Presented by:
Muhammad Aniq Eastrarulkhair
    Bin Mohmad Hairin
 What is Botnet
 History of Botnet
 Botnet Usage
 How do they do it
 How a Botnet is controlled
 Why Botnets are a Threat
 Botnet Detection
 Q&A
 The term ‘bot’ (short for ‘robot’) refers to a program that:
  -performs repetitive tasks, OR
  -acts as an ‘agent’ or user interface for controlling
  other programs
 Bots can be very beneficial programs when they are
  designed to assist a human user, either by automating
  a simple task, or by simplifying a user's control over
   various programs or systems. Examples: the Googlebot web crawler
   and game bots.
 Unfortunately, bots can also be created to perform
  malicious tasks that compromise the system or any
  information stored on the machine.
 The 'bot' in botnets definitely refers to the second
  type, as these bots are used by an attacker to 'hijack'
  and control a computer system.
 When more than one computer has the same bot
 installed on it, the multiple infected machines form a
 network, which is under the direct control of the
 attacker. This network is a botnet – a network of
 'enslaved' computer systems infected with malicious
 bot programs. A single machine in a botnet can be
 referred to as a 'bot', a 'zombie' or a 'zombie computer'.
 The roots of botnets go back to August 1988, when IRC
   was invented at the University of Oulu, Finland
 1989 – First bot, “GM”
     -assisted users in managing their own IRC connections
 May 1999 – Pretty Park
    Reported in June 1999 in Central Europe
    Internet worm carrying a password-stealing trojan
 1999 – Subseven
    Remote controlled trojan
 2000 – GTbot (Global Threat)
    New capabilities - port scanning, flooding and cloning
    Support UDP and TCP socket connections
    Support IRC Server to run malicious script
 2002 – SDbot
     Written by a Russian programmer known as ‘SD’
     About 40 KB of C++ code
     First bot whose source code was published for hackers via a website
     Author provided e-mail and chat support
 2002 – Agobot
     Modular, updatable design
     Spread through Kazaa, Grokster and other file-sharing networks
 2003 – Spybot (also known as Milkit)
     Derived from SDbot
     Came with spyware capabilities
     Spread via file-sharing applications and e-mail
 2003 – Rbot
     IRC-controlled backdoor trojan
     Compromised machines through vulnerable Windows shares on ports 139 and 445
     According to Microsoft's MSRT report of June 2006, 1.9 million
      PCs affected worldwide
 2004 – PolyBot
    Polymorphism capabilities
    Based on Agobot
 2005 – MyBot
    New version of SpyBot
    Hybrid coding
    Spread via file sharing applications and e-mail
 2006 – P2P Based Bot
    1st generation - “SpamThru”, “Nugache”
         Basd on “Gnutella” file sharing
      2nd Generation – “Peacomm’
         Pure Distributed P2P

 2007 – “Storm Botnet”
    Truly pure P2P
    No single point of failure
    Provided high resilience, scalability and difficulty in tracking
 2010 – Stuxnet
   spreads via Microsoft Windows, and
      targets Siemens industrial software and equipment
    malware that spies on and subverts industrial systems
    targeted five Iranian organizations - uranium
      enrichment infrastructure in Iran
 September 2011 – Duqu
    Duqu is a computer worm discovered on
   1st September, 2011
    Operation Duqu is the process of only using Duqu for
      unknown goals
 DDoS
 Spam
 Sniffing traffic
 Keylogging
 Installing advertising add-ons and Browser Helper
   Objects (BHOs)
 Manipulating online polls/games
 Mass ID theft
 The attacker giving directions to the botnet is usually
  referred to as the botherder or controller. Botnets used
  to be run by individuals, but in recent years, botnets have
  become more 'commercialized', and it is thought that
  many botnets nowadays are in the hands of criminal
  syndicates.
 To control the botnet, the botherder uses an application
   known as a client program to issue commands to the bot
   programs installed on zombies. This is very similar to how
   a backdoor is controlled and allows the botherder to
   operate very efficiently, as they can easily give instructions
   to a single zombie, multiple zombies, or even the entire
   botnet - all via a single client program.
 Using the client, the botherder can direct a single zombie
  to perform a certain action. For example, it can be ordered
  to send all the e-mail addresses stored on its hard drive to a
  remote website, where it can be added to a spammer's
  mailing list. Alternatively, all the zombies in the botnet can
  be commanded to perform the same routine, such as
  sending requests to a specific website (basically, a Denial of
  Service or DoS attack).

 The relationship between the zombies and the client
   controlling them is known as a command-and-control
   (C&C) infrastructure. The zombie, website or server that
   hosts the client is known as the C&C server. The following
   image is a simplified view of this infrastructure:
 Of course, in real life, a botnet's organization can be
  far more complicated. Some botnets will use multiple
  C&C servers, using the redundancy as a type of
  protection; others will have only one C&C server, but
  will continually change the machine the client
  application is saved on, also for better security.
 Botherders put in all these security measures for one
  simple reason: the C&C server is the nerve center of
  the entire botnet, and also its Achilles heel.
 These malicious bots can arrive on a victim machine in
  many ways. The most common method involves dropping
  the bot in the payload of a Trojan or a similar malware.
  Other methods include infecting the computer via a drive-
  by download, or distributing the bot via spam e-mail
  messages with infected attachments.
 Once installed, the bot can take control of the system. A
  remote attacker can then give commands to the infected
  computer via the bot and force it to perform malicious
  actions. In this context, a bot is very similar to
  a backdoor program, which is also forcibly planted on a
  computer and used by a remote attacker to direct the
  infected machine.
 Botnets are considered a menace for three simple
  reasons:

  • To build them, attackers have to 'steal' a computer
 from its legitimate user
  • Botnet operations can directly impact large
 numbers of real-world organizations and individuals
  • Botnets appear to be increasing in size and
 capability
 Widespread Repercussions
 Once created, a botnet can be used to commit more malicious acts,
  such as stealing data, sending out spam and launching attacks. Even
  then, a botnet might be considered only a nuisance if its impact were
  limited to a few dozen, or even hundreds of infected machines.
  Unfortunately, botnets can perform actions that directly affect
  hundreds of thousands, or even millions of people.

 With Greater Size Comes Greater Power
 Generally, a botnet's potential threat increases with its size, as the
   increased resources give the controllers more power or capacity for
   their activities. For example, a DoS attack from a massive botnet is even
   harder to defend against than a similar attack from a smaller one,
   simply because a bigger botnet can generate more attack traffic.
 An attacker who controls a botnet can do a wide range of actions, both
  TO individual machines in the botnet and WITH the entire resources
  of the botnet.

 Data Harvesting
 Most people store highly sensitive personal information on their
  computers - personal identification, work-related materials, e-mail
  addresses of all contacts and so on. If all these details are stored on a
  computer in a botnet, then the bot herder is almost guaranteed access
  to it. Such information can be sold, often to criminals intent on
  perpetrating or facilitating fraud.
   Botnets also actively harvest information related to banking accounts.
   For example, during research into the activities of the Torpig botnet in
   2009, researchers observed the theft of credentials for thousands of
   accounts belonging to hundreds of financial institutions - all in a
   period of 10 days.
 Stolen Resources
 Rather than purchase all the hardware and bandwidth necessary for their
  operations, botnet controllers can siphon the physical resources they need
  (processing power, storage space, bandwidth, etc) from their zombies. These
  resources can be put to various uses, such as:


 Cyber attacks
  A botnet can be used to launch a Denial of Service (DoS) or Distributed Denial
  of Service (DDoS) attack against a target. The target can be any resource linked
  to the Internet, be it a major corporate website or a military database.
 Spam Generators
   Probably the most common way a botnet is used is to send out massive
   quantities of spam e-mail. Botnets known to perform this activity include
   Srizbi and Storm. To give an idea of the scale of this activity, in 2008 about 153
   billion spam messages were sent out every day - an estimated 60 percent of
   which were botnet-generated.
 Malware Distributors
  Another "product" being distributed by botnets is malware - trojans,
  viruses, worms and other things of that ilk. These offerings may be
  attached to spam e-mails or sent out via vulnerability exploits, or other
  methods.
 Storage Space
  Zombies in a botnet may also be used is as an illicit warehouse to store
  all the malicious or objectionable "merchandise" the botnet operators
  handle. The stored data may be everything from harvested personal
  details to pornographic images.

 Rental
 Last but not least, botnet 'owners' can rent use of the botnet to other
  users, almost always for malicious purposes. This is an increasingly
  lucrative activity for the botnet herders. According to Yuval Ben-Itzhak,
  Chief Technology Officer of computer security company Finjan, the
  botnet controllers can "make as much as $190,000 in one day" renting
  out "their" computers.
 Host Based
 Intrusion Detection Systems (IDS)
 Anomaly Detection
 IRC Nicknames
 HoneyPot and HoneyNet
Virus scanning
Watching for symptoms
  Modification of the Windows hosts file
  Random, unexplained pop-ups
  Machine slowness
  Antivirus not working
Watching for suspicious network traffic
  Since IRC is not commonly used on most networks, any IRC traffic is
  suspicious: sniff it and inspect it
  Check whether a host is trying to reach a
  command-and-control (C&C) server
    Firewall logs showing repeated denied connections to the same
    outside address are a typical sign
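As an added example (not part of the original slides), the following Python script applies the two checks above to firewall log lines: any connection to an IRC port, and a host repeatedly denied a connection to the same outside address at a regular interval, which is what a bot retrying its C&C server looks like. The log line format, the sample log and all addresses are constructed for this example; adapt `LOG_RE` to your own firewall's export format.

```python
"""Added example, not from the original slides: scan firewall log lines for
traffic to IRC ports and for hosts repeatedly denied a connection to the same
destination (a bot polling its C&C).  Log format and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed (constructed) log line format:
#   <ISO timestamp> <ALLOW|DENY> <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Common IRC server ports; on a network where IRC is not used, any hit is suspicious.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}

# Constructed sample log: one host talks IRC, one host retries a blocked
# destination every 60 seconds, the rest is ordinary traffic.
SAMPLE_LOG = """\
2012-03-01T10:00:01 ALLOW TCP 10.0.0.5:51001 -> 93.184.216.34:443
2012-03-01T10:00:02 ALLOW TCP 10.0.0.7:51002 -> 203.0.113.9:6667
2012-03-01T10:00:05 DENY TCP 10.0.0.9:51003 -> 198.51.100.20:8080
2012-03-01T10:01:05 DENY TCP 10.0.0.9:51004 -> 198.51.100.20:8080
2012-03-01T10:02:05 DENY TCP 10.0.0.9:51005 -> 198.51.100.20:8080
2012-03-01T10:03:05 DENY TCP 10.0.0.9:51006 -> 198.51.100.20:8080
2012-03-01T10:03:07 ALLOW UDP 10.0.0.5:51007 -> 10.0.0.1:53
2012-03-01T10:03:09 DENY TCP 10.0.0.5:51008 -> 192.0.2.77:25
"""


def parse(lines):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec


def find_irc_clients(records):
    """(src, dst, dport) for every connection attempt to an IRC port, allowed or denied."""
    return {(r["src"], r["dst"], r["dport"]) for r in records if r["dport"] in IRC_PORTS}


def find_denied_beacons(records, min_attempts=3):
    """Hosts denied at least min_attempts times to the same destination.
    Returns {(src, dst, dport): (attempts, median seconds between attempts)};
    a short, regular interval is the signature of a bot polling its C&C."""
    times = defaultdict(list)
    for r in records:
        if r["action"] == "DENY":
            times[(r["src"], r["dst"], r["dport"])].append(datetime.fromisoformat(r["ts"]))
    beacons = {}
    for key, ts in times.items():
        if len(ts) >= min_attempts:
            ts.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
            beacons[key] = (len(ts), median(gaps))
    return beacons


def analyse(log_text):
    """Run both checks over a log and return their findings."""
    records = list(parse(log_text.splitlines()))
    return {"irc": find_irc_clients(records), "beacons": find_denied_beacons(records)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for src, dst, port in sorted(result["irc"]):
        print(f"IRC traffic: {src} -> {dst}:{port}")
    for (src, dst, port), (n, gap) in sorted(result["beacons"].items()):
        print(f"Repeated denied connection: {src} -> {dst}:{port} x{n}, every {gap:.0f}s")
```

The single denied SMTP attempt from 10.0.0.5 is not reported: one blocked connection is noise, a series of them to the same address at a fixed interval is a beacon. Bots that use a non-standard port for IRC will pass the first check, which is why the second one matters.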
 Example systems: Snort and Bro (now Zeek)
 Sniff network packets and look for specific
   byte patterns (called signatures)
 If a pattern matches that of a known malicious
   binary or protocol, block the traffic and raise an alert
 These systems can efficiently detect
   viruses/worms with known signatures
 Cannot detect malware whose signature is
   unknown (i.e., a zero-day attack)
Normal traffic has some patterns
  Bandwidth/port usage
  Byte-level characteristics (histograms)
  Protocol analysis – gather statistics about
    TCP/UDP source and destination addresses
    Start/end of flow, byte count
    DNS lookups
First learn the normal traffic pattern
Then detect any deviation from that pattern
Example data sources: SNMP counters, NetFlow records
Problems:
  Poisoning – if the bot is already present during learning, or the attacker
    ramps up slowly, its traffic becomes part of the 'normal' baseline
  Stealth – a bot that keeps its traffic within the normal range is never flagged
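As an added example (not part of the original slides), the following Python code is a minimal anomaly detector of the kind described above: it learns a per-host baseline of bytes per interval from NetFlow-style records, flags intervals that deviate from it by more than three standard deviations, and then shows the poisoning problem, where a bot that ramps its traffic slowly during the learning period makes a later spam run look normal. All flow records, the host address and the byte counts are constructed for this example.

```python
"""Added example, not from the original slides: baseline-and-deviation traffic
anomaly detection over constructed NetFlow-style records, with a demonstration
of baseline poisoning."""
from collections import defaultdict
from statistics import mean, pstdev

HOST = "10.0.0.5"          # constructed internal host


def bytes_per_interval(flows):
    """Aggregate (interval, host, dst_port, bytes) records into {host: {interval: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for interval, host, _port, nbytes in flows:
        totals[host][interval] += nbytes
    return totals


def learn_baseline(flows):
    """Per-host (mean, standard deviation) of bytes per interval during learning."""
    baseline = {}
    for host, series in bytes_per_interval(flows).items():
        values = list(series.values())
        baseline[host] = (mean(values), pstdev(values))
    return baseline


def detect(flows, baseline, z_threshold=3.0):
    """Return [(host, interval, z)] for intervals more than z_threshold standard
    deviations above the host's learned baseline.  Hosts never seen during
    learning have no baseline and are always flagged."""
    alerts = []
    for host, series in bytes_per_interval(flows).items():
        mu, sigma = baseline.get(host, (0.0, 0.0))
        for interval, total in sorted(series.items()):
            z = (total - mu) / sigma if sigma else float("inf")
            if z > z_threshold:
                alerts.append((host, interval, round(z, 1)))
    return alerts


def training_flows(poisoned=False):
    """Twenty learning intervals.  Clean: steady HTTPS plus a little DNS.
    Poisoned: the bot is already installed and ramps its SMTP volume by
    100 KB per interval, so a large spread becomes part of 'normal'."""
    flows = []
    for t in range(20):
        flows.append((t, HOST, 443, 50_000 + 1_000 * (t % 3)))
        flows.append((t, HOST, 53, 2_000))
        if poisoned:
            flows.append((t, HOST, 25, 100_000 * t))
    return flows


def spam_run_flows():
    """Observation interval: the bot is ordered to spam, 2 MB of SMTP in one interval."""
    return [(21, HOST, 443, 51_000), (21, HOST, 25, 2_000_000)]


def run(poisoned):
    """Learn on the chosen training window, then score the spam run."""
    return detect(spam_run_flows(), learn_baseline(training_flows(poisoned)))


if __name__ == "__main__":
    print("clean baseline   :", run(poisoned=False))   # spam run flagged, z in the thousands
    print("poisoned baseline:", run(poisoned=True))    # nothing flagged, z is under 2
```

With the clean baseline the host's per-interval volume has a standard deviation of under 1 KB, so the 2 MB spam run scores a z of several thousand. With the poisoned baseline the mean is about 1 MB and the standard deviation about 577 KB, so the same spam run scores a z of about 1.8 and is never reported. The practical consequence is that a baseline must be learned from traffic you have independent reason to trust, and re-learned only under supervision.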
Bots use weird nicknames
But they follow certain patterns (really!)
If we can learn these patterns, we can detect bots
& botnets
Example nicknames:
  USA|016887436 or DE|028509327
  Country | Random number (9 digits)
  RBOT|XP|48124
  Bot type | Machine type | Random number
Problem: May be defeated by changing the
nickname format randomly
A HoneyPot is a deliberately vulnerable machine, ready to be
attacked
Example: unpatched Windows 2000 or Windows
XP
Once attacked, the malware is caught inside
The malware is analyzed and its activity is
monitored
When it connects to the C&C server, the server's
identity is revealed
Thus much information about the bot is obtained
  C&C server address, master commands
  Channel, nickname, password
Now do the following
  make a fake bot
  join the same IRC channel with the same
  nickname/password
  monitor who else is in the channel, thus observing
  the botnet
  collect statistics – how many bots
  collect sensitive information – who is being attacked,
  when, etc.
Finally, take down the botnet
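As an added example (not part of the original slides), the following Python code carries out the observation steps of the procedure above, and at the same time implements the nickname-pattern detection from the previous slide, on a captured IRC session. It parses raw IRC server messages, classifies channel members by the nickname patterns shown on the slides, counts the bots, and records what the controller tells the channel to do. The capture, the channel name, the nicknames, the observer's nick (`honeybot`) and the command syntax (`.scan.start`, `.ddos.syn`) are constructed for this example and do not reproduce any particular bot family; in a real engagement the fake bot would join with the nickname and password recovered from the honeypot.

```python
"""Added example, not from the original slides: classify IRC channel members by
bot-nickname pattern and extract the controller's commands from a captured
IRC session.  The capture and the command syntax are constructed."""
import re

# Nickname patterns from the slides: "Country|9 digits" and "Bot type|Machine type|number".
BOT_NICK_PATTERNS = {
    "country|number": re.compile(r"^[A-Z]{2,3}\|\d{9}$"),
    "bottype|os|number": re.compile(r"^[A-Za-z]+\|(XP|2K|NT|ME|98)\|\d{3,}$"),
}

# Constructed capture of what the IRC server sent the observer client
# ("honeybot", assumed nick) after it joined the channel learned from the honeypot.
CAPTURE = """\
:irc.example.net 001 honeybot :Welcome to the network
:irc.example.net 332 honeybot #botchan :.scan.start 445 200 0 -r
:irc.example.net 353 honeybot = #botchan :@m4st3r USA|016887436 DE|028509327 RBOT|XP|48124 RBOT|2K|90211 honeybot
:irc.example.net 366 honeybot #botchan :End of /NAMES list.
PING :irc.example.net
:m4st3r!own@203.0.113.1 PRIVMSG #botchan :.ddos.syn 198.51.100.7 80 600
:USA|016887436!x@10.9.8.7 PRIVMSG #botchan :scan: exploited 192.0.2.45
"""


def classify_nick(nick):
    """Return the matching bot-nickname pattern name, or None for an ordinary nick."""
    nick = nick.lstrip("@+%")               # strip channel status prefixes (op, voice, ...)
    for name, rx in BOT_NICK_PATTERNS.items():
        if rx.match(nick):
            return name
    return None


def parse_irc_line(line):
    """Split an RFC 1459 message into (prefix, command, params, trailing)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    return prefix, parts[0], parts[1:], trailing


def observe(lines):
    """Build a picture of the channel: which members look like bots, and what
    orders were issued (the channel topic and messages from non-bot nicks)."""
    report = {"channel": None, "bots": {}, "others": set(), "commands": []}
    for raw in lines:
        if not raw.strip():
            continue
        prefix, cmd, params, trailing = parse_irc_line(raw.strip())
        if cmd == "353":                     # RPL_NAMREPLY: channel member list
            report["channel"] = params[-1]
            for nick in (trailing or "").split():
                bare = nick.lstrip("@+%")
                pattern = classify_nick(bare)
                if pattern:
                    report["bots"][bare] = pattern
                else:
                    report["others"].add(bare)
        elif cmd == "332":                   # RPL_TOPIC: some botnets keep the standing order here
            report["commands"].append(("topic", trailing or ""))
        elif cmd == "PRIVMSG" and params and params[0].startswith("#"):
            sender = (prefix or "").split("!", 1)[0]
            if sender not in report["bots"]: # bots report back; non-bots give orders
                report["commands"].append((sender, trailing or ""))
    return report


if __name__ == "__main__":
    r = observe(CAPTURE.splitlines())
    print(f"{r['channel']}: {len(r['bots'])} bots, others={sorted(r['others'])}")
    for nick, pattern in r["bots"].items():
        print(f"  bot {nick:<16} matches {pattern}")
    for sender, text in r["commands"]:
        print(f"  command from {sender}: {text}")
```

The status line sent by the USA|016887436 bot is not recorded as a command because its sender was classified as a bot from the member list; the topic is recorded because many IRC botnets of this generation issued the standing order through it. A live observer would additionally watch JOIN and PART messages to keep the member count current, and must itself never answer commands, or it becomes one more bot.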
HoneyNet: a network of honeypots (see the
'Honeynet Project')
Very effective, has worked in many cases
They also pose a great security risk
  If not maintained properly, an attacker may use
  them to attack others
  Must be monitored cautiously
Mcs2453 aniq mc101053-assignment1

Contenu connexe

Tendances

Tendances (20)

Botnets
BotnetsBotnets
Botnets
 
Botnets
BotnetsBotnets
Botnets
 
BotNet Attacks
BotNet AttacksBotNet Attacks
BotNet Attacks
 
BOTNET
BOTNETBOTNET
BOTNET
 
Botnet Detection Techniques
Botnet Detection TechniquesBotnet Detection Techniques
Botnet Detection Techniques
 
Botnet Architecture
Botnet ArchitectureBotnet Architecture
Botnet Architecture
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
Information security
Information securityInformation security
Information security
 
Tracing Back The Botmaster
Tracing Back The BotmasterTracing Back The Botmaster
Tracing Back The Botmaster
 
introduction to Botnet
introduction to Botnetintroduction to Botnet
introduction to Botnet
 
C 7
C 7C 7
C 7
 
Modern cyber threats_and_how_to_combat_them_panel
Modern cyber threats_and_how_to_combat_them_panelModern cyber threats_and_how_to_combat_them_panel
Modern cyber threats_and_how_to_combat_them_panel
 
Bot software spreads, causes new worries
Bot software spreads, causes new worriesBot software spreads, causes new worries
Bot software spreads, causes new worries
 
Botnets And Alife
Botnets And AlifeBotnets And Alife
Botnets And Alife
 
Fundamentals of Computing Chapter 9
Fundamentals of Computing Chapter 9Fundamentals of Computing Chapter 9
Fundamentals of Computing Chapter 9
 
Presentation1
Presentation1Presentation1
Presentation1
 
5 network-security-threats
5 network-security-threats5 network-security-threats
5 network-security-threats
 
Bots and Botnet
Bots and BotnetBots and Botnet
Bots and Botnet
 
I.T Security Threats
I.T Security ThreatsI.T Security Threats
I.T Security Threats
 
SECURITY THREATS AND SAFETY MEASURES
SECURITY THREATS AND SAFETY MEASURESSECURITY THREATS AND SAFETY MEASURES
SECURITY THREATS AND SAFETY MEASURES
 

Similaire à Mcs2453 aniq mc101053-assignment1

All you know about Botnet
All you know about BotnetAll you know about Botnet
All you know about BotnetNaveen Titare
 
Guarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social NetworkGuarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social NetworkEditor IJCATR
 
Detection of Botnets using Honeypots and P2P Botnets
Detection of Botnets using Honeypots and P2P BotnetsDetection of Botnets using Honeypots and P2P Botnets
Detection of Botnets using Honeypots and P2P BotnetsCSCJournals
 
How spam change the world
How spam change the world How spam change the world
How spam change the world Farhaan Bukhsh
 
A Dynamic Botnet Detection Model based on Behavior Analysis
A Dynamic Botnet Detection Model based on Behavior AnalysisA Dynamic Botnet Detection Model based on Behavior Analysis
A Dynamic Botnet Detection Model based on Behavior Analysisidescitation
 
“Design and Detection of Mobile Botnet Attacks”
“Design and Detection of Mobile Botnet Attacks”“Design and Detection of Mobile Botnet Attacks”
“Design and Detection of Mobile Botnet Attacks”iosrjce
 
Botnet Attacks How They Work and How to Defend Against Them.pdf
Botnet Attacks How They Work and How to Defend Against Them.pdfBotnet Attacks How They Work and How to Defend Against Them.pdf
Botnet Attacks How They Work and How to Defend Against Them.pdfuzair
 
A short visit to the bot zoo
A short visit to the bot zooA short visit to the bot zoo
A short visit to the bot zooUltraUploader
 
Understanding the Botnet Phenomenon
Understanding the Botnet PhenomenonUnderstanding the Botnet Phenomenon
Understanding the Botnet PhenomenonDr. Amarjeet Singh
 
Detecting HTTP Botnet using Artificial Immune System (AIS)
Detecting HTTP Botnet using Artificial Immune System (AIS)Detecting HTTP Botnet using Artificial Immune System (AIS)
Detecting HTTP Botnet using Artificial Immune System (AIS)sadique_ghitm
 
Face expressions, facial features, kinect sensor, face tracking SDK, neural n...
Face expressions, facial features, kinect sensor, face tracking SDK, neural n...Face expressions, facial features, kinect sensor, face tracking SDK, neural n...
Face expressions, facial features, kinect sensor, face tracking SDK, neural n...iosrjce
 
Untitled document.pdf
Untitled document.pdfUntitled document.pdf
Untitled document.pdfgoogle
 
Lab3code.c#include stdio.h#include stdlib.h#include.docx
Lab3code.c#include stdio.h#include stdlib.h#include.docxLab3code.c#include stdio.h#include stdlib.h#include.docx
Lab3code.c#include stdio.h#include stdlib.h#include.docxsmile790243
 
Bots and malware
Bots and malwareBots and malware
Bots and malwareDoron Segal
 

Similaire à Mcs2453 aniq mc101053-assignment1 (20)

Botnets
BotnetsBotnets
Botnets
 
All you know about Botnet
All you know about BotnetAll you know about Botnet
All you know about Botnet
 
Guarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social NetworkGuarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social Network
 
How To Protect Your Website From Bot Attacks
How To Protect Your Website From Bot AttacksHow To Protect Your Website From Bot Attacks
How To Protect Your Website From Bot Attacks
 
BOTNETS
BOTNETSBOTNETS
BOTNETS
 
Detection of Botnets using Honeypots and P2P Botnets
Detection of Botnets using Honeypots and P2P BotnetsDetection of Botnets using Honeypots and P2P Botnets
Detection of Botnets using Honeypots and P2P Botnets
 
How spam change the world
How spam change the world How spam change the world
How spam change the world
 
A Dynamic Botnet Detection Model based on Behavior Analysis
A Dynamic Botnet Detection Model based on Behavior AnalysisA Dynamic Botnet Detection Model based on Behavior Analysis
A Dynamic Botnet Detection Model based on Behavior Analysis
 
P01761113118
P01761113118P01761113118
P01761113118
 
“Design and Detection of Mobile Botnet Attacks”
“Design and Detection of Mobile Botnet Attacks”“Design and Detection of Mobile Botnet Attacks”
“Design and Detection of Mobile Botnet Attacks”
 
Botnet
BotnetBotnet
Botnet
 
Botnet Attacks How They Work and How to Defend Against Them.pdf
Botnet Attacks How They Work and How to Defend Against Them.pdfBotnet Attacks How They Work and How to Defend Against Them.pdf
Botnet Attacks How They Work and How to Defend Against Them.pdf
 
A short visit to the bot zoo
A short visit to the bot zooA short visit to the bot zoo
A short visit to the bot zoo
 
Understanding the Botnet Phenomenon
Understanding the Botnet PhenomenonUnderstanding the Botnet Phenomenon
Understanding the Botnet Phenomenon
 
Detecting HTTP Botnet using Artificial Immune System (AIS)
Detecting HTTP Botnet using Artificial Immune System (AIS)Detecting HTTP Botnet using Artificial Immune System (AIS)
Detecting HTTP Botnet using Artificial Immune System (AIS)
 
L017326972
L017326972L017326972
L017326972
 
Face expressions, facial features, kinect sensor, face tracking SDK, neural n...
Face expressions, facial features, kinect sensor, face tracking SDK, neural n...Face expressions, facial features, kinect sensor, face tracking SDK, neural n...
Face expressions, facial features, kinect sensor, face tracking SDK, neural n...
 
Untitled document.pdf
Untitled document.pdfUntitled document.pdf
Untitled document.pdf
 
Lab3code.c#include stdio.h#include stdlib.h#include.docx
Lab3code.c#include stdio.h#include stdlib.h#include.docxLab3code.c#include stdio.h#include stdlib.h#include.docx
Lab3code.c#include stdio.h#include stdlib.h#include.docx
 
Bots and malware
Bots and malwareBots and malware
Bots and malware
 

Dernier

Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting DataJhengPantaleon
 
MENTAL STATUS EXAMINATION format.docx
MENTAL     STATUS EXAMINATION format.docxMENTAL     STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxPoojaSen20
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfUmakantAnnand
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxRoyAbrique
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppCeline George
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 

Dernier (20)

Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
 
MENTAL STATUS EXAMINATION format.docx
MENTAL     STATUS EXAMINATION format.docxMENTAL     STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docx
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.Compdf
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 

Mcs2453 aniq mc101053-assignment1

  • 1. Present By: Muhammad Aniq Eastrarulkhair Bin Mohmad Hairin
  • 2.  What is Botnet  History of Botnet  Botnet Usage  How do they do it  How a Botnet is controlled  Why are Botnet is a Threat  Botnet Detection  Q&A
  • 3.  The term ‘bot’ or ‘robot’ refer to a program that: -perform repetitive tasks OR -Acts as an ‘agent’ or user interface for controlling others program  Bots can be very beneficial programs when they are designed to assist a human user, either by automating a simple task, or by simplifying a user's control over various programs or systems. Example google bot and game bot.
  • 4.  Unfortunately, bots can also be created to perform malicious tasks that compromise the system or any information stored on the machine.  The 'bot' in botnets definitely refers to the second type, as these bots are used by an attacker to 'hijack' and control a computer system.
  • 5.  When more than one computer has the same bot installed on it, the multiple infected machines form a network, which is under the direct control of the attacker. This network is a botnet – a network of 'enslaved' computer systems infected with malicious bot programs. A single machine in a botnet can be referred to as a 'bot', a 'zombie' or a 'zombie computer'.
  • 6.  First existence of botnet started in August 1988 when IRC invented at University of Oulu, Finland  1989 - First bot - “GM”  -assist user to manage their own IRC Connections  May 1999 – Pretty park  Reported in June 1999 in Central Europe  Internet Worm – a password stealing trojan  1999 – Subseven  Remote controlled trojan
  • 7.  2000 – GTbot (Global Threat)  New capabilities - port scanning, flooding and cloning  Support UDP and TCP socket connections  Support IRC Server to run malicious script  2002 – SDbot  Written by Russian Programmer by the name ‘SD’  40Kb – C++ Code  First to publish the code for hackers via website  Provided e-mail and chat for support  2002 – Agobot  Modular update  Spread through Kazaa, Grokser and etc
  • 8.  2003 – Spybot or Milkit  Derived from SDbot  Come with spyware capabilities  Spread via file sharing applications and e-mail  2003 – Rbot  Backdoor trojan on IRC  Compromised Microsoft vulnerable share Port 139 and 445  Based on MSRT Report in June 2006 by Microsoft - 1.9 million PCs affected worldwide  2004 – PolyBot  Polymorphism capabilities  Based on Agobot
  • 9.  2005 – MyBot  New version of SpyBot  Hybrid coding  Spread via file sharing applications and e-mail  2006 – P2P Based Bot  1st generation - “SpamThru”, “Nugache”  Basd on “Gnutella” file sharing  2nd Generation – “Peacomm’  Pure Distributed P2P  2007 – “Storm Botnet”  Truly pure P2P  No single point of failure  Provided high resilience, scalability and difficulty in tracking
  • 10.  2010 – Stuxnet  spreads via Microsoft Windows, and targets Siemens industrial software and equipment  malware that spies on and subverts industrial systems  targeted five Iranian organizations - uranium enrichment infrastructure in Iran  September 2011 – Duqu  Duqu is a computer worm discovered on 1st September, 2011  Operation Duqu is the process of only using Duqu for unknown goals
  • 11.  DDOS  Spam  Sniffing traffic  Keylogging  Installing Advertisement Addons and Browser Helper Objects (BHOs)  Manipulating online polls/games  Mass ID theft
• 12.
 The attacker giving directions to the botnet is usually referred to as the botherder or controller. Botnets used to be run by individuals, but in recent years botnets have become more 'commercialized', and it is thought that many botnets nowadays are in the hands of criminal syndicates.
 To control the botnet, the botherder uses an application known as a client program to issue commands to the bot programs installed on zombies. This is very similar to how a backdoor is controlled and allows the botherder to operate very efficiently, as they can easily give instructions to a single zombie, to multiple zombies, or even to the entire botnet - all via a single client program.
• 13.
 Using the client, the botherder can direct a single zombie to perform a certain action. For example, it can be ordered to send all the e-mail addresses stored on its hard drive to a remote website, where they can be added to a spammer's mailing list. Alternatively, all the zombies in the botnet can be commanded to perform the same routine, such as sending requests to a specific website (basically, a Denial of Service or DoS attack).
 The relationship between the zombies and the client controlling them is known as a command-and-control (C&C) infrastructure. The zombie, website or server that hosts the client is known as the C&C server. The following image is a simplified view of this infrastructure:
• 14. [image: simplified view of the C&C infrastructure]
• 15.
 Of course, in real life a botnet's organization can be far more complicated. Some botnets will use multiple C&C servers, using the redundancy as a type of protection; others will have only one C&C server but will continually change the machine the client application is saved on, also for better security.
 Botherders put in all these security measures for one simple reason: the C&C server is the nerve center of the entire botnet, and also its Achilles heel.
• 16.
 These malicious bots can arrive on a victim machine in many ways. The most common method involves dropping the bot in the payload of a Trojan or similar malware. Other methods include infecting the computer via a drive-by download, or distributing the bot via spam e-mail messages with infected attachments.
 Once installed, the bot can take control of the system. A remote attacker can then give commands to the infected computer via the bot and force it to perform malicious actions. In this context, a bot is very similar to a backdoor program, which is also forcibly planted on a computer and used by a remote attacker to direct the infected machine.
• 21.
 Botnets are considered a menace for three simple reasons:
    - To build them, attackers have to 'steal' a computer from its legitimate user
    - Botnet operations can directly impact large numbers of real-world organizations and individuals
    - Botnets appear to be increasing in size and capability
• 22.
 Widespread Repercussions
 Once created, a botnet can be used to commit more malicious acts, such as stealing data, sending out spam and launching attacks. Even then, a botnet might be considered only a nuisance if its impact were limited to a few dozen, or even hundreds, of infected machines. Unfortunately, botnets can perform actions that directly affect hundreds of thousands, or even millions, of people.
 With Greater Size Comes Greater Power
 Generally, a botnet's potential threat increases with its size, as the increased resources give the controllers more power or capacity for their activities. For example, a DoS attack from a massive botnet is even harder to defend against than a similar attack from a smaller one, simply because a bigger botnet can generate more attack traffic.
• 23.
 An attacker who controls a botnet can perform a wide range of actions, both TO individual machines in the botnet and WITH the entire resources of the botnet.
 Data Harvesting
 Most people store highly sensitive personal information on their computers - personal identification, work-related materials, e-mail addresses of all contacts and so on. If all these details are stored on a computer in a botnet, then the bot herder is almost guaranteed access to them. Such information can be sold, often to criminals intent on perpetrating or facilitating fraud. Botnets also actively harvest information related to banking accounts. For example, during research into the activities of the Torpig botnet in 2007, researchers observed the theft of credentials for thousands of accounts belonging to hundreds of financial institutions - all in a period of 10 days.
• 24.
 Stolen Resources
 Rather than purchase all the hardware and bandwidth necessary for their operations, botnet controllers can siphon the physical resources they need (processing power, storage space, bandwidth, etc.) from their zombies. These resources can be put to various uses, such as:
 Cyber attacks
 A botnet can be used to launch a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack against a target. The target can be any resource linked to the Internet, be it a major corporate website or a military database.
 Spam Generators
 Probably the most common way a botnet is used is to send out massive quantities of spam e-mails. Botnets known to perform this activity include Srizbi and Storm. To give an idea of the size of this activity, in 2008 about 153 billion spam messages were sent out every day - an estimated 60 percent of which was botnet-generated.
• 25.
 Malware Distributors
 Another "product" being distributed by botnets is malware - trojans, viruses, worms and other things of that ilk. These offerings may be attached to spam e-mails, sent out via vulnerability exploits, or distributed by other methods.
 Storage Space
 Zombies in a botnet may also be used as an illicit warehouse to store all the malicious or objectionable "merchandise" the botnet operators handle. The stored data may be anything from harvested personal details to pornographic images.
 Rental
 Last but not least, botnet 'owners' can rent use of the botnet to other users, almost always for malicious purposes. This is an increasingly lucrative activity for the botnet herders. According to Yuval Ben-Itzhak, Chief Technology Officer of computer security company Finjan, botnet controllers can "make as much as $190,000 in one day" renting out "their" computers.
• 26.
 Host based
 Intrusion Detection Systems (IDS)
 Anomaly detection
 IRC nicknames
 HoneyPot and HoneyNet
• 27.
 Virus scanning
 Watching for symptoms
    - Modification of the Windows hosts file
    - Random unexplained popups
    - Machine slowness
    - Antivirus not working
 Watching for suspicious network traffic
    - Since IRC is not commonly used, any IRC traffic is suspicious; sniff this IRC traffic
    - Check whether the host is trying to communicate with any Command and Control (C&C) center
    - Through firewall logs: denied connections
• 28.
 Example systems: Snort and Bro
 Sniff network packets and look for specific patterns (called signatures)
 If any pattern matches that of a malicious binary, block that traffic and raise an alert
 These systems can efficiently detect viruses/worms having known signatures
 Can't detect any malware whose signature is unknown (i.e., a zero-day attack)
• 29.
 Normal traffic has some patterns
    - Bandwidth/port usage
    - Byte-level characteristics (histograms)
    - Protocol analysis – gather statistics about TCP/UDP source and destination addresses
    - Start/end of flow, byte count
    - DNS lookups
 First learn the normal traffic pattern, then detect any anomaly in that pattern
 Example systems: SNMP, NetFlow
 Problems: poisoning, stealth
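The learn-then-detect approach on slide 29, as an added example that is not part of the presentation: a baseline is learned from per-host NetFlow-style aggregates, and a later window is scored against it. The records, hosts, feature set and z-score threshold are all constructed assumptions.

```python
"""Baseline-then-detect anomaly check over constructed NetFlow-style records.
Hypothetical example: the record layout, features and threshold are assumptions."""
import statistics
from collections import defaultdict

# Constructed records: (src_host, dst_port, byte_count, dns_lookups) for one window
NORMAL = [
    ("10.0.0.1", 443, 52000, 12), ("10.0.0.2", 443, 48000, 10),
    ("10.0.0.3", 80, 61000, 15), ("10.0.0.4", 443, 55000, 11),
    ("10.0.0.5", 443, 50000, 13), ("10.0.0.6", 80, 47000, 9),
]
# Constructed later window: one host now talks on the IRC port, pushes far more
# bytes (spam/DDoS-like) and shows a DNS lookup spike (C&C resolution-like).
OBSERVED = NORMAL[:5] + [("10.0.0.6", 6667, 900000, 120)]

FEATURES = ("bytes", "dns")

def aggregate(records):
    """Sum bytes and DNS lookups per host and collect the ports each host used."""
    per_host = defaultdict(lambda: {"bytes": 0, "dns": 0, "ports": set()})
    for host, port, nbytes, dns in records:
        per_host[host]["bytes"] += nbytes
        per_host[host]["dns"] += dns
        per_host[host]["ports"].add(port)
    return per_host

def learn_baseline(records):
    """Mean/population-stdev per feature across hosts, plus the set of ports seen.
    Caveat from the slide: if bots are already active in the training window the
    baseline is poisoned and their behaviour becomes 'normal'."""
    agg = aggregate(records)
    stats = {}
    for f in FEATURES:
        vals = [h[f] for h in agg.values()]
        stats[f] = (statistics.mean(vals), statistics.pstdev(vals))
    ports = set().union(*(h["ports"] for h in agg.values()))
    return {"stats": stats, "ports": ports}

def detect(records, baseline, z_limit=3.0):
    """Return {host: [reasons]} for hosts deviating from the learned pattern."""
    alerts = defaultdict(list)
    for host, h in aggregate(records).items():
        for f in FEATURES:
            mean, sd = baseline["stats"][f]
            if sd and (h[f] - mean) / sd > z_limit:
                alerts[host].append(f"{f} z-score above {z_limit}")
        for p in sorted(h["ports"] - baseline["ports"]):
            alerts[host].append(f"unseen port {p}")
    return dict(alerts)
```

A stealthy bot that keeps its volume inside the baseline (the slide's second problem) would not trip the z-score check, which is why the port check is kept alongside it.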
• 30.
 Bots use weird nicknames, but they have a certain pattern (really!)
 If we can learn that pattern, we can detect bots and botnets
 Example nicknames:
    - USA|016887436 or DE|028509327 → Country | Random number (9 digits)
    - RBOT|XP|48124 → Bot type | Machine type | Random number
 Problem: may be defeated by changing the nickname randomly
• 31.
 A HoneyPot is a vulnerable machine, ready to be attacked
    - Example: unpatched Windows 2000 or Windows XP
 Once attacked, the malware is caught inside
 The malware is analyzed and its activity is monitored
 When it connects to the C&C server, the server's identity is revealed
• 32.
 Thus much information about the bot is obtained
    - C&C server address, master commands
    - Channel, nickname, password
 Now do the following:
    - Make a fake bot join the same IRC channel with the same nickname/password
    - Monitor who else is in the channel, thus observing the botnet
    - Collect statistics – how many bots
    - Collect sensitive information – who is being attacked, when, etc.
• 33.
 Finally, take down the botnet
 HoneyNet: a network of honeypots (see the 'HoneyNet Project')
    - Very effective, has worked in many cases
 They also pose a great security risk
    - If not maintained properly, a hacker may use them to attack others
    - Must be monitored cautiously
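The nickname patterns on slide 30, together with the "sniff IRC traffic" check on slide 27, as an added example that is not from the presentation: a small scanner that flags bot-style nicknames in IRC NICK commands. The log line format and the source addresses are constructed assumptions.

```python
"""Flag IRC nicknames that match known bot naming patterns (added example).
The two patterns come from the slide; the log format is a constructed
"<src-ip> <IRC command>" layout, not any real product's."""
import re

# Pattern 1: COUNTRY|9-digit number, e.g. USA|016887436
# Pattern 2: BOTTYPE|MACHINE|number, e.g. RBOT|XP|48124
BOT_NICK_PATTERNS = [
    ("country|random9", re.compile(r"^[A-Z]{2,3}\|\d{9}$")),
    ("bottype|os|random", re.compile(r"^[A-Z]+BOT\|[A-Z0-9]+\|\d{4,}$", re.I)),
]

# Constructed sample log; 192.0.2.0/24 is documentation address space.
SAMPLE_LOG = """\
192.0.2.10 NICK USA|016887436
192.0.2.11 NICK DE|028509327
192.0.2.12 NICK RBOT|XP|48124
192.0.2.13 NICK alice_dev
192.0.2.14 :alice_dev!u@h JOIN #project
192.0.2.15 NICK UK|12345
"""

NICK_RE = re.compile(r"^(\S+) NICK (\S+)$")

def classify_nick(nick):
    """Return the label of the first bot pattern a nickname matches, or None.
    Caveat from the slide: a bot that randomises its nickname defeats this."""
    for label, rx in BOT_NICK_PATTERNS:
        if rx.match(nick):
            return label
    return None

def scan_irc_log(text):
    """Return [(src_ip, nick, label)] for NICK lines carrying a bot-like nickname.
    Hosts listed here are candidates for the C&C/firewall-log checks on slide 27."""
    hits = []
    for line in text.splitlines():
        m = NICK_RE.match(line.strip())
        if not m:
            continue  # JOIN/PRIVMSG etc. are not nickname registrations
        src, nick = m.groups()
        label = classify_nick(nick)
        if label:
            hits.append((src, nick, label))
    return hits
```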