Botnets - PowerPoint PPT Presentation

Slides: 20
Provided by: DC6

Transcript and Presenter's Notes

Title: Botnets


1
Botnets
  • Adam Champion
  • Derick Chan
  • Matt Brand

2
What are Botnets?
  • A botnet is
  • A collection of software robots, or bots, which
    run autonomously
  • A network of computers that uses distributed
    computing software
  • A collection of compromised computers running
    bots via worms, Trojan horses, or backdoors under
    a command-and-control (C&C) infrastructure that
    uses Internet Relay Chat (IRC) servers

3
How Botnets Work
  • Botnet originator (bot herder, bot master) starts
    the process
  • Bot herder sends viruses, worms, etc. to
    unprotected PCs
  • Direct attacks on home PC without patches or
    firewall
  • Indirect attacks via malicious HTML files that
    exploit vulnerabilities (especially in MS
    Internet Explorer)
  • Malware attacks on peer-to-peer networks
  • Infected PC receives, executes Trojan application
    → bot
  • Bot logs onto C&C IRC server, waits for commands
  • Bot herder sends commands to bots via IRC server
  • Send spam
  • Steal serial numbers, financial information,
    intellectual property, etc.
  • Scan servers and infect other unprotected PCs,
    thereby adding more zombie computers to botnet

4
Communication with Bots
  • Without bot communication, botnet would not be as
    useful or dynamic
  • IRC servers are not best choice for bot
    communication
  • Simpler protocol could be used
  • However,
  • IRC servers freely available, simple to set up
  • Attackers usually have experience with IRC
    communication

5
Botnet, Bot Life Cycles
  • Botnet Life Cycle
  • Bot herder configures initial parameters:
    infection vectors, payload, stealth, C&C details
  • Bot herder registers dynamic DNS server
  • Bot herder launches, seeds new bots
  • Bots spread, grow
  • Other botnets steal bots
  • Botnet reaches stasis, stops growing
  • Bot herder abandons botnet, severs traces thereto
  • Bot herder unregisters dynamic DNS server
  • Bot Life Cycle
  • Bot establishes C&C on compromised computer
  • Bot scans for vulnerable targets to spread
    itself
  • User, others take bot down
  • Bot recovers from takedown
  • Bot upgrades itself with new code
  • Bot sits idle, awaiting instructions

Source: http://en.wikipedia.org/wiki/Botnet
6
Overview of Botnet Use
  • Bots, botnets have many benign applications
  • Search engine spiders that index websites
  • Opponents in multiplayer games (e.g., Quake)
  • However, malicious uses outweigh benign ones
  • "Malicious bot" becoming a redundant term, like
    "malicious hacker"

7
Malicious Botnet Uses
  • Launch DDoS attacks against websites
  • Facilitate extortion attempts
  • Perpetrate click fraud by automatically
    clicking on ads
  • Send large quantities of spam
  • Record users' keystrokes
  • Collect user passwords, credit card numbers
  • Steal business information, intellectual property
  • Obtain, store, propagate warez

8
Brief History of Botnets, part 1
  • First malicious use in early 2000s
  • IRC users plagued by Global Threat bots (GT Bots)
  • GT Bots disguise themselves as legitimate mIRC
    clients, hide in Windows system directories
  • Social engineering involved, e.g., IRC ads to
    "download software to protect yourself against
    viruses"
  • Bot herders used them to launch DDoS attacks
  • 2001: Steve Gibson's site GRC.com suffered 3 Mbps
    UDP, ICMP packet flooding attacks from a botnet
    run by "Wicked"
  • He blocked attack with packet filters on routers
  • ISPs, law enforcement didn't help: not enough
    damage!
  • He tracked down original bot author on IRC to
    stop attack

9
Brief History of Botnets, part 2
  • Botnet-driven (D)DoS attacks continue
  • 2004: Gambling sites attacked, threatened by
    extortionists
  • 2005: Bots spread adult spam with keylogger
    program
  • 300,000 LexisNexis, credit-card accounts
    compromised
  • Many victims did not (and do not) report attacks

10
The Tale of Blue Security
  • Israeli security firm Blue Security made benign
    bot, Blue Frog, that sent opt-out messages to
    spammers
  • 500,000 users signed up for the program
  • 2006: one spammer launched DDoS attacks against
    Blue Frog servers, Blue Security itself
  • Blue Security re-routed website to blog,
    bluesecurity.typepad.com
  • Spammer launched DDoS attack against Six Apart
    (TypePad's owner) and Tucows (Blue Security's DNS
    provider)
  • Blue Security came back online with aid of
    Prolexic, which protected gambling sites from
    extortionists' DDoS attacks
  • Spammer launched new DDoS attack against Blue
    Security
  • Company forced out of business

11
2006 The Year of the Zombies
  • 21-year-old Jeanson Ancheta receives 57-month
    Federal prison sentence for running botnet that
    infected over 400,000 computers
  • 21-year-old Christopher Maxwell receives 37-month
    Federal prison sentence plus 3 years probation
    for running botnet that infected hundreds of
    thousands of computers
  • Spam skyrockets in late 2006 due to botnets
  • Symantec claims over 4.5 million compromised
    machines in first half of the year

12
2007 Year of the Botnet?
  • Vint Cerf, co-inventor of TCP/IP, claims 100 to
    150 million of 600 million Internet-connected
    computers are part of a botnet
  • Microsoft considers botnets #1 threat to its
    business, held secretive conference in January to
    address the threat
  • Experts believe spam, viruses, spyware will
    converge
  • Botnets play an increasing role in threat
    landscape
  • Examples: phishing spam delivered via botnets,
    spam via IM, VoIP delivered via botnets

13
Difficulties Taking Down Botnets
  • No sure-fire way to take down a botnet
  • Uninformed users can easily have an infected
    machine and not know it
  • Hard to catch and prosecute, especially
    internationally
  • Akin to Whac-A-Mole
  • So many out there that only the big ones get
    dealt with, e.g., Ancheta's and Maxwell's botnets

14
Common-Sense Precautions
  • Beware of files sent from unknown users
  • Keep anti-virus and anti-spyware programs
    up-to-date and use them regularly
  • Get critical application and OS updates
  • Disconnect from network when not in use
  • Be wary of HTML e-mails
  • Send/receive mails as plaintext instead

15
Sandboxing
  • Programs placed in a sandbox are restricted from
    making system changes or accessing personal
    information
  • Use on high risk applications such as instant
    messengers and browsers
  • Examples:
  • Amust's 1-Defender
  • DropMyRights
  • SandBoxIE

16
Network Monitoring
  • Identify normal network behavior, then monitor
    any anomalous activity
  • Is there traffic to servers outside the country?
  • IRC chat traffic on high number ports?
  • Only a means of detection, not removal
  • Honeypots, honeynets may aid research and
    takedown efforts
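The two questions on this slide (IRC-style traffic on high-numbered ports, traffic to servers outside the home country) can be turned into simple flow rules. The block below is an added example, not code from the presentation: the `Flow` records, the standard-port set and the prefix-to-country table are constructed placeholders standing in for a flow collector and a GeoIP database.

```python
"""Flag IRC-style command-and-control traffic on non-standard ports.

Added example, not code from the presentation: the flow records, the
port set and the prefix-to-country table below are constructed for
illustration and stand in for a flow collector and a GeoIP database.
"""
import re
from dataclasses import dataclass

# IRC client-to-server commands a bot sends right after connecting to its
# C&C channel; seeing these on a port that is not an IRC port is the
# anomaly the slide asks about.
IRC_COMMANDS = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PING|PONG)\b", re.MULTILINE)
STANDARD_IRC_PORTS = {6667, 6697}
HOME_COUNTRY = "US"

# Constructed /24-prefix -> country table (placeholder for a GeoIP lookup).
PREFIX_COUNTRY = {"192.0.2": "US", "198.51.100": "US", "203.0.113": "XX"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes of the client-to-server stream


def looks_like_irc(payload: bytes) -> bool:
    """True if some line of the payload starts with an IRC client command."""
    return IRC_COMMANDS.search(payload) is not None


def country_of(ip: str) -> str:
    """Coarse country lookup on the first three octets; '??' when unknown."""
    return PREFIX_COUNTRY.get(ip.rsplit(".", 1)[0], "??")


def analyse(flows):
    """Return (src, dst, dport, reasons) for every flow that trips a rule."""
    alerts = []
    for f in flows:
        reasons = []
        if looks_like_irc(f.payload) and f.dport not in STANDARD_IRC_PORTS:
            reasons.append("irc-on-nonstandard-port")
        if country_of(f.dst) != HOME_COUNTRY:
            reasons.append("foreign-destination")
        if reasons:
            alerts.append((f.src, f.dst, f.dport, reasons))
    return alerts


# Constructed sample flows: normal web traffic, a legitimate IRC session on
# 6667, a bot joining its channel on port 31337, and a TLS session abroad.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 80, b"GET / HTTP/1.1\r\nHost: www.example\r\n"),
    Flow("10.0.0.7", "198.51.100.9", 6667, b"NICK alice\r\nUSER alice 0 * :Alice\r\n"),
    Flow("10.0.0.9", "198.51.100.20", 31337, b"NICK [bot]x9\r\nUSER x 0 * :x\r\nJOIN #c\r\n"),
    Flow("10.0.0.9", "203.0.113.4", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),
]

if __name__ == "__main__":
    for src, dst, dport, reasons in analyse(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport}  {', '.join(reasons)}")
```

Running it lists only the two anomalous flows from `10.0.0.9`; the legitimate IRC session on 6667 is left alone because the baseline ("normal behaviour" in the slide's terms) treats the standard ports as expected. As the slide notes, this only detects: the alerts point at a host to investigate, not at a way to remove the bot.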

17
Reverse Engineering
  • Disassemble botnet code
  • Can identify controller's IP address
  • Locate system weaknesses
  • Safely remove botnets
  • Requires good knowledge of disassemblers,
    assembly language, and other low level concepts

18
DNS Management
  • Botnets use DNS hosting services to point to IRC
    channels
  • Domains are hardcoded into the bot
  • By taking down the subdomains used by bots, you
    can cripple entire nets
  • Nullrouting
  • However, requires knowledge of which DNS host and
    domain name to take down
  • Less effective than in past due to extremely
    redundant, distributed C&C servers
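Nullrouting works because the C&C names are hardcoded in the bot: once the zone is pointed at a null address, every subdomain under it stops resolving to the real server, and the resolver's log of who keeps asking for those names doubles as a list of infected hosts. The block below is an added example, not code from the presentation; the `BLOCKLIST` entries are constructed placeholder names, not real C&C domains, and `SAMPLE_LOG` is a constructed, simplified query log rather than any real resolver's format.

```python
"""DNS sinkhole: nullroute hardcoded C&C names and log who asked for them.

Added example, not code from the presentation. BLOCKLIST holds constructed
placeholder names standing in for a bot's hardcoded C&C domains, and
SAMPLE_LOG is a constructed, simplified resolver query log.
"""
import re
from collections import defaultdict

SINKHOLE_ADDR = "0.0.0.0"  # nullroute target: bots resolving C&C get nowhere

# Constructed placeholder zones; a real deployment would load these from a
# takedown or threat-intel feed.
BLOCKLIST = {"cc-placeholder.example", "dyn-placeholder.example"}

# Simplified query-log line: "client <ip>#<port>: query: <name> IN <type>"
QUERY_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+)")


def normalise(qname: str) -> str:
    """Strip the trailing dot and fold case so lookups are canonical."""
    return qname.rstrip(".").lower()


def is_blocked(qname: str, blocklist=BLOCKLIST) -> bool:
    """True if qname or any parent domain is listed, so that taking down one
    zone also covers every subdomain a bot was pointed at."""
    labels = normalise(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve(qname: str, upstream: dict, blocklist=BLOCKLIST):
    """Answer from the sinkhole for listed names, otherwise from upstream."""
    if is_blocked(qname, blocklist):
        return SINKHOLE_ADDR
    return upstream.get(normalise(qname))


def infected_hosts(log_lines, blocklist=BLOCKLIST):
    """Map client IP -> set of sinkholed names it asked for: the hosts still
    trying to reach C&C are the ones that need cleaning."""
    hits = defaultdict(set)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and is_blocked(m.group(2), blocklist):
            hits[m.group(1)].add(normalise(m.group(2)))
    return dict(hits)


# Constructed log lines: one clean host, one host hitting two sinkholed zones.
SAMPLE_LOG = [
    "client 10.0.0.9#53122: query: irc.cc-placeholder.example IN A",
    "client 10.0.0.5#40011: query: www.example.com IN A",
    "client 10.0.0.9#53130: query: update.dyn-placeholder.example IN A",
]

if __name__ == "__main__":
    print(resolve("irc.cc-placeholder.example", {}))
    for host, names in infected_hosts(SAMPLE_LOG).items():
        print(host, sorted(names))
```

The parent-domain match in `is_blocked` is what lets a single zone takedown cripple a whole net, as the slide describes. The slide's caveat still applies: a bot whose code carries several redundant C&C names only loses the ones you have identified and listed.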

19
The Future
  • Botnets are becoming more modular, and thus
    resistant to takedown
  • Becoming polymorphic as well
  • Security evolving towards a holistic approach of
    combating botnets, phishing scams, etc.
  • Unified security suites, like Symantec's Norton
    360, gain traction in the marketplace
  • We are moving towards more open-source threat
    evaluation