Botnets

BotNets Presented by: Kavisha B.Tech.(I.T.)-V semester Banasthali University, Rajasthan

Outline What are Botnets? Botnet Terminology Botnet Life-cycle Types of attacks Botnets in Network Security Botnet Detection Preventing Botnet Infection Conclusion References

What are Botnets ? A Botnet is a network of compromised computers called Zombie Computers or Bots , under the control of a remote attacker. Bots began as a useful tool. They were originally developed as a virtual individual that could sit on a IRC channel & monitor network traffic. They are significant contributors to the malicious & criminal activities on the Internet today and far importantly an underground network whose size & scope is not fully known.

Botnet Terminology Bot Herder(Bot Master) Bots IRC Server Command & Control Server (C&C)

Bot Herder Bot herders (aka Bot Masters )are the hackers who use automated techniques to scan specific network ranges and find vulnerable systems, on which they can install their bot program. To create an army of Zombies over internet, attacker typically infect machines of home users, network maintained by universities or small enterprises, etc.

Bot Master

Bots Bots (also called Zombie Computers )are the computers that contribute to the botnet network. They run using a hidden channel to communicate to their C&C server. They can auto scan their environments and propagate themselves taking advantage of vulnerabilities &weak passwords.

Bots(contd.) Generally the more vulnerabilities a bot can scan, the more valuable it becomes to the botnet controller community. The process of stealing computing resources as a result of a system being joined to a botnet is called Scrumping . Gammima (gaming password stealer), Conficker (fake antivirus) and Zeus (information stealer), are among what are believed to be the largest botnets, according to security firm Damballa .

IRC Server Internet Relay Chat ( IRC ) is a form of real-time Internet text messaging ( chat). The server listens to connections from IRC clients enabling people to talk to each other via the Internet . Most IRC servers do not require users to register an account but a user will have to set a nickname before being connected . M ost IRC networks lack any strong authentication, and a number of tools to provide anonymity on IRC networks are available . IRC provides a simple, low-latency, widely available, and anonymous command and control channel for botnet communication.

Command & Control Server C&C infrastructure allows a bot agent to receive new instructions, malicious capabilities, update existing infections or to instruct the infected computer to carry out specific task as dictated by the remote controller. The criminal actively controlling botnets must ensure that their C&C infrastructure is sufficiently robust to manage tens-of-thousands of globally scattered bots as well as resist attempts to hijack or shutdown the botnet.

Bot Master Bots IRC Server Victim IRC Channel Attack IRC Channel C&C Traffic

Botnet Life-cycle

Botnet Life-cycle ( contd .)

Botnet Life-cycle (contd.)

Distributed Denial of Service (DDoS) attacks Sending Spams Phishing (fake websites) Adware Spyware (keylogging, information harvesting) Click Fraud Types of attacks

Botnets In Network Security Internet users are getting infected by bots. Many times corporate and end users are trapped in botnet attacks. Today 16-25% of the computers connected to the internet are members of a botnet. According to Damballa’s Technical report, 83.1% of global spam in March,2011 was sent by Botnets . Computer security experts estimate that most Spam is sent by home computers that are controlled remotely & millions of these computers are part of Botnets.

Contd. 2010 was a big year for internet crimes with botnets & targeted attacks becoming headlines on almost weekly basis. Botnets such as Mariposa, Confiker, Koobface have become household names. The public disclosure of electronic attacks on international organizations such as Google, Adobe & many others referred to as “ Operation Aurora ” revealed that sophisticated & advanced malware are now every day inclusions of the criminal toolkits.

Most Wanted Botnets Zeus - Compromised U.S. 3.6 million computers. Koobface- Compromised U.S. 2.9 million computers. TidServ - Compromised U.S. 1.5 million computers. Trojan.Fakeavalert- Compromised U.S. 1.4 million computers. TR/Dldr.Agent.JKH- Compromised U.S. 1.2 million computers.

Botnet Detection The two approaches for botnet detection are based on:: Setting up honeynets Passive traffic monitoring Signature based Anomaly based DNS based

Botnet Detection: Honeynets Honeynets A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of Information Systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers. Windows Honeypot

Contd. Once an intruder breaks into the victim host, the machine or a network administrator can examine the intrusion methods used by the intruder . Two or more honeypots on a network form a H oneynet. One practical application of this is the S pamtrap - a honeypot that controls spam by masquerading as a type of system abused by spammers.

Advantages With the help of honeynets we are able to learn some key information (e.g. IP address of the server or nickname of the bot ) that enable us to observe botnets. We can extract the sensitive information about bots in a semi-automated fashion with the help of a classical Honeywall . We are able to monitor the typical commands issued by attackers and sometimes we can even capture their communication. This helps us in learning more about the motives of attackers and their tactics .

Botnet Detection: Traffic Monitoring It helps us to understand what’s there on the network. Signature based: Detection of known botnets. Anomaly based : One study found that bots on IRC were idle most of the time and would respond faster than a human upon receiving a command . Detect botnet using following anomalies- High network latency High volume of traffic Unusual system behaviour Vulnerable systems DNS based: Analysis of DNS traffic generated by botnets.

Botnet Detection up Honeynets Malicious Traffic Inform bot’s IP Authorize Bot Sensor Bot Master Admin

Preventing Botnet Infections Use a Firewall Patch regularly and promptly Use Antivirus (AV) software Use Anti-Bots Deploy an Intrusion Detection System ( IDS) Deploy an Intrusion Prevention System (IPS)

Conclusion Botnets pose a significant and growing threat against cyber security. Even if we use well known techniques, botnets continue to dominate the cyber threat landscape. As network security has become integral part of our life, botnets have become the most serious threat to it. Staying ahead of threat will require advanced knowledge of building out new anti bot campaigns. It is very important to detect botnet attack and find the solution for it.

References Adam J. Aviv, Andreas Haeberlen. Challenges in Experimenting with Botnet Detection Systems .2011. March 2011 Intelligence Report . Symantec. Cloud . Paul Bacher, Thorsten Holz, Markus Kotter, Georg Wicherski. Know your Enemy: Tracking Botnets . Technical Report, The Honeynet Project. Aug 2008.

QUESTIONS

About This Presentation

Slide Content

Tags

Categories

Download

Quick Actions

Statistics

Related Slideshows

Botnets

About This Presentation

Slide Content

Slide 1

Slide 2

Slide 3

Slide 4

Slide 5

Slide 6

Slide 7

Slide 8

Slide 9

Slide 10

Slide 11

Slide 12

Slide 13

Slide 14

Slide 15

Slide 16

Slide 17

Slide 18

Slide 19

Slide 20

Slide 21

Slide 22

Slide 23

Slide 24

Slide 25

Slide 26

Slide 27

Slide 28

Slide 29

Tags

Categories

Download

Quick Actions

Statistics

Related Slideshows

Pray For The Peace Of Jerusalem and You Will Prosper

Don_t_Waste_Your_Life_God.....powerpoint

VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf

Fertility awareness methods for women in the society

Chapter 5 Arithmetic Functions Computer Organisation and Architecture

syakira bhasa inggris (1) (1).pptx.......