Botnets ECE 4112 Lab 10 Group 19.
Botnets
- A collection of compromised machines running malicious programs under a common command and control infrastructure
- Attackers target Class B networks
- Once a vulnerable system is detected, the system is compromised and a control client (bot) is installed
- These bots go on to attack further networks, so the botnet grows exponentially in a tree-like fashion

Botnets - Uses
- Distributed DoS attacks
- Spamming
- Sniffing traffic
- Keylogging
- Attacking other networks
- Identity theft
- Google AdSense abuse
- Spyware/malware infestation

Lab Procedures
I. Setup: setting up the IRCd server
II. SDBot
III. q8Bot
IV. HoneyNet botnet capture analysis

IRCd Server
- IRC networks are considered part of the "underground" Internet
- Home to many hacking groups and illegal software release groups
- Set up on the RedHat WS 4.0 machine
- Lab topology (slide diagram): IRC client (attacker) on RedHat WS 4.0, the IRCd server, and the infected RedHat machine (victim)

SDBot/RBot/UrBot/UrXbot
- The most active family of bots
- Published under the GPL
- Poorly implemented in C; provides a utilitarian IRC-based command and control system
- Easy to extend: a large number of patches add more sophisticated malicious capabilities (scanning, DoS attacks, sniffers, information harvesting and encryption features)

SDBot Setup
- Set up on a Windows XP VM using the lcc-win32 compiler
- Created the executable using a .bat file
- Edited the hosts file to include ircserver
- Bot login: a random username joins the channel
- .repeat 6 .delay 1 .execute 1 winmine.exe started 6 instances of Minesweeper on the victim

SDBot General Commands
- .execute causes the bot to run a program
- .download causes the bot to download the file specified by URL
- .redirect lets the bot start a basic port redirect: everything sent to the port
- .sysinfo causes the bot to reply with information on the host system
- .netinfo causes the bot to reply with information on the bot's network connection
- .visit lets the bot invisibly visit the specified URL

SDBot – UDP/Ping Flood
- .udp <RH 7.2 IP> 1000 4096 100 23 causes a UDP flood
- For a 1 Gbit link: average packet size = 1169 bytes, bots required = 106,928
- .ping <RH 7.2 IP> 1000 4096 1 initiates a ping flood
- Average packet size = 1351 bytes, bots required = 92,532 (approx.)

SDBot – Pay per click
- .visit http://57.35.6.10/index.html http://<anything>.com
- Ethereal: TCP stream with HTTP packets showing http://<anything>.com as the referrer

SDBot – Bot Removal
- Kill the process
- Remove the registry entries:
  HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\CONFIGURATION LOADER
  HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\CONFIGURATION LOADER

q8Bot
- Small bot with 926 lines of C code
- Written only for Unix-based systems
- Features: DDoS attacks, dynamic updating, flooding
- Versions with spreaders are available

q8Bot – Installation after changes to the C file
- ps -e shows the bot file running with a PID (the -e flag lists each PID with the executable used)
- ps -ef shows the same PID as '-bash' (the -f flag gives a full listing with the command-line process name, which the source code replaces with FAKENAME)
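A check for the ps -e / ps -ef discrepancy described above, written as an added example for this write-up (not the lab's or the bot's code); the ps output it parses is constructed sample data modelled on the slide, with a bot binary assumed to be named "bot".

```python
"""Added example (not from the slides or the bot source): flag processes whose
command line, as shown by ps -ef, hides the executable name that ps -e reports.
The ps output below is constructed, modelled on the slide's '-bash' fake name."""
import os

# Constructed `ps -e` output: CMD is the kernel's short name (comm), which
# rewriting argv does not change.
PS_E = """\
  PID TTY          TIME CMD
    1 ?        00:00:01 init
  812 ?        00:00:00 sshd
 1337 pts/0    00:00:00 bot
 1340 pts/0    00:00:00 bash
"""
# Constructed `ps -ef` output: CMD is the full command line (argv), which the
# bot has overwritten with its FAKENAME string.
PS_EF = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 10:00 ?        00:00:01 /sbin/init
root       812     1  0 10:00 ?        00:00:00 /usr/sbin/sshd -D
user      1337  1340  0 10:05 pts/0    00:00:00 -bash
user      1340   800  0 10:04 pts/0    00:00:00 -bash
"""

def pid_to_cmd(text, pid_col, cmd_col):
    """Map PID -> CMD column of ps output; CMD is the last field, so the
    split is capped at cmd_col to keep any spaces inside it."""
    table = {}
    for line in text.splitlines()[1:]:            # skip the header row
        parts = line.split(None, cmd_col)
        if len(parts) == cmd_col + 1:
            table[int(parts[pid_col])] = parts[cmd_col]
    return table

def argv0_name(cmdline):
    """Basename of argv[0]; a leading '-' only marks a login shell."""
    parts = cmdline.split()
    return os.path.basename(parts[0].lstrip("-")) if parts else ""

def find_hidden_processes(ps_e, ps_ef):
    """Return (pid, comm, cmdline) where argv[0] does not match the kernel
    name. comm is truncated to 15 chars, so only that prefix is compared."""
    comm = pid_to_cmd(ps_e, 0, 3)
    full = pid_to_cmd(ps_ef, 1, 7)
    hits = []
    for pid, name in sorted(comm.items()):
        cmdline = full.get(pid, "")
        if not argv0_name(cmdline).startswith(name[:15]):
            hits.append((pid, name, cmdline))
    return hits
```

Some daemons legitimately rewrite their command line (sshd session processes, for instance), so a hit is a process to inspect, not proof of infection.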

q8Bot – Commands
- PAN <target> <port> <secs>: SYN flood which disables most network drivers
- TSUNAMI <target> <secs>: packets that can bypass any firewall
- GET <target> <save as>: download/rename files

q8Bot Tsunami Attack – PAN
- Basic DoS attack
- Packets directed to port 80 (HTTP), hence ignored by firewalls
- PAN: add the statement sendto(get, &send_tcp, 40+psize, 0, (struct sockaddr*)&sin, sizeof(sin));
- Change return() to break in the final if block
- PAN <WIN XP IP> <port> <delay in ms>

HoneyNet Botnet Capture Analysis – Data Forensics
- View IRC connections: ip.dst == 172.16.134.191 && tcp.srcport == 6667
- Sniff IRC packets: ip.dst == 172.16.134.191 && (tcp.srcport == 6667 || tcp.dstport == 6667)
- Usernames sniffed: Eohisou (unsuccessful login attempt), Rgdiuggac (successful login attempt)

HoneyNet Botnet Capture Analysis
- Once logged in, ChanServ sets modes: i (invisible mode, hidden) and x (gives the user a random hostname)
- Source attack IPs, found with an Ethereal filter: 209.196.44.172, 63.241.174.144, 217.199.175.10
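The filter and login analysis from the two capture-analysis slides above, as an added example that is not part of the original lab or the HoneyNet capture: it applies the slide's display-filter logic to packet records and then follows each IRC connection to see which nickname registered. The packet records are constructed sample data; only the honeypot address and the two nicknames come from the slides, and the example goes one step beyond the slide's filter by also keeping the honeypot's outbound packets, where the NICK lines are.

```python
"""Added example (not from the slides or the HoneyNet capture): replays the
slide's Ethereal filter over packet records, then follows each IRC connection
to see which nickname registered. Records are constructed sample data."""
import re
HONEYPOT = "172.16.134.191"   # infected host address from the slide
IRC_PORT = 6667

# Constructed records: (src_ip, src_port, dst_ip, dst_port, payload).
PACKETS = [
    (HONEYPOT, 1045, "10.0.0.5", 6667, b"NICK Eohisou\r\nUSER x 0 * :x\r\n"),
    ("10.0.0.5", 6667, HONEYPOT, 1045, b":irc.example 464 * :Password incorrect\r\n"),
    (HONEYPOT, 1046, "10.0.0.5", 6667, b"NICK Rgdiuggac\r\nUSER x 0 * :x\r\n"),
    ("10.0.0.5", 6667, HONEYPOT, 1046, b":irc.example 001 Rgdiuggac :Welcome\r\n"),
    ("10.0.0.5", 6667, HONEYPOT, 1046, b":ChanServ MODE Rgdiuggac +ix\r\n"),
    ("198.51.100.7", 40000, HONEYPOT, 80, b"GET / HTTP/1.0\r\n\r\n"),
]

def irc_filter(packets, both_directions=False):
    """False: the slide's 'ip.dst == honeypot && tcp.srcport == 6667'.
    True: also keep what the honeypot sends to 6667 (where NICK lines are)."""
    keep = []
    for pkt in packets:
        src, sport, dst, dport, _ = pkt
        inbound = dst == HONEYPOT and sport == IRC_PORT
        outbound = src == HONEYPOT and dport == IRC_PORT
        if inbound or (both_directions and outbound):
            keep.append(pkt)
    return keep
NICK_RE = re.compile(rb"^NICK\s+(\S+)", re.M)        # client registration
REPLY_RE = re.compile(rb"^:\S+\s+(\d{3})\s", re.M)   # server numeric reply

def login_outcomes(packets):
    """Key each connection by the honeypot's TCP port, pair the NICK it sent
    with the server's numeric: 001 = welcome (success), 464 = bad password."""
    nick_by_conn, outcome = {}, {}
    for src, sport, dst, dport, payload in irc_filter(packets, True):
        if src == HONEYPOT:
            m = NICK_RE.search(payload)
            if m:
                nick_by_conn[sport] = m.group(1).decode()
                outcome.setdefault(nick_by_conn[sport], "unknown")
        else:
            nick = nick_by_conn.get(dport)
            for code in REPLY_RE.findall(payload):
                if nick and code == b"001":
                    outcome[nick] = "success"
                elif nick and code == b"464":
                    outcome[nick] = "failed"
    return outcome
```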

Botnets – Defense
- Keep your system updated by downloading patches
- Be careful when opening suspicious attachments in email
- Control the use of scripting languages such as ActiveX and JavaScript
- It is fundamental to use an updated antivirus / anti-trojan

Botnets – Defense
- The main signs of bot presence are connection and system slowdown (check with netstat -an)
- Admins: subscribe to mailing lists (e.g. Bugtraq)
- Study the logs generated by IDS/firewall/mail/DHCP servers for abnormal activity
- Most important: user awareness