AN INSIDE LOOK AT BOTNETS
ARO-DHS Special Workshop on Malware Detection, 2005
Written By: Paul Barford and Vinod Yegneswaran, University of Wisconsin, Madison
Presented By: Jarrod Williams
OUTLINE Motivation/Goals Botnets Botnet Attributes Conclusion/Review
MOTIVATION/GOALS Increase in botnet usage
Spam, DDoS, identity theft
The objective of the paper is to understand how botnets work and to find commonalities between them
Botnets studied: Agobot (4.0 Pre-Release), SDBot (05B), SpyBot (1.4), GT Bot with DCOM
MOTIVATION/GOALS Architecture Botnet control mechanisms Host control mechanisms Propagation mechanisms Exploits and attack mechanisms Malware delivery mechanisms Obfuscation methods Deception mechanisms
BOTNETS A collection of compromised computers
running software controlled by a single user
Botnets are controlled by a botmaster
Compromised host machines are called zombies
The zombies of all four bots studied here are controlled over IRC
Many variants of the same bot code base exist; together they form a bot family
BOTNETS
Internet Relay Chat (IRC) is a form of real-time Internet text messaging. It is mainly designed for group communication in channels, but it also allows one-to-one communication via private message and data transfers via Direct Client-to-Client (DCC)
Created by Jarkko Oikarinen in August 1988
BOTNET ATTRIBUTES CONSIDERED: Architecture
AGOBOT (4.0 PRE-RELEASE) The most sophisticated of the four
Released October, 2002
Hundreds of variants of this bot; it is also commonly referred to as Phatbot
Roughly 20,000 lines of C/C++
The ability to launch different kinds of DoS attacks
The ability to harvest the local host for PayPal passwords and AOL keys through traffic sniffing, key logging or searching registry entries
SDBOT (05B) Fairly simple
Released October, 2002
Hundreds of variants of this bot
Slightly over 2,000 lines of C
Does not include any overtly malicious code modules in its base distribution
The code is obviously easy to extend and patch
Patches supply the malicious code an attacker needs; roughly 80 patches for SDBot were found through Internet web searching
SPYBOT (1.4) Relatively small like SDBot
Released April, 2003
Under 3,000 lines of C
The command and control engine appears to be shared with SDBot, and it is likely that SpyBot evolved from SDBot
Includes NetBIOS/Kuang/Netdevil/KaZaa exploits
Contains modules for launching flooding attacks and has scanning capabilities
GT BOT WITH DCOM Simple design providing a limited set of functions
Released April, 1998
Global Threat Bot has hundreds of variants and is also referred to as Aristotles
Easy to modify, but there is nothing that suggests it was designed with extensibility in mind
Capabilities include port scanning, DoS attacks, and exploits for RPC and NetBIOS services
Includes the HideWindow program which keeps the bot hidden on the local system
BOTNET ATTRIBUTES CONSIDERED: Propagation mechanisms
AGOBOT (4.0 PRE-RELEASE) Simple vertical and horizontal scanning
Scanning is based on the network ranges (network prefixes) that are configured on individual bots
SDBOT (05B) By virtue of its claimed benign intent, SDBot does not have scanning or propagation capability in its base distribution
Many variants of SDBot include scanning and propagation capability
SPYBOT (1.4) Simple command interface for scanning
Horizontal and vertical scanning capability
Scans are sequential
Command: scan <startIP address> <port> <delay> <spreaders> <logfilename>
Example: scan 127.0.0.1 17300 1 netbios portscan.txt
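The scan command above is a fixed six-field line sent over the IRC control channel, which makes it a good signature for channel monitoring. The following is an added example, not code from the paper or the bots it describes: it frames IRC PRIVMSG lines, validates the SpyBot scan syntax field by field (IPv4 start address, numeric port and delay) and returns the parsed commands. The sample IRC lines, the nick "ctl" and the channel "#bots" are constructed for the example; only the scan syntax is taken from the slide.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed IRC channel traffic (assumed), not a capture from the paper.
# Line 1 and 2 are well-formed scan commands, line 3 is ordinary chat that
# happens to contain the word "scan", line 4 has a non-numeric port.
SAMPLE_IRC_LINES = [
    ":ctl!ctl@10.0.0.5 PRIVMSG #bots :scan 10.1.2.1 445 1 netbios portscan.txt",
    ":ctl!ctl@10.0.0.5 PRIVMSG #bots :scan 127.0.0.1 17300 1 netbios portscan.txt",
    ":alice!alice@10.0.0.9 PRIVMSG #chat :anyone up for a scan of the menu tonight?",
    ":ctl!ctl@10.0.0.5 PRIVMSG #bots :scan 10.1.2.1 notaport 1 netbios log.txt",
]


@dataclass(frozen=True)
class ScanCommand:
    start_ip: str
    port: int
    delay: int
    spreader: str
    logfile: str


# IRC PRIVMSG framing: optional ":prefix", the target (channel or nick),
# then the message text after " :".
PRIVMSG_RE = re.compile(r"^(?::(?P<prefix>\S+) )?PRIVMSG (?P<target>\S+) :(?P<text>.*)$")


def parse_scan_command(text: str) -> Optional[ScanCommand]:
    """Parse 'scan <startIP> <port> <delay> <spreaders> <logfilename>'.

    Returns None unless the text is a well-formed SpyBot scan command, so a
    chat line that merely contains the word "scan" is not reported.
    """
    fields = text.strip().split()
    if len(fields) != 6 or fields[0].lower() != "scan":
        return None
    _, start_ip, port, delay, spreader, logfile = fields
    try:
        ipaddress.IPv4Address(start_ip)  # sequential scans start from an IPv4 address
        port_n = int(port)
        delay_n = int(delay)
    except ValueError:
        return None
    if not 0 < port_n < 65536 or delay_n < 0:
        return None
    return ScanCommand(start_ip, port_n, delay_n, spreader, logfile)


def extract_scan_commands(lines) -> List[Tuple[Optional[str], str, ScanCommand]]:
    """Return (sender prefix, target, ScanCommand) for each PRIVMSG carrying a valid scan command."""
    found = []
    for line in lines:
        m = PRIVMSG_RE.match(line)
        if not m:
            continue
        cmd = parse_scan_command(m.group("text"))
        if cmd is not None:
            found.append((m.group("prefix"), m.group("target"), cmd))
    return found


if __name__ == "__main__":
    for prefix, target, cmd in extract_scan_commands(SAMPLE_IRC_LINES):
        print(f"{prefix} -> {target}: scan from {cmd.start_ip} port {cmd.port} "
              f"delay {cmd.delay} spreader {cmd.spreader} log {cmd.logfile}")
```

Strict field validation is the point: the example rejects the chat line and the malformed command, so an alert fires only on text a SpyBot instance would actually act on.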
GT BOT WITH DCOM Includes support for simple horizontal and vertical scanning
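All four propagation slides use the terms horizontal scan (one port across many hosts) and vertical scan (many ports on one host). The following is an added example, not code from the paper, showing how a defender tells the two apart from flow records: it groups flows by source, counts distinct targets per port and distinct ports per target, and labels a source once either count passes a threshold. The flow records and the thresholds are constructed for the example; the two backdoor ports annotated, 2745 and 3127, are the ones named under Agobot's scanner modules later in the deck.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Constructed flow records (assumed), not data from the paper.
# 10.0.0.7 sweeps one port across a /24 (horizontal),
# 10.0.0.8 probes a range of ports on a single host (vertical),
# 10.0.0.9 is ordinary client traffic and must not be flagged.
SAMPLE_FLOWS = (
    [Flow("10.0.0.7", f"192.168.1.{i}", 2745) for i in range(1, 41)]
    + [Flow("10.0.0.8", "192.168.1.50", p) for p in range(135, 165)]
    + [Flow("10.0.0.9", "192.168.1.10", 80), Flow("10.0.0.9", "192.168.1.11", 443)]
)

# Thresholds are assumptions chosen for the sample, not taken from the paper.
HORIZONTAL_MIN_HOSTS = 20   # distinct targets contacted on one port
VERTICAL_MIN_PORTS = 20     # distinct ports contacted on one target

# Ports named in the Agobot scanner modules on the page; used only to label reports.
BACKDOOR_PORTS = {2745: "Bagle backdoor", 3127: "MyDoom backdoor"}


def classify_scanners(flows: Iterable[Flow],
                      min_hosts: int = HORIZONTAL_MIN_HOSTS,
                      min_ports: int = VERTICAL_MIN_PORTS) -> Dict[str, Set[str]]:
    """Return {src: labels}; labels are 'horizontal:<port>' and 'vertical:<dst>'."""
    hosts_per_port = defaultdict(lambda: defaultdict(set))   # src -> port -> {dst}
    ports_per_host = defaultdict(lambda: defaultdict(set))   # src -> dst -> {port}
    for f in flows:
        hosts_per_port[f.src][f.dport].add(f.dst)
        ports_per_host[f.src][f.dst].add(f.dport)

    verdicts: Dict[str, Set[str]] = defaultdict(set)
    for src, by_port in hosts_per_port.items():
        for port, dsts in by_port.items():
            if len(dsts) >= min_hosts:
                verdicts[src].add(f"horizontal:{port}")
    for src, by_dst in ports_per_host.items():
        for dst, ports in by_dst.items():
            if len(ports) >= min_ports:
                verdicts[src].add(f"vertical:{dst}")
    return dict(verdicts)


def describe(verdicts: Dict[str, Set[str]]) -> Dict[str, str]:
    """Attach the backdoor-port name to horizontal sweeps of a known port."""
    out = {}
    for src, labels in verdicts.items():
        parts = []
        for label in sorted(labels):
            kind, _, value = label.partition(":")
            if kind == "horizontal" and int(value) in BACKDOOR_PORTS:
                parts.append(f"{label} ({BACKDOOR_PORTS[int(value)]})")
            else:
                parts.append(label)
        out[src] = ", ".join(parts)
    return out


if __name__ == "__main__":
    for src, text in describe(classify_scanners(SAMPLE_FLOWS)).items():
        print(f"{src}: {text}")
```

Counting distinct targets rather than raw flows is what keeps a busy but legitimate client (many flows to two servers) below the horizontal threshold, while a bot walking its configured network prefix crosses it quickly.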
BOTNET ATTRIBUTES CONSIDERED: Exploits and attack mechanisms
AGOBOT (4.0 PRE-RELEASE) Has the most elaborate set of exploit modules of the four bots analyzed
Bagle scanner: scans for back doors left by Bagle variants on port 2745
Dcom scanner: scans for the well-known DCE-RPC buffer overflow
MyDoom scanner: scans for back doors left by variants of the MyDoom worm on port 3127
Dameware scanner: scans for vulnerable versions of the Dameware network administration tool
NetBIOS scanner: brute-force password scanning for open NetBIOS shares
Radmin scanner: scans for the Radmin buffer overflow
SDBOT (05B) SDBot does not have any exploits packaged in its standard distribution
It does include modules for sending both UDP and ICMP packets, which could be used for simple flooding attacks
Other variants of SDBot contain more exploit modules
SPYBOT (1.4) This version of SpyBot only included a module which attacked open NetBIOS shares
DDoS interface is closely related to SDBot and includes the capabilities for launching simple UDP, ICMP, and TCP SYN floods
Other variants of SpyBot contain more exploit modules
GT BOT WITH DCOM Developed to include RPC-DCOM exploits
Has the capability to launch simple ICMP floods
Other variants of GT Bot contain DDoS capabilities such as UDP and TCP SYN floods as well as other known exploits
BOTNET ATTRIBUTES CONSIDERED: Deception mechanisms
AGOBOT (4.0 PRE-RELEASE) Of the four bots analyzed, only Agobot had elaborate deception mechanisms
Mechanisms included:
Tests for debuggers such as OllyDebug, SoftIce and Procdump
Test for VMware
Killing anti-virus processes
Altering DNS entries of anti-virus software companies to point to the local host
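The last mechanism leaves a durable artifact on the host: name-to-address overrides that send anti-virus update traffic to the loopback address. The following is an added example, not code from the paper or from Agobot, of the forensic check a responder would run on a suspect machine: it parses hosts-file entries (comments, tabs, several hostnames per line) and reports watched vendor domains mapped to a loopback or unspecified address. The hosts-file contents and the vendor watchlist are constructed for the example; a real check would load the update domains the site's own products depend on.

```python
import ipaddress
from typing import Iterator, List, Set, Tuple

# Constructed stand-in for a tampered Windows hosts file
# (normally C:\Windows\System32\drivers\etc\hosts); not taken from the paper.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1   www.example-av.com  liveupdate.example-av.com   # added by bot
0.0.0.0     downloads.example-av.net
10.20.30.40 intranet.corp.local
not-an-address  junk.example
"""

# Watchlist of vendor update hostnames; an assumption for the example.
AV_DOMAINS = {
    "www.example-av.com",
    "liveupdate.example-av.com",
    "downloads.example-av.net",
}


def parse_hosts(text: str) -> Iterator[Tuple[ipaddress._BaseAddress, str]]:
    """Yield (address, hostname) pairs from hosts-file text.

    Comments and blank lines are skipped, one line may name several hosts,
    and a line whose first field is not an address is ignored as malformed.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower()


def find_sinkholed_domains(text: str, watchlist: Set[str] = AV_DOMAINS) -> List[Tuple[str, str]]:
    """Return sorted (hostname, address) pairs where a watched domain is
    pinned to a loopback (127/8, ::1) or unspecified (0.0.0.0) address."""
    hits = []
    for ip, name in parse_hosts(text):
        if name in watchlist and (ip.is_loopback or ip.is_unspecified):
            hits.append((name, str(ip)))
    return sorted(hits)


def find_overridden_domains(text: str, watchlist: Set[str] = AV_DOMAINS) -> List[Tuple[str, str]]:
    """Return every watched domain with any hosts-file entry at all; a vendor
    update host normally has no business being in the hosts file."""
    return sorted((name, str(ip)) for ip, name in parse_hosts(text) if name in watchlist)


if __name__ == "__main__":
    for name, ip in find_sinkholed_domains(SAMPLE_HOSTS):
        print(f"sinkholed: {name} -> {ip}")
```

Checking `is_loopback` rather than the literal string 127.0.0.1 matters, since any address in 127.0.0.0/8 reaches the local host, and reporting every override of a watched domain (not just loopback ones) also catches a bot that redirects updates to a server it controls.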
CONCLUSION Botnets are widely used, and the bots studied communicate using IRC
The details of this paper include descriptions of the functional components of botnets categorized into eight components
Understand your enemy
STRENGTHS Presents information on the different bots in an organized fashion
Is the first step to codifying Botnet capabilities
WEAKNESSES Only presents a high-level overview of a limited number of bots, and only one specific version of each bot
More attention should be paid to a bot family rather than to a single version of a bot
REFERENCES
An Inside Look at Botnets: http://pages.cs.wisc.edu/~pb/botnets_final.pdf
Wikipedia, Botnet: http://en.wikipedia.org/wiki/Botnet
Wikipedia, IRC: http://en.wikipedia.org/wiki/IRC