Chapter 3 Botnets
§ Bots are pieces of malicious software that come with remote control capabilities
§ Bots spread e.g. using worm or trojan techniques
§ Botnets are networks of compromised computers
§ On which bots have been installed
§ And that are remotely controlled by an attacker through a command and control infrastructure (C&C)
§ The attacker that controls a botnet is called the herder of the botnet
§ Computers infected with a bot are called drones or zombies
[Figure: botnet herder directing infected user machines in a DDoS attack; labels: User, DDoS Attack]
§ Detection
§ Security professionals at companies or CERTs detect a new bot
§ Can happen during infection, rallying, or execution
§ Capturing
§ The bot malware is captured by professionals
§ Analysis
§ The bot malware is analyzed and information about its spreading strategies, its purpose and its C&C infrastructure is extracted
§ Tear down
§ Botnet hunters try to tear down the botnet
[Figure: centralized C&C; botnet herder sends commands via central infrastructure to the infected machines]
§ Centralized
§ Attacker operates central infrastructure to distribute commands to the victim machines
§ Two main techniques used
§ IRC servers: commands are pushed to connected clients
§ HTTP servers: commands are pulled by victim clients
[Figure: decentralized C&C; botnet herder injects commands into the P2P network formed by the infected machines]
§ Decentralized
§ The victim machines form a P2P network
§ Commands of an attacker are distributed directly through the P2P network
§ Many of today’s bots are hybrid
§ Agobot: family of bots with worm capabilities, including Phatbot and Forbot, that requires little to no programming skill to use
§ By 2009 several thousand variants of Agobot were known
§ Most Agobot variants support
§ Password Protected IRC Client control interface
§ Remote updates for the installed bot
§ Execute programs and commands
§ Port scanner used to find and infect other hosts
§ DDoS capabilities
§ Some variants also contain
§ Packet sniffer, keylogger, rootkit installer, information harvesting tools (email addresses, software product keys, passwords), SMTP clients for spamming, HTTP clients for click fraud and DDoS attacks
§ Twitter
§ E.g. short URLs distributed via tweets, providing a link to a website with additional code to load
§ DNS
§ Commands e.g. included in DNS responses
§ Posts on Facebook
§ SMS (in the context of mobile botnets)
§…
§ Social Engineering
§ Make users download and execute the Waledac binary themselves
§ Mostly with the help of spam messages pointing to fake websites
§ See next slides
§ Client-side vulnerabilities
§ Drive-by downloads from malicious websites using browser or other client-side vulnerabilities
§ No "zero-day" exploits but old, well-known ones
[Figure: an infected host ("You are infected!") asks the DNS Server for a series of generated domain names; most lookups get an NX-Response (domain does not exist) until one name resolves to the C&C server, after which the bot asks "Command?" and receives its Command]
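As an added example (not part of the original slides): the DNS behaviour in the figure above, a bot walking through generated domain names that mostly do not exist, shows up to a defender as a burst of NX responses for high-entropy names from a single client. The resolver log format, the client addresses and the thresholds below are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed resolver log (not from the slides), one query per line: "<time> <client> <name> <rcode>".
# 192.168.1.20 behaves like the bot in the figure: generated names that mostly do not exist
# until one resolves to the C&C server. 192.168.1.30 is an ordinary user with one typo.
SAMPLE_DNS_LOG = """\
10:00:01 192.168.1.20 k3x9q1mz7w2pd5ry.ws NXDOMAIN
10:00:01 192.168.1.20 h8b4n6tv0jfs2lcg.to NXDOMAIN
10:00:02 192.168.1.20 u7e1wa5zqk9xo3dm.in NXDOMAIN
10:00:02 192.168.1.20 p2r6yc8ib4nt0vhs.ws NXDOMAIN
10:00:03 192.168.1.20 g5m0ax7dq3wz1ckb.to NOERROR
10:00:04 192.168.1.30 example.com NOERROR
10:00:05 192.168.1.30 www.wikipedia.org NOERROR
10:00:06 192.168.1.30 wikipedai.org NXDOMAIN
10:00:07 192.168.1.30 mail.example.com NOERROR
"""

def label_entropy(name):
    """Shannon entropy in bits/char of the leftmost DNS label; generated names score high."""
    label = name.split(".")[0]
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def nxdomain_profile(log_text):
    """Per client: number of queries, NXDOMAIN answers and entropies of the failed names."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "nx_entropy": []})
    for line in log_text.splitlines():
        _time, client, name, rcode = line.split()
        stats[client]["total"] += 1
        if rcode == "NXDOMAIN":
            stats[client]["nx"] += 1
            stats[client]["nx_entropy"].append(label_entropy(name))
    return stats

def suspicious_clients(log_text, min_nx=3, min_ratio=0.5, min_entropy=3.0):
    """Clients whose failed lookups look like a name-generation sweep rather than typos."""
    flagged = []
    for client, s in nxdomain_profile(log_text).items():
        if s["nx"] < min_nx or s["nx"] / s["total"] < min_ratio:
            continue  # too few failures, or failures are a small share of the client's traffic
        if sum(s["nx_entropy"]) / len(s["nx_entropy"]) >= min_entropy:
            flagged.append(client)
    return sorted(flagged)

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_DNS_LOG))  # ['192.168.1.20']
```

Thresholds should be tuned per network; a single typo from an ordinary user stays below the NX-count floor, while the bot's sweep exceeds every criterion.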
§ Exploit developers
§ Look for vulnerabilities that could be exploited to infect computers
§ Malware programmers
§ Develop C&C server and bot client
§ Have in-depth knowledge of operating system internals
§ Often also have experience in kernel development
Money Flow
§ Renting bots
§ 60$ per 3 hours (200k requests/s)
§ Ransomware as a service
§ Subscription per month
§ Mobile Botnets
§ Covered in the chapter on the specifics of mobile malware
§ IoT-Botnets
§ Botnets consisting of Internet of Things (IoT) devices
§ I.e. small devices with internet connectivity but very limited user interfaces and often limited update capabilities
§ Most prominent example: Mirai (2016)
[Figure: Mirai DDoS attack volumes of 620 Gbps and 1.1 Tbps]
[Figure: Mirai infrastructure: 1. Scan (IoT Device), 2. Report (Report Server), 3. Dispatch Loader, 4. Load (Zombies: IoT Devices), 5. Send cmd (Command & Control Server), 6. Relay, 7. Attack (DDoS Target: Victims' Infrastructure)]
§ Lifecycle
1. Scan IPv4 address space for devices that run telnet or SSH, attempt to log in using a small hardcoded dictionary of IoT credentials
2. Send victim IP address and credentials to report server
3. Report server asynchronously triggers a loader to infect the device
4. Loader infects device
5. Herder sends DDoS command
6. Command and control server relays command to zombies
7. Zombies launch DDoS attack on victim web server
§ Report server has details about infected devices and potential new victim devices
§ Protection techniques
§ Change default passwords to strong ones
§ Update IoT devices
§ Disable UPnP on routers
§ Block port 23/TCP; monitor or even block port 22/TCP and other open ports
§ Set up IoT devices to accept connections from non-routable IP addresses only
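Added example, not part of the original slides: lifecycle step 1 (rapid telnet/SSH login attempts from a small credential list) and the last protection technique (accept connections from non-routable addresses only), as seen in a device's login log. The log format, the addresses, the window and the attempt threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed login records of an IoT device (not from the slides): "<time> <src_ip> <dst_port> <user> <result>".
# 203.0.113.7 behaves like a Mirai scanner: rapid telnet logins from a short credential list until one works.
SAMPLE_AUTH_LOG = """\
12:00:00 203.0.113.7 23 root FAIL
12:00:00 203.0.113.7 23 admin FAIL
12:00:01 203.0.113.7 23 root FAIL
12:00:01 203.0.113.7 23 user FAIL
12:00:02 203.0.113.7 23 support OK
12:00:10 192.168.0.5 22 operator OK
12:00:20 192.168.0.5 22 operator FAIL
12:05:00 10.0.0.9 22 operator FAIL
12:07:00 10.0.0.9 22 operator FAIL
12:09:00 10.0.0.9 22 operator FAIL
12:11:00 10.0.0.9 22 operator FAIL
"""

# RFC 1918 ranges: the policy above allows management connections from these only.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_non_routable(ip):
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)

def parse_time(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def scan_sources(log_text, window=60, min_attempts=4, ports=(22, 23)):
    """Sources with >= min_attempts telnet/SSH logins inside some window of `window` seconds;
    each finding notes whether a login succeeded and whether the source breaks the non-routable policy."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        t, src, port, _user, result = line.split()
        if int(port) in ports:
            attempts[src].append((parse_time(t), result))
    findings = {}
    for src, events in attempts.items():
        events.sort()
        best = j = 0
        for i, (t_i, _) in enumerate(events):  # sliding window over sorted timestamps
            while events[j][0] < t_i - window:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_attempts:
            findings[src] = {"attempts": best,
                             "success": any(r == "OK" for _, r in events),
                             "routable": not is_non_routable(src)}
    return findings
```

The slow 10.0.0.9 attempts (one every two minutes) stay under the 60 s window and are not flagged; widening the window to 600 s surfaces them as well, but from a non-routable source and without a successful login.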
§ Stuxnet was one of the first examples of malware threatening critical infrastructures
§ Stuxnet shows how realistic attacks against SCADA systems are
§ The existence of Stuxnet lowers the bar for further attacks, as code pieces can be reused
§ Protection against targeted attacks is nearly impossible
§ Power grid
§ Water supply
§ (Nuclear) power plants
§ Traffic control systems
§ Stock exchanges
§ Medical facilities
§ Industrial facilities
[Figure: SCADA system supervising a controlled process]
§ Consequence
§ Many operating SCADA systems are vulnerable even though very few attacks have become known so far
§ Three of the four exploits used were "zero-day exploits", i.e. exploits that were previously unknown to security experts
§ Targeted attack
§ Detailed analyses suggest that an Iranian uranium enrichment facility was targeted
§ Modification of the frequency here damages the regulated centrifuges