Bots and Botnets plus Forensic analysis of a bot
Introduction • Wayne Hauber • Computer consultant since 1984 at Iowa State University • Started analyzing bots as a major focus in 2002
Bots and Botnets • Bot – nothing more than a remotely controlled program • A collection of bots controlled from a central source is a botnet • Most bots have their origin in some segment of the IRC community • Botnet controllers are either public IRC servers or custom private IRC servers
Not New • Floodbots appeared at ISU in early 1990s. Mostly a nuisance to staff from fringe IRC users • First SYN Flood denial of service attacks in 1997 • See the Hank Nussbacher presentation for a good chronology
What is new • Organization • Talent • Skills • Complete disregard for the values of mainstream society
Pubstros/distros • In late 2001 and early 2002, the first Pubstros appeared at ISU • Pubstros are servers created on a vulnerable system • They serve movies, games, software and pornography • Usually some other software is installed, expect password crackers, keyloggers, proxies and network scanners
Pubstros/distros • Pubstros were created by a highly organized and developed society of IRC users • Pubstro/distro tutorials were published on the web
Pubstros/distros • Hierarchical duties were assigned to those establishing pubstros • One group scanned for proxy systems and installed scanning tools • Another group scanned for vulnerable systems and posted a list • Another group laid down the server and the contraband • Quotas determined status in the group
Pubstros/distros • A group in the far east supplies movies often prior to US release dates
Pubstros/distros • At ISU, we locate some pubstros because they are in our top-20 network traffic list • Others are detected because they “look the same” as a top-20 pubstro • Some are detected because netflow monitoring picks up other activity • Some are detected when a hacker is clumsy
Pubstros/distros • Becoming more sophisticated • Are well hidden – Hacker Defender is a suite of tools to hide your favorite trojan • Still common – I detected a pubstro on a departmental server at 5:00 p.m. last night!
Organized crime • See From Russia with Malice handout http://www.vnunet.com/analysis/1160302
IRC Society • Slides are from a presentation by Hank Nussbacher http://www.interall.co.il/presentations/first-16.pdf
Frequency of attacks • Page 84 of Nussbacher presentation • Page 32 of the Vunderink presentation http://www.garion.org/tmp/ircdrones.pdf
Size of botnets • It is common to see botnets with a strength of 1,000 to 2,000 bots • One record botnet had a strength of hundreds of thousands of bots
Easy tools • Tools that we have seen at ISU have grown in sophistication and power • Professional hackers are writing tools • Many of today’s new viruses are nothing more than hacker tools in active use • Quote from page 14 of Vunderink presentation
Easy Tools • Sdbot • Korgo • Optix • Spybot
Optix – a sdbot variant • Detailed Description: The backdoor's file is a PE executable about 93 kilobytes long, packed with Yoda and PECompact file compressors. • When the backdoor's file is started, it copies itself as SNDCFG16.EXE to the Windows System folder, sets hidden, system and read-only attributes for itself and then creates the following startup keys in the Registry… • The backdoor monitors Registry changes and re-creates these keys if they are deleted or modified.
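A host-side check for the persistence just described, as an added example that is not from the deck or the antivirus write-up: it tests whether the dropped file carries the hidden, system and read-only attributes and whether a Run entry launches it. The slide elides the exact Registry keys, so the standard Run locations enumerated here are an assumption, as are the sample entries in the test.

```python
import os
import sys

DROPPER_NAME = "SNDCFG16.EXE"
SUSPECT_BITS = 0x1 | 0x2 | 0x4  # Win32 READONLY | HIDDEN | SYSTEM, all set by the bot

def has_suspect_attrs(attr_bits):
    """True when hidden, system and read-only are all set on a file."""
    return attr_bits & SUSPECT_BITS == SUSPECT_BITS

def run_entries_referencing(entries, name=DROPPER_NAME):
    """Keep (key, value_name, command) entries whose command launches `name`."""
    return [e for e in entries if name.lower() in e[2].lower()]

def read_run_entries():
    """Enumerate the standard Run keys (assumption: the slide elides the exact
    keys the bot writes). Returns [] when not running on Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    base = r"Software\Microsoft\Windows\CurrentVersion"
    keys = [(winreg.HKEY_LOCAL_MACHINE, base + r"\Run"),
            (winreg.HKEY_LOCAL_MACHINE, base + r"\RunServices"),
            (winreg.HKEY_CURRENT_USER, base + r"\Run")]
    entries = []
    for hive, sub in keys:
        try:
            with winreg.OpenKey(hive, sub) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, value, _ = winreg.EnumValue(key, i)
                    entries.append((sub, name, str(value)))
        except OSError:
            pass  # key absent or not readable
    return entries

def check_host():
    """Return findings for the dropped file and any Run entry that starts it."""
    findings = []
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32", DROPPER_NAME)
    if sys.platform == "win32" and os.path.exists(path):
        if has_suspect_attrs(os.stat(path).st_file_attributes):
            findings.append(("file", path))
    for sub, name, cmd in run_entries_referencing(read_run_entries()):
        findings.append(("registry", sub, name, cmd))
    return findings

if __name__ == "__main__":
    print(check_host() or "no SDBot.MB/Optix persistence indicators found")
```

Because the bot re-creates its keys when they are removed, a Regmon trace showing the keys being rewritten right after deletion is the corroborating sign to look for.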
Optix – a sdbot variant • SDBot.MB kills the processes of security and anti-virus software and also processes of certain malware (for example Bagle). The processes with the following names are killed: • regedit.exe msconfig.exe …a long list…
Optix – a sdbot variant • The backdoor can scan for vulnerable computers using different types of exploits and tries to locate other backdoors installed on remote hosts. Here's the list of scanner capabilities: • WebDav (port 80) • NetBios (port 139) • NTPass (port 445) • DCom (ports 135, 1025) • DCom2 (port 135) • MSSQL (port 1433) • LSASS (port 445) • UPNP (port 5000) • Optix backdoor (port 3140) • Bagle backdoor (port 2745) • Kuang backdoor (port 17300) • Mydoom backdoor (port 3127) • NetDevil backdoor (port 903) • SubSeven backdoor (port 27347) • DameWare remote management software (port 6129)
Optix – a sdbot variant • The backdoor starts IDENTD server on port 113. • A hacker can control the backdoor via a bot that it creates in a certain IRC channel.
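The scanner port list and IRC control channel above, together with the netflow-based detection mentioned on the pubstro slides, as an added Python example that is not part of the original deck: it ranks sources by bytes sent (the top-20 view) and flags a host that sweeps many neighbours on one of the listed ports while also holding an IRC session. The flow records are constructed and the IRC port set is an assumption.

```python
from collections import defaultdict

# Ports the slide lists as the bot's exploit and backdoor scan targets.
SCAN_PORTS = {80, 139, 445, 135, 1025, 1433, 5000, 3140, 2745,
              17300, 3127, 903, 27347, 6129}
# Port 80 is left out of the sweep heuristic: ordinary browsing also fans
# out to many hosts on 80 and would swamp the result with false positives.
SWEEP_PORTS = SCAN_PORTS - {80}
IRC_PORTS = {6667, 6668, 6669}  # assumption: typical IRC controller ports

def parse_flows(text):
    """Parse constructed 'src dst dport bytes' records into tuples."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport, nbytes = line.split()
        flows.append((src, dst, int(dport), int(nbytes)))
    return flows

def top_talkers(flows, n=20):
    """Sources ranked by bytes sent: the slide's top-20 traffic view."""
    total = defaultdict(int)
    for src, _, _, nbytes in flows:
        total[src] += nbytes
    return sorted(total, key=total.get, reverse=True)[:n]

def bot_profile(flows, min_targets=10):
    """Flag sources that hit >= min_targets distinct hosts on one sweep port,
    and record any IRC peer they also talk to (the likely controller)."""
    targets = defaultdict(lambda: defaultdict(set))
    irc = defaultdict(set)
    for src, dst, dport, _ in flows:
        if dport in SWEEP_PORTS:
            targets[src][dport].add(dst)
        elif dport in IRC_PORTS:
            irc[src].add(dst)
    report = {}
    for src, by_port in targets.items():
        sweeps = sorted(p for p, d in by_port.items() if len(d) >= min_targets)
        if sweeps:
            report[src] = {"sweeps": sweeps, "irc": sorted(irc.get(src, ()))}
    return report

# Constructed sample: one host sweeping the LSASS/NTPass and DCom ports while
# holding an IRC session, one normal web client, one pubstro-like top talker.
SAMPLE = "\n".join(
    [f"10.1.2.3 10.1.2.{i} 445 120" for i in range(10, 30)]
    + [f"10.1.2.3 10.1.2.{i} 135 96" for i in range(10, 30)]
    + ["10.1.2.3 192.0.2.5 6667 4500"]
    + [f"10.1.2.50 198.51.100.{i} 80 8000" for i in range(1, 15)]
    + ["10.1.2.60 203.0.113.7 80 900000000"])
```

Run `bot_profile(parse_flows(SAMPLE))` to see the sweeping host reported with its IRC peer, and `top_talkers(...)` to see the pubstro-like host at the head of the byte ranking.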
Optix – a sdbot variant • Backdoor capabilities are the following: • start HTTP server on an infected computer • start FTP server on an infected computer • scan for vulnerable computers (open ports and exploits) • make use of exploits and spread to remote computers
Optix – a sdbot variant • start/stop keylogger • get system information including information about OS, network and drives • operate backdoor's bot (nick change, dcc send/receive, join/part channels, etc.) • perform DDoS (Distributed Denial of Service) attack, SYN, ICMP, UDP flood
Optix – a sdbot variant • find, download and run files • search for passwords • start/stop remote services • create/delete remote shares • flush DNS cache
Optix – a sdbot variant • ping any host • list, start and kill processes • sniff network traffic • start remote command shell • capture video from a webcam
Optix – a sdbot variant • capture a screenshot • redirect traffic on certain ports • perform portscan • send e-mails (work as an e-mail proxy) • open a URL with default web browser
SDBot.MB steals CD keys for the following games if they are installed on an infected computer: Counter-Strike (Retail), The Gladiators, Gunman Chronicles, Half-Life, Industry Giant 2, Legends of Might and Magic, Soldiers Of Anarchy, Unreal Tournament 2003, Unreal Tournament 2004, IGI 2: Covert Strike, Freedom Force, Battlefield 1942, Battlefield 1942 (Road To Rome), Battlefield 1942 (Secret Weapons of WWII), Battlefield Vietnam, Black and White, Command and Conquer: Generals (Zero Hour), James Bond 007: Nightfire, Command and Conquer: Generals, Global Operations, Medal of Honor: Allied Assault, Medal of Honor: Allied Assault: Breakthrough, Medal of Honor: Allied Assault: Spearhead, Need For Speed Hot Pursuit 2, Need For Speed: Underground, Shogun: Total War: Warlord Edition, FIFA 2002, FIFA 2003, NHL 2002, NHL 2003, Nascar Racing 2002, Nascar Racing 2003, Rainbow Six III RavenShield, Command and Conquer: Tiberian Sun, Command and Conquer: Red Alert, Command and Conquer: Red Alert 2, NOX, Chrome, Hidden & Dangerous 2, Soldier of Fortune II - Double Helix, Neverwinter Nights, Neverwinter Nights (Shadows of Undrentide), Neverwinter Nights (Hordes of the Underdark). Also the backdoor steals the Microsoft Windows Product ID.
Protecting client systems • Comments from Vunderink
Some conclusions • Security threats have changed • Our clients have no idea that the security paradigm has changed • Policy makers do not know that security threats have changed • I am less pessimistic than Vunderink. I think that we will succeed in educating policy makers…but we won’t succeed in educating our clients.
References
1. A good overview of BotNets: Malicious Bots Threaten Network Security, David Geer. IEEE Computer, January 2005
2. An article that provides examples of organized crime and botnets: From Russia with Malice, http://www.vnunet.com/analysis/1160302
3. Slides from a presentation that provide a good history of DDOS and techniques for fighting DDOS: Fighting Internet Diseases: DDos, worms and miscreants, Hank Nussbacher and Nicolas Fishbach. http://www.interall.co.il/presentations/first-16.pdf
4. Slides from a presentation by an IRC administrator who is fighting botnets: IRC and Drones: Investigating botnets on IRC, Joost "Garion" Vunderink. http://www.garion.org/tmp/ircdrones.pdf
5. A paper that presents a complete forensic analysis of a compromised system: GIAC Certified Forensic Analyst (GCFA) Practical Assignment, Jennifer Kolde, SANS Institute. http://www.giac.org/practical/GCFA/Jennifer_Kolde_GCFA.pdf
Hank Nussbacher’s picks for DDOS references • A large number of papers and presentations can be found at the public page: https://puck.nether.net/mailman/listinfo/nsp-security • In addition, I have found these to be useful: http://staff.washington.edu/dittrich/misc/ddos/ • http://www.linuxsecurity.com/resource_files/intrusion_detection/ddos-faq.html • http://www.networkcomputing.com/1201/1201f1c1.html • http://www.sans.org/dosstep/index.php • http://downloads.securityfocus.com/library/sn_ddos.doc
Other good references • A good overview of DDOS http://www.cisco.com/en/US/about/ac123/ac147/archived_issues/ipj_7-4/dos_attacks.html • Using SNORT to detect rogue IRC Bot Programs http://www.giac.org/certified_professionals/practicals/gsec/4095.php
My slides http://tech.ait.iastate.edu/winsecurity/presentations/infraguard.ppt
Detecting a new bot • Good free tools from sysinternals.com • TCPView • Process Explorer • Autoruns • Regmon • Filemon • RootkitRevealer