Presentation is loading. Please wait.

Presentation is loading. Please wait.

Big Bad Botnet Day! Xeno Kovah In association with the Corporation for Public Botcasting, and Viewers Like You! Xeno Kovah In association with the Corporation.

Published byTyler Norman Modified over 8 years ago

Similar presentations

Presentation on theme: "Big Bad Botnet Day! Xeno Kovah In association with the Corporation for Public Botcasting, and Viewers Like You! Xeno Kovah In association with the Corporation."— Presentation transcript:

1 Big Bad Botnet Day! Xeno Kovah In association with the Corporation for Public Botcasting, and Viewers Like You! Xeno Kovah In association with the Corporation for Public Botcasting, and Viewers Like You!

2 What is a bot? botnet? G A “bot” in the botnet sense of the word is a program which was installed by a malicious 3rd party to control the computer G Each bot can accept commands from a controlling entity G When many bots can be controlled simultaneously to perform specific actions, this is a botnet G A “bot” in the botnet sense of the word is a program which was installed by a malicious 3rd party to control the computer G Each bot can accept commands from a controlling entity G When many bots can be controlled simultaneously to perform specific actions, this is a botnet

3 History. How did we get here?  First D DoS tools (trinoo, TFN2k, Stacheldraht) + G Trojans (BackOrifice, BO2k, SubSeven, others) + G Worms (Code Red, Blaster, Sasser) + G IRC Bots  = “ Bots ” or “ Zombies/Drones ” or “ Trojans ” depending on which “ expert ” you ’ re asking what EXACTLY it does(subtle) or it ’ s context  First D DoS tools (trinoo, TFN2k, Stacheldraht) + G Trojans (BackOrifice, BO2k, SubSeven, others) + G Worms (Code Red, Blaster, Sasser) + G IRC Bots  = “ Bots ” or “ Zombies/Drones ” or “ Trojans ” depending on which “ expert ” you ’ re asking what EXACTLY it does(subtle) or it ’ s context

4 Infection vector G EVERYTHING! :) G E-mail virii, IE browsing exploits, remote exploits, social engineering, trojaned binaries, etc G EVERYTHING! :) G E-mail virii, IE browsing exploits, remote exploits, social engineering, trojaned binaries, etc

5 What do they COMMONLY do? G DDoS (origin) G SPAM G Phishing/Identity Theft G Keystroke logging G Stealing registration keys or files G Click fraud G Whatever you pay for them to do! Or whatever makes money or is fun for the operator. G DDoS (origin) G SPAM G Phishing/Identity Theft G Keystroke logging G Stealing registration keys or files G Click fraud G Whatever you pay for them to do! Or whatever makes money or is fun for the operator.

6 Botnet economics 101 G Extortion = $$$ (IF you pick a good target) G SPAM = $$ (easy money, but beware supply & demand) G Phishing = $$ G Click fraud = $ (likely to be shut down) G The feeling of intoxicating raw power commanding an army of undead computers to do your every bidding? Priceless G Extortion = $$$ (IF you pick a good target) G SPAM = $$ (easy money, but beware supply & demand) G Phishing = $$ G Click fraud = $ (likely to be shut down) G The feeling of intoxicating raw power commanding an army of undead computers to do your every bidding? Priceless

7 Typical botnet topology G IRC based (hence the name ;) G Centralized control G Stepping stones to get to control G Exact machine controlling can be changed thanks to handy dandy free dynamic DNS services G password protected control (sort of, mainly just obscurity) G Customized/stripped down IRC clients G IRC based (hence the name ;) G Centralized control G Stepping stones to get to control G Exact machine controlling can be changed thanks to handy dandy free dynamic DNS services G password protected control (sort of, mainly just obscurity) G Customized/stripped down IRC clients

8 Botnet using only strait lines! Entire Chain(s) observed, All zombies identified

9 Emergent control structure? G Gao/Ago/Phatbot added P2P control G Phatbot allows WASTE… G BUT it’s kinda pointless stripped out the good bits, presumably for “ease of use”, and from the looks of it it’s still centralized, but you just might not need a dyn-DNS provider G Ago’s P2P technique? G Gao/Ago/Phatbot added P2P control G Phatbot allows WASTE… G BUT it’s kinda pointless stripped out the good bits, presumably for “ease of use”, and from the looks of it it’s still centralized, but you just might not need a dyn-DNS provider G Ago’s P2P technique?

10 Improved topology? Tricky G P2P is both good and bad, depending on assumptions G Good: distributed C&C, possible better anonymity (integrated mixnets/tor?) G Bad: distributed C&C :), more information about network structure directly available to good guys IDS, overhead, typical p2p problems like partitioning, join/leave, etc G P2P is both good and bad, depending on assumptions G Good: distributed C&C, possible better anonymity (integrated mixnets/tor?) G Bad: distributed C&C :), more information about network structure directly available to good guys IDS, overhead, typical p2p problems like partitioning, join/leave, etc

11 Detection/Prevention G Detection: fairly easy G MINDS cheated!, but it COULD do G Honeynet G Harder if P2P? Maybe G Prevention/Shutting down entire network: very hard G Much harder if P2P G Detection: fairly easy G MINDS cheated!, but it COULD do G Honeynet G Harder if P2P? Maybe G Prevention/Shutting down entire network: very hard G Much harder if P2P

12 Anti-anti-virus & anti- debugging/disassembly G (quick word on malware “best practices” ;) G Terminate known AV software processes G Refuse to run in debugging/VM environment G Rootkit obfuscation G (quick word on malware “best practices” ;) G Terminate known AV software processes G Refuse to run in debugging/VM environment G Rootkit obfuscation

13 On innovation G Major families of bots have had their source code “leaked” at some point G Therefore there’s a LOT of code reuse G Previously it was all about recognition G Becoming profit driven  (just like the “security industry”!) :P G Major families of bots have had their source code “leaked” at some point G Therefore there’s a LOT of code reuse G Previously it was all about recognition G Becoming profit driven  (just like the “security industry”!) :P

14 Related Buzzwords! G OS hardening G IPS/IDS G Stepping Stones G Sybil Attack G Encrypted, Obfuscated, or Anonymous P2P G DDoS G Worm prevention (in particular flash worms) G Many others G OS hardening G IPS/IDS G Stepping Stones G Sybil Attack G Encrypted, Obfuscated, or Anonymous P2P G DDoS G Worm prevention (in particular flash worms) G Many others

15 Refs G http://www.honeynet.org/papers/bots / (Germans being germane ) http://www.honeynet.org/papers/bots / G www.lurhq.com/phatbot.html (1 yr old) www.lurhq.com/phatbot.html G http://swatit.org/bots/ (kinda old, but still fairly informative about the IRC aspect) http://swatit.org/bots/  http://en.wikipedia.org/wiki/Botnet G Lots of little news articles found by googling & searching The Register G http://www.honeynet.org/papers/bots / (Germans being germane ) http://www.honeynet.org/papers/bots / G www.lurhq.com/phatbot.html (1 yr old) www.lurhq.com/phatbot.html G http://swatit.org/bots/ (kinda old, but still fairly informative about the IRC aspect) http://swatit.org/bots/  http://en.wikipedia.org/wiki/Botnet G Lots of little news articles found by googling & searching The Register

Download ppt "Big Bad Botnet Day! Xeno Kovah In association with the Corporation for Public Botcasting, and Viewers Like You! Xeno Kovah In association with the Corporation."

Similar presentations

Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
Dr. John P. Abraham Professor UTPA 2 – Systems Threats and Risks.

Dr. John P. Abraham Professor UTPA 2 – Systems Threats and Risks.
Security for Internet Every Day Use Standard Security Practices and New Threats.

Security for Internet Every Day Use Standard Security Practices and New Threats.
Malicious Attacks By: Albert, Alex, Andon, Ben, Robert.

Malicious Attacks By: Albert, Alex, Andon, Ben, Robert.
 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 

 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 
BOTNETS/Cyber Criminals  How do we stop Cyber Criminals.

BOTNETS/Cyber Criminals  How do we stop Cyber Criminals.
1 Understanding Botnet Phenomenon MITP 458 - Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.

1 Understanding Botnet Phenomenon MITP Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.
Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.

Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.
What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:

What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:
Windows Malware: Detection And Removal TechBytes Tim Ramsey.

Windows Malware: Detection And Removal TechBytes Tim Ramsey.
Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.
CAP6135: Malware and Software Vulnerability Analysis Examples of Term Projects Cliff Zou Spring 2012.

CAP6135: Malware and Software Vulnerability Analysis Examples of Term Projects Cliff Zou Spring 2012.
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.

Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.
Threats and ways you can protect your computer. There are a number of security risks that computer users face, some include; Trojans Conficker worms Key.

Threats and ways you can protect your computer. There are a number of security risks that computer users face, some include; Trojans Conficker worms Key.
Internet safety Viruses A computer virus is a program or piece of code that is loaded onto your computer without your knowledge and runs against your.

Internet safety Viruses A computer virus is a program or piece of code that is loaded onto your computer without your knowledge and runs against your.
Trojan Horse Implementation and Prevention By Pallavi Dharmadhikari Sirisha Bollineni VijayaLakshmi Jothiram Vasanthi Madala.

Trojan Horse Implementation and Prevention By Pallavi Dharmadhikari Sirisha Bollineni VijayaLakshmi Jothiram Vasanthi Madala.
China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING CSTCERT,CNIC.

China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING CSTCERT,CNIC.
Sravanthi Vattikuti Sri Harsha Devabhaktuni

Sravanthi Vattikuti Sri Harsha Devabhaktuni

Similar presentations

Ads by Google