Botnets - Detection and Mitigation

A presentation about Botnets


  1. Botnets - Detection and Mitigation
     Literature study presentation by Ajit Skanda Kumarawamy (1735764), Faculty of Exact Sciences, VU Amsterdam.
     Under the guidance of Dr. Corina Stratan, Faculty of Exact Sciences, VU Amsterdam.
  2. Topics
     • Introduction
     • Study of botnet detection and mitigation techniques
     • Storm worm
     • BotHunter
     • BotSniffer
     • RBSeeker
     • Torpig Botnet Takeover
     • Conclusion
  3. Botnets – an introduction
     What is a bot?
     • A computer running a piece of malware, without the knowledge of the host/owner, acting on external instructions
     • Can be self-propagating
     What is a botnet?
     • A co-ordinated group of bots under the control of a botmaster
     • The bots act in a similar or correlated manner
     • Used for fraudulent and abusive activities
  4. Types of Botnets
     • IRC based
     • HTTP based
     • P2P based
  5. Attacks of botnets
     • DDoS attacks
     • Spamming
     • Key logging and data/identity theft
     • Phishing and pharming
     • Click fraud
     • Distribution of other adware/spyware
  6. C&C and its role
     • Command and Control – the nerve centre of a botnet
     • Publishes/pushes commands
     • (Re)organizes the botnet into subnets
     • Methods of communication: a key component of botnet mitigation is identifying the C&C communication protocol
  7. Methods for identifying botnets
     Signature based detection
     • Compare incoming and outgoing packets to a set of known signatures of bot binaries
     Anomaly based detection
     • An analytical method for identifying and studying botnets rather than a preventative process
     • Analyse the network traffic for irregular behaviour such as TCP SYN scanning
  8. Steps for mitigation of botnets
     The three generic steps for mitigation of botnets:
     • Acquire and analyze a bot
     • Infiltrate the botnet
     • Identify and take down the C&C server/botmaster
  9. Storm worm – a case study
     • The most virulent P2P bot in the wild (also known as Peacomm, Nuwar or Zhelatin)
     • Uses OVERNET and its own P2P network
     • Propagates using e-mails (attachment or embedded link)
     • Uses specific keys as rendezvous point/mailbox
     • The controller publishes commands at those keys
  10. Storm worm – analysis and mitigation
     • Obtain the bot binary using a spam trap and a client honeypot
     • Compute keys - two methods
     • Use a Sybil attack to infiltrate the Stormnet
     • Mitigate by eclipsing content and polluting
  11. BotHunter – Infection lifecycle model
  12. BotHunter - Architecture
  13. BotSniffer – Spatial-temporal correlation and similarity
  14. BotSniffer - Architecture
  15. RBSeeker
     • Used for detecting redirection bots
     • Spam source sub-system
     • Netflow analysis sub-system
     • Active DNS anomaly detection sub-system
     • Correlation of aggregated data
  16. Takeover of the Torpig Botnet
     • Data harvesting bot - financial data
     • Fast flux vs domain flux
     • Deterministic DGA and weak C&C communication procedure
     • Sinkholing .net and .com domains, 25/01/2009 – 04/02/2009
     • 8310 accounts with a range of $83K - $8.3M
  17. Conclusions
     • Botnets provide services to interested parties
     • Botnet detection techniques should go hand in hand
     • Co-operation between authorities, registrars and ISPs is needed
     • Lower layers of botnet infrastructure should be dismantled
  18. Thank you
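Slide 7 names TCP SYN scanning as the kind of irregular traffic an anomaly-based detector looks for. The following is an added illustration of that idea, not code from the presentation: it runs a simple half-open-connection check over constructed flow records, and the record format and thresholds are assumptions made for this example.

```python
"""Toy anomaly-based check for TCP SYN scanning over constructed flow
records. Record format and thresholds are assumptions for this example."""
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port, tcp_flags_seen).
# "S" alone means only a SYN was observed (half-open attempt); "SA" means
# the handshake completed (both SYN and ACK were seen in the flow).
FLOWS = [("10.0.0.5", "10.0.0.20", 80, "SA") for _ in range(4)] + \
        [("10.0.0.5", "10.0.0.21", 443, "SA"),
         ("10.0.0.5", "10.0.0.22", 22, "S")] + \
        [("10.0.0.7", f"10.0.1.{i}", 445, "S") for i in range(1, 31)]


def syn_scanners(flows, min_targets=10, max_completion=0.2):
    """Return {src: (distinct_targets, completion_ratio)} for sources that
    sent SYNs to at least min_targets distinct (dst, port) pairs while
    completing at most max_completion of those handshakes."""
    targets = defaultdict(set)      # src -> distinct (dst, port) attempted
    attempts = defaultdict(int)     # src -> flows that began with a SYN
    completed = defaultdict(int)    # src -> flows where the handshake finished
    for src, dst, dport, flags in flows:
        if "S" not in flags:
            continue                # not a connection attempt, ignore
        attempts[src] += 1
        targets[src].add((dst, dport))
        if "A" in flags:
            completed[src] += 1
    flagged = {}
    for src, n_attempts in attempts.items():
        ratio = completed[src] / n_attempts
        if len(targets[src]) >= min_targets and ratio <= max_completion:
            flagged[src] = (len(targets[src]), round(ratio, 2))
    return flagged


if __name__ == "__main__":
    for src, (n, ratio) in syn_scanners(FLOWS).items():
        print(f"{src}: {n} distinct targets, completion ratio {ratio}")
```

The thresholds need tuning per network: a host probing a temporarily unreachable service also produces SYN-only flows, so in practice this signal is correlated with other evidence (as BotHunter and BotSniffer do) rather than used alone.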
