PROJECT IN COMPUTER SECURITY
MONITORING BOTNETS FROM WITHIN
FINAL PRESENTATION – SPRING 2012

Students: Shir Degani, Yuval Degani
Supervisor: Amichai Shulman
Background
Botnets, large networks of compromised computers, form the main source of application layer attacks against web servers as of today. A botnet is a network built by individually infecting (or “recruiting”) computers via various methods, such as infected websites, downloaded malicious code or abusive use of server-side application vulnerabilities.
Aims and goals
One of the important aspects of investigating this phenomenon is to be able to understand the traffic that a bot generates upon command from the botnet commander. Isolating bot traffic from regular traffic will allow a computer security researcher to develop software for identifying an already infected computer and to block this abusive traffic.
Objectives
- Publish a website application with easy and known vulnerabilities, that will also be maintained and filled with false but real-looking content.
- Join botnets (if not by accident, then by force).
- Accumulate and analyze incoming and outgoing traffic over time.
- Isolate and classify bot traffic.
- Produce a detailed report of the traffic recorded: volume, duration, targets, type of abusive activities, and so on.
- Recognize and generalize patterns of traffic.
Accomplishments
- Collected long-term IRC traffic from various botnets for analysis.
- Analyzed IRC botnet traffic characteristics and botnet capabilities.
- Researched many sources of malicious PHP code.
- Produced a detailed report on the analyzed traffic and code.
- Created a set of tools for the automation of infection and research of PHP IRC botnet code.
- Published a detailed guide on how to research further scripts and use the tools provided.
Methodology
- Publish a website application on a “sandbox” machine.
- Use provided lists of suspicious URLs to try and recognize active botnets.
- Use a different machine to collect IRC traffic on the botnets found.
- Analyze the traffic logs collected.
- Produce a detailed and informative report on each botnet.
Setup
Machines on Amazon EC2:
- Isolated “sandbox” machine running a web server:
  - Windows 2008 R2.
  - WordPress with a blog full of content.
  - Security policy allows only web and IRC traffic.
  - Wireshark running at all times to log packets.
  - mIRC for monitoring chat room activity on the relevant rooms and server.
  - Machine is saved as a snapshot for restore if needed.
- Separate machine for monitoring.
Set of automation tools
While working, we’ve noticed that most of the time is spent on meticulous and rigorous tasks for inspecting URLs and looking for active botnets. This led us to try and automate some of the process, and resulted in a set of tools that reduces most of the overhead that URL inspection requires.
Tool #1: URL downloader
Targets the repetitive task of checking the validity of a list of suspicious URLs, and downloading them for further use.
Algorithm:
- Try different variations on each URL with a few frequent suffixes.
- Number each script that was successfully downloaded and add the .php extension.
Tool #2: IRC traffic sniffer
Targets the time-consuming task of running a suspicious script and checking whether it actuates an active botnet.
Algorithm: for each PHP file in a specified folder:
- Start an Internet Explorer process.
- Copy the PHP file to a provided runnable web-published folder.
- Start a background job for collecting all TCP packets.
- Run the PHP file in the Internet Explorer process for a limited amount of time (timeout parameter provided).
- Kill the Internet Explorer and other PHP processes.
- Stop collecting packets.
- Analyze the packets and look for the following IRC commands:
  - PASS <string>, for the password of the destination server (destination IP and TCP port on the packet).
  - JOIN #<string> <string>, for joining an IRC channel and the channel password.
- Print and add the sniffed info to a file that is named according to the PHP file for further use.
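The packet-analysis step of tool #2 (finding PASS and JOIN in the captured TCP payloads, keyed by destination IP and port) can be written as the following Python. This is an added example, not the project's own tool. It assumes the capture has already been reduced to (destination IP, destination TCP port, payload) tuples, for example by a pcap reader, and the packets it runs on are constructed sample data. It goes a little beyond the slide: payloads are reassembled per destination so a command split across two packets is still parsed, the multi-channel form `JOIN #a,#b key1,key2` from the IRC protocol is handled, and the other RFC 2812 channel prefixes (&, +, !) are accepted besides #. The output is the set of indicators a responder would block or watch for: the IRC server, its password and the channels the infected host is steered into.

```python
"""Pull IRC bot-connection indicators (server, PASS, JOIN) out of captured TCP payloads.

Added example for the packet-analysis step of tool #2; not the project's own tool.
Assumes the capture was already reduced to (dst_ip, dst_port, payload) tuples.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Stream = Tuple[str, int]  # (destination IP, destination TCP port)

# Constructed sample payloads, as an infected web server would send them to its
# IRC server. The JOIN line is deliberately split across two packets.
SAMPLE_PACKETS: List[Tuple[str, int, bytes]] = [
    ("203.0.113.10", 6667, b"PASS s3cretpw\r\nNICK [PHP]srv1\r\n"),
    ("203.0.113.10", 6667, b"USER phpbot 8 * :phpbot\r\nJOIN #cm"),
    ("203.0.113.10", 6667, b"d,#logs ch4nkey\r\n"),
    ("198.51.100.5", 80, b"GET /wp-content/plugins/ HTTP/1.1\r\n"),  # plain HTTP, ignored
]

CHANNEL_PREFIXES = ("#", "&", "+", "!")  # RFC 2812 channel name prefixes


def reassemble_streams(packets) -> Dict[Stream, bytes]:
    """Concatenate payloads per destination so commands split across packets survive."""
    streams: Dict[Stream, bytes] = defaultdict(bytes)
    for dst_ip, dst_port, payload in packets:
        streams[(dst_ip, dst_port)] += payload
    return dict(streams)


def parse_irc_line(line: str) -> Optional[Tuple[str, List[str]]]:
    """Split one IRC line into (COMMAND, params); a trailing ':text' becomes one param."""
    line = line.strip()
    if line.startswith(":"):  # optional source prefix; rare in client-to-server traffic
        parts = line.split(" ", 1)
        if len(parts) < 2:
            return None
        line = parts[1]
    trailing: Optional[str] = None
    if " :" in line:
        line, trailing = line.split(" :", 1)
    tokens = line.split()
    if not tokens:
        return None
    params = tokens[1:]
    if trailing is not None:
        params.append(trailing)
    return tokens[0].upper(), params


def extract_irc_indicators(packets) -> Dict[Stream, dict]:
    """Return {(ip, port): {'password': str|None, 'channels': {name: key|None}}}
    for every destination that received a PASS or JOIN command."""
    found: Dict[Stream, dict] = {}
    for stream, data in reassemble_streams(packets).items():
        info = {"password": None, "channels": {}}
        for raw in re.split(rb"\r?\n", data):
            parsed = parse_irc_line(raw.decode("utf-8", errors="replace"))
            if parsed is None:
                continue
            cmd, params = parsed
            if cmd == "PASS" and params:
                info["password"] = params[0]
            elif cmd == "JOIN" and params:
                channels = params[0].split(",")
                keys = params[1].split(",") if len(params) > 1 else []
                for i, chan in enumerate(channels):
                    if chan.startswith(CHANNEL_PREFIXES):
                        info["channels"][chan] = keys[i] if i < len(keys) else None
        if info["password"] or info["channels"]:
            found[stream] = info
    return found


def format_report(indicators: Dict[Stream, dict]) -> List[str]:
    """One human-readable line per IRC server, in the spirit of the tool's output file."""
    lines = []
    for (ip, port), info in indicators.items():
        chans = ", ".join(
            f"{name} (key {key})" if key else f"{name} (no key)"
            for name, key in info["channels"].items()
        )
        lines.append(f"server {ip}:{port} password={info['password']} join {chans}")
    return lines


if __name__ == "__main__":
    for line in format_report(extract_irc_indicators(SAMPLE_PACKETS)):
        print(line)
```

Only destinations that actually received PASS or JOIN are reported, so ordinary web traffic from the sandbox (the HTTP packet in the sample) drops out, which is the isolation of bot traffic from regular traffic that the objectives call for.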
Results & Conclusions
- Most of the activity on the active botnets involves scanning for vulnerable websites and trying to infect them.
- All vulnerabilities that are used are well-known and documented bugs in WordPress extensions.
- Although they are known, a great number of scanning results appear to be vulnerable: users don’t care enough about updates.
- Real attacks were rare in the data collected.
- A notable DoS attack, a UDP flood, was seen.
- Passing of credit card numbers and identities was noted a few times.
Some Visual Demonstrations
(Images are not included in this transcript; only the slide titles survive.)
- UDP flood
- Complex network of bots and managers
- Timeline example
- Backdoor example
Future work
The final report contains a full guide on how to inspect and analyze IRC botnets:
- Complete methodology guide.
- A list of further investigation directions.
- A user manual for the automation tools.
All of the above provide a big opportunity for future teams to get started very quickly and skip the initial non-productive phases.
Summary
- Our research shows that there is a whole underground culture of Indonesian-sourced botnets that is very much alive and active.
- Most of the activity on these botnets is expanding its army of bots, creating a large enough net of abused servers that can be lucrative for their manager.
- PHP code allows endless possibilities for hijacking and abusing web servers.
The End.