Introduction to Botnets
ZIANE Bilal
http://www.ZIANEBilal.com
       1- Definition of a Botnet

   A bot (short for software robot) can be used for malicious or beneficial purposes, but in this post I
   will focus on the malicious use of botnets: the kind of botnet that allows an attacker to remotely
   control the affected computer without the owner's knowledge.

   Indeed, what is a Botnet?

   A Botnet, also designated as a Drone-Army or a Zombie-Army, is an abbreviation for "robot network".

   A botnet is a network of compromised computers that can be remotely controlled by an attacker, called
   the BotMaster or BotHerder; each computer infected by a bot can be referred to as a Zombie or as a
   Drone.

   Bots are remotely controlled through commands sent over the internet by the Botmaster via the C&C
   server, which stands for Command and Control server: the remote control and communication
   channel for sending and receiving commands between the Botherder and the Zombies.







   Sizes of Botnets

   Zeus: 3.6 million compromised computers

   Koobface: 2.9 million

   TidServ: 1.5 million

   Trojan.Fakeavalert: 1.4 million

   TR/Dldr.Agent.JKH: 1.2 million


       2- Attacking Behavior of Botnets

        •   Distributed Denial-of-Service Attacks
        •   Spamming
        •   Sniffing Traffic
        •   Keylogging
        •   Spreading new malware
        •   Installing Advertisement Addons
        •   Google AdSense abuse
        •   Manipulating online polls/games
        •   Mass identity theft
        •   Phishing attacks




                           Figure representing how botnets are used in DDoS attacks.





      3- Types of Botnets


  Many types of botnets exist; I will try to explain the most used ones, starting with the HTTP botnet,
  the most commonly used, which exploits vulnerabilities in web browsers. Then I will give a short
  presentation of the IRC botnet, which lets the attacker silently control computers through an Internet
  Relay Chat channel, and finally the P2P (peer-to-peer) botnet, which infects files shared on P2P services.

      A- HTTP Botnets:
         Used for the creation and control of botnets. The zombies sign into an HTTP server and
         wait in listening mode for commands from the Botmaster, or they visit pre-designated sites
         to get commands that are encoded in the site's files. Many HTTP bots have their own
         servers for downloading malware, phishing, etc.

      B- IRC Botnets:
         Most botnets rely on the IRC protocol. This is because the IRC protocol has been around
         the longest, and that is where earlier botnets operated before HTTP came along. IRC is
         used by a wide variety of applications to give users simple text-based chat environments.
         Infected IRC clients log into a specific IRC server and wait for specially formatted text
         messages that contain commands. Commands can also be encoded into the title or name of
         the chat channel, so that every bot entering the channel is given commands. IRC botnets
         are generally the most complex and the hardest to detect.

      C- P2P Botnets:
         Many P2P applications are used by bot herders to share files that have bots and malware
         attached. In most cases, these bots are pre-programmed to perform specific functions when
         a file is opened, or when a container application like a game or desktop application is
         installed.


  The main reasons why IRC is so popular are:

      A- Easiness – setting up private servers or using existing ones is easy.
      B- Interactivity – full two-way communication between the server and the client.
      C- Control – all the needed functionality already exists in the IRC protocol (credentials
         such as usernames, passwords and channels).
      D- Redundancy possibilities – by linking several servers together, one server can go down
         while the botnet keeps functioning by connecting to the other IRC servers.





      4- Botnet topologies

  Botnets come in all kinds of shapes and sizes. As a result, they employ a range of C&C topologies, and
  each topology has its own strengths and weaknesses.

  C&C topologies encountered in the wild typically match one of the following types:

      A- Star topology




  [+] Strengths: Speed of control; thanks to the direct communication between the bot and the C&C server,
  instructions are transferred rapidly.

  [-] Weaknesses: If the C&C server is down the botnet will be useless.





      B- Multi-server




  [+] Strengths: Geographic optimisation; multiple geographically distributed C&C servers speed up
  communications between botnet elements, and if a single C&C server goes down, the botnet operator still
  maintains control over all bot agents.

  [-] Weaknesses: Requires multiple C&C server infrastructures.

      C- Hierarchical




  [+] Strengths: Interception or hijacking of bot agents will not enumerate all members of the botnet and is
  unlikely to reveal the C&C server.

  [-] Weaknesses: Slow communication across the branches of the hierarchy causes a high degree of latency,
  which makes attacks and malicious operations difficult.





      D- Random




   [+] Strengths: Lack of a centralized C&C infrastructure and the many-to-many communication links
   between bot agents make it very resilient to shutdown.

   [-] Weaknesses: Command latency and botnet enumeration.




      5- Example of well-known Botnets

      •   Agobot/Phatbot/Forbot/XtremBot.

      •   SDBot/RBot/UrBot/UrXBot.

      •   mIRC-based Bots - GT-Bots.

      •   DSNX Bots.

      •   Q8 Bots.

      •   Kaiten.





      6- Botnet Detection

          A- Static analysis

  Static analysis for botnet detection is based on matching items observed on the network, including
  URLs, IP addresses and executable binaries, against a list of known-bad items.

  In such methods of botnet detection, the observed items are checked against familiar dangerous and
  malicious items: IP addresses, URLs and executable binaries. The whole procedure can be quite fast if
  the list of items is up to date and accurate, and identifying bad items this way is relatively risk free.

  However, in practice, performing only static analysis is not enough to maintain a botnet-free network.
  This is because malware developers continuously create threats that go completely undetected, using
  different techniques to avoid detection by security researchers and antivirus tools.

  These techniques are:

      •   Methods of URL obfuscation
      •   Polymorphism
      •   Changing IP addresses at a fast rate
      •   Using lots of URLs which ultimately connect to a particular resource
      •   Serving various web pages or downloads
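As an added example that is not part of the original deck, here is the static approach and one of its limits in code: a blocklist match over constructed proxy log lines, first with naive host extraction and then after URL normalization, so that several obfuscated spellings of a listed host are caught while a freshly rotated IP still slips through. The blocklist entries, hosts and log lines are all constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed blocklist: placeholder values, not real indicators.
BAD_HOSTS = {"malware.example.net", "c2.example.org"}
BAD_IPS = {"192.0.2.10"}

# Constructed proxy log lines ("client_ip METHOD url"), not from a real capture.
LOG_LINES = [
    "10.0.0.5 GET http://malware.example.net/update.bin",
    "10.0.0.6 GET http://MALWARE.EXAMPLE.NET:80/update.bin",        # case + default port
    "10.0.0.7 GET http://malware%2Eexample%2Enet/update.bin",        # percent-encoded dots
    "10.0.0.8 GET http://user:pw@malware.example.net/update.bin",    # userinfo before the host
    "10.0.0.9 GET http://3221225994/update.bin",                     # 192.0.2.10 as one decimal integer
    "10.0.0.10 GET http://0300.0.2.10/update.bin",                   # octal first octet
    "10.0.0.11 GET http://198.51.100.77/update.bin",                 # fast-flux: IP rotated, not yet listed
    "10.0.0.12 GET http://www.example.com/index.html",               # benign
]


def naive_host(url):
    """Naive host extraction: whatever sits between '//' and the next '/'."""
    return url.split("//", 1)[1].split("/", 1)[0]


def canonical_ip(host):
    """Rewrite integer, octal or hex IPv4 spellings to dotted decimal; None if not an IPv4 literal."""
    if re.fullmatch(r"\d+", host):                      # single integer, e.g. 3221225994
        n = int(host)
        return str(ipaddress.IPv4Address(n)) if n <= 0xFFFFFFFF else None
    parts = host.split(".")
    if len(parts) != 4:
        return None
    octets = []
    for p in parts:
        try:
            if p.lower().startswith("0x"):
                v = int(p, 16)
            elif len(p) > 1 and p.startswith("0"):
                v = int(p, 8)
            else:
                v = int(p, 10)
        except ValueError:
            return None
        if not 0 <= v <= 255:
            return None
        octets.append(str(v))
    return ".".join(octets)


def normalize_host(url):
    """Canonical host: strip userinfo and port, decode percent-encoding, lowercase, rewrite IP literals."""
    host = urlsplit(url).hostname or ""
    host = unquote(host).lower().rstrip(".")
    return canonical_ip(host) or host


def is_blocked(host):
    return host in BAD_HOSTS or host in BAD_IPS


def scan(lines, extract):
    """Return the client IPs whose request host matched the blocklist, using the given host extractor."""
    hits = []
    for line in lines:
        client, _method, url = line.split(" ", 2)
        if is_blocked(extract(url)):
            hits.append(client)
    return hits


if __name__ == "__main__":
    print("naive match:     ", scan(LOG_LINES, naive_host))
    print("normalized match:", scan(LOG_LINES, normalize_host))
```

Even with normalization, 10.0.0.11 is missed: the rotated IP is not on the list yet, which is exactly the gap behavioral analysis is meant to cover.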

          B- Behavioral analysis

  This is a really powerful method of botnet detection. However, it requires a suitable
  environment for observing the behavior of the computer, and there is a risk of false positives
  that can make diagnosis more difficult. The procedure gets more complicated if certain malware
  does not run in that environment. Bots were once often seen attempting connections to every
  port of the target computers in sequence, which made it easy for the target computer to
  recognize an attacker. Now most bots spread by using targeted attacks, examining only some
  ports, generally those used by another service.
  There are several preventive measures that you can take for getting rid of a botnet.





          C- OURMON and Botnet Detection

  Ourmon is an open source, UNIX-based tool designed for network packet sniffing and
  port monitoring.

  Ourmon has two parts:

      1. The FRONT-END for sniffing packets.
      2. The BACK-END for log entries and ASCII reports.



  How can it be used to detect botnets?

      By collecting IRC information with its IRC module and correlating it with the TCP report to
      figure out whether an IRC channel belongs to a botnet.




           http://sourceforge.net/projects/ourmon/
           http://ourmon.sourceforge.net/
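An added example, not Ourmon's own code, of the correlation described above: a per-host TCP "work weight" (the share of SYN, FIN and RST control packets among all TCP packets a host sends, my rendering of the metric Ourmon uses to spot scanners) is combined with observed IRC JOINs, and a channel whose members are mostly scanners is flagged. The counters, IRC lines and both thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed per-host TCP packet counters for one sampling period (not real data).
# syn/fin/rst count control packets; total counts all TCP packets the host sent.
TCP_COUNTERS = {
    "10.0.0.21": {"syn": 940, "fin": 20, "rst": 15, "total": 1000},  # scanner-like
    "10.0.0.22": {"syn": 870, "fin": 40, "rst": 30, "total": 1000},  # scanner-like
    "10.0.0.23": {"syn": 30,  "fin": 30, "rst": 5,  "total": 4000},  # normal client
    "10.0.0.31": {"syn": 25,  "fin": 25, "rst": 0,  "total": 3000},  # normal client
    "10.0.0.32": {"syn": 40,  "fin": 38, "rst": 2,  "total": 5000},  # normal client
}

# Constructed IRC lines seen by the sniffer: (client_ip, IRC command as sent by the client).
IRC_LINES = [
    ("10.0.0.21", "JOIN #x7k2"),
    ("10.0.0.22", "JOIN #x7k2,#misc"),
    ("10.0.0.23", "JOIN #x7k2"),
    ("10.0.0.31", "JOIN #linux"),
    ("10.0.0.32", "JOIN #linux"),
    ("10.0.0.23", "JOIN #linux"),
    ("10.0.0.31", "PRIVMSG #linux :hello"),   # not a JOIN, ignored by the membership parser
]

WORK_WEIGHT_THRESHOLD = 0.5   # assumed cutoff: control-packet share above this marks a scanner
EVIL_CHANNEL_FRACTION = 0.5   # assumed cutoff: channel flagged when this share of members scan


def work_weight(counters):
    """Control-packet share of a host's TCP traffic: (SYN + FIN + RST) / total, 0 if no traffic."""
    total = counters["total"]
    if total == 0:
        return 0.0
    return (counters["syn"] + counters["fin"] + counters["rst"]) / total


def scanners(tcp_counters, threshold=WORK_WEIGHT_THRESHOLD):
    """Hosts whose work weight exceeds the threshold (mostly handshakes/resets, little payload)."""
    return {host for host, c in tcp_counters.items() if work_weight(c) > threshold}


def channel_members(irc_lines):
    """Map each IRC channel to the set of client IPs seen joining it (JOIN takes a comma list)."""
    members = defaultdict(set)
    for client, line in irc_lines:
        parts = line.split()
        if len(parts) >= 2 and parts[0].upper() == "JOIN":
            for chan in parts[1].split(","):
                members[chan].add(client)
    return members


def evil_channels(tcp_counters, irc_lines, fraction=EVIL_CHANNEL_FRACTION):
    """Per channel: member count, how many members are scanners, and whether it is flagged."""
    bad_hosts = scanners(tcp_counters)
    report = {}
    for chan, hosts in channel_members(irc_lines).items():
        scanning = hosts & bad_hosts
        report[chan] = {
            "members": len(hosts),
            "scanners": len(scanning),
            "evil": len(scanning) / len(hosts) >= fraction,
        }
    return report


if __name__ == "__main__":
    for chan, info in sorted(evil_channels(TCP_COUNTERS, IRC_LINES).items()):
        print(chan, info)
```

The benign host 10.0.0.23 sits in both channels, which is why the decision is made per channel on the share of scanning members rather than on any single host.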


  How to ensure the computer is safe from botnet attacks?

      •   Install a firewall and keep it on.
      •   Install good quality AV software and update it regularly.
      •   Install some kind of intrusion detection software on the computer that will inform you if
          you are under attack from other networks.
      •   Install botnet removal software; many such tools are available for free.








       7- Resources

       •   Know your Enemy: Tracking Botnets:
           http://www.honeynet.org/book/export/html/50

       •   The history of the botnet: http://countermeasures.trendmicro.eu/the-history-of-the-botnet-part-i/

       •   Attack of the Bots: http://www.wired.com/wired/archive/14.11/botnet_pr.html

       •   Storm botnet: http://en.wikipedia.org/wiki/Storm_botnet

       •   Good botnets to take on the bad boys:
           http://www.pcpro.co.uk/news/191040/good-botnets-to-take-on-the-bad-boys

       •   America's 10 most wanted botnets:
           http://www.networkworld.com/news/2009/072209-botnets.htm

       •   Anomaly-Based Botnet server detection:
           http://web.cecs.pdx.edu/~jrb/jrb.papers/flocon/flocon.pdf








   Contents

   1-   Definition of a Botnet .......................... 2
   2-   Attacking Behavior of Botnets ................... 3
   3-   Types of Botnets ................................ 4
   4-   Botnet topologies ............................... 5
   5-   Example of well-known Botnets ................... 7
   6-   Botnet Detection ................................ 8
   7-   Resources ....................................... 10




                                                                         11

More Related Content

Recently uploaded

Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 

Recently uploaded (20)

Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

Featured

PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Applitools
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at WorkGetSmarter
 
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...DevGAMM Conference
 

Featured (20)

Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work
 
ChatGPT webinar slides
ChatGPT webinar slidesChatGPT webinar slides
ChatGPT webinar slides
 
More than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike RoutesMore than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike Routes
 
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
 

Intro to Botnets - Bilal ZIANE

  • 1. Introduction to Botnets Introduction to Botnets ZIANE Bilal http://www.ZIANEBilal.com
  • 2. 1 www.ZIANEBilal.com 1
  • 3. 2 Definition of a Botnet www.ZIANEBilal.com 1- Definition of a Botnet A bot is an abbreviation for a software robot that can be used for malicious or beneficial purposes, but in this post I will focus on the bad manipulation of botnets, I will try to explain that kind of botnets that allow attacker to remotely control the affected computer without the owner knowledge. Indeed, what is a Botnet? Botnet or Drone-Army, designed as a Zombie-Army as well, is an abbreviation for a robot Network. Botnet is a network of compromised computers that can be remotely controlled by an attacker, called the BotMaster or BotHerder and each infected computer by a bot can be referred as a Zombie or as a Drone. Bots are remotely controlled through commands sent via the internet by the Botmaster using the C&C server, which stands for Command and Control server (C&C) a remote control & communication channels, for sending and receiving commands between the Botherder and the Zombies. 2
  • 4. 3 Attacking Behavior of Botnets www.ZIANEBilal.com Sizes of Botnets Zeus: 3.6 million compromised computers Koobface: 2.9 million TidServ: 1.5 million Trojan.Fakeavalert: 1.4 million TR/Dldr.Agent.JKH: 1.2 million 2- Attacking Behavior of Botnets  Distributed Denial-of-Service Attacks  Installing Advertisement Addons  Spamming  Google AdSense abuse  Sniffing Traffic  Manipulating online polls/games  Keylogging  Mass identity theft  Spreading new malware  Phishing attacks Figure representing how botnets are used in DDos attacks. 3
  • 5. Types of Botnets
    3- Types of Botnets
    Many types of botnets exist; I will explain the most used ones, starting with the HTTP botnet, the most commonly used, which exploits vulnerabilities in web browsers; then I will give a short presentation of the IRC botnet, which lets the attacker silently control computers through an Internet Relay Chat channel; and finally the P2P (peer-to-peer) botnet, which infects files shared on P2P services.
    A- HTTP Botnets: Used for the creation and control of botnets. The zombies sign into an HTTP server in listening mode, waiting for commands from the Botmaster, or they visit pre-designated sites to get commands that are coded into the site's files. Many HTTP bots have their own servers for downloading malware, phishing, etc.
    B- IRC Botnets: Most botnets rely on the IRC protocol. This is because the IRC protocol has been around the longest, and that is where earlier botnets operated before HTTP came along. IRC is used by a wide variety of applications to give users simple text-based chat environments. Infected IRC clients log into a specific IRC server and wait for specially formatted text messages that contain commands. Commands can also be encoded into the title (topic) or name of the chat channel, so that every bot entering the channel is given commands. IRC botnets are generally the most complex and the hardest to detect.
    C- P2P Botnets: Many P2P applications are used by bot herders to share files that have bots and malware attached. In most cases, these bots are pre-programmed to perform specific functions when a file is opened, or when a container application like a game or desktop application is installed.
    The main reasons why IRC is so popular are:
    A- Ease: setting up private servers or using existing ones is easy.
    B- Interactivity: full two-way communication between the server and the client.
    C- Control: all the needed functionality already exists in the IRC protocol (credentials such as usernames, passwords and channels).
    D- Redundancy: by linking several servers together, one server can go down while the botnet keeps functioning by connecting to the other IRC servers.
  • 6. Botnet topologies
    4- Botnet topologies
    Botnets come in all kinds of shapes and sizes. As a result, they employ a range of C&C topologies, each with relative strengths and weaknesses. C&C topologies encountered in the wild typically match one of the following types:
    A- Star topology
    [+] Strengths: Speed of control; thanks to the direct communication between each bot and the C&C server, instructions are transferred rapidly.
    [-] Weaknesses: If the C&C server goes down, the botnet becomes useless.
  • 7. Botnet topologies
    B- Multi-server
    [+] Strengths: Geographic optimisation; multiple geographically distributed C&C servers speed up communication between botnet elements, and if a single C&C server goes down, the botnet operator still maintains control over all bot agents.
    [-] Weaknesses: Requires multiple C&C server infrastructures.
    C- Hierarchical
    [+] Strengths: Interception or hijacking of bot agents will not enumerate all members of the botnet and is unlikely to reveal the C&C server.
    [-] Weaknesses: Slow communication across the branches of the hierarchy causes a high degree of latency, which makes attacks and malicious operations difficult.
  • 8. Example of well-known Botnets
    D- Random
    [+] Strengths: The lack of a centralized C&C infrastructure and the many-to-many communication links between bot agents make it very resilient to shutdown.
    [-] Weaknesses: Command latency and botnet enumeration.
    5- Example of well-known Botnets
    • Agobot/Phatbot/Forbot/XtremBot.
    • SDBot/RBot/UrBot/UrXBot.
    • mIRC-based Bots - GT-Bots.
    • DSNX Bots.
    • Q8 Bots.
    • Kaiten.
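The strengths and weaknesses listed for the four topologies can be checked on a small model. The code below is an added example, not part of the slides: each topology is built as a directed graph from the operator through C&C nodes to bots (node names, the two-proxy hierarchy and the ring-plus-chord "random" layout are assumptions), and `assess` reports how many bots stay controllable after a takedown and the worst-case hop count as a latency proxy.

```python
from collections import deque

# Hypothetical topology builders; "op" is the operator, "cc*" C&C servers, "bot*" bots.
def star(n):
    return {"op": ["cc"], "cc": [f"bot{i}" for i in range(n)]}

def multi_server(n, servers=2):
    g = {"op": [f"cc{s}" for s in range(servers)]}
    for s in range(servers):
        g[f"cc{s}"] = [f"bot{i}" for i in range(n)]   # every bot knows every C&C
    return g

def hierarchical(n, proxies=2):
    g = {"op": ["cc"], "cc": [f"proxy{p}" for p in range(proxies)]}
    for p in range(proxies):                            # bots only ever see their proxy
        g[f"proxy{p}"] = [f"bot{i}" for i in range(n) if i % proxies == p]
    return g

def random_p2p(n, entry=2):
    g = {"op": [f"bot{i}" for i in range(entry)]}       # operator injects via a few peers
    for i in range(n):                                  # deterministic ring plus chords
        g[f"bot{i}"] = [f"bot{(i + 1) % n}", f"bot{(i + 3) % n}"]
    return g

def reachable(graph, removed=frozenset()):
    """BFS from the operator; returns {node: hops} for nodes still reachable
    once the nodes in `removed` have been taken down."""
    hops, queue = {"op": 0}, deque(["op"])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in hops and nxt not in removed:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return hops

def assess(graph, removed=frozenset()):
    """Fraction of bots still controllable after `removed` nodes go down, and the
    worst-case hop count (a proxy for command latency) among the survivors."""
    bots = {b for targets in graph.values() for b in targets if b.startswith("bot")}
    bots |= {k for k in graph if k.startswith("bot")}
    hops = reachable(graph, removed)
    alive = [h for node, h in hops.items() if node in bots]
    return (len(alive) / len(bots) if bots else 0.0, max(alive, default=0))

if __name__ == "__main__":
    print("star, C&C down:", assess(star(8), {"cc"}))          # (0.0, 0)
    print("multi-server, cc0 down:", assess(multi_server(8), {"cc0"}))  # (1.0, 2)
    print("hierarchical, proxy0 down:", assess(hierarchical(8), {"proxy0"}))  # (0.5, 3)
    print("random, bot0 down:", assess(random_p2p(8), {"bot0"}))  # (0.875, 4)
```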
  • 9. Botnet Detection
    6- Botnet Detection
    A- Static analysis
    Static analysis for botnet detection is based on detecting malicious items in the network, including URLs, IP addresses and executable binaries: a process of identifying known-bad items. In such methods of botnet detection, the items are checked against a list of known dangerous and malicious items, including IP addresses, URLs and executable binaries. The entire procedure can be quite fast if the list of items is up to date and accurate, and this process of identifying bad items is relatively risk-free. However, in practice, performing only static analysis is not a helpful way of maintaining a botnet-free network. This is because malware developers are continuously creating threats that go completely undetected. The developers use different techniques to avoid detection by security researchers and antivirus tools. These techniques are:
    • Methods of URL obfuscation
    • Polymorphism
    • Changing IP addresses at a fast rate
    • Using lots of URLs which ultimately connect to a particular resource
    • Serving various web pages or downloads
    B- Behavioral analysis
    This is a really powerful method of botnet detection. However, it requires a suitable environment for observing the behavior of the computer, and there is a risk of false positives that can make the process of diagnosis more difficult. The procedure can get more complicated if certain malware does not run. It was once common to see bots attempting connections to every port of the target computers in sequence; this made it easy for the target computer to recognize an attacker. Now most bots spread by using targeted attacks: they examine only some ports, generally the ports which are used by another service. There are several preventive measures that you can take for getting rid of a botnet.
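The first evasion technique on the list, URL obfuscation, is exactly what defeats a static check written as a plain string comparison. The example below is added here and is not from the slides: it contrasts a naive host lookup with one that canonicalises the host before consulting the blocklist. The blocklist entries, the sample URLs and the function names are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed blocklist for this example (not real indicators): hosts and IPs that
# the static check treats as known-bad.
BLOCKLIST = {"bad-drop.example", "203.0.113.7"}

def naive_is_blocked(url, blocklist=BLOCKLIST):
    """Plain comparison of the URL's host, the way a quick list check is often written."""
    return (urlsplit(url).hostname or "") in blocklist

def _ipv4_from_obfuscated(host):
    """Turn a host written as a single decimal integer (3405803783) or a single hex
    integer (0xcb007107) back into dotted-decimal; other hosts are returned unchanged."""
    if re.fullmatch(r"0x[0-9a-f]+", host):
        n = int(host, 16)
    elif host.isdigit():
        n = int(host)
    else:
        return host
    if n >= 2 ** 32:
        return host
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def normalised_host(url):
    """Canonical host: percent-encoding undone, lower case (urlsplit does that),
    trailing dot removed, integer/hex IP forms rewritten. urlsplit also discards a
    misleading user@ prefix, so only the real host is compared."""
    host = (urlsplit(unquote(url)).hostname or "").rstrip(".")
    return _ipv4_from_obfuscated(host)

def is_blocked(url, blocklist=BLOCKLIST):
    """Static blocklist check on the canonicalised host."""
    return normalised_host(url) in blocklist

if __name__ == "__main__":
    for u in ("http://3405803783/x.exe", "http://BAD-DROP.example./dl",
              "http://%62ad-drop.example/dl", "http://good.example@203.0.113.7/"):
        print(u, naive_is_blocked(u), is_blocked(u))
```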
  • 10. Botnet Detection
    C- OURMON and Botnet Detection
    Ourmon is an open source, UNIX-based tool designed for network packet sniffing and port monitoring. Ourmon has two parts:
    1. The FRONT-END for sniffing packets.
    2. The BACK-END for log entries and ASCII reports.
    How can it be used to detect botnets? By collecting IRC information using its IRC module and correlating it with the TCP report to figure out whether an IRC channel is a botnet.
    http://sourceforge.net/projects/ourmon/
    http://ourmon.sourceforge.net/
    How to ensure the computer is safe from botnet attacks?
    • Install a firewall and keep it ON.
    • Install good quality AV software and update it regularly.
    • Install some kind of intrusion detection software on the computer that will inform you if you are under attack from other networks.
    • Install botnet removal software; many are available for free.
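The Ourmon idea above, joining the IRC channel membership seen on the wire with each host's TCP report, can be shown on constructed data. The code below is an added example and is not Ourmon's own code: it uses a simplified form of Ourmon's per-host TCP "work weight" (control packets over total packets, an assumption here) and flags a channel when several of its members also look like scanners. The join records, counters and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed sample data (not a real capture). IRC join events seen by the sniffer:
# (client_ip, irc_server_ip, channel).
IRC_JOINS = [
    ("10.0.0.11", "198.51.100.5", "#ops"),
    ("10.0.0.12", "198.51.100.5", "#ops"),
    ("10.0.0.13", "198.51.100.5", "#ops"),
    ("10.0.0.14", "198.51.100.5", "#ops"),
    ("10.0.0.21", "198.51.100.9", "#linux"),
    ("10.0.0.22", "198.51.100.9", "#linux"),
]
# Per-client TCP counters over the same interval: SYNs sent, FINs sent, RSTs received,
# total TCP packets. Scan-like hosts send many control packets per data packet.
TCP_COUNTERS = {
    "10.0.0.11": (900, 40, 700, 2000),
    "10.0.0.12": (850, 30, 650, 1800),
    "10.0.0.13": (20, 15, 2, 5000),
    "10.0.0.14": (950, 60, 800, 2100),
    "10.0.0.21": (30, 25, 1, 4000),
    "10.0.0.22": (15, 10, 0, 2500),
}

def work_weight(syns, fins, rsts, total):
    """(S + F + R) / T: the simplified TCP work weight assumed for this example."""
    return (syns + fins + rsts) / total if total else 0.0

def scanners(counters, threshold=0.5):
    """Hosts whose work weight is high enough to look like scanning (threshold assumed)."""
    return {ip for ip, c in counters.items() if work_weight(*c) >= threshold}

def channel_members(joins):
    members = defaultdict(set)
    for client, server, chan in joins:
        members[(server, chan)].add(client)
    return members

def suspicious_channels(joins, counters, threshold=0.5, min_scanning=2):
    """Channels in which at least `min_scanning` members also look like scanners;
    that overlap between IRC membership and scan-like TCP work is the signal."""
    bad = scanners(counters, threshold)
    flagged = {}
    for key, members in channel_members(joins).items():
        hits = members & bad
        if len(hits) >= min_scanning:
            flagged[key] = sorted(hits)
    return flagged

if __name__ == "__main__":
    print(suspicious_channels(IRC_JOINS, TCP_COUNTERS))
```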
  • 11. Resources
    7- Resources
    • Know your Enemy: Tracking Botnets: http://www.honeynet.org/book/export/html/50
    • The history of the botnet: http://countermeasures.trendmicro.eu/the-history-of-the-botnet-part-i/
    • Attack of the Bots: http://www.wired.com/wired/archive/14.11/botnet_pr.html
    • Storm botnet: http://en.wikipedia.org/wiki/Storm_botnet
    • Good botnets to take on the bad boys: http://www.pcpro.co.uk/news/191040/good-botnets-to-take-on-the-bad-boys
    • America's 10 most wanted botnets: http://www.networkworld.com/news/2009/072209-botnets.htm
    • Anomaly-Based Botnet server detection: http://web.cecs.pdx.edu/~jrb/jrb.papers/flocon/flocon.pdf
  • 12. Contents
    1- Definition of a Botnet (p. 2)
    2- Attacking Behavior of Botnets (p. 3)
    3- Types of Botnets (p. 4)
    4- Botnet topologies (p. 5)
    5- Example of well-known Botnets (p. 7)
    6- Botnet Detection (p. 8)
    7- Resources (p. 10)