Presentation is loading. Please wait.

Presentation is loading. Please wait.

AN INSIDE LOOK AT BOTNETS Barford, Paul and Yegneswaran Advances in Information Security, Springer, 2006 Kishore Padma Raju.

Published byGabriel Parsons Modified over 9 years ago

Similar presentations

Presentation on theme: "AN INSIDE LOOK AT BOTNETS Barford, Paul and Yegneswaran Advances in Information Security, Springer, 2006 Kishore Padma Raju."— Presentation transcript:

1 AN INSIDE LOOK AT BOTNETS Barford, Paul and Yegneswaran Advances in Information Security, Springer, 2006 Kishore Padma Raju

2 INTRODUCTION Attacks for financial gain Proactive methods Understanding of malicious software readily available 4 IRC botnet codebases along 7 dimensions

3 ARCHITECTURE AGOBOT (Phatbot) – Found in october 2002 – Sophisticated and best written source code – 20,000 lines of c/c++ – High level components IRC based command and control mechanism Large collection of target exploits DOS attacks Harvest the local host

4 SDBOT – October 2002 – Simple code in C, 2000 lines – IRC based command and control system – Easy to extend and so many patches available(DOS attacks, information harvesting routines) – Motivation for patch dissemination is diffusion of accountability

5 SPYBOT – 3000 lines of C code – April 2003 – Evolved from SDBOT No diffusion accountability – Includes scanning capability and launching flooding attacks – Efficient

6 GTBOT(global threat)(Aristotles) – Based on functions of mIRC(writes event handlers for remote nodes) – Capabilities are Port scanning DOS attacks – Stored in file mirc.ini – Remote execution BNC(proxy system), psexec.exe Implications

7 BOTNET CONTROL MECHANISMS Communication Command language and control protocols Based onIRC Commands – Deny service – spam – Phish

8 Agobot – Command language contain Standad IRC and specific commands of this bot – Bot commands, perform specific function Bot.open Cvar.set Ddos_max_threads

9 Sdbot NICK_USER PONG USERHOST JOIN EST ACTIONRESETREJOIN NICK PING 302 KICK353 PART/QUIT PREVMSG/ NOTICE/ TOPIC 001/005

10 SPYBOT – Command language simple – Commands are login, passwords, disconnect, reconnect, uninstall, spy, loadclones,killclones GTBOT – Simplest – Varies across versions – Commands are !ver, !scan, !portscan, !clone.*,!update IMPLICATIONS – Now simple – Future, encrypted communication – Finger printing methods

11 HOST CONTROL MECHANISMS Manipulate victim host AGOBOT Commands to harvest sensitive information(harvest.cdkeys, harvest.emails, registry, windowskeys) List and kill processes(pctrl.list, kill, killpid) Add or delete autostart entries(inst.asadd, asdel) SDBOT Remote execution commands and gather local information Patches Host control commands (download, killthread, update)

12 SPYBOT – Control commands for file manipulation, key logging, remote command execution – Commands are delete, execute, makedir, startkeylogger, stopkilllogger, reboot, update. GTBOT – Gathering local system information – Run or delete local files IMPLICATIONS – Underscore the need to patch – Stronger protection boundaries – Gathering sensitive information

13 PROPAGATION MECHANISMS Search for new host systems Horizontal and vertical scan AGOBOT – IP address within network ranges – Scan.addnetrange, scan.delnetrange, scan.enable SDBOT – Same as agobot – NETBIOS scanner Starting and end IP adresses

14 SPYBOT – Command interface Command Scan Example Scan 127.0.0.1 17300 1 netbios portscan.txt GTBOT – Horizontal and vertical scanning IMPLICATIONS – Simple scanning methods – Source code examination

15 EXPLOITS AND ATTACK MECHANISMS Attack known vulnerabilities on target systems AGOBOT – Broadening set of exploits – Generic DDOS module Enables seven types of service attacks Ddos.udpflood, synflood, httpflood, phatsyn, phaticmp,Phatwonk, targa3, stop. SDBOT – UDP and ICMP packets, flooding attacks – udp and ping

16 SPYBOT AND GTBOT – Same as sdbot IMPLICATIONS – Multiple exploits

17 MALWARE DELIVERY MECHANISMS GT/SD/SPY bots deliver exploit and encoded malware in single package Agobot – Exploit vulnerability and open a shell on remote host – Encoded binary is then sent using HTTP or FTP. IMPLICATIONS

18 OBFUSCATION MECHANISMS Hide the details Polymorphism AGOBOT – POLY_TYPE_XOR – POLY_TYPE_SWAP – POLY_TYPE_ROR – POLY_TYPE_ROL IMPLICATIONS

19 CONCLUSIONS Expanded the knowledge base for security research Lethal classes of internet threats Functional components of botnets

20 WEAKNESSES Study only IRC No Preventive mechanisms No dynamic profiling of botnet executables Insufficient analysis

21 IMPROVEMENTS Dynamic profiling can be executed using some tools Botnet monitoring mechanism can be explained Analysis for peer to peer infrastructure

Download ppt "AN INSIDE LOOK AT BOTNETS Barford, Paul and Yegneswaran Advances in Information Security, Springer, 2006 Kishore Padma Raju."

Similar presentations

Botnets ECE 4112 Lab 10 Group 19.

Botnets ECE 4112 Lab 10 Group 19.
MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.

MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Hacker, Cracker?! Are they the same? No!!! Hacker programmers intensely interested in the arcane and recondite workings of any computer operating system.

Hacker, Cracker?! Are they the same? No!!! Hacker programmers intensely interested in the arcane and recondite workings of any computer operating system.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
1 Understanding Botnet Phenomenon MITP 458 - Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.

1 Understanding Botnet Phenomenon MITP Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.
Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.

Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.
Borrowed from Brent ByungHoon Kang, GMU. A Network of Compromised Computers on the Internet IP locations of the Waledac botnet. Borrowed from Brent ByungHoon.

Borrowed from Brent ByungHoon Kang, GMU. A Network of Compromised Computers on the Internet IP locations of the Waledac botnet. Borrowed from Brent ByungHoon.
Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.

Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.
Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.

Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.
PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.

PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.
1 Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling - Proceedings.

1 Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling - Proceedings.
China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING CSTCERT,CNIC.

China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING CSTCERT,CNIC.
Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.

Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Botnets An Introduction Into the World of Botnets Tyler Hudak

Botnets An Introduction Into the World of Botnets Tyler Hudak
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.

MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel 434920317 1.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel

Similar presentations

Ads by Google