An Inside Look at Botnets - PowerPoint PPT Presentation

About This Presentation
Title:

An Inside Look at Botnets

Description:

SpyBot. First referenced in April, 2003. Hundreds of variants ... SDBot, SpyBot, and GT Bot deliver exploit and encoded malware in one script ... – PowerPoint PPT presentation

Slides: 65
Provided by: jared2
Learn more at: http://www.cs.ucf.edu

Transcript and Presenter's Notes

Title: An Inside Look at Botnets


1
An Inside Look at Botnets
  • By Paul Barford and Vinod Yegneswaran
  • In Series Advances in Information Security,
    Springer, 2006
  • Presented by Jared Bott

2
Outline
  • Why Study Botnets?
  • A Brief History of Botnets
  • Bot Study
  • Findings and Implications
  • Analysis of Paper

3
Why?
  • Malicious software is a major problem
  • Reactive methods, which predominate today, are
    ultimately insufficient
  • Proactive methods are required
  • Develop a foundational understanding of the
    mechanisms used by malicious software
  • Develop an open repository of malware information

4
Outline
  • Why Study Botnets?
  • A Brief History of Botnets
  • Bot Study
  • Findings and Implications
  • Analysis of Paper

5
Botnets
  • A botnet is a collection of compromised computers
    controlled by their attacker
  • Botnets trace their roots to the Eggdrop bot
    • Created for network management by Jeff Fisher in
      1993

6
Rise of Botnets
  • Motivation for malicious activity is shifting
  • Primary motivation has changed from vandalism and
    demonstration of programming skills to for-profit
    activities
  • Identity theft, extortion
  • Backed by organized crime

7
Botnets Today
  • Botnets can be extremely large, with reports of
    botnets of over 100,000 systems
  • Average size appears to be dropping
  • Total estimated number of systems used in botnets
    is in the millions

8
Outline
  • Why Study Botnets?
  • A Brief History of Botnets
  • Bot Study
  • Findings and Implications
  • Analysis of Paper

9
Bot Study
  • Objectives
    • Highlight the richness and diversity of bot
      codebases
    • Identify commonalities between codebases
    • Consider how knowledge of these botnet mechanisms
      can lead to development of more effective defense
      mechanisms

10
Bot Study
  • Attributes of bots to analyze
    • Architecture
    • Botnet Control Mechanisms
    • Host Control Mechanisms
    • Propagation Mechanisms
    • Target Exploits and Attack Mechanisms
    • Malware Delivery Mechanisms
    • Obfuscation Methods
    • Deception Strategies

11
Bot Study
  • Four bot codebases
    • Agobot 4.0 pre-release
    • SDBot 05b
    • SpyBot 1.4
    • GT Bot with DCOM

12
Agobot
  • AKA Gaobot, Phatbot
  • First referenced in October, 2002
  • Most sophisticated of the four codebases
  • Typically around 20,000 lines of C/C++
  • Monolithic architecture
  • Adheres to structured design and software
    engineering principles
    • Modular, standard data structures, code
      documentation
  • Exhibits creativity in design

13
Agobot
  • Components
    • IRC-based command and control mechanism
    • Large collection of target exploits
    • Ability to launch different kinds of DoS attacks
    • Modules for shell encodings and limited
      polymorphism
    • Mechanisms to frustrate disassembly by well-known
      tools

14
Agobot
  • Components
    • Ability to harvest the local host for sensitive
      information, such as PayPal passwords and AOL
      keys, through traffic sniffing, key logging or
      searching registry entries
    • Mechanisms to defend and fortify compromised
      systems
  • Over 580 variants

15
SDBot
  • First referenced in October, 2002
  • Hundreds of variants
  • Fairly simple compared to Agobot
  • Slightly over 2,000 lines of C
  • Main source tree does not contain any overtly
    malicious code modules
  • Published under GPL
  • Primarily provides a utilitarian IRC-based
    command and control system

16
SDBot
  • Easy to extend
  • Large number of patches that provide more
    sophisticated malicious capabilities and diffuse
    responsibility
    • Scanning
    • DoS attacks
    • Sniffers
    • Information harvesting
    • Encryption routines
  • Over 80 patches

17
SpyBot
  • First referenced in April, 2003
  • Hundreds of variants
  • Fairly compact, around 3,000 lines of C
  • Shares much of SDBot's command and control engine
  • No explicit attempt to diffuse accountability

18
SpyBot
  • Capabilities
    • NetBIOS, Kuang, Netdevil and KaZaa exploits
    • Scanning capabilities
    • Modules for launching flooding attacks
  • Efficient
  • Does not exhibit the modularity or breadth of
    capabilities of Agobot

19
GT Bot
  • AKA Global Threat Bot, Aristotles
  • First referenced in April, 1998
  • Over 100 variants
  • Simple design
  • Limited set of functions based on the scripting
    capabilities of mIRC
  • Includes HideWindow program to keep the bot hidden

20
GT Bot
  • Includes BNC, a proxy system for anonymity
  • Includes psexec.exe to facilitate remote process
    execution
  • Nothing to suggest it was designed to be
    extensible
  • Different versions for specific malicious intents
    • The "with DCOM" version includes DCOM exploits

21
Bot Codebases
  • Convergence in the set of functions that are
    available
  • Suggests the possibility that defensive systems
    may eventually be effective across bot families
  • Bot codebases are at least somewhat extensible

22
Points of Analysis
  • Botnet Control Mechanisms
  • Host Control Mechanisms
  • Propagation Mechanisms
  • Target Exploits and Attack Mechanisms
  • Malware Delivery Mechanisms
  • Obfuscation Methods
  • Deception Strategies

23
Botnet Control Mechanisms
  • Command language and control protocols are used
    to operate botnets remotely after target systems
    have been compromised
  • All analyzed bots base C&C on IRC
  • Disruption of communication can render a botnet
    useless
  • Network operators can sniff for specific commands
    in IRC traffic and identify compromised systems

24
Botnet Control Mechanisms
  • Agobot
    • C&C system derived from IRC
    • Standard IRC is used to establish connections
    • IRC and commands developed for Agobot are used
      for the command language
  • SDBot
    • Command language is a lightweight version of IRC
    • Has IRC cloning and spying

25
Figure: Typical interaction between an SDBot and an IRC server
26
Botnet Control Mechanisms
  • SpyBot
    • Command language is a subset of SDBot's command
      language
  • GT Bot
    • Simplest command language of the bot families
    • Large variations across different versions

27
Points of Analysis
  • Botnet Control Mechanisms
  • Host Control Mechanisms
  • Propagation Mechanisms
  • Target Exploits and Attack Mechanisms
  • Malware Delivery Mechanisms
  • Obfuscation Methods
  • Deception Strategies

28
Host Control Mechanisms
  • The mechanisms used by the bot to manipulate a
    victim host once it has been compromised
  • Fortify the local system against malicious
    attacks
  • Disable anti-virus software
  • Harvest sensitive information

29
Host Control Mechanisms
  • Agobot
    • Commands to secure the system
    • Broad set of commands to harvest sensitive
      information
    • pctrl commands to list or kill processes running
      on the host
    • inst commands to add or delete autostart entries

30
Agobot Commands
Command              Description
pctrl.kill           Kill specified process set from service file
pctrl.list           Return list of all processes
pctrl.listsvc        Return list of all services that are running
pctrl.killsvc        Delete/stop a specified service
pctrl.killpid        Kill specified process
inst.asadd           Add an autostart entry
inst.asdel           Delete an autostart entry
inst.svcadd          Add a service to the SCM
inst.svcdel          Delete a service from the SCM
harvest.cdkeys       Return a list of CD keys
harvest.emails       Return a list of emails
harvest.emailshttp   Return a list of emails via HTTP
harvest.aol          Return a list of AOL-specific information
harvest.registry     Return registry information for a specific registry path
harvest.windowskeys  Return Windows registry information
31
Host Control Mechanisms
  • SDBot
    • Limited capabilities
    • Basic remote execution commands
    • Some ability to gather local information
    • Auxiliary patches add more capabilities

32
SDBot Commands
Command                                  Description
sysinfo                                  List host system information (CPU/RAM/OS and uptime)
execute <visibility> <file> parameters   Run a specified program (visibility is 0/1)
cdkey/getcdkey                           Return keys of popular games, e.g. Half-Life, Soldier of Fortune
download <url> <dest> <action>           Download specified file and execute it if action is 1
killthread <thread>                      Kill specified thread
update <url> <id>                        If bot ID differs from current, download SDBot executable and update
33
Host Control Mechanisms
  • SpyBot
    • Similar capabilities to Agobot
    • Local file manipulation
    • Key logging
    • Process/system manipulation, remote command
      execution

34
SpyBot Commands
Command                        Description
listprocesses                  Return a list of all running processes
killprocess <processname>      Kill the specified process
threads                        Return a list of all running threads
killthread <number>            Kill a specified thread
disconnect <number>            Disconnect the bot for <number> seconds
reboot                         Reboot the system
cd-rom <0/1>                   Open/close CD-ROM
opencmd                        Start cmd.exe (hidden)
cmd <command>                  Send a command to cmd.exe
get <filename>                 Trigger DCC send on bot
update <url>                   Update local copy of the bot code
delete <filename>              Delete a specified file
execute <filename>             Execute a specified file
rename <origfile> <newfile>    Rename a specified file
makedir <dirname>              Create a specified directory
startkeylogger                 Start the on-line keylogger
stopkeylogger                  Stop the keylogger
sendkeys <keys>                Simulate key presses
keyboardlights                 Flash remote keyboard lights 50x
passwords                      List the RAS passwords on Windows 9x systems
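Slide 23 notes that network operators can sniff for specific commands in IRC traffic to identify compromised systems. The following added example (not code from the paper or the slides) shows what such a check looks like over IRC PRIVMSG lines, using the Agobot, SDBot and SpyBot host control command names from the three tables above (slides 30, 32 and 34). The IRC log lines are constructed, and the "." / "!" command prefixes are an assumption about how an operator addresses bots in a channel.

```python
"""Spot bot command strings in IRC traffic (added example, not from the paper)."""
import re
from collections import Counter
from typing import Optional

# Command vocabularies copied from the slide tables for Agobot, SDBot and SpyBot.
BOT_COMMANDS = {
    "agobot": {
        "pctrl.kill", "pctrl.list", "pctrl.listsvc", "pctrl.killsvc",
        "pctrl.killpid", "inst.asadd", "inst.asdel", "inst.svcadd",
        "inst.svcdel", "harvest.cdkeys", "harvest.emails",
        "harvest.emailshttp", "harvest.aol", "harvest.registry",
        "harvest.windowskeys",
    },
    "sdbot": {
        "sysinfo", "execute", "cdkey", "getcdkey", "download",
        "killthread", "update",
    },
    "spybot": {
        "listprocesses", "killprocess", "threads", "killthread",
        "disconnect", "reboot", "cd-rom", "opencmd", "cmd", "get",
        "update", "delete", "execute", "rename", "makedir",
        "startkeylogger", "stopkeylogger", "sendkeys", "keyboardlights",
        "passwords",
    },
}

# Channel message as seen on the wire: ":nick!user@host PRIVMSG #chan :text"
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)(?:!\S*)? PRIVMSG (?P<target>\S+) :(?P<text>.*)$"
)

# Constructed sample traffic: ordinary chatter mixed with one operator driving bots.
SAMPLE_LOG = [
    ":alice!a@host1 PRIVMSG #chat :hello everyone",
    ":c0ntrol!op@evil PRIVMSG #b0tz :.pctrl.killpid 1234",
    ":c0ntrol!op@evil PRIVMSG #b0tz :harvest.cdkeys",
    ":c0ntrol!op@evil PRIVMSG #b0tz :.update http://dl.example.invalid/x 7",
    ":bob!b@host2 PRIVMSG #chat :did you get the file?",
    "PING :irc.example.invalid",
    ":c0ntrol!op@evil PRIVMSG #b0tz :startkeylogger",
]


def classify_text(text: str) -> Optional[tuple]:
    """Return (command, families) when the first word of TEXT is a known bot
    command, else None. A leading '.' or '!' prefix (assumed) is stripped first."""
    words = text.strip().split()
    if not words:
        return None
    token = words[0].lower().lstrip(".!")
    families = tuple(f for f, cmds in BOT_COMMANDS.items() if token in cmds)
    return (token, families) if families else None


def scan_irc_log(lines):
    """Return (nick, channel, command, families) for every PRIVMSG whose first
    word is a bot command. Non-PRIVMSG lines (PING, JOIN, ...) are skipped."""
    hits = []
    for line in lines:
        m = PRIVMSG_RE.match(line.strip())
        if m is None:
            continue
        verdict = classify_text(m.group("text"))
        if verdict is not None:
            command, families = verdict
            hits.append((m.group("nick"), m.group("target"), command, families))
    return hits


def hits_per_source(hits) -> dict:
    """Count command hits per sending nick: a nick issuing several commands into
    one channel is the controller, and that channel's members are the suspects."""
    return dict(Counter(nick for nick, _, _, _ in hits))


if __name__ == "__main__":
    found = scan_irc_log(SAMPLE_LOG)
    for nick, channel, command, families in found:
        print(f"{nick:10} {channel:8} {command:16} {'/'.join(families)}")
    print(hits_per_source(found))
```

Short generic tokens such as `cmd`, `get`, `delete` or `passwords` will also occur in ordinary chat, so in practice a hit list like this is scored per channel and per sender rather than acted on line by line; the unambiguous dotted Agobot names and keylogger commands are the strong signals.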
35
Host Control Mechanisms
  • GT Bot
    • Most limited capabilities
    • Base capabilities are only gathering local system
      information and running or deleting local files
    • Many versions with more capabilities

36
Points of Analysis
  • Botnet Control Mechanisms
  • Host Control Mechanisms
  • Propagation Mechanisms
  • Target Exploits and Attack Mechanisms
  • Malware Delivery Mechanisms
  • Obfuscation Methods
  • Deception Strategies

37
Propagation Mechanisms
  • The mechanisms bots use to search for new host
    systems
  • Traditionally horizontal or vertical scans
    • Horizontal: one port across an address range
    • Vertical: a port range on one address

38
Propagation Mechanisms
  • Agobot
    • Relatively simple, essentially vertical and
      horizontal scanning
  • SDBot
    • No scanning or propagation in the base distribution
    • Variants with horizontal and vertical scanning and
      more complex methods

39
Propagation Mechanisms
  • SpyBot
    • Simple horizontal and vertical scanning
  • GT Bot
    • Simple horizontal and vertical scanning
  • Due to the simplicity and uniformity of methods, it
    may be possible to develop statistical
    fingerprinting methods to identify scans from botnets
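Slides 37 to 39 define horizontal scans (one port across an address range) and vertical scans (a port range on one address) and suggest that the simple, uniform scanning of these bots may allow statistical fingerprinting. The following added example (not code from the paper or the slides) classifies flow records into the two patterns and adds one fingerprint feature chosen here, the fraction of consecutive addresses or ports in a sweep; the flow records and the reporting threshold are constructed.

```python
"""Classify scan traffic as horizontal or vertical (added example, not from the paper)."""
import ipaddress
from collections import defaultdict

# Constructed flow records: (source, destination, destination port).
# 10.0.0.5 sweeps port 445 across eight consecutive addresses (horizontal);
# 10.0.0.9 probes one host on ports the slides associate with DCOM, NetBIOS,
# MS-SQL and Radmin scanners (vertical); 10.0.0.7 is ordinary web traffic.
SAMPLE_FLOWS = (
    [("10.0.0.5", f"10.0.1.{i}", 445) for i in range(1, 9)]
    + [("10.0.0.9", "10.0.2.20", p) for p in (135, 139, 445, 1433, 3389, 4899)]
    + [("10.0.0.7", "10.0.3.1", 80), ("10.0.0.7", "10.0.3.2", 80),
       ("10.0.0.7", "10.0.3.3", 443)]
)


def sequential_fraction(values) -> float:
    """Fraction of adjacent sorted values that differ by exactly one.
    1.0 means a strictly consecutive sweep; 0.0 means no consecutive pairs."""
    ordered = sorted(values)
    if len(ordered) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
    return steps / (len(ordered) - 1)


def classify_scans(flows, min_targets=5):
    """Return (src, kind, key, count, sequential) findings.

    kind is "horizontal" (key = port, count = distinct addresses hit) or
    "vertical" (key = address, count = distinct ports hit). A source is
    reported once it touches at least min_targets distinct targets."""
    by_port = defaultdict(lambda: defaultdict(set))   # src -> port -> {dst}
    by_host = defaultdict(lambda: defaultdict(set))   # src -> dst -> {port}
    for src, dst, dport in flows:
        by_port[src][dport].add(dst)
        by_host[src][dst].add(dport)

    findings = []
    for src in by_port:
        for dport, dsts in by_port[src].items():
            if len(dsts) >= min_targets:
                addrs = [int(ipaddress.ip_address(d)) for d in dsts]
                findings.append((src, "horizontal", dport, len(dsts),
                                 sequential_fraction(addrs)))
        for dst, ports in by_host[src].items():
            if len(ports) >= min_targets:
                findings.append((src, "vertical", dst, len(ports),
                                 sequential_fraction(ports)))
    return sorted(findings, key=lambda f: (f[0], f[1], str(f[2])))


if __name__ == "__main__":
    for src, kind, key, count, seq in classify_scans(SAMPLE_FLOWS):
        print(f"{src:10} {kind:10} {key!s:12} targets={count:<3} sequential={seq:.2f}")
```

A horizontal sweep by one of these bots typically walks addresses in order, so a sequential fraction near 1.0 on a single port is the kind of regularity the slide has in mind; a low fraction over a hand-picked set of service ports, as in the vertical case here, looks more like a targeted probe than a bot sweep.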

40
Points of Analysis
  • Botnet Control Mechanisms
  • Host Control Mechanisms
  • Propagation Mechanisms
  • Target Exploits and Attack Mechanisms
  • Malware Delivery Mechanisms
  • Obfuscation Methods
  • Deception Strategies

41
Exploits and Attack Mechanisms
  • Specific methods for attacking known
    vulnerabilities on target systems
  • Agobot
    • Includes an ever-broadening set of exploits
    • Agobot exploits
      • Bagle scanner
      • DCOM scanners
      • MyDoom scanner
      • Dameware scanner
      • NetBIOS scanner
      • Radmin scanner
      • MS-SQL scanner
      • Generic DDoS module

42
Exploits and Attack Mechanisms
  • SDBot
    • No exploits in the standard distribution
    • Modules for sending UDP and ICMP packets
      • DoS
    • Numerous variants with exploits
    • Numerous variants with DDoS attack modules

43
Exploits and Attack Mechanisms
  • SpyBot
    • Exploits depend on the version of SpyBot
    • Wide range of exploits
    • Evaluated version has attacks on open NetBIOS
      shares
    • DDoS interface closely related to SDBot
      • UDP, ICMP, and TCP SYN

44
Exploits and Attack Mechanisms
  • GT Bot
    • This variant has RPC-DCOM exploits and simple
      ICMP floods
    • Many variants with many exploits and DoS
      capabilities
  • Bots will likely become more like Agobot, each
    version having many exploits

45
Points of Analysis
  • Botnet Control Mechanisms
  • Host Control Mechanisms
  • Propagation Mechanisms
  • Target Exploits and Attack Mechanisms
  • Malware Delivery Mechanisms
  • Obfuscation Methods
  • Deception Strategies

46
Malware Delivery Mechanism
  • The mechanisms bots use to deliver exploits
  • Packers and shell encoders used to compress and
    obfuscate code
  • SDBot, SpyBot, and GT Bot deliver exploit and
    encoded malware in one script
  • Agobot separates exploits and delivery
    • Exploit vulnerability and open shell on remote
      host
    • Encoded malware binary delivered by HTTP or FTP
    • Enables the encoder to be used across exploits,
      streamlining the codebase and potentially
      diversifying the resulting bit streams

47
Agobot Delivery
Figure: Agobot delivery, from the attacker computer (bot) to the
target computer
  1. Send exploit
  2. Open shell
  3. HTTP/FTP file transfer of bot
48
Points of Analysis
  • Botnet Control Mechanisms
  • Host Control Mechanisms
  • Propagation Mechanisms
  • Target Exploits and Attack Mechanisms
  • Malware Delivery Mechanisms
  • Obfuscation Methods
  • Deception Strategies

49
Obfuscation Mechanisms
  • The mechanisms that are used to hide the details
    of what is being transmitted through the network
    and what arrives for execution on end hosts
  • Only Agobot supports any kind of polymorphism

50
Points of Analysis
  • Botnet Control Mechanisms
  • Host Control Mechanisms
  • Propagation Mechanisms
  • Target Exploits and Attack Mechanisms
  • Malware Delivery Mechanisms
  • Obfuscation Methods
  • Deception Strategies

51
Deception Strategies
  • The mechanisms used to evade detection once a bot
    is installed on a target host
  • Rootkits
  • Only Agobot has elaborate deception mechanisms
    • Tests for debuggers
    • Tests for VMware
    • Killing anti-virus processes
    • Altering DNS entries of anti-virus software
      companies to point to localhost
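The last deception mechanism on slide 51, pointing anti-virus vendors' names at localhost, leaves a trace a defender can look for. The following added example (not code from the paper or the slides) checks a hosts file for that pattern. It assumes the redirection is made through the local hosts file, which is one common way of doing it; the watchlist domains and the sample hosts file are constructed.

```python
"""Check a hosts file for security-vendor names sinkholed to localhost (added example)."""
import ipaddress

# Constructed watchlist; a real check would list the update and download
# hosts of the security products actually deployed.
WATCHLIST = frozenset({
    "update.av-vendor.example",
    "www.av-vendor.example",
    "liveupdate.security-vendor.example",
})

# Constructed sample hosts file with legitimate entries, sinkholed vendor
# names (including a subdomain and the 0.0.0.0 variant) and a malformed line.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.10      intranet.example           # legitimate local override
127.0.0.1       update.av-vendor.example www.av-vendor.example
0.0.0.0         liveupdate.security-vendor.example
127.0.0.1       cdn.www.av-vendor.example
not-an-address  garbage
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) for every mapping in TEXT. Comments,
    blank lines and lines whose first field is not an IP are ignored."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower()


def on_watchlist(name, watchlist=WATCHLIST) -> bool:
    """True if NAME is a watchlist domain or a subdomain of one."""
    return any(name == w or name.endswith("." + w) for w in watchlist)


def find_sinkholed(text, watchlist=WATCHLIST):
    """Return sorted (hostname, ip) pairs for watchlist names that resolve to a
    loopback or unspecified address, i.e. have been made unreachable."""
    hits = set()
    for ip, name in parse_hosts(text):
        if on_watchlist(name, watchlist) and (ip.is_loopback or ip.is_unspecified):
            hits.add((name, str(ip)))
    return sorted(hits)


if __name__ == "__main__":
    for name, ip in find_sinkholed(SAMPLE_HOSTS):
        print(f"sinkholed: {name} -> {ip}")
```

On a live system the same function is run over the contents of the platform's hosts file; a hit means the host can no longer reach the vendor's update service, which is exactly the condition the bot is trying to create.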

52
Outline
  • Why Study Botnets?
  • A Brief History of Botnets
  • Bot Study
  • Findings and Implications
  • Analysis of Paper

53
Findings and Implications
  • Finding: The overall architecture and
    implementation of botnets is complex and evolving
    toward the use of common software engineering
    techniques.
  • Implication: The regularization of botnet
    architecture provides insight on potential
    extensibility and could help to facilitate
    systematic evaluation of botnet code.

54
Findings and Implications
  • Finding: The predominant remote control mechanism
    is IRC and in general includes a rich set of
    commands.
  • Implication: Monitoring botnet activity on IRC
    channels and disruption of specific channels on
    IRC servers should continue to be an effective
    defensive strategy for the time being.

55
Findings and Implications
  • Finding: The host control mechanisms used for
    harvesting sensitive information from host
    systems are ingenious and enable data from
    passwords to mailing lists to credit card numbers
    to be gathered.
  • Implication: This is one of the most serious
    results of the study and suggests design
    objectives for future operating systems and
    applications.

56
Findings and Implications
  • Finding: There is a wide diversity of exploits
    for infecting target systems, including many of
    those used by worms that target well-known
    Microsoft vulnerabilities.
  • Implication: This is yet more evidence that
    keeping OS patches up to date is essential, and it
    informs requirements for network intrusion
    detection and prevention systems.

57
Findings and Implications
  • Finding: All botnets include DoS attack
    capability.
  • Implication: The specific DoS mechanisms in
    botnets can inform designs for DoS defense.

58
Findings and Implications
  • Finding: All botnets include a variety of
    mechanisms for avoiding detection once installed.
  • Implication: Development of methods for detecting
    and disinfecting compromised systems will need to
    keep pace.

59
Findings and Implications
  • Finding: Shell encoding and packing mechanisms
    are common. Polymorphism is found only in
    Agobot.
  • Implication: A major focus on methods for
    detecting polymorphism may not be needed yet, but
    encodings will continue to present a challenge
    for defensive systems.

60
Findings and Implications
  • Finding: Currently there is only a limited set
    of propagation mechanisms available in botnets.
  • Implication: The specific propagation methods
    used in these botnets can form the basis for
    modeling and simulating botnet propagation.

61
Outline
  • Why Study Botnets?
  • A Brief History of Botnets
  • Bot Study
  • Findings and Implications
  • Analysis of Paper

62
Strengths
  • Detailed evaluation of code and capabilities
  • Starting point for malware database
  • An open database would greatly help defensive
    capabilities
  • Finding commonalities among bots could help
    create some kind of broad defense

63
Weaknesses
  • Dynamic profiling of bots needs to be done
  • Too many variants of bots to evaluate each and
    every one
  • Analysis of this kind calls for source code
    access, which may not be available

64
Improvements
  • Dynamic profiling
  • Analysis points for other kinds of malware