AN INSIDE LOOK AT BOTNETS

Barford, Paul and Yegneswaran. Advances in Information Security, Springer, 2006. Kishore Padma Raju


Post on 16-Jan-2016


TRANSCRIPT

Page 1: AN INSIDE LOOK AT BOTNETS

AN INSIDE LOOK AT BOTNETS

Barford, Paul and Yegneswaran
Advances in Information Security, Springer, 2006
Kishore Padma Raju

Page 2

INTRODUCTION

• Attacks for financial gain
• Proactive methods
• Understanding of malicious software readily available
• 4 IRC botnet codebases along 7 dimensions

Page 3

ARCHITECTURE

• AGOBOT (Phatbot)
  – Found in October 2002
  – Sophisticated and best written source code
  – 20,000 lines of C/C++
  – High level components
    • IRC based command and control mechanism
    • Large collection of target exploits
    • DOS attacks
    • Harvest the local host

Page 4

• SDBOT
  – October 2002
  – Simple code in C, 2000 lines
  – IRC based command and control system
  – Easy to extend and so many patches available (DOS attacks, information harvesting routines)
  – Motivation for patch dissemination is diffusion of accountability

Page 5

• SPYBOT
  – 3000 lines of C code
  – April 2003
  – Evolved from SDBOT
    • No diffusion of accountability
  – Includes scanning capability and launching flooding attacks
  – Efficient

Page 6

• GTBOT (Global Threat) (Aristotles)
  – Based on functions of mIRC (writes event handlers for remote nodes)
  – Capabilities are
    • Port scanning
    • DOS attacks
  – Stored in file mirc.ini
  – Remote execution
    • BNC (proxy system), psexec.exe
• Implications

Page 7

BOTNET CONTROL MECHANISMS

• Communication
• Command language and control protocols
• Based on IRC
• Commands
  – Deny service
  – Spam
  – Phish

Page 8

• Agobot
  – Command language contains standard IRC commands and commands specific to this bot
  – Bot commands perform specific functions
    • bot.open
    • cvar.set
    • ddos_max_threads

Page 9

• Sdbot
  – IRC messages and events handled by the bot: NICK_USER, PONG, USERHOST, JOIN, EST, ACTION, RESET, REJOIN, NICK, PING, 302, KICK, 353, PART/QUIT, PRIVMSG/NOTICE/TOPIC, 001/005

Page 10

• SPYBOT
  – Command language simple
  – Commands are login, passwords, disconnect, reconnect, uninstall, spy, loadclones, killclones
• GTBOT
  – Simplest
  – Varies across versions
  – Commands are !ver, !scan, !portscan, !clone.*, !update
• IMPLICATIONS
  – Now simple
  – Future, encrypted communication
  – Finger printing methods
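The command vocabularies on the last three slides are exactly what the "finger printing" implication refers to: as long as bot commands travel as plain-text IRC messages, a network sensor can recognise them. The following is an added detection example, not code from the slides or from the paper. It parses IRC lines as a tap would see them and flags PRIVMSG, NOTICE and TOPIC messages whose first word is a command from the Agobot, SDBot, Spybot or GTBot lists above. Dotted Agobot names such as pctrl.kill and inst.asdel expand the slides' abbreviated lists and are assumed; the sample log lines are constructed.

```python
"""Flag IRC lines that carry bot command-and-control commands (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Command vocabularies taken from the slides. Entries such as pctrl.kill and
# inst.asdel expand the abbreviated "pctrl.list, kill, killpid" and
# "inst.asadd, asdel" and are assumed, not quoted from the paper.
AGOBOT = {"bot.open", "cvar.set", "harvest.cdkeys", "harvest.emails",
          "harvest.registry", "harvest.windowskeys", "pctrl.list", "pctrl.kill",
          "pctrl.killpid", "inst.asadd", "inst.asdel", "scan.addnetrange",
          "scan.delnetrange", "scan.enable", "ddos.udpflood", "ddos.synflood",
          "ddos.httpflood", "ddos.phatsyn", "ddos.phaticmp", "ddos.phatwonk",
          "ddos.targa3", "ddos.stop"}
SDBOT_SPYBOT = {"login", "passwords", "disconnect", "reconnect", "uninstall",
                "spy", "loadclones", "killclones", "delete", "execute", "makedir",
                "startkeylogger", "stopkeylogger", "reboot", "update", "download",
                "killthread", "scan", "udp", "ping"}
GTBOT = {"!ver", "!scan", "!portscan", "!update"}   # "!clone.*" is matched by prefix

# Argument counts from the command syntaxes shown on the slides. A bare word such
# as "update" also occurs in ordinary chat, so a plain-word command is only rated
# "high" when its argument count matches the bot's syntax.
ARG_COUNTS = {"scan": 5, "udp": 5, "ping": 4}


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str]
    trailing: Optional[str]


def parse_irc_line(line: str) -> Optional[IrcMessage]:
    """Split ':prefix COMMAND p1 p2 :trailing' into its parts."""
    rest = line.strip()
    if not rest:
        return None
    prefix = None
    if rest.startswith(":"):
        prefix, _, rest = rest[1:].partition(" ")
    head, sep, trailing = rest.partition(" :")
    parts = head.split()
    if not parts:
        return None
    return IrcMessage(prefix, parts[0].upper(), parts[1:], trailing if sep else None)


@dataclass
class Finding:
    sender: str
    channel: str
    family: str
    command: str
    args: List[str]
    confidence: str


def classify_command(text: str):
    """Return (family, command, args, confidence) if the text starts with a bot command."""
    tokens = text.split()
    if not tokens:
        return None
    word, args = tokens[0].lower(), tokens[1:]
    if word in AGOBOT:
        return ("agobot", word, args, "high")
    if word in GTBOT or word.startswith("!clone."):
        return ("gtbot", word, args, "high")
    if word in SDBOT_SPYBOT:
        expected = ARG_COUNTS.get(word)
        confidence = "high" if expected is not None and len(args) == expected else "low"
        return ("sdbot/spybot", word, args, confidence)
    return None


def scan_irc_log(lines: Iterable[str]) -> List[Finding]:
    """Run the classifier over every channel/notice/topic message in a capture."""
    findings: List[Finding] = []
    for line in lines:
        msg = parse_irc_line(line)
        if msg is None or msg.trailing is None:
            continue
        if msg.command not in ("PRIVMSG", "NOTICE", "TOPIC"):
            continue
        hit = classify_command(msg.trailing)
        if hit is None:
            continue
        family, word, args, confidence = hit
        sender = (msg.prefix or "?").split("!")[0]      # nick part of nick!user@host
        channel = msg.params[0] if msg.params else "?"
        findings.append(Finding(sender, channel, family, word, args, confidence))
    return findings


# Constructed sample capture: two ordinary chat users and one "herder" in #b0t.
SAMPLE_LOG = [
    ":alice!u@home.example PRIVMSG #chat :hey, anyone around?",
    ":herder!h@c2.example PRIVMSG #b0t :login s3cret",
    ":herder!h@c2.example PRIVMSG #b0t :scan 127.0.0.1 17300 1 netbios portscan.txt",
    ":herder!h@c2.example TOPIC #b0t :!ver",
    ":herder!h@c2.example PRIVMSG #b0t :harvest.cdkeys",
    ":bob!u@home.example PRIVMSG #chat :update",
    ":bob!u@home.example PRIVMSG #chat :did you update your driver?",
    "PING :irc.example",
]

if __name__ == "__main__":
    for f in scan_irc_log(SAMPLE_LOG):
        print(f"{f.confidence:4} {f.family:13} {f.sender}@{f.channel}: {f.command} {' '.join(f.args)}")
```

The "low" findings (a bare "login" or "update") are the false-positive class a real sensor has to corroborate, for example with the number of nicks in the channel that respond identically, or with a TOPIC that never changes because the bots read it on join.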

Page 11

HOST CONTROL MECHANISMS

• Manipulate victim host
• AGOBOT
  – Commands to harvest sensitive information (harvest.cdkeys, harvest.emails, registry, windowskeys)
  – List and kill processes (pctrl.list, kill, killpid)
  – Add or delete autostart entries (inst.asadd, asdel)
• SDBOT
  – Remote execution commands and gather local information
  – Patches
  – Host control commands (download, killthread, update)

Page 12

• SPYBOT
  – Control commands for file manipulation, key logging, remote command execution
  – Commands are delete, execute, makedir, startkeylogger, stopkeylogger, reboot, update
• GTBOT
  – Gathering local system information
  – Run or delete local files
• IMPLICATIONS
  – Underscore the need to patch
  – Stronger protection boundaries
  – Gathering sensitive information

Page 13

PROPAGATION MECHANISMS

• Search for new host systems
• Horizontal and vertical scan
• AGOBOT
  – IP addresses within network ranges
  – scan.addnetrange, scan.delnetrange, scan.enable
• SDBOT
  – Same as Agobot
  – NETBIOS scanner
    • Starting and end IP addresses

Page 14

• SPYBOT
  – Command interface
    • Command: scan <startipaddress> <port> <delay> <spreaders> <logfilename>
    • Example: scan 127.0.0.1 17300 1 netbios portscan.txt
• GTBOT
  – Horizontal and vertical scanning
• IMPLICATIONS
  – Simple scanning methods
  – Source code examination

Page 15

EXPLOITS AND ATTACK MECHANISMS

• Attack known vulnerabilities on target systems
• AGOBOT
  – Broadening set of exploits
  – Generic DDOS module
    • Enables seven types of denial of service attacks
    • ddos.udpflood, synflood, httpflood, phatsyn, phaticmp, phatwonk, targa3, stop
• SDBOT
  – UDP and ICMP packets, flooding attacks
  – udp <host> <#pkts> <pktsz> <delay> <port> and ping <host> <#pkts> <pktsz> <timeout>

Page 16

• SPYBOT AND GTBOT
  – Same as SDBOT
• IMPLICATIONS
  – Multiple exploits

Page 17

MALWARE DELIVERY MECHANISMS

• GT/SD/SPY bots deliver exploit and encoded malware in a single package
• Agobot
  – Exploit vulnerability and open a shell on remote host
  – Encoded binary is then sent using HTTP or FTP
• IMPLICATIONS

Page 18

OBFUSCATION MECHANISMS

• Hide the details
• Polymorphism
• AGOBOT
  – POLY_TYPE_XOR
  – POLY_TYPE_SWAP
  – POLY_TYPE_ROR
  – POLY_TYPE_ROL
• IMPLICATIONS
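The implication the slide leaves blank is that a fixed byte signature stops matching once the binary passes through any of these transforms, while the transforms themselves are so weak that an analyst can undo them by exhaustive search. The following is an added analysis example, not code from the slides, the paper, or Agobot. The four transform names come from the slide, but their exact semantics are not given there, so the example assumes XOR with a single-byte key, ROR/ROL as a per-byte bit rotation, and SWAP as an exchange of adjacent bytes; the sample blob and the PE-stub marker string it contains are constructed.

```python
"""Recover a known byte signature from a blob obfuscated with simple
polymorphic transforms (added example; XOR/SWAP/ROR/ROL semantics are assumed)."""
from typing import Iterator, Optional, Tuple


def rol8(b: int, n: int) -> int:
    """Rotate one byte left by n bits."""
    n &= 7
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror8(b: int, n: int) -> int:
    """Rotate one byte right by n bits (a left rotation by 8-n)."""
    return rol8(b, (8 - (n & 7)) & 7)


def transform(data: bytes, kind: str, key: int = 0, inverse: bool = False) -> bytes:
    """Apply one transform; inverse=True undoes it. Assumed semantics, see lead-in."""
    if kind == "xor":                      # XOR with a one-byte key is its own inverse
        return bytes(b ^ key for b in data)
    if kind == "swap":                     # exchange adjacent bytes; also self-inverse
        out = bytearray(data)
        for i in range(0, len(out) - 1, 2):
            out[i], out[i + 1] = out[i + 1], out[i]
        return bytes(out)
    if kind == "ror":
        fn = rol8 if inverse else ror8
        return bytes(fn(b, key) for b in data)
    if kind == "rol":
        fn = ror8 if inverse else rol8
        return bytes(fn(b, key) for b in data)
    raise ValueError(f"unknown transform {kind!r}")


def candidate_keys() -> Iterator[Tuple[str, int]]:
    """Every (transform, key) pair the search has to try: 1 + 255 + 7 + 7 = 270."""
    yield ("swap", 0)
    for k in range(1, 256):
        yield ("xor", k)
    for n in range(1, 8):
        yield ("ror", n)
        yield ("rol", n)


def recover(blob: bytes, marker: bytes) -> Optional[Tuple[str, int, bytes]]:
    """Brute-force the transform whose inverse makes `marker` appear in the blob."""
    if marker in blob:
        return ("none", 0, blob)
    for kind, key in candidate_keys():
        decoded = transform(blob, kind, key, inverse=True)
        if marker in decoded:
            return (kind, key, decoded)
    return None


# Constructed sample: a DOS-stub-like header followed by the well-known stub
# string a PE signature scanner would normally key on. Not a real binary.
MARKER = b"This program cannot be run in DOS mode"
SAMPLE = b"MZ\x90\x00" + b"\x00" * 12 + MARKER + b".\r\n$\x00\x00"


def demo() -> dict:
    """For each transform: (signature still matches?, search recovers it?)."""
    results = {}
    for kind, key in [("xor", 0x5A), ("swap", 0), ("ror", 3), ("rol", 5)]:
        blob = transform(SAMPLE, kind, key)
        found = recover(blob, MARKER)
        results[kind] = (MARKER in blob, found is not None and found[2] == SAMPLE)
    return results


if __name__ == "__main__":
    for kind, (matches, recovered) in demo().items():
        print(f"{kind:4}: signature matches={matches}, recovered by search={recovered}")
```

Because ROR by n and ROL by 8-n are the same permutation, the search may report either name for a rotated blob; what matters for analysis is the decoded bytes, which are identical. The search space here is tiny, which is why single-byte XOR and rotation are a packer's weakest choice against an analyst, even though they defeat a naive byte-for-byte signature.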

Page 19

CONCLUSIONS

• Expanded the knowledge base for security research
• Lethal classes of internet threats
• Functional components of botnets

Page 20

WEAKNESSES

• Study only IRC
• No preventive mechanisms
• No dynamic profiling of botnet executables
• Insufficient analysis

Page 21

IMPROVEMENTS

• Dynamic profiling can be executed using some tools

• Botnet monitoring mechanism can be explained

• Analysis for peer to peer infrastructure