Date post: 04-Jan-2016
AN INSIDE LOOK AT BOTNETS Barford, Paul and Yegneswaran Advances in Information Security, Springer, 2006 Kishore Padma Raju
Page 1

AN INSIDE LOOK AT BOTNETS

Barford, Paul and Yegneswaran
Advances in Information Security, Springer, 2006

Kishore Padma Raju

Page 2

INTRODUCTION

• Attacks for financial gain
• Proactive methods
• Understanding of malicious software readily available
• 4 IRC botnet codebases along 7 dimensions

Page 3

ARCHITECTURE

• AGOBOT (Phatbot)
  – Found in October 2002
  – Sophisticated and best-written source code
  – 20,000 lines of C/C++
  – High-level components:
    • IRC-based command and control mechanism
    • Large collection of target exploits
    • DoS attacks
    • Harvest the local host

Page 4

• SDBOT
  – October 2002
  – Simple code in C, 2,000 lines
  – IRC-based command and control system
  – Easy to extend, so many patches available (DoS attacks, information harvesting routines)
  – Motivation for patch dissemination is diffusion of accountability

Page 5

• SPYBOT
  – 3,000 lines of C code
  – April 2003
  – Evolved from SDBOT
    • No diffusion of accountability
  – Includes scanning capability and launching flooding attacks
  – Efficient

Page 6

• GTBOT (Global Threat) (Aristotles)
  – Based on functions of mIRC (writes event handlers for remote nodes)
  – Capabilities are:
    • Port scanning
    • DoS attacks
  – Stored in file mirc.ini
  – Remote execution
    • BNC (proxy system), psexec.exe
• Implications

Page 7

BOTNET CONTROL MECHANISMS

• Communication
• Command language and control protocols
• Based on IRC
• Commands
  – Deny service
  – Spam
  – Phish

Page 8

• Agobot
  – Command language contains standard IRC commands and commands specific to this bot
  – Bot commands perform specific functions:
    • Bot.open
    • Cvar.set
    • Ddos_max_threads

Page 9

• SDBOT
  – Command language shown as a state diagram of the IRC session (figure; only its labels survive, listed here): NICK USER, PONG, USERHOST, JOIN, EST, ACTION/RESET/REJOIN, NICK, PING, 302, KICK, 353, PART/QUIT, PRIVMSG/NOTICE/TOPIC, 001/005

Page 10

• SPYBOT
  – Command language simple
  – Commands are login, passwords, disconnect, reconnect, uninstall, spy, loadclones, killclones
• GTBOT
  – Simplest
  – Varies across versions
  – Commands are !ver, !scan, !portscan, !clone.*, !update
• IMPLICATIONS
  – Now simple
  – Future: encrypted communication
  – Fingerprinting methods

Page 11

HOST CONTROL MECHANISMS

• Manipulate victim host
• AGOBOT
  – Commands to harvest sensitive information (harvest.cdkeys, harvest.emails, registry, windowskeys)
  – List and kill processes (pctrl.list, kill, killpid)
  – Add or delete autostart entries (inst.asadd, asdel)
• SDBOT
  – Remote execution commands and gathering of local information
  – Patches
  – Host control commands (download, killthread, update)

Page 12

• SPYBOT
  – Control commands for file manipulation, key logging, remote command execution
  – Commands are delete, execute, makedir, startkeylogger, stopkeylogger, reboot, update
• GTBOT
  – Gathering local system information
  – Run or delete local files
• IMPLICATIONS
  – Underscore the need to patch
  – Stronger protection boundaries
  – Gathering sensitive information

Page 13

PROPAGATION MECHANISMS

• Search for new host systems
• Horizontal and vertical scan
• AGOBOT
  – IP addresses within network ranges
  – Scan.addnetrange, scan.delnetrange, scan.enable
• SDBOT
  – Same as Agobot
  – NETBIOS scanner
    • Starting and end IP addresses
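The horizontal/vertical distinction on this slide, written out as a detection routine over flow records. This is an added example, not code from the slides or from the paper; the flow records are constructed and the thresholds are assumptions. Besides counting fan-out, it reports whether a horizontal sweep walked a contiguous run of addresses, which is the footprint a start-address/end-address or net-range scanner of the kind the slide attributes to Agobot and Sdbot leaves in flow logs.

```python
"""Horizontal vs. vertical scan detection over flow records.

Added example; not code from the slides or the paper. The flow records
below are constructed, and the thresholds are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample flows: (src, dst, dport). One host sweeps port 445
# across a contiguous slice of a /24 (horizontal), another walks many ports
# on a single target (vertical); the remaining flows are ordinary traffic.
SAMPLE_FLOWS = (
    [("10.0.0.5", f"192.168.1.{i}", 445) for i in range(10, 30)]
    + [("10.0.0.7", "192.168.1.50", p)
       for p in (21, 22, 23, 25, 80, 135, 139, 443, 445, 3389)]
    + [("10.0.0.9", "192.168.1.2", 80), ("10.0.0.9", "192.168.1.3", 80),
       ("10.0.0.9", "192.168.1.2", 443)]
)


def is_contiguous(addrs):
    """True if the addresses form one unbroken ascending run, the pattern a
    start/end-address sweep produces."""
    nums = sorted(int(ip_address(a)) for a in addrs)
    return len(nums) > 1 and nums[-1] - nums[0] == len(nums) - 1


def classify_scans(flows, host_threshold=8, port_threshold=6):
    """Return {src: [finding, ...]} for sources whose fan-out crosses a threshold.

    horizontal: one source, one port, many distinct destinations
    vertical:   one source, one destination, many distinct ports
    Thresholds are assumed values; tune them to the monitored network.
    """
    dsts_per_src_port = defaultdict(set)
    ports_per_src_dst = defaultdict(set)
    for src, dst, dport in flows:
        dsts_per_src_port[(src, dport)].add(dst)
        ports_per_src_dst[(src, dst)].add(dport)

    findings = defaultdict(list)
    for (src, dport), dsts in dsts_per_src_port.items():
        if len(dsts) >= host_threshold:
            findings[src].append({
                "kind": "horizontal",
                "port": dport,
                "hosts": len(dsts),
                "sequential": is_contiguous(dsts),
            })
    for (src, dst), ports in ports_per_src_dst.items():
        if len(ports) >= port_threshold:
            findings[src].append({
                "kind": "vertical",
                "target": dst,
                "ports": len(ports),
            })
    return dict(findings)


if __name__ == "__main__":
    for src, items in classify_scans(SAMPLE_FLOWS).items():
        for finding in items:
            print(src, finding)
```

The two counters are deliberately keyed the opposite way round: a horizontal scan is wide in destinations and narrow in ports, a vertical scan the reverse, so neither shows up in the other's table. The `sequential` flag is what separates a range sweep from, say, a service that legitimately talks to many hosts on one port.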

Page 14

• SPYBOT
  – Command interface
    • Command: Scan <startipaddress> <port> <delay> <spreaders> <logfilename>
    • Example: Scan 127.0.0.1 17300 1 netbios portscan.txt
• GTBOT
  – Horizontal and vertical scanning
• IMPLICATIONS
  – Simple scanning methods
  – Source code examination
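Slide 10 lists "fingerprinting methods" as the implication of the plaintext command languages, and slides 8 through 14 supply the vocabulary to fingerprint on: Agobot's dotted module.command names, the Sdbot, Spybot and GTBot command words, and the Spybot Scan argument grammar. The added example below, which is not code from the slides or from the paper, matches IRC PRIVMSG lines against that vocabulary and reports every family a message could belong to, since words like "update" appear in more than one. The IRC lines are constructed; stripping a leading "." before matching, the module-prefix heuristic for Agobot, and the alert layout are assumptions.

```python
"""Fingerprint IRC traffic against the bot command vocabularies on slides 8-14.

Added example, not code from the slides or the paper. The IRC lines are
constructed; the leading-dot stripping, the Agobot prefix heuristic and
the alert layout are assumptions.
"""
import re

# Vocabularies as listed on the slides, lower-cased for matching.
AGOBOT_PREFIXES = ("bot.", "cvar.", "harvest.", "pctrl.", "inst.", "scan.", "ddos.")
SDBOT_WORDS = {"download", "killthread", "update", "udp", "ping"}
SPYBOT_WORDS = {"login", "passwords", "disconnect", "reconnect", "uninstall", "spy",
                "loadclones", "killclones", "delete", "execute", "makedir",
                "startkeylogger", "stopkeylogger", "reboot", "update", "scan"}
GTBOT_WORDS = {"!ver", "!scan", "!portscan", "!update"}
GTBOT_PATTERNS = (re.compile(r"^!clone\.\w+$"),)  # the slide's "!clone.*"

PRIVMSG_RE = re.compile(r"^(?::(?P<prefix>\S+) )?PRIVMSG (?P<target>\S+) :(?P<text>.*)$")
# Spybot grammar from slide 14: Scan <startip> <port> <delay> <spreaders> <logfile>
SPYBOT_SCAN_RE = re.compile(r"^scan\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$", re.I)

# Constructed sample IRC log (not captured traffic). The URL host is a placeholder.
SAMPLE_LINES = [
    ":op!op@10.0.0.1 PRIVMSG #chan :.bot.open",
    ":op!op@10.0.0.1 PRIVMSG #chan :cvar.set ddos_max_threads 5",
    ":op!op@10.0.0.1 PRIVMSG #chan :Scan 127.0.0.1 17300 1 netbios portscan.txt",
    ":op!op@10.0.0.1 PRIVMSG #chan :!portscan",
    ":op!op@10.0.0.1 PRIVMSG #chan :!clone.join #other",
    ":alice!a@10.0.0.2 PRIVMSG #chan :hey, lunch at noon?",
    ":op!op@10.0.0.1 PRIVMSG #chan :update http://example.invalid/x.exe",
    "PING :server",
]


def parse_privmsg(line):
    """Split one IRC line into prefix/target/text, or None if it is not a PRIVMSG."""
    m = PRIVMSG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_command(text):
    """Return sorted (family, evidence) pairs for one message text; [] if none match."""
    words = text.split()
    if not words:
        return []
    first = words[0].lower()
    bare = first.lstrip(".")  # assumption: a leading '.' is a command marker, not part of the name
    hits = []
    if any(bare.startswith(p) for p in AGOBOT_PREFIXES):
        hits.append(("agobot", bare))
    if bare in SDBOT_WORDS:
        hits.append(("sdbot", bare))
    if bare in SPYBOT_WORDS:
        hits.append(("spybot", bare))
    if first in GTBOT_WORDS or any(p.match(first) for p in GTBOT_PATTERNS):
        hits.append(("gtbot", first))
    return sorted(hits)


def parse_spybot_scan(text):
    """Pull the fields out of a Spybot Scan command, or None if text is not one."""
    m = SPYBOT_SCAN_RE.match(text.strip())
    if not m:
        return None
    start, port, delay, spreader, logfile = m.groups()
    return {"start": start, "port": int(port), "delay": int(delay),
            "spreader": spreader, "log": logfile}


def scan_log(lines):
    """Run every line through the matcher; one alert per message that fingerprints."""
    alerts = []
    for line in lines:
        msg = parse_privmsg(line)
        if not msg:
            continue
        families = classify_command(msg["text"])
        if families:
            alerts.append({
                "target": msg["target"],
                "families": [f for f, _ in families],
                "evidence": families[0][1],
                "scan": parse_spybot_scan(msg["text"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LINES):
        print(alert)
```

The ambiguous "update" line is reported under both Sdbot and Spybot rather than forced into one family; attribution in practice comes from the surrounding session (the NICK/USER and numeric-reply sequence of slide 9 for Sdbot, for instance), and the slide's own caveat applies: this only works while the command channel is plaintext.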

Page 15

EXPLOITS AND ATTACK MECHANISMS

• Attack known vulnerabilities on target systems
• AGOBOT
  – Broadening set of exploits
  – Generic DDoS module
    • Enables seven types of denial-of-service attacks
    • Ddos.udpflood, synflood, httpflood, phatsyn, phaticmp, phatwonk, targa3, stop
• SDBOT
  – UDP and ICMP packets, flooding attacks
  – udp <host> <#pkts> <pktsz> <delay> <port> and ping <host> <#pkts> <pktsz> <timeout>

Page 16

• SPYBOT AND GTBOT
  – Same as Sdbot
• IMPLICATIONS
  – Multiple exploits

Page 17

MALWARE DELIVERY MECHANISMS

• GT/SD/SPY bots deliver exploit and encoded malware in a single package
• Agobot
  – Exploits vulnerability and opens a shell on the remote host
  – Encoded binary is then sent using HTTP or FTP

IMPLICATIONS

Page 18

OBFUSCATION MECHANISMS

• Hide the details
• Polymorphism
• AGOBOT
  – POLY_TYPE_XOR
  – POLY_TYPE_SWAP
  – POLY_TYPE_ROR
  – POLY_TYPE_ROL
• IMPLICATIONS
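The four POLY_TYPE names above describe byte-level transforms whose point is that a signature written for the plaintext payload no longer matches the encoded one. The added example below, which is not code from the slides or from the Agobot source, works through that from the analyst's side: apply one of the transforms, confirm the plaintext signature is gone, and recover the original by trying every (type, key) pair. The exact semantics Agobot gives each type are not on the slide, so the definitions here (XOR with a one-byte key, SWAP of adjacent byte pairs, ROR/ROL of each byte by the key's bit count) are assumptions, and the sample plaintext is constructed.

```python
"""Byte-level polymorphic transforms of the four kinds slide 18 names for
Agobot (XOR, SWAP, ROR, ROL), from an analyst's side: apply one, show that
a static signature no longer matches, and recover the plaintext.

Added example, not code from the slides or from the Agobot source. The
semantics of each POLY_TYPE are assumptions; the sample is constructed.
"""
from enum import Enum


class PolyType(Enum):
    XOR = "POLY_TYPE_XOR"    # every byte XORed with a one-byte key
    SWAP = "POLY_TYPE_SWAP"  # adjacent byte pairs exchanged (key unused)
    ROR = "POLY_TYPE_ROR"    # every byte rotated right by key bits
    ROL = "POLY_TYPE_ROL"    # every byte rotated left by key bits


def _rol8(b, n):
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def _ror8(b, n):
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def encode(data, ptype, key):
    """Apply one transform to a bytes object (assumed semantics, see PolyType)."""
    if ptype is PolyType.XOR:
        return bytes(b ^ (key & 0xFF) for b in data)
    if ptype is PolyType.SWAP:
        out = bytearray(data)
        for i in range(0, len(out) - 1, 2):  # a trailing odd byte is left alone
            out[i], out[i + 1] = out[i + 1], out[i]
        return bytes(out)
    if ptype is PolyType.ROR:
        return bytes(_ror8(b, key) for b in data)
    if ptype is PolyType.ROL:
        return bytes(_rol8(b, key) for b in data)
    raise ValueError(f"unknown poly type: {ptype}")


# XOR and SWAP undo themselves; ROR undoes ROL and vice versa.
_INVERSE = {PolyType.XOR: PolyType.XOR, PolyType.SWAP: PolyType.SWAP,
            PolyType.ROR: PolyType.ROL, PolyType.ROL: PolyType.ROR}


def decode(data, ptype, key):
    """Undo encode(data, ptype, key)."""
    return encode(data, _INVERSE[ptype], key)


def recover(blob, signature):
    """Analyst helper: try every (type, key) pair, 4 x 256 = 1024 candidates,
    and return the first under which the known plaintext signature reappears,
    or None. A rotation left by n and right by 8-n are the same permutation,
    so either may be reported for a rotated blob."""
    for ptype in PolyType:
        for key in range(256):
            if signature in decode(blob, ptype, key):
                return ptype, key
    return None


# Constructed sample: an IRC line that a plaintext signature would catch.
SAMPLE_PLAIN = b"PRIVMSG #bots :.bot.open"
SIGNATURE = b"PRIVMSG"


def demo():
    """Encode the sample with ROL/3, show the signature is gone, then recover it."""
    blob = encode(SAMPLE_PLAIN, PolyType.ROL, 3)
    found = recover(blob, SIGNATURE)
    return {
        "signature_in_plain": SIGNATURE in SAMPLE_PLAIN,
        "signature_in_blob": SIGNATURE in blob,
        "recovered": found is not None and decode(blob, *found) == SAMPLE_PLAIN,
    }


if __name__ == "__main__":
    print(demo())
```

The small key space is the lesson: 1024 candidates is nothing, so the value of these transforms to the bot author is purely in defeating byte-exact signatures on the wire or on disk, not in resisting analysis. A detector that decodes candidates before matching, or that matches on behaviour rather than bytes, is unaffected.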

Page 19

CONCLUSIONS

• Expanded the knowledge base for security research
• Lethal classes of Internet threats
• Functional components of botnets

Page 20

WEAKNESSES

• Study only IRC
• No preventive mechanisms
• No dynamic profiling of botnet executables
• Insufficient analysis

Page 21

IMPROVEMENTS

• Dynamic profiling can be executed using some tools
• Botnet monitoring mechanism can be explained
• Analysis for peer-to-peer infrastructure

