Overview
- What is a BotNet?
- Internet Relay Chat
- How to become part of a BotNet?
- What damage can they do?
- How to combat them?
What is a BotNet?
- Bot, or zombie computer: a program that responds autonomously to particular external events is a bot.
- A network of bots is a BotNet.
- The operator gives instructions to only a small number of machines; these machines then propagate the instructions to other compromised machines, usually via IRC.
Types of Bots
Some popular bots:
- GT-Bot (Global Threat bot): based on IRC clients for Windows. Used to control the activity of the remote system.
- AgoBot: the most popular bot used by crackers. Written in C++. It provides many mechanisms to hide its presence on the host computer.
Types of Bots (continued)
- DSNX (Dataspy Network X bot): written in C++. Adding new functionality to this bot is very easy thanks to its simple plug-in architecture.
- SDBot: written in C. Unlike AgoBot, its code is not very clear and the software itself comes with a limited set of features.
Internet Relay Chat
- IRC stands for Internet Relay Chat.
- Protocol for real-time chat communication.
- Based on a client-server architecture.
- IRC user communication modes: public and private.
- Flexible, and allows a user to hide their identity.
Elements of an Attack
- An attacker first spreads a trojan horse, which infects various hosts.
- These hosts become zombies and connect to the IRC server in order to listen for further commands.
- The IRC server can either be a public machine in one of the IRC networks or a dedicated server installed by the attacker on one of the compromised hosts.
- Bots run on compromised computers, forming a botnet.
How to become part of a BotNet
- Trojans
  - Spread by social engineering (spam, software download)
  - Email attachment (SMTP engine)
- Direct infection
  - Scan and exploit (Blaster…)
- Exploit
  - Spread by social engineering (phishing)
  - Bad luck (visit the wrong site…)
What damage can they do?
1. DDoS
- The victim is flooded with more requests than it can handle.
- Used to damage or take down a competitor's website.
- Example: on-line gambling sites (e.g. Total bet). Anti-DDoS by utilising widely distributed DNS and hosting servers; hit by a DDoS towards their DNS, which affected 4% of their customers.
2. Fraud
- Pay-per-click adware: harvest a large number of bots to spread adware.
- Collect banking details; sell credit card numbers by the thousand.
- Identity theft ($25 up to $200 for an identity with a good credit record).
3. Use of resources
- Proxy
- Spam
- DDoS
How to combat them?
- Firewalls / AV
- Desktop management
- Education
- Secure OS
- Law enforcement: National High Tech Crime Unit, FBI
How to combat them? (continued)
- Netstat: a flexible tool available for both Windows and UNIX systems. Its main function is control of the active ports.
- Netstat examines listening TCP and UDP ports and provides detailed information on network activity.
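The slides say netstat shows listening ports and active connections, and earlier that bots take commands over IRC. Putting those together, the block below is an added example (not from the slides, and not any tool's own code) that parses a constructed Linux-style `netstat -an` listing and flags two botnet indicators: an established connection to a well-known IRC port, and a TCP listener on a port this host is not expected to serve. The IRC port set and the expected-listener allowlist are assumptions for the sample; a bot can use any port, so this is a first-pass check to be combined with the other measures on the slide, not a substitute for them.

```python
"""Parse netstat output and flag botnet indicators.
Added example; the sample listing and port lists are constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Well-known IRC ports (assumed indicator set; bots can use any port).
IRC_PORTS = {6667, 6697}
# Ports this host is expected to listen on (assumption for the sample host).
EXPECTED_LISTEN_PORTS = {22, 68}

# Constructed sample in the layout of Linux `netstat -an` (documentation IPs).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:49152        198.51.100.7:6667       ESTABLISHED
tcp        0      0 192.0.2.10:49153        203.0.113.5:443         ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""


@dataclass
class Socket:
    proto: str
    local_addr: str
    local_port: Optional[int]
    remote_addr: str
    remote_port: Optional[int]
    state: str  # empty for UDP rows, which carry no state column


def _split_endpoint(endpoint: str):
    """Split 'host:port' on the last colon so IPv6 addresses survive; '*' -> None."""
    host, _, port = endpoint.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netstat(text: str) -> List[Socket]:
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue  # header, blank, or non-socket lines
        lhost, lport = _split_endpoint(parts[3])
        rhost, rport = _split_endpoint(parts[4])
        state = parts[5] if len(parts) > 5 else ""
        sockets.append(Socket(parts[0], lhost, lport, rhost, rport, state))
    return sockets


def find_indicators(sockets: List[Socket]) -> List[str]:
    """Return human-readable findings for an analyst to review."""
    findings = []
    for s in sockets:
        if s.state == "ESTABLISHED" and s.remote_port in IRC_PORTS:
            findings.append(
                f"established IRC connection to {s.remote_addr}:{s.remote_port}")
        if s.state == "LISTEN" and s.local_port not in EXPECTED_LISTEN_PORTS:
            findings.append(
                f"unexpected {s.proto} listener on port {s.local_port}")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_netstat(SAMPLE_NETSTAT)):
        print(finding)
```

On a live host the same functions would be fed the output of `netstat -an` (or `netstat -ano` on Windows, whose column layout differs and would need its own parser); the value of the check is in comparing against a known-good baseline of listeners for that machine.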
Questions? & Summary
Botnets:
- What they are
- How they grow
- What they do
- How to combat them