INTRODUCTION TO BOTNETS

What is a BOTNET?

Introduction

A botnet is a network of zombies, i.e. compromised computers under the control of an attacker (the botmaster). Malware is used to infect computers and turn them into zombies.

[Figure: attacker (botmaster) controlling a set of zombies]

Malware is currently the major source of attacks and fraudulent activities on the Internet.

A bot is a program loaded on a zombie computer that provides remote control mechanisms to an attacker.

How An Attack Works?

• The attacker spreads a trojan horse to infect several hosts.
• The hosts become zombies and connect to an IRC server on a specific channel.
• The channel may be encrypted or open.
• The IRC server can be on a public network or installed on one of the compromised hosts.
• Bots listen on the channel for instructions from the operator and perform the task.

http://en.wikipedia.org/wiki/Botnet

C&C channel

• Means of receiving and sending commands and information between the botmaster and the zombies.
• Typical protocols: IRC, HTTP, Overnet (Kademlia), and so forth.
• Protocols imply (to an extent) a communication topology.
• The topology provides trade-offs in terms of a botnet's bandwidth, effectiveness and stealth.

Popular Botnet Propagation Methods

• Spammed messages
• Social networking websites
• Malicious websites
• Worms
• Removable devices

Each of these installs malware on the host, which then becomes a bot.

HOW ARE BOTNETS DETECTED?

Botnet Detection

• Every interaction between two entities requires the flow of information.
• This can be utilized to detect the interaction.
• The problem is that this interaction is generally obfuscated and mixed with others with similar behaviour.
• Traditionally, work in botnet detection has been categorized by either detection methodology (behavioural/signature) or C&C infrastructure.
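The slide above names the two traditional detection angles (signature vs. behavioural) and the C&C-infrastructure view. The following Python script, added here as an illustration and not part of the original deck, applies both to a handful of constructed flow records: a signature rule matches an IRC channel join, a behavioural rule flags hosts that contact the same destination at near-constant intervals (beaconing), and a final step groups beaconing hosts by destination to surface a shared controller. All IP addresses, timestamps, thresholds and the record layout are assumptions made for the example.

```python
"""Toy C&C detection over constructed flow records (added example, not from the deck)."""
import re
import statistics
from collections import defaultdict

# Constructed sample flows: (timestamp_s, src, dst, dport, payload_snippet).
# Hosts 10.0.0.5 and 10.0.0.7 talk to one IRC server every 60 s; 10.0.0.9 is ordinary web traffic.
SAMPLE_FLOWS = [
    (0,   "10.0.0.5", "198.51.100.9", 6667, "JOIN #ops"),
    (60,  "10.0.0.5", "198.51.100.9", 6667, "PING"),
    (120, "10.0.0.5", "198.51.100.9", 6667, "PING"),
    (180, "10.0.0.5", "198.51.100.9", 6667, "PING"),
    (2,   "10.0.0.7", "198.51.100.9", 6667, "JOIN #ops"),
    (62,  "10.0.0.7", "198.51.100.9", 6667, "PING"),
    (122, "10.0.0.7", "198.51.100.9", 6667, "PING"),
    (182, "10.0.0.7", "198.51.100.9", 6667, "PING"),
    (5,   "10.0.0.9", "203.0.113.20", 443,  ""),
    (97,  "10.0.0.9", "203.0.113.20", 443,  ""),
    (130, "10.0.0.9", "203.0.113.21", 443,  ""),
    (171, "10.0.0.9", "203.0.113.22", 80,   ""),
]

IRC_JOIN = re.compile(r"^JOIN\s+#\S+")  # assumed signature: IRC channel join
MIN_FLOWS = 3      # at least two inter-arrival gaps are needed to judge regularity
MAX_JITTER = 0.2   # coefficient of variation below which timing counts as periodic


def signature_hits(flows):
    """Signature-based: flows whose payload snippet matches the IRC join pattern."""
    return [(src, dst, dport, snippet)
            for _ts, src, dst, dport, snippet in flows
            if IRC_JOIN.match(snippet)]


def beaconing_hosts(flows, min_flows=MIN_FLOWS, max_jitter=MAX_JITTER):
    """Behavioural: (src, dst, dport) tuples contacted at near-constant intervals.

    Returns a mapping from the tuple to its mean inter-arrival gap in seconds.
    """
    by_tuple = defaultdict(list)
    for ts, src, dst, dport, _snippet in flows:
        by_tuple[(src, dst, dport)].append(ts)
    result = {}
    for key, stamps in by_tuple.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        if statistics.pstdev(gaps) / mean_gap <= max_jitter:
            result[key] = mean_gap
    return result


def shared_controllers(beacons, min_hosts=2):
    """C&C-infrastructure view: destinations that several internal hosts beacon to."""
    hosts_by_dst = defaultdict(set)
    for (src, dst, dport) in beacons:
        hosts_by_dst[(dst, dport)].add(src)
    return {k: v for k, v in hosts_by_dst.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    print("signature hits:", signature_hits(SAMPLE_FLOWS))
    beacons = beaconing_hosts(SAMPLE_FLOWS)
    print("beaconing tuples:", beacons)
    print("shared controllers:", shared_controllers(beacons))
```

The behavioural rule is deliberately simple: a benign updater polling on a timer would trip it too, which is exactly the "mixed with others with similar behaviour" problem the slide raises, so in practice the three views are combined rather than used alone.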

HOW DO THEY HIDE?

3 ways of hiding

WHAT DO BOTNETS DO?

Botnet Activities

• DDoS attacks
• Click fraud
• Data theft
• Phishing

The least damage caused by botnets is bandwidth consumption.

DDoS attacks

[Figure: attacker directing zombies in Brazil, China, Russia and the US against a target, e.g. Google.com]

http://en.wikipedia.org/wiki/Denial-of-service_attack

Click Fraud

• Pay per Click (PPC) is an Internet advertising model used on websites in which advertisers pay their host only when an ad is clicked.
• Famous bots: ClickBot (100k), Bahama Botnet (200k).

Data Theft

• Accounts for a great deal of botnet activity.
• Purpose: harvesting user data (screen captures, typed data, files).
• Anti-spyware software: highly controversial.

http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf

Phishing

• A deceptive email/website/etc. used to harvest confidential information.

http://library.thinkquest.org/06aug/00446/Phishing.html

IT ACT AGAINST BOTNETS

IT Act Section 66A

• Any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device;

• Any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages;

shall be punishable with imprisonment for a term which may extend to three years and with fine.

IT Act Section 66C

• Punishment for identity theft: Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

IT Act Sections 66E and 66F

• Punishment for violation of privacy: Violating the privacy of that person shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees.
• Punishment for cyber terrorism: Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.

PAST CASES

In the news…

• July 29 2010 - dd_ssh Botnet attacks SSH servers
• Aug 4 2010 - Zeus v2 Botnet that owned 100,000 UK PCs taken out
• Aug 12 2010 - Multi-Purpose Botnet Used in Major Check Counterfeiting Operation
• Aug 12 2010 - Zeus v3 botnet raid on UK bank accounts
• Aug 12 2010 - Zeus ‘Mumba’ Botnet Seizes Confidential Database sized 60GB

ZEUS 2 - Aug 4 2010

• Security researchers have uncovered the command and control network of a Zeus 2 botnet sub-system targeted at UK surfers that controlled an estimated 100,000 computers.
• The original attack was probably seeded by a combination of infected email attachments and drive-by downloads.

ZEUS 3 - Aug 12 2010

• Security experts have uncovered a Zeus v3 Trojan botnet that specifically targets customers of an unnamed UK bank.
• The trojan is also reported to remain undetected by traditional anti-virus software and is activated when users log in to their online banking accounts.
• The trojan managed to steal around £675,000 from 3,000 customers.

OPERATION B49

Microsoft’s fight against BOTNETS

• Microsoft moved the battle against spam-distributing botnets from cyberspace to the courtroom, winning a temporary restraining order for shutting down nearly 300 domains.
• Microsoft was able to essentially decapitate the botnet, severing the compromised bots from the brains of the operation.
• Microsoft didn't seek to criminally charge the botnet developer, or sue for damages in civil court.

References

• The Gumblar system. http://www.ipa.go.jp/security/english/virus/press/201001/E_PR201001.html
• The Koobface botnet. http://www.securelist.com/en/weblog?discuss=208187897&return=1
• C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, S. Savage. Spamalytics: An Empirical Analysis of Spam Marketing Conversion. 15th ACM Conference on Computer and Communications Security, 2008, Alexandria, VA, USA.
• The fast flux techniques. http://old.honeynet.org/papers/ff/index.html
• Malicious websites. http://us.trendmicro.com
