AN INSIDE LOOK AT BOTNETS - PowerPoint PPT Presentation

About This Presentation
Title:

AN INSIDE LOOK AT BOTNETS

Description:

... No diffusion accountability Includes scanning capability and launching flooding attacks Efficient GTBOT(global threat)(Aristotles) Based on functions of mIRC ... – PowerPoint PPT presentation

Number of Views:133
Avg rating:3.0/5.0
Slides: 22
Provided by: Kish152
Learn more at: http://www.cs.ucf.edu
Category:

less

Transcript and Presenter's Notes

Title: AN INSIDE LOOK AT BOTNETS


1
AN INSIDE LOOK AT BOTNETS
  • Barford, Paul and Yegneswaran
  • Advances in Information Security, Springer, 2006
  • Kishore Padma Raju

2
INTRODUCTION
  • Attacks for financial gain
  • Proactive methods
  • Understanding of malicious software readily
    available
  • 4 IRC botnet codebases along 7 dimensions

3
ARCHITECTURE
  • AGOBOT (Phatbot)
  • Found in october 2002
  • Sophisticated and best written source code
  • 20,000 lines of c/c
  • High level components
  • IRC based command and control mechanism
  • Large collection of target exploits
  • DOS attacks
  • Harvest the local host

4
  • SDBOT
  • October 2002
  • Simple code in C, 2000 lines
  • IRC based command and control system
  • Easy to extend and so many patches available(DOS
    attacks, information harvesting routines)
  • Motivation for patch dissemination is diffusion
    of accountability

5
  • SPYBOT
  • 3000 lines of C code
  • April 2003
  • Evolved from SDBOT
  • No diffusion accountability
  • Includes scanning capability and launching
    flooding attacks
  • Efficient

6
  • GTBOT(global threat)(Aristotles)
  • Based on functions of mIRC(writes event handlers
    for remote nodes)
  • Capabilities are
  • Port scanning
  • DOS attacks
  • Stored in file mirc.ini
  • Remote execution
  • BNC(proxy system) , psexec.exe
  • Implications

7
BOTNET CONTROL MECHANISMS
  • Communication
  • Command language and control protocols
  • Based onIRC
  • Commands
  • Deny service
  • spam
  • Phish

8
  • Agobot
  • Command language contain Standad IRC and specific
    commands of this bot
  • Bot commands, perform specific function
  • Bot.open
  • Cvar.set
  • Ddos_max_threads

9
  • Sdbot

NICK_USER
PING
001/005
PONG
001/005
JOIN
USERHOST
NICK
PREVMSG/ NOTICE/ TOPIC
302
EST
KICK
353
PART/QUIT
ACTION
RESET
REJOIN
10
  • SPYBOT
  • Command language simple
  • Commands are login, passwords, disconnect,
    reconnect, uninstall, spy, loadclones,killclones
  • GTBOT
  • Simplest
  • Varies across versions
  • Commands are !ver, !scan, !portscan,
    !clone.,!update
  • IMPLICATIONS
  • Now simple
  • Future, encrypted communication
  • Finger printing methods

11
HOST CONTROL MECHANISMS
  • Manipulate victim host
  • AGOBOT
  • Commands to harvest sensitive information(harvest.
    cdkeys, harvest.emails, registry, windowskeys)
  • List and kill processes(pctrl.list, kill,
    killpid)
  • Add or delete autostart entries(inst.asadd,
    asdel)
  • SDBOT
  • Remote execution commands and gather local
    information
  • Patches
  • Host control commands (download, killthread,
    update)

12
  • SPYBOT
  • Control commands for file manipulation, key
    logging, remote command execution
  • Commands are delete, execute, makedir,
    startkeylogger, stopkilllogger, reboot, update.
  • GTBOT
  • Gathering local system information
  • Run or delete local files
  • IMPLICATIONS
  • Underscore the need to patch
  • Stronger protection boundaries
  • Gathering sensitive information

13
PROPAGATION MECHANISMS
  • Search for new host systems
  • Horizontal and vertical scan
  • AGOBOT
  • IP address within network ranges
  • Scan.addnetrange, scan.delnetrange, scan.enable
  • SDBOT
  • Same as agobot
  • NETBIOS scanner
  • Starting and end IP adresses

14
  • SPYBOT
  • Command interface
  • Command
  • Scan ltstartipaddressgt ltportgt ltdelaygtltspreadersgtltlo
    gfilenamegt
  • Example
  • Scan 127.0.0.1 17300 1
    netbios portscan.txt
  • GTBOT
  • Horizontal and vertical scanning
  • IMPLICATIONS
  • Simple scanning methods
  • Source code examination

15
EXPLOITS AND ATTACK MECHANISMS
  • Attack known vulnerabilities on target systems
  • AGOBOT
  • Broadening set of exploits
  • Generic DDOS module
  • Enables seven types of service attacks
  • Ddos.udpflood, synflood, httpflood, phatsyn,
    phaticmp,Phatwonk, targa3, stop.
  • SDBOT
  • UDP and ICMP packets, flooding attacks
  • udp lthostgt ltpktsgt ltpktszgtltdelaygtltportgt and ping
    lthostgt ltpktsgt ltpktszgtlttimeoutgt

16
  • SPYBOT AND GTBOT
  • Same as sdbot
  • IMPLICATIONS
  • Multiple exploits

17
MALWARE DELIVERY MECHANISMS
  • GT/SD/SPY bots deliver exploit and encoded
    malware in single package
  • Agobot
  • Exploit vulnerability and open a shell on remote
    host
  • Encoded binary is then sent using HTTP or FTP.
  • IMPLICATIONS

18
OBFUSCATION MECHANISMS
  • Hide the details
  • Polymorphism
  • AGOBOT
  • POLY_TYPE_XOR
  • POLY_TYPE_SWAP
  • POLY_TYPE_ROR
  • POLY_TYPE_ROL
  • IMPLICATIONS

19
CONCLUSIONS
  • Expanded the knowledge base for security research
  • Lethal classes of internet threats
  • Functional components of botnets

20
WEAKNESSES
  • Study only IRC
  • No Preventive mechanisms
  • No dynamic profiling of botnet executables
  • Insufficient analysis

21
IMPROVEMENTS
  • Dynamic profiling can be executed using some
    tools
  • Botnet monitoring mechanism can be explained
  • Analysis for peer to peer infrastructure
Write a Comment
User Comments (0)
About PowerShow.com