An Inside Look at Botnets. ARO-DHS Special Workshop on Malware Detection, 2005. Written by: Paul Barford and Vinod Yegneswaran, University of Wisconsin

Presentation transcript:

1 An Inside Look at Botnets
ARO-DHS Special Workshop on Malware Detection, 2005
Written by: Paul Barford and Vinod Yegneswaran, University of Wisconsin, Madison
Presented by: Jarrod Williams

2 Outline
- Motivation/Goals
- Botnets
- Botnet Attributes
- Conclusion/Review

3 Motivation/Goals
- Increase in botnet usage: spam, DDoS, identity theft
- The objective of the paper is to understand how botnets work and to find commonalities between them
- Botnets studied: Agobot (4.0 Pre-Release), SDBot (05B), SpyBot (1.4), GT Bot with DCOM

4 Motivation/Goals
- Architecture
- Botnet control mechanisms
- Host control mechanisms
- Propagation mechanisms
- Exploits and attack mechanisms
- Malware delivery mechanisms
- Obfuscation methods
- Deception mechanisms

5 Botnets
- A collection of compromised computers running software controlled by a single user
- Botnets are controlled by a botmaster
- Compromised host machines are called zombies
- Zombies communicate using IRC
- A botnet can contain many different versions of the same bot, making up botnet families

6 Botnets

7 Internet Relay Chat
- IRC is a form of real-time Internet text messaging. It is mainly designed for group communication, but it also allows one-to-one communication via private message and data transfers via direct client-to-client connections
- Created by Jarkko Oikarinen in August 1988

8 Botnet Attributes Considered
- Architecture
- Botnet control mechanisms
- Host control mechanisms
- Propagation mechanisms
- Exploits and attack mechanisms
- Malware delivery mechanisms
- Obfuscation methods
- Deception mechanisms

9 Agobot (4.0 Pre-Release)
- The most sophisticated of the four bots
- Released October 2002
- Hundreds of variants of this bot exist; it is also commonly referred to as Phatbot
- Roughly 20,000 lines of C/C++
- The ability to launch different kinds of DoS attacks
- The ability to harvest the local host for PayPal passwords and AOL keys through traffic sniffing, key logging, or searching registry entries

10 SDBot (05B)
- Fairly simple
- Released October 2002
- Hundreds of variants of this bot
- Slightly over 2,000 lines of C
- Does not include any overtly malicious code modules
- The code is obviously easy to extend and patch
- Patches contain the malicious code attackers need; 80 patches for SDBot were found through Internet web searching

11 SpyBot (1.4)
- Relatively small, like SDBot
- Released April 2003
- Under 3,000 lines of C
- The command and control engine appears to be shared with SDBot, and it is likely that it evolved from SDBot
- Includes NetBIOS/Kuang/Netdevil/KaZaa exploits
- Contains modules for launching flooding attacks and has scanning capabilities

12 GT Bot with DCOM
- Simple design providing a limited set of functions
- Released April 1998
- Global Threat Bot has hundreds of variants and is also referred to as Aristotles
- Easy to modify, but nothing suggests it was designed with extensibility in mind
- Capabilities include port scanning, DoS attacks, and exploits for RPC and NetBIOS services
- Includes the HideWindow program, which keeps the bot hidden on the local system

13 Botnet Attributes Considered
- Architecture
- Botnet control mechanisms
- Host control mechanisms
- Propagation mechanisms
- Exploits and attack mechanisms
- Malware delivery mechanisms
- Obfuscation methods
- Deception mechanisms

14 Agobot (4.0 Pre-Release)
- Simple vertical and horizontal scanning
- Scanning is based on the network ranges (network prefixes) that are configured on individual bots

15 SDBot (05B)
- By virtue of its benign intent, SDBot does not have scanning or propagation capability in its base distribution
- Many variants of SDBot include scanning and propagation capability

16 SpyBot (1.4)
- Simple command interface for scanning
- Horizontal and vertical scanning capability
- Scans are sequential
- Command: scan
- Example: scan 127.0.0.1 17300 1 netbios portscan.txt
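Because the bots on these slides take their orders over IRC channels, a defender who can capture or proxy IRC traffic can look for the command syntax itself. The following is an added example (not code from the paper, the slides, or any of the bots) that parses standard RFC 1459 PRIVMSG lines and flags messages matching the SpyBot scan command. The argument layout `scan <start-ip> <port> <delay> <scan-type> <output-file>` is an assumption inferred from the single example on the slide, and the IRC log lines are constructed for the demonstration.

```python
"""Flag SpyBot-style 'scan' commands in captured IRC channel traffic.

Added example; not from the paper or the slides.  The argument layout
    scan <start-ip> <port> <delay> <scan-type> <output-file>
is an assumption inferred from the one example shown on the slide.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# RFC 1459 message as seen on the wire: ":nick!user@host PRIVMSG #chan :text"
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)(?:!\S*)?\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)

# Assumed grammar of the scan command (see module docstring).
SCAN_RE = re.compile(
    r"^scan\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d{1,5})\s+"
    r"(?P<delay>\d+)\s+(?P<kind>[A-Za-z0-9_-]+)\s+(?P<outfile>\S+)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ScanCommand:
    nick: str      # who issued the command (the controlling nick)
    target: str    # channel or nick the command was sent to
    ip: str        # starting address of the sequential scan
    port: int      # port the bots are told to probe
    delay: int     # delay between probes
    kind: str      # scan type, e.g. "netbios"
    outfile: str   # file the bot is told to write results to


def parse_scan_command(line: str) -> Optional[ScanCommand]:
    """Return a ScanCommand if the IRC line carries one, else None."""
    m = PRIVMSG_RE.match(line.strip())
    if m is None:
        return None
    s = SCAN_RE.match(m.group("text").strip())
    if s is None:
        return None
    port = int(s.group("port"))
    if not 0 < port <= 65535:
        return None
    # Reject octets above 255 that the loose \d{1,3} pattern lets through.
    if any(int(octet) > 255 for octet in s.group("ip").split(".")):
        return None
    return ScanCommand(
        nick=m.group("nick"),
        target=m.group("target"),
        ip=s.group("ip"),
        port=port,
        delay=int(s.group("delay")),
        kind=s.group("kind").lower(),
        outfile=s.group("outfile"),
    )


def find_scan_commands(lines: Iterable[str]) -> List[ScanCommand]:
    """Run the parser over a log and collect every matching command."""
    found: List[ScanCommand] = []
    for line in lines:
        cmd = parse_scan_command(line)
        if cmd is not None:
            found.append(cmd)
    return found


# Constructed sample traffic: a server notice, a benign chat line that happens
# to contain the word "scan", and the slide's example command.
SAMPLE_IRC_LOG = [
    ":irc.example.net 001 zombie01 :Welcome to the network",
    ":alice!~alice@10.0.0.5 PRIVMSG #general :can someone scan the new doc for typos?",
    ":boss!~boss@10.0.0.9 PRIVMSG #bots :scan 127.0.0.1 17300 1 netbios portscan.txt",
]

if __name__ == "__main__":
    for cmd in find_scan_commands(SAMPLE_IRC_LOG):
        print(f"ALERT {cmd.nick} -> {cmd.target}: {cmd.kind} scan from "
              f"{cmd.ip}:{cmd.port} (delay {cmd.delay}, log {cmd.outfile})")
```

The benign line from alice is not reported because the pattern requires the full argument list, not just the keyword; in practice a detector like this belongs next to the other slide-level observations (a channel full of identically named clients, commands issued by a single nick) rather than on its own.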

17 GT Bot with DCOM
- Includes support for simple horizontal and vertical scanning

18 Botnet Attributes Considered
- Architecture
- Botnet control mechanisms
- Host control mechanisms
- Propagation mechanisms
- Exploits and attack mechanisms
- Malware delivery mechanisms
- Obfuscation methods
- Deception mechanisms

19 Agobot (4.0 Pre-Release)
- Has the most elaborate set of exploit modules of the four bots analyzed
- Bagle scanner: scans for back doors left by Bagle variants on port 2745
- DCOM scanner: scans for the well-known DCE-RPC buffer overflow
- MyDoom scanner: scans for back doors left by variants of the MyDoom worm on port 3127
- Dameware scanner: scans for vulnerable versions of the Dameware network administration tool
- NetBIOS scanner: brute-force password scanning for open NetBIOS shares
- Radmin scanner: scans for the Radmin buffer overflow

20 SDBot (05B)
- SDBot does not have any exploits packaged in its standard distribution
- It does include modules for sending both UDP and ICMP packets, which could be used for simple flooding attacks
- Other variants of SDBot contain more exploit modules

21 SpyBot (1.4)
- This version of SpyBot only included a module that attacked open NetBIOS shares
- The DDoS interface is closely related to SDBot's and includes the capabilities for launching simple UDP, ICMP, and TCP SYN floods
- Other variants of SpyBot contain more exploit modules

22 GT Bot with DCOM
- Developed to include RPC-DCOM exploits
- Has the capability to launch simple ICMP floods
- Other variants of GT Bot contain DDoS capabilities such as UDP and TCP SYN floods, as well as other known exploits

23 Botnet Attributes Considered
- Architecture
- Botnet control mechanisms
- Host control mechanisms
- Propagation mechanisms
- Exploits and attack mechanisms
- Malware delivery mechanisms
- Obfuscation methods
- Deception mechanisms

24 Agobot (4.0 Pre-Release)
- Of the four bots analyzed, only Agobot had elaborate deception mechanisms
- Mechanisms included:
  - Tests for debuggers such as OllyDebug, SoftIce and Procdump
  - Test for VMWare
  - Killing anti-virus processes
  - Altering DNS entries of anti-virus software companies to point to the local host
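The last of these deception mechanisms leaves a persistent artefact on the host that a defender can audit for. The following is an added example (not code from the paper, the slides, or Agobot) that parses a hosts file and reports anti-virus vendor names mapped to the local host. It assumes the common implementation of this trick, entries appended to the system hosts file, and the vendor domain list and hosts file contents are constructed for the demonstration; a real deployment would maintain its own list of vendor and update domains and read the live file.

```python
"""Audit a hosts file for anti-virus vendor names redirected to the local host.

Added example; not from the paper or the slides.  The slide describes Agobot
altering DNS entries of anti-virus companies to point to the local host; this
check assumes the usual implementation of that, entries in the hosts file.
"""
import ipaddress
from typing import List, Sequence, Tuple

# Constructed sample list of vendor/update domains; maintain your own in practice.
AV_VENDOR_SUFFIXES: Sequence[str] = (
    "symantec.com", "symantecliveupdate.com", "mcafee.com", "nai.com",
    "kaspersky.com", "kaspersky-labs.com", "sophos.com", "trendmicro.com",
    "f-secure.com", "avp.com",
)

Entry = Tuple[str, str]  # (address, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """Parse hosts-file syntax: '<address> <name> [<alias> ...]'; '#' starts a comment."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line, maps nothing
        address, names = fields[0], fields[1:]
        entries.extend((address, name.lower().rstrip(".")) for name in names)
    return entries


def points_to_local_host(address: str) -> bool:
    """True for loopback (127/8, ::1) and the unspecified address (0.0.0.0, ::),
    which black-holes the name just as effectively."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # not an IP literal; out of scope for this check
    return ip.is_loopback or ip.is_unspecified


def matches_vendor(name: str, suffixes: Sequence[str] = AV_VENDOR_SUFFIXES) -> bool:
    """Match the domain itself or any subdomain of it (update servers, CDNs)."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def find_sinkholed_vendor_entries(text: str,
                                  suffixes: Sequence[str] = AV_VENDOR_SUFFIXES) -> List[Entry]:
    """Return (address, name) pairs where a vendor name resolves to the local host."""
    return [(addr, name) for addr, name in parse_hosts(text)
            if points_to_local_host(addr) and matches_vendor(name, suffixes)]


# Constructed sample hosts file: legitimate localhost and intranet lines,
# followed by tampering of the kind the slide describes.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.corp.example   # internal, legitimate
127.0.0.1       www.symantec.com liveupdate.symantecliveupdate.com
0.0.0.0         update.sophos.com
127.0.0.1       downloads-us1.kaspersky-labs.com
"""

if __name__ == "__main__":
    for addr, name in find_sinkholed_vendor_entries(SAMPLE_HOSTS):
        print(f"SUSPICIOUS: {name} -> {addr}")
```

The two `localhost` lines and the intranet entry are not reported: the first two are loopback but not vendor names, the third is a vendor-independent address. Matching on suffixes rather than exact names catches update and download hosts that the vendor list does not enumerate individually.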

25 Conclusion
- Botnets are widely used and communicate using IRC
- The paper describes the functional components of botnets, categorized into eight components
- Understand your enemy

26 Strengths
- Presents information on the different bots in an organized fashion
- Is the first step toward codifying botnet capabilities

27 Weaknesses
- Only presents a high-level overview of a limited number of bots, and only presents one specific bot version
- More attention should be paid to a bot family rather than a specific bot

28 References
- An Inside Look at Botnets: http://pages.cs.wisc.edu/~pb/botnets_final.pdf
- Wikipedia, Botnet: http://en.wikipedia.org/wiki/Botnet
- Wikipedia, IRC: http://en.wikipedia.org/wiki/IRC