I've been like the lost cat... My name is Vicky Navratilova and you may remember me from such embarrassing moments as last night's Hacker Jeopardy. But now I'm here to give a talk on... what is it? It's too short, this wireless thing on my shoulder. Speak into my lapel, right. Is that better? So, no? Okay, what about that? Okay, how's that? Is that good? Is this better? Okay.

So this talk is basically about distributed denial of service bots and how today they're all efficient and very easy to use, but they evolved from two different sets of code. So you have your IRC history and your denial of service history, and together they form what we have today, which is a modern network-killing robot.

The reason I'm interested in this is because I work for a university, and most of the machines we have that are compromised end up having one or more of these bots on them, and we usually find them because they start scanning out. I also spend a lot of time on IRC, so it's a natural thing for me to talk about when these two things come together.

So what I'd like to cover first is how do you create a network-killing robot? What you end up doing is you take the strengths of IRC scripting plus the strengths of distributed denial of service tools, and you bring them together. What this means is that you make the tools easy for lots of newbies and so on to use. The second generation or so of DDoS tools were very hard to pronounce, they were difficult to use, and some would say they were Unix-based.

So yeah, you had to have some sort of prerequisite knowledge in order to be good at using them, and that really cut off a large user base of people who could attack other people. So if you open it up to the people who don't know so much about computers, then you have much more widespread tools. Another way to make it easy is you automate everything; you script everything so you don't need to know stuff, you just click a button. It's also distributed over IRC, which is a really great way to get it across the world, across different networks. It reduces a single point of failure. It's redundant, it's load balancing, it's all the other buzzwords you want, but in a bad way. Also, geeks are generally not so good at expressing themselves, so they go on IRC and they can use these tools to express their feelings towards others, feelings like anger, rage, hatred, resentment. So you get the idea.

So this talk is about IRC, which at Loyola we called "I Repeat Classes" because that's what the freshmen ended up doing once they got addicted to IRC. This is a really good way to spread things because it's everywhere and it's relatively benign. People look at you funny, maybe, if you run it, but they don't think you're necessarily up to no good. And it's why everyone uses it, because then they can talk to their friends in other countries for free. It's also really easy to use because there are a bunch of different clients out there that do different things, different GUIs and so on. You have distributed denial of service tools that, like I mentioned, go along with IRC because they're natural things to distribute over IRC, I guess.

Oh, and also IRC is more or less relatively static as a technology. With DoS tools, as people find ways to block them, people have to put more engineering effort into finding counter-counter-steps to counter the counter-steps. Right.

So early DoS attacks, back in the beginning of the 90s or so: you first had simple things. Well, you had ping floods, which were flooding people with pings. You also had ping of death, which is like one ping packet that was really big that could crash a computer. Then with ping floods it was mostly a matter of who had the bigger network connection; that was the person that was going to win. So if you were at a university and someone else was on a dial-up connection, then of course you were going to win. So people found ways to get around that by coming up with things like Smurf attacks. And what that does is, I send a ping to someone... Basically I send a ping with a fake return address, which is a broadcast address, and the end result is you have one packet that's sent out and you get a couple hundred responses in return. So that was a way to get around the "my bandwidth is not as big as yours" problem. Eventually you had things like SYN floods, which were even smarter about using a small number of packets to take people off the network, because they would just basically overload the machine with a bunch of open connections. Pretend your machine has a switchboard, like for phone operators. They answer the phones.

It's like one machine calling the other machine's switchboard and lighting up all the phones, the switchboard operators answering, and then nobody saying anything on the other end. That way you've tied up the resources so they're not able to accept any more incoming calls, and possibly even reboot the machine or bring it to a slowdown. Eventually the operating system writers figured out how to write network stacks that would keep that from happening, but for a while it was an effective way to do stuff.

This is a cute little cartoon with a Smurf in it. Well, it has nothing much to do with Smurf attacks, but... Hmm.

So these early tools were out in about the early 90s. Eventually some people came up with distributed denial of service tools. The difference is, with the first DoS tools you'd have a one-to-one correlation between attacker and victim, and with these you'd have one attacker who would control a bunch of zombies, and they would tell the zombies to attack a victim. They were pretty famous in about 1997, I think, or 1998, because they took down a bunch of famous websites like yahoo.com and ebay.com, and then they were all over the news. And then Dave Dittrich did a whole bunch of white papers on them, and he's really famous because of that. Nothing like this is happening anymore where DDoS tools are taking down large websites, because websites eventually got smart about relocating their servers to places with larger bandwidth, places where they can put redundant servers on different parts of the internet. So if one part of the backbone went down, they'd still be up because everything would be up someplace else. So I think that's why IRC DDoS tools don't get as much play today as they did back then, but they're much more widespread and they take down a lot more machines than they used to.

So these were hard to use. They generally ran on Unix, and you generally had to break into a machine and then manually put this on there. Now that's all automated. It's
harder to track back to the attacker because you had that middle zombie layer. There was also much more contention over machines that were infected with these things, because they were harder to break into, so they became more valuable, and then they started being password protected and people would steal each other's zombies and so on.

This is a brief history of IRC. So parallel to the DoS stuff developing, there were all these IRC scripts developing too, because you had a lot of people spending a lot of time on IRC, and eventually they realized that there's stuff they can't do but they want something to do it, so they started writing scripts. One of the first famous scripts that's still in use today is the Eggdrop bot. This was written in the early 90s and you can still download it; as far as I can tell it's a really good bot. This is what I would call a good IRC bot. There's good and evil and there's some that's in the middle, but this is generally benign. It can be used for evil, but it's pretty good at doing what it's supposed to without breaking anything. This was first used to do things like: when you are on IRC, if everyone somehow gets kicked off the channel, the first person that comes back on has ops, which means they can control the channel. So you'd want this to stick around and watch for that, and then just do a predetermined set of simple tasks. It doesn't have to sleep; the important thing is that it's always there on the network.

After a while, I think maybe two or three years later, they came out with a bounce, an IRC bounce proxy, and this falls into the gray category. It can be used for good, it can be used for evil. It's found on a lot of compromised machines, generally because it is really useful for hackers.

It lets you connect to it and then it will forward your connection to an IRC server, and that helps you because if someone wants to attack you, they'll attack the bounce machine and not you. Also you can tell it to listen, or you can join it, on port 80 or something like that, so if you need to IRC from work and you have a firewall that will only let a couple of ports out, you can go through this and get through your corporate firewall. So that's handy. You can also password protect it so that a bunch of people can't get onto it, because if some asshole gets on there and pisses people off and they try to take that machine off the network, then your bounce machine is down. Even if you don't care about the machine, then I guess you don't... Can't spell anonymous. Anyway. If you don't care about the machine you probably don't care, but most people have only one or two shell machines and they hold on to them really tightly; they don't want to get them in trouble. And again, the worst thing it can do is slow down your IRC connection if someone starts to attack your bounce server, because they're not going to get you directly.

So here's where the two tools started coming together. I was going to have a fancy little graphic with a Darwinian evolution timeline thing, but I was sleeping instead. So imagine, if you will, that we put this into a big visual picture where you start with IRC scripts, which were handy for things like minding channels and aliases for sending files.

You don't have to type out the whole entire command line. Then those turn into IRC bots, the ones that keep the channel up all the time. Then what would happen is net splits would happen. Net splits are when two servers on the same IRC network break off, and some of the people go on one side and some of the people go on the other side of the net split. This happened accidentally, and eventually people figured out that when they joined back together, the first person to get back on gets ops again. So you want bots there to try and keep these accidental things from breaking who gets ops. Eventually people started to intentionally cause net splits just so that they could ride the net split and get ops. So then bots became even more important. Then it would be bot versus human, and eventually there was one bot to cause the net split and another bot to keep the net split from giving others ops; you had bot versus bot. And then people just started to get really pissed off and packet people, because they weren't very creative and they just wanted to flood them. So that was around the mid 90s, which, I have this theory, is about the same time AOL came on the network, when Clinton was like, "Hey, let's give subsidies for people to work in the tech industry, everyone get on the internet," and then everyone got on the internet and there were a bunch of mean, stupid people, and everyone got angry all of a sudden and people started DoSing each other. Also, IRC bots used to be mostly Unix because they were lean things to run or something, and now they're mostly Windows. So you've got a wide variety of stuff to run if you don't have a decent operating system.

And then it finally got to the point where people used the scripting and the DoS tools so they can automatically scan for, say, null passwords on Microsoft Windows machines. They'll break in, or, I mean, if it's a null password it's not really much of a break-in, and then copy their files over to the compromised machine and install IRC bots like Eggdrop or BNC. A lot of people have their own IRC servers installed on the victim machines, because then you don't have to go through official IRC server channels and so on. So that's always handy if you're doing warez trading and whatnot: if you have your own IRC server, you don't have to worry about ops getting on you, like "don't do this illegal stuff here."

So at the same time, okay, this is the other half of the parallel evolution thing. You have denial of service tools. These become common later than IRC. It's again when a lot of people start getting on the internet. They existed probably before IRC, but it wasn't too sophisticated. It was mostly stuff that was accidental, like you have CS students doing their first programming projects and they accidentally do a while(1) fork loop or something. They fork off a bunch of processes on the machine.
It slows everything down, possibly crashes it. Also known as a fork bomb. You also have network denial of service. Again, this started at around the same time that AOL became popular and Clinton said, "Hey, everyone get on the internet." You started with your simple network flood, which was a matter of who has the bigger bandwidth, then your amplified network flood, getting smart about using less bandwidth to cause more damage, and then you figure out how to exploit weaknesses on the machine itself to bring it down, instead of it being a brute-force sort of thing. And that's where you get SYN floods and so on. Then eventually people want to cause more damage with fewer resources. That's where you get into distributed denial of service, where you send out one command and then a bunch of people do the work for you. So then Trinoo and Stacheldraht were released, and they each have their own features in terms of security and what kind of floods they can do and things like that. Dave Dittrich has done a really good job writing white papers on this stuff, so if you look up his papers (he's at the University of Washington), he goes into unbelievably minute technical detail about how these things work. Around that time, though, breaking in and downloading was done manually a lot. Eventually IRC and distributed denial of service came together when people realized they can use IRC, which is a network

they're already using, which is really widespread, to control their zombie machines, instead of having to set up separate networks all by themselves.

So today's modern network-killing robot, which doesn't really kill a lot of networks, just the smaller ones, so that's sort of a misnomer. But they control everything in one package. It's sort of a one-stop-shopping sort of thing, where you get your tool to scan, break in, and copy your IRC bot onto the machine, and it doesn't really take a lot of effort. It's mostly a matter of scanning every single IP address that you can scan, and then statistically you're going to have a certain number of vulnerable machines. So we have a lot of users that say, "Why would a hacker want to break into my machine? I haven't done anything," and we explain to them it's nothing to do with you. You have an IP address and it's just sort of blind machination of scanning and breaking in. So everyone's vulnerable, and don't be too paranoid and all that stuff. Sometimes they listen to us; most of the time they don't, which is why they have machines broken into, and that's where we come in at the university. So part of the great thing about the IRC bots is now you have a large number of machines that can attack, and you're getting new ones all the time.

So you can get a really nice distributed denial of service network set up without having to do a lot of effort, or not as much as you did in the past. These networks of denial of service machines are called DoS nets nowadays. This is really hard to see. I can guess what slide I'm on. Right.

Well, to summarize what's on the slide: so I was thinking, immigrant child labor became really expensive, so you didn't want to hire poor Indian children to break into machines anymore, so people started automating distributed denial of service by using robots. They're harder to filter because they come from all over, just because IRC is everywhere, and they may or may not use spoofed source addresses, where they pretend that they're someone else, because new botnet nodes are really cheap to get. Plus there are a lot of people that do egress filtering, not on the main backbones but on individual networks, so you don't need to fake your address, and sometimes you will not be successful if you do, because you won't be able to attack other people because of egress filtering. These are also really widespread because the media doesn't call any attention to them. A lot of people don't know about them. People in the security industry, they don't know about DoS nets; they don't know about robots that sit on IRC and so on. Also, they hide in legitimate IRC traffic.

There are no special ports used, so it's kind of hard to find them. You can use things like Snort, but they're fully modifiable, so you can change the commands to something that isn't standard and then Snort won't be able to find it unless you write your own signatures, and then it's impossible to figure out all the possible variations in which they can change things, since those are so easily scriptable. So the way these things avoid detection is they hide in channels that people can't see: the channels are hidden, or it looks like the channel is empty, or there are weird characters in the channel name that aren't printable, things like that. Also, they're much more flexible than other distributed denial of service drones, just because you can upgrade them to run any sort of attack that you want after they've been installed, and because it's mIRC scripting you can just plug in whatever attack you want.

So then the obvious question to us as university security people is how are people getting infected with this stuff? Most of the time it's really the come-and-get-it method. It's not so much people clicking on email attachments and things like that. That's really stereotypical dumb-user behavior, but that's not usually the way these things are infected. You start with something: if they're on IRC, that's probably the easiest way to get them to download stuff, because you message them something saying, "Hey, there are hot pictures of Jennifer Lopez at this website," or "Here's an American flag screensaver, download this and you'll get an American flag screensaver," American flag mouse pointers or whatever. And it's really, really small. The file that you download can be like 10 or 20K, and you can name it pretty much anything, and a lot of people don't pay attention. They'll see "mp3" in the title.
Well, they just assume it's an mp3. And there are also a lot of machines with blank admin passwords, especially Windows XP, because you can't find the stupid admin account when you try to look in the control panel of users; you have to do a bunch of other stuff that's not too obvious, that the average home user isn't going to do, to reset their admin password. So there are a lot of machines with bad passwords, blank passwords. Another popular trick is to scan for something like Sub7. Sub7 was a Trojan that came out, I don't know, five or six years ago, a really long time ago, and if you have any kind of virus protection at all you'll be able to find it. So the theory is that if someone's infected with Sub7, they don't care about their computer security at all, so they're free to infect with whatever you want, because they're not going to notice it; they're pretty oblivious to what's going on with their machine.

That leads into EvilBot, which was an evil robot, like Eggdrop was good. This is sort of the evil IRC bot example, and this is a backdoor Windows Trojan, and it adds itself to the registry to start at boot time. Pretty much all bots do that, to make sure that they're always running. And it puts up a backdoor. If you nmap a lot of these machines you'll see weird ports open. You'll telnet to them; sometimes you'll get something useful in terms of what it is, sometimes you won't, but a lot of weird ports open is one way that we use to determine if something's been broken into.

And then GTbot. This is the big IRC denial of service bot that everyone uses; it's the most popular one.

There are a bunch of different variants. It's pretty much GTbot and SDBot. This came out relatively recently, three years ago, and it's Windows based. It's basically a mIRC client: it runs mIRC and has a bunch of mIRC INI files and bot scripts, and it runs in stealth mode using the HideWindow program. So as soon as you install it, it hides the window; it doesn't show up in Task Manager, doesn't show up in anything that you'd normally use to look at processes. This can be downloaded by people who think it's just a mIRC client, because it is a mIRC client, but it has a bunch of things in an INI file that make it responsive to people issuing it certain commands, and all that stuff is scripted in the mIRC INI file. This also supports plugins, so you can download whatever you want. If you want a BGP attack, you just tell it to upgrade, go to a certain website, download something, and then you'll have a new plugin for BGP attacks.

This is what it looks like when you go onto the channel that a GTbot, or more of them, is on. As an operator you can set who can issue commands on these bots based on your nickname and what hostname you're coming from, to make sure that not just anyone can issue commands if they stumble onto your IRC channel with your bot stash on it. These are much easier to use than Trinoo and Stacheldraht and so on, because if you get the syntax wrong, it'll give you a nice little usage message saying, "No, this is how you run this command." So it's again a lot more user friendly than the other stuff, where you pretty much had to know what you were doing and didn't get much feedback. So these are more commands that these things can do. They can flood channels for you.

They can do port scans of different machines for you, and they can get an update from a web page, and if the address you give it matches a pre-selected URL that was in the configuration file, then you can update things that way. These are a bunch of registry key settings that get set. If you look for these registry key settings on your computer, they are probably a pretty good indication that you've been infected. But this stuff is pretty much available online anywhere if you want to look that up later.

So the question is, how do you remove GTbot once it's on your machine? Because it has a hidden window and you can't see it in the process manager and so on. Generally, we find at the university, if you have something like this installed on your machine, you're probably going to have a lot of other problems with your machine. There are probably other backdoors on there you don't know about; you're not going to be able to get rid of all of them yourself. So it's probably a good idea to reformat and reinstall. That's what we end up telling our users to do. If you are going to trust on blind faith that you don't have anything else wrong with your computer, you can run a virus scanner, and they'll catch known variants of GTbot and SDBot and so on. You can also download this tool from LockDown Corp.

It's basically the same thing as a virus scanner, and there's a free version and a paid version. The URL for that is at the end. Also, after you get rid of it, you should at least delete the registry key. Actually, if you're running a virus scanner, it's going to get rid of the registry key for you, probably, but you can manually delete the registry key that it creates to make it start up again after every boot. But like all things, when you're modifying something important, you should make a backup first. You can leave the mIRC keys there because they don't really affect system operation that much. The only non-recommended way of getting rid of these is to do it manually. Some of these bots have triggers so that when they sense they're being killed, they will delete things; they could format your hard drive and so on and so forth. So that's another bad reason for you to try and do it yourself, and more reason that you should just reformat and reinstall once you find something like this on your machine. So if you want to get rid of GTbot, since it's just a mIRC client with a bunch of INI files that have been specialized, look for mIRC INI files on your system. If there are more of them than there should be, so if you don't run mIRC and there's one on there, then it's a good indication that you're infected. If you only have one copy installed and there are like three or four, that's another good indication that you've been infected, because you should only have one mIRC INI file for each version of mIRC. So that's pretty easy to figure out. Also, some of these bots are modified; you can change the scripting and pretty much any aspect of this stuff, so you can have it run off stuff that isn't a mIRC INI at all. It could be some other file. Also, yeah, so you can kill the process and delete the files and hope that nothing bad happens in terms of trojanning. You should probably be sure the process has stopped running before you delete anything.
That's kind of hard to do if you can't see the process, but if you have another tool that gives a more comprehensive process list you could do it that way. If one accidentally opens on your desktop, don't type anything into it, because some people have tried that. They're like, "Oh, I'm running IRC," and they start typing things in the window, and then trojans get set off and stuff gets deleted and so on.

And then the other big bot, other than GTbot, is SDBot, and that's more or less the same. It has slightly different features, slightly different command line stuff. It's more or less the same thing, just a different variant; it does pretty much all the same things as GTbot. It can also be removed by using something like McAfee or another anti-virus program.

And so this is where I'm going to do a demonstration of bots. So let me get out of VMware, or different... So what I have here is VMware with a Linux IRC server. Is that big enough for people to see? So in this example, I'm Vicky, so I'm the purple user there, and this window down here is a tcpdump running, so you can see where things are going back and forth. .135 is the IRC server; .136 is one of the infected bot machines I have. And as you can see, I was running some port scans of another victim machine, and you can see the first time the port scan is run... So these tools aren't particularly reliable. You see, the first time it finds no open ports, and then the second time running it, like a minute later, it finds some open ports. You can run things like the info command, and then all the bots on the network will respond and say, "I'm coming from this operating system, I've transferred this many files, this is how long I've been up, this is the current time where I am." So this is the machine that's already infected. As you can see, there's nothing here to see in terms of Task Manager; nothing will be showing up.

So there's nothing in the Task Manager, but this is something that's actually running a bot. And this is the GTbot; you can download it pretty much anywhere. This is what it will look like in terms of files. You have gates, which is the number of gateways that it has, or servers that it should be checking. It's a really, really, really long list of servers. It seems that if some of them go down then you can just go to other ones. And then these are the mIRC INI files. If you take a look at these, it starts out with some pretty basic stuff, like what my username is and things like that, and then it goes off into the scripting. So here you can see it's scripting different commands, like here's a port redirect command. So you'd issue #portredirect and then it would run this little script here to do port redirection. And there are so many aliases here, spread across a couple of different files, so you see it's got a lot of features and a lot of different commands it can run. You have your flooding commands and so on and so forth. And this is what it looks like when something is being infected. So if you watch the Task Manager really closely you can see it popping up when GTbot gets started, and then it will go away. As soon as it comes up... see, it's there, and then, because VMware is slow... and now it's gone. And that's all that you see; you're probably not going to catch that normally. If you look here on the tcpdump, it's catching a lot of traffic because this new machine is connecting to the IRC server, and this is 249.137, and you can see 249... Well, .137 is still not on the IRC channel, apparently. So you go back to the Linux machine and you can see Garra5, which is that new bot that I just started, has joined #attempt, which was hard-coded into the INI file. So now I have two bots.

So now if I wanted to port scan another machine, you'd have two different bots port scanning at the same time. And again, the first bot has found no ports, so there are probably problems with timing out and so on, but yeah, this is really useful if you want to port scan things and you don't want to have it traced back to you. So if you run it again, now they've found Microsoft name service things on there. So that should do it for the demonstration. Oh, and this is also kind of neat: you have your HideWindow program that comes with it, this one. So HideWindow will hide windows, but it'll also show you a list of hidden windows. So this one's the GTbot, just because it has no name or anything there, so you can show it and you can see this little thing popped up here, and that's what it looks like when it's shown. So again, it's pretty invisible.

So if you've got robots flooding random people on your campus, that's one way to detect a botnet on your network. Otherwise, if you want to get rid of these things, since they're so good at hiding themselves, you're pretty much left with the options of looking at a virus scanner, or looking at flows, which are router information sort of things. If you have access to Cisco routers you can have them spit out flows, and it gives connection reports of to and from addresses, to and from ports, how many bytes were transferred, so on and so forth.
So it's really handy if you're a net admin sort of person, and what you want to look for in your flows is timing. What I look for is a machine being compromised and then immediately starting to scan out. So there are some really obvious things that you can look for, like scanning port 445, which is trying blank passwords: there's a connection on that port and then it really starts scanning out. You know you've probably got an infected machine on your hands. You can use an intrusion protection system like Snort; that'll catch things that haven't been heavily modified. You can also subscribe to mailing lists like FIRST or NSP. FIRST is a coalition of groups that have been together since '85 or so, and you have to get membership and so on. I think they're at first.org, but I'm not positive. NSP is the network service providers list. That's another thing where you have to get membership, so that's pretty much only available to people that run large ISPs or university networks and stuff like that. But these mailing lists are good because you have people who are on IR and ISPs; they're watching their traffic, they can see botnets pop up, and then they'll tell you, "Hey, everyone on the list, there's a botnet on this IP address and this IP address, and this is the server that they're using." It gets people's attention, and then you can take down the botnets from the source by taking down the IRC server. You can also use something like Packeteer. This is another option if you run a really large network, because you can get a Packeteer, which is supposed to bandwidth-rate-limit things like Kazaa and other file sharing programs, so it'll also give you a nice list of people that have been using the most bandwidth on the network, and there's a good chance that those people are not doing it intentionally.

They're doing it unknowingly because they've been infected. That's another good place to look. Also, machines with lots of IRC traffic and ICMP traffic, because they're flooding someone else, they're attacking someone else. That's only a good sign when they're actually attacking. And also, if you're on IRC a lot, you sometimes see bots joining channels because they have formulaic nicknames, like Joe71. You kick them off and they come back as Joe72. Sometimes it's just an obnoxious person, but sometimes it's also a bot.

And here are URLs if you want to download some of this stuff and play with it yourself. There are a lot of different things at the web link, the source link. You can get SDBot, GTbot, Winterbot and so on. You can download it onto your machine and infect yourself and see what you can do, and infect other people. And the first URL there, LockDown Corp, is where you'd get that fancy little thing that's just supposed to get bots and nothing else. And also you can download Eggdrop and BNC and play with those and so on. So yeah, that's the end of the talk. Are there any questions? Ten minutes.

Small networks are ones that haven't been massively parallelized. A lot of people like CNN will use Akamai, because Akamai has really giant pipes and they're also physically diverse networks. So if you're not paying out a lot of money to get super redundant network bandwidth stuff, then you're vulnerable to this sort of thing taking it out.

Oh, so the question was, does the bot show up in the process list? So here you can see the process list. I don't see anything here. I mean, no. But I guess the question is... no, it doesn't show up there either. Sorry, yes, I am wrong. Yeah, I guess that's it, because here one of the bots just signed off.

The question is, how often were these hidden with a Windows rootkit, or installed automatically with a Windows rootkit? How often do you what?

Generally I don't see anything. Most of the time they aren't sophisticated enough to hide it on a kernel level. It's just a HideWindow sort of thing, because that's a lot easier to roll out. But it's a pretty common thing with rootkits. I don't know, if I had to guess I would say 80% of the time or something, depending on what you want your kit to do. But yeah, it's pretty common.

Yeah, so the question is, is there anything new after GTbot and Nesty bot? And there are things, but they're still given credit as being derivatives of GTbot because they still use the core. They've got new features, but there hasn't been anything that's been different enough from the past to label some new category.

Okay, right. Thanks for coming to my talk.
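The flow-timing check described near the end of the talk (a campus machine takes an inbound connection on port 445, then immediately starts scanning out; a machine sitting on IRC while pushing ICMP at someone), written out as an added example. This is not code from the talk, from GTbot, or from any product the talk names. Everything below the talk does not state is an assumption: the one-line flow format "ts src dst proto dport bytes" (a real NetFlow export would be parsed into this shape), 192.168.0.0/16 as the campus range, the standard IRC ports, the thresholds, and the flow records themselves, which are constructed for the example.

```python
"""Flow triage for two signs from the talk: inbound TCP/445 followed by
scanning out, and an IRC connection plus an ICMP flood.  Added example,
not the talk's or any tool's code.  Flow format, campus range, IRC ports,
thresholds and the sample records are assumptions made for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CAMPUS = ip_network("192.168.0.0/16")   # assumed campus range
SMB_PORT = 445
IRC_PORTS = {6667, 6668, 6669}           # assumed; bots can use any port
SCAN_WINDOW_S = 600      # fan-out must start this soon after the inbound hit
SCAN_FANOUT = 10         # distinct 445 targets before we call it scanning out
FLOOD_ICMP_BYTES = 100_000  # outbound ICMP bytes to one host = flood


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "icmp"
    dport: int     # 0 for icmp
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse the assumed 'ts src dst proto dport bytes' record."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return Flow(int(ts), src, dst, proto.lower(), int(dport), int(nbytes))


def is_internal(addr: str) -> bool:
    return ip_address(addr) in CAMPUS


def find_scan_outs(flows):
    """Hosts that took TCP/445 from outside and then, within SCAN_WINDOW_S,
    opened TCP/445 to at least SCAN_FANOUT distinct destinations.
    Returns {host: (inbound_ts, first_outbound_ts, distinct_targets)}."""
    flows = sorted(flows, key=lambda f: f.ts)
    first_inbound = {}
    for f in flows:
        if (f.proto == "tcp" and f.dport == SMB_PORT
                and is_internal(f.dst) and not is_internal(f.src)):
            first_inbound.setdefault(f.dst, f.ts)
    hits = {}
    for host, t0 in first_inbound.items():
        targets = {}
        for f in flows:
            if (f.src == host and f.proto == "tcp" and f.dport == SMB_PORT
                    and t0 < f.ts <= t0 + SCAN_WINDOW_S):
                targets.setdefault(f.dst, f.ts)
        if len(targets) >= SCAN_FANOUT:
            hits[host] = (t0, min(targets.values()), len(targets))
    return hits


def find_irc_floods(flows):
    """Internal hosts with an outbound IRC-port flow that also send at least
    FLOOD_ICMP_BYTES of ICMP to one destination.  Returns {host: (victim, bytes)}."""
    on_irc = {f.src for f in flows
              if is_internal(f.src) and f.proto == "tcp" and f.dport in IRC_PORTS}
    icmp = {}
    for f in flows:
        if f.proto == "icmp" and f.src in on_irc:
            icmp[(f.src, f.dst)] = icmp.get((f.src, f.dst), 0) + f.nbytes
    hits = {}
    for (src, dst), total in icmp.items():
        if total >= FLOOD_ICMP_BYTES and total > hits.get(src, ("", 0))[1]:
            hits[src] = (dst, total)
    return hits


def triage(lines):
    """Run both checks over raw flow lines; returns {host: [reasons]}."""
    flows = [parse_flow(l) for l in lines if l.strip()]
    report = {}
    for host, (t_in, t_out, n) in find_scan_outs(flows).items():
        report.setdefault(host, []).append(
            f"inbound 445 at {t_in}, then {n} outbound 445 targets from {t_out}")
    for host, (victim, nbytes) in find_irc_floods(flows).items():
        report.setdefault(host, []).append(
            f"on IRC and sent {nbytes} ICMP bytes to {victim}")
    return report


# Constructed flow records for the example (not captured traffic).
SAMPLE_LINES = (
    ["1000 203.0.113.7 192.168.5.20 tcp 445 820"]       # outsider hits a blank-password share
    + [f"{1100 + 5*i} 192.168.5.20 192.168.{10+i}.{1+i} tcp 445 60"
       for i in range(12)]                               # .20 fans out on 445
    + ["1300 192.168.5.20 198.51.100.9 tcp 6667 4200"]  # .20 joins the controller's IRC server
    + [f"{1400 + i} 192.168.5.20 203.0.113.50 icmp 0 64000"
       for i in range(8)]                                # .20 ping-floods a victim
    + ["2000 203.0.113.7 192.168.5.21 tcp 445 900",      # .21: one inbound hit, tiny fan-out
       "2050 192.168.5.21 192.168.7.3 tcp 445 60",
       "2060 192.168.5.21 192.168.7.4 tcp 445 60",
       "2500 192.168.5.22 198.51.100.9 tcp 6667 3000"]   # .22: a human on IRC, no flood
)

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_LINES).items():
        print(host, "->", "; ".join(reasons))
```

Only 192.168.5.20 is reported; .21 took the same inbound 445 hit but never fanned out, and .22 is just someone on IRC. The IRC-port check is the weaker of the two signals for exactly the reason the talk gives (the bots use no special ports), so the 445-then-scan timing is what to alert on first.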