Published by Allyson Golden. Modified over 9 years ago.
1
Botnets: Uses, Prevention, and Examples
2
Background
Robot Network
Programs communicating over a network to complete a task
Adopted a new meaning in the security world
Network of compromised machines that can be remotely controlled
3
Theoretical Structure
Malware with control
4
Not Zombies, Servants
5
Spatial Distribution
Result of an unethical Internet Census that infected over 420,000 machines
6
Uses - for Fun and Profit of Course!
Numbers
Power
Information
7
Numbers
Typically rented
DDOS (10K – 120K (10-100 Gbps) for $200 per day)
Spamming (SOCKS proxy)
Web traffic control (unique IP)
  o Page/Ad views
  o Likes
  o Poll manipulation
8
Power
Cheap supercomputers (sold, rented, or kept for use)
Bitcoin/Dogecoin mining
  o BadLepricon distributed by Google Play
  o GPU ‘idle’ at 180° F
  o Storm Botnet (1 mil – 50 mil machines), largest at the time
9
Information
May as well
Traffic sniffing, key loggers and other information theft
Self propagation
  o Spreading over network
  o Detection of other botnets' presence
  o The enemy of my enemy is my competitor
  o Happy Hacker, Zeu$ botnet master
10
For the Greater Good
What makes them bad can be used for good
  o Hard to remove or disable
  o Good at hiding/quiet monitoring
  o Botnets with good intentions fighting botnets
Phalanx, DDOS protection
  o Nodes of botnet used as protective mailboxes
  o Pass on information when requested
  o Computational puzzle to gain access
11
Prevention
Defensive (users, owners)
Offensive (security agencies, research)
12
Defensive
Treat just like malware
Intrusion Detection System
The main targets of botnets don’t follow these
  o Keeping updated
  o Quality firewall, anti-virus
  o Other general security measures
  o Removal, maybe clean install
13
Offensive
Agencies know people think of security last
Research for IDS
  o Development of “good” botnets
  o Gun buying programs, better unused
  o Tracking down botnet masters
  o Examining bought/captured botnets
  o Honeypots
14
Examples
  o Agobot
  o SDBot
  o Global Threat Bot (Fig. 1)
Originally bots, now popular templates
15
Agobot - the multi-tool
500 known versions
Easy to use, little programming knowledge required
Simple to add commands / vulnerability scanners
Offers rootkit capabilities (process hiding)
If you want it there is a version that has it
Advanced form of traffic sniffing
  o Packet sniffers / key loggers
  o Self propagation
  o DDOS commands
  o Stripped down libpcap dll registered as system driver
  o Utilizes libpcre dll to look out for bot commands
16
SDBot – the cheaper multi-tool
Written in very poor C but still widely used
Less sophisticated, smaller instruction set
Similar to Agobot in features
Copies self to all mapped drives and shared network resources
Can update itself which is cool
Bad form of traffic sniffing
  o Process hiding
  o Self replication
  o Based on Windows raw socket listening, listens to own traffic
17
Global Threat Bot - DDOS tool
Distributed as a Trojan over Internet Relay Chat (IRC) networks
Runs in stealth mode with the name mIRC Client
Utilizes a number of mIRC bot scripts
Once installed, joins an IRC channel and waits for commands
Useful for launching DDOS attacks over IRC networks
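An added example (not part of the original presentation): an IDS-style heuristic in Python for the behaviour on this slide, a host that registers on an IRC server, joins a channel, and then only listens. The record format, the sample data, the function name and the list of usual IRC ports are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed port list: ports commonly used by legitimate IRC servers.
USUAL_IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
IRC_CMD = re.compile(r"^(?::\S+ )?([A-Z]+)\b")  # optional ":prefix " then the command

# Constructed sample records: (client, server, port, direction, payload line).
# "out" is client -> server, "in" is server -> client.
SAMPLE = [
    ("10.0.0.5", "203.0.113.9", 6667, "out", "NICK alice"),
    ("10.0.0.5", "203.0.113.9", 6667, "out", "USER alice 0 * :Alice"),
    ("10.0.0.5", "203.0.113.9", 6667, "out", "JOIN #linux-help"),
    ("10.0.0.5", "203.0.113.9", 6667, "out", "PRIVMSG #linux-help :how do I list disks?"),
    ("10.0.0.5", "203.0.113.9", 6667, "in", ":bob!b@example PRIVMSG #linux-help :try lsblk"),
    ("10.0.0.23", "198.51.100.7", 8080, "out", "NICK xk29fj"),
    ("10.0.0.23", "198.51.100.7", 8080, "out", "USER xk29fj 0 * :xk29fj"),
    ("10.0.0.23", "198.51.100.7", 8080, "out", "JOIN #placeholder-channel"),
    ("10.0.0.23", "198.51.100.7", 8080, "in", ":op!o@example PRIVMSG #placeholder-channel :<placeholder>"),
    ("10.0.0.40", "192.0.2.10", 80, "out", "GET / HTTP/1.1"),
]

def find_listen_only_irc_clients(records):
    """Flag sessions that register, join a channel, receive messages, and never speak."""
    sessions = defaultdict(lambda: {"registered": False, "channels": set(), "sent": 0, "received": 0})
    for client, server, port, direction, line in records:
        match = IRC_CMD.match(line)
        if not match:
            continue
        cmd, parts, s = match.group(1), line.split(), sessions[(client, server, port)]
        if direction == "out":
            if cmd in ("NICK", "USER"):
                s["registered"] = True
            elif cmd == "JOIN" and len(parts) > 1:
                s["channels"].update(parts[1].split(","))
            elif cmd == "PRIVMSG":
                s["sent"] += 1
        elif cmd == "PRIVMSG":
            s["received"] += 1
    alerts = []
    for (client, server, port), s in sessions.items():
        if s["registered"] and s["channels"] and s["received"] and not s["sent"]:
            alerts.append({"client": client, "server": server, "port": port,
                           "channels": sorted(s["channels"]),
                           "unusual_port": port not in USUAL_IRC_PORTS})
    return alerts

if __name__ == "__main__":
    for alert in find_listen_only_irc_clients(SAMPLE):
        print(alert)
```

A human who only reads a channel matches the same pattern, so the result is a triage signal to combine with other evidence (unusual port, no IRC client installed on the host), not a verdict.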
18
Review
Botnets are malware with control (NO ZOMBIES)
Numbers, Power, Information and maybe good uses
Offensive and Defensive prevention
3 common examples
19
Links
http://www.wired.co.uk/news/archive/2013-05/16/internet-census
https://www.youtube.com/watch?v=2GdqoQJa6r4 - How to Steal a Botnet
https://www.youtube.com/watch?v=A5-ewv3zvrM - How to Make a Botnet
https://blog.damballa.com/archives/330 - DDOS pricing
The good stuff is just a search away, but be wary
20
Q&A