The Taxonomy of BotNets Evolution of Malware - PowerPoint PPT Presentation

Slides: 14
Provided by: ajr5
Transcript and Presenter's Notes

1
The Taxonomy of BotNets: Evolution of Malware
  • Presented by
  • AVATAR
  • Rajesh Augustine, Marek Jakubik, Jonathon Raclaw,
    Rao Pathangi

2
Definitions: What is a BotNet?
  • According to the Merriam-Webster Dictionary, a
    Computer Virus is described as a computer
    program that is usually hidden within another
    seemingly innocuous program and that produces
    copies of itself and inserts them into other
    programs and usually performs a malicious action
    (as destroying data)
  • Source: http://www.merriam-webster.com/dictionary/virus
  • According to the article, a Bot is described as a
    compromised end-host, or as the malicious
    executable that compromises and controls a
    computer host.

3
History
  • The Creeper Virus was the first self-replicating
    virus, written by Bob Thomas in 1971.
  • http://en.wikipedia.org/wiki/Creeper_virus
  • Just as computers have grown and evolved during
    the last 38 years, so too have computer viruses.
    Now they communicate with each other via the
    internet, giving commands and following orders.

4
So what is new?
  • The primary difference, which signifies a unified
    attack by a so-called BotNet, is a mechanism to
    coordinate the attack by the infected systems.
  • The article calls these systems Command and
    Control (C&C).
  • The evolution of computer viruses has taken a new
    step: a need to command and control them
    remotely. Hackers are no longer content with
    having their system attack on a particular date
    (April 1st, Friday the 13th, Hitler's birthday,
    etc.).

5
An Analogy
  • Bots and BotNets are just the latest evolution of
    malware. They are not to be taken lightly.
  • Let's compare:
  • The original Viruses, 35 years ago, to Gunpowder:
    a combination of sulfur, charcoal and potassium
    nitrate, which when introduced to a spark or
    flame explodes.
  • Then the original Worms can be compared to
    Nitroglycerine: a simple and elegant compound
    that is very volatile, and explodes easily.
  • Bots and BotNets can be compared to Dynamite, a
    mature combination of both gunpowder and
    nitroglycerine, just as Bots and BotNets are a
    combination of viruses and worms. Dynamite is
    stable, not easily triggered, and when it is

6
Analogy Continued
The result is a surgical strike, with total
destruction. Akin, not too far, to a
BotMaster's attack with a well-placed and well-
executed BotNet strike.

7
Example 1: Command & Control
  • The article talks about three strict types of
    command and control (centralized, P2P and random),
    but the Command and Control as witnessed in the
    news story in the Wall Street Journal and PRI
    (http://www.theworld.org/node/25621) suggests a
    new type of command and control, where the bots
    are distributed through the grid systems after
    surveillance. The important point is that each
    different bot is recruited to do certain
    malicious activities, so the location of the bot
    in the system would be critical. The botmaster
    knows ahead of time which keys to turn in a time
    of crisis to take control of the grid.

8
Example 2: Financial Fallacy
  • The article talks about the financial gains from
    using Botnets, but it doesn't give any specific
    examples or instances of those financial gains,
    whereas other articles and sources do provide this
    information. I would say that there is not enough
    study done by Trend Micro to find out this
    information; instead this article seems to
    have a marketing intent.

9
Example 3: Asymmetric Vulnerability
  • The recent WSJ incident highlights the new and
    upcoming trend in warfare where the concept of
    "asymmetric vulnerability" is exploited. The like-
    for-like concept is used in wars: city for city,
    warhead for warhead. But if a network is
    penetrated and taken hostage, there is no
    parallel elsewhere for the sophisticated systems
    in the US.

10
Example 4: Infrastructure Attack
  • The Wall Street Journal has reported that the
    electricity grid in the United States has been
    infiltrated by "cyberspies," in an attempt to map
    the infrastructure, leaving behind software that
    could pose potential threats in times of crisis.
    Quoting anonymous "current and former" national
    security officials, the report claims that the
    spies, hailing from unknown countries, have not
    attempted to do any damage, but that they could,
    and that these types of intrusions are on the
    rise. The best method to implement an attack at
    this level would be a BotNet.
  • Source: http://www.theworld.org/node/25621

11
Summary
  • Leading: This document was written to instill
    fear into customers, to encourage them to buy
    TrendMicro's product.
  • Dated: This document was written in 2006, so
    there are many assumptions which have not proven
    true.
  • Tech Shift: The scenarios offered by TrendMicro
    are a small step in the actual direction. Actual
    applications are far worse.

12
From T-Bone and Tonic
  • More evolutions in the taxonomy of botnets.
  • In 2007, the Storm botnet compromised an estimated
    5,000,000 computers at the height of its
    infection.
  • One of the most disturbing behaviors of this
    botnet was its self-defense capability:
  • It launched DDoS attacks against the machines that
    attempted to probe the botnet.
  • In some cases researchers could not even publish
    their findings.
  • In 2009 Waledac, Storm's successor, was sending out
    spam with infected Valentine's Day emails.

13
From Jero Jewo
  • Recent propagation of botnet software via social
    networks.