Bots and Botnets The Automation of Computer Network Attacks

Page 1: Bots and Botnets The Automation of Computer Network Attacks

Bots and Botnets: The Automation of Computer Network Attacks

Written and researched by David Dittrich, The Information School, University of Washington

Presented by Amelia Phillips

Page 2

Overview

Where did “bots” come from?

How do they work?

How botnets are built

How are they used for attacking?

How do you defend against them?

Botnets in action!

Page 3

Where did “bots” come from?

Page 4

Internet Relay Chat

http://www.newircusers.com/network.html

Page 5

IRC Commands

http://www.newircusers.com/ircmds.html

Page 6

DCC Commands

http://www.newircusers.com/ircmds.html

Page 7

mIRC IRC client

http://www.irchelp.org/irchelp/ircii/ircii.gif

Page 8

IRC bots

http://www.irchelp.org/irchelp/misc/botfaq.html#1

Page 9

Typical uses

Keep track of channel users

Transfer files automatically

Enforce kick/ban lists of “bad” users

Protect channels from takeover

Page 10

How do bots work?

Page 11

“Net split” attack (before)

[Diagram: channel Owner]

Page 12

“Net split” attack (after)

[Diagram: Owner, Attacker, DDoS Attack]

Page 13

“Net split” attack (defense)

[Diagram: Owner with four Bots]

Page 14

Eggdrop config file

Page 15

Eggdrop config file

Page 16

Translated eggdrop config

Page 17

Encrypted communications

Page 18

My how these bots have grown…

Page 19

Attack sophistication vs. Intruder Technical Knowledge (Source: CERT/CC; chart labelled 1998)

[Chart, 1980 to 2001, axes Intruder Knowledge and Attack Sophistication from Low to High, series labelled Tools and Attackers. Tool labels in order: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, “stealth” / advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, binary encryption.]

Increasing Attack Sophistication

Page 20

Bot features then (1994)

Channel controls

Simple file transfers

Password protected back door

Page 21

Growth of botnets

Page 22

Growth of botnets

Page 23

Bot features now (2004)

http://www.lurhq.com/phatbot.html

Page 24

Bot features now (2004)

http://www.lurhq.com/phatbot.html

Page 25

Advances in C2 & security features

Encryption of communications

Use of Peer-to-Peer

“Swiss Army knife” feature set

Polymorphism and Anti-Anti-Virus

Anti-forensics/Anti-debugging

Page 26

Waste network

http://waste.sourceforge.net/index.php?id=information

Page 27

Combining Waste networks

http://waste.sourceforge.net/docs/docs.html

Page 28

Relationship to DDoS

[Timeline chart, 1996 to 2005 (dates approximated): Single threaded DoS, Classic DDoS (Handler/Agent), Bots, DDoS Botnets, with arrows labelled “Leads to”.]

Page 29

How are botnets built?

Page 30

“It takes malware…”

Page 31

Strategies in botnet creation

Learn about IRC commands and features

Choose a bot or “blended threat” kit

Get access to some computers

Trade for CCs, other hosts/accounts, or buy

Use a virus, trojan horse, or other “sploit”

“War drive” to find free wireless access

Herd your bots

Try to keep someone from finding/stealing them

Page 32

Botnet used for recruitment

Page 33

Bot propagation

“Trends in Denial of Service Attack Technology,” http://www.cert.org/archive/pdf/DoS_trends.pdf

Page 34

Malicious use of bots and how to respond

Page 35

The new spammers

Page 36

Phases of botnet/DDoS attacks

Phase one: “own” a [bleep!]load of computers!

Phase two: use them to attack others

DDoS

More “owning”

Anonymity while doing crimes

Page 37

The new gangsters

Page 38

Page 39

Page 40

Phatbot DDoS attack methods

Two types of SYN floods, UDP & ICMP

“Targa” (random IP protocol, fragmentation, and frag offset)

“Wonk” (one SYN packet followed by 1023 ACK packets)

HTTP (single GET w/delay in hours, or recursive GET)

Many attacks support various spoofing (/16, /24 or all 32 bits)

Page 41

Botnet used for DDoS attack

Page 42

Assoc. of Remote Gambling Operators

$73M lost to extortion in 2004

$10k - $40k per attack (some multiple)

Each attack lasts hours to > 1 week

518,000 “computers” used in one attack

3 arrested in July 2004

By following the $$, not by traceback

Several gangs still active worldwide

“Gambling Sites, This Is A Holdup: Organized criminal hackers threaten to paralyze their networks if they don't pay up,” Business Week, http://www.businessweek.com/magazine/content/04_32/b3895106_mz063.htm

Page 43

Strategies in botnet defense

Learn about IRC commands and features

Learn about bots, DDoS, other malware (http://staff.washington.edu/dittrich/misc/ddos, and book…)

Gain data collection and analysis skills

Host forensics

Network forensics

Reverse engineering, programming, scanning, etc.

Analyze traffic flows, patterns

Key goals: Identify structure and C2 methods
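The “analyze traffic flows, identify structure and C2 methods” step above, as an added example that is not from the talk or the speaker's tooling: a Python script that looks for the fan-in structure of an IRC-style C2 server in constructed flow records and then checks whether the herd behind it acts in unison. The internal address range, the IRC port list and the thresholds are assumptions.

```python
# Added example (not the speaker's code): locate the fan-in structure of an
# IRC-style C2 server in flow records, then check whether the herd acts in unison.
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")     # assumed campus address space
IRC_PORTS = {6667, 6668, 6669, 7000}     # assumed IRC server ports

# Constructed flows (seconds, src, dst, dport): four hosts sit on one IRC server,
FLOWS = [                                # then all hit one target within a second.
    (0, "10.1.1.10", "198.51.100.5", 6667),
    (0, "10.1.1.11", "198.51.100.5", 6667),
    (1, "10.1.2.30", "198.51.100.5", 6667),
    (1, "10.1.2.31", "198.51.100.5", 6667),
    (5, "10.1.1.10", "203.0.113.9", 443),      # ordinary web traffic
    (600, "10.1.1.10", "192.0.2.77", 80),
    (600, "10.1.1.11", "192.0.2.77", 80),
    (601, "10.1.2.30", "192.0.2.77", 80),
    (601, "10.1.2.31", "192.0.2.77", 80),
]

def find_c2_candidates(flows, min_members=3):
    """Map external server -> internal hosts reaching it on an IRC port,
    keeping only servers with enough members to look like a herd."""
    members = defaultdict(set)
    for _, src, dst, dport in flows:
        if dport in IRC_PORTS and ip_address(src) in INTERNAL \
                and ip_address(dst) not in INTERNAL:
            members[dst].add(src)
    return {s: h for s, h in members.items() if len(h) >= min_members}

def find_coordinated_actions(flows, herd, c2, window=5, min_share=0.75):
    """Return [(target, member_count, first_seen)] for external targets that
    at least min_share of the herd contacts within `window` seconds."""
    first = defaultdict(dict)            # target -> {member: first time seen}
    for t, src, dst, _ in flows:
        if src in herd and dst != c2 and ip_address(dst) not in INTERNAL:
            first[dst].setdefault(src, t)
    hits = []
    for target, times in first.items():
        if len(times) >= min_share * len(herd) \
                and max(times.values()) - min(times.values()) <= window:
            hits.append((target, len(times), min(times.values())))
    return sorted(hits)

def analyze(flows):
    return {c2: {"members": sorted(herd),
                 "coordinated": find_coordinated_actions(flows, herd, c2)}
            for c2, herd in find_c2_candidates(flows).items()}
```

A single coordinated hit is only a lead: confirm the server's role with host forensics on one member before treating the whole herd as compromised.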

Page 44

Weaknesses in botnets

Recruitment/Herding

Command/Control

Scanning/Attacking

Page 45

Botnets in action

Page 46

Report of activity

Page 47

Nmap scan

Page 48

Services provided by bot

Page 49

Feedback to attacker!

“My” IP address!

Page 50

Other compromised hosts

Page 51

Bot propagation

“Trends in Denial of Service Attack Technology,” http://www.cert.org/archive/pdf/DoS_trends.pdf

Page 52

Scanning with Phatbot

Page 53

The victims…

"Politehnica" University of Bucharest, Hungary
Aachen University of Technology, Aachen, Germany
Academic Medical Centre, Amsterdam, The Netherlands
Albert-Ludwigs-Universitaet Freiburg, Germany
Czech Technical University, Prague
Fachhochschule Albstadt-Sigmaringen, Germany
Fachhochschule Augsburg, Germany
Fachhochschule Esslingen, Germany
Fachhochschule Konstanz, Germany
Fachhochschule Worms, Germany
Hochschule fuer Technik, Ulm, Germany
Hogeschool Brabant, The Netherlands
Hogeschool Rotterdam & Omstreken, The Netherlands
Hogeschool van Amsterdam, The Netherlands
Hogeschool van Utrecht, The Netherlands
Humboldt-Universitaet zu Berlin, Germany
Johann Wolfgang Goethe-Universitaet Frankfurt, Germany
Philipps-Universitaet Marburg, Germany
Physikalisch-Technische Bundesanstalt, Germany
Rechenzentrum der Universitaet Jena, Germany
Technische Universitaet Berlin, Germany
Technische Universitaet Dresden, Germany
Universitaet Augsburg, Germany
Universitaet Bamberg, Germany
Universitaet Bremen, Germany
Universitaet Duisburg-Essen, Germany
Universitaet Karlsruhe, Germany
Universitaet Konstanz, Germany
Universitaet Muenster, Germany
Universitaet Oldenburg, Germany
Universitaet Stuttgart, Germany
Universitaet Wuerzburg, Germany
Universite de Fribourg, Switzerland
Universite de Liege, Belgium
Universite de Valenciennes, France
Universiteit van Amsterdam, The Netherlands
University College London, UK
University of Applied Sciences, Weingarten, Germany
University of Cooperative Education, Mannheim, Germany
University of Cooperative Education, Ravensburg, Germany
University of Cooperative Education, Stuttgart, Germany
University of Hamburg, Germany
University of Innsbruck, Austria
University of Liverpool, UK
University of London, UK
Westsaechsische Hochschule, Zwickau, Germany

Page 54

Some more victims…

Amsterdam Airport Schiphol, The Netherlands
DESY Zeuthen, Germany
DeTeLine GmbH, Berlin, Germany
Dr. Ing. h.c. F. Porsche AG, Germany
Dutch Railways Network, Utrecht, The Netherlands
EDS International B.V., The Netherlands
Materna GmbH, Dortmund, Germany
Ministerie van Binnenlandse Zaken, The Hague
Ministerie van Sociale Zaken en Werkgelegenheid, The Hague
Saudi Online Network, Riyadh, Saudi Arabia
Shell Information Technology International, SA Telecom
Siemens AG, World Headquarter, Munich, Germany
Swisscom Fixnet, Berne, Switzerland
Swisscom IP-Plus, Berne, Switzerland
Unilever Research Laboratorium, The Netherlands
Unilever Research Vlaardingen, The Netherlands

Page 55

Harvesting product keys

Page 56

Uptime of bots

Page 57

Uptimes

Page 58

Proxying IRC traffic

Page 59

Proxying IRC traffic (2)

Page 60

Proxying IRC traffic (3)

Page 61

Still a Threat

Security World says botnets are on the decline

Phishing is now the chosen method

Botnets are still a threat

Visit the Honeynet Project: www.honeynet.org

Page 62

Thanks and questions

Contact: Dave Dittrich
Information Assurance Researcher
The Information School
dittrich(at)u.washington.edu
http://staff.washington.edu/dittrich/