Presentation is loading. Please wait.

Presentation is loading. Please wait.

Botnets by Mehedy Masud September 16, 2009. Botnets ● Introduction ● History ● How to they spread? ● What do they do? ● Why care about them? ● Detection.

Published byRudolf Craig Modified over 8 years ago

Similar presentations

Presentation on theme: "Botnets by Mehedy Masud September 16, 2009. Botnets ● Introduction ● History ● How to they spread? ● What do they do? ● Why care about them? ● Detection."— Presentation transcript:

1 Botnets by Mehedy Masud September 16, 2009

2 Botnets ● Introduction ● History ● How to they spread? ● What do they do? ● Why care about them? ● Detection and Prevention

3 Bot ● The term 'bot' comes from 'robot'. ● In computing paradigm, 'bot' usually refers to an automated process. ● There are good bots and bad bots. ● Example of good bots: – Google bot – Game bot ● Example of bad bots: – Malicious software that steals information

4 Botnet ● Network of compromised/bot-infected machines (zombies) under the control of a human attacker (botmaster) IRC Server Botmaster IRC channel Code Server Updates Vulnerable machines Attack IRC channel C&C traffic BotNet

5 History ● In the beginning, there were only good bots. – ex: google bot, game bot etc. ● Later, bad people thought of creating bad bots so that they may – Send Spam and Phishing emails – Control others pc – Launch attacks to servers (DDOS) ● Many malicious bots were created – SDBot/Agobot/Phatbot etc. ● Botnets started to emerge

6 TimeLine 19891999200020022003Present 2006 RPCSS GM (by Greg, Operator) recognized as first IRC bot. Entertained clients with games GT bots combined mIRC client, hacking scripts & tools (port - scanning, DDos) W32/Agobot bot family added modular design and significant functionality W32/Mytob hybrid bot, major e-mail outbreak W32/PrettyPark 1 st worm to use IRC as C&C. DDoS capable W32/Sdbot First family of bots developed as a single binary Russian named sd W32/Spybot family emerged 20012004 2005

7 Cases in the news ● Axel Gembe – Author or Agobot (aka Gaobot, Polybot) – 21 yrs old – Arrested from Germany in 2004 under Germany’s computer Sabotage law ● Jeffry Parson – Released a variation of Blaster Worm – Infected 48,000 computers worldwide – 18 yrs old – Arrested, sentenced to 18 month & 3yrs of supervised released

8 How The Botnet Grows

9

10

11

12 Recruiting New Machines ● Exploit a vulnerability to execute a short program (exploits) on victim’s machine – Buffer overflows, email viruses, Trojans etc. ● Exploit downloads and installs actual bot ● Bot disables firewall and A/V software ● Bot locates IRC server, connects, joins – Typically need DNS to find out server’s IP address – Authentication password often stored in bot binary ● Botmaster issues commands

13 Recruiting New Machines

14 What Is It Used For ● Botnets are mainly used for only one thing

15 How Are They Used ● Distributed Denial of Service (DDoS) attacks ● Sending Spams ● Phishing (fake websites) ● Addware (Trojan horse) ● Spyware (keylogging, information harvesting) ● Storing pirated materials

16 Example : SDBot ● Open-source Malware ● Aliases – Mcafee: IRC-SDBot, Symantec: Backdoor.Sdbot ● Infection – Mostly through network shares – Try to connect using password guessing (exploits weak passwords) ● Signs of Compromise – SDBot copies itself to System folder - Known filenames: Aim95.exe, Syscfg32.exe etc.. – Registry entries modified – Unexpected traffic : port 6667 or 7000 – Known IRC channels: Zxcvbnmas.i989.net etc..

17 Example : RBot ● First of the Bot families to use encryption ● Aliases – Mcafee: W32/SDbot.worm.gen.g, Symantec: W32.Spybot.worm ● Infection – Network shares, exploiting weak passwords – Known s/w vulnerabilities in windows (e.g.: lsass buffer overflow vulnerability) ● Signs of Compromise – copies itself to System folder - Known filenames: wuamgrd.exe, or random names – Registry entries modified – Terminate A/V processes – Unexpected traffic: 113 or other open ports

18 Example : Agobot ● Modular Functionality – Rather than infecting a system at once, it proceeds through three stages (3 modules) ● infect a client with the bot & open backdoor ● shut down A/V tools ● block access to A/V and security related sites – After successful completion of one stage, the code for the next stage is downloaded ● Advantage? – developer can update or modify one portion/module without having to rewrite or recompile entire code

19 Example : Agobot ● Aliases – Mcafee: W32/Gaobot.worm, Symantec: W32.HLLW.Gaobot.gen ● Infection – Network shares, password guessing – P2P systems: Kazaa etc.. – Protocol: WASTE ● Signs of Compromise – System folder: svshost.exe, sysmgr.exe etc.. – Registry entries modification – Terminate A/V processes – Modify %System\drivers\etc\hosts file ● Symantec/ Mcafee’s live update sites are redirected to 127.0.0.1

20 Example : Agobot ● Signs of Compromise (contd..) – Theft of information: seek and steal CD keys for popular games like “Half-Life”, “NFS” etc.. – Unexpected Traffic: open ports to IRC server etc.. – Scanning: Windows, SQL server etc..

21 DDos Attack ● Goal: overwhelm victim machine and deny service to its legitimate clients ● DoS often exploits networking protocols – Smurf: ICMP echo request to broadcast address with spoofed victim’s address as source – Ping of death: ICMP packets with payloads greater than 64K crash older versions of Windows – SYN flood: “open TCP connection” request from a spoofed address – UDP flood: exhaust bandwidth by sending thousands of bogus UDP packets

22 DDoS attack ● Coordinated attack to specified host Victim Attacker Master (IRC Server) machines Zombie machines

23 Why DDoS attack? ● Extortion – Take down systems until they pay – Works sometimes too! ● Example: 180 Solutions – Aug 2005 – Botmaster used bots to distribute 180solutions addware – 180solution shutdown botmaster – Botmaster threatened to take down 180solutions if not paid – When not paid, botmaster use DDoS – 180Solutions filed Civil Lawsuit against hackers

24 Botnet Detection ● Host Based ● Intrusion Detection Systems (IDS) ● Anomaly Detection ● IRC Nicknames ● HoneyPot and HoneyNet

25 Host-based detection Virus scanning Watching for Symptoms Modification of windows hosts file Random unexplained popups Machine slowness Antivirus not working Watching for Suspicious network traffic Since IRC is not commonly used, any IRC traffic is suspicious. Sniff these IRC traffic Check if the host is trying to communicate to any Command and Control (C&C) Center Through firewall logs, denied connections

26 Network Intrusion Detection Systems ● Example Systems: Snort and Bro ● Sniff network packets, looks for specific patterns (called signatures) ● If any pattern matches that of a malicious binary, then block that traffic and raise alert ● These systems can efficiently detect virus/worms having known signatures ● Can't detect any malware whose signature is unknown (i.e., zero day attack)

27 Anomaly Detection Normal traffic has some patterns Bandwidth/Port usage Byte-level characteristics (histograms) Protocol analysis – gather statistics about TCP/UDP src, dest address Start/end of flow, Byte count DNS lookup First learn normal traffic pattern Then detect any anomaly in that pattern Example systems: SNMP, NetFlow Problems: Poisoning Stealth

28 IRC Nicknames Bots use weird nicknames But they have certain pattern (really!) If we can learn that pattern, we can detect bots & botnets Example nicknames: USA|016887436 or DE|028509327 Country | Random number (9 digit) RBOT|XP|48124 Bot type | Machine Type | Random number Problem: May be defeated by changing the nickname randomly

29 HoneyPot and HoneyNet HoneyPot is a vulnerable machine, ready to be attacked Example: unpatched windows 2000 or windows XP Once attacked, the malware is caught inside The malware is analyzed, its activity is monitored When it connects to the C&C server, the server’s identity is revealed

30 HoneyPot and HoneyNet Thus many information about the bot is obtained C&C server address, master commands Channel, Nickname, Password Now Do the following make a fake bot join the same IRC channel with the same nickname/password Monitor who else are in the channel, thus observer the botnet Collect statistics – how many bots Collect sensitive information – who is being attacked, when etc..

31 HoneyPot and HoneyNet Finally, take down the botnet HoneyNet: a network of honeypots (see the ‘HoneyNet Project’) Very effective, worked in many cases They also pose great security risk If not maintained properly - Hacker may use them to attack others Must be monitored cautiously

32 Summary Today we have learned What is botnet How / why they are used How to detect / prevent

33 Questions ?

Download ppt "Botnets by Mehedy Masud September 16, 2009. Botnets ● Introduction ● History ● How to they spread? ● What do they do? ● Why care about them? ● Detection."

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
Botnets ECE 4112 Lab 10 Group 19.

Botnets ECE 4112 Lab 10 Group 19.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
CHAPTER 2 KNOW YOUR VILLAINS. Who writes it: Malware writers vary in age, income level, location, social/peer interaction, education level, likes, dislikes.

CHAPTER 2 KNOW YOUR VILLAINS. Who writes it: Malware writers vary in age, income level, location, social/peer interaction, education level, likes, dislikes.
Honeypots, Honeynets, Bots and Botenets Source: The HoneyNet Project

Honeypots, Honeynets, Bots and Botenets Source: The HoneyNet Project
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Introduction to Security Computer Networks Computer Networks Term B10.

Introduction to Security Computer Networks Computer Networks Term B10.
 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 

 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 
Computer Security and Penetration Testing

Computer Security and Penetration Testing
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
1 Understanding Botnet Phenomenon MITP 458 - Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.

1 Understanding Botnet Phenomenon MITP Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.

Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.
Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.
DDos Distributed Denial of Service Attacks by Mark Schuchter.

DDos Distributed Denial of Service Attacks by Mark Schuchter.

Similar presentations

Ads by Google