Presentation is loading. Please wait.

Presentation is loading. Please wait.

Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.

Published byPaula Márquez Bustamante Modified over 5 years ago

Similar presentations

Presentation on theme: "Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan."— Presentation transcript:

1 Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18 Botnet Collection of infected systems Controlled by one party

19 Most commonly used Bot families
Agobot SDBot SpyBot GT Bot

20 Agobot Most sophisticated 20,000 lines C/C++ code
IRC based command/control Large collection of target exploits Capable of many DoS attack types Shell encoding/polymorphic obfuscation Traffic sniffers/key logging Defend/fortify compromised system Ability to frustrate dissassembly

21 SDBot Simpler than Agobot, 2,000 lines C code Non-malicious at base
Utilitarian IRC-based command/control Easily extended for malicious purposes Scanning DoS Attacks Sniffers Information harvesting Encryption

22 SpyBot <3,000 lines C code Possibly evolved from SDBot
Similar command/control engine No attempts to hide malicious purposes

23 GT Bot Functions based on mIRC scripting capabilities
HideWindow program hides bot on local system Port scanning, DoS attacks, exploits for RPC and NetBIOS

24 Variance in codebase size, structure, complexity, implementation
Convergence in set of functions Possibility for defense systems effective across bot families Bot families extensible Agobot likely to become dominant

25 Control All of the above use IRC for command/control
Disrupt IRC, disable bots Sniff IRC traffic for commands Shutdown channels used for Botnets IRC operators play central role in stopping botnet traffic Automated traffic identification required Future botnets may move away from IRC Move to P2P communication Traffic fingerprinting still useful for identification

26 Host control Fortify system against other malicious attacks
Disable anti-virus software Harvest sensitive information PayPal, software keys, etc. Economic incentives for botnets Stresses need to patch/protect systems prior to attack Stronger protection boundaries required across applications in OSes

27 Propagation Horizontal scans Vertical scans
Single port across address range Vertical scans Single IP across range of ports Current scanning techniques simple Fingerprinting to identify scans Future methods Flash , more stealthy Source code examination Propagation models

28 Exploits/Attacks Agobot Has the most elaborate set
Several scanners, various flooding mechanisms for DDoS SDBot None in standard UDP/ICMP packet modules usable for flooding Variants include DDoS SpyBot NetBIOS attacks UDP/TCP/ICMP SYN Floods, similar to SDBot Variants include more GTBot RPC-DCOM exploits ICMP Floods, variants include UDP/TCP SYN floods

29 Required for protection
Host-based anti-virus Network intrusion detection Prevention signatures sets Future More bots capable of launching multiple exploits DDoS highlight danger of large botnets

30 Delivery Packers, shell encoders for distribution
Malware packaged in single script Agobot separates exploits from delivery Exploit vulnerability Buffer overflow Open shell on host Upload binary via HTTP or FTP Encoder can be used across multiple exploits Streamlines codebase NIDS/NIPS need knowledge of shell codes/perform simple decoding NIDS incorporate follow-up connection detection for exploit/delivery separation prevention

31 Obfuscation Hide details of network transmissions
Only slightly provided by encoding Same key used in encoding => signature matching Polymorphism – generate random encodings, evades signature matching Agobot POLY_TYPE_XOR POLY_TYPE_SWAP (swap consecutive bytes) POLY_TYPE_ROR (rotate right) POLY_TYPE_ROL (rotate left) NIDS/Anti-virus eventually need to develop protection against polymorphism

32 Deception Detection evasion once installed a.k.a. rootkits Agobot
Debugger tests VMWare tests Anti-virus process termination Pointing DNS for anti-virus to localhost Shows merging between botnets/trojans/etc. Honeynet monitors must be aware of VM attacks Better tools for dynamic malware analysis Improved rootkit detection/anti-virus as deception improves

Download ppt "Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan."

Similar presentations

Botnets ECE 4112 Lab 10 Group 19.

Botnets ECE 4112 Lab 10 Group 19.
Botnets. Botnet Threat Botnets are a major threat to the Internet because: Consist of a large pool of compromised computers that are organized by a master.

Botnets. Botnet Threat Botnets are a major threat to the Internet because: Consist of a large pool of compromised computers that are organized by a master.
MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.

MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.
Taxonomy of Botnets Team Mag Five Valerie Buitron Jaime Calahorrano Derek Chow Julia Marsh Mark Zogbaum.

Taxonomy of Botnets Team Mag Five Valerie Buitron Jaime Calahorrano Derek Chow Julia Marsh Mark Zogbaum.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.

Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.
Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.
Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.

Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.
Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.

Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.
China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING CSTCERT,CNIC.

China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING CSTCERT,CNIC.
Introduction to Honeypot, Botnet, and Security Measurement

Introduction to Honeypot, Botnet, and Security Measurement
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.

MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel 434920317 1.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
Article presentation for: The Dark Cloud: Understanding and Defending against Botnets and Stealthy Malware Based on article by: Jaideep Chandrashekar,

Article presentation for: The Dark Cloud: Understanding and Defending against Botnets and Stealthy Malware Based on article by: Jaideep Chandrashekar,
1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),

1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),
CAP6135: Malware and Software Vulnerability Analysis Botnets Cliff Zou Spring 2012.

CAP6135: Malware and Software Vulnerability Analysis Botnets Cliff Zou Spring 2012.
A N I NSIDE L OOK AT B OTNETS ARO-DHS S PECIAL W ORKSHOP ON M ALWARE D ETECTION, 2005 Written By: Paul Barford and Vinod Yegneswaran University of Wisconsin,

A N I NSIDE L OOK AT B OTNETS ARO-DHS S PECIAL W ORKSHOP ON M ALWARE D ETECTION, 2005 Written By: Paul Barford and Vinod Yegneswaran University of Wisconsin,

Similar presentations

Ads by Google