Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
March 29, 2006

Inside Botnets


In the news recently was an interesting story about MetaFisher (also known as Spy-Agent), a Trojan horse program that steals personal financial information. What was particularly interesting about the news report that I received from iDefense was screenshots of the control interface used by the MetaFisher bot network (botnet) operators. The images give a good idea of what goes on behind the scenes of botnets. If you've already looked at the news story that I posted on our Web site and didn't see the images, be sure to check it again--I added the images on Monday. You can link to the story from the MetaFisher news story below.

Botnets are a huge problem. Understanding how bots work helps us understand how to defend against them and how to shut down botnets. Every antivirus vendor and many other types of security vendors hold a wealth of information about untold numbers of bots. However, when these companies publish alerts and advisories about bots, the reports rarely contain much detail about the inner workings and capabilities of the bots. So learning how a bot behaves is typically rough work. Even if you manage to capture a bot, you're left to reverse-engineer it on your own.

Paul Barford and Vinod Yegneswaran of the University of Wisconsin Computer Sciences Department wrote an excellent white paper, "An Inside Look at Botnets." The pair give detailed insight into four types of bots, including those based on Agobot, SDBot, GT Bot, and Spybot.

If you read the white paper, you'll learn that although most bots today operate in conjunction with Internet Relay Chat (IRC) servers (which makes shutting down botnets somewhat less difficult), some bots are beginning to gain peer-to-peer functionality. This evolution of course means that shutting down botnets will become more difficult in many cases in the future.

What I found particularly interesting about the white paper is that Barford and Yegneswaran reveal the complete command sets of the bot variants they examined. The commands include those used by bots during interaction with IRC servers and those used by bots for interactivity with the local host on which the bot is installed. For example, some bots can scan the registry to obtain CD-ROM keys, AOL account information, PayPal account information, and so on. Some bots can also lock down a host to some extent by disabling services selectively as well as starting the bot operator's services of choice. These commands give botnet operators a huge amount of control over infected systems.

Other commands let the botnet operators perform exploits and attacks. For example, Agobot (which is among the most sophisticated of bots today) can scan for systems with vulnerabilities in DCOM, DameWare Development software, and Famatech's RADMIN; scan for back doors left open by Bagle and MyDoom; and brute-force-crack NetBIOS and Microsoft SQL Server passwords. Agobot can also launch seven types of Distributed Denial of Service (DDoS) attacks. Adding to the danger level, Agobot is polymorphic to some extent, with four ways of obscuring its network communications.

This is just a brief summary of some of the information you'll learn by reading "An Inside Look at Botnets." The paper (available in PDF format at the URL below) is a real eye-opener, particularly if you don't have much knowledge of how bots operate. The information can help you think of ways to detect some of the related activity on your networks. It's definitely worth the read.

http://www.cs.wisc.edu/~pb/botnets_final.pdf
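Since most of the bots described above still rendezvous over IRC, one practical detection approach is to look for IRC protocol chatter on ports where no IRC client should be talking, and for several internal hosts joining the same channel on the same server. The following script is an added example written for this article, not code from the white paper or from Windows IT Pro; it assumes a constructed sensor log of the form "src dst:port first-payload-line", and the port list and the three-host threshold are assumptions to tune for your own network.

```python
import re
from collections import defaultdict

# Conventional IRC ports (assumed list); IRC commands to any other port are suspicious
IRC_PORTS = {6667, 6668, 6669, 6697}
IRC_CMDS = {"NICK", "USER", "JOIN", "PRIVMSG", "PING", "PONG"}
MIN_HOSTS_PER_CHANNEL = 3  # assumed threshold: several hosts in one channel looks like a botnet
LINE = re.compile(
    r'^(?P<src>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) (?P<cmd>[A-Z]+)(?: (?P<arg>.*))?$')

# Constructed sample sensor log: "<src> <dst>:<port> <first line of payload>"
SAMPLE_LOG = """\
10.0.0.5 203.0.113.9:8080 NICK [XP]-3812
10.0.0.5 203.0.113.9:8080 USER xhkd 0 0 :xhkd
10.0.0.5 203.0.113.9:8080 JOIN #c0ntrol
10.0.0.7 203.0.113.9:8080 NICK [XP]-2291
10.0.0.7 203.0.113.9:8080 JOIN #c0ntrol
10.0.0.8 203.0.113.9:8080 JOIN #c0ntrol
10.0.0.9 198.51.100.4:6667 NICK alice
10.0.0.9 198.51.100.4:6667 JOIN #linux
10.0.0.11 192.0.2.20:443 GET / HTTP/1.1
"""

def analyze(log_text):
    """Return (irc_on_odd_ports, crowded_channels) built from the sensor log."""
    odd_port = defaultdict(set)   # (dst, port) -> internal hosts speaking IRC there
    channels = defaultdict(set)   # (dst, port, channel) -> hosts that joined it
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["cmd"] not in IRC_CMDS:
            continue              # not an IRC command; ignore (e.g. the HTTP line)
        src, dst, port = m["src"], m["dst"], int(m["port"])
        if port not in IRC_PORTS:
            odd_port[(dst, port)].add(src)
        if m["cmd"] == "JOIN" and m["arg"]:
            channels[(dst, port, m["arg"].split()[0])].add(src)
    crowded = {k: sorted(v) for k, v in channels.items()
               if len(v) >= MIN_HOSTS_PER_CHANNEL}
    return {k: sorted(v) for k, v in odd_port.items()}, crowded

if __name__ == "__main__":
    odd, crowded = analyze(SAMPLE_LOG)
    for (dst, port), hosts in odd.items():
        print(f"IRC commands to {dst}:{port} (non-IRC port) from {hosts}")
    for (dst, port, chan), hosts in crowded.items():
        print(f"{len(hosts)} hosts joined {chan} on {dst}:{port}: {hosts}")
```

On the sample log the legitimate session to port 6667 is ignored while the three hosts converging on #c0ntrol over port 8080 are reported by both heuristics.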

Windows IT Pro is a Division of Penton Media Inc.
© 2009 Penton Media, Inc.