Omar Hemmali CAP 6135 Paul Barford Vinod Yegneswaran Computer Sciences Department University of Wisconsen, Madison

 Introduction  Architecture & Seven key mechanisms ◦ Architecture ◦ Control mechanisms ◦ Methods for proagation and attack  Contributions  Shortfalls

 The evolution of malware is primarily driven by improvements in defense mechanisms.  Worms and DoS attacks get a lot of media coverage while a major problem is overlooked.  Botnets are a more serious threat on the Internet today.  Botnets trace their roots to a benign management system.

 Botnets have increased in capability over the years.  Botnets have become quite extensive.  Focus has changed from vandalism to for- profit malicious activity.

 Comparison of 4 different Bot families. ◦ Agobot ◦ SDBot ◦ SpyBot ◦ GT Bot

 Architecture  Botnet Control Mechanisms  Host Control Mechanisms  Propagation Mechanisms  Exploits and Attack Mechanisms  Malware Delivery Mechanisms  Obfuscation Mechanisms  Deception Mechanisms

 20K LoC C/C++  Many high level components  IRC based C2 mechanism  Can launch different DoS attacks  Can harvest passwords  Fortify the system from attack  Actively attempts to prevent removal

 3K LoC C  Does not try to hide its malicious intent  Contains exploits for P2P and comm programs  Has ip scanning capabilities  Modules for DoS attacks

 SDBot  Uses a lightweight version of IRC,  Bots can rejoin channels if they get kicked.  They keep track of their master.  Commands are sent in the form of PRIVMSG.

 GT Bot  Uses IRC as the control infrastucture  Very few commands that are consistent among members of the family  Can invoke ip scanning

 Purpose is to fortify the compromised host against removal of the bot net  Agobot  Can return CD keys, registry info, s  Able to kill specific processes that may try to cleans the infected host.

 SDBot  Controls are somewhat limited  Can remotely download files  Can create and terminate processes  Can send cd keys for popular games to BotMaster

 SpyBot and GT Bot  Have simple horizontal and vertical scanners  Just run through IPs in order.

 Agobot  Very elaborate  Scans for back doors left by other worms  Scans for passwords from open SQL servers  Can enable 7 DDoS Attack commands

 GTBot  Makes use of DCOM exploits  Has DDoS capabilities in the form of UDP and TCP floods.

 GTBots  Deliver the exploit in a single script  AgoBot  It first exploits an existing vulnerability  Then opens a shell on the remote host

 Agobot is the only one that has any obfuscation mechanisms.  It uses four different polymorphic schemes

 Again Agobot is the only one that has any elaborate mechanism  Tests for debuggers  Tests for VMWare  Kills Anti Virus processes  Alters DNS entries for anti-virus updates to point to localhost

 Compiled a lot of information about different flavors of Botnets.  Demonstrated that compromised machines not only acted as zombies for the master, opened users to ID theft.

 While the paper covers many different effects of Botnets, it doesn’t give ways to alleviate them.