Bots and Botnets, plus forensic analysis of a bot
Introduction • Wayne Hauber • Computer consultant since 1984 at Iowa State University • Started analyzing bots as a major focus in 2002
Bots and Botnets • Bot – nothing more than a remotely controlled program • A collection of bots controlled from a central source is a botnet • Most bots have their origin in some segment of the IRC community • Botnet controllers are either public IRC servers or custom private IRC servers
Not New • Floodbots appeared at ISU in early 1990s. Mostly a nuisance to staff from fringe IRC users • First SYN Flood denial of service attacks in 1997 • See the Hank Nussbacher presentation for a good chronology
What is new • Organization • Talent • Skills • Complete disregard for the values of mainstream society
Pubstros/distros • In late 2001 and early 2002, the first Pubstros appeared at ISU • Pubstros are servers created on a vulnerable system • They serve movies, games, software and pornography • Usually some other software is installed, expect password crackers, keyloggers, proxies and network scanners
Pubstros/distros • Pubstros were created by a highly organized and developed society of IRC users • Pubstro/distro tutorials were published on the web
Pubstros/distros • Hierarchical duties were assigned to those establishing pubstros • One group scanned for proxy systems and installed scanning tools • Another group scanned for vulnerable systems and posted a list • Another group laid down the server and the contraband • Quotas determined status in the group
Pubstros/distros • A group in the far east supplies movies often prior to US release dates
Pubstros/distros • At ISU, we locate some pubstros because they are in our top-20 network traffic list • Others are detected because they “look the same” as a top-20 pubstro • Some are detected because other activity is detected by netflow monitoring • Some are detected when a hacker is clumsy
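The two netflow-based detections on this slide, ranking hosts by traffic volume and then finding other hosts that "look the same" as a known pubstro, can be expressed over flow records. The following is an added example and not ISU's monitoring code: the flow tuple layout, the campus prefix 10.0., the sample flows and the thresholds (80% of bytes on one service port, at least three peers) are all constructed assumptions.

```python
"""Top-N talkers and pubstro look-alike matching over NetFlow-style records.

Added example; the record format, campus prefix, sample flows and thresholds
are assumptions, not the monitoring actually used at ISU.
"""
from collections import defaultdict

CAMPUS_PREFIX = "10.0."  # assumed campus address space

# Constructed sample flows: (src, dst, src_port, dst_port, bytes), campus hosts outbound.
SAMPLE_FLOWS = [
    # 10.0.1.5: known pubstro serving FTP, huge outbound volume to many peers
    ("10.0.1.5", "203.0.113.10", 21, 51000, 900_000_000),
    ("10.0.1.5", "203.0.113.11", 21, 51001, 850_000_000),
    ("10.0.1.5", "198.51.100.7", 21, 51002, 700_000_000),
    ("10.0.1.5", "198.51.100.8", 21, 51003, 600_000_000),
    ("10.0.1.5", "198.51.100.9", 21, 51004, 550_000_000),
    # 10.0.2.9: far below the top-20 by volume, but the same traffic shape
    ("10.0.2.9", "203.0.113.20", 21, 52000, 40_000_000),
    ("10.0.2.9", "203.0.113.21", 21, 52001, 35_000_000),
    ("10.0.2.9", "203.0.113.22", 21, 52002, 30_000_000),
    ("10.0.2.9", "203.0.113.23", 21, 52003, 30_000_000),
    ("10.0.2.9", "203.0.113.24", 21, 52004, 25_000_000),
    # 10.0.3.1: a legitimate, busy web server (high volume, but port 80)
    ("10.0.3.1", "203.0.113.30", 80, 53000, 500_000_000),
    ("10.0.3.1", "203.0.113.31", 80, 53001, 450_000_000),
    ("10.0.3.1", "203.0.113.32", 80, 53002, 400_000_000),
    # 10.0.4.2: an ordinary workstation browsing the web (client side)
    ("10.0.4.2", "203.0.113.40", 54000, 80, 2_000_000),
    ("10.0.4.2", "203.0.113.41", 54001, 443, 3_000_000),
    ("10.0.4.2", "203.0.113.42", 54002, 80, 1_000_000),
]


def build_profiles(flows):
    """Aggregate per campus source host: total bytes, bytes per source port, distinct peers."""
    profiles = {}
    for src, dst, sport, _dport, nbytes in flows:
        if not src.startswith(CAMPUS_PREFIX):
            continue
        prof = profiles.setdefault(src, {"bytes": 0, "by_port": defaultdict(int), "peers": set()})
        prof["bytes"] += nbytes
        prof["by_port"][sport] += nbytes
        prof["peers"].add(dst)
    return profiles


def top_talkers(profiles, n=20):
    """Hosts ranked by total outbound bytes; the 'top-20 list' of the slide."""
    return sorted(profiles, key=lambda h: profiles[h]["bytes"], reverse=True)[:n]


def shape(profile):
    """Traffic shape of a host: dominant source port, its share of all bytes, peer count."""
    port, port_bytes = max(profile["by_port"].items(), key=lambda kv: kv[1])
    return port, port_bytes / profile["bytes"], len(profile["peers"])


def look_alikes(profiles, known_host, min_share=0.8, min_peers=3):
    """Hosts whose traffic has the same shape as a known pubstro: the same dominant
    service port carrying most of their bytes, served to several distinct peers."""
    ref_port, _, _ = shape(profiles[known_host])
    hits = []
    for host, prof in profiles.items():
        if host == known_host:
            continue
        port, share, peers = shape(prof)
        if port == ref_port and share >= min_share and peers >= min_peers:
            hits.append(host)
    return sorted(hits)


if __name__ == "__main__":
    profiles = build_profiles(SAMPLE_FLOWS)
    for host in top_talkers(profiles):
        port, share, peers = shape(profiles[host])
        print(f"{host:10} {profiles[host]['bytes']:>14,} B  port {port} ({share:.0%}), {peers} peers")
    print("look-alikes of 10.0.1.5:", look_alikes(profiles, "10.0.1.5"))
```

Volume ranking alone surfaces only the loudest pubstro; the look-alike pass is what catches the quieter ones that never reach the top-20. In practice the profile would be built over a time window and the reference shape taken from a confirmed incident rather than hard-coded.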
Pubstros/distros • Becoming more sophisticated • Are well hidden – Hacker Defender is a suite of tools to hide your favorite trojan • Still common – I detected a pubstro on a departmental server two days ago.
Organized crime • See From Russia with Malice handout http://www.vnunet.com/analysis/1160302
IRC Society • Slides are from a presentation by Hank Nussbacher http://www.interall.co.il/presentations/first-16.pdf
Frequency of attacks • Page 84 of Nussbacher presentation • Page 32 of the Vunderink presentation http://www.garion.org/tmp/ircdrones.pdf
Size of botnets • It is common to see botnets with a strength of 1,000 to 2,000 bots • One record botnet had a strength of hundreds of thousands of bots
About these numbers • The numbers I located for this talk are from June 2004 • It is too early in our understanding of Botnets to offer a trend analysis • However, it is too easy to establish a botnet; I do not expect the numbers to be smaller • Please note that we discovered a botnet controller at ISU controlling 190,000+ bots just this week.
Easy tools • Tools that we have seen at ISU have grown in sophistication and power • Professional hackers are writing tools • Many of today’s new viruses are nothing more than hacker tools in active use • Quote from page 14 of Vunderink presentation
Easy Tools • Sdbot • Korgo • Optix • Spybot
Optix – a sdbot variant • Detailed description: The backdoor's file is a PE executable about 93 kilobytes long, packed with Yoda and PECompact file compressors. • When the backdoor's file is started, it copies itself as SNDCFG16.EXE to the Windows System folder, sets hidden, system and read-only attributes for itself and then creates the following startup keys in the Registry… • The backdoor monitors Registry changes and re-creates these keys if they are deleted or modified.
Optix – a sdbot variant • SDBot.MB kills the processes of security and anti-virus software and also processes of certain malware (for example Bagle). The processes with the following names are killed: • regedit.exe msconfig.exe …a long list…
Optix – a sdbot variant • The backdoor can scan for vulnerable computers using different types of exploits and tries to locate other backdoors installed on remote hosts. Here's the list of scanner capabilities: • * WebDav (port 80) * NetBios (port 139) * NTPass (port 445) * DCom (ports 135, 1025) * DCom2 (port 135) * MSSQL (port 1433) * LSASS (port 445) * UPNP (port 5000) * Optix backdoor (port 3140) * Bagle backdoor (port 2745) * Kuang backdoor (port 17300) * Mydoom backdoor (port 3127) * NetDevil backdoor (port 903) * SubSeven backdoor (port 27347) * DameWare remote management software (port 6129)
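A bot with this scanner list shows up on the network as one host touching many others on the listed ports with payload-less connections. The following is an added example, not part of the presentation or of any vendor description: a sliding-window sweep detector over constructed flow records (timestamp, src, dst, dst_port, bytes), using the port-to-name mapping from the list above. The window of 60 seconds, the eight-target threshold and the 200-byte payload cut-off are assumptions.

```python
"""Detect horizontal sweeps on the ports an sdbot-style scanner probes.

Added example over constructed flow records; window, thresholds and the
record layout are assumptions, not taken from the presentation.
"""
from collections import defaultdict, deque, Counter

# Ports from the scanner capability list, with the names used there.
SCAN_PORTS = {
    80: "WebDav", 139: "NetBios", 445: "NTPass/LSASS", 135: "DCom/DCom2",
    1025: "DCom", 1433: "MSSQL", 5000: "UPNP", 3140: "Optix backdoor",
    2745: "Bagle backdoor", 17300: "Kuang backdoor", 3127: "Mydoom backdoor",
    903: "NetDevil backdoor", 27347: "SubSeven backdoor", 6129: "DameWare",
}


def _sweep(src, port, t0, count, prefix="10.0.6."):
    """Build constructed flows for one source touching `count` hosts, one per second."""
    return [(t0 + i, src, f"{prefix}{i + 1}", port, 60) for i in range(count)]


# Constructed sample flows: (time, src, dst, dst_port, bytes).
SAMPLE_FLOWS = (
    _sweep("10.0.5.7", 445, 1000, 20)            # 20 hosts on 445 within 20 s
    + _sweep("10.0.5.7", 3140, 1100, 12)         # 12 hosts on the Optix backdoor port
    + [(2000 + i, "10.0.4.2", f"203.0.113.{i}", 80, 4000) for i in range(10)]   # real browsing
    + [(3000 + i * 1000, "10.0.7.3", f"10.0.8.{i + 1}", 445, 60) for i in range(5)]  # sparse, slow
)


def detect_sweeps(flows, window=60, min_targets=8, max_bytes=200):
    """Return {(src, port): peak distinct targets} for sources that reached at least
    `min_targets` distinct hosts on a watched port within `window` seconds,
    counting only small (payload-less) flows so busy web clients are ignored."""
    by_key = defaultdict(list)
    for t, src, dst, dport, nbytes in flows:
        if dport in SCAN_PORTS and nbytes <= max_bytes:
            by_key[(src, dport)].append((t, dst))

    alerts = {}
    for key, events in by_key.items():
        events.sort()
        recent = deque()      # (time, dst) inside the current window
        seen = Counter()      # distinct destinations inside the window
        for t, dst in events:
            recent.append((t, dst))
            seen[dst] += 1
            # Evict events that fell out of the window.
            while recent and recent[0][0] < t - window:
                _old_t, old_dst = recent.popleft()
                seen[old_dst] -= 1
                if seen[old_dst] == 0:
                    del seen[old_dst]
            if len(seen) >= min_targets:
                alerts[key] = max(alerts.get(key, 0), len(seen))
    return alerts


def describe(alerts):
    """Human-readable alert lines, one per (source, port)."""
    return [f"{src} swept {n} hosts on {port}/tcp ({SCAN_PORTS[port]})"
            for (src, port), n in sorted(alerts.items())]


if __name__ == "__main__":
    for line in describe(detect_sweeps(SAMPLE_FLOWS)):
        print(line)
```

The byte cut-off matters: a sweep of port 80 looks exactly like browsing if you count destinations alone, so only flows too small to carry a real request are counted. The slow host that probes one target every 1000 seconds is deliberately not flagged by a 60-second window; catching that kind of low-and-slow scanning needs a much longer window and a lower threshold, with the false-positive cost that implies.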
Optix – a sdbot variant • The backdoor starts IDENTD server on port 113. • A hacker can control the backdoor via a bot that it creates in a certain IRC channel.
Optix – a sdbot variant • Backdoor capabilities are the following: • start HTTP server on an infected computer • start FTP server on an infected computer • scan for vulnerable computers (open ports and exploits) • make use of exploits and spread to remote computers
Optix – a sdbot variant • start/stop keylogger • get system information including information about OS, network and drives • operate backdoor's bot (nick change, dcc send/receive, join/part channels, etc.) • perform DDoS (Distributed Denial of Service) attack, SYN, ICMP, UDP flood
Optix – a sdbot variant • find, download and run files • search for passwords • start/stop remote services • create/delete remote shares • flush DNS cache
Optix – a sdbot variant • ping any host • list, start and kill processes • sniff network traffic • start remote command shell • capture video from a webcam
Optix – a sdbot variant • capture a screenshot • redirect traffic on certain ports • perform portscan • send e-mails (work as an e-mail proxy) • open a URL with default web browser
SDBot.MB steals CD keys for the following games if they are installed on an infected computer: • Counter-Strike (Retail) • The Gladiators • Gunman Chronicles • Half-Life • Industry Giant 2 • Legends of Might and Magic • Soldiers Of Anarchy • Unreal Tournament 2003 • Unreal Tournament 2004 • IGI 2: Covert Strike • Freedom Force • Battlefield 1942 • Battlefield 1942 (Road To Rome) • Battlefield 1942 (Secret Weapons of WWII) • Battlefield Vietnam • Black and White • Command and Conquer: Generals (Zero Hour) • James Bond 007: Nightfire • Command and Conquer: Generals • Global Operations • Medal of Honor: Allied Assault • Medal of Honor: Allied Assault: Breakthrough • Medal of Honor: Allied Assault: Spearhead • Need For Speed Hot Pursuit 2 • Need For Speed: Underground • Shogun: Total War: Warlord Edition • FIFA 2002 • FIFA 2003 • NHL 2002 • NHL 2003 • Nascar Racing 2002 • Nascar Racing 2003 • Rainbow Six III RavenShield • Command and Conquer: Tiberian Sun • Command and Conquer: Red Alert • Command and Conquer: Red Alert 2 • NOX • Chrome • Hidden & Dangerous 2 • Soldier of Fortune II - Double Helix • Neverwinter Nights • Neverwinter Nights (Shadows of Undrentide) • Neverwinter Nights (Hordes of the Underdark) • The backdoor also steals the Microsoft Windows Product ID.
Other threats • “Drive-by installations of trojans” googkle.com example http://www.f-secure.com/v-descs/googkle.shtml • Lyrics example
Protecting client systems Comments from Vunderink
Some conclusions • Security threats have changed • Our clients have no idea that the security paradigm has changed • Policy makers do not know that security threats have changed • I am less pessimistic than Vunderink. I think that we will succeed in educating policy makers…but we won’t succeed in educating our clients.
1. A good overview of botnets: David Geer, "Malicious Bots Threaten Network Security", IEEE Computer, January 2005.
2. An article that provides examples of organized crime and botnets: "From Russia with Malice", http://www.vnunet.com/analysis/1160302
3. Slides from a presentation that provide a good history of DDoS and techniques for fighting DDoS: Hank Nussbacher and Nicolas Fischbach, "Fighting Internet Diseases: DDoS, worms and miscreants", http://www.interall.co.il/presentations/first-16.pdf
4. Slides from a presentation by an IRC administrator who is fighting botnets: Joost "Garion" Vunderink, "IRC and Drones: Investigating botnets on IRC", http://www.garion.org/tmp/ircdrones.pdf
5. A paper that presents a complete forensic analysis of a compromised system: Jennifer Kolde, GIAC Certified Forensic Analyst (GCFA) Practical Assignment, SANS Institute, http://www.giac.org/practical/GCFA/Jennifer_Kolde_GCFA.pdf
Hank Nussbacher’s picks for DDoS references • A large number of papers and presentations can be found at the public page: https://puck.nether.net/mailman/listinfo/nsp-security • In addition, I have found these to be useful: • http://staff.washington.edu/dittrich/misc/ddos/ • http://www.linuxsecurity.com/resource_files/intrusion_detection/ddos-faq.html • http://www.networkcomputing.com/1201/1201f1c1.html • http://www.sans.org/dosstep/index.php • http://downloads.securityfocus.com/library/sn_ddos.doc