Botnets - PowerPoint PPT Presentation

1 / 33
About This Presentation
Title:

Botnets

Description:

W32/Spybot family emerged. 2001. 2004. 2005. Cases in the news. Axel Gembe ... Mcafee: W32/SDbot.worm.gen.g, Symantec: W32.Spybot.worm. Infection ... – PowerPoint PPT presentation

Number of Views:73
Avg rating:3.0/5.0
Slides: 34
Provided by: utda
Category:
Tags: botnets | spybot

less

Transcript and Presenter's Notes

Title: Botnets


1
Botnets
  • by
  • Mohammad Mehedy Masud
  • GUEST LECTURE

2
Botnets
  • Introduction
  • History
  • How to they spread?
  • What do they do?
  • Why care about them?
  • Detection and Prevention

3
Bot
  • The term 'bot' comes from 'robot'.
  • In computing paradigm, 'bot' usually refers to an
    automated process.
  • There are good bots and bad bots.
  • Example of good bots
  • Google bot
  • Game bot
  • Example of bad bots
  • Malicious software that steals information

4
Botnet
  • Network of compromised/bot-infected machines
    (zombies) under the control of a human attacker
    (botmaster)

5
History
  • In the beginning, there were only good bots.
  • ex google bot, game bot etc.
  • Later, bad people thought of creating bad bots so
    that they may
  • Send Spam and Phishing emails
  • Control others pc
  • Launch attacks to servers (DDOS)
  • Many malicious bots were created
  • SDBot/Agobot/Phatbot etc.
  • Botnets started to emerge

6
TimeLine
2006
1989
1999
2000
2002
2003
Present
2001
2004
2005
7
Cases in the news
  • Axel Gembe
  • Author or Agobot (aka Gaobot, Polybot)
  • 21 yrs old
  • Arrested from Germany in 2004 under Germanys
    computer Sabotage law
  • Jeffry Parson
  • Released a variation of Blaster Worm
  • Infected 48,000 computers worldwide
  • 18 yrs old
  • Arrested , sentenced to 18 month 3yrs of
    supervised released

8
How The Botnet Grows
9
How The Botnet Grows
10
How The Botnet Grows
11
How The Botnet Grows
12
Recruiting New Machines
  • Exploit a vulnerability to execute a short
    program (exploits) on victims machine
  • Buffer overflows, email viruses, Trojans etc.
  • Exploit downloads and installs actual bot
  • Bot disables firewall and A/V software
  • Bot locates IRC server, connects, joins
  • Typically need DNS to find out servers IP
    address
  • Authentication password often stored in bot
    binary
  • Botmaster issues commands

13
Recruiting New Machines
14
What Is It Used For
  • Botnets are mainly used for only one thing

15
How Are They Used
  • Distributed Denial of Service (DDoS) attacks
  • Sending Spams
  • Phishing (fake websites)
  • Addware (Trojan horse)
  • Spyware (keylogging, information harvesting)
  • Storing pirated materials

16
Example SDBot
  • Open-source Malware
  • Aliases
  • Mcafee IRC-SDBot, Symantec Backdoor.Sdbot
  • Infection
  • Mostly through network shares
  • Try to connect using password guessing (exploits
    weak passwords)
  • Signs of Compromise
  • SDBot copies itself to System folder - Known
    filenames Aim95.exe, Syscfg32.exe etc..
  • Registry entries modified
  • Unexpected traffic port 6667 or 7000
  • Known IRC channels Zxcvbnmas.i989.net etc..

17
Example RBot
  • First of the Bot families to use encryption
  • Aliases
  • Mcafee W32/SDbot.worm.gen.g, Symantec
    W32.Spybot.worm
  • Infection
  • Network shares, exploiting weak passwords
  • Known s/w vulnerabilities in windows (e.g. lsass
    buffer overflow vulnerability)
  • Signs of Compromise
  • copies itself to System folder - Known filenames
    wuamgrd.exe, or random names
  • Registry entries modified
  • Terminate A/V processes
  • Unexpected traffic 113 or other open ports

18
Example Agobot
  • Modular Functionality
  • Rather than infecting a system at once, it
    proceeds through three stages (3 modules)
  • infect a client with the bot open backdoor
  • shut down A/V tools
  • block access to A/V and security related sites
  • After successful completion of one stage, the
    code for the next stage is downloaded
  • Advantage?
  • developer can update or modify one portion/module
    without having to rewrite or recompile entire
    code

19
Example Agobot
  • Aliases
  • Mcafee W32/Gaobot.worm, Symantec
    W32.HLLW.Gaobot.gen
  • Infection
  • Network shares, password guessing
  • P2P systems Kazaa etc..
  • Protocol WASTE
  • Signs of Compromise
  • System folder svshost.exe, sysmgr.exe etc..
  • Registry entries modification
  • Terminate A/V processes
  • Modify System\drivers\etc\hosts file
  • Symantec/ Mcafees live update sites are
    redirected to 127.0.0.1

20
Example Agobot
  • Signs of Compromise (contd..)
  • Theft of information seek and steal CD keys for
    popular games like Half-Life, NFS etc..
  • Unexpected Traffic open ports to IRC server
    etc..
  • Scanning Windows, SQL server etc..

21
DDos Attack
  • Goal overwhelm victim machine and deny service
    to its legitimate clients
  • DoS often exploits networking protocols
  • Smurf ICMP echo request to broadcast address
    with spoofed victims address as source
  • Ping of death ICMP packets with payloads greater
    than 64K crash older versions of Windows
  • SYN flood open TCP connection request from a
    spoofed address
  • UDP flood exhaust bandwidth by sending thousands
    of bogus UDP packets

22
DDoS attack
  • Coordinated attack to specified host

Attacker
Master (IRC Server) machines
Zombie machines
Victim
23
Why DDoS attack?
  • Extortion
  • Take down systems until they pay
  • Works sometimes too!
  • Example 180 Solutions Aug 2005
  • Botmaster used bots to distribute 180solutions
    addware
  • 180solution shutdown botmaster
  • Botmaster threatened to take down 180solutions if
    not paid
  • When not paid, botmaster use DDoS
  • 180Solutions filed Civil Lawsuit against hackers

24
Botnet Detection
  • Host Based
  • Intrusion Detection Systems (IDS)
  • Anomaly Detection
  • IRC Nicknames
  • HoneyPot and HoneyNet

25
Host-based detection
  • Virus scanning
  • Watching for Symptoms
  • Modification of windows hosts file
  • Random unexplained popups
  • Machine slowness
  • Antivirus not working
  • Watching for Suspicious network traffic
  • Since IRC is not commonly used, any IRC traffic
    is suspicious. Sniff these IRC traffic
  • Check if the host is trying to communicate to any
    Command and Control (CC) Center
  • Through firewall logs, denied connections

26
Network Intrusion Detection Systems
  • Example Systems Snort and Bro
  • Sniff network packets, looks for specific
    patterns (called signatures)
  • If any pattern matches that of a malicious
    binary, then block that traffic and raise alert
  • These systems can efficiently detect virus/worms
    having known signatures
  • Can't detect any malware whose signature is
    unknown (i.e., zero day attack)

27
Anomaly Detection
  • Normal traffic has some patterns
  • Bandwidth/Port usage
  • Byte-level characteristics (histograms)
  • Protocol analysis gather statistics about
  • TCP/UDP src, dest address
  • Start/end of flow, Byte count
  • DNS lookup
  • First learn normal traffic pattern
  • Then detect any anomaly in that pattern
  • Example systems SNMP, NetFlow
  • Problems
  • Poisoning
  • Stealth

28
IRC Nicknames
  • Bots use weird nicknames
  • But they have certain pattern (really!)
  • If we can learn that pattern, we can detect bots
    botnets
  • Example nicknames
  • USA016887436 or DE028509327
  • Country Random number (9 digit)
  • RBOTXP48124
  • Bot type Machine Type Random number
  • Problem May be defeated by changing the nickname
    randomly

29
HoneyPot and HoneyNet
  • HoneyPot is a vulnerable machine, ready to be
    attacked
  • Example unpatched windows 2000 or windows XP
  • Once attacked, the malware is caught inside
  • The malware is analyzed, its activity is
    monitored
  • When it connects to the CC server, the servers
    identity is revealed

30
HoneyPot and HoneyNet
  • Thus many information about the bot is obtained
  • CC server address, master commands
  • Channel, Nickname, Password
  • Now Do the following
  • make a fake bot
  • join the same IRC channel with the same
    nickname/password
  • Monitor who else are in the channel, thus
    observer the botnet
  • Collect statistics how many bots
  • Collect sensitive information who is being
    attacked, when etc..

31
HoneyPot and HoneyNet
  • Finally, take down the botnet
  • HoneyNet a network of honeypots (see the
    HoneyNet Project)
  • Very effective, worked in many cases
  • They also pose great security risk
  • If not maintained properly - Hacker may use them
    to attack others
  • Must be monitored cautiously

32
Summary
  • Today we have learned
  • What is botnet
  • How / why they are used
  • How to detect / prevent

33
Questions ?
Write a Comment
User Comments (0)
About PowerShow.com