AN INSIDE LOOK AT BOTNETS


Presentation Transcript


  1. AN INSIDE LOOK AT BOTNETS • Barford, Paul and Yegneswaran • Advances in Information Security, Springer, 2006 • Kishore Padma Raju

  2. INTRODUCTION • Attacks for financial gain • Proactive methods • Understanding of malicious software is readily available • 4 IRC botnet codebases analyzed along 7 dimensions

  3. ARCHITECTURE • AGOBOT (Phatbot) • Found in October 2002 • Most sophisticated and best-written source code • 20,000 lines of C/C++ • High-level components: • IRC-based command and control mechanism • Large collection of target exploits • DoS attacks • Harvest the local host

  4. SDBOT • October 2002 • Simple code in C, 2,000 lines • IRC-based command and control system • Easy to extend, so many patches are available (DoS attacks, information harvesting routines) • Motivation for patch dissemination is diffusion of accountability

  5. SPYBOT • 3,000 lines of C code • April 2003 • Evolved from SDBOT • No diffusion of accountability • Includes scanning capability and flooding attacks • Efficient

  6. GTBOT (Global Threat) (Aristotles) • Based on mIRC functions (event handlers for remote nodes) • Capabilities: • Port scanning • DoS attacks • Stored in file mirc.ini • Remote execution • BNC (proxy system), psexec.exe • Implications

  7. BOTNET CONTROL MECHANISMS • Communication • Command language and control protocols • Based on IRC • Commands: • Deny service • Spam • Phish

  8. AGOBOT • Command language contains standard IRC commands and commands specific to this bot • Bot commands perform specific functions, e.g.: • bot.open • cvar.set • ddos_max_threads

  9. SDBOT • IRC protocol messages in the SDBOT command language: NICK_USER PING 001/005 PONG 001/005 JOIN USERHOST NICK PRIVMSG/ NOTICE/ TOPIC 302 EST KICK 353 PART/QUIT REJOIN RESET ACTION

  10. SPYBOT • Command language is simple • Commands are login, passwords, disconnect, reconnect, uninstall, spy, loadclones, killclones • GTBOT • Simplest • Varies across versions • Commands are !ver, !scan, !portscan, !clone.*, !update • IMPLICATIONS • Command languages are simple today • Encrypted communication likely in future • Fingerprinting methods

  11. HOST CONTROL MECHANISMS • Manipulate the victim host • AGOBOT • Commands to harvest sensitive information (harvest.cdkeys, harvest.emails, registry, windowskeys) • List and kill processes (pctrl.list, kill, killpid) • Add or delete autostart entries (inst.asadd, asdel) • SDBOT • Remote execution commands and gathering of local information • Patches • Host control commands (download, killthread, update)

  12. SPYBOT • Control commands for file manipulation, key logging, remote command execution • Commands are delete, execute, makedir, startkeylogger, stopkeylogger, reboot, update • GTBOT • Gathering local system information • Run or delete local files • IMPLICATIONS • Underscores the need to patch • Stronger protection boundaries • Gathering of sensitive information

  13. PROPAGATION MECHANISMS • Search for new host systems • Horizontal and vertical scans • AGOBOT • IP addresses within network ranges • scan.addnetrange, scan.delnetrange, scan.enable • SDBOT • Same as AGOBOT • NETBIOS scanner • Starting and ending IP addresses

  14. SPYBOT • Command interface • Command: scan <startipaddress> <port> <delay> <spreaders> <logfilename> • Example: scan 127.0.0.1 17300 1 netbios portscan.txt • GTBOT • Horizontal and vertical scanning • IMPLICATIONS • Simple scanning methods • Source code examination
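The fingerprinting idea from slides 8 to 10 and the Spybot scan syntax from slide 14, turned into a defender-side detector over captured IRC traffic. This is an added example, not code from the paper or the presentation; the verb lists are only the ones the slides name, the IRC framing is the standard PRIVMSG/NOTICE form, and the sample capture is constructed.

```python
import re
from typing import Optional

# Verb vocabulary taken from the slides (a subset of each codebase's real command set).
BOT_COMMANDS = {
    "agobot": {"bot.open", "cvar.set", "ddos_max_threads", "harvest.cdkeys", "harvest.emails",
               "pctrl.list", "inst.asadd", "inst.asdel", "scan.addnetrange", "scan.delnetrange",
               "scan.enable", "ddos.udpflood", "ddos.synflood", "ddos.httpflood"},
    "sdbot": {"download", "killthread", "update", "udp", "ping"},
    "spybot": {"login", "disconnect", "reconnect", "uninstall", "spy", "loadclones", "killclones",
               "scan", "delete", "execute", "makedir", "startkeylogger", "stopkeylogger",
               "reboot", "update"},
    "gtbot": {"!ver", "!scan", "!portscan", "!update"},
}
# Standard IRC framing: ":nick!user@host PRIVMSG #chan :text"
PRIVMSG_RE = re.compile(r"^:(?P<src>\S+) (?:PRIVMSG|NOTICE) (?P<target>\S+) :(?P<text>.*)$")

def parse_spybot_scan(args: list) -> Optional[dict]:
    """Spybot 'scan <startip> <port> <delay> <spreader> <logfile>': five fields, two numeric."""
    if len(args) != 5 or not args[1].isdigit() or not args[2].isdigit():
        return None
    return {"start_ip": args[0], "port": int(args[1]), "delay": int(args[2]),
            "spreader": args[3], "logfile": args[4]}

def classify_irc_line(line: str) -> Optional[dict]:
    """Return a finding when the message text starts with a known bot verb, else None."""
    m = PRIVMSG_RE.match(line.strip())
    tokens = m.group("text").split() if m else []
    if not tokens:
        return None
    verb = tokens[0].lower()
    families = sorted(f for f, verbs in BOT_COMMANDS.items() if verb in verbs)
    if not families:
        return None
    finding = {"source": m.group("src"), "target": m.group("target"),
               "verb": verb, "families": families}
    if verb == "scan":  # decode the argument layout shown on slide 14
        finding["scan"] = parse_spybot_scan(tokens[1:])
    return finding

def scan_log(lines: list) -> list:
    """Run the classifier over captured IRC lines, keeping only the hits."""
    return [f for f in map(classify_irc_line, lines) if f is not None]

# Constructed sample capture (not real traffic); the first line is the slide's own example.
SAMPLE_LOG = [
    ":herder!h@10.0.0.9 PRIVMSG #c :scan 127.0.0.1 17300 1 netbios portscan.txt",
    ":herder!h@10.0.0.9 PRIVMSG #c :!portscan 192.0.2.5",
    ":alice!a@10.0.0.3 PRIVMSG #c :lunch at noon?",
    ":bob!b@10.0.0.4 PRIVMSG #c :update your calendar",
]
```

The last sample line shows the caveat behind the "fingerprinting" implication: generic verbs such as update also appear in ordinary chat, so a real detector weights them lower or requires the argument shape to match, as the scan parser does.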

  15. EXPLOITS AND ATTACK MECHANISMS • Attack known vulnerabilities on target systems • AGOBOT • Broadening set of exploits • Generic DDoS module • Enables seven types of denial-of-service attacks • ddos.udpflood, synflood, httpflood, phatsyn, phaticmp, phatwonk, targa3, stop • SDBOT • Flooding attacks with UDP and ICMP packets • udp <host> <#pkts> <pktsz> <delay> <port> and ping <host> <#pkts> <pktsz> <timeout>

  16. SPYBOT AND GTBOT • Same as SDBOT • IMPLICATIONS • Multiple exploits

  17. MALWARE DELIVERY MECHANISMS • GT/SD/SPY bots deliver the exploit and encoded malware in a single package • AGOBOT • Exploits the vulnerability and opens a shell on the remote host • The encoded binary is then sent using HTTP or FTP • IMPLICATIONS

  18. OBFUSCATION MECHANISMS • Hide the details of the malware • Polymorphism • AGOBOT • POLY_TYPE_XOR • POLY_TYPE_SWAP • POLY_TYPE_ROR • POLY_TYPE_ROL • IMPLICATIONS

  19. CONCLUSIONS • Expanded the knowledge base for security research • Lethal classes of Internet threats • Functional components of botnets

  20. WEAKNESSES • Studies only IRC-based botnets • No preventive mechanisms • No dynamic profiling of botnet executables • Insufficient analysis

  21. IMPROVEMENTS • Dynamic profiling can be performed using existing tools • Botnet monitoring mechanisms can be explained • Analysis of peer-to-peer infrastructure
