1. Bots and Botnets plus Forensic analysis of a bot

  2. Introduction • Wayne Hauber • Computer consultant since 1984 at Iowa State University • Started analyzing bots as a major focus in 2002

  3. Bots and Botnets • Bot – nothing more than a remotely controlled program • A collection of bots controlled at a central source are botnets • Most bots have their origin in some segment of the IRC community • Botnet controllers are either public IRC servers or custom private IRC servers

  4. Not New • Floodbots appeared at ISU in early 1990s. Mostly a nuisance to staff from fringe IRC users • First SYN Flood denial of service attacks in 1997 • See the Hank Nussbacher presentation for a good chronology

  5. What is new • Organization • Talent • Skills • Complete disregard for the values of mainstream society

  6. IRC Society drives the problem

  7. Pubstros/distros • In late 2001 and early 2002, the first Pubstros appeared at ISU • Pubstros are servers created on a vulnerable system • They serve movies, games, software and pornography • Usually some other software is installed, expect password crackers, keyloggers, proxies and network scanners

  8. Pubstros/distros • Pubstros were created by a highly organized and developed society of IRC users • Pubstro/distro tutorials were published on the web

9. Pubstros/distros • Hierarchical duties were assigned to those establishing pubstros • One group scanned for proxy systems and installed scanning tools • Another group scanned for vulnerable systems and posted a list • Another group laid down the server and the contraband • Quotas determined status in the group

10. Pubstros/distros • A group in the Far East supplies movies, often prior to US release dates

  11. Pubstros/distros • At ISU, we locate some pubstros because they are in our top-20 network traffic list • Others are detected because they “look the same” as a top-20 pubstro • Some are detected because other activity is detected by netflow monitoring • Some are detected when a hacker is clumsy

  12. Pubstros/distros • Becoming more sophisticated • Are well hidden – Hacker Defender is a suite of tools to hide your favorite trojan • Still common – I detected a pubstro on a departmental server at 5:00 p.m. last night!

  13. Organized crime • See From Russia with Malice handout

  14. IRC Society • Slides are from a presentation by Hank Nussbacher

  15. Frequency of attacks • Page 84 of Nussbacher presentation • Page 32 of the Vunderink presentation

  16. Size of botnets • It is common to see botnets with a strength of 1,000 to 2,000 bots • One record botnet had a strength of hundreds of thousands of bots

  17. Easy tools • Tools that we have seen at ISU have grown in sophistication and power • Professional hackers are writing tools • Many of today’s new viruses are nothing more than hacker tools in active use • Quote from page 14 of Vunderink presentation

  18. Easy Tools • Sdbot • Korgo • Optix • Spybot

19. Optix – a sdbot variant • Detailed Description: The backdoor's file is a PE executable about 93 kilobytes long, packed with Yoda and PECompact file compressors. • When the backdoor's file is started, it copies itself as SNDCFG16.EXE to the Windows System folder, sets hidden, system and read-only attributes for itself and then creates the following startup keys in the Registry… • The backdoor monitors Registry changes and re-creates these keys if they are deleted or modified.

  20. Optix – a sdbot variant • SDBot.MB kills the processes of security and anti-virus software and also processes of certain malware (for example Bagle). The processes with the following names are killed: • regedit.exe msconfig.exe …a long list…

21. Optix – a sdbot variant • The backdoor can scan for vulnerable computers using different types of exploits and tries to locate other backdoors installed on remote hosts. Here's the list of scanner capabilities: • WebDav (port 80) • NetBios (port 139) • NTPass (port 445) • DCom (ports 135, 1025) • DCom2 (port 135) • MSSQL (port 1433) • LSASS (port 445) • UPNP (port 5000) • Optix backdoor (port 3140) • Bagle backdoor (port 2745) • Kuang backdoor (port 17300) • Mydoom backdoor (port 3127) • NetDevil backdoor (port 903) • SubSeven backdoor (port 27347) • DameWare remote management software (port 6129)

  22. Optix – a sdbot variant • The backdoor starts IDENTD server on port 113. • A hacker can control the backdoor via a bot that it creates in a certain IRC channel.
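As an added illustration, not taken from the slides, of how the netflow-based detection described on slide 11 (top-20 traffic list, hosts that "look the same") and the scanning and IRC-control behaviour on slides 21 and 22 can be turned into concrete checks, the Python below ranks top talkers, flags hosts sweeping the bot's exploit ports, and correlates that with outbound IRC sessions. The flow records, thresholds and the assumption that the controller uses port 6667 are constructed for the example.

```python
from collections import defaultdict

# Constructed sample flow records (src, dst, dst_port, bytes); not real ISU data.
# 10.0.0.5 serves large transfers on port 21 (pubstro-like), 10.0.0.9 sweeps
# 445/135 across many hosts and talks to an IRC server, 10.0.0.7 is a normal
# client that happens to use IRC legitimately.
FLOWS = (
    [("10.0.0.5", f"198.51.100.{i}", 21, 50_000_000) for i in range(1, 6)]
    + [("10.0.0.9", f"10.0.1.{i}", 445, 120) for i in range(1, 40)]
    + [("10.0.0.9", f"10.0.1.{i}", 135, 96) for i in range(1, 40)]
    + [("10.0.0.9", "203.0.113.7", 6667, 4_200)]
    + [("10.0.0.7", "192.0.2.10", 443, 300_000),
       ("10.0.0.7", "203.0.113.7", 6667, 800)]
)

# Ports the SDBot variant on slide 21 probes, plus an assumed IRC controller port.
SCAN_PORTS = {80, 139, 445, 135, 1025, 1433, 5000, 3140, 2745,
              17300, 3127, 903, 27347, 6129}
IRC_PORT = 6667  # assumption: standard IRC port used by the botnet controller


def top_talkers(flows, n=20):
    """Hosts ranked by bytes sent; pubstros tend to land in this list."""
    total = defaultdict(int)
    for src, _dst, _port, nbytes in flows:
        total[src] += nbytes
    return sorted(total.items(), key=lambda kv: kv[1], reverse=True)[:n]


def scan_suspects(flows, min_targets=20):
    """Hosts touching many distinct peers on the bot's exploit ports."""
    targets = defaultdict(set)
    for src, dst, port, _nbytes in flows:
        if port in SCAN_PORTS:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def irc_peers(flows):
    """Hosts with outbound IRC sessions; alone this is noisy, so cross-check."""
    return {src for src, _dst, port, _nbytes in flows if port == IRC_PORT}


def likely_bots(flows):
    """Scanner plus IRC session: the control pattern slides 21-22 describe."""
    return sorted(set(scan_suspects(flows)) & irc_peers(flows))
```

The IRC check on its own would also flag 10.0.0.7, which is why the function only reports hosts that both scan and hold an IRC session.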

  23. Optix – a sdbot variant • Backdoor capabilities are the following: • start HTTP server on an infected computer • start FTP server on an infected computer • scan for vulnerable computers (open ports and exploits) • make use of exploits and spread to remote computers

  24. Optix – a sdbot variant • start/stop keylogger • get system information including information about OS, network and drives • operate backdoor's bot (nick change, dcc send/receive, join/part channels, etc.) • perform DDoS (Distributed Denial of Service) attack, SYN, ICMP, UDP flood

  25. Optix – a sdbot variant • find, download and run files • search for passwords • start/stop remote services • create/delete remote shares • flush DNS cache

  26. Optix – a sdbot variant • ping any host • list, start and kill processes • sniff network traffic • start remote command shell • capture video from a webcam

  27. Optix – a sdbot variant • capture a screenshot • redirect traffic on certain ports • perform portscan • send e-mails (work as an e-mail proxy) • open a URL with default web browser

28. SDBot.MB steals CD keys for the following games if they are installed on an infected computer: Counter-Strike (Retail), The Gladiators, Gunman Chronicles, Half-Life, Industry Giant 2, Legends of Might and Magic, Soldiers Of Anarchy, Unreal Tournament 2003, Unreal Tournament 2004, IGI 2: Covert Strike, Freedom Force, Battlefield 1942, Battlefield 1942 (Road To Rome), Battlefield 1942 (Secret Weapons of WWII), Battlefield Vietnam, Black and White, Command and Conquer: Generals (Zero Hour), James Bond 007: Nightfire, Command and Conquer: Generals, Global Operations, Medal of Honor: Allied Assault, Medal of Honor: Allied Assault: Breakthrough, Medal of Honor: Allied Assault: Spearhead, Need For Speed Hot Pursuit 2, Need For Speed: Underground, Shogun: Total War: Warlord Edition, FIFA 2002, FIFA 2003, NHL 2002, NHL 2003, Nascar Racing 2002, Nascar Racing 2003, Rainbow Six III RavenShield, Command and Conquer: Tiberian Sun, Command and Conquer: Red Alert, Command and Conquer: Red Alert 2, NOX, Chrome, Hidden & Dangerous 2, Soldier of Fortune II - Double Helix, Neverwinter Nights, Neverwinter Nights (Shadows of Undrentide), Neverwinter Nights (Hordes of the Underdark). Also the backdoor steals the Microsoft Windows Product ID.

  29. Protecting client systems Comments from Vunderink

  30. Some conclusions • Security threats have changed

  31. Some conclusions • Security threats have changed • Our clients have no idea that the security paradigm has changed

  32. Some conclusions • Security threats have changed • Our clients have no idea that the security paradigm has changed • Policy makers do not know that security threats have changed

  33. Some conclusions • Security threats have changed • Our clients have no idea that the security paradigm has changed • Policy makers do not know that security threats have changed • I am less pessimistic than Vunderink. I think that we will succeed in educating policy makers…but we won’t succeed in educating our clients.

34. References • 1. A good overview of botnets: Malicious Bots Threaten Network Security, David Geer. IEEE Computer, January 2005 • 2. An article that provides examples of organized crime and botnets: From Russia with Malice, • 3. Slides from a presentation that provide a good history of DDOS and techniques for fighting DDOS: Fighting Internet Diseases: DDos, worms and miscreants, Hank Nussbacher and Nicolas Fishbach. • 4. Slides from a presentation by an IRC administrator who is fighting botnets: IRC and Drones: Investigating botnets on IRC, Joost "Garion" Vunderink. • 5. A paper that presents a complete forensic analysis of a compromised system: GIAC Certified Forensic Analyst (GCFA) Practical Assignment, Jennifer Kolde, SANS Institute.

  35. Hank Nussbacher’s picks for DDOS references A large number of papers and presentations can be found at the public page: In addition, I have found these to be useful:

  36. Other good references • A good overview of DDOS • Using SNORT to detect rogue IRC Bot Programs

  38. Detecting a new bot • Good free tools from • TCPVIEW • Process explorer • Autoruns • Regmon • Filemon • Rootkitrevealer