Botnets: An Introduction Into the World of Botnets
Tyler Hudak, tyler@hudakville.com

What will we cover?
- What are botnets?
- History
- How do they work?
- What are they used for?
- Who cares?
- Detection and prevention methods

This presentation is an introduction to the world of botnets. By the end of it the reader should have a good understanding of the basics of botnets: how they work, where they came from and why they are used.

Botnets
- "Collection of software robots, or bots, which run autonomously" [1]
- A group of programs, installed on different computers, all running under one command and control (C&C) structure
- Typically controlled by one person or a group of people (the botmaster)

[1] This definition comes from Wikipedia: http://en.wikipedia.org/wiki/Botnet

Botnets are essentially a collection of bots (short for robots) under a common command and control structure. Bots are programs installed on different computers that perform actions for the controller (the botmaster). While in the beginning bots were not malicious in nature, the ones discussed in this presentation are.

History
- Originally used in IRC as a way to allow automated tasks to be done
  - Protect a channel, kick a user out of a channel, etc.
- Eventually evolved into a way to automate malicious tasks
- Started with DoS/DDoS against servers: TFN, stacheldraht, trinoo (1999)

Please note that this is an extremely simplistic history of bots and botnets. Bots were originally used within IRC (and IM) to automate tasks, protect a channel and provide entertainment for users. At some point attackers saw the value in automating their attacks and in having a way to control their victims. The first botnets publicly talked about (that I could find; there may have been others) were the zombie networks created by the TFN, stacheldraht and trinoo distributed denial of service (DDoS) programs in 1999. These were made famous by mafiaboy's DoS attacks against Yahoo, eBay and other major sites in February 2000. These zombie networks used a "proprietary" command and control structure (each tool's own handler-to-agent protocol) and were very rudimentary compared to some of today's botnets. David Dittrich has some excellent write-ups of these early DDoS networks at http://staff.washington.edu/dittrich/misc/ddos/.

History
- Attackers created easier ways to control bots: IRC, HTTP, P2P
- Bots started to become payloads for worms
  - Allowed for faster compromises, bigger botnets
  - Sobig/SDBot/Rbot/Agobot/Phatbot...
- Today, botnets are big business! Over 10,000 bots have been reported in a single botnet.

As these tools evolved, attackers moved away from the control methods used in the early DDoS tools and onto more "public" services, such as Internet Relay Chat (IRC). IRC was a perfect fit for these programs because an attacker could use a password-protected channel to control the bots while keeping it out of sight of the general public. Since then, other C&C methods using HTTP and P2P have emerged. To spread their bots to more machines at a faster rate, attackers started making bots the payloads of worms. As a worm scans the Internet and infects vulnerable machines, each infected machine joins the botnet, rapidly increasing the number of bots at the attacker's disposal. Some of the more famous families include Sobig, Agobot (more than 500 variants exist) and Phatbot.

How do they work?
1. Botmaster infects victim with bot (worm, social engineering, etc.)
2. Bot connects to IRC C&C channel
3. Botmaster sends commands through IRC C&C channel to bots
4. Repeat. Soon the botmaster has an army of bots to control from a single point

(Diagram: Botmaster, IRC Server, Victim)

The slide above shows a very simplistic view of how an IRC-based botnet works. First, the attacker infects a computer (through any number of ways) with the bot. The bot then connects back to the IRC C&C server and logs into a channel there. These are typically public IRC servers, such as Undernet, EFnet, etc. Once the bot is in the channel, the botmaster can send commands to it and have it perform any number of tasks. Eventually, the attacker has an army of bots, the botnet, at their disposal.

How are they spread?
- Exploiting known vulnerabilities
- Social engineering
- Spam/phishing
- Website downloads
- Instant messaging
- P2P networks

Bots, being malicious code much like worms and spyware, spread in similar ways. A botmaster will usually use the bots already in the botnet to spread in a number of different ways. First, the bots scan other computers for known vulnerabilities and exploit them to install a copy of the bot. Additionally, a botnet may send out spam, phishing emails or IM messages that try to social-engineer a victim into downloading the bot from a website. Bots have also been seen on P2P networks (such as KaZaa) and on websites, disguised as legitimate programs.

Command and Control
- Number of different ways to control bots
- Dynamic DNS services often used
- Most common is through IRC (public or private)
  - Bots log into a specific IRC channel
  - Bots are written to accept specific commands and execute them (sometimes only from specific users)
- Disadvantages with IRC: usually unencrypted, easy to get into and take over or shut down

The most common C&C method for botnets seen now is IRC. Botnets can use either public or private IRC networks; each has its own advantages and disadvantages. Dynamic DNS services, such as dyndns.org, are used frequently with botnets. Normally a bot is programmed to connect to a specific IRC or HTTP server for C&C. If that server were a fixed name or IP address, it would typically be easy for the ISP or an administrator to make changes that prevent the bots from connecting. Using dynamic DNS, the botmaster points the bots at a dynamic DNS name and can change the location of the C&C server at will; the defender's counterpart is to block or sinkhole the name itself rather than any single IP address it happens to resolve to. However, dynamic DNS providers have started to crack down on this.

Command and Control

This screenshot shows an example of an IRC C&C channel. Notice the !login command by the botmaster (sigh```) as well as the response from one of the bots. The botmaster also issues a DoS stop command and then starts another DoS against 24.67.87.12, which appears to be a Canadian cable home. Source: http://swatit.org/bots/gallery.html

Command and Control

This is another screenshot of the same botnet. Here we see the syntax for one of the bot's DoS commands, !pepsi. At the bottom we also see an ICMP (or IGMP) DoS attack against 24.67.87.12. Source: http://swatit.org/bots/gallery.html

Command and Control

Here is a different botnet. This time we see the botmaster (Inferno) removing some files, most likely the setup files left behind by their bots. Source: http://swatit.org/bots/gallery.html
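
The commands in the three screenshots above (!login, a stop command, !pepsi against a target IP) are plain IRC text, which is exactly what makes IRC C&C easy to watch and, as the earlier slide notes, easy to take over or shut down. The following is an added example, not code from the presentation or from swatit: it parses raw IRC lines the way a sensor on a honeypot or a saved channel log would see them and flags channel joins that carry a key, control commands, and DoS commands together with their target addresses. The command vocabulary (!login, !stop, !pepsi and a few other verbs), the sigil set, the nicks and the sample log are assumptions constructed for the example.

```python
"""Added example: pull bot-control commands out of raw IRC traffic.

The bot/botmaster exchange seen on the swatit screenshots (!login, !pepsi <target>,
a stop command) is plain RFC 1459 text. This parses IRC lines as a sensor would
see them and flags channel joins, control commands and DoS commands with their
target IPs. The verb lists and the sample log are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
BOT_CMD_PREFIXES = "!.@"                                        # assumed bot command sigils
DOS_VERBS = {"pepsi", "syn", "udp", "icmp", "ddos", "flood"}    # assumed vocabulary
CONTROL_VERBS = {"login", "logout", "stop", "update", "download", "scan", "remove"}


@dataclass
class IrcMessage:
    prefix: Optional[str]   # "nick!user@host" or a server name, if present
    command: str            # PRIVMSG, JOIN, PING, numeric reply, ...
    params: List[str]       # middle params plus the trailing ":..." param


@dataclass
class Finding:
    nick: Optional[str]
    channel: str
    kind: str               # "control" or "dos"
    verb: str
    args: str
    targets: List[str] = field(default_factory=list)


def parse_irc_line(line: str) -> IrcMessage:
    """Split one raw IRC line into prefix, command and parameters (RFC 1459 2.3.1)."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")   # first " :" starts the trailing param
    parts = head.split()
    command = parts[0].upper() if parts else ""
    params = parts[1:]
    if sep:
        params.append(trailing)
    return IrcMessage(prefix, command, params)


def nick_of(prefix: Optional[str]) -> Optional[str]:
    """Nick portion of a nick!user@host prefix (None for server prefixes)."""
    if not prefix or "!" not in prefix:
        return None
    return prefix.split("!", 1)[0]


def classify_privmsg(msg: IrcMessage) -> Optional[Finding]:
    """Return a Finding if a PRIVMSG looks like a bot command, else None."""
    if msg.command != "PRIVMSG" or len(msg.params) < 2:
        return None
    channel, text = msg.params[0], msg.params[1].strip()
    if not text or text[0] not in BOT_CMD_PREFIXES:
        return None
    verb, _, args = text[1:].partition(" ")
    verb = verb.lower()
    if verb in DOS_VERBS:
        kind = "dos"
    elif verb in CONTROL_VERBS:
        kind = "control"
    else:
        return None
    return Finding(nick_of(msg.prefix), channel, kind, verb, args, IPV4.findall(args))


def channel_joins(lines) -> List[Tuple[Optional[str], str, Optional[str]]]:
    """(nick, channel, key) for every JOIN; a key means a password-protected channel."""
    joins = []
    for msg in map(parse_irc_line, lines):
        if msg.command == "JOIN" and msg.params:
            key = msg.params[1] if len(msg.params) > 1 else None
            joins.append((nick_of(msg.prefix), msg.params[0], key))
    return joins


def analyze(lines) -> List[Finding]:
    """All bot-command findings in a block of raw IRC lines, in order."""
    return [f for f in (classify_privmsg(parse_irc_line(raw)) for raw in lines) if f]


# Constructed sample capture (documentation addresses); not a real botnet log.
SAMPLE_LOG = """\
:irc.example.net 001 rx0b3n :Welcome to the Internet Relay Network rx0b3n
:rx0b3n!bot@10.0.0.23 JOIN #botz k3y
:m4st3r!owner@dyn.example.org PRIVMSG #botz :!login s3cr3t
:rx0b3n!bot@10.0.0.23 PRIVMSG #botz :[MAIN]: Password accepted.
:m4st3r!owner@dyn.example.org PRIVMSG #botz :!pepsi 203.0.113.7 1000 64
:m4st3r!owner@dyn.example.org PRIVMSG #botz :!stop
:someone!u@h PRIVMSG #botz :hello, is this channel active?
PING :irc.example.net
"""

if __name__ == "__main__":
    for nick, chan, key in channel_joins(SAMPLE_LOG.splitlines()):
        print(f"JOIN    {nick} -> {chan}" + (f" (key {key})" if key else ""))
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f.kind:7} {f.nick} {f.verb} {f.args!r} targets={f.targets}")
```

Running it prints the join and the three commands. The two pieces a defender acts on are the channel name plus key (to watch or take over the channel, as the slide notes) and the DoS target (to notify the victim). A bot family with its own command vocabulary needs the verb sets extended, and this sees nothing once the C&C channel is encrypted, which is where the flow-based detection later in the talk comes in.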

Command and Control
- C&C interfaces starting to become more complex
- HTTP C&C interface
  - Advantages: IRC is not always allowed through corporate firewalls, HTTP almost always is
  - Websites are found everywhere

With an HTTP C&C interface, the bot connects out to a website to grab any new commands or configuration, so to a firewall that only filters by port the C&C traffic looks like ordinary web browsing.

Command and Control

The screenshots above are from http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=257 and show an example of an HTTP bot interface. Source: Websense Security Labs

Command and Control
- More C&C interfaces emerging
- Phatbot/Nugache worm uses an encrypted P2P network (WASTE)
  - Much more difficult to find the botmaster or shut down the botnet

Botnets have started to use encrypted peer-to-peer (P2P) networks for C&C. The advantage of P2P is that the bots no longer connect to a central C&C server to get their commands; they talk to their peers in the network. This makes the botnet more difficult to shut down, as there is no central server to switch off. Additionally, since the P2P channel is encrypted, a signature-based IDS will probably not detect it unless flow analysis is used. So far only a small number of bots have used this type of C&C channel, but it will surely increase in the future. Phatbot, one of the first bots to use this type of channel, used the WASTE P2P tool to build its network. The Nugache worm is suspected to use this as well.
WASTE homepage: http://waste.sourceforge.net/
Phatbot info: http://www.lurhq.com/phatbot.html
Nugache info: http://www.sarc.com/avcenter/venc/data/w32.nugache.a@mm.html

What are they used for?
- Phishing
- Spam
- Distributed denial of service
- Click fraud
- Adware/spyware installation
- Identity theft
- Making additional income!!!

Botnets have been seen used for LOTS of different things, including the following:
Phishing: botnets make a great platform for sending phishing emails. If a phisher uses a number of misconfigured open-relay servers to distribute their phishing attempts, they can easily be blocked by relay blacklists. Since bots are mostly installed on hundreds of different home computers, which are less likely to be blacklisted, the phisher has a better chance of getting the message through to the unsuspecting victim.
Spamming: same reason as phishing.
DDoS: with hundreds, even thousands, of bots in a botnet, it is trivial to take down a website or system. These attacks are almost always done either to take down competition (in the case of spammers) or in extortion schemes.
Click fraud: most pay-per-click online advertising pays out by the number of unique IP addresses that "click" on a particular ad. Bots are being written to artificially inflate the number of clicks at specific places, providing an additional source of income for attackers.
Adware/spyware installation: since attackers own a computer once a bot is on it, they can install adware or spyware which 1) generates more income or 2) harvests lots of useful information (credit card numbers, personal info, passwords, etc.).
Identity theft: along the same lines as the adware/spyware installations, bots can provide data to be used for identity theft.

DDoS & Botnets
- DDoS has been available in bots since the beginning
- All too common
- Used for extortion
  - Take down systems until they pay (threats work too!)
- Take out competition
  - BlueSecurity anti-spam service

DDoS and botnets go hand in hand and are used together all too often. Two of the reasons botnets are used for DDoS are extortion and taking out the competition. With extortion, an attacker can threaten to take down systems, or actually DDoS them, until the victims pay. An article discussing DDoS and extortion is available at http://www.networkworld.com/news/2005/051605-ddos-extortion.html. DDoS botnets are also used to take out competitors or services that stand in the attacker's way. Recently the security company BlueSecurity, who ran an anti-spam service in which its customers would send messages back to the spammer, was hit with a DDoS from a botnet and forced to close its doors. http://blog.washingtonpost.com/securityfix/2006/05/legal_antispam_vigilante_compa.html

Additional Income???
- Botnets can be very profitable
  - Extortion
  - Fraud
  - Identity theft
  - Adware
  - Renting out botnets!

Botnets can be very profitable for a botmaster. Through extortion backed by DDoS attacks, online ad fraud, ID theft and adware installations, a lot of money can be generated. Botmasters have even started to rent out their botnets by the hour! In fact, the recent DDoS attack on BlueSecurity was supposedly carried out by a spammer who rented a botnet. http://www.usatoday.com/tech/news/computersecurity/2004-07-07-zombie-pimps_x.htm

Botnet Email Ad

Tired of being scammed? Tired of servers downtime? Tired of high latency? Being Blocked or Blacklisted too fast? FORGET ABOUT THAT! Get rid of asian datacenters and choose a better Spam friendly solution with us. We have the latest development in Bulletproof Webservers that will handle your high complaint loads. Contact us for pricing!
-----------------------------
ICQ #:
MSN Messenger:
AIM:
yahoo:
Botnet Hosting Servers
-------------------------------
5 Ips that change every 10 minutes (with different ISP)
Excellent ping and uptime. 100 percent uptime guarantee.
Easy Control Panel to add or delete your domains thru webinterface.
Redhat / Debian LINUX OS.
SSH Root Access. FTP Access.
APACHE2 PHP CURL ZEND MYSQL FTP SSH.
We have Direct Sending Servers, and we also do Email Lists Mailings.

This is an actual email ad for botnet hosting that was received by the security pros at spywareguide.com. They contacted the botnet hoster to get more information; a transcript of their IM session can be found at http://blog.spywareguide.com/2006/05/interview_with_a_botnet_host_1.html. Source: SpywareGuide Blog

Why should you care?
- Botnets are becoming more common
- Once a bot is on your machine (or your company's machines) you no longer own that box
- Do you really want your machine to be used to attack others?

Botnets are becoming more and more common. From a security perspective, if you have not already seen them in your network you most likely will in the future. By understanding what bots and botnets are, you can better protect your networks and systems from them.

Detection Methods
- Watch anti-virus/anti-spyware logs
- Use IDS to watch for:
  - IRC/P2P activity
  - DoS traffic coming FROM your network
  - Attacks coming from your network
- Network flow analysis

Detection methods for bots and botnets are the same ones used to detect worms or other malicious code, with one addition: look for the C&C rendezvous itself. Several internal hosts connecting to the same external IRC server, or a host polling the same web server on a fixed schedule, is the bot checking in, and it shows up in flow data even when the payload is encrypted. Outbound floods and scans from your own address space are the bots being put to work.
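
The flow-analysis bullet is the one that keeps working when the C&C payload is encrypted or moved off the usual port. As an added example (not from the presentation or any product), the Python below takes NetFlow-style records with no payload and applies three checks the slide points at: several internal hosts rendezvousing with the same external IRC server (C&C), one internal host flooding a single destination with tiny packets (DoS traffic FROM your network), and one host polling the same web server at a near-constant interval (HTTP C&C). The internal address ranges, port list, thresholds and sample flows are assumptions constructed for the example.

```python
"""Added example: botnet indicators from flow records alone (no payload).

Three checks: IRC rendezvous fan-in (C&C), outbound floods (DoS from inside),
and periodic beaconing (HTTP C&C polling). Thresholds, address ranges and the
sample flows are assumptions for this example, not taken from the presentation.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev
from typing import List

INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IRC_PORTS = set(range(6660, 6670)) | {7000}     # assumed: typical IRC server ports


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, seconds since epoch
    src: str
    dst: str
    dport: int
    proto: str     # "tcp", "udp" or "icmp"
    packets: int
    bytes: int


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def outbound(flows):
    """Only flows leaving our address space; C&C check-ins and attacks both look like this."""
    return [f for f in flows if is_internal(f.src) and not is_internal(f.dst)]


def irc_rendezvous(flows, min_hosts=3):
    """External IRC server:port contacted by at least min_hosts distinct internal hosts."""
    fanin = defaultdict(set)
    for f in outbound(flows):
        if f.proto == "tcp" and f.dport in IRC_PORTS:
            fanin[(f.dst, f.dport)].add(f.src)
    return {k: sorted(v) for k, v in fanin.items() if len(v) >= min_hosts}


def outbound_floods(flows, window=10, min_pps=500, max_avg_bytes=100):
    """(src, dst, window_start, packets): one internal host pushing a high rate of
    tiny packets at one destination, the shape of a SYN/UDP/ICMP flood."""
    buckets = defaultdict(lambda: [0, 0])   # (src, dst, window) -> [packets, bytes]
    for f in outbound(flows):
        b = buckets[(f.src, f.dst, f.ts - f.ts % window)]
        b[0] += f.packets
        b[1] += f.bytes
    hits = []
    for (src, dst, start), (pkts, byts) in buckets.items():
        if pkts / window >= min_pps and byts / pkts <= max_avg_bytes:
            hits.append((src, dst, start, pkts))
    return sorted(hits)


def beacons(flows, min_conns=6, min_interval=60, max_jitter=0.1):
    """(src, dst, dport, interval): repeated connections at near-constant spacing,
    the shape of a bot polling an HTTP C&C page for new commands."""
    times = defaultdict(list)
    for f in outbound(flows):
        times[(f.src, f.dst, f.dport)].append(f.ts)
    hits = []
    for key, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg >= min_interval and pstdev(gaps) / avg <= max_jitter:
            hits.append((*key, round(avg)))
    return sorted(hits)


def report(flows) -> dict:
    return {"irc_rendezvous": irc_rendezvous(flows),
            "outbound_floods": outbound_floods(flows),
            "beacons": beacons(flows)}


def sample_flows() -> List[Flow]:
    """Constructed records using documentation address ranges; not real traffic."""
    flows = []
    for i, host in enumerate(["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]):
        flows.append(Flow(100 + 7 * i, host, "198.51.100.5", 6667, "tcp", 40, 3200))  # 4 bots, 1 IRC server
    for t in range(1000, 1010):
        flows.append(Flow(t, "10.0.0.12", "203.0.113.7", 80, "tcp", 600, 24000))       # 40-byte SYNs, 600 pps
    for k in range(8):
        flows.append(Flow(2000 + 300 * k, "10.0.0.13", "198.51.100.9", 80, "tcp", 12, 1500))  # poll every 5 min
    for t in (2050, 2110, 2345, 2999, 3600, 3640):
        flows.append(Flow(t, "10.0.0.14", "198.51.100.20", 443, "tcp", 30, 9000))      # irregular browsing
    return flows


if __name__ == "__main__":
    for name, hits in report(sample_flows()).items():
        print(name, hits)
```

On the sample data this reports one IRC rendezvous point with four internal members, one flood source and one beaconing host, while the irregular browsing stays quiet. Feed it real exports from your routers and tune the thresholds to your baseline; the P2P C&C described for Phatbot has no single rendezvous point, so for that you would look at fan-out (one host talking to many peers on the same unusual port), which these three checks do not cover.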

Prevention
- Patch, patch, patch
- Teach users safe computing habits
- Use updated anti-virus

Again, preventing bots from getting installed in the first place is much the same as preventing any malicious code from getting installed: keep your patches up to date, teach users safe computing habits and run updated anti-virus.

Additional Resources
- Know Your Enemy: Botnets
- Swatit Botnets Resource
- Shadowserver group
- Google

There are many resources on botnets available on the Internet. As always, Google is your friend. The Honeynet Project has put out a Know Your Enemy paper on botnets at http://www.honeynet.org/papers/bots/. Swatit, an anti-bot/trojan program, has some good resources on bots, including screenshots of C&C interfaces (some of which were used here): http://swatit.org/bots/. The Shadowserver group is dedicated to monitoring and taking down botnets and has a lot of great information at http://www.shadowserver.org/news.php.

Thank you! Any questions? http://www.hudakville.com/infosec