Botnets

ECE 4112 Lab 10

Group 19



Botnets

  • Collection of compromised machines running (malicious) programs under a common command and control infrastructure

  • Attackers scan large address ranges (e.g. Class B /16 networks) for vulnerable hosts

  • Once a vulnerable system is detected

    • System compromised -> control client (bot) installed

  • These bots further attack other networks -> exponential growth in a tree-like fashion



Botnets - Uses

  • Distributed DoS (DDoS) attacks

  • Spamming

  • Sniffing Traffic

  • Keylogging

  • Attacking other networks

  • Identity theft

  • Google AdSense abuse (click fraud)

  • Spyware/Malware infestation



Lab Procedures

  • I. Setup: Setting up the IRCd server

  • II. SDBot

  • III. q8Bot

  • IV. HoneyNet Botnet capture analysis


IRCd Server

[Lab topology diagram: IRC client (attacker) and infected Red Hat machine (victim) both connect to the IRCd running on Red Hat WS 4.0]

  • IRC networks are considered part of the "underground" Internet

  • Home to many hacking groups and illegal software release groups

  • Set up on the Red Hat WS 4.0 machine



SDBot/RBot/UrBot/UrXbot

  • The most active family of bots

  • Published under the GPL

  • Poorly implemented in C

  • Provides a utilitarian IRC-based command and control system

  • Easy to extend

  • A large number of patches add more sophisticated malicious capabilities

    • Scanning, DoS attacks, sniffers, information harvesting and encryption features



SDBot

  • Set up on a Windows XP VM using the lcc-win32 compiler

  • Built the executable with a .bat file

  • Edited the hosts file so the bot's configured IRC server name resolves to the lab IRCd

  • Bot login

    • The bot joins the channel under a random username

    • Attacker logs in to the bot

    • .repeat 6 .delay 1 .execute 1 winmine.exe

      • Started 6 instances of Minesweeper on the victim, with a one-second delay between them



SDBot

  • General commands

    • .execute causes the bot to run a program

    • .download causes the bot to download the file at the specified URL

    • .redirect lets the bot start a basic port redirect: everything sent to the port

    • .sysinfo causes the bot to reply with information on the host system

    • .netinfo causes the bot to reply with information on the bot's network connection

    • .visit lets the bot invisibly visit the specified URL



SDBot – UDP/Ping Flood

  • .udp <RH 7.2 IP> 1000 4096 100 23

    • Command causes a UDP flood (arguments: target, number of packets, packet size, delay, port)

  • For a 1 Gbit/s link

    • Average packet size on the wire = 1169 bytes

    • Bots required = 106,928, i.e. 1 Gbit/s ÷ (1169 bytes × 8), which assumes each bot sends one packet per second

  • .ping <RH 7.2 IP> 1000 4096 1

    • Initiates a ping (ICMP echo) flood

  • For a 1 Gbit/s link

    • Average packet size = 1351 bytes

    • Bots required = 92,532 (approx., same one-packet-per-second assumption)



SDBot – Pay per click

  • .visit http://57.35.6.10/index.html http://<anything>.com

    • Ethereal – the HTTP packets in the TCP stream show http://<anything>.com as the Referer header, so the hit appears to come from that referring site



SDBot – Bot Removal

  • Kill the bot process first, then remove its autostart entries; reboot and confirm neither the process nor the keys return

  • Remove registry entries (SDBot registers itself as "Configuration Loader"):

    • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\CONFIGURATION LOADER

    • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\CONFIGURATION LOADER



q8Bot

  • Small bot: 926 lines of C code

  • Written only for Unix-based systems

  • Features

    • DDoS attacks

    • Dynamic updating

    • Flooding

  • Versions with spreaders (self-propagation code) are available



q8Bot

  • Installed after editing the C source

  • ps -e

    • Shows the bot binary running under its PID

  • ps -ef

    • The same PID is shown as '-bash'

      • The -f flag gives a full listing with the process's command line (argv[0]), which the bot's source replaces with FAKENAME

      • The -e flag lists every process; the name shown is the executable's name as recorded by the kernel
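The ps -e / ps -ef discrepancy above is something a defender can check for directly: the kernel keeps the executable name (comm) in /proc/<pid>/stat independently of the argv[0] that the bot rewrites. The following detector is an added example, not code from the ECE 4112 lab or from q8Bot; the process table in SAMPLE_PROCS is constructed, and its PIDs, names and stat text are made up.

```python
"""Find processes whose argv[0] (what `ps -ef` prints) disagrees with the
executable name the kernel recorded in comm (what `ps -e` prints).

Added example for this page; not code from the ECE 4112 lab or from q8Bot.
q8Bot overwrites argv[0] with FAKENAME (e.g. "-bash") so the full listing shows
a shell, but the comm field in /proc/<pid>/stat still carries the binary name.
SAMPLE_PROCS is a constructed process table with made-up PIDs and names.
"""
import os
import re

TASK_COMM_LEN = 15          # Linux truncates comm to 15 characters

# comm sits in parentheses and may itself contain spaces or ')', so match up to
# the last ')' that is followed by the single-letter process state.
STAT_COMM = re.compile(r"^\d+ \((?P<comm>.*)\) [A-Za-z] ")


def comm_from_stat(stat_text):
    """Executable name as recorded by the kernel (/proc/<pid>/stat, field 2)."""
    m = STAT_COMM.match(stat_text)
    return m.group("comm") if m else None


def argv0_from_cmdline(cmdline):
    """First NUL-separated field of /proc/<pid>/cmdline; empty for kernel threads."""
    return cmdline.split(b"\0", 1)[0].decode(errors="replace")


def is_spoofed(comm, argv0):
    """True when argv[0] names a different program than comm.

    Login shells legitimately carry a leading '-' ("-bash"), and daemons that
    set their own title (sshd shows "sshd: user@pts/0") keep the binary as the
    first token, so strip both before comparing basenames on the kernel's
    15-character prefix. Anything still flagged deserves a look at /proc/<pid>/exe.
    """
    if not argv0 or comm is None:
        return False
    tokens = argv0.lstrip("-").split()
    if not tokens:
        return False
    name = os.path.basename(tokens[0].rstrip(":"))
    return name[:TASK_COMM_LEN] != comm[:TASK_COMM_LEN]


def find_spoofed(procs):
    """procs: iterable of (pid, stat_text, cmdline_bytes); returns PIDs to investigate."""
    return [pid for pid, stat_text, cmdline in procs
            if is_spoofed(comm_from_stat(stat_text), argv0_from_cmdline(cmdline))]


def read_proc():
    """Yield (pid, stat, cmdline) from the live /proc on Linux; nothing elsewhere."""
    if not os.path.isdir("/proc"):
        return
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/stat") as f:
                stat_text = f.read()
            with open(f"/proc/{entry}/cmdline", "rb") as f:
                cmdline = f.read()
        except OSError:
            continue            # process exited or permission denied
        yield int(entry), stat_text, cmdline


# Constructed process table: a real login shell, a bot hiding as one, a daemon
# with a rewritten title, and a kernel thread (stat fields after comm are filler).
SAMPLE_PROCS = [
    (1000, "1000 (bash) S 1 1000 1000 34816 1000 4194560 0 0 0", b"-bash\0"),
    (1001, "1001 (q8bot) S 1000 1001 1000 34816 1000 4194304 0 0 0", b"-bash\0"),
    (1002, "1002 (sshd) S 1 1002 1002 0 -1 4194624 0 0 0", b"sshd: user@pts/0\0"),
    (2, "2 (kthreadd) S 0 0 0 0 -1 2129984 0 0 0", b""),
]

if __name__ == "__main__":
    print("sample:", find_spoofed(SAMPLE_PROCS))   # [1001]
    print("live:", find_spoofed(read_proc()))
```

Only the q8Bot entry is reported: the real login shell and the sshd child both pass once the leading "-" and the daemon's title suffix are discounted. Run it as root on the lab's victim machine to compare against what ps -e and ps -ef show.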



q8Bot – Commands

  • PAN <target> <port> <secs> – SYN flood (described in the bot's source as able to kill most network drivers)

  • TSUNAMI <target> <secs> – packet flood that the bot's source claims will pass most firewalls

  • GET <target> <save as> – download a file and save it under the given name



q8Bot

  • Tsunami attack –

    • Basic DoS attack

    • Packets are directed to port 80 (HTTP), which most firewalls allow through, so they are not filtered

  • PAN

    • Add the statement:

      • sendto(get, &send_tcp, 40+psize, 0, (struct sockaddr *)&sin, sizeof(sin));

      • Change return() -> break in the final if block

    • PAN <WIN XP IP> <port> <delay in ms>



HoneyNet Botnet Capture Analysis

  • Data forensics

  • View IRC connections

    • ip.dst == 172.16.134.191 && tcp.srcport == 6667

  • Sniff IRC packets

    • ip.dst == 172.16.134.191 && (tcp.srcport == 6667 || tcp.dstport == 6667)

  • Usernames sniffed:

    • Eohisou – unsuccessful login attempt

    • Rgdiuggac – successful login attempt



HoneyNet Botnet Capture Analysis

  • Once logged in, ChanServ sets user modes on the bot's nick

    • i – invisible (hidden from WHO listings)

    • x – masks the user's real hostname

  • Source IPs of the attack – identified with an Ethereal display filter

    • 209.196.44.172

    • 63.241.174.144

    • 217.199.175.10
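The Ethereal filters above isolate the IRC session; the next step is to read it. The script below is an added example for this page, not code from the ECE 4112 lab, from SDBot or from the Honeynet capture. It takes an IRC session as "Follow TCP Stream" shows it (one message per line, here prefixed with "->" for client-to-server and "<-" for server-to-client), records which NICK registrations failed or succeeded, which user modes were set, and which SDBot-style "." commands the herder sent in the channel (the .login / .udp / .visit commands from the SDBot slides), and pulls the flood target out of the flood commands. Everything in SAMPLE_STREAM is constructed: the nicks, channel, server name and the 10.0.0.0/8 and 192.0.2.0/24 addresses are placeholders, not values from the lab or the capture.

```python
"""Triage an IRC command-and-control stream captured from a bot.

Added example for this page; not code from the ECE 4112 lab, SDBot or the
Honeynet capture. SAMPLE_STREAM is constructed: nicks, channel, server name and
addresses are placeholders.
"""
import re

# Constructed sample of a bot's IRC session, in the order the slides describe:
# a rejected nick, an accepted nick, modes set on the bot, then herder commands.
SAMPLE_STREAM = """\
-> NICK eohisou
-> USER eohisou 0 0 :eohisou
<- :irc.example.net 433 * eohisou :Nickname is already in use.
-> NICK rgdiuggac
-> USER rgdiuggac 0 0 :rgdiuggac
<- :irc.example.net 001 rgdiuggac :Welcome to the network
<- :rgdiuggac MODE rgdiuggac :+ix
-> JOIN #bots
<- :herder!h@10.0.0.5 PRIVMSG #bots :.login secretpass
<- :herder!h@10.0.0.5 PRIVMSG #bots :.udp 192.0.2.10 1000 4096 100 23
<- :herder!h@10.0.0.5 PRIVMSG #bots :.visit http://192.0.2.20/index.html http://example.com
<- :herder!h@10.0.0.5 PRIVMSG #bots :hello everyone
"""

# direction, optional ":prefix", command or numeric reply, rest of the line
IRC_LINE = re.compile(r"^(?P<dir>->|<-) (?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")
# SDBot commands: a "." followed by a lowercase name and space-separated arguments
BOT_CMD = re.compile(r"^\.(?P<name>[a-z]+)(?: (?P<args>.*))?$")
# SDBot flood commands whose first argument is the victim (the lab's .udp / .ping)
FLOOD_COMMANDS = {"udp", "ping"}


def parse_line(line):
    """Split one IRC message into dir, prefix, cmd, params (list) and trailing text."""
    m = IRC_LINE.match(line)
    if not m:
        return None
    params = m.group("params") or ""
    trailing = None
    if params.startswith(":"):
        params, trailing = "", params[1:]
    elif " :" in params:
        params, trailing = params.split(" :", 1)
    return {"dir": m.group("dir"), "prefix": m.group("prefix"), "cmd": m.group("cmd"),
            "params": params.split(), "trailing": trailing}


def analyze(stream):
    """Return logins, user modes, bot commands and flood targets seen in the stream."""
    report = {"logins": [], "modes": {}, "bot_commands": [], "flood_targets": set()}
    pending_nick = None
    for raw in stream.splitlines():
        msg = parse_line(raw)
        if msg is None:
            continue
        cmd, params, trailing = msg["cmd"], msg["params"], msg["trailing"]
        if cmd == "NICK" and msg["dir"] == "->" and params:
            pending_nick = params[0]
        elif cmd == "433" and pending_nick:            # ERR_NICKNAMEINUSE: registration failed
            report["logins"].append((pending_nick, "failed"))
            pending_nick = None
        elif cmd == "001" and pending_nick:            # RPL_WELCOME: registration accepted
            report["logins"].append((pending_nick, "ok"))
            pending_nick = None
        elif cmd == "MODE" and params and trailing:    # e.g. MODE nick :+ix
            report["modes"][params[0]] = trailing
        elif cmd == "PRIVMSG" and trailing:
            bc = BOT_CMD.match(trailing)
            if bc:                                      # channel text shaped like a bot command
                sender = (msg["prefix"] or "?").split("!", 1)[0]
                args = (bc.group("args") or "").split()
                report["bot_commands"].append((sender, bc.group("name"), args))
                if bc.group("name") in FLOOD_COMMANDS and args:
                    report["flood_targets"].add(args[0])
    return report


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_STREAM).items():
        print(f"{key}: {value}")
```

On the constructed stream this reports eohisou as a failed registration and rgdiuggac as a successful one, +ix on the bot's nick, the three herder commands with their sender, and 192.0.2.10 as the target of the .udp flood. Feed it the text Ethereal/Wireshark exports for the filtered stream (after adding the direction markers) to get the same summary for the real capture.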



Botnets – Defense

  • Keep your system updated; apply patches promptly

  • Be careful when opening suspicious email attachments

  • Restrict active content in the browser, such as ActiveX controls and JavaScript

  • It is fundamental to run an up-to-date antivirus / anti-trojan



Botnets – Defense

  • Main signs of a bot's presence are connection and system slowdown

    • netstat -an (look for unexpected outbound connections, e.g. to IRC port 6667)

  • Admins – subscribe to security mailing lists (e.g. Bugtraq)

  • Study the logs generated by IDS, firewall, mail and DHCP servers for abnormal activity

  • Most important – user awareness
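The netstat -an check above is easy to automate. The script below is an added example for this page, not code from the ECE 4112 lab: it parses netstat -an output in both the Windows and the Linux layout and reports sockets that are connected, or trying to connect, to the ports IRC servers commonly use (the lab's IRCd listened on 6667). SAMPLE_NETSTAT is constructed; its addresses are placeholders, and the set of ports to flag is an assumption a workstation baseline would need to confirm.

```python
"""Scan `netstat -an` output for connections to IRC command-and-control ports.

Added example for this page; not code from the ECE 4112 lab. SAMPLE_NETSTAT is
constructed and its addresses are placeholders.
"""
import re
import subprocess

# 6660-6669 and 7000 are the classic IRC ports, 6697 is IRC over TLS; the lab's
# IRCd used 6667. Assumption: an ordinary workstation has no business on these.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
# ESTABLISHED is a live C2 session; repeated SYN_SENT is a bot retrying a dead C2.
INTERESTING_STATES = {"ESTABLISHED", "SYN_SENT"}

# Windows: "  TCP    local:port   remote:port   STATE"
# Linux:   "tcp   recvq sendq local:port   remote:port   STATE"
CONN = re.compile(
    r"^\s*(?P<proto>tcp6?)\s+(?:\d+\s+\d+\s+)?"
    r"(?P<local>\S+):(?P<lport>\d+|\*)\s+(?P<remote>\S+):(?P<rport>\d+|\*)\s+(?P<state>\S+)",
    re.IGNORECASE,
)

# Constructed Windows-style netstat -an output: two listeners, a web session,
# a live IRC session on 6667 and a reconnect attempt to a second C2 on 7000.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1042       10.0.0.5:6667          ESTABLISHED
  TCP    192.168.1.5:1043       192.0.2.50:80          ESTABLISHED
  TCP    192.168.1.5:1044       10.0.0.6:7000          SYN_SENT
  UDP    192.168.1.5:137        *:*
"""


def parse_netstat(text):
    """Yield (proto, local, remote, rport, state) for each TCP line with a numeric remote port."""
    for line in text.splitlines():
        m = CONN.match(line)
        if m and m.group("rport").isdigit():
            yield (m.group("proto").lower(),
                   f"{m.group('local')}:{m.group('lport')}",
                   f"{m.group('remote')}:{m.group('rport')}",
                   int(m.group("rport")),
                   m.group("state").upper())


def suspicious_irc_connections(text):
    """Connections to IRC ports that are up or being attempted; review each one."""
    return [(local, remote, state) for _, local, remote, rport, state in parse_netstat(text)
            if rport in IRC_PORTS and state in INTERESTING_STATES]


def scan_live():
    """Run netstat -an on this host (same flags on Windows and Linux) and check it."""
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    return suspicious_irc_connections(out)


if __name__ == "__main__":
    for local, remote, state in suspicious_irc_connections(SAMPLE_NETSTAT):
        print(f"{local} -> {remote} [{state}]")
```

On the sample this flags the 6667 session and the SYN_SENT to port 7000 and ignores the web session and the listeners. A bot that uses a non-standard port will not trip a port list, so pair this with the slide's other advice: look at any outbound connection you cannot account for, not only the ones on known IRC ports.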

