Presentation is loading. Please wait.

Presentation is loading. Please wait.

Acknowledgement This lecture uses some contents from the lecture notes from: Dr. Dawn Song: CS161: computer security Richard Wang – SophosLabs: The Development.

Published byHarold Hancock Modified over 5 years ago

Similar presentations

Presentation on theme: "Acknowledgement This lecture uses some contents from the lecture notes from: Dr. Dawn Song: CS161: computer security Richard Wang – SophosLabs: The Development."— Presentation transcript:

1 CAP6135: Malware and Software Vulnerability Analysis Botnets Cliff Zou Spring 2016

2 Acknowledgement This lecture uses some contents from the lecture notes from: Dr. Dawn Song: CS161: computer security Richard Wang – SophosLabs: The Development of Botnets Randy Marchany - VA Tech IT Security Lab: Botnets

3 Botnets Collection of compromised hosts A network of ‘bots’
Spread like worms and viruses Once installed, respond to remote commands A network of ‘bots’ robot : an automatic machine that can be programmed to perform specific tasks. Also known as ‘zombies’

4 Platform for many attacks
Spam forwarding (70% of all spam?) Click fraud Keystroke logging Distributed denial of service attacks Serious problem Top concern of banks, online merchants Vint Cerf: ¼ of hosts connected to Internet

5 What are botnets used for?

6 IRC (Internet Relay Chat) based Control

7 IRC (Internet Relay Chat) based Control

8 Why IRC? IRC servers are: Attackers have experience with IRC
freely available easy to manage easy to subvert Attackers have experience with IRC IRC bots usually have a way to remotely upgrade victims with new payloads to stay ahead of security efforts

9 How bad is the problem? Symantec identified a 400K node botnet
Netadmin in the Netherlands discovered 1-2M unique IPs associated with Phatbot infections. Phatbot harvests MyDoom and Bagel infected machines. Researchers in Gtech monitored thousands of botnets

10 Spreading Problem Spreading mechanism is a leading cause of background noise Port 445, 135, 139, 137 accounted for 80% of traffic captured by German Honeynet Project Other ports 2745 – bagle backdoor 3127 – MyDoom backdoor 3410 – Optix trojan backdoor 5000 – upnp vulnerability

11 Most commonly used Bot families
Agobot SDBot SpyBot GT Bot

12 Agobot Most sophisticated 20,000 lines C/C++ code
IRC based command/control Large collection of target exploits Capable of many DoS attack types Shell encoding/polymorphic obfuscation Traffic sniffers/key logging Defend/fortify compromised system Ability to frustrate dissassembly

13 SDBot Simpler than Agobot, 2,000 lines C code Non-malicious at base
Utilize IRC-based command/control Easily extended for malicious purposes Scanning DoS Attacks Sniffers Information harvesting Encryption

14 SpyBot <3,000 lines C code Possibly evolved from SDBot
Similar command/control engine No attempts to hide malicious purposes

15 GT Bot Functions based on mIRC scripting capabilities
HideWindow program hides bot on local system Basic rootkit function Port scanning, DoS attacks, exploits for RPC and NetBIOS

16 Variance in codebase size, structure, complexity, implementation
Convergence in set of functions Possibility for defense systems effective across bot families Bot families extensible Agobot likely to become dominant

17 Control All of the above use IRC for command/control
Disrupt IRC, disable bots Sniff IRC traffic for commands Shutdown channels used for Botnets IRC operators play central role in stopping botnet traffic But a botnet could use its own IRC server Automated traffic identification required Future botnets may move away from IRC Move to P2P communication Traffic fingerprinting still useful for identification

18 Host control Fortify system against other malicious attacks
Disable anti-virus software Harvest sensitive information PayPal, software keys, etc. Economic incentives for botnets Stresses need to patch/protect systems prior to attack Stronger protection boundaries required across applications in OSes

19 Example Botnet Commands
Connection CLIENT: PASS <password> HOST : (if error, disconnect) CLIENT: NICK <nick> HOST : NICKERROR | CONNECTED Pass hierarchy info BOTINFO <nick> <connected_to> <priority> BOTQUIT <nick>

20 Example Botnet Commands
IRC Commands CHANJOIN <tag> <channel> CHANPART <tag> <channel> CHANOP <tag> <channel> CHANKICK <tag> <channel> CHANBANNED <tag> <channel> CHANPRIORITY <ircnet> <channel> <LOW/NORMAL/HIGH>

21 Example Botnet Commands
pstore Display all usernames/passwords stored in browsers of infected systems bot.execute Run executable on remote system bot.open Reads file on remote computer bot.command Runs command with system()

22 Example Botnet Commands
http.execute Download and execute file through http ftp.execute ddos.udpflood ddos.synflod ddos.phaticmp redirect.http redirect.socks

23 Current Botnet Control Architecture
C&C botmaster More than one C&C server Spread all around the world

24 Botnet Monitor: Gatech KarstNet
attacker A lot bots use Dyn-DNS name to find C&C C&C C&C cc1.com KarstNet informs DNS provider of cc1.com Detect cc1.com by its abnormal DNS queries bot bot DNS provider maps cc1.com to Gatech sinkhole (DNS hijack) bot KarstNet sinkhole All/most bots attempt to connect the sinkhole

25 Botnet Monitor: Honeypot Spy
Security researchers set up honeypots Honeypots: deliberately set up vulnerable machines When compromised, put close monitoring of malware’s behaviors Tutorial: When compromised honeypot joins a botnet Passive monitoring: log all network traffic Active monitoring: actively contact other bots to obtain more information (neighborhood list, additional c&c, etc.) Representative research paper: A multifaceted approach to understanding the botnet phenomenon, Abu Rajab, Moheeb and Zarfoss, Jay and Monrose, Fabian and Terzis, Andreas, 6th ACM SIGCOMM conference on Internet measurement (IMC), 2006.

26 The Future Generation of Botnets
Peer-to-Peer C&C Polymorphism Anti-honeypot Rootkit techniques

Download ppt "Acknowledgement This lecture uses some contents from the lecture notes from: Dr. Dawn Song: CS161: computer security Richard Wang – SophosLabs: The Development."

Similar presentations

MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.

MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.
 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 

 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 
BOTNETS/Cyber Criminals  How do we stop Cyber Criminals.

BOTNETS/Cyber Criminals  How do we stop Cyber Criminals.
1 Understanding Botnet Phenomenon MITP 458 - Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.

1 Understanding Botnet Phenomenon MITP Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.
Bots and Botnets CS-431 Dick Steflik. DDoS ● One of the most common ways to mount a Distributed Denial of Service attacks is done via networks of zombie.

Bots and Botnets CS-431 Dick Steflik. DDoS ● One of the most common ways to mount a Distributed Denial of Service attacks is done via networks of zombie.
Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.

Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.
Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.

Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.
PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.

PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.
Botnets An Introduction Into the World of Botnets Tyler Hudak

Botnets An Introduction Into the World of Botnets Tyler Hudak
Introduction to Honeypot, Botnet, and Security Measurement

Introduction to Honeypot, Botnet, and Security Measurement
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel 434920317 1.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
Article presentation for: The Dark Cloud: Understanding and Defending against Botnets and Stealthy Malware Based on article by: Jaideep Chandrashekar,

Article presentation for: The Dark Cloud: Understanding and Defending against Botnets and Stealthy Malware Based on article by: Jaideep Chandrashekar,
BotNet Detection Techniques By Shreyas Sali

BotNet Detection Techniques By Shreyas Sali
Lecture 14 Page 1 CS 236 Online Worms Programs that seek to move from system to system –Making use of various vulnerabilities Other performs other malicious.

Lecture 14 Page 1 CS 236 Online Worms Programs that seek to move from system to system –Making use of various vulnerabilities Other performs other malicious.
CAP6135: Malware and Software Vulnerability Analysis Botnets Cliff Zou Spring 2012.

CAP6135: Malware and Software Vulnerability Analysis Botnets Cliff Zou Spring 2012.
Bots Used to Facilitate Spam Matt Ziemniak. Discuss Snort lab improvements Spam as a vehicle behind cyber threats Bots and botnets What can be done.

Bots Used to Facilitate Spam Matt Ziemniak. Discuss Snort lab improvements Spam as a vehicle behind cyber threats Bots and botnets What can be done.
A N I NSIDE L OOK AT B OTNETS ARO-DHS S PECIAL W ORKSHOP ON M ALWARE D ETECTION, 2005 Written By: Paul Barford and Vinod Yegneswaran University of Wisconsin,

A N I NSIDE L OOK AT B OTNETS ARO-DHS S PECIAL W ORKSHOP ON M ALWARE D ETECTION, 2005 Written By: Paul Barford and Vinod Yegneswaran University of Wisconsin,
Topics to be covered 1. What are bots,botnet ? 2.How does it work? 4.Prevention of botnet. 3.Types of botnets.

Topics to be covered 1. What are bots,botnet ? 2.How does it work? 4.Prevention of botnet. 3.Types of botnets.

Similar presentations

Ads by Google