Presentation is loading. Please wait.

Presentation is loading. Please wait.

BotNets- Cyber Torrirism Battling the threats of internet Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director.

Published byCarmel Todd Modified over 9 years ago

Similar presentations

Presentation on theme: "BotNets- Cyber Torrirism Battling the threats of internet Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director."— Presentation transcript:

1 BotNets- Cyber Torrirism Battling the threats of internet Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director

2 Page  2 –In 2006, Microsoft’s Malicious Software Removal Tool (MSRT) found backdoor trojans on 62% of the 5.7 million computers it scanned. The majority of these were bots. –Commtouch found, 87% of all email sent over the Internet during 2006 was spam. Botnets generated 85% of that spam. –Commtouch’s GlobalView™ Reputation Service identifies between 300,000 and 500,000 newly active zombies per day, on average. –ISPs rank zombies as the single largest threat facing network services and operational security*. * Worldwide Infrastructure Security Report, Arbor Networks, September 2007. Why Talk About Botnets? Because Bot Statistics Suggest Assimilation

3 Page  3 High Low 1980198519901995 2000+ password guessing self-replicating code password cracking exploiting known vulnerabilities disabling audits back doors hijacking sessions sweepers sniffers packet spoofing GUI automated probes/scans denial of service www attacks Tools Attackers Intruder Knowledge Attack Sophistication “stealth” / advanced scanning techniques burglaries network mgmt. diagnostics distributed attack tools Cross site scripting Staged attack bots Source: CERT Why Talk About Botnets? Cyber Attack Sophistication Continues To Evolve

4 Page  4 Botnet Powered Attacks Targeting the World With full control of a massive army of machines, the only limit to a botherder’s attack potential is his imagination. –Distributed Denial of Service (DDoS) Attacks BlueSecurity Estonia Extortion of small businesses –Spamming Email spam SPIM Forum spam

5 Page  5  A Botnet is a network of compromised computers under the control of a remote attacker. Botnets consist of: –Bot herder The attacker controlling the malicious network (also called a Botmaster). –Bot A compromised computers under the Bot herders control (also called zombies, or drones). –Bot Client The malicious trojan installed on a compromised machine that connects it to the Botnet. –Command and Control Channel (C&C) The communication channel the Bot herder uses to remotely control the bots. What is Botnets? Zombie Army

6 Page  6  Botnet originator (bot herder, bot master) starts the process Bot herder sends viruses, worms, etc. to unprotected PCs »Direct attacks on home PC without patches or firewall »Indirect attacks via malicious HTML files that exploit vulnerabilities (especially in MS Internet Explorer) »Malware attacks on peer-to-peer networks Infected PC receives, executes Trojan application ⇒ bot Bot logs onto C&C IRC server, waits for commands Bot herder sends commands to bots via IRC server »Send spam »Steal serial numbers, financial information, intellectual property, etc. »Scan servers and infect other unprotected PCs, thereby adding more “zombie” computers to botnet What is Bot herder? Bot master

7 Page  7 What is Bot? The Zombie/drone  Bot = autonomous programs capable of acting on instructions Typically a large (up to several hundred thousand) group of remotely controlled “zombie” systems »Machine owners are not aware they have been compromised »Controlled and upgraded via IRC or P2P  Used as the platform for various attacks Distributed denial of service Spam and click fraud Launching pad for new exploits/worms

8 Page  8 1. Botnet operator sends out viruses or worms (bot client)  infect ordinary users [trojan application is the bot] 2. The bot on the infected PC logs into an IRC server  Server is known as the command-and-control server 3. Attackers gets access to botnet from operator  Spammers 4. Attackers sends instructions to the infected PCs  To send out spam 5. Infected PCs will  Send out spam messages What is Bot Client? Compromising a machine-worms

9 Page  9  Without bot communication, botnet would not be as useful or dynamic IRC servers are not best choice for bot communication »Simpler protocol could be used »Usually unencrypted, easy to get into and take over or shut down  However, »IRC servers freely available, simple to set up »Attackers usually have experience with IRC communication  Bots log into a specific IRC channel  Bots are written to accept specific commands and execute them (sometimes from specific users) CC What is Bot C&C? C ommand and C ontrol Server (C2)

10 Page  10 –Today, bot herders primarily rely on these three protocols for their C&C: »Internet Relay Chat (IRC) Protocol »Hyper-Text Transfer Protocol (HTTP) »Peer-to-Peer (P2P) networking protocols. CC What is Bot C&C? C ommand and C ontrol Server (C2)

11 Page  11 Botnet Life Cycle? Botnet and bot Life Cycle  Botnet Life Cycle o Bot herder configures initial parameters: infection vectors, payload, stealth, C&C details o Bot herder registers dynamic DNS server o Bot herder launches, seeds new bots o Bots spread, grow o Other botnets steal bots o Botnet reaches stasis, stops growing o Bot herder abandons botnet, severs traces thereto o Bot herder unregisters dynamic DNS server  Bot Life Cycle o Bot establishes C&C on compromised computer o Bot scans for vulnerable targets to “spread” itself o User, others take bot down o Bot recovers from takedown o Bot upgrades itself with new code o Bot sits idle, awaiting instructions

12 Page  12 1.Botmaster infects victim with bot (worm, social engineering, etc) 2. Bot connects to IRC C&C channel 4. Repeat. Soon the botmaster has an army of bots to control from a single point 3. Botmaster sends commands through IRC C&C channel to bots Botmaster Victim IRC Server Botnet in Action? Putting all together

13 Page  13  Phishing  Spam  Distributed Denial of Service  Click Fraud  Adware/Spyware Installation  Identity Theft  Making Additional Income!!!  Keystroke logging  Stealing registration keys or files Whatever you pay for them to do! Or whatever makes money or is fun for the operator. Botnets used for? Hiring the Botnets

14 Page  14 Payload malware Troj/Banker http://bar.com 4 Exp ANI ANI exploit http://foo2.com 3 Obf JS Malicious Script http://foo.com 2 Spam campaign 1        Botnet in Action Attack Summary

15 Page  15

16 Page  16 The Botnet: contined The Lifecycle of a Botnet

17 Page  17 The Current Threats The SpamThru Trojan Over 1 Billion Emails

18 Page  18 Break Visualizing a Botnet Relax, and Enjoy the Video

19 Page  19 Until recently, IRC-based botnets were by far the most prevalent type exploited in the wild. Benefits of IRC to botherder: Well established and understood protocol Freely available IRC server software Interactive, two-way communication Offers redundancy with linked IRC servers Most blackhats grow up using IRC. Botnet user Types Botnets IRC botnets

20 Page  20 Types Botnets IRC botnets Botherders are migrating away from IRC botnets because researchers know how to track them. Drawbacks: Centralized server IRC is not that secure by default Security researchers understand IRC too. Common IRC Bots: SDBot Rbot (Rxbot) Gaobot Botnet user

21 Page  21 Types Botnets P2P botnets  Distributed control

22 Page  22 Types Botnets P2P botnets  Hard to disable

23 Page  23 What is a Botnet? P2P Botnet Diagram

24 P2P communication channels offer anonymity to botherders a and resiliency to botnets.  Benefits of P2P to botherder: »Decentralized; No single point of failure »Botherder can send commands from any peer »Security by Obscurity; There is no P2P RFC  Drawbacks: »Other peers can potentially take over the botnet  P2P Bots: »Phatbot: AOL’s WASTE protocol »Storm: Overnet/eDonkey P2P protocol Types Botnets P2P botnets

25 Page  25 HTTP Post Command to C&C URL Polling Method Registration Method Types Botnets HTTP botnet

26 Page  26 What is a Botnet? HTTP Botnets Botherders are shifting to HTTP-based botnets that serve a single purpose.  Benefits of HTTP to botherder: »Also very robust with freely available server software »HTTP acts as a “covert channel” for a botherder’s traffic »Web application technologies help botherders get organized.  Drawbacks: »Still a Centralized server »Easy for researchers to analyze.  Recent HTTP Bots: »Zunker (Zupacha): Spam bot »BlackEnergy: DDoS bot

27 Page  27 What Bots can do? The Zombie/drone  Each bot can scan IP space for new victims  Automatically »Each bot contains hard-coded list of IRC servers’ DNS names »As infection is spreading, IRC servers and channels that the new bots are looking for are often no longer reachable  On-command: target specific /8 or /16 prefixes »Botmasters share information about prefixes to avoid Evidence of botnet-on-botnet warfare o DoS server by multiple IRC connections (“cloning”) Active botnet management o Detect non-responding bots, identify “superbots”

28 Page  28 Botnet originator (owner) Botnet user (customer) Botnets used for? Network for hire

29 Page  29  Determining the source of a botnet-based attack is challenging: »Every zombie host is an attacker »Botnets can exist in a benign state for an arbitrary amount of time before they are used for a specific attack Traditional approach: » identify the C&C server and disable it New trend: »P2P networks, »C&C server anonymized among the other peers (zombies)  Measuring the size of botnets Botnets, the hardest Challenges

30 Page  30  Capture –Active (go out and get malware)‏ »Actual (use vulnerable browser/application) »Simulated (use tool that mimics vulnerable app)‏ »FTP (go to malware repository)‏ –Passive (let it come to you)‏ »Honeypot/net »Collection from infected end-users Botnets, Research Methods

31 Page  31  Logging onto herder IRC server to get info Passive monitoring »Either listening between infected machine and herder or spoofing infected PC Active monitoring »Poking around in the IRC server  Sniffing traffic between bot & control channel  What if herder is using 'mixed' server? »innocent and illegitimate traffic together Botnets, Research Monitoring of herder - botmatser

32 Page  32 Botnets, Research Monitoring of herder – bot matser Infected IRCHerder unbiased Hi! Researcher

33 Page  33 Avoid Assimilation: Botnet Defense Preventing Bot Infections  Protecting your network from a botnet’s many attack vectors requires “Defense in Depth.” –Use a Firewall –Patch regularly and promptly –Use AntiVirus (AV) software –Deploy an Intrusion Prevention System (IPS) –Implement application-level content filtering –Define a Security Policy and share it with your users systematically USER EDUCATION IS VITAL!

34 Page  34 Recommendation Readings –Botnets: The Killer Web Application, Craig Schiller ISBN 1-59749-135-7 –Managing an Information Security and Privacy Awareness and Training Program, Rebecca Herold ISBN 0-8493-2963-9 –The CISO Handbook: A Practical Guide to Securing Your Company, Michael Gentile ISBN 0-8493-1952-8 –Google Hacking for Penetration Testers, Volume 1, Johnny Long ISBN 1-93183-636-1

35 Thank You

Download ppt "BotNets- Cyber Torrirism Battling the threats of internet Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director."

Similar presentations

High Performance Research Network. Development Lab. / Supercomputing Center 1 Design of the Detection and Response System against DDoS attacks Yoonjoo.

High Performance Research Network. Development Lab. / Supercomputing Center 1 Design of the Detection and Response System against DDoS attacks Yoonjoo.
SCADA Security, DNS Phishing

SCADA Security, DNS Phishing
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
CHAPTER 2 KNOW YOUR VILLAINS. Who writes it: Malware writers vary in age, income level, location, social/peer interaction, education level, likes, dislikes.

CHAPTER 2 KNOW YOUR VILLAINS. Who writes it: Malware writers vary in age, income level, location, social/peer interaction, education level, likes, dislikes.
Zombie or not to be: Trough the meshes of Botnets - Guillaume Lovet AVAR 2005 Tianjin, China.

Zombie or not to be: Trough the meshes of Botnets - Guillaume Lovet AVAR 2005 Tianjin, China.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.

MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.
 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 

 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
BOTNETS/Cyber Criminals  How do we stop Cyber Criminals.

BOTNETS/Cyber Criminals  How do we stop Cyber Criminals.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
1 Understanding Botnet Phenomenon MITP 458 - Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.

1 Understanding Botnet Phenomenon MITP Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.
Bots and Botnets CS-431 Dick Steflik. DDoS ● One of the most common ways to mount a Distributed Denial of Service attacks is done via networks of zombie.

Bots and Botnets CS-431 Dick Steflik. DDoS ● One of the most common ways to mount a Distributed Denial of Service attacks is done via networks of zombie.
What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:

What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:
Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
DDos Distributed Denial of Service Attacks by Mark Schuchter.

DDos Distributed Denial of Service Attacks by Mark Schuchter.
Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.

Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

Similar presentations

Ads by Google