
IT-Security 2

Chapter 3: Malware – Botnets and Stuxnet

Prof. Dr.-Ing. Ulrike Meyer


How can Bots be Characterized?

§ Bots are pieces of malicious software that come with remote control capabilities
§ Bots spread e.g. using worm or trojan techniques
§ Botnets are networks of compromised computers
  § on which bots have been installed
  § and that are remotely controlled by an attacker through a command and control (C&C) infrastructure
§ The attacker that controls a botnet is called the herder of the botnet
§ Computers infected with a bot are called drones or zombies

IT-Security 2 -- Chapter 3 Botnets 2


Bots in the Malware Taxonomy

§ Bots may exhibit worm characteristics
  § I.e. use network exploits to spread
§ Bots may exhibit backdoor characteristics
§ Bots may utilize rootkits
  § Rootkits hide their presence on an infected system
§ Bots may have spyware components
  § E.g. key loggers to log key strokes on an infected system
§ Bots are typically extensible and may download additional malware
§ Bots are thus closely related to other types of malware
§ Bots can be differentiated from other malware by being remotely controllable


Attacks Mounted with the Help of Botnets

§ Distributing spam and phishing emails
§ Mounting distributed denial of service (DDoS) attacks
§ Conducting data theft with the help of spyware like key loggers, webcam recording capabilities, …
§ Conducting click-fraud
§ Spreading new malware

[Figure: DDoS attack, several compromised user machines flooding a single target server]


Lifecycle of a Botnet from a Herder’s View

§ Creation: development of the botnet software, often reusing existing code
  § C&C infrastructure and bot malware
§ Infection of victim machines via software vulnerabilities, drive-by downloads, Trojan horses, email attachments, …
§ Rallying: bots start up for the first time and attempt to contact the C&C server(s)
  § Centralized: join IRC channel, connect to HTTP server
  § Decentralized: bootstrapping protocol to detect other peers in the P2P network
§ Waiting: bots wait for commands from the botmaster through the C&C infrastructure
§ Executing: bots execute commands received through the C&C infrastructure
  § E.g. scanning for new victims, downloading updates, sending DoS floods, …

[Figure: Creation -> Infection -> Rallying -> Waiting -> Executing]


Lifecycle of a Botnet from the Defense View

§ Detection
  § Security professionals at companies or CERTs detect a new bot
  § Can happen during infection, rallying, or execution
§ Capturing
  § The bot malware is captured by professionals
§ Analysis
  § The bot malware is analyzed and information about its spreading strategies, its purpose, and its C&C infrastructure is extracted
§ Tear down
  § Botnet hunters try to tear down the botnet

[Figure: Detection -> Capturing -> Analysis -> Tear Down]


Command and Control Techniques

§ Centralized
  § Attacker operates central infrastructure to distribute commands to the victim machines
  § Two main techniques used
    § IRC servers: commands are pushed to connected clients
    § HTTP servers: commands are pulled by victim clients
§ Decentralized
  § The victim machines form a P2P network
  § Commands of an attacker are distributed from P2P directly
§ Many of today’s bots are hybrid

[Figure: botnet herder -> central C&C infrastructure -> infected machines (centralized); botnet herder -> P2P network of infected machines (decentralized)]


Internet Relay Chat

§ Internet Relay Chat (IRC) is a real-time messaging service that runs over the internet
§ It is designed for group communication as well as one-to-one communication
§ Chats of different groups are separated into channels
§ New channels can be opened by any IRC client
§ Communications use a network of IRC servers
§ Today there are thousands of independent IRC networks
  § There are public and private ones
§ The original idea goes back to 1988


IRC Bots

§ Are bots where the C&C server is an IRC server
§ A newly infected computer joins a specific IRC channel on an IRC server and waits there for further commands
§ Commands are distributed by the herder using a regular IRC client that is part of the channel
§ Advantages for attackers using IRC
  § IRC servers are freely available
  § Many attackers have years of IRC communication experience


The first IRC Bots…

§ … were actually non-malicious bots
§ IRC channels are controlled by “operators”
§ Nowadays, you can register a channel and give it a password such that you stay the operator even if you are offline
§ Back in 1990, IRC networks did not have channel services
  § Channels were frequently taken over by others
  § If a channel was empty, the first person to join became the operator


One of the First Non-Malicious Bots

§ Since people were not online 24/7, so-called “bots” were developed
  § “Bot” is short for robot
§ Bots were automated IRC clients capable of giving operator status to a somehow authenticated channel member
§ More and more features were added over time, and special commands were implemented:
  § !op, !kick, !ban, …
§ The most famous non-malicious bot is “Eggdrop”


IRC Backdoor

§ Standalone file that copies itself, e.g., to the Windows or Windows System folder
§ Creates a registry key to start that file during every Windows session
§ Some IRC backdoors modify the WIN.INI and SYSTEM.INI files or copy themselves to the startup folders of different users
§ Some IRC backdoors replace INI scripts of an IRC client
§ When an IRC backdoor is run, it establishes a connection to an IRC server or waits until a user connects to IRC
§ An attacker can give commands to an IRC bot using the IRC interface
§ Advanced IRC backdoors allow limited access to an infected system and to modify, upload, download and run files
§ Most famous IRC backdoors: rbot, SDBot, Roron, Nymph


Example for an IRC Bot - Agobot

§ Family of bots with worm capabilities, including Phatbot and Forbot, that requires little to no programming skills to use
§ By 2009 several thousand variants of Agobot were known
§ Most Agobot variants support
  § Password-protected IRC client control interface
  § Remote updates for the installed bot
  § Executing programs and commands
  § Port scanner used to find and infect other hosts
  § DDoS capabilities
§ Some variants also contain
  § Packet sniffer, keylogger, rootkit installer, information harvesting tools (email addresses, software product keys, passwords), SMTP clients for spamming, HTTP clients for click fraud and DDoS attacks


Web-based Command and Control

§ ~2006: HTTP became popular as C&C protocol
§ Instead of continuously being connected to an IRC C&C server, bots regularly poll a web server for commands or wait for incoming HTTP connections
§ Malware is configured to regularly request a PHP script on a web site, which leads to the download of a command page
§ Commands issued to the bots may, e.g., include
  § Download and execute files from a URL
  § Execute shell commands
  § Adjust storage location of screen captures
  § Adjust the hosts file on the compromised system


HTTP-Bots

§ HTTP-bots typically come with a user-friendly web interface to control the bots
  § Allows even less skilled people to buy an HTTP bot and create a botnet
§ Creation of the botnet is achieved by using client-side exploits, such as vulnerabilities in web browsers
§ At the start
  § HTTP bots were mostly famous in China and Russia
  § Herders from western countries (USA, Europe) still used IRC bots
§ Today HTTP bots are present world-wide
§ Examples for early HTTP-bots:
  § Korgo, Padobot, Bzub, Nuclear Grabber, MachBot


Examples for HTTP-Bots - Bobax

§ First detected in 2004
§ Spread over a buffer overflow vulnerability in Microsoft Windows LSASS (XP, 2000, Server 2003)
§ Attempted to contact a remote web server over a built-in URL with a unique ID code as notification of infection
§ Parses the response for commands
§ Opens a number of randomly selected ports and awaits an incoming connection
§ Leaves the infected machine open to be used as a spam relay


Other Protocols used for C&C Traffic

§ Twitter
  § E.g. distributing short URLs via tweets to provide a link to a website with additional code to load
§ DNS
  § Commands e.g. included in DNS responses
§ Posts on Facebook
§ SMS (in the context of mobile botnets)
§ …


Decentralized Botnets: Overview

§ Not all have a strict P2P structure
  § Hybrid multi-tier layouts
§ Generally not used to mitigate server load or for fault tolerance
  § Just resiliency against take-down


Decentralized Botnets: Some Variants of Conficker

§ Pure update botnet, infection vectors: MS08-067, USB, shares
§ Conficker.A, .B only use domain generation (not really decentralized)
  § Generates up to 50k domains per day and tries to download updates via HTTP
§ Conficker.E uses a pure P2P network approach
  § Every infected node has a list of 1000 other infected peers
§ All commands / updates are properly signed with RSA


Decentralized Botnets: Waledac

§ Hybrid P2P / centralized infrastructure
  § Tier 1: Central but hidden C&C server
  § Tier 2: Central C&C servers, relaying Tier 1
    § Protecting Tier 1 information (IP, etc.)
  § Tier 3: Non-NAT P2P bots, relaying Tier 2
  § Tier 4: NAT P2P spam bots
§ P2P used for take-down resilience, but centralized backend for real C&C relay nodes
§ Main purpose of Waledac
  § Send spam to propagate itself and download additional files onto compromised computers
§ Uses a hybrid of RSA and AES for encryption but fails to employ signing of commands

[Figure: Waledac tier layout from the hidden C&C server down to the slave nodes]


Waledac – Bootstrapping and Topology

§ The Waledac binary contains a list of 100 relay nodes (Tier 3 nodes)
§ The IP list is updated with one of two methods
  § Exchange IP list with other nodes
    § Take in entries from the list of the other node if these are newer
  § Connect to one of several hard-coded Waledac domains
    § Fetch a list of active relay nodes from there using a GET request for an idex.php file
    § List contains up to 500 entries
  § Hard-coded domains are fast-fluxed domains such that they resolve to multiple IP addresses


Waledac - Communication

§ Waledac opens a random local port on the compromised computer
§ Attempts to connect to port 80 of the remote Waledac relay node
§ Messages sent over HTTP are encoded by
  § Bzip2 compression
  § AES-128-CBC encryption
  § Base64 encoding with some additional character substitutions
§ The symmetric key required for AES encryption/decryption is exchanged with the help of self-signed public key certificates
  § Slave node generates an RSA public/private key pair
  § Sends a self-signed certificate for its public key to the relay node
  § Relay node sends back the AES key encrypted with the RSA public key


Waledac Propagation

§ Social engineering
  § Make users download and execute the Waledac binary themselves
  § Mostly with the help of spam messages pointing to fake websites
  § See next slides
§ Client-side vulnerabilities
  § Drive-by downloads from malicious websites using browser or other client-side vulnerabilities
  § No “zero-day” exploits but old, well-known ones


Waledac – Example Spam Campaign (1)

[Figure: example of a Waledac spam campaign]


Waledac – Example Spam Campaign (2)

[Figure: example of a Waledac spam campaign]


Waledac – Example Spam Campaign (3)

[Figure: example of a Waledac spam campaign]


Waledac – Malicious Functionality

§ Download and execute binaries
  § E.g. download and install fake A/V products
§ Act as network proxy
§ Send spam messages
  § To propagate itself
  § To advertise products
§ Harvest email addresses and passwords
§ Perform denial of service attacks


Taking Down a Centralized C&C Infrastructure

§ Locate C&C servers and take them down
  § Analyze network traffic of bots
  § Analyze bot malware found on honeypots -> see next chapter
  § If it is a compromised machine, contact the legitimate owner
§ In the meantime: make the C&C server impossible to contact
  § Block domain name in DNS
  § Block domain names calculated by the DGAs in the bots
    § Requires pre-calculation of the domain names the DGA will calculate
  § Block IP range of C&C infrastructure
  § Disconnect rogue hosting companies
§ Find out which devices in your network are infected by
  § Sinkholing the corresponding domain names and seeing who connects
  § Automatically warning users of infected machines


DNS Sinkholing of known Malicious Domains

[Figure: two scenarios side by side]
§ Without sinkhole: the bot asks the DNS server for mal.com and receives the real C&C address 6.6.6.6; it sends “Command?” to 6.6.6.6 and receives a command
§ With sinkhole: the DNS server answers mal.com with the sinkhole address 137.226.107.63 instead; the bot sends “Command?” to the sinkhole, which replies “You are infected!”


Hiding the IPs of C&C Servers

§ Taking down centralized C&C infrastructures is impeded by techniques hiding the IPs of C&C servers
§ Use of domain generation algorithms (DGAs)
  § Change the domain name of the machine queried for commands, e.g. by an HTTP-bot, based on a DGA using a seed (e.g. time stamp, twitter post, …) as input
  § Domain names queried change frequently
  § The attacker has to register the queried domain names in order to be able to distribute commands
  § If DGA and seed are known, the domain names can be blocked in local DNS
§ Use of fast flux in DNS
  § Multiple IP addresses associated with a single domain name
  § IP addresses quickly changed by changing DNS records
  § IP addresses typically belong to compromised servers
  § No one server to take down
  § Still, the domain name can be blocked locally at the DNS server on the victim’s network


Hiding C&C Server by DGA

[Figure: the bot asks the DNS server for the DGA-generated domains in turn. t3622c4773260c097e2e9b26705212ab85.ws and u83ccf36d9f02e9ea79a9d16c0336677e4.to get an NX response (domain does not exist); v02bec0c090508bc76b3ea81dfc2198a71.in resolves to 6.6.6.6, the bot sends “Command?” to 6.6.6.6 and receives a command]

§ DGA generates domains
§ Bot tries to resolve domains
  § Most domains are not registered
§ Bot herder registers one or more domains per day
§ Bot connects to C&C server and asks for commands
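To make the DGA pre-calculation, sinkholing and infected-host identification from the last slides concrete, here is an added example in Python (not part of the lecture). It assumes a hypothetical hash-based DGA standing in for one that has been reverse-engineered, uses the sinkhole address from the slide, and runs over a constructed DNS query log in the made-up format "timestamp client qname rcode"; the hosts 10.0.0.5/7/9 are invented.

```python
"""Added example: pre-computing DGA domains for a sinkhole zone and finding
infected hosts in a DNS query log.  The DGA, the log format and all hosts
are constructed for illustration; no real bot uses this algorithm."""
import hashlib
import re
from collections import Counter, defaultdict

SINKHOLE_IP = "137.226.107.63"    # sinkhole address from the slide
TLDS = ("ws", "to", "in")         # TLDs seen on the DGA slide
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\d+(?:\.\d+){3}) "
                    r"(?P<qname>\S+) (?P<rcode>[A-Z]+)$")


def dga_domains(seed, count=50):
    """Hypothetical DGA: domain i = letter + 32 hex chars of sha256(seed:i) + TLD.
    seed is the day as an ISO date string.  Once DGA and seed are known, a
    defender can run this ahead of time to learn which names bots will query."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{i}".encode()).hexdigest()
        domains.append(f"{'tuv'[i % 3]}{digest[:32]}.{TLDS[i % 3]}")
    return domains


def sinkhole_zone(domains):
    """Local DNS override: every pre-computed name resolves to the sinkhole,
    so bots reveal themselves by connecting there instead of to the C&C."""
    return {d: SINKHOLE_IP for d in domains}


def analyse_dns_log(lines, zone, nx_threshold=10):
    """Flag clients that (a) query a sinkholed name or (b) produce a burst of
    NXDOMAIN answers, which a DGA bot does even when its DGA is unknown.
    Returns (flagged clients, sinkholed names per client, NXDOMAIN counts)."""
    hits = defaultdict(set)
    nx = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:                       # skip malformed lines
            continue
        client = m["client"]
        qname = m["qname"].lower().rstrip(".")
        if qname in zone:
            hits[client].add(qname)
        if m["rcode"] == "NXDOMAIN":
            nx[client] += 1
    flagged = set(hits) | {c for c, n in nx.items() if n >= nx_threshold}
    return sorted(flagged), dict(hits), dict(nx)


def sample_log(seed):
    """Constructed log: 10.0.0.5 runs the known DGA, 10.0.0.9 runs an unknown
    DGA (only its NXDOMAIN burst gives it away), 10.0.0.7 is a clean host."""
    doms = dga_domains(seed)
    lines = [f"{seed}T08:00:{i:02d} 10.0.0.5 {d} NXDOMAIN"
             for i, d in enumerate(doms[:12])]
    # the 13th name is the one the herder registered; the sinkhole answers it
    lines.append(f"{seed}T08:00:12 10.0.0.5 {doms[12]} NOERROR")
    lines += [f"{seed}T08:01:{i:02d} 10.0.0.9 x{i:032d}.biz NXDOMAIN"
              for i in range(11)]
    lines += [f"{seed}T08:02:00 10.0.0.7 www.example.com NOERROR",
              f"{seed}T08:02:01 10.0.0.7 typo.example.invalid NXDOMAIN"]
    return lines


if __name__ == "__main__":
    day = "2021-03-02"
    zone = sinkhole_zone(dga_domains(day))
    flagged, hits, nx = analyse_dns_log(sample_log(day), zone)
    print(f"{len(zone)} names sinkholed for {day}")
    for c in flagged:
        print(f"{c}: {len(hits.get(c, ()))} sinkholed queries, "
              f"{nx.get(c, 0)} NXDOMAIN answers")
```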


Taking Down P2P Botnets

§ Not as “easy” as taking down centralized C&C infrastructures
§ In pure P2P networks, a permanent take-down is nearly impossible as commands can be distributed via any peer in the network to any other peer in the network
§ Take-down of a P2P network
  § Ultimately requires disinfection of all infected nodes
  § Otherwise the botnet can be brought to life again (cp. Waledac)
§ Temporary attacks on the P2P infrastructure are possible
  § Peer list poisoning (cp. Conficker)
§ No “one-size-fits-all” solution to take down P2P botnets!


Decentralized Botnets: Waledac Mitigation

§ There is no cryptographic authentication at all
  § Issue “update” command with clean-up tool
  § Illegal in most parts of the world, except if the ISP has a legal agreement with the user
§ Concurrent takedown of all three tiers required:
  § Poison P2P peer caches, so no new Tier 2 nodes can be injected into the P2P network
  § Take down the Tier 2 nodes, so the location of the main C&C can be determined and no new main C&C can be established
  § Take down Tier 1 C&C, do forensic examination (identify botnet herder)


Decentralized Botnets: Conficker Mitigation

§ Commands are properly signed
  § Issuing an update command for a cleanup tool is not possible
§ Peer lists only use IP uniqueness, no information about network range distribution
§ Peer lists are organized in a most recently seen fashion
  § Flood peer lists with peerings from a /18 large network range
  § “Legitimate” peers will only communicate with these “cleaning peers”
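As an added illustration (not from the lecture), the following Python model shows why the two peer-list properties listed above make the flood work: a 1000-entry most-recently-seen list that only checks IP uniqueness ends up holding nothing but cleaning peers after one pass over a /18, while the same list with a per-/24 cap, the generic Sybil countermeasure used in legitimate P2P systems and not something the slide describes, keeps most of its original peers. The list size and the /18 are the slide's; all addresses are constructed from private ranges.

```python
"""Added example: model of a most-recently-seen peer list with IP
uniqueness only, flooded with 'cleaning peers' from a single /18.
List size and flood range size are taken from the slides; all addresses
are constructed (private ranges) and the capped variant is a generic
P2P Sybil countermeasure, not part of Conficker."""
import ipaddress
from collections import Counter, OrderedDict

PEER_LIST_SIZE = 1000           # slide: every node keeps 1000 peers


def net24(ip):
    """/24 prefix of a dotted-quad address, used as the 'network range' key."""
    return ip.rsplit(".", 1)[0]


class PeerList:
    """Fixed-size peer list, newest peering last, oldest evicted first.
    max_per_net=None reproduces the weakness: uniqueness by IP only."""

    def __init__(self, size=PEER_LIST_SIZE, max_per_net=None):
        self.size = size
        self.max_per_net = max_per_net
        self.peers = OrderedDict()      # ip -> None, most-recently-seen order
        self.per_net = Counter()        # /24 -> number of peers from it

    def seen(self, ip):
        """Record a peering with ip. Returns True if ip is (now) in the list."""
        if ip in self.peers:
            self.peers.move_to_end(ip)  # refresh: it is the most recently seen
            return True
        net = net24(ip)
        if self.max_per_net is not None and self.per_net[net] >= self.max_per_net:
            return False                # range-distribution check rejects it
        self.peers[ip] = None
        self.per_net[net] += 1
        if len(self.peers) > self.size:
            oldest, _ = self.peers.popitem(last=False)
            self.per_net[net24(oldest)] -= 1
        return True

    def fraction_in(self, network):
        """Share of the current list that lies inside the given network."""
        net = ipaddress.ip_network(network)
        inside = sum(ipaddress.ip_address(p) in net for p in self.peers)
        return inside / len(self.peers)


def simulate(max_per_net=None, legit=500, flood_net="10.64.0.0/18"):
    """Seed a list with `legit` infected peers (one per /24 in 172.16.0.0/12),
    then replay a peering from every address of flood_net, as the cleaning
    peers would.  Returns the share of the final list taken by cleaners."""
    pl = PeerList(max_per_net=max_per_net)
    for i in range(legit):
        pl.seen(f"172.{16 + i // 256}.{i % 256}.10")   # constructed bot peers
    for host in ipaddress.ip_network(flood_net).hosts():
        pl.seen(str(host))
    return pl.fraction_in(flood_net)


if __name__ == "__main__":
    print(f"IP uniqueness only : {simulate():.0%} of the list are cleaning peers")
    print(f"max 2 peers per /24: {simulate(max_per_net=2):.0%} of the list are cleaning peers")
```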


Emotet

§ Botnet taken down in January 2021
  § The take-down was a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine
§ One of the most professional and long-lasting botnets ever
  § First discovered as a banking Trojan in 2014
  § Evolved into an infrastructure sold/rented out for all kinds of malicious actions including ransomware and data theft
§ Spread via emails with malicious Word documents attached
  § Disguised, e.g., as invoices, shipping notices, or information on COVID-19
  § Dynamit-Phishing: victims receive emails that seem to be answers to emails they sent
§ Also spreads locally after a machine in a local network is infected
§ Used several hundred C&C servers around the world


Tracking Down Botnet Herders

§ Tracking down botnet C&C infrastructure to the herder
  § No general method, highly depends on the C&C type
  § Example for centralized C&C servers: putting network taps on the C&C server to get the herder’s IP address
  § Further steps, including acquiring the herder’s identity, are only possible for law enforcement
§ Herders are so far usually caught with the help of social engineering
  § Agents pretending to be interested in buying botnets, requesting proof from the herder that he has one, …


Roles in Organized Crime with Botnets

§ Exploit developers
  § Look for vulnerabilities that could be exploited to infect computers
§ Malware programmers
  § Develop C&C server and bot client
  § Have in-depth knowledge of operating system internals
  § Often also have experience in kernel development
§ Botnet herders
  § Operate the botnet, potentially sell out or rent out the control over it
  § Financial status largely unclear, but data is available when they were convicted (see next slides)
§ Bot users
  § Use the botnet to mount an actual attack
  § May coincide with the herder of course


Overview on How Money is Made from Botnets

[Figure: money flow. Create a botnet (find exploits, code C&C, code bot malware) -> rent a botnet / sell a botnet -> spam, phishing, installing malware / adware, stealing personal information, DDoS, extortion, click-fraud -> selling bank account and credit card information, selling identity information, selling account information for Internet services and shops]


How much money is in the market: Pricing (2019)

§ Access credentials to servers: US $ 8-15 per server depending on location
§ Access to PayPal accounts with known balance: 10% of balance
§ Renting bots
  § 60$ per 3 hours at 200k requests/s
§ Ransomware as a service
  § Subscription per month

(Source: Balduzzi M., Ciancaglini V.)


Further Trends in the Malware / Botnet World

§ Mobile botnets
  § Covered in the chapter on the specifics of mobile malware
§ IoT botnets
  § Botnets consisting of Internet of Things (IoT) devices
  § I.e. small devices with internet connectivity but very limited user interfaces and often limited update capabilities
  § Most prominent example: Mirai (2016)
§ Industrial control systems / SCADA malware
  § Targeted cyber attacks that often aim at causing physical damage
  § Most prominent example: Stuxnet (2010)


Mirai IoT Botnet

§ First identified in August 2016 by MalwareMustDie
§ Infects Internet of Things (IoT) devices, including
  § DVRs, routers, IP cameras, printers, …
  § Misconfigured (e.g. open telnet port) or with simple default credentials (e.g. on SSH)
§ Centralized C&C
§ Does not try to avoid detection
  § Neither on the device nor in the network
§ Excludes some IP ranges, e.g., US Postal Office, IANA, HP, …
§ Used to launch DDoS attacks:

[Figure: attack volumes of 620 Gbps and 1.1 Tbps]


Mirai IoT Botnet

§ Other prominent victims:

[Figure: other prominent Mirai victims]


Mirai IoT Botnet - Lifecycle

[Figure: attacker/herder, the infrastructure (command & control server, report server, loader), zombies (infected IoT devices), a victim IoT device and the DDoS target (victims’ infrastructure). Steps: 1. Scan, 2. Report, 3. Dispatch loader, 4. Load, 5. Send cmd, 6. Relay, 7. Attack]


Mirai Botnet - Lifecycle

§ Lifecycle
  1. Scan the IPv4 address space for devices that run telnet or SSH, attempt to log in using a small hardcoded dictionary of IoT credentials
  2. Send victim IP address and credentials to the report server
  3. Report server asynchronously triggers a loader to infect the device
  4. Loader infects the device
  5. Herder sends DDoS command
  6. Command and control server relays the command to the zombies
  7. Zombies launch DDoS attack on the victim web server
§ The loader facilitates dissemination of executables targeting different platforms (ARM, MIPS, x86)
§ The report server has details about infected devices and potential new victim devices


Mirai Botnet - Derivatives

§ Source code was made public
§ Resulted in new variants exploiting the same weaknesses, e.g.,
  § Hajime (Japanese for “the beginning”, first seen in October 2016)
    § Uses open telnet ports or default credentials in SSH like Mirai
    § Not centralized
      § BitTorrent DHT for distributed communication
      § uTorrent transport protocol for data
    § Each message is RC4 encrypted and signed
    § But so far: no malicious behavior
      § Instead closes vulnerabilities in IoT devices, e.g. access to port 23 (telnet)
  § BrickerBot (April 2017)
    § Permanent DoS (PDoS) attack against IoT devices by, e.g., erasing all files


Mirai IoT Botnet – Lessons Learned

§ IoT devices are advantageous to build a botnet
  § Constant and unobtrusive operation
  § Feeble protection
  § Poor maintenance
  § Considerable attack traffic
  § Non-interactive or minimally interactive user interface
§ Protection techniques
  § Change default passwords to strong passwords
  § Update IoT devices
  § Disable UPnP on routers
  § Block port 23/TCP, and monitor or even block port 22/TCP and other open ports
  § Set up IoT devices to accept connections from non-routable IP addresses only


Stuxnet

§ Stuxnet was one of the first examples of malware threatening critical infrastructures
§ Stuxnet shows how realistic attacks against SCADA systems are
§ The existence of Stuxnet lowers the bar for further attacks as code pieces can be reused
§ Protection against targeted attacks is nearly impossible
§ Example for a so-called advanced persistent threat


Critical Infrastructures

§ Power grid
§ Water supply
§ (Nuclear) power plants
§ Traffic control systems
§ Stock exchanges
§ Medical facilities
§ Industrial facilities

IT-Security 2 - Chapter 5 Stuxnet 48


Cyber Attacks Against Critical Infrastructures

§ Sabotaging critical infrastructures with the help of cyber attacks
§ Enable remote attacks that do not require the physical presence of the attacker
§ Extortion of the operator of the critical infrastructure


SCADA Systems in Critical Infrastructures

§ Supervisory Control and Data Acquisition system
  § Monitor and control industrial processes
  § Often across several physical locations
§ Examples for application areas
  § Industrial processes in production, energy generation
  § Infrastructure processes such as HVAC control systems for buildings, energy consumption, water supply, oil pipelines, energy grids, traffic control systems, processing of drinking water, …
  § Facility processes such as access control systems, …
§ Example: energy industry
  § More than 50% of all facilities use SCADA systems


SCADA System Example

[Figure: a SCADA control network supervising a controlled process]


SCADA Systems – Security Myths

§ Many operators assume that SCADA systems are inherently secure as the protocols and interfaces used are proprietary
§ Many also assume that physical protection is sufficient to shield their SCADA system
§ Finally, many assume that their systems are secure as long as they are not connected to the Internet
§ Consequence
  § Many operating SCADA systems are vulnerable even though very few attacks have become known so far


Threats to SCADA Systems

§ Unauthorized access to the control software
  § By personnel with physical access to the control computers
  § By exploiting vulnerabilities in the operating system run on the control computers (used by Stuxnet)
§ Access to unprotected communication networks over which the PLCs of a SCADA network are controlled
  § E.g. via physical access to one of the components in the same network segment
  § Can be protected by typical network security means


SCADA/Industrial Control Systems Malware is on the Rise

§ 2000: Attack against a SCADA system in Queensland, Australia
  § Attack goal: waste water control system of Maroochy
  § Origin: former employee of the company that installed the SCADA system
  § Consequence: waste water floods a nearby park, pumps are blocked, …
§ 2010: Stuxnet worm
§ Further examples of ICS malware
  § 2014 Havex: Remote Access Tool (RAT) used in targeted attacks, e.g. on the energy sector
  § 2015 Irongate: first detected in 2015, probably spreading since 2012; targets a Siemens PLC simulation (SIM) environment on which developers test PLC code
  § 2016 Industroyer: responsible for the 2016 attack on Ukraine’s power grid
  § 2017 Blackenergy: proof-of-concept ransomware targeting SCADA systems
  § …


Stuxnet - Overview

§ Computer worm/bot first discovered on June 17th, 2010
§ Propagated worldwide since June 2009
§ Used vulnerabilities in Windows operating systems
§ Searches infected computers for the SCADA control software SIMATIC WinCC/Step7 by Siemens AG
§ Infects the control software via a vulnerability in WinCC/Step7
§ Manipulates the attached PLCs


Stuxnet – Windows Vulnerability

§ Initial infection over a removable storage device like a USB stick
  § A malicious DLL is executed as soon as the directory containing it is browsed; the DLL is referenced from a manipulated .LNK file
  § Exploits two vulnerabilities for privilege escalation
  § Installs two signed driver files, which ensure the propagation of Stuxnet after reboot
§ Propagation within the local network
  § Via network drives
  § Via a vulnerability in the Windows printer spooler service
  § Via an RPC vulnerability
§ Three of the four used exploits were “zero-day exploits”, i.e. exploits that were previously unknown to security experts


Stuxnet - Updates

§ Stuxnet supports two ways to update itself and thus exhibits bot behavior
  § HTTP connection to one of two update servers
  § Directly between two infected devices
    § Via an IRC client/server installed during the initial infection


Stuxnet – Infection of WinCC/Step7

§ Stuxnet uses two vulnerabilities in WinCC/Step7
  § One allows modifying the communication between WinCC/Step7 and the controlled PLCs
  § The other is a vulnerability in the WinCC/SCADA database software
    § Access protected only by an unchangeable default password


Stuxnet – Manipulation of the PLCs

§ The infected control software modifies a PLC only if all of several conditions hold, e.g.
  § PLCs are connected to a frequency converter
  § Frequency converter produced by one of two particular manufacturers
  § Attached motors operate at 807 - 1210 Hz
§ Modifies the frequency and therefore the speed of rotation of the attached motors
§ Targeted attack
  § Detailed analyses suggest that an Iranian uranium enrichment facility was targeted
  § Modification of the frequency here damages the regulated centrifuges


Stuxnet – Infection and Update

§ Initial infection via USB
§ Internal propagation via vulnerabilities in Windows
§ Update via C&C web server
§ Infection of the control computer in the SCADA network via USB
§ Manipulation of the Siemens controller PLCs
§ Ultimately manipulation of the physical processes


Stuxnet - Origin

§ Stuxnet is much different from “regular” worms
  § Conditions on the infection are very complex, which suggests a targeted attack
  § No integrated data theft
  § No C&C properties besides updates
  § Actively sabotages rather than only threatening to do so
§ Quite high financial investment
  § 48-60 person months of programming effort estimated
  § “Cost” of three zero-day exploits
  § Use of signature keys of valid certificates of two Taiwanese semiconductor companies
§ All of this very early on already led to the assumption of intelligence services as origin


Stuxnet - Origin

§ On 01.06.2012 there was an article in the New York Times claiming that Stuxnet was a joint project of Israeli and US American secret services


Stuxnet – Geographical Distribution

[Figure: geographical distribution of Stuxnet infections]


Stuxnet – Patching and Cleaning

§ The used Windows vulnerabilities are patched by now
§ All well-known A/V scanners are able to detect infections with Stuxnet and can clean infected machines
§ Vulnerabilities in SIMATIC WinCC/Step7
  § Patches are made available by Siemens
  § According to Siemens, in 2012 24 systems of customers were already successfully cleaned without disruption of the physical processes controlled by the systems


Reading

§ Check out the “Know your enemy” papers on the honeynet project site http://www.honeynet.org/
§ Details on Waledac: Symantec Win32.Waledac Threat Analysis
§ Details on Mirai IoT Botnet:
  § Antonakakis et al.: “Understanding the Mirai Botnet”, USENIX Security 2017
§ Details on Stuxnet: Ralph Langner’s Stuxnet Deep Dive
  § http://www.digitalbond.com/blog/2012/01/31/langners-stuxnet-deep-dive-s4-video/
