Lab 10: Botnets - Internetwork Security - Fall 2007 | ECE 4112, Lab Reports of Electrical and Electronics Engineering

Material Type: Lab; Class: Internetwork Security; Subject: Electrical & Computer Engr; University: Georgia Institute of Technology-Main Campus; Term: Spring 2007;

Uploaded on 08/05/2009

ECE4112 Internetwork Security
Lab 10: Botnets
Group Number: _________
Member Names: ___________________ _______________________
Date Assigned: March 27, 2007
Date Due: April 3, 2007
Last Edited: April 10, 2007
Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so
that you will have time to complete the lab. Answer ALL questions in the Answer Sheet and be sure you
turn in ALL materials listed in the Turn-in Checklist on or before the Date Due.
Goal: The goal of this lab is to introduce you to the concept of Botnets, and showcase some features
of popular bots.
Summary: You will install two different bots, use them to carry out attacks, and analyze the
results.
Background: Read Appendix A: “Bots, Drones, Zombies, Worms and Other Things
That Go Bump in the Night” (www.swatit.org/bots) and Appendix B: “Tracking Botnets” (http://
www.honeynet.org/papers/bots/).
Prelab Questions: None
Lab Scenario: For this lab you will set up an IRC server on your Red Hat 4.0 host
machine and then infect two virtual machines (one Windows one Linux) with bots that will
connect to it. To help with the transfer of files between all of the machines, it may be helpful to
set up Shared folders on the virtual machines. To do so, see Appendix C.
NOTE:
- Some groups report getting errors during the IRC install because in a
previous lab they ran a virus that added exploit code to the beginning of
the system headers and did not restore the originals. First check which copy
is the modified one (for example, rpm -V glibc-headers reports whether
/usr/include/stdio.h still matches the installed package); then copy the
clean version back over the bad one:
cp /usr/include/stdio.h /usr/local/include/
- If you are having trouble connecting to the IRC server (running on the
WS 4.0 machine) from the virtual machines, then in a terminal on the WS
4.0 machine type the following:


# service iptables stop

to disable the firewall. Also make sure other firewalls are disabled.

Figure 1 - Lab Scenario Network Diagram

Section 1: Setup

1.1 Setting up the IRCd server

IRC networks, while not as popular as web-based chat rooms, are considered part of the “underground” Internet: public IRC servers are home to many hacking groups and illegal software (warez) release groups, mainly because of the relative anonymity users have while connected. This makes IRC a practical way to control victims without ever connecting to them directly. IRC servers are usually part of a network of several linked servers that clients can choose between (whichever is closer or less loaded), which adds to the hard-to-trace nature of IRC. For the first section of the lab, we will set up an IRC server on our host machine to simulate the public server through which the attacker controls the infected machines. Copy the file irc2.11.1.tgz from the NAS to your host machine and perform the following procedure to set up the IRC daemon on the WS 4.0 machine:

# tar -xzvf irc2.11.1.tgz
# cd irc2.11.1
# ./configure
# cd i686-pc-linux-gnu
# make all; make install

[Figure 1: IRCd and IRC client (Attacker) on the RedHat WS 4.0 host; Infected XP machine (Victim); Infected RedHat machine (Victim)]

Figure 2 - Connected to an IRC channel

You will now be in the newly created #ece4112 channel. IRC channels are like radio channels, if there were an infinite number of frequency bands: a “chat room” comes into existence when a user joins the same channel as other users. The channel user list is displayed on the right side of the X-Chat window; this is where the bots will appear when they are running properly on an infected machine.

1.2 Setting up the Virtual Machines

You will be using two of your existing virtual machines: one Windows XP and one RedHat 7.2. No additional setup is needed.

Section 2: SDBot

The first bot you will work with is SDBot, which is written in C and uses IRC to communicate with the bot master. It is neither the most powerful bot nor the most popular, but the setup is straightforward, and the version of the code we have has the self-replicating routines removed, so it is easier to control.

2.1 Installation and Configuration

Copy the SDBot folder from the NAS to your Windows XP virtual machine. Because SDBot is a C program, we have to install a Windows C compiler. In the SDBot folder run the file lccwin32.exe to install the LCC compiler. Click through the install process, leaving all of the default options in place. Once LCC is installed, open the sdbot05b.c file in WordPad and scroll down to the section labeled “bot configuration.” Make the following changes to the listed variables:

  1. botid[] = “f00f00” → botid[] = “bot1”
  2. password[] = “bar” → password[] = “password”
  3. server[] = “irc.dal.net” → server[] = “ircserver”
  4. port = 6667 → port = 6668
  5. channel[] = “#foobar” → channel[] = “#ece4112”
  6. filename[] = “syscfg32-bot.exe” → filename[] = “4112SDbot.exe”

This sets up the bot to connect to the IRC server we set up on the WS 4.0 host machine (the daemon must be listening on port 6668; Appendix A explains why bots favor ports other than the well-known 6667). Save the file as 4112bot.c and exit WordPad. Now browse to C:\windows\system32\drivers\etc and edit the hosts file in Notepad to include the line:

<WS 4.0 ip>   ircserver

so that the server name in the bot's configuration resolves to your host. Save the file. Now run make-lcc-4112.bat to build the 4112bot.exe executable. This is the executable that you would need to get onto a victim machine and launch to make it part of your botnet. How to get the .exe onto a victim machine is beyond the scope of this lab, but recall the techniques learned in previous labs. Once SDBot is installed, all firewall software needs to be disabled so that it will not interfere with the experiments. Open Task Manager, click the Processes tab, and end the blackice.exe and blackd.exe processes (the BlackICE host firewall). This must be repeated after every reboot. Also ensure that the Windows firewall is disabled: open Control Panel, click the Network Connections icon, right-click the active connection, select Properties, click the Advanced tab, and make sure the Windows Firewall is turned off.
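As an added example (written for this copy of the lab, not taken from SDBot's source or the lab's files), the following Python model shows what those six settings buy the bot master once the executable runs: the bot registers with a random nick, joins the configured channel after the server's welcome, ignores everyone until someone in the channel sends the cleartext password, and then takes commands from that one nick only. The command names `.login` and `.id`, the reply strings, the 8-letter nick, and the server transcript in `run_demo()` are assumptions constructed for illustration; real SDBot has many more commands.

```python
import random
import string

# Constructed sample configuration, mirroring the variables edited in sdbot05b.c.
BOTID = "bot1"
PASSWORD = "password"
CHANNEL = "#ece4112"


class IrcBot:
    """Model of an IRC-controlled bot: random nick, join the rendezvous channel,
    accept commands only after a '.login <password>' from someone in the channel.
    Command names and replies are assumptions for this example, not SDBot's."""

    def __init__(self, botid=BOTID, password=PASSWORD, channel=CHANNEL, rng=random):
        self.botid = botid
        self.password = password
        self.channel = channel
        # A fresh random nick per connection, like the lab's bots (and a detection lead).
        self.nick = "".join(rng.choice(string.ascii_lowercase) for _ in range(8))
        self.master = None  # nick that has logged in; None until then

    def registration_lines(self):
        """Lines sent right after the TCP connect (RFC 1459 NICK/USER registration)."""
        return [f"NICK {self.nick}", f"USER {self.nick} 0 * :{self.botid}"]

    def handle(self, line):
        """Feed one raw line from the server; return the lines the bot sends back."""
        if line.startswith("PING "):
            return ["PONG " + line[5:]]          # keepalive, or the server drops us
        parts = line.split(" ", 3)
        if len(parts) >= 2 and parts[1] == "001":   # RPL_WELCOME: registered, now join
            return [f"JOIN {self.channel}"]
        if len(parts) == 4 and parts[1] == "PRIVMSG" and parts[2] == self.channel:
            sender = parts[0].lstrip(":").split("!", 1)[0]   # ":nick!user@host" -> nick
            text = parts[3].lstrip(":").strip()
            return self._command(sender, text)
        return []                                # everything else is ignored

    def _command(self, sender, text):
        words = text.split()
        if not words:
            return []
        if words[0] == ".login":
            # The cleartext password is exactly what the attacker types in X-Chat.
            if len(words) == 2 and words[1] == self.password:
                self.master = sender
                return [f"PRIVMSG {self.channel} :password accepted."]
            return []    # stay silent on a bad password so the bot does not reveal itself
        if sender != self.master:
            return []    # anyone else in the channel cannot drive the bot
        if words[0] == ".id":
            return [f"PRIVMSG {self.channel} :{self.botid}"]
        return []


def run_demo():
    """Replay a constructed server-side transcript and collect the bot's replies."""
    bot = IrcBot(rng=random.Random(4112))
    server_lines = [
        "PING :irc.example.test",
        f":ircserver 001 {bot.nick} :Welcome to the network",
        ":intruder!x@y PRIVMSG #ece4112 :.id",               # not logged in: ignored
        ":attacker!a@host PRIVMSG #ece4112 :.login password",
        ":attacker!a@host PRIVMSG #ece4112 :.id",
    ]
    replies = bot.registration_lines()
    for line in server_lines:
        replies += bot.handle(line)
    return replies


if __name__ == "__main__":
    for reply in run_demo():
        print(">>", reply)
```

Two things worth noticing against the lab's network: the password travels in cleartext over the IRC connection, so anyone sniffing the link or sitting in the channel can replay it and take over the bots, which is why Appendix A mentions masters using encrypted login passwords; and the random nick that keeps the bots from colliding with each other is also a pattern a channel operator or IDS can look for.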

2.2 Meet Your Bot

Run the 4112bot.exe executable on the XP virtual machine. Go back onto your host machine and watch the X-Chat window. Within a few minutes a host with random letters for a username should log into your channel; this is your bot. Log into your bot by typing:

Q2.4. How many bots would be needed to flood a 1 Gbit link with UDP packets?

Q2.5. How might this attack be prevented from the perspective of the flood target? From the perspective of the infected victim?

2.4 Ping Flood

Now we will use the bot to execute a PING (ICMP echo) flood against the same target.

  1. Open Ethereal and filter the packets with the expression: ((ip.src==<WinXP ip>) && (ip.dst==<RH7.2 ip>) && icmp)
  2. Click on the Capture tab and click on Options.
  3. Make sure "real time" and "automatic scrolling" under display options are checked and start the capture.
  4. Use the command reference to find the command for a PING flood. Send 1000 packets of size 4096 to the RedHat 7.2 machine with a 1 ms delay.
  5. Wait until the bot reports "finished sending packets to <target ip>".
  6. Stop Ethereal.
  7. Open the Statistics menu in Ethereal.
  8. Click on “Summary”.
  9. Note the Avg MBit/s figure that is displayed; this is the rate one bot achieved.

Q2.6. What command did you use?

Q2.7. How many bots would be needed to flood a 1 Gbit link with ICMP packets?

Q2.8. From the results of the two floods, which one is more efficient: UDP or ICMP?

Q2.9. Based on your answer to question 2.8, when would you not use the more efficient one?
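Questions 2.4 and 2.7 ask how many bots it takes to fill a 1 Gbit link. As an added worked example (not from the lab), the following Python turns the flood parameters into the on-the-wire rate the way Ethereal's Summary counts it, and then into a bot count. It assumes a 1500-byte MTU, 14 bytes of Ethernet header per frame (Ethereal's byte counts exclude preamble and FCS), 20-byte IP headers, and that the bot really achieves 1000 packets per second with its 1 ms delay; the 1000-byte UDP payload in the demo is also an assumption. The number that matters is the measured Avg MBit/s from step 9, which can be fed straight to bots_needed().

```python
import math

MTU = 1500           # Ethernet payload limit on the lab network (assumption)
IP_HDR = 20          # IPv4 header without options
ETH_HDR = 14         # Ethernet header; Ethereal counts this but not preamble or FCS
L4_HDR = {"udp": 8, "icmp": 8}   # UDP header / ICMP echo header


def ip_fragments(payload, proto, mtu=MTU):
    """Sizes of the IP datagrams one flood packet becomes on the wire.

    A 4096-byte payload does not fit in one frame, so the sender's IP stack
    fragments it. Every fragment repeats the 20-byte IP header, and fragment
    offsets are counted in 8-byte units, so each fragment carries at most
    (mtu - 20) rounded down to a multiple of 8: 1480 bytes for a 1500 MTU.
    """
    remaining = L4_HDR[proto] + payload
    max_chunk = (mtu - IP_HDR) // 8 * 8
    sizes = []
    while remaining > 0:
        chunk = min(max_chunk, remaining)
        sizes.append(IP_HDR + chunk)
        remaining -= chunk
    return sizes


def flood_mbps(payload, pps, proto):
    """Average Mbit/s generated by one bot sending `pps` packets per second."""
    bytes_per_packet = sum(ETH_HDR + frag for frag in ip_fragments(payload, proto))
    return bytes_per_packet * 8 * pps / 1e6


def bots_needed(link_mbps, per_bot_mbps):
    """Smallest number of bots whose combined rate reaches the link capacity."""
    return math.ceil(link_mbps / per_bot_mbps)


if __name__ == "__main__":
    # Lab parameters: 4096-byte ICMP echoes, 1 ms delay -> at most 1000 packets/s per bot.
    icmp = flood_mbps(4096, 1000, "icmp")
    print(f"ICMP flood: fragments {ip_fragments(4096, 'icmp')} bytes, {icmp:.3f} Mbit/s per bot")
    print(f"bots to fill a 1 Gbit link: {bots_needed(1000, icmp)}")
    # A single-fragment UDP flood for comparison (1000-byte payload is an assumption).
    udp = flood_mbps(1000, 1000, "udp")
    print(f"UDP flood: {udp:.3f} Mbit/s per bot, {bots_needed(1000, udp)} bots")
```

Three caveats when comparing with what you measured: a 1 ms delay is a lower bound, since the timer the bot sleeps on has far coarser granularity than that on Windows XP, so the real packet rate is lower and the bot count higher; a real 1 Gbit link also spends 20 bytes per frame on preamble and inter-frame gap that Ethereal never sees; and per-packet overhead is what makes one flood "more efficient" than another, which is the comparison Q2.8 asks for.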

2.5 Fraudulent Pay-per-click Count

Another use botnets have been put to is generating fraudulent referrals in pay-per-click advertising schemes. It works like this: an advertising agency puts a “banner” on an individual's web page and pays the individual a nominal amount every time a visitor clicks on the banner (which is a link to the sponsor's website). A botnet can generate large numbers of false “clicks” on these banners, with each bot fetching the sponsor's page and claiming in its HTTP Referer header that it arrived from the individual's page, so the individual fraudulently earns a lot of money. To see this:

  1. Open Ethereal and filter the packets with the expression: (((ip.src==<WinXP ip>) && (ip.dst==57.35.6.10) && tcp) || ((ip.src==57.35.6.10) && (ip.dst==<WinXP ip>) && tcp))
  2. Click on the Capture tab and click on Options.
  3. Make sure "real time" and "automatic scrolling" under display options are checked and start the capture.
  4. Issue the SDBot command for a fraudulent pay-per-click visit: .visit http://57.35.6.10/index.html http://.com
  5. Wait until the bot reports “url visited.”
  6. Stop Ethereal.
  7. Now examine any TCP packet of the exchange by right-clicking it and selecting “Follow TCP stream.” The reassembled stream shows the GET request with the Referer header the bot supplied.

Screenshot #2: Take a screenshot of the TCP stream showing the source and referrer web page.

2.6 Bot Removal

Open Task Manager (Ctrl+Alt+Del) and you should see the bot running under the conspicuous process name 4112SDBot.exe; if you were trying to hide the bot you would, of course, pick a much less obvious name. Use Task Manager to kill the process and restart your virtual machine. Once it has rebooted, open Task Manager again: your bot is running again. This is one of the most powerful things about bots; once a computer is infected it stays infected across reboots, because the bot registers itself to be started automatically, until the user finds and fully deletes it.

  1. Use Task Manager to kill the process again.
  2. Open the file “sdbot05a.c”.
  3. Search for the function “void uninstall (void)” and examine its code. From this, you should be able to tell what the names of SDBot's registry entries are.

Q2.10. Where are the registry entries? Why are the entries placed in these two locations?

  4. Open the registry editor by clicking Start → Run and typing “regedit”.
  5. Delete the registry entries as described by the source code and restart the virtual machine.
  6. Verify that sdbot05a.exe and TEMP.exe no longer show up as processes in Windows Task Manager.

Q2.11. How would a user know where in their registry the bot is located if the source code were not available for inspection?

Section 3: q8Bot

You should see q8bot running plain as day. Note the bot's process id. Now run:

ps -ef

The bot is gone! Use the man pages to figure out what the -e and -f flags do.

Q3.1. What process is listed as running under q8bot's process id when you used ps -ef?

Q3.2. Open the bot's source code and identify the lines responsible for this renaming. Why does this renaming only work when the -f flag is used? (Hint: look at the other entries with and without the -f flag. What is different about the process names displayed in the corresponding lists?)

Q3.3. Of what we have done so far, what could we have done differently to make the bot less noticeable when not using the -f flag? (You have only done one thing with the bot so far...)

If your bot has started up successfully, it should log in to the IRC server within a couple of minutes. The bot logs in with a random username: the IRC server does not allow two users to share a nickname, so a fixed one would collide as soon as a second bot connected; hence the bot generates a random nickname each time it connects. Can this be used to detect the bot on the network?

Screenshot #3: Take a screenshot of the X-Chat window showing the bot successfully joining the channel.
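Q3.1 to Q3.3 hinge on the fact that ps -e and ps -ef read different things: ps -e prints the kernel's own record of the executable name (set from the file that was exec'd, and kept in /proc/<pid>/comm on current kernels or in the name field of /proc/<pid>/stat on the 2.4 kernel of the lab's RedHat 7.2 VM), while the -f full-format listing prints the command line from /proc/<pid>/cmdline, which a process can overwrite by writing into its own argv[0] buffer. As an added example (not the lab's or q8bot's code), this Python script compares the two for every process and reports the ones that disagree. The procfs layout assumed is Linux's, and the name/cmdline pairs in the test are constructed.

```python
import os
from pathlib import Path

COMM_LEN = 15   # the kernel keeps only the first 15 bytes of the executable name


def expected_comm(cmdline):
    """Name `ps -e` would print if argv[0] were honest: the basename of argv[0],
    truncated the way the kernel truncates comm. None for kernel threads (empty cmdline)."""
    if not cmdline:
        return None
    argv0 = cmdline.split(b"\0", 1)[0].decode("utf-8", "replace")
    argv0 = argv0.lstrip("-")            # login shells prefix argv[0] with '-'
    return os.path.basename(argv0)[:COMM_LEN]


def spoof_suspect(comm, cmdline):
    """True when the name shown by `ps -ef` (argv[0]) and by `ps -e` (comm) disagree."""
    expected = expected_comm(cmdline)
    if not expected:
        return False
    return comm.strip()[:COMM_LEN] != expected


def read_comm(procdir):
    """Executable name as the kernel records it: /proc/<pid>/comm on 2.6.33+,
    otherwise the parenthesised second field of /proc/<pid>/stat (e.g. the 2.4 kernel)."""
    try:
        return (procdir / "comm").read_text(errors="replace").strip()
    except OSError:
        stat = (procdir / "stat").read_text(errors="replace")
        return stat[stat.index("(") + 1:stat.rindex(")")]


def scan_proc(proc="/proc"):
    """Walk a procfs tree; return (pid, comm, argv0) for every process whose two names differ."""
    hits = []
    root = Path(proc)
    if not root.is_dir():
        return hits
    for entry in root.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            comm = read_comm(entry)
            cmdline = (entry / "cmdline").read_bytes()
        except (OSError, ValueError):
            continue                    # process exited, or not readable by this user
        if spoof_suspect(comm, cmdline):
            argv0 = cmdline.split(b"\0", 1)[0].decode("utf-8", "replace")
            hits.append((int(entry.name), comm, argv0))
    return hits


if __name__ == "__main__":
    for pid, comm, argv0 in scan_proc():
        print(f"{pid:>6}  ps -e shows {comm!r:18} ps -ef shows {argv0!r}")
```

Run it as root on the RedHat 7.2 VM while q8bot is up and it lists the bot's pid with its real name next to the borrowed argv[0]. Expect a few legitimate hits as well: sshd and some database servers rewrite their argv to display status, so a mismatch is a lead rather than a verdict, and a process can also change comm deliberately with prctl(PR_SET_NAME). The script also shows Q3.3 from the defender's side: a bot whose binary was renamed to something innocuous before it was launched has a comm that matches its disguise, and this check finds nothing.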

3.2 Using q8bot

To say that q8bot is not user friendly is an understatement. The source code has few or no comments and is structured for minimum readability. Of course, it is malicious software and is not expected to live up to industry source code standards! However, there is a little help in the code which will let us explore the functionality of this bot. Look for the function titled “help” in the code; it lists the commands the bot understands.

Q3.4. List any three commands that you find there which you think might be useful to the attacker. Which command do you think can do the greatest damage?

Now we will use the TSUNAMI command to launch a DoS attack against your Windows XP virtual machine. As can be seen in the source code, the format is TSUNAMI <target> <secs>. On your host machine, open Ethereal and filter the packets using:

ip.src == <RH7.2 ip> && ip.dst == <WinXP ip>

Start the capture. In your X-Chat client window, type:

TSUNAMI <WinXP ip> 10

This launches a DoS attack against the XP virtual machine.

Q3.5. What destination port is the attack traffic directed to?

Note that the bot may quit after it has completed the attack (I tried to fix it, but the code is a mess, so I couldn't get at all of the exit calls). If this happens, just restart it on your Red Hat virtual machine. Our aim in this lab is not to turn students into script kiddies, and so far you have done nothing but use existing source code to launch attacks. The actual source code for q8bot was not functional and we had to make a few changes to get the DDoS attacks to work. It will be a good exercise to get your hands dirty and get the PAN attack to work.

Q3.6. Make changes to the source code so that the PAN attack executes successfully. For help, look at the differences between the code for the pan function and the tsunami function in the source file. List the changes that were required to get it to work.

Q3.7. What command did you issue on the IRC channel to launch the PAN attack?

Screenshot #4: Take a screenshot of the Ethereal capture of the PAN TCP SYN flood attack against your WinXP virtual machine.

Q3.8. Can botnets be formed by relying on protocols other than IRC? If yes, give a possible protocol that can be used.

Section 4: HoneyNet Botnet Capture Analysis

Turn-in checklist

You need to turn in:
- Answer sheet.
- 4 screenshots.
- Any corrections or additions to the lab.

Appendix A: www.swatit.org/bots

1. What Is A Bot and What Is A Bot Not.

Firstly the term Bot is derived from the word Robot which in turn is derived from the Czechoslovakian word "robota" which simply means work. Bot is a generic term and is used to describe an automaton or automated process in both the real world and the computer world. Search engines use Bots to spider websites with, and online games such as Quake use Bots as artificial opponents. Bots do not need to eat, drink or sleep and will relentlessly do their masters' bidding until told to stop. The Bots we are covering are IRC Bots and they operate in much the same manner. Bots are often also commonly referred to as Zombies or Drones which are incorrect terms mainly used by the media as it creates a much more fearsome image. One of the first bots written for Unix machines was released as Eggdrop Bot, by which it is still known today. I am informed by the current head of development for Eggdrop Bot, Jeff Fisher, that Eggdrop was first created in 1993 and can be downloaded from www.eggheads.org. Various Trojan Bots also have bot in the name given to them by the authors, for example: SubSeven Bot, Bionet Bot, AttackBot, GT Bot, EvilBot and SlackBot to name just a few specimens. In actuality a Zombie is a Unix process which is dead and has not yet relinquished its process table slot, rather like a ghost. Furthermore, a drone is similar to a zombie and is also still not an accurate description of an IRC Bot.

2. Chronology of IRC Bots

IRC Bots have existed for many years now and are certainly not by any means a new discovery. Eggdrop Bots for all flavors of Unix have been around several years and were usually used to protect IRC channels in the owner's absence. Generally these Bots are used for valid and useful purposes but as you can create your own TCL scripts, they have much scope to also be used for malicious purposes. Versions of Eggdrop Bot for Windows also exist under the name of Win Eggdrop. I have seen several versions for Windows that have been patched so that they run as an invisible process (as a Trojan). More information on Eggdrop Bots along with a full range of scripts can be found at www.eggheads.org. Malicious Trojan Bots for Windows have existed for at least four years with early known versions being Bots such as AttackBot, which was a precursor to the SubSeven Bot. The knowledge gained from the development of AttackBot along with the code was applied in a condensed form into the SubSeven Bot. You can find a description, albeit not an accurate description, of AttackBot at Dark-e and information regarding the SubSeven Trojan. Past articles have been written about specific types of Trojans that connect to IRC and launch DDoS (distributed denial of service) attacks and one very good article on the subject can be found at iDefense (read the PDF Adobe Acrobat file) and also read this article by iDefense. This article is an analysis of the SubSeven Trojan's ability to launch DDoS and although it covers a version of SubSeven that is now nearly two years old and a little outdated, it was and still is very accurate in its assessment.

3. The Distinct Types of Bots.

IRC Bots come in several different flavors and for several different operating systems. For Windows, there are three specific types of Bots: (1.) Bots that consist of a single binary, such as AttackBot, SubSeven, EvilBot, SlackBot etc. (2.) Bots that use one or more binaries and open source script files normally based around mIRC 32 and commonly referred to as GT Bot (Global Threat) which we cover in a lot more detail here URL?? as they are the easiest to edit and create new variants of due to their being open source mIRC scripted files. (3.) Bots that are a backdoor in another program such as Socket Clone Bots in mIRC which when you

executable created by a program called PaquetBuilder32 and execute it. This would install a GT Bot that connects to IRC.Dal.Net and joins target channels and autosends by DCC (Direct Client To Client Protocol) a copy of the Web Downloader Trojan which infects more machines. This works in two parts with one Bot infecting other users to create more Bots and the other logging onto a different IRC server to report for duty for DDoS attacks. Over the course of our studies we have collected and assimilated a lot of information and IRC channel logs and screen captures showing all sorts of different Bot activity including DDoS attacks.

(b.) Once the Trojan is run it secretly installs itself and creates a method to restart itself. Commonly used are the WIN.INI run= or load= lines or the SYSTEM.INI under shell= after explorer.exe, e.g. (shell=explorer.exe ,trojanbot.exe), or it loads from the Registry or Start Up folder.

(c.) When installed and running the Bot will attempt to connect to an IRC Server on a pre-designated port. The most common connection port to attempt connection to is the default Port 6667. It should also be considered that IRC Servers usually listen on several other ports by default including 6660, 6661, 6662, 6663, 6664, 6665, 6666, 6668, 6669 and 7000. These other ports are often used so that the more commonly known Port 6667 is not shown in Netstat as a remote port that the computer is connected to. Another thing that should be noted is that an IRC Server is not limited to the ports listed above and in fact can be set to listen on any port for connections. IRCD versions for Windows are often configured to run on Port 80 or other similar ports which won't arouse too much suspicion as a remote port connection. Some BotNets run Trojanized Windows IRCDs such as Unreal IRCD 3.0 for Windows which has been adapted to run as a hidden task under the process name Coresrv.exe and it loads Coresrv.dat as the IRCD configuration file. This enables BotNets to be hidden on non public providers' machines which are a lot harder to have removed than a simple complaint to a shell host provider. The user must first be contacted which is no easy task especially when having to do it through the ISP which often has little or no conception of what this stuff is or how it works. They most probably think emails of complaint are the ravings of some madman with an overactive imagination and who could blame them as a lot of it sounds too fantastic to be true. Most BotNets are however forced to join public or private IRC Servers hosted by commercial shell hosting companies operating on a Unix flavoured operating platform. Once connected to IRC the Bot will log into the predetermined rendezvous channel to await further instructions from its Master.

(d.) Often as these Bots join the IRC channel the Master will log into them with a special and sometimes encrypted access password. This ensures that the Bots cannot be controlled by other people and makes it harder for someone to hijack the BotNet. After the login has been accepted, if indeed it was required, the Bots are now ready to be put to work. Our screen capture archive which we obtained from undercover surveillance shows much activity going on in these Bot channels with lots of DDoS attacks and IRC floods being invoked. Even as I write I am witnessing channels being heavily flooded on DALnet by floods of GT Bots which hardly display any of the traits of sluggish and lifeless Zombies. As I sit here so far over 50 different channels have been brought to a standstill by huge floods of data where the Bot connects, sends a message to the channel and immediately disconnects and then reconnects and performs the action repeatedly in a loop until ordered to stop on the remote server. As this is of extra added interest I have decided to also include screenshots of both the remote IRC channel where the orders are given and one of the channels which were attacked. The attack being launched here and the results of the attack and what the victims saw here. The screen captures from when I joined the channel to observe the BotNet here and here show the number of GT Bots in each of the channels. The channel modes should also be noted which appear in the title bar of the channel window as +mnprtu which is set that way to hide the nicknames of the Bots in the channel from the user list on the right hand side of the image. We will be covering channel modes and what these modes mean and do in section 4 (f.) of this article.

(e.) An idea of how Bots are used to spam becomes obvious when you look at this image here showing GT Bots being commanded to spam a remote IRC Network with fake virus warnings urging people to go and download a fake cure which will make them become infected with a GT Bot. This is a common and effective strategy amongst BotNet owners to play on normal users' fears and concerns. These Bots are normally joined into popular channels with several hundred people in them and message everybody as they join with a spam message such as the one in the above image. They are able to generate huge amounts of spam per session and infect many users, which increases the head count of the BotNet and of course makes any attacks launched more devastating.

(f.) BotNets often draw attention to themselves by traffic patterns which are soon picked up on by vigilant IRC Administrators or Shell Providers and the channels they join closed or the shell account removed due to abuse complaints. If they joined a fixed IRC Server name or IP address the likelihood is that they would all be lost from some basic action on the part of the service providers. This is why BotNets often follow dynamic hosts which are quick and easy to edit to repoint the entire army elsewhere if accidentally stumbled upon or banned from an IRC Server or channel. If the dynamic address that the Bots follow can be identified then it is not too hard to complain to the provider of the dynamic account and request that it be null routed. The smart money is always on going after the dynamic DNS if you can recover the information as to which dynamic it is using. A common provider of free dynamic accounts is dyndns.org. These accounts can be and are used for many legitimate purposes but are also unfortunately prone to misuse by some users. Dyndns has strong terms of service governing these accounts and abuse of them. In our experiences with dyndns the abuse department rigidly enforces their policies and terminates abused accounts promptly when proof of abuse is provided. You will find here one example of how abuse was handled without a report even being made to the abuse department. here

When the Bots are connected to the IRC Server the channel they join is usually set with various channel modes to restrict access or help stealth the fact that the channel or the occupants of the channel are there. Unreal IRCD which is a popular choice with BotNet Masters covers the channel modes in its own commands document so I will refer to that rather than do a complete rewrite. here You may notice from the images in the gallery here the modes the channel is set at and be able to quickly reference them from the Unreal IRCD document about halfway down. Typically the channels will be set with these modes at least:

+s (secret: cannot be seen in channels list)
+u (userlist is hidden)
+m (moderated: a user cannot send text to that channel unless they have operator @ access or +v voice)
+k (cannot enter the channel unless you know the correct key)

5. Conclusions.

(a.) People should be reasonably paranoid about accepting any files over the Internet from chatrooms or visiting web sites that they do not know without at least checking that their web browser is updated with the latest critical updates if they use Microsoft Internet Explorer. Test the security of your Internet Explorer here. Many files are spread on IRC as *.MPEG.zip or *.MPEG.exe and other similar names to fool people into accepting them. Even scanning files with Anti Virus scanners is not always good enough defense as unknown Trojans would not be identified. Additional references here, here and here.

Appendix B:

http://www.honeynet.org/papers/bots/

Know your Enemy:

Tracking Botnets

Using honeynets to learn more about Bots

The Honeynet Project & Research Alliance
http://www.honeynet.org
Last Modified: 13 March 2005

Honeypots are a well known technique for discovering the tools, tactics, and motives of attackers. In this paper we look at a special kind of threat: the individuals and organizations who run botnets. A botnet is a network of compromised machines that can be rem
otely controlled by an attacker. Due to their immense size (tens of thousands of systems can be linked together), they pose a severe threat to the community. With the help of honeynets we can observe the people who run botnets - a task that is difficult using other techniques. Due to the wealth of data logged, it is possible to reconstruct the actions of attackers, the tools they use, and study them in detail. In this paper we take a closer look at botnets, common attack techniques, and the individuals involved. We start with an introduction to botnets and how they work, with examples of their uses. We then briefly analyze the three most common bot variants used. Next we discuss a technique to observe botnets, allowing us to monitor the botnet and observe all commands issued by the attacker. We present common behavior we captured, as well as statistics on the quantitative information learned through monitoring more than one hundred botnets during the last few months. We conclude with an overview of lessons learned and point out further research topics in the area of botnet-tracking, including a tool called mwcollect2 that focuses on collecting malware in an automated fashion.

Introduction

These days, home PCs are a desirable target for attackers. Most of these systems run Microsoft Windows and often are not properly patched or secured behind a firewall, leaving them vulnerable to attack. In addition to these direct attacks, indirect attacks against programs the victim uses are steadily increasing. Examples of these indirect attacks include malicious HTML files that exploit vulnerabilities in Microsoft's Internet Explorer or attacks using malware in Peer-to-Peer networks. Especially machines with broadband connections that are always on are a valuable target for attackers. As broadband connections increase, so too does the number of potential victims of attacks. Crackers benefit from this situation and use it for their own advantage. With automated techniques they scan specific network ranges of the Internet searching for vulnerable systems with known weaknesses. Attackers often target Class B networks (/16 in CIDR notation) or smaller net-ranges. Once these attackers have compromised a machine, they install a so called IRC bot - also called zombie or drone - on it.

Internet Relay Chat (IRC) is a form of real-time communication over the Internet. It is mainly designed for group (one-to-many) communication in discussion forums called channels, but also allows one-to-one communication. More information about IRC can be found on Wikipedia. We have identified many different versions of IRC-based bots (in the following we use the term bot) with varying degrees of sophistication and implemented commands, but all have something in common. The bot joins a specific IRC channel on an IRC server and waits there for further commands. This allows an attacker to remotely control this bot and use it for fun and also for profit. Attackers even go a step further and bring different bots together. Such a structure, consisting of many compromised machines which can be managed from an IRC channel, is called a botnet. IRC is not the best solution since the communication between bots and their controllers is rather bloated; a simpler communication protocol would suffice. But IRC offers several advantages: IRC servers are freely available and are easy to set up, and many attackers have years of IRC communication experience.

Due to their immense size - botnets can consist of several ten thousand compromised machines - botnets pose serious threats. Distributed denial-of-service (DDoS) attacks are one such threat. Even a relatively small botnet with only 1000 bots can cause a great deal of damage. These 1000 bots have a combined bandwidth (1000 home PCs with an average upstream of 128 KBit/s can offer more than 100 MBit/s) that is probably higher than the Internet connection of most corporate systems. In addition, the IP distribution of the bots makes ingress filter construction, maintenance, and deployment difficult. In addition, incident response is hampered by the large number of separate organizations involved. Another use for botnets is stealing sensitive information or identity theft: searching some thousands of home PCs for password.txt, or sniffing their traffic, can be effective.

The spreading mechanisms used by bots are a leading cause for "background noise" on the Internet, especially on TCP ports 445 and 135. In this context, the term spreading describes the propagation methods used by the bots. This malware scans large network ranges for new vulnerable computers and infects them, thus acting similar to a worm or virus. An analysis of the traffic captured by the German Honeynet Project shows that most traffic targets the ports used for resource sharing on machines running all versions of Microsoft's Windows operating system:

- Port 445/TCP (Microsoft-DS Service) is used for resource sharing on machines running Windows 2000, XP, or 2003, and other CIFS based connections. This port is for example used to connect to file shares.
- Port 139/TCP (NetBIOS Session Service) is used for resource sharing on machines running Windows 9x, ME and NT. Again, this port is used to connect to file shares.
- Port 137/UDP (NetBIOS Name Service) is used by computers running Windows to find out information concerning the networking features offered by another computer. The information that can be retrieved this way includes system name, name of file shares, and more.