Presentation is loading. Please wait.

Presentation is loading. Please wait.

Botnets ECE 4112 Lab 10 Group 19.

Similar presentations

Presentation on theme: "Botnets ECE 4112 Lab 10 Group 19."— Presentation transcript:

1 Botnets ECE 4112 Lab 10 Group 19

2 Botnets Collection of compromised machines running programs (malicious) under a common command and control infrastructure Attackers target Class B networks Once vulnerable system detected System compromised  control client (bot) installed These bots further attack networks  exponential growth in a tree like fashion

3 Botnets - Uses Distributed Dos attacks Spamming Sniffing Traffic
Keylogging Attacking other networks Identity theft Google Adsense abuse Spyware/Malware infestation

4 Lab Procedures I. Setup: Setting up the IRCd server II. SDBot
III. q8Bot IV. HoneyNet Botnet capture analysis

5 Infected RedHat machine (Victim)
IRCd Server IRC networks considered part of the “underground” Internet Home to many hacking groups and illegal software release groups Setup on WS 4.0 machine IRCd IRC client (Attacker) Redhat WS4.0 Infected RedHat machine (Victim)

6 SDBot/RBot/UrBot/UrXbot
The most active family of bots Published under GPL Poorly implemented in C provides a utilitarian IRC-based command and control system easy to extend large number of patches to provide more sophisticated malicious capabilities scanning, DoS attacks, sniffers, information harvesting & encryption features

7 SDBot Setup on Windows XP VM using lccwin32 compiler
Created executable using bat file Edited host file to include ircserver Bot Login Random username joins channel – Bot Login .repeat 6 .delay 1 .execute 1 winmine.exe Started 6 instances of minesweeper on the victim

8 SDBot General Commands .execute causes the bot to run a program.
.download causes the bot to download the file specified by url .redirect lets the bot to start a basic port redirect. everything sent to the port .sysinfo causes the bot to reply with information on the host system .netinfo causes the bot to reply with information on the bot's network connection .visit lets the bot to invisibly visit the specified url

9 SDBot – UDP/Ping Flood .udp <RH 7.2 IP> 1000 4096 100 23
command causes a UDP flood For 1 Gbit link Avg packet size = 1169 bytes Bots required = 106,928 .ping <RH 7.2 ip> Initiates a ping flood Avg packet size = 1351 bytes Bots required = 92,532 (approx)

10 SDBot – Pay per click .visit Ethereal – Tcp stream with http packets illustrating as referrer

11 SDBot – Bot Removal Kill Process Remove registry entries:

12 q8Bot Small bots with 926 lines of C code
Written only for Unix based systems Features DDos attacks Dynamic updating Flooding Versions with spreaders available

13 q8Bot Installation after changes to C file ps –e ps –ef
Shows the bot file running with a pid ps –ef Same pid shown as ‘-bash’ F flag gives full listing with the command line process name -> replaced by FAKENAME in source code E flag gives the pid with the executable used

14 q8Bot – Commands PAN <target> <port> <secs> - SYN flood which disables most network drivers TSUNAMI <target> <secs> - packets that can bypass any firewall GET <target> <save as> - Download/rename files

15 q8Bot Tsunami Attack – PAN Basic Dos attack
Packets directed to port 80 (http) – hence ignored by firewalls PAN Add statement: Sendto(get, &send_tcp, 40+psize, 0, (struct sockaddr*)&sin, sizeof(sin); Change return()  break in final if block PAN <WIN XP IP> <port> <delay in ms>

16 HoneyNet Botnet Capture Analysis
Data Forensics View IRC connections Ip.dst == && tcp.srcport==6667 Sniff IRC packets (Ip.dst== && (tcp.srcport==6667|| tcp.dstport==6667) Usernames sniffed: Eohisou – Unsuccessful login attempt Rgdiuggac – Successful login attempt

17 HoneyNet Botnet Capture Analysis
Once logged in, chanserv sets modes i – Invisible mode (hidden) x – provides random hostname to user Source attack ips – Analyze through ethereal filter

18 Botnets – Defense keep your system updated, downloading patches
careful with opening suspicious attachments in Control use of scripting languages such as ActiveX and JavaScript fundamental to use an updated antivirus / antitrojan

19 Botnets – Defense main signs of bot presence are connection and system slowdown netstat –an Admins - subscription to mailing lists (eg. Bugtraq) study the logs generated by IDS/firewall/mail/DHCP servers for abnormal activity Most important – user awareness

Download ppt "Botnets ECE 4112 Lab 10 Group 19."

Similar presentations

Ads by Google