210 likes | 307 Vues
Delve into the fascinating world of botnets with detailed insights on architectures, control mechanisms, and potential impacts on cybersecurity. Explore the methods used by Agobot, SDBOT, Spybot, and GTBOT, as well as implications and mechanisms for host control, propagation, exploits, and malware delivery.
E N D
AN INSIDE LOOK AT BOTNETS Barford, Paul and Yegneswaran Advances in Information Security, Springer, 2006 KishorePadmaRaju
INTRODUCTION • Attacks for financial gain • Proactive methods • Understanding of malicious software readily available • 4 IRC botnet codebases along 7 dimensions
ARCHITECTURE • AGOBOT (Phatbot) • Found in october 2002 • Sophisticated and best written source code • 20,000 lines of c/c++ • High level components • IRC based command and control mechanism • Large collection of target exploits • DOS attacks • Harvest the local host
SDBOT • October 2002 • Simple code in C, 2000 lines • IRC based command and control system • Easy to extend and so many patches available(DOS attacks, information harvesting routines) • Motivation for patch dissemination is diffusion of accountability
SPYBOT • 3000 lines of C code • April 2003 • Evolved from SDBOT • No diffusion accountability • Includes scanning capability and launching flooding attacks • Efficient
GTBOT(global threat)(Aristotles) • Based on functions of mIRC(writes event handlers for remote nodes) • Capabilities are • Port scanning • DOS attacks • Stored in file mirc.ini • Remote execution • BNC(proxy system) , psexec.exe • Implications
BOTNET CONTROL MECHANISMS • Communication • Command language and control protocols • Based onIRC • Commands • Deny service • spam • Phish
Agobot • Command language contain Standad IRC and specific commands of this bot • Bot commands, perform specific function • Bot.open • Cvar.set • Ddos_max_threads
Sdbot NICK_USER PING 001/005 PONG 001/005 JOIN USERHOST NICK PREVMSG/ NOTICE/ TOPIC 302 EST KICK 353 PART/QUIT REJOIN RESET ACTION
SPYBOT • Command language simple • Commands are login, passwords, disconnect, reconnect, uninstall, spy, loadclones,killclones • GTBOT • Simplest • Varies across versions • Commands are !ver, !scan, !portscan, !clone.*,!update • IMPLICATIONS • Now simple • Future, encrypted communication • Finger printing methods
HOST CONTROL MECHANISMS • Manipulate victim host • AGOBOT • Commands to harvest sensitive information(harvest.cdkeys, harvest.emails, registry, windowskeys) • List and kill processes(pctrl.list, kill, killpid) • Add or delete autostart entries(inst.asadd, asdel) • SDBOT • Remote execution commands and gather local information • Patches • Host control commands (download, killthread, update)
SPYBOT • Control commands for file manipulation, key logging, remote command execution • Commands are delete, execute, makedir, startkeylogger, stopkilllogger, reboot, update. • GTBOT • Gathering local system information • Run or delete local files • IMPLICATIONS • Underscore the need to patch • Stronger protection boundaries • Gathering sensitive information
PROPAGATION MECHANISMS • Search for new host systems • Horizontal and vertical scan • AGOBOT • IP address within network ranges • Scan.addnetrange, scan.delnetrange, scan.enable • SDBOT • Same as agobot • NETBIOS scanner • Starting and end IP adresses
SPYBOT • Command interface • Command Scan <startipaddress> <port> <delay><spreaders><logfilename> • Example Scan 127.0.0.1 17300 1 netbios portscan.txt • GTBOT • Horizontal and vertical scanning • IMPLICATIONS • Simple scanning methods • Source code examination
EXPLOITS AND ATTACK MECHANISMS • Attack known vulnerabilities on target systems • AGOBOT • Broadening set of exploits • Generic DDOS module • Enables seven types of service attacks • Ddos.udpflood, synflood, httpflood, phatsyn, phaticmp,Phatwonk, targa3, stop. • SDBOT • UDP and ICMP packets, flooding attacks • udp <host> <#pkts> <pktsz><delay><port> and ping <host> <#pkts> <pktsz><timeout>
SPYBOT AND GTBOT • Same as sdbot • IMPLICATIONS • Multiple exploits
MALWARE DELIVERY MECHANISMS • GT/SD/SPY bots deliver exploit and encoded malware in single package • Agobot • Exploit vulnerability and open a shell on remote host • Encoded binary is then sent using HTTP or FTP. IMPLICATIONS
OBFUSCATION MECHANISMS • Hide the details • Polymorphism • AGOBOT • POLY_TYPE_XOR • POLY_TYPE_SWAP • POLY_TYPE_ROR • POLY_TYPE_ROL • IMPLICATIONS
CONCLUSIONS • Expanded the knowledge base for security research • Lethal classes of internet threats • Functional components of botnets
WEAKNESSES • Study only IRC • No Preventive mechanisms • No dynamic profiling of botnet executables • Insufficient analysis
IMPROVEMENTS • Dynamic profiling can be executed using some tools • Botnet monitoring mechanism can be explained • Analysis for peer to peer infrastructure