#BOTNET
Utsav Mittal
Founder and Principal Consultant at Xiarch Pvt Ltd

WHAT IS BOTNET ?
• Network of Infected Host.
• Botnet is a network of compromised computers (#zombies) under the control of
remote attacker (#botmaster).
• Controller of botnet is able to direct the activities of these compromised system.
#Bot Terminology
> Bot Herder (#botmaster)
> Bot
> Bot Client
> IRC / HTTP based Server
> Command & Control Channel (C&C)

WHAT DOES IT LOOK LIKE WHEN YOU CONNECT
Look like regular IRC C&C !

WHAT DOES IT LOOK LIKE WHEN YOU CONNECT
Bot Connected !

IRC COMMANDS – THAT A HIJACKER WOULD USE

HISTORY OF BOTNET
• Sub7 & Pretty Park (a Tr0jan & a W0rm) infected machine
connecting to an internet relay chat (IRC) channel to listen for
malicious commands.
• in 2002 Agobot introduced the concept of staged attack.
• [+] install a back door, the second try to take out anti-virus
software and third blocked access to security vendor websites.
• Rbot also appeared in 2003 – a family of bots which used
compression and encryption algorithms to evade detection.

BOT
BOT
Botnet Architecture
BOTMASTER
BOT
C&C C&C
Recruiting
Recruiting
Recruiting

ATTACKING BEHAVIORS
• Infecting new hosts
• Social engineering and distribution of malicious emails or other electronic
communications (i.e. Instant Messaging)
• Example - Email sent with botnet disguised as a harmless attachment.
• Stealing personal information
• Keylogger and Network sniffer technology used on compromised systems to spy on
users and compile personal information
• Phishing and spam proxy
• Aggregated computing power and proxy capability make allow spammers to impact
larger groups without being traced.
• Distributed Denial of Service (DDoS)
• Impair or eliminate availability of a network to extort or disrupt business
• CPU Abusing
• Uses Victim CPU to perform bitcoin mining or brute force hash reversing and password
attacks eg.ZeroAccess ,Skynet

ATTACK VECTOR
• USB Drives
• EMAIL
• FILES
• BUGGY SOFTWARES
• OPEN PORTS
• Others . .

BOTNET COMMUNICATION METHODS
• HTTP
• IRC
• P2P
• Others . .

CURRENT BOTNET
• What is Tor ?
Tor is short for The Onion Router and was initially a worldwide network of servers developed with
the U.S. Navy that enabled people to browse the internet anonymously.

TOR BASED BOTNET

ANDROID TOR BASED BOTNET

HTTP COINER BOTNET

BITCOIN MINING BOTNET

FBI — Botnets Infecting 18 Computers per Second.

BROWSER BASED BOTNET
• Abuse HTML5 to DDoS
• + Jeremiah Grossman and Matt Johansen showed that it is
possible to initiate a massive distributed denial of service
(DDoS) attack via a browser-based botnet.
• + This abuse of HTML5 can lead to spamming, bitcoin
generation, phishing, internal network reconnaissance, proxy
network usage, and spreading of worm via XSS attacks or SQL
injections.

HOW ?
Attackers need only to invest on fake online ads
which are inexpensive. Because networks serving
ads on websites allow the execution of
JavaScript, the attackers craft the JavaScript to
make hundreds or thousands of users connect to
a targeted site simultaneously, which may be
enough to make the victim site inaccessible.
dDOS !

ABUSES OF HTML5 +
1. Spamming
2. Bitcoin generation
3. Phishing
4. Internal network reconnaissance,
5. Proxy network usage
6. Spreading of worm via XSS attacks
or SQL injections.

BENEFITS ~
• No malware to detect.
• No trace , few alarms.
• Very very easy
• Everyone browser is vulnerable (by default)

DISTRIBUTION OF “JAVASCRIPT MALWARE”
• HTML Injection on popular Website and Forums
(blog , war3z)
• Man in Middle Attack
• EMAIL Spam (HTML)
• Third Part web Widgets

"The most reliable , cost effective method to
inject evil code is to buy an ad “
~Douglas Crockford

Thank You