AN INSIDE LOOK AT BOTNETS

1
AN INSIDE LOOK AT BOTNETS

• Barford, Paul and Yegneswaran
• Advances in Information Security, Springer, 2006
• Kishore Padma Raju

2
INTRODUCTION

• Attacks for financial gain
• Proactive methods
• Understanding of malicious software readily
  available
• 4 IRC botnet codebases along 7 dimensions

3
ARCHITECTURE

• AGOBOT (Phatbot)
• Found in october 2002
• Sophisticated and best written source code
• 20,000 lines of c/c
• High level components
• IRC based command and control mechanism
• Large collection of target exploits
• DOS attacks
• Harvest the local host

4

• SDBOT
• October 2002
• Simple code in C, 2000 lines
• IRC based command and control system
• Easy to extend and so many patches available(DOS
  attacks, information harvesting routines)
• Motivation for patch dissemination is diffusion
  of accountability

5

• SPYBOT
• 3000 lines of C code
• April 2003
• Evolved from SDBOT
• No diffusion accountability
• Includes scanning capability and launching
  flooding attacks
• Efficient

6

• GTBOT(global threat)(Aristotles)
• Based on functions of mIRC(writes event handlers
  for remote nodes)
• Capabilities are
• Port scanning
• DOS attacks
• Stored in file mirc.ini
• Remote execution
• BNC(proxy system) , psexec.exe
• Implications

7
BOTNET CONTROL MECHANISMS

• Communication
• Command language and control protocols
• Based onIRC
• Commands
• Deny service
• spam
• Phish

8

• Agobot
• Command language contain Standad IRC and specific
  commands of this bot
• Bot commands, perform specific function
• Bot.open
• Cvar.set
• Ddos_max_threads

9

• Sdbot

NICK_USER
PING
001/005
PONG
001/005
JOIN
USERHOST
NICK
PREVMSG/ NOTICE/ TOPIC
302
EST
KICK
353
PART/QUIT
ACTION
RESET
REJOIN
10

• SPYBOT
• Command language simple
• Commands are login, passwords, disconnect,
  reconnect, uninstall, spy, loadclones,killclones
• GTBOT
• Simplest
• Varies across versions
• Commands are !ver, !scan, !portscan,
  !clone.,!update
• IMPLICATIONS
• Now simple
• Future, encrypted communication
• Finger printing methods

11
HOST CONTROL MECHANISMS

• Manipulate victim host
• AGOBOT
• Commands to harvest sensitive information(harvest.
  cdkeys, harvest.emails, registry, windowskeys)
• List and kill processes(pctrl.list, kill,
  killpid)
• Add or delete autostart entries(inst.asadd,
  asdel)
• SDBOT
• Remote execution commands and gather local
  information
• Patches
• Host control commands (download, killthread,
  update)

12

• SPYBOT
• Control commands for file manipulation, key
  logging, remote command execution
• Commands are delete, execute, makedir,
  startkeylogger, stopkilllogger, reboot, update.
• GTBOT
• Gathering local system information
• Run or delete local files
• IMPLICATIONS
• Underscore the need to patch
• Stronger protection boundaries
• Gathering sensitive information

13
PROPAGATION MECHANISMS

• Search for new host systems
• Horizontal and vertical scan
• AGOBOT
• IP address within network ranges
• Scan.addnetrange, scan.delnetrange, scan.enable
• SDBOT
• Same as agobot
• NETBIOS scanner
• Starting and end IP adresses

14

• SPYBOT
• Command interface
• Command
• Scan ltstartipaddressgt ltportgt ltdelaygtltspreadersgtltlo
  gfilenamegt
• Example
• Scan 127.0.0.1 17300 1
  netbios portscan.txt
• GTBOT
• Horizontal and vertical scanning
• IMPLICATIONS
• Simple scanning methods
• Source code examination

15
EXPLOITS AND ATTACK MECHANISMS

• Attack known vulnerabilities on target systems
• AGOBOT
• Broadening set of exploits
• Generic DDOS module
• Enables seven types of service attacks
• Ddos.udpflood, synflood, httpflood, phatsyn,
  phaticmp,Phatwonk, targa3, stop.
• SDBOT
• UDP and ICMP packets, flooding attacks
• udp lthostgt ltpktsgt ltpktszgtltdelaygtltportgt and ping
  lthostgt ltpktsgt ltpktszgtlttimeoutgt

16

• SPYBOT AND GTBOT
• Same as sdbot
• IMPLICATIONS
• Multiple exploits

17
MALWARE DELIVERY MECHANISMS

• GT/SD/SPY bots deliver exploit and encoded
  malware in single package
• Agobot
• Exploit vulnerability and open a shell on remote
  host
• Encoded binary is then sent using HTTP or FTP.
• IMPLICATIONS

18
OBFUSCATION MECHANISMS

• Hide the details
• Polymorphism
• AGOBOT
• POLY_TYPE_XOR
• POLY_TYPE_SWAP
• POLY_TYPE_ROR
• POLY_TYPE_ROL
• IMPLICATIONS

19
CONCLUSIONS

• Expanded the knowledge base for security research
• Lethal classes of internet threats
• Functional components of botnets

20
WEAKNESSES

• Study only IRC
• No Preventive mechanisms
• No dynamic profiling of botnet executables
• Insufficient analysis

21
IMPROVEMENTS

• Dynamic profiling can be executed using some
  tools
• Botnet monitoring mechanism can be explained
• Analysis for peer to peer infrastructure