Building a Better Botnet
by Alexander Karstens

Earlier this year, Dennis and Kyle put together a screencast overview of BreakingPoint's capabilities for simulating botnets. Today, I'd like to go into a little more detail about the AppSim component that's most associated with malicious traffic: IRC.
While most of our AppSim components are used to simulate good, normal traffic -- HTTP, Oracle, VoIP, etc. -- IRC stands out as a protocol that is, for better or worse, often associated with malicious traffic. Of course, not everything on IRC is evil. However, IRC is the traditional medium for setting up command and control channels for botnets, those armies of compromised end-user machines performing attacks such as DDoSes, spam campaigns, vulnerability scanning, and other evil deeds. So, for most ISPs and enterprises, it's not very useful to just detect the presence of IRC traffic; it's much more worthwhile to detect the particular patterns associated with botnet activity. Given that, let's build a quick botnet of the kind your fancy, expensive detection device claims coverage for, and see what sticks. In this example, we'll model a fictional botnet (DdosHax) that uses channel topic changes to signal to compromised hosts, seen from the point of view of the bot herder's local network.
First, we'll fire up the IRC AppSim Superflow editor, and populate a new superflow with the IRC actions we're interested in:
That gives us a channel join, a couple of other users joining the same channel (our bots), a topic change (the command), and the bot responses (command acknowledgements).
Next, we'll fill in the salient details of the bot herder's user name and the network he's joining.
And finally, we'll set the options for our flow actions so this all looks like a typical botnet communication. We can set the command of "!sf 192.168.1.1" to the channel topic:
And generate a response from several peers:
Here, we can see that the naming convention is pretty flexible for the number of bot hosts we'd like to simulate. In this case, we set a range between "a0" and "b9", which gives 20 remote peers, all of whom include the range indicator in their names (zombie-a0 through zombie-b9). If we'd prefer randomized names, we could uncheck the "Include Range in Name?" option, and if we wanted completely random names, we'd uncheck Peer Nick Prefix as well. If you wanted a hundred peers, simply set the range from 1 to 100, or 'aaa' to 'adv', or whatever other range naming scheme strikes your fancy.
Once this AppSim is run on the wire, we can take a look at the traffic with a regular packet sniffer:
That looks pretty evil to me -- and best of all, the whole procedure took about five or six minutes to set up from scratch, without all the futzing around with setting up real IRC servers and clients, writing scripted actions and responses, or hand-editing packet capture files.
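The detection side of the same exchange, as an added example that is not part of the original post or of BreakingPoint's tooling: a small Python checker that parses IRC lines of the shape ":nick!user@host COMMAND target :text" and flags a command-like topic change ("!..." text) that is followed by acknowledgements from several distinct nicks in the same channel, reporting the shared nick prefix that templated bot names (zombie-a0 through zombie-b9) leave behind. The channel name, hostmasks and reply text below are constructed for the example.

```python
import os
import re

# Constructed sample of the exchange described in the post (not a real capture):
# herder joins, bots join, herder sets the command as the topic, bots acknowledge.
SAMPLE_LOG = """\
:herder!h@10.0.0.5 JOIN #ddoshax
:zombie-a0!b@10.0.1.10 JOIN #ddoshax
:zombie-a1!b@10.0.1.11 JOIN #ddoshax
:zombie-b9!b@10.0.1.29 JOIN #ddoshax
:herder!h@10.0.0.5 TOPIC #ddoshax :!sf 192.168.1.1
:zombie-a0!b@10.0.1.10 PRIVMSG #ddoshax :sf started
:zombie-a1!b@10.0.1.11 PRIVMSG #ddoshax :sf started
:zombie-b9!b@10.0.1.29 PRIVMSG #ddoshax :sf started
"""

# Minimal parser for ":nick!user@host COMMAND target [:trailing text]"
LINE_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)(?:!\S+)?\s+(?P<cmd>[A-Z]+)\s+(?P<target>\S+)(?:\s+:(?P<text>.*))?$"
)

def parse_irc(log_text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def detect_topic_c2(log_text, window=50, min_responders=3):
    """Flag a TOPIC change whose text looks like a command ('!...') when it is
    followed, within `window` messages, by PRIVMSGs from at least `min_responders`
    distinct nicks in the same channel. Returns one finding per such topic change."""
    msgs = parse_irc(log_text)
    findings = []
    for i, msg in enumerate(msgs):
        if msg["cmd"] != "TOPIC" or not (msg["text"] or "").startswith("!"):
            continue
        chan = msg["target"]
        responders = set()
        for reply in msgs[i + 1:i + 1 + window]:
            if reply["cmd"] == "PRIVMSG" and reply["target"] == chan and reply["nick"] != msg["nick"]:
                responders.add(reply["nick"])
        if len(responders) >= min_responders:
            findings.append({
                "channel": chan,
                "herder": msg["nick"],
                "command": msg["text"],
                "responders": sorted(responders),
                # A long shared prefix hints at templated bot names rather than humans.
                "nick_prefix": os.path.commonprefix(sorted(responders)),
            })
    return findings

if __name__ == "__main__":
    for finding in detect_topic_c2(SAMPLE_LOG):
        print(finding)
```

Tune `window` and `min_responders` to the channel sizes seen on your own network; a single topic change followed by one or two replies is normal chatter, while dozens of near-identical acknowledgements from prefixed nicks is the pattern the post sets out to simulate.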