Publication


Featured research published by Jim Binkley.


Botnets: The Killer Web App | 2007

Chapter 1 – Botnets: A Call to Action

Craig A. Schiller; Jim Binkley; David Harley; Gadi Evron; Tony Bradley; Carsten Willems; Michael Cross

This chapter reviews botnets and their relevance. A botnet is an army of compromised computers that takes orders from a botherder, an immoral hacker who uses the botnet for financial gain or as a weapon against others. Botnet technology is the next killer Web application. It is a tremendous force multiplier for organized crime. Bot technology has evolved from simple agents that played games with users to mercenary robotic armies without morals, ready to carry out designer crimes on demand. Today's bots are easy to customize, modular, adaptive, targetable, and stealthy. Botnet attacks are targetable, that is, the hacker can aim them at a particular company or market sector. Even though botnets can be random, they can also be customized to a selected set of potential hosts: the botherder can configure the bot clients to limit their scanning to hosts in a defined set of Internet Protocol (IP) addresses. This targeting capability in turn makes it possible to market customized attacks for sale.


Botnets: The Killer Web App | 2007

Chapter 5 – Botnet Detection: Tools and Techniques

Craig A. Schiller; Jim Binkley; David Harley; Gadi Evron; Tony Bradley; Carsten Willems; Michael Cross

This chapter reviews the tools and techniques used for botnet detection. It discusses abuse reporting, common network-monitoring tools such as netflow, and confinement techniques such as firewalls and broadcast domain management. A flow is defined as a one-way data tuple consisting of an IP source and destination address, TCP or UDP source and destination ports, IP protocol number, flags, packet and byte counts, and the start- and end-of-flow timestamps. A flow therefore represents an aggregated statistic. Netflow data can be used to identify busy networks and to do protocol analysis. Netflow has become an industry standard for network monitoring and is useful for analyzing routing (BGP/AS traffic matrixing) as well as IP network-to-network traffic. As with SNMP, a network-monitoring tool can be used to detect anomalies such as DoS attacks, and since netflow data includes IP addresses and ports, it can also be used to look for scanning attacks. The chapter concludes by reviewing the role of darknets and honeypots.


Botnets: The Killer Web App | 2007

Chapter 4 – Common Botnets

Craig A. Schiller; Jim Binkley; David Harley; Gadi Evron; Tony Bradley; Carsten Willems; Michael Cross

This chapter reviews some of the major bot families, specifically SDBot, RBot, Agobot, Spybot, and Mytob. Bots are a serious threat to Internet and computer network security. Viruses and worms have wreaked havoc on the Internet, while phishing attacks and spyware are both growing threats to computer security. However, bots are unique among malware in their ability to provide tens of thousands of compromised systems lying dormant and waiting to be used as an army for all kinds of malicious activities. All the bot families share one propagation method: virtually every one seeks out unprotected or poorly secured network shares to attack. Different bot families introduce different aspects that set them apart. Among these, RBot introduced the use of compression algorithms to encrypt the bot code, Agobot pioneered the use of P2P networks as a propagation method, Spybot added spyware functionality such as keystroke logging, and the Mytob worm combined a bot (SDBot) with a mass-mailing worm, marking a shift in malware code toward hybrid attacks that combine different types of malware.


Botnets: The Killer Web App | 2007

Chapter 6 – Ourmon: Overview and Installation

Craig A. Schiller; Jim Binkley; David Harley; Gadi Evron; Tony Bradley; Carsten Willems; Michael Cross

This chapter discusses the aspects of ourmon that pertain to low-level anomaly detection and higher-level detection of botnets. It introduces ourmon and explains how it works and how it is installed. Ourmon is a free open-source tool downloadable from www.sourceforge.com. Ourmon is a packet-sniffing system and has to be hooked up to a network in such a way that it sees all the packets, either via an Ethernet switch set up to do port mirroring or via the older Ethernet hub technology that by default shares all the packets on all of its ports. This setup is known as the network capture. Ourmon is a self-contained system and can be installed anywhere on a UNIX system; the best approach is to unpack it. There are four pieces of software that the open-source ourmon system depends on, and three of them need to be installed before one can run configure.pl. The most important system dependencies are a Web server, libpcap.a, and libpcre.a.


Botnets: The Killer Web App | 2007

Chapter 11 – Intelligence Resources

Craig A. Schiller; Jim Binkley; David Harley; Gadi Evron; Tony Bradley; Carsten Willems; Michael Cross

This chapter discusses the resources that are useful in providing information about a threat or enemy. Intelligence has been extended beyond information collected about a human threat or enemy to include information about electronic threats such as botnets. Using these resources, one can determine what to check on the systems, be informed of new threats, and identify existing bots that may be affecting the network. Botnets are designed to give botherders remote control of other computers, hiding the botherder's identity by providing false information about who is sending spam, attacking systems, or providing services such as pirated software and files. Information can be gathered when a botnet resides on a network, or when a site is the victim of an attack. The intelligence one gathers can be used to identify which botnet is running on the systems, and may ultimately be used to identify and prosecute the botherder. One of the first indications of a botnet problem is found in the log files from firewalls, and in those generated by scans of hosts and network traffic.


Botnets: The Killer Web App | 2007

Chapter 8 – IRC and Botnets

Craig A. Schiller; Jim Binkley; David Harley; Gadi Evron; Tony Bradley; Carsten Willems; Michael Cross

This chapter discusses ourmon's Internet Relay Chat (IRC) facility and reviews how it can be used to detect botnet client meshes, botnet server meshes, and the occasional compromised host that may be hosting an IRC-related hacker channel. IRC is an Internet Engineering Task Force (IETF) specified protocol. It has been popular with hackers because there is no need to register accounts or handles, it is easy to set up one's own channels and servers, and it lends itself to discussing the distribution of illegal files (warez) and attack methodologies. The four kinds of IRC protocol messages that ourmon understands are JOINS, PINGS, PONGS, and PRIVMSG. JOINS and PRIVMSG messages contain the channel names, and ourmon uses those messages along with the IP addresses in the IP header to construct a list of channels with their associated IP hosts. It keeps track of PING and PONG messages because they indicate basic IRC mesh connectivity.


Botnets: The Killer Web App | 2007

Chapter 9 – Advanced Ourmon Techniques

Craig A. Schiller; Jim Binkley; David Harley; Gadi Evron; Tony Bradley; Carsten Willems; Michael Cross

This chapter discusses ourmon's automated packet capture feature, which can be used to automate packet capture by the probe. It reviews the associated event-logging mechanism in ourmon and considers the various kinds of events that show up in the daily system event log. Various techniques are also discussed, including ways to mine the ourmon files for data, sniffing tools such as ngrep, and an ourmon toolkit tool called ircfr. In the ourmon.conf file, it is possible to turn on various automated packet capture triggers. This means that when some integer counter hits a threshold of some sort (such as 60 hosts), ourmon will record the next N packets in a file. Because the capture is written as a tcpdump file, it can be replayed with any sniffer software that uses the well-known pcap (www.libpcap.org) packet capture library. This library is commonly used by tools such as ourmon, Snort, and tcpdump itself, which is an open-source network sniffer (found at www.libpcap.org). There are three ourmon triggers that are closely associated with anomaly detection: the tworm trigger, the UDP weight trigger, and the drops trigger.


Botnets: The Killer Web App | 2007

Chapter 10 – Using Sandbox Tools for Botnets

Craig A. Schiller; Jim Binkley; David Harley; Gadi Evron; Tony Bradley; Carsten Willems; Michael Cross

This chapter discusses malware analysis using the CWSandbox tool. It reviews the general sandbox architecture and its components. The results achieved on live sandbox systems by successfully analyzing more than 10,000 malware samples are also discussed. CWSandbox is an application for the automatic behavior analysis of malware. This dynamic analysis is performed by executing the malware sample in a controlled environment and catching all its relevant calls to the Windows API. Since these API calls are used for accessing Windows system resources such as files, the registry, or the network, all the malware's actions can be examined. In the next step, a high-level summarized report is generated from this monitored data. CWSandbox is not only used to create analysis reports for single malware samples, but is also integrated into a bigger system, the automated analysis suite (AAS). This suite consists of several software components and is used to collect and analyze malware automatically.


Botnets: The Killer Web App | 2007

Chapter 2 – Botnets Overview

Craig A. Schiller; Jim Binkley; David Harley; Gadi Evron; Tony Bradley; Carsten Willems; Michael Cross

This chapter discusses the Internet Relay Chat command and control server (IRC C&C). With botnets, hackers (botherders) are able to wield thousands of computers to operate according to their will. By using a command interpreter to execute a common set of commands, a botherder is able to coordinate and manage these computers. Botnets are advertised on IRC channels and in other places, and all or portions of them are sold for others to use. When recruited, the botclients are instructed to subscribe to an IRC server on a specific channel. Each channel has several different topics. The main channel topic directs the botclient to go to a string of additional channels. The botclients are thus a collection of software that is being put to malicious use. The software can include viruses, Trojan backdoors, remote controls, hacker tools such as tools to hide from the operating system, as well as nonmalicious tools that are useful to the botherder.


Archive | 2007

Botnets: The Killer Web Applications

Craig A. Schiller; Jim Binkley
