A Short Visit to the Bot Zoo

Attack Trends
Editors: Elias Levy, aleph1@securityfocus.com, and Iván Arce, ivan.arce@coresecurity.com
Published by the IEEE Computer Society, 1540-7993/05/$20.00 © 2005 IEEE, IEEE Security & Privacy, May/June 2005, pp. 76-79

Thorsten Holz, RWTH Aachen University

bot: n. [common on IRC, MUD, and among gamers; from "robot"] 1. An IRC or MUD user who is actually a program. On IRC, typically the robot provides some useful service. Examples are NickServ, which tries to prevent random users from adopting nicks already claimed by others, and MsgServ, which allows one to send asynchronous messages to be delivered when the recipient signs on. —The Jargon File, version 4.4.7

This past year has seen a new attack trend emerge: bots. After a successful compromise, the attacker installs a bot (also called a zombie or drone) on the system; this small program enables a remote control mechanism to then command the victim. Attackers use this technique repeatedly to form networks of compromised machines (botnets) to further enhance the effectiveness of their attacks.

A short history of bots

The first bot programs were used in Internet Relay Chat (IRC) networks; they reacted to events in IRC channels and offered services to users. Inappropriate behavior started to evolve around 1993, resulting in the IRC wars that caused the first distributed denial-of-service (DDoS) attacks. In recent years, malicious bots have become commonplace, with botnets in particular posing a severe threat to the Internet community. Attackers primarily use them for DDoS attacks, mass identity theft, or sending spam. A detailed introduction to botnets, how they work, and who uses them appears elsewhere (see http://honeynet.org/papers/bots/).

Bot characteristics

Three attributes characterize a bot: a remote control facility, the implementation of several commands, and a spreading mechanism to propagate it further. Let's look at each one in more detail.

A remote control lets an attacker manipulate infected machines. Bots currently implement several different approaches for this mechanism:

• Typically, the bot's controller uses a central IRC server for command and control (C&C). All bots join a specific channel on this server and interpret all the messages they receive there as commands. This structure is usually secured with the help of passwords to connect to the server, join a specific channel, or issue commands. Several bots also use SSL-encrypted communication.

• In other situations, such as when some bots avoid IRC and use covert communication channels, the controller uses communication channels via an HTTP or DNS tunnel instead of the IRC protocol. They can, for example, encode commands to the bots inside HTTP requests or within DNS TXT records. Another possibility is to hide commands in images (steganography).

• Some bots use peer-to-peer (P2P) communication mechanisms to avoid a central C&C server because it's a single point of failure. Expect to see more bots implement P2P communication similar to the protocol Slapper used.[1]

Typically, two types of commands are implemented over the remote control network: DDoS attacks and updates. DDoS attacks include SYN and UDP flooding or more clever ones such as spidering attacks (those that start from a given URL and follow all links in a recursive way) against Web sites. Update commands instruct the bot to download a file from the Internet and execute it. This lets the attacker issue arbitrary commands on the victim's machine and dynamically enhance the bot's features.
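The IRC-based C&C structure described above (a server password, a keyed channel, and bots that only listen) is something a network defender can look for in captured client/server traffic. The following is an added example, not code from the column or from the German Honeynet Project: it summarizes a constructed IRC session (hostnames, nicks, channel names and the "C:"/"S:" direction prefixes are all invented for illustration) and applies a simple heuristic based on the properties the text names.

```python
"""Summarize an IRC exchange the way a network sensor might, then apply a
bot-C&C heuristic. Constructed sample data; not a real capture."""
from dataclasses import dataclass, field

# Constructed session: "C:" lines go client -> server, "S:" lines server -> client.
BOT_SESSION = """\
C: PASS s3rv3rpass
C: NICK drone-4711
C: USER drone 0 * :drone
S: :irc.example.test 001 drone-4711 :Welcome
C: JOIN #ops ch4nk3y
S: :drone-4711!drone@203.0.113.9 JOIN :#ops
S: :irc.example.test 332 drone-4711 #ops :topic
S: :boss!boss@192.0.2.1 PRIVMSG #ops :update http://dl.example.test/a.bin
S: :boss!boss@192.0.2.1 PRIVMSG #ops :status
S: PING :irc.example.test
C: PONG :irc.example.test
"""

# Constructed session of a human user for comparison.
HUMAN_SESSION = """\
C: NICK alice
C: USER alice 0 * :Alice
S: :irc.example.test 001 alice :Welcome
C: JOIN #linux
S: :bob!bob@192.0.2.2 PRIVMSG #linux :hi alice
C: PRIVMSG #linux :hi bob
"""


@dataclass
class IrcSessionSummary:
    server_password_used: bool = False
    nick: str = ""
    channels: dict = field(default_factory=dict)  # channel -> key (None if no key)
    channel_messages_received: int = 0
    channel_messages_sent: int = 0


def summarize_irc_session(text):
    """Parse the direction-tagged lines and collect the C&C-relevant facts."""
    s = IrcSessionSummary()
    for raw in text.splitlines():
        direction, _, line = raw.partition(": ")
        if direction == "C":
            cmd, *args = line.split()
            if cmd == "PASS":
                s.server_password_used = True
            elif cmd == "NICK" and args:
                s.nick = args[0]
            elif cmd == "JOIN" and args:
                chans = args[0].split(",")
                keys = args[1].split(",") if len(args) > 1 else []
                for i, ch in enumerate(chans):
                    s.channels[ch] = keys[i] if i < len(keys) else None
            elif cmd == "PRIVMSG" and args and args[0].startswith("#"):
                s.channel_messages_sent += 1
        elif direction == "S":
            parts = line.split()
            # ":sender PRIVMSG #channel :text" is a message delivered in a channel.
            if (len(parts) >= 3 and parts[0].startswith(":")
                    and parts[1] == "PRIVMSG" and parts[2].startswith("#")):
                s.channel_messages_received += 1
    return s


def looks_like_bot_cc(summary):
    """Heuristic from the column's description: password-protected server, keyed
    channel, messages received in the channel, and the client never talks."""
    keyed = any(key for key in summary.channels.values())
    return (summary.server_password_used and keyed
            and summary.channel_messages_received > 0
            and summary.channel_messages_sent == 0)


if __name__ == "__main__":
    for name, session in (("bot", BOT_SESSION), ("human", HUMAN_SESSION)):
        summary = summarize_irc_session(session)
        print(name, summary, "-> bot C&C?", looks_like_bot_cc(summary))
```

The heuristic is deliberately narrow: a silent client in a keyed channel on a password-protected server is suspicious but not proof, and SSL-encrypted C&C (which the text also mentions) hides the lines entirely, so the same approach then has to fall back on connection metadata such as long-lived sessions to unusual ports.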
Other commands include functions for sending spam, stealing sensitive information from the victim (such as passwords or cookies), or using the victim's computer for other nefarious purposes.

The remote control facility and the commands that can be executed from it differentiate a bot from a worm, a program that propagates itself by attacking other systems and copying itself to them. But similar to a worm, most bots also include a mechanism to spread further, usually by automatically scanning whole network ranges and propagating themselves via vulnerabilities. These vulnerabilities usually appear in the Windows operating system, the most common being DCOM (MS03-026, buffer overrun in RPC interface could allow code execution) and LSASS (MS04-011, security update for Microsoft Windows). Attackers also integrate recently published exploits into their bots to react quickly to new trends.

Propagation via network shares and weak passwords on other machines is another common technique. The bot uses a list of passwords and usernames to log on to remote shares and then drops its copy. Some bots propagate by using P2P file-sharing protocols, such as Kazaa and BearShare; using interesting filenames, the bot drops copies of itself into these programs' shared folders. It generates the filename by randomly choosing from sets of strings.

An additional characteristic applies to bots that the German Honeynet Project captured in the wild: most of them have at least one executable packer, a small program that compresses/encrypts the actual binary. Typically, the attacker uses tools such as UPX (http://upx.sourceforge.net/) or Morphine (http://hxdef.czweb.org/download/Morphine27.zip) to pack the executable.

Examples and classification

Let's examine some specific bots in more detail. Table 1 gives a quantitative overview of the evolution of different bot types. It shows that Agobot, the bot that dominated the year 2004, is now less common.
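Because almost every captured bot arrives wrapped in an executable packer, a first triage step for an analyst is to recognize packing before attempting any reverse engineering. The following added example (not from the column or the Honeynet Project) walks the section table of a PE file and reports the usual packer indicators: UPX-style section names, a section with no file data but a large in-memory size (the unpacking destination), and near-maximal byte entropy. The two sample binaries are constructed in the block itself from hand-built headers; they are not real malware samples.

```python
"""Packer triage on PE section tables. Constructed samples; no real binaries."""
import math
import struct
from collections import Counter

OPTIONAL_HEADER_SIZE = 224  # PE32 optional header size used for the constructed samples
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER


def shannon_entropy(buf):
    """Bits of entropy per byte; 8.0 is the maximum for byte-valued data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def build_pe(sections):
    """Assemble a minimal (non-executable) PE image from (name, virtual_size, raw_bytes)
    tuples. Constructed purely so the parser below has something to read."""
    headers_end = 64 + 4 + 20 + OPTIONAL_HEADER_SIZE + 40 * len(sections)
    table, blobs, cursor = b"", [], headers_end
    for name, vsize, raw in sections:
        table += struct.pack(SECTION_HEADER_FMT, name.encode(), vsize, 0x1000,
                             len(raw), cursor if raw else 0, 0, 0, 0, 0, 0xE0000020)
        blobs.append(raw)
        cursor += len(raw)
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                              OPTIONAL_HEADER_SIZE, 0x102)
    return dos_header + b"PE\0\0" + coff_header + b"\0" * OPTIONAL_HEADER_SIZE + table + b"".join(blobs)


def pe_sections(data):
    """Parse the section table and compute per-section entropy of the raw data."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table_offset = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_HEADER_FMT, data, table_offset + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": shannon_entropy(raw)})
    return sections


def packer_indicators(data):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for s in pe_sections(data):
        if s["name"].upper().startswith("UPX"):
            findings.append(f"section {s['name']}: UPX section name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"section {s['name']}: no file data but {s['virtual_size']:#x} bytes "
                            "reserved in memory (typical unpacking destination)")
        if s["raw_size"] >= 256 and s["entropy"] > 7.0:
            findings.append(f"section {s['name']}: entropy {s['entropy']:.2f} suggests "
                            "compressed or encrypted content")
    return findings


# Constructed samples: a UPX-like layout with maximal-entropy data, and a plain one.
PACKED_SAMPLE = build_pe([("UPX0", 0x10000, b""), ("UPX1", 0x4000, bytes(range(256)) * 16)])
CLEAN_SAMPLE = build_pe([(".text", 0x1000, b"mov eax, 1; ret\n" * 256)])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, packer_indicators(sample) or ["no packer indicators"])
```

Section names are trivial for an attacker to rename, so the entropy and the empty-but-large-section checks are the ones that survive a customized packer; a legitimate binary with a large embedded compressed resource can also score high on entropy, so treat the output as triage input rather than a verdict.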
In contrast, attackers are increasingly using SDBot, and new variants appear daily.

Agobot and variants

Probably the best-known family of bots is Agobot/Gaobot, and its variants Phatbot (www.lurhq.com/phatbot.html), Forbot, and XtrmBot. The antivirus vendor Sophos currently lists more than 1,100 known different versions of Agobot, and this number is steadily increasing. Agobot's source code was published on various Web sites in April 2004, leading to new variants every week since.

A young German man using the pseudonym Ago first wrote Agobot in 2003; in May 2004, German authorities arrested and charged him with creating malicious computer code under the country's computer sabotage law. The bot is written in C++ with cross-platform capabilities, and it shows a highly abstract design. It's structured in a very modular way, which makes it easy to add commands or scanners for other vulnerabilities.

For remote control, this family of bots typically uses a central C&C IRC server. Some variants also use P2P communication via the decentralized WASTE network (http://waste.sourceforge.net/), thus avoiding a central server.

Agobot and its variants use a packet-sniffing library (libpcap) and Perl-compatible regular expressions to sniff and sort network traffic passing through the victim's computer. This malware can use the New Technology File System (NTFS) alternate data stream and offers rootkit capabilities such as file and process hiding to hide its own presence on a compromised host. As an added complication, reverse engineering this malware is difficult because it includes functions to detect debuggers and virtual machines, and it encrypts the configuration in the binary.

On startup, the program attempts to run a speed test for Internet connectivity. By accessing several servers and sending data to them, the bot tries to estimate the victim's available bandwidth.
Fortunately, this activity can help us estimate the actual number of hosts compromised by this particular bot: essentially, we look at the log files. If Agobot uses www.belwue.de as one of the domains for a speed test, for example, the domain's administrators can make an educated guess about the bot's deployment by monitoring how often the speed test is performed. In May 2004, the University of Stuttgart's Computer Emergency Response Team (RUS-CERT) identified approximately 300,000 unique IP addresses per day in this fashion.[2]

Table 1. New bot variants by month.

Month            Agobot   SDBot
May 2004            543     332
June 2004           249     654
July 2004           339    1018
August 2004         133     977
September 2004      123     818
October 2004        158    1111
November 2004       113    1156
December 2004       196    1637
January 2005        227    1539
February 2005        97    2010
March 2005          200    1689

This type of malware can also terminate the processes that belong to antivirus and monitoring applications; some variants can even modify the hosts file (which contains the host-name-to-IP-address mappings). The malware appends a list of Web site addresses (of antivirus vendors, for example) and redirects them to the loopback address, preventing the infected user from accessing the specified location.

SDBot and variants

At the moment, SDBot and its variants RBot, UrBot, UrXBot, and Spybot are the most active bots in the wild. The whole family is written in C, and literally thousands of different versions exist because the source code is public. SDBot's source code isn't as well designed or written as Agobot's, but it offers similar features, although the command set isn't as large, nor the implementation as sophisticated.

We can see bot evolution through time by looking at this particular family of bots: each new version integrates new features, and each new variant results in major enhancements.
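Two of the defensive observations in this passage translate directly into small analysis routines: counting distinct client addresses per day that fetch the speed-test resource (the method RUS-CERT used to estimate deployment), and checking a hosts file for security-vendor names that have been pointed at loopback. The following added example is not from the column or RUS-CERT; the log format is Apache common log format, the request path /speedtest/file.bin and all addresses and domain names are assumptions constructed for the example, and the hosts file content is likewise constructed.

```python
"""Two host-compromise indicators from the column: speed-test log counting and
hosts-file loopback redirects. All sample data is constructed."""
import re
from collections import defaultdict

# Constructed Apache common-log lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2004:10:01:22 +0200] "GET /speedtest/file.bin HTTP/1.1" 200 1048576
203.0.113.5 - - [12/May/2004:10:05:00 +0200] "GET /speedtest/file.bin HTTP/1.1" 200 1048576
198.51.100.9 - - [12/May/2004:11:00:00 +0200] "GET /speedtest/file.bin HTTP/1.1" 200 1048576
192.0.2.7 - - [12/May/2004:11:30:00 +0200] "GET /index.html HTTP/1.1" 200 2048
198.51.100.9 - - [13/May/2004:09:15:00 +0200] "GET /speedtest/file.bin HTTP/1.1" 200 1048576
203.0.113.77 - - [13/May/2004:09:16:00 +0200] "GET /speedtest/file.bin HTTP/1.0" 200 1048576
this line is not a log entry and must be skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2})/(?P<mon>[A-Za-z]{3})/(?P<year>\d{4}):[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def speedtest_clients_per_day(log_text, path="/speedtest/file.bin"):
    """Return {YYYY-MM-DD: number of distinct client IPs} for requests to `path`.
    Each IP counts once per day no matter how often it repeats the test."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["path"] != path:
            continue  # unparsable line or unrelated request
        day = f"{m['year']}-{MONTHS[m['mon']]:02d}-{m['day']}"
        clients[day].add(m["ip"])
    return {day: len(ips) for day, ips in sorted(clients.items())}


# Constructed hosts file; the vendor names use the reserved .test TLD.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
127.0.0.1       www.example-av-vendor.test   # appended by malware
127.0.0.1       update.example-av-vendor.test
"""

LOOPBACK_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}
EXPECTED_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                           "ip6-localhost", "ip6-loopback"}


def suspicious_hosts_entries(hosts_text):
    """Return (address, name) pairs where a non-local name is mapped to loopback."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr in LOOPBACK_ADDRS:
            findings.extend((addr, n) for n in names if n not in EXPECTED_LOOPBACK_NAMES)
    return findings


if __name__ == "__main__":
    print(speedtest_clients_per_day(SAMPLE_LOG))
    print(suspicious_hosts_entries(SAMPLE_HOSTS))
```

The per-day figure is only an estimate of infected hosts: NAT hides several machines behind one address, DHCP churn counts one machine several times, and legitimate users of the speed test have to be subtracted. For the hosts file, 0.0.0.0 entries are also produced by legitimate ad-blocking lists, so the findings need a review against a list of names the organization expects to see there.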
Attackers integrate new vulnerabilities quickly, and once one version has a new spreading capability, all the others integrate it immediately. Moreover, small modifications that can implement specific features (such as password encryption within the malware) can be integrated in all variants.

mIRC-based bots

We subsume all mIRC-based bots into the category of GT-bots: so many different versions of them exist that giving an overview of all the forks would be close to impossible. mIRC is a popular IRC client for Windows, and GT is an abbreviation for global threat, which is the common name used for all mIRC-scripted bots. GT-bots launch an instance of the mIRC chat client with a set of scripts and other binaries. One binary we usually find is a HideWindow executable that hides the mIRC instance from the user. The other binaries are mainly dynamic link libraries (DLLs) linked to mIRC that add some new features that the mIRC scripts can use to control the bot. The bots can access the spreading functions in the DLLs and thus enable further propagation. GT-bots spread by exploiting weaknesses on remote computers and uploading themselves to compromised hosts. One handicap is their large file size; they're sometimes bigger than a megabyte.
Other types of bots

Although some bots aren't as widespread as the ones we've just examined, some of them have interesting features that are worth reviewing.

Xot and its successor XT Bot implement a feature called dynamic remote settings stub (DRSS). DRSS hides the communication flow between attacker and bots by embedding the commands in a file (for example, within an image). The attacker then uploads this file to a server, and the bot on the victim's computer downloads it, extracts the information, and interprets the commands.

The Dataspy Network X bot is written in C++ and has a convenient interface that lets attackers write scanners and spreaders as plugins and extend the bot's features. This bot has a major disadvantage (the default version doesn't come with any spreaders), but plugins are available to overcome this gap. Additional plugins also offer services such as DDoS attacks, a portscan interface, or a hidden HTTP server.

Bobax uses HTTP requests as its communication channel and thus implements a stealthier remote control than IRC-based C&C. It also implements mechanisms to spread further by downloading and executing arbitrary files. In contrast to other bots, Bobax's primary purpose is to send spam. A detailed analysis of it appears elsewhere (www.lurhq.com/bobax.html).

aIRCBot is very small (only 2,560 bytes); it's not a typical bot because it implements only a rudimentary remote control mechanism, and it only understands raw IRC commands. It also completely lacks the functions to spread further. Likewise, Q8Bot and kaiten are small bots, consisting of only a few hundred lines of source code, but they have an additional noteworthiness: they're written for Unix/Linux systems. These programs implement all common bot features: dynamic updating via HTTP downloads, various DDoS attack capabilities, execution of arbitrary commands, and many more. In the version we've captured, the spreaders are missing, but we assume other versions of these bots have spreaders.
Many different versions of simple bots based on the programming language Perl exist, but these bots usually contain only a few hundred lines of source code and offer a rudimentary set of commands (most often just for DDoS attacks). This type of bot is typically used on Unix-based systems.

Bots are constantly evolving: attackers can integrate new vulnerabilities within an incredibly short time span, sometimes in a matter of hours or days. Furthermore, new techniques to hide the communication channel between bot and controller, new remote control mechanisms in the form of P2P communication, and other innovative ideas demonstrate that bots constitute an emerging security concern. The German Honeynet Project's current research focuses on automated ways to collect and analyze malware. We're developing techniques to observe botnets and to learn more about bots. As these threats continue to adapt and change, so too must the security community.

References

1. I. Arce and E. Levy, "An Analysis of the Slapper Worm," IEEE Security & Privacy, vol. 1, no. 1, 2003, pp. 82-87.
2. T. Fischer, "Botnetze," Proc. 12th DFN-CERT Workshop, DFN-CERT Services, 2005, pp. E1-E7.

Thorsten Holz is a research student at the Laboratory for Dependable Distributed Systems at RWTH Aachen University. His research interests include the practical aspects of secure systems, but he's also interested in more theoretical considerations of dependable systems. Holz is one of the founders of the German Honeynet Project. Contact him at holz@i4.informatik.rwth-aachen.de.