Botnets

Different Types of Bots

There are many types of bots in the wild. In this section we present some of the widespread and well-known ones, and along the way we cover some basic concepts regarding botnets and their features. Each bot is listed together with the functionality associated with it.

SDBot/RBot/UrBot:

This class of malware is at the moment the most effective one. SDBot is written in very poor C. It is the successor of RBot, UrBot and probably many more. The source code of this bot is not well architected; nevertheless attackers like it and it has been used in the wild. It shares some features with AgoBot, but its list of commands is not as long and its implementation is not as sophisticated.

mIRC-based Bots/GT Bots:

There are so many versions of these that it is hard to get an overview of all the forks. mIRC itself is a popular IRC client for Windows. GT is an abbreviation for Global Threat and is the common name used for all mIRC-scripted bots. These bots launch an instance of the mIRC chat client with a set of scripts and other binaries. One binary you will never miss is a HideWindow executable, used to make the mIRC instance invisible to the user.

AgoBot/PhatBot/ForBot:

This is probably the best known bot. There are 5000 different known versions of AgoBot and the number is steadily increasing. The bot is written in C++ with cross-platform capabilities. It is structured in a very modular way, so it is very easy to add commands for other vulnerabilities. AgoBot uses LibPcap (a packet sniffing library) to sniff and sort traffic. It also provides rootkit capabilities such as file and process hiding, and hides its own presence on compromised hosts. Furthermore, reverse engineering this bot is hard since it includes functions to detect debuggers.


Besides these three types, which we find often, there are other bots that we encounter less often.


DSNX Bots:

The Data Spy Network X bot is written in C and has a convenient plugin interface. An attacker can easily write scanners and spreaders as plugins and extend the bot's features. This bot has one major disadvantage: the default version does not come with any spreaders. But plugins are available to overcome this gap. Furthermore, plugins that offer services like DDoS attacks, a port scan interface or a hidden HTTP server are available.

Kaiten:

This bot also lacks a spreader and is written for Linux/Unix systems. Weak authentication makes it very easy to hijack a botnet running Kaiten. It offers an easy remote shell, so checking for further vulnerabilities to gain privileged access can be done via IRC.

Perl-Based Bot:

This bot is very simple, is written in Perl, and exists in different versions. What is notable about this bot is that it consists of only a few hundred lines of code; it is mostly used for DDoS attacks from Unix-based systems.

http://www.honeynet.org/node/53


DDoS Botnet Tools

The originator of a Botnet is commonly referred to as a "bot herder" or "bot master." This individual controls the Botnet remotely, often through an IRC server or a channel on a public IRC server, known as the command and control (C&C) server. To communicate with the C&C server, the bot master uses various hidden channels, including seemingly innocuous tools like Twitter or IM. More advanced bots automatically seek out more resources to exploit, joining more systems to the Botnet in a process known as "scrumping."

Botnet servers may also communicate and cooperate with other Botnet servers, creating entire communities of Botnets with individual or multiple bot masters. This means that any given Botnet DDoS attack may actually have multiple origins, or be controlled by multiple individuals, sometimes working in coordination, sometimes working individually.

Botnets are available for rent or lease from various sources, and the use of Botnets is auctioned and traded among attackers. Actual marketplaces have sprung up: platforms that enable trading in huge numbers of malware-infected PCs, which can be rented and used in Botnet DDoS or other attacks. These platforms provide Botnet DDoS attack perpetrators with a complete and richly featured toolkit, and a distribution network as well.

Some of the most common tools for initiating a Botnet DDoS attack are easily downloaded from multiple online sources, and include:

Slow Loris:

This tool is really dangerous for systems running the Apache, Tomcat and GoAhead web servers. Slowloris is a highly targeted attack, enabling one web server to take down another server without affecting other services or ports on the target network.

Qslowloris:

This tool provides a graphical user interface that makes the program very easy to use; it uses the Qt libraries to execute the same methods used by Slowloris.

Apache Killer:

Utilizes an exploit in Apache first discovered by a Google security engineer. Apache Killer pings a server and tells the server to break up whatever file is transferred into a vast number of tiny chunks, using the "Range" header. When the server tries to comply with this request, it runs out of memory or encounters other errors, and crashes.
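The defender's side of the Range-header problem described above is a policy check in front of the web server: parse the Range header, count the byte ranges it asks for, and refuse to chunk the response when the count is unreasonable. The following is an added example, not code from the original post or from any web server; the threshold MAX_RANGES, the verdict names, and the sample requests (including the documentation-range IP addresses) are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Policy threshold: a request asking for more byte ranges than this is treated
# as abusive. The value is an assumption chosen for this example; tune it for
# the content a real server serves (e.g. video players do use a few ranges).
MAX_RANGES = 5

# One byte-range-spec is "start-end", "start-" or "-suffix_length".
RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")

ByteRange = Tuple[Optional[int], Optional[int]]


def parse_byte_ranges(header: str) -> Optional[List[ByteRange]]:
    """Parse a Range header value such as 'bytes=0-99,200-' into a list of
    (start, end) pairs. None in a pair means "open" ('200-' or '-500').
    Returns None when the header is malformed."""
    if not header.startswith("bytes="):
        return None  # only the 'bytes' unit is supported here
    ranges: List[ByteRange] = []
    for spec in header[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec.strip())
        if m is None or (m.group(1) == "" and m.group(2) == ""):
            return None  # e.g. "-" or "abc"
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        if start is not None and end is not None and end < start:
            return None  # end before start is syntactically invalid
        ranges.append((start, end))
    return ranges


def range_verdict(header: Optional[str], max_ranges: int = MAX_RANGES) -> str:
    """Decide how to treat one request's Range header.

    'full'    - no header, or a malformed one: serve the whole entity.
    'partial' - a small, well-formed set of ranges: honour it (206).
    'flood'   - more ranges than policy allows: ignore the header, serve the
                whole entity, and raise an alert. Serving the full body instead
                of rejecting keeps odd-but-honest clients working while denying
                the attacker the per-range buffering it was after."""
    if header is None:
        return "full"
    ranges = parse_byte_ranges(header)
    if ranges is None:
        return "full"
    if len(ranges) > max_ranges:
        return "flood"
    return "partial"


def flagged_clients(requests: List[Dict[str, Optional[str]]]) -> List[str]:
    """Return the sorted, de-duplicated client addresses whose requests were
    classified as 'flood'; a hook for alerting or rate limiting."""
    hits = {r["client"] for r in requests if range_verdict(r["range"]) == "flood"}
    return sorted(c for c in hits if c is not None)


# Constructed sample requests (not taken from any real log). The third one
# asks for 1000 two-byte ranges, the shape of request the text describes.
SAMPLE_REQUESTS: List[Dict[str, Optional[str]]] = [
    {"client": "198.51.100.10", "range": "bytes=0-499"},
    {"client": "198.51.100.11", "range": None},
    {"client": "203.0.113.7",
     "range": "bytes=" + ",".join(f"{i}-{i + 1}" for i in range(0, 2000, 2))},
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r["client"], range_verdict(r["range"]))
    print("flagged:", flagged_clients(SAMPLE_REQUESTS))
```

The check is deliberately cheap (a regex per range and a count) so it can sit in a reverse proxy or request filter ahead of the server that would otherwise do the expensive per-range buffering.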


DDoSim:

This tool can be used in a laboratory environment to simulate a DDoS attack. It helps measure the capacity of a given server to handle application-specific DDoS attacks by simulating multiple zombie hosts with random IP addresses that create TCP connections.

http://www.incapsula.com/ddos/ddos-attacks/botnet-ddos.html