Learn about botnets, their control mechanisms, propagation, exploits, and more. Explore common botnet attributes and specific bot variants such as Agobot and SDBot. Discover how these systems work and the risks they pose.
An Inside Look at Botnets
ARO-DHS Special Workshop on Malware Detection, 2005
Written By: Paul Barford and Vinod Yegneswaran, University of Wisconsin, Madison
Presented By: Jarrod Williams
Outline
• Motivation/Goals
• Botnets
• Botnet Attributes
• Conclusion/Review
Motivation/Goals
• Increase in botnet usage
• Spam, DDoS, identity theft
• The objective of the paper is to understand how botnets work and find commonalities between them
• Botnets studied: Agobot (4.0 Pre-Release), SDBot (05b), SpyBot (1.4), GT Bot with DCOM
Motivation/Goals
• Architecture
• Botnet control mechanisms
• Host control mechanisms
• Propagation mechanisms
• Exploits and attack mechanisms
• Malware delivery mechanisms
• Obfuscation methods
• Deception mechanisms
Botnets
• A collection of compromised computers running software controlled by a single user
• Botnets are controlled by a botmaster
• Compromised host machines are called zombies
• Zombies communicate using IRC
• A botnet can have many different versions of the same bot, making up botnet families
Internet Relay Chat
• IRC is a form of real-time Internet text messaging. It is mainly designed for group communication, but it also allows one-to-one communication via private message and data transfers via direct client-to-client
• Created by Jarkko Oikarinen in August 1988
Botnet Attributes Considered
• Architecture
• Botnet control mechanisms
• Host control mechanisms
• Propagation mechanisms
• Exploits and attack mechanisms
• Malware delivery mechanisms
• Obfuscation methods
• Deception mechanisms
Agobot (4.0 Pre-Release)
• Most sophisticated of the four
• Released October 2002
• Hundreds of variants of this bot; it is also commonly referred to as Phatbot
• Roughly 20,000 lines of C/C++
• The ability to launch different kinds of DoS attacks
• The ability to harvest the local host for PayPal passwords and AOL keys through traffic sniffing, key logging, or searching registry entries
SDBot (05b)
• Fairly simple
• Released October 2002
• Hundreds of variants of this bot
• Slightly over 2,000 lines of C
• Does not include any overtly malicious code modules
• The code is obviously easy to extend and patch
• Patches supply the malicious code an attacker needs
• 80 patches for SDBot were found through internet web searching
SpyBot (1.4)
• Relatively small, like SDBot
• Released April 2003
• Under 3,000 lines of C
• The command and control engine appears to be shared with SDBot, and it likely evolved from SDBot
• Includes NetBIOS/Kuang/Netdevil/KaZaa exploits
• Contains modules for launching flooding attacks and has scanning capabilities
GT Bot with DCOM
• Simple design providing a limited set of functions
• Released April 1998
• Global Threat Bot has hundreds of variants and is also referred to as Aristotles
• Easy to modify, but nothing suggests it was designed with extensibility in mind
• Capabilities include port scanning, DoS attacks, and exploits for RPC and NetBIOS services
• Includes the HideWindow program, which keeps the bot hidden on the local system
Botnet Attributes Considered: Propagation mechanisms
Agobot (4.0 Pre-Release)
• Simple vertical and horizontal scanning
• Scanning is based on the network ranges (network prefixes) that are configured on individual bots
SDBot (05b)
• By virtue of its benign intent, SDBot does not have scanning or propagation capability in its base distribution
• Many variants of SDBot include scanning and propagation capability
SpyBot (1.4)
• Simple command interface for scanning
• Horizontal and vertical scanning capability
• Scans are sequential
• Command: scan <start IP address> <port> <delay> <spreader> <log filename>
• Example: scan 127.0.0.1 17300 1 netbios portscan.txt
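Because the scan command is sent in clear text over the IRC channel, a defender who captures C&C traffic can recognise it by its grammar. The following is an added example (not code from the paper or from any of the bots): it parses raw IRC PRIVMSG lines and flags messages matching the SpyBot scan command shown on the slide. The nicks, hostnames and capture lines are constructed for the example.

```python
import re

# SpyBot scan grammar from the slide: scan <start IP> <port> <delay> <spreader> <logfile>
SCAN_RE = re.compile(
    r"^scan\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d{1,5})\s+"
    r"(?P<delay>\d+)\s+(?P<spreader>\S+)\s+(?P<logfile>\S+)\s*$", re.IGNORECASE)

# IRC PRIVMSG as seen on the wire: ":nick!user@host PRIVMSG #channel :text"
PRIVMSG_RE = re.compile(r"^:(?P<nick>[^!\s]+)!\S+\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")


def parse_scan_command(text):
    """Return the parsed fields of a SpyBot-style scan command, or None if it does not match."""
    m = SCAN_RE.match(text.strip())
    if not m:
        return None
    port = int(m.group("port"))
    octets_ok = all(int(o) <= 255 for o in m.group("ip").split("."))
    if not octets_ok or not 0 < port < 65536:
        return None  # syntactically close, but not a valid target; ignore
    return {"start_ip": m.group("ip"), "port": port, "delay": int(m.group("delay")),
            "spreader": m.group("spreader"), "logfile": m.group("logfile")}


def find_scan_commands(irc_lines):
    """Walk captured IRC traffic and report every PRIVMSG that carries a scan command."""
    hits = []
    for line in irc_lines:
        pm = PRIVMSG_RE.match(line.rstrip("\r\n"))
        if not pm:
            continue  # PING, JOIN, NOTICE and other non-message traffic
        cmd = parse_scan_command(pm.group("text"))
        if cmd:
            cmd["sender"] = pm.group("nick")
            cmd["channel"] = pm.group("target")
            hits.append(cmd)
    return hits


# Constructed sample capture (nicks and hostnames are made up for this example).
SAMPLE_IRC = [
    "PING :irc.example.test",
    ":zombie42!bot@10.0.0.42 JOIN #bots",
    ":alice!a@10.0.0.7 PRIVMSG #bots :hello everyone",
    ":botmaster!bm@c2.example.test PRIVMSG #bots :scan 127.0.0.1 17300 1 netbios portscan.txt",
    ":botmaster!bm@c2.example.test PRIVMSG #bots :scan 10.0.0.1 99999 1 netbios x.txt",
]
```

Running `find_scan_commands(SAMPLE_IRC)` returns one hit for the well-formed command and drops the line with the out-of-range port.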
GT Bot with DCOM
• Includes support for simple horizontal and vertical scanning
Botnet Attributes Considered: Exploits and attack mechanisms
Agobot (4.0 Pre-Release)
• Has the most elaborate set of exploit modules of the four bots analyzed
• Bagle scanner: scans for back doors left by Bagle variants on port 2745
• DCOM scanner: scans for the well-known DCE-RPC buffer overflow
• MyDoom scanner: scans for back doors left by variants of the MyDoom worm on port 3127
• Dameware scanner: scans for vulnerable versions of the Dameware network administration tool
• NetBIOS scanner: brute-force password scanning for open NetBIOS shares
• Radmin scanner: scans for the Radmin buffer overflow
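The propagation slides describe horizontal scanning (one port across many hosts) and vertical scanning (many ports on one host), and the Agobot slide names two backdoor ports it sweeps for, 2745 (Bagle) and 3127 (MyDoom). The following added example (not from the paper) shows how both scan shapes stand out in flow records and tags a horizontal sweep on one of those ports; the thresholds, addresses and flow records are constructed for illustration.

```python
from collections import defaultdict

# Backdoor ports named on the Agobot slide; the labels are for the analyst's benefit.
BACKDOOR_PORTS = {2745: "Bagle backdoor", 3127: "MyDoom backdoor"}


def classify_scans(flows, horiz_threshold=8, vert_threshold=8):
    """flows: iterable of (src_ip, dst_ip, dst_port). Returns a list of scan findings."""
    by_src_port = defaultdict(set)  # (src, dport) -> {dst}: horizontal sweep indicator
    by_src_dst = defaultdict(set)   # (src, dst) -> {dport}: vertical probe indicator
    for src, dst, dport in flows:
        by_src_port[(src, dport)].add(dst)
        by_src_dst[(src, dst)].add(dport)

    findings = []
    for (src, dport), dsts in by_src_port.items():
        if len(dsts) >= horiz_threshold:
            findings.append({"type": "horizontal", "src": src, "port": dport,
                             "count": len(dsts), "note": BACKDOOR_PORTS.get(dport)})
    for (src, dst), ports in by_src_dst.items():
        if len(ports) >= vert_threshold:
            findings.append({"type": "vertical", "src": src, "dst": dst, "count": len(ports)})
    return findings


def build_sample_flows():
    """Constructed flow records: one sweep, one vertical probe, and some benign mail traffic."""
    flows = []
    # Horizontal sweep: one source tries port 2745 on 16 sequential neighbours.
    for i in range(1, 17):
        flows.append(("10.0.0.5", f"10.0.1.{i}", 2745))
    # Vertical probe: one source walks ten ports on a single target.
    for p in (21, 22, 25, 80, 135, 139, 445, 1433, 3389, 8080):
        flows.append(("10.0.0.9", "10.0.2.7", p))
    # Benign: a few distinct hosts each talking to the mail server on port 25.
    for i in range(1, 4):
        flows.append((f"10.0.3.{i}", "10.0.0.25", 25))
    return flows
```

Thresholds this low are only sensible on a constructed sample; on real flow data tune them per network and window.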
SDBot (05b)
• SDBot does not have any exploits packaged in its standard distribution
• It does include modules for sending both UDP and ICMP packets, which could be used for simple flooding attacks
• Other variants of SDBot contain more exploit modules
SpyBot (1.4)
• This version of SpyBot only included a module that attacked open NetBIOS shares
• The DDoS interface is closely related to SDBot's and includes the capability to launch simple UDP, ICMP, and TCP SYN floods
• Other variants of SpyBot contain more exploit modules
GT Bot with DCOM
• Developed to include RPC-DCOM exploits
• Has the capability to launch simple ICMP floods
• Other variants of GT Bot contain DDoS capabilities such as UDP and TCP SYN floods, as well as other known exploits
Botnet Attributes Considered: Deception mechanisms
Agobot (4.0 Pre-Release)
• Of the four bots analyzed, only Agobot had elaborate deception mechanisms
• Mechanisms included:
• Tests for debuggers such as OllyDebug, SoftIce and Procdump
• Test for VMware
• Killing anti-virus processes
• Altering DNS entries of anti-virus software companies to point to the local host
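Redirecting anti-virus vendors' names to the local host leaves a durable artifact on the infected machine. The following added example (not from the paper or from Agobot) assumes the redirection is done through the system hosts file, which is one common way to do it, and checks that file for vendor names mapped to a loopback or unspecified address. The vendor domain list and the sample hosts file are constructed for the example.

```python
import ipaddress

# Illustrative list of security-vendor domains to watch; extend it for your environment.
WATCHED_DOMAINS = ("symantec.com", "mcafee.com", "kaspersky.com",
                   "sophos.com", "trendmicro.com", "windowsupdate.com")


def parse_hosts(text):
    """Parse hosts-file text into (line_number, ip_address, hostname) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; malformed line, skip it
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def find_sinkholed_vendors(text, watched=WATCHED_DOMAINS):
    """Report watched vendor names that resolve to loopback (127/8, ::1) or 0.0.0.0."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        if any(name == d or name.endswith("." + d) for d in watched):
            findings.append({"line": lineno, "address": str(addr), "host": name})
    return findings


# Constructed sample hosts file with two tampered lines among normal entries.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com liveupdate.symantec.com
0.0.0.0         update.kaspersky.com   # trailing comment
10.1.2.3        intranet.example.test
"""
```

Run `find_sinkholed_vendors(open(path).read())` against the host's actual file during triage; the normal `localhost` lines produce no finding.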
Conclusion
• Botnets are widely used and communicate using IRC
• The paper describes the functional components of botnets, categorized into eight attributes
• Understand your enemy
Strengths
• Presents information on the different bots in an organized fashion
• Is the first step toward codifying botnet capabilities
Weaknesses
• Only presents a high-level overview of a limited number of bots, and only one specific version of each bot
• More attention should be paid to a bot family rather than a specific bot
References
• An Inside Look at Botnets: http://pages.cs.wisc.edu/~pb/botnets_final.pdf
• Wikipedia, Botnet: http://en.wikipedia.org/wiki/Botnet
• Wikipedia, IRC: http://en.wikipedia.org/wiki/IRC