Botnets ECE 4112 Lab 10 Group 19
Botnets
• Collection of compromised machines running malicious programs under a common command and control infrastructure
• Attackers target Class B networks
• Once a vulnerable system is detected, the system is compromised and a control client (bot) is installed
• These bots further attack networks: exponential growth in a tree-like fashion
Botnets - Uses
• Distributed DoS attacks
• Spamming
• Sniffing traffic
• Keylogging
• Attacking other networks
• Identity theft
• Google AdSense abuse
• Spyware/malware infestation
Lab Procedures
• I. Setup: setting up the IRCd server
• II. SDBot
• III. q8Bot
• IV. HoneyNet botnet capture analysis
IRCd Server
[Diagram labels: IRC client (Attacker), IRCd, Infected RedHat machine (Victim), Redhat WS4.0]
• IRC networks are considered part of the "underground" Internet
• Home to many hacking groups and illegal software release groups
• Set up on the WS 4.0 machine
SDBot/RBot/UrBot/UrXbot
• The most active family of bots
• Published under the GPL
• Poorly implemented in C
• Provides a utilitarian IRC-based command and control system
• Easy to extend
• Large number of patches provide more sophisticated malicious capabilities
• Scanning, DoS attacks, sniffers, information harvesting and encryption features
SDBot
• Set up on a Windows XP VM using the lcc-win32 compiler
• Created the executable using a bat file
• Edited the hosts file to include ircserver
• Bot login: a random username joins the channel
• .repeat 6 .delay 1 .execute 1 winmine.exe
• Started 6 instances of Minesweeper on the victim
SDBot
• General commands
• .execute causes the bot to run a program
• .download causes the bot to download the file specified by URL
• .redirect lets the bot start a basic port redirect; everything sent to the port
• .sysinfo causes the bot to reply with information on the host system
• .netinfo causes the bot to reply with information on the bot's network connection
• .visit lets the bot invisibly visit the specified URL
SDBot – UDP/Ping Flood
• .udp <RH 7.2 IP> 1000 4096 100 23
• Command causes a UDP flood
• For a 1 Gbit link
• Avg packet size = 1169 bytes
• Bots required = 106,928
• .ping <RH 7.2 ip> 1000 4096 1
• Initiates a ping flood
• For a 1 Gbit link
• Avg packet size = 1351 bytes
• Bots required = 92,532 (approx)
SDBot – Pay per click
• .visit http://57.35.6.10/index.html http://<anything>.com
• Ethereal – TCP stream with HTTP packets illustrating http://<anything>.com as the referrer
SDBot – Bot Removal
• Kill the process
• Remove registry entries:
• HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\CONFIGURATION LOADER
• HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\CONFIGURATION LOADER
q8Bot
• Small bot: 926 lines of C code
• Written only for Unix-based systems
• Features
• DDoS attacks
• Dynamic updating
• Flooding
• Versions with spreaders available
q8Bot
• Installation after changes to the C file
• ps -e
• Shows the bot file running with a pid
• ps -ef
• Same pid shown as '-bash'
• The -f flag gives a full listing with the command-line process name, which is replaced by FAKENAME in the source code
• The -e flag gives the pid with the executable used
q8Bot – Commands
• PAN <target> <port> <secs> - SYN flood which disables most network drivers
• TSUNAMI <target> <secs> - packets that can bypass any firewall
• GET <target> <save as> - download/rename files
q8Bot
• Tsunami attack
• Basic DoS attack
• Packets directed to port 80 (http), hence ignored by firewalls
• PAN
• Add statement:
• sendto(get, &send_tcp, 40+psize, 0, (struct sockaddr *)&sin, sizeof(sin));
• Change return() to break in the final if block
• PAN <WIN XP IP> <port> <delay in ms>
HoneyNet Botnet Capture Analysis
• Data forensics
• View IRC connections
• ip.dst == 172.16.134.191 && tcp.srcport == 6667
• Sniff IRC packets
• ip.dst == 172.16.134.191 && (tcp.srcport == 6667 || tcp.dstport == 6667)
• Usernames sniffed:
• Eohisou – unsuccessful login attempt
• Rgdiuggac – successful login attempt
HoneyNet Botnet Capture Analysis
• Once logged in, chanserv sets modes
• i – invisible mode (hidden)
• x – provides a random hostname to the user
• Source attack IPs – analyzed through an Ethereal filter
• 209.196.44.172
• 63.241.174.144
• 217.199.175.10
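The capture-analysis steps above carried out in code, as an added Python example (not part of the lab or its slides): it keeps only the honeypot's port-6667 traffic, as the display filters do, then reads the IRC exchange to classify each NICK registration as successful or unsuccessful, records the user modes set on the bot, and lists the remote IRC servers. The packet list is constructed for the example; the nicks and addresses come from the slides, the server replies are assumed.

```python
import re

HONEYPOT = "172.16.134.191"   # victim address used in the capture filters
IRC_PORT = 6667

# Constructed packet summaries: (src, sport, dst, dport, payload). Not from the real
# HoneyNet capture; the nicks are the ones on the slides, the exchange is invented.
SAMPLE = [
    (HONEYPOT, 1045, "209.196.44.172", IRC_PORT, "NICK Eohisou\r\nUSER a 0 * :a\r\n"),
    ("209.196.44.172", IRC_PORT, HONEYPOT, 1045, ":irc 464 * :Password incorrect\r\n"),
    (HONEYPOT, 2210, "63.241.174.144", IRC_PORT, "NICK Rgdiuggac\r\nUSER b 0 * :b\r\n"),
    ("63.241.174.144", IRC_PORT, HONEYPOT, 2210, ":irc 001 Rgdiuggac :Welcome\r\n"),
    ("63.241.174.144", IRC_PORT, HONEYPOT, 2210, ":Rgdiuggac MODE Rgdiuggac :+ix\r\n"),
    ("192.0.2.9", 80, HONEYPOT, 3321, "HTTP/1.1 200 OK\r\n"),   # non-IRC noise
]

NUMERIC_REPLY = re.compile(r"^:\S+ (\d{3}) ")        # e.g. ":irc 001 nick :Welcome"
MODE_CHANGE = re.compile(r" MODE (\S+) :?\+(\w+)")   # e.g. "MODE nick :+ix"
FAILURE_CODES = {"433", "464", "465"}                # nick in use, bad password, banned

def irc_packets(packets):
    """Same selection as the slide's display filter: honeypot traffic on port 6667."""
    return [p for p in packets
            if HONEYPOT in (p[0], p[2]) and IRC_PORT in (p[1], p[3])]

def analyze(packets):
    """Return (login outcome per nick, user modes set per nick, remote IRC servers)."""
    logins, modes, servers, pending = {}, {}, set(), {}
    for src, sport, dst, dport, payload in irc_packets(packets):
        peer = dst if src == HONEYPOT else src       # the remote IRC server
        servers.add(peer)
        for line in payload.split("\r\n"):
            if line.startswith("NICK "):              # bot tries to register a nick
                pending[peer] = line.split()[1]
                logins.setdefault(pending[peer], "unknown")
            reply = NUMERIC_REPLY.match(line)
            if reply and peer in pending:             # server's verdict on that nick
                code = reply.group(1)
                if code == "001":
                    logins[pending[peer]] = "successful"
                elif code in FAILURE_CODES:
                    logins[pending[peer]] = "unsuccessful"
            mode = MODE_CHANGE.search(line)
            if mode:                                  # e.g. chanserv setting +i / +x
                modes.setdefault(mode.group(1), set()).update(mode.group(2))
    return logins, modes, sorted(servers)

if __name__ == "__main__":
    print(analyze(SAMPLE))
```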
Botnets – Defense
• Keep your system updated by downloading patches
• Be careful when opening suspicious email attachments
• Control use of scripting languages such as ActiveX and JavaScript
• It is fundamental to use an updated antivirus / antitrojan
Botnets – Defense
• Main signs of bot presence are connection and system slowdown
• netstat -an
• Admins: subscribe to mailing lists (e.g. Bugtraq)
• Study the logs generated by IDS, firewall, mail and DHCP servers for abnormal activity
• Most important: user awareness