12
Introduction to Botnets Introduction to Botnets ZIANE Bilal http://www.ZIANEBilal.com

Intro to Botnets - Bilal ZIANE

Embed Size (px)

DESCRIPTION

www.ZIANEBilal.com Introduction to Botnets

Citation preview

  • 1. Introduction toBotnets Introduction to Botnets ZIANE Bilal http://www.ZIANEBilal.com
  • 2. 1 www.ZIANEBilal.com 1
  • 3. 2 Definition of a Botnet www.ZIANEBilal.com 1- Definition of a Botnet A bot is an abbreviation for a software robot that can be used for malicious or beneficial purposes, but in this post I will focus on the bad manipulation of botnets, I will try to explain that kind of botnets that allow attacker to remotely control the affected computer without the owner knowledge. Indeed, what is a Botnet? Botnet or Drone-Army, designed as a Zombie-Army as well, is an abbreviation for a robot Network. Botnet is a network of compromised computers that can be remotely controlled by an attacker, called the BotMaster or BotHerder and each infected computer by a bot can be referred as a Zombie or as a Drone. Bots are remotely controlled through commands sent via the internet by the Botmaster using the C&C server, which stands for Command and Control server (C&C) a remote control & communication channels, for sending and receiving commands between the Botherder and the Zombies. 2
  • 4. 3 Attacking Behavior of Botnets www.ZIANEBilal.com Sizes of Botnets Zeus: 3.6 million compromised computers Koobface: 2.9 million TidServ: 1.5 million Trojan.Fakeavalert: 1.4 million TR/Dldr.Agent.JKH: 1.2 million 2- Attacking Behavior of Botnets Distributed Denial-of-Service Attacks Installing Advertisement Addons Spamming Google AdSense abuse Sniffing Traffic Manipulating online polls/games Keylogging Mass identity theft Spreading new malware Phishing attacks Figure representing how botnets are used in DDos attacks. 3
  • 5. 4 Types of Botnets www.ZIANEBilal.com 3- Types of Botnets Many types of botnets exist, I will try the explain the most used ones, starting by the HTTP botnet the most commonly used, which exploits vulnerabilities in web browsers, then a I will give short presentation of the IRC Botnet that give the attacker to silently control computers through internet relay chat channel, and at the end the P2P Peer to Peer Botnet that infect files shared on P2P services. A- HTTP Botnets: Used for creation and control of botnets. The zombies sign into an HTTP server at listening mode waiting for commands from the Botmaster, or they will visit pre-designated sites to get commands that are coded into the sites files. Many HTTP bots have their own servers for downloading malware, phishing, etc. B- IRC Botnets: The most botnets rely on the IRC protocol. This is because the IRC protocol has been around the longest, and that is where earlier botnets operated before HTTP came along. IRC is used by a wide variety of applications to allow users to have simple text based chatting environments. Infected IRC clients log into a specific IRC server and wait for specially formatted text messages that contain commands. Commands can also be encoded into the title or name of the chat channel, so that every bot entering can be given commands. IRC Botnets are generally the most complex and the hardest to detect. C- P2P Botnets: Many P2P applications are utilized by bot herders to share files that have bots and malware attached. In most cases, these bots are pre- programmed to perform specific functions when a file is opened, or when a container application like a game or desktop application is installed. The main reason why IRC is so popular is: A- Easiness - setting up private servers or use existing ones are easy B- Interactivity - full two-way communication between the server and client. C- Control all the needed functionalities already exist in the IRC protocol (credentials such as usernames, passwords and channels) D- Redundancy possibilities by linking several servers together, one server can go down while the botnet is still functioning by connecting to other IRC servers. 4
  • 6. 5 Botnet topologies www.ZIANEBilal.com 4- Botnet topologies Botnets come in all kinds of shapes and sizes. As a result, they employ a range of C&C topologies and each have relative strengths and weaknesses. C&C topologies encountered in the wild typically match one of the following types: A- Star typology [+] Strengths: Speed of control, due to the direct communicationbetween the bot and C&C server instructions are transferred rapidly. [-] Weaknesses: If the C&C server is down the botnet will be useless. 5
  • 7. 6 Botnet topologies www.ZIANEBilal.com A- Multi-server [+] Strengths: Geographic optimissation, Multiple geographically distributed C&C servers speed up communications between botnet elements. And if one single C&C goes down, the botnet operator still maintain control over all bot agents. [-] Weaknesses: Require multiple C&C server infrastructures. B- Hierarchical [+] Strengths: Interception or hijacking of bot agents will not enumerate all numbers of the botnet and is likely to reveal the C&C server. [-] Weaknesses: slow communication among bots breaches, causing a high degree of latency and that makes attacks and malicious operations difficult. 6
  • 8. 7 Example of well-known Botnets www.ZIANEBilal.com B- Random [+] Strengths: Lack of a centralized C&C infrastructure and the many-to-many communication links between bot agents make it very resilient to shutdown. [-] Weaknesses: Command latency and botnet enumeration. 5- Example of well-known Botnets Agobot/Phatbot/Forbot/XtremBot. SDBot/RBot/UrBot/UrXBot. mIRC-based Bots - GT-Bots. DSNX Bots. Q8 Bots. Kaiten. 7
  • 9. 8 Botnet Detection www.ZIANEBilal.com 6- Botnet Detection A- Static analysis The static method analysis for botnet detection is based on detecting malicious activities in the network, including URLs, IP addresses and executable binaries, process of identifying bad items. In such methods of botnet detection, the items are checked against the familiar dangerous and malicious items. These include IP addresses, URLs, executable binaries. The entire procedure can be quite fast if the list of the items is up to date and accurate. This process of identifying the bad items is relatively risk free. However, when it comes to practice, performing only static analysis is not a helpful way of maintaining a botnet free network. This is due to the fact that the developers of malware are continuously creating threats that are completely undetected. The developers use different types of techniques in order to avoid getting detected by the security researchers and antivirus tools. These techniques are: Methods of URL obfuscation Polymorphism Changing the IP addresses at a fast rate Using lots of URLs which ultimately connect to a particular resource. Serving various web pages or downloads B- Behavioral analysis This is really a powerful method of botnet detection. However, it requires a suitable environment for observing the behavior of the computer and there is a risk of the false positives that can make the process of diagnosis more difficult. The procedure can get more complicated if certain malware do not run. Once it was often seen bots attempting connection in every port of the target computers in a sequence. This helped the target computer in easily recognizing an attacker. Now most of the bots spread by using targeted attacks. Some parts are examined by them. This generally involves the ports which are used by another service. There are several preventive measures that you can take for getting rid of a botnet. 8
  • 10. 9 Botnet Detection www.ZIANEBilal.com C- OURMON and Botnet Detection Ourmon is an open source, UNIX based tool, Designed for network packet sniffing and port monitoring. Ourmon has two parts: 1. The FRONT-END for sniffing packets. 2. The BACK-END for log entries and ASCII reports. How can be used to detect Botnet? By collecting IRC information using its IRC module and the TCP report to figure out if the IRC channel is a botnet. http://sourceforge.net/projects/ourmon/ http://ourmon.sourceforge.net/ How to ensure the computer is safe from the botnet attacks? Install a firewall and keep it ON. Install good quality AV software, with a regular update. Install some kind of intrusion detection software in the computer that will informe you if you are under any attack from other networks. Install Botnet removal software, many of them available for free out there. 9
  • 11. 10 Resources www.ZIANEBilal.com 7- Resources Know your Enemy: Tracking Botnets: http://www.honeynet.org/book/export/html/50 The history of the botnet: http://countermeasures.trendmicro.eu/the-history-of- the-botnet-part-i/ Attack of the Bots: http://www.wired.com/wired/archive/14.11/botnet_pr.html Storm botnet: http://en.wikipedia.org/wiki/Storm_botnet Good botnets to take on the bad boys: http://www.pcpro.co.uk/news/191040/good-botnets-to-take-on-the-bad-boys Americas 10 most wanted botnets: http://www.networkworld.com/news/2009/072209-botnets.htm Anomaly-Based Botnet server detection: http://web.cecs.pdx.edu/~jrb/jrb.papers/flocon/flocon.pdf 10
  • 12. 11 Resources www.ZIANEBilal.com Contents 1- Definition of a Botnet ..................................................................................................................2 2- Attacking Behavior of Botnets ......................................................................................................3 3- Types of Botnets .........................................................................................................................4 4- Botnet topologies........................................................................................................................5 5- Example of well-known Botnets ...................................................................................................7 6- Botnet Detection.........................................................................................................................8 7- Resources ................................................................................................................................. 10 11

Modern Botnets - Maggi

Modern Botnets - Maggi

Documents
Bots and Botnets plus

Bots and Botnets plus

Documents
Monitoring botnets from within

Monitoring botnets from within

Documents
Hunting Botnets with Zmap

Hunting Botnets with Zmap

Technology
Refactoring to Object-Oriented Design Patterns Mikal Ziane (LIP6 and Université Paris 5)

Refactoring to Object-Oriented Design Patterns Mikal Ziane (LIP6 and Université Paris 5)

Documents
Botnets An Introduction Into the World of Botnets Tyler Hudak tyler@hudakville.com

Botnets An Introduction Into the World of Botnets Tyler Hudak [email protected]

Documents
Army of Botnets

Army of Botnets

Documents
Peer-to-Peer Botnets

Peer-to-Peer Botnets

Documents
Towards Incentivizing ISPs To Mitigate Botnets · Towards Incentivizing ISPs To Mitigate Botnets ... Moura Towards Incentivizing ISPs To Mitigate Botnets. ... botnet is my botnet:

Towards Incentivizing ISPs To Mitigate Botnets · Towards Incentivizing ISPs To Mitigate Botnets ... Moura Towards Incentivizing ISPs To Mitigate Botnets. ... botnet is my botnet:

Documents
Modeling and Measuring Botnets

Modeling and Measuring Botnets

Documents
Botnets & DDoS Introduction

Botnets & DDoS Introduction

Technology
Detecting Botnets and Malware

Detecting Botnets and Malware

Documents
Wearable botnets 201560319_v3

Wearable botnets 201560319_v3

Internet
Taming botnets

Taming botnets

Technology
Botnets 101

Botnets 101

Documents
bilal Research

bilal Research

Documents
Bilal Projects

Bilal Projects

Documents
Malware: Botnets and Worms

Malware: Botnets and Worms

Documents
"Bilal Masood"1. Renewable Energy Systems Bilal Masood "Bilal Masood"2

"Bilal Masood"1. Renewable Energy Systems Bilal Masood "Bilal Masood"2

Documents
Withstanding Multimillion-Node Botnets

Withstanding Multimillion-Node Botnets

Documents
Botnets Malware Spyware

Botnets Malware Spyware

Documents
Botnets and Cybercrime - ISWATlab · Botnets and Cybercrime ... Easily to takedown ... Zombie to Zombie

Botnets and Cybercrime - ISWATlab · Botnets and Cybercrime ... Easily to takedown ... Zombie to Zombie

Documents
Resilient Botnets - KAIST

Resilient Botnets - KAIST

Documents
Bilal Slides

Bilal Slides

Documents
about botnets

about botnets

Internet
Defense against botnets

Defense against botnets

Documents
bilal bashir

bilal bashir

Documents
botnets - UW Computer Sciences User Pagespages.cs.wisc.edu/~ace/media/lectures/botnets.pdf · Botnets • Botnets: – Command and Control (C&C) – Zombie hosts (bots) ... [Your

botnets - UW Computer Sciences User Pagespages.cs.wisc.edu/~ace/media/lectures/botnets.pdf · Botnets • Botnets: – Command and Control (C&C) – Zombie hosts (bots) ... [Your

Documents
Malware: Worms and Botnets

Malware: Worms and Botnets

Documents
Bilal Philips

Bilal Philips

Documents