Project in Computer Security
Monitoring Botnets from Within
Final presentation – spring 2012
Students: Shir Degani, Yuval Degani
Supervisor: Amichai Shulman
Background
Botnets, large networks of compromised computers, are today the main source of application-layer attacks against web servers. A botnet is built by individually infecting (or “recruiting”) computers through various methods, such as infected websites, downloaded malicious code, or abuse of server-side application vulnerabilities.
Aims and goals
One important aspect of investigating this phenomenon is understanding the traffic a bot generates upon command from the botnet commander. Isolating bot traffic from regular traffic allows a security researcher to develop software that identifies an already infected computer and blocks this abusive traffic.
Objectives
• Publish a web application with easy and well-known vulnerabilities, maintained and filled with false but real-looking content.
• Join botnets (if not by accident, then by force).
• Accumulate and analyze incoming and outgoing traffic over time.
• Isolate and classify bot traffic.
• Produce a detailed report of the traffic recorded: volume, duration, targets, type of abusive activities, and so on.
• Recognize and generalize patterns of traffic.
Accomplishments
• Collected long-term IRC traffic from various botnets for analysis.
• Analyzed IRC botnet traffic characteristics and botnet capabilities.
• Researched many sources of malicious PHP code.
• Produced a detailed report on the analyzed traffic and code.
• Created a set of tools for automating infection and the research of PHP IRC botnet code.
• Published a detailed guide on how to research further scripts and use the tools provided.
Methodology
• Publish a web application on a “sandbox” machine.
• Use provided lists of suspicious URLs to try to recognize active botnets.
• Use a different machine to collect IRC traffic on the botnets found.
• Analyze the traffic logs collected.
• Produce a detailed and informative report on each botnet.
Setup
Machines on Amazon EC2:
• Isolated “sandbox” machine running a web server:
  • Windows 2008 R2.
  • WordPress with a blog full of content.
  • Security policy allows only web and IRC traffic.
  • Wireshark running at all times to log packets.
  • mIRC for monitoring chat room activity on the relevant rooms and server.
  • Machine is saved as a snapshot for restore if needed.
• Separate machine for monitoring.
Set of automation tools
• While working, we noticed that most of the time is spent on meticulous and rigorous tasks: inspecting URLs and looking for active botnets.
• This led us to try to automate some of the process, and resulted in a set of tools that removes most of the overhead that URL inspection requires.
Tool #1: URL downloader
• Targets the repetitive task of checking the validity of a list of suspicious URLs and downloading them for further use.
• Algorithm:
  • Try different variations on each URL with a few frequent suffixes.
  • Number each script that was successfully downloaded and add the .php extension.
Tool #2: IRC traffic sniffer
• Targets the time-consuming task of running a suspicious script and checking whether it activates an active botnet.
• Algorithm: for each PHP file in a specified folder:
  • Start an Internet Explorer process.
  • Copy the PHP file to a provided runnable web-published folder.
  • Start a background job that collects all TCP packets.
  • Run the PHP file in the Internet Explorer process for a limited amount of time (timeout parameter provided).
  • Kill the Internet Explorer process and any other PHP processes.
  • Stop collecting packets.
  • Analyze the packets and look for the following IRC commands:
    • PASS <string>, the password of the destination server (destination IP and TCP port taken from the packet).
    • JOIN #<string> <string>, joining an IRC channel, with the channel password.
  • Print the sniffed info and append it to a file named after the PHP file for further use.
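The packet-analysis step of Tool #2 reduces to scanning reconstructed TCP payloads for IRC PASS and JOIN lines and grouping the hits by destination server. The following is an added example of that check, not the project's own tool: it runs over constructed sample payload records (destination IP, destination port, raw bytes) instead of a live capture, and the server addresses and channel names in it are made up.

```python
"""Extract IRC PASS and JOIN commands from captured TCP payloads.

Added example, not the project's sniffer. Input records are assumed to be
(destination ip, destination port, raw payload bytes), the fields the
project's tool reads off each packet.
"""
import re
from collections import defaultdict

# IRC client messages: "PASS <secret>" and "JOIN #chan [key]"
PASS_RE = re.compile(r"^PASS\s+:?(\S+)\s*$", re.IGNORECASE)
JOIN_RE = re.compile(r"^JOIN\s+(#\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE)

# Constructed sample records (addresses and names are made up)
SAMPLE_PACKETS = [
    ("203.0.113.10", 6667, b"PASS s3cret\r\nNICK [USA]abc123\r\nUSER x 8 * :bot\r\n"),
    ("203.0.113.10", 6667, b"JOIN #botchan chankey\r\n"),
    ("203.0.113.10", 6667, b"PRIVMSG #botchan :hello\r\n"),
    ("198.51.100.7", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("203.0.113.55", 6669, b"JOIN #other\r\n"),
]


def parse_irc_lines(payload: bytes):
    """Yield decoded, stripped lines from a payload (IRC messages are CRLF-delimited)."""
    text = payload.decode("utf-8", errors="replace")
    for line in text.split("\r\n"):
        line = line.strip()
        if line:
            yield line


def extract_irc_indicators(packets):
    """Return {(ip, port): {"pass": [...], "join": [(channel, key), ...]}}.

    Only servers that received at least one PASS or JOIN appear in the result;
    unrelated traffic (e.g. plain HTTP) is ignored.
    """
    found = defaultdict(lambda: {"pass": [], "join": []})
    for dst_ip, dst_port, payload in packets:
        for line in parse_irc_lines(payload):
            m = PASS_RE.match(line)
            if m:
                found[(dst_ip, dst_port)]["pass"].append(m.group(1))
                continue
            m = JOIN_RE.match(line)
            if m:
                # group(2) is None when the channel has no key
                found[(dst_ip, dst_port)]["join"].append((m.group(1), m.group(2)))
    return dict(found)


def format_report(found):
    """Render the indicators as the per-server text the tool appends to its output file."""
    lines = []
    for (ip, port), info in sorted(found.items()):
        lines.append(f"server {ip}:{port}")
        for secret in info["pass"]:
            lines.append(f"  PASS {secret}")
        for chan, key in info["join"]:
            lines.append(f"  JOIN {chan}" + (f" key={key}" if key else ""))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(extract_irc_indicators(SAMPLE_PACKETS)))
```

Keying the result on (destination IP, destination port) is what lets a PASS seen in one packet be associated with a JOIN seen in a later packet to the same server, which is the pairing the tool writes out per script.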
Results & Conclusions
• Most of the activity on the active botnets involves scanning for vulnerable websites and trying to infect them.
• All vulnerabilities used are well-known and documented bugs in WordPress extensions.
• Although they are known, a great number of scanning results appear to be vulnerable: users don't care enough about updates.
• Real attacks were rare in the data collected.
• One notable DoS attack, a UDP flood, was seen.
• Passing of credit card numbers and identities was noted a few times.
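Since the dominant activity observed was probing websites for known-vulnerable WordPress extensions, a site operator's first detection opportunity is the web server access log. The following is an added example, not part of the project's report or tools: it parses Common Log Format lines and flags a client that requests many distinct plugin paths within a short window and mostly receives 404s. The thresholds and the plugin-directory heuristic are assumptions, and the log lines, addresses and plugin names are constructed.

```python
"""Flag probing of WordPress plugin paths in a web server access log.

Added example, not from the project. The heuristic (many distinct
/wp-content/plugins/<name> requests from one client in a short window,
mostly answered 404) and its thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
PLUGIN_PATH = re.compile(r"^/wp-content/plugins/([^/?]+)")

# Constructed sample log (addresses and plugin names are made up)
SAMPLE_LOG = """\
192.0.2.5 - - [10/Mar/2012:10:00:01 +0000] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 404 209
192.0.2.5 - - [10/Mar/2012:10:00:02 +0000] "GET /wp-content/plugins/plugin-b/readme.txt HTTP/1.1" 404 209
192.0.2.5 - - [10/Mar/2012:10:00:02 +0000] "GET /wp-content/plugins/plugin-c/readme.txt HTTP/1.1" 404 209
192.0.2.5 - - [10/Mar/2012:10:00:03 +0000] "GET /wp-content/plugins/plugin-d/readme.txt HTTP/1.1" 404 209
192.0.2.5 - - [10/Mar/2012:10:00:04 +0000] "GET /wp-content/plugins/plugin-e/readme.txt HTTP/1.1" 200 1024
198.51.100.9 - - [10/Mar/2012:10:00:05 +0000] "GET /2012/03/hello-world/ HTTP/1.1" 200 5120
198.51.100.9 - - [10/Mar/2012:10:00:06 +0000] "GET /wp-content/plugins/plugin-e/style.css HTTP/1.1" 200 800
"""


def parse_log(text):
    """Return a list of (ip, timestamp, path, status); lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((m.group("ip"), ts, m.group("path"), int(m.group("status"))))
    return events


def detect_plugin_scans(events, window_s=60, min_distinct=4, min_404_ratio=0.5):
    """Return {ip: summary} for clients whose plugin-path requests look like a scan.

    A client is flagged if, within any window_s-second window, it requested
    at least min_distinct different plugin directories and at least
    min_404_ratio of those requests were answered 404.
    """
    by_ip = defaultdict(list)
    for ip, ts, path, status in events:
        pm = PLUGIN_PATH.match(path)
        if pm:
            by_ip[ip].append((ts, pm.group(1), status))

    alerts = {}
    for ip, hits in by_ip.items():
        hits.sort()
        j = 0
        for i in range(len(hits)):
            # advance j to the first hit outside the window starting at hits[i]
            while j < len(hits) and (hits[j][0] - hits[i][0]).total_seconds() <= window_s:
                j += 1
            window = hits[i:j]
            plugins = {name for _, name, _ in window}
            not_found = sum(1 for _, _, status in window if status == 404)
            if len(plugins) >= min_distinct and not_found / len(window) >= min_404_ratio:
                alerts[ip] = {
                    "distinct_plugins": len(plugins),
                    "requests": len(window),
                    "not_found": not_found,
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_plugin_scans(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The 404 ratio is what separates a scanner walking a list of plugin names from a legitimate visitor whose page pulls assets from the plugins that are actually installed; the second client in the sample touches a plugin path too, but only one, and it exists.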
Future work
• The final report contains a full guide on how to inspect and analyze IRC botnets:
  • Complete methodology guide.
  • A list of further investigation directions.
  • A user manual for the automation tools.
• All of the above give future teams a big opportunity to get started very quickly and skip the initial non-productive phases.
Summary
• Our research shows that there is a whole underground culture of Indonesian-sourced botnets that is very much alive and active.
• Most of the activity on these botnets is expanding their army of bots, creating a net of abused servers large enough to be lucrative for their manager.
• PHP code allows endless possibilities for hijacking and abusing web servers.