WikiPrint - from Polar Technologies

Rubot Documentation

RuBot was created by Chris Lee to provide a framework in ruby to study different botnets in a safe environment. One of these botnets is a simple worm propagation which has each bot connect to an IRC server. This code will allow the user to initiate a worm in one node and have to worm propagate to multiple other nodes. Each time a node is compromised it will run a payload and connect to an IRC server to receive commands. All user commands can be given via SEER. The payload and additional IRC commands have to be specified by changing the code.

In order to have this worm run in your experiment through SEER you need to have rubot.tgz installed on each node. Inside of the NS file you need to have:

tb-set-node-tarfiles [set $node] /usr/ /proj/Deter/tarfiles/rubot.tgz

So the RuBot framework will be loaded onto each node. Replace ‘$node’ with the node(s) you want to have RuBot on. The ‘/usr/’ is where RuBot will be unzipped. RuBot needs to be unzipped in the /usr directory.

The next step is copping wormAgent.py into a place where SEER can find it and load it as an attack agent. To do this wormAgent.py needs to be copied from /users/arod/seer_rubot/modules and placed in a directory in either your directory or your projects directory. The directory needs to be set up with three sub directories titled modules, source, scripts. For example /users/arod/seer_rubot which has modules, source, and scripts as subdirectories. Place wormAgent.py in the modules subdirectory. Inside of the NS file place:

tb-set-node-startcmd $node "sudo python /share/seer/v160/experiment-setup.py Basic -d /users/arod/seer_rubot wormAgent"

Replace ‘/users/arod/seer_rubot’ with the path to your seer directory not the path to the wormAgent.py and replace ‘$node’ with each node in your experiment.

When you start SEER select the 'Worm' agent from the attack menu. The 'IRC Host' variable specifies which node will run the IRC server Make sure each node has a path to the IRC server so they can talk. This worm is started at one node and pointed towards other nodes within the network. The node which starts the worm is specified by the 'Worm Start' variable. This node needs to be different from the IRC server. The worm does not penetrate any defenses, but will successfully defeat a node if the node has a vulnerable server running on it (vulnserv.rb). Select the nodes you want to become vulnerable in the 'Vulnerable Servers' variable. The worm will branch out from the 'Worm Start' node and will attack the IP addresses you specify in the 'Target IPs' variable.

Once the vulnerable node has been 'attacked' by the worm it will run a series of commands embedded in vulnserv.rb. These commands are running the payload, initiating communication with an IRC server, and attacking the next level of IP addresses. The current payload is a get call to a website. The communication between the bots and the IRC server is limited. The bots will accept commands from the nick 'botmaster.' The only commands they respond to are 'hi' and 'quit.' For 'hi' each bot will respond with 'hi' and for 'quit' each bot will leave the IRC server and stop running vulnserv.rb. More commands can be programed by altering vulnserv.rb.

Once the variables have been set, STARTIRC will start the IRC server and STARTBOT will begin the propagation of the worm. You can monitor the status of the bots logging onto the IRC server by joining the IRC server on channel #test.