Bots and malware

Uploaded on

How to build bots / Malware and how Moles work

How to build bots / Malware and how Moles work

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide
  • Botnet access to the Kad networkOne of the most outstanding new features of TDL-4 is the kad.dll module, which allows the TDSS botnet to access the Kad network. So what do the cybercriminals want with a publicly accessible file exchange network?We have known about botnets controlled via P2P for some time now, although until now, these were closed protocol connections created by the cybercriminals themselves. In contrast, TDSS uses a public P2P network in order to transmit commands to all infected computers in the botnet. The initial steps of how TDSS makes use of Kad are given below: The cybercriminals make a file called ktzerules accessible on the Kad network. The file is encrypted and contains a list of commands for TDSS. Computers infected with TDSS receive the command to download and install the kad.dll module. Once installed, kad.dll downloads the file nodes.dat, which contains the publicly accessible list of IP addresses of Kad network servers and clients. The kad.dll module then sends a request to the Kad network to search for the ktzerules file. Once the ktzerules files has been downloaded and encrypted, kad.dll runs the commands which ktzerules contains.


  • 1. BOTNET
  • 2. WILL NOT TALK ABOUT - How to flight a Boeing 787 - Or a Boeing 777 Blow computer remotely
  • 3. WILL TALK ABOUT - Basic introduction to internet security - What is Botnet? C & C? How does it get to your computer? - Different module - Real life story - Live example
  • 4. Bottom Line A Bot is simply an automated computer program, or robot. BOT Making your computer into Bot using Trojan, Malware, etc.. The Bot will installed on the victim computer and will be communicate with the C&C server.
  • 6. HOW YOU BUILD A BOT? Easy, Bot Builder. Although you can re-create one from scratch.
  • 7. SPREAD THE WORD… So, we create this great Bot now lets spread it via…. But how?!? Via affiliate program, torrent, emule any p2p that are out there. For example lets {Some.New.Movie}.blu.ray and yes we can make it be 5GB although our bot will be only 100KB. Yes, sometimes will see {} 565KB, Yeah right.
  • 8. SPREAD THE WORD… django unchained
  • 9. SPREAD THE WORD… Affiliates?!?
  • 10. C&C Command and Control Server In the old day a server that collect the victim data. Today much more complicated - Encrypted network connections Botnet access to the Kad network
  • 11. AN ANTIVIRUS OF ITS OWN Bootkit will infects the MBR in order to launch itself This is a classic method used by downloaders which ensures a longer malware lifecycle and makes it less visible to most security programs.
  • 13. BOTNET ACCESS TO THE KAD NETWORK So what do the cybercriminals want with a publicly accessible file exchange network? 1. Cybercriminals make a encrypted file the contains list of commands 2. Infected computer receive command to download and installing any module. 3. After the installation process the victim get the nodes which contains the publicly accessible list of IP addresses of network servers and clients (Kad server and clients). 4. The module then sends a request to the Kad network to search for the right file. 5. Once the files has been downloaded and encrypted, the dll file runs the commands
  • 14. PROXY MODULE Basically proxy server on the victim computer. - This module facilitates the anonymous viewing of Internet resources via infected machines. - New way making money $$, offering anonymous Internet access as a service, at a cost of roughly $100 per month. - Hiding the network and C&C servers.
  • 15. ANOTHER COOL WAY FOR PROXY FAST FLUX Fast flux DNS takes advantage of the way load balancing is built into the DNS. It allows an administrator to register a number of IP address with a single host name (for ex:,, etc…) And the secret is the TTL,
  • 17. REAL LIFE EXAMPLE :: TDL4 Couple of Facts: 1. TDSS is one of the most sophisticated threat. 2. TDSS uses a range of methods to evade signature, heuristic, and proactive detection. 3. Uses encryption to facilitate communication between its bots and the botnet command and control center. 4. powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system. 5. Algorithm encrypting the protocol used for communication between infected computers and botnet command and control servers. 6. Kad.dll module which allows the TDSS botnet to access the Kad network. 7. Socks.dll has been added to TDSS‟s svchost.exe; it is used to establish a proxy server on an infected computer. 8. Smart ways to get command using encrypted files and different servers.
  • 18. WAYS TO SOLVE 1. Wireshark view logs and information 2. DNS server logs, when working under cooperation proxy server. 3. Bios , stop infection MBR.
  • 19. SOME MORE REAL LIFE STORIES • Chinese banker Trojan: There are 242 million e-commerce users (according to Dec 2012), it mean nearly half of the users in Internet users in China. (There is lots of money involve!) Win32.Bancyn.a, was named „Floating Cloud‟, and was used to steal several millions of dollars from e-commerce users. • Social Network Trojan (Brazil): "PimpMyWindow", an adware and click-fraud scheme that has infected several Brazilian Facebook users in recent days, works. Basically a browser plugin that communicate with the “Criminal” server and send the user information whenever is logged in to one of the Brazilian banks.
  • 20. The email asks to send an advance payment to the lottery so that they can release the prize money. Lots of naive users get fooled by the scammers and end up wasting their money. 419 NIGERIAN SCAMS A sample 419 Scam email ------------------------------------Sender: Subject: !!!CONGRATULATIONS YOU ARE A WINNER!!! FROM THE LOTTERY PROMOTIONS MANAGER, THE UNITED KINGDOM INTERNATIONAL LOTTERY, PO BOX 287, WATFORD WD18 9TT, UNITED KINGDOM. We are delighted to inform you of your prize release from the United Kingdom International Lottery program. Your name was attached to Ticket number; 47061725, Batch number; 7056490902, Winning number; 07-14-24-37-43-48 bonus number 29, which consequently won the lottery in the first category....
  • 21. SLIDESHARE.NET ATTACK Example 2: April 23, 2008 • Slideshare was down for a few days due to DDOS attack that originated from China. • The attack reached a peak of 2.5GB/sec and consisted entirely of packets sent from China • 2.5 GB/sec?!?! Try to imagine how many bots were involve.
  • 22. HOPE YOU ALL ENJOY! “The quieter you become, the more you are able to hear…”