An Inside Look at Botnets
ARO-DHS Special Workshop on Malware Detection, 2005
Written By: Paul Barford and Vinod Yegneswaran, University of Wisconsin, Madison
Presented By: Jarrod Williams
Outline
• Motivation/Goals
• Botnets
• Botnet Attributes
• Conclusion/Review

Motivation/Goals
• Increase in botnet usage: spam, DDoS, identity theft
• The objective of the paper is to understand how botnets work and find commonalities between them
• Botnets studied: Agobot (4.0 Pre-Release), SDBot (05b), SpyBot (1.4), GT Bot with DCOM
Motivation/Goals
• Architecture
• Botnet control mechanisms
• Host control mechanisms
• Propagation mechanisms
• Exploits and attack mechanisms
• Malware delivery mechanisms
• Obfuscation methods
• Deception mechanisms

Botnets
• A collection of compromised computers running software controlled by a single user
• Botnets are controlled by a botmaster
• Compromised host machines are called zombies
• Zombies communicate using IRC
• A botnet can contain many different versions of the same bot; these versions make up botnet families

Internet Relay Chat
• IRC is a form of real-time Internet text messaging. It is mainly designed for group communication, but it also allows one-to-one communication via private message and data transfers via direct client-to-client connections
• Created by Jarkko Oikarinen in August 1988
Botnet Attributes Considered
• Architecture
• Botnet control mechanisms
• Host control mechanisms
• Propagation mechanisms
• Exploits and attack mechanisms
• Malware delivery mechanisms
• Obfuscation methods
• Deception mechanisms

Agobot (4.0 Pre-Release)
• Most sophisticated of the four
• Released October, 2002
• Hundreds of variants of this bot exist; it is also commonly referred to as Phatbot
• Roughly 20,000 lines of C/C++
• The ability to launch different kinds of DoS attacks
• The ability to harvest the local host for PayPal passwords and AOL keys through traffic sniffing, key logging or searching registry entries

SDBot (05b)
• Fairly simple
• Released October, 2002
• Hundreds of variants of this bot
• Slightly over 2,000 lines of C
• Does not include any overtly malicious code modules
• The code is obviously easy to extend and patch
• Patches contain the malicious code an attacker needs
• 80 patches for SDBot were found through Internet web searching

SpyBot (1.4)
• Relatively small, like SDBot
• Released April, 2003
• Under 3,000 lines of C
• The command and control engine appears to be shared with SDBot, and it likely evolved from SDBot
• Includes NetBIOS/Kuang/Netdevil/KaZaa exploits
• Contains modules for launching flooding attacks and has scanning capabilities

GT Bot with DCOM
• Simple design providing a limited set of functions
• Released April, 1998
• Global Threat Bot has hundreds of variants and is also referred to as Aristotles
• Easy to modify, but nothing suggests it was designed with extensibility in mind
• Capabilities include port scanning, DoS attacks, and exploits for RPC and NetBIOS services
• Includes the HideWindow program, which keeps the bot hidden on the local system
Botnet Attributes Considered
• Architecture
• Botnet control mechanisms
• Host control mechanisms
• Propagation mechanisms
• Exploits and attack mechanisms
• Malware delivery mechanisms
• Obfuscation methods
• Deception mechanisms

Agobot (4.0 Pre-Release)
• Simple vertical and horizontal scanning
• Scanning is based on the network ranges (network prefixes) configured on individual bots

SDBot (05b)
• By virtue of its benign intent, SDBot does not have scanning or propagation capability in its base distribution
• Many variants of SDBot include scanning and propagation capability

SpyBot (1.4)
• Simple command interface for scanning
• Horizontal and vertical scanning capability
• Scans are sequential
• Command: scan <startIP address> <port> <delay> <spreaders> <logfilename>
• Example: scan 127.0.0.1 17300 1 netbios portscan.txt
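The command syntax above is what a monitor sitting on a C&C channel has to recognise. As an added example (not from the slides or the paper), this Python parser pulls SpyBot-style scan orders out of captured IRC PRIVMSG lines and rejects malformed ones; the IRC lines, nicks and channel name are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed IRC lines, as a defender might see them in a C&C capture. The scan
# syntax is the SpyBot 1.4 command from the slide:
#   scan <startIP address> <port> <delay> <spreaders> <logfilename>
SAMPLE_IRC_LINES = [
    ":op!op@host PRIVMSG #ctrl :scan 127.0.0.1 17300 1 netbios portscan.txt",
    ":op!op@host PRIVMSG #ctrl :scan 10.0.0.1 445 5 kuang log.txt",
    ":bot1!b@host PRIVMSG #ctrl :scan 10.0.0.1 99999 1 netbios x.txt",  # bad port
    ":bot2!b@host PRIVMSG #ctrl :hello there",                          # chatter
    ":op!op@host PRIVMSG #ctrl :scan not-an-ip 139 1 netbios x.txt",     # bad IP
]

# :nick!user@host PRIVMSG <target> :<text>
PRIVMSG_RE = re.compile(r"^:(?P<nick>[^!\s]+)\S*\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")

@dataclass
class ScanCommand:
    nick: str        # who issued the order (the botmaster's IRC nick)
    channel: str     # control channel the order was sent to
    start_ip: str
    port: int
    delay: int
    spreader: str    # exploit module the bot is told to use on responsive hosts
    logfile: str

def parse_scan_command(line: str) -> Optional[ScanCommand]:
    # Returns a ScanCommand for a well-formed scan order, None for anything else.
    m = PRIVMSG_RE.match(line)
    if not m:
        return None
    fields = m.group("text").split()
    if len(fields) != 6 or fields[0].lower() != "scan":
        return None
    _, start_ip, port, delay, spreader, logfile = fields
    try:
        ipaddress.ip_address(start_ip)          # rejects "not-an-ip"
        port_n, delay_n = int(port), int(delay)
    except ValueError:
        return None
    if not 0 < port_n < 65536 or delay_n < 0:   # rejects port 99999
        return None
    return ScanCommand(m.group("nick"), m.group("target"), start_ip, port_n,
                       delay_n, spreader, logfile)

def extract_scan_orders(lines: List[str]) -> List[ScanCommand]:
    # One alert record per valid scan order; malformed lines are skipped.
    return [cmd for cmd in map(parse_scan_command, lines) if cmd is not None]
```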
GT Bot with DCOM
• Includes support for simple horizontal and vertical scanning

Botnet Attributes Considered
• Architecture
• Botnet control mechanisms
• Host control mechanisms
• Propagation mechanisms
• Exploits and attack mechanisms
• Malware delivery mechanisms
• Obfuscation methods
• Deception mechanisms

Agobot (4.0 Pre-Release)
• Has the most elaborate set of exploit modules of the four bots analyzed
• Bagle scanner: scans for back doors left by Bagle variants on port 2745
• DCOM scanner: scans for the well-known DCE-RPC buffer overflow
• MyDoom scanner: scans for back doors left by variants of the MyDoom worm on port 3127
• Dameware scanner: scans for vulnerable versions of the Dameware network administration tool
• NetBIOS scanner: brute-force password scanning for open NetBIOS shares
• Radmin scanner: scans for the Radmin buffer overflow
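Each scanner module above sweeps a prefix for a single port, which is what a horizontal-scan detector keys on. The following Python is an added example, not code from the paper: it runs over a constructed flow log and flags a source that reaches many distinct hosts on the same port within a short window, labelling the two back-door ports the slide names.

```python
from collections import defaultdict

# Ports the Agobot scanner modules on the slide probe: 2745 (Bagle back door) and
# 3127 (MyDoom back door). Sweeps on any other port are still reported, unlabelled.
KNOWN_BACKDOOR_PORTS = {2745: "Bagle back door", 3127: "MyDoom back door"}

# Constructed flow log: (timestamp_seconds, src_ip, dst_ip, dst_port).
# 10.1.1.7 sweeps 25 neighbours on each back-door port; 10.1.1.9 is ordinary HTTPS use.
SAMPLE_FLOWS = (
    [(100, "10.1.1.7", f"10.2.0.{i}", 2745) for i in range(1, 26)]
    + [(160, "10.1.1.7", f"10.2.0.{i}", 3127) for i in range(1, 26)]
    + [(170, "10.1.1.9", "10.2.0.5", 443), (171, "10.1.1.9", "10.2.0.6", 443)]
)

def detect_horizontal_scans(flows, min_targets=20, window=60):
    """Report each (src, port) pair that reaches >= min_targets distinct hosts on
    that port within any `window`-second span: the footprint of a bot sweeping a
    prefix with one exploit module."""
    by_key = defaultdict(list)                  # (src, port) -> [(ts, dst), ...]
    for ts, src, dst, port in flows:
        by_key[(src, port)].append((ts, dst))
    alerts = []
    for (src, port), events in by_key.items():
        events.sort()
        for i, (t0, _) in enumerate(events):    # slide the window over each start
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                alerts.append({"src": src, "port": port, "targets": len(targets),
                               "label": KNOWN_BACKDOOR_PORTS.get(port, "unlabelled port")})
                break                           # one alert per (src, port)
    return alerts
```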
SDBot (05b)
• SDBot does not have any exploits packaged in its standard distribution
• It does include modules for sending both UDP and ICMP packets, which could be used for simple flooding attacks
• Other variants of SDBot contain more exploit modules

SpyBot (1.4)
• This version of SpyBot only included a module that attacked open NetBIOS shares
• The DDoS interface is closely related to SDBot's and includes capabilities for launching simple UDP, ICMP, and TCP SYN floods
• Other variants of SpyBot contain more exploit modules

GT Bot with DCOM
• Developed to include RPC-DCOM exploits
• Has the capability to launch simple ICMP floods
• Other variants of GT Bot contain DDoS capabilities such as UDP and TCP SYN floods, as well as other known exploits

Botnet Attributes Considered
• Architecture
• Botnet control mechanisms
• Host control mechanisms
• Propagation mechanisms
• Exploits and attack mechanisms
• Malware delivery mechanisms
• Obfuscation methods
• Deception mechanisms

Agobot (4.0 Pre-Release)
• Of the four bots analyzed, only Agobot had elaborate deception mechanisms
• Mechanisms included:
• Tests for debuggers such as OllyDebug, SoftIce and Procdump
• Test for VMware
• Killing anti-virus processes
• Altering DNS entries of anti-virus software companies to point to the local host
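The last deception mechanism above, pointing anti-virus vendor names at the local host, is usually done by rewriting the hosts file (an assumption; the slide only says "DNS entries"). As an added example, not from the paper, this Python check parses hosts-file text and reports watchlisted names mapped to a loopback or 0.0.0.0 address; the file content and the vendor domains are constructed placeholders.

```python
import ipaddress

# Constructed hosts-file content; the lines after "# bot" are the tampered block.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# bot
127.0.0.1   www.example-av.test update.example-av.test
0.0.0.0     downloads.example-av.test
192.0.2.10  intranet.corp.test
"""

# Constructed watchlist of vendor domains a defender expects to resolve publicly.
# Placeholder names under the reserved .test TLD, not real vendor domains.
AV_DOMAIN_WATCHLIST = {"example-av.test", "other-av.test"}

def is_blackholed(ip_text):
    """True for addresses that swallow traffic: loopback (127/8, ::1) or 0.0.0.0."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def on_watchlist(hostname, watchlist):
    """Match the name itself or any subdomain of a watchlisted domain."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watchlist)

def find_blackholed_entries(hosts_text, watchlist=AV_DOMAIN_WATCHLIST):
    """Return (line_no, ip, hostname) for watchlisted names mapped to a black-hole address."""
    hits = []
    for no, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()               # one IP, one or more hostnames
        if not is_blackholed(ip):
            continue
        for name in names:
            if name.lower() == "localhost":     # the legitimate loopback entry
                continue
            if on_watchlist(name, watchlist):
                hits.append((no, ip, name))
    return hits
```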
Conclusion
• Botnets are widely used and communicate using IRC
• The paper describes the functional components of botnets, categorized into eight components
• Understand your enemy

Strengths
• Presents information on the different bots in an organized fashion
• Is the first step toward codifying botnet capabilities

Weaknesses
• Only presents a high-level overview of a limited number of bots, and only one specific version of each bot
• More attention should be paid to a bot family rather than a specific bot

References
• An Inside Look at Botnets: http://pages.cs.wisc.edu/~pb/botnets_final.pdf
• Wikipedia, Botnet: http://en.wikipedia.org/wiki/Botnet
• Wikipedia, IRC: http://en.wikipedia.org/wiki/IRC