Embed Size (px)
Citation preview
CAP6135: Malware and Software Vulnerability Analysis
BotnetsCliff Zou
Spring 2012
2
Acknowledgement
This lecture uses some contents from the lecture notes from:
Dr. Dawn Song: CS161: computer security Richard Wang – SophosLabs: The Development of
Botnets Randy Marchany - VA Tech IT Security Lab: Botnets
3
Botnets
Collection of compromised hosts Spread like worms and viruses Once installed, respond to remote commands
A network of ‘bots’ robot :
an automatic machine that can be programmed to perform specific tasks.
Also known as ‘zombies’
4
Platform for many attacks Spam forwarding (70% of all spam?) Click fraud Keystroke logging Distributed denial of service attacks
Serious problem Top concern of banks, online merchants Vint Cerf: ¼ of hosts connected to Internet
5
What are botnets used for?
6
IRC (Internet Relay Chat) based Control
7
IRC (Internet Relay Chat) based Control
8
Why IRC?
IRC servers are: freely available easy to manage easy to subvert
Attackers have experience with IRC IRC bots usually have a way to
remotely upgrade victims with new payloads to stay ahead of security efforts
9
How bad is the problem?
Symantec identified a 400K node botnet
Netadmin in the Netherlands discovered 1-2M unique IPs associated with Phatbot infections. Phatbot harvests MyDoom and Bagel
infected machines. Researchers in Gtech monitored
thousands of botnets
10
Spreading Problem
Spreading mechanism is a leading cause of background noise Port 445, 135, 139, 137 accounted for
80% of traffic captured by German Honeynet Project
Other ports 2745 – bagle backdoor 3127 – MyDoom backdoor 3410 – Optix trojan backdoor 5000 – upnp vulnerability
Most commonly used Bot families
Agobot
SDBot
SpyBot
GT Bot
Agobot
Most sophisticated 20,000 lines C/C++ code IRC based command/control Large collection of target exploits Capable of many DoS attack types Shell encoding/polymorphic obfuscation Traffic sniffers/key logging Defend/fortify compromised system Ability to frustrate dissassembly
SDBot Simpler than Agobot, 2,000 lines C code Non-malicious at base Utilize IRC-based command/control Easily extended for malicious purposes
Scanning DoS Attacks Sniffers Information harvesting Encryption
SpyBot <3,000 lines C code Possibly evolved from SDBot
Similar command/control engine No attempts to hide malicious purposes
GT Bot Functions based on mIRC scripting
capabilities HideWindow program hides bot on
local system Basic rootkit function
Port scanning, DoS attacks, exploits for RPC and NetBIOS
Variance in codebase size, structure, complexity, implementation
Convergence in set of functions Possibility for defense systems effective across
bot families Bot families extensible Agobot likely to become dominant
All of the above use IRC for command/control
Disrupt IRC, disable bots Sniff IRC traffic for commands Shutdown channels used for Botnets
IRC operators play central role in stopping botnet traffic
But a botnet could use its own IRC server Automated traffic identification required Future botnets may move away from IRC
Move to P2P communication Traffic fingerprinting still useful for
identification
Control
Host control
Fortify system against other malicious attacks
Disable anti-virus software Harvest sensitive information
PayPal, software keys, etc. Economic incentives for botnets
Stresses need to patch/protect systems prior to attack
Stronger protection boundaries required across applications in OSes
19
Example Botnet Commands
Connection CLIENT: PASS <password> HOST : (if error, disconnect) CLIENT: NICK <nick> HOST : NICKERROR | CONNECTED
Pass hierarchy info BOTINFO <nick> <connected_to>
<priority> BOTQUIT <nick>
20
Example Botnet Commands
IRC Commands CHANJOIN <tag> <channel> CHANPART <tag> <channel> CHANOP <tag> <channel> CHANKICK <tag> <channel> CHANBANNED <tag> <channel> CHANPRIORITY <ircnet> <channel>
<LOW/NORMAL/HIGH>
21
Example Botnet Commands
pstore Display all usernames/passwords stored
in browsers of infected systems bot.execute
Run executable on remote system bot.open
Reads file on remote computer bot.command
Runs command with system()
22
Example Botnet Commands
http.execute Download and execute file through http ftp.execute
ddos.udpflood ddos.synflod ddos.phaticmp redirect.http redirect.socks
23
Current Botnet Control Architecture
bot bot
C&C
botmaster
bot
C&C
•More than one C&C server•Spread all around the world
24
Botnet Monitor: Gatech KarstNet
A lot bots use Dyn-DNS name to find C&C
bot
bot
C&C
attacker
C&C
KarstNet sinkhole
cc1.com KarstNet informs DNS
provider of cc1.com Detect cc1.com by its abnormal
DNS queries
DNS provider maps cc1.com to Gatech sinkhole (DNS hijack)
bot
All/most bots attempt to connect the sinkhole
Botnet Monitor: Honeypot Spy Security researchers set up honeypots
Honeypots: deliberately set up vulnerable machines When compromised, put close monitoring of malware’s
behaviors Tutorial: http://en.wikipedia.org/wiki/Honeypot_%28computing
%29 When compromised honeypot joins a botnet
Passive monitoring: log all network traffic Active monitoring: actively contact other bots to obtain more
information (neighborhood list, additional c&c, etc.) Representative research paper:
A multifaceted approach to understanding the botnet phenomenon, Abu Rajab, Moheeb and Zarfoss, Jay and Monrose, Fabian and Terzis, Andreas, 6th ACM SIGCOMM conference on Internet measurement (IMC), 2006.
25
26
The Future Generation of Botnets
Peer-to-Peer C&C
Polymorphism
Anti-honeypot
Rootkit techniques
