
Presentation on theme: "Collection of connected programs communicating with similar programs to perform tasks; Legal: IRC bots to moderate/administer channels; Origin of..." — Presentation transcript:


Slide 2
- Collection of connected programs communicating with similar programs to perform tasks
- Legal
  - IRC bots to moderate/administer channels
  - Origin of the term "botnet"
- Illegal
  - Bots usually added through infections
  - Communicate through standard network protocols

Slide 3
- Named after the malware that created the botnet
- Multiple botnets can be created by the same malware
  - Controlled by different entities
- "Bot master" can control the entire group of computers remotely through a Command and Control (C&C) system

Slide 4
- Botnets used for various purposes
  - Distributed Denial of Service attacks (DDoS)
  - SMTP mail relays for spam
  - Click fraud
    - Simulating false clicks on advertisements to earn money
  - Theft of information
    - Application serial numbers
    - Login information
    - Financial information
    - Personal information
  - Bitcoin mining

Slide 5
- Three main connection models
  - Centralized
  - P2P-based
  - Unstructured

Slide 6 (Centralized)
- Central point (server) that forwards messages to bots
- Advantages
  - Simple to implement
  - Customizable
- Disadvantages
  - Easier to detect and destroy
- Most botnets use this model

Slide 7 (P2P-based)
- Mainly used to avoid problems with the centralized model
- Does not use a server as a central location
- Instead the bots are connected to each other
- Advantages
  - Very hard to destroy
  - Commands can be injected at any point
  - Hard for researchers to find all bots
- Disadvantages
  - Harder to implement and design

Slide 8 (Unstructured)
- Bots will not actively contact other bots or the botmaster
- Only listen for incoming connections
- Botmaster randomly scans the internet for bots
- When a bot is found, the botmaster sends encrypted commands

Slide 9
- Botnets use well-defined communication protocols
  - Helps blend in with traffic
- Protocol examples
  - IRC
    - Most common
    - Used for one-to-many or one-on-one
  - HTTP
    - Difficult to detect
    - Allowed through most security devices by default
  - P2P
    - More advanced communication
    - Not always allowed on the network

Slide 10
- Two main detection methods
  - Signature-based
    - Relies on knowing connection methods
    - Cannot detect new threats
  - Anomaly-based
    - Relies on anomalies from baseline traffic
    - High false-positive rates
    - Not useful in cases where baseline traffic cannot be established

Slide 11
- Malware writers constantly looking for new ways to avoid detection
- Recent botnets employ new methods to avoid detection
  - Fast flux
  - Domain flux

Slide 12 (Fast flux)
- Use a set of IP addresses that all correspond to one domain name
- Use short TTL (Time To Live) and large IP pools
- Can be grouped in two categories
  - Single flux
  - Double flux

Slide 13 (Single flux)
- Domain resolves to a different IP in different time ranges
- User accesses the same domain twice
  - First time, the DNS query returns 11.11.11.11
  - TTL expires on the DNS query
  - User performs another DNS query for the domain
  - DNS server returns 22.22.22.22
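The two properties slides 12 and 13 give for fast flux (short TTLs and a large IP pool behind one name) can be turned into a simple passive-DNS heuristic. This is an added example, not part of the original slides; the sample answers are constructed and the thresholds FLUX_MAX_TTL and FLUX_MIN_IPS are assumed values.

```python
"""Single-flux heuristic over DNS answer records.

Added example, not from the slides: it applies the two fast-flux
properties the slides give (short TTL, large IP pool behind one name)
to constructed DNS answers. Thresholds are assumed values.
"""
from collections import defaultdict

# Constructed answers: (query_time_s, domain, answered_ip, ttl_s)
SAMPLE_ANSWERS = [
    (0, "example-flux.test", "11.11.11.11", 300),
    (310, "example-flux.test", "22.22.22.22", 300),
    (620, "example-flux.test", "33.33.33.33", 300),
    (930, "example-flux.test", "44.44.44.44", 300),
    (1240, "example-flux.test", "55.55.55.55", 300),
    (0, "static.test", "10.0.0.5", 86400),
    (90000, "static.test", "10.0.0.5", 86400),
    (0, "cdn.test", "10.1.0.1", 60),
    (70, "cdn.test", "10.1.0.2", 60),
]
FLUX_MAX_TTL = 300  # assumed: TTLs of 5 minutes or less count as short
FLUX_MIN_IPS = 5    # assumed: this many distinct answers marks a large pool


def summarize(answers):
    """Per domain: distinct IPs, lowest TTL, answer changes between queries."""
    by_domain = defaultdict(list)
    for ts, domain, ip, ttl in sorted(answers):
        by_domain[domain].append((ip, ttl))
    summary = {}
    for domain, rows in by_domain.items():
        ips = [ip for ip, _ in rows]
        summary[domain] = {
            "distinct_ips": len(set(ips)),
            "min_ttl": min(ttl for _, ttl in rows),
            "answer_changes": sum(a != b for a, b in zip(ips, ips[1:])),
        }
    return summary


def flag_single_flux(answers, max_ttl=FLUX_MAX_TTL, min_ips=FLUX_MIN_IPS):
    """Domains whose answers look like single flux: short TTL AND many IPs.
    Requiring both keeps a low-TTL CDN name with a few IPs off the list."""
    return sorted(
        d for d, s in summarize(answers).items()
        if s["min_ttl"] <= max_ttl and s["distinct_ips"] >= min_ips
    )
```

Run over real passive-DNS data the TTL and pool-size thresholds need tuning, since legitimate CDNs also use short TTLs; that is why both conditions are required before a name is flagged.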

Slide 14 (Double flux)
- More sophisticated counter-detection
- Repeated changes of both flux agents and registration in DNS servers
- Authoritative DNS server is part of the fluxing
  - Provides extra redundancy

Slide 15
- Critical step in detecting a fast flux network is to distinguish a fast fluxing attack network (FFAN) from a fast fluxing service network (FFSN)
  - All agents in an FFSN should be up 24/7
  - Agents within an FFAN have unpredictable alive time
    - Botmaster does not have physical control over bots
- Two metrics developed to distinguish these
  - Average Online Rate (AOR)
  - Minimum Available Rate (MAR)

Slide 16
- Uses AOR and MAR to track FFANs and FFSNs
- Broken up into four components
  - Dig tool
    - Gathers information and adds new IP addresses to the database
  - Agents monitor
    - Sends HTTP requests and records the responses
  - IP lifespan records database
    - Stores service status
  - Detector
    - Judges between FFAN and FFSN by using AOR and MAR
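The detector step on slides 15 and 16 can be worked through on a constructed probe log from the agents monitor. This is an added example, not the slides' or the cited system's code; because the slides name AOR and MAR without giving formulas, the definitions used here are assumptions (per-agent availability = successful probes / total probes, AOR = mean availability over the agents, MAR = minimum availability), and so are the thresholds.

```python
"""AOR / MAR classifier for a fluxing domain's agent pool.

Added example, not from the slides or the cited detector. Assumed
definitions: per-agent availability = successful probes / total probes,
AOR = mean availability over agents, MAR = minimum availability over
agents. Thresholds are assumed as well.
"""
from collections import defaultdict

# Constructed probe log from the agents monitor: (domain, agent_ip, probe_ok)
PROBES = [
    ("shop-cdn.test", "10.0.0.1", True), ("shop-cdn.test", "10.0.0.1", True),
    ("shop-cdn.test", "10.0.0.2", True), ("shop-cdn.test", "10.0.0.2", True),
    ("shop-cdn.test", "10.0.0.3", True), ("shop-cdn.test", "10.0.0.3", True),
    ("flux-c2.test", "11.11.11.11", True), ("flux-c2.test", "11.11.11.11", False),
    ("flux-c2.test", "22.22.22.22", False), ("flux-c2.test", "22.22.22.22", False),
    ("flux-c2.test", "33.33.33.33", True), ("flux-c2.test", "33.33.33.33", True),
]
AOR_MIN = 0.9   # assumed: FFSN agents should be up nearly all the time
MAR_MIN = 0.75  # assumed: even the worst FFSN agent answers most probes


def availability_by_agent(probes, domain):
    """Map each agent IP of `domain` to its fraction of successful probes."""
    hits, total = defaultdict(int), defaultdict(int)
    for dom, ip, ok in probes:
        if dom != domain:
            continue
        total[ip] += 1
        hits[ip] += ok
    return {ip: hits[ip] / total[ip] for ip in total}


def aor_mar(probes, domain):
    """Return (AOR, MAR) for the agent pool behind `domain`."""
    rates = availability_by_agent(probes, domain)
    if not rates:
        raise ValueError(f"no probes recorded for {domain}")
    return sum(rates.values()) / len(rates), min(rates.values())


def classify(probes, domain, aor_min=AOR_MIN, mar_min=MAR_MIN):
    """'FFSN' when the pool is uniformly available, otherwise 'FFAN'.
    MAR catches a pool whose average looks fine but has dead agents,
    the unpredictable alive time slide 15 attributes to FFANs."""
    aor, mar = aor_mar(probes, domain)
    return "FFSN" if aor >= aor_min and mar >= mar_min else "FFAN"
```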

Slide 17 (Domain flux)
- To avoid a single point of failure, domain flux was created
- Uses a set of domain names that are constantly, and automatically, generated
  - Occasionally correspond to an IP address
- Bots and server both run the domain name generation algorithm
- Bots try to contact the C&C server by using the generated domain names
  - If no answer is received at one, it moves on

Slide 18 (Torpig)
- Torpig was a botnet that used domain flux
  - Eventually taken over by researchers
- First calculated domain names by current week and current year
  - "weekyear.com" or "weekyear.net"
- If those fail, it moves on to calculating the daily domain
- If all other methods fail, a Torpig bot will try to connect to a hard-coded domain within its configuration files

Slide 19 (Detecting domain flux)
- Reverse-engineering the domain generation algorithm is not always possible
- Only a few domains will resolve to IP addresses
- One detection method is to watch DNS query failures
  - A small percentage will be user error/poor configuration
  - A larger part of the errors will be from malicious activity
- With enough data one should be able to find patterns in DNS query errors
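The failure-watching approach on slide 19 (many generated names, few of which resolve) can be implemented over resolver logs. This is an added example, not part of the slides; the log lines are constructed, and the log format, the hypothetical client addresses and the thresholds MIN_FAILURES and MIN_FAIL_RATIO are assumptions.

```python
"""Spot domain-flux (DGA) activity from DNS query failures.

Added example, not part of the slides: parse constructed resolver log
lines and flag clients with many distinct NXDOMAIN names and a high
failure ratio. Log format and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed resolver log lines: time client query rcode
LOG = """\
10:00:01 192.168.1.20 intranet.example.test NOERROR
10:00:02 192.168.1.20 intrnet.example.test NXDOMAIN
10:00:04 192.168.1.31 q3x9kd.com NXDOMAIN
10:00:04 192.168.1.31 p0w2mn.net NXDOMAIN
10:00:05 192.168.1.31 zk81ru.com NXDOMAIN
10:00:05 192.168.1.31 vb7qpl.net NXDOMAIN
10:00:06 192.168.1.31 mm40xt.com NXDOMAIN
10:00:06 192.168.1.31 ht6ya2.net NOERROR
10:00:07 192.168.1.31 www.example.test NOERROR
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN)$")
MIN_FAILURES = 5      # assumed: fewer distinct failed names is typo noise
MIN_FAIL_RATIO = 0.5  # assumed: most of the client's lookups must fail


def parse(log):
    """Yield (client, qname, rcode); malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(2), m.group(3).lower(), m.group(4)


def failure_stats(log):
    """Per client: total queries, NXDOMAIN count, set of distinct failed names."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "failed": set()})
    for client, qname, rcode in parse(log):
        s = stats[client]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            s["failed"].add(qname)
    return stats


def suspicious_clients(log, min_fail=MIN_FAILURES, min_ratio=MIN_FAIL_RATIO):
    """Clients whose failure pattern matches bots walking a generated name list."""
    return sorted(
        c for c, s in failure_stats(log).items()
        if len(s["failed"]) >= min_fail and s["nx"] / s["total"] >= min_ratio
    )
```

The single typo from the first client stays below both thresholds, which is the user-error fraction the slide says to expect; the second client's run of distinct unresolvable names is what gets flagged.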

Slide 20 (Mitigation)
- Fast flux networks mitigated by blacklisting the domain name associated with the flux
  - Contact the registrar
  - ISP blocks requests in DNS
  - ISP monitors DNS queries to the domain
- Domain flux is harder to mitigate
  - In order to register domain names before the attackers, one must know the algorithm used
  - Automated techniques to block DNS queries are not always accurate
  - Registrars used by attackers usually do not listen to abuse reports

Slide 21 (Examples)
- BredoLab
  - Created May 2009
  - 30,000,000 bots
- Mariposa
  - Created 2008
  - 12,000,000 bots
- Zeus
  - Banking credentials for all major banks
  - 3,600,000 bots in the US alone
  - Customizable
