Defending Against Botnets
Jim Lippard, Director, Information Security Operations, Global Crossing
ASU Cyber Security Week, November 2, 2005
Agenda
- Evolution of botnets
- What’s the problem?
- Current botnet ecology and life cycle
- Why botnets?
- Defense mechanisms: prevention, detection, response
- What does the future hold?
Evolution of botnets
- Rise of the botnets
- Botnets today
Rise of the botnets
- Early 1990s: IRC channel bots (e.g., eggdrop, mIRC scripts, ComBot, etc.).
- Late 1990s: Denial of service tools (e.g., Trinoo, Tribal Flood Network, Stacheldraht, Shaft, etc.).
- 2000: Merger of DDoS tools, worms, and rootkits (e.g., Stacheldraht+t0rnkit+Ramen worm; Lion worm+TFN2K).
- 2002: IRC-controlled bots implementing DDoS attacks.
- 2003: IRC-controlled bots spread with worms and viruses, fully implementing DDoS, spyware, and malware distribution activity. (Dave Dittrich, “Invasion Force,” Information Security, March 2005, p. 30)
- 2003-2005: Botnets used as a criminal tool for extortion, fraud, identity theft, computer crime, spam, and phishing.
Botnets today
- Botnets are collections of compromised machines under the control of a single entity, usually via a single controlling host, the botnet controller.
- Agobot/Phatbot is well-written, modular code supporting DoS attacks, spam proxying, the ability to launch viruses, scan for vulnerabilities, steal Windows Product Keys, sniff passwords, support GRE tunnels, self-update, etc. Phatbot’s control channel is WASTE (encrypted P2P) instead of IRC.
- Other common bots: Korgobot, SpyBot, Optix Pro, rBot, SDBots, Toxbot.
- A majority of viruses contain backdoors/create botnets (MessageLabs, 2004 Annual Report). About 9% of spam is sent via botnets (MessageLabs, September 2005 Report).
- Bots refute the common argument that “there’s nothing on my computer that anyone would want” (usually given as an excuse not to bother securing the system).
What’s the problem?
- Malicious traffic trends
- GLBC downstream malware-infected hosts
- Internet-wide malware-infected hosts
- GLBC downstream phishing websites
- GLBC downstream botnet controllers
Malicious traffic trends
Drop in DoS attacks and email-based attacks other than phishing.

Percentage of email that is spam: 2002: 9%. 2003: 40%. 2004: 73%. 3Q 2005: 66.7%.
Percentage of email containing viruses: 2002: 0.5%. 2003: 3%. 2004: 6.1%. 3Q 2005: 2.4%.
Number of phishing emails:
- Total through September 2003: 293
- Total through September 2004: >2 million
- Monthly since September 2004: 2-9.1 million
- September 2005: 4.8 million
(Source: MessageLabs 2004 end-of-year report, September 2005 report.)

Denial of Service Attacks (reported): 2002: 48 (16/mo). 2003: 409 (34/mo). 2004: 482 (40/mo). Jan. 1-Oct. 28, 2005: 246 (25/mo). (1Q: 77, 26/mo; 2Q: 64, 21/mo; 3Q: 84, 28/mo; Oct: 23.) (2005 minus September’s 40: 206, 23/mo.)
(Above from Global Crossing; 2002 is for Oct-Dec only.)
[Chart] GLBC downstream malware-infected hosts (per week)

[Chart] Infected hosts: Internet/GLBC downstreams (per week)

Phishing websites
- Mar. 2005: 6
- Apr. 2005: 22
- May 2005: 25
- Jun. 2005: 46
- Jul. 2005: 213
- Aug. 2005: 256
- Sep. 2005: 219
- Oct. (1-28) 2005: 223

[Chart] Phishing websites downstream of AS 3549 (per day)

[Chart] Botnet controllers downstream of AS 3549 (per day)
Current botnet ecology and life cycle
- System components
- Human components
- Bot life cycle
- Botnet life cycle
System components
- Botnet controllers: Usually compromised Unix hosts located in webhosting colo space, running ircd.
- Bots: Usually compromised Windows hosts with connectivity from commercial broadband ISPs.
- Spam senders: Usually located in webhosting colo space; may be a bogus company, fake webhoster, or fake ISP.
- Proxy web interface or custom application: May be hosted/distributed through legitimate large ISPs.
- Marketing/deal-making locations: Public IRC channels, web-based message boards.
Top sources of botnet controllers
As of June 7, 2005, data from Prof. Randall Vaughn, Baylor Univ., posted to NANOG.

ASN    Responsible Party                 Unique C&Cs  Open-unresolved
6517   YIPESCOM - Yipes Communication             60               41
21840  SAGONET-TPA - Sago Networks                90               24
25761  STAMINUS-COMM - Staminus Commu             86               20
4766   KIXS-AS-KR Korea Telecom                   43               20
13680  AS13680 Hostway Corporation Ta             22               19
21698  NEBRIX-CA - Nebrix Communicati             24               18
13301  UNITEDCOLO-AS Autonomous Syste             27               17
21788  NOC - Network Operations Cente             29               16
29415  EUROWAN-ASN OVANET - EuroWan d             16               15
13749  EVERYONES-INTERNET - Everyones             24               14
30083  SERVER4YOU - Server4You Inc.               21               14
25700  SWIFTDESK - SWIFTDESK VENTURE              13               13
23522  CIT-FOONET - CREATIVE INTERNET             14               12
27595  ATRIVO-AS - Atrivo                         31               11
13237  LAMBDANET-AS European Backbone             11               11
Phatbot functionality
Phatbot command list (from LURHQ):

bot.command            runs a command with system()
bot.unsecure           enable shares / enable dcom
bot.secure             delete shares / disable dcom
bot.flushdns           flushes the bot's dns cache
bot.quit               quits the bot
bot.longuptime         if uptime > 7 days then bot will respond
bot.sysinfo            displays the system info
bot.status             gives status
bot.rndnick            makes the bot generate a new random nick
bot.removeallbut       removes the bot if id does not match
bot.remove             removes the bot
bot.open               opens a file (whatever)
bot.nick               changes the nickname of the bot
bot.id                 displays the id of the current code
bot.execute            makes the bot execute a .exe
bot.dns                resolves ip/hostname by dns
bot.die                terminates the bot
bot.about              displays the info the author wants you to see
shell.disable          disable shell handler
shell.enable           enable shell handler
shell.handler          fallback handler for shell
commands.list          lists all available commands
plugin.unload          unloads a plugin (not supported yet)
plugin.load            loads a plugin
cvar.saveconfig        saves config to a file
cvar.loadconfig        loads config from a file
cvar.set               sets the content of a cvar
cvar.get               gets the content of a cvar
cvar.list              prints a list of all cvars
inst.svcdel            deletes a service from scm
inst.svcadd            adds a service to scm
inst.asdel             deletes an autostart entry
inst.asadd             adds an autostart entry
logic.ifuptime         exec command if uptime is bigger than specified
mac.login              logs the user in
mac.logout             logs the user out
ftp.update             executes a file from a ftp url
ftp.execute            updates the bot from a ftp url
ftp.download           downloads a file from ftp
http.visit             visits an url with a specified referrer
http.update            executes a file from a http url
http.execute           updates the bot from a http url
http.download          downloads a file from http
rsl.logoff             logs the user off
rsl.shutdown           shuts the computer down
rsl.reboot             reboots the computer
pctrl.kill             kills a process
pctrl.list             lists all processes
scan.stop              signal stop to child threads
scan.start             signal start to child threads
scan.disable           disables a scanner module
scan.enable            enables a scanner module
scan.clearnetranges    clears all netranges registered with the scanner
scan.resetnetranges    resets netranges to the localhost
scan.listnetranges     lists all netranges registered with the scanner
scan.delnetrange       deletes a netrange from the scanner
scan.addnetrange       adds a netrange to the scanner
ddos.phatwonk          starts phatwonk flood
ddos.phaticmp          starts phaticmp flood
ddos.phatsyn           starts phatsyn flood
ddos.stop              stops all floods
ddos.httpflood         starts an HTTP flood
ddos.synflood          starts a SYN flood
ddos.udpflood          starts a UDP flood
redirect.stop          stops all redirects running
redirect.socks         starts a socks4 proxy
redirect.https         starts an https proxy
redirect.http          starts an http proxy
redirect.gre           starts a gre redirect
redirect.tcp           starts a tcp port redirect
harvest.aol            makes the bot get aol stuff
harvest.cdkeys         makes the bot get a list of cdkeys
harvest.emailshttp     makes the bot get a list of emails via http
harvest.emails         makes the bot get a list of emails
waste.server           changes the server the bot connects to
waste.reconnect        reconnects to the server
waste.raw              sends a raw message to the waste server
waste.quit
waste.privmsg          sends a privmsg
waste.part             makes the bot part a channel
waste.netinfo          prints netinfo
waste.mode             lets the bot perform a mode change
waste.join             makes the bot join a channel
waste.gethost          prints netinfo when host matches
waste.getedu           prints netinfo when the bot is .edu
waste.action           lets the bot perform an action
waste.disconnect       disconnects the bot from waste
Slides with titles only (no transcribed body text):
- Ruslan Ibragimov/send-safe.com
- Spammer Bulletin Board
- Looking for an Exploit
- Trojan software wanted
Human components
- Botherd: Collects and manages bots.
- Botnet seller: Sells the use of bots (or proxies) to spammers.
- Spammer: Sends spam.
- Sponsor: Pays spammer to promote products or services.
- Exploit developer: Develops code to exploit vulnerabilities.
- Bot developer: Develops (or more commonly, modifies existing) bot code.
- Money launderer (“payment processor”): Work-at-home opportunity to process payments/launder money for “sponsors.”
- Phishers: Collectors of user identity and bank information.
- Cashers: Use phished bank data to make fake ATM cards and withdraw funds.
Bot life cycle
1. Miscreant (botherd) launches worm, virus, or other mechanism to infect Windows machine.
2. Infected machines contact botnet controller via IRC.
2.5. Infection vector closed.
3. Spammer (sponsor) pays miscreant for use of botnet.
4. Spammer uses botnet to send spam emails. (Usually NOT through the IRC channel; typically the botherd will open proxy ports on bots and provide a proxy list to the spammer.)
(Image from Wikipedia.)
Botnet life cycle
1. Compromise of controller.
2. Distribution of malware; compromise of individual bots.
3. Bots connect to controller; form botnet.
4. Botnet activity: used by botherd for own purposes or use sold to others.
5. Botnet controller identified by NSP/ISP security; monitored or shut down.
6. Bots become idle or attempt to contact another controller; some bots have vulnerabilities repaired.
Why botnets?
Botnets are used as an economic mechanism for shifting the costs of business (often illegal business) to others, including the costs of being caught engaging in illegal activity. Botnets (a) create a buffer between a criminal and the criminal activity and (b) provide a massive information processing resource at minimal cost to the criminal.

Some financial transactions which botnets facilitate:
- Sale of the use of bots.
- Use of bots for marketing the sale of products and services (often fraudulent or illegal) via spam.
- Use of bots for extortion (denial of service against online gambling companies, credit card processors, etc.).
- Use of bots to send phishing emails to steal personal identity and account information.
Defense mechanisms: prevention, detection, response
Prevention
- Prevent infections at the host: Endpoint Security, Vulnerability Management.
- Prevent malware delivery on the network: Firewalls, Intrusion Prevention Systems, “Clean IP,” Mail Filtering, Composite Blocking List.
- Prevent sale of services to miscreants: AUPs, contracts, customer screening.
- Prevent phishing: Tools to identify fake websites for end users.
Defense mechanisms: prevention, detection, response
Detection
- Detection of host infections: Host Intrusion Detection Systems (IDSs), honeypots, monitoring botnet controller activity.
- Detection of malware on the network: Network IDS, Netflow, Darknets/Internet Motion Sensors/Internet Telescopes, “honey monkeys.”
- Detection of spam operations/miscreants: Spamhaus, monitoring miscreant communications.
Defense mechanisms: prevention, detection, response
Response
- Nullrouting of botnet controllers
- Quarantining of bots, automated notifications
- Bot simulation/intentional infection/monitoring (Microsoft Honey Monkeys, Decoy Bot)
- Undercover investigation (ICCC, FBI)
- Civil and criminal prosecution (Microsoft August 2005 lawsuits against 13 spam operations using bots)
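Tying the detection slide (Netflow, monitoring botnet controller activity) to the response slide (quarantining bots, automated notifications): the following is an added example, not from the deck or Global Crossing. It runs a fan-in heuristic over constructed flow records, flagging an external host on an ircd port that holds many long-lived, low-volume connections from distinct internal hosts, and then lists those hosts for quarantine. The thresholds and the IRC port set are assumptions.

```python
"""Fan-in analysis over flow records to surface candidate IRC botnet controllers
and the internal hosts talking to them. Added example with constructed flows, not
the slides' or Global Crossing's tooling; thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

IRC_PORTS = set(range(6660, 6670)) | {7000}   # common ircd listening ports (assumed)


@dataclass(frozen=True)
class Flow:
    src: str            # internal client address
    dst: str            # external server address
    dport: int          # destination TCP port
    duration_s: int     # flow duration in seconds
    bytes_total: int    # bytes carried by the flow


def find_controller_candidates(
    flows: List[Flow],
    min_bots: int = 5,          # distinct internal clients needed to flag a server
    min_duration_s: int = 600,  # idle C&C sessions stay up for a long time
    max_bytes: int = 200_000,   # command traffic is low volume, unlike bulk transfer
) -> Dict[Tuple[str, int], Set[str]]:
    """Return {(server, port): internal clients} for IRC-port servers whose fan-in
    of long-lived, low-volume connections reaches min_bots."""
    fan_in: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for f in flows:
        if (f.dport in IRC_PORTS and f.duration_s >= min_duration_s
                and f.bytes_total <= max_bytes):
            fan_in[(f.dst, f.dport)].add(f.src)
    return {key: hosts for key, hosts in fan_in.items() if len(hosts) >= min_bots}


def quarantine_list(candidates: Dict[Tuple[str, int], Set[str]]) -> List[str]:
    """Internal hosts to quarantine and notify: every client of a flagged controller."""
    return sorted(set().union(*candidates.values())) if candidates else []


# Constructed flow records (TEST-NET addresses, RFC 5737).
SAMPLE_FLOWS: List[Flow] = (
    # eight internal hosts holding hour-long, low-volume sessions to one IRC server
    [Flow(f"10.0.0.{i}", "198.51.100.7", 6667, 3600 + i, 12_000) for i in range(1, 9)]
    # a short probe to the same server: below the duration floor, not counted
    + [Flow("10.0.0.50", "198.51.100.7", 6667, 5, 900)]
    # two long sessions to another IRC server: fan-in below min_bots
    + [Flow("10.0.0.60", "198.51.100.9", 6667, 4000, 15_000),
       Flow("10.0.0.61", "198.51.100.9", 6667, 4000, 15_000)]
    # ordinary short web fetches from many hosts: wrong port, ignored
    + [Flow(f"10.0.1.{i}", "203.0.113.5", 80, 20, 50_000) for i in range(1, 40)]
)

if __name__ == "__main__":
    found = find_controller_candidates(SAMPLE_FLOWS)
    for (server, port), hosts in found.items():
        print(f"candidate controller {server}:{port} with {len(hosts)} internal clients")
    print("quarantine/notify:", quarantine_list(found))
```

Lowering min_bots trades false positives for earlier detection; in practice the candidate list is confirmed against the controller before any null route, as the deck's response slide implies.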
Daily customer notifications

The following is a list of IP addresses on your network which we have good reason to believe may be compromised systems engaging in malicious activity. Please investigate and take appropriate action to stop any malicious activity you verify.

The following is a list of types of activity that may appear in this report:
BEAGLE BEAGLE3 BLASTER BOTNETS BOTS BRUTEFORCE DAMEWARE DEFACEMENT DIPNET DNSBOTS MYDOOM NACHI PHATBOT PHISHING SCAN445 SCANNERS SINIT SLAMMER SPAM TOXBOT

Open proxies and open mail relays may also appear in this report. Open proxies are designated by a two-character identifier (s4, s5, wg, hc, ho, hu, or fu) followed by a colon and a TCP port number. Open mail relays are designated by the word "relay" followed by a colon and a TCP port number. A detailed description of each of these may be found at https://security.gblx.net/reports.html

NOTE: IPs identified as hosting botnet controllers or phishing websites (marked with BOTNETS or PHISHING, respectively) may be null routed by Global Crossing following a separately emailed notice.

This report is sent on weekdays, Monday through Friday. If you would prefer a weekly report, sent on Mondays, please contact us by replying to this email to request it. We would prefer, however, that you receive and act upon these reports daily.

Unless otherwise indicated, timestamps are in UTC (GMT).

3549 | 208.50.20.164/32 | 2005-01-10 23:23:36 BOTNETS | GBLX Global Crossing Ltd.
3549 | 209.130.174.106/32 | 2005-02-03 15:58:06 tokeat.4two0.com TCP 13222 BOTNETS | GBLX Global Crossing Ltd.
3549 | 146.82.109.130 | 2005-03-24 10:01:30 BEAGLE3 | GBLX Global Crossing Ltd.
3549 | 195.166.97.130 | 2005-03-24 08:40:03 SPAM | GBLX Global Crossing Ltd.
3549 | 206.132.221.37 | 2005-03-24 01:56:13 PHATBOT | GBLX Global Crossing Ltd.
3549 | 206.132.93.5 | 2005-03-23 22:13:40 NACHI | GBLX Global Crossing Ltd.
3549 | 206.165.142.184 | 2005-03-23 09:35:53 SLAMMER | GBLX Global Crossing Ltd.
3549 | 206.165.192.5 | 2005-03-24 12:35:53 SPAM | GBLX Global Crossing Ltd.
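As an added example (not Global Crossing's own tooling), a parser for the report format above: it splits each line into ASN, prefix, UTC timestamp, optional detail, activity tag and organization, decodes the proxy and relay designators the preamble describes, and flags the BOTNETS/PHISHING entries that the NOTE says may be null routed. The field layout and the placement of proxy/relay designators in the tag position are inferred from the sample lines, and the two TEST-NET lines are constructed.

```python
"""Parser for the daily customer-notification report format shown on the slide.
Added example, not Global Crossing's tooling; field layout inferred from the sample
lines: ASN | address[/prefix] | YYYY-MM-DD HH:MM:SS [detail ...] TAG | responsible org."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Activity keywords named in the report preamble.
KNOWN_ACTIVITY = {
    "BEAGLE", "BEAGLE3", "BLASTER", "BOTNETS", "BOTS", "BRUTEFORCE",
    "DAMEWARE", "DEFACEMENT", "DIPNET", "DNSBOTS", "MYDOOM", "NACHI",
    "PHATBOT", "PHISHING", "SCAN445", "SCANNERS", "SINIT", "SLAMMER",
    "SPAM", "TOXBOT",
}
PROXY_IDS = {"s4", "s5", "wg", "hc", "ho", "hu", "fu"}   # open-proxy designators
NULLROUTE_CATEGORIES = {"BOTNETS", "PHISHING"}          # may be null routed per the NOTE


@dataclass
class ReportEntry:
    asn: int
    prefix: str             # normalised CIDR, e.g. 146.82.109.130/32
    seen: datetime          # UTC, as the preamble states
    category: str           # activity keyword, "proxy:<id>" or "relay"
    port: Optional[int]     # TCP port for proxy/relay designators, else None
    detail: str             # text between timestamp and tag (hostname, protocol, port)
    org: str
    nullroute_candidate: bool


def classify_tag(tag: str) -> Tuple[str, Optional[int]]:
    """Map the trailing tag of the middle field to (category, port).
    Assumption: a proxy/relay designator occupies the tag position."""
    if tag in KNOWN_ACTIVITY:
        return tag, None
    ident, sep, port_s = tag.partition(":")
    if sep and port_s.isdigit() and 0 < int(port_s) < 65536:
        if ident == "relay":
            return "relay", int(port_s)
        if ident in PROXY_IDS:
            return f"proxy:{ident}", int(port_s)
    raise ValueError(f"unknown activity designator {tag!r}")


def parse_entry(line: str) -> ReportEntry:
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 4:
        raise ValueError(f"expected 4 pipe-separated fields: {line!r}")
    asn_s, address, middle, org = parts
    tokens = middle.split()
    if len(tokens) < 3:
        raise ValueError(f"middle field needs a timestamp and a tag: {middle!r}")
    seen = datetime.strptime(" ".join(tokens[:2]), "%Y-%m-%d %H:%M:%S")
    category, port = classify_tag(tokens[-1])
    return ReportEntry(
        asn=int(asn_s),
        # ip_network validates the address and normalises a bare IP to a /32.
        prefix=str(ipaddress.ip_network(address, strict=False)),
        seen=seen.replace(tzinfo=timezone.utc),
        category=category, port=port,
        detail=" ".join(tokens[2:-1]), org=org,
        nullroute_candidate=category in NULLROUTE_CATEGORIES,
    )


def parse_report(text: str) -> List[ReportEntry]:
    """Parse every report line; preamble lines (not pipe-delimited) are skipped."""
    return [parse_entry(ln) for ln in text.splitlines() if ln.count("|") == 3]


def summarize(entries: List[ReportEntry]) -> Dict[str, int]:
    """Entries per category: the first triage view for an abuse desk."""
    return dict(Counter(e.category for e in entries))


# The report lines from the slide, plus two constructed lines (TEST-NET addresses,
# placeholder org) exercising the proxy and relay designator syntax.
SAMPLE_REPORT = """\
3549 | 208.50.20.164/32 | 2005-01-10 23:23:36 BOTNETS | GBLX Global Crossing Ltd.
3549 | 209.130.174.106/32 | 2005-02-03 15:58:06 tokeat.4two0.com TCP 13222 BOTNETS | GBLX Global Crossing Ltd.
3549 | 146.82.109.130 | 2005-03-24 10:01:30 BEAGLE3 | GBLX Global Crossing Ltd.
3549 | 195.166.97.130 | 2005-03-24 08:40:03 SPAM | GBLX Global Crossing Ltd.
3549 | 206.132.221.37 | 2005-03-24 01:56:13 PHATBOT | GBLX Global Crossing Ltd.
3549 | 206.132.93.5 | 2005-03-23 22:13:40 NACHI | GBLX Global Crossing Ltd.
3549 | 206.165.142.184 | 2005-03-23 09:35:53 SLAMMER | GBLX Global Crossing Ltd.
3549 | 206.165.192.5 | 2005-03-24 12:35:53 SPAM | GBLX Global Crossing Ltd.
3549 | 192.0.2.10 | 2005-03-24 07:12:00 s4:1080 | EXAMPLE-ORG (constructed)
3549 | 192.0.2.11 | 2005-03-24 07:15:30 relay:25 | EXAMPLE-ORG (constructed)
"""

if __name__ == "__main__":
    entries = parse_report(SAMPLE_REPORT)
    for e in entries:
        flag = "  <- null-route candidate" if e.nullroute_candidate else ""
        print(f"{e.prefix:20} {e.seen:%Y-%m-%d %H:%M} {e.category}{flag}")
    print(summarize(entries))
```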
What does the future hold?
A continued arms race between miscreants and defenders:
- Defenders will infiltrate, monitor, and prosecute.
- Miscreants will find new mechanisms to conceal their activity and place further layers of misdirection between themselves and their actions (P2P botnets without controllers, encryption, onion routing). They will continue to find new mechanisms to infect systems and create bots (email delivery, direct network infection, web-delivered code); duping humans into doing the work for them will continue to be the most difficult issue to address.
- The economic aspects of this activity need to be recognized to adequately address it: forcing miscreants to “internalize externalities” (bear the costs they are shifting to others), or shifting the costs to entities that are positioned to address the problem (e.g., ISP liability for malicious network traffic from direct customers).
Consequences of inaction
“For all online users, the report found that concern about identity theft is substantial, and is changing consumer behavior in major ways. Four in five Internet users (80 percent) are at least somewhat concerned someone could steal their identity from personal information on the Internet. Nearly nine out of ten users (86 percent) have made at least one change in their behavior because of this fear:
• 30 percent say they have reduced their overall use of the Internet.
• A majority of Internet users (53 percent) say they have stopped giving out personal information on the Internet.
• 25 percent say they have stopped buying things online.
• 54 percent of those who shop online report they have become more likely to read a site’s privacy policy or user agreement before buying.
• 29 percent of those who shop online say they have cut back on how often they buy on the Internet.”
(Consumer Reports WebWatch, “Leap of Faith: Using the Internet Despite the Dangers”)
Further Information
- Composite Blocking List: http://cbl.abuseat.org
- Registry Of Known Spam Operations (ROKSO): http://www.spamhaus.org
- Bot information: http://www.lurhq.com/research.html
- “Know Your Enemy: Tracking Botnets,” http://www.honeynet.org/papers/bots/
- MessageLabs 2004 end-of-year report, http://www.messagelabs.com/binaries/LAB480_endofyear_v2.pdf
- CAIDA Network Telescope: http://www.caida.org/analysis/security/telescope/
- Team Cymru DarkNet: http://www.cymru.com/Darknet/
- Internet Motion Sensor: http://ims.eecs.umich.edu/
- The Strider Honey Monkey Project: http://research.microsoft.com/HoneyMonkey/
- Christopher Abad, “The economy of phishing,” http://www.firstmonday.org/issues/issue10_9/abad/
- Brian McWilliams, Spam Kings, 2004, O’Reilly and Associates.
- Spammer-X, Inside the Spam Cartel, 2004, Syngress. (Read but don’t buy.)
- Gary Warner, “Phishing Investigations: It’s Time to Make Some Decisions,” April 26, 2005, Infragard Birmingham, AL.
- Consumer Reports WebWatch, “Leap of Faith: Using the Internet Despite the Dangers,” http://www.consumerwebwatch.org/dynamic/web-credibility-reports-princeton.cfm

Jim Lippard [email_address]

Defending Against Botnets

  • 1. Jim Lippard, Director, Information Security Operations, Global Crossing ASU Cyber Security Week November 2, 2005 Defending Against Botnets
  • 2. Agenda Evolution of botnets What’s the problem? Current botnet ecology and life cycle Why botnets? Defense mechanisms: prevention, detection, response What does the future hold?
  • 3. Evolution of botnets Rise of the botnets Botnets today
  • 4. Rise of the botnets Early 1990s: IRC channel bots (e.g., eggdrop, mIRC scripts, ComBot, etc.). Late 1990s: Denial of service tools (e.g., Trinoo, Tribal Flood Network, Stacheldraht, Shaft, etc.). 2000: Merger of DDoS tools, worms, and rootkits (e.g., Stacheldraht+t0rnkit+Ramen worm; Lion worm+TFN2K). 2002: IRC-controlled bots implementing DDoS attacks. 2003: IRC-controlled bots spread with worms and viruses, fully implementing DDoS, spyware, malware distribution activity. (Dave Dittrich, “Invasion Force,” Information Security , March 2005, p. 30) 2003-2005: Botnets used as a criminal tool for extortion, fraud, identity theft, computer crime, spam, and phishing.
  • 5. Botnets today Botnets are collections of compromised machines under the control of a single entity, usually via a single controlling host—a botnet controller. Agobot/Phatbot is well-written, modular code supporting DoS attacks, spam proxying, ability to launch viruses, scan for vulnerabilities, steal Windows Product Keys, sniff passwords, support GRE tunnels, self-update, etc. Phatbot control channel is WASTE (encrypted P2P) instead of IRC. Other common bots: Korgobot, SpyBot, Optix Pro, rBot, SDBots, Toxbot. A majority of viruses contain backdoors/create botnets (MessageLabs, 2004 Annual Report). About 9% of spam is sent via botnets (MessageLabs, September 2005 Report) Bots refute the common argument that “there’s nothing on my computer that anyone would want” (usually given as an excuse not to bother securing the system).
  • 6. What’s the problem? Malicious traffic trends GLBC downstream malware-infected hosts Internet-wide malware-infected hosts GLBC downstream phishing websites GLBC downstream botnet controllers
  • 7. Malicious traffic trends Drop in DoS attacks and email-based attacks other than phishing. Percentage of email that is spam: 2002: 9%. 2003: 40%. 2004: 73%. 3Q 2005: 66.7% Percentage of email containing viruses: 2002: 0.5%. 2003: 3%. 2004: 6.1%. 3Q 2005: 2.4% Number of phishing emails: Total through September 2003: 293 Total through September 2004: >2 million Monthly since September 2004: 2-9.1 million September 2005: 4.8 million (Source: MessageLabs 2004 end-of-year report, September 2005 report.) Denial of Service Attacks (reported): 2002: 48 (16/mo). 2003: 409 (34/mo). 2004: 482 (40/mo). Jan. 1-Oct. 28, 2005: 246 (25/mo). (1Q: 77—26/mo, 2Q: 64—21/mo, 3Q: 84—28/mo, Oct: 23) (2005 minus Sep’s 40: 206—23/mo) (Above from Global Crossing; 2002 is for Oct-Dec only.)
  • 9. Infected hosts: Internet/GLBC downstreams (per week)
  • 10. Phishing websites Mar. 2005: 6 Apr. 2005: 22 May 2005: 25 Jun. 2005: 46 Jul. 2005: 213 Aug. 2005: 256 Sep. 2005: 219 Oct. (1-28) 2005: 223
  • 11. Phishing websites downstream of AS 3549 (per day)
  • 12. Botnet controllers downstream of AS 3549 (per day)
  • 13. Current botnet ecology and life cycle System components Human components Bot life cycle Botnet life cycle
  • 14. System components Botnet controllers: Usually compromised Unix hosts located in webhosting colo space, running ircd. Bots: Usually compromised Windows hosts with connectivity from commercial broadband ISPs. Spam senders: Usually located in webhosting colo space, may be bogus company, fake webhoster or fake ISP. Proxy web interface or custom application: May be hosted/distributed through legitimate large ISPs. Marketing/deal-making locations: Public IRC channels, web-based message boards.
  • 15. Top sources of botnet controllers As of June 7, 2005, data from Prof. Randall Vaughn, Baylor Univ., posted to NANOG. ASN Responsible Party Unique C&Cs Open-unresolved 6517 YIPESCOM - Yipes Communication 60 41 21840 SAGONET-TPA - Sago Networks 90 24 25761 STAMINUS-COMM - Staminus Commu 86 20 4766 KIXS-AS-KR Korea Telecom 43 20 13680 AS13680 Hostway Corporation Ta 22 19 21698 NEBRIX-CA - Nebrix Communicati 24 18 13301 UNITEDCOLO-AS Autonomous Syste 27 17 21788 NOC - Network Operations Cente 29 16 29415 EUROWAN-ASN OVANET - EuroWan d 16 15 13749 EVERYONES-INTERNET - Everyones 24 14 30083 SERVER4YOU - Server4You Inc. 21 14 25700 SWIFTDESK - SWIFTDESK VENTURE 13 13 23522 CIT-FOONET - CREATIVE INTERNET 14 12 27595 ATRIVO-AS - Atrivo 31 11 13237 LAMBDANET-AS European Backbone 11 11
  • 16. Phatbot functionality Phatbot command list (from LURHQ) bot.command runs a command with system() bot.unsecure enable shares / enable dcom bot.secure delete shares / disable dcom bot.flushdns flushes the bots dns cache bot.quit quits the bot bot.longuptime If uptime > 7 days then bot will respond bot.sysinfo displays the system info bot.status gives status ot.rndnick makes the bot generate a new random nick bot.removeallbut removes the bot if id does not match bot.remove removes the bot bot.open opens a file (whatever) bot.nick changes the nickname of the bot bot.id displays the id of the current code bot.execute makes the bot execute a .exe bot.dns resolves ip/hostname by dns bot.die terminates the bot bot.about displays the info the author wants you to see shell.disable Disable shell handler shell.enable Enable shell handler shell.handler FallBack handler for shell commands.list Lists all available commands plugin.unload unloads a plugin (not supported yet) plugin.load loads a plugin cvar.saveconfig saves config to a file cvar.loadconfig loads config from a file cvar.set sets the content of a cvar cvar.get gets the content of a cvar cvar.list prints a list of all cvars inst.svcdel deletes a service from scm inst.svcadd adds a service to scm inst.asdel deletes an autostart entry inst.asadd adds an autostart entry logic.ifuptime exec command if uptime is bigger than specified mac.login logs the user in mac.logout logs the user out ftp.update executes a file from a ftp url ftp.execute updates the bot from a ftp url ftp.download downloads a file from ftp http.visit visits an url with a specified referrer http.update executes a file from a http url http.execute updates the bot from a http url http.download downloads a file from http rsl.logoff logs the user off rsl.shutdown shuts the computer down rsl.reboot reboots the computer pctrl.kill kills a process pctrl.list lists all processes scan.stop signal stop to child threads scan.start signal start to child 
threads scan.disable disables a scanner module scan.enable enables a scanner module scan.clearnetranges clears all netranges registered with the scanner scan.resetnetranges resets netranges to the localhost scan.listnetranges lists all netranges registered with the scanner scan.delnetrange deletes a netrange from the scanner scan.addnetrange adds a netrange to the scanner ddos.phatwonk starts phatwonk flood ddos.phaticmp starts phaticmp flood ddos.phatsyn starts phatsyn flood ddos.stop stops all floods ddos.httpflood starts a HTTP flood ddos.synflood starts an SYN flood ddos.udpflood starts a UDP flood redirect.stop stops all redirects running redirect.socks starts a socks4 proxy redirect.https starts a https proxy redirect.http starts a http proxy redirect.gre starts a gre redirect redirect.tcp starts a tcp port redirect harvest.aol makes the bot get aol stuff harvest.cdkeys makes the bot get a list of cdkeys harvest.emailshttp makes the bot get a list of emails via http harvest.emails makes the bot get a list of emails waste.server changes the server the bot connects to waste.reconnect reconnects to the server waste.raw sends a raw message to the waste server waste.quit waste.privmsg sends a privmsg waste.part makes the bot part a channel waste.netinfo prints netinfo waste.mode lets the bot perform a mode change waste.join makes the bot join a channel waste.gethost prints netinfo when host matches waste.getedu prints netinfo when the bot is .edu waste.action lets the bot perform an action waste.disconnect disconnects the bot from waste
  • 19. Looking for an Exploit
  • 21. Human components Botherd: Collects and manages bots. Botnet seller: Sells the use of bots (or proxies) to spammers. Spammer: Sends spam. Sponsor: Pays spammer to promote products or services. Exploit developer: Develops code to exploit vulnerabilities. Bot developer: Develops (or more commonly, modifies existing) bot code. Money launderer (“payment processor”): Work-at-home opportunity to process payments/launder money for “sponsors.” Phishers: Collectors of user identity and bank information. Cashers: Use phished bank data to make fake ATM cards and withdraw funds.
  • 22. Bot life cycle Miscreant (botherd) launches worm, virus, or other mechanism to infect Windows machine. Infected machines contact botnet controller via IRC. 2.5: Infection vector closed. Spammer (sponsor) pays miscreant for use of botnet. Spammer uses botnet to send spam emails. (Usually NOT through IRC channel; typically botherd will open proxy ports on bots and provide proxy list to spammer.) (Image from Wikipedia.)
  • 23. Botnet life cycle 1. Compromise of controller. 2. Distribution of malware—compromise of individual bots. 3. Bots connect to controller; form botnet. 4. Botnet activity—used by botherd for own purposes or use sold to others. 5. Botnet controller identified by NSP/ISP security; monitored or shutdown. 6. Bots become idle or attempt to contact another controller; some bots have vulnerabilities repaired.
  • 24. Why botnets? Botnets are used as an economic mechanism for shifting costs of business (often illegal business) to others, including the costs of being caught engaging in illegal activity. Botnets (a) create a buffer between a criminal and criminal activity and (b) provide a massive information processing resource at minimal cost to the criminal. Some financial transactions which botnets facilitate: Sale of the use of bots. Use of bots for marketing the sale of products and services (often fraudulent or illegal) via spam. Use of bots for extortion (denial of service against online gambling companies, credit card processors, etc.). Use of bots to send phishing emails to steal personal identity and account information.
  • 25. Defense mechanisms: prevention, detection, response Prevention Prevent infections at the host: Endpoint Security, Vulnerability Management. Prevent malware delivery on the network: Firewalls, Intrusion Prevention Systems, “Clean IP,” Mail Filtering, Composite Blocking List. Prevent sale of services to miscreants: AUPs, contracts, customer screening. Prevent phishing: Tools to identify fake websites for end users.
  • 26. Defense mechanisms: prevention, detection, response Detection Detection of host infections: Host Intrusion Detection Systems (IDS’s), honeypots, monitoring botnet controller activity. Detection of malware on the network: Network IDS, Netflow, Darknets/Internet Motions Sensors/Internet Telescopes, “honey monkeys.” Detection of spam operations/miscreants: Spamhaus, monitoring miscreant communications.
• 27. Defense mechanisms: prevention, detection, response
 Response
 - Nullrouting of botnet controllers.
 - Quarantining of bots, automated notifications.
 - Bot simulation/intentional infection/monitoring (Microsoft Honey Monkeys, Decoy Bot).
 - Undercover investigation (ICCC, FBI).
 - Civil and criminal prosecution (Microsoft August 2005 lawsuits against 13 spam operations using bots).
• 28. Daily customer notifications
 The following is a list of IP addresses on your network which we have good reason to believe may be compromised systems engaging in malicious activity. Please investigate and take appropriate action to stop any malicious activity you verify.
 The following is a list of types of activity that may appear in this report: BEAGLE BEAGLE3 BLASTER BOTNETS BOTS BRUTEFORCE DAMEWARE DEFACEMENT DIPNET DNSBOTS MYDOOM NACHI PHATBOT PHISHING SCAN445 SCANNERS SINIT SLAMMER SPAM TOXBOT
 Open proxies and open mail relays may also appear in this report. Open proxies are designated by a two-character identifier (s4, s5, wg, hc, ho, hu, or fu) followed by a colon and a TCP port number. Open mail relays are designated by the word "relay" followed by a colon and a TCP port number. A detailed description of each of these may be found at https://security.gblx.net/reports.html
 NOTE: IPs identified as hosting botnet controllers or phishing websites (marked with BOTNETS or PHISHING, respectively) may be null routed by Global Crossing following a separately emailed notice.
 This report is sent on weekdays, Monday through Friday. If you would prefer a weekly report, sent on Mondays, please contact us by replying to this email to request it. We would prefer, however, that you receive and act upon these reports daily.
 Unless otherwise indicated, timestamps are in UTC (GMT).
 3549 | 208.50.20.164/32 | 2005-01-10 23:23:36 BOTNETS | GBLX Global Crossing Ltd.
 3549 | 209.130.174.106/32 | 2005-02-03 15:58:06 tokeat.4two0.com TCP 13222 BOTNETS | GBLX Global Crossing Ltd.
 3549 | 146.82.109.130 | 2005-03-24 10:01:30 BEAGLE3 | GBLX Global Crossing Ltd.
 3549 | 195.166.97.130 | 2005-03-24 08:40:03 SPAM | GBLX Global Crossing Ltd.
 3549 | 206.132.221.37 | 2005-03-24 01:56:13 PHATBOT | GBLX Global Crossing Ltd.
 3549 | 206.132.93.5 | 2005-03-23 22:13:40 NACHI | GBLX Global Crossing Ltd.
 3549 | 206.165.142.184 | 2005-03-23 09:35:53 SLAMMER | GBLX Global Crossing Ltd.
 3549 | 206.165.192.5 | 2005-03-24 12:35:53 SPAM | GBLX Global Crossing Ltd.
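A parser for the notification format above, written from the customer's side, as an added example that is not part of the original presentation: it splits each row into ASN, address, UTC timestamp, category and trailing detail (the controller hostname and port on the second BOTNETS row, the proxy or relay port on s4/relay rows), then filters the rows to the netblocks the recipient actually operates and pulls out the BOTNETS/PHISHING rows that the NOTE says may be null routed. The eight report rows are the ones on the slide; the two proxy/relay rows, the documentation addresses in them and the sample netblocks are constructed for the example.

```python
# Added example (not from the original presentation): parser and triage for the
# daily notification report format shown on this slide.
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Union

# Proxy designators and "relay", each followed by a colon and a TCP port (per the report text).
PROXY_RE = re.compile(r"^(s4|s5|wg|hc|ho|hu|fu|relay):(\d+)$")
# Categories the NSP may null route after a separate notice (per the NOTE in the report).
NULLROUTE_CATEGORIES = {"BOTNETS", "PHISHING"}

# The first eight rows are the slide's own; the last two (s4 proxy, open relay on
# documentation addresses) are constructed to exercise the proxy/relay syntax.
SAMPLE_REPORT = """\
3549 | 208.50.20.164/32 | 2005-01-10 23:23:36 BOTNETS | GBLX Global Crossing Ltd.
3549 | 209.130.174.106/32 | 2005-02-03 15:58:06 tokeat.4two0.com TCP 13222 BOTNETS | GBLX Global Crossing Ltd.
3549 | 146.82.109.130 | 2005-03-24 10:01:30 BEAGLE3 | GBLX Global Crossing Ltd.
3549 | 195.166.97.130 | 2005-03-24 08:40:03 SPAM | GBLX Global Crossing Ltd.
3549 | 206.132.221.37 | 2005-03-24 01:56:13 PHATBOT | GBLX Global Crossing Ltd.
3549 | 206.132.93.5 | 2005-03-23 22:13:40 NACHI | GBLX Global Crossing Ltd.
3549 | 206.165.142.184 | 2005-03-23 09:35:53 SLAMMER | GBLX Global Crossing Ltd.
3549 | 206.165.192.5 | 2005-03-24 12:35:53 SPAM | GBLX Global Crossing Ltd.
3549 | 198.51.100.7 | 2005-03-24 07:12:11 s4:1080 | GBLX Global Crossing Ltd.
3549 | 198.51.100.8 | 2005-03-24 07:15:40 relay:25 | GBLX Global Crossing Ltd.
"""


@dataclass
class ReportEntry:
    asn: int
    ip: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
    seen: datetime            # timezone-aware, UTC as the report states
    category: str             # BOTNETS, SPAM, NACHI, ... or PROXY / RELAY
    detail: str               # leftover tokens, e.g. "tokeat.4two0.com TCP 13222" or "s4"
    port: Optional[int]       # proxy/relay port, or controller port when the row lists one
    as_name: str


def parse_line(line: str) -> ReportEntry:
    """Parse one 'ASN | IP[/32] | YYYY-MM-DD HH:MM:SS <detail...> <tag> | AS name' row."""
    asn, ip, event, as_name = [p.strip() for p in line.split(" | ")]
    ts, rest = event[:19], event[19:].split()
    seen = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    tag = rest[-1]
    port = None
    m = PROXY_RE.match(tag)
    if m:
        category = "RELAY" if m.group(1) == "relay" else "PROXY"
        detail = m.group(1)
        port = int(m.group(2))
    else:
        category = tag
        detail = " ".join(rest[:-1])
        # "<host> TCP <port> BOTNETS": the controller's listening port is the token before the tag.
        if category == "BOTNETS" and len(rest) >= 4 and rest[-2].isdigit():
            port = int(rest[-2])
    return ReportEntry(int(asn), ipaddress.ip_address(ip.split("/")[0]),
                       seen, category, detail, port, as_name)


def parse_report(text: str):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def triage(entries, my_nets):
    """Keep only entries inside the recipient's netblocks; return (by_category, urgent),
    where urgent holds the rows the NSP may null route."""
    nets = [ipaddress.ip_network(n) for n in my_nets]
    by_cat, urgent = {}, []
    for e in entries:
        if not any(e.ip in n for n in nets):
            continue
        by_cat.setdefault(e.category, []).append(e)
        if e.category in NULLROUTE_CATEGORIES:
            urgent.append(e)
    return by_cat, urgent


if __name__ == "__main__":
    by_cat, urgent = triage(parse_report(SAMPLE_REPORT), ["206.132.0.0/16", "208.50.20.0/24"])
    for cat, rows in sorted(by_cat.items()):
        print(cat, [str(r.ip) for r in rows])
    print("act before the null-route notice:", [str(r.ip) for r in urgent])
```

Filtering by netblock matters because the report is keyed to the ASN, not to a single customer, and a downstream that re-announces part of the space will otherwise chase rows that belong to someone else. The parser keeps the timestamp timezone-aware so that comparing report rows against local logs does not silently drift by the site's UTC offset.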
• 29. What does the future hold?
 A continued arms race between miscreants and defenders:
 - Defenders will infiltrate, monitor, and prosecute.
 - Miscreants will find new mechanisms to conceal their activity and place further layers of misdirection between themselves and their actions (P2P botnets without controllers, encryption, onion routing).
 - They will continue to find new mechanisms to infect systems and create bots (email delivery, direct network infection, web-delivered code); duping humans into doing the work for them will continue to be the most difficult issue to address.
 - The economic aspects of this activity need to be recognized to adequately address it: forcing miscreants to "internalize externalities" (bear the costs they are shifting to others), or shifting the costs to entities that are positioned to address the problem (e.g., ISP liability for malicious network traffic from direct customers).
• 30. Consequences of inaction
 "For all online users, the report found that concern about identity theft is substantial, and is changing consumer behavior in major ways. Four in five Internet users (80 percent) are at least somewhat concerned someone could steal their identity from personal information on the Internet. Nearly nine out of ten users (86 percent) have made at least one change in their behavior because of this fear:
 • 30 percent say they have reduced their overall use of the Internet.
 • A majority of Internet users (53 percent) say they have stopped giving out personal information on the Internet.
 • 25 percent say they have stopped buying things online.
 • 54 percent of those who shop online report they have become more likely to read a site's privacy policy or user agreement before buying.
 • 29 percent of those who shop online say they have cut back on how often they buy on the Internet."
 (Consumer Reports WebWatch, "Leap of Faith: Using the Internet Despite the Dangers")
• 31. Further Information
 Composite Blocking List: http://cbl.abuseat.org
 Registry Of Known Spam Operations (ROKSO): http://www.spamhaus.org
 Bot information: http://www.lurhq.com/research.html
 "Know Your Enemy: Tracking Botnets," http://www.honeynet.org/papers/bots/
 MessageLabs 2004 end-of-year report: http://www.messagelabs.com/binaries/LAB480_endofyear_v2.pdf
 CAIDA Network Telescope: http://www.caida.org/analysis/security/telescope/
 Team Cymru DarkNet: http://www.cymru.com/Darknet/
 Internet Motion Sensor: http://ims.eecs.umich.edu/
 The Strider HoneyMonkey Project: http://research.microsoft.com/HoneyMonkey/
 Christopher Abad, "The economy of phishing," http://www.firstmonday.org/issues/issue10_9/abad/
 Brian McWilliams, Spam Kings, 2004, O'Reilly and Associates.
 Spammer-X, Inside the Spam Cartel, 2004, Syngress. (Read but don't buy.)
 Gary Warner, "Phishing Investigations: It's Time to Make Some Decisions," April 26, 2005, Infragard Birmingham, AL.
 Consumer Reports WebWatch, "Leap of Faith: Using the Internet Despite the Dangers," http://www.consumerwebwatch.org/dynamic/web-credibility-reports-princeton.cfm
 Jim Lippard [email_address]