The UBoat botnet is a proof-of-concept botnet designed primarily for penetration testing and educational purposes. Its author has specifically stated that its main purpose is to help security engineers understand how botnets can affect specific networks, and that any malicious use of it is considered illegal. The tool is publicly available for anyone to use, which means that both experts and hackers can download and utilize it. It can be extended or modified, which allows additional modules to be created and added.
UBoat Proof-of-Concept Botnet Design & Features
The UBoat botnet is coded entirely in C++ and has no external dependencies, so it runs without installing any additional packages. An important characteristic is that it provides encrypted communications between the host and the client. This makes it very difficult for network administrators to notice that an attack is ongoing when a low-impact attack has been initiated.
Connections to the end hosts can be made both in a redundant and persistent way:
- Persistent Installation — The UBoat botnet continuously sends out packets which keep the connection to the hosts active, so that the connection is not lost.
- Redundancy — The botnet operators can configure a fallback server address or domain to be used in case the main server address is not accessible.
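The two behaviours above leave a network-side trace that a defender can look for: a host that keeps a controller connection alive contacts the same destination on a tight, regular cadence, and one that fails over to a fallback server shows a second destination on the same cadence. The following beacon detector is an added example written for this article; it is not UBoat's code and it does not come from the project. It assumes outbound connection records in the form (timestamp in seconds, source IP, destination host, destination port); the sample records, hostnames and addresses are constructed for the demonstration.

```python
from statistics import mean, pstdev
from collections import defaultdict

# Constructed sample connection log: (timestamp_seconds, src_ip, dst_host, dst_port).
# 10.0.0.5 contacts a controller every 30 s and then fails over to a fallback
# name; 10.0.0.7 browses irregularly. All names and addresses are invented.
SAMPLE_CONNECTIONS = [
    (0, "10.0.0.5", "c2-primary.example", 443),
    (30, "10.0.0.5", "c2-primary.example", 443),
    (60, "10.0.0.5", "c2-primary.example", 443),
    (90, "10.0.0.5", "c2-primary.example", 443),
    (120, "10.0.0.5", "c2-primary.example", 443),
    (150, "10.0.0.5", "c2-fallback.example", 443),
    (180, "10.0.0.5", "c2-fallback.example", 443),
    (210, "10.0.0.5", "c2-fallback.example", 443),
    (240, "10.0.0.5", "c2-fallback.example", 443),
    (3, "10.0.0.7", "news.example", 443),
    (47, "10.0.0.7", "cdn.example", 443),
    (48, "10.0.0.7", "news.example", 443),
    (190, "10.0.0.7", "mail.example", 443),
    (191, "10.0.0.7", "news.example", 443),
    (400, "10.0.0.7", "news.example", 443),
]


def find_beacons(connections, min_count=4, max_jitter_ratio=0.1):
    """Group connections per (src, dst, port), compute inter-arrival times and
    flag groups whose intervals are tightly regular (low coefficient of
    variation).  Returns {(src, dst, port): mean_interval} for flagged groups.
    Thresholds are assumptions; tune them to the network's baseline."""
    by_flow = defaultdict(list)
    for ts, src, dst, port in connections:
        by_flow[(src, dst, port)].append(ts)

    beacons = {}
    for flow, times in by_flow.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        # Ordinary browsing has large, irregular gaps; a keep-alive does not.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            beacons[flow] = avg
    return beacons


def find_failover(beacons):
    """Hosts beaconing to more than one destination are candidates for a
    primary/fallback controller pair.  Returns {src: [(dst, port, interval)]}."""
    by_src = defaultdict(list)
    for (src, dst, port), interval in beacons.items():
        by_src[src].append((dst, port, interval))
    return {src: dsts for src, dsts in by_src.items() if len(dsts) > 1}


if __name__ == "__main__":
    found = find_beacons(SAMPLE_CONNECTIONS)
    for flow, interval in found.items():
        print(f"beacon {flow} every {interval}s")
    for src, dsts in find_failover(found).items():
        print(f"{src} beacons to several controllers: {dsts}")
```

On the constructed sample, both controller names are flagged for 10.0.0.5 and the host is reported as using a fallback, while 10.0.0.7's irregular browsing is not flagged. Because the page states the traffic is encrypted, the detector deliberately relies only on timing and destination metadata rather than on payload inspection.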
The botnet controllers can initiate two major types of DDoS attacks:
- TCP Flood — The classic attack of this type, carried out by sending numerous SYN packets to the victims. The attack spoofs the source IP address so that the replies do not return to the sender.
- UDP Flood — This attack overwhelms random ports on the targeted hosts with packets containing UDP datagrams.
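Both floods described above have a distinctive shape in flow data, which is what a defender monitors for. A spoofed SYN flood shows many distinct source addresses sending SYNs to one service and never completing the handshake; a UDP flood shows a single source touching a large number of random destination ports on one host. The detector below is an added example written for this article, not code from UBoat or its author. It assumes flow records of the form (timestamp, protocol, source IP, source port, destination IP, destination port, TCP flags); the flows, addresses and thresholds are constructed for the demonstration.

```python
from collections import defaultdict


def make_sample_flows():
    """Constructed flow records; all addresses are documentation ranges."""
    flows = []
    # One normal client: SYN followed by an ACK from the same source.
    flows.append((1.0, "tcp", "192.0.2.10", 50000, "203.0.113.5", 80, "S"))
    flows.append((1.1, "tcp", "192.0.2.10", 50000, "203.0.113.5", 80, "A"))
    # Spoofed SYN flood: 200 distinct sources, SYN only, handshake never completed.
    for i in range(200):
        flows.append((2.0 + i * 0.005, "tcp", f"198.51.100.{i + 1}", 40000 + i,
                      "203.0.113.5", 80, "S"))
    # UDP flood: one source sprays 150 distinct high ports on a second victim.
    for i in range(150):
        flows.append((3.0 + i * 0.005, "udp", "198.51.100.77", 12345,
                      "203.0.113.9", 1024 + (i * 7919) % 60000, ""))
    # Legitimate DNS lookup over UDP.
    flows.append((3.5, "udp", "192.0.2.10", 53001, "203.0.113.53", 53, ""))
    return flows


def detect_syn_flood(flows, window=1.0, min_sources=100, max_completion=0.1):
    """Per destination (ip, port) and time window, count distinct SYN sources
    and the share of them that later send an ACK.  Many sources with a
    completion ratio near zero is the spoofed SYN flood signature."""
    syn_sources = defaultdict(set)   # (dst, port, bucket) -> sources sending SYN
    ack_sources = defaultdict(set)   # (dst, port, bucket) -> sources sending ACK
    for ts, proto, src, _sport, dst, dport, flags in flows:
        if proto != "tcp":
            continue
        key = (dst, dport, int(ts // window))
        if "S" in flags:
            syn_sources[key].add(src)
        if "A" in flags:
            ack_sources[key].add(src)

    alerts = []
    for key, sources in syn_sources.items():
        if len(sources) < min_sources:
            continue
        completed = len(sources & ack_sources.get(key, set())) / len(sources)
        if completed <= max_completion:
            alerts.append({"type": "syn_flood", "dst": key[0], "port": key[1],
                           "sources": len(sources), "completion": completed})
    return alerts


def detect_udp_flood(flows, window=1.0, min_ports=50):
    """Per (src, dst) and time window, count distinct UDP destination ports.
    Legitimate clients touch a handful of ports; a flood sprays many."""
    ports = defaultdict(set)
    for ts, proto, src, _sport, dst, dport, _flags in flows:
        if proto == "udp":
            ports[(src, dst, int(ts // window))].add(dport)
    return [{"type": "udp_flood", "src": src, "dst": dst, "ports": len(p)}
            for (src, dst, _bucket), p in ports.items() if len(p) >= min_ports]


if __name__ == "__main__":
    sample = make_sample_flows()
    for alert in detect_syn_flood(sample) + detect_udp_flood(sample):
        print(alert)
```

On the sample data the SYN detector reports one alert for 203.0.113.5:80 with 200 sources and a completion ratio of 0.0, and the UDP detector reports one alert for 198.51.100.77 spraying 150 ports on 203.0.113.9; the normal handshake and the DNS lookup produce nothing. Because the page notes that the SYN flood spoofs source addresses, blocking by source is of little use; the usual mitigation on the receiving side is SYN cookies (on Linux, the net.ipv4.tcp_syncookies sysctl) together with upstream rate limiting.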
The malicious component can be used to infiltrate the host machine and read or modify important values used by it. Key parameters include system values, the hardware information ID, the IP address and so on; the operators can both extract and change them.
By gaining access to the machines, the malware operators can execute arbitrary commands. The UBoat botnet also acts as a keylogger, in either a passive or an active mode. Using this malware, the hackers can also deliver, update or uninstall other threats on the host systems.
The modular engine ensures that the operators can extend it further with new functions.