Bots and Botnets plus: Forensic analysis of a bot

Upload: waldo

Post on 19-Mar-2016


TRANSCRIPT

Page 1: Bots and Botnets plus

Bots and Botnets

plus

Forensic analysis of a bot

Page 2: Bots and Botnets plus

Introduction

• Wayne Hauber

• Computer consultant since 1984 at Iowa State University

• Started analyzing bots as a major focus in 2002

Page 3: Bots and Botnets plus

Bots and Botnets

• Bot: nothing more than a remotely controlled program

• A collection of bots controlled from a central source is a botnet

• Most bots have their origin in some segment of the IRC community

• Botnet controllers are either public IRC servers or custom private IRC servers

Page 4: Bots and Botnets plus

Not New

• Floodbots appeared at ISU in the early 1990s, mostly a nuisance to staff from fringe IRC users

• First SYN Flood denial of service attacks in 1997

• See the Hank Nussbacher presentation for a good chronology

Page 5: Bots and Botnets plus

What is new

• Organization

• Talent

• Skills

• Complete disregard for the values of mainstream society

Page 6: Bots and Botnets plus

IRC Society drives the problem

Page 7: Bots and Botnets plus

Pubstros/distros

• In late 2001 and early 2002, the first Pubstros appeared at ISU

• Pubstros are servers created on a vulnerable system

• They serve movies, games, software and pornography

• Usually some other software is installed: expect password crackers, keyloggers, proxies and network scanners

Page 8: Bots and Botnets plus

Pubstros/distros

• Pubstros were created by a highly organized and developed society of IRC users

• Pubstro/distro tutorials were published on the web

Page 9: Bots and Botnets plus

Pubstros/distros

• Hierarchical duties were assigned to those establishing pubstros

• One group scanned for proxy systems and installed scanning tools

• Another group scanned for vulnerable systems and posted a list

• Another group laid down the server and the contraband

• Quotas determined status in the group

Page 10: Bots and Botnets plus

Pubstros/distros

• A group in the far east supplies movies, often prior to US release dates

Page 11: Bots and Botnets plus

Pubstros/distros

• At ISU, we locate some pubstros because they are in our top-20 network traffic list

• Others are detected because they “look the same” as a top-20 pubstro

• Some are detected because other activity is detected by netflow monitoring

• Some are detected when a hacker is clumsy

Page 12: Bots and Botnets plus

Pubstros/distros

• Becoming more sophisticated

• Are well hidden – Hacker Defender is a suite of tools to hide your favorite trojan

• Still common – I detected a pubstro on a departmental server at 5:00 p.m. last night!

Page 13: Bots and Botnets plus

Organized crime

See the From Russia with Malice handout: http://www.vnunet.com/analysis/1160302

Page 14: Bots and Botnets plus

IRC Society

Slides are from a presentation by Hank Nussbacher: http://www.interall.co.il/presentations/first-16.pdf

Page 15: Bots and Botnets plus
Page 16: Bots and Botnets plus
Page 17: Bots and Botnets plus
Page 18: Bots and Botnets plus
Page 19: Bots and Botnets plus

Frequency of attacks

• Page 84 of the Nussbacher presentation

• Page 32 of the Vunderink presentation: http://www.garion.org/tmp/ircdrones.pdf

Page 20: Bots and Botnets plus
Page 21: Bots and Botnets plus
Page 22: Bots and Botnets plus
Page 23: Bots and Botnets plus

Size of botnets

• It is common to see botnets with a strength of 1,000 to 2,000 bots

• One record botnet had a strength of hundreds of thousands of bots

Page 24: Bots and Botnets plus

Easy tools

• Tools that we have seen at ISU have grown in sophistication and power

• Professional hackers are writing tools

• Many of today’s new viruses are nothing more than hacker tools in active use

• Quote from page 14 of the Vunderink presentation

Page 25: Bots and Botnets plus
Page 26: Bots and Botnets plus

Easy Tools

• Sdbot

• Korgo

• Optix

• Spybot

Page 27: Bots and Botnets plus

Optix – a sdbot variant

Detailed Description

The backdoor's file is a PE executable about 93 kilobytes long, packed with Yoda and PECompact file compressors. When the backdoor's file is started, it copies itself as SNDCFG16.EXE to the Windows System folder, sets hidden, system and read-only attributes for itself and then creates the following startup keys in the Registry… The backdoor monitors Registry changes and re-creates these keys if they are deleted or modified.

Page 28: Bots and Botnets plus

Optix – a sdbot variant

SDBot.MB kills the processes of security and anti-virus software and also processes of certain malware (for example Bagle). The processes with the following names are killed: regedit.exe msconfig.exe …a long list…

Page 29: Bots and Botnets plus

Optix – a sdbot variant

The backdoor can scan for vulnerable computers using different types of exploits and tries to locate other backdoors installed on remote hosts. Here's the list of scanner capabilities:

* WebDav (port 80)
* NetBios (port 139)
* NTPass (port 445)
* DCom (ports 135, 1025)
* DCom2 (port 135)
* MSSQL (port 1433)
* LSASS (port 445)
* UPNP (port 5000)
* Optix backdoor (port 3140)
* Bagle backdoor (port 2745)
* Kuang backdoor (port 17300)
* Mydoom backdoor (port 3127)
* NetDevil backdoor (port 903)
* SubSeven backdoor (port 27347)
* DameWare remote management software (port 6129)
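The scanner port list above is also a detection opportunity: on page 11 the ISU team says some compromised hosts are found through netflow monitoring, and a host that opens connections to dozens of distinct peers on exactly these ports is what that looks like in flow data. The following is an added example, not code from the presentation or from any tool it names. It assumes a constructed, simplified flow record of the form (src_ip, dst_ip, dst_port, tcp_flags); the sample flows and the threshold of ten distinct peers are assumptions chosen for illustration.

```python
"""Added example (not from the presentation): flag hosts whose connection
pattern matches the scanner built into the Optix/SDBot variant.

Flow records are a constructed, simplified tuple form:
    (src_ip, dst_ip, dst_port, tcp_flags)
"""
from collections import defaultdict

# Ports named on the slide for the backdoor's scanner capabilities.
BOT_SCAN_PORTS = {
    80,     # WebDav
    139,    # NetBios
    445,    # NTPass, LSASS
    135,    # DCom, DCom2
    1025,   # DCom
    1433,   # MSSQL
    5000,   # UPNP
    3140,   # Optix backdoor
    2745,   # Bagle backdoor
    17300,  # Kuang backdoor
    3127,   # Mydoom backdoor
    903,    # NetDevil backdoor
    27347,  # SubSeven backdoor
    6129,   # DameWare
}


def build_sample_flows():
    """Constructed sample: one sweeping host and one ordinary workstation."""
    flows = []
    # Infected workstation sweeping 10.1.5.0/24 on DCom (135) and LSASS (445).
    for i in range(1, 31):
        flows.append(("10.1.2.3", f"10.1.5.{i}", 135, "S"))
        flows.append(("10.1.2.3", f"10.1.5.{i}", 445, "S"))
    # Healthy workstation: one file share plus a few web sites.
    flows += [
        ("10.1.2.50", "10.1.5.10", 445, "S"),
        ("10.1.2.50", "10.1.5.10", 445, "SA"),
        ("10.1.2.50", "192.0.2.10", 80, "S"),
        ("10.1.2.50", "192.0.2.11", 80, "S"),
        ("10.1.2.50", "192.0.2.12", 443, "S"),
    ]
    return flows


def scanning_hosts(flows, min_peers=10):
    """Return {src: (distinct_peers, sorted_ports)} for sources that initiated
    connections (SYN only) to at least min_peers distinct hosts on scan ports."""
    peers = defaultdict(set)
    ports = defaultdict(set)
    for src, dst, dport, flags in flows:
        # Count only connection attempts the source initiated on a scan port.
        if dport in BOT_SCAN_PORTS and flags == "S":
            peers[src].add(dst)
            ports[src].add(dport)
    return {
        src: (len(targets), sorted(ports[src]))
        for src, targets in peers.items()
        if len(targets) >= min_peers
    }


if __name__ == "__main__":
    for src, (count, plist) in scanning_hosts(build_sample_flows()).items():
        print(f"{src}: {count} peers probed on ports {plist}")
```

The distinct-peer count, not the raw flow count, is what separates a sweep from a busy but legitimate client: the healthy workstation touches a scan port (445) repeatedly but only ever reaches one file server. Real flow exporters carry TCP flags as a bitmask rather than a string, so the flags check is the piece to adapt first.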

Page 30: Bots and Botnets plus

Optix – a sdbot variant

The backdoor starts an IDENTD server on port 113. A hacker can control the backdoor via a bot that it creates in a certain IRC channel.

Page 31: Bots and Botnets plus

Optix – a sdbot variant

Backdoor capabilities are the following:

• start HTTP server on an infected computer

• start FTP server on an infected computer

• scan for vulnerable computers (open ports and exploits)

• make use of exploits and spread to remote computers

Page 32: Bots and Botnets plus

Optix – a sdbot variant

• start/stop keylogger

• get system information including information about OS, network and drives

• operate backdoor's bot (nick change, dcc send/receive, join/part channels, etc.)

• perform DDoS (Distributed Denial of Service) attack, SYN, ICMP, UDP flood

Page 33: Bots and Botnets plus

Optix – a sdbot variant

• find, download and run files

• search for passwords

• start/stop remote services

• create/delete remote shares

• flush DNS cache

Page 34: Bots and Botnets plus

Optix – a sdbot variant

• ping any host

• list, start and kill processes

• sniff network traffic

• start remote command shell

• capture video from a webcam

Page 35: Bots and Botnets plus

Optix – a sdbot variant

• capture a screenshot

• redirect traffic on certain ports

• perform portscan

• send e-mails (work as an e-mail proxy)

• open a URL with default web browser

Page 36: Bots and Botnets plus

SDBot.MB steals CD keys for the following games if they are installed on an infected computer:

Counter-Strike (Retail), The Gladiators, Gunman Chronicles, Half-Life, Industry Giant 2, Legends of Might and Magic, Soldiers Of Anarchy, Unreal Tournament 2003, Unreal Tournament 2004, IGI 2: Covert Strike, Freedom Force, Battlefield 1942, Battlefield 1942 (Road To Rome), Battlefield 1942 (Secret Weapons of WWII), Battlefield Vietnam, Black and White, Command and Conquer: Generals (Zero Hour), James Bond 007: Nightfire, Command and Conquer: Generals, Global Operations, Medal of Honor: Allied Assault, Medal of Honor: Allied Assault: Breakthrough, Medal of Honor: Allied Assault: Spearhead, Need For Speed Hot Pursuit 2, Need For Speed: Underground, Shogun: Total War: Warlord Edition, FIFA 2002, FIFA 2003, NHL 2002, NHL 2003, Nascar Racing 2002, Nascar Racing 2003, Rainbow Six III RavenShield, Command and Conquer: Tiberian Sun, Command and Conquer: Red Alert, Command and Conquer: Red Alert 2, NOX, Chrome, Hidden & Dangerous 2, Soldier of Fortune II - Double Helix, Neverwinter Nights, Neverwinter Nights (Shadows of Undrentide), Neverwinter Nights (Hordes of the Underdark)

Also the backdoor steals the Microsoft Windows Product ID.

Page 37: Bots and Botnets plus

Protecting client systems

Comments from Vunderink

Page 38: Bots and Botnets plus
Page 39: Bots and Botnets plus
Page 40: Bots and Botnets plus
Page 41: Bots and Botnets plus
Page 42: Bots and Botnets plus

Some conclusions

• Security threats have changed

Page 43: Bots and Botnets plus

Some conclusions

• Security threats have changed

• Our clients have no idea that the security paradigm has changed

Page 44: Bots and Botnets plus

Some conclusions

• Security threats have changed

• Our clients have no idea that the security paradigm has changed

• Policy makers do not know that security threats have changed

Page 45: Bots and Botnets plus

Some conclusions

• Security threats have changed

• Our clients have no idea that the security paradigm has changed

• Policy makers do not know that security threats have changed

• I am less pessimistic than Vunderink. I think that we will succeed in educating policy makers…but we won’t succeed in educating our clients.

Page 46: Bots and Botnets plus

1. A good overview of BotNets: Malicious Bots Threaten Network Security, David Geer. IEEE Computer, January 2005.

2. An article that provides examples of organized crime and botnets: From Russia with Malice. http://www.vnunet.com/analysis/1160302

3. Slides from a presentation that provide a good history of DDOS and techniques for fighting DDOS: Fighting Internet Diseases: DDoS, worms and miscreants, Hank Nussbacher and Nicolas Fischbach. http://www.interall.co.il/presentations/first-16.pdf

4. Slides from a presentation by an IRC administrator who is fighting botnets: IRC and Drones: Investigating botnets on IRC, Joost "Garion" Vunderink. http://www.garion.org/tmp/ircdrones.pdf

5. A paper that presents a complete forensic analysis of a compromised system: GIAC Certified Forensic Analyst (GCFA) Practical Assignment, Jennifer Kolde, SANS Institute. http://www.giac.org/practical/GCFA/Jennifer_Kolde_GCFA.pdf

Page 47: Bots and Botnets plus

Hank Nussbacher’s picks for DDOS references

A large number of papers and presentations can be found at the public page: https://puck.nether.net/mailman/listinfo/nsp-security

In addition, I have found these to be useful:

http://staff.washington.edu/dittrich/misc/ddos/

http://www.linuxsecurity.com/resource_files/intrusion_detection/ddos-faq.html

http://www.networkcomputing.com/1201/1201f1c1.html

http://www.sans.org/dosstep/index.php

http://downloads.securityfocus.com/library/sn_ddos.doc

Page 48: Bots and Botnets plus

Other good references

• A good overview of DDOS: http://www.cisco.com/en/US/about/ac123/ac147/archived_issues/ipj_7-4/dos_attacks.html

• Using SNORT to detect rogue IRC Bot Programs: http://www.giac.org/certified_professionals/practicals/gsec/4095.php

Page 49: Bots and Botnets plus

My slides

http://tech.ait.iastate.edu/winsecurity/presentations/infraguard.ppt

Page 50: Bots and Botnets plus

Detecting a new bot

Good free tools from sysinternals.com:

• TCPView

• Process Explorer

• Autoruns

• Regmon

• Filemon

• RootkitRevealer
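Regmon is on this list because of the behaviour described on page 27: the bot watches the Registry and writes its startup keys back as soon as they are deleted or modified, which means a deleted Run value that reappears within seconds, written by a different process than the one that removed it, is itself the indicator. The following is an added example, not code from the presentation or from Sysinternals; it works over a constructed, simplified event list in the spirit of a Regmon export, shaped as (sequence, process, operation, path). The value name ExampleAutostart and the sample paths are placeholders, since the deck elides the bot's real key names.

```python
"""Added example (not from the presentation): find autostart values that one
process keeps writing back after another process deletes them.

Events are a constructed, simplified Regmon-style form:
    (sequence, process, operation, path)
"""
import re
from collections import defaultdict

# Any value under a per-user or machine Run / RunOnce / RunServices key.
AUTOSTART_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once|Services)?\\[^\\]+$",
    re.IGNORECASE,
)

# Placeholder value name: the deck does not list the bot's real startup keys.
RUN_VALUE = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExampleAutostart"

SAMPLE_EVENTS = [
    # Constructed: an admin removes the value, the bot writes it straight back.
    (1, "sndcfg16.exe", "SetValue", RUN_VALUE),
    (2, "regedit.exe", "DeleteValue", RUN_VALUE),
    (3, "sndcfg16.exe", "SetValue", RUN_VALUE),
    (4, "regedit.exe", "DeleteValue", RUN_VALUE),
    (5, "sndcfg16.exe", "SetValue", RUN_VALUE),
    # Constructed: a legitimate installer writing its own value once.
    (6, "setup.exe", "SetValue",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    # Constructed: unrelated Registry churn outside the Run keys, ignored.
    (7, "explorer.exe", "SetValue",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop"),
]


def recreated_autostarts(events):
    """Return {(process, value_path): times_recreated} for processes that
    re-set an autostart value after a *different* process deleted it."""
    deleted_by = {}                 # lowercased value path -> deleting process
    recreations = defaultdict(int)
    for _seq, proc, op, path in sorted(events):
        if not AUTOSTART_RE.search(path):
            continue                # not an autostart value, ignore
        key = path.lower()
        if op == "DeleteValue":
            deleted_by[key] = proc
        elif op == "SetValue" and key in deleted_by:
            # A process restoring its own value is a normal update; a value
            # restored by someone other than the deleter is the bot's pattern.
            if deleted_by.pop(key) != proc:
                recreations[(proc, path)] += 1
    return dict(recreations)


if __name__ == "__main__":
    for (proc, path), n in recreated_autostarts(SAMPLE_EVENTS).items():
        print(f"{proc} re-created {path} {n} time(s) after deletion")
```

Pairing each SetValue with the most recent DeleteValue on the same path, and only counting it when the writer differs from the deleter, keeps installers and the user's own edits out of the result while catching exactly the tug-of-war the slide describes. Autoruns is the natural companion: it shows the current state of the same keys, while this kind of event review shows who keeps putting an entry back.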