 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for?  Preventions of getting a bot.

 According to Cisco (2007), “Botnets: The New Threat Landscape”, They are the primary threat on the internet today.  They have no limit to there size… › Used for large scale attacks such as digital vandalism (SPAM) or financial gain (click fraud).

To understand botnets, we need to know what a bot is… › A bot is a malicious application, short for software robot. › An automated program that runs silently on an infected host (Drone). › Bot waits for command from creator (bot master) › Communication between the master and drone are through a IRC, such as IM.

 A network of bot infected computers. Consisting of hundreds or thousands of drones (zombie army).  Central control by a 3 rd party.  Acting on a single purpose, depending on the motive of the bot master.  Often use for a large scale attack

 Simply point/click software  Set up a C&C (Command & Control)  Need many bot infected computers (drones). The more bots in the zombie army, the more power/capiablity  High speed internet connection to communicate with the drones via IRC.

Internet Relay Chat (Centralized) eXtensible Messaging and Presence Protocol (Decentralized)  Real time message eg. Text or chat  botnets are controlled by an Internet relay Chat(IRC) system.  IRC operates on an open protocol (port) that use TCP.  IRC network can be expanded to other IRC network.  IM are easier to detected in the IRC  IRC networks are taking measures to block access to botnets, Bot master must find their own servers  Decentralized central control  Requires no open port  Messages are encrypted, making it difficult to detect.  Able to work behind firewalls  Similar to how work, can be used anywhere.

 With about 600 million system connected to the internet, about 150 million are infected by a bot software.  1 out 4 computers connected to the internet are comprised by a bot.

 Bots are acquire like any other malicious program/software e.g. trojans and virus. › Piggybacked software installations › Drive-by downloads › Browser add-ons such as plug-in › Downloads from an untrusted site

 Botnets are flexible and are capable of many attack such as… › Distributed Denial of Service attacks (DOS) › SPAM › Click Fraud › Spyware AND many more!!!

Digital vandalism Target site becomes slowed or unavailable due to…  interruption of physical network mechanism.  use of computational resources, eg. bandwidth, disk space.  Overwhelm the target by sending many digital package. The target site wouldn’t be available to perform normal functions Even though targets are sites, routers and switches also fails.

1. A spammer sends money/request to a bot master. 2. Botnet master generates spam details. 3. Spam details is sent to the zombie army. 4. Drones execute the command. 5. Spams are forward to SMPT servers. 6. Spam is delivered to in boxes 7. Info is sent back to the botmaster, if recipients open mail and compromise their computer. * Wikipedia/spam

 Online advertising pays affiliates for generating clicks per advertisings, also known as pay per clicks advertising (PPC).  What if… › Ad clicking were simulating › Manipulated by botnets

 An application installed on your computer without your consent, spyware can monitor your activities by… › screen shot capture › Network packet captures › keystroke logger › data theft

Keystroke Loggers Network packet Sniffer  Keystroke logger are able to capture… › Passwords › Communications e.g. IM and s › CC Info › Personal data (identity theft)  A program that is able to intercept a data package, route it to the interceptor and analyzed the data.  Also, this program can be use to see if competing botnets are with proximity. › Bot master can steal that certain bot to make it part of his/her botnet.

Screen Shot capture Data theft  Works just like keystroke logger  Capture image  Able to enable webcam and mic  Search protected storage credentails  Search for other valuable data such as passwords  Obtaining IM contacts and contacts (SPAM list)  Able to obtain files such as word and pptx

 First discover in January 2007  One source says that the network consisting of 1 to 50 million drones by September 2007, another sources says between 250,000 to 1 million.  Is responsible of 8% of malware for Windows OS and 8% of spam.  Powerful enough to shut down a country’s internet.  Using only 10%-20% of its network.

 Regularly update browser and anti-virus.  Switch browser and/or OS › Most botnets are written for the most commonly used browser such as IE. The same goes for OS. The safer ones are MAC’s, most botnets target Windows OS.  Hire a Web-filtering service › Service that informs user of a site of acting unusual and sites that are known for malicious activity and then blocks them from the user.  Deploy intrusion-detection and intrusion- prevention systems › IDS: An application that monitors network and/or system activities for malicious activities or policy violations. › IPS: Same as IDS, but the application filters the malicious package and allow the rest of the content to stream to the user.

 side1.html?page=1 side1.html?page=1    “Net Living Dead”, 2008, David Harley, pg13-16,  html  ,00.html  d_html/  side1.html?page=1   _software _software 