1. An Inside Look at Botnets By Paul Barford and Vinod Yegneswaran In Series: Advances in Information Security, Springer, 2006 Presented by Jared Bott

2. 2 Outline Why Study Botnets? A Brief History of Botnets Bot Study Findings and Implications Analysis of Paper

3. 3 Why? Malicious software is a major problem Reactive methods predominately used today are ultimately insufficient Proactive methods are required Develop a foundational understanding of the mechanisms used by malicious software Develop an open repository of malware information

4. 4 Outline Why Study Botnets? A Brief History of Botnets Bot Study Findings and Implications Analysis of Paper

5. 5 Botnets A botnet is a collection of compromised computers controlled by their attacker Botnets trace their roots from Eggdrop bot Created for network management by Jeff Fisher in 1993

6. 6 Rise of Botnets Motivation for malicious activity is shifting Primary motivation has changed from vandalism and demonstration of programming skills to for- profit activities Identity theft, extortion Backed by organized crime

7. 7 Botnets Today Botnets can be extremely large, with reports of botnets of over 100,000 systems Average size appears to be dropping Total estimated number of systems used in botnets is in the millions

8. 8 Outline Why Study Botnets? A Brief History of Botnets Bot Study Findings and Implications Analysis of Paper

9. 9 Bot Study Objectives Highlight the richness and diversity of bot codebases Identify commonalities between codebases Consider how knowledge of these botnet mechanisms can lead to development of more effective defense mechanisms

10. 10 Bot Study Attributes of bots to analyze Architecture Botnet Control Mechanisms Host Control Mechanisms Propagation Mechanisms Target Exploits and Attack Mechanisms Malware Delivery Mechanisms Obfuscation Methods Deception Strategies

11. 11 Bot Study Four bot codebases Agobot 4.0 pre-release SDBot 05b SpyBot 1.4 GT Bot with DCOM

12. 12 Agobot AKA Gaobot, Phatbot First referenced in October, 2002 Most sophisticated of the four codebases Typically around 20,000 lines of C/C++ Monolithic architecture Adheres to structured design and software engineering principles Modular, standard data structures, code documentation Exhibits creativity in design

13. 13 Agobot Components IRC-based command and control mechanism Large collection of target exploits Ability to launch different kinds of DoS attacks Modules for shell encodings and limited polymorphism Mechanisms to frustrate disassembly by well known tools

14. 14 Agobot Components Ability to harvest local host for sensitive information, such as Paypal passwords and AOL keys through traffic sniffing, key logging or searching registry entries Mechanisms to defend and fortify compromised systems Over 580 variants

15. 15 SDBot First referenced in October, 2002 Hundreds of variants Fairly simple compared to Agobot Slightly over 2,000 lines of C Main source tree does not contain any overtly malicious code modules Published under GPL Primarily provides a utilitarian IRC-based command and control system

16. 16 SDBot Easy to extend Large number of patches that provide more sophisticated malicious capabilities and diffuse responsibility Scanning DoS attacks Sniffers Information harvesting Encryption routines Over 80 patches

17. 17 SpyBot First referenced in April, 2003 Hundreds of variants Fairly compact, around 3,000 lines of C Shares much of SDBot’s command and control engine No explicit attempt to diffuse accountability

18. 18 SpyBot Capabilities NetBIOS, Kuang, Netdevil and KaZaa exploits Scanning capabilities Modules for launching flooding attacks Efficient Does not exhibit modularity or breadth of capabilities of Agobot

19. 19 GT Bot AKA Global Threat Bot, Aristotles First referenced in April, 1998 Over 100 variants Simple design Limited set of functions based on the scripting capabilities of mIRC Includes HideWindow program to keep the bot hidden

20. 20 GT Bot Includes BNC, a proxy system for anonymity Includes psexec.exe to facilitate remote process execution Nothing to suggest it was designed to be extensible Different versions for specific malicious intents With DCOM includes DCOM exploits

21. 21 Bot Codebases Convergence in the set of functions that are available Suggests the possibility that defensive systems may eventually be effective across bot families Bot codebases are at least somewhat extensible

22. 22 Points of Analysis Botnet Control Mechanisms Host Control Mechanisms Propagation Mechanisms Target Exploits and Attack Mechanisms Malware Delivery Mechanisms Obfuscation Methods Deception Strategies

23. 23 Botnet Control Mechanisms Command language and control protocols are used to operate botnets remotely after target systems have been compromised All analyzed bots base C&C on IRC Disruption of communication can render a botnet useless Network operators can sniff for specific commands in IRC traffic and identify compromised systems

24. 24 Botnet Control Mechanisms Agobot C&C system derived from IRC Standard IRC is used to establish connections IRC and commands developed for Agobot are used for command language SDBot Command language is lightweight version of IRC Has IRC cloning and spying

25. 25 Typical interaction between an SDBot and IRC server

26. 26 Botnet Control Mechanisms SpyBot Command language is a subset of SDBot’s command language GT Bot Simplest command language of the bot families Large variations across different versions

27. 27 Points of Analysis Botnet Control Mechanisms Host Control Mechanisms Propagation Mechanisms Target Exploits and Attack Mechanisms Malware Delivery Mechanisms Obfuscation Methods Deception Strategies

28. 28 Host Control Mechanisms The mechanisms used by the bot to manipulate a victim host once it has been compromised Fortify the local system against malicious attacks Disable anti-virus software Harvest sensitive information

29. 29 Host Control Mechanisms Agobot Commands to secure system Broad set of commands to harvest sensitive information pctrl commands to list or kill processes running on host inst commands to add or delete autostart entries

30. 30 Agobot Commands CommandDescription pctrl.killKill specified process set from service file pctrl.listsvcReturn list of all services that are running pctrl.killsvcDelete/stop a specified service pctrl.killpidKill specified process inst.asaddAdd an autostart entry inst.asdelDelete an autostart entry inst.svcaddAdds a service to SCM inst.svcdelDelete a service from SCM CommandDescription harvest.cdkeysReturn a list of CD keys harvest.emailsReturn a list of emails harvest.emailshttpReturn a list of emails via HTTP harvest.aolReturn a list of AOL specific information harvest.registryReturn registry information for specific registry path harvest.windowskeysReturn Windows registry information pctrl.listReturn list of all processes

31. 31 Host Control Mechanisms SDBot Limited capabilities Basic remote execution commands Some ability to gather local information Auxiliary patches add more capabilities

32. 32 SDBot Commands CommandDescription sysinfoList host system information (CPU/RAM/OS and uptime) execute parameters Run a specified program (visibility is 0/1) cdkey/getcdkeyReturn keys of popular games e.g., Halflife, Soldier of Fortune etc. CommandDescription download Downloaded specified file and execute if action is 1 killthread Kill specified thread update If bot ID is different than current, download “sdbot executable” and update

33. 33 Host Control Mechanisms SpyBot Similar capabilities to Agobot Local file manipulation Key logging Process/system manipulation, remote command execution

34. 34 SpyBot Commands CommandDescription listprocessesReturn a list of all running processes killprocess Kills the specified process threadsReturns a list of all running threads killthread Kills a specified thread disconnect Disconnect the bot for number seconds rebootReboot the system cd-rom Open/close cd-rom opencmdStarts cmd.exe (hidden) cmd Sends a command to cmd.exe get Triggers DCC send on bot update Updates local copy of the bot code CommandDescription delete Delete a specified file execute Execute a specified file rename Rename a specified file makedir Create a specified directory startkeyloggerStarts the on-line keylogger stopkeyloggerStops the keylogger sendkeys Simulates key presses keyboardlightsFlashes remote keyboard lights 50x passwordsLists the RAS passwords in Windows 9x systems listprocessesReturn a list of all running processes

35. 35 Host Control Mechanisms GT Bot Most limited capabilities Base capabilities are only gathering local system information and running or deleting local files Many versions with more capabilities

36. 36 Points of Analysis Botnet Control Mechanisms Host Control Mechanisms Propagation Mechanisms Target Exploits and Attack Mechanisms Malware Delivery Mechanisms Obfuscation Methods Deception Strategies

37. 37 Propagation Mechanisms The mechanisms bots use to search for new host systems Traditionally horizontal or vertical scans Horizontal is one port across an address range Vertical is across a port range on an address

38. 38 Propagation Mechanisms Agobot Relatively simple, essentially vertical and horizontal scanning SDBot No scanning or propagation in base distribution Variants with horizontal, vertical scanning and more complex methods

39. 39 Propagation Mechanisms SpyBot Simple horizontal and vertical scanning GT Bot Simple horizontal and vertical scanning Due to simplicity and uniformity of methods, it may be possible to develop statistical finger printing methods to identify scans from botnets

40. 40 Points of Analysis Botnet Control Mechanisms Host Control Mechanisms Propagation Mechanisms Target Exploits and Attack Mechanisms Malware Delivery Mechanisms Obfuscation Methods Deception Strategies

41. 41 Exploits and Attack Mechanisms Specific methods for attacking known vulnerabilities on target systems Agobot Includes an ever broadening set of exploits Agobot exploits Bagle scanner DCOM scanners MyDoom scanner Dameware scanner NetBIOS scanner Radmin scanner MS-SQL scanner Generic DDoS module

42. 42 Exploits and Attack Mechanisms SDBot No exploits in standard distribution Modules for sending UDP and ICMP packets DoS Numerous variants with exploits Numerous variants with DDoS attack modules

43. 43 Exploits and Attack Mechanisms SpyBot Exploits depend on version of SpyBot Wide range of exploits Evaluated version has attacks on open NetBIOS shares DDoS interface closely related to SDBot UDP, ICMP, and TCP SYN

44. 44 Exploits and Attack Mechanisms GT Bot This variant has RPC-DCOM exploits and Simple ICMP floods Many variants with many exploits and DoS capabilities Bots will likely become more like Agobot, each version having many exploits

45. 45 Points of Analysis Botnet Control Mechanisms Host Control Mechanisms Propagation Mechanisms Target Exploits and Attack Mechanisms Malware Delivery Mechanisms Obfuscation Methods Deception Strategies

46. 46 Malware Delivery Mechanism The mechanisms bots use to deliver exploits Packers and shell encoders used to compress and obfuscate code SDBot, SpyBot, and GT Bot deliver exploit and encoded malware in one script Agobot separates exploits and delivery Exploit vulnerability and open shell on remote host Encoded malware binary delivered by HTTP or FTP Enables encoder to be used across exploits, streamlining codebase and potentially diversifying the resulting bit streams

47. 47 1. Send exploit 2. Open shell 3. HTTP/FTP File Transfer of Bot Attacker computer (Bot) Target computer Agobot Delivery

48. 48 Points of Analysis Botnet Control Mechanisms Host Control Mechanisms Propagation Mechanisms Target Exploits and Attack Mechanisms Malware Delivery Mechanisms Obfuscation Methods Deception Strategies

49. 49 Obfuscation Mechanisms The mechanisms that are used to hide the details of what is being transmitted through the network and what arrives for execution on end hosts Only Agobot supports any kind of polymorphism

50. 50 Points of Analysis Botnet Control Mechanisms Host Control Mechanisms Propagation Mechanisms Target Exploits and Attack Mechanisms Malware Delivery Mechanisms Obfuscation Methods Deception Strategies

51. 51 Deception Strategies The mechanisms used to evade detection once a bot is installed on a target host Rootkits Only Agobot has elaborate deception mechanisms Tests for debuggers Tests for VMware Killing anti-virus processes Altering DNS entries of anti-virus software companies to point to localhost

52. 52 Outline Why Study Botnets? A Brief History of Botnets Bot Study Findings and Implications Analysis of Paper

53. 53 Findings and Implications Finding: The overall architecture and implementation of botnets is complex and evolving toward the use of common software engineering techniques. Implication: The regularization of botnet architecture provides insight on potential extensibility and could help to facilitate systematic evaluation of botnet code.

54. 54 Findings and Implications Finding: The predominant remote control mechanism is IRC and in general includes a rich set of commands. Implication: Monitoring botnet activity on IRC channels and disruption of specific channels on IRC servers should continue to be an effective defensive strategy for the time being.

55. 55 Findings and Implications Finding: The host control mechanisms used for harvesting sensitive information from host systems are ingenious and enable data from passwords to mailing lists to credit card numbers to be gathered. Implication: This is one of the most serious results of the study and suggests design objectives for future operating systems and applications.

56. 56 Findings and Implications Finding: There are a wide diversity of exploits for infecting target systems, including many of those used by worms that target well known Microsoft vulnerabilities. Implication: This is yet additional evidence that keeping OS patches up to date is essential and informs requirements for network intrusion detection and prevention systems.

57. 57 Findings and Implications Finding: All botnets include DoS attack capability. Implication: The specific DoS mechanisms in botnets can inform designs for DoS defense.

58. 58 Findings and Implications Finding: All botnets include a variety of mechanisms for avoiding detection once installed. Implication: Development of methods for detecting and disinfecting compromised systems will need to keep pace.

59. 59 Findings and Implications Finding: Shell encoding and packing mechanisms are common. Polymorphism is found only in Agobot. Implication: A major focus on methods for detecting polymorphism may not be needed yet, but encodings will continue to present a challenge for defensive systems.

60. 60 Findings and Implications Finding: Currently there are only a limited set of propagation mechanisms available in botnets. Implication: The specific propagation methods used in these botnets can form the basis for modeling and simulating botnet propagation.

61. 61 Outline Why Study Botnets? A Brief History of Botnets Bot Study Findings and Implications Analysis of Paper

62. 62 Strengths Detailed evaluation of code and capabilities Starting point for malware database Open database would greatly help defensive capabilities Finding commonalities among bots could help create some kind of broad defense

63. 63 Weaknesses Dynamic profiling of bots needs to be done Too many variants of bots to evaluate each and every one Analysis of this kind calls for source code access, which may not be available

64. 64 Improvements Dynamic profiling Analysis points for other kinds of malware