Page 1: The Creation and Detection of a Botnet Stuart Henderson Ethical … · 2013-12-28 · that there were variants of Zeus that also targeted BlackBerry and Android phone operating systems

The Creation and Detection of a Botnet

Stuart Henderson

Ethical Hacking White Paper

University of Abertay Dundee

BSc Ethical Hacking & Countermeasures

May 2013

Note that the information contained in this document is for educational purposes.


ABSTRACT

In recent years, cyber crime has increased and is becoming a larger threat, aided by botnets. A botnet is a series of compromised computers spread across the internet that carry out the task given to them by a single attacker. The bots could do a variety of things such as steal personal information, send spam, DDoS websites and servers, and anything else the attacker wishes. Anyone who has access to a root kit can make their own botnet and bring about their own army of bots. A step-by-step list will be composed to demonstrate the actions taken to successfully create a botnet; techniques to prevent a botnet infection will also be examined.


TABLE OF CONTENTS

Introduction .......................................................................................................................... 1

Defining a Botnet ................................................................................................................... 2

Creating a Custom Botnet ...................................................................................................... 4

Botnet Discussion and Prevention ......................................................................................... 9

Conclusions ......................................................................................................................... 10

Bibliography ........................................................................................................................ 11


INTRODUCTION

Regular home computers and company networks are at risk and are highly sought after by attackers on a regular basis. Years ago, when the traditional virus was created, it only served to cause mischief and pranks. These viruses could have had capabilities to copy themselves to files that would be carried over to another host computer without the user's knowledge. This type of virus is easily detectable and can be removed safely. Nowadays, however, the most dangerous and vicious cyber threats come from a community of botnet networks and infected computers. Botnets can be used to conduct cyber attacks and steal sensitive information from large businesses and organisations, which could cause big financial losses to companies. The threat is so big that literally millions of computers at this very moment are infected with a botnet unknown to the user. Could such a threat be replicated by a regular attacker with little to no knowledge of how botnets work? This report will outline the key steps required to create a botnet and will outline the basic background and fundamentals of how a botnet functions.


DEFINING A BOTNET

1.1 WHAT IS A BOTNET?

The word "botnet" derives from the words "robot" and "network". In its most basic form a botnet is a series of internet-connected applications that work together to accomplish a task. Malicious hackers distribute malware that can turn a computer into a bot using various methods. These malicious applications sit on a compromised host unknown to the user, waiting for commands from a third-party botnet controller, who issues them remotely through standard network protocols such as IRC and HTTP. A mass of bots is also known as a "zombie army". Most botnet-infected computers are home-based. The task set to a botnet can be anything from the legal task of managing IRC channels to the illegal task of a DDoS attack on a website, causing it to slow or close down. Until it receives a command from the bot herder, the bot will stay hidden. Many home users nowadays have fast internet connections and fast computers that would serve well under a botnet. Bots can propagate across networks just like worms to infect a larger number of computers. These computers form a botnet.

1.2 COMMAND AND CONTROL

Traditionally, botnets were controlled using IRC (Internet Relay Chat) because it was simple and flexible to use, although it is easy to spy on the botnet traffic this way as IRC sends in clear text. The bot controllers don't control each bot directly; they have a main server to command and control the bots as a safeguard in case the server is investigated, and gain some protection by using the TOR network to remain anonymous. Many botnets make use of HTTP to fetch tasks from the server. The bot herder wouldn't have to send commands to the bots at all; the bots would fetch their tasks over HTTP periodically. This method has the advantage of not being blocked by firewalls, as HTTP is a common protocol.
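The periodic HTTP fetch described above is also the defender's opportunity: a timer-driven poll leaves a far more regular timing signature in proxy or firewall logs than a person browsing. The script below is an added example, not part of the paper or of any botnet toolkit; the log format, the sample log lines, the `/tasks` path and the thresholds are all constructed for illustration. It groups requests by (client, server), measures the inter-request intervals and flags pairs whose intervals are both frequent and unusually regular.

```python
"""Flag HTTP polling ("beaconing") in a proxy log by interval regularity.

Added example, not from the paper. The log format, sample lines, the /tasks
path and the thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "YYYY-MM-DDTHH:MM:SS client server METHOD path".
# 192.168.1.20 polls one server roughly every 60 s; 192.168.1.21 is a person
# reading a news site at irregular intervals.
SAMPLE_LOG = """\
2013-05-16T10:00:00 192.168.1.20 10.0.0.26 GET /tasks
2013-05-16T10:00:02 192.168.1.21 www.example-news.test GET /
2013-05-16T10:00:09 192.168.1.21 www.example-news.test GET /sport
2013-05-16T10:01:00 192.168.1.20 10.0.0.26 GET /tasks
2013-05-16T10:01:45 192.168.1.21 www.example-news.test GET /weather
2013-05-16T10:02:01 192.168.1.20 10.0.0.26 GET /tasks
2013-05-16T10:02:08 192.168.1.21 www.example-news.test GET /sport/live
2013-05-16T10:03:00 192.168.1.20 10.0.0.26 GET /tasks
2013-05-16T10:03:59 192.168.1.20 10.0.0.26 GET /tasks
2013-05-16T10:04:30 192.168.1.21 www.example-news.test GET /
2013-05-16T10:05:00 192.168.1.20 10.0.0.26 GET /tasks
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Parse log lines into (timestamp, client, server, method, path) tuples.
    Malformed lines are skipped rather than aborting the whole scan."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, server, method, path = m.groups()
        records.append((datetime.fromisoformat(ts), client, server, method, path))
    return records


def find_beacons(records, min_requests=5, max_cv=0.1):
    """Return (client, server) pairs whose request timing looks timer-driven.

    cv = standard deviation / mean of the inter-request intervals. Human
    browsing gives a high cv; a fixed poll interval gives a cv near zero."""
    by_pair = defaultdict(list)
    for ts, client, server, _method, _path in records:
        by_pair[(client, server)].append(ts)

    beacons = []
    for (client, server), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue  # too few requests to judge regularity
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # all requests in the same second: no interval to measure
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            beacons.append({"client": client, "server": server,
                            "requests": len(stamps),
                            "mean_interval": avg, "cv": cv})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{b['client']} -> {b['server']}: {b['requests']} requests, "
              f"one every {b['mean_interval']:.0f}s (cv={b['cv']:.3f})")
```

On the sample log only the 10.0.0.26 poller is reported (mean interval 60 s, cv about 0.015); the news reader's intervals vary too much. Bots that add random jitter to their poll interval push the cv up, so in practice the threshold is tuned per environment and combined with other signals, such as an unusual destination or a client that talks to the server only at the same hour pattern, and with an allow-list of legitimate pollers like update servers and mail clients to keep false positives down.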

Figure 1 [1]

[1] InfoSec Institute Resources – Botnets and cybercrime – Introduction. 2013. [ONLINE] Available at: http://resources.infosecinstitute.com/botnets-and-cybercrime-introduction/. [Accessed 16 May 2013].


1.3 THE MANY USES OF A BOTNET

The larger the botnet, the more impact it can have on the internet. There are lots of variations of a botnet. One botnet called "Zeus", which was first identified in July 2007, was used to steal banking credentials by using key logging and form grabbing exploits. It reports the bank credentials of the infected user back to the master herder of the botnet. It can appear on a user's computer by certain methods such as drive-by downloads and phishing. The primary target for this Trojan was computers running a Windows operating system. In 2012 it was discovered that there were variants of Zeus that also targeted BlackBerry and Android phone operating systems. This new mobile version of Zeus, dubbed "Eurograbber", was able to steal $47 million in 2012. [2]

There are botnets that sometimes have the single purpose of spamming. Spamming emails from the attacker's own computer isn't efficient, as once they are discovered their ISP will prevent them from sending emails. So to bypass this they changed tactics and adopted sending spam from someone else's computer using a botnet. One noteworthy botnet that focused on spamming pharmaceutical emails, "Grum", was shut down on the 19th of July 2012. It was mentioned that this bot alone was responsible for 18% of worldwide spam traffic. [3]

There are botnets that are specifically designed for launching denial of service attacks on specific websites. If the bot controller were to accumulate a large number of bots and command them collectively to flood a specific site with DDoS attacks, it would cripple the website and render it unusable. Cyber criminals can sell these Trojan botnets for a fee or extort a company for money to stop a DDoS attack that could possibly cost it millions per day in revenue. For example, renting out a DDoS botnet attack to take out possible competitor websites is one way to earn money in the botnet market. The listing quotes a price range depending on how long you would like a website DDoS attacked for: "1 hour of DDoS attack is $5" up to "1 month of persistent DDoS attack is $900". [4] A discount is even offered to prospective customers. To facilitate a DDoS for the purpose of bringing down a website there are 2 main methods. The first is the HTTP GET request, which requests a page from the website numerous times in a single second, over and over again. Combined with a large number of bots it could be successful in disrupting and bringing down a website. The second method is the classic SYN flood, which involves initiating a TCP 3-way handshake but never responding to the SYN-ACK, and continuously initiating the handshake from the beginning. The user of the bot controller holds a massive amount of power that could disrupt major companies and businesses and cause huge loss in revenue. The cybercrime ecosystem thrives on competitive businesses.
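Both flood methods described above leave a distinctive trace on the target's side, and that trace is what a defender looks for. The script below is an added example, not from the paper: it works over a constructed packet summary (the record format, the addresses, the sample traffic and the thresholds are all assumptions) and implements the two checks that follow directly from the descriptions. A SYN flood shows up as many handshakes to one server that are never completed with the client's ACK; a GET flood shows up as one client requesting pages far faster than a person clicks.

```python
"""Detect SYN-flood and HTTP GET-flood patterns in a packet summary.

Added example, not from the paper. The record format, the sample traffic,
the addresses and the thresholds are constructed for illustration.
"""
from collections import defaultdict

SERVER = "192.0.2.10"  # constructed victim web server address


def build_sample():
    """Constructed packet summary as (seconds, src, dst, kind) tuples.
    kind is "SYN" (handshake start), "ACK" (the client's handshake completion)
    or "GET" (an HTTP page request)."""
    pkts = [
        # a legitimate visitor: completes the handshake, two requests seconds apart
        (0.00, "192.168.1.30", SERVER, "SYN"),
        (0.05, "192.168.1.30", SERVER, "ACK"),
        (0.10, "192.168.1.30", SERVER, "GET"),
        (5.00, "192.168.1.30", SERVER, "GET"),
        # one bot that completes the handshake and then hammers a page
        (1.00, "203.0.113.7", SERVER, "SYN"),
        (1.05, "203.0.113.7", SERVER, "ACK"),
    ]
    pkts += [(1.1 + i * 0.018, "203.0.113.7", SERVER, "GET") for i in range(50)]
    # 20 spoofed sources sending SYN only and never finishing the handshake
    pkts += [(i * 0.1, f"198.51.100.{i}", SERVER, "SYN") for i in range(1, 21)]
    return sorted(pkts)


def detect_syn_flood(pkts, window=10.0, threshold=10, handshake_timeout=3.0):
    """Count handshakes per server that are not completed within
    handshake_timeout seconds, bucketed into windows of `window` seconds,
    and return the (dst, window) buckets at or above `threshold`."""
    syn_time = {}       # (src, dst) -> time of the first SYN seen
    completed = set()   # (src, dst) pairs whose ACK arrived in time
    for t, src, dst, kind in pkts:
        key = (src, dst)
        if kind == "SYN":
            syn_time.setdefault(key, t)
        elif kind == "ACK" and key in syn_time and t - syn_time[key] <= handshake_timeout:
            completed.add(key)

    half_open = defaultdict(int)
    for (src, dst), t in syn_time.items():
        if (src, dst) not in completed:
            half_open[(dst, int(t // window))] += 1
    return [{"dst": dst, "window_start": b * window, "half_open": n}
            for (dst, b), n in sorted(half_open.items()) if n >= threshold]


def detect_get_flood(pkts, window=1.0, threshold=20):
    """Count GET requests per (src, dst) in windows of `window` seconds and
    return the buckets at or above `threshold`."""
    counts = defaultdict(int)
    for t, src, dst, kind in pkts:
        if kind == "GET":
            counts[(src, dst, int(t // window))] += 1
    return [{"src": src, "dst": dst, "window_start": b * window, "requests": n}
            for (src, dst, b), n in sorted(counts.items()) if n >= threshold]


if __name__ == "__main__":
    sample = build_sample()
    for a in detect_syn_flood(sample):
        print(f"SYN flood: {a['half_open']} half-open handshakes to {a['dst']} "
              f"in the window starting at t={a['window_start']:.0f}s")
    for a in detect_get_flood(sample):
        print(f"GET flood: {a['requests']} requests from {a['src']} to {a['dst']} "
              f"in the second starting at t={a['window_start']:.0f}s")
```

On the sample traffic the SYN check reports 20 half-open handshakes to the server and the GET check reports the single bot making 50 requests in one second, while the legitimate visitor triggers neither. Fixed buckets are the simplest form of the idea; a production detector uses sliding windows and per-server baselines. The counts also point at the mitigations: the operating system can answer SYNs with SYN cookies so half-open connections consume no state, and a web server or reverse proxy can rate-limit request bursts per client.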

[2] Zeus Botnet Eurograbber Steals $47 Million - Security. 2013. [ONLINE] Available at: http://www.informationweek.co.uk/security/attacks/zeus-botnet-eurograbber-steals-47-millio/240143837. [Accessed 16 May 2013].

[3] BBC News - Huge spam botnet Grum is taken out by security researchers. 2013. [ONLINE] Available at: http://www.bbc.co.uk/news/technology-18898971. [Accessed 16 May 2013].

[4] DDoS for hire services offering to ‘take down your competitor’s web sites’ going mainstream | Webroot Threat Blog - Internet Security Threat Updates from Around the World. 2013. [ONLINE] Available at: http://blog.webroot.com/2012/06/06/ddos-for-hire-services-offering-to-take-down-your-competitors-web-sites-going-mainstream/. [Accessed 16 May 2013].


CREATING A BOTNET

To build and administer our botnet we will be using the popular Zeus toolkit (also known as Zbot, Wsnpoem, Gorhax and Kneber). [5] A control panel will be used to control and maintain the botnet. A builder tool allows the attacker to create the executables that will be used to infect the victim's machine. The ZeuS public toolkit creator is distributed freely, so there are many variations of the Zeus botnet. There is also a commercial version of the botnet that includes more features than the public botnet. The commercial version of Zeus can sell on the web anywhere from "$40 to $4000". The commercial version also has piracy protection integrated to prevent it becoming public. [5] For this purpose we will be using the freely distributed public botnet. The Zeus botnet is known as a huge commercial banking Trojan used for capturing keystrokes and form information. In October 2010 a ring of cyber criminals were able to steal up to $70 million using the Zeus toolkit. [5]

2.1 CREATION OF A BOTNET - STEP BY STEP GUIDE

Two machines are set up, both running Windows XP Service Pack 3. The botnet creation and command and control server will be held on one machine (Attacker) while the other will hold a bot (Victim).

1. To begin, a local server is set up on the Attacker's machine by installing XAMPP, an open source web server package. The botnet builder is downloaded; contained within the builder we are using are files that are configured to work with XAMPP. Within the "conf" folder of the Zeus builder folder there is a "httpd.conf" file that needs to be edited: an IP address needs to be changed to the bot controller's IP address. In this case the controller IP address is 10.0.0.26.

Figure 2

2. The "conf" folder and all its contents are copied to "C:\XAMPP\apache". The "1" folder is copied over to "C:\XAMPP\htdocs\xampp".

3. Next XAMPP is run and "Apache" and "MySql" are started. Both of these are allowed and unblocked through the firewall.

4. The web browser is launched (in this case Google Chrome) and the IP address of the controller is put in the address bar to navigate to the XAMPP page.

5. Navigate to "Security" and set the password to "password".

[5] Attack Toolkit Business Gaining Legitimacy | Security News. 2013. [ONLINE] Available at: http://www.pctools.com/security-news/attack-toolkits/. [Accessed 16 May 2013].


6. Navigate to "phpMyAdmin" and log in using the credentials "root" and "password". The SQL configuration page should be displayed.

7. Create a new database called "bssnet".

Figure 3

8. Once the database has been created, click "Import", then "Choose file", navigate to the file "bssnet.sql" and click "Go". The import should be successful.

9. Next navigate to "10.0.0.26/xampp/1/install/index.php". This will take you to a control panel installer (Figure 4). The user name and password for the first section are the attacker's choice; in this case the user is "admin" and the password is "qwerty123". The MySql server section takes the same username and password that were set up for the security page, in this case "root" and "password". Finally it needs an encryption key, which can be found in the config.txt file in the ZeuS builder folder. Once all fields are correct click "Install".

Figure 4

10. Once this has been completed the attacker is able to log in to the control panel that manages the bots. Navigate to "10.0.0.26/xampp/1/cp.php?m=login" and enter the credentials "admin" and "qwerty123".

Figure 5

11. This will next take the attacker to the botnet control panel (Figure 6). From here the user can view information such as how many bots are in circulation, which operating systems certain bots are being run under, and information that the bots have captured. There are also options to update the bots to the most recent version of the botnet and to send scripts to all bots in circulation.

Figure 6

The next step is to make the virus itself, which will be placed on the victim's machine.

1. In the config.txt file in the directory of the ZeuS builder, edit the IP addresses to match the bot controller's IP address.

2. Next launch "zsb.exe", the ZeuS builder (Figure 7). Click the "Builder" tab.

Figure 7

3. Click "Build config" and save the configuration file to the desktop.


4. Next click "Build loader". Save the "bt.exe" executable to the same location as the config file previously built. Once these 2 files are created from the ZeuS builder you no longer need the program, so you can close it.

5. Copy the 2 files from the Desktop to the "C:\XAMPP\htdocs\xampp\1" folder.

Figure 8

6. Once this is completed, the next task is to put the "bt.exe" virus on the victim's machine and run the program.

Once the program has been executed on the victim's side, testing can begin to ensure that our botnet is fully functional. Using Play.com as an example shopping site, the victim signs in to purchase goods with a non-existent account "[email protected]" and a password of "racecar99". Going back to the attacker's computer, from the control panel we can see a recent entry in the database. The recent entry shows the login details captured from the victim's computer.

Figure 9

It was next tested on the PayPal registration form. It successfully captured all the information entered by the user into the form, including the password "catanddog1".


Figure 10

It was next tested on the bank Lloyds TSB: the user attempted to log in and the data was successfully captured.

Figure 11

Script commands were then tested to ensure that the attacker holds some control over the compromised computer. A simple "reboot" command was sent to the bot on the victim's PC and the computer was restarted without the victim's prompt or input. There are more commands that issue various tasks to the bot.


BOTNET PREVENTION

3.1 HOW CAN A USER PROTECT THEMSELVES?

Botnets prove to be very malicious to people who use online banking or do online shopping regularly. Attackers may use botnets equipped with key logging functions to gain personal financial details from such users. In other cases a botnet may control your computer to aid spamming, to host phishing sites and to hold payloads that could infect other users. It is only obvious that there needs to be a prevention and detection system in place to avoid being part of a botnet. Many anti-virus products these days are updated periodically to protect the user from harmful files and attacks from outside users. An anti-virus program is one of the key elements of botnet prevention. The anti-virus application will detect any patterns that it knows to be malicious and prevent the virus from executing. As long as the anti-virus is well maintained and up to date it should detect any abnormalities inside your operating system. There are also Windows Updates that patch security holes in the operating system to protect the user's computer and files from being exposed to attacks and to make your system more secure and reliable. These updates are incredibly important and it is crucial to keep up to date with the latest patches. The firewall also serves as a blockade between the attacker and the victim. A firewall regulates and controls network traffic by analysing the network and data packets, which are allowed through or not based on the firewall's rules. The firewall should be well maintained to prevent malicious attacks. The browser's security features are just as important as the anti-virus application. Many sites are compromised, and malicious JavaScript hidden underneath the website will attempt to force malware onto the victim's machine. They may use browser plug-in exploits to gain access to your system and perform a "drive-by download", which essentially downloads files without the user's consent or knowledge that a file is being downloaded, and installs onto the system without a single prompt. Most of these drive-by downloads are malicious programs like spyware and malware. Browser developers should patch their browsers regularly to prevent this and block security holes. Plug-ins such as Java, Adobe Flash and Adobe Reader should also be kept up to date. It is recommended that JavaScript be disabled on most websites except on ones commonly used such as banking and shopping websites. The next step may be obvious, but avoid opening any email attachments that were received from unknown sources; it is most certainly a file that is infected with some sort of worm or virus. Ensure your spam filter is working correctly and, if you do read the email, ensure it is in plain text. Finally, the most effective way of preventing a virus or botnet infection is to use common sense. Don't download files from suspicious sites and ensure you scan files before opening them.

Upon discovering a botnet is present on your machine you should disconnect the PC from the network right away. This ensures it can't talk to the bot controller and stops it from executing any task that it was given. The anti-virus should then be used to scan and clean the bot, removing it from the system completely.


CONCLUSION

In conclusion, a botnet can be very easy to create for the average "script kiddie" who doesn't fully understand a botnet and the full destructive force it possesses, by using a simple root kit builder. Now more than ever, botnets still prove to be the most powerful weapon a cyber criminal can possess. If the command and control servers that commanded a certain botnet were to be captured and investigated, there is a chance that the attacker will not get caught, due to using an anonymous connection such as TOR to talk to the server, which makes it almost impossible to backtrack to the real attack source. However, it would mean that the bots are no longer being sent commands and are not doing any more malicious tasks, since the "brain" is shut down. Careful usage of computers and the internet today would prove useful in preventing infection by a botnet. By ensuring everything is up to date there should be no security hole that a botnet can exploit.


BIBLIOGRAPHY

Fueled by super botnets, DDoS attacks grow meaner and ever-more powerful | Ars Technica. 2013. [ONLINE] Available at: http://arstechnica.com/security/2013/04/fueled-by-super-botnets-ddos-attacks-grow-meaner-and-ever-more-powerful/. [Accessed 16 May 2013].

Alomari, Manickam, Gupta, Karuppayah, Alfaris, 2012. Botnet-based Distributed Denial of Service (DDoS) Attacks on Web Servers: Classification and Art. International Journal of Computer Applications, Volume 49, No. 7, 9. [ONLINE] Available at: http://arxiv.org/ftp/arxiv/papers/1208/1208.0403.pdf. [Accessed 16 May 2013].

What is botnet (zombie army)? - Definition from WhatIs.com. 2013. [ONLINE] Available at: http://searchsecurity.techtarget.com/definition/botnet. [Accessed 16 May 2013].

Attack Toolkit Business Gaining Legitimacy | Security News. 2013. [ONLINE] Available at: http://www.pctools.com/security-news/attack-toolkits/. [Accessed 16 May 2013].

Botnet Protection Measures PC Users Can Adopt. 2013. [ONLINE] Available at: http://www.best-pc-security-software.com/botnet-protection.html. [Accessed 16 May 2013].