Bots and Botnets - IT Services Technical Notes

Bots and Botnets
plus Forensic analysis of a bot
Introduction
• Wayne Hauber
• Computer consultant since 1984 at Iowa State University
• Started analyzing bots as a major focus in 2002
Bots and Botnets
• Bot – nothing more than a remotely controlled program
• A collection of bots controlled from a central source is a botnet
• Most bots have their origin in some segment of the IRC community
• Botnet controllers are either public IRC servers or custom private IRC servers
Not New
• Floodbots appeared at ISU in the early 1990s. Mostly a nuisance to staff from fringe IRC users
• First SYN Flood denial of service attacks in 1997
• See the Hank Nussbacher presentation for a good chronology
What is new
• Organization
• Talent
• Skills
• Complete disregard for the values of mainstream society
• IRC Society drives the problem
Pubstros/distros
• In late 2001 and early 2002, the first Pubstros appeared at ISU
• Pubstros are servers created on a vulnerable system
• They serve movies, games, software and pornography
• Usually some other software is installed; expect password crackers, keyloggers, proxies and network scanners
• Pubstros were created by a highly organized and developed society of IRC users
• Pubstro/distro tutorials were published on the web
• Hierarchical duties were assigned to those establishing pubstros
• One group scanned for proxy systems and installed scanning tools
• Another group scanned for vulnerable systems and posted a list
• Another group laid down the server and the contraband
• Quotas determined status in the group
• A group in the far east supplies movies, often prior to US release dates
• At ISU, we locate some pubstros because they are in our top-20 network traffic list
• Others are detected because they “look the same” as a top-20 pubstro
• Some are detected because other activity is detected by netflow monitoring
• Some are detected when a hacker is clumsy
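The netflow angle above, worked through as an added example (this is not the talk's or ISU's own tooling): a host that keeps an IRC session open while sweeping many hosts on the exploit ports from the SDBot.MB scanner list quoted later in this deck is flagged, and other hosts that "look the same" because they talk to the same IRC server are flagged by pivoting on that server. The flow-tuple shape, the IRC port set and the fan-out threshold are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict

# Ports the SDBot.MB scanner probes, taken from the F-Secure description
# quoted later in this deck. Port 80 (WebDav) is left out of the fan-out
# count because ordinary web browsing also fans out to many hosts.
SCAN_PORTS = {135, 139, 445, 1025, 1433, 5000, 3140, 2745,
              17300, 3127, 903, 27347, 6129}
IRC_PORTS = {6667, 6668, 6669, 7000}   # assumed common IRC server ports

def find_bot_candidates(flows, fanout=20):
    """flows: iterable of (src, dst, dport) for TCP flows seen by the
    collector. Returns {host: [reasons]} for hosts that look like IRC-
    controlled scanners, plus hosts that "look the same" (same IRC peer)."""
    irc_peers = defaultdict(set)     # src -> IRC servers contacted
    scan_targets = defaultdict(set)  # src -> distinct hosts hit on scan ports
    for src, dst, dport in flows:
        if dport in IRC_PORTS:
            irc_peers[src].add(dst)
        elif dport in SCAN_PORTS:
            scan_targets[src].add(dst)

    findings = defaultdict(list)
    bad_irc_servers = set()
    for host, targets in scan_targets.items():
        if len(targets) >= fanout and irc_peers.get(host):
            findings[host].append(
                f"{len(targets)} hosts probed on exploit ports while connected "
                f"to IRC at {sorted(irc_peers[host])}")
            bad_irc_servers |= irc_peers[host]
    # Pivot: any other host on the same IRC server as a confirmed scanner
    for host, servers in irc_peers.items():
        shared = servers & bad_irc_servers
        if host not in findings and shared:
            findings[host].append(
                f"shares IRC server {sorted(shared)} with a scanning host")
    return dict(findings)

# Constructed sample flows (not real ISU data)
SAMPLE_FLOWS = (
    [("10.1.2.3", "198.51.100.7", 6667)]                             # bot -> C&C
    + [("10.1.2.3", f"10.9.0.{i}", 445) for i in range(1, 31)]      # LSASS sweep
    + [("10.1.2.9", "198.51.100.7", 6667)]                           # quiet bot, same C&C
    + [("10.1.2.20", f"203.0.113.{i}", 80) for i in range(1, 31)]   # web browsing
    + [("10.1.2.21", "10.9.0.5", 445), ("10.1.2.21", "10.9.0.6", 139)]  # admin
)

if __name__ == "__main__":
    for host, reasons in sorted(find_bot_candidates(SAMPLE_FLOWS).items()):
        print(host, "->", "; ".join(reasons))
```

Tune the fan-out threshold to the subnet: an administrator's host doing a few SMB connections stays below it, while a sweep of a /24 does not.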
• Becoming more sophisticated
• Are well hidden – Hacker Defender is a suite of tools to hide your favorite trojan
• Still common – I detected a pubstro on a departmental server two days ago.
Organized crime
• See the From Russia with Malice handout: http://www.vnunet.com/analysis/1160302
IRC Society
• Slides are from a presentation by Hank Nussbacher: http://www.interall.co.il/presentations/first-16.pdf
Frequency of attacks
• Page 84 of the Nussbacher presentation
• Page 32 of the Vunderink presentation: http://www.garion.org/tmp/ircdrones.pdf
Size of botnets
• It is common to see botnets with a strength of 1,000 to 2,000 bots
• One record botnet had a strength of hundreds of thousands of bots
About these numbers
• The numbers I located for this talk are from June 2004
• It is too early in our understanding of Botnets to offer a trend analysis
• However, it is too easy to establish a botnet; I do not expect the numbers to be smaller
• Please note that we discovered a botnet controller at ISU controlling 190,000+ bots just this week.
Easy tools
• Tools that we have seen at ISU have grown in sophistication and power
• Professional hackers are writing tools
• Many of today’s new viruses are nothing more than hacker tools in active use
• Quote from page 14 of the Vunderink presentation
Easy Tools
• Sdbot
• Korgo
• Optix
• Spybot
Optix – a sdbot variant
Detailed Description: The backdoor's file is a PE executable about 93 kilobytes long, packed with Yoda and PECompact file compressors.
When the backdoor's file is started, it copies itself as SNDCFG16.EXE to the Windows System folder, sets hidden, system and read-only attributes for itself and then creates the following startup keys in the Registry…
The backdoor monitors Registry changes and re-creates these keys if they are deleted or modified.
SDBot.MB kills the processes of security and anti-virus software and also processes of certain malware (for example Bagle). The processes with the following names are killed:
regedit.exe msconfig.exe …a long list…
The backdoor can scan for vulnerable computers using different types of exploits and tries to locate other backdoors installed on remote hosts. Here's the list of scanner capabilities:
• WebDav (port 80)
• NetBios (port 139)
• NTPass (port 445)
• DCom (ports 135, 1025)
• DCom2 (port 135)
• MSSQL (port 1433)
• LSASS (port 445)
• UPNP (port 5000)
• Optix backdoor (port 3140)
• Bagle backdoor (port 2745)
• Kuang backdoor (port 17300)
• Mydoom backdoor (port 3127)
• NetDevil backdoor (port 903)
• SubSeven backdoor (port 27347)
• DameWare remote management software (port 6129)
The backdoor starts an IDENTD server on port 113.
A hacker can control the backdoor via a bot that it creates in a certain IRC channel.
Backdoor capabilities are the following:
• start HTTP server on an infected computer
• start FTP server on an infected computer
• scan for vulnerable computers (open ports and exploits)
• make use of exploits and spread to remote computers
• start/stop keylogger
• get system information including information about OS, network and drives
• operate backdoor's bot (nick change, dcc send/receive, join/part channels, etc.)
• perform DDoS (Distributed Denial of Service) attack, SYN, ICMP, UDP flood
• find, download and run files
• search for passwords
• start/stop remote services
• create/delete remote shares
• flush DNS cache
• ping any host
• list, start and kill processes
• sniff network traffic
• start remote command shell
• capture video from a webcam
• capture a screenshot
• redirect traffic on certain ports
• perform portscan
• send e-mails (work as an e-mail proxy)
• open a URL with default web browser
SDBot.MB steals CD keys for the following games if they are installed on an infected computer:
Counter-Strike (Retail); The Gladiators; Gunman Chronicles; Half-Life; Industry Giant 2; Legends of Might and Magic; Soldiers Of Anarchy; Unreal Tournament 2003; Unreal Tournament 2004; IGI 2: Covert Strike; Freedom Force; Battlefield 1942; Battlefield 1942 (Road To Rome); Battlefield 1942 (Secret Weapons of WWII); Battlefield Vietnam; Black and White; Command and Conquer: Generals (Zero Hour); James Bond 007: Nightfire; Command and Conquer: Generals; Global Operations; Medal of Honor: Allied Assault; Medal of Honor: Allied Assault: Breakthrough; Medal of Honor: Allied Assault: Spearhead; Need For Speed Hot Pursuit 2; Need For Speed: Underground; Shogun: Total War: Warlord Edition; FIFA 2002; FIFA 2003; NHL 2002; NHL 2003; Nascar Racing 2002; Nascar Racing 2003; Rainbow Six III RavenShield; Command and Conquer: Tiberian Sun; Command and Conquer: Red Alert; Command and Conquer: Red Alert 2; NOX; Chrome; Hidden & Dangerous 2; Soldier of Fortune II - Double Helix; Neverwinter Nights; Neverwinter Nights (Shadows of Undrentide); Neverwinter Nights (Hordes of the Underdark)
The backdoor also steals the Microsoft Windows Product ID.
Other threats
• “Drive-by installations of trojans”
• googkle.com example: http://www.f-secure.com/v-descs/googkle.shtml
• Lyrics example
Protecting client systems
• Comments from Vunderink
Some conclusions
• Security threats have changed
• Our clients have no idea that the security paradigm has changed
• Policy makers do not know that security threats have changed
• I am less pessimistic than Vunderink. I think that we will succeed in educating policy makers…but we won’t succeed in educating our clients.
1. A good overview of BotNets: Malicious Bots Threaten Network Security, David Geer. IEEE Computer, January 2005.
2. An article that provides examples of organized crime and botnets: From Russia with Malice. http://www.vnunet.com/analysis/1160302
3. Slides from a presentation that provide a good history of DDOS and techniques for fighting DDOS: Fighting Internet Diseases: DDoS, worms and miscreants, Hank Nussbacher and Nicolas Fischbach. http://www.interall.co.il/presentations/first-16.pdf
4. Slides from a presentation by an IRC administrator who is fighting botnets: IRC and Drones: Investigating botnets on IRC, Joost "Garion" Vunderink. http://www.garion.org/tmp/ircdrones.pdf
5. A paper that presents a complete forensic analysis of a compromised system: GIAC Certified Forensic Analyst (GCFA) Practical Assignment, Jennifer Kolde, SANS Institute. http://www.giac.org/practical/GCFA/Jennifer_Kolde_GCFA.pdf
Hank Nussbacher’s picks for DDOS references
A large number of papers and presentations can be found at the public page: https://puck.nether.net/mailman/listinfo/nsp-security
In addition, I have found these to be useful:
• http://staff.washington.edu/dittrich/misc/ddos/
• http://www.linuxsecurity.com/resource_files/intrusion_detection/ddos-faq.html
• http://www.networkcomputing.com/1201/1201f1c1.html
• http://www.sans.org/dosstep/index.php
• http://downloads.securityfocus.com/library/sn_ddos.doc
Other good references
• A good overview of DDOS: http://www.cisco.com/en/US/about/ac123/ac147/archived_issues/ipj_74/dos_attacks.html
• Using SNORT to detect rogue IRC Bot Programs: http://www.giac.org/certified_professionals/practicals/gsec/4095.php
• My slides: http://tech.ait.iastate.edu/winsecurity/presentations/infraguard.ppt
Detecting a new bot
• Good free tools from sysinternals.com: TCPView, Process Explorer, Autoruns, Regmon, Filemon, RootkitRevealer
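Autoruns shows the startup entries; as an added example (not from the talk or Sysinternals), the script below applies one Autoruns-style triage rule derived from the SDBot.MB description earlier in this deck: an entry under the Run/RunServices keys whose image sits in the Windows System folder and carries hidden, system and read-only attributes. The key paths, the default System folder and the parsing of Run values are assumptions; scan_run_keys needs Windows, while triage_autorun runs anywhere.

```python
import os

# Win32 file-attribute bits restated so the rule also runs on non-Windows
# hosts (values match the Windows API constants)
ATTR_READONLY, ATTR_HIDDEN, ATTR_SYSTEM = 0x01, 0x02, 0x04
STEALTH_MASK = ATTR_READONLY | ATTR_HIDDEN | ATTR_SYSTEM
RUN_KEYS = (r"Software\Microsoft\Windows\CurrentVersion\Run",
            r"Software\Microsoft\Windows\CurrentVersion\RunServices")

def image_from_command(command):
    """Executable path from a Run value: '"C:\\a b\\x.exe" -q' or 'x.exe /q'."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]  # unquoted paths with spaces get truncated

def triage_autorun(image_path, attributes, system_dir=r"C:\WINDOWS\system32"):
    """Reasons an autorun entry resembles the SDBot.MB persistence quoted in
    this deck (copy in the System folder, hidden+system+read-only). [] = none."""
    reasons = []
    if image_path.lower().startswith(system_dir.lower() + "\\"):
        reasons.append("image lives in the Windows System folder")
    if attributes & STEALTH_MASK == STEALTH_MASK:
        reasons.append("hidden + system + read-only attributes set")
    return reasons

def scan_run_keys():
    """Walk HKLM/HKCU Run keys (Windows only); returns {entry: reasons}."""
    import winreg  # only importable on Windows
    hits = {}
    for hive, hname in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"),
                        (winreg.HKEY_CURRENT_USER, "HKCU")):
        for subkey in RUN_KEYS:
            try:
                key = winreg.OpenKey(hive, subkey)
            except OSError:
                continue  # key absent on this Windows version
            with key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _ = winreg.EnumValue(key, i)
                    path = image_from_command(str(data))
                    try:
                        attrs = os.stat(path).st_file_attributes
                    except OSError:
                        attrs = 0  # missing file or unexpanded %var% path
                    reasons = triage_autorun(path, attrs)
                    if reasons:
                        hits[f"{hname}\\{subkey}\\{name}"] = reasons
    return hits
```

Anything scan_run_keys reports still needs a manual look with Process Explorer and TCPView, since a few legitimate system files also carry those attributes.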