BOTNETS

COURSE:
COLLOQUIUM (CS 14.371)

PRESENTED BY:
SIDDHI MEHENDALE (170429)
Botnets: Introduction
• A botnet is a collection of INTERNET CONNECTED DEVICES, including PCs, servers, mobile devices and IoT devices, that are infected and controlled by a common type of MALWARE.

• Commonly used to send spam e-mails and fraud messages, and to generate malicious traffic for DDoS ATTACKS.

• IN OTHER WORDS: Botnets are networks of coordinated, compromised computers (BOTS) which are remotely controlled by BOTMASTERS through a CONTROL CHANNEL unknown to the individual.
BOTS AND BOTMASTERS
• Botmasters: These are hackers who tend to scan and search networks for their vulnerabilities and thus reach vulnerable systems. They generally attack networks which have a large number of connected devices, such as networks managed by universities or enterprises.

• Bots: These are also called ZOMBIE COMPUTERS. These are the devices that contribute to a botnet network. A bot can also be a program built so that it automates an action at a much higher rate, e.g. HTTP requests.
BOTNET ARCHITECTURE:
COMMAND AND CONTROL ARCHITECTURE

• Oldest, low latency.

• Centralized, thus providing the botmaster direct access.

• WEAKNESS: when the control server gets traced, the whole botnet becomes useless.

• Protocols used: 1) IRC and 2) HTTP
(A) BOTNET IRC (INTERNET RELAY CHAT)
• Communication is formed on the basis of text messages.
• Infection through IRC server
• Bot installation
• Random bot id assigned
• Bot enters private IRC channel
• Authentication
• Stays in standby
• Botmaster enters a command to launch
• The attack is executed.
(B) BOTNET HTTP :
• Came into being because IRC servers were getting recognized.

• These are hard to track.

• Bots use HTTP to hide their protocol traffic among normal web traffic.

• Port filtering mechanisms.

• Examples: Rustock, Bobax, Clickbot.
PEER TO PEER ARCHITECTURE:
• Decentralized network.
• Any bot can act as client or server or both simultaneously.
• High latency because commands take a long time to execute.
• Difficult to capture or shut down even if the BOTMASTER is identified.
• Each bot has its own encryption design.
BOTNET LIFECYCLE

INFECTIONS AND VULNERABLE DEVICES
• Typically infect millions of devices.
• Deployed through a TROJAN HORSE.
• STRATEGY: Targets infect their own systems by clicking on malicious links and on pop-ups.
• Complex botnets can self-propagate and infect devices along their path of propagation.
• Can infect any device connected directly or wirelessly to the internet.
• With the growth of Internet-of-Things devices, it has become very easy for attackers to propagate and update their bots.
MAJOR BOTNET ATTACKS
ZEUS
  ORIGIN: Detected in 2007.
  ATTACKS: • Used for spreading CRYPTOLOCKER RANSOMWARE.
           • Gathering bank details and financial information.
  SHUT DOWN: • 2009: infected 3.9 million hosts.
             • 2010: Shut down.

SRIZBI
  ORIGIN: Discovered in 2007.
  ATTACKS: • Responsible for the largest e-mail spam campaigns.
           • 60 million spam messages per day.
  SHUT DOWN: 2008

GAMEOVER ZEUS
  ORIGIN: Roughly around 2008-2009.
  ATTACKS: • Used a Domain Generation Algorithm to communicate.
           • Infected devices searched random domains until they reached an active one.
  SHUT DOWN: Mid 2014
BOTNET DETECTION
1) THE SIGNATURE METHOD:
• When a single copy is found, its binary structure can be traced and stored.
• Many devices can be screened in order to check for the signature.
• DRAWBACKS:
  (i) Every time a botnet is updated, its signature changes (some even have built-in ones!).
  (ii) Many botnets can have multiple versions which have the same functionality but different signatures.

2) NETWORK FLOW:
• PRINCIPLE: Botnet traffic has patterns and is different from normal traffic.
• Usually in the C&C mechanism, the traffic is quite uniform throughout the network, occurs at specific intervals, and the packets exchanged between the server and the host are roughly uniform in each time interval.
• Machine learning algorithms can be used for detection.
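The uniform-interval, uniform-size pattern described above can be turned into a simple flow-level check. The following is an added example written for this page (not from the original slides or any named tool); it assumes flow records reduced to (timestamp, source, destination, bytes) tuples and uses constructed sample data, with 203.0.113.10 and 198.51.100.20 as placeholder addresses.

```python
import statistics
from collections import defaultdict

# Constructed sample flow records: (timestamp_seconds, src, dst, bytes).
# 10.0.0.5 contacts a hypothetical C&C host at 203.0.113.10 about every
# 60 s with near-identical sizes; 10.0.0.7 browses a web server at
# irregular intervals with widely varying sizes (normal traffic).
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "203.0.113.10", 512),
    (60, "10.0.0.5", "203.0.113.10", 514),
    (120, "10.0.0.5", "203.0.113.10", 512),
    (181, "10.0.0.5", "203.0.113.10", 513),
    (240, "10.0.0.5", "203.0.113.10", 512),
    (300, "10.0.0.5", "203.0.113.10", 512),
    (5, "10.0.0.7", "198.51.100.20", 1200),
    (9, "10.0.0.7", "198.51.100.20", 45000),
    (70, "10.0.0.7", "198.51.100.20", 3300),
    (71, "10.0.0.7", "198.51.100.20", 800),
    (250, "10.0.0.7", "198.51.100.20", 22000),
    (330, "10.0.0.7", "198.51.100.20", 1500),
]

def coeff_var(values):
    """Coefficient of variation (stdev / mean); 0 means perfectly uniform."""
    mean = statistics.fmean(values)
    return statistics.pstdev(values) / mean if mean else 0.0

def find_periodic_pairs(flows, min_flows=5, max_cv=0.1):
    """Return {(src, dst): (interval_cv, size_cv)} for host pairs whose
    inter-arrival times and byte counts are both roughly uniform, i.e.
    the beacon-like pattern the slide attributes to C&C traffic."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in sorted(flows):
        by_pair[(src, dst)].append((ts, nbytes))
    suspects = {}
    for pair, records in by_pair.items():
        if len(records) < min_flows:   # too few flows to judge regularity
            continue
        times = [ts for ts, _ in records]
        sizes = [nb for _, nb in records]
        intervals = [b - a for a, b in zip(times, times[1:])]
        icv, scv = coeff_var(intervals), coeff_var(sizes)
        if icv <= max_cv and scv <= max_cv:
            suspects[pair] = (round(icv, 3), round(scv, 3))
    return suspects

if __name__ == "__main__":
    for (src, dst), cvs in find_periodic_pairs(SAMPLE_FLOWS).items():
        print(f"periodic traffic {src} -> {dst}: interval/size CV = {cvs}")
```

The thresholds are deliberately simple; on real flow data the same per-pair statistics would be fed to the machine learning classifier the slide mentions rather than compared against fixed cut-offs.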

3) GROUP NETWORK ANALYSIS:
• Because the same botnet code is shared across the network, many devices might be performing the same sort of work at the same time.
• By building a picture of these activities and monitoring them, a large botnet network can be uncovered.
• BotGAD (Botnet Group Activity Detector) is a popular tool.

Now, after all this, there are still ways that botnets can hide their identity.
Across the network, they can add randomness in their communication algorithms.
This is quite difficult to execute, and changing algorithms frequently may result in latency and also limit the functionality.
But if this technique is applied on large botnets, the latency gets nullified.
