AN INSIDE LOOK AT BOTNETS ARO-DHS SPECIAL WORKSHOP ON MALWARE DETECTION, 2005 Written By: Paul Barford and Vinod Yegneswaran University of Wisconsin, Madison Presented By: Jarrod Williams



OUTLINE

Motivation/Goals
Botnets
Botnet Attributes
Conclusion/Review

MOTIVATION/GOALS

Increase in botnet usage: spam, DDoS, identity theft

The objective of the paper is to understand how botnets work and to find commonalities between them

Botnets studied: Agobot (4.0 Pre-Release), SDBot (05B), SpyBot (1.4), GT Bot with DCOM

MOTIVATION/GOALS

Architecture
Botnet control mechanisms
Host control mechanisms
Propagation mechanisms
Exploits and attack mechanisms
Malware delivery mechanisms
Obfuscation methods
Deception mechanisms

BOTNETS

A collection of compromised computers running software controlled by a single user

Botnets are controlled by a botmaster

Compromised host machines are called zombies

Zombies are controlled by the botmaster over IRC

Many variants of the same bot code base circulate; related variants make up a bot family

BOTNETS

INTERNET RELAY CHAT (IRC)

IRC is a form of real-time Internet text messaging. It is mainly designed for group communication in channels, but it also allows one-to-one communication via private message and data transfers via direct client-to-client (DCC)

Created by Jarkko Oikarinen in August 1988

BOTNET ATTRIBUTES CONSIDERED

Architecture
Botnet control mechanisms
Host control mechanisms
Propagation mechanisms
Exploits and attack mechanisms
Malware delivery mechanisms
Obfuscation methods
Deception mechanisms

AGOBOT (4.0 PRE-RELEASE)

Most sophisticated of the four bots
Released October 2002
Hundreds of variants; also commonly referred to as Phatbot
Roughly 20,000 lines of C/C++
Can launch different kinds of DoS attacks
Harvests the local host for PayPal passwords and AOL keys through traffic sniffing, key logging or searching registry entries

SDBOT (05B)

Fairly simple
Released October 2002
Hundreds of variants
Slightly over 2,000 lines of C
Does not include any overtly malicious code modules
The code is obviously easy to extend and patch
Patches supply the malicious code an attacker needs; 80 patches for SDBot were found through web searching

SPYBOT (1.4)

Relatively small, like SDBot
Released April 2003
Under 3,000 lines of C
The command and control engine appears to be shared with SDBot, and it likely evolved from SDBot
Includes NetBIOS/Kuang/Netdevil/KaZaa exploits
Contains modules for launching flooding attacks and has scanning capabilities

GT BOT WITH DCOM

Simple design providing a limited set of functions
Released April 1998
Global Threat Bot has hundreds of variants and is also referred to as Aristotles
Easy to modify, but nothing suggests it was designed with extensibility in mind
Capabilities include port scanning, DoS attacks, and exploits for RPC and NetBIOS services
Includes the HideWindow program, which keeps the bot hidden on the local system

BOTNET ATTRIBUTES CONSIDERED: PROPAGATION MECHANISMS

AGOBOT (4.0 PRE-RELEASE)

Simple vertical and horizontal scanning
Scanning is based on the network ranges (network prefixes) configured on individual bots

SDBOT (05B)

Because its base distribution claims benign intent, SDBot has no scanning or propagation capability out of the box

Many variants of SDBot include scanning and propagation capability

SPYBOT (1.4)

Simple command interface for scanning
Horizontal and vertical scanning capability
Scans are sequential

Command: scan <start IP address> <port> <delay> <spreader> <logfilename>

Example: scan 127.0.0.1 17300 1 netbios portscan.txt

GT BOT WITH DCOM

Includes support for simple horizontal and vertical scanning

BOTNET ATTRIBUTES CONSIDERED: EXPLOITS AND ATTACK MECHANISMS

AGOBOT (4.0 PRE-RELEASE)

Has the most elaborate set of exploit modules of the four bots analyzed
Bagle scanner: scans for back doors left by Bagle variants on port 2745
Dcom scanner: scans for the well-known DCE-RPC buffer overflow
MyDoom scanner: scans for back doors left by variants of the MyDoom worm on port 3127
Dameware scanner: scans for vulnerable versions of the Dameware network administration tool
NetBIOS scanner: brute-force password scanning for open NetBIOS shares
Radmin scanner: scans for the Radmin buffer overflow
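The slides give two concrete, detectable behaviours: the SpyBot scan command, which walks addresses sequentially from a start IP on one port, and the Agobot scanners that probe fixed backdoor ports (2745 for Bagle, 3127 for MyDoom). The following is an added example, not code from the paper or the presentation. It parses the scan command exactly as shown on the SpyBot slide, lists the hosts a sequential scanner would touch from a given start address, and runs two checks over a constructed set of flow records (the four-field record format is an assumption of this example): a run of consecutive destination hosts on one port or many ports on one host from a single source, and any connection to a listed backdoor port. The association of port 17300 with the Kuang2 backdoor is not stated on the slides.

```python
"""Detection heuristics for the scanning behaviour described on the slides.

Added example, not code from the paper or the presentation.  Flow records
are constructed for this example and use an assumed format:
"<timestamp> <src_ip> <dst_ip> <dst_port>", one connection attempt per line.
"""
import ipaddress
from collections import defaultdict

# Ports the exploit scanners on the slides go after.  2745 (Bagle) and
# 3127 (MyDoom) come from the Agobot slide; 17300 is the port in the SpyBot
# scan example, which is the Kuang2 backdoor port (not stated on the slides).
BACKDOOR_PORTS = {
    2745: "Bagle backdoor",
    3127: "MyDoom backdoor",
    17300: "Kuang2 backdoor",
}

# Constructed sample: 10.0.0.5 walks five consecutive hosts on one port
# (horizontal scan), 10.0.0.9 probes several ports on one host (vertical
# scan), 10.0.0.20 is ordinary web traffic.
SAMPLE_FLOWS = """\
1 10.0.0.5 192.168.1.1 17300
2 10.0.0.5 192.168.1.2 17300
3 10.0.0.5 192.168.1.3 17300
4 10.0.0.5 192.168.1.4 17300
5 10.0.0.5 192.168.1.5 17300
6 10.0.0.9 192.168.1.50 2745
7 10.0.0.9 192.168.1.50 3127
8 10.0.0.9 192.168.1.50 135
9 10.0.0.9 192.168.1.50 139
10 10.0.0.9 192.168.1.50 445
11 10.0.0.20 192.168.1.7 80
12 10.0.0.20 192.168.1.8 443
"""


def parse_scan_command(cmd):
    """Parse a SpyBot-style 'scan <start IP> <port> <delay> <spreader> <logfile>' line."""
    parts = cmd.split()
    if len(parts) != 6 or parts[0] != "scan":
        raise ValueError("not a scan command: %r" % cmd)
    return {
        "start_ip": str(ipaddress.ip_address(parts[1])),
        "port": int(parts[2]),
        "delay": int(parts[3]),
        "spreader": parts[4],
        "logfile": parts[5],
    }


def sequential_targets(start_ip, count):
    """The hosts a sequential scanner starting at start_ip will touch, in order."""
    first = ipaddress.ip_address(start_ip)
    return [str(first + i) for i in range(count)]


def parse_flows(text):
    """Turn the constructed four-field records into (ts, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        flows.append((int(ts), src, dst, int(port)))
    return flows


def longest_consecutive_run(values):
    """Length of the longest run of consecutive integers in arrival order."""
    best = run = 1 if values else 0
    for a, b in zip(values, values[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def detect_scans(flows, min_run=4):
    """Flag horizontal scans (consecutive hosts, one port) and vertical scans
    (several ports, one host).  Returns (src, kind, detail) tuples."""
    by_port = defaultdict(list)  # (src, port) -> destination IPs as ints
    by_host = defaultdict(list)  # (src, dst)  -> ports probed
    for _, src, dst, port in sorted(flows):
        by_port[(src, port)].append(int(ipaddress.ip_address(dst)))
        by_host[(src, dst)].append(port)
    findings = []
    for (src, port), ips in by_port.items():
        run = longest_consecutive_run(ips)
        if run >= min_run:
            findings.append((src, "horizontal", "%d consecutive hosts on port %d" % (run, port)))
    for (src, dst), ports in by_host.items():
        # Exploit scanners hit a fixed set of ports, so count distinct ports
        # rather than requiring them to be consecutive.
        if len(set(ports)) >= min_run:
            findings.append((src, "vertical", "%d ports on %s" % (len(set(ports)), dst)))
    return findings


def detect_backdoor_probes(flows):
    """Connections to the ports the slides' exploit scanners look for."""
    return [(src, dst, port, BACKDOOR_PORTS[port])
            for _, src, dst, port in flows if port in BACKDOOR_PORTS]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in detect_scans(flows):
        print("scan:", *f)
    for h in detect_backdoor_probes(flows):
        print("backdoor probe:", *h)
```

Run as a script it prints the findings for the constructed flows. On real data, feed parse_flows connection-log lines in the same four-field form and tune min_run to the network's baseline: five consecutive destinations on one port is unusual for a workstation but routine for a monitoring host, and a hit on port 2745 or 3127 is worth an alert on its own because nothing legitimate listens there.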

SDBOT (05B)

SDBot does not have any exploits packaged in its standard distribution

It does include modules for sending both UDP and ICMP packets which could be used for simple flooding attacks

Other variants of SDBot contain more exploit modules

SPYBOT (1.4)

This version of SpyBot included only a module that attacks open NetBIOS shares

The DDoS interface is closely related to SDBot's and includes capabilities for launching simple UDP, ICMP, and TCP SYN floods

Other variants of SpyBot contain more exploit modules

GT BOT WITH DCOM

Developed to include RPC-DCOM exploits

Has the capability to launch simple ICMP floods

Other variants of GT Bot contain DDoS capabilities such as UDP and TCP SYN floods as well as other known exploits

BOTNET ATTRIBUTES CONSIDERED: DECEPTION MECHANISMS

AGOBOT (4.0 PRE-RELEASE)

Of the four bots analyzed, only Agobot had elaborate deception mechanisms

Mechanisms included:
Tests for debuggers such as OllyDbg, SoftICE and ProcDump
Test for VMware
Killing anti-virus processes
Altering DNS entries of anti-virus software companies to point to the local host
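Of the deception mechanisms above, the DNS redirection leaves a durable artifact on disk that an incident responder can check for. The following is an added example, not code from the paper or the presentation. It assumes the redirection was done by editing the Windows hosts file (the slides say only that DNS entries are altered), and the vendor domain list and the hosts file contents are constructed for the example. It parses the file, tolerating comments, tabs and several names per line, and reports every entry that maps a security vendor's hostname to the local host.

```python
"""Spot the anti-virus DNS redirection described on the slides in a hosts file.

Added example, not code from the paper or the presentation.  It assumes the
redirection is done by editing the Windows hosts file (the slides only say
DNS entries are altered); the vendor domain list and the sample file are
constructed for this example.
"""

# Domains an infected host should never resolve to itself.  Constructed list;
# extend it with the vendors actually in use.
SECURITY_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "mcafee.com", "kaspersky.com",
    "f-secure.com", "sophos.com", "trendmicro.com", "windowsupdate.com",
}

# The local host (as on the slides) plus the 0.0.0.0 blackhole address that
# is often used for the same purpose.
SINKHOLE_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample file: two legitimate localhost lines, three redirected
# vendor names on two lines, and an ordinary intranet entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com
127.0.0.1\tliveupdate.symantecliveupdate.com
0.0.0.0         download.mcafee.com   # added by "updater"
10.1.2.3        intranet.example.com
"""


def parse_hosts(text):
    """Return (line number, address, hostname) for every mapping in a hosts file.

    Handles '#' comments (whole line or trailing), tabs, and several
    hostnames on one line; malformed lines are skipped rather than raised on.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        for name in names:
            entries.append((lineno, addr, name.lower().rstrip(".")))
    return entries


def matching_vendor_domain(hostname, domains):
    """Return the entry in domains that hostname equals or is a subdomain of."""
    labels = hostname.split(".")
    for i in range(len(labels) - 1):          # longest suffix first
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def find_av_redirects(text, domains=SECURITY_DOMAINS):
    """Hosts-file entries that send a security vendor's name to a sinkhole address."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if addr not in SINKHOLE_ADDRESSES or name == "localhost":
            continue
        vendor = matching_vendor_domain(name, domains)
        if vendor:
            findings.append({"line": lineno, "address": addr,
                             "hostname": name, "vendor_domain": vendor})
    return findings


if __name__ == "__main__":
    for f in find_av_redirects(SAMPLE_HOSTS):
        print("line %(line)d: %(hostname)s -> %(address)s (%(vendor_domain)s)" % f)
```

On a live system the text would be read from %SystemRoot%\System32\drivers\etc\hosts. The match is suffix-based on purpose, so new vendor subdomains are still caught, and the legitimate localhost lines are skipped; a hit is a strong indicator because nothing benign redirects an update server to the local machine.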

CONCLUSION

Botnets are widely used and are controlled over IRC

The paper describes the functional components of botnets, categorized into eight attributes

Understand your enemy

STRENGTHS

Presents information in an organized fashion on the different Bots

Is the first step to codifying Botnet capabilities

WEAKNESSES

Only presents a high-level overview of a limited number of bots, and only one specific version of each

More attention should be paid to a bot family rather than a specific bot version

REFERENCES

Barford, P. and Yegneswaran, V. An Inside Look at Botnets. http://pages.cs.wisc.edu/~pb/botnets_final.pdf

Wikipedia: Botnet. http://en.wikipedia.org/wiki/Botnet

Wikipedia: Internet Relay Chat. http://en.wikipedia.org/wiki/IRC