Botnets
Cyber security essential
Why HoneyPots
A great deal of the security profession and the IT world depends on honeypots. Honeypots:
◦ Build anti-virus signatures.
◦ Build SPAM signatures and filters.
◦ Let ISPs identify compromised systems.
◦ Assist law enforcement in tracking criminals.
◦ Hunt and shut down botnets.
◦ Support malware collection and analysis.
What are Honeypots
Honeypots are real or emulated vulnerable systems ready to be attacked.
The primary value of honeypots is to collect information.
This information is used to better identify, understand and protect against threats.
Honeypots add little direct value to protecting your network.
Types of HoneyPot
Server: Put the honeypot on the Internet and let the bad guys come to you.
Client: The honeypot initiates and interacts with servers.
Other: Proxies
Types of HoneyPot
Low-interaction
◦ Emulates services, applications, and OSs.
◦ Low risk and easy to deploy/maintain, but captures limited information.
High-interaction
◦ Real services, applications, and OSs.
◦ Captures extensive information, but high risk and time-intensive to maintain.
Types of HoneyPot
Production
◦ Easy to use/deploy
◦ Capture limited information
◦ Mainly used by companies/corporations
◦ Placed inside production network w/other servers
◦ Usually low interaction
Research
◦ Complex to maintain/deploy
◦ Capture extensive information
◦ Primarily used for research, military, or govt. orgs
Examples Of Honeypots
Low Interaction
◦ BackOfficer Friendly
◦ KFSensor
◦ Honeyd
High Interaction
◦ Honeynets
Honeynets
A high-interaction honeypot designed to capture in-depth information.
The information has different value to different organizations.
It's an architecture you populate with live systems, not a product or software.
Any traffic entering or leaving is suspect.
How It Works
A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.
◦ Data Control
◦ Data Capture
◦ Data Analysis
Honeynet Architecture
Data Control
• Mitigate the risk of the honeynet being used to harm non-honeynet systems.
• Count outbound connections.
• IPS (Snort-Inline)
• Bandwidth throttling
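The "count outbound connections" control above is the simplest of the three and is worth seeing as code. The block below is an added example, not code from the slides or from the Honeynet Project's Honeywall: a sliding-window counter that lets a honeypot open a limited number of outbound connections per window and drops the rest, so an intruder keeps working (and keeps being observed) but cannot use the honeypot against third parties. The class name, the limit, the window and the event list are all assumptions made for this example.

```python
# Added example, not from the slides: a minimal model of the Honeywall
# "count outbound connections" data-control rule. Class name, default
# limit and window are assumptions; the event list is constructed.
from collections import defaultdict


class OutboundLimiter:
    """Allow at most `limit` new outbound connections per honeypot per window.

    The honeypot stays reachable, but once its budget for the window is
    spent every further outbound connection is dropped.
    """

    def __init__(self, limit=15, window_seconds=3600):
        self.limit = limit
        self.window_seconds = window_seconds
        self._history = defaultdict(list)   # honeypot ip -> allowed timestamps

    def decide(self, honeypot_ip, timestamp):
        history = self._history[honeypot_ip]
        cutoff = timestamp - self.window_seconds
        # forget connections that fell out of the sliding window
        history[:] = [t for t in history if t > cutoff]
        if len(history) >= self.limit:
            return "DROP"
        history.append(timestamp)
        return "ALLOW"


# Constructed events: (seconds since start, honeypot ip, destination ip:port)
SAMPLE_EVENTS = [
    (0,    "10.0.0.5", "203.0.113.7:80"),
    (10,   "10.0.0.5", "203.0.113.8:25"),
    (20,   "10.0.0.5", "203.0.113.9:6667"),
    (30,   "10.0.0.5", "203.0.113.10:445"),
    (40,   "10.0.0.6", "203.0.113.7:80"),
    (3700, "10.0.0.5", "203.0.113.11:80"),   # first honeypot, one hour later
]


def run(events, limit=3, window_seconds=3600):
    """Return (honeypot, destination, decision) for each event in order."""
    limiter = OutboundLimiter(limit=limit, window_seconds=window_seconds)
    return [(ip, dst, limiter.decide(ip, ts)) for ts, ip, dst in events]


if __name__ == "__main__":
    for ip, dst, decision in run(SAMPLE_EVENTS):
        print(f"{decision:5} {ip} -> {dst}")
```

With a limit of 3 the fourth connection from 10.0.0.5 is dropped, the other honeypot is unaffected, and the same host is allowed again once the hour has passed. A real Honeywall counts per protocol (TCP, UDP, ICMP, other) and logs every drop; the logging is what turns this control into data capture as well.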
[Diagram slides: a honeynet with no data control, then the same honeynet with data control]
Data Capture
Capture all activity at a variety of levels:
◦ Network activity.
◦ Application activity.
◦ System activity.
Sebek
Hidden kernel module that captures all host activity.
Dumps activity to the network.
The attacker cannot sniff the Sebek traffic: the module hides the packets that match its magic number and destination port.
Sebek Architecture
Honeywall CDROM
An attempt to combine all requirements of a Honeywall onto a single, bootable CDROM.
by
Mohammad M. Masud
Botnets
Introduction
History
How do they spread?
What do they do?
Why care about them?
Detection and Prevention
Bot
The term 'bot' comes from 'robot'.
[Diagram: bot code on vulnerable machines, IRC channel/server, C&C traffic, updates and attack; together they form the botnet]
History
In the beginning, there were only good bots.
◦ ex: Google bot, game bots, etc.
[Timeline: 1989, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, Present]
Jeffrey Parson
◦ Released a variation of the Blaster worm
◦ Infected 48,000 computers worldwide
◦ 18 yrs old
◦ Arrested, sentenced to 18 months & 3 yrs of supervised release
How The Botnet Grows
Recruiting New Machines
Exploit a vulnerability to execute a short program (exploit) on the victim's machine
◦ Buffer overflows, email viruses, Trojans, etc.
The exploit downloads and installs the actual bot
The bot disables firewall and A/V software
The bot locates the IRC server, connects, and joins the channel
◦ Typically needs DNS to find out the server's IP address
◦ The authentication password is often stored in the bot binary
The botmaster issues commands
What Is It Used For
Botnets are mainly used for only one thing
How Are They Used
Distributed Denial of Service (DDoS) attacks
Sending spam
Phishing (fake websites)
Adware (Trojan horse)
Spyware (keylogging, information harvesting)
Storing pirated materials
Example : SDBot
Open-source malware
Aliases
◦ McAfee: IRC-SDBot, Symantec: Backdoor.Sdbot
Infection
◦ Mostly through network shares
◦ Tries to connect using password guessing (exploits weak passwords)
Signs of Compromise
◦ SDBot copies itself to the System folder - known filenames: Aim95.exe, Syscfg32.exe, etc.
◦ Registry entries modified
◦ Unexpected traffic: port 6667 or 7000
◦ Known IRC channels: Zxcvbnmas.i989.net, etc.
Example : RBot
First of the bot families to use encryption
Aliases
◦ McAfee: W32/SDbot.worm.gen.g, Symantec: W32.Spybot.worm
Infection
◦ Network shares, exploiting weak passwords
◦ Known software vulnerabilities in Windows (e.g., the LSASS buffer overflow vulnerability)
Signs of Compromise
◦ Copies itself to the System folder - known filenames: wuamgrd.exe, or random names
◦ Registry entries modified
◦ Terminates A/V processes
◦ Unexpected traffic: port 113 or other open ports
Example : Agobot
Modular Functionality
◦ Rather than infecting a system all at once, it proceeds through three stages (3 modules):
  infect a client with the bot & open a backdoor
  shut down A/V tools
  block access to A/V and security-related sites
◦ After successful completion of one stage, the code for the next stage is downloaded
Advantage?
◦ The developer can update or modify one portion/module without having to rewrite or recompile the entire code
Example : Agobot
Aliases
◦ McAfee: W32/Gaobot.worm, Symantec: W32.HLLW.Gaobot.gen
Infection
◦ Network shares, password guessing
◦ P2P systems: Kazaa, etc.
◦ Protocol: WASTE
Signs of Compromise
◦ System folder: svshost.exe, sysmgr.exe, etc.
◦ Registry entries modified
◦ Terminates A/V processes
◦ Modifies the %System\drivers\etc\hosts file
  Symantec/McAfee's live update sites are redirected to 127.0.0.1
Example : Agobot
Signs of Compromise (contd.)
◦ Theft of information: seeks and steals CD keys for popular games like "Half-Life", "NFS", etc.
◦ Unexpected traffic: open ports to the IRC server, etc.
◦ Scanning: Windows, SQL Server, etc.
DDoS Attack
Goal: overwhelm the victim machine and deny service to its legitimate clients
DoS often exploits networking protocols
◦ Smurf: ICMP echo request to a broadcast address with the spoofed victim's address as source
◦ Ping of death: ICMP packets with payloads greater than 64K crash older versions of Windows
◦ SYN flood: "open TCP connection" requests from a spoofed address
◦ UDP flood: exhaust bandwidth by sending thousands of bogus UDP packets
DDoS attack
Coordinated attack on a specified host
[Diagram: attacker -> zombie machines -> victim]
Why DDoS attack?
Extortion
◦ Take down systems until they pay
◦ Works sometimes too!
Example: 180 Solutions – Aug 2005
◦ Botmaster used bots to distribute 180 Solutions adware
◦ 180 Solutions shut down the botmaster
◦ Botmaster threatened to take down 180 Solutions if not paid
◦ When not paid, the botmaster used a DDoS attack
◦ 180 Solutions filed a civil lawsuit against the hackers
Botnet Detection
Host Based
Intrusion Detection Systems (IDS)
Anomaly Detection
IRC Nicknames
HoneyPot and HoneyNet
Host-based detection
Virus scanning
Watching for symptoms
◦ Modification of the Windows hosts file
◦ Random unexplained popups
◦ Machine slowness
◦ Antivirus not working
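The hosts-file symptom listed here is the same one the Agobot slides describe (security vendors' update sites redirected to 127.0.0.1), and it is cheap to check for. The block below is an added example, not code from the slides: it parses a hosts file and reports any watched vendor hostname that has been mapped to the loopback or unspecified address. The vendor suffix list is an assumption for this example and the sample file is constructed; the normal localhost entry is deliberately skipped.

```python
# Added example, not from the slides: parse a Windows hosts file and flag
# security-vendor hostnames that point at the loopback or unspecified
# address, the symptom the Agobot slide describes. The suffix list is an
# assumption and the sample file is constructed.
import ipaddress

WATCHED_SUFFIXES = (
    "symantec.com",
    "symantecliveupdate.com",
    "mcafee.com",
)

# Constructed hosts file: the first two lines are normal, the rest mimic
# the redirection described on the slides.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# constructed entries below
127.0.0.1       liveupdate.symantecliveupdate.com
127.0.0.1       update.symantec.com   # trailing comment
0.0.0.0         download.mcafee.com
192.0.2.10      intranet.example.local
"""


def parse_hosts(text):
    """Yield (line number, ip address, hostname) for every mapping in the file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed line, not a mapping
        for name in fields[1:]:
            yield lineno, addr, name.lower()


def _matches(name, suffixes):
    """True when name is one of the suffixes or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def find_hijacked(text, suffixes=WATCHED_SUFFIXES):
    """Return (line number, hostname, address) for watched names sent to a sinkhole."""
    hits = []
    for lineno, addr, name in parse_hosts(text):
        if name == "localhost":
            continue
        sinkholed = addr.is_loopback or addr.is_unspecified
        if sinkholed and _matches(name, suffixes):
            hits.append((lineno, name, str(addr)))
    return hits


if __name__ == "__main__":
    for lineno, name, addr in find_hijacked(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}")
```

On a real host, read %SystemRoot%\System32\drivers\etc\hosts instead of the constructed string; any hit means the machine can no longer fetch A/V updates and deserves a closer look.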
Watching for suspicious network traffic
◦ Since IRC is not commonly used, any IRC traffic is suspicious. Sniff this IRC traffic.
◦ Check if the host is trying to communicate with any Command and Control (C&C) center
◦ Through firewall logs: denied connections
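Both checks above can be run over firewall logs. The block below is an added example, not code from the slides: it parses log records, lists every connection to the IRC ports named on the SDBot slide (6667 and 7000), and reports internal hosts that are repeatedly denied to the same external address, the retry pattern of a bot that cannot reach its C&C. The log line format and the sample records are constructed for this example; adapt the regular expression to your firewall's real format.

```python
# Added example, not from the slides: scan firewall log lines for
# connections to IRC ports and for repeated denied connections from one
# host to one external address. The log format and samples are constructed.
import re
from collections import Counter

IRC_PORTS = {6667, 7000}          # ports named on the SDBot slide

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: one IRC session, three blocked retries, two
# harmless records and one line that is not a record at all.
SAMPLE_LOG = """\
2005-08-14T03:12:07 ALLOW TCP 192.168.1.23:1045 -> 198.51.100.5:6667
2005-08-14T03:12:09 ALLOW TCP 192.168.1.40:3301 -> 198.51.100.9:80
2005-08-14T03:13:01 DENY TCP 192.168.1.23:1046 -> 198.51.100.5:7000
2005-08-14T03:13:31 DENY TCP 192.168.1.23:1047 -> 198.51.100.5:7000
2005-08-14T03:14:01 DENY TCP 192.168.1.23:1048 -> 198.51.100.5:7000
2005-08-14T03:14:20 ALLOW UDP 192.168.1.40:5353 -> 192.168.1.1:53
this line is not a log record
"""


def parse_log(text):
    """Yield one dict per well-formed record; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def irc_connections(text, ports=IRC_PORTS):
    """(src, dst, dport, action) for every record aimed at an IRC port."""
    return [(r["src"], r["dst"], r["dport"], r["action"])
            for r in parse_log(text) if r["dport"] in ports]


def repeated_denials(text, threshold=3):
    """Host/destination pairs denied at least `threshold` times.

    A host that keeps retrying one blocked address looks like a bot
    beaconing to its C&C server.
    """
    counts = Counter((r["src"], r["dst"])
                     for r in parse_log(text) if r["action"] == "DENY")
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(irc_connections(SAMPLE_LOG))
    print(repeated_denials(SAMPLE_LOG))
```

The port list is only a first filter: bots can be configured to use any port, so the repeated-denial check, which does not depend on the port, is the more durable of the two.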
Network Intrusion Detection Systems
Example systems: Snort and Bro
Sniff network packets and look for specific patterns (called signatures)
If any pattern matches that of a malicious binary, block that traffic and raise an alert
These systems can efficiently detect viruses/worms with known signatures
Can't detect any malware whose signature is unknown (i.e., a zero-day attack)
Anomaly Detection
Normal traffic has some patterns
◦ Bandwidth/port usage
◦ Byte-level characteristics (histograms)
◦ Protocol analysis – gather statistics about TCP/UDP source and destination addresses, start/end of flow, byte count, DNS lookups
First learn the normal traffic pattern
Then detect any anomaly in that pattern
Example systems: SNMP, NetFlow
Problems:
◦ Poisoning
◦ Stealth
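The two steps (learn the normal pattern, then flag departures from it) and the poisoning problem are easiest to see on a tiny model. The block below is an added example, not code from the slides: it models one host's outbound-flow count per time bin as a mean and standard deviation, flags bins more than k standard deviations away, and then shows what happens when the learning window already contained the bot's traffic. The counts are constructed; real deployments would compute the same statistics from NetFlow or SNMP counters, usually per host and per hour of day.

```python
# Added example, not from the slides: a z-score baseline of the kind the
# slide outlines, with the "poisoning" problem shown on the same data.
# Counts are constructed: outbound flows per 5-minute bin for one host.
import statistics

BASELINE = [12, 15, 14, 13, 16, 12, 15, 14, 13, 15, 14, 12]


def learn(samples):
    """Model the normal pattern as (mean, standard deviation)."""
    return statistics.mean(samples), statistics.stdev(samples)


def zscore(value, model):
    """How many standard deviations `value` lies from the learned mean."""
    mean, stdev = model
    return (value - mean) / max(stdev, 1e-9)   # guard a constant baseline


def detect(observed, model, k=3.0):
    """Indices of observations more than k standard deviations from normal."""
    return [i for i, v in enumerate(observed) if abs(zscore(v, model)) > k]


if __name__ == "__main__":
    clean = learn(BASELINE)
    print(detect([14, 13, 90, 15], clean))          # bin 2 flagged
    # Poisoning: if the learning window already contained the bot's
    # traffic, the same burst becomes "normal" and is no longer flagged.
    poisoned = learn(BASELINE + [90, 88, 95])
    print(detect([14, 13, 90, 15], poisoned))       # nothing flagged
```

The stealth problem is the mirror image: a bot that keeps its traffic within a few standard deviations of the baseline (a handful of flows per bin) is never flagged by this kind of model, which is why the slides pair anomaly detection with the signature and honeypot approaches.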
IRC Nicknames
Bots use weird nicknames
But they have a certain pattern (really!)
If we can learn that pattern, we can detect bots & botnets
Example nicknames:
USA|016887436 or DE|028509327
Country | Random number (9 digits)
RBOT|XP|48124
Bot type | Machine type | Random number
Problem: May be defeated by changing the nickname randomly
HoneyPot and HoneyNet
A HoneyPot is a vulnerable machine, ready to be attacked
Example: unpatched Windows 2000 or Windows XP
Once attacked, the malware is caught inside
The malware is analyzed and its activity is monitored
When it connects to the C&C server, the server's identity is revealed
HoneyPot and HoneyNet
Thus much information about the bot is obtained:
◦ C&C server address, master commands
◦ Channel, nickname, password
Now do the following:
◦ Make a fake bot
◦ Join the same IRC channel with the same nickname/password
◦ Monitor who else is in the channel, thus observing the botnet
◦ Collect statistics – how many bots
◦ Collect sensitive information – who is being attacked, when, etc.
HoneyPot and HoneyNet
Finally, take down the botnet
HoneyNet: a network of honeypots (see the 'HoneyNet Project')
Very effective, worked in many cases
They also pose a great security risk
◦ If not maintained properly, a hacker may use them to attack others
◦ Must be monitored cautiously