Botnets - PowerPoint PPT Presentation (uploaded by zelia)
Presentation Transcript

Botnets

ECE 4112 Lab 10

Group 19

Botnets
  • Collection of compromised machines running malicious programs under a common command and control infrastructure
  • Attackers target Class B networks
  • Once a vulnerable system is detected
    • System compromised, then a control client (bot) is installed
  • These bots further attack networks, giving exponential growth in a tree-like fashion
Botnets - Uses
  • Distributed DoS attacks
  • Spamming
  • Sniffing Traffic
  • Keylogging
  • Attacking other networks
  • Identity theft
  • Google Adsense abuse
  • Spyware/Malware infestation
Lab Procedures
  • I. Setup: Setting up the IRCd server
  • II. SDBot
  • III. q8Bot
  • IV. HoneyNet Botnet capture analysis
Lab topology diagram (labels only): IRC client (Attacker); IRCd on Redhat WS4.0; Infected RedHat machine (Victim)

IRCd Server
  • IRC networks considered part of the “underground” Internet
  • Home to many hacking groups and illegal software release groups
  • Setup on WS 4.0 machine
SDBot/RBot/UrBot/UrXbot
  • The most active family of bots
  • Published under GPL
  • Poorly implemented in C
  • Provides a utilitarian IRC-based command and control system
  • Easy to extend
  • Large number of patches provide more sophisticated malicious capabilities
    • scanning, DoS attacks, sniffers, information harvesting & encryption features
SDBot
  • Setup on Windows XP VM using lccwin32 compiler
  • Created executable using bat file
  • Edited the hosts file to include ircserver
  • Bot Login
    • Random username joins channel – Bot
    • Login
    • .repeat 6 .delay 1 .execute 1 winmine.exe
      • Started 6 instances of minesweeper on the victim
SDBot
  • General Commands
    • .execute causes the bot to run a program
    • .download causes the bot to download the file specified by URL
    • .redirect lets the bot start a basic port redirect. everything sent to the port
    • .sysinfo causes the bot to reply with information on the host system
    • .netinfo causes the bot to reply with information on the bot's network connection
    • .visit lets the bot invisibly visit the specified URL
SDBot – UDP/Ping Flood
  • .udp <RH 7.2 IP> 1000 4096 100 23
    • command causes a UDP flood
  • For 1 Gbit link
    • Avg packet size = 1169 bytes
    • Bots required = 106,928
  • .ping <RH 7.2 ip> 1000 4096 1
    • Initiates a ping flood
  • For 1 Gbit link
    • Avg packet size = 1351 bytes
    • Bots required = 92,532 (approx)
SDBot – Pay per click
  • .visit http://57.35.6.10/index.html http://<anything>.com
    • Ethereal – TCP stream with HTTP packets illustrating http://<anything>.com as referrer
SDBot – Bot Removal
  • Kill Process
  • Remove registry entries:
    • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\CONFIGURATION LOADER
    • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\CONFIGURATION LOADER
q8Bot
  • Small bot with 926 lines of C code
  • Written only for Unix based systems
  • Features
    • DDoS attacks
    • Dynamic updating
    • Flooding
  • Versions with spreaders available
q8Bot
  • Installation after changes to the C file
  • ps -e
    • Shows the bot file running with a pid
  • ps -ef
    • Same pid shown as ‘-bash’
      • The -f flag gives a full listing with the command line process name -> replaced by FAKENAME in the source code
      • The -e flag gives the pid with the executable used
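As an added example (not part of the lab or of q8Bot), the Python check below looks for the mismatch the slide observes between ps -e and ps -ef: the name a process reports in argv[0] versus the binary behind the pid. The /proc paths are standard Linux; the SAMPLE snapshot is constructed.

```python
import os

def reported_name(cmdline):
    """argv[0] the way ps -ef shows it; a login shell's leading '-' is dropped."""
    return os.path.basename(cmdline.split("\0", 1)[0]).lstrip("-")

def check_process(cmdline, exe):
    """Return None when argv[0] agrees with the binary behind the pid, else a reason.
    cmdline is the raw /proc/<pid>/cmdline, exe the readlink of /proc/<pid>/exe."""
    if exe.endswith(" (deleted)"):       # binary unlinked after exec, a common bot trick
        return f"executable {exe[:-10]!r} was deleted while running"
    name, real = reported_name(cmdline), os.path.basename(exe)
    if name != real:
        return f"argv[0] says {name!r} but executable is {real!r}"
    return None

def suspicious_processes(snapshot):
    """snapshot: {pid: (cmdline, exe)} -> sorted [(pid, reason)] for mismatches."""
    findings = []
    for pid, (cmdline, exe) in sorted(snapshot.items()):
        reason = check_process(cmdline, exe)
        if reason:
            findings.append((pid, reason))
    return findings

def read_proc_snapshot(proc="/proc"):
    """Collect the same data from a live Linux /proc (run as root to see every pid)."""
    snap = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc}/{entry}/cmdline", "rb") as f:
                cmdline = f.read().decode(errors="replace")
            exe = os.readlink(f"{proc}/{entry}/exe")
        except OSError:                  # exited meanwhile, or not ours to read
            continue
        if cmdline:                      # kernel threads have an empty cmdline
            snap[int(entry)] = (cmdline, exe)
    return snap

# Constructed snapshot, not from a real host: 1203/1204 mimic the slide's FAKENAME trick.
SAMPLE = {
    1201: ("-bash\0", "/usr/bin/bash"),             # genuine login shell
    1202: ("/usr/sbin/sshd\0-D\0", "/usr/sbin/sshd"),
    1203: ("-bash\0", "/tmp/.x/q8bot"),             # bot hiding as '-bash'
    1204: ("-bash\0", "/tmp/.x/q8bot (deleted)"),   # same, binary removed
}
```

Run `suspicious_processes(read_proc_snapshot())` on a live host; interpreted programs and daemons that rewrite argv[0] (nginx, postgres) produce the same mismatch, so treat the findings as leads to review rather than verdicts.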
q8Bot – Commands
  • PAN <target> <port> <secs> - SYN flood which disables most network drivers
  • TSUNAMI <target> <secs> - packets that can bypass any firewall
  • GET <target> <save as> - Download/rename files
q8Bot
  • Tsunami Attack
    • Basic DoS attack
    • Packets directed to port 80 (http), hence ignored by firewalls
  • PAN
    • Add statement:
      • sendto(get, &send_tcp, 40+psize, 0, (struct sockaddr*)&sin, sizeof(sin));
      • Change return() to break in the final if block
    • PAN <WIN XP IP> <port> <delay in ms>
HoneyNet Botnet Capture Analysis
  • Data Forensics
  • View IRC connections
    • ip.dst == 172.16.134.191 && tcp.srcport == 6667
  • Sniff IRC packets
    • ip.dst == 172.16.134.191 && (tcp.srcport == 6667 || tcp.dstport == 6667)
  • Usernames sniffed:
    • Eohisou – Unsuccessful login attempt
    • Rgdiuggac – Successful login attempt
HoneyNet Botnet Capture Analysis
  • Once logged in, chanserv sets modes
    • i – Invisible mode (hidden)
    • x – provides random hostname to user
  • Source attack IPs – analyze through an Ethereal filter
    • 209.196.44.172
    • 63.241.174.144
    • 217.199.175.10
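An added Python example, not from the lab, that applies the Ethereal filter from the two HoneyNet slides to packet records and then reads the login outcomes and user modes out of the server's replies. The packets in SAMPLE are constructed, 198.51.100.7 is a stand-in for the IRC server address, and the numerics 001/433/464 are the standard IRC replies.

```python
from collections import namedtuple

HONEYPOT = "172.16.134.191"   # victim address used in the slides' filters
IRC_PORT = 6667
Packet = namedtuple("Packet", "src dst sport dport payload")

def matches_irc_filter(p):
    """Same test as the Ethereal display filter
    ip.dst == 172.16.134.191 && (tcp.srcport == 6667 || tcp.dstport == 6667)."""
    return p.dst == HONEYPOT and IRC_PORT in (p.sport, p.dport)

def parse_irc_line(line):
    """Split ':prefix COMMAND p1 p2 :trailing' into (prefix, command, params)."""
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, _, trailing = line.partition(" :")
    params = head.split() + ([trailing] if trailing else [])
    return prefix, params[0], params[1:]

def summarize_logins(pkts):
    """Return ({nick: 'ok' | 'failed'}, {user mode letters}) from the server replies
    that pass the filter: 001 = RPL_WELCOME, 433 = nick in use, 464 = bad password."""
    logins, modes = {}, set()
    for p in filter(matches_irc_filter, pkts):
        for line in filter(str.strip, p.payload.splitlines()):
            _, cmd, params = parse_irc_line(line)
            if cmd == "001":
                logins[params[0]] = "ok"
            elif cmd in ("433", "464"):          # 433 carries '*' before the nick
                logins[params[1 if cmd == "433" else 0]] = "failed"
            elif cmd == "MODE" and params[-1].startswith("+"):
                modes.update(params[-1][1:])     # '+ix' -> {'i', 'x'}
    return logins, modes

# Constructed sample packets (not the real HoneyNet capture): 198.51.100.7 stands in
# for the IRC server; the nicks are the two the slides report.
SAMPLE = [
    Packet("198.51.100.7", HONEYPOT, 6667, 1045,
           ":irc.example 433 * Eohisou :Nickname is already in use\r\n"),
    Packet("198.51.100.7", HONEYPOT, 6667, 1046,
           ":irc.example 001 Rgdiuggac :Welcome\r\n:Rgdiuggac MODE Rgdiuggac :+ix\r\n"),
    Packet(HONEYPOT, "198.51.100.7", 1046, 6667, "JOIN #chan\r\n"),  # outbound, filtered out
    Packet("198.51.100.7", HONEYPOT, 80, 1047, "HTTP/1.0 200 OK\r\n"),  # not IRC
]
```

`summarize_logins(SAMPLE)` yields Eohisou as failed, Rgdiuggac as ok, and the i and x modes, matching what the slides recovered from the capture.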
Botnets – Defense
  • Keep your system updated by downloading patches
  • Be careful opening suspicious attachments in email
  • Control use of scripting languages such as ActiveX and JavaScript
  • It is fundamental to use updated antivirus / antitrojan software
Botnets – Defense
  • Main signs of bot presence are connection and system slowdown
    • netstat -an
  • Admins: subscribe to mailing lists (e.g. Bugtraq)
  • Study the logs generated by IDS/firewall/mail/DHCP servers for abnormal activity
  • Most important – user awareness