[2010 CodeEngn Conference 04] Max - Fighting against Botnet


Botnets have become a representative attack weapon of cyber warfare. As networks grow ever faster and more complex, DDoS attacks such as the 7.7 DDoS and the leakage of personal information such as internet account credentials and financial data are being carried out through botnets. In this talk we analyze botnets that are actually operating on the internet and try to identify the botnet business models they pursue. We also demonstrate botnet design, operation, management and response, and talk about wars between botnets.




  • 1. Fighting against Botnet. MaX ( maxoverpro@gmail.com ), www.CodeEngn.com, 2010 4th CodeEngn ReverseEngineering Conference
  • 2. Agenda
    - Introduction to Botnet
    - Botnet History
    - Recent Botnet Trends
    - Botnet Life Cycle
    - Botnet Communication
    - Use of Botnets
    - Botnet Economics
    - Botnet Analysis
    - Botnet detection and response
    - Demonstration
  • 3. Introduction to Botnet
    - Bot (Zombie, Robot): a program that performs its functions in an automated way.
    - Bot Client: an infected machine.
    - Botnet: bots connected to a particular channel (IRC, HTTP, P2P, WEB, I.M), controlled by a Botmaster or Botherder.
    - Botmaster or Botherder: can control the group remotely.
    - C&C (Command and Control): the communication channel for command and control. (diagram: Botmaster, C&C-1, C&C-2)
  • 4. Introduction to Botnet (diagram: Botmaster; Bot joins the Botnet; Bot update; 0-Day)
  • 5. Botnet History
  • 6. Botnet History
    - 1988 Invention of IRC
    - 1989 Greg Lindahl (GMBot/Hunt the Wumpus - IRCBot)
    - 1993 Eggdrop (IRC Bot)
    - 1999 Remote Control Trojan (PrettyPark, SubSeven, NetBus)
    - 2000 GTBot (based on mIRC)
    - 2002 SDBot, AgoBot, Gaobot (Backdoor, Kill-AV, Hidden, Downloader, Payload)
    - 2003 SpyBot, Rbot (Keylogging, Spyware, Weak Password, Packing)
    - 2004 PolyBot (Polymorphic)
    - 2005 MyDoom (mass email worm with IRC bot and C&C), Zeus
    - 2007 StormWorm
    - 2008 Waledac, Conficker
    - 2009 Mariposa
  • 7. Recent Botnet Trends
  • 8. Botnet Life Cycle: Exploitation -> Rallying / Secure Botnet -> Listen / Payload -> Command : Erase
    - Exploitation: Malicious Code, Unpatched Vulnerabilities, Backdoor, Worm, Remote Access Trojans, Password Guessing
    - Rallying / Secure Botnet: Join Botnet, Kill Anti-Virus, Hidden, Downloader, Rootkit
    - Listen / Payload: Botnet command, Payload, Update
    - Command : Erase: Erase Evidence, Bot
  • 9. Botnet Communication (Infection Channel): E-Mail, Instant Messenger, Social Network, Downloader (Malicious Site), P2P, File sharing
  • 10. Botnet Communication (Topology): Star, Multi-Server, Hierarchical, Random, Fast-flux
  • 11. Botnet Communication (Protocols): IRC, HTTP, P2P, I.M, ...
  • 12. Use of Botnet: Phishing, Spam, DDoS, Click Fraud, Adware/Spyware Install, Information theft, Keystroke Logging, Stealing information or files
  • 13. Botnet Economics (diagram of actors and prices as labelled on the slide): Identity collector ($1~$500/Identity); WebSite Developer or WebSite Hacker ($200~2000/Site); Account & Credit card shop mall; Malware Writer ($300~$3500/Malware, $25~50/Update); Malware Distributor; Victim User; Botnet Owner; Payment Service; Resellers ($200/Hour); Spammers ($10/Million)
  • 14. Botnet Analysis
  • 15. Botnet Analysis. Categories: SpamBot, Worm, Downloader, Data Stealer. Families listed: Mega-D, Rustock, Waledac, Srizbi, Storm Worm, Conficker, Stration, Koobface, Bredolab, Zeus, Cutwail, Kraken, Grum, Xarvester, Bagle, Maazben, Lethic
  • 16. Botnet Analysis / Koobface
  • 17. Botnet Analysis / Bredolab
    - 1st Bredolab: MS07-017 (GDI Local Elevation of Privilege Vulnerability) / CVE-2006-5758
    - 2nd Bredolab: MS08-025 (Windows Kernel Usermode Callback Local Privilege Escalation Vulnerability) / CVE-2008-1084
    - 3rd Bredolab: flaw allows local users with the SeDebugPrivilege privilege to execute arbitrary code as kernel / CVE-2004-2339
  • 18. Botnet Analysis / Zeus (diagram: NameServer, Zeus C&C)
  • 19. Botnet detection and response: Anti-Virus, IDS, IPS, F/W, C&C Down, ...
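The "listen / command" stage of the life cycle above has a network-side signature a defender can look for: an infected host polls its C&C at a near-constant interval. The example below is added here and is not part of the slides; it scores constructed flow records for that beaconing pattern (host, destination and timing values are made up).

```python
# Added example (not from the slides): flag source/destination pairs whose
# outbound connections recur at a near-fixed interval, the beaconing pattern
# a bot shows while polling its IRC or HTTP C&C. All flow data is constructed.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log: (timestamp in seconds, source host, "destination:port")
FLOWS = [
    (0,   "10.0.0.5", "203.0.113.7:6667"),   # regular 60 s polling to an IRC port
    (60,  "10.0.0.5", "203.0.113.7:6667"),
    (121, "10.0.0.5", "203.0.113.7:6667"),
    (180, "10.0.0.5", "203.0.113.7:6667"),
    (239, "10.0.0.5", "203.0.113.7:6667"),
    (300, "10.0.0.5", "203.0.113.7:6667"),
    (3,   "10.0.0.9", "198.51.100.2:443"),   # bursty, human-like browsing
    (40,  "10.0.0.9", "198.51.100.2:443"),
    (41,  "10.0.0.9", "198.51.100.2:443"),
    (250, "10.0.0.9", "198.51.100.2:443"),
    (251, "10.0.0.9", "198.51.100.2:443"),
    (900, "10.0.0.9", "198.51.100.2:443"),
]


def beacon_candidates(flows, min_conns=5, max_jitter=0.2):
    """Return {(src, dst): mean_interval} for pairs that connect at regular intervals.

    A pair qualifies when it has at least min_conns connections and the
    coefficient of variation of its inter-connection gaps (stdev / mean)
    is below max_jitter; bursty traffic has a high CV and is skipped.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            hits[pair] = round(avg, 1)
    return hits


if __name__ == "__main__":
    for (src, dst), period in beacon_candidates(FLOWS).items():
        print(f"{src} -> {dst} connects every ~{period}s; review for C&C traffic")
```

A hit is a lead for analysis (C&C takedown, host isolation), not proof by itself: legitimate software updaters and monitoring agents also poll on a timer, so compare the destination against known-good services before acting.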
  • 20. Botnet Analysis
  • 21. Botnet Analysis
  • 23. Q&A? Thank you! www.CodeEngn.com 2010 4th CodeEngn ReverseEngineering Conference