
Malware: Botnets and Worms

By Apurba Dhungana
Outline

- Introduction
- History
- Life Cycle
- Security Threat
- Prevention Techniques
- Detection Techniques
- Conclusion
Botnets
- A botnet is a collection of compromised systems/computers that have been taken over by malicious software.

- Bots are controlled by the bot herder using one or more C&C servers.

- A bot is generally installed on a system through malware, worms, trojan horses or other back doors.

- Controlled by one person or a group of people.


History
- Originated as a useful feature for carrying out repetitive tasks and time-consuming operations.

- The first bot program was Eggdrop, created by Jeff Fisher in 1993; it was useful for Internet Relay Chat.

- Nowadays bots have evolved for malicious intent.

- TFN, Trinoo and Stacheldraht (2000) started DDoS attacks.
History
- Attackers created different ways to control bots, using P2P and IRC.

- Spam Thru, Agobot, SDbot, Bagle etc.: the average number of spam emails sent by these bots per day ranges from a million to more than ten billion messages.

- According to USA Today, 40 percent of the 800 million computers connected to the Internet are bots used to send spam and viruses and to mine personal data.

- Botnets have become a business.


Botnet Lifecycle
1) Spread Phase

2) Infection Phase

3) Command and Control

4) Attack Phase
Botnet Lifecycle

[Figure 1: Life Cycle Of Botnet. Source: Intel Corporation 2009]
Botnet Command And Control (C&C) Techniques
1) Centralized Command and Control Technique, e.g. Agobot, Rbot, SDbot, Zobot.

2) P2P Command and Control Technique, e.g. Phatbot, Sinit.
Security Threats From Botnets
- Distributed Denial Of Service (DDoS) Attack

- Spamming

- Phishing and Identity Theft

- Click Fraud

- Hosting Illegal Material

- Identity Theft
Prevention Techniques
- A high level of awareness about online security and privacy.

- Systems must be kept up to date by installing OS updates and patches.

- Do not use pirated software, games or other illegal material available online; they may contain malicious code.

- Use firewalls and antivirus/anti-spyware programs.

- Use CAPTCHA tests for websites and other services to protect against botnets.
Detection Techniques

- Use of honeypots.

- Monitoring the network.

- Use IDS techniques to watch for DoS/attack traffic coming from your network.

- Examine flow characteristics such as bandwidth, duration and timing.
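As an added example (not from the original slides), the script below applies the last two bullets to a few constructed flow records: it flags near-periodic small flows to one peer (timing, the pattern of a bot polling a centralized C&C server) and a burst of outbound bytes to one destination inside a short window (bandwidth, the pattern of DoS traffic leaving your network). The CSV layout, hosts and thresholds are assumptions.

```python
import csv, io, statistics
from collections import defaultdict
# Constructed sample flows (not real traffic): 10.0.0.5 polls one peer every
# 60 s with tiny flows, 10.0.0.9 sends ~2.7 MB to one target in 4 s, 10.0.0.7 browses.
SAMPLE_FLOWS = """\
src,dst,dport,bytes,start_ts
10.0.0.5,203.0.113.10,6667,320,1000
10.0.0.5,203.0.113.10,6667,310,1060
10.0.0.5,203.0.113.10,6667,330,1120
10.0.0.5,203.0.113.10,6667,315,1180
10.0.0.7,198.51.100.20,443,52000,1005
10.0.0.9,192.0.2.40,80,900000,1400
10.0.0.9,192.0.2.40,80,950000,1402
10.0.0.9,192.0.2.40,80,910000,1404
"""

def parse_flows(text):
    # One dict per CSV row with the numeric fields converted to int.
    return [{"src": r["src"], "dst": r["dst"], "dport": int(r["dport"]),
             "bytes": int(r["bytes"]), "ts": int(r["start_ts"])}
            for r in csv.DictReader(io.StringIO(text))]

def by_key(flows, key):
    # Group (ts, bytes) pairs under key(flow), each group sorted by time.
    groups = defaultdict(list)
    for f in flows:
        groups[key(f)].append((f["ts"], f["bytes"]))
    return {k: sorted(v) for k, v in groups.items()}

def find_beacons(flows, min_flows=4, max_jitter=0.1):
    # Near-periodic contact with one peer: gap std-dev <= max_jitter * mean gap (assumed thresholds).
    hits = []
    for (src, dst, dport), recs in by_key(flows, lambda f: (f["src"], f["dst"], f["dport"])).items():
        if len(recs) < min_flows:
            continue
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) <= max_jitter * mean:
            hits.append((src, dst, dport, round(mean)))
    return hits

def find_floods(flows, window_s=10, byte_threshold=2_000_000):
    # Peak bytes from one src to one dst inside any window_s-second window (assumed threshold).
    hits = []
    for (src, dst), recs in by_key(flows, lambda f: (f["src"], f["dst"])).items():
        peak = max(sum(b for t, b in recs[i:] if t < t0 + window_s)
                   for i, (t0, _) in enumerate(recs))
        if peak > byte_threshold:
            hits.append((src, dst, peak))
    return hits
```

On the sample data the beacon check reports 10.0.0.5 polling 203.0.113.10:6667 every 60 s and the flood check reports 10.0.0.9 pushing 2,760,000 bytes to 192.0.2.40, while the browsing host trips neither.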
What is a Worm?
- A computer worm is an independent program that reproduces across a network by exploiting security flaws.

- A virus requires some sort of user action to start propagation.
History
- The term "worm" was applied to self-replicating computer programs by John Brunner's sci-fi novel "The Shockwave Rider".

- The first worm was the Morris Worm, developed in 1988 by a Yale computer science student; it exploited buffer overflow vulnerabilities.

- Melissa (1999), est. damage $1.1 billion: using holes in Microsoft Outlook, once executed it spread to the first 50 addresses in the Outlook address book.

- I LOVE YOU (2000), est. damage $8.75 billion

History

- (I LOVE YOU, continued) Instead of sending a copy of the worm to the first 50 addresses on the host like Melissa, it used every single address on the host. It overwrote important files and downloaded a Trojan Horse that would steal information.

- Code Red (2001), est. damage 2.6 billion: exploited vulnerabilities in IIS and provided command-line control to whoever knew the web server was compromised. It also launched DoS attacks.

- NIMDA (2001), est. damage $645 million: advanced features and different means of propagation. It was the first worm with its own email program; it did not depend on the host's email program to propagate.
Worms Life Cycle

- Initialization Phase

- Payload Activation Phase

- Network Propagation Phase
  - Target Acquisition
  - Network Reconnaissance
  - Attack

- Dormant Phase
Initialization Phase

- In the initialization phase the worm installs itself on the victim machine, copying the necessary files into memory and onto the hard drive.

- Worms also try to disable the antivirus or firewall.

- When this phase is complete the machine is infected.


Payload Activation Phase

- It unleashes the attack towards another target or the host itself.

- A common payload is a DDoS attack.


Network Propagation Phase
- This is the phase where a worm concentrates on spreading to other machines.

- Three sub-phases:

  - Target Acquisition Sub-Phase
    - The worm creates a list of systems to infect.
    - It may use a hit list or a PRNG.
    - I LOVE YOU used the victim's address book.
    - NetSky searched the web files on the victim's hard drive for email addresses.
    - This is the crucial phase for the success of the worm.

  - Network Reconnaissance Sub-Phase
    - In this phase the worm finds vulnerable hosts using the list of IP addresses generated by the target acquisition sub-phase.

  - Attack Sub-Phase
    - The worm tries to take control of the identified host.
    - A successful attack leads to the initialization phase on the target machine.

Dormant Phase

- A period of time where the worm becomes inactive; it may be a temporary phase or the end of the worm's life cycle.

[Figure 2: Life Cycle Of Worms. Source: Internet Worms: threats, attacks by Sean Lau]
Security Threats from Worms
- Distributed Denial Of Service Attack.

- Install Rootkits or Backdoor programs

- Data Damage

- Compromising a computer system

- Other malicious activities


Defense Mechanism (by layer)

User:        User education (social engineering); apply patches to prevent buffer overflows; identify, monitor and protect.
Application: Change the configuration of software; block ports that are vulnerable.
Transport:   Secure the point of communication.
Network:     Focus on packets transmitted in the network; authorization enforcement facility.
Data Link:   (none listed)
Physical:    Cut the wire.

Questions?
