CAP6135: Malware and Software Vulnerability Analysis Botnets Cliff Zou Spring 2012.


1 CAP6135: Malware and Software Vulnerability Analysis. Botnets. Cliff Zou, Spring 2012

2 Acknowledgement
 This lecture uses some contents from the lecture notes from:
  Dr. Dawn Song: CS161: Computer Security
  Richard Wang, SophosLabs: The Development of Botnets
  Randy Marchany, VA Tech IT Security Lab: Botnets

3
 Collection of compromised hosts
  Spread like worms and viruses
  Once installed, respond to remote commands
 A network of 'bots'
  robot: an automatic machine that can be programmed to perform specific tasks.
 Also known as 'zombies'

4
 Platform for many attacks
  Spam forwarding (70% of all spam?)
  Click fraud
  Keystroke logging
  Distributed denial of service attacks
 Serious problem
  Top concern of banks, online merchants
  Vint Cerf: ¼ of hosts connected to the Internet

5 What are botnets used for?

6 IRC (Internet Relay Chat) based Control


8 Why IRC?
 IRC servers are:
  freely available
  easy to manage
  easy to subvert
 Attackers have experience with IRC
 IRC bots usually have a way to remotely upgrade victims with new payloads to stay ahead of security efforts

9 How bad is the problem?
 Symantec identified a 400K node botnet
 A netadmin in the Netherlands discovered 1-2M unique IPs associated with Phatbot infections.
  Phatbot harvests MyDoom and Bagle infected machines.
 Researchers at Georgia Tech monitored thousands of botnets

10 Spreading Problem
 Spreading mechanism is a leading cause of background noise
 Ports 445, 135, 139, 137 accounted for 80% of traffic captured by the German Honeynet Project
 Other ports
  2745: Bagle backdoor
  3127: MyDoom backdoor
  3410: Optix trojan backdoor
  5000: UPnP vulnerability
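The port breakdown on this slide is what a honeynet operator computes from captured connection attempts. The following is an added example (not from the lecture) that classifies a constructed sample of inbound attempts against the slide's port list, reports each category's share of the traffic, and flags sources probing more than one spreading port, which is the noisy scanning behaviour the slide describes.

```python
from collections import Counter

# Ports named on the slide and the service/backdoor each is associated with.
WORM_SPREAD_PORTS = {445: "SMB", 135: "MS-RPC", 139: "NetBIOS session", 137: "NetBIOS name"}
BACKDOOR_PORTS = {2745: "Bagle backdoor", 3127: "MyDoom backdoor",
                  3410: "Optix trojan backdoor", 5000: "UPnP vulnerability"}

# Constructed sample capture (not real data): one inbound attempt per line, "src_ip dst_port".
SAMPLE_CAPTURE = """\
10.0.0.5 445
10.0.0.5 139
10.0.0.9 135
10.0.0.12 3127
10.0.0.12 445
10.0.0.33 2745
10.0.0.40 80
10.0.0.41 5000
10.0.0.5 137
10.0.0.9 445
"""


def classify_port(port):
    """Map a destination port to (category, label) using the slide's two port groups."""
    if port in WORM_SPREAD_PORTS:
        return "worm-spread", WORM_SPREAD_PORTS[port]
    if port in BACKDOOR_PORTS:
        return "backdoor-harvest", BACKDOOR_PORTS[port]
    return "other", "unclassified"


def summarize(capture):
    """Return (percentage share per category, sources probing >= 2 spreading ports)."""
    counts = Counter()
    ports_by_source = {}
    total = 0
    for line in capture.splitlines():
        if not line.strip():
            continue
        src, port = line.split()
        category, _ = classify_port(int(port))
        counts[category] += 1
        total += 1
        ports_by_source.setdefault(src, set()).add(int(port))
    share = {cat: round(100 * n / total) for cat, n in counts.items()}
    # A host hitting several of 445/135/139/137 behaves like a bot scanning for new victims.
    scanners = sorted(src for src, ports in ports_by_source.items()
                      if len(ports & set(WORM_SPREAD_PORTS)) >= 2)
    return share, scanners
```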

11 Most commonly used Bot families
 Agobot
 SDBot
 SpyBot
 GT Bot

12 Agobot
 Most sophisticated
 20,000 lines of C/C++ code
 IRC based command/control
 Large collection of target exploits
 Capable of many DoS attack types
 Shell encoding/polymorphic obfuscation
 Traffic sniffers/key logging
 Defend/fortify compromised system
 Ability to frustrate disassembly

13 SDBot
 Simpler than Agobot, 2,000 lines of C code
 Non-malicious at base
 Utilizes IRC-based command/control
 Easily extended for malicious purposes
  Scanning
  DoS attacks
  Sniffers
  Information harvesting
  Encryption

14 SpyBot
 <3,000 lines of C code
 Possibly evolved from SDBot
 Similar command/control engine
 No attempts to hide malicious purposes

15 GT Bot
 Functions based on mIRC scripting capabilities
 HideWindow program hides bot on local system
 Basic rootkit function
 Port scanning, DoS attacks, exploits for RPC and NetBIOS

16
 Variance in codebase size, structure, complexity, implementation
 Convergence in set of functions
  Possibility for defense systems effective across bot families
 Bot families extensible
  Agobot likely to become dominant

17 Control
 All of the above use IRC for command/control
  Disrupt IRC, disable bots
  Sniff IRC traffic for commands
  Shut down channels used for botnets
 IRC operators play a central role in stopping botnet traffic
  But a botnet could use its own IRC server
 Automated traffic identification required
 Future botnets may move away from IRC
  Move to P2P communication
  Traffic fingerprinting still useful for identification

18 Host control
 Fortify system against other malicious attacks
  Disable anti-virus software
 Harvest sensitive information
  PayPal, software keys, etc.
 Economic incentives for botnets
 Stresses need to patch/protect systems prior to attack
 Stronger protection boundaries required across applications in OSes

19 Example Botnet Commands
 Connection
  CLIENT: PASS
  HOST: (if error, disconnect)
  CLIENT: NICK
  HOST: NICKERROR | CONNECTED
 Pass hierarchy info
  BOTINFO
  BOTQUIT

20 Example Botnet Commands
 IRC Commands
  CHANJOIN
  CHANPART
  CHANOP
  CHANKICK
  CHANBANNED
  CHANPRIORITY

21 Example Botnet Commands
 pstore
  Display all usernames/passwords stored in browsers of infected systems
 bot.execute
  Run executable on remote system
 bot.open
  Reads file on remote computer
 bot.command
  Runs command with system()

22 Example Botnet Commands
 http.execute
  Download and execute file through HTTP
 ftp.execute
 ddos.udpflood
 ddos.synflood
 ddos.phaticmp
 redirect.http
 redirect.socks

23 Current Botnet Control Architecture
 (Diagram: botmaster, C&C servers, bots)
 More than one C&C server
 Spread all around the world

24 Botnet Monitor: Gatech KarstNet
 A lot of bots use a Dyn-DNS name to find the C&C
 (Diagram: attacker, bots, C&C servers, cc1.com, KarstNet sinkhole)
 Detect cc1.com by its abnormal DNS queries
 KarstNet informs the DNS provider of cc1.com
 DNS provider maps cc1.com to the Gatech sinkhole (DNS hijack)
 All/most bots attempt to connect to the sinkhole
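The KarstNet flow on this slide has three defender-side steps: spot the C&C name from its unusual query pattern, have the DNS provider point it at a sinkhole, and then enumerate the infected hosts that show up there. The following added example (not KarstNet's code) models that flow over a constructed DNS query log; the anomaly heuristic it uses, many distinct clients resolving the same name inside a short window, is an assumption standing in for KarstNet's real metric, which the slide does not state, and all addresses are constructed.

```python
from collections import defaultdict

# Constructed DNS query log (not real data): (second, client_ip, queried_name).
# cc1.com is looked up by six hosts within seconds, the way bots phoning home do;
# news.example is looked up by a few hosts spread over minutes.
SAMPLE_QUERIES = [
    (0, "192.0.2.10", "cc1.com"), (2, "192.0.2.11", "cc1.com"), (3, "192.0.2.12", "cc1.com"),
    (4, "192.0.2.13", "cc1.com"), (5, "192.0.2.14", "cc1.com"), (7, "192.0.2.15", "cc1.com"),
    (1, "192.0.2.10", "news.example"), (40, "192.0.2.11", "news.example"),
    (90, "192.0.2.12", "news.example"), (200, "192.0.2.13", "news.example"),
]
SINKHOLE_IP = "198.51.100.1"  # constructed address of the monitoring sinkhole


def find_burst_names(queries, window=60, min_clients=5):
    """Names resolved by >= min_clients distinct clients within any `window` seconds (assumed heuristic)."""
    by_name = defaultdict(list)
    for ts, client, name in queries:
        by_name[name].append((ts, client))
    suspects = []
    for name, events in by_name.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            clients = {c for t, c in events[i:] if t - start <= window}
            if len(clients) >= min_clients:
                suspects.append(name)
                break
    return sorted(suspects)


def build_sinkhole_overrides(suspects, sinkhole_ip=SINKHOLE_IP):
    """The override records the DNS provider installs: each suspect name -> sinkhole address."""
    return {name: sinkhole_ip for name in suspects}


def resolve(name, normal_zone, overrides):
    """Resolver view after the hijack: overrides win, everything else resolves normally."""
    return overrides.get(name, normal_zone.get(name))


def enumerate_infected(queries, overrides):
    """Clients that resolved a sinkholed name are the hosts that will now connect to the sinkhole."""
    return sorted({client for _, client, name in queries if name in overrides})
```

The distinct-client burst threshold is deliberately strict so a popular legitimate name queried at a steady rate is not sinkholed; in practice the candidate list still needs review before the provider is asked to change a record.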

25 Botnet Monitor: Honeypot Spy
 Security researchers set up honeypots
  Honeypots: deliberately set up vulnerable machines
  When compromised, put close monitoring on the malware's behaviors
  Tutorial: http://en.wikipedia.org/wiki/Honeypot_%28computing%29
 When a compromised honeypot joins a botnet
  Passive monitoring: log all network traffic
  Active monitoring: actively contact other bots to obtain more information (neighborhood list, additional C&C, etc.)
 Representative research paper:
  A multifaceted approach to understanding the botnet phenomenon. Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis. 6th ACM SIGCOMM Conference on Internet Measurement (IMC), 2006.

26 The Future Generation of Botnets
 Peer-to-Peer C&C
 Polymorphism
 Anti-honeypot
 Rootkit techniques

