AN INSIDE LOOK AT BOTNETS Barford, Paul and Yegneswaran Advances in Information Security, Springer,...
-
Upload
gabriel-parsons -
Category
Documents
-
view
214 -
download
0
Transcript of AN INSIDE LOOK AT BOTNETS Barford, Paul and Yegneswaran Advances in Information Security, Springer,...
AN INSIDE LOOK AT BOTNETS
Barford, Paul and YegneswaranAdvances in Information Security,
Springer, 2006Kishore Padma Raju
INTRODUCTION
• Attacks for financial gain• Proactive methods• Understanding of malicious
software readily available• 4 IRC botnet codebases along 7 dimensions
ARCHITECTURE
• AGOBOT (Phatbot)– Found in october 2002 – Sophisticated and best written source code– 20,000 lines of c/c++– High level components• IRC based command and control mechanism• Large collection of target exploits• DOS attacks• Harvest the local host
• SDBOT– October 2002– Simple code in C, 2000 lines– IRC based command and control system– Easy to extend and so many patches
available(DOS attacks, information harvesting routines)
– Motivation for patch dissemination is diffusion of accountability
• SPYBOT– 3000 lines of C code– April 2003– Evolved from SDBOT• No diffusion accountability
– Includes scanning capability and launching flooding attacks
– Efficient
• GTBOT(global threat)(Aristotles)– Based on functions of mIRC(writes event handlers for
remote nodes)– Capabilities are
• Port scanning• DOS attacks
– Stored in file mirc.ini– Remote execution
• BNC(proxy system) , psexec.exe• Implications
BOTNET CONTROL MECHANISMS
• Communication • Command language and control protocols• Based onIRC• Commands– Deny service– spam– Phish
• Agobot– Command language contain Standad IRC and
specific commands of this bot– Bot commands, perform specific function• Bot.open• Cvar.set• Ddos_max_threads
• SdbotNICK_USER
PONG
USERHOST
JOIN
EST
ACTIONRESETREJOIN
NICK
PING
302
KICK 353PART/QUIT
PREVMSG/NOTICE/TOPIC
001/005
001/005
• SPYBOT– Command language simple – Commands are login, passwords, disconnect, reconnect,
uninstall, spy, loadclones,killclones• GTBOT– Simplest– Varies across versions – Commands are !ver, !scan, !portscan, !clone.*,!update
• IMPLICATIONS– Now simple– Future, encrypted communication– Finger printing methods
HOST CONTROL MECHANISMS
• Manipulate victim host• AGOBOT
• Commands to harvest sensitive information(harvest.cdkeys, harvest.emails, registry, windowskeys)
• List and kill processes(pctrl.list, kill, killpid)• Add or delete autostart entries(inst.asadd, asdel)
• SDBOT• Remote execution commands and gather local information• Patches • Host control commands (download, killthread, update)
• SPYBOT– Control commands for file manipulation, key logging,
remote command execution– Commands are delete, execute, makedir, startkeylogger,
stopkilllogger, reboot, update.• GTBOT– Gathering local system information– Run or delete local files
• IMPLICATIONS– Underscore the need to patch– Stronger protection boundaries– Gathering sensitive information
PROPAGATION MECHANISMS
• Search for new host systems• Horizontal and vertical scan• AGOBOT– IP address within network ranges– Scan.addnetrange, scan.delnetrange, scan.enable
• SDBOT– Same as agobot– NETBIOS scanner• Starting and end IP adresses
• SPYBOT– Command interface
• CommandScan <startipaddress> <port> <delay><spreaders><logfilename>
• ExampleScan 127.0.0.1 17300 1 netbios
portscan.txt
• GTBOT– Horizontal and vertical scanning
• IMPLICATIONS– Simple scanning methods– Source code examination
EXPLOITS AND ATTACK MECHANISMS
• Attack known vulnerabilities on target systems• AGOBOT– Broadening set of exploits– Generic DDOS module
• Enables seven types of service attacks• Ddos.udpflood, synflood, httpflood, phatsyn,
phaticmp,Phatwonk, targa3, stop.• SDBOT– UDP and ICMP packets, flooding attacks– udp <host> <#pkts> <pktsz><delay><port> and
ping <host> <#pkts> <pktsz><timeout>
• SPYBOT AND GTBOT– Same as sdbot
• IMPLICATIONS– Multiple exploits
MALWARE DELIVERY MECHANISMS
• GT/SD/SPY bots deliver exploit and encoded malware in single package
• Agobot– Exploit vulnerability and open a shell on remote
host– Encoded binary is then sent using HTTP or FTP.
IMPLICATIONS
OBFUSCATION MECHANISMS
• Hide the details• Polymorphism
• AGOBOT
– POLY_TYPE_XOR– POLY_TYPE_SWAP– POLY_TYPE_ROR– POLY_TYPE_ROL
• IMPLICATIONS
CONCLUSIONS
• Expanded the knowledge base for security research
• Lethal classes of internet threats• Functional components of botnets
WEAKNESSES
• Study only IRC• No Preventive mechanisms• No dynamic profiling of botnet executables• Insufficient analysis
IMPROVEMENTS
• Dynamic profiling can be executed using some tools
• Botnet monitoring mechanism can be explained
• Analysis for peer to peer infrastructure