Your SlideShare is downloading. ×
Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly Meeting
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly Meeting

244

Published on

Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly Meeting in Adobe Systems, Noida

Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly Meeting in Adobe Systems, Noida

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
244
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
9
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. #BOTNET Utsav Mittal Founder and Principal Consultant at Xiarch Pvt Ltd
  • 2. WHAT IS BOTNET ? • Network of Infected Host. • Botnet is a network of compromised computers (#zombies) under the control of remote attacker (#botmaster). • Controller of botnet is able to direct the activities of these compromised system. #Bot Terminology > Bot Herder (#botmaster) > Bot > Bot Client > IRC / HTTP based Server > Command & Control Channel (C&C)
  • 3. WHAT DOES IT LOOK LIKE WHEN YOU CONNECT Look like regular IRC C&C !
  • 4. WHAT DOES IT LOOK LIKE WHEN YOU CONNECT Bot Connected !
  • 5. IRC COMMANDS – THAT A HIJACKER WOULD USE
  • 6. HISTORY OF BOTNET • Sub7 & Pretty Park (a Tr0jan & a W0rm) infected machine connecting to an internet relay chat (IRC) channel to listen for malicious commands. • in 2002 Agobot introduced the concept of staged attack. • [+] install a back door, the second try to take out anti-virus software and third blocked access to security vendor websites. • Rbot also appeared in 2003 – a family of bots which used compression and encryption algorithms to evade detection.
  • 7. BOT BOT Botnet Architecture BOTMASTER BOT C&C C&C Recruiting Recruiting Recruiting
  • 8. ATTACKING BEHAVIORS • Infecting new hosts • Social engineering and distribution of malicious emails or other electronic communications (i.e. Instant Messaging) • Example - Email sent with botnet disguised as a harmless attachment. • Stealing personal information • Keylogger and Network sniffer technology used on compromised systems to spy on users and compile personal information • Phishing and spam proxy • Aggregated computing power and proxy capability make allow spammers to impact larger groups without being traced. • Distributed Denial of Service (DDoS) • Impair or eliminate availability of a network to extort or disrupt business • CPU Abusing • Uses Victim CPU to perform bitcoin mining or brute force hash reversing and password attacks eg.ZeroAccess ,Skynet
  • 9. ATTACK VECTOR • USB Drives • EMAIL • FILES • BUGGY SOFTWARES • OPEN PORTS • Others . .
  • 10. BOTNET COMMUNICATION METHODS • HTTP • IRC • P2P • Others . .
  • 11. CURRENT BOTNET • What is Tor ? Tor is short for The Onion Router and was initially a worldwide network of servers developed with the U.S. Navy that enabled people to browse the internet anonymously.
  • 12. TOR BASED BOTNET
  • 13. ANDROID TOR BASED BOTNET
  • 14. HTTP COINER BOTNET
  • 15. BITCOIN MINING BOTNET
  • 16. FBI — Botnets Infecting 18 Computers per Second.
  • 17. BROWSER BASED BOTNET • Abuse HTML5 to DDoS • + Jeremiah Grossman and Matt Johansen showed that it is possible to initiate a massive distributed denial of service (DDoS) attack via a browser-based botnet. • + This abuse of HTML5 can lead to spamming, bitcoin generation, phishing, internal network reconnaissance, proxy network usage, and spreading of worm via XSS attacks or SQL injections.
  • 18. HOW ? Attackers need only to invest on fake online ads which are inexpensive. Because networks serving ads on websites allow the execution of JavaScript, the attackers craft the JavaScript to make hundreds or thousands of users connect to a targeted site simultaneously, which may be enough to make the victim site inaccessible. dDOS !
  • 19. ABUSES OF HTML5 + 1. Spamming 2. Bitcoin generation 3. Phishing 4. Internal network reconnaissance, 5. Proxy network usage 6. Spreading of worm via XSS attacks or SQL injections.
  • 20. BENEFITS ~ • No malware to detect. • No trace , few alarms. • Very very easy • Everyone browser is vulnerable (by default)
  • 21. DISTRIBUTION OF “JAVASCRIPT MALWARE” • HTML Injection on popular Website and Forums (blog , war3z) • Man in Middle Attack • EMAIL Spam (HTML) • Third Part web Widgets
  • 22. "The most reliable , cost effective method to inject evil code is to buy an ad “ ~Douglas Crockford
  • 23. Thank You

×