1 Botnets ECE 4112 Lab 10 Group 19

2 Botnets
A collection of compromised machines running malicious programs under a common command and control (C&C) infrastructure.
Attackers target Class B networks (/16 address blocks), scanning them for vulnerable hosts.
Once a vulnerable system is detected  the system is compromised  a control client (the bot) is installed.
These bots in turn scan and attack further networks  exponential growth in a tree-like fashion.

3 Botnets – Uses
Distributed DoS attacks
Spamming
Sniffing traffic
Keylogging
Attacking other networks
Identity theft
Google AdSense abuse (click fraud)
Spyware/malware installation

4 Lab Procedures
I. Setup: setting up the IRCd server
II. SDBot
III. q8Bot
IV. HoneyNet botnet capture analysis

5 IRCd Server
IRC networks are considered part of the "underground" Internet: home to many hacking groups and illegal software release groups.
Set up on the Red Hat WS 4.0 machine.
Lab topology: IRCd and IRC client (attacker) on Red Hat WS 4.0  infected Red Hat machine (victim).

6 SDBot/RBot/UrBot/UrXbot
The most active family of bots
Published under the GPL
The source is poorly written C, but it provides a utilitarian IRC-based command and control system
Easy to extend  a large number of patches add more sophisticated malicious capabilities: scanning, DoS attacks, sniffers, information harvesting and encryption features

7 SDBot
Set up on the Windows XP VM using the lcc-win32 compiler
Built the executable with a .bat file
Edited the hosts file so the bot can resolve the IRC server's name
Bot login  the bot joins the channel under a random username  the attacker authenticates to it with .login
.repeat 6 .delay 1 .execute 1 winmine.exe
 started 6 instances of Minesweeper on the victim, one second apart (the first .execute argument, 1, runs the program visibly)

8 SDBot – General Commands
.execute causes the bot to run a program
.download causes the bot to download the file specified by URL
.redirect lets the bot start a basic port redirect (everything sent to the port is forwarded)
.sysinfo causes the bot to reply with information on the host system
.netinfo causes the bot to reply with information on the bot's network connection
.visit lets the bot invisibly visit the specified URL

9 SDBot – UDP/Ping Flood
.udp  causes a UDP flood
 For a 1 Gbit/s link with avg packet size = 1169 bytes: 10^9 / (8 × 1169) ≈ 106,928 packets/s  bots required = 106,928 (at one packet per second per bot)
.ping  initiates a ping flood
 For a 1 Gbit/s link with avg packet size = 1351 bytes: ≈ 92,532 packets/s (approx.)  bots required = 92,532 (same assumption)

10 SDBot – Pay per click
.visit  the bot silently fetches the given URL with an attacker-chosen referrer
Ethereal – following the TCP stream shows the HTTP request with the supplied Referer header, which is what makes the visit count as a click

11 SDBot – Bot Removal
Kill the bot process
Remove the autostart registry values (value name "Configuration Loader") under:
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
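The removal step above is easy to check offline: export the Run keys with reg.exe and look for the value name and for the same image registered twice. The following is an added example, not part of the lab or of SDBot; the .reg text is constructed to resemble `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`, and the image path `C:\WINDOWS\System32\svhost.exe` is a hypothetical sample name.

```python
# Added example (not part of the ECE 4112 lab slides): triage autostart values
# in a Windows registry export for SDBot-style persistence.  SAMPLE_REG is a
# constructed export; the svhost.exe path is a hypothetical sample name.
import re
from typing import Dict, List, Tuple

AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
# Value name SDBot registers itself under (from the slide above).
SUSPICIOUS_VALUE_NAMES = {"configuration loader"}

KEY_RE = re.compile(r"^\[(.+)\]$")
ENTRY_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # REG_SZ lines only

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareUser.exe\""
"Configuration Loader"="C:\\WINDOWS\\System32\\svhost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Configuration Loader"="C:\\WINDOWS\\System32\\svhost.exe"
'''


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: string_data}} for the REG_SZ values of a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            keys[current][_unescape(entry.group(1))] = _unescape(entry.group(2))
    return keys


def image_path(data: str) -> str:
    """Strip quoting and arguments from a Run value to get the executable path."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def find_autostart_findings(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (key, value_name, image, reason) tuples that deserve a closer look."""
    findings = []
    seen: Dict[str, List[str]] = {}  # image path (lower-cased) -> autostart keys naming it
    for key, values in parse_reg_export(text).items():
        if key.lower() not in AUTOSTART_KEYS:
            continue
        for name, data in values.items():
            image = image_path(data)
            seen.setdefault(image.lower(), []).append(key)
            if name.lower() in SUSPICIOUS_VALUE_NAMES:
                findings.append((key, name, image, "known SDBot value name"))
    # SDBot registers the same image under Run and RunServices; flag that pattern too
    for image, keys_ in seen.items():
        if len(set(keys_)) > 1:
            findings.append((" + ".join(sorted(set(keys_))), "", image,
                             "same image registered under several autostart keys"))
    return findings


if __name__ == "__main__":
    for finding in find_autostart_findings(SAMPLE_REG):
        print(finding)
```

The second rule (one image under several autostart keys) catches renamed variants that no longer use the "Configuration Loader" value name; a real baseline of the host's expected Run entries would replace the single-entry allowlist shown here.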

12 q8Bot
Small bot, 926 lines of C code
Written only for Unix-based systems
Features  DDoS attacks  dynamic updating  flooding
Versions with spreaders are available

13 q8Bot
Installed after changes to the C source file
ps -e  shows the bot binary running with its PID
ps -ef  the same PID is shown as '-bash'
The -f flag gives a full listing with the command line; the bot overwrites its own argv[0] with FAKENAME (set in the source code), so that is what appears
The -e flag selects every process; without -f, ps prints the short process name the kernel keeps (/proc/<pid>/comm), which still reveals the executable used
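The mismatch between the two ps listings is itself a detection signal: the kernel's short name in /proc/<pid>/comm cannot be rewritten from user space the way argv[0] can. The following is an added example, not code from the lab or from q8Bot; the SAMPLE_PROCS table is constructed (pids and names hypothetical), and the live /proc reader only works on Linux.

```python
# Added example (not part of the lab slides): find processes whose command
# line, which ps -ef prints from /proc/<pid>/cmdline and which a process can
# rewrite (q8Bot copies FAKENAME over argv[0]), disagrees with the kernel's
# short executable name in /proc/<pid>/comm, which plain ps -e prints.
# SAMPLE_PROCS is a constructed process table; pids and names are hypothetical.
import os
from typing import Dict, List, Tuple

# Daemons that legitimately rewrite their title (setproctitle); treated as benign.
TITLE_REWRITERS = {"sshd", "postgres", "master", "pickup", "qmgr"}

SAMPLE_PROCS: Dict[int, Tuple[str, bytes]] = {
    1:    ("init",      b"/sbin/init\0"),
    1203: ("bash",      b"-bash\0"),                  # a real login shell
    1999: ("q8bot",     b"-bash\0"),                  # bot binary hiding as a login shell
    2044: ("sshd",      b"sshd: user [priv]\0"),      # benign title rewrite
    2100: ("script.sh", b"/bin/sh\0./script.sh\0"),   # shebang script: comm is the script name
}


def is_spoofed(comm: str, cmdline: bytes) -> bool:
    """True when no argv word's basename matches the kernel's comm (15 chars max)."""
    argv = [a for a in cmdline.split(b"\0") if a]
    if not argv or comm in TITLE_REWRITERS:
        return False
    names = {
        os.path.basename(a.decode(errors="replace").lstrip("-"))[:15]  # '-bash' -> 'bash'
        for a in argv
    }
    return comm[:15] not in names


def find_spoofed(procs: Dict[int, Tuple[str, bytes]]) -> List[Tuple[int, str, str]]:
    """Return (pid, comm, argv0) for every process that fails the check."""
    hits = []
    for pid, (comm, cmdline) in sorted(procs.items()):
        if is_spoofed(comm, cmdline):
            argv0 = cmdline.split(b"\0")[0].decode(errors="replace")
            hits.append((pid, comm, argv0))
    return hits


def read_proc(proc: str = "/proc") -> Dict[int, Tuple[str, bytes]]:
    """Collect (comm, cmdline) for live processes on a Linux host; skips kernel threads."""
    procs: Dict[int, Tuple[str, bytes]] = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(proc, entry, "cmdline"), "rb") as f:
                cmdline = f.read()
        except OSError:  # process exited or permission denied
            continue
        if cmdline:      # kernel threads have an empty cmdline
            procs[int(entry)] = (comm, cmdline)
    return procs


if __name__ == "__main__":
    table = read_proc() if os.path.isdir("/proc") else SAMPLE_PROCS
    for pid, comm, argv0 in find_spoofed(table):
        print(f"pid {pid}: comm={comm!r} but argv[0]={argv0!r}")
```

On a real host expect a few benign hits from programs that exec a renamed binary (browser helper processes, for instance); the point is that a process claiming to be `-bash` whose comm is anything else is worth pulling `/proc/<pid>/exe` for.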

14 q8Bot – Commands
PAN – SYN flood (advertised by the bot as disabling most network drivers)
TSUNAMI – packet flood (advertised by the bot as bypassing any firewall; see the next slide for what that actually means)
GET – download/rename files

15 q8Bot
Tsunami attack
 Basic DoS attack
 Packets are directed to port 80 (HTTP), so a port-based filter that has to admit web traffic lets them through; this does not bypass stateful or rate-limiting firewalls
PAN
 Add the statement: sendto(get, &send_tcp, 40 + psize, 0, (struct sockaddr *)&sin, sizeof(sin));  (get is the raw socket, send_tcp the crafted IP+TCP header, 40 bytes of headers plus psize bytes of payload)
 Change the return() in the final if block to a break, so the send loop keeps running  PAN
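Because PAN spoofs the source address of each SYN, per-source counting finds nothing; the useful key is the destination, the SYN rate and how few of those sources ever complete the handshake. The following detector is an added example, not part of the lab or of q8Bot. Its input lines are constructed in the form `<time> <src> <dst> <sport> <dport> <flags>` (flags S, SA or A), the shape a tshark field export can be massaged into; all addresses are hypothetical.

```python
# Added example (not from the lab): detect a SYN flood such as q8Bot's PAN or
# TSUNAMI from a packet summary, by counting SYNs per destination port per
# second and checking how few of those sources ever complete the handshake.
# Input lines are constructed here as "<time> <src> <dst> <sport> <dport> <flags>"
# (flags: S = SYN, SA = SYN/ACK, A = ACK); the addresses are hypothetical.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Pkt:
    t: float
    src: str
    dst: str
    sport: int
    dport: int
    flags: str


def parse_line(line: str) -> Pkt:
    t, src, dst, sport, dport, flags = line.split()
    return Pkt(float(t), src, dst, int(sport), int(dport), flags)


def detect_syn_floods(pkts: Iterable[Pkt], window: float = 1.0,
                      min_syns: int = 100, max_completion: float = 0.1) -> List[Dict]:
    """Flag (dst, dport, window) buckets with many SYNs and almost no completed handshakes.

    The bucket key is the destination, not the source, because the sources are
    spoofed; the number of distinct sources is reported as a spoofing indicator.
    """
    syns: Dict[tuple, List[str]] = defaultdict(list)  # bucket -> sources that sent SYN
    acks: Dict[tuple, set] = defaultdict(set)         # bucket -> sources that sent the final ACK
    for p in pkts:
        bucket = (p.dst, p.dport, int(p.t // window))
        if p.flags == "S":
            syns[bucket].append(p.src)
        elif p.flags == "A":
            acks[bucket].add(p.src)
    alerts = []
    for bucket, sources in syns.items():
        if len(sources) < min_syns:
            continue
        completed = len(set(sources) & acks[bucket])
        if completed / len(sources) <= max_completion:
            alerts.append({
                "dst": bucket[0], "dport": bucket[1], "window_start": bucket[2] * window,
                "syns": len(sources), "unique_sources": len(set(sources)),
                "completed": completed,
            })
    return alerts


def build_sample() -> List[str]:
    """Constructed traffic: 5 benign SSH handshakes, then 300 spoofed SYNs to port 80 within 1 s."""
    lines = []
    for i in range(5):
        t, sport = 0.10 + i * 0.05, 50000 + i
        lines.append(f"{t:.3f} 192.168.1.10 10.0.0.5 {sport} 22 S")
        lines.append(f"{t + 0.001:.3f} 10.0.0.5 192.168.1.10 22 {sport} SA")
        lines.append(f"{t + 0.002:.3f} 192.168.1.10 10.0.0.5 {sport} 22 A")
    for i in range(300):
        # deterministic "random" spoofed sources, all distinct for i < 300
        src = f"{(i * 37) % 223 + 1}.{(i * 91) % 256}.{(i * 13) % 256}.{(i * 7) % 254 + 1}"
        lines.append(f"{0.5 + i / 600:.4f} {src} 10.0.0.5 {1024 + i} 80 S")
    return lines


if __name__ == "__main__":
    for alert in detect_syn_floods(parse_line(l) for l in build_sample()):
        print(alert)
```

Tune `min_syns` to the server's normal connection rate; a busy web server legitimately sees hundreds of SYNs per second, but almost all of them are followed by an ACK from the same source, which is what the completion ratio measures.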

16 HoneyNet Botnet Capture Analysis
Data forensics
View IRC connections  ip.dst == && tcp.srcport == 6667
Sniff IRC packets  ip.dst == && (tcp.srcport == 6667 || tcp.dstport == 6667)
Usernames sniffed:
 Eohisou – unsuccessful login attempt
 Rgdiuggac – successful login attempt

17 HoneyNet Botnet Capture Analysis
Once the bot is logged in, ChanServ sets user modes
 +i – invisible (the user is hidden from WHO and NAMES queries by users who do not share a channel with it)
 +x – replaces the user's real hostname with a masked one
Source attack IPs – identified with an Ethereal display filter
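The login result, the +ix mode change and the channel commands on the two slides above can all be pulled out of the IRC text mechanically once the port-6667 stream is reassembled. The following parser is an added example, not part of the lab or of the Honeynet capture. Each record is (client endpoint, direction, IRC line), with "C" for client-to-server and "S" for server-to-client; the records are constructed (server name, addresses, channel and password are hypothetical) and only the two nicks come from the slide.

```python
# Added example (not part of the lab): reconstruct IRC logins from captured
# traffic on port 6667, the way the honeynet capture above was read by hand.
# Each record is (client endpoint, direction, IRC line); direction "C" is
# client->server, "S" is server->client.  SAMPLE_RECORDS is constructed; only
# the nicks come from the slide, everything else is hypothetical.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")


@dataclass
class IrcSession:
    client: str
    nick: Optional[str] = None
    login: str = "pending"            # "ok" after 001, "failed" after 464/465
    fail_code: Optional[str] = None
    user_modes: str = ""              # e.g. "+ix"
    channels: List[str] = field(default_factory=list)
    commands: List[str] = field(default_factory=list)   # channel messages the bot received


def parse_params(params: Optional[str]) -> List[str]:
    """Split IRC parameters; a trailing ':' parameter may contain spaces."""
    if not params:
        return []
    if params.startswith(":"):
        return [params[1:]]
    if " :" in params:
        head, trailing = params.split(" :", 1)
        return head.split() + [trailing]
    return params.split()


def analyze_irc(records: List[Tuple[str, str, str]]) -> Dict[str, IrcSession]:
    sessions: Dict[str, IrcSession] = {}
    for client, direction, line in records:
        s = sessions.setdefault(client, IrcSession(client))
        m = IRC_LINE.match(line.rstrip("\r\n"))
        if not m:
            continue
        cmd, params = m.group("cmd").upper(), parse_params(m.group("params"))
        if direction == "C":
            if cmd == "NICK" and params:
                s.nick = params[0]
            elif cmd == "JOIN" and params:
                s.channels.append(params[0])
        else:
            if cmd == "001":                        # RPL_WELCOME: registration succeeded
                s.login = "ok"
            elif cmd in ("464", "465"):             # ERR_PASSWDMISMATCH / ERR_YOUREBANNEDCREEP
                s.login, s.fail_code = "failed", cmd
            elif cmd == "MODE" and len(params) >= 2 and params[0] == s.nick:
                s.user_modes += params[1]           # server or services setting +i / +x
            elif cmd == "PRIVMSG" and len(params) >= 2 and params[0] in s.channels:
                s.commands.append(params[1])        # what the botmaster typed into the channel
    return sessions


SAMPLE_RECORDS = [
    ("10.0.0.8:1045", "C", "PASS wrongpass"),
    ("10.0.0.8:1045", "C", "NICK eohisou"),
    ("10.0.0.8:1045", "C", "USER eohisou 0 * :eohisou"),
    ("10.0.0.8:1045", "S", ":irc.example.net 464 eohisou :Password incorrect"),
    ("10.0.0.8:1046", "C", "PASS s3cret"),
    ("10.0.0.8:1046", "C", "NICK rgdiuggac"),
    ("10.0.0.8:1046", "C", "USER rgdiuggac 0 * :rgdiuggac"),
    ("10.0.0.8:1046", "S", ":irc.example.net 001 rgdiuggac :Welcome to the network"),
    ("10.0.0.8:1046", "S", ":ChanServ!services@irc.example.net MODE rgdiuggac :+ix"),
    ("10.0.0.8:1046", "C", "JOIN #bots key123"),
    ("10.0.0.8:1046", "S", ":master!m@hidden.host PRIVMSG #bots :.login s3cret"),
    ("10.0.0.8:1046", "S", ":master!m@hidden.host PRIVMSG #bots :.sysinfo"),
]

if __name__ == "__main__":
    for s in analyze_irc(SAMPLE_RECORDS).values():
        print(s.client, s.nick, s.login, s.user_modes, s.channels, s.commands)
```

Numeric 001 versus 464 is the reliable login indicator; a NICK or USER line alone only shows an attempt. The same loop, fed from tshark's IRC fields instead of the constructed list, also yields the channel key from the JOIN and the full command history the botmaster issued.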

18 Botnets – Defense
Keep your system updated; download patches promptly
Be careful when opening suspicious attachments
Control the use of active content such as ActiveX and JavaScript
Keep an updated antivirus / anti-trojan scanner running

19 Botnets – Defense
The main signs of bot presence are unexplained network connections and system slowdown  check with netstat -an
Admins – subscribe to mailing lists (e.g. Bugtraq)
Study the logs generated by IDS, firewall, mail and DHCP servers for abnormal activity
Most important – user awareness
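What to look for in the netstat -an output is an established connection to an IRC port (the C&C channel from slides 5 and 16) and a listener the host is not supposed to have (SDBot's .redirect opens one). The following triage script is an added example, not part of the lab; SAMPLE_NETSTAT is constructed Windows XP-style output with hypothetical addresses, and the baseline listener set is an assumption about the host.

```python
# Added example (not from the lab): triage a netstat -an snapshot for the two
# things a bot leaves behind: an established connection to an IRC port and a
# listener outside the host's baseline.  SAMPLE_NETSTAT is constructed
# Windows XP-style output (hypothetical addresses); Linux netstat lines parse too.
import re
from typing import Dict, List, Optional, Set, Tuple

ADDR_RE = re.compile(r"^\S+:(\d+|\*)$")          # host:port, also [::]:port and *:*
IRC_PORTS: Set[int] = set(range(6660, 6670)) | {7000}
BASELINE_LISTENERS: Set[int] = {135, 139, 445}  # assumed: what this host is expected to expose

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       10.9.8.7:6667          ESTABLISHED
  TCP    192.168.1.5:1040       203.0.113.9:80         TIME_WAIT
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""


def port_of(addr: str) -> Optional[int]:
    p = addr.rsplit(":", 1)[1]
    return int(p) if p.isdigit() else None


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Parse Windows or Linux `netstat -an` lines into proto/local/remote/state records."""
    conns = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].lower() not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        addrs = [t for t in tok[1:] if ADDR_RE.match(t)]
        if len(addrs) < 2:
            continue
        # state is the last token unless the line ends with an address (UDP has no state)
        state = tok[-1] if tok[-1] not in addrs and tok[-1].isupper() else ""
        conns.append({"proto": tok[0].lower(), "local": addrs[0],
                      "remote": addrs[1], "state": state})
    return conns


def flag_connections(conns: List[Dict[str, str]],
                     baseline: Set[int] = BASELINE_LISTENERS,
                     irc_ports: Set[int] = IRC_PORTS) -> List[Tuple[str, Dict[str, str]]]:
    """Return (reason, record) pairs for connections that need a closer look."""
    findings = []
    for c in conns:
        rport, lport = port_of(c["remote"]), port_of(c["local"])
        if c["state"] in ("ESTABLISHED", "SYN_SENT") and rport in irc_ports:
            findings.append(("connection to IRC port", c))
        elif c["state"] in ("LISTENING", "LISTEN") and lport not in baseline:
            findings.append(("listener not in baseline", c))
    return findings


if __name__ == "__main__":
    for reason, conn in flag_connections(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{reason}: {conn['proto']} {conn['local']} -> {conn['remote']} {conn['state']}")
```

Bots that talk to a non-standard port pass the first rule, which is why the listener baseline and the traffic-based checks matter as much as the port list; on a live host add the owning process (`netstat -ano` on Windows, `ss -tanp` on Linux) before killing anything.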

