Presentation is loading. Please wait.

Presentation is loading. Please wait.

Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan."— Presentation transcript:

1 Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18 Botnet ● Collection of infected systems ● Controlled by one party

19 Most commonly used Bot families ● Agobot ● SDBot ● SpyBot ● GT Bot

20 Agobot ● Most sophisticated ● 20,000 lines C/C++ code ● IRC based command/control ● Large collection of target exploits ● Capable of many DoS attack types ● Shell encoding/polymorphic obfuscation ● Traffic sniffers/key logging ● Defend/fortify compromised system ● Ability to frustrate dissassembly

21 SDBot ● Simpler than Agobot, 2,000 lines C code ● Non-malicious at base ● Utilitarian IRC-based command/control ● Easily extended for malicious purposes  Scanning  DoS Attacks  Sniffers  Information harvesting  Encryption

22 SpyBot ● <3,000 lines C code ● Possibly evolved from SDBot  Similar command/control engine  No attempts to hide malicious purposes

23 GT Bot ● Functions based on mIRC scripting capabilities ● HideWindow program hides bot on local system ● Port scanning, DoS attacks, exploits for RPC and NetBIOS

24 ● Variance in codebase size, structure, complexity, implementation ● Convergence in set of functions  Possibility for defense systems effective across bot families ● Bot families extensible ● Agobot likely to become dominant

25 ● All of the above use IRC for command/control  Disrupt IRC, disable bots  Sniff IRC traffic for commands  Shutdown channels used for Botnets ● IRC operators play central role in stopping botnet traffic ● Automated traffic identification required ● Future botnets may move away from IRC  Move to P2P communication  Traffic fingerprinting still useful for identification Control

26 Host control ● Fortify system against other malicious attacks ● Disable anti-virus software ● Harvest sensitive information  PayPal, software keys, etc.  Economic incentives for botnets ● Stresses need to patch/protect systems prior to attack ● Stronger protection boundaries required across applications in OSes

27 Propagation ● Horizontal scans  Single port across address range ● Vertical scans  Single IP across range of ports ● Current scanning techniques simple  Fingerprinting to identify scans ● Future methods  Flash, more stealthy ● Source code examination  Propagation models

28 Exploits/Attacks ● Agobot  Has the most elaborate set  Several scanners, various flooding mechanisms for DDoS ● SDBot  None in standard  UDP/ICMP packet modules usable for flooding  Variants include DDoS ● SpyBot  NetBIOS attacks  UDP/TCP/ICMP SYN Floods, similar to SDBot  Variants include more ● GTBot  RPC-DCOM exploits  ICMP Floods, variants include UDP/TCP SYN floods

29 ● Required for protection  Host-based anti-virus  Network intrusion detection  Prevention signatures sets ● Future  More bots capable of launching multiple exploits ● DDoS highlight danger of large botnets

30 Delivery ● Packers, shell encoders for distribution ● Malware packaged in single script ● Agobot separates exploits from delivery  Exploit vulnerability ● Buffer overflow  Open shell on host  Upload binary via HTTP or FTP  Encoder can be used across multiple exploits  Streamlines codebase ● NIDS/NIPS need knowledge of shell codes/perform simple decoding ● NIDS incorporate follow-up connection detection for exploit/delivery separation prevention

31 Obfuscation ● Hide details of network transmissions ● Only slightly provided by encoding ● Same key used in encoding => signature matching ● Polymorphism – generate random encodings, evades signature matching  Agobot ● POLY_TYPE_XOR ● POLY_TYPE_SWAP (swap consecutive bytes) ● POLY_TYPE_ROR (rotate right) ● POLY_TYPE_ROL (rotate left) ● NIDS/Anti-virus eventually need to develop protection against polymorphism

32 Deception ● Detection evasion once installed ● a.k.a. rootkits ● Agobot  Debugger tests  VMWare tests  Anti-virus process termination  Pointing DNS for anti-virus to localhost ● Shows merging between botnets/trojans/etc.  Honeynet monitors must be aware of VM attacks  Better tools for dynamic malware analysis  Improved rootkit detection/anti-virus as deception improves

Download ppt "Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan."

Similar presentations

An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)

An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)
Botnets ECE 4112 Lab 10 Group 19.

Botnets ECE 4112 Lab 10 Group 19.
Botnets. Botnet Threat Botnets are a major threat to the Internet because: Consist of a large pool of compromised computers that are organized by a master.

Botnets. Botnet Threat Botnets are a major threat to the Internet because: Consist of a large pool of compromised computers that are organized by a master.
MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.

MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.
Taxonomy of Botnets Team Mag Five Valerie Buitron Jaime Calahorrano Derek Chow Julia Marsh Mark Zogbaum.

Taxonomy of Botnets Team Mag Five Valerie Buitron Jaime Calahorrano Derek Chow Julia Marsh Mark Zogbaum.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
1 Understanding Botnet Phenomenon MITP 458 - Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.

1 Understanding Botnet Phenomenon MITP Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.
Bots and Botnets CS-431 Dick Steflik. DDoS ● One of the most common ways to mount a Distributed Denial of Service attacks is done via networks of zombie.

Bots and Botnets CS-431 Dick Steflik. DDoS ● One of the most common ways to mount a Distributed Denial of Service attacks is done via networks of zombie.
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.
DDos Distributed Denial of Service Attacks by Mark Schuchter.

DDos Distributed Denial of Service Attacks by Mark Schuchter.
Borrowed from Brent ByungHoon Kang, GMU. A Network of Compromised Computers on the Internet IP locations of the Waledac botnet. Borrowed from Brent ByungHoon.

Borrowed from Brent ByungHoon Kang, GMU. A Network of Compromised Computers on the Internet IP locations of the Waledac botnet. Borrowed from Brent ByungHoon.
Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.

Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
Hands-On Ethical Hacking and Network Defense Chapter 3 Network and Computer Attacks.

Hands-On Ethical Hacking and Network Defense Chapter 3 Network and Computer Attacks.
Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.

Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.
Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.

Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.

Similar presentations

Ads by Google