AN INSIDE LOOK AT BOTNETS
Barford, Paul and Yegneswaran
Advances in Information Security, Springer, 2006
Kishore Padma Raju
INTRODUCTION
• Attacks for financial gain
• Proactive methods
• Understanding of malicious software readily available
• 4 IRC botnet codebases examined along 7 dimensions
ARCHITECTURE
• AGOBOT (Phatbot)
  – Found in October 2002
  – Sophisticated and best-written source code
  – 20,000 lines of C/C++
  – High-level components:
    • IRC-based command and control mechanism
    • Large collection of target exploits
    • DoS attacks
    • Harvest the local host
• SDBOT
  – October 2002
  – Simple code in C, 2,000 lines
  – IRC-based command and control system
  – Easy to extend, so many patches are available (DoS attacks, information-harvesting routines)
  – Motivation for patch dissemination is diffusion of accountability
• SPYBOT
  – 3,000 lines of C code
  – April 2003
  – Evolved from SDBOT
    • No diffusion of accountability
  – Includes scanning capability and launching flooding attacks
  – Efficient
• GTBOT (Global Threat) (Aristotles)
  – Based on functions of mIRC (writes event handlers for remote nodes)
  – Capabilities are:
    • Port scanning
    • DoS attacks
  – Stored in file mirc.ini
  – Remote execution
    • BNC (proxy system), psexec.exe
• Implications
BOTNET CONTROL MECHANISMS
• Communication
• Command language and control protocols
• Based on IRC
• Commands
  – Deny service
  – Spam
  – Phish
• Agobot
  – Command language contains standard IRC commands and commands specific to this bot
  – Bot commands perform specific functions:
    • bot.open
    • cvar.set
    • ddos_max_threads
• Sdbot
  – [Figure: SDBot IRC connection state machine; transitions are labelled with the IRC messages NICK/USER, PONG, USERHOST, JOIN, EST, ACTION, RESET, REJOIN, NICK, PING, 302, KICK, 353, PART/QUIT, PRIVMSG/NOTICE/TOPIC and 001/005]
• SPYBOT
  – Command language is simple
  – Commands are login, passwords, disconnect, reconnect, uninstall, spy, loadclones, killclones
• GTBOT
  – Simplest
  – Varies across versions
  – Commands are !ver, !scan, !portscan, !clone.*, !update
• IMPLICATIONS
  – Now simple
  – Future: encrypted communication
  – Fingerprinting methods
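The fingerprinting point above can be made concrete with a detection check. This is an added example, not code from the paper or the deck: it parses IRC PRIVMSG lines and flags messages whose first token matches the command vocabularies the deck lists (Agobot's dotted namespaces, GTBot's "!" commands, and SDBot/Spybot bare words, which are only flagged when the arguments match the syntax given in the deck). The log lines, nicks, hosts and channel are constructed placeholders.

```python
import re
from typing import List, Optional, Tuple

PRIVMSG_RE = re.compile(r"^:(?P<src>\S+) PRIVMSG (?P<target>\S+) :(?P<text>.*)$")
HOST_RE = re.compile(r"^[A-Za-z0-9.\-]+$")   # IPv4 address or hostname, loosely

# Agobot commands live in dotted namespaces (bot.open, cvar.set, ddos.udpflood, ...).
AGOBOT_PREFIXES = ("bot.", "cvar.", "ddos.", "harvest.", "pctrl.", "inst.", "scan.")
# GTBot commands carry a "!" prefix (!ver, !scan, !portscan, !clone.*, !update).
GTBOT_COMMANDS = {"!ver", "!scan", "!portscan", "!update"}
# Bare words such as "ping" or "scan" occur in normal chat, so SDBot and Spybot
# commands are only flagged when the arguments match the syntax from the deck.
ARG_SHAPES = {
    "udp": ("sdbot", ("host", "num", "num", "num", "num")),     # udp <host> <#pkts> <pktsz> <delay> <port>
    "ping": ("sdbot", ("host", "num", "num", "num")),           # ping <host> <#pkts> <pktsz> <timeout>
    "scan": ("spybot", ("host", "num", "num", "word", "word")), # scan <startip> <port> <delay> <spreaders> <logfile>
}

def _arg_ok(kind: str, tok: str) -> bool:
    if kind == "num":
        return tok.isdigit()
    return bool(HOST_RE.match(tok)) if kind == "host" else True

def classify(text: str) -> Optional[Tuple[str, str]]:
    # Returns (bot family, command) when the message text looks like a bot command.
    tokens = text.strip().split()
    if not tokens:
        return None
    cmd, args = tokens[0].lower(), tokens[1:]
    if cmd.startswith(AGOBOT_PREFIXES):
        return ("agobot", cmd)
    if cmd in GTBOT_COMMANDS or cmd.startswith("!clone."):
        return ("gtbot", cmd)
    if cmd in ARG_SHAPES:
        family, shape = ARG_SHAPES[cmd]
        if len(args) == len(shape) and all(_arg_ok(k, a) for k, a in zip(shape, args)):
            return (family, cmd)
    return None

def scan_log(log: str) -> List[Tuple[str, str, str, str]]:
    # Collects (sender, channel, family, command) for every suspicious PRIVMSG.
    hits = []
    for line in log.splitlines():
        m = PRIVMSG_RE.match(line)
        if m and (verdict := classify(m["text"])):
            hits.append((m["src"], m["target"], *verdict))
    return hits

# Constructed log (hypothetical nicks, hosts, channel): chatter plus one command per family.
SAMPLE_LOG = """\
:alice!a@example.net PRIVMSG #chat :ping me when you're done
:herder!h@c2.example PRIVMSG #c0ntrol :cvar.set ddos_max_threads 50
:herder!h@c2.example PRIVMSG #c0ntrol :scan 127.0.0.1 17300 1 netbios portscan.txt
:herder!h@c2.example PRIVMSG #c0ntrol :udp 192.0.2.10 1000 512 1 80
:herder!h@c2.example PRIVMSG #c0ntrol :!portscan 192.0.2.0/24
:bob!b@example.net PRIVMSG #chat :scan the doc and send it over
"""
```

The two chat lines that begin with "ping" and "scan" are not flagged because their arguments do not fit the SDBot/Spybot syntax; once the command language moves to encrypted channels, as the deck anticipates, this kind of content match no longer works and traffic-shape fingerprints are needed instead.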
HOST CONTROL MECHANISMS
• Manipulate victim host
• AGOBOT
  – Commands to harvest sensitive information (harvest.cdkeys, harvest.emails, registry, windowskeys)
  – List and kill processes (pctrl.list, kill, killpid)
  – Add or delete autostart entries (inst.asadd, asdel)
• SDBOT
  – Remote execution commands and gathering of local information
  – Patches
  – Host control commands (download, killthread, update)
• SPYBOT
  – Control commands for file manipulation, key logging, remote command execution
  – Commands are delete, execute, makedir, startkeylogger, stopkeylogger, reboot, update
• GTBOT
  – Gathering local system information
  – Run or delete local files
• IMPLICATIONS
  – Underscore the need to patch
  – Stronger protection boundaries
  – Gathering of sensitive information
PROPAGATION MECHANISMS
• Search for new host systems
• Horizontal and vertical scan
• AGOBOT
  – IP addresses within network ranges
  – scan.addnetrange, scan.delnetrange, scan.enable
• SDBOT
  – Same as Agobot
  – NETBIOS scanner
    • Starting and ending IP addresses
• SPYBOT
  – Command interface
    • Command: scan <startipaddress> <port> <delay> <spreaders> <logfilename>
    • Example: scan 127.0.0.1 17300 1 netbios portscan.txt
• GTBOT
  – Horizontal and vertical scanning
• IMPLICATIONS
  – Simple scanning methods
  – Source code examination
EXPLOITS AND ATTACK MECHANISMS
• Attack known vulnerabilities on target systems
• AGOBOT
  – Broadening set of exploits
  – Generic DDoS module
    • Enables seven types of denial-of-service attacks
    • ddos.udpflood, synflood, httpflood, phatsyn, phaticmp, phatwonk, targa3, stop
• SDBOT
  – UDP and ICMP packets, flooding attacks
  – udp <host> <#pkts> <pktsz> <delay> <port> and ping <host> <#pkts> <pktsz> <timeout>
• SPYBOT AND GTBOT
  – Same as SDBot
• IMPLICATIONS
  – Multiple exploits
MALWARE DELIVERY MECHANISMS
• GT/SD/SPY bots deliver the exploit and the encoded malware in a single package
• Agobot
  – Exploits a vulnerability and opens a shell on the remote host
  – The encoded binary is then sent using HTTP or FTP
• IMPLICATIONS
OBFUSCATION MECHANISMS
• Hide the details
• Polymorphism
• AGOBOT
  – POLY_TYPE_XOR
  – POLY_TYPE_SWAP
  – POLY_TYPE_ROR
  – POLY_TYPE_ROL
• IMPLICATIONS
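An analyst meeting the four Agobot transform names above usually wants to undo them to get at the plaintext. The following is an added example, not Agobot's code: it inverts each transform and brute-forces the (transform, key) pair by looking for a known plaintext marker. The transform semantics are assumptions, since the deck only names them: XOR is a byte-wise xor with a one-byte key, ROR/ROL rotate each byte by the key's bit count, and SWAP exchanges the two nibbles of a byte. The sample payload is constructed.

```python
from typing import Callable, Dict, List, Tuple

def _rol8(b: int, n: int) -> int:
    n &= 7
    return ((b << n) | (b >> (8 - n))) & 0xFF

def _ror8(b: int, n: int) -> int:
    return _rol8(b, -n & 7)

# Inverse of each assumed transform, keyed by Agobot's POLY_TYPE_* name.
INVERSE: Dict[str, Callable[[int, int], int]] = {
    "POLY_TYPE_XOR": lambda b, k: b ^ k,                          # xor is its own inverse
    "POLY_TYPE_ROR": lambda b, k: _rol8(b, k),                    # undo a rotate-right with a rotate-left
    "POLY_TYPE_ROL": lambda b, k: _ror8(b, k),                    # undo a rotate-left with a rotate-right
    "POLY_TYPE_SWAP": lambda b, k: ((b & 0x0F) << 4) | (b >> 4),  # nibble swap is self-inverse
}
KEY_SPACE = {"POLY_TYPE_XOR": range(1, 256), "POLY_TYPE_ROR": range(1, 8),
             "POLY_TYPE_ROL": range(1, 8), "POLY_TYPE_SWAP": (0,)}

def decode(data: bytes, poly_type: str, key: int) -> bytes:
    inv = INVERSE[poly_type]
    return bytes(inv(b, key) for b in data)

def recover(data: bytes, marker: bytes) -> List[Tuple[str, int]]:
    # Try every (transform, key); keep the ones whose decoding exposes a known
    # plaintext marker, e.g. an IRC keyword the unpacked bot must contain.
    # ROL by n and ROR by 8-n are the same byte transform, so both get reported.
    found = []
    for name, keys in KEY_SPACE.items():
        for k in keys:
            if marker in decode(data, name, k):
                found.append((name, k))
    return found

# Constructed sample: plaintext with an IRC command inside, encoded with ROL by 3.
SAMPLE_PLAIN = b"JOIN #control\r\nPRIVMSG bot.open\r\n"
SAMPLE_ENCODED = bytes(_rol8(b, 3) for b in SAMPLE_PLAIN)
```

The brute force is cheap because the key spaces are tiny (255 xor keys, 7 rotation counts, one swap), which is the practical weakness of these obfuscation types: a marker such as PRIVMSG or a known command string is enough to strip them.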
CONCLUSIONS
• Expanded the knowledge base for security research
• Lethal classes of Internet threats
• Functional components of botnets
WEAKNESSES
• Study only covers IRC botnets
• No preventive mechanisms
• No dynamic profiling of botnet executables
• Insufficient analysis
IMPROVEMENTS
• Dynamic profiling could be carried out using existing tools
• A botnet monitoring mechanism could be described
• Analysis of peer-to-peer infrastructure