Botnets ECE 4112 Lab 10 Group 19.

1 Botnets ECE 4112 Lab 10 Group 19

2 Botnets
- Collection of compromised machines running malicious programs under a common command and control infrastructure
- Attackers target Class B networks
- Once a vulnerable system is detected, the system is compromised and a control client (bot) is installed
- These bots go on to attack further networks, giving exponential growth in a tree-like fashion

3 Botnets - Uses
- Distributed DoS attacks
- Spamming
- Sniffing traffic
- Keylogging
- Attacking other networks
- Identity theft
- Google AdSense abuse
- Spyware/malware infestation

4 Lab Procedures
I. Setup: setting up the IRCd server
II. SDBot
III. q8Bot
IV. HoneyNet botnet capture analysis

5 IRCd Server
- IRC networks are considered part of the "underground" Internet
- Home to many hacking groups and illegal software release groups
- Set up on a RedHat WS 4.0 machine
- Lab topology (diagram): IRCd server; IRC client (attacker) on RedHat WS 4.0; infected RedHat machine (victim)

6 SDBot/RBot/UrBot/UrXbot
- The most active family of bots
- Published under the GPL
- Poorly implemented in C
- Provides a utilitarian IRC-based command and control system
- Easy to extend: a large number of patches provide more sophisticated malicious capabilities (scanning, DoS attacks, sniffers, information harvesting and encryption features)

7 SDBot
- Set up on a Windows XP VM using the lcc-win32 compiler
- Created the executable using a bat file
- Edited the hosts file to include ircserver
- Bot login: a random username joins the channel (screenshot: Bot Login)
- .repeat 6 .delay 1 .execute 1 winmine.exe
- Started 6 instances of Minesweeper on the victim

8 SDBot General Commands
- .execute: causes the bot to run a program
- .download: causes the bot to download the file specified by URL
- .redirect: lets the bot start a basic port redirect; everything sent to the port ...
- .sysinfo: causes the bot to reply with information on the host system
- .netinfo: causes the bot to reply with information on the bot's network connection
- .visit: lets the bot invisibly visit the specified URL

9 SDBot – UDP/Ping Flood
- .udp <RH 7.2 IP> 1000 4096 100 23: this command causes a UDP flood
- For a 1 Gbit link: avg packet size = 1169 bytes, bots required = 106,928
- .ping <RH 7.2 IP>: initiates a ping flood
- Avg packet size = 1351 bytes, bots required = 92,532 (approx.)

10 SDBot – Pay per click
- .visit
- Ethereal: TCP stream with HTTP packets illustrating as referrer

11 SDBot – Bot Removal
- Kill the process
- Remove the registry entries:
  HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\CONFIGURATION LOADER
  HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\CONFIGURATION LOADER

12 q8Bot
- Small bot with 926 lines of C code
- Written only for Unix-based systems
- Features: DDoS attacks, dynamic updating, flooding
- Versions with spreaders available

13 q8Bot
- Installation after changes to the C file
- ps -e: shows the bot file running with a pid
- ps -ef: the same pid is shown as '-bash'
- The -f flag gives a full listing with the command-line process name, which is replaced by FAKENAME in the source code
- The -e flag gives the pid with the executable used

14 q8Bot – Commands
- PAN <target> <port> <secs>: SYN flood which disables most network drivers
- TSUNAMI <target> <secs>: packets that can bypass any firewall
- GET <target> <save as>: download/rename files

15 q8Bot Tsunami Attack – PAN
- Basic DoS attack
- Packets directed to port 80 (http), hence ignored by firewalls
- PAN: add the statement sendto(get, &send_tcp, 40+psize, 0, (struct sockaddr*)&sin, sizeof(sin));
- Change return() to break in the final if block
- PAN <WIN XP IP> <port> <delay in ms>

16 HoneyNet Botnet Capture Analysis
- Data forensics
- View IRC connections: ip.dst == && tcp.srcport==6667
- Sniff IRC packets: (ip.dst== && (tcp.srcport==6667 || tcp.dstport==6667))
- Usernames sniffed: Eohisou (unsuccessful login attempt); Rgdiuggac (successful login attempt)

17 HoneyNet Botnet Capture Analysis
- Once logged in, ChanServ sets modes: i (invisible mode, hidden); x (provides a random hostname to the user)
- Source attack IPs: analyze through an Ethereal filter

18 Botnets – Defense
- Keep your system updated by downloading patches
- Be careful when opening suspicious attachments
- Control the use of scripting languages such as ActiveX and JavaScript
- It is fundamental to use an updated antivirus / antitrojan

19 Botnets – Defense
- The main signs of bot presence are connection and system slowdown
- netstat -an
- Admins: subscribe to mailing lists (e.g. Bugtraq)
- Study the logs generated by IDS/firewall/mail/DHCP servers for abnormal activity
- Most important: user awareness
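The netstat check above can be turned into a repeatable triage step. The script below is an added example, not part of the lab or the bots it describes: it parses constructed `netstat -an` output in the Windows column layout (Proto, Local Address, Foreign Address, State) and reports every foreign host the machine has TCP sockets to on the IRC default port 6667, the port the capture-analysis filters key on.

```python
"""Flag likely IRC command-and-control sockets in `netstat -an` output.

Assumptions: Windows-style netstat columns and port 6667 as the IRC C&C
indicator. Bots using a non-default port would need the port set extended.
"""
import re
from collections import Counter

IRC_PORTS = {6667}  # default IRC port used by the lab's IRCd and filters

# Constructed sample output, not a real capture: one host has two sockets
# toward port 6667 (one established, one still connecting).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      192.168.1.10:6667      ESTABLISHED
  TCP    192.168.1.20:1046      203.0.113.5:80         ESTABLISHED
  TCP    192.168.1.20:1047      192.168.1.10:6667      SYN_SENT
  UDP    0.0.0.0:445            *:*
"""

# Header and blank lines do not start with TCP/UDP, so they never match.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return a list of (proto, local, foreign, state) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            rows.append((proto, local, foreign, state or ""))
    return rows


def split_port(addr):
    """Split 'host:port' (IPv4 or '*:*') into (host, port or None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def find_irc_peers(text, ports=IRC_PORTS):
    """Map each foreign host contacted on an IRC port to its socket count."""
    hits = Counter()
    for proto, _local, foreign, _state in parse_netstat(text):
        host, port = split_port(foreign)
        if proto == "TCP" and port in ports:
            hits[host] += 1
    return dict(hits)


if __name__ == "__main__":
    print(find_irc_peers(SAMPLE_NETSTAT))  # {'192.168.1.10': 2}
```

A hit only says the host talks IRC on 6667; confirming a bot means checking the process behind the socket and the Run/RunServices entries listed on the removal slide.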
