Doron Segal, profile picture
Uploaded byDoron Segal
PPTX, PDF658 views

Bots and malware

This document provides an overview of botnets, including what they are, how they work, and examples of real botnets. It defines a botnet as a network of compromised computers called bots that are controlled remotely and in a coordinated way without the owner's consent. The document discusses how botnets infect computers using malware, how they communicate with command and control servers, how they are used to conduct DDoS attacks, steal money and personal information, and ways that botnets can be detected and mitigated.

Embed presentation

Download to read offline
BOTNET
WILL NOT TALK ABOUT - How to flight a Boeing 787 - Or a Boeing 777 Blow computer remotely
WILL TALK ABOUT - Basic introduction to internet security - What is Botnet? C & C? How does it get to your computer? - Different module - Real life story - Live example
Bottom Line A Bot is simply an automated computer program, or robot. BOT Making your computer into Bot using Trojan, Malware, etc.. The Bot will installed on the victim computer and will be communicate with the C&C server.
HOW DOES IT WORKS
HOW YOU BUILD A BOT? Easy, Bot Builder. Although you can re-create one from scratch.
SPREAD THE WORD… So, we create this great Bot now lets spread it via…. But how?!? Via affiliate program, torrent, emule any p2p that are out there. For example lets {Some.New.Movie}.blu.ray and yes we can make it be 5GB although our bot will be only 100KB. Yes, sometimes will see {some.great.movie.avi} 565KB, Yeah right.
SPREAD THE WORD… django unchained
SPREAD THE WORD… Affiliates?!?
C&C Command and Control Server In the old day a server that collect the victim data. Today much more complicated - Encrypted network connections Botnet access to the Kad network
AN ANTIVIRUS OF ITS OWN Bootkit will infects the MBR in order to launch itself This is a classic method used by downloaders which ensures a longer malware lifecycle and makes it less visible to most security programs.
SEARCH FOR SYSTEM REGISTRY FOR OTHER MALICIOUS PROGRAM
BOTNET ACCESS TO THE KAD NETWORK So what do the cybercriminals want with a publicly accessible file exchange network? 1. Cybercriminals make a encrypted file the contains list of commands 2. Infected computer receive command to download and installing any module. 3. After the installation process the victim get the nodes which contains the publicly accessible list of IP addresses of network servers and clients (Kad server and clients). 4. The module then sends a request to the Kad network to search for the right file. 5. Once the files has been downloaded and encrypted, the dll file runs the commands
PROXY MODULE Basically proxy server on the victim computer. - This module facilitates the anonymous viewing of Internet resources via infected machines. - New way making money $$, offering anonymous Internet access as a service, at a cost of roughly $100 per month. - Hiding the network and C&C servers.
ANOTHER COOL WAY FOR PROXY FAST FLUX Fast flux DNS takes advantage of the way load balancing is built into the DNS. It allows an administrator to register a number of IP address with a single host name (for ex: google.com, facebook.com, etc…) And the secret is the TTL,
WAYS TO TRANSFER MONEY
REAL LIFE EXAMPLE :: TDL4 Couple of Facts: 1. TDSS is one of the most sophisticated threat. 2. TDSS uses a range of methods to evade signature, heuristic, and proactive detection. 3. Uses encryption to facilitate communication between its bots and the botnet command and control center. 4. powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system. 5. Algorithm encrypting the protocol used for communication between infected computers and botnet command and control servers. 6. Kad.dll module which allows the TDSS botnet to access the Kad network. 7. Socks.dll has been added to TDSS‟s svchost.exe; it is used to establish a proxy server on an infected computer. 8. Smart ways to get command using encrypted files and different servers.
WAYS TO SOLVE 1. Wireshark view logs and information 2. DNS server logs, when working under cooperation proxy server. 3. Bios , stop infection MBR.
SOME MORE REAL LIFE STORIES • Chinese banker Trojan: There are 242 million e-commerce users (according to Dec 2012), it mean nearly half of the users in Internet users in China. (There is lots of money involve!) Win32.Bancyn.a, was named „Floating Cloud‟, and was used to steal several millions of dollars from e-commerce users. • Social Network Trojan (Brazil): "PimpMyWindow", an adware and click-fraud scheme that has infected several Brazilian Facebook users in recent days, works. Basically a browser plugin that communicate with the “Criminal” server and send the user information whenever is logged in to one of the Brazilian banks.
The email asks to send an advance payment to the lottery so that they can release the prize money. Lots of naive users get fooled by the scammers and end up wasting their money. 419 NIGERIAN SCAMS A sample 419 Scam email ------------------------------------Sender: uk_national_lottery_005@hotmail.com Subject: !!!CONGRATULATIONS YOU ARE A WINNER!!! FROM THE LOTTERY PROMOTIONS MANAGER, THE UNITED KINGDOM INTERNATIONAL LOTTERY, PO BOX 287, WATFORD WD18 9TT, UNITED KINGDOM. We are delighted to inform you of your prize release from the United Kingdom International Lottery program. Your name was attached to Ticket number; 47061725, Batch number; 7056490902, Winning number; 07-14-24-37-43-48 bonus number 29, which consequently won the lottery in the first category....
SLIDESHARE.NET ATTACK Example 2: April 23, 2008 • Slideshare was down for a few days due to DDOS attack that originated from China. • The attack reached a peak of 2.5GB/sec and consisted entirely of packets sent from China • 2.5 GB/sec?!?! Try to imagine how many bots were involve.
HOPE YOU ALL ENJOY! “The quieter you become, the more you are able to hear…”

More Related Content

PDF
Securing Internet communications end-to-end with the DANE protocol
byAfnic
 
DOCX
Zeus
byMaGn3t0
 
PDF
microservice
byDoron Segal
 
PDF
Selenium
byDoron Segal
 
PDF
Microservice
byDoron Segal
 
PDF
Rest API's
byDoron Segal
 
PDF
Node.js
byDoron Segal
 
PDF
SEO: Getting Personal
byKirsty Hulse
 
Securing Internet communications end-to-end with the DANE protocol
byAfnic
 
Zeus
byMaGn3t0
 
microservice
byDoron Segal
 
Selenium
byDoron Segal
 
Microservice
byDoron Segal
 
Rest API's
byDoron Segal
 
Node.js
byDoron Segal
 
SEO: Getting Personal
byKirsty Hulse
 

Similar to Bots and malware

PPTX
Mcs2453 aniq mc101053-assignment1
byAniq Eastrarulkhair
 
PDF
A short visit to the bot zoo
byUltraUploader
 
PDF
Botnetsand applications
byUltraUploader
 
PPT
Defending Against Botnets
byJim Lippard
 
PPTX
Bots and Botnet
byHicube Infosec
 
PPTX
It act seminar
byAkshay Sharma
 
PPT
Botnet
byJoshin Gomez
 
PPT
Cybersecurity, Hacking, and Privacy
byNicholas Davis
 
PDF
Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly ...
byOWASP Delhi
 
PPTX
Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
byEric Vanderburg
 
PDF
Taming botnets
byf00d
 
PDF
Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis
byPositive Hack Days
 
PPTX
BOTLAB excersise
byAnthony Stamm
 
PDF
Network security
byLukeDaniel12
 
PPT
BotNet Attacks
byRangana lakmal
 
PDF
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
byAPNIC
 
PPTX
Surfing with Sharks KS ED TECH 2012
byinf8nity
 
PDF
BOTNET
byArjo Ghosh
 
PDF
BOTNETS
byArjo Ghosh
 
PPTX
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
byEric Vanderburg
 
Mcs2453 aniq mc101053-assignment1
byAniq Eastrarulkhair
 
A short visit to the bot zoo
byUltraUploader
 
Botnetsand applications
byUltraUploader
 
Defending Against Botnets
byJim Lippard
 
Bots and Botnet
byHicube Infosec
 
It act seminar
byAkshay Sharma
 
Botnet
byJoshin Gomez
 
Cybersecurity, Hacking, and Privacy
byNicholas Davis
 
Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly ...
byOWASP Delhi
 
Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
byEric Vanderburg
 
Taming botnets
byf00d
 
Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis
byPositive Hack Days
 
BOTLAB excersise
byAnthony Stamm
 
Network security
byLukeDaniel12
 
BotNet Attacks
byRangana lakmal
 
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
byAPNIC
 
Surfing with Sharks KS ED TECH 2012
byinf8nity
 
BOTNET
byArjo Ghosh
 
BOTNETS
byArjo Ghosh
 
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
byEric Vanderburg
 

Recently uploaded

PPTX
computer science class 11 ( phishing and fraud mails) .pptx
bybalajichess314
 
PPTX
congo red stain nd PAS STAIN histopathology
bybushrariaz1240
 
PDF
Unlocking Gen AI Capabilities Within UiPath Document Understanding
byDianaGray10
 
PDF
Mercury Computer Systems & The Cell Broadband Engine
bySlide_N
 
PDF
2025-CB-NCAE-slide-deck.pptx-1-83.pdf Virtual Orientation on the Administrati...
byNelizabethEsplaguera1
 
PPTX
Robot Vacuums are Cleaning Up. The global robot vacuum segment has high marke...
byRobert March
 
PPTX
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
PDF
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
PDF
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
PDF
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
PDF
Implementing A Data Lakehouse Using Iceberg & Spark
byAnass Nabil
 
PPTX
WIFI Enabled 8 by 32 Matrix.pptx for final year project
bymdsabbirhossain524856
 
PPTX
Fortify Your Digital Defenses with ServiceNow Security Operations by Suma Soft
byGavin Ellis
 
PPTX
Accelerate Innovation with Engineering R&D Services
byChetu
 
PDF
Profiting from Technological Innovation: Managing Intellectual Property to Bu...
byDavid Teece
 
PDF
AI Data Analyst: Smarter Insights for Modern Real Estate Decisions
byLeni Analyst
 
PDF
Presentation of Cybersecurity and data protection
bytarikaityahya2
 
PDF
6 Insights from the Patron Saint of AI Failure
byScott M. Graffius
 
PDF
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
PDF
Why Enterprises Are Moving to Dedicated Servers in the Netherlands
byAtal Networks
 
computer science class 11 ( phishing and fraud mails) .pptx
bybalajichess314
 
congo red stain nd PAS STAIN histopathology
bybushrariaz1240
 
Unlocking Gen AI Capabilities Within UiPath Document Understanding
byDianaGray10
 
Mercury Computer Systems & The Cell Broadband Engine
bySlide_N
 
2025-CB-NCAE-slide-deck.pptx-1-83.pdf Virtual Orientation on the Administrati...
byNelizabethEsplaguera1
 
Robot Vacuums are Cleaning Up. The global robot vacuum segment has high marke...
byRobert March
 
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
Implementing A Data Lakehouse Using Iceberg & Spark
byAnass Nabil
 
WIFI Enabled 8 by 32 Matrix.pptx for final year project
bymdsabbirhossain524856
 
Fortify Your Digital Defenses with ServiceNow Security Operations by Suma Soft
byGavin Ellis
 
Accelerate Innovation with Engineering R&D Services
byChetu
 
Profiting from Technological Innovation: Managing Intellectual Property to Bu...
byDavid Teece
 
AI Data Analyst: Smarter Insights for Modern Real Estate Decisions
byLeni Analyst
 
Presentation of Cybersecurity and data protection
bytarikaityahya2
 
6 Insights from the Patron Saint of AI Failure
byScott M. Graffius
 
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
Why Enterprises Are Moving to Dedicated Servers in the Netherlands
byAtal Networks
 

Bots and malware

  • 1.
  • 2.
    WILL NOT TALKABOUT - How to flight a Boeing 787 - Or a Boeing 777 Blow computer remotely
  • 3.
    WILL TALK ABOUT - Basicintroduction to internet security - What is Botnet? C & C? How does it get to your computer? - Different module - Real life story - Live example
  • 4.
    Bottom Line A Botis simply an automated computer program, or robot. BOT Making your computer into Bot using Trojan, Malware, etc.. The Bot will installed on the victim computer and will be communicate with the C&C server.
  • 5.
  • 7.
    HOW YOU BUILDA BOT? Easy, Bot Builder. Although you can re-create one from scratch.
  • 8.
    SPREAD THE WORD… So,we create this great Bot now lets spread it via…. But how?!? Via affiliate program, torrent, emule any p2p that are out there. For example lets {Some.New.Movie}.blu.ray and yes we can make it be 5GB although our bot will be only 100KB. Yes, sometimes will see {some.great.movie.avi} 565KB, Yeah right.
  • 9.
  • 10.
  • 11.
    C&C Command and ControlServer In the old day a server that collect the victim data. Today much more complicated - Encrypted network connections Botnet access to the Kad network
  • 12.
    AN ANTIVIRUS OFITS OWN Bootkit will infects the MBR in order to launch itself This is a classic method used by downloaders which ensures a longer malware lifecycle and makes it less visible to most security programs.
  • 13.
    SEARCH FOR SYSTEMREGISTRY FOR OTHER MALICIOUS PROGRAM
  • 14.
    BOTNET ACCESS TOTHE KAD NETWORK So what do the cybercriminals want with a publicly accessible file exchange network? 1. Cybercriminals make a encrypted file the contains list of commands 2. Infected computer receive command to download and installing any module. 3. After the installation process the victim get the nodes which contains the publicly accessible list of IP addresses of network servers and clients (Kad server and clients). 4. The module then sends a request to the Kad network to search for the right file. 5. Once the files has been downloaded and encrypted, the dll file runs the commands
  • 15.
    PROXY MODULE Basically proxyserver on the victim computer. - This module facilitates the anonymous viewing of Internet resources via infected machines. - New way making money $$, offering anonymous Internet access as a service, at a cost of roughly $100 per month. - Hiding the network and C&C servers.
  • 16.
    ANOTHER COOL WAYFOR PROXY FAST FLUX Fast flux DNS takes advantage of the way load balancing is built into the DNS. It allows an administrator to register a number of IP address with a single host name (for ex: google.com, facebook.com, etc…) And the secret is the TTL,
  • 17.
  • 18.
    REAL LIFE EXAMPLE:: TDL4 Couple of Facts: 1. TDSS is one of the most sophisticated threat. 2. TDSS uses a range of methods to evade signature, heuristic, and proactive detection. 3. Uses encryption to facilitate communication between its bots and the botnet command and control center. 4. powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system. 5. Algorithm encrypting the protocol used for communication between infected computers and botnet command and control servers. 6. Kad.dll module which allows the TDSS botnet to access the Kad network. 7. Socks.dll has been added to TDSS‟s svchost.exe; it is used to establish a proxy server on an infected computer. 8. Smart ways to get command using encrypted files and different servers.
  • 19.
    WAYS TO SOLVE 1.Wireshark view logs and information 2. DNS server logs, when working under cooperation proxy server. 3. Bios , stop infection MBR.
  • 20.
    SOME MORE REALLIFE STORIES • Chinese banker Trojan: There are 242 million e-commerce users (according to Dec 2012), it mean nearly half of the users in Internet users in China. (There is lots of money involve!) Win32.Bancyn.a, was named „Floating Cloud‟, and was used to steal several millions of dollars from e-commerce users. • Social Network Trojan (Brazil): "PimpMyWindow", an adware and click-fraud scheme that has infected several Brazilian Facebook users in recent days, works. Basically a browser plugin that communicate with the “Criminal” server and send the user information whenever is logged in to one of the Brazilian banks.
  • 21.
    The email asksto send an advance payment to the lottery so that they can release the prize money. Lots of naive users get fooled by the scammers and end up wasting their money. 419 NIGERIAN SCAMS A sample 419 Scam email ------------------------------------Sender: uk_national_lottery_005@hotmail.com Subject: !!!CONGRATULATIONS YOU ARE A WINNER!!! FROM THE LOTTERY PROMOTIONS MANAGER, THE UNITED KINGDOM INTERNATIONAL LOTTERY, PO BOX 287, WATFORD WD18 9TT, UNITED KINGDOM. We are delighted to inform you of your prize release from the United Kingdom International Lottery program. Your name was attached to Ticket number; 47061725, Batch number; 7056490902, Winning number; 07-14-24-37-43-48 bonus number 29, which consequently won the lottery in the first category....
  • 22.
    SLIDESHARE.NET ATTACK Example 2:April 23, 2008 • Slideshare was down for a few days due to DDOS attack that originated from China. • The attack reached a peak of 2.5GB/sec and consisted entirely of packets sent from China • 2.5 GB/sec?!?! Try to imagine how many bots were involve.
  • 23.
    HOPE YOU ALLENJOY! “The quieter you become, the more you are able to hear…”

Editor's Notes

  • #12 Botnet access to the Kad networkOne of the most outstanding new features of TDL-4 is the kad.dll module, which allows the TDSS botnet to access the Kad network. So what do the cybercriminals want with a publicly accessible file exchange network?We have known about botnets controlled via P2P for some time now, although until now, these were closed protocol connections created by the cybercriminals themselves. In contrast, TDSS uses a public P2P network in order to transmit commands to all infected computers in the botnet. The initial steps of how TDSS makes use of Kad are given below: The cybercriminals make a file called ktzerules accessible on the Kad network. The file is encrypted and contains a list of commands for TDSS. Computers infected with TDSS receive the command to download and install the kad.dll module. Once installed, kad.dll downloads the file nodes.dat, which contains the publicly accessible list of IP addresses of Kad network servers and clients. The kad.dll module then sends a request to the Kad network to search for the ktzerules file. Once the ktzerules files has been downloaded and encrypted, kad.dll runs the commands which ktzerules contains.