Botnets by Javantea aka. Joel R. Voss

Botnets

by Javantea aka. Joel R. Voss
Sept. 7, 2006
Essay format

Introduction

Botnets are:

groups of computers
running malicious software
group together to achieve a common goal

Botnets are possible because:

rampant security flaws
commonly used
operating systems
and programs.

Patches:

The solution
Software developers release patches
there isn't a perfect system of updating in place
there is evidence that there never will be.
Lack of patching leaves programs open to exploitation.

Prevention:

many exploits could be prevented by using simple security software
firewall
anti-virus
by simple design of the operating system
no ports open
security audits
programs that are required for business
web servers
mail servers
shell servers
remote visual

Thesis:

botnets
history
methods
motivations
anti-botnet
discovery
analysis
destruction
I don't have perfect solutions
I have some good ideas
can be put into use today
affect the numbers of users in botnets
put that computational power to good use ^_^

History of Botnets

recent addition to security literature
appeared mainly as a result of obvious security vulnerabilities.
Most botnets are targeted at the Win32 OS
the number of vulnerabilities [1]
the massive number of unpatched machines available (250,000-1.5M+ Sasser infections, 200M update downloads) [2]
Many platforms
first Linux/Apache worm was quite recent (Dec 20 2004)

targetting a vulnerability in phpBB
was caused by PHP
It was a worm
Used Perl, Google
left an obvious trace [3]
Although it did not become a botnet, it easily could have.
Destroyed a lot of data

More recently AWStats and Mambo vulnerabilities [4].
Currently targetted IE6

In response to increased patching and firewalls in remote services of Microsoft Windows
IE6 is often unpatched.

1) Ou, George. "Vulnerability statistics for Mac and Windows." URL: http://blogs.zdnet.com/Ou/?p=165 February 28, 2006
2) Sullivan, Bob. "'Sasser' infections begin to subside." URL: http://www.msnbc.msn.com/id/4890780 May 5, 2004
3) Voss, Joel R. "phpBB Vulnerability Analysis." URL: http://www.altsci.com/concepts/phpbb1.html Dec 20, 2004
4) Voss, Joel R. "AWStats and Mambo Vulnerability Analysis." URL: http://www.altsci.com/concepts/mambo1.html Jun 16, 2006

Methods of Botnets

Services (Sasser):

a good example of a recent botnet victim
push technology (service)
Microsoft Windows has a service called LSASS
running on port 445
unnecessary service
many vulnerabilities
Aug 10, 2006 of which the Department of Homeland Security (DHS) said "if exploited could enable an attacker to remotely take control of an affected system," [5]. Thank you Captain Obvious.
On May 1, 2004
Sasser attacked a vulnerability in LSASS
resulted in massive infection (including myself) [6].
Sasser is not generally accepted as a botnet
it did not do anything by itself
it did open shell and file transfer services
qualifies as botnet properties
Unpatched and unfirewalled Windows machines are easily exploited by worms.

5) Department of Homeland Security. "DHS Recommends Security Patch to Protect Against a Vulnerability Found In Windows Operating Systems." URL: http://www.dhs.gov/dhspublic/display?content=5789 August 9, 2006
6) Voss, Joel R. "LSASS Vulnerability Analysis." URL: http://www.altsci.com/concepts/lsass1.html May 1, 2004

Different Rules:

massive computing power
normal limits on intrusion do not apply
they can tcpdump poorly encrypted net traffic and crack the password.
They can brute force SSH.
They can brute force any commonly used password scheme that doesn't use secure techniques.
more efficient attack vectors for botnets than for manual attacks
even though manual attacks work also [7]

7) aorth @ mac.com. "Hacking the Hackers." URL: http://pancakebunny.org/dedicaticon/ December 17th, 2005

Clients (IE6):

pull technology (client)
quite different from push technology (server)
a botnet must gain control over HTTP servers
due to NAT or open firewalls, a client can become an HTTP server
links can be posted by bots to popular forums
titles like "Nude Celebrities" or "Pokemon" depending on the audience.
Any person searching for such terms in the wrong places will find a spammed server with links to strange addresses.
cross-site scripting (XSS) vulnerabilites in websites for clickless attack
A recent talk at Defcon revealed that nearly all recent botnet victims are IE6 users [8].

8) Wesson, Rick. "Abuse and the Global Infection Rate." Defcon 14. Aug 2006.

Botnet Authors:

at least a dozen examples of botnets
but not more
two things about the authors of botnets
by this time, they're thinking about your plans before you are.
They have control over every angle.
since there are not more, assume

handwritten by extremely skilled hackers.

examining the code and the cases
that they are usually young programmers
come from various poor or not poor backgrounds
from developed or semi-developed countries
a wide range of authors
any hacker with any motive can write a botnet and most can execute it successfully.
Many people make note that the how-to below is so easy that it could be successfully pulled off by a script kiddie
most of the tools are available, but not all
at least some knowledge of security coding is required.
Certain tools that qualify as botnets can be used and modified by script kiddies
are not very sophisticated

How to:

Start with a motive: profit, theft, power, curiosity, harm, or espionage.
Design a payload: spam, keylogger, shell/ftp, hello world, delete files, search for files, encrypt files, and DDoS.
no limit on size, any number of payloads can be added
shell/ftp, you can dynamically choose or upload a payload.
Communication/control method: port binding, reverse shell, IRC, port knocking, etc.
Try to make this much more difficult for those other than yourself.
Blowfish encryption
Diffie-Hellman

traffic cannot be sniffed/blocked without control

Public Key Crypto

not guaranteed since private key must be available to attackers.

anything
Decentralized systems allow for amazing amounts of privacy by the botnet creator.
Vulnerability to exploit
Virus delivery mechanism: reverse shell + uudecode, wget, stand-alone, etc.
Propagation system: random scan, e-mail, Google, websites, etc.
Testing on a small network
Initial shipping: Tor, a friend, wifi, an exploited box, or at random.

Multi-platform:

there's no reason that a virus can't be
likely that botnet software in the near future will nmap a target
try every exploit on every open port
botnet is large in numbers and not actively attacked
no fear of giving away it's address to a target by way of logs.

Tracking Botnets

Tracking an evil botnet:

not just an academic exercise
business opportunity
fits into general security practice
without Dan K's network access
any network access can spot attackers
sufficiently broad in their attack vector
propagation system is a random scan
find botnets attacking
opening your ports
setting up a honeypot.

Sasser:

May 1, 2004, during Sasser
a glimpse into hell [6]
tested the LSASS exploit on my laptop and sure enough it worked
my desktop's motherboard died during Sasser
I switched to using my laptop
it was running Windows XP
got infected myself
My modem (MSN Arescom) DMZ'd the computer it was connected to

it opens the user up to worms
instead of giving protection like a NAT router does

Sasser and LSASS exploit rebooted the target machine
60 seconds after disconnect
5 minutes to get infected
5 hours to patch my laptop
most modems are NAT and not DMZ
many people still open up unnecessary ports to the outside world
I didn't know how to use tcpdump at the time, so I was unable to capture Sasser traffic.
I should have written a data capturing honeypot, but I was not able to.

Run a Patched Server:

track botnets by reading logs
you'll notice long strings
Code Red, Nimda, and so forth
quite new exploits based on AWStats and Mambo [4].
Note the simple system:
exploit the vulnerability using an 0wned box
grab the payload from the 0wned box
execute the payload
see not only what is going on in the botnet
who is infected. (This will be used later on.)

Output of a Botnet:

assume a profit motive
various illegitimate profiters on the internet:
Spam, DDoS, user-paid advertising, identity theft, and extortion are the most popular.
mail account, you have spam.
Do you delete your spam?
I have collected all my spam, tarred it
designed methods of tracking the sender [9].
In the past I have told friends often that I didn't get enough spam.
In 2004, I got 5 spams per day.
I get 2314 per month now (I have to glimpse at/click on 607 of these)
I'm interested in seeing other people's spam still. You should know why.
legit mail servers track who sent the e-mail to them with the Received: header
a simple Perl script to grab a list of spam servers.
I can check to see whether the spam server is:
open relay, a proxy, a legitimate business, or an exploited machine.
how do you tell a legit machine from an exploited machine?
Exploited machines usually look strange
they don't have to be
spam servers look strange, too.
So really a person can only guess looking at the raw data.
There are advanced techniques
DDoS attack
send me your logs
I'd really like a list of IPs of these botnet bastards.
You'll find out why later.

9) Voss, Joel R. "Spam Server Analysis." URL: http://www.altsci.com/concepts/spam1.html Jan 9-Aug 26, 2006

Honeypots:

actually infected with botnet software
provides invaluable information.
If the botnet is controlled via IRC
the bots are not using Tor to connect
get their IP from the server
an anonymizing IRC server?
more likely they will not
if botnet command and control ever connects directly to the honeypot, it gives away its address.
infecting a virtual machine of unpatched Windows and capturing the data
an excellent honeypot and is quite cheap even though a Windows license is not free.
*nix honeypot with chroot jails
very low resource
the possibility of a smart virus breaking the chroot jail is fairly high.
actually getting 0wned is not the goal when tracking botnets.

Tor:

an excellent resource for anonymous hacking
with caveat
analyzing traffic from a Tor end node
possibly give away the IPs of many malicious boxes
filtering for known exploits and such is a privacy violation
could make you liable under CFAA or various other inane computer and telecom laws
I only suggest this for the most evil of botnet attackers.

Destroying Botnets

Destroying a Botnet:

destroying anything, legal or not, is prohibited by CFAA and a dozen other laws
I suggest only doing the analysis, utility writing, handwaving, and incentive-giving parts of this section.
As far as I'm concerned, analysis and utility writing are completely benign white hat activities
ought to be done for the security of our networks
If you really must destroy a botnet

wifi
MAC address spoofed
through Tor so that it cannot be traced back to you.
Even then you should be ready to fight criminal charges filed against you.
It's only common fucking sense.
---No Warranty---

Attacks:

compiled a list of suspect IPs in the previous chapter
Nmap this list to find out what type of computers, services, and such are running.
If there is no response from ping,

the box may be down or may have picked a new dynamic IP.
This happens often in botnets.

If you get obvious exploit ports open, record them.

Attack the protocol
trivial protocol (flat shell/ftp), you can just bash the hell out of it.

to fix the box

Windows firewall can be turned on remotely.
patched remotely
Given root, nearly all boxes can be remotely administered

to perfect health
or perfect destruction
whichever is more appealing.

a sophisticated botnet

there may be tools that exist already to exploit the protocol
If there are no tools, you can reverse engineer the protocol
either by using a honeypot or by elegant attacks.

Botnet Defense:

4-hacker brainstorm
on the way back from Defcon 14
conclusion that a proper botnet can avoid attacks
a mesh configuration or a star configuration,
strong authentication
obsfucation
so forth
non-communicating botnet could have all ports closed.
communicating botnets at some point, there must be a box with an open port.
The virus could patch the holes and firewall the ports.
it is possible that a botnet could survive all attempts to destroy it.
While this is sad, it is a fact
if we can lock down our boxes, so can anyone, even a botnet.
not yet the case
Most botnets are flawed
re-exploited by anyone who is interested enough

Hands-on Tutorial? Yes.

Future of Botnets

The End of Botnets:

firewalls
program update utilities
secure programming techniques advance
exploits could be dramatically reduced
in the future, botnets will be extinct.
In their place will be:
very specialized exploits
cutting edge software
not in common use.
I could list 10 vulnerabilities in SOAP
only 5 were discussed in a Defcon 13 talk [10].

10) Stamos and Stender. "Attacking Web Services: The Next Generation of Vulnerable Apps." Defcon 13. July, 2005

A New Hope:

respected security researcher said off the record

currently undeveloped countries will
write insecure code
new exploits
botnets, viruses, exploits, and such
well into the next decade

Other hackers are not so sure

While all parties agree that Russians are insane (in a joking manner),
we disagree on whether we can protect against the threat.
Linux, BSD, OSX, or Vista:

actually provide the security that they have developed
if widely accepted

reactive security against malware may finally become a thing of the past.

Operating systems:

Linux, OpenBSD, NetBSD, and Mac OSX
all use many obvious secure coding practices
reduce the number of possible remote vulnerabilites
The Linux 2.6.12 kernel added 8k of stack randomization

preliminary analysis: no

GR Security patch

many preventitive security measures for the Linux kernel
absolutely absurdly useful against exploits in vulnerable code.

OpenBSD

kernel and admin systems
designed to protect against vulnerable code being exploited.

Windows XP

firewall to close the gaping holes in it's security
it is extremely flawed

Windows Vista

Currently vaporware
is planned to have Address Space Layout Randomization (ASLR)
which will attempt to curb exploitation of vulnerable code. [11]

11) Lemos, Robert. "Microsoft defends Vista by mixing up memory." URL: http://www.securityfocus.com/brief/222 2006-06-02

Non-preventable:

quantifiable: Web, mail, p2p, and other servers
will continue to provide remote vulnerabilites
can be improved with secure coding practices and vulnerability assessment
Custom web software will have
file permission vulnerabilities
shell injection
SQL injection
weak passwords
various other problems
Social Engineering
Each of these can be improved
education and improvements in software development methods
never solved

Philosophy of Botnets

Why:

botnets, botnet defense, and reactive security needs to be discussed.
Microsoft has a vested interest in blaming hackers
will say that prosecution and updates are the solution to botnets
prosecution and updates are both flawed
Better security practices and updates will eventually solve the problem
However, prosecution does not benefit anyone
except the black hat who will get a high salary job.

Without black hats:

still need security
we do not want _anyone_ to have control over our machines.
everyone is a black hat
To blame black hats for security problems is like blaming dancers at a disco that burns down.
The lack of black hats makes software developers lazy on security.
only massive harm is a valid motivation for software developers to fix their software.
This means that "criminals" are doing customers a valid service
even by the very harm that they are doing to them
This point will never be accepted by mainstream software developers
they are by definition quite stubborn
resistant to logic that requires them to work for free
their bottom line is always more important than security

What to do?

develop the utilities described above
detect, analyze, and destroy botnets.
Release these utilites with appropriate switches
allow a person to do anything
These utilities are as legit as the exploits released to attack vulnerabilities in legitimate code.

Questions?

Javantea aka. Joel R. Voss
AltSci Concepts
Neg9: http://Neg9.org/
jvoss@myuw.net