Presentation is loading. Please wait.

Presentation is loading. Please wait.

Botnets.

Published byMargaretMargaret Logan Modified over 6 years ago

Similar presentations

Presentation on theme: "Botnets."— Presentation transcript:

1 Botnets

2 Botnet Threat Botnets are a major threat to the Internet because:
Consist of a large pool of compromised computers that are organized by a master. a.k.a., Zombie Armies Carry out sophisticated attacks to disrupt, gather sensitive data, or increase armies Armies are in the 1000’s to aggregate computing power Communication network allows bots to evolve on compromised hosts

3 Evolution of Botnets Motivation change in computer hacking
Vandalism  Financial gains Loss of $67.2 billion (2006 figure)

4 eCrime Market Operation
Raw Materials Goods (Re)Application Goal Market S Buy, Sell, & Trade Wealth Step back a bit…talk about market enabling specialization, overview of process Miscreants buy, sell, and trade goods procured through hacking, social engineering, etc. Some employ new techniques to perpetrate old crimes Ex: Using form-grabbing trojans to steal online credentials for identity theft and financial fraud Others perpetrate sophisticated electronic crimes Using off-the-shelf goods and services acquired at market Ex: Spear phishing with “store bought” bank lists, mailers, scam pages, and hosting Goods produced include: online credentials (online banking, payment services) offline credentials (cc nums, SSNs) hosts themselves Applications: Bots Cashiers credentials to funds Send more phish, spam 4 4

5 Sensitive Data and Market Significance
Credit Card #s SSNs Bank Account #s Percentage of Labeled Data Idea: More sensitive data means more potential fraud and monetary loss Sensitive Data Type 5 5

6 Botnet Architecture Botmaster Bot Bot Bot Recruiting Recruiting

7 Classification Scheme
Botnet Taxonomy A taxonomy model is necessary to develop the intelligence to identify, detect, and mitigate the risk of an attack. Classification Scheme Attacking Behavior C&C Models Rally Mechanisms Communication Protocols Observable botnet activities Evasion Techniques

8 Attacking Behaviors Infecting new hosts Stealing personal information
Social engineering and distribution of malicious s or other electronic communications (i.e. Instant Messaging) Example - sent with botnet diguised as a harmless attachment. Stealing personal information Keylogger and Network sniffer technology used on compromised systems to spy on users and compile personal information Phishing and spam proxy Aggregated computing power and proxy capability make allow spammers to impact larger groups without being traced. Distributed Denial of Service (DDoS) Impair or eliminate availability of a network to extort or disrupt business

9 Command and Control (C&C)
Essential for operation and support of botnet Mainly two styles – Centralized and P2P Weakest link of the botnet because: Elimination of botmaster takes out the botnet High level of activity by botmaster makes them easier to detect than their bots

10 C&C Centralized Model Advantage: Simple to deploy, cheap, short latency for large scale attacks Disadvantage: Easiest to eliminate

11 C&C Centralized Model Example
3 Steps of Authentication Bot to IRC Server IRC Server to Bot Botmaster to Bot (*) : Optional Step

12 P2P Botnet Example: Storm
The Overnet network Storm uses is extremely dynamic. Peers come and go and can change OIDs frequently. In order to stay “well connected” peers must periodically search for themselves to find nearby peers: Storm Node

13 Peer to Peer Model Advantage: Resilient to failures, hard to discover, hard to defend. Disadvantage: Hard to launch large scale attacks because P2P technologies are currently only capable of supporting very small groups (< 50 peers)

14 Rallying Mechanisms Hard-coded C&C server IP address
The bot communicates using C&C ip addresses that are hard-coded in it’s binary files. Easy to defend against, as ip addresses are easily detectable and blocked, which makes the bot useless.

15 Rallying Mechanisms Dynamic IP address with DNS domain name resolution
Hard-coded C&C domains names. Detection harder when botmaster randomly changes the mapped IP address If connection fails the bot performs DNS queries to obtain the new C&C address for redirection.

16 Rallying Mechanisms Distributed DNS Service
Hardest to detect & destroy. Newest mechanism. Sophisticated. Botnets run own DNS service out of reach of authorities Bots use the DNS addresses to resolve the C&C servers Use high port numbers to avoid detection by security devices and gateways

17 Communication Protocols
In most cases botnets use well defined and accepted Communication Protocols. Understanding the communication protocols used helps to: Determine the origins of a botnet attack and the software being used Allow researchers to decode conversations happening between the bots and the masters There are two main Communication Protocols used for bot attacks: IRC HTTP

18 IRC Protocol IRC Botnets are the predominant version
IRC mainly designed for one to many conversations but can also handle one to one Most corporate networks do not allow IRC traffic so any IRC requests can determine and external or internal bot Outbound IRC requests means an already infected computer on the network Inbound IRC requests mean that a network computer is being recruited

19 HTTP Protocol Due to prevalence of HTTP usage it is harder to track a botnet that uses HTTP Protocols Using HTTP can allow a botnet to skirt the firewall restrictions that hamper IRC botnets Detecting HTTP botnets is harder but not impossible since the header fields and the payload do not match normal HTTP traffic Some new options emerging are IM and P2P protocols and expect growth in the future

20 HTTP Botnet Example: Fast-flux Networks
Commonly used scheme Used to control botnets w/ hundreds or even thousands of nodes

21 Conclusions C&C Models Rally Mechanisms Communication Protocols
Centralized P2P Rally Mechanisms Static IP Dynamic IP Distributed DNS Communication Protocols IRC Http

22 Backup Slides

23 Chronicle of Botnets

24 Observable Behaviors Three categories of observable Botnet behaviors:
Network-based Host-based Global Correlated 1. In order to detect and possibly defeat botnets, we need to discover the abnormal behaviors exhibited by botnets.

25 Network-Based Network patterns can be used to detect Botnets
IRC & HTTP are the most common forms of Botnet communications Detectable by identifying abnormal traffic patterns. IRC communications in unwanted areas IRC conversations that human’s can not understand DNS domain names DNS queries to locate C&C server Hosts query improper domain names IP address associated with a domain name keeps changing periodically Traffic Bursty at times, and idle the rest of the time Abnormally fast responses compared to a human Attacks (eg: Denial of Service) - Large amounts of invalid TCP SYN Packets with invalid source IP addresses IRC & HTTP traffic detectable by identifying abnormal traffic patterns. Examples can be IRC traffic in a part of a network that does not allow it or IRC conversations that consist of syntax that humans do not understand. Botnets use DNS queries to locate C&C Server Host query strange domain names like cheese.dns4biz.org. This normally indicates that a host has been compromised. IP addresses are assigned to domain names. If an IP address keeps changing, then it normally indicates presence of a botnet. Network traffic can burst at certain times and remain idle the rest of the time. Botnets respond abnormally fast compared to a human surfing the web. Attacking Traffic Denial of Service Attacks Invalid source IP Addresses Large number of Invalid TCP SYN Packets

26 Host-Based Botnet behavior can be observed on the host machine.
Exhibit virus like activities When executed, Botnets run a sequence of routines. Modifying registries Modifying system files Creating unknown network connections Disabling Antivirus programs

27 Global Correlated Global characteristics are tied to the fundamentals Botnets Not likely to change unless Botnets are completely redesigned and re-implemented Most valuable way to detect Botnets Behavior the same regardless if the Botnets are communicating via IRC or HTTP Global DNS queries increase due to assignment of new C&C servers Network Flow disruptions Global correlated behaviors are one of the most value ways to detect botnets DNS queries increase when a bots are disconnected from an old C&C server and try to locate the new C&C server. Botmasters try to change the location of the C&C servers to avoid detection

28 Conclusion By using the taxonomy and accurately identifying what type of botnet you are dealing with it will be easier to use the correct evasion technique.

29 Evasion Techniques Sophistication of Botnets allow them to evade
AV Engines Signature base intrusion detection systems (IDS) Anomaly-based detection systems Techniques Executable packers Rootkits Protocols

30 Evasion Techniques Moving away from IRC Taking control of HTTP VoIP
IPV6 ICMP Skype protocols

31 Evasion Techniques Skype, the best botnet ever??
Very popular, 9M+ users, average 4M+ connected Very good firewall ”punching” capabilities Obfuscated and persistent network flow Provides network API Skype provides network connectivity and obfuscation Skype is resilient by design Just need nickname(s) for communications Things are easy Exploit Skype Install bot as Skype plugin Generate plugin authorization token and execute

32 Beating Evasion Techniques
Prevention Find C&C servers and destroying them Most effective method for prevention and cure: Combining traditional detection mechanisms with those based on anomaly network behavior

33 Round 3 Bootstrapping Peer Round 1 Round 4 Round 2

34 Overnet Message Passing:
Overnet has three basic message types to facilitate proper function of the network: Connect: A peer uses connect messages to report their OID to other peers and to receive a list of peers somewhat close to the peer. Search: A peer uses search messages to find resources and other nodes based on OID. Publicize: A peer uses publicize messages to report ownership of network resources (OIDs) so that other peers can find the resource later.

35 Random Mechanisms Theoretical architecture: Evan Cooke, et al describe the model Easy implementation and resilient to discovery and destruction Scalability limitations make it impractical for large scale attacks. Bots sleep and are not activated until Bot Master is ready to attack

Download ppt "Botnets."

Similar presentations

Botnets. Botnet Threat Botnets are a major threat to the Internet because: Consist of a large pool of compromised computers that are organized by a master.

Botnets. Botnet Threat Botnets are a major threat to the Internet because: Consist of a large pool of compromised computers that are organized by a master.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
Taxonomy of Botnets Team Mag Five Valerie Buitron Jaime Calahorrano Derek Chow Julia Marsh Mark Zogbaum.

Taxonomy of Botnets Team Mag Five Valerie Buitron Jaime Calahorrano Derek Chow Julia Marsh Mark Zogbaum.
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.

Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.
 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 

 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
BOTNETS/Cyber Criminals  How do we stop Cyber Criminals.

BOTNETS/Cyber Criminals  How do we stop Cyber Criminals.
Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Borrowed from Brent ByungHoon Kang, GMU. A Network of Compromised Computers on the Internet IP locations of the Waledac botnet. Borrowed from Brent ByungHoon.

Borrowed from Brent ByungHoon Kang, GMU. A Network of Compromised Computers on the Internet IP locations of the Waledac botnet. Borrowed from Brent ByungHoon.
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.

Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.
Botnets An Introduction Into the World of Botnets Tyler Hudak

Botnets An Introduction Into the World of Botnets Tyler Hudak
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.

MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
Speaker : YUN–KUAN,CHANG Date : 2009/10/13 Working the botnet: how dynamic DNS is revitalising the zombie army.

Speaker : YUN–KUAN,CHANG Date : 2009/10/13 Working the botnet: how dynamic DNS is revitalising the zombie army.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel 434920317 1.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
 Collection of connected programs communicating with similar programs to perform tasks  Legal  IRC bots to moderate/administer channels  Origin of.

 Collection of connected programs communicating with similar programs to perform tasks  Legal  IRC bots to moderate/administer channels  Origin of.

Similar presentations

Ads by Google