An Inside Look at Botnets. ARO-DHS Special Workshop on Malware Detection, 2005. Written by: Paul Barford and Vinod Yegneswaran, University of Wisconsin, Madison

An Inside Look at Botnets
- ARO-DHS Special Workshop on Malware Detection, 2005
- Written by: Paul Barford and Vinod Yegneswaran, University of Wisconsin, Madison
- Presented by: Jarrod Williams

Outline
- Motivation/Goals
- Botnets
- Botnet Attributes
- Conclusion/Review

Motivation/Goals
- Increase in botnet usage: spam, DDoS, identity theft
- The objective of the paper is to understand how botnets work and to find commonalities between them
- Botnets studied: Agobot (4.0 Pre-Release), SDBot (05B), SpyBot (1.4), GT Bot with DCOM

Motivation/Goals: attributes examined
- Architecture
- Botnet control mechanisms
- Host control mechanisms
- Propagation mechanisms
- Exploits and attack mechanisms
- Malware delivery mechanisms
- Obfuscation methods
- Deception mechanisms

Botnets
- A collection of compromised computers running software controlled by a single user
- Botnets are controlled by a botmaster
- Compromised host machines are called zombies
- Zombies communicate using IRC
- A botnet can contain many different versions of the same bot; related versions make up botnet families

Botnets (diagram slide)

Internet Relay Chat (IRC)
- A form of real-time Internet text messaging
- Mainly designed for group communication, but it also allows one-to-one communication via private message and data transfers via direct client-to-client (DCC) connections
- Created by Jarkko Oikarinen in August 1988

Botnet Attributes Considered
- Architecture
- Botnet control mechanisms
- Host control mechanisms
- Propagation mechanisms
- Exploits and attack mechanisms
- Malware delivery mechanisms
- Obfuscation methods
- Deception mechanisms

Agobot (4.0 Pre-Release)
- The most sophisticated of the four bots
- Released October 2002
- Hundreds of variants of this bot exist; it is also commonly referred to as Phatbot
- Roughly 20,000 lines of C/C++
- Can launch different kinds of DoS attacks
- Can harvest the local host for PayPal passwords and AOL keys through traffic sniffing, key logging, or searching registry entries

SDBot (05B)
- Fairly simple
- Released October 2002
- Hundreds of variants of this bot exist
- Slightly over 2,000 lines of C
- Does not include any overtly malicious code modules
- The code is obviously easy to extend and patch
- Patches supply the malicious code that attackers need; 80 patches for SDBot were found through web searching

SpyBot (1.4)
- Relatively small, like SDBot
- Released April 2003
- Under 3,000 lines of C
- The command and control engine appears to be shared with SDBot, and it likely evolved from SDBot
- Includes NetBIOS/Kuang/Netdevil/KaZaa exploits
- Contains modules for launching flooding attacks and has scanning capabilities

GT Bot with DCOM
- Simple design providing a limited set of functions
- Released April 1998
- Global Threat Bot has hundreds of variants and is also referred to as Aristotles
- Easy to modify, but nothing suggests it was designed with extensibility in mind
- Capabilities include port scanning, DoS attacks, and exploits for RPC and NetBIOS services
- Includes the HideWindow program, which keeps the bot hidden on the local system

Botnet Attributes Considered
- Architecture
- Botnet control mechanisms
- Host control mechanisms
- Propagation mechanisms
- Exploits and attack mechanisms
- Malware delivery mechanisms
- Obfuscation methods
- Deception mechanisms

Agobot (4.0 Pre-Release): propagation
- Simple vertical and horizontal scanning
- Scanning is based on the network ranges (network prefixes) configured on individual bots

SDBot (05B): propagation
- By virtue of its benign intent, SDBot does not have scanning or propagation capability in its base distribution
- Many variants of SDBot include scanning and propagation capability

SpyBot (1.4): propagation
- Simple command interface for scanning
- Horizontal and vertical scanning capability
- Scans are sequential
- Command: scan
- Example: scan netbios portscan.txt

GT Bot with DCOM: propagation
- Includes support for simple horizontal and vertical scanning

Botnet Attributes Considered
- Architecture
- Botnet control mechanisms
- Host control mechanisms
- Propagation mechanisms
- Exploits and attack mechanisms
- Malware delivery mechanisms
- Obfuscation methods
- Deception mechanisms

Agobot (4.0 Pre-Release): exploits and attack mechanisms
- Has the most elaborate set of exploit modules of the four bots analyzed
- Bagle scanner: scans for back doors left by Bagle variants on port 2745
- Dcom scanner: scans for the well-known DCE-RPC buffer overflow
- MyDoom scanner: scans for back doors left by variants of the MyDoom worm on port 3127
- Dameware scanner: scans for vulnerable versions of the Dameware network administration tool
- NetBIOS scanner: brute-force password scanning for open NetBIOS shares
- Radmin scanner: scans for the Radmin buffer overflow
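The propagation slides above distinguish horizontal scanning (one port across many hosts) from vertical scanning (many ports on one host), and the exploit slide names two backdoor ports, 2745 (Bagle) and 3127 (MyDoom), that Agobot's scanners probe. The following detector, written for this page as an added example rather than code from the paper or any of the bots, shows what those patterns look like from the defender's side: it groups connection attempts per source and flags both scan shapes plus any probe of the two ports the slide states. The flow records, thresholds and IP addresses are constructed; the other scanners on the slide are omitted because the page does not give their port numbers.

```python
from collections import defaultdict

# Backdoor ports named on the slide for Agobot's Bagle and MyDoom scanners.
# The Dcom, Dameware, NetBIOS and Radmin scanners target services whose port
# numbers the slide does not state, so they are deliberately not listed.
WATCHED_PORTS = {2745: "Bagle backdoor", 3127: "MyDoom backdoor"}

# Constructed sample of connection attempts as (src_ip, dst_ip, dst_port),
# the shape of record a flow collector or firewall log would provide.
SAMPLE_FLOWS = (
    # horizontal scan: one source, one port (445), many hosts
    [("10.0.5.7", f"192.168.1.{i}", 445) for i in range(1, 13)]
    # the same source also sweeps the Bagle backdoor port across hosts
    + [("10.0.5.7", f"192.168.1.{i}", 2745) for i in range(1, 11)]
    # vertical scan: one source, one host, many ports
    + [("10.0.5.9", "192.168.2.50", p) for p in range(20, 36)]
    # benign traffic: a handful of connections to ordinary services
    + [("10.0.5.3", "192.168.1.20", 80), ("10.0.5.3", "192.168.1.21", 443),
       ("10.0.5.3", "192.168.1.20", 25)]
)


def classify_scans(flows, host_threshold=8, port_threshold=8):
    """Group connection attempts per source and flag scan patterns.

    Returns a dict keyed by source IP. Each value has three entries:
      "horizontal": {dst_port: number of distinct hosts probed on that port}
      "vertical":   {dst_ip: number of distinct ports probed on that host}
      "watched":    sorted list of (dst_port, label) for backdoor-port probes
    Sources with no finding are omitted. Thresholds are assumed values.
    """
    hosts_per_port = defaultdict(lambda: defaultdict(set))
    ports_per_host = defaultdict(lambda: defaultdict(set))
    watched = defaultdict(set)
    for src, dst, dport in flows:
        hosts_per_port[src][dport].add(dst)
        ports_per_host[src][dst].add(dport)
        if dport in WATCHED_PORTS:
            watched[src].add((dport, WATCHED_PORTS[dport]))

    findings = {}
    for src in hosts_per_port:
        horizontal = {p: len(h) for p, h in hosts_per_port[src].items()
                      if len(h) >= host_threshold}
        vertical = {d: len(p) for d, p in ports_per_host[src].items()
                    if len(p) >= port_threshold}
        hits = sorted(watched.get(src, ()))
        if horizontal or vertical or hits:
            findings[src] = {"horizontal": horizontal,
                             "vertical": vertical,
                             "watched": hits}
    return findings


def report(findings):
    """Render findings as one alert line each, sorted by source."""
    lines = []
    for src, f in sorted(findings.items()):
        for port, n in sorted(f["horizontal"].items()):
            lines.append(f"{src}: horizontal scan, port {port} on {n} hosts")
        for dst, n in sorted(f["vertical"].items()):
            lines.append(f"{src}: vertical scan, {n} ports on {dst}")
        for port, label in f["watched"]:
            lines.append(f"{src}: probed {label} port {port}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(classify_scans(SAMPLE_FLOWS))))
```

A single source is counted once per distinct host or port, so repeated retries to the same target do not inflate the count; the watched-port check fires on even one attempt because there is no benign reason for a host to connect to a worm's backdoor port.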

SDBot (05B): exploits and attack mechanisms
- SDBot does not have any exploits packaged in its standard distribution
- It does include modules for sending both UDP and ICMP packets, which could be used for simple flooding attacks
- Other variants of SDBot contain more exploit modules

SpyBot (1.4): exploits and attack mechanisms
- This version of SpyBot only included a module that attacked open NetBIOS shares
- Its DDoS interface is closely related to SDBot's and includes the capability to launch simple UDP, ICMP, and TCP SYN floods
- Other variants of SpyBot contain more exploit modules

GT Bot with DCOM: exploits and attack mechanisms
- Developed to include RPC-DCOM exploits
- Has the capability to launch simple ICMP floods
- Other variants of GT Bot contain DDoS capabilities such as UDP and TCP SYN floods, as well as other known exploits

Botnet Attributes Considered
- Architecture
- Botnet control mechanisms
- Host control mechanisms
- Propagation mechanisms
- Exploits and attack mechanisms
- Malware delivery mechanisms
- Obfuscation methods
- Deception mechanisms

Agobot (4.0 Pre-Release): deception mechanisms
- Of the four bots analyzed, only Agobot had elaborate deception mechanisms
- Mechanisms included:
  - Tests for debuggers such as OllyDebug, SoftIce and Procdump
  - Test for VMware
  - Killing anti-virus processes
  - Altering DNS entries of anti-virus software companies to point to the local host
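The last deception mechanism on the slide, pointing anti-virus vendors' names at the local host so that updates and signature downloads silently fail, leaves a durable artefact a defender can audit for. The check below is an added example written for this page, not code from the paper or from Agobot; it assumes (as the slide does not say how the DNS alteration is done) that the redirection is made through the system hosts file, and it parses hosts-file text for watchlisted vendor names that resolve to a loopback address. The watchlist domains and the hosts-file content are constructed; in practice the watchlist would hold the update hostnames of the security products actually deployed.

```python
import ipaddress

# Constructed watchlist of hostnames whose resolution must not be overridden
# locally. Placeholder names; a real list holds the vendor update/download
# hosts of the security products in use on the estate.
WATCHLIST = {
    "updates.av-vendor.example",
    "download.av-vendor.example",
    "liveupdate.other-av.example",
}

# Constructed hosts-file content with two legitimate entries, one internal
# override, two vendor names pinned to loopback and one blackholed to 0.0.0.0.
SAMPLE_HOSTS = """\
# constructed hosts file sample
127.0.0.1       localhost
::1             localhost
10.1.2.3        intranet.corp.example   # legitimate internal entry
127.0.0.1 updates.av-vendor.example download.av-vendor.example
0.0.0.0   liveupdate.other-av.example
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from hosts-file text.

    Comments (from '#' to end of line) and blank lines are ignored, a line
    may map one address to several names, and lines whose first field is
    not a valid IP address are skipped rather than raising.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; not our concern here
        for name in fields[1:]:
            yield addr, name.lower()


def find_tampering(text, watchlist=WATCHLIST):
    """Return (hostname, address, kind) for every watchlisted name in the file.

    kind is "redirected to localhost" for loopback addresses (the behaviour
    the slide describes), "blackholed (0.0.0.0)" for the unspecified address,
    and "overridden" for anything else, since a vendor name should never be
    pinned in the hosts file at all.
    """
    findings = []
    for addr, name in parse_hosts(text):
        if name not in watchlist:
            continue
        if addr.is_loopback:
            kind = "redirected to localhost"
        elif addr.is_unspecified:
            kind = "blackholed (0.0.0.0)"
        else:
            kind = "overridden"
        findings.append((name, str(addr), kind))
    return findings


if __name__ == "__main__":
    for name, addr, kind in find_tampering(SAMPLE_HOSTS):
        print(f"{name} -> {addr}: {kind}")
```

To run it against a live system, read the platform's hosts file (for example /etc/hosts, or %SystemRoot%\System32\drivers\etc\hosts on Windows) and pass its contents to find_tampering; any result is worth an investigation, because the slide's other mechanisms (killing anti-virus processes, debugger and VMware checks) typically accompany this one.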

Conclusion
- Botnets are widely used and communicate using IRC
- The paper describes the functional components of botnets, categorized into eight components
- Understand your enemy

Strengths
- Presents information on the different bots in an organized fashion
- Is the first step toward codifying botnet capabilities

Weaknesses
- Only presents a high-level overview of a limited number of bots, and only one specific version of each
- More attention should be paid to a bot family rather than to one specific bot version

References
- An Inside Look at Botnets
- Wikipedia