Introduction to Botnets

Presentation on theme: "Introduction to Botnets"— Presentation transcript:

1 Introduction to Botnets
Instructors: Ali Shiravi, University of New Brunswick; Natalia Stakhanova, University of South Alabama; Hanli Ren, University of New Brunswick

2 Part 1: Intro to Botnets What are they?

3 In the news…
July: Multi-Purpose Botnet Used in Major Check Counterfeiting Operation
Aug: Zeus v2 Botnet that owned 100,000 UK PCs taken out
Aug: dd_ssh Botnet attacks SSH servers
Aug: Zeus ‘Mumba’ Botnet Seizes Confidential Database sized 60GB
Aug: Zeus v3 botnet raid on UK bank accounts

4 Introduction
Malware is currently the major source of attacks and fraudulent activities on the Internet. Malware is used to infect computers. A botnet is a network of zombies, i.e. compromised computers under the control of an attacker. A bot is a program loaded on a zombie computer that provides remote control mechanisms to an attacker. (Diagram labels: Attacker (Botmaster), Zombies)

5 Bot
Bot - a small program to remotely control a computer. Characterized by:
Remote control & communication (C&C) channels to command a victim, e.g. perform a denial-of-service attack, send spam
The implemented remote commands, e.g. update the bot binary to a new version
The spreading mechanisms to propagate it further, e.g. port scanning

6

7 C&C channel
The means of receiving and sending commands and information between the botmaster and the zombies. Typical protocols: IRC, HTTP, Overnet (Kademlia). Protocols imply (to an extent) a botnet’s communication topology. The topology provides trade-offs in terms of bandwidth, effectiveness, stealth, and so forth.

8 Botnet Infection Stages - Centralized

9 Part 2 – How does a botnet operate?

10 Popular Botnets Propagation Methods
(Diagram: Spammed Messages, Worm, Social Networking Websites, Removable Devices, Malicious Websites → Install Malware → Become Bot)

11 Shift in the way that malware is distributed
Every 1.3 seconds a new web page gets infected.
Every month almost 2 million web pages across 210,000 websites are infected with malware.
Malware attacks have grown by 600% since 2008.

12 Spammed Messages

13 Spammed Messages Storm Botnet

14 Propagation Steps
Step 1: Click link
Step 2: Link to malicious website
Download & run malware

15 Sample subjects and attachments
Sample subjects:
A killer at 11, he's free at 21 and kill again!
British Muslims Genocide
Naked teens attack home director.
230 dead as storm batters Europe.
Re: Your text
Radical Muslim drinking enemies's blood.
Saddam Hussein alive!
Fidel Castro dead.
FBI vs. Facebook
Sample attachments: Postcard.exe, ecard.jpg, FullVideo.exe, Full Story.exe, Video.exe, Read More.exe, FullClip.exe, GreetingPostcard.exe, MoreHere.exe, FlashPostcard.exe, GreetingCard.exe, ClickHere.exe, ReadMore.exe, FullNews.exe, NflStatTracker.exe, ArcadeWorld.exe, Left-right-brain-test.gif

16 Social Networking Websites
e.g. Koobface

17 Social Networking Websites
Koobface Downloader

18 Koobface Spam Messages
A typical KOOBFACE infection starts with a spam sent through: Facebook, Twitter, MySpace, other social networking sites.

19 Koobface Spam Messages

20 Koobface Spam Messages

21 Koobface Spam Messages

22 Koobface Malware Download
Clicking the link will redirect the user to a website designed to mimic YouTube (but is actually named YuoTube), which asks the user to install an executable (.EXE) file to be able to watch the video.

23 Malicious Websites
e.g. Gumblar, Zeus

24 Malicious Websites

25 Gumblar Compromised Website
The malicious script embedded in the website.

26 Zeus Malware Download

27 Zeus Compromised host

28 Part 3 – How is a botnet organized?

29 Traditional botnet
Botnet topology mainly refers to the organization of C&C channels between zombies and an attacker. (Diagram labels: Attacker, Your home computer, Commands & controls, Zombies, Infect, Attack, Victim)

30 Topology
Based on C&C channels, there are two typical botnet topologies: Centralized; Decentralized (P2P).
Traditional botnet metrics:
Resiliency: a botnet's ability to cope with a loss of members (zombies) or servers
Latency: reliability in message transmission
Enumeration: the ability to accurately estimate a botnet's size; difficulty for security analysis
Re-sale: the possibility to carve off sections of the botnet for lease or resale to other operators

31 Centralized botnet
Communication between attacker and zombies goes via a centralized server. Classical communication method: IRC (Internet Relay Chat). (Diagram label: Centralized server)

32 Centralized botnet topologies
Centralized topology can be represented in different shapes. The exact organization of a botnet depends on the bot operator; nothing prevents a bot operator from coming up with a new topology. Often seen topologies: Star, Multi-server, Hierarchical.

33 Star topology
Communication is directly between a single centralized server and ALL zombies. When a new machine is infected, it is preconfigured to contact the server to announce its membership.
Pros: Low latency. Each zombie is issued commands directly from the server.
Cons: Low resilience. Only the server needs to be blocked to neutralize the whole botnet.

34 Example: Koobface
The old variant employed a star architecture: zombies connected to the C&C server directly.

35 Multi-server topology
Similar to the star topology, but instead of one server, multiple servers are used to provide instructions to zombies.
Pros: Better resilience (no single point of failure). Geographical distribution of servers: communication speed-up, more resistant to legal shutdowns.
Cons: Requires advance planning.

36 Hierarchical topology
Zombies are generally not aware of the server location.
Pros: Ease of re-sale: a botnet operator can easily carve off sections of their botnet for lease or resale to other operators. Hard to enumerate: hard to evaluate the size and complexity of the botnet.
Cons: High latency makes some botnet attacks difficult.

37 Example - Gumblar
Gumblar’s architecture is not well studied; it is fully built on zombies. Website visitors are infected with a Windows executable, which grabs FTP credentials from the victim machines. The FTP account is then used to infect every web page on the newly reached web server.

38 Decentralized botnet
P2P (peer-to-peer) communication: zombies talk to each other, no central server.
Pros: Very high resilience.
Cons: High latency. Difficult to enumerate.

39 Hybrid topologies
High resilience, low latency. Examples: Hierarchical P2P; Centralized P2P. (Diagram labels: Centralized, Peer-to-peer)

40 Storm botnet
A three-level self-organizing hierarchy:
master servers
proxy bots: transfer traffic between workers and master servers
worker bots: responsible for sending the spam
Once a Storm binary is downloaded, an infected host might become a worker bot (if not reachable from the Internet) or a proxy bot.

41 Detection Complicated organization of botnets & variety of cover-up techniques make detection of botnets challenging

42 Part 4 – How do they hide?

43 Outline

44

45 Encryption
Botnet malware uses encryption techniques to avoid being detected by a signature-based intrusion detection system. (Diagram label: Matched)

46 Snort Example
Without encryption, Snort can successfully detect the attack.
Packet without encryption:
12/30-22:59: :138 -> :138 UDP TTL:64 TOS:0x0 ID:33092 IpLen:20 DgmLen:234 Len: 214
..l....F EEEBEGEGFJCACACACACACACACACACAAA. ABACFPFPENFDECF CEPFHFDEFFPFPACAB..SMB% & &.V \MAILSLOT\BROWSE METALGODS U.DAFFY.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Snort rule:
alert udp $EXTERNAL_NET any -> (msg:"SAMBA server identified on local subnet!"; content: "SMB"; content: "MAILSLOT";)
Snort alert:
[**] [1:0:0] SAMBA server identified on local subnet! [**]
01/06-02:21: :138 -> :138 UDP TTL:64 TOS:0x0 ID:64503 IpLen:20 DgmLen:262 Len: 242

47 Snort Example
Snort cannot detect the attack from encrypted traffic.
Encrypted packet:
12/30-22:59: :138 -> :138 UDP TTL:64 TOS:0x0 ID:33092 IpLen:20 DgmLen:234 Len:
Li5sLi4uLkYuLi4uLi4gRUVFQkVHRUdGSkNBQ0FDQUNBQ0FDQUNBQ0FDQUNBQUEuIEFCQUNGUEZQRU5GREVDRiBDRkNBQ0FDQUNBQ0FDQUNBQ0FDQUVBGSEZERUZGUEZQQUNBQi4uU01CJS4uLi4uLi4uLi4uLg==
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Snort rule:
alert udp $EXTERNAL_NET any -> (msg:"SAMBA server identified on local subnet!"; content: "SMB"; content: "MAILSLOT";)
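As an added illustration (not code from the slides), the following Python emulates the rule's two content: matches against a constructed cleartext SMB payload and against the same payload base64-encoded, then shows how a decoding layer in front of the signature engine restores the match. The payload bytes, the 16-character run threshold and the base64 decoding step are assumptions of this example.

```python
import base64
import binascii
import re

# Constructed sample payloads (not the packets from the slides): a NetBIOS/SMB browser
# announcement fragment in the clear, and the same bytes base64-encoded, standing in for
# a bot wrapping its traffic in a reversible encoding so byte signatures no longer match.
RAW_PAYLOAD = b"\x00SMB%\x00\x00\\MAILSLOT\\BROWSE\x00METALGODS\x00"
ENCODED_PAYLOAD = base64.b64encode(RAW_PAYLOAD)

# The two content: tokens of the Snort rule on the slide; all must be present to fire.
RULE_CONTENTS = (b"SMB", b"MAILSLOT")


def rule_matches(payload: bytes, contents=RULE_CONTENTS) -> bool:
    """Emulate a Snort rule with several content: options: every token must occur."""
    return all(token in payload for token in contents)


# A run of base64 alphabet long enough to be worth decoding (assumed threshold: 16 chars).
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def decoded_layers(payload: bytes):
    """Yield the payload itself, then each base64-looking run decoded (one layer,
    like a normalising preprocessor placed in front of the signature engine)."""
    yield payload
    for run in BASE64_RUN.findall(payload):
        try:
            yield base64.b64decode(run, validate=True)
        except binascii.Error:
            continue  # not valid base64 after all; skip this run


def rule_matches_normalized(payload: bytes, contents=RULE_CONTENTS) -> bool:
    """Apply the same rule to the raw bytes and to every decoded layer."""
    return any(rule_matches(layer, contents) for layer in decoded_layers(payload))


if __name__ == "__main__":
    print("raw packet matches:     ", rule_matches(RAW_PAYLOAD))
    print("encoded packet matches: ", rule_matches(ENCODED_PAYLOAD))
    print("encoded, after decoding:", rule_matches_normalized(ENCODED_PAYLOAD))
```

A real encrypted channel (as opposed to an encoding) cannot be normalised this way, which is why detection then has to move to traffic behaviour rather than payload bytes.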

48

49 Fast Flux
IP addresses that are rotated in seconds against the same domain. For example: Website name: … IP Addresses: …………………

50 Advantages for the attacker
Simplicity: only one suitably powerful backend server (or mothership) host is needed to serve the master content and DNS information.
Resilience: a layer of protection from ongoing investigative response or legal action; extends the operational lifespan of the critical backend core servers that are hidden by the front-end nodes.
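An added example (not from the slides) of a defender-side fast-flux heuristic run over constructed DNS answer records: a domain whose A records rotate across unrelated networks with short TTLs is flagged, while a stable domain is not. The domain names, addresses, the /16-prefix stand-in for an ASN lookup, and the thresholds (TTL at most 300 s, at least 5 distinct IPs, at least 3 distinct prefixes) are assumptions.

```python
from collections import defaultdict

# Constructed DNS answer log (sample data, not from the slides): (time_s, domain, ttl, A record).
# flux.example hands out new addresses from unrelated networks on every lookup;
# static.example keeps one address with a long TTL.
SAMPLE_ANSWERS = [
    (0, "flux.example", 60, "198.51.100.10"),
    (0, "flux.example", 60, "203.0.113.7"),
    (70, "flux.example", 60, "192.0.2.44"),
    (70, "flux.example", 60, "198.51.100.23"),
    (140, "flux.example", 60, "203.0.113.91"),
    (140, "flux.example", 60, "192.0.2.130"),
    (0, "static.example", 3600, "192.0.2.8"),
    (70, "static.example", 3600, "192.0.2.8"),
    (140, "static.example", 3600, "192.0.2.8"),
]


def summarize(answers):
    """Per domain: number of lookups, distinct A records, distinct /16 prefixes, lowest TTL seen."""
    ips, prefixes, lookups, min_ttl = defaultdict(set), defaultdict(set), defaultdict(set), {}
    for t, domain, ttl, ip in answers:
        ips[domain].add(ip)
        prefixes[domain].add(".".join(ip.split(".")[:2]))  # crude stand-in for an ASN lookup
        lookups[domain].add(t)
        min_ttl[domain] = min(ttl, min_ttl.get(domain, ttl))
    return {d: {"lookups": len(lookups[d]), "distinct_ips": len(ips[d]),
                "distinct_prefixes": len(prefixes[d]), "min_ttl": min_ttl[d]} for d in ips}


def fast_flux_candidates(answers, max_ttl=300, min_ips=5, min_prefixes=3):
    """Flag domains whose records rotate quickly across unrelated networks (assumed thresholds)."""
    return sorted(d for d, s in summarize(answers).items()
                  if s["min_ttl"] <= max_ttl and s["distinct_ips"] >= min_ips
                  and s["distinct_prefixes"] >= min_prefixes)


if __name__ == "__main__":
    for domain, stats in summarize(SAMPLE_ANSWERS).items():
        print(domain, stats)
    print("fast-flux candidates:", fast_flux_candidates(SAMPLE_ANSWERS))
```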

51 An Example of Fast Flux

52

53 Rootkit
A rootkit is a tool that is designed to hide itself and other processes, data, and/or activity on a system. To hide what is taking place, an attacker wants to: survive system restart; hide processes; hide services; hide listening TCP/UDP ports; hide kernel modules; hide drivers.

54 How Rootkit Works
Overwrite the first few bytes of the target function with a jump to rootkit code.
Create a “trampoline” function that first executes the overwritten bytes from the original function, then jumps back to the original function.
When the function is called, the rootkit code executes.
The rootkit code calls the trampoline, which executes the original function.
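An added example (not from the slides) of the check a defender can run against the technique above: inspect a function's first bytes for the unconditional transfer an inline hook leaves behind (a near jmp rel32 or a push/ret pair on 32-bit x86) and report it only when the target lies outside the module that owns the function, so ordinary intra-module thunks are not flagged. The module range, function addresses and prologue bytes are constructed for this example.

```python
import struct

# Assumed layout for this example: the module owning the function occupies
# [MODULE_BASE, MODULE_BASE + MODULE_SIZE); a first instruction that transfers control
# outside it is the footprint of the overwritten prologue described on the slide.
MODULE_BASE = 0x00401000
MODULE_SIZE = 0x00010000
FUNC_ADDR = 0x00401230

# Constructed 32-bit x86 prologues (sample input, not dumps from a real system).
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")     # mov edi,edi; push ebp; mov ebp,esp
HOOKED_PROLOGUE = bytes.fromhex("e9cbfdbf0f")    # jmp rel32 -> 0x10001000 (outside module)
INTERNAL_THUNK = bytes.fromhex("e9cb020000")     # jmp rel32 -> 0x00401500 (inside module)
PUSH_RET_HOOK = bytes.fromhex("683412807cc3")    # push 0x7C801234; ret


def jump_target(func_addr, prologue):
    """Return (kind, absolute target) if the first instruction unconditionally diverts
    control, handling the two shapes detours commonly leave: E9 rel32 and 68 imm32 / C3."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        rel = struct.unpack_from("<i", prologue, 1)[0]       # signed displacement
        return ("jmp rel32", (func_addr + 5 + rel) & 0xFFFFFFFF)
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return ("push/ret", struct.unpack_from("<I", prologue, 1)[0])
    return None


def inline_hook_suspect(func_addr, prologue, base=MODULE_BASE, size=MODULE_SIZE):
    """True when the prologue's first instruction leaves the owning module; a jmp to
    another function of the same module (a thunk or hot-patch stub) is not reported."""
    hit = jump_target(func_addr, prologue)
    if hit is None:
        return False
    _kind, target = hit
    return not (base <= target < base + size)


def scan(functions, base=MODULE_BASE, size=MODULE_SIZE):
    """Scan a {name: (address, prologue_bytes)} map and return the names that look hooked."""
    return sorted(name for name, (addr, pro) in functions.items()
                  if inline_hook_suspect(addr, pro, base, size))


if __name__ == "__main__":
    sample = {"clean": (FUNC_ADDR, CLEAN_PROLOGUE), "hooked": (FUNC_ADDR, HOOKED_PROLOGUE),
              "thunk": (FUNC_ADDR + 0x40, INTERNAL_THUNK), "pushret": (FUNC_ADDR, PUSH_RET_HOOK)}
    print("suspect functions:", scan(sample))
```

On a live system the prologue bytes would come from the process image and the module range from the loader's module list, and a byte-for-byte comparison against the on-disk copy of the function catches hooks that use other instruction sequences.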

55 Rootkit Usage Example – Hide process
Process list BEFORE the rootkit is launched. Process list AFTER the rootkit is launched.

56 Part 5 – What do botnets do?

57 Botnet Activities
The least damage caused by botnets: bandwidth consumption. Other things: DDoS attacks, spam, click fraud, data theft, phishing, mistrustful services.

58 DDoS attacks
(Diagram labels: Attacker; China, Brazil, Russia, US; e.g. Google.com)

59 Click Fraud
Pay per Click (PPC) is an Internet advertising model used on websites in which advertisers pay their host only when an ad is clicked. Famous bots: ClickBot (100k), Bahama Botnet (200k).

60 Click Fraud - FFSearcher

61 Data Theft
Accounts for a great deal of botnet activity. Purpose: harvesting user data: screen captures, typed data, files. Anti-spyware software: highly controversial; has resulted in scareware.

62 Data Theft-Mumba Zeus Botnet

63 Phishing A deceptive /website/etc. to harvest confidential information.

64

65 Part 6 – How difficult is it to create a botnet?

66 Botnet business is booming
The primary reason for rapid botnet evolution is the underground market. Botnet services have reached a professional level: software, zombies or even a botnet service can be purchased, with customization & professional support.

67 Reality
To obtain a simple botnet or botnet services DOES NOT require: great technical knowledge; special hardware … unless you’re planning to make it your primary source of income.

68 What is needed to create a simple botnet
A bot, i.e., a small program that can remotely perform certain functions; a C&C server; a network of zombies.

69 Step 1: Creating a bot
Where to find a bot: find a script on the Internet; purchase a ready-to-go bot (prices vary from $5 to $1000 depending on the bot functionality); write it yourself.

70 Step 2: C&C server
A C&C server is simply a powerful computer which will give you direct access to zombies or, if needed, will store stolen data. For example, to install an IRC server: a dedicated computer with installed software (fairly legal); buy a domain, since it should be set up as a web server; hosting - to make the server accessible from the Internet, it should be hosted by a hosting company.

71 Step 3: Creating zombies
Options: purchase/rent a network of zombies; compromise computers yourself, using software packages such as Mpack, Icepack and WebAttacker, or using your brains.

72 Thank You!

73 Extra Slides

74 Social Aspects of Botnets
Malware in general is written by some, contributed by others and used by many more. Incentives: Challenge Seeking (C:H N:L); Fame Seeking (C:A N:A); Revenge Seeking (C:? N:L); Gain Seeking.

75 Fight-back
Centralized C&C: C&C migration (e.g. McColo takedown); random domain names.
Peer-to-peer: SpamThru; new protocols.

76 Botnet Detection
Every interaction between two entities requires the flow of information. This can be utilized to detect the interaction. The problem is that this interaction is generally obfuscated and mixed with others with similar behaviour. Traditionally, work in botnet detection has been categorized by either detection methodology (behavioural/signature) or C&C infrastructure.


