2. What is a Botnet
History of Botnets
Botnet Usage
How do they do it
How a Botnet is controlled
Why Botnets are a Threat
Botnet Detection
Q&A
3. The term ‘bot’ or ‘robot’ refers to a program that:
- performs repetitive tasks, OR
- acts as an ‘agent’ or user interface for controlling
other programs
Bots can be very beneficial programs when they are
designed to assist a human user, either by automating
a simple task or by simplifying a user's control over
various programs or systems. Examples: Googlebot and
game bots.
4. Unfortunately, bots can also be created to perform
malicious tasks that compromise the system or any
information stored on the machine.
The 'bot' in botnets definitely refers to the second
type, as these bots are used by an attacker to 'hijack'
and control a computer system.
5. When more than one computer has the same bot
installed on it, the multiple infected machines form a
network, which is under the direct control of the
attacker. This network is a botnet – a network of
'enslaved' computer systems infected with malicious
bot programs. A single machine in a botnet can be
referred to as a 'bot', a 'zombie' or a 'zombie computer'.
6. The history of botnets begins in August 1988, when
IRC was invented at the University of Oulu, Finland
1989 - First bot - “GM”
- assisted users in managing their own IRC connections
May 1999 – Pretty Park
Reported in June 1999 in Central Europe
Internet worm – a password-stealing trojan
1999 – SubSeven
Remote-controlled trojan
7. 2000 – GTbot (Global Threat)
New capabilities - port scanning, flooding and cloning
Supports UDP and TCP socket connections
Supports running malicious scripts via an IRC server
2002 – SDbot
Written by a Russian programmer known as ‘SD’
40 KB of C++ code
First to publish the code for hackers via a website
Provided e-mail and chat support
2002 – Agobot
Modular updates
Spread through Kazaa, Grokster, etc.
8. 2003 – Spybot or Milkit
Derived from SDbot
Comes with spyware capabilities
Spread via file-sharing applications and e-mail
2003 – Rbot
Backdoor trojan controlled over IRC
Compromised vulnerable Microsoft file shares on ports 139 and 445
According to Microsoft's MSRT report of June 2006 - 1.9 million
PCs affected worldwide
2004 – PolyBot
Polymorphism capabilities
Based on Agobot
9. 2005 – MyBot
New version of SpyBot
Hybrid coding
Spread via file-sharing applications and e-mail
2006 – P2P-based bots
1st generation - “SpamThru”, “Nugache”
Based on “Gnutella” file sharing
2nd generation – “Peacomm”
Pure distributed P2P
2007 – “Storm Botnet”
Truly pure P2P
No single point of failure
Provides high resilience and scalability, and is difficult to track
10. 2010 – Stuxnet
Spreads via Microsoft Windows, and
targets Siemens industrial software and equipment
Malware that spies on and subverts industrial systems
Targeted five Iranian organizations - uranium
enrichment infrastructure in Iran
September 2011 – Duqu
Duqu is a computer worm discovered on
1 September 2011
“Operation Duqu” refers to the campaign that used only Duqu,
for goals that remain unknown
11. DDoS
Spam
Sniffing traffic
Keylogging
Installing Advertisement Addons and Browser Helper
Objects (BHOs)
Manipulating online polls/games
Mass ID theft
12. The attacker giving directions to the botnet is usually
referred to as the botherder or controller. Botnets used
to be run by individuals, but in recent years, botnets have
become more 'commercialized', and it is thought that
many botnets nowadays are in the hands of criminal
syndicates.
To control the botnet, the botherder uses an application
known as a client program to issue commands to the bot
programs installed on zombies. This is very similar to how
a backdoor is controlled and allows the botherder to
operate very efficiently, as they can easily give instructions
to a single zombie, or multiple zombies, or even the entire
botnet - all via a single client program.
13. Using the client, the botherder can direct a single zombie
to perform a certain action. For example, it can be ordered
to send all the e-mail addresses stored on its hard drive to a
remote website, where they can be added to a spammer's
mailing list. Alternatively, all the zombies in the botnet can
be commanded to perform the same routine, such as
sending requests to a specific website (basically, a Denial of
Service or DoS attack).
The relationship between the zombies and the client
controlling them is known as a command-and-control
(C&C) infrastructure. The zombie or website or server that
hosts the client is known as the C&C server. The following
image is a simplified view of this infrastructure:
14. (image: simplified view of the C&C infrastructure)
15. Of course, in real life, a botnet's organization can be
far more complicated. Some botnets will use multiple
C&C servers, using the redundancy as a type of
protection; others will have only one C&C server, but
will continually change the machine the client
application is saved on, also for better security.
Botherders put in all these security measures for one
simple reason: the C&C server is the nerve center of
the entire botnet, and also its Achilles heel.
16. These malicious bots can arrive on a victim machine in
many ways. The most common method involves dropping
the bot in the payload of a Trojan or a similar malware.
Other methods include infecting the computer via a drive-
by download, or distributing the bot via spam e-mail
messages with infected attachments.
Once installed, the bot can take control of the system. A
remote attacker can then give commands to the infected
computer via the bot and force it to perform malicious
actions. In this context, a bot is very similar to
a backdoor program, which is also forcibly planted on a
computer and used by a remote attacker to direct the
infected machine.
21. Botnets are considered a menace for three simple
reasons:
• To build them, attackers have to 'steal' a computer
from its legitimate user
• Botnet operations can directly impact large
numbers of real-world organizations and individuals
• Botnets appear to be increasing in size and
capability
22. Widespread Repercussions
Once created, a botnet can be used to commit more malicious acts,
such as stealing data, sending out spam and launching attacks. Even
then, a botnet might be considered only a nuisance if its impact were
limited to a few dozen, or even hundreds of infected machines.
Unfortunately, botnets can perform actions that directly affect
hundreds of thousands, or even millions of people.
With Greater Size Comes Greater Power
Generally, a botnet's potential threat increases with its size, as the
increased resources give the controllers more power or capacity for
their activities. For example, a DoS attack from a massive botnet is even
harder to defend against than a similar attack from a smaller one,
simply because a bigger botnet can generate more attack traffic.
23. An attacker who controls a botnet can do a wide range of actions, both
TO individual machines in the botnet and WITH the entire resources
of the botnet.
Data Harvesting
Most people store highly sensitive personal information on their
computers - personal identification, work-related materials, e-mail
addresses of all contacts and so on. If all these details are stored on a
computer in a botnet, then the bot herder is almost guaranteed access
to it. Such information can be sold, often to criminals intent on
perpetrating or facilitating fraud.
Botnets also actively harvest information related to banking accounts.
For example, during research into the activities of the Torpig botnet in
2007, researchers observed the theft of credentials for thousands of
accounts belonging to hundreds of financial institutions - all in a
period of 10 days.
24. Stolen Resources
Rather than purchase all the hardware and bandwidth necessary for their
operations, botnet controllers can siphon the physical resources they need
(processing power, storage space, bandwidth, etc.) from their zombies. These
resources can be put to various uses, such as:
Cyber attacks
A botnet can be used to launch a Denial of Service (DoS) or Distributed Denial
of Service (DDoS) attack against a target. The target can be any resource linked
to the Internet, be it a major corporate website or a military database.
Spam Generators
Probably the most common way a botnet is used is to send out massive
quantities of spam e-mails. Botnets known to perform this activity include
Srizbi and Storm. To give an idea of the size of this activity, in 2008 about 153
billion spam messages were sent out every day - an estimated 60 percent of
which was botnet-generated.
25. Malware Distributors
Another "product" being distributed by botnets is malware - trojans,
viruses, worms and other things of that ilk. These offerings may be
attached to spam e-mails or sent out via vulnerability exploits, or other
methods.
Storage Space
Zombies in a botnet may also be used as an illicit warehouse to store
all the malicious or objectionable "merchandise" the botnet operators
handle. The stored data may be everything from harvested personal
details to pornographic images.
Rental
Last but not least, botnet 'owners' can rent use of the botnet to other
users, almost always for malicious purposes. This is an increasingly
lucrative activity for the botnet herders. According to Yuval Ben-Itzhak,
Chief Technology Officer of computer security company Finjan, the
botnet controllers can "make as much as $190,000 in one day" renting
out "their" computers.
26. Host-based
Intrusion Detection Systems (IDS)
Anomaly Detection
IRC Nicknames
HoneyPot and HoneyNet
27. Virus scanning
Watching for symptoms
Modification of the Windows hosts file
Random unexplained popups
Machine slowness
Antivirus not working
Watching for suspicious network traffic
Since IRC is not commonly used, any IRC traffic is
suspicious. Sniff this IRC traffic
Check if the host is trying to communicate with any
Command and Control (C&C) center
Through firewall logs, denied connections
28. Example systems: Snort and Bro
Sniff network packets, looking for specific
patterns (called signatures)
If any pattern matches that of a malicious
binary, block that traffic and raise an alert
These systems can efficiently detect
viruses/worms with known signatures
Cannot detect malware whose signature is
unknown (i.e., a zero-day attack)
29. Normal traffic has certain patterns
Bandwidth/port usage
Byte-level characteristics (histograms)
Protocol analysis – gather statistics about
TCP/UDP source and destination addresses
Start/end of flow, byte count
DNS lookups
First learn the normal traffic pattern
Then detect any anomaly in that pattern
Example systems: SNMP, NetFlow
Problems:
Poisoning
Stealth
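The learn-then-detect approach above in Python, as an added example that is not part of the original slides: a per-host baseline of destination ports and flows-per-interval is learned from constructed NetFlow-style records, then a new window is checked for never-seen ports and for flow bursts well above the baseline. All addresses and flows are constructed sample data, and the thresholds (k = 3 standard deviations plus an absolute floor of 5 flows) are assumptions, not values from the slides.

```python
import statistics
from collections import Counter, defaultdict

# Constructed baseline: three intervals of "normal" flows,
# each flow = (src, dst, dst_port, bytes); all addresses are sample values
BASELINE_INTERVALS = [
    [("10.0.0.5", "203.0.113.10", 443, 4200), ("10.0.0.5", "203.0.113.10", 80, 1800),
     ("10.0.0.5", "10.0.0.1", 53, 120), ("10.0.0.7", "10.0.0.1", 53, 100),
     ("10.0.0.7", "203.0.113.10", 443, 5100)],
    [("10.0.0.5", "203.0.113.11", 443, 3900), ("10.0.0.5", "10.0.0.1", 53, 110),
     ("10.0.0.7", "203.0.113.11", 443, 4800)],
    [("10.0.0.5", "203.0.113.10", 443, 4400), ("10.0.0.5", "203.0.113.12", 80, 2000),
     ("10.0.0.7", "203.0.113.10", 443, 5000), ("10.0.0.7", "10.0.0.1", 53, 90),
     ("10.0.0.7", "203.0.113.12", 80, 1500)],
]
# Constructed window to inspect: .5 behaves as before; .7 opens an IRC
# connection (port 6667) and bursts SMB connections (port 445) to 8 hosts
OBSERVED = [("10.0.0.5", "203.0.113.10", 443, 4100), ("10.0.0.5", "10.0.0.1", 53, 115),
            ("10.0.0.7", "198.51.100.9", 6667, 640)] + [
            ("10.0.0.7", f"10.0.0.{i}", 445, 300) for i in range(20, 28)]

def learn_profile(intervals):
    """Per host: destination ports used, mean and stdev of flows per interval."""
    hosts = {f[0] for flows in intervals for f in flows}
    ports, counts = defaultdict(set), defaultdict(list)
    for flows in intervals:
        per_host = Counter(f[0] for f in flows)
        for src in hosts:                     # a host absent this interval counts 0
            counts[src].append(per_host[src])
        for src, _dst, dport, _n in flows:
            ports[src].add(dport)
    return {h: {"ports": ports[h], "mean": statistics.mean(counts[h]),
                "stdev": statistics.pstdev(counts[h])} for h in hosts}

def detect(profile, flows, k=3.0, floor=5):
    """Return sorted (host, reason) alerts: unseen ports and flow-count bursts."""
    alerts = set()
    for src, _dst, dport, _n in flows:
        base = profile.get(src)
        if base is None:
            alerts.add((src, "host absent from baseline"))
        elif dport not in base["ports"]:
            alerts.add((src, f"unseen destination port {dport}"))
    for src, n in Counter(f[0] for f in flows).items():
        base = profile.get(src)
        # require a statistical excess AND an absolute margin (near-zero stdev guard)
        if base and n > max(base["mean"] + k * base["stdev"], base["mean"] + floor):
            alerts.add((src, f"flow burst: {n} flows vs baseline mean {base['mean']:.1f}"))
    return sorted(alerts)
```

The absolute floor keeps a host with a near-constant baseline from alerting on a single extra flow. The poisoning problem listed above appears here too: a host that was already noisy during the learning intervals inherits a high threshold.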
30. Bots use weird nicknames
But they follow certain patterns (really!)
If we can learn those patterns, we can detect bots
& botnets
Example nicknames:
USA|016887436 or DE|028509327
Country | Random number (9 digits)
RBOT|XP|48124
Bot type | Machine type | Random number
Problem: May be defeated by changing the
nickname randomly
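The nickname heuristic in code, as an added example that is not from the original slides: the two shapes quoted above are written as anchored regular expressions and run over a constructed IRC server log; the channel-level ratio check goes slightly beyond the slide, flagging a channel when most of its joiners use a bot-shaped nickname. The log lines, hosts and thresholds are constructed assumptions, and the randomised nickname "xq7Lp9" is deliberately left unmatched to show the problem the slide names.

```python
import re
from collections import defaultdict

# Constructed IRC server log, not a real capture; hosts are sample values.
# The first three nicknames follow the shapes quoted on the slide, "alice",
# "bob" and "carol" are human users, and "xq7Lp9" is a bot using a
# randomised nickname that the patterns below will miss.
IRC_LOG = """\
:USA|016887436!rb@10.0.0.5 JOIN #c
:DE|028509327!rb@10.0.0.7 JOIN #c
:RBOT|XP|48124!rb@10.0.0.9 JOIN #c
:alice!alice@10.0.0.2 JOIN #c
:xq7Lp9!rb@10.0.0.12 JOIN #c
:bob!bob@10.0.0.3 JOIN #chat
:carol!carol@10.0.0.4 JOIN #chat
"""

# The two nickname shapes from the slide, as anchored regular expressions
NICK_PATTERNS = {
    "country|9-digit": re.compile(r"^[A-Z]{2,3}\|\d{9}$"),
    "bottype|os|number": re.compile(r"^[A-Z]+\|[A-Z0-9]{2,5}\|\d{3,6}$"),
}
# ":<nick>!<user>@<host> JOIN <#channel>" as an IRC server logs it
JOIN_RE = re.compile(r"^:([^!\s]+)!\S+ JOIN (#\S+)")

def classify_nick(nick):
    """Name of the matching bot-nickname shape, or None if none matches."""
    for label, rx in NICK_PATTERNS.items():
        if rx.match(nick):
            return label
    return None

def scan_joins(log_text):
    """Return (hits, per_channel): matched nicks, and [joins, hits] per channel."""
    hits, per_channel = [], defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = JOIN_RE.match(line)
        if not m:
            continue
        nick, channel = m.groups()
        per_channel[channel][0] += 1
        label = classify_nick(nick)
        if label:
            per_channel[channel][1] += 1
            hits.append((nick, channel, label))
    return hits, dict(per_channel)

def suspicious_channels(per_channel, min_joins=3, ratio=0.5):
    """Channels where at least `ratio` of joiners use a bot-shaped nickname."""
    return sorted(ch for ch, (joins, matched) in per_channel.items()
                  if joins >= min_joins and matched / joins >= ratio)
```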
31. A HoneyPot is a vulnerable machine, ready to be
attacked
Example: unpatched Windows 2000 or Windows
XP
Once attacked, the malware is caught inside
The malware is analyzed and its activity is
monitored
When it connects to the C&C server, the server’s
identity is revealed
32. Thus much information about the bot is obtained:
C&C server address, master commands
Channel, nickname, password
Now do the following:
Make a fake bot
Join the same IRC channel with the same
nickname/password
Monitor who else is in the channel, thus observing
the botnet
Collect statistics – how many bots
Collect sensitive information – who is being attacked,
when, etc.
33. Finally, take down the botnet
HoneyNet: a network of honeypots (see the
‘HoneyNet Project’)
Very effective, has worked in many cases
They also pose a great security risk
If not maintained properly, hackers may use
them to attack others
Must be monitored cautiously