AN INSIDE LOOK AT BOTNETS
Barford, Paul and Yegneswaran
Advances in Information Security,
Springer, 2006
Kishore Padma Raju
INTRODUCTION
• Attacks for financial gain
• Proactive methods
• Understanding of malicious software is readily available
• 4 IRC botnet codebases examined along 7 dimensions
ARCHITECTURE
• AGOBOT (Phatbot)
– Found in October 2002
– Sophisticated and best written source code
– 20,000 lines of C/C++
– High level components
• IRC based command and control mechanism
• Large collection of target exploits
• DOS attacks
• Harvest the local host
• SDBOT
– October 2002
– Simple code in C, 2000 lines
– IRC based command and control system
– Easy to extend, so many patches are available (DOS attacks, information harvesting routines)
– Motivation for patch dissemination is diffusion of accountability
• SPYBOT
– 3000 lines of C code
– April 2003
– Evolved from SDBOT
• No diffusion of accountability
– Includes scanning capability and launching flooding attacks
– Efficient
• GTBOT (Global Threat) (Aristotles)
– Based on mIRC functions (writes event handlers for remote nodes)
– Capabilities are
• Port scanning
• DOS attacks
– Stored in file mirc.ini
– Remote execution
• BNC (proxy system), psexec.exe
• Implications
BOTNET CONTROL MECHANISMS
• Communication
• Command language and control protocols
• Based on IRC
• Commands
– Deny service
– Spam
– Phish
• Agobot
– Command language contains standard IRC commands and commands specific to this bot
– Bot commands perform specific functions
• Bot.open
• Cvar.set
• Ddos_max_threads
• Sdbot
– IRC messages in the SDBot control protocol (figure residue, order as on the slide): NICK/USER, PING, 001/005, PONG, 001/005, JOIN, USERHOST, 302, EST, KICK, REJOIN, PART/QUIT, NICK, PRIVMSG/NOTICE/TOPIC, 353, RESET, ACTION
• SPYBOT
– Command language is simple
– Commands are login, passwords, disconnect, reconnect, uninstall, spy, loadclones, killclones
• GTBOT
– Simplest
– Varies across versions
– Commands are !ver, !scan, !portscan, !clone.*, !update
• IMPLICATIONS
– Command languages are simple now
– In future, encrypted communication
– Fingerprinting methods
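The fingerprinting idea above, as an added example that is not code from the paper or the slides: a small detector that parses IRC PRIVMSG lines and matches the first token of each message against the per-codebase command vocabularies the slides list. The vocabularies are copied from the slides (abbreviated forms such as "kill, killpid" and "ddos.udpflood, synflood, ..." are expanded to their dotted module names, which is an assumption), and the IRC log lines are constructed for the demo.

```python
"""Fingerprint IRC PRIVMSG traffic against the bot command vocabularies.

Added example, not code from the paper or the slides. The vocabularies below
are the commands the slides list for each codebase; the IRC lines are
constructed for the demo.
"""
import re

# Command vocabularies from the slides, keyed by codebase. Agobot commands are
# dotted ("module.command"); GTBot commands start with "!"; SDBot and SpyBot use
# bare words, several of which (ping, update, scan) also occur in normal chat.
# Dotted expansions of the slide's abbreviated lists are an assumption.
FAMILY_COMMANDS = {
    "agobot": {"bot.open", "cvar.set", "harvest.cdkeys", "harvest.emails",
               "pctrl.list", "pctrl.kill", "pctrl.killpid", "inst.asadd",
               "inst.asdel", "scan.addnetrange", "scan.delnetrange",
               "scan.enable", "ddos.udpflood", "ddos.synflood",
               "ddos.httpflood", "ddos.phatsyn", "ddos.phaticmp",
               "ddos.phatwonk", "ddos.targa3", "ddos.stop"},
    "sdbot": {"download", "killthread", "update", "udp", "ping"},
    "spybot": {"login", "disconnect", "reconnect", "uninstall", "spy",
               "loadclones", "killclones", "delete", "execute", "makedir",
               "startkeylogger", "stopkeylogger", "reboot", "update", "scan"},
    "gtbot": {"!ver", "!scan", "!portscan", "!update"},
}
# The slide lists "!clone.*" for GTBot, so treat it as a prefix match.
GTBOT_PREFIXES = ("!clone",)

# Minimal IRC PRIVMSG parser: ":nick!user@host PRIVMSG #chan :text"
PRIVMSG_RE = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")


def parse_privmsg(line):
    """Return (sender, target, text) for a PRIVMSG line, else None."""
    m = PRIVMSG_RE.match(line.strip())
    if not m:
        return None
    return m.group("prefix"), m.group("target"), m.group("text")


def classify_command(text):
    """Map the first token of a message to the families whose vocabulary has it.

    Returns (families, confidence). Tokens carrying a family's syntax marker
    (a dot or a leading "!") are rated high; bare words are rated low because
    they collide with ordinary chat.
    """
    if not text.strip():
        return set(), None
    token = text.split()[0].lower()
    families = {fam for fam, cmds in FAMILY_COMMANDS.items() if token in cmds}
    if token.startswith(GTBOT_PREFIXES):
        families.add("gtbot")
    if not families:
        return set(), None
    confidence = "high" if ("." in token or token.startswith("!")) else "low"
    return families, confidence


def scan_irc_log(lines):
    """Return one finding per PRIVMSG whose first token matches a vocabulary."""
    findings = []
    for line in lines:
        parsed = parse_privmsg(line)
        if parsed is None:
            continue
        families, confidence = classify_command(parsed[2])
        if families:
            findings.append({"line": line, "target": parsed[1],
                             "token": parsed[2].split()[0].lower(),
                             "families": families, "confidence": confidence})
    return findings


# Constructed sample: two bot commands, two ordinary messages, one server PING.
SAMPLE_LOG = [
    ":c0ntr0l!op@10.0.0.5 PRIVMSG #lobby :ddos.udpflood 192.0.2.10 53 1024",
    ":c0ntr0l!op@10.0.0.5 PRIVMSG #lobby :!portscan 198.51.100.0 1 1024",
    ":alice!a@host PRIVMSG #lobby :anyone want to update the wiki?",
    ":bob!b@host PRIVMSG #lobby :ping me later",
    "PING :irc.example.net",
]

if __name__ == "__main__":
    for f in scan_irc_log(SAMPLE_LOG):
        print(f["confidence"], sorted(f["families"]), f["line"])
```

The confidence split is the practical point: dotted Agobot commands and "!"-prefixed GTBot commands are distinctive enough to alert on directly, while SDBot's bare "ping" or "update" needs channel context (a channel whose only traffic is such tokens, many clients reacting to one sender) before it means anything. This only works while the control channel is plaintext, which is exactly the limitation the slide flags.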
HOST CONTROL MECHANISMS
• Manipulate victim host
• AGOBOT
– Commands to harvest sensitive information (harvest.cdkeys, harvest.emails, registry, windowskeys)
– List and kill processes (pctrl.list, kill, killpid)
– Add or delete autostart entries (inst.asadd, asdel)
• SDBOT
– Remote execution commands and gathering of local information
– Patches
– Host control commands (download, killthread, update)
• SPYBOT
– Control commands for file manipulation, key logging, remote command execution
– Commands are delete, execute, makedir, startkeylogger, stopkeylogger, reboot, update
• GTBOT
– Gathering local system information
– Run or delete local files
• IMPLICATIONS
– Underscore the need to patch
– Stronger protection boundaries
– Gathering sensitive information
PROPAGATION MECHANISMS
• Search for new host systems
• Horizontal and vertical scan
• AGOBOT
– IP addresses within network ranges
– scan.addnetrange, scan.delnetrange, scan.enable
• SDBOT
– Same as Agobot
– NETBIOS scanner
• Starting and ending IP addresses
• SPYBOT
– Command interface
• Command: scan <startipaddress> <port> <delay> <spreaders> <logfilename>
• Example: scan 127.0.0.1 17300 1 netbios portscan.txt
• GTBOT
– Horizontal and vertical scanning
• IMPLICATIONS
– Simple scanning methods
– Source code examination
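The horizontal and vertical scanning described above, seen from the network defender's side, as an added example that is not code from the paper or the slides. The SpyBot scan command (one port, a run of addresses from a start IP) and the SDBot NETBIOS scanner (a start and end address) are horizontal sweeps; they show up in connection records as one source touching many destination hosts on one port, whereas a vertical scan shows up as one source touching many ports on one host. The flow records and the thresholds are constructed for the demo.

```python
"""Detect horizontal and vertical scans in connection records.

Added example, not code from the paper or the slides. Thresholds and the flow
records are assumptions made for the demo.
"""
from collections import defaultdict


def detect_scans(flows, horiz_threshold=10, vert_threshold=20):
    """flows: iterable of (src_ip, dst_ip, dst_port). Returns a list of alerts.

    Horizontal: one source reaches >= horiz_threshold distinct hosts on one port.
    Vertical:   one source reaches >= vert_threshold distinct ports on one host.
    """
    hosts_per_src_port = defaultdict(set)  # (src, dport) -> distinct dst hosts
    ports_per_src_dst = defaultdict(set)   # (src, dst) -> distinct dst ports
    for src, dst, dport in flows:
        hosts_per_src_port[(src, dport)].add(dst)
        ports_per_src_dst[(src, dst)].add(dport)

    alerts = []
    for (src, dport), dsts in hosts_per_src_port.items():
        if len(dsts) >= horiz_threshold:
            alerts.append({"type": "horizontal", "src": src, "port": dport,
                           "count": len(dsts)})
    for (src, dst), ports in ports_per_src_dst.items():
        if len(ports) >= vert_threshold:
            alerts.append({"type": "vertical", "src": src, "dst": dst,
                           "count": len(ports)})
    return alerts


# Constructed sample: one NetBIOS sweep (port 139 across 12 hosts), one port
# sweep (30 ports on one host), and two ordinary web connections.
SAMPLE_FLOWS = (
    [("10.0.0.7", f"10.0.1.{i}", 139) for i in range(1, 13)]
    + [("10.0.0.9", "10.0.2.5", p) for p in range(1, 31)]
    + [("10.0.0.3", "10.0.5.1", 80), ("10.0.0.3", "10.0.5.2", 443)]
)

if __name__ == "__main__":
    for a in detect_scans(SAMPLE_FLOWS):
        print(a)
```

The slide's scan syntax carries a delay argument, and a bot that spreads its sweep over hours stays under any per-batch threshold; a production detector therefore counts distinct targets within a time window and ages them out, rather than over a whole unbounded record set as this demo does.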
EXPLOITS AND ATTACK MECHANISMS
• Attack known vulnerabilities on target systems
• AGOBOT
– Broadening set of exploits
– Generic DDOS module
• Enables seven types of denial of service attacks
• ddos.udpflood, synflood, httpflood, phatsyn, phaticmp, phatwonk, targa3, stop
• SDBOT
– UDP and ICMP packets, flooding attacks
– udp <host> <#pkts> <pktsz> <delay> <port> and ping <host> <#pkts> <pktsz> <timeout>
• SPYBOT AND GTBOT
– Same as SDBot
• IMPLICATIONS
– Multiple exploits
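The flooding commands above, seen from the side of the network that receives the flood, as an added example that is not code from the paper or the slides. The SDBot udp and ping commands make each bot emit a burst of packets of a chosen size at one host; when the controller issues the command to the whole channel, the victim sees a high packet rate from many sources at once. The detector below buckets packets per second, destination and protocol, and labels an over-threshold bucket as distributed when enough distinct sources contributed. The packet records and thresholds are constructed for the demo.

```python
"""Flag UDP/ICMP floods and tell a single-source flood from a distributed one.

Added example, not code from the paper or the slides. Thresholds and the packet
records are assumptions made for the demo.
"""
from collections import defaultdict


def detect_floods(packets, pps_threshold=1000, min_sources=10):
    """packets: iterable of (timestamp_seconds, proto, src_ip, dst_ip).

    Counts packets per (1-second bucket, destination, protocol) and returns an
    alert for every bucket at or above pps_threshold, labelled "distributed"
    when at least min_sources distinct sources contributed.
    """
    counts = defaultdict(int)
    sources = defaultdict(set)
    for ts, proto, src, dst in packets:
        key = (int(ts), dst, proto)
        counts[key] += 1
        sources[key].add(src)

    alerts = []
    for key in sorted(counts):
        pps = counts[key]
        if pps < pps_threshold:
            continue
        bucket, dst, proto = key
        n_src = len(sources[key])
        alerts.append({"second": bucket, "dst": dst, "proto": proto,
                       "pps": pps, "sources": n_src,
                       "kind": "distributed" if n_src >= min_sources
                       else "single-source"})
    return alerts


# Constructed sample: 50 bots each send 30 UDP packets within one second at the
# same victim, plus a little ordinary DNS traffic to another host.
SAMPLE_PACKETS = (
    [(100.0 + i / 30, "udp", f"192.0.2.{b}", "203.0.113.10")
     for b in range(1, 51) for i in range(30)]
    + [(100.0 + i / 5, "udp", "10.0.0.3", "203.0.113.53") for i in range(5)]
)

if __name__ == "__main__":
    for a in detect_floods(SAMPLE_PACKETS):
        print(a)
```

The distinct-source count is what separates a botnet flood from a single misbehaving host and decides the response: a single source can be blocked at the edge, while a distributed flood needs upstream filtering or rate limiting on the victim side.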
MALWARE DELIVERY MECHANISMS
• GT/SD/SPY bots deliver exploit and encoded malware in a single package
• Agobot
– Exploits a vulnerability and opens a shell on the remote host
– Encoded binary is then sent using HTTP or FTP
• IMPLICATIONS
OBFUSCATION MECHANISMS
• Hide the details
• Polymorphism
• AGOBOT
– POLY_TYPE_XOR
– POLY_TYPE_SWAP
– POLY_TYPE_ROR
– POLY_TYPE_ROL
• IMPLICATIONS
CONCLUSIONS
• Expanded the knowledge base for security research
• Lethal classes of internet threats
• Functional components of botnets
WEAKNESSES
• Study only IRC
• No preventive mechanisms
• No dynamic profiling of botnet executables
• Insufficient analysis
IMPROVEMENTS
• Dynamic profiling can be executed using some tools
• Botnet monitoring mechanism can be explained
• Analysis for peer to peer infrastructure