Transcript slides

Offense: Brute Force
A Multifaceted Approach to
Understanding the Botnet
Phenomenon
(Rajab/Zarfoss/Monrose/Terzis)
Enough Data?

Research paper states:
- 800,000 DNS domains examined
- 85,000 servers botnet-infected
- 65 IRC server domain names

Is the above data statistically significant?
- 450,000,000 hosts via DNS (isc.org)
- Over 150,000,000 domain names exist
- 47,700,000 .com domains (1% probed)

Realtime Tracking
Source: Shadowserver.org
Longitudinal Tracking

Research paper states:
- 65 IRC server domain names
- 85,000 servers infected by bots
- Type-II botnets only

Shadowserver.org tracking (2+ years):
- 1800 active botnets daily
- 3,000,000 active bots daily
- Updates every 15 minutes

Where’s the 40%?

Research paper covers WinTel hosts exclusively

Most internet servers are Linux-based

Easier to obtain bot binaries?
Hard to ignore the majority
Worm or Trojan backdoors are exploited

Defenses are already weakened
Botnet size

Footprint vs. effective size
- The paper complains that the footprint is much larger than the effective size.
- So? Bots are trying to stay off DNSBLs (blacklists) and be more stealthy.
- Sections of the footprint may be rented out
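The two sizes the slide contrasts are easy to confuse, so here is an added example (not from the slides or the paper) that computes both from a channel join/part log. The event log is constructed for the example, the nicks are made up, and the definitions follow the slide: footprint counts every distinct bot seen over the whole window, effective size counts the most bots online at one moment. A stealthy bot population that checks in briefly and leaves keeps the effective size small while the footprint keeps growing.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: int       # seconds since the start of observation
    bot: str     # bot identifier as seen on the channel (constructed nick)
    kind: str    # "join" or "part"


# Constructed sample: seven distinct bots check in over 140 seconds,
# but no more than three are ever online at the same moment.
SAMPLE_EVENTS = [
    Event(0, "x7k2", "join"), Event(10, "q9m1", "join"), Event(40, "a3b8", "join"),
    Event(45, "x7k2", "part"), Event(50, "q9m1", "part"), Event(60, "z1c4", "join"),
    Event(70, "a3b8", "part"), Event(80, "r5t6", "join"), Event(90, "z1c4", "part"),
    Event(100, "p2w9", "join"), Event(110, "r5t6", "part"), Event(120, "p2w9", "part"),
    Event(130, "n8v3", "join"), Event(140, "n8v3", "part"),
]


def footprint(events):
    """Footprint: every distinct bot seen joining over the whole window."""
    return len({e.bot for e in events if e.kind == "join"})


def online_timeline(events):
    """Number of bots online after each event, in time order."""
    online = set()
    counts = []
    for e in sorted(events, key=lambda ev: ev.t):
        if e.kind == "join":
            online.add(e.bot)          # a repeated join is counted once
        else:
            online.discard(e.bot)      # a part without a join is ignored
        counts.append((e.t, len(online)))
    return counts


def effective_size(events):
    """Effective size: the most bots that were ever online simultaneously."""
    return max((n for _, n in online_timeline(events)), default=0)


def average_online(events):
    """Time-weighted mean number of bots online between first and last event."""
    tl = online_timeline(events)
    if len(tl) < 2:
        return 0.0
    total = sum((tl[i + 1][0] - tl[i][0]) * tl[i][1] for i in range(len(tl) - 1))
    return total / (tl[-1][0] - tl[0][0])


if __name__ == "__main__":
    print("footprint:", footprint(SAMPLE_EVENTS))
    print("effective size:", effective_size(SAMPLE_EVENTS))
    print("average online:", round(average_online(SAMPLE_EVENTS), 3))
```

On the constructed log the footprint is 7 while the effective size is 3 and the average online count is below 1.5; a tracker that only reports footprint will overstate the attack capacity a botmaster can actually use at any moment, and one that only reports effective size will understate how many hosts are compromised.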

Botmaster concerns
Source: swatit.org
C&C Stealth

Botmasters want to remain hidden
- IRC-based isn’t the only way
- Peer-to-peer systems hide the source IP address
- Virtualization of C&C

Dynamic web servers
- Network creation/reconfiguration
- Come and go quickly
- Difficult to trace
- Works for honeypots, why not botnets?

Gray-box testing

- Only binary bot behavior studied
- Results limited by mimicking IRC state
- Research emphasized automation over thoroughness
- Source code or disassembly reveals more
- Behavior may be different in a honeynet

Agobot C&C

Variables:
Variable                Description
bot_ftrans_port         Set bot - file transfer port
bot_ftrans_port_ftp     Set bot - file transfer port for FTP
si_chanpass             IRC server information - channel password
si_mainchan             IRC server information - main channel
si_nickprefix           IRC server information - nickname prefix
si_port                 IRC server information - server port
si_server               IRC server information - server address
si_servpass             IRC server information - server password
si_usessl               IRC server information - use SSL?
si_nick                 IRC server information - nickname
bot_version             Bot - version
bot_filename            Bot - runtime filename
bot_id                  Bot - current ID
bot_prefix              Bot - command prefix
bot_timeo               Bot - timeout for receiving (in milliseconds)
bot_seclogin            Bot - enable login only by channel messages
bot_compnick            Bot - use the computer name as a nickname
bot_randnick            Bot - random nicknames of letters and numbers
bot_meltserver          Bot - melt the original server file
bot_topiccmd            Bot - execute topic commands
do_speedtest            Bot - do speed test on startup
do_avkill               Bot - enable anti-virus kill
do_stealth              Bot - enable stealth operation
as_valname              Autostart - value name
as_enabled              Autostart - enabled
as_service              Autostart - start as service
as_service_name         Autostart - short service name
scan_maxthreads         Scanner - maximum number of threads
scan_maxsockets         Scanner - maximum number of sockets
ddos_maxthreads         DDoS - maximum number of threads
redir_maxthreads        Redirect - maximum number of threads
identd_enabled          IdentD - enable the server
cdkey_windows           Return Windows product keys on cdkey.get
scaninfo_chan           Scanner - output channel
scaninfo_level          Info level, 1 (less) to 3 (more)
spam_aol_channel        AOL spam - channel name
spam_aol_enabled        AOL spam - enabled?
sniffer_enabled         Sniffer - enabled?
sniffer_channel         Sniffer - output channel
vuln_channel            Vulnerability daemon sniffer channel
inst_polymorph          Installer - polymorphic on install?

Commands:
Command                 Description
bot.about               Displays information (e.g., version) about the bot code
bot.die                 Terminates the bot
bot.dns                 Resolves IP/hostname via DNS
bot.execute             Makes the bot execute a specific .exe
bot.id                  Displays the ID of the current bot code
bot.nick                Changes the nickname of the bot
bot.open                Opens a specified file
bot.remove              Removes the bot from the host
bot.removeallbut        Removes the bot if ID does not match
bot.rndnick             Makes the bot generate a new random nickname
bot.status              Echo bot status information
bot.sysinfo             Echo the bot’s system information
bot.longuptime          If uptime > 7 days then bot will respond
bot.highspeed           If speed > 5000 then bot will respond
bot.quit                Quits the bot
bot.flushdns            Flushes the bot’s DNS cache
bot.secure              Delete specified shares and disable DCOM
bot.unsecure            Enable specified shares and enable DCOM
bot.command             Executes a specified command with system()
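The command table is exactly what a network defender turns into a content signature for an IRC monitor, so here is an added example (not from the slides or the paper) that scans IRC log lines for the Agobot command names listed above. The log lines are constructed, the "." command prefix is an assumption (the bot_prefix variable makes it configurable, so the scan also matches bare names), and channel TOPIC messages are inspected as well because bot_topiccmd lets a bot execute commands carried in the topic.

```python
import re

# Command names taken from the Agobot command table on the slide.
AGOBOT_COMMANDS = {
    "bot.about", "bot.die", "bot.dns", "bot.execute", "bot.id", "bot.nick",
    "bot.open", "bot.remove", "bot.removeallbut", "bot.rndnick", "bot.status",
    "bot.sysinfo", "bot.longuptime", "bot.highspeed", "bot.quit", "bot.flushdns",
    "bot.secure", "bot.unsecure", "bot.command",
}

# Server-to-client IRC line: ":<sender> PRIVMSG|TOPIC <target> :<text>"
IRC_LINE = re.compile(
    r"^:(?P<sender>\S+)\s+(?P<verb>PRIVMSG|TOPIC)\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)

# Constructed sample log: one benign chat line, three controller messages.
SAMPLE_LOG = [
    ":ops!u@host PRIVMSG #chat :anyone around?",
    ":ctl!u@host PRIVMSG #m :.bot.sysinfo",
    ":ctl!u@host TOPIC #m :.bot.dns update.example",
    ":ctl!u@host PRIVMSG #m :.bot.secure .bot.rndnick",
]


def find_bot_commands(text, prefix="."):
    """Return the Agobot command names present in a message body.
    Tokens are matched with or without the configured command prefix."""
    hits = []
    for token in text.split():
        name = token[len(prefix):] if prefix and token.startswith(prefix) else token
        name = name.lower()
        if name in AGOBOT_COMMANDS:
            hits.append(name)
    return hits


def scan_irc_log(lines, prefix="."):
    """Produce one alert per PRIVMSG or TOPIC line that carries bot commands."""
    alerts = []
    for line in lines:
        m = IRC_LINE.match(line.rstrip("\r\n"))
        if not m:
            continue                      # not a message line (PING, MODE, ...)
        cmds = find_bot_commands(m["text"], prefix)
        if cmds:
            alerts.append({
                "sender": m["sender"],
                "verb": m["verb"],
                "channel": m["target"],
                "commands": cmds,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_irc_log(SAMPLE_LOG):
        print(alert)
```

Matching bare names as well as prefixed ones trades a few false positives on ordinary chat for coverage of bots configured with a non-default prefix; a production monitor would also key on the si_* values (server, port, channel, nick prefix) recovered from a captured binary, since those identify a specific botnet rather than the bot family.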
Botnet evolution

- Polymorphic bot code
- Gmail as control protocol
- SSL usage
- Invisible to network inspection
- XML/RSS messages
- Exploit IPv6 flaws
