This document discusses botnets, which are networks of compromised computers controlled by cybercriminals without the owners' knowledge. Botnets are created using malware that turns computers into "bots" which can be instructed to perform tasks like sending spam or launching cyberattacks. The document describes how botnets are built, classified, and used illegally for crimes. It also provides information on protecting against and detecting bot infections on computers and mobile devices.

1. ©
AR
AG
AS

2. ©
AR
AG
AS

3. ©
AR
AG
AS

4. BOTNET BATTLE
A single compromised computer can be a pain to deal with, but a
collection of compromised computers can wreak havoc around
the world.
Leaving our computer vulnerable to attack makes us a danger,
not just to ourselves but to everyone on the internet.
How do botnets work?
What’s the risk?
How can we protect ourselves?
©
AR
AG
AS

5. WHAT IS A BOTNET?
The term bot is short for robot.
Criminals distribute malware turning our computer into a bot.
Computers perform automated tasks over the internet
without us knowing it.
Criminals use bots to infect large number of computers.
These computers form a network which is popularly called as
botnet.
©
AR
AG
AS

6. RISKS OF BOTNET
Criminals use botnets to
Send out spam email messages.
Spread viruses.
Attack computers + servers.
Commit other kinds of crime + fraud.
If our computer becomes part of a botnet, then our
computer might slow down and we might be helping
cyber criminals indirectly.
©
AR
AG
AS

7. DEBUTS IN 2000
In the year 2000, a Canadian teenager launched
a series of distributed denial-of-service attacks
against several high-profile web sites.
The teen targeted Yahoo, Dell, eBay, amazon
and many others by flooding the sites with
massive amounts of junk traffic until their
servers crashed.
©
AR
AG
AS

8. BOTNETS CLASSIFICATION
Botnets can be classified into two prime categories:
Legal botnets
Illegal botnets
©
AR
AG
AS

9. LEGAL BOTNETS
The term botnet is widely used when several IRC bots have
been linked and set channel modes on other bots and users
while keeping IRC channels free from unwanted users.
This is where the term is originally from, since the first illegal
botnets were similar to legal botnets.
A common bot used to set up botnets on IRC is eggdrop.
©
AR
AG
AS

10. ILLEGAL BOTNETS
Botnets sometimes infect computers whose security defences
have been violated and control granted to a third party.
Each such infected device, known as a "bot", is created when a
computer is penetrated by software from a malware distribution.
The botmaster directs the activities of these infected computers
through communication channels formed by IRC and HTTP.
©
AR
AG
AS

11. WHAT IS A BOT?
A "bot" is a type of malware that allows an attacker to take
control over an affected computer.
Bots are usually part of a network of infected machines.
Since a bot infected computer does the bidding of its master,
many people refer to these victim machines as zombies.
The cybercriminals that control these bots are called
botmasters.
©
AR
AG
AS

12. BOT + EXPLOIT SELECTION
Botnets typically begin when Botmaster downloads a bot
program and exploit code.
Bot programs such as AgoBot, IRCBot, etc are freely
available on the internet.
Exploits for Windows OS are generally selected.
These exploits are attractive both due to large number of
exploits available and the widespread adoption of
Windows amongst business + residential users.
©
AR
AG
AS

13. CONTROL CHANNEL
After selecting the bot + exploit combination, the
Botmaster must now setup one or more control channels.
The most common technique is to use public IRC servers to
control the botnet.
The Botmaster needs a control channel in order to issue
commands to and receive feedback from the botnet.
Control channels are frequently moved to avoid detection.
©
AR
AG
AS

14. INITIAL INFECTION
The Botmaster must now begin to build the zombie army
that will include the botnet.
Using the chosen exploit, the Botmaster cracks and takes
control over a handful of systems.
©
AR
AG
AS

15. C + C MECHANISM
COMMAND AND CONTROL MECHANISM
A collection of computers is useless without some
control mechanism.
The command and control constitutes the
interface between the botnet and the botmaster.
The botmaster commands the c&c.
The c&c commands the bots.
©
AR
AG
AS

16. BOTNET WITH ZOMBIES
©
AR
AG
AS

17. BOTNET STATISTICS
©
AR
AG
AS

18. DOSNET
A type of botnet & mostly used as a term for malicious
botnets.
DoSnets are used for DDoS attacks which can be very
devastating.
Well-known DoSnet software includes
→ TFN2k
→ Stacheldraht
→ Trinoo.
©
AR
AG
AS

19. DOSBOT
The denial of service bot is the client which is used to connect
to the network.
It’s also the software which performs any attacks.
The vast majority of the bots are written in the
→ C
→ C++
→ Java
©
AR
AG
AS

20. WAREZ
Botnets can be used to steal, store, or propagate warez.
Warez constitutes any illegally obtained or pirated
software.
Bots can search hard drives for software and licenses
installed on a victims machine.
Botmasters can easily transfer it off for duplication and
distribution.
©
AR
AG
AS

21. CONTROLLING BOTNET
Command Function
.capture. Generates and saves an image or video file.
.download. Downloads a file from a specified URL to the victim’s computer.
.find file. Finds files on the victim’s computer by name and returns the paths of any files found.
.getcdkeys. Returns product keys for software installed on the victim’s computer.
.key log. Logs the victim’s keystrokes and saves them to a file.
.open. Opens a program, an image, or a URL in a web browser.
.procs. Lists the processes running on the victim’s computer.
Some of the Botnet Commands from Win32 bot family:
©
AR
AG
AS

22. HOW BOTS WORK?
Bots creep into a person’s computer in many ways.
Bots often spread themselves across the internet by looking for
vulnerable, unprotected computers to infect.
 When they find an exposed computer, they quickly infect the
machine and then report back to their master.
Their goal is then to stay hidden until they are instructed to carry
out a task.
©
AR
AG
AS

23. AUTOMATED TASKS BY BOTS
Sending Stealing Denial of Service Click fraud
They send
→ Spam
→ Viruses
→ Spyware
They steal personal and private
information and communicate it
back to the malicious user:
→ Bank credentials
→ Credit card numbers
→ Sensitive informations
Launching denial
of service (DoS)
attacks against a
specified target.
Fraudsters use bots
to boost web
advertising billings
by automatically
clicking on internet
ads.
©
AR
AG
AS

24. PROTECT AGAINST BOTS
Limit your user rights when online.
Install top-rated security software.
Increase the security settings on your browser.
Update automatically to latest system patches.
Configure your software's settings to update automatically.
Never click on attachments unless you can verify the source.
©
AR
AG
AS

25. DETECTION + REMOVAL 1
RUBOTTED 2.0 BETA
Monitors our computer for potential infection and suspicious
activities associated with bots.
Protect our system by continuously monitoring our computer for
potential infection and suspicious activities with Rubotted.
→downloadcenter.trendmicro.com
©
AR
AG
AS

26. DETECTION + REMOVAL 2
MALICIOUS SOFTWARE REMOVAL TOOL
Checks our computer for infection by specific, prevalent
malicious software and removes the infection if it is found.
Microsoft releases an updated version of this tool on the
second Tuesday of each month.
→microsoft.com
©
AR
AG
AS

27. DETECTION + REMOVAL 3
NORTON™ POWER ERASER
Eliminates deeply embedded and difficult to remove crimeware
that traditional virus scanning doesn't always detect.
Norton Power Eraser is specially designed to aggressively target
scamware.
→security.symantec.com
©
AR
AG
AS

28. MOBILE BOTNETS
Targets smartphones, attempting to gain complete
access to the device and its contents as well as
providing control to the botmaster.
Mobile botnets give admin rights of the compromised
mobile devices, enabling hackers to
→Send e-mail or text messages
→ Make phone calls
→ Access contacts and photos, and more.
©
AR
AG
AS

29. EXAMPLES OF MOBILE BOTNETS
The Dreamdroid malware that compromised the Android devices.
The iPhone SMS attack that affected iPhone + iPad devices.
The Commwarrior affected Symbian series mobile devices.
The Zitmo that targeted Blackberry users.
©
AR
AG
AS

30. CONTROLLING MOBILE BOTNET
Command Function
Add Phone Number(s) Adds numbers to the forwarding list.
Commands are forwarded to all bots on the list.
Set sleep interval Sets how long the client waits before searching the P2P network for a
command.
Execute shell sequence Run a command in the shell.
Download URL Downloads a command file from the botmasters.
Some of the Botnet Commands from iBot family:
©
AR
AG
AS

31. PROTECT AGAINST MOBILE BOTS
Install the latest official OS for your smartphone.
Avoid pirated apps or apps from untrusted sources.
Download apps only from trusted and reputable app stores.
©
AR
AG
AS

32. DETECTION + REMOVAL
BULLGUARD MOBILE SECURITY 10
Detects and removes malware.
Monitor information that is being sent and received.
Remotely manage and monitor the smartphone.
→bullguard.com
©
AR
AG
AS

33. ©
AR
AG
AS

34. REFERENCES
©
AR
AG
AS

35. ANY QUESTIONS? 
©
AR
AG
AS

36. CREDITS
Alok Roy
Arjo Ghosh
Abhishek Sahu
©
AR
AG
AS

37. ©
AR
AG
AS