Know your Enemy: Tracking Botnets (The Honeynet Project & Research Alliance). Presented by: Jonathan Dowdle.

Know your Enemy: Tracking Botnets
The Honeynet Project & Research Alliance
Presented by: Jonathan Dowdle

Motivation
- To study the activities of BotNets and their owners

What a Botnet is Not

Introduction
- What is a BotNet?
- What is a HoneyNet?
- Who are the victims?
- What vulnerabilities are used?
- What can a BotNet be used for?

HoneyNet BotNet Method
Setup
- HoneyNet of 3 machines
Analysis
- mwcollectd2
- drone

Uses of Botnets
- DDoS (Distributed Denial of Service) attack
- Spamming
- Sniffing traffic
- Keylogging
- Spreading malware
- Google AdSense abuse
- Attacking IRC networks (similar to DDoS)
- Manipulating online polls/games
- Mass identity theft

Types of Bots
Most common bots
- Agobot / Phatbot / Forbot / XtremBot
- SDBot / RBot / UrBot / UrXBot
- GT-Bots
Less common bots
- DSNX Bots
- Q8 Bots
- kaiten
- Perl-based bots

How Bots Work
The Server
- Unreal IRCd
- ConferenceRoom

HoneyNet

Tracking Botnets
- IRC login information is sniffed when a bot on the Honeypot connects
- Using the login information gathered, we can connect to the master IRC server

Tracking Botnets -- Observing
- Commands from the master can be observed in the channel
- A custom IRC client is usually needed

Custom IRC Client
- drone

Lessons Learned
Number of botnets
- 100 botnets over 4 months
- 35 live botnets as of the paper's publication date
Number of hosts
- ~220,000 unique IP addresses joining at least one of the monitored channels
- The number may be larger, because some servers do not show clients joining a channel

Lessons Learned Cont.
Typical size of botnets
- 100s up to 50,000 hosts
Dimension of DDoS attacks
- 226 DDoS attacks against 99 unique targets

Strengths
- Moderate learning curve
- Paper is presented in ordinary language
- Novel method of determining the methods and attacks used by botnet owners

Weaknesses
- Focuses only on IRC-based bots
- More data could have been provided

Further Research
- Vulnerability modules
- Shellcode parsing modules
- Fetch modules
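The tracking method above rests on two observations: the IRC login a bot sends from the honeypot (PASS, NICK, JOIN and channel key), and the JOIN notices seen in the monitored channel, which is where the ~220,000-host count comes from and why it is only a lower bound. The following Python is an added example, not code from the slides or from the Honeynet Project's own tools (drone, mwcollectd2); it parses both kinds of sniffed lines, and every sample line, nick, host and channel name in it is constructed.

```python
# Added example, not code from the slides or the Honeynet Project. It parses the
# IRC lines a honeynet sniffs when a captured bot connects to its master server
# and counts unique hosts seen joining the monitored channel. Sample data is constructed.
import re
from dataclasses import dataclass, field
from typing import Optional
# Server-to-channel join notice: ":nick!user@host JOIN :#chan" (the colon is optional)
JOIN_RE = re.compile(r"^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+)\s+JOIN\s+:?(?P<chan>\S+)")

@dataclass
class BotLogin:
    password: Optional[str] = None                # PASS sent to the master server
    nick: Optional[str] = None                    # NICK the bot registers with
    channels: dict = field(default_factory=dict)  # channel -> key (None if no key)

def parse_bot_login(client_lines):
    """Extract PASS/NICK/JOIN from the bot's outbound IRC stream."""
    login = BotLogin()
    for raw in client_lines:
        parts = raw.strip().split()
        if not parts:
            continue
        cmd = parts[0].upper()
        if cmd == "PASS" and len(parts) > 1:
            login.password = parts[1].lstrip(":")
        elif cmd == "NICK" and len(parts) > 1:
            login.nick = parts[1].lstrip(":")
        elif cmd == "JOIN" and len(parts) > 1:
            chans = parts[1].lstrip(":").split(",")        # JOIN #a,#b key1,key2
            keys = parts[2].split(",") if len(parts) > 2 else []
            for i, chan in enumerate(chans):
                login.channels[chan] = keys[i] if i < len(keys) else None
    return login

def count_joining_hosts(channel_lines, channel):
    """Unique hosts seen JOINing `channel`. This is a lower bound: a server
    configured not to show joins produces no JOIN lines for the channel at all."""
    hosts = set()
    for raw in channel_lines:
        m = JOIN_RE.match(raw.strip())
        if m and m.group("chan").lower() == channel.lower():
            hosts.add(m.group("host"))
    return len(hosts)

# Constructed sample of what the sniffer captured from the honeypot's session.
SNIFFED_CLIENT = ["PASS s3rv3rpw", "NICK [XP]-01234", "USER bot 0 0 :bot", "JOIN #c2chan chankey"]
SNIFFED_CHANNEL = [
    ":[XP]-01234!bot@198.51.100.7 JOIN :#c2chan",
    ":[2K]-55555!bot@203.0.113.9 JOIN :#c2chan",
    ":[XP]-01234!bot@198.51.100.7 JOIN :#c2chan",   # rejoin from the same host
    ":[ME]-77777!bot@192.0.2.44 JOIN :#other",      # different channel, not counted
]
```

Feeding the sniffed client stream to `parse_bot_login` yields the server password, nick and keyed channel; `count_joining_hosts` over the channel log returns 2 for the sample, since the rejoin and the other channel are not counted.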