Presented by: Muhammad Aniq Eastrarulkhair Bin Mohmad Hairin
Outline:
- What is a Botnet
- History of Botnets
- Botnet Usage
- How do they do it
- How a Botnet is controlled
- Why Botnets are a Threat
- Botnet Detection
- Q&A
What is a Botnet
The term 'bot' (short for 'robot') refers to a program that:
- performs repetitive tasks, OR
- acts as an 'agent' or user interface for controlling other programs
Bots can be very beneficial programs when they are designed to assist a human user, either by automating a simple task or by simplifying a user's control over various programs or systems. Examples: the Google crawler bot and game bots.
Unfortunately, bots can also be created to perform malicious tasks that compromise the system or any information stored on the machine. The bot in botnets definitely refers to the second type, as these bots are used by an attacker to hijack and control a computer system.
When more than one computer has the same bot installed on it, the multiple infected machines form a network, which is under the direct control of the attacker. This network is a botnet – a network of enslaved computer systems infected with malicious bot programs. A single machine in a botnet can be referred to as a bot, a zombie or a zombie computer.
History of Botnets
- August 1988: the origins of botnets go back to the invention of IRC at the University of Oulu, Finland
- 1989: first bot, 'GM', which assisted users in managing their own IRC connections
- May 1999: Pretty Park, reported in June 1999 in Central Europe; an Internet worm carrying a password-stealing trojan
- 1999: SubSeven, a remote-controlled trojan
- 2000: GTbot (Global Threat); new capabilities: port scanning, flooding and cloning; supports UDP and TCP socket connections; supports an IRC server to run malicious scripts
- 2002: SDbot; written by a Russian programmer known as 'SD'; 40Kb of C++ code; the first to publish its code for hackers via a website; provided e-mail and chat for support
- 2002: Agobot; modular updates; spread through Kazaa, Grokster, etc.
- 2003: Spybot (or Milkit); derived from SDbot; comes with spyware capabilities; spread via file-sharing applications and e-mail
- 2003: Rbot; backdoor trojan on IRC; compromised vulnerable Microsoft shares on ports 139 and 445; based on the MSRT report of June 2006 by Microsoft, 1.9 million PCs were affected worldwide
- 2004: PolyBot; polymorphism capabilities; based on Agobot
- 2005: MyBot; new version of SpyBot; hybrid coding; spread via file-sharing applications and e-mail
- 2006: P2P-based bots; 1st generation ('SpamThru', 'Nugache') based on the 'Gnutella' file-sharing protocol; 2nd generation ('Peacomm') pure distributed P2P
- 2007: 'Storm Botnet'; truly pure P2P; no single point of failure; provides high resilience, scalability and difficulty in tracking
- 2010: Stuxnet; spreads via Microsoft Windows and targets Siemens industrial software and equipment; malware that spies on and subverts industrial systems; targeted five Iranian organizations, the uranium enrichment infrastructure in Iran
- September 2011: Duqu; a computer worm discovered on 1 September 2011; 'Operation Duqu' refers to the use of Duqu alone, for goals that remain unknown
Botnet Usage
- DDoS
- Spam
- Sniffing traffic
- Keylogging
- Installing advertisement add-ons and Browser Helper Objects (BHOs)
- Manipulating online polls/games
- Mass ID theft
How a Botnet is controlled
The attacker giving directions to the botnet is usually referred to as the botherder or controller. Botnets used to be run by individuals, but in recent years botnets have become more commercialized, and it is thought that many botnets nowadays are in the hands of criminal syndicates. To control the botnet, the botherder uses an application known as a client program to issue commands to the bot programs installed on the zombies. This is very similar to how a backdoor is controlled, and it allows the botherder to operate very efficiently, as they can easily give instructions to a single zombie, to multiple zombies, or even to the entire botnet, all via a single client program.
Using the client, the botherder can direct a single zombie to perform a certain action. For example, it can be ordered to send all the e-mail addresses stored on its hard drive to a remote website, where they can be added to a spammer's mailing list. Alternatively, all the zombies in the botnet can be commanded to perform the same routine, such as sending requests to a specific website (basically, a Denial of Service or DoS attack). The relationship between the zombies and the client controlling them is known as a command-and-control (C&C) infrastructure. The zombie, website or server that hosts the client is known as the C&C server. The following image is a simplified view of this infrastructure:
Of course, in real life a botnet's organization can be far more complicated. Some botnets use multiple C&C servers, relying on the redundancy as a form of protection; others have only one C&C server but continually move the client application to a different machine, also for better security. Botherders put in all these security measures for one simple reason: the C&C server is the nerve center of the entire botnet, and also its Achilles heel.
How do they do it
These malicious bots can arrive on a victim machine in many ways. The most common method involves dropping the bot in the payload of a Trojan or similar malware. Other methods include infecting the computer via a drive-by download, or distributing the bot via spam e-mail messages with infected attachments. Once installed, the bot can take control of the system. A remote attacker can then give commands to the infected computer via the bot and force it to perform malicious actions. In this context, a bot is very similar to a backdoor program, which is also forcibly planted on a computer and used by a remote attacker to direct the infected machine.
Why Botnets are a Threat
Botnets are considered a menace for three simple reasons:
- To build them, attackers have to steal a computer from its legitimate user
- Botnet operations can directly impact large numbers of real-world organizations and individuals
- Botnets appear to be increasing in size and capability
Widespread Repercussions
Once created, a botnet can be used to commit further malicious acts, such as stealing data, sending out spam and launching attacks. Even then, a botnet might be considered only a nuisance if its impact were limited to a few dozen, or even a few hundred, infected machines. Unfortunately, botnets can perform actions that directly affect hundreds of thousands, or even millions, of people.
With Greater Size Comes Greater Power
Generally, a botnet's potential threat increases with its size, as the increased resources give the controllers more power or capacity for their activities. For example, a DoS attack from a massive botnet is even harder to defend against than a similar attack from a smaller one, simply because a bigger botnet can generate more attack traffic.
An attacker who controls a botnet can perform a wide range of actions, both TO individual machines in the botnet and WITH the entire resources of the botnet.
Data Harvesting
Most people store highly sensitive personal information on their computers: personal identification, work-related materials, the e-mail addresses of all their contacts and so on. If all these details are stored on a computer in a botnet, then the botherder is almost guaranteed access to them. Such information can be sold, often to criminals intent on perpetrating or facilitating fraud. Botnets also actively harvest information related to bank accounts. For example, during research into the activities of the Torpig botnet in 2007, researchers observed the theft of credentials for thousands of accounts belonging to hundreds of financial institutions, all in a period of 10 days.
Stolen Resources
Rather than purchase all the hardware and bandwidth necessary for their operations, botnet controllers can siphon the physical resources they need (processing power, storage space, bandwidth, etc.) from their zombies. These resources can be put to various uses, such as:
Cyber attacks
A botnet can be used to launch a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack against a target. The target can be any resource linked to the Internet, be it a major corporate website or a military database.
Spam Generators
Probably the most common use of a botnet is to send out massive quantities of spam e-mail. Botnets known to perform this activity include Srizbi and Storm. To give an idea of the scale of this activity, in 2008 about 153 billion spam messages were sent out every day, an estimated 60 percent of which were botnet-generated.
Malware Distributors
Another "product" distributed by botnets is malware: trojans, viruses, worms and other things of that ilk. These offerings may be attached to spam e-mails or sent out via vulnerability exploits or other methods.
Storage Space
Zombies in a botnet may also be used as an illicit warehouse to store all the malicious or objectionable "merchandise" the botnet operators handle. The stored data may be anything from harvested personal details to pornographic images.
Rental
Last but not least, botnet owners can rent use of the botnet to other users, almost always for malicious purposes. This is an increasingly lucrative activity for botnet herders. According to Yuval Ben-Itzhak, Chief Technology Officer of the computer security company Finjan, botnet controllers can "make as much as $190,000 in one day" renting out "their" computers.
Botnet Detection
- Host-based detection
- Intrusion Detection Systems (IDS)
- Anomaly detection
- IRC nicknames
- HoneyPot and HoneyNet
Host-based detection
- Virus scanning
- Watching for symptoms:
  - modification of the Windows hosts file
  - random, unexplained pop-ups
  - machine slowness
  - antivirus not working
- Watching for suspicious network traffic:
  - since IRC is not commonly used, any IRC traffic is suspicious; sniff this IRC traffic
  - check whether the host is trying to communicate with any Command and Control (C&C) center, using firewall logs and denied connections
Intrusion Detection Systems (IDS)
- Example systems: Snort and Bro
- Sniff network packets, looking for specific patterns (called signatures)
- If a pattern matches that of a malicious binary, block that traffic and raise an alert
- These systems can efficiently detect viruses/worms with known signatures
- They cannot detect malware whose signature is unknown (i.e., a zero-day attack)
Anomaly Detection
- Normal traffic has certain patterns:
  - bandwidth/port usage
  - byte-level characteristics (histograms)
  - protocol analysis: gather statistics about TCP/UDP source and destination addresses, start/end of flows, byte counts
  - DNS lookups
- First learn the normal traffic pattern, then detect any anomaly in that pattern
- Example systems: SNMP, NetFlow
- Problems: poisoning (the "normal" baseline may already contain bot traffic), stealth (a bot that stays within normal patterns)
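The learn-then-detect approach above, as an added example that is not part of the original slides: a baseline of bytes-per-flow per destination port is learned from constructed NetFlow-style records gathered while the network is assumed clean, and later flows are flagged when they hit a never-seen port or deviate from the port's baseline by more than k standard deviations. The flow tuples, hosts and threshold k are assumptions for illustration.

```python
import statistics
from collections import defaultdict

# Constructed training flows (not from the slides): (src_host, dst_port, bytes).
# They play the role of NetFlow records captured during a window believed clean;
# if that window already contained bot traffic, the baseline is poisoned.
NORMAL_FLOWS = [
    ("10.0.0.5", 443, 4200), ("10.0.0.5", 443, 3900), ("10.0.0.5", 443, 4500),
    ("10.0.0.5", 53, 120), ("10.0.0.5", 53, 110), ("10.0.0.5", 53, 130),
    ("10.0.0.7", 443, 5100), ("10.0.0.7", 443, 4800), ("10.0.0.7", 443, 5000),
    ("10.0.0.7", 53, 115), ("10.0.0.7", 53, 125), ("10.0.0.7", 53, 105),
]

# Constructed observation window: one host starts talking to an IRC port the
# baseline never saw, and another pushes far more data over 443 than usual.
OBSERVED_FLOWS = [
    ("10.0.0.5", 443, 4100), ("10.0.0.7", 6667, 300),
    ("10.0.0.5", 443, 90000), ("10.0.0.7", 53, 118),
]

def learn_baseline(flows):
    """Per destination port, the mean and population stdev of bytes per flow."""
    by_port = defaultdict(list)
    for _, port, nbytes in flows:
        by_port[port].append(nbytes)
    return {p: (statistics.mean(v), statistics.pstdev(v)) for p, v in by_port.items()}

def detect_anomalies(baseline, flows, k=3.0):
    """Flag flows to unknown ports and flows whose byte count is a k-sigma outlier.

    Returns a list of (src, port, bytes, reason); an empty list means no anomaly."""
    findings = []
    for src, port, nbytes in flows:
        if port not in baseline:
            findings.append((src, port, nbytes, "port never seen in baseline"))
            continue
        mean, sd = baseline[port]
        if sd == 0:                       # constant training values: use a 5% floor
            sd = max(mean * 0.05, 1.0)
        z = (nbytes - mean) / sd
        if abs(z) > k:
            findings.append((src, port, nbytes, f"byte count z-score {z:.1f}"))
    return findings

if __name__ == "__main__":
    for finding in detect_anomalies(learn_baseline(NORMAL_FLOWS), OBSERVED_FLOWS):
        print(finding)
```

A stealthy bot that keeps its byte counts and ports inside the learned ranges produces no finding here, which is exactly the stealth problem the slide names.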
IRC Nicknames
- Bots use weird nicknames, but they follow a certain pattern (really!)
- If we can learn that pattern, we can detect bots and botnets
- Example nicknames:
  - USA|016887436 or DE|028509327: Country | Random number (9 digits)
  - RBOT|XP|48124: Bot type | Machine type | Random number
- Problem: may be defeated by changing the nickname randomly
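The two host-side clues from the slides, IRC traffic in firewall logs and patterned IRC nicknames, as an added example that is not part of the original slides. The firewall log format, the addresses and the nickname samples are constructed; the regular expressions encode only the two naming schemes the slide describes, and the IRC port list is an assumption.

```python
import re
from collections import Counter

# Constructed firewall log lines (not from the slides) in a simple
# "ACTION src dst:port PROTO" form; a real firewall's format will differ.
FIREWALL_LOG = """\
ALLOW 192.168.1.10 93.184.216.34:443 TCP
DENY 192.168.1.23 203.0.113.7:6667 TCP
ALLOW 192.168.1.23 203.0.113.7:80 TCP
DENY 192.168.1.23 203.0.113.7:6667 TCP
DENY 192.168.1.41 198.51.100.9:6697 TCP
ALLOW 192.168.1.10 93.184.216.34:53 UDP
"""

# Constructed nicknames as they would appear in sniffed IRC NICK commands;
# the first three follow the schemes from the slide, the last two are ordinary users.
IRC_NICKS = ["USA|016887436", "DE|028509327", "RBOT|XP|48124", "alice_w", "bob1982"]

IRC_PORTS = {6667, 6697, 7000}  # assumed list of ports treated as IRC
LOG_RE = re.compile(r"^(ALLOW|DENY)\s+(\S+)\s+(\S+):(\d+)\s+(TCP|UDP)$")

# The two naming schemes from the slide as regular expressions:
# "Country|9-digit number" and "BotType|MachineType|number".
NICK_PATTERNS = {
    "country|9digits": re.compile(r"^[A-Z]{2,3}\|\d{9}$"),
    "bottype|machine|number": re.compile(r"^[A-Z]+BOT\|[A-Z0-9]{2,3}\|\d{4,6}$"),
}

def irc_connections(log_text):
    """Map each internal host to a Counter of 'dst:port (ACTION)' for IRC traffic.

    Both allowed and denied connections count: IRC is not normally used on the
    monitored network, so any attempt is worth a look, and repeated denied
    attempts to one address are the C&C hint the slide points at."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        action, src, dst, port, proto = m.groups()
        if proto == "TCP" and int(port) in IRC_PORTS:
            hits.setdefault(src, Counter())[f"{dst}:{port} ({action})"] += 1
    return hits

def classify_nick(nick):
    """Return the name of the matching bot naming scheme, or None for a normal nick."""
    return next((name for name, pat in NICK_PATTERNS.items() if pat.match(nick)), None)

def suspicious_nicks(nicks):
    """Return {nick: scheme} for every nickname that matches a known bot scheme."""
    return {n: s for n in nicks if (s := classify_nick(n)) is not None}
```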
HoneyPot and HoneyNet
- A HoneyPot is a vulnerable machine, ready to be attacked; example: an unpatched Windows 2000 or Windows XP
- Once attacked, the malware is caught inside
- The malware is analyzed and its activity is monitored
- When it connects to the C&C server, the server's identity is revealed
- Thus much information about the bot is obtained: C&C server address, master commands, channel, nickname, password
- Now do the following:
  - make a fake bot join the same IRC channel with the same nickname/password
  - monitor who else is in the channel, thus observing the botnet
  - collect statistics: how many bots there are
  - collect sensitive information: who is being attacked, when, etc.
- Finally, take down the botnet
- HoneyNet: a network of honeypots (see the 'HoneyNet Project')
- Very effective; has worked in many cases
- They also pose a great security risk: if not maintained properly, a hacker may use them to attack others, so they must be monitored cautiously