RuBot was created by Chris Lee to provide a framework to study different botnets in a safe environment. One of these botnets is a simple worm propagation which has each bot connect to an IRC server. In order to have this worm run in your experiment through SEER you need to have rubot.tgz installed on each node. Inside of the NS file you need to have:
tb-set-node-tarfiles [set $node] /usr/ /proj/Deter/tarfiles/rubot.tgz
So the RuBot framework will be loaded onto each node. Replace ‘$node’ with the node(s) you want to have RuBot on. The ‘/usr/’ is where RuBot will be unzipped. RuBot needs to be unzipped in the /usr directory.
The next step is copping wormAgent.py into a place where SEER can find it and load it as an attack agent. To do this wormAgent.py needs to be copied from /users/arod/seer_rubot/modules and placed in a directory in either your directory or your projects directory. The directory needs to be set up with three sub directories titled modules, source, scripts. For example /users/arod/seer_rubot which has modules, source, and scripts as subdirectories. Place wormAgent.py in the modules subdirectory. Inside of the NS file place:
tb-set-node-startcmd $node "sudo python /share/seer/v160/experiment-setup.py Basic -d /users/arod/seer_rubot wormAgent"
Replace ‘/users/arod/seer_rubot’ with the path to your seer directory not the path to the wormAgent.py and replace ‘$node’ with each node in your experiment.
When you start SEER select the 'Worm' agent in the attack menu. The 'IRC Host' variable specifies which node the IRC server will run on. Make sure each node has a path to the IRC server so they can talk. This worm is started at one node and pointed towards other nodes within the network. The node which the worm starts from is specified by the 'Worm Start' variable. This node needs to be different from the IRC server. The worm does not penetrate any defenses, but will successfully defeat a node if the node has a vulnerable server running on it (vulnserv.rb). Select the nodes you want to become vulnerable in the 'Vulnerable Servers' variable. The worm will branch out from the 'Worm Start' node and will attack the IP addresses you specify in the 'Target IPs' variable.
Once the vulnerable node has been 'attacked' by the worm it will run a series of commands embedded in vulnserv.rb. These commands are running the payload, initiating communication with an IRC server, and attacking the next level of IP addresses. The current payload is a get call to a website. The communication between the bots and the IRC server is limited. The bots will accept commands from the nick 'botmaster.' The only commands they respond to are 'hi' and 'quit.' For 'hi' each bot will respond with 'hi' and for 'quit' each bot will leave the IRC server and stop running vulnserv.rb. More commands can be programed by altering vulnserv.rb.
Once the variables have been set, STARTIRC will start the IRC server and STARTBOT will begin the propagation of the worm. You can monitor the status of the bots logging onto the IRC server by joining the IRC server on channel #test.