
Botnets


zelia

Presentation Transcript


  1. Botnets ECE 4112 Lab 10 Group 19

  2. Botnets
     • Collection of compromised machines running programs (malicious) under a common command and control infrastructure
     • Attackers target Class B networks
     • Once vulnerable system detected
     • System compromised -> control client (bot) installed
     • These bots further attack networks -> exponential growth in a tree like fashion

  3. Botnets - Uses
     • Distributed DoS attacks
     • Spamming
     • Sniffing traffic
     • Keylogging
     • Attacking other networks
     • Identity theft
     • Google AdSense abuse
     • Spyware/Malware infestation

  4. Lab Procedures
     • I. Setup: Setting up the IRCd server
     • II. SDBot
     • III. q8Bot
     • IV. HoneyNet Botnet capture analysis

  5. IRCd Server
     [Diagram labels: IRC client (Attacker); IRCd; Infected RedHat machine (Victim); Redhat WS4.0]
     • IRC networks considered part of the “underground” Internet
     • Home to many hacking groups and illegal software release groups
     • Setup on WS 4.0 machine

  6. SDBot/RBot/UrBot/UrXbot
     • The most active family of bots
     • Published under GPL
     • Poorly implemented in C
     • Provides a utilitarian IRC-based command and control system
     • Easy to extend
     • Large number of patches to provide more sophisticated malicious capabilities
     • Scanning, DoS attacks, sniffers, information harvesting & encryption features

  7. SDBot
     • Setup on Windows XP VM using lccwin32 compiler
     • Created executable using bat file
     • Edited host file to include ircserver
     • Bot Login
     • Random username joins channel – Bot
     • Login
     • .repeat 6 .delay 1 .execute 1 winmine.exe
     • Started 6 instances of minesweeper on the victim

  8. SDBot
     • General Commands
     • .execute causes the bot to run a program
     • .download causes the bot to download the file specified by url
     • .redirect lets the bot start a basic port redirect. everything sent to the port
     • .sysinfo causes the bot to reply with information on the host system
     • .netinfo causes the bot to reply with information on the bot's network connection
     • .visit lets the bot invisibly visit the specified url

  9. SDBot – UDP/Ping Flood
     • .udp <RH 7.2 IP> 1000 4096 100 23
     • Command causes a UDP flood
     • For 1 Gbit link
     • Avg packet size = 1169 bytes
     • Bots required = 106,928
     • .ping <RH 7.2 ip> 1000 4096 1
     • Initiates a ping flood
     • For 1 Gbit link
     • Avg packet size = 1351 bytes
     • Bots required = 92,532 (approx)

  10. SDBot – Pay per click
     • .visit http://57.35.6.10/index.html http://<anything>.com
     • Ethereal – TCP stream with HTTP packets showing http://<anything>.com as referrer

  11. SDBot – Bot Removal
     • Kill Process
     • Remove registry entries:
        • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\CONFIGURATION LOADER
        • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\CONFIGURATION LOADER

  12. q8Bot
     • Small bots with 926 lines of C code
     • Written only for Unix based systems
     • Features
        • DDoS attacks
        • Dynamic updating
        • Flooding
     • Versions with spreaders available

  13. q8Bot
     • Installation after changes to C file
     • ps -e
        • Shows the bot file running with a pid
     • ps -ef
        • Same pid shown as ‘-bash’
     • -f flag gives full listing with the command line process name -> replaced by FAKENAME in source code
     • -e flag gives the pid with the executable used
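Slide 13's observation (same pid, bot file under `ps -e`, `-bash` under `ps -ef`) can be turned into a host check. The following is an added example, not part of the original slides or the lab code: it compares `/proc/<pid>/comm` and the `exe` link with argv[0] on Linux; the sample records and the file name `q8bot` are constructed.

```python
import os

def names_agree(a, b):
    # Prefix match tolerates comm's 15-character truncation and forms
    # such as "sshd:" or "python3" vs "python3.11".
    return bool(a and b) and (a.startswith(b) or b.startswith(a))

def argv0_mismatch(comm, exe, cmdline):
    """True when argv[0] (shown by `ps -ef`) names a different program
    than comm or the exe link (the name `ps -e` shows)."""
    if not cmdline:                       # kernel threads: empty cmdline
        return False
    argv0 = cmdline.split(b"\0")[0].decode(errors="replace")
    shown = os.path.basename((argv0.split() or [""])[0]).lstrip("-")
    exe_name = os.path.basename(exe.replace(" (deleted)", ""))
    return not (names_agree(shown, comm) or names_agree(shown, exe_name))

def scan_proc(proc="/proc"):
    """Return (pid, comm, exe, argv0) for every process that mismatches."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"{proc}/{pid}/cmdline", "rb") as f:
                cmdline = f.read()
        except OSError:                   # process exited, or no access
            continue
        try:
            exe = os.readlink(f"{proc}/{pid}/exe")
        except OSError:
            exe = ""
        if argv0_mismatch(comm, exe, cmdline):
            argv0 = cmdline.split(b"\0")[0].decode(errors="replace")
            hits.append((int(pid), comm, exe, argv0))
    return hits

# Constructed samples: (comm, exe, cmdline). "q8bot" is a made-up file name.
SAMPLES = [
    ("bash", "/usr/bin/bash", b"-bash\0"),          # real login shell
    ("q8bot", "/tmp/q8bot", b"-bash\0"),            # argv[0] overwritten
    ("kworker/0:1", "", b""),                       # kernel thread
    ("sshd", "/usr/sbin/sshd", b"sshd: alice [priv]\0"),
]

if __name__ == "__main__":
    for pid, comm, exe, argv0 in scan_proc():
        print(f"{pid}\tcomm={comm}\texe={exe}\targv0={argv0}")
```

Hits are leads rather than verdicts: some legitimate programs rewrite argv[0] or run through an interpreter, so check the `exe` path of each hit before acting.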

  14. q8Bot – Commands
     • PAN <target> <port> <secs> - SYN flood which disables most network drivers
     • TSUNAMI <target> <secs> - packets that can bypass any firewall
     • GET <target> <save as> - Download/rename files

  15. q8Bot
     • Tsunami Attack
        • Basic DoS attack
        • Packets directed to port 80 (http) – hence ignored by firewalls
     • PAN
        • Add statement:
        • Sendto(get, &send_tcp, 40+psize, 0, (struct sockaddr*)&sin, sizeof(sin);
        • Change return() -> break in final if block
        • PAN <WIN XP IP> <port> <delay in ms>

  16. HoneyNet Botnet Capture Analysis
     • Data Forensics
     • View IRC connections
        • ip.dst == 172.16.134.191 && tcp.srcport == 6667
     • Sniff IRC packets
        • ip.dst == 172.16.134.191 && (tcp.srcport == 6667 || tcp.dstport == 6667)
     • Usernames sniffed:
        • Eohisou – Unsuccessful login attempt
        • Rgdiuggac – Successful login attempt

  17. HoneyNet Botnet Capture Analysis
     • Once logged in, chanserv sets modes
        • i – Invisible mode (hidden)
        • x – provides random hostname to user
     • Source attack IPs – Analyze through Ethereal filter
        • 209.196.44.172
        • 63.241.174.144
        • 217.199.175.10
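Slides 16 and 17 read login outcomes and user modes out of the port 6667 stream by hand. The following is an added example, not part of the original slides, that does the same over IRC lines exported from a capture. It assumes success is judged by the server's numeric reply (001 welcome versus 432/433/464/465 or ERROR), which the slides do not spell out; the nicknames, server name and lines in `SAMPLE` are constructed.

```python
FAIL = {"432", "433", "464", "465"}  # bad nick, nick in use, bad password, banned

def parse(line):
    """Split one IRC line into (prefix, command, params)."""
    line = line.rstrip("\r\n")
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if sep:
        parts.append(trailing)
    if not parts:
        return prefix, "", []
    return prefix, parts[0].upper(), parts[1:]

def login_outcomes(records):
    """records: (tcp stream id, 'C' client->server or 'S' server->client, line)."""
    pending, result = {}, {}
    for stream, direction, raw in records:
        if not raw.strip():
            continue
        _, cmd, params = parse(raw)
        if direction == "C" and cmd == "NICK" and params:
            pending[stream] = params[0]
            result.setdefault(params[0], {"status": "no reply", "modes": ""})
        elif direction == "S" and stream in pending:
            entry = result[pending[stream]]
            if cmd == "001":                       # RPL_WELCOME
                entry["status"] = "success"
            elif cmd in FAIL or cmd == "ERROR":
                if entry["status"] != "success":   # ERROR also ends good sessions
                    entry["status"] = "failed"
            elif cmd == "MODE" and len(params) > 1 and params[0] == pending[stream]:
                if params[1].startswith("+"):      # record modes that were set
                    entry["modes"] += params[1][1:]
    return result

# Constructed sample: direction 'S' corresponds to tcp.srcport == 6667.
SAMPLE = [
    (1, "C", "NICK botA"),
    (1, "C", "USER botA host srv :botA"),
    (1, "S", ":irc.example.net 433 * botA :Nickname is already in use."),
    (1, "S", "ERROR :Closing Link: (Connection timed out)"),
    (2, "C", "NICK botB"),
    (2, "C", "USER botB host srv :botB"),
    (2, "S", ":irc.example.net 001 botB :Welcome to the IRC network botB"),
    (2, "S", ":botB MODE botB :+ix"),
]
```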

  18. Botnets – Defense
     • Keep your system updated by downloading patches
     • Be careful when opening suspicious email attachments
     • Control use of scripting languages such as ActiveX and JavaScript
     • It is fundamental to use an updated antivirus / antitrojan

  19. Botnets – Defense
     • Main signs of bot presence are connection and system slowdown
     • netstat -an
     • Admins: subscribe to mailing lists (e.g. Bugtraq)
     • Study the logs generated by IDS/firewall/mail/DHCP servers for abnormal activity
     • Most important: user awareness
