– Commtouch found that 87% of all email sent over the Internet during 2006 was spam.
Botnets generated 85% of that spam.
– ISPs rank zombies as the single largest threat facing network services and operational security*.
* Worldwide Infrastructure Security Report, Arbor Networks, September 2007.
Page 2
Why Talk About Botnets?
Cyber Attack Sophistication Continues To Evolve
[Chart: timeline 1980, 1985, 1990, 1995, 2000+ on the horizontal axis; attack sophistication rising from low to high while the knowledge required of intruders falls. Techniques plotted, roughly in order of appearance: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, session hijacking, sniffers, packet spoofing, GUI tools, automated probes/scans, www attacks, network mgmt. diagnostics, denial of service, distributed attack tools, staged attacks, "stealth"/advanced scanning techniques, cross site scripting, bots.]
Source: CERT
Page 3
Botnet Powered Attacks
Targeting the World
• BlueSecurity
• Estonia
– Spamming
• Email spam
• SPIM
• Forum spam
Page 4
What is a Botnet?
Zombie Army
Page 5
What is a Bot Herder?
Bot master
Page 6
What is a Bot?
The Zombie/drone
Page 7
What is a Bot Client?
Compromising a machine: worms
Page 8
What is a Bot C&C?
Command and Control Server (C2)
Page 9
What is a Bot C&C?
Command and Control Server (C2)
– Today, bot herders primarily rely on these three protocols for their C&C:
Page 10
Botnet Life Cycle
Botnet and bot Life Cycle
Page 11
Botnet in Action
Putting it all together
1. Botmaster infects victim with bot (worm, social engineering, etc.)
[Diagram labels: Victim, Botmaster, IRC Server]
Page 12
What are Botnets used for?
Hiring the Botnets
Phishing
Spam
Distributed Denial of Service
Click Fraud
Adware/Spyware Installation
Identity Theft
Making Additional Income!!!
Keystroke logging
Stealing registration keys or files
Whatever you pay for them to do! Or whatever makes money or is fun for the operator.
Page 13
Botnet in Action
Attack Summary
[Diagram of the attack chain: 1 Spam campaign; 2 http://foo.com; 3 http://foo2.com; 4 http://bar.com. Labels on the diagram: obfuscated JS, malicious script, ANI exploit (Exp ANI), Troj/Banker, payload malware.]
Page 14
The Botnet: continued
The Lifecycle of a Botnet
Page 16
The Current Threats
The SpamThru Trojan
Over 1 Billion Emails
Page 17
Break
Visualizing a Botnet
Page 18
Types of Botnets
IRC botnets
Until recently, IRC-based botnets were by far the most prevalent type exploited in the wild.
Page 19
Types of Botnets
IRC botnets
• Drawbacks:
Centralized server
IRC is not that secure by default
Security researchers understand IRC too.
IRC Bots:
» Rbot (Rxbot)
» Gaobot
Page 20
Types of Botnets
P2P botnets
Distributed control
Page 21
Types of Botnets
P2P botnets
Hard to disable
Page 22
What is a Botnet?
P2P Botnet Diagram
Page 23
Types of Botnets
P2P botnets
Drawbacks:
» Other peers can potentially take over the botnet
P2P Bots:
» Phatbot: AOL’s WASTE protocol
Polling Method
Registration
Page 25
What is a Botnet?
HTTP Botnets
Drawbacks:
» Still a centralized server
HTTP Bots:
» BlackEnergy: DDoS bot
Page 26
What can Bots do?
The Zombie/drone
Page 27
What are Botnets used for?
Network for hire
[Diagram labels: Botnet user (customer); Botnet originator (owner)]
Page 28
Botnets, the hardest
Challenges
Page 29
Botnets, Research
Methods
Capture
– Active (go out and get malware)
» Actual (use vulnerable browser/application)
» Simulated (use tool that mimics vulnerable app)
» FTP (go to malware repository)
– Passive (let it come to you)
» Honeypot/net
» Collection from infected end-users
Page 30
Botnets, Research
Monitoring of the herder (botmaster)
Page 31
Botnets, Research
Monitoring of the herder (botmaster)
[Diagram labels: Infected, IRC, Herder, Researcher (unbiased)]
Page 32
Avoid Assimilation: Botnet Defense
Preventing Bot Infections
– Use a Firewall
Page 33
USER EDUCATION IS VITAL!
Recommended Readings
Page 34
Thank You