BOTNET: Study in Internet Crime and Their Threats. Presented by: Farheen K. Siddiqui, Richa Srivastava and Shobhini Job, M.Tech CSE, Lakshmi Narain College of Technology (LNCT), Bhopal.
- What are botnets?
- How do they work?
- Threats caused by botnets
- Detection and prevention methods
- Analysis of botnets
- Conclusion
BOT + NET = BOTNET. “A botnet is a collection of computers, connected to the internet, that interact to accomplish some distributed task.”
- The term typically refers to networks of compromised machines used for illegal purposes.
- Controlled by one person or a group of people (a.k.a. the botmaster).
- Operated under a command and control (C&C) structure.
 
How a botnet is built:
1. The botmaster infects a victim machine with the bot (via a worm, an exploit, social engineering, etc.).
2. The bot connects to the C&C server. This can be done over HTTP, IRC or any other protocol.
3. The botmaster sends commands to the bot through the C&C server.
4. Repeat. Soon the botmaster has an army of bots controlled from a single point.
 
 
Threats caused by botnets: Distributed Denial of Service (DDoS), spam/phishing, adware, click fraud, and others.
DDoS has been a built-in capability of bots since the beginning. It is used for extortion: take the victim's systems down until they pay, and often the threat alone is enough.
Many bots are able to send out spam or phishing emails. Spam is unsolicited bulk email sent in mass quantity. A botnet gives the spammer or phisher a way to send thousands of emails from thousands of different machines and IP addresses, which makes it much harder for sender-reputation and rate-based spam defences to block them. Phishing lures the user into revealing personal details.
Adware affiliate programs pay by the number of “installs” a distributor generates. Many bots download and install adware when they are loaded, often several adware packages at once, which generates income for the botmaster from adware revenue.
Online advertisers pay by the number of unique “clicks” on their ads. Thousands of bots can generate thousands of apparently unique clicks from distinct IP addresses. The botmaster “rents” out the clicks and gets a share of the revenue. The Clickbot.A botnet was found with more than 34,000 machines in it.
Other threats:
- Malware installation: rootkits and other malware to increase the odds of keeping the machine.
- Spyware and identity theft: sniffing passwords, keystroke logging, grabbing credit card and bank account information.
- Renting out the botnet: pay as little as $100 an hour to DoS your favourite site!
Detection and prevention methods: anti-malware technology, IDSes (intrusion detection systems), IPSes (intrusion prevention systems), honeypots.
Analysis of botnets, along six dimensions: botnet control mechanisms, host control mechanisms, propagation mechanisms, exploits and attack mechanisms, malware delivery mechanisms, obfuscation methods and deception strategies.
Finding: The predominant remote control mechanism for botnets remains Internet Relay Chat (IRC) and in general includes a rich set of commands enabling a wide range of use. Implication: Monitoring of botnet activity on IRC channels and disruption of specific channels on IRC servers should continue to be an effective defensive strategy for the time being.
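The check-in and command cycle from the "How do they work" slide, and the IRC monitoring this finding recommends, in one place. This is an added example and not code from the slides or from any real bot: the captured session, the #bots channel, the [COUNTRY|OS]-number nick pattern and the dotted command vocabulary are all constructed for the example, modelled on the classic IRC-bot style.

```python
"""Added example, not from the slides or any real bot's source: a small
monitor for the IRC check-in and command cycle.  The session, channel name,
nick pattern and command vocabulary are constructed for the example."""
import re

IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+)\s+)?(?P<cmd>\S+)(?:\s+(?P<params>.*))?$")
# Assumed bot-style nick: [COUNTRY|OS]-digits, e.g. [USA|XP]-838211.
BOT_NICK = re.compile(r"^\[[A-Z]{2,3}\|[A-Za-z0-9]+\]-\d+$")
# Assumed command verbs a botmaster issues in-channel behind a "." or "!" prefix.
BOT_VERBS = {"login", "ddos", "scan", "download", "update", "spam", "keylog"}

# Constructed session as a network monitor would see it: (direction, line),
# "out" = sent by the suspected bot, "in" = received from the IRC server.
SAMPLE_SESSION = [
    ("out", "NICK [USA|XP]-838211"),
    ("out", "USER xp 0 0 :xp"),
    ("in",  ":irc.example.net 001 [USA|XP]-838211 :Welcome"),
    ("out", "JOIN #bots k3y"),
    ("in",  ":[USA|XP]-838211!xp@10.0.0.5 JOIN :#bots"),
    ("in",  ":boss!b@c2.example.net PRIVMSG #bots :.login s3cret"),
    ("in",  ":boss!b@c2.example.net PRIVMSG #bots :.ddos.syn 192.0.2.10 80 600"),
    ("in",  ":boss!b@c2.example.net PRIVMSG #bots :.scan.start 445"),
    ("out", "PRIVMSG #bots :[SCAN]: started on port 445"),
    ("in",  "PING :irc.example.net"),
    ("out", "PONG :irc.example.net"),
]

# Constructed ordinary chat session for comparison.
BENIGN_SESSION = [
    ("out", "NICK alice"),
    ("out", "JOIN #python"),
    ("in",  ":bob!b@h.example.org PRIVMSG #python :hi alice, any idea about asyncio?"),
]


def parse_irc(line):
    """Split one raw IRC line into prefix, command, middle params and trailing text."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    params = m.group("params") or ""
    trailing = None
    if params.startswith(":") or " :" in params:
        head, _, trailing = (" " + params).partition(" :")
        args = head.split()
    else:
        args = params.split()
    return {"prefix": m.group("prefix"), "cmd": m.group("cmd").upper(),
            "args": args, "trailing": trailing}


def analyze_session(session):
    """Walk a session and report the bot lifecycle: nick, channel, commands, replies."""
    report = {"nick": None, "bot_style_nick": False, "channels": [],
              "commands": [], "status_reports": 0}
    channels = set()
    for direction, line in session:
        msg = parse_irc(line)
        if msg is None:
            continue
        if direction == "out" and msg["cmd"] == "NICK" and msg["args"]:
            report["nick"] = msg["args"][0]
            report["bot_style_nick"] = bool(BOT_NICK.match(msg["args"][0]))
        elif direction == "out" and msg["cmd"] == "JOIN" and msg["args"]:
            channels.add(msg["args"][0].lower())
        elif msg["cmd"] == "PRIVMSG" and msg["args"] and msg["trailing"]:
            text = msg["trailing"]
            if direction == "in" and text[:1] in (".", "!") and text[1:].split():
                verb = text[1:].split()[0].lower()            # e.g. "ddos.syn"
                if verb.split(".")[0] in BOT_VERBS:
                    report["commands"].append(verb)
            elif (direction == "out" and msg["args"][0].lower() in channels
                  and text.startswith("[")):
                report["status_reports"] += 1                 # "[SCAN]: started ..."
    report["channels"] = sorted(channels)
    if report["commands"] and (report["bot_style_nick"] or report["status_reports"]):
        report["verdict"] = "botnet-c2"
    elif report["commands"] or report["bot_style_nick"]:
        report["verdict"] = "review"
    else:
        report["verdict"] = "benign"
    return report


if __name__ == "__main__":
    for name, sess in (("sample", SAMPLE_SESSION), ("benign", BENIGN_SESSION)):
        print(name, analyze_session(sess))
```

The verdict deliberately needs two independent signals (commands issued in-channel plus either a generated-looking nick or a bracketed status reply) so that a human typing ".scan" in a normal channel is only flagged for review; in a real deployment the lines would come from a network tap or IDS stream on port 6667 and nearby ports rather than a list.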
Finding:  The host control mechanisms used for harvesting sensitive information from host systems are ingenious and enable data from passwords to mailing lists to credit card numbers to be gathered.  Implication:  This is one of the most serious results of our study and suggests design objectives for future operating systems and applications that deal with sensitive data.
Finding: There are at present only a limited set of propagation mechanisms available in botnets, with Agobot showing the widest variety. Simple horizontal and vertical scanning are the most common mechanisms. Implication: The specific propagation methods used in these botnets can form the basis for modeling and simulating botnet propagation in research studies.
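The two scanning patterns named in this finding, as a detector would see them in flow records: a horizontal scan is one source probing one port across many hosts (the subnet sweep a spreading bot performs), a vertical scan is one source probing many ports on one host. This is an added example, not code from the slides; the flow records are constructed (src, dst, dport) tuples and the thresholds of eight hosts or eight ports are assumptions.

```python
"""Added example, not from the slides: classify horizontal and vertical
scanning from flow records.  Records and thresholds are constructed."""
import ipaddress
from collections import defaultdict


def build_sample_flows():
    """Constructed flow sample: one horizontal scanner, one vertical scanner,
    and one host that simply talks a lot to a single service (not a scan)."""
    flows = []
    for host in range(1, 21):                              # sweep of 10.0.1.0/24 on 445
        flows.append(("10.0.0.5", f"10.0.1.{host}", 445))
    for port in (21, 22, 23, 25, 80, 110, 135, 139, 445, 1433):
        flows.append(("10.0.0.9", "192.0.2.7", port))      # port sweep of one host
    for _ in range(10):
        flows.append(("10.0.0.7", "10.0.2.3", 443))        # repeated HTTPS, benign
    return flows


def classify_scans(flows, host_threshold=8, port_threshold=8):
    """Return alerts: horizontal = one source, one port, many hosts;
    vertical = one source, one host, many ports.  Thresholds are assumptions."""
    hosts_per_src_port = defaultdict(set)   # (src, dport) -> {dst}
    ports_per_src_dst = defaultdict(set)    # (src, dst)   -> {dport}
    for src, dst, dport in flows:
        hosts_per_src_port[(src, dport)].add(dst)
        ports_per_src_dst[(src, dst)].add(dport)

    alerts = []
    for (src, dport), dsts in hosts_per_src_port.items():
        if len(dsts) >= host_threshold:
            # A sweep confined to one /24 is the local-subnet pattern a worm-style
            # bot shows right after infection.
            nets = {ipaddress.ip_network(f"{d}/24", strict=False) for d in dsts}
            alerts.append({"type": "horizontal", "src": src, "dport": dport,
                           "targets": len(dsts), "single_subnet": len(nets) == 1})
    for (src, dst), ports in ports_per_src_dst.items():
        if len(ports) >= port_threshold:
            alerts.append({"type": "vertical", "src": src, "dst": dst,
                           "ports": sorted(ports)})
    return sorted(alerts, key=lambda a: (a["type"], a["src"]))


if __name__ == "__main__":
    for alert in classify_scans(build_sample_flows()):
        print(alert)
```

In practice the tuples come from NetFlow/IPFIX, Zeek conn.log or firewall deny logs, and the counts are kept per time window; counting distinct targets rather than packets is what keeps the chatty-but-legitimate 10.0.0.7 out of the alerts.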
Finding: Exploits refer to the specific methods for attacking known vulnerabilities on target systems. Implication: The set of exploits packaged with botnets suggests basic requirements for host-based anti-virus systems and network intrusion detection and prevention signature sets.
Finding:  Shell encoding and packing mechanisms that can enable attacks to circumvent defensive systems are common.  Implication:  A significant focus on methods for detecting polymorphic attacks may not be warranted at this time but encodings will continue to present a challenge for defensive systems.
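Why the encodings in this finding keep presenting a challenge, shown on a constructed payload: a plain byte signature matches the bot's embedded IRC configuration, a single-byte XOR encoding of the same bytes defeats it (and, because XOR with one key only permutes byte values, leaves the entropy unchanged, so an entropy heuristic sees nothing either), while a packer in the style of compression hides the strings and raises entropy instead. This is an added example, not code from the slides; the payload text, the signature, the key 0x5A and the 6.5 bits-per-byte threshold are assumptions made for the example, and nothing here is exploit code.

```python
"""Added example, not from the slides: byte signatures versus encoding and
packing.  The payload is a constructed stand-in for text embedded in a bot."""
import math
import zlib
from collections import Counter

# Constructed signature table: name -> byte pattern a scanner would match on.
SIGNATURES = {"irc-c2-config": b"irc.example.net 6667 #bots"}


def build_sample_payload():
    """Constructed stand-in for a bot's embedded config and target list."""
    lines = "".join(f"target-{i} 10.0.{i // 256}.{i % 256} 445\n" for i in range(400))
    return b"irc.example.net 6667 #bots k3y\n" + lines.encode()


def xor_encode(data, key):
    """Single-byte XOR: the simplest encoding that breaks a plain signature."""
    return bytes(b ^ key for b in data)


def pack(data):
    """Stand-in for a packer: compression hides every string and raises entropy."""
    return zlib.compress(data)


def signature_hits(blob, signatures=SIGNATURES):
    return [name for name, pattern in signatures.items() if pattern in blob]


def shannon_entropy(data):
    """Bits per byte: 0.0 for a single repeated value, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def xor_bruteforce(blob, signatures=SIGNATURES):
    """Undo a single-byte XOR by trying all 256 keys against the signatures.
    Key 0 means the signature was visible without decoding."""
    for key in range(256):
        hits = signature_hits(xor_encode(blob, key), signatures)
        if hits:
            return key, hits
    return None, []


def detect(blob, signatures=SIGNATURES, entropy_threshold=6.5):
    """Combine the checks: plain signature, XOR brute force, entropy heuristic."""
    key, xor_hits = xor_bruteforce(blob, signatures)
    ent = shannon_entropy(blob)
    return {"signature_hits": signature_hits(blob, signatures),
            "xor_key": key, "xor_hits": xor_hits,
            "entropy": round(ent, 2), "packed_like": ent >= entropy_threshold}


if __name__ == "__main__":
    plain = build_sample_payload()
    for label, blob in (("plain", plain),
                        ("xor 0x5a", xor_encode(plain, 0x5A)),
                        ("packed", pack(plain))):
        print(label, detect(blob))
```

The brute force is cheap only because the key space is 256; a multi-byte key or a real packer with its own decoder stub defeats it, which is why unpacking in an emulator or scanning memory after the bot has decoded itself is the usual next step.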
Finding:  All botnets include a variety of sophisticated mechanisms for avoiding detection (e.g., by anti-virus software) once installed on a host system.  Implication:  Development of methods for detecting and disinfecting compromised systems will need to keep pace.
Finding: Deception refers to the mechanisms used to evade detection once a bot is installed on a target host. These mechanisms are also referred to as rootkits. Implication:  As these mechanisms improve, it is likely to become increasingly difficult to know that a system has been compromised, thereby complicating the task for host-based anti-virus and rootkit detection systems.
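The standard defensive answer to this finding is cross-view detection: ask two different layers the same question and treat any disagreement as evidence of hiding. Below, the kernel's /proc/net/tcp table is compared with the output of a userland tool (`ss -ltn`) to find a listening port the tool no longer reports. This is an added example, not code from the slides; both texts are constructed, and the hidden listener on port 6667 is an assumption made for the example.

```python
"""Added example, not from the slides: cross-view detection of a hidden
listening socket.  Both inputs are constructed text."""
import socket
import struct

# Constructed /proc/net/tcp content.  Column st: 0A = LISTEN, 01 = ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18241 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19870 1 0000000000000000 100 0 0 10 0
   2: 00000000:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31337 1 0000000000000000 100 0 0 10 0
   3: 0500000A:C8A2 0A0200C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 32001 1 0000000000000000 20 4 30 10 -1
"""

# Constructed `ss -ltn` output from the same host as a hooked userland would
# show it: the listener on 6667 (0x1A0B) is missing.
SAMPLE_SS_LTN = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       5       127.0.0.1:631        0.0.0.0:*
"""


def hex_to_ipv4(hexaddr):
    """/proc/net/tcp stores IPv4 as little-endian hex: 0100007F -> 127.0.0.1."""
    return socket.inet_ntoa(struct.pack("<I", int(hexaddr, 16)))


def parse_proc_net_tcp(text):
    """Return {(ip, port)} for sockets in LISTEN state (st == 0A)."""
    listeners = set()
    for line in text.splitlines()[1:]:            # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":
            continue
        addr_hex, port_hex = fields[1].split(":")
        listeners.add((hex_to_ipv4(addr_hex), int(port_hex, 16)))
    return listeners


def parse_ss_listen(text):
    """Return {(ip, port)} from `ss -ltn` output (IPv4 rows only in this example)."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        ip, _, port = fields[3].rpartition(":")
        if ip.startswith("["):                     # IPv6 form, not handled here
            continue
        listeners.add((ip, int(port)))
    return listeners


def hidden_listeners(proc_text, ss_text):
    """Sockets the kernel table shows but the userland view does not."""
    return parse_proc_net_tcp(proc_text) - parse_ss_listen(ss_text)


if __name__ == "__main__":
    print(hidden_listeners(SAMPLE_PROC_NET_TCP, SAMPLE_SS_LTN))
```

On a live Linux host the two inputs are `open("/proc/net/tcp").read()` and the captured stdout of `ss -ltn`. This catches userland hooks (LD_PRELOAD-style library replacement) but not a kernel rootkit that filters /proc itself, since then both views agree; that is exactly the escalation the finding warns about, and the usual third view is a port scan of the host from another machine.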
The objective is to expand the knowledge base for security research. Some of the most important findings:
- the diverse mechanisms for gathering sensitive information on compromised hosts,
- the effective mechanisms for remaining invisible once installed on a local host, and
- the relatively simple command and control systems currently in use, which are expected to move towards peer-to-peer infrastructure in the near future.
 
