An Inside Look at Botnets


Paul Barford
Vinod Yegneswaran
Computer Sciences Department
University of Wisconsin, Madison
Omar Hemmali
CAP 6135


Introduction
Architecture & Seven key mechanisms
◦ Architecture
◦ Control mechanisms
◦ Methods for propagation and attack


Contributions
Shortfalls




The evolution of malware is driven primarily
by improvements in defense mechanisms.
Worms and DoS attacks get most of the media
coverage, while a larger problem is
overlooked.
Botnets are the more serious threat on the
Internet today.
Botnets trace their roots to benign IRC
channel-management bots.



Botnets have increased in capability over the
years.
Botnets have grown large and widespread.
The focus has shifted from vandalism to for-profit malicious activity.

Comparison of 4 different bot families:
◦ Agobot
◦ SDBot
◦ SpyBot
◦ GT Bot








Architecture
Botnet Control Mechanisms
Host Control Mechanisms
Propagation Mechanisms
Exploits and Attack Mechanisms
Malware Delivery Mechanisms
Obfuscation Mechanisms
Deception Mechanisms







Architecture

Agobot
20K LoC C/C++
Many high-level components
IRC-based C2 mechanism
Can launch different DoS attacks
Can harvest passwords
Fortifies the compromised host against attack
Actively attempts to prevent its own removal





3K LoC C
Does not try to hide its malicious intent
Contains exploits for P2P and comm
programs
Has IP scanning capabilities
Modules for DoS attacks





Botnet Control Mechanisms

SDBot
Uses a lightweight version of IRC.
Bots can rejoin channels if they get kicked.
They keep track of their master.
Commands are sent as IRC PRIVMSG messages.
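The PRIVMSG-based control loop described above is easy to recognise on the wire. The following Python script is an added example (my code, not code from the paper or from any of the bot families it surveys): it parses a constructed IRC session between a bot and its master and extracts the two behaviours the slide names, commands carried in PRIVMSG and an automatic rejoin after a KICK. The channel name, nicks, command sigil and command verbs are made-up assumptions.

```python
import re

# Constructed IRC session (not a real capture): a bot joins, is kicked,
# rejoins, and receives commands from the master over PRIVMSG.
SAMPLE_SESSION = """\
:bot-a1!u@h JOIN #ctrl
:master!m@h PRIVMSG #ctrl :.login s3cret
:master!m@h PRIVMSG #ctrl :.scan 10.0.0.0/24 445
:ops!o@h KICK #ctrl bot-a1 :go away
:bot-a1!u@h JOIN #ctrl
:master!m@h PRIVMSG bot-a1 :.ddos udp 198.51.100.7 80 60
:alice!a@h PRIVMSG #ctrl :hi everyone
"""

# prefix (nick!user@host), command, and the rest of the line
IRC_LINE = re.compile(r"^:(?P<nick>[^!\s]+)(?:!\S+)?\s+(?P<cmd>[A-Z]+)\s+(?P<args>.*)$")


def parse_line(line):
    """Return (nick, command, params, trailing) for one IRC line, or None."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    params, _, trailing = m.group("args").partition(" :")
    if params.startswith(":"):          # only a trailing argument present
        params, trailing = "", params[1:]
    return m.group("nick"), m.group("cmd"), params.split(), trailing


def is_bot_command(trailing):
    """Bot masters usually prefix commands with a sigil; '.' and '!' are assumed here."""
    return bool(re.match(r"^[.!][a-z]+(\s|$)", trailing))


def analyze_session(text):
    """Extract C2 commands and rejoin-after-kick events from an IRC session."""
    commands, rejoins = [], []
    kicked = {}  # channel -> set of nicks that were kicked from it
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        nick, cmd, params, trailing = parsed
        if cmd == "PRIVMSG" and params and is_bot_command(trailing):
            verb, *args = trailing.split()
            commands.append({"from": nick, "target": params[0],
                             "verb": verb.lstrip(".!"), "args": args})
        elif cmd == "KICK" and len(params) >= 2:
            kicked.setdefault(params[0], set()).add(params[1])
        elif cmd == "JOIN" and params and nick in kicked.get(params[0], set()):
            rejoins.append((nick, params[0]))   # the rejoin behaviour SDBot shows
    return commands, rejoins


if __name__ == "__main__":
    cmds, rejoins = analyze_session(SAMPLE_SESSION)
    for c in cmds:
        print(f"C2 command from {c['from']} to {c['target']}: {c['verb']} {' '.join(c['args'])}")
    for nick, chan in rejoins:
        print(f"{nick} rejoined {chan} after being kicked")
```

Run over a real IRC capture, the same two signals (sigil-prefixed PRIVMSG traffic and bots that rejoin within seconds of a KICK) are what distinguish a control channel from ordinary chat; the sigil list and the verbs are the parts you would tune per family.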




GT Bot
Uses IRC as the control infrastructure
Very few commands are consistent among
members of the family
Can invoke IP scanning




Host Control Mechanisms
Purpose is to fortify the compromised host
against removal of the bot
Agobot
Can return CD keys, registry info, emails
Able to kill specific processes that may try to
clean the infected host.





SDBot
Controls are somewhat limited
Can remotely download files
Can create and terminate processes
Can send CD keys for popular games to the
bot master



Propagation Mechanisms

SpyBot and GT Bot
Have simple horizontal and vertical scanners
Just run through IPs in order.
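A scanner that walks an address range in order leaves an obvious footprint in flow logs. The following Python script is an added example (my code, not code from the paper or the bots) that takes constructed flow records (source, destination, destination port) and reports horizontal scans (one source, one port, many destination hosts, optionally in consecutive address order) and vertical scans (one source, one host, many ports). The thresholds and the addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (src, dst, dport); not real traffic.
# 10.9.9.9 walks 192.0.2.1-8 on port 445 in order (horizontal, sequential).
# 10.7.7.7 probes eight ports on one host (vertical).
# 10.1.1.1 is ordinary traffic.
FLOWS = [
    ("10.9.9.9", "192.0.2.1", 445), ("10.9.9.9", "192.0.2.2", 445),
    ("10.9.9.9", "192.0.2.3", 445), ("10.9.9.9", "192.0.2.4", 445),
    ("10.9.9.9", "192.0.2.5", 445), ("10.9.9.9", "192.0.2.6", 445),
    ("10.9.9.9", "192.0.2.7", 445), ("10.9.9.9", "192.0.2.8", 445),
    ("10.7.7.7", "192.0.2.50", 21), ("10.7.7.7", "192.0.2.50", 22),
    ("10.7.7.7", "192.0.2.50", 23), ("10.7.7.7", "192.0.2.50", 25),
    ("10.7.7.7", "192.0.2.50", 80), ("10.7.7.7", "192.0.2.50", 135),
    ("10.7.7.7", "192.0.2.50", 139), ("10.7.7.7", "192.0.2.50", 445),
    ("10.1.1.1", "192.0.2.10", 80), ("10.1.1.1", "192.0.2.11", 443),
]

HORIZ_MIN_HOSTS = 5   # thresholds are assumptions; tune them to the network
VERT_MIN_PORTS = 5
SEQ_MIN_RUN = 4       # consecutive addresses that mark an in-order scan


def longest_sequential_run(addrs):
    """Length of the longest run of consecutive IPv4 addresses in addrs."""
    ints = sorted({int(ipaddress.ip_address(a)) for a in addrs})
    if not ints:
        return 0
    best = run = 1
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect_scans(flows):
    """Return horizontal and vertical scan alerts derived from flow tuples."""
    by_src_port = defaultdict(set)   # (src, dport) -> destination hosts
    by_src_dst = defaultdict(set)    # (src, dst)   -> destination ports
    for src, dst, dport in flows:
        by_src_port[(src, dport)].add(dst)
        by_src_dst[(src, dst)].add(dport)
    alerts = []
    for (src, dport), hosts in by_src_port.items():
        if len(hosts) >= HORIZ_MIN_HOSTS:
            run = longest_sequential_run(hosts)
            alerts.append({"type": "horizontal", "src": src, "dport": dport,
                           "hosts": len(hosts), "sequential": run >= SEQ_MIN_RUN})
    for (src, dst), ports in by_src_dst.items():
        if len(ports) >= VERT_MIN_PORTS:
            alerts.append({"type": "vertical", "src": src, "dst": dst,
                           "ports": len(ports)})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(FLOWS):
        print(alert)
```

The "sequential" flag is what separates the naive in-order scanners the slide describes from scanners that randomise their target order; the latter still trip the host-count threshold, they just do not produce a consecutive run.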





Agobot
Very elaborate
Scans for back doors left by other worms
Scans for passwords from open SQL servers
Provides 7 DDoS attack commands



Exploits and Attack Mechanisms

GT Bot
Makes use of DCOM exploits
Has DDoS capabilities in the form of UDP and
TCP floods.





Malware Delivery Mechanisms

GT Bot
Delivers the exploit in a single script
Agobot
First exploits an existing vulnerability,
then opens a shell on the remote host


Obfuscation Mechanisms

Agobot is the only one of the four that has any
obfuscation mechanisms.
It uses four different polymorphic schemes.
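The point of a polymorphic scheme is that the same bot body produces a different byte stream on every build or infection, so a byte-pattern signature written against one sample misses the next. The following Python script is an added illustration of that idea (my code, not Agobot's engines or any code from the paper): two toy transforms, XOR with a key byte and a bit rotation, each selected and keyed at random, plus the matching decoder and a check of how many variants a naive signature still matches. The transforms, header layout and sample payload are assumptions made for the example.

```python
import os


def rol8(b, n):
    """Rotate an 8-bit value left by n bits."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror8(b, n):
    """Rotate an 8-bit value right by n bits."""
    return rol8(b, 8 - (n % 8))


# scheme id -> (forward transform, inverse transform); real engines chain several
SCHEMES = {
    0: (lambda b, k: b ^ k, lambda b, k: b ^ k),            # XOR with key byte
    1: (lambda b, k: rol8(b, k), lambda b, k: ror8(b, k)),  # rotate by key bits
}


def encode(payload: bytes, scheme=None, key=None) -> bytes:
    """Return a 2-byte header (scheme, key) followed by the transformed payload.

    With no arguments the scheme and key are chosen at random, so repeated
    calls on the same payload yield different bodies.
    """
    if scheme is None:
        scheme = os.urandom(1)[0] % len(SCHEMES)
    if key is None:
        key = os.urandom(1)[0] or 1        # XOR with 0 would be a no-op
    if scheme == 1:
        key = key % 7 + 1                  # rotation by 0 or 8 would be a no-op
    fwd = SCHEMES[scheme][0]
    return bytes([scheme, key]) + bytes(fwd(b, key) for b in payload)


def decode(blob: bytes) -> bytes:
    """Recover the payload from the header and transformed body."""
    scheme, key = blob[0], blob[1]
    inv = SCHEMES[scheme][1]
    return bytes(inv(b, key) for b in blob[2:])


def signature_hits(blobs, signature: bytes) -> int:
    """How many of the given variants a naive byte-pattern signature matches."""
    return sum(signature in blob for blob in blobs)


# Constructed stand-in for a bot body; not taken from any real sample.
PAYLOAD = b"GET /update HTTP/1.0\r\nHost: c2.example\r\n\r\n"

if __name__ == "__main__":
    variants = [encode(PAYLOAD) for _ in range(5)]
    assert all(decode(v) == PAYLOAD for v in variants)
    print("distinct encoded bodies:", len({v[2:] for v in variants}))
    print("signature hits on plaintext:", signature_hits([PAYLOAD], b"Host: c2.example"))
    print("signature hits on variants:", signature_hits(variants, b"Host: c2.example"))
```

Note what does not change between variants: the two-byte header and the decoder routine that must accompany the body. In practice that decoder stub, not the encrypted body, is what detection engines match on, which is why real engines go to lengths to vary the decoder as well.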





Deception Mechanisms

Again, Agobot is the only one of the four with any
elaborate mechanisms
Tests for debuggers
Tests for VMware
Kills anti-virus processes
Alters DNS entries for anti-virus update sites to
point to localhost
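The last item is the one an incident responder can check for directly. Redirecting anti-virus update names to localhost is, by assumption here, done with entries in the local hosts file (the slide only says "DNS entries"; the hosts file is the usual place such a redirect lands). The following Python script is an added example (my code, not the bot's) that parses a constructed hosts file and flags every non-local hostname bound to a loopback or null address, handling comments, IPv6 loopback and several names on one line. The vendor hostnames are made up.

```python
import ipaddress

# Constructed hosts file content (not taken from any real host).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost ip6-localhost
10.0.0.5        fileserver.corp.example
127.0.0.1       update.av-vendor.example liveupdate.av-vendor.example  # added by bot
0.0.0.0         downloads.av-vendor.example
"""

# Names that legitimately map to loopback; extend for the platform being examined.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "broadcasthost"}
# Addresses commonly used to blackhole a name besides 127.0.0.0/8 and ::1.
SINKHOLE_ADDRS = {ipaddress.ip_address("0.0.0.0")}


def is_sinkhole(addr):
    """True if a mapping to this address makes the name unreachable."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip in SINKHOLE_ADDRS


def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping, ignoring comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue   # malformed line; a stricter tool would report it
        for name in names:
            yield addr, name.lower(), n


def find_hijacked_names(text):
    """Return (hostname, address, line_no) for non-local names sent to a sinkhole."""
    return [(name, addr, n) for addr, name, n in parse_hosts(text)
            if is_sinkhole(addr) and name not in LOCAL_NAMES]


if __name__ == "__main__":
    for name, addr, n in find_hijacked_names(SAMPLE_HOSTS):
        print(f"line {n}: {name} -> {addr}")
```

On a live system the input would be read from /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts; a hit for a vendor update domain is strong evidence of this deception technique, and the entry should be collected before it is removed.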


Contributions

Compiled a lot of information about different
flavors of botnets.
Demonstrated that compromised machines not
only act as zombies for the bot master but also
expose their users to identity theft.

Shortfalls

While the paper covers many different effects
of botnets, it does not propose ways to mitigate
them.