Network creation/reconfiguration
  • Come and go quickly
  • Difficult to trace
  • Works for honeypots, why not botnets?

9
Bot Clones
10
Bot Planning
11
Gray-box testing
  • Only binary bot behavior studied
  • Results limited by mimicing IRC state
  • Research emphasized automation over thoroughness
  • Source code or disassembly reveals more
  • Behavior may be different in honeynet

12
Agobot CC
Variable Description
bot ftrans port Set bot - file transfer port
bot ftrans port ftp Set bot - file transfer port for FTP
si chanpass IRC server information - channel password
si mainchan IRC server information - main channel
si nickprefix IRC server information - nickname prefix
si port IRC server information - server port
si server IRC server information - server address
si servpass IRC server information - server password
si usessl IRC server information - use SSL ?
si nick IRC server information - nickname
bot version Bot - version
bot filename Bot - runtime filename
bot id Bot - current ID
bot prefix Bot - command prefix
bot timeo Bot - timeout for receiving (in milliseconds)
bot seclogin Bot - enable login only by channel messages
bot compnick Bot - use the computer name as a nickname
bot randnick Bot - random nicknames of letters and numbers
bot meltserver Bot - melt the original server file
bot topiccmd Bot - execute topic commands
do speedtest Bot - do speed test on startup
do avkill Bot - enable anti-virus kill
do stealth Bot - enable stealth operation
as valname Autostart - value name
as enabled Autostart - enabled
as service Autostart - start as service
as service name Autostart - short service name
scan maxthreads Scanner - maximum number of threads
scan maxsockets Scanner - Maximum number of sockets
ddos maxthreads DDoS - maximum number of threads
redir maxthreads Redirect - maximum number of threads
identd enabled IdentD - enable the server
cdkey windows Return windows product keys on cdkey.get
scaninfo chan Scanner - output channel
scaninfo level Info level 1 (less) - (3) more
spam aol channel AOL spam - channel name
spam aol enabled AOL spam - enabled ?
sniffer enabled Sniffer - enabled ?
sniffer channel Sniffer - output channel
vuln channel Vulnerability daemon sniffer channel
inst polymorph Installer - polymorphoic on install ?
Command Description
bot.about Displays information (e.g., version) about the bot code
bot.die Terminates the bot
bot.dns Resolves IP/hostname via DNS
bot.execute Makes the bot execute a specific .exe
bot.id Displays the ID of the current bot code
bot.nick Changes the nickname of the bot
bot.open Opens a specified file
bot.remove Removes the bot from the host
bot.removeallbut Removes the bot if ID does not match
bot.rndnick Makes the bot generate a new random nickname
bot.status Echo bot status information
bot.sysinfo Echo the bots system information
bot.longuptime If uptime gt 7 days then bot will respond
bot.highspeed If speedgt 5000 then bot will respond
bot.quit Quits the bot
bot.flushdns Flushes the bots DNS cache
bot.secure Delete specified shares and disable DCOM
bot.unsecure Enable specified shares and enables DCOM
bot.command Executes a specified command with system()
13
Botnet evolution
  • Polymorphic bot code
  • Gmail as control protocol
  • SSL usage
  • Invisible to network inspection
  • XML/RSS messages
  • Exploit IPv6 flaws

14
? ? ?
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Offense: Brute Force" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!