Bots and Botnets


Forensic analysis of a bot

Introduction

• Wayne Hauber
• Computer consultant since 1984 at Iowa State University
• Started analyzing bots as a major focus in 2002

Bots and Botnets

• Bot – nothing more than a remotely controlled program
• A collection of bots controlled from a central source is a botnet
• Most bots have their origin in some segment of the IRC community
• Botnet controllers are either public IRC servers or custom private IRC servers

Not New

• Floodbots appeared at ISU in the early 1990s. Mostly a nuisance to staff from fringe IRC users
• First SYN flood denial of service attacks in 1997
• See the Hank Nussbacher presentation for a good chronology

What is new

• Organization
• Talent
• Skills
• Complete disregard for the values of mainstream society

IRC Society drives the problem

Pubstros/distros

• In late 2001 and early 2002, the first pubstros appeared at ISU
• Pubstros are servers created on a vulnerable system
• They serve movies, games, software and pornography
• Usually some other software is installed as well: expect password crackers, keyloggers, proxies and network scanners

Pubstros/distros

• Pubstros were created by a highly organized and developed society of IRC users
• Pubstro/distro tutorials were published on the web

Pubstros/distros

• Hierarchical duties were assigned to those establishing pubstros
• One group scanned for proxy systems and installed scanning tools
• Another group scanned for vulnerable systems and posted a list
• Another group laid down the server and the contraband
• Quotas determined status in the group

Pubstros/distros

• A group in the far east supplies movies, often prior to US release dates

Pubstros/distros

• At ISU, we locate some pubstros because they are in our top-20 network traffic list
• Others are detected because they “look the same” as a top-20 pubstro
• Some are detected because other activity is detected by netflow monitoring
• Some are detected when a hacker is clumsy

Pubstros/distros

• Becoming more sophisticated
• Are well hidden – Hacker Defender is a suite of tools to hide your favorite trojan
• Still common – I detected a pubstro on a departmental server at 5:00 p.m. last night!

Organized crime

• See the From Russia with Malice handout: http://www.vnunet.com/analysis/1160302

IRC Society

• Slides are from a presentation by Hank Nussbacher: http://www.interall.co.il/presentations/first-16.pdf

Frequency of attacks

• Page 84 of the Nussbacher presentation
• Page 32 of the Vunderink presentation: http://www.garion.org/tmp/ircdrones.pdf

Size of botnets

• It is common to see botnets with a strength of 1,000 to 2,000 bots
• One record botnet had a strength of hundreds of thousands of bots

Easy tools

• Tools that we have seen at ISU have grown in sophistication and power
• Professional hackers are writing tools
• Many of today’s new viruses are nothing more than hacker tools in active use
• Quote from page 14 of the Vunderink presentation

Sdbot, Korgo, Optix, Spybot

Easy Tools

Optix – a sdbot variant

Detailed Description

The backdoor's file is a PE executable about 93 kilobytes long, packed with Yoda and PECompact file compressors. When the backdoor's file is started, it copies itself as SNDCFG16.EXE to Windows System folder, sets hidden, system and read-only attributes for itself and then creates the following startup keys in the Registry… The backdoor monitors Registry changes and re-creates these keys if they are deleted or modified.

Optix – a sdbot variant

SDBot.MB kills the processes of security and anti-virus software and also processes of certain malware (for example Bagle). The processes with the following names are killed: regedit.exe, msconfig.exe, …a long list…

Optix – a sdbot variant

The backdoor can scan for vulnerable computers using different types of exploits and tries to locate other backdoors installed on remote hosts. Here's the list of scanner capabilities:
• WebDav (port 80)
• NetBios (port 139)
• NTPass (port 445)
• DCom (ports 135, 1025)
• DCom2 (port 135)
• MSSQL (port 1433)
• LSASS (port 445)
• UPNP (port 5000)
• Optix backdoor (port 3140)
• Bagle backdoor (port 2745)
• Kuang backdoor (port 17300)
• Mydoom backdoor (port 3127)
• NetDevil backdoor (port 903)
• SubSeven backdoor (port 27347)
• DameWare remote management software (port 6129)
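The slides mention finding pubstros and bots through netflow monitoring; the scanner port list above gives that idea something concrete to key on. The script below is an added example (not from the presentation or from any vendor description): it reads constructed netflow-style records and flags a host that fans out to many distinct destinations on the listed exploit and backdoor ports while also holding an IRC connection. The flow lines, the fan-out threshold and the IRC port 6667 are assumptions made for the example.

```python
"""Added example: fan-out detection over netflow-style records, keyed on the
scanner ports from the SDBot.MB description. Sample flows are constructed."""
from collections import defaultdict

# Ports from the backdoor's scanner list. Port 80 (WebDav) is left out on
# purpose: ordinary browsing fans out on 80 and would swamp the signal.
SCAN_PORTS = {139, 445, 135, 1025, 1433, 5000, 3140, 2745,
              17300, 3127, 903, 27347, 6129}
IRC_PORTS = {6667}  # assumption: conventional IRC port, not named in the slides

# Constructed flow records: "src_ip dst_ip dst_port packets"
SAMPLE_FLOWS = """\
10.1.2.3 10.9.0.1 445 3
10.1.2.3 10.9.0.2 445 3
10.1.2.3 10.9.0.3 135 2
10.1.2.3 10.9.0.4 1433 2
10.1.2.3 10.9.0.5 2745 1
10.1.2.3 10.9.0.6 3127 1
10.1.2.3 198.51.100.7 6667 120
10.1.2.9 10.9.0.1 445 40
10.1.2.9 203.0.113.5 80 20
"""

def parse_flows(text):
    """Parse constructed flow lines into (src, dst, dport, packets) tuples."""
    flows = []
    for line in text.splitlines():
        src, dst, dport, pkts = line.split()
        flows.append((src, dst, int(dport), int(pkts)))
    return flows

def fan_out(flows, ports):
    """Map each source to the distinct destinations it contacted on `ports`."""
    seen = defaultdict(set)
    for src, dst, dport, _pkts in flows:
        if dport in ports:
            seen[src].add(dst)
    return seen

def flag_scanners(flows, threshold=5):
    """Sources touching >= threshold distinct hosts on scanner ports, paired
    with any IRC peers they hold (candidate command-and-control servers)."""
    irc = fan_out(flows, IRC_PORTS)
    return {src: sorted(irc.get(src, ()))
            for src, dsts in fan_out(flows, SCAN_PORTS).items()
            if len(dsts) >= threshold}

if __name__ == "__main__":
    print(flag_scanners(parse_flows(SAMPLE_FLOWS)))
```

A single host talking to one file server on 445 (like 10.1.2.9 in the sample) never crosses the threshold, which is the point of counting distinct destinations rather than packets.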

Optix – a sdbot variant

The backdoor starts IDENTD server on port 113. A hacker can control the backdoor via a bot that it creates in a certain IRC channel.

Optix – a sdbot variant

Backdoor capabilities are the following:
• start HTTP server on an infected computer
• start FTP server on an infected computer
• scan for vulnerable computers (open ports and exploits)
• make use of exploits and spread to remote computers

Optix – a sdbot variant

• start/stop keylogger
• get system information including information about OS, network and drives
• operate backdoor's bot (nick change, dcc send/receive, join/part channels, etc.)
• perform DDoS (Distributed Denial of Service) attack, SYN, ICMP, UDP flood

Optix – a sdbot variant

• find, download and run files
• search for passwords
• start/stop remote services
• create/delete remote shares
• flush DNS cache

Optix – a sdbot variant

• ping any host
• list, start and kill processes
• sniff network traffic
• start remote command shell
• capture video from a webcam

Optix – a sdbot variant

• capture a screenshot
• redirect traffic on certain ports
• perform portscan
• send e-mails (work as an e-mail proxy)
• open a URL with default web browser

SDBot.MB steals CD keys for the following games if they are installed on an infected computer: Counter-Strike (Retail), The Gladiators, Gunman Chronicles, Half-Life, Industry Giant 2, Legends of Might and Magic, Soldiers Of Anarchy, Unreal Tournament 2003, Unreal Tournament 2004, IGI 2: Covert Strike, Freedom Force, Battlefield 1942, Battlefield 1942 (Road To Rome), Battlefield 1942 (Secret Weapons of WWII), Battlefield Vietnam, Black and White, Command and Conquer: Generals (Zero Hour), James Bond 007: Nightfire, Command and Conquer: Generals, Global Operations, Medal of Honor: Allied Assault, Medal of Honor: Allied Assault: Breakthrough, Medal of Honor: Allied Assault: Spearhead, Need For Speed Hot Pursuit 2, Need For Speed: Underground, Shogun: Total War: Warlord Edition, FIFA 2002, FIFA 2003, NHL 2002, NHL 2003, Nascar Racing 2002, Nascar Racing 2003, Rainbow Six III RavenShield, Command and Conquer: Tiberian Sun, Command and Conquer: Red Alert, Command and Conquer: Red Alert 2, NOX, Chrome, Hidden & Dangerous 2, Soldier of Fortune II - Double Helix, Neverwinter Nights, Neverwinter Nights (Shadows of Undrentide), Neverwinter Nights (Hordes of the Underdark). Also the backdoor steals the Microsoft Windows Product ID.

Protecting client systems

Comments from Vunderink

Some conclusions

• Security threats have changed
• Our clients have no idea that the security paradigm has changed
• Policy makers do not know that security threats have changed
• I am less pessimistic than Vunderink. I think that we will succeed in educating policy makers…but we won’t succeed in educating our clients.

1. A good overview of botnets: Malicious Bots Threaten Network Security, David Geer. IEEE Computer, January 2005
2. An article that provides examples of organized crime and botnets: From Russia with Malice, http://www.vnunet.com/analysis/1160302
3. Slides from a presentation that provide a good history of DDoS and techniques for fighting DDoS: Fighting Internet Diseases: DDoS, worms and miscreants, Hank Nussbacher and Nicolas Fischbach. http://www.interall.co.il/presentations/first-16.pdf
4. Slides from a presentation by an IRC administrator who is fighting botnets: IRC and Drones: Investigating botnets on IRC, Joost "Garion" Vunderink. http://www.garion.org/tmp/ircdrones.pdf
5. A paper that presents a complete forensic analysis of a compromised system: GIAC Certified Forensic Analyst (GCFA) Practical Assignment, Jennifer Kolde, SANS Institute. http://www.giac.org/practical/GCFA/Jennifer_Kolde_GCFA.pdf

Hank Nussbacher’s picks for DDoS references

A large number of papers and presentations can be found at the public page: https://puck.nether.net/mailman/listinfo/nsp-security

In addition, I have found these to be useful:
• http://staff.washington.edu/dittrich/misc/ddos/
• http://www.linuxsecurity.com/resource_files/intrusion_detection/ddos-faq.html
• http://www.networkcomputing.com/1201/1201f1c1.html
• http://www.sans.org/dosstep/index.php
• http://downloads.securityfocus.com/library/sn_ddos.doc

Other good references

• A good overview of DDoS: http://www.cisco.com/en/US/about/ac123/ac147/archived_issues/ipj_7 4/dos_attacks.html
• Using SNORT to detect rogue IRC bot programs: http://www.giac.org/certified_professionals/practicals/gsec/4095.php

My slides

http://tech.ait.iastate.edu/winsecurity/presentations/infraguard.ppt

Detecting a new bot

Good free tools from sysinternals.com:
• TCPView
• Process Explorer
• Autoruns
• Regmon
• Filemon
• RootkitRevealer