Botnets - Detection and Mitigation


A presentation about Botnets


  1. Botnets - Detection and Mitigation. Literature study presentation by Ajit Skanda Kumarawamy (1735764), Faculty of Exact Sciences, VU Amsterdam. Under the guidance of Dr. Corina Stratan, Faculty of Exact Sciences, VU Amsterdam.
  2. Topics: Introduction. Study of botnet detection and mitigation techniques: Storm worm, BotHunter, BotSniffer, RBSeeker, Torpig botnet takeover. Conclusion.
  3. Botnets – an introduction. What is a bot? A computer running a piece of malware, without the knowledge of its owner, that acts on external instructions; it can be self-propagating. What is a botnet? A coordinated group of bots under the control of a botmaster. The bots act in a similar or correlated manner and are used for fraudulent and abusive activities.
  4. Types of botnets: IRC based, HTTP based, P2P based.
  5. Attacks by botnets: DDoS attacks, spamming, key logging and data/identity theft, phishing and pharming, click fraud, distribution of other adware/spyware.
  6. C&C and its role. Command and Control is the nerve centre of a botnet: it publishes/pushes commands and (re)organizes the botnet into subnets. Methods of communication: a key component of botnet mitigation is identifying the C&C communication protocol.
  7. Methods for identifying botnets. Signature based detection: compare incoming and outgoing packets against a set of known signatures of bot binaries. Anomaly based detection: an analytical method for identifying and studying botnets rather than a preventative process; analyse the network traffic for irregular behaviour such as TCP SYN scanning.
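Slide 7 contrasts the two detection families without showing what either looks like on traffic. The following is an added example, not code from the presentation or from any of the papers it surveys, that runs both checks over a handful of constructed flow records: a byte-pattern match against payloads (signature based) and a count of bare SYNs to many distinct targets within a time window (anomaly based, the TCP SYN scanning case the slide names). The IP addresses, the IRC nick pattern used as a signature, and the window and threshold values are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed flow records for this example (not data from the slides).
# Each tuple: (timestamp_seconds, src, dst, dst_port, tcp_flags, payload)
FLOWS = [
    # Normal client: completes handshakes and sends data to two servers
    (1.0, "10.0.0.7", "10.0.2.10", 80, "S", b""),
    (1.1, "10.0.0.7", "10.0.2.10", 80, "A", b""),
    (1.2, "10.0.0.7", "10.0.2.10", 80, "PA", b"GET / HTTP/1.1\r\n"),
    (2.0, "10.0.0.7", "10.0.2.11", 443, "S", b""),
    (2.1, "10.0.0.7", "10.0.2.11", 443, "A", b""),
    # Bot joining an IRC C&C channel: the payload carries a known bot nick pattern
    (3.0, "10.0.0.9", "198.51.100.4", 6667, "PA", b"NICK [00|USA|XP]-123456\r\n"),
]
# Infected host scanning: 25 bare SYNs to port 445 across a /24 in about 1.2 seconds
FLOWS += [(5.0 + i * 0.05, "10.0.0.5", f"10.0.1.{i + 1}", 445, "S", b"")
          for i in range(25)]

# Constructed byte signature (assumed for the example, not a real IDS rule):
# a nick format used by some IRC bots, matched against packet payloads
KNOWN_SIGNATURES = {b"NICK [00|USA|": "irc-bot-nick"}


def signature_hits(flows, signatures):
    """Signature-based detection: match payloads against known bot byte patterns."""
    hits = set()
    for _ts, src, _dst, _port, _flags, payload in flows:
        for pattern, name in signatures.items():
            if pattern in payload:
                hits.add((src, name))
    return sorted(hits)


def syn_scan_sources(flows, window=10.0, min_targets=20):
    """Anomaly-based detection: sources that send bare SYNs (no ACK flag) to at
    least min_targets distinct (dst, port) pairs inside one time window."""
    targets = defaultdict(set)  # (src, window index) -> {(dst, port)}
    for ts, src, dst, port, flags, _payload in flows:
        if flags == "S":  # SYN only: a new connection attempt, not a reply
            targets[(src, int(ts // window))].add((dst, port))
    peak = defaultdict(int)
    for (src, _w), pairs in targets.items():
        peak[src] = max(peak[src], len(pairs))
    return {src: n for src, n in peak.items() if n >= min_targets}


if __name__ == "__main__":
    print("signature hits:", signature_hits(FLOWS, KNOWN_SIGNATURES))
    print("SYN scanners:", syn_scan_sources(FLOWS))
```

The signature check only fires on the host whose payload contains the known pattern, so a bot using a protocol with no known signature is invisible to it; the anomaly check catches the scanning host with no prior knowledge of the bot, but says nothing about which malware is behind it. That is the complementarity the later slides (BotHunter, BotSniffer) build on.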
  8. Steps for mitigation of botnets. The three generic steps: acquire and analyze a bot; infiltrate the botnet; identify and take down the C&C server/botmaster.
  9. Storm worm – a case study. The most virulent P2P bot in the wild (also known as Peacomm, Nuwar or Zhelatin). Uses OVERNET and its own P2P network. Propagates via e-mail (attachment or embedded link). Uses specific keys as rendezvous points/mailboxes; the controller publishes commands at those keys.
  10. Storm worm – analysis and mitigation. Obtain the bot binary using a spam trap and a client honeypot. Compute the keys (two methods). Use a Sybil attack to infiltrate the Stormnet. Mitigate by eclipsing content and polluting.
  11. BotHunter – infection lifecycle model.
  12. BotHunter – architecture.
  13. BotSniffer – spatial-temporal correlation and similarity.
  14. BotSniffer – architecture.
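The BotSniffer slides carry only their titles, so the idea behind "spatial-temporal correlation and similarity" is worth spelling out: bots that report to the same C&C server react to a command together, so in the same time window many of that server's clients show the same follow-on activity, while the clients of a legitimate server do not. The following is an added example, not code from the presentation or from the BotSniffer authors, that implements a simplified response-crowd density check over constructed activity events; it omits the sequential hypothesis test the real system uses to decide when enough windows have been seen. Host names, server addresses, activity labels, and the thresholds are assumptions made for the example.

```python
from collections import defaultdict

CLIENTS = ["h1", "h2", "h3", "h4", "h5"]

# Constructed activity events (not data from the slides): (window, client, server, activity).
# `activity` is what the client did right after exchanging messages with `server`
# in that time window, e.g. "spam", "scan" or "idle".
EVENTS = []
# Suspected C&C: after each contact, almost every client starts the same activity
for window, action, how_many in [(0, "spam", 5), (1, "scan", 4), (2, "spam", 5)]:
    for i, client in enumerate(CLIENTS):
        EVENTS.append((window, client, "203.0.113.9", action if i < how_many else "idle"))
# Ordinary web server: the same hosts visit it, but what follows is uncorrelated
for window in range(3):
    for i, client in enumerate(CLIENTS):
        EVENTS.append((window, client, "192.0.2.80",
                       "spam" if (window == 1 and i == 0) else "idle"))


def crowd_density(events):
    """For each (server, window): the fraction of that server's clients whose
    post-contact activity is the same non-idle action (the 'response crowd')."""
    acts = defaultdict(list)     # (server, window) -> activities seen
    clients = defaultdict(set)   # server -> every client seen talking to it
    for window, client, server, activity in events:
        clients[server].add(client)
        acts[(server, window)].append(activity)
    density = {}
    for key, activities in acts.items():
        active = [a for a in activities if a != "idle"]
        if not active:
            density[key] = 0.0
            continue
        top = max(set(active), key=active.count)
        density[key] = active.count(top) / len(clients[key[0]])
    return density


def suspected_c2(events, threshold=0.5, min_windows=2):
    """Flag servers whose clients formed a dense response crowd in at least
    min_windows separate windows (thresholds are assumptions for the example)."""
    windows_over = defaultdict(int)
    for (server, _window), d in crowd_density(events).items():
        if d >= threshold:
            windows_over[server] += 1
    return sorted(s for s, n in windows_over.items() if n >= min_windows)


if __name__ == "__main__":
    for key, d in sorted(crowd_density(EVENTS).items()):
        print(key, round(d, 2))
    print("suspected C&C:", suspected_c2(EVENTS))
```

Requiring the crowd in several windows rather than one is what keeps a coincidence (one host spamming after a web visit) from flagging the web server; the trade-off is detection delay, which is the parameter the real system tunes with its hypothesis test.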
  15. RBSeeker. Used for detecting redirection bots. Spam source sub-system; NetFlow analysis sub-system; active DNS anomaly detection sub-system; correlation of the aggregated data.
  16. Takeover of the Torpig botnet. Data-harvesting bot (financial data). Fast flux vs domain flux. Deterministic DGA and a weak C&C communication procedure. Sinkholing of .net and .com domains from 25/01/2009 to 04/02/2009: 8310 accounts, with an estimated value in the range of $83K to $8.3M.
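Slide 16 compresses the whole takeover into "deterministic DGA and weak C&C communication procedure". The following is an added example, not code from the presentation or from the Torpig takeover paper, that shows why those two properties are enough: a date-seeded domain generation algorithm lets anyone who has reverse-engineered it precompute the domains bots will try on future days and register them first, and a bot that accepts whichever registered domain it reaches first will then report to the sinkhole. The DGA here is a hypothetical SHA-256 based one, not Torpig's real algorithm; the seed, domain count, and the single botmaster-held domain are assumptions. Only the sinkholing period (25 Jan to 4 Feb 2009) is taken from the slide.

```python
import hashlib
from datetime import date, timedelta

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLDS = (".com", ".net")


def dga(day, count=4, seed=b"example-seed"):
    """Hypothetical date-seeded DGA (assumed for this example, not Torpig's real
    algorithm): every bot computes the same ordered candidate list for a given day."""
    domains = []
    for n in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([n])).digest()
        label = "".join(ALPHABET[b % 26] for b in digest[:10])
        domains.append(label + TLDS[digest[10] % len(TLDS)])
    return domains


def sinkhole_plan(start, days):
    """Defender side: with the algorithm reverse-engineered, precompute every
    domain the bots will try from `start` for `days` days and register them all."""
    return {d for i in range(days) for d in dga(start + timedelta(days=i))}


def rendezvous(day, holders):
    """Bot side: walk the day's candidate list in order and use the first domain
    anyone has registered. `holders` maps domain -> who registered it. The bot
    does not authenticate the server, which models the weak C&C procedure."""
    for d in dga(day):
        if d in holders:
            return d, holders[d]
    return None, None


def takeover_scenario():
    """Botmaster holds only the first domain of 24 Jan 2009; the defender registers
    every candidate for 25 Jan to 4 Feb 2009 (the period on the slide). Returns
    who the bots reach on a few sample days."""
    holders = {dga(date(2009, 1, 24))[0]: "botmaster"}
    for d in sinkhole_plan(date(2009, 1, 25), 11):
        holders.setdefault(d, "sinkhole")
    sample_days = (date(2009, 1, 24), date(2009, 1, 28), date(2009, 2, 4), date(2009, 2, 10))
    return {day.isoformat(): rendezvous(day, holders)[1] for day in sample_days}


if __name__ == "__main__":
    for day, owner in takeover_scenario().items():
        print(day, "->", owner)
```

The same determinism cuts both ways: the botmaster can take the bots back by registering the candidates for days the defender did not, which is why the slide's window has an end date and why the conclusions call for cooperation with registrars.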
  17. Conclusions. Botnets provide services to interested parties. Botnet detection techniques should go hand in hand. Co-operation between authorities, registrars and ISPs is needed. The lower layers of botnet infrastructure should be dismantled.
  18. Thank you.