
An Inside Look at Botnets


Presentation Transcript


  1. An Inside Look at Botnets
  Paul Barford, Vinod Yegneswaran, Computer Sciences Department, University of Wisconsin, Madison
  Omar Hemmali, CAP 6135

  2. Outline
  • Introduction
  • Architecture & Seven key mechanisms
  • Architecture
  • Control mechanisms
  • Methods for propagation and attack
  • Contributions
  • Shortfalls

  3. Introduction
  • The evolution of malware is primarily driven by improvements in defense mechanisms.
  • Worms and DoS attacks get a lot of media coverage while a major problem is overlooked.
  • Botnets are a more serious threat on the Internet today.
  • Botnets trace their roots to a benign management system.

  4. Introduction cont.
  • Botnets have increased in capability over the years.
  • Botnets have become quite extensive.
  • Focus has changed from vandalism to for-profit malicious activity.

  5. Evaluation
  • Comparison of 4 different bot families:
  • Agobot
  • SDBot
  • SpyBot
  • GT Bot

  6. Architecture & Seven Mechanisms
  • Architecture
  • Botnet Control Mechanisms
  • Host Control Mechanisms
  • Propagation Mechanisms
  • Exploits and Attack Mechanisms
  • Malware Delivery Mechanisms
  • Obfuscation Mechanisms
  • Deception Mechanisms

  7. Architecture - Agobot
  • 20K LoC C/C++
  • Many high-level components
  • IRC-based C2 mechanism
  • Can launch different DoS attacks
  • Can harvest passwords
  • Fortifies the system from attack
  • Actively attempts to prevent removal

  8. Architecture - SpyBot
  • 3K LoC C
  • Does not try to hide its malicious intent
  • Contains exploits for P2P and comm programs
  • Has IP scanning capabilities
  • Modules for DoS attacks

  9. Botnet Control Mechanisms
  • SDBot
  • Uses a lightweight version of IRC.
  • Bots can rejoin channels if they get kicked.
  • They keep track of their master.
  • Commands are sent in the form of PRIVMSG.

  10. Botnet Control Mechanisms
  • GT Bot
  • Uses IRC as the control infrastructure
  • Very few commands that are consistent among members of the family
  • Can invoke IP scanning
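Slides 9 and 10 both describe IRC as the control channel, with commands arriving as PRIVMSG text. From the defender's side, the practical consequence is that IRC traffic leaving a host can be parsed with the ordinary RFC 1459 line format and channel messages whose body looks like a dot-prefixed command can be surfaced for review. The following is an added example, not code from the slides or from the Barford and Yegneswaran paper; the IRC lines, nicknames, channel name and command verbs are all constructed for illustration, and the "command-like" heuristic is an assumption of this example rather than a signature of any particular bot family.

```python
import re
from collections import Counter

# Constructed sample of IRC traffic as an IDS or proxy log might record it.
# Hosts use .invalid / documentation ranges; nothing here is real.
SAMPLE_IRC_LINES = [
    ":master!ops@example.invalid PRIVMSG #ctrl :.login s3cret",
    ":bot-7f3a!u@10.0.0.7 JOIN #ctrl",
    ":master!ops@example.invalid PRIVMSG #ctrl :.scan 10.0.0.0/8",
    ":alice!a@example.invalid PRIVMSG #chat :see you at 5",
    ":master!ops@example.invalid PRIVMSG #ctrl :.download http://c2.invalid/upd.exe",
    ":bot-7f3a!u@10.0.0.7 PRIVMSG #ctrl :[SCAN] started",
    "PING :irc.invalid",
]

# RFC 1459 shape: [":" prefix SPACE] "PRIVMSG" SPACE target SPACE ":" trailing
PRIVMSG_RE = re.compile(
    r"^(?::(?P<nick>[^!\s]+)(?:!\S*)?\s+)?PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)

# Heuristic (assumption of this example): a message body that starts with
# '.' or '!' followed by a bare verb is treated as command-like.
COMMAND_RE = re.compile(r"^[.!]([a-z]+)")


def parse_privmsg(line):
    """Return (nick, target, text) for a PRIVMSG line, or None for anything else."""
    m = PRIVMSG_RE.match(line.strip())
    if not m:
        return None
    return m.group("nick"), m.group("target"), m.group("text")


def find_command_messages(lines):
    """List (nick, channel, verb) for every channel PRIVMSG whose body is command-like."""
    hits = []
    for line in lines:
        parsed = parse_privmsg(line)
        if parsed is None:
            continue
        nick, target, text = parsed
        if not target.startswith("#"):   # only channel traffic, not private messages
            continue
        cm = COMMAND_RE.match(text)
        if cm:
            hits.append((nick, target, cm.group(1)))
    return hits


def rank_channels(lines):
    """Count command-like messages per channel; one nick driving many commands in one channel is the pattern to review."""
    return Counter(channel for _, channel, _ in find_command_messages(lines))


if __name__ == "__main__":
    for nick, channel, verb in find_command_messages(SAMPLE_IRC_LINES):
        print(f"{channel}: {nick} issued '{verb}'")
    print(rank_channels(SAMPLE_IRC_LINES))
```

The bot's own status reply ("[SCAN] started") is deliberately not matched: the point is to separate operator commands from bot chatter, and a real deployment would pair the per-channel counts with how many distinct hosts joined the same channel.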

  11. Host Control Mechanisms
  • Purpose is to fortify the compromised host against removal of the bot
  • Agobot
  • Can return CD keys, registry info, emails
  • Able to kill specific processes that may try to clean the infected host.

  12. Host Control Mechanisms
  • SDBot
  • Controls are somewhat limited
  • Can remotely download files
  • Can create and terminate processes
  • Can send CD keys for popular games to the BotMaster

  13. Propagation Mechanisms
  • SpyBot and GT Bot
  • Have simple horizontal and vertical scanners
  • Just run through IPs in order.
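Simple scanners that walk through addresses in order leave a very recognisable footprint in flow data: a horizontal scan is one source touching many destination hosts on the same port, a vertical scan is one source touching many ports on one host, and sequential scanning shows up as destination addresses that increase by exactly one. The code below is an added example written for this slide, not code from the presentation or the paper; the flow records are constructed (RFC 5737 documentation addresses) and the thresholds are assumptions chosen for the sample.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records: (source, destination, destination port), in the
# order they were observed. 10.0.0.7 walks 192.0.2.1-5 on one port (horizontal,
# sequential); 10.0.0.9 walks five ports on one host (vertical); 10.0.0.3 is benign.
SAMPLE_FLOWS = [
    ("10.0.0.7", "192.0.2.1", 445),
    ("10.0.0.7", "192.0.2.2", 445),
    ("10.0.0.7", "192.0.2.3", 445),
    ("10.0.0.7", "192.0.2.4", 445),
    ("10.0.0.7", "192.0.2.5", 445),
    ("10.0.0.9", "192.0.2.50", 21),
    ("10.0.0.9", "192.0.2.50", 22),
    ("10.0.0.9", "192.0.2.50", 23),
    ("10.0.0.9", "192.0.2.50", 25),
    ("10.0.0.9", "192.0.2.50", 80),
    ("10.0.0.3", "192.0.2.9", 80),
    ("10.0.0.3", "192.0.2.9", 80),
]


def longest_sequential_run(addresses):
    """Longest run, in observed order, where each address is the previous one plus one."""
    best = run = 1 if addresses else 0
    prev = None
    for addr in addresses:
        n = int(ipaddress.ip_address(addr))
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, run)
        prev = n
    return best


def detect_horizontal_scans(flows, threshold=4):
    """(src, dport) -> {hosts, sequential_run} for sources reaching >= threshold distinct hosts on one port."""
    targets = defaultdict(list)
    for src, dst, dport in flows:
        targets[(src, dport)].append(dst)
    findings = {}
    for key, dsts in targets.items():
        distinct = set(dsts)
        if len(distinct) >= threshold:
            findings[key] = {"hosts": len(distinct), "sequential_run": longest_sequential_run(dsts)}
    return findings


def detect_vertical_scans(flows, threshold=4):
    """(src, dst) -> number of distinct ports for pairs with >= threshold distinct ports."""
    ports = defaultdict(set)
    for src, dst, dport in flows:
        ports[(src, dst)].add(dport)
    return {key: len(p) for key, p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    for (src, dport), info in detect_horizontal_scans(SAMPLE_FLOWS).items():
        print(f"horizontal: {src} -> {info['hosts']} hosts on port {dport}, longest sequential run {info['sequential_run']}")
    for (src, dst), n in detect_vertical_scans(SAMPLE_FLOWS).items():
        print(f"vertical: {src} -> {n} ports on {dst}")
```

Thresholds of four are far too low for production traffic; the value is in the shape of the computation (distinct-host and distinct-port fan-out per source, plus the sequential-run check that distinguishes a naive in-order scanner from randomised scanning).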

  14. Exploits and Attack Mechanisms
  • Agobot
  • Very elaborate
  • Scans for back doors left by other worms
  • Scans for passwords from open SQL servers
  • Can enable 7 DDoS attack commands

  15. Exploits and Attack Mechanisms
  • GT Bot
  • Makes use of DCOM exploits
  • Has DDoS capabilities in the form of UDP and TCP floods.

  16. Malware Delivery Mechanisms
  • GT Bot
  • Delivers the exploit in a single script
  • Agobot
  • It first exploits an existing vulnerability
  • Then opens a shell on the remote host

  17. Obfuscation Mechanisms
  • Agobot is the only one that has any obfuscation mechanisms.
  • It uses four different polymorphic schemes.

  18. Deception Mechanisms
  • Again, Agobot is the only one that has any elaborate mechanism
  • Tests for debuggers
  • Tests for VMware
  • Kills anti-virus processes
  • Alters DNS entries for anti-virus updates to point to localhost
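The last bullet is the one a defender can check for directly: redirecting vendor update names to localhost leaves an entry in the host's name resolution that should never be there. The following added example (not from the slides or the paper) assumes the redirection is done through the hosts file, which is the usual way a bot achieves this without touching the network; the file contents are constructed, and the vendor names use the reserved .invalid domain.

```python
import ipaddress

# Constructed hosts-file content. The first three lines are ordinary; the
# last two model the tampering the slide describes (a vendor update name
# pinned to loopback or to the unspecified address).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
10.0.0.5        fileserver.corp.example
127.0.0.1       update.antivirus-vendor.invalid
0.0.0.0         liveupdate.antivirus-vendor.invalid   # sinkholed
"""

# Names that legitimately map to loopback on common systems (assumed list).
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "ip6-localhost",
    "ip6-loopback", "broadcasthost",
}


def parse_hosts(text):
    """Return [(ip_address, [names])] for each non-comment, well-formed line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed address field; skip
        entries.append((ip, parts[1:]))
    return entries


def find_sinkholed_names(text):
    """(name, address) for every name pinned to loopback/unspecified that is not a normal local alias."""
    flagged = []
    for ip, names in parse_hosts(text):
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        for name in names:
            if name.lower() not in LOCAL_NAMES:
                flagged.append((name, str(ip)))
    return flagged


if __name__ == "__main__":
    for name, addr in find_sinkholed_names(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {addr}")
```

On a live system the same function would be fed the contents of /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts; any non-local name pinned to 127.0.0.1 or 0.0.0.0 is worth an analyst's attention, and an entry for a security vendor's update domain is close to a smoking gun.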

  19. Contributions
  • Compiled a lot of information about different flavors of botnets.
  • Demonstrated that compromised machines not only acted as zombies for the master, but also exposed their users to ID theft.

  20. Shortfalls
  • While the paper covers many different effects of botnets, it doesn't give ways to alleviate them.
