4. Botnet
• A botnet is a collection of infected machines (bots) controlled by a bot herder through a command-and-control (C&C) server
[Figure: bot herder → C&C server → bots running the malware]
5. Financial Botnets
• This breed of botnets is designed and deployed to
conduct financial crimes such as online fraud, money
laundering, and identity theft by infecting a large number
of end-user systems across the globe.
6. 232 devices are infected per minute
• An RSA study further disclosed that, globally, approximately 232 computers are infected with malware every minute on the Internet.
7. Spread bots 1/3
• There are several ways to spread bots but phishing and
drive-by download attacks are the two most prominent
ones
8. Spread bots 1/3
Phishing
• Phishing attacks are executed through emails embedded with malicious links that are distributed to a large set of users.
• The attack exploits users' gullibility using social engineering tricks.
• Upon clicking the link, the user's browser is redirected to a malicious domain which serves malware.
9. Spread bots 1/3
Drive-by download
• An attacker compromises a high-traffic website and injects code that points to a malicious domain.
10. Spread bots 2/3
• On visiting the malicious domain, a Browser Exploit Pack (BEP), an automated framework consisting of several exploits, fingerprints the browser environment and, if it is found vulnerable, serves an appropriate exploit to compromise the machine.
12. Botnets have Become Bigger and Better
The statistic shows the total number of bots present in the various botnet families at the time they were taken down by the FBI in different takedown operations.
13. Top 4 Financial Botnets
• A Kaspersky study [9] found that the top 4 financial
botnets are Zeus (variants), SpyEye, Carberp and
Citadel.
14. Top 4 Financial Botnets
• The Carberp botnet caused approximately $250 million in losses
• The Citadel botnet caused $500 million in losses to companies and organizations across the globe
• Earlier versions of the Zeus and SpyEye botnets collectively stole $100 million from target organizations
16. Test Steps
• 1. We used an infiltration technique: we joined the botnet environment to better understand its behavior
• 2. We conducted several tests using active and passive approaches for investigating infections:
o Continuous monitoring and traffic analysis
o Reverse engineering and behavior analysis
o Penetration testing
17. Anti anti-VM bot
• The VMware machines were made to behave like a standard operating system so that the bots' anti-VM checks would not trigger
o e.g.:
• VMware support tools were not installed
• kernel debugging was turned off
• the Media Access Control (MAC) address was modified
• Desktop Management Interface (DMI) data related to the Basic Input Output System (BIOS) and certain components of the operating system (VM) were modified
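The following is an added example, not code from the original slides or from the bots studied: it reproduces the VMware fingerprint a bot applies (MAC OUI, DMI/SMBIOS strings, guest-tools processes) and turns it into a self-check to run against the analysis VM before joining a botnet. The VMware OUIs, the "VMware" DMI strings and the guest-tool process names are well-known values; the DMI field names, the two sample guests and the function name are constructed for this example.

```python
# Added example: a bot's VMware fingerprint reused as a self-check for the analysis VM.
# Well-known values: VMware OUIs, "VMware" DMI strings, guest-tool process names.
# Constructed for the example: DMI field names, sample guests, fingerprint_vm().

# Organizationally Unique Identifiers (first three octets of a MAC) registered to VMware.
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}

# Substrings a bot searches for in DMI/SMBIOS fields such as system vendor or product name.
VM_DMI_MARKERS = ("vmware", "virtual")

# Guest-tools processes that betray a VM even when the DMI strings were patched.
VM_TOOL_PROCESSES = {"vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe"}


def fingerprint_vm(mac_addresses, dmi_fields, process_names):
    """Return every VM indicator found; an empty list means the guest passes the checks."""
    findings = []
    for mac in mac_addresses:
        oui = ":".join(mac.lower().replace("-", ":").split(":")[:3])
        if oui in VMWARE_OUIS:
            findings.append("mac-oui:" + mac)
    for field, value in dmi_fields.items():
        if any(marker in value.lower() for marker in VM_DMI_MARKERS):
            findings.append(f"dmi:{field}={value}")
    for proc in process_names:
        if proc.lower() in VM_TOOL_PROCESSES:
            findings.append("process:" + proc)
    return findings


# Constructed sample: a stock VMware guest versus one hardened as the slide describes
# (tools removed, MAC changed, DMI strings patched).
STOCK_GUEST = {
    "mac_addresses": ["00:0C:29:3A:7B:11"],
    "dmi_fields": {"sys_vendor": "VMware, Inc.", "product_name": "VMware Virtual Platform"},
    "process_names": ["explorer.exe", "vmtoolsd.exe"],
}
HARDENED_GUEST = {
    "mac_addresses": ["F4:8C:50:3A:7B:11"],  # constructed, not a VMware OUI
    "dmi_fields": {"sys_vendor": "Dell Inc.", "product_name": "OptiPlex 7010"},
    "process_names": ["explorer.exe"],
}

if __name__ == "__main__":
    for name, guest in (("stock", STOCK_GUEST), ("hardened", HARDENED_GUEST)):
        print(name, fingerprint_vm(**guest) or "no VM indicators")
```

On a live guest, feed the function the real values (MAC addresses from the NIC list, DMI fields from WMI or /sys/class/dmi/id, the process list) and keep hardening until it returns an empty list; the kernel-debugging flag from the slide is a separate check that the bot reads from the OS rather than from these artifacts.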
22. Exploitation
• A mutex object can be used to determine whether the system is already infected, and to detect the presence of virtual machines, traffic analyzers and anti-virus (AV) software on the system.
• The PDEF+ component is designed to check the effectiveness of bots in bypassing anti-virus systems running on the client side.
25. Defensive Mechanisms
Socks Proxy
• Bot herders can restrict direct access to the C&C panel: the panel offers a verification method, and only if the bot matches is it allowed to download the configuration file, which limits the sources of incoming HTTP requests
Domain Generation Algorithms
• Generate pseudorandom domain names
• The advantage is that DGAs strengthen the C&C communication channel so that fingerprinting of C&C servers becomes more difficult
26. Module
• This design shows that the bots can be extended by building additional plugins that are incorporated directly to execute extended code on the infected system.
o For example,
• the malware author can design a new plugin for a specific bot and use the C&C panel to update the bot by sending an updated configuration with the new plugin listed in it. When the bot is updated, the new plugin simply executes.
28. Data Exfiltration
• Man-in-the-Browser (MitB) Attacks
o MitB is capable of manipulating the communication flow between various browser components
o The most common hooking-based MitB techniques used by bots:
• Form-grabbing
• WebInjects
• WebFakes
35. Analytical Observations
• Use of DGAs as a C&C communication mechanism has increased in the last few years and we expect this trend to continue in the future
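An added example, not code from the original slides or from any real bot family, for the DGA mechanism described in the "Defensive Mechanisms" slide and the observation above: a hypothetical date-seeded DGA of the kind the slides describe, together with the two defender-side uses that open up once the seed has been recovered by reverse engineering (the "Test Steps" slide), namely precomputing the domains the bots will try so they can be sinkholed, and flagging DGA-looking names in DNS logs. The seed, the TLD list, the label length and the entropy threshold are constructed for this example.

```python
# Added example: a hypothetical DGA plus the defender's two uses of a recovered seed.
# Constructed: the seed, TLD list, 12-letter labels, and the heuristic thresholds.
import hashlib
import math
from collections import Counter
from datetime import date, timedelta

TLDS = ("com", "net", "org", "info")  # constructed


def dga(seed: bytes, day_iso: str, count: int = 5) -> list:
    """Derive the day's C&C candidates from a shared seed and the date (ISO string).
    Bot and herder compute the same list independently, so no domain is hard-coded
    and there is no fixed server to fingerprint."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day_iso.encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def sinkhole_list(seed: bytes, start_iso: str, days: int) -> set:
    """Defender side: every domain the bots will try over the next `days` days,
    ready to register, sinkhole or block before the herder does."""
    start = date.fromisoformat(start_iso)
    domains = set()
    for offset in range(days):
        domains.update(dga(seed, (start + timedelta(days=offset)).isoformat()))
    return domains


def shannon_entropy(text: str) -> float:
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def looks_generated(domain: str, min_len: int = 10, min_entropy: float = 3.2) -> bool:
    """Cheap triage heuristic for DNS logs when the seed is unknown: long labels with
    a near-uniform letter distribution are typical of DGA output and rare in
    human-chosen names."""
    label = domain.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


if __name__ == "__main__":
    seed = b"constructed-seed"
    today = dga(seed, "2014-01-01")
    print("today's candidates:", today)
    print("domains to sinkhole for the next 3 days:", len(sinkhole_list(seed, "2014-01-01", 3)))
    for d in today + ["onlinebanking.com"]:
        print(d, "generated?" , looks_generated(d))
```

The entropy heuristic is a triage signal, not a verdict: CDN and cloud hostnames also have long random-looking labels, so it should feed a review queue or correlate with other indicators rather than block on its own. The sinkhole list is the stronger tool, but it depends on the recovered seed and algorithm staying valid; a bot update that changes either silently invalidates it.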
36. Analytical Observations
• The bots primarily target browsers to steal sensitive information pertaining to critical websites. Almost every HTTP-based botnet performs browser hooking to carry out nefarious tasks.
37. Analytical Observations
• Bots are distributed using automated exploit frameworks called browser exploit packs, which exploit a specific vulnerability in browser components and download bots onto the user systems without their knowledge
39. Analytical Observations
• Bots use Windows' built-in cryptographic APIs together with custom encryption routines to avoid detection and further complicate any analysis.
41. Challenges
• HTTPS is an end-to-end security solution that protects from Man-in-the-Middle (MitM) attacks, but it does not provide any protection against MitB attacks
42. Challenges
• Two-factor authentication (TFA) does not protect from MitB attacks
o TFA raises the bar with respect to the ease of use of stolen authentication data, but it neither prevents the theft nor eliminates the data's value.
43. Challenges
• Developing IPS/IDS signatures for bot detection fails to stop unknown malware (financial botnets) running in the wild. The thriving botnet ecosystem is proof of that.
45. Solutions
To defend against WebInject attacks
• One solution is to build an HTML/JavaScript-based webpage verification system that detects modifications made to webpages when they are rendered in the browser.
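One way to build the verification system the slide proposes, as an added example that is not from the original slides: the server publishes a fingerprint of the form controls it actually serves, the client re-fingerprints the page as rendered and reports any control that was injected. Shown here in Python over the page source so it runs offline; in deployment the same canonicalisation would run in page JavaScript over the live DOM and post the result back to the server. The sample login form, the injected card-number and PIN fields, and all function names are constructed for this example.

```python
# Added example: detect WebInject-style field injection by fingerprinting form controls.
# Constructed: the sample forms, the injected field names, and the function names.
import hashlib
import hmac
import json
from html.parser import HTMLParser


class FormFieldCollector(HTMLParser):
    """Collect (name, type) for every form control in a page."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            a = dict(attrs)
            default_type = "text" if tag == "input" else tag
            self.fields.append((a.get("name") or "", a.get("type") or default_type))


def form_fields(html: str) -> list:
    parser = FormFieldCollector()
    parser.feed(html)
    return sorted(parser.fields)


def form_fingerprint(html: str) -> str:
    """Order-independent SHA-256 over the canonical list of form controls."""
    canonical = json.dumps(form_fields(html), separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def rendered_matches(rendered_html: str, published_fingerprint: str) -> bool:
    """Client-side check against the fingerprint the server published for this page."""
    return hmac.compare_digest(form_fingerprint(rendered_html), published_fingerprint)


def injected_fields(served_html: str, rendered_html: str) -> list:
    """Controls present after rendering that the server never sent: the WebInject payload."""
    served = set(form_fields(served_html))
    return [f for f in form_fields(rendered_html) if f not in served]


# Constructed sample: the login form as served, and the same form after a WebInject
# added card-number and PIN fields that the bank's page never asks for.
SERVED_LOGIN_FORM = """
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input type="submit" value="Sign in">
</form>"""

INJECTED_LOGIN_FORM = """
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="card_number" type="text">
  <input name="atm_pin" type="password">
  <input type="submit" value="Sign in">
</form>"""

if __name__ == "__main__":
    published = form_fingerprint(SERVED_LOGIN_FORM)
    print("rendered form intact:", rendered_matches(INJECTED_LOGIN_FORM, published))
    print("injected controls:", injected_fields(SERVED_LOGIN_FORM, INJECTED_LOGIN_FORM))
```

The caveat the slides themselves raise for HTTPS and TFA applies here too: the verifier runs inside the hooked browser, so a bot that already hooks page rendering can hook the check. Posting the client's fingerprint to the server and comparing there, rather than deciding in the page, makes a mismatch visible to the bank even when the bot suppresses the client-side warning, and turns the mechanism into a detection signal rather than a guarantee.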
46. Solutions
To foil form-grabbing attacks
• Data is encrypted before it can be exfiltrated by the bot from the infected system, so what the form-grabber captures is ciphertext.
47. Solutions
To overcome malware that detects VMs
• Build next-generation, fully emulated environments by simulating the physical hardware, including CPU, memory, etc.
48. Solutions
To protect enterprises against unknown attacks
• Data mining and machine learning can play a vital role, but such solutions are still not able to cope with existing and emerging threats.
49. Solutions
Other
• Understand how one bot detects the presence of another bot
o e.g.:
o if mutex names are used by SpyEye to detect Zeus bots, the same patterns can be fed to end-user security solutions (anti-virus engines) to detect and eradicate the bots
50. Solutions
The most important way
• Technology alone cannot protect users from all types of malicious attacks.
• Improved user education that teaches users the importance of safe surfing habits, the best and most secure ways to perform online banking, avoiding destinations they are not sure of, etc.