COURSE: COLLOQUIUM (CS 14.371)
PRESENTED BY: SIDDHI MEHENDALE (170429)
Botnets: Introduction
• A botnet is a collection of INTERNET-CONNECTED DEVICES, including PCs, servers, mobile devices and IoT devices, that are infected with and controlled by a common type of MALWARE.
COMMAND AND CONTROL ARCHITECTURE
(A) BOTNET IRC (INTERNET RELAY CHAT)
• Communication between the botmaster and the bots takes the form of text messages on an IRC channel.
• Infection is staged through an IRC server.
• Bot installation.
• A random bot ID is assigned.
• The bot enters a private IRC channel.
• Authentication.
• The bot stays in standby.
• The botmaster enters a command to launch.
• The attack is executed.
(B) BOTNET HTTP:
• Came into being because IRC C&C servers were becoming easy to recognize.
• Harder to block with port-filtering mechanisms, since its C&C traffic looks like ordinary web traffic.
• Examples: Rustock, Bobax, Clickbot.
PEER-TO-PEER ARCHITECTURE:
• Decentralized network.
• Any bot can act as client, server, or both simultaneously.
• High latency, because commands take a long time to propagate through the network.
• Difficult to capture or shut down even if the BOTMASTER is identified.
• Each bot has its own encryption design.
BOTNET LIFECYCLE
INFECTIONS AND VULNERABLE DEVICES
• Botnets typically infect millions of devices.
• Deployed through a TROJAN HORSE.
• STRATEGY: targets infect their own systems by clicking on malicious links and pop-ups.
• Complex botnets can self-propagate, infecting further devices along their propagation path.
BOTNET DETECTION
1) THE SIGNATURE METHOD:
• Once a single copy of the bot is found, its binary structure can be traced and stored as a signature.
• Many devices can then be screened for that signature.
• DRAWBACKS:
(i) Every time a botnet is updated, its signature changes (some even have built-in update mechanisms!).
(ii) Many botnets have multiple versions with the same functionality but different signatures.
2) NETWORK FLOW:
• PRINCIPLE: botnet traffic has patterns that differ from normal traffic.
• In a typical C&C mechanism the traffic is quite uniform throughout the network: it occurs at specific intervals, and the packets exchanged between the server and each host are roughly uniform in size at each interval.
• Machine learning algorithms can be used for detection.
3) GROUP NETWORK ANALYSIS:
• Because the same bot code is shared across the network, many devices may be performing the same sort of work at the same time.
• By modelling and monitoring these correlated activities, a large botnet network can be uncovered.
• BotGAD (Botnet Group Activity Detector) is a popular tool.
Now, after all this, there are still ways for botnets to hide their identity. Across the network they can add randomness to their communication algorithms.
This is quite difficult to execute: changing algorithms frequently may add latency and also limit functionality.
But if this technique is applied on large botnets, the latency gets nullified.
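To make the network-flow and group-activity ideas concrete, here is an added example (not code from the slides, and not BotGAD) that scores NetFlow-style records for the two properties the slides name, uniform inter-arrival times and uniform packet sizes, and then looks for several hosts that beacon to the same destination. The record layout, the IP addresses, the thresholds (coefficient of variation at most 0.2 for timing and 0.1 for size) and all of the traffic are constructed for the example; one host contacts the same destination with randomised intervals to show how the jitter described above defeats a simple timing check.

```python
"""Beacon and group-activity detection over NetFlow-style records.

Added example for this deck: not code from the slides or from BotGAD.
Record layout, hosts, thresholds and traffic are all constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, bytes_sent).
# 10.0.0.5/.6/.7 check in with the same destination every 60 s with near-identical
# sizes (the "uniform traffic at specific intervals" pattern from the slides).
# 10.0.0.8 is ordinary browsing; 10.0.0.9 reaches the C&C destination too, but
# with randomised (jittered) intervals, the evasion the last slide describes.
FLOWS = []
for offset, src in ((0, "10.0.0.5"), (7, "10.0.0.6"), (13, "10.0.0.7")):
    for i, size in enumerate((312, 312, 320, 312, 312, 312)):
        FLOWS.append((offset + i * 60, src, "203.0.113.9", 443, size))
FLOWS += [
    (5, "10.0.0.8", "198.51.100.20", 443, 1500),
    (8, "10.0.0.8", "198.51.100.20", 443, 48000),
    (188, "10.0.0.8", "198.51.100.20", 443, 2200),
    (200, "10.0.0.8", "198.51.100.20", 443, 900),
    (1100, "10.0.0.8", "198.51.100.20", 443, 70000),
    (1145, "10.0.0.8", "198.51.100.20", 443, 1200),
]
FLOWS += [(t, "10.0.0.9", "203.0.113.9", 443, 312)
          for t in (0, 60, 155, 196, 316, 349, 426)]


def group_flows(flows):
    """Group records by (src, dst, port); keep (timestamp, bytes) per group, sorted."""
    groups = defaultdict(list)
    for ts, src, dst, port, size in flows:
        groups[(src, dst, port)].append((ts, size))
    for events in groups.values():
        events.sort()
    return groups


def coefficient_of_variation(values):
    """Population std-dev over mean: 0.0 for a perfectly regular series."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def beacon_score(events):
    """Return (mean_interval, interval_cv, size_cv), or None with fewer than 4 events."""
    if len(events) < 4:
        return None
    timestamps = [ts for ts, _ in events]
    sizes = [size for _, size in events]
    intervals = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return (mean(intervals),
            coefficient_of_variation(intervals),
            coefficient_of_variation(sizes))


def find_beacons(flows, min_events=5, max_interval_cv=0.2, max_size_cv=0.1):
    """Network-flow step: flag (src, dst, port) whose timing and sizes are both uniform."""
    hits = []
    for (src, dst, port), events in group_flows(flows).items():
        if len(events) < min_events:
            continue  # too little history to judge regularity
        mean_interval, interval_cv, size_cv = beacon_score(events)
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            hits.append({"src": src, "dst": dst, "port": port,
                         "interval_s": round(mean_interval, 1),
                         "interval_cv": round(interval_cv, 3)})
    return sorted(hits, key=lambda h: h["src"])


def find_group_activity(beacons, min_hosts=3):
    """Group-activity step: destinations shared by several beaconing hosts."""
    by_dst = defaultdict(set)
    for hit in beacons:
        by_dst[(hit["dst"], hit["port"])].add(hit["src"])
    return {dst: hosts for dst, hosts in by_dst.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    beacons = find_beacons(FLOWS)
    for hit in beacons:
        print(f"beacon: {hit['src']} -> {hit['dst']}:{hit['port']} "
              f"every ~{hit['interval_s']}s (interval cv={hit['interval_cv']})")
    for (dst, port), hosts in find_group_activity(beacons).items():
        print(f"group activity: {len(hosts)} hosts share {dst}:{port}: {sorted(hosts)}")
```

Run as a script, it flags the three 60-second beacons and reports that they share one destination, while the browsing host and the jittered host pass the timing check untouched. That last case is the point of the closing slide: a fixed coefficient-of-variation threshold is easy to defeat with randomised sleep times, which is why the group-activity correlation (several hosts talking to the same rare destination) and machine-learning features beyond raw periodicity matter in practice.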